hping
What is hping ?
• Hping is a command-line oriented TCP/IP packet crafter.
• HPING can be used to create IP packets containing TCP, UDP or ICMP payloads.
• All header fields can be modified and controlled using the command line.
• A good understanding of IP and TCP/UDP is mandatory to use and understand the utility.
What can hping do?
• Firewall testing
• Advanced port scanning
• Network testing, using different protocols, TOS, fragmentation
• Manual path MTU discovery
• Advanced traceroute, under all the supported protocols
• Remote OS fingerprinting
• Remote uptime guessing
• TCP/IP stacks auditing
• hping can also be useful to students that are learning TCP/IP.
Help for hping
# hping -h
usage: hping host [options]
Help for hping --- Mode
default mode TCP
-0 --rawip RAW IP mode
-1 --icmp ICMP mode
-2 --udp UDP mode
-9 --listen listen mode
Help for hping --- IP
-a --spoof spoof source address -t --ttl ttl (default 64)
-W --winid use win* id byte ordering -N --id id (default random)
-y --dontfrag set dont fragment flag -r --rel relativize id field
-f --frag split packets in more frag
-x --morefrag set more fragments flag
-g --fragoff set the fragment offset
-m --mtu set virtual mtu, implies --frag if packet size > mtu
-o --tos type of service (default 0x00), try --tos help
-G --rroute includes RECORD_ROUTE option and display the route buffer
-H --ipproto set the IP protocol field, only in RAW IP mode
Help for hping --- ICMP
-C --icmptype icmp type (default echo request)
-K --icmpcode icmp code (default 0)
--icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)
--icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)
--icmp-help display help for others icmp options
Help for hping --- UDP/TCP
-s --baseport base source port (default random)
-p --destport [+][+]<port> destination port(default 0) ctrl+z inc/dec
-k --keep keep still source port
-w --win winsize (default 64)
-O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
-Q --seqnum shows only tcp sequence number
-b --badcksum (try to) send packets with a bad IP checksum
many systems will fix the IP checksum sending the packet
so you'll get bad UDP/TCP checksum instead.
Help for hping --- UDP/TCP
-M --setseq set TCP sequence number
-L --setack set TCP ack
-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)
--tcpexitcode use last tcp->th_flags as exit code
--tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime
Help for hping --- Common
-d --data data size (default is 0)
-E --file data from file
-e --sign add 'signature'
-j --dump dump packets in hex
-J --print dump printable characters
-B --safe enable 'safe' protocol
-u --end tell you when --file reached EOF and prevent rewind
-T --traceroute traceroute mode (implies --bind and --ttl 1)
--tr-stop Exit when receive the first not ICMP in traceroute mode
--tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop
--tr-no-rtt Don't calculate/show RTT information in traceroute mode
IP Spoofing
# hping -a 172.27.20.100 -1 192.168.100.205
HPING 192.168.100.205 (hme0 192.168.100.205): icmp mode set, 28 headers + 0 data bytes
46 bytes from 192.168.100.205: icmp_seq=0 ttl=127 id=20484 rtt=2.0 ms
46 bytes from 192.168.100.205: icmp_seq=1 ttl=127 id=20485 rtt=1.7 ms
46 bytes from 192.168.100.205: icmp_seq=2 ttl=127 id=20486 rtt=1.8 ms
^C
--- 192.168.100.205 hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 1.7/1.8/2.0 ms
#
Note: This do not works in windows XP SP2
Syn flood --- src port differ
# hping 192.168.100.205 -S -p 80
HPING 192.168.100.205 (hme0 192.168.100.205): S set, 40 headers + 0 data bytes
len=46 ip=192.168.100.205 flags=RA seq=0 ttl=127 id=20345 win=0 rtt=2.4 ms
len=46 ip=192.168.100.205 flags=RA seq=1 ttl=127 id=20346 win=0 rtt=1.0 ms
len=46 ip=192.168.100.205 flags=RA seq=2 ttl=127 id=20347 win=0 rtt=0.9 ms
len=46 ip=192.168.100.205 flags=RA seq=3 ttl=127 id=20348 win=0 rtt=1.0 ms
len=46 ip=192.168.100.205 flags=RA seq=4 ttl=127 id=20350 win=0 rtt=1.0 ms
len=46 ip=192.168.100.205 flags=RA seq=5 ttl=127 id=20351 win=0 rtt=0.9 ms
^C
--- 192.168.100.205 hping statistic ---
6 packets tramitted, 6 packets received, 0% packet loss
round-trip min/avg/max = 0.9/1.2/2.4 ms
Syn packets --- duplicated syn packets
d:\>hping 192.168.1.1 -S -k -p 80
HPING 192.168.1.1 (eth0 192.168.1.1): S set, 40 headers + 0 data bytes
len=65543 ip=192.168.1.1 ttl=64 id=11924 sport=80 flags=SA seq=0 win=8192 rtt=10.0 ms
DUP! len=65543 ip=192.168.1.1 ttl=64 id=11925 sport=80 flags=SA seq=0 win=8192 rtt=1001.0 ms
DUP! len=65543 ip=192.168.1.1 ttl=64 id=11926 sport=80 flags=SA seq=0 win=8192 rtt=2002.0 ms
DUP! len=65543 ip=192.168.1.1 ttl=64 id=11927 sport=80 flags=SA seq=0 win=8192 rtt=3004.0 ms
--- 192.168.1.1 hping statistic ---
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 10.0/1504.2/3004.0 ms
Packets with payload
d:\partner\hping>cat payload.txt
This is testing payload for hping!!!
d:\partner\hping>hping 192.168.1.1 -1 -d 100 -E payload.txt
Hping --- Resource