Hping - Active Network Security Tool

Hping Tutorial

by d3hydr8 > www.darkc0de.com

date: 12/24/07
Homepage: http://www.hping.org/
Download: http://www.hping.org/download.php

Description: hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.

First, let's look at installing it. I'm not much of a writer so I will just show the commands used throughout most of this tutorial.
---------------------------------------------------------------------
d3hydr8@linuxbox:~> ls | grep hping
hping3-20051105.tar.gz
d3hydr8@linuxbox:~> tar xvf hping3-20051105.tar.gz
hping3-20051105/
hping3-20051105/CVS/
hping3-20051105/CVS/Root
hping3-20051105/CVS/Repository
hping3-20051105/CVS/Entries
[...]
d3hydr8@linuxbox:~> ls
hping3-20051105         hping3-20051105.tar.gz  
d3hydr8@linuxbox:~> cd hping3-20051105
linuxbox:/home/d3hydr8/hping3-20051105 # ./configure
build byteorder.c...
create byteorder.h...
[...]
linuxbox:/home/d3hydr8/hping3-20051105 # make
gcc -c -O2 -Wall   -DUSE_TCL -g  libpcap_stuff.c
gcc -c -O2 -Wall   -DUSE_TCL -g  memlockall.c
[...]
linuxbox:/home/d3hydr8/hping3-20051105 # make install
cp -f hping3 /usr/sbin/
chmod 755 /usr/sbin/hping3
ln -s /usr/sbin/hping3 /usr/sbin/hping
ln -s /usr/sbin/hping3 /usr/sbin/hping2
linuxbox:/home/d3hydr8/hping3-20051105 # ./hping3 -v
hping version 3.0.0-alpha-1 ($Id: release.h,v 1.4 2004/04/09 23:38:56 antirez
Exp $)
This binary is TCL scripting capable

---------------------------------------------------------------------
Now that we have hping installed, let's enter the hping3 interactive shell and
use the resolve command.
---------------------------------------------------------------------

linuxbox:/home/d3hydr8 # hping3
hping3> hping resolve www.darkc0de.com
97.82.189.122
---------------------------------------------------------------------

You can find a complete list of commands in the hping3 API page.

http://wiki.hping.org/34

Hping2 is the old version of the tool, supporting only the command line interface,
while the new hping3 is the evolution that adds a Tcl scripting engine. Note that
the make install above symlinked /usr/sbin/hping and /usr/sbin/hping2 to the
hping3 binary, so on this box all three names run the same program and accept
the same command-line options. Since we will be working mainly with the command
line, you will see me using hping2 from here on. Running hping with --help prints
the list of options it supports; the full list is also reproduced at the bottom
of this tutorial.
---------------------------------------------------------------------
linuxbox:/home/d3hydr8 # hping2 --help
usage: hping host [options]
---------------------------------------------------------------------

Let's start with some port scanning...
---------------------------------------------------------------------
linuxbox:/home/d3hydr8 # host yahoo.com
yahoo.com has address 66.94.234.13
[...]
linuxbox:/home/d3hydr8 # hping -I wlan0 -S 66.94.234.13 -p 80 -c 3
HPING 66.94.234.13 (wlan0 66.94.234.13): S set, 40 headers + 0 data bytes
len=40 ip=66.94.234.13 ttl=110 id=18735 sport=80 flags=SA seq=0 win=8192 rtt=95.7 ms
len=40 ip=66.94.234.13 ttl=112 id=18931 sport=80 flags=SA seq=1 win=8192 rtt=97.9 ms
len=40 ip=66.94.234.13 ttl=110 id=19104 sport=80 flags=SA seq=2 win=8192 rtt=94.4 ms

--- 66.94.234.13 hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 94.4/96.0/97.9 ms
---------------------------------------------------------------------

In this output you can see that we used the -I option to choose our interface
name (wlan0). You can get your interface name with the ifconfig command. The -S
option sets the SYN flag, so each probe is the first half of a TCP handshake: a
SYN or "half-open" scan, traditionally called a stealth scan because hping never
completes the connection (our own kernel answers the target's SYN/ACK with a RST,
since no local socket is listening on that source port). -p 80 is the destination
port and -c 3 limits the run to three packets. hping writes raw packets, so it
needs root, which is why the prompts above are root shells.

The flags= field of each reply tells you the port state:

flags=SA >> open      (SYN/ACK: something is listening)
flags=RA >> closed    (RST/ACK: host is up, nothing listening on that port)
no reply, or an ICMP unreachable >> filtered (dropped by a firewall, or host down)

As you can see from that little table, port 80 was open. Let's try another
example with a few more flags.
---------------------------------------------------------------------

linuxbox:/home/d3hydr8 # hping2 -I wlan0 -S 66.94.234.13 -M 3000 -p ++21 --fast
HPING 66.94.234.13 (wlan0 66.94.234.13): S set, 40 headers + 0 data bytes
len=40 ip=66.94.234.13 ttl=110 id=17176 sport=80 flags=SA seq=59 win=8192 rtt=100.5 ms
len=40 ip=66.94.234.13 ttl=112 id=22501 sport=443 flags=SA seq=422 win=8192 rtt=101.9 ms
---------------------------------------------------------------------

As you can see from this example we are doing another port scan, but this time
incrementing the destination port from 21 with the -p ++21 option (21, 22, 23,
etc.): the port goes up by one with every packet sent. --fast is an alias for
-i u10000, one packet every 10000 microseconds, i.e. 100 packets per second (the
per-second figures in hping's --help text are off by a factor of ten; trust the
microsecond value). -M 3000 sets the TCP sequence number of our SYNs to 3000
instead of a random one.

Notice the seq= field: hping numbers the packets it sends, and since the port is
21 + seq, seq=59 is the probe to port 80 and seq=422 the one to port 443; the
sport= field confirms which port answered. Only the two SYN/ACK replies (the open
ports) are shown here.
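The classification above (SYN/ACK open, RST/ACK closed, silence filtered) is easy to automate for a whole -p ++N sweep. The helper below is an added example, not part of the original tutorial: it reads hping's output and prints a state for every port in the probed range, including the ports that never answered. The hping invocation in the comment is assumed (it needs root and a live target) and is not run here; the embedded sample output is constructed to resemble the tutorial's.

```shell
#!/bin/sh
# Added example, not from the tutorial: classify an hping SYN scan from its output.
#
# Assumed invocation (needs root and a reachable target; not run here):
#   hping3 -S -p ++21 -c 60 --fast 66.94.234.13 2>&1 | hping_classify 21 80
#
# hping numbers the probes it sends (seq=), and with -p ++21 the destination
# port is 21 + seq; the sport= field of a reply is the port that answered, so
# that is what we key on.

# usage: hping_classify FIRST_PORT LAST_PORT < hping-output
# Prints "PORT STATE" for every port in the range: open (SYN/ACK), closed
# (RST/ACK or RST), other:<flags> for anything else, filtered (no reply at all).
hping_classify() {
    awk -v first="$1" -v last="$2" '
    # Reply lines look like:
    #   len=40 ip=66.94.234.13 ttl=110 id=18735 sport=80 flags=SA seq=0 win=8192 rtt=95.7 ms
    /^len=/ {
        port = ""; flags = ""
        for (i = 1; i <= NF; i++) {
            if (index($i, "sport=") == 1) port = substr($i, 7)
            if (index($i, "flags=") == 1) flags = substr($i, 7)
        }
        if (port == "") next
        if (flags == "SA")                      state[port] = "open"
        else if (flags == "RA" || flags == "R") state[port] = "closed"
        else                                    state[port] = "other:" flags
    }
    END {
        # Anything in the probed range that never answered was dropped on the way
        for (p = first; p <= last; p++)
            print p, ((p in state) ? state[p] : "filtered")
    }'
}

# Constructed sample (modelled on the tutorial output, not a real capture):
# ports 21-25 probed, 22 open, 23 and 25 closed, 21 and 24 silent.
sample_scan_output() {
    cat <<'EOF'
HPING 66.94.234.13 (wlan0 66.94.234.13): S set, 40 headers + 0 data bytes
len=40 ip=66.94.234.13 ttl=110 id=18735 sport=22 flags=SA seq=1 win=8192 rtt=95.7 ms
len=40 ip=66.94.234.13 ttl=110 id=18736 sport=23 flags=RA seq=2 win=0 rtt=94.1 ms
len=40 ip=66.94.234.13 ttl=110 id=18737 sport=25 flags=RA seq=4 win=0 rtt=96.0 ms

--- 66.94.234.13 hping statistic ---
5 packets tramitted, 3 packets received, 40% packet loss
EOF
}

sample_scan_output | hping_classify 21 25
```

Because hping only prints replies, "filtered" is inferred from the range you tell the helper you probed; make sure FIRST_PORT/LAST_PORT match the -p ++N start and the -c count, or silent ports will be misreported.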

We all know how noisy port scans can be, so let's use an option that can
help us out.
---------------------------------------------------------------------

linuxbox:/home/d3hydr8 # hping2 -I wlan0 -SA -a 192.168.1.100 66.94.234.13 -p ++21 --faster
HPING 66.94.234.13 (wlan0 66.94.234.13): SA set, 40 headers + 0 data bytes
len=40 ip=66.94.234.13 ttl=255 id=6899 sport=80 flags=R seq=0 win=0 rtt=0.0 ms

--- 66.94.234.13 hping statistic ---
161083 packets tramitted, 1 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
---------------------------------------------------------------------

As you can see here we used the -a option to spoof our IP address (192.168.1.100
in place of our own). We also chose to combine flags with -SA, which sends
SYN/ACK probes instead of plain SYNs. Two things in the statistics are worth
noticing: --faster (-i u1000, 1000 packets per second) sent 161083 packets in
this run, and all but one of them got no answer (100% packet loss). That is the
catch with spoofing: the target replies to the spoofed address, not to us, so a
spoofed scan only yields results if we can see those replies some other way,
for example by sniffing on the segment where the spoofed address lives. To see
if my IP address was being spoofed I ran a session of tcpdump.
---------------------------------------------------------------------

linuxbox:/home/d3hydr8 # tcpdump -i wlan0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
00:14:03.969419 IP 192.168.1.100.29664 > w2.rc.vip.scd.yahoo.com.27299: S 247614302:247614302(0) ack 1324676282 win 512
00:14:03.971087 IP 192.168.1.100.29665 > w2.rc.vip.scd.yahoo.com.27300: S 1843027743:1843027743(0) ack 503065324 win 512
---------------------------------------------------------------------

Just as I expected, my IP is being spoofed: "IP 192.168.1.100.29664". (The
"S ... ack ..." in each tcpdump line is the SYN+ACK combination set by -SA.)

Let's try some firewall and traceroute action. First, let's use nmap to scan a port.
---------------------------------------------------------------------

linuxbox:/home/d3hydr8 # nmap -sS 69.147.122.169 -p 25

Starting Nmap 4.50 ( http://insecure.org ) at 2007-12-24 00:52 EST
Interesting ports on srp42r2.flickr.re2.yahoo.com (69.147.122.169):
PORT   STATE    SERVICE
25/tcp filtered smtp

Nmap done: 1 IP address (1 host up) scanned in 1.489 seconds
---------------------------------------------------------------------

It seems this port is behind some kind of firewall. Let's test it with hping and
a couple of new options:

-t sets the initial TTL in the IP header
-z binds the ctrl+z key combination to the TTL, meaning every time you press
   ctrl+z the TTL field is increased by one

Each router that decrements the TTL to zero sends back an ICMP "time exceeded",
which hping prints as "TTL 0 during transit from ...", so walking the TTL up by
hand traces the path hop by hop using whatever TCP probe we like (here a SYN to
port 25) rather than the UDP or ICMP echo probes of a normal traceroute. hping's
-T --traceroute mode does the same thing automatically, starting from TTL 1.
---------------------------------------------------------------------

linuxbox:/home/d3hydr8 # hping -I wlan0 -z -t 6 -S 69.147.122.169 -p 25
HPING 69.147.122.169 (wlan0 69.147.122.169): S set, 40 headers + 0 data bytes
TTL 0 during transit from ip=172.22.32.217 name=UNKNOWN
7: TTL 0 during transit from ip=216.206.221.149 name=atl-edge-18.inet.qwest.net
8: TTL 0 during transit from ip=205.171.21.161 name=atl-core-01.inet.qwest.net
9: TTL 0 during transit from ip=67.14.8.206 name=cer-core-02.inet.qwest.net
10: TTL 0 during transit from ip=205.171.139.118 name=chp-brdr-02.inet.qwest.net
12: TTL 0 during transit from ip=66.110.27.90 name=if-5-0-0-720.core2.DTX-Dallas.teleglobe.net
13: TTL 0 during transit from ip=66.198.2.10 name=ix-4-1.core2.DTX-Dallas.teleglobe.net
14: TTL 0 during transit from ip=216.115.101.144 name=so-4-1-0.pat1.dce.yahoo.com
15: TTL 0 during transit from ip=216.115.108.61 name=ge-3-1-0-p150.msr2.re1.yahoo.com
16: TTL 0 during transit from ip=206.190.41.73 name=te4-1.bas-b2.re2.yahoo.com
17: len=40 ip=69.147.122.169 ttl=255 id=31610 sport=25 flags=SA seq=0 win=0 rtt=0.0 ms
len=40 ip=69.147.122.169 ttl=255 id=21098 sport=25 flags=SA seq=0 win=0 rtt=0.0 ms
len=40 ip=69.147.122.169 ttl=255 id=2613 sport=25 flags=SA seq=0 win=0 rtt=0.0 ms
---------------------------------------------------------------------

As you can see above, we reached the server 11 hops past our starting TTL of 6:
the target itself answers at TTL 17 (no hop 11 is listed, which usually means
that router did not answer the probe). The SYN/ACK replies at the end mean our
SYN got through to port 25 and something answered it, even though nmap reported
the port as filtered, so whatever nmap ran into is not dropping every SYN to
that port.
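Reading hop numbers off the raw output gets tedious, and it is easy to miss a gap like hop 11 above. The helper below is an added example, not part of the original tutorial: it turns hping's TTL-walk output into a hop table, fills in the TTLs that never answered, and stops at the first reply from the target itself. The hping invocations in the comment (both the interactive -z walk and the -T traceroute mode from the options list) are assumed and not run here; the embedded sample is the tutorial's own output from the run above.

```shell
#!/bin/sh
# Added example, not from the tutorial: turn a manual TTL walk into a hop table.
# Prints one line per TTL: "HOP IP NAME" for each router that sent an ICMP
# time-exceeded, "HOP * no-reply" for TTLs missing from the output, and
# "HOP IP reached flags=XX" when the target itself answers the TCP probe.
#
# Assumed invocations (need root and a live target; not run here), either the
# tutorial's way (press ctrl+z once per hop) or hping's traceroute mode, which
# increments the TTL by itself from 1 and with --tr-stop exits on the first
# non-ICMP reply:
#   hping3 -z -t 6 -S -p 25 69.147.122.169 2>&1 | hping_hops 6
#   hping3 -T --tr-stop -S -p 25 69.147.122.169 2>&1 | hping_hops 1
#
# usage: hping_hops [START_TTL] < hping-output
# Assumption: a "TTL 0 during transit" line without an "N:" prefix is the reply
# for the starting TTL (the -t value); it is printed as "?" if none is given.
hping_hops() {
    awk -v start="${1:-?}" '
    function field(prefix,   i) {          # value of the "prefix=value" field, or ""
        for (i = 1; i <= NF; i++)
            if (index($i, prefix) == 1) return substr($i, length(prefix) + 1)
        return ""
    }
    function hopnum() {                    # leading "17:" -> 17, otherwise START_TTL
        if ($1 ~ /^[0-9]+:$/) return substr($1, 1, length($1) - 1) + 0
        return start
    }
    function gaps(hop,   g) {              # report the TTLs nobody answered
        if (prev != "" && hop ~ /^[0-9]+$/ && hop > prev + 1)
            for (g = prev + 1; g < hop; g++) print g, "*", "no-reply"
        if (hop ~ /^[0-9]+$/) prev = hop
    }
    /TTL 0 during transit/ {               # ICMP time exceeded from a router
        hop = hopnum(); gaps(hop)
        print hop, field("ip="), field("name=")
        next
    }
    /^([0-9]+: )?len=/ {                   # a TCP reply: the target itself
        hop = hopnum(); gaps(hop)
        print hop, field("ip="), "reached flags=" field("flags=")
        exit                               # first answer from the target ends the trace
    }'
}

# The tutorial's own hping output from the TTL walk above, embedded for the demo
sample_trace_output() {
    cat <<'EOF'
HPING 69.147.122.169 (wlan0 69.147.122.169): S set, 40 headers + 0 data bytes
TTL 0 during transit from ip=172.22.32.217 name=UNKNOWN
7: TTL 0 during transit from ip=216.206.221.149 name=atl-edge-18.inet.qwest.net
8: TTL 0 during transit from ip=205.171.21.161 name=atl-core-01.inet.qwest.net
9: TTL 0 during transit from ip=67.14.8.206 name=cer-core-02.inet.qwest.net
10: TTL 0 during transit from ip=205.171.139.118 name=chp-brdr-02.inet.qwest.net
12: TTL 0 during transit from ip=66.110.27.90 name=if-5-0-0-720.core2.DTX-Dallas.teleglobe.net
13: TTL 0 during transit from ip=66.198.2.10 name=ix-4-1.core2.DTX-Dallas.teleglobe.net
14: TTL 0 during transit from ip=216.115.101.144 name=so-4-1-0.pat1.dce.yahoo.com
15: TTL 0 during transit from ip=216.115.108.61 name=ge-3-1-0-p150.msr2.re1.yahoo.com
16: TTL 0 during transit from ip=206.190.41.73 name=te4-1.bas-b2.re2.yahoo.com
17: len=40 ip=69.147.122.169 ttl=255 id=31610 sport=25 flags=SA seq=0 win=0 rtt=0.0 ms
len=40 ip=69.147.122.169 ttl=255 id=21098 sport=25 flags=SA seq=0 win=0 rtt=0.0 ms
EOF
}

sample_trace_output | hping_hops 6
```

The flags= value on the "reached" line is the interesting bit for firewall testing: SA means the probe reached a listening port, RA a closed one, and an ICMP "time exceeded" that keeps coming from the same hop while the TTL rises means a device on the path is eating the probe.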

Using hping as a DoS tool can be as easy as two options:

-a spoofs your source address
-i sets the interval between packets in microseconds (-i u1000 is one packet
   every millisecond, 1000 per second; --flood sends as fast as possible)

hping2 -I wlan0 -a 192.168.1.100 -S 192.168.1.104 -p 6667 -i u1000

This is a SYN flood: every spoofed SYN makes 192.168.1.104 allocate a half-open
connection on port 6667 and send its SYN/ACK to 192.168.1.100, which never
answers, so the target's backlog fills up while the real sender's address never
appears on the wire. --rand-source (see the options list below) does the same
with a different fake source address on every packet.
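Both the spoofed scan verified with tcpdump earlier and the SYN flood above look the same from the target's side: a burst of SYNs whose source address is not the real sender. The helper below is an added example, not part of the original tutorial: a small detector that reads tcpdump output in the format the tutorial shows, buckets bare SYNs per second and destination, and alerts on a high rate coming from few source hosts. The tcpdump command in the comment is assumed and not run here; the embedded capture lines are constructed.

```shell
#!/bin/sh
# Added example, not from the tutorial: the defender's view of the spoofed runs.
# The tcpdump lines the tutorial shows are the old tcpdump 3.x format
# ("S seq:seq(0) win 512", with " ack N" present on a SYN/ACK); this parser
# follows that format (newer tcpdump prints "Flags [S]" instead). It buckets
# bare SYNs per second and per destination host.port, reports every bucket at
# or above THRESHOLD and counts the distinct source hosts behind it: a high SYN
# rate from one or two sources is the signature of the -a ... -S ... -i u1000
# flood above (with --rand-source the source count explodes instead).
#
# Assumed capture command (needs root; not run here). -nn keeps addresses
# numeric so the source-port stripping below always sees "a.b.c.d.port":
#   tcpdump -nn -i wlan0 'tcp[tcpflags] & tcp-syn != 0' | syn_flood_detect 200
#
# usage: syn_flood_detect THRESHOLD < tcpdump-output
syn_flood_detect() {
    awk -v thr="$1" '
    # fields: 1=timestamp 2="IP" 3=src.port 4=">" 5="dst.port:" 6=flags ...
    $2 == "IP" && $6 == "S" && $0 !~ / ack / {
        sec = substr($1, 1, 8)                  # HH:MM:SS bucket
        dst = $5; sub(/:$/, "", dst)            # "host.port:" -> "host.port"
        src = $3; sub(/\.[0-9]+$/, "", src)     # drop the source port, keep the host
        key = sec " " dst
        syn[key]++
        if (!((key, src) in seen)) { seen[key, src] = 1; hosts[key]++ }
    }
    END {
        for (k in syn)
            if (syn[k] >= thr) print "ALERT", k, "syn=" syn[k], "sources=" hosts[k]
    }' | sort
}

# Constructed sample in the tutorial's tcpdump format (not a real capture):
# four spoofed SYNs from 192.168.1.100 to 192.168.1.104 port 6667 within one
# second, the target's SYN/ACK going back (ignored: it carries "ack"), and one
# ordinary SYN from another host a second later.
sample_tcpdump_output() {
    cat <<'EOF'
00:14:03.969419 IP 192.168.1.100.29664 > 192.168.1.104.6667: S 247614302:247614302(0) win 512
00:14:03.970412 IP 192.168.1.100.29665 > 192.168.1.104.6667: S 1843027743:1843027743(0) win 512
00:14:03.971398 IP 192.168.1.100.29666 > 192.168.1.104.6667: S 90210:90210(0) win 512
00:14:03.972377 IP 192.168.1.100.29667 > 192.168.1.104.6667: S 31337:31337(0) win 512
00:14:03.972901 IP 192.168.1.104.6667 > 192.168.1.100.29664: S 5551212:5551212(0) ack 247614303 win 5840
00:14:04.118210 IP 192.168.1.50.40001 > 192.168.1.104.6667: S 777:777(0) win 5840
EOF
}

sample_tcpdump_output | syn_flood_detect 3
```

Detection is only half of it: on a Linux target, SYN cookies (net.ipv4.tcp_syncookies=1) let the kernel answer SYNs without holding backlog state, which is what makes the spoofed half-open connections above pile up in the first place.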

I hope you learned something about the basic workings of hping from this
tutorial. I encourage you to check out all the options and techniques
hping has to offer.
visit darkc0de.com, thanks d3hydr8[at]darkc0de[dot]com
Hping Options:

usage: hping host [options]
  -h  --help      show this help
  -v  --version   show version
  -c  --count     packet count
  -i  --interval  wait (uX for X microseconds, for example -i u1000)
      --fast      alias for -i u10000 (10 packets for second)
      --faster    alias for -i u1000 (100 packets for second)
      --flood      sent packets as fast as possible. Don't show replies.
  -n  --numeric   numeric output
  -q  --quiet     quiet
  -I  --interface interface name (otherwise default routing interface)
  -V  --verbose   verbose mode
  -D  --debug     debugging info
  -z  --bind      bind ctrl+z to ttl           (default to dst port)
  -Z  --unbind    unbind ctrl+z
      --beep      beep for every matching packet received
Mode
  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode
  -8  --scan       SCAN mode.
                   Example: hping --scan 1-30,70-90 -S www.target.host
  -9  --listen     listen mode
IP
  -a  --spoof      spoof source address
  --rand-dest      random destionation address mode. see the man.
  --rand-source    random source address mode. see the man.
  -t  --ttl        ttl (default 64)
  -N  --id         id (default random)
  -W  --winid      use win* id byte ordering
  -r  --rel        relativize id field          (to estimate host traffic)
  -f  --frag       split packets in more frag.  (may pass weak acl)
  -x  --morefrag   set more fragments flag
  -y  --dontfrag   set dont fragment flag
  -g  --fragoff    set the fragment offset
  -m  --mtu        set virtual mtu, implies --frag if packet size > mtu
  -o  --tos        type of service (default 0x00), try --tos help
  -G  --rroute     includes RECORD_ROUTE option and display the route buffer
  --lsrr           loose source routing and record route
  --ssrr           strict source routing and record route
  -H  --ipproto    set the IP protocol field, only in RAW IP mode
ICMP
  -C  --icmptype   icmp type (default echo request)
  -K  --icmpcode   icmp code (default 0)
      --force-icmp send all icmp types (default send only supported types)
      --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)
      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)
      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)
      --icmp-help  display help for others icmp options
UDP/TCP
  -s  --baseport   base source port             (default random)
  -p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec
  -k  --keep       keep still source port
  -w  --win        winsize (default 64)
  -O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen / 4)
  -Q  --seqnum     shows only tcp sequence number
  -b  --badcksum   (try to) send packets with a bad IP checksum
                   many systems will fix the IP checksum sending the packet
                   so you'll get bad UDP/TCP checksum instead.
  -M  --setseq     set TCP sequence number
  -L  --setack     set TCP ack
  -F  --fin        set FIN flag
  -S  --syn        set SYN flag
  -R  --rst        set RST flag
  -P  --push       set PUSH flag
  -A  --ack        set ACK flag
  -U  --urg        set URG flag
  -X  --xmas       set X unused flag (0x40)
  -Y  --ymas       set Y unused flag (0x80)
  --tcpexitcode    use last tcp->th_flags as exit code
  --tcp-timestamp  enable the TCP timestamp option to guess the HZ/uptime
Common
  -d  --data       data size                    (default is 0)
  -E  --file       data from file
  -e  --sign       add 'signature'
  -j  --dump       dump packets in hex
  -J  --print      dump printable characters
  -B  --safe       enable 'safe' protocol
  -u  --end        tell you when --file reached EOF and prevent rewind
  -T  --traceroute traceroute mode              (implies --bind and --ttl 1)
  --tr-stop        Exit when receive the first not ICMP in traceroute mode
  --tr-keep-ttl    Keep the source TTL fixed, useful to monitor just one hop
  --tr-no-rtt       Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
  --apd-send       Send the packet described with APD (see docs/APD.txt)