information gathering – nping

Nping is an open source tool for network packet generation, response analysis and response time measurement. Nping allows to generate network packets of a wide range of protocols, letting users to tune virtually any field of the protocol headers. While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for network stack stress tests, ARP poisoning, Denial of Service attacks, route tracing, etc.

Nping has a very flexible and powerful command-line interface that grants the user full control of the generated packets. These are some of Nping’s features:

Custom TCP, UDP, ICMP and ARP packet generation.
Support for multiple target host specification.
Support for multiple target port specification.
Unprivileged modes for non-root users.
Support for Ethernet frame generation.
Support for IPv6 (currently experimental).
Runs on Linux, Mac OS and MS Windows.
Route tracing capabilities.
Highly customizable.
Free and open-source.

root@bt:~# nping -c 1 –tcp -p 445 –flags syn 192.168.1.2

Starting Nping 0.5.61TEST4 ( http://nmap.org/nping ) at 2012-02-15 12:33 GMT
SENT (0.0071s) TCP 192.168.1.2:30838 > 192.168.1.2:445 S ttl=64 id=35300 iplen=40  seq=2937838608 win=1480
RCVD (0.0099s) TCP 192.168.1.2:445 > 192.168.1.2:30838 SA ttl=128 id=19927 iplen=44  seq=692810284 win=8192 <mss 1460>
nping_event_handler(): READ-PCAP killed: Resource temporarily unavailable
nping_event_handler(): TIMER killed: Resource temporarily unavailable

Max rtt: 1.737ms | Min rtt: 1.737ms | Avg rtt: 1.737ms
Raw packets sent: 1 (40B) | Rcvd: 1 (46B) | Lost: 0 (0.00%)
Tx time: 0.00285s | Tx bytes/s: 14044.94 | Tx pkts/s: 351.12
Rx time: 1.00259s | Rx bytes/s: 45.88 | Rx pkts/s: 1.00
Nping done: 1 IP address pinged in 1.01 seconds

root@bt:~# nping
Nping 0.5.61TEST4 ( http://nmap.org/nping )
Usage: nping [Probe mode] [Options] {target specification}

TARGET SPECIFICATION:
Targets may be specified as hostnames, IP addresses, networks, etc.
Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
PROBE MODES:
–tcp-connect                    : Unprivileged TCP connect probe mode.
–tcp                            : TCP probe mode.
–udp                            : UDP probe mode.
–icmp                           : ICMP probe mode.
–arp                            : ARP/RARP probe mode.
–tr, –traceroute               : Traceroute mode (can only be used with
TCP/UDP/ICMP modes).
TCP CONNECT MODE:
-p, –dest-port <port spec>     : Set destination port(s).
-g, –source-port <portnumber>  : Try to use a custom source port.
TCP PROBE MODE:
-g, –source-port <portnumber>  : Set source port.
-p, –dest-port <port spec>     : Set destination port(s).
–seq <seqnumber>               : Set sequence number.
–flags <flag list>             : Set TCP flags (ACK,PSH,RST,SYN,FIN…)
–ack <acknumber>               : Set ACK number.
–win <size>                    : Set window size.
–badsum                        : Use a random invalid checksum.
UDP PROBE MODE:
-g, –source-port <portnumber>  : Set source port.
-p, –dest-port <port spec>     : Set destination port(s).
–badsum                        : Use a random invalid checksum.
ICMP PROBE MODE:
–icmp-type <type>               : ICMP type.
–icmp-code <code>               : ICMP code.
–icmp-id <id>                   : Set identifier.
–icmp-seq <n>                   : Set sequence number.
–icmp-redirect-addr <addr>      : Set redirect address.
–icmp-param-pointer <pnt>       : Set parameter problem pointer.
–icmp-advert-lifetime <time>    : Set router advertisement lifetime.
–icmp-advert-entry <IP,pref>    : Add router advertisement entry.
–icmp-orig-time  <timestamp>    : Set originate timestamp.
–icmp-recv-time  <timestamp>    : Set receive timestamp.
–icmp-trans-time <timestamp>    : Set transmit timestamp.
ARP/RARP PROBE MODE:
–arp-type <type>                : Type: ARP, ARP-reply, RARP, RARP-reply.
–arp-sender-mac <mac>           : Set sender MAC address.
–arp-sender-ip  <addr>          : Set sender IP address.
–arp-target-mac <mac>           : Set target MAC address.
–arp-target-ip  <addr>          : Set target IP address.
IPv4 OPTIONS:
-S, –source-ip                  : Set source IP address.
–dest-ip <addr>                 : Set destination IP address (used as an
alternative to {target specification} ).
–tos <tos>                      : Set type of service field (8bits).
–id  <id>                       : Set identification field (16 bits).
–df                             : Set Don’t Fragment flag.
–mf                             : Set More Fragments flag.
–ttl <hops>                     : Set time to live [0-255].
–badsum-ip                      : Use a random invalid checksum.
–ip-options <S|R [route]|L [route]|T|U …> : Set IP options
–ip-options <hex string>                    : Set IP options
–mtu <size>                     : Set MTU. Packets get fragmented if MTU is
small enough.
IPv6 OPTIONS:
-6, –IPv6                       : Use IP version 6.
–dest-ip                        : Set destination IP address (used as an
alternative to {target specification}).
–hop-limit                      : Set hop limit (same as IPv4 TTL).
–traffic-class <class> :        : Set traffic class.
–flow <label>                   : Set flow label.
ETHERNET OPTIONS:
–dest-mac <mac>                 : Set destination mac address. (Disables
ARP resolution)
–source-mac <mac>               : Set source MAC address.
–ether-type <type>              : Set EtherType value.
PAYLOAD OPTIONS:
–data <hex string>              : Include a custom payload.
–data-string <text>             : Include a custom ASCII text.
–data-length <len>              : Include len random bytes as payload.
ECHO CLIENT/SERVER:
–echo-client <passphrase>       : Run Nping in client mode.
–echo-server <passphrase>       : Run Nping in server mode.
–echo-port <port>               : Use custom <port> to listen or connect.
–no-crypto                      : Disable encryption and authentication.
–once                           : Stop the server after one connection.
–safe-payloads                  : Erase application data in echoed packets.
TIMING AND PERFORMANCE:
Options which take <time> are in seconds, or append ‘ms’ (milliseconds),
‘s’ (seconds), ‘m’ (minutes), or ‘h’ (hours) to the value (e.g. 30m, 0.25h).
–delay <time>                   : Adjust delay between probes.
–rate  <rate>                   : Send num packets per second.
MISC:
-h, –help                       : Display help information.
-V, –version                    : Display current version number.
-c, –count <n>                  : Stop after <n> rounds.
-e, –interface <name>           : Use supplied network interface.
-H, –hide-sent                  : Do not display sent packets.
-N, –no-capture                 : Do not try to capture replies.
–privileged                     : Assume user is fully privileged.
–unprivileged                   : Assume user lacks raw socket privileges.
–send-eth                       : Send packets at the raw ethernet layer.
–send-ip                        : Send packets using raw IP sockets.
–bpf-filter <filter spec>       : Specify custom BPF filter.
OUTPUT:
-v                               : Increment verbosity level by one.
-v[level]                        : Set verbosity level. E.g: -v4
-d                               : Increment debugging level by one.
-d[level]                        : Set debugging level. E.g: -d3
-q                               : Decrease verbosity level by one.
-q[N]                            : Decrease verbosity level N times
–quiet                          : Set verbosity and debug level to minimum.
–debug                          : Set verbosity and debug to the max level.
EXAMPLES:
nping scanme.nmap.org
nping –tcp -p 80 –flags rst –ttl 2 192.168.1.1
nping –icmp –icmp-type time –delay 500ms 192.168.254.254
nping –echo-server “public” -e wlan0 -vvv
nping –echo-client “public” echo.nmap.org –tcp -p1-1024 –flags ack