Nping

From aldeid
Jump to navigation Jump to search

Description

Nping is an open source tool for network packet generation, response analysis and response time measurement. Nping can generate network packets for a wide range of protocols, allowing users full control over protocol headers. While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for network stack stress testing, ARP poisoning, Denial of Service attacks, route tracing, etc. Nping's novel echo mode lets users see how packets change in transit between the source and destination hosts. That's a great way to understand firewall rules, detect packet corruption, and more.

Installation

Backtrack

Backtrack 5 R2 already comes with nping 0.5.61TEST4 installed, in /usr/local/bin.

From scratch

Nping is part of nmap. To install it, run following commands:

$ cd ~/src/
$ wget http://nmap.org/dist/nmap-6.01.tar.bz2
$ bzip2-cd nmap-6.01.tar.bz2 | tar xf -
$ cd nmap-6.01/
$ ./configure
$ make
$ sudo make install

Usage

Syntax

nping [Probe mode] [Options] {target specification}

Options

Target Specification

Targets may be specified as hostnames, IP addresses, networks, etc.

Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254

Probe modes

--tcp-connect
Unprivileged TCP connect probe mode.
--tcp
TCP probe mode.
--udp
UDP probe mode.
--icmp
ICMP probe mode.
--arp
ARP/RARP probe mode.
--tr, --traceroute
Traceroute mode (can only be used with TCP/UDP/ICMP modes).

TCP CONNECT mode

-p, --dest-port <port spec>
Set destination port(s).
-g, --source-port <portnumber>
Try to use a custom source port.

TCP Probe mode

-g, --source-port <portnumber>
Set source port.
-p, --dest-port <port spec>
Set destination port(s).
--seq <seqnumber>
Set sequence number.
--flags <flag list>
Set TCP flags (ACK,PSH,RST,SYN,FIN...)
--ack <acknumber>
Set ACK number.
--win <size>
Set window size.
--badsum
Use a random invalid checksum.

UDP Probe mode

-g, --source-port <portnumber>
Set source port.
-p, --dest-port <port spec>
Set destination port(s).
--badsum
Use a random invalid checksum.

ICMP Probe mode

--icmp-type <type>
ICMP type.
--icmp-code <code>
ICMP code.
--icmp-id <id>
Set identifier.
--icmp-seq <n>
Set sequence number.
--icmp-redirect-addr <addr>
Set redirect address.
--icmp-param-pointer <pnt>
Set parameter problem pointer.
--icmp-advert-lifetime
Set router advertisement lifetime.
--icmp-advert-entry <IP,pref>
Add router advertisement entry.
--icmp-orig-time <timestamp>
Set originate timestamp.
--icmp-recv-time <timestamp>
Set receive timestamp.
--icmp-trans-time <timestamp>
Set transmit timestamp.

ARP/RARP Probe mode

--arp-type <type>
Type: ARP, ARP-reply, RARP, RARP-reply.
--arp-sender-mac <mac>
Set sender MAC address.
--arp-sender-ip <addr>
Set sender IP address.
--arp-target-mac <mac>
Set target MAC address.
--arp-target-ip <addr>
Set target IP address.

IPv4 options

-S, --source-ip
Set source IP address.
--dest-ip <addr>
Set destination IP address (used as an alternative to {target specification} ).
--tos <tos>
Set type of service field (8bits).
--id <id>
Set identification field (16 bits).
--df
Set Don't Fragment flag.
--mf
Set More Fragments flag.
--ttl <hops>
Set time to live [0-255].
--badsum-ip
Use a random invalid checksum.
--ip-options <S|R [route]|L [route]|T|U ...>
Set IP options
--ip-options <hex string>
Set IP options
--mtu <size>
Set MTU. Packets get fragmented if MTU is small enough.

IPv6 Options

-6, --IPv6
Use IP version 6.
--dest-ip
Set destination IP address (used as an alternative to {target specification}).
--hop-limit
Set hop limit (same as IPv4 TTL).
--traffic-class <class>
Set traffic class.
--flow <label>
Set flow label.

Ethernet Options

--dest-mac <mac>
Set destination mac address. (Disables ARP resolution)
--source-mac <mac>
Set source MAC address.
--ether-type <type>
Set EtherType value.

Payloads Options

--data <hex string>
Include a custom payload.
--data-string <text>
Include a custom ASCII text.
--data-length <len>
Include len random bytes as payload.

Echo Client/Server

--echo-client <passphrase>
Run Nping in client mode.
--echo-server <passphrase>
Run Nping in server mode.
--echo-port <port>
Use custom <port> to listen or connect.
--no-crypto
Disable encryption and authentication.
--once
Stop the server after one connection.
--safe-payloads
Erase application data in echoed packets.

Timing and Performance

Options which take

--delay
Adjust delay between probes.
--rate <rate>
Send num packets per second.

Miscellaneous

-h, --help
Display help information.
-V, --version
Display current version number.
-c, --count <n>
Stop after <n> rounds.
-e, --interface <name>
Use supplied network interface.
-H, --hide-sent
Do not display sent packets.
-N, --no-capture
Do not try to capture replies.
--privileged
Assume user is fully privileged.
--unprivileged
Assume user lacks raw socket privileges.
--send-eth
Send packets at the raw ethernet layer.
--send-ip
Send packets using raw IP sockets.
--bpf-filter <filter spec>
Specify custom BPF filter.

Output

-v
Increment verbosity level by one.
-v[level]
Set verbosity level. E.g: -v4
-d
Increment debugging level by one.
-d[level]
Set debugging level. E.g: -d3
-q
Decrease verbosity level by one.
-q[N]
Decrease verbosity level N times
--quiet
Set verbosity and debug level to minimum.
--debug
Set verbosity and debug to the max level.

Examples

ICMP ping

# nping aldeid.com
Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2012-06-20 20:27 CEST
SENT (0.1879s) ICMP 192.168.60.129 > 199.83.132.66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28 
SENT (1.1890s) ICMP 192.168.60.129 > 199.83.132.66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28 
SENT (2.1901s) ICMP 192.168.60.129 > 199.83.132.66 Echo request (type=8/code=0) ttl=64 id=53514 iplen=28

TCP Flags

# nping --tcp -p 80 --flags rst -c 3 aldeid.com

Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2012-06-20 20:30 CEST
SENT (0.2140s) TCP 192.168.60.129:46880 > 199.83.132.66:80 SR ttl=64 id=39564 iplen=40  seq=3392761691 win=1480 
SENT (1.2144s) TCP 192.168.60.129:46880 > 199.83.132.66:80 SR ttl=64 id=39564 iplen=40  seq=3392761691 win=1480 
SENT (2.2144s) TCP 192.168.60.129:46880 > 199.83.132.66:80 SR ttl=64 id=39564 iplen=40  seq=3392761691 win=1480 
nping_event_handler(): READ-PCAP killed: Resource temporarily unavailable
nping_event_handler(): TIMER killed: Resource temporarily unavailable
 
Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 3 (120B) | Rcvd: 0 (0B) | Lost: 3 (100.00%)
Tx time: 2.00146s | Tx bytes/s: 59.96 | Tx pkts/s: 1.50
Rx time: 3.00116s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00
Nping done: 1 IP address pinged in 3.21 seconds
# nping --tcp -p 80 --flags syn -c 3 aldeid.com

Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2012-06-20 20:31 CEST
SENT (0.1981s) TCP 192.168.60.129:47803 > 199.83.132.66:80 S ttl=64 id=52526 iplen=40  seq=2617481754 win=1480 
RCVD (0.3703s) TCP 199.83.132.66:80 > 192.168.60.129:47803 SA ttl=128 id=65419 iplen=44  seq=3288422312 win=64240 <mss 1460>
SENT (1.1984s) TCP 192.168.60.129:47803 > 199.83.132.66:80 S ttl=64 id=52526 iplen=40  seq=2617481754 win=1480 
RCVD (1.3191s) TCP 199.83.132.66:80 > 192.168.60.129:47803 SA ttl=128 id=65420 iplen=44  seq=1833067768 win=64240 <mss 1460>
SENT (2.1984s) TCP 192.168.60.129:47803 > 199.83.132.66:80 S ttl=64 id=52526 iplen=40  seq=2617481754 win=1480 
RCVD (2.3342s) TCP 199.83.132.66:80 > 192.168.60.129:47803 SA ttl=128 id=65421 iplen=44  seq=935977506 win=64240 <mss 1460>
 
Max rtt: 172.048ms | Min rtt: 120.478ms | Avg rtt: 142.689ms
Raw packets sent: 3 (120B) | Rcvd: 3 (138B) | Lost: 0 (0.00%)
Tx time: 2.00137s | Tx bytes/s: 59.96 | Tx pkts/s: 1.50
Rx time: 3.00543s | Rx bytes/s: 45.92 | Rx pkts/s: 1.00
Nping done: 1 IP address pinged in 3.20 seconds
# nping --tcp -p 80 --flags ack -c 3 aldeid.com

Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2012-06-20 20:32 CEST
SENT (0.1972s) TCP 192.168.60.129:59078 > 199.83.132.66:80 SA ttl=64 id=21833 iplen=40  seq=991426470 win=1480 
RCVD (0.1977s) TCP 199.83.132.66:80 > 192.168.60.129:59078 R ttl=128 id=65424 iplen=40  seq=2736126497 win=32767 
SENT (1.1983s) TCP 192.168.60.129:59078 > 199.83.132.66:80 SA ttl=64 id=21833 iplen=40  seq=991426470 win=1480 
RCVD (1.1989s) TCP 199.83.132.66:80 > 192.168.60.129:59078 R ttl=128 id=65425 iplen=40  seq=2736126497 win=32767 
SENT (2.1989s) TCP 192.168.60.129:59078 > 199.83.132.66:80 SA ttl=64 id=21833 iplen=40  seq=991426470 win=1480 
RCVD (2.1995s) TCP 199.83.132.66:80 > 192.168.60.129:59078 R ttl=128 id=65426 iplen=40  seq=2736126497 win=32767 
nping_event_handler(): TIMER killed: Resource temporarily unavailable

Max rtt: 0.078ms | Min rtt: 0.056ms | Avg rtt: 0.066ms
Raw packets sent: 3 (120B) | Rcvd: 3 (138B) | Lost: 0 (0.00%)
Tx time: 2.00279s | Tx bytes/s: 59.92 | Tx pkts/s: 1.50
Rx time: 3.00183s | Rx bytes/s: 45.97 | Rx pkts/s: 1.00
Nping done: 1 IP address pinged in 3.20 seconds

Echo client / server

Server

On the server, run:

# nping --echo-server "pass123" -e eth0 -vvv

Starting Nping 0.6.01 ( http://nmap.org/nping ) at 2012-06-20 20:38 CEST
Packet capture will be performed using network interface eth0.
Waiting for connections...
Server bound to 0.0.0.0:9929
[1340217541] Connection received from 192.168.1.13:56108
[1340217541] Client #0 (192.168.1.13:56108) disconnected
[1340217552] Connection received from 192.168.1.13:53935
[1340217552] Good packet specification received from client #1 (Specs=8,IP=4,Proto=6,Cnt=5)
[1340217552] NEP handshake with client #1 (192.168.1.13:53935) was performed successfully
[1340217555] Client #1 (192.168.1.13:53935) disconnected
^C 
Raw packets captured: 0 (0B) | Echoed: 0 (0B) | Not Matched: 0 (0B) (0.00%)
Tx time: 20.92945s | Tx bytes/s: 0.00 | Tx pkts/s: 0.00
Rx time: 20.92945s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00
Nping done: 1 client served in 20.93 seconds

Client

On the client, run:

# nping --echo-client "pass123" 192.168.1.18 --tcp -p1-30 --flags ack

Starting Nping 0.5.61TEST4 ( http://nmap.org/nping ) at 2012-06-20 14:39 EDT
SENT (0.5060s) TCP 192.168.1.13:9776 > 192.168.1.18:1 SA ttl=64 id=8941 iplen=40  seq=563261407 win=1480 
RCVD (0.5069s) TCP 192.168.1.18:1 > 192.168.1.13:9776 R ttl=64 id=0 iplen=40  seq=2016569017 win=0 
SENT (1.5085s) TCP 192.168.1.13:9776 > 192.168.1.18:2 SA ttl=64 id=8941 iplen=40  seq=563261407 win=1480 
RCVD (1.5097s) TCP 192.168.1.18:2 > 192.168.1.13:9776 R ttl=64 id=0 iplen=40  seq=2016569017 win=0 
SENT (2.5120s) TCP 192.168.1.13:9776 > 192.168.1.18:3 SA ttl=64 id=8941 iplen=40  seq=563261407 win=1480 
RCVD (2.5137s) TCP 192.168.1.18:3 > 192.168.1.13:9776 R ttl=64 id=0 iplen=40  seq=2016569017 win=0 
^C 
Max rtt: 0.976ms | Min rtt: 0.491ms | Avg rtt: 0.811ms
Raw packets sent: 3 (120B) | Rcvd: 3 (138B) | Lost: 0 (0.00%)| Echoed: 0 (0B) 
Tx time: 2.51520s | Tx bytes/s: 47.71 | Tx pkts/s: 1.19
Rx time: 2.51520s | Rx bytes/s: 54.87 | Rx pkts/s: 1.19
Nping done: 1 IP address pinged in 3.02 seconds

Comments

blog comments powered by Disqus