Hping2 is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) Unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files between a covert channel, and many other features. All header fields can be modified and controlled using the command line. A good understanding of IP and TCP/UDP is mandatory to use and understand the utility. While hping2 was mainly used as a security tool in the past, it can be used in many ways. Below is a subset of the stuff you can do using hping2:

  • Firewall testing
  • Advanced port scanning
  • Network testing, using different protocols, TOS, fragmentation
  • Manual path MTU discovery
  • Advanced traceroute, under all the supported protocols
  • Remote OS fingerprinting
  • Remote uptime guessing
  • TCP/IP stacks auditing
  • hping can also be useful to students that are learning TCP/IP.

­­­­­­­­­­­For a more detailed description and to download the binaries, visit http://www.hping.org. You can obtain a full working version of hping2 on a bootable CD (among other tools) at http://www.knoppix-std.org or on BackTrack.

While hping2 can do all of that, we will start by learning how hping2 can manipulate and craft packets for the testing of remote systems. We are going to start out easy and send different types of TCP packets with different flags set.

Hping2 is relatively easy to install on any *nix system. Go to the website and download it or use wget. Once it’s downloaded you can issue the configure, make & make install commands to compile and install the program. Once it’s installed you will see that hping2 has a ton of options. You can see them by issuing the man hping2 or hping2 –help command. I won’t promise we’ll go through them all but we are going to try.

Using Hping2 to Craft TCP Packets

Crafting TCP packets is the default behavior of Hping. By specifying the TCP flags, a destination port and a target IP address, one can easily construct TCP packets.

-F –fin set FIN flag
-S –syn set SYN flag
-R –rst set RST flag
-P –push set PUSH flag
-A –ack set ACK flag
-U –urg set URG flag
-X –xmas set X unused flag (0x40)
-Y –ymas set Y unused flag (0x80)

Before we start throwing packets all over your lab network, you should be aware that when you do not specify a destination port on the targeted computer it will default to 0. Also if you do not specify a source port it will use a random ephemeral port and go up numerically from there. P.S. I am going to use TCPDUMP to view the output of the hping2 packets/scans. If it’s a bunch of nonsense to you, I recommend you learn TCPDUMP basics (use Google).

-S (SYN) Packet

The first packet we are going to send is the –S Syn packet. The attacker computer is 192.168.0.105 and the computer we are attacking is 192.168.0.100.

Hping2 INPUT:

[root@localhost hping2-rc3]# hping2 -S 192.168.0.100
HPING 192.168.0.100 (eth0 192.168.0.100): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 id=18414 sport=0 flags=RA seq=0 win=0 rtt=149.9 ms
len=46 ip=192.168.0.100 ttl=128 id=18416 sport=0 flags=RA seq=1 win=0 rtt=0.5 ms
len=46 ip=192.168.0.100 ttl=128 id=18417 sport=0 flags=RA seq=2 win=0 rtt=0.4 ms
len=46 ip=192.168.0.100 ttl=128 id=18418 sport=0 flags=RA seq=3 win=0 rtt=0.5 ms
len=46 ip=192.168.0.100 ttl=128 id=18420 sport=0 flags=RA seq=4 win=0 rtt=1.6 ms
— 192.168.0.100 hping statistic —
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.4/30.6/149.9 ms
[root@localhost hping2-rc3]#

TCPDUMP OUTPUT:

[root@localhost root]# tcpdump tcp -X -s 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
14:19:22.506194 IP 192.168.0.105.2690 > 192.168.0.100.0: S 729051484:729051484(0) win 512
0x0000: 4500 0028 f5e2 0000 4006 02d0 c0a8 0069 E..( ….@……i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 0a82 0000 2b74 715c 00ee aed9 …d….+tq\….
0x0020: 5002 0200 d4aa 0000 P…….
14:19:23.649879 IP 192.168.0.105.2691 > 192.168.0.100.0: S 1045497134:1045497134(0) win 512
0x0000: 4500 0028 09bb 0000 4006 eef7 c0a8 0069 E..( ….@……i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 0a83 0000 3e51 052e 34a4 7513 …d….>Q..4.u.
0x0020: 5002 0200 340b 0000 P…4…
14:19:24.649886 IP 192.168.0.105.2692 > 192.168.0.100.0: S 734408221:734408221(0) win 512
0x0000: 4500 0028 79cb 0000 4006 7ee7 c0a8 0069 E..(y…@.~….i
0x0010: c0a8 0064 0a84 0000 2bc6 2e1d 1432 0224 …d….+….2.$
0x0020: 5002 0200 b107 0000 P…….

—–SNIP———
10 packets captured
10 packets received by filter
0 packets dropped by kernel
[root@localhost root]#

As you can see in blue, hping2 picked an arbitrary port, in this case 2690, and incremented by one each time. In orange is the target port of 0 on the remote system which stays 0 since we did not specify a destination port. We can tell that is a SYN packet by seeing the S in red. Additionally, I received ACKs back from the 192.168.0.100 machine but edited those out here. That explains why in the hping2 output I sent 5 packets and received 5 packets. They were ACKs to my SYN packets.

Sending a SYN packet by the initiating system is the first step in the TCP/IP 3 way handshake. The next step is for the replying computer to send back a SYN/ACK packet, and finally an ACK packet to complete the handshake process.

The SYN (Steath) Scan is one of the most common scans used by port scanners. When the scan was initially being used it was considered stealthy because connections were not logged if they did not complete the 3 way handshake process. This has sense been long remedied and most common Intrusion Detection Systems will alert on SYN Scans.

-R (RST) Packet

The next packet we are going to send is the –R Reset (RST) packet. The reset packet is used to reset a connection. As you can see the command syntax is very similar. The only change is in the actual switch itself. Instead of -S it is -R.

“The RST packet is often used to perform what is known as inverse mapping. What this means is that RST packets are sent out and the response received is what will tell you if the host exists or not. If you send out a RST scan you would get one of two things. You will either get no response which indicates to you that the host is probably alive or you’ll receive an ICMP host unreachable message. This would indicate that the host does not exist. This is what is known as inverse mapping. Some IDS systems will not log RST packets/scans due to the sheer multitude of them. This is why the inverse scan is popular.” [1]

Hping2 INPUT:

[root@localhost hping2-rc3]# hping2 -R 192.168.0.100
HPING 192.168.0.100 (eth0 192.168.0.100): R set, 40 headers + 0 data bytes

— 192.168.0.100 hping statistic —
6 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@localhost hping2-rc3]#

TCPDUMP OUTPUT:

[root@localhost root]# tcpdump tcp -X -s 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
13:52:02.992694 IP 192.168.0.105.2894 > 192.168.0.100.0: R 843167096:843167096(0) win 512
0x0000: 4500 0028 8689 0000 4006 7229 c0a8 0069 E..(….@.r)…i
0x0010: c0a8 0064 0b4e 0000 3241 b578 14bc b5a8 …d.N..2A.x….
0x0020: 5004 0200 6e56 0000 P…nV..
13:52:04.009817 IP 192.168.0.105.2895 > 192.168.0.100.0: R 378615428:378615428(0) win 512
0x0000: 4500 0028 d259 0000 4006 2659 c0a8 0069 E..(.Y..@.&Y…i
0x0010: c0a8 0064 0b4f 0000 1691 3684 60ba 0a6b …d.O….6.`..k
0x0020: 5004 0200 6839 0000 P…h9..
13:52:05.010133 IP 192.168.0.105.2896 > 192.168.0.100.0: R 1069416179:1069416179(0) win 512
0x0000: 4500 0028 5cd5 0000 4006 9bdd c0a8 0069 E..( …@……i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 0b50 0000 3fbd fef3 51ed 7a0f …d.P..?…Q.z.
0x0020: 5004 0200 15c5 0000 P…….
13:52:06.009702 IP 192.168.0.105.2897 > 192.168.0.100.0: R 1038765926:1038765926(0) win 512
0x0000: 4500 0028 f915 0000 4006 ff9c c0a8 0069 E..( ….@……i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 0b51 0000 3dea 4f66 641a 6926 …d.Q..=.Ofd.i&
0x0020: 5004 0200 c5e0 0000 P…….
—SNIP—
6 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@localhost root]#

-F (FIN) Packet

The FIN packet is used to close an established connection. It is also used to conduct a FIN Scan. When a closed port receives a FIN packet, it should respond with a RST packet while an open port should do nothing (ignore the packet).

Hping2 INPUT:

[root@localhost hping2-rc3]# hping2 -F 192.168.0.100
HPING 192.168.0.100 (eth0 192.168.0.100): F set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 id=20173 sport=0 flags=RA seq=0 win=0 rtt=34.2 ms
len=46 ip=192.168.0.100 ttl=128 id=20174 sport=0 flags=RA seq=1 win=0 rtt=0.8 ms
len=46 ip=192.168.0.100 ttl=128 id=20175 sport=0 flags=RA seq=2 win=0 rtt=0.5 ms
len=46 ip=192.168.0.100 ttl=128 id=20176 sport=0 flags=RA seq=3 win=0 rtt=0.5 ms
— 192.168.0.100 hping statistic —
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.5/9.0/34.2 ms
[root@localhost hping2-rc3]#

TCPDUMP OUTPUT:

[root@localhost root]# tcpdump tcp -X -s 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
14:47:52.920308 IP 192.168.0.105.1416 > 192.168.0.100.0: F 1501065776:1501065776(0) win 512
0x0000: 4500 0028 a604 0000 4006 52ae c0a8 0069 E..( ….@.R….i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 0588 0000 5978 7230 4472 964e …d….Yxr0Dr.N
0x0020: 5001 0200 7fd4 0000 P…….
14:47:52.922503 IP 192.168.0.100.0 > 192.168.0.105.1416: R 0:0(0) ack 1501065777 win 0
0x0000: 4500 0028 4ecd 0000 8006 69e5 c0a8 0064 E..(N…..i….d
0x0010: c0a8 0069 0000 0588 0000 0000 5978 7231 …i……..Yxr1
0x0020: 5014 0000 5c81 0000 0000 0000 0000 P…\………
14:47:53.950386 IP 192.168.0.105.1417 > 192.168.0.100.0: F 378133699:378133699(0) win 512
0x0000: 4500 0028 e2c8 0000 4006 15ea c0a8 0069 E..( ….@……i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 0589 0000 1689 dcc3 42ae d092 …d……..B…
0x0020: 5001 0200 1faf 0000 P…….
14:47:53.950837 IP 192.168.0.100.0 > 192.168.0.105.1417: R 0:0(0) ack 378133700 win 0
0x0000: 4500 0028 4ece 0000 8006 69e4 c0a8 0064 E..(N…..i….d
0x0010: c0a8 0069 0000 0589 0000 0000 1689 dcc4 …i…………
0x0020: 5014 0000 34dc 0000 0000 0000 0000 P…4………
14:47:54.950227 IP 192.168.0.105.1418 > 192.168.0.100.0: F 716278911:716278911(0) win 512
0x0000: 4500 0028 3a33 0000 4006 be7f c0a8 0069 E..(: 3..@……i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 058a 0000 2ab1 8c7f 072d 4ef8 …d….*….-N.
0x0020: 5001 0200 18e6 0000 P…….
14:47:54.950539 IP 192.168.0.100.0 > 192.168.0.105.1418: R 0:0(0) ack 716278912 win 0
0x0000: 4500 0028 4ecf 0000 8006 69e3 c0a8 0064 E..(N…..i….d
0x0010: c0a8 0069 0000 058a 0000 0000 2ab1 8c80 …i……..*…
0x0020: 5014 0000 70f7 0000 0000 0000 0000 P…p………
14:47:55.950485 IP 192.168.0.105.1419 > 192.168.0.100.0: F 453633263:453633263(0) win 512
0x0000: 4500 0028 a536 0000 4006 537c c0a8 0069 E..(.6..@.S|…i
0x0010: c0a8 0064 058b 0000 1b09 e4ef 16f3 9998 …d…………
0x0020: 5001 0200 75b6 0000 P…u…
14:47:55.950800 IP 192.168.0.100.0 > 192.168.0.105.1419: R 0:0(0) ack 453633264 win 0
0x0000: 4500 0028 4ed0 0000 8006 69e2 c0a8 0064 E..(N…..i….d
0x0010: c0a8 0069 0000 058b 0000 0000 1b09 e4f0 …i…………
0x0020: 5014 0000 282e 0000 0000 0000 0000 P…(………

8 packets captured
8 packets received by filter
0 packets dropped by kernel
[root@localhost root]#

You can see from the TCPDUMP output that the attacker computer 192.168.0.105 sends a FIN packet to 192.168.0.100, and in turn, because we are sending the packet to a most likely closed port, port 0, it returns a RST packet back. Most documentation will tell you that this scan usually doesn’t work anymore due to patching and whatnot, but the 192.168.0.100 computer is an XP Professional SP2 fully patched machine only. The firewall is completely turned off.

For giggles I tried to send FIN packets to ports I knew were open on the box, ports 135 & 445, and received RST back as well. So I guess that tells us something about the reliability of the scan against a Windows XP Box.

I am going to show the output of the scan here, but we will cover destination ports later so don’t worry too much about it now.

Hping2 INPUT:

[root@localhost hping2-rc3]# hping2 -F 192.168.0.100 -p 135
HPING 192.168.0.100 (eth0 192.168.0.100): F set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 id=22178 sport=135 flags=RA seq=0 win=0 rtt=131.7 ms
len=46 ip=192.168.0.100 ttl=128 id=22181 sport=135 flags=RA seq=1 win=0 rtt=0.6 ms
len=46 ip=192.168.0.100 ttl=128 id=22182 sport=135 flags=RA seq=2 win=0 rtt=2.8 ms
len=46 ip=192.168.0.100 ttl=128 id=22183 sport=135 flags=RA seq=3 win=0 rtt=0.9 ms
— 192.168.0.100 hping statistic —
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.6/34.0/131.7 ms
[root@localhost hping2-rc3]#

TCPDUMP OUTPUT:

[root@localhost root]# tcpdump tcp -X -s 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
15:17:04.795615 IP 192.168.0.105.2805 > 192.168.0.100.135: F 879656640:879656640(0) win 512
0x0000: 4500 0028 9418 0000 4006 649a c0a8 0069 E..( ….@.d….i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 0af5 0087 346e 7ec0 63a0 baf6 …d….4n~.c…
0x0020: 5001 0200 4e84 0000 P…N…
15:17:04.797291 IP 192.168.0.100.135 > 192.168.0.105.2805: R 0:0(0) ack 879656641 win 0
0x0000: 4500 0028 56a2 0000 8006 6210 c0a8 0064 E..(V…..b….d
0x0010: c0a8 0069 0087 0af5 0000 0000 346e 7ec1 …i……..4n~.
0x0020: 5014 0000 6f07 0000 0000 0000 0000 P…o………
15:17:05.922394 IP 192.168.0.105.2806 > 192.168.0.100.135: F 1281421513:1281421513(0) win 512
0x0000: 4500 0028 fb96 0000 4006 fd1b c0a8 0069 E..( ….@……i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 0af6 0087 4c60 f0c9 349c 85a8 …d….L`..4…
0x0020: 5001 0200 28da 0000 P…(…
15:17:05.922708 IP 192.168.0.100.135 > 192.168.0.105.2806: R 0:0(0) ack 1281421514 win 0
0x0000: 4500 0028 56a5 0000 8006 620d c0a8 0064 E..(V…..b….d
0x0010: c0a8 0069 0087 0af6 0000 0000 4c60 f0ca …i……..L`..
0x0020: 5014 0000 e50a 0000 0000 0000 0000 P………….
—SNIP—8 packets captured
8 packets received by filter
0 packets dropped by kernel
[root@localhost root]#

ICMP Packets

Most ping programs use ICMP echo requests and wait for echo replies to come back to test connectivity. Hping2 allows us to do the same testing using any IP packet, including ICMP, UDP, and TCP. This can be helpful since nowadays most firewalls or routers block ICMP. Hping2, by default, will use TCP, but, if you still want to send an ICMP scan, you can. We send ICMP scans using the -1 (one) mode. Basically the syntax will be hping2 -1 IPADDRESS

Hping2 INPUT:

[root@localhost hping2-rc3]# hping2 -1 192.168.0.100
HPING 192.168.0.100 (eth0 192.168.0.100): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 id=27118 icmp_seq=0 rtt=14.9 ms
len=46 ip=192.168.0.100 ttl=128 id=27119 icmp_seq=1 rtt=0.5 ms
len=46 ip=192.168.0.100 ttl=128 id=27120 icmp_seq=2 rtt=0.5 ms
len=46 ip=192.168.0.100 ttl=128 id=27121 icmp_seq=3 rtt=1.5 ms
len=46 ip=192.168.0.100 ttl=128 id=27122 icmp_seq=4 rtt=0.9 ms
— 192.168.0.100 hping statistic —
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.5/3.7/14.9 ms
[root@localhost hping2-rc3]#

TCPDUMP OUTPUT:

[root@localhost root]# tcpdump -X
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 68 bytes
15:44:16.052016 IP 192.168.0.105 > 192.168.0.100: icmp 8: echo request seq 0
0x0000: 4500 001c 5161 0000 4001 a762 c0a8 0069 E…Qa..@..b…i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 0800 8bb6 6c49 0000 …d….lI..
15:44:16.052673 IP 192.168.0.100 > 192.168.0.105: icmp 8: echo reply seq 0
0x0000: 4500 001c 69ee 0000 8001 4ed5 c0a8 0064 E…i…..N….d
0x0010: c0a8 0069 0000 93b6 6c49 0000 0000 0000 …i….lI……
0x0020: 0000 0000 0000 0000 0000 0000 0000 …………..

UDP Packets

Like I already mentioned, the default protocol for hping2 is the TCP. But just like with ICMP, if you want to send a UDP packet you can with hping2. We send UDP scans using the -2 (two) mode. Basically the syntax will be hping2 -2 IPADDRESS. UDP Scans can be useful when probing UDP services like NETBIOS, NFS, DNS, & NIS.

Hping2 INPUT:

[root@localhost hping2-rc3]# hping2 -2 192.168.0.100
HPING 192.168.0.100 (eth0 192.168.0.100): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.0.100 name=UNKNOWN
ICMP Port Unreachable from ip=192.168.0.100 name=UNKNOWN
ICMP Port Unreachable from ip=192.168.0.100 name=UNKNOWN
ICMP Port Unreachable from ip=192.168.0.100 name=UNKNOWN
ICMP Port Unreachable from ip=192.168.0.100 name=UNKNOWN
— 192.168.0.100 hping statistic —
5 packets tramitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@localhost hping2-rc3]#

TCPDUMP OUTPUT:

[root@localhost root]# tcpdump udp -X -s 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
15:55:32.164563 IP 192.168.0.105.2356 > 192.168.0.100.0: UDP, length: 0
0x0000: 4500 001c 0b98 0000 4011 ed1b c0a8 0069 E…….@……i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 0934 0000 0008 748c …d.4….t.
15:55:33.190960 IP 192.168.0.105.2357 > 192.168.0.100.0: UDP, length: 0
0x0000: 4500 001c bc4e 0000 4011 3c65 c0a8 0069 E….N..@.<e…i
0x0010: c0a8 0064 0935 0000 0008 748b …d.5….t.
15:55:34.192154 IP 192.168.0.105.2358 > 192.168.0.100.0: UDP, length: 0
0x0000: 4500 001c 7f81 0000 4011 7932 c0a8 0069 E…….@.y2…i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 0936 0000 0008 748a …d.6….t.
15:55:35.190593 IP 192.168.0.105.2359 > 192.168.0.100.0: UDP, length: 0
0x0000: 4500 001c 3a9c 0000 4011 be17 c0a8 0069 E…: …@……i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 0937 0000 0008 7489 …d.7….t.
15:55:36.190661 IP 192.168.0.105.2360 > 192.168.0.100.0: UDP, length: 0
0x0000: 4500 001c 6faa 0000 4011 8909 c0a8 0069 E…o…@……i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 0938 0000 0008 7488 …d.8….t.
[root@localhost root]#

-S SYN Scan and Specifying Ports

Now we are going to start seeing the power of hping2 a little more. We are going to direct a SYN packet at a specified port, in this case port 135. To send a SYN packet at a specific port requires a few more switches. We are going to send a SYN (-S) packet to 192.168.0.100 specifically on port 135 by putting in the (-p) switch. The –p switch allows you to specify the destination port. To specify the source port on your machine you want the packet to go out on, you would use the -s switch followed by a port number just as the destination port example below.

HPING2 INPUT:

[root@localhost hping2-rc3]# hping2 -S 192.168.0.100 -p 135
HPING 192.168.0.100 (eth0 192.168.0.100): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 DF id=28733 sport=135 flags=SA seq=0 win=16616 rtt=122.8 ms
len=46 ip=192.168.0.100 ttl=128 DF id=28734 sport=135 flags=SA seq=1 win=16616 rtt=11.7 ms
len=46 ip=192.168.0.100 ttl=128 DF id=28737 sport=135 flags=SA seq=2 win=16616 rtt=1.4 ms
len=46 ip=192.168.0.100 ttl=128 DF id=28738 sport=135 flags=SA seq=3 win=16616 rtt=1.5 ms
— 192.168.0.100 hping statistic —
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 1.4/34.3/122.8 ms
[root@localhost hping2-rc3]#

TCPDUMP OUTPUT:

[root@localhost root]# tcpdump tcp -X -s 1514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 1514 bytes
16:09:12.059187 IP 192.168.0.105.1839 > 192.168.0.100.135: S 15960697:15960697(0) win 512
0x0000: 4500 0028 596b 0000 4006 9f47 c0a8 0069 E..( Yk..@..G…i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 072f 0087 00f3 8a79 3a64 1ef1 …d./…..y:d..
0x0020: 5002 0200 3f4d 0000 P…?M..
16:09:12.061047 IP 192.168.0.100.135 > 192.168.0.105.1839: S 1298117721:1298117721(0) ack 15960698 win 16616 <mss 1460>
0x0000: 4500 002c 703d 4000 8006 0871 c0a8 0064 E..,p=@….q…d
0x0010: c0a8 0069 0087 072f 4d5f b459 00f3 8a7a …i…/M_.Y…z
0x0020: 6012 40e8 4034 0000 0204 05b4 0000 `.@.@4……..
16:09:12.069235 IP 192.168.0.105.1839 > 192.168.0.100.135: R 15960698:15960698(0) win 0
0x0000: 4500 0028 0000 4000 4006 b8b2 c0a8 0069 E..(..@ .@……i This e-mail address is being protected from spam bots, you need JavaScript enabled to view it
0x0010: c0a8 0064 072f 0087 00f3 8a7a 0000 0000 …d./…..z….
0x0020: 5004 0000 9a9f 0000 P…….
[root@localhost root]#

An open port is indicated by a SA return packet (see the hping2 input), closed ports by a RA packet (see the other hping2 input where we sent the packet to port 0). Remember the TCP 3-way handshake! In this case the 192.168.0.100 computer responded with a SYN-ACK and the attacker computer responded with a RST to end the connection.

Now that you are starting to see the possibilities of crafting your own custom packets with hping2, it’s time for you to expand on the knowledge you have just acquired. Test out hping2 on your own and start to think creatively about ways in which this versatile tool can be used. Then you will be ready for the more advanced tutorial that will be arriving within the next few months.

References

This tutorial is very much based on Don Parker’s paper. I didn’t like that he didn’t show the hping output or explain very much on the tcpdump output so I attempted to improve upon his work by showing the output of the hping2 commands and going into more detail with the tcpdump output.

Getting Started

First steps

First of all you need a working hping3 installation. Go to the download page, and download the latest hping3 tar.gz available. Install it, and log in as the root user (you need this to send and receive raw packets).

To enter the hping3 interactive shell, just type:

# hping3
 

without any argument. If hping was compiled with Tcl scripting capabilities you should see a prompt. The prompt will accept any Tcl command, it’s actually a Tcl shell, what’s special about it is that there is a new command called hping, and support for big numbers using commands like +, , and so on.

As first try, you can type a simple command and see the result:

hping3.0.0-alpha-1> hping resolve www.google.com
66.102.9.104
 

The hping command should be called with a subcommand as a first argument (resolve in the example) and additional arguments according to the particular subcommand. The hping resolve command is used to convert a hostname to an IP address.

Ok, that’s the basic usage. Now we can start to try more advanced commands (you can find a complete list of commands in the hping3 API page). For example the hping send command can send TCP/IP packets that you can easily describe as strings:

hping3.0.0-alpha-1> hping send {ip(daddr=192.168.1.8)+icmp(type=8,code=0)}
 

This command means “send an ICMP echo request packet to 192.168.1.8”. Many details of the packet can be omitted. For example we didn’t specify our source address (that will default to the real source address of the sender, the one of the outgoing interface), nor the IP or ICMP checksum. hping will compute them for us.

Let’s check what tcpdump running at 192.168.1.8 detected:

tcpdump: listening on eth0
19:09:16.556695 192.168.1.6 > 192.168.1.8: icmp: echo request [ttl 0]
19:09:16.556803 192.168.1.8 > 192.168.1.6: icmp: echo reply
 

Our ICMP packet reached the destination, that kindly replied with an ICMP echo reply packet.
It’s better to recall for a second the previous command, to analyze it better:
hping3.0.0-alpha-1> hping send {ip(daddr=192.168.1.8)+icmp(type=8,code=0)}
As you can see, there are { and } surrounding the packet description. This is required by Tcl in order to quote the string so that special characters will not be interpreted. Quoting with {} in Tcl is just like to quote with “” in most other languages, with the difference that no escapes are recognized inside {} quoting.
The second thing to note is the format we used to describe the packet. That’s called APD, and was introduced with hping3 itself. The APD syntax is trivial, and there is a simple way to figure how to generate a given packet, because hping3 use this format to send packets, but also to receive packets as we will see in a moment.

Tcl inside
Before to show how it’s possible to receive packets, I want to stress the fact that we are inside a Tcl interpreter, so we can use any of the Tcl abilities in hping scripts.

The following hping script will send the same ICMP packet we already sent to 192.168.1.8, but using different TTL values, from 5 to 10.

foreach i [list 5 6 7 8 9 10] {
    hping send "ip(daddr=192.168.1.8,ttl=$i)+icmp(type=8,code=0)"
}
 

With scripts longer then one line it can be a good idea to write the script with a text editor, and then run it using hping:

# hping exec foo.htcl
 

– Cut&paste it into the hping interactive shell also works well.
Note that because this example uses a variable i to increment the ttl value on every iteration of the foreach, we used “” rather than {} quoting so that $i would be expanded to the value of i.

I think it’s clear now that in order to make a good use of hping3 you need to learn the Tcl language. The good news are that Tcl is a very powerful language, but it’s very easy to learn, and if you learn Tcl you will enjoy it in many different tasks related or not to hping. The best site about Tcl is the Tcler’s Wiki.

Packet reception
Another very important subcommand of hping is hping recv, that is used to capture packets from the specified interface. The simplest usage is the following:

hping3.0.0-alpha-1> hping recv eth0
ip(ihl=0x5,ver=0x4,tos=0x00,totlen=52,id=42833,fragoff=0,mf=0,df=1,rf=0,ttl=54,proto=6,cksum=0xd53a,saddr=192.106.224.132,daddr=192.168.1.6)+\
tcp(sport=6667,dport=52466,seq=2163829654,ack=3105171942,x2=0x0,off=8,flags=a,win=2848,cksum=0x99bd,urp=0)+\
tcp.nop()+tcp.nop()+tcp.timestamp(val=181365875,ecr=104872758)
 

Because the received packet description is too long I added newlines quoted with \, but actually hping will read the packet as a unique string.

hping recv returns a Tcl list, where every element is a packet (but by default it will be just one-element list).

At every call, hping recv eth0 will return the packet(s) in queue. If there is no packet to receive the command will block until one is available.

If you don’t want hping recv to block forever, you can specify an additional argument. One more argument will tell hping the max number of packets to return in a single call. To learn the details please check the hping recv page in this wiki.

Note that the command always returns a Tcl list of packets, even when just one packet is returned. So if you want to use the returned packets you need to use Tcl list commands (as we will see in a moment). Another thing to note is that the packets are received in APD format, so it’s possible to get a packet, possibly manipulate it, and resend the packet using hping send.

The following is an example script using hping recv.

while 1 {
    set p [lindex [hping recv eth0] 0]
    puts "[hping getfield ip saddr $p] -> [hping getfield ip ttl $p]"
}
 

The first line is just a while loop that will repeat the script provided as second argument forever. The second line, set p [lindex [hping recv eth0] 0] gets the next packet, the lindex command is used to extract the packet from the Tcl list (and the 0 argument tells lindex to get the first packet).

The second line of code, puts “…”, print on the screen the source IP address and the TTL value of the packet. To extract fiels from packets there is the command hping getfield (see the specific page for more information as usually).

If you execute this script, you’ll get an output similar to the following:

# ./hping3 exec /tmp/test.tcl
192.168.1.6 -> 128
192.168.1.20 -> 128
 

the script will dump the packets until you press ctrl+C.

A more complex example

The following is a more real-world example, an hping script used to analyze the Initial Sequence Number of a TCP/IP stack implementation. This example uses Tk in order to be able to display a spectrogram of the ISN increments in graphic. Note that the script is quite “rude” in order to make it as simple as possible (otherwise it will hardly be good in order to learn hping3 by examples).

Before to show the actual code, I want to show an example output for Linux and Windows.
That’s Linux:

While that’s what I get with Windows 2000:

To appreaciate the real difference about the two OSes note the scale indication in the pictures.

Note that the script sends SYN packets to the target host always using the same IP address, so it does only check how random the increment is in a particular situation. But if your TCP/IP stack will show a bad spectrogram in this context, there is already something of bad (think about dialups, or DSL lines with dynamic IP, I can connect, sample a given host, reconnect with a different IP and try to do IP spoofing with the previous one).

Finally that’s the hping3 script to do the actual analysis:

# isn-spectrogram.htcl -- show the ISN increments "spectrogram".
# Copyright(C) 2003 Salvatore Sanfilippo.
#
# All rights reserved.
#
# Here the idea is very simple, in operating systems implemeting
# ISN as random increments, it is useless to analyze the whole
# sequence number, because the random part is just the increment.
# Morover, some weaknes isn't about correlation between previous
# and successive increments, but just about increments don't show
# a good distribution. So the idea is to display a spectrogram
# of the increments distribution instead of the more complex to read
# 3D attractors (See [1]). This way is possible to see at least some of
# the common vulnerabilties you can discover with 3D attractors,
# but it is much simpler to guess how hard is to exploit the system
# just from the picture.
#
# [1] http://razor.bindview.com/publish/papers/tcpseq.html
#
# Please if you make this script better write me back the
# changes. (antirez@invece.org).
#
# The script requires Tk to run.
 
package require Tk
source hpingstdlib.htcl
 
if {$argc != 3} {
    puts stderr "Usage: isn-spectrogram <host> <scale> <open-tcp-port>"
    puts stderr "Example: isn-spectrogram www.example.com 100000 80"
    exit
}
 
set bgcolor {#000000}
wm title . {hping3 -- attractors}
set w .main
frame $w
pack $w -side top
. config -background $bgcolor
$w config -background $bgcolor
 
# canvas
set xres 800
set yres 800
canvas $w.can -width $xres -height $yres
$w.can config -background $bgcolor
pack $w.can -fill both -expand true
 
# globals
foreach {hostname div dport} $argv break
set sport 1
#set dport 80
set target [hping resolve $hostname]
set targetif [outifname $target]
set myip [hping outifa $target]
set isnqueue {}
set relative_attractor 1
set lastisn 0
#set div 10000000
 
hping setfilter $targetif "tcp and src host $target"
 
 
$w.can create rectangle 40 450 139 450 -fill white -width 0
$w.can create text 90 470 -fill white -text [expr $div*100]
 
proc sendsyn {} {
    global sport dport myip target
    append syn "ip(saddr=$myip,daddr=$target,ttl=255)+"
    append syn "tcp(sport=$sport,dport=$dport,flags=s)"
    hping send $syn
    incr sport
    after 1 sendsyn
}
 
proc recvsynack {} {
    global lastisn relative_attractor
 
    set packets [hping recv eth0 0 0]
    foreach p $packets {
      if {![hping hasfield tcp flags $p]} continue
      set isn [hping getfield tcp seq $p]
      if {$relative_attractor} {
              set tisn [expr abs($isn-$lastisn)]
              set lastisn $isn
              set isn $tisn
      }
      #puts "ISN: $isn"
      displaypoint $isn
    }
    after 10 recvsynack
}
 
proc displaypoint isn {
    global w xres yres pastcol div
 
    set isn [expr $isn/$div]
    set y 300
    set x $isn
    puts "$x $y"
    if {[haskey pastcol $x.$y]} {
      set graylevel [incr pastcol($x.$y) 10]
    } else {
      set pastcol($x.$y) 0
      set graylevel 0
    }
    if {$graylevel >= 256*3} {
      set graylevel [expr (256*3)-1]
    }
    if {$graylevel <= 255} {
      set b $graylevel
 
      set g 0
      set r 0
    } elseif {$graylevel <= 511} {
      set b 0
      set g [expr $graylevel - 256]
      set r 255
    } elseif {$graylevel <= 767} {
      set b 255
      set g 255
      set r [expr $graylevel - 512]
    }
    set color [format "#%02X%02X%02X" $r $g $b]
    $w.can create rectangle $x $y [expr $x+1] [expr $y+100] -fill $color -width 0
}
 
after 1 sendsyn
after 1 recvsynack
 
vwait forever
 
# vim: filetype=tcl softtabstop=4
 

If you know some basic Tcl/Tk you will find it very simple to read I hope. Note that if you want to run this code you require a little hping standard library, but both this program and the lib itself are under the /lib directory of the hping3 distribution, so don’t bother to retype it from this page.
That’s how to use the script against a Linux box.

cd /your/path/hping3/lib
../hping3 exec isn-spectrogram.htcl <target-host> 100000 25
 

Note that ’25’ is an open port, you need to specify an open TCP port for the target system. 100000 is instead the scale, if you see that the graph is bigger than the screen use a bigger scale value, if you see it concentrating in the left of the screen and very dense, use a lower one. auto-scaling is trivial but not implemented in that script.

Send your feedbacks

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s