Description

Hping3 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping do with ICMP replies. Hping3 handles fragmentation, arbitrary packet body and size and can be used in order to transfer files under supported protocols.

Hping3 can be used, among other things to:

• Test firewall rules,
• [spoofed] port scanning,
• Test net performance using differents protocols, packet size, TOS (type of service) and fragmentation,
• Path MTU discovery,
• Files transfering even between really fascist firewall rules,
• Traceroute like under different protocols,
• Firewalk like usage,
• Remote OS fingerprint,
• TCP/IP stack auditing

It's also really a good didactic tool to learn TCP/IP.

Installation

$ sudo apt-get install hping3

Usage

Basic syntax

$ hping3 host [options]

Options

Note

Notice that new options (from v2) appear in yellow.

Mode

Note

Notice that without precision, the default mode is TCP

-0, --rawip

RAW IP mode

-1, --icmp

ICMP mode

-2, --udp

UDP mode

-8, --scan

SCAN mode.

Example: hping --scan 1-30,70-90 -S www.target.host

-9, --listen

listen mode

IP

-a, --spoof

spoof source address

--rand-dest

random destionation address mode. see the man.

--rand-source

random source address mode. see the man.

-t --ttl

ttl (default 64)

-N --id

id (default random)

-W --winid

use win* id byte ordering

-r --rel

relativize id field

(to estimate host traffic)

-f --frag

split packets in more frag.

(may pass weak acl)

-x --morefrag

set more fragments flag

-y --dontfrag

set dont fragment flag

-g --fragoff

set the fragment offset

-m --mtu

set virtual mtu, implies --frag if packet size > mtu

-o --tos

type of service (default 0x00), try --tos help

-G --rroute

includes RECORD_ROUTE option and display the route buffer

--lsrr

loose source routing and record route

--ssrr

strict source routing and record route

-H --ipproto

set the IP protocol field, only in RAW IP mode

ICMP

-C --icmptype

icmp type (default echo request)

-K --icmpcode

icmp code (default 0)

--force-icmp

send all icmp types (default send only supported types)

--icmp-gw

set gateway address for ICMP redirect (default 0.0.0.0)

--icmp-ts

Alias for --icmp --icmptype 13 (ICMP timestamp)

--icmp-addr

Alias for --icmp --icmptype 17 (ICMP address subnet mask)

--icmp-help

display help for others icmp options

UDP/TCP

-s --baseport

base source port (default random)

-p --destport [+][+]<port>

destination port(default 0) ctrl+z inc/dec

-k --keep

keep still source port

-w --win

winsize (default 64)

-O --tcpoff

set fake tcp data offset (instead of tcphdrlen / 4)

-Q --seqnum

shows only tcp sequence number

-b --badcksum

(try to) send packets with a bad IP checksum many systems will fix the IP checksum sending the packet so you'll get bad UDP/TCP checksum instead.

-M --setseq

set TCP sequence number

-L --setack

set TCP ack

-F --fin

set FIN flag

-S --syn

set SYN flag

-R --rst

set RST flag

-P --push

set PUSH flag

-A --ack

set ACK flag

-U --urg

set URG flag

-X --xmas

set X unused flag (0x40)

-Y --ymas

set Y unused flag (0x80)

--tcpexitcode

use last tcp->th_flags as exit code

--tcp-timestamp

enable the TCP timestamp option to guess the HZ/uptime

Common

-d --data

data size (default is 0)

-E --file

data from file

-e --sign

add 'signature'

-j --dump

dump packets in hex

-J --print

dump printable characters

-B --safe

enable 'safe' protocol

-u --end

tell you when --file reached EOF and prevent rewind

-T --traceroute

traceroute mode (implies --bind and --ttl 1)

--tr-stop

Exit when receive the first not ICMP in traceroute mode

--tr-keep-ttl

Keep the source TTL fixed, useful to monitor just one hop

--tr-no-rtt

Don't calculate/show RTT information in traceroute mode ARS packet description (new, unstable)

--apd-send

Send the packet described with APD (see docs/APD.txt)

Other options

-h --help

show help

-v --version

show version

-c --count

packet count

-i --interval

wait (uX for X microseconds, for example -i u1000)

--fast

alias for -i u10000 (10 packets for second)

--faster

alias for -i u1000 (100 packets for second)

--flood

send packets as fast as possible. Don't show replies.

-n --numeric

numeric output

-q --quiet

quiet

-I --interface

interface name (otherwise default routing interface)

-V --verbose

verbose mode

-D --debug

debugging info

-z --bind

bind ctrl+z to ttl (default to dst port)

-Z --unbind

unbind ctrl+z

--beep

beep for every matching packet received

Example

Open port

Following command checks the status of port 22/tcp with a TCP SYN scan:

$ sudo hping3 192.168.100.1 -c 1 -I wlan0 -S -p 22
HPING 192.168.100.1 (wlan0 192.168.100.1): S set, 40 headers + 0 data bytes
len=46 ip=192.168.100.1 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840 rtt=1.9 ms

--- 192.168.100.1 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 1.9/1.9/1.9 ms

Closed port

Following command sends a TCP SYN packet to port 81/tcp on host 192.168.100.1:

$ sudo hping3 192.168.100.1 -c 1 -I wlan0 -S -p 81
HPING 192.168.100.1 (wlan0 192.168.100.1): S set, 40 headers + 0 data bytes
len=46 ip=192.168.100.1 ttl=64 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=2.4 ms

--- 192.168.100.1 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 2.4/2.4/2.4 ms

Scan mode

$ sudo hping3 192.168.100.1 -I wlan0 -S --scan 20,21,22,80,8080 -V
using wlan0, addr: 192.168.100.18, MTU: 1500
Scanning 192.168.100.1 (192.168.100.1), port 20,21,22,80,8080
5 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
   20 ftp-data   : ..R.A...  64     0     0    46
   21 ftp        : ..R.A...  64     0     0    46
   22 ssh        : .S..A...  64     0  5840    46
   80 www        : .S..A...  64     0  5840    46
 8080 http-alt   : .S..A...  64     0  5840    46
All replies received. Done.
Not responding ports:

Comments