hping

What is hping?

     Hping is a command-line oriented TCP/IP packet crafter.

     hping can be used to create IP packets containing TCP, UDP or ICMP payloads.

     All header fields can be modified and controlled using the command line.

     A good understanding of IP and TCP/UDP is mandatory to use and understand the utility.

What can hping do?

     Firewall testing

     Advanced port scanning

     Network testing, using different protocols, TOS, fragmentation

     Manual path MTU discovery

     Advanced traceroute, under all the supported protocols

     Remote OS fingerprinting

     Remote uptime guessing

     TCP/IP stacks auditing

     hping can also be useful to students who are learning TCP/IP.

Help for hping

# hping -h

usage: hping host [options]

 

Help for hping    --- Mode

 

default mode     TCP

  -0  --rawip      RAW IP mode

  -1  --icmp       ICMP mode

  -2  --udp        UDP mode

  -9  --listen     listen mode

Help for hping    --- IP

  -a  --spoof      spoof source address

  -t  --ttl        ttl (default 64)

  -W  --winid      use win* id byte ordering

  -N  --id         id (default random)

  -y  --dontfrag   set dont fragment flag

  -r  --rel        relativize id field

  -f  --frag       split packets in more frag

  -x  --morefrag   set more fragments flag

  -g  --fragoff    set the fragment offset

-g  --fragoff    set the fragment offset

-m  --mtu        set virtual mtu, implies --frag if packet size > mtu

-o  --tos        type of service (default 0x00), try --tos help

-G  --rroute     includes RECORD_ROUTE option and display the route buffer

-H  --ipproto    set the IP protocol field, only in RAW IP mode

Help for hping    --- ICMP

 

-C  --icmptype   icmp type (default echo request)

-K  --icmpcode   icmp code (default 0)

      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)

      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)

      --icmp-help  display help for others icmp options

Help for hping    --- UDP/TCP

-s  --baseport   base source port             (default random)

-p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec

-k  --keep       keep still source port

-w  --win        winsize (default 64)

-O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen / 4)

-Q  --seqnum     shows only tcp sequence number

-b  --badcksum   (try to) send packets with a bad IP checksum

                   many systems will fix the IP checksum sending the packet

                   so you'll get bad UDP/TCP checksum instead.

  -M  --setseq     set TCP sequence number

  -L  --setack     set TCP ack

  -F  --fin        set FIN flag

  -S  --syn        set SYN flag

  -R  --rst        set RST flag

  -P  --push       set PUSH flag

  -A  --ack        set ACK flag

  -U  --urg        set URG flag

  -X  --xmas       set X unused flag (0x40)

  -Y  --ymas       set Y unused flag (0x80)

  --tcpexitcode    use last tcp->th_flags as exit code

  --tcp-timestamp  enable the TCP timestamp option to guess the HZ/uptime

Help for hping    --- Common

  -d  --data       data size                    (default is 0)

  -E  --file       data from file

  -e  --sign       add 'signature'

  -j  --dump       dump packets in hex

  -J  --print      dump printable characters

  -B  --safe       enable 'safe' protocol

  -u  --end        tell you when --file reached EOF and prevent rewind

  -T  --traceroute traceroute mode          (implies --bind and --ttl 1)

  --tr-stop        Exit when receive the first not ICMP in traceroute mode

  --tr-keep-ttl    Keep the source TTL fixed, useful to monitor just one hop

  --tr-no-rtt       Don't calculate/show RTT information in traceroute mode

IP Spoofing

 

# hping -a 172.27.20.100 -1 192.168.100.205

HPING 192.168.100.205 (hme0 192.168.100.205): icmp mode set, 28 headers + 0 data bytes

46 bytes from 192.168.100.205: icmp_seq=0 ttl=127 id=20484 rtt=2.0 ms

46 bytes from 192.168.100.205: icmp_seq=1 ttl=127 id=20485 rtt=1.7 ms

46 bytes from 192.168.100.205: icmp_seq=2 ttl=127 id=20486 rtt=1.8 ms

^C

--- 192.168.100.205 hping statistic ---

3 packets tramitted, 3 packets received, 0% packet loss

round-trip min/avg/max = 1.7/1.8/2.0 ms

#

Note: This does not work on Windows XP SP2.
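The -a run above succeeds only because nothing on the path checks that a source address belongs where the packet came from. The block below is an added example, not code from this post or from hping: it applies that reverse-path rule to a few constructed packet records; the interface names and prefixes are assumptions for the example, chosen so that the spoofed 172.27.20.100 packet arrives on the wrong side.

```python
import ipaddress

# Address plan assumed for this example (not stated on the page): hme0 faces
# 192.168.100.0/24, while 172.27.20.0/24 is reachable only through hme1.
INTERFACE_NETS = {
    "hme0": [ipaddress.ip_network("192.168.100.0/24")],
    "hme1": [ipaddress.ip_network("172.27.20.0/24")],
}

# Constructed packet records as a router would see them:
# (ingress interface, source, destination, protocol)
PACKETS = [
    ("hme0", "192.168.100.7", "192.168.100.205", "icmp"),  # genuine LAN host
    ("hme0", "172.27.20.100", "192.168.100.205", "icmp"),  # the -a spoof above
    ("hme1", "172.27.20.100", "192.168.100.205", "icmp"),  # same source, right side
    ("hme0", "10.9.9.9", "192.168.100.205", "tcp"),        # prefix we never route
]

def expected_interface(src):
    """Interface on which packets from src can legitimately arrive, or None."""
    addr = ipaddress.ip_address(src)
    for ifname, nets in INTERFACE_NETS.items():
        if any(addr in net for net in nets):
            return ifname
    return None

def check_spoofing(packets):
    """Reverse-path (BCP 38 style) check: keep only the records whose source
    address does not belong on the interface it arrived on."""
    findings = []
    for ifname, src, dst, proto in packets:
        want = expected_interface(src)
        if want == ifname:
            continue
        reason = "no interface owns this prefix" if want is None else f"belongs on {want}"
        findings.append({"iface": ifname, "src": src, "dst": dst,
                         "proto": proto, "reason": reason})
    return findings
```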

SYN flood --- source port differs

 

# hping 192.168.100.205 -S -p 80

HPING 192.168.100.205 (hme0 192.168.100.205): S set, 40 headers + 0 data bytes

len=46 ip=192.168.100.205 flags=RA seq=0 ttl=127 id=20345 win=0 rtt=2.4 ms

len=46 ip=192.168.100.205 flags=RA seq=1 ttl=127 id=20346 win=0 rtt=1.0 ms

len=46 ip=192.168.100.205 flags=RA seq=2 ttl=127 id=20347 win=0 rtt=0.9 ms

len=46 ip=192.168.100.205 flags=RA seq=3 ttl=127 id=20348 win=0 rtt=1.0 ms

len=46 ip=192.168.100.205 flags=RA seq=4 ttl=127 id=20350 win=0 rtt=1.0 ms

len=46 ip=192.168.100.205 flags=RA seq=5 ttl=127 id=20351 win=0 rtt=0.9 ms

^C

--- 192.168.100.205 hping statistic ---

6 packets tramitted, 6 packets received, 0% packet loss

round-trip min/avg/max = 0.9/1.2/2.4 ms

SYN packets --- duplicated SYN packets

 

d:\>hping 192.168.1.1 -S -k -p 80

HPING 192.168.1.1 (eth0 192.168.1.1): S set, 40 headers + 0 data bytes

len=65543 ip=192.168.1.1 ttl=64 id=11924 sport=80 flags=SA seq=0 win=8192 rtt=10.0 ms

DUP! len=65543 ip=192.168.1.1 ttl=64 id=11925 sport=80 flags=SA seq=0 win=8192 rtt=1001.0 ms

DUP! len=65543 ip=192.168.1.1 ttl=64 id=11926 sport=80 flags=SA seq=0 win=8192 rtt=2002.0 ms

DUP! len=65543 ip=192.168.1.1 ttl=64 id=11927 sport=80 flags=SA seq=0 win=8192 rtt=3004.0 ms

 

--- 192.168.1.1 hping statistic ---

4 packets tramitted, 4 packets received, 0% packet loss

round-trip min/avg/max = 10.0/1504.2/3004.0 ms
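The two TCP runs above can be read mechanically. The block below is an added example, not part of hping or of this post: it parses the reply lines copied from the output above, classifies the answering port from its TCP flags, counts the DUP! replies of the -k run, and reports holes in the IP id sequence (the value that -r/--rel relativizes).

```python
import re
from collections import Counter

# Reply lines copied from the two hping runs shown above.
SYN_LINES = [
    "len=46 ip=192.168.100.205 flags=RA seq=0 ttl=127 id=20345 win=0 rtt=2.4 ms",
    "len=46 ip=192.168.100.205 flags=RA seq=1 ttl=127 id=20346 win=0 rtt=1.0 ms",
    "len=46 ip=192.168.100.205 flags=RA seq=2 ttl=127 id=20347 win=0 rtt=0.9 ms",
    "len=46 ip=192.168.100.205 flags=RA seq=3 ttl=127 id=20348 win=0 rtt=1.0 ms",
    "len=46 ip=192.168.100.205 flags=RA seq=4 ttl=127 id=20350 win=0 rtt=1.0 ms",
    "len=46 ip=192.168.100.205 flags=RA seq=5 ttl=127 id=20351 win=0 rtt=0.9 ms",
]
KEEP_LINES = [
    "len=65543 ip=192.168.1.1 ttl=64 id=11924 sport=80 flags=SA seq=0 win=8192 rtt=10.0 ms",
    "DUP! len=65543 ip=192.168.1.1 ttl=64 id=11925 sport=80 flags=SA seq=0 win=8192 rtt=1001.0 ms",
    "DUP! len=65543 ip=192.168.1.1 ttl=64 id=11926 sport=80 flags=SA seq=0 win=8192 rtt=2002.0 ms",
    "DUP! len=65543 ip=192.168.1.1 ttl=64 id=11927 sport=80 flags=SA seq=0 win=8192 rtt=3004.0 ms",
]
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_reply(line):
    """Parse one 'len=... ip=... flags=...' reply line; None for other output."""
    line = line.strip()
    dup = line.startswith("DUP!")      # hping already saw a reply with this seq
    if dup:
        line = line[4:].lstrip()
    f = dict(KV_RE.findall(line))      # key order differs between hping builds
    if not line.startswith("len=") or "flags" not in f:
        return None
    return {"dup": dup, "ip": f["ip"], "flags": f["flags"], "seq": int(f["seq"]),
            "id": int(f["id"]), "win": int(f["win"]), "rtt_ms": float(f["rtt"])}

def port_state(flags):
    """Plain TCP semantics for the reply to a SYN probe."""
    if "S" in flags and "A" in flags:
        return "open"      # SYN/ACK: a listener answered
    if "R" in flags:
        return "closed"    # RST: nothing listening, or a reset injected by a filter
    return "other"

def summarise(lines):
    replies = [r for r in map(parse_reply, lines) if r]
    ids = [r["id"] for r in replies]
    # Holes in the IP id sequence are packets the host sent elsewhere between our
    # replies (stacks with one global incrementing id; what -r/--rel relativizes).
    id_gaps = sum(b - a - 1 for a, b in zip(ids, ids[1:]) if b > a)
    return {"replies": len(replies), "dups": sum(r["dup"] for r in replies),
            "states": dict(Counter(port_state(r["flags"]) for r in replies)),
            "id_gaps": id_gaps}
```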

Packets with payload

d:\partner\hping>cat payload.txt

This is testing payload for hping!!!

 

d:\partner\hping>hping 192.168.1.1 -1 -d 100 -E payload.txt

 

Hping --- Resource

posted @ 2012-04-01 11:55  swordzj