hping2 is a network tool able to send custom TCP/UDP/ICMP packets and display the target's replies. It works much like ping but with far more options. Among other things, it can be used to:
- test firewall rules
- perform port scanning
- test network performance using different protocols, packet sizes, etc.
- do path MTU discovery
- run traceroute-like probes under different protocols
Testing port state
One of the most useful use cases of hping is to test whether a TCP port is open or not:
# hping -S -p 22 192.70.106.78
HPING 192.70.106.78 (eth0 192.70.106.78): S set, 40 headers + 0 data bytes
len=40 ip=192.70.106.78 ttl=64 DF id=0 sport=22 flags=RA seq=0 win=0 rtt=0.2 ms
The RA flags indicate that TCP port 22 is closed: the remote host sent a RST/ACK in response to our SYN packet. If the port were open, the flags would have been SA instead.
Note that you can also use the ++ prefix to automatically increase the port number with each packet sent:
# hping -S -p ++80 192.168.10.1
Port scanning
hping can be used as a lightweight port scanner:
# hping -S --scan 20-22,80,8080 -V 192.168.100.1
using eth0, addr: 192.168.100.18, MTU: 1500
Scanning 192.168.100.1 (192.168.100.1), port 20,21,22,80,8080
5 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+
|port| serv name | flags |ttl| id | win |
+----+-----------+---------+---+-----+-----+
20 ftp-data : ..R.A... 64 0 0
21 ftp : ..R.A... 64 0 0
22 ssh : .S..A... 64 0 5840
80 www : .S..A... 64 0 5840
8080 http-alt : .S..A... 64 0 5840
All replies received. Done.
Not responding ports:
Firewall mapping
traceroute is usually the first utility people use for this task, but it is limited to UDP "probe" packets (on port 53 by default). hping can use any protocol:
# hping -z -t 6 -S mail.test.com -p 143
TTL 0 during transit from ip=10.1.5.3
7: TTL 0 during transit from ip=10.1.5.3
8: TTL 0 during transit from ip=10.2.5.3
9: TTL 0 during transit from ip=10.3.5.3
10: TTL 0 during transit from ip=10.4.5.3
11: TTL 0 during transit from ip=10.6.5.3
....
len=46 ip=10.5.5.3 flags=SA DF seq=33 ttl=47 id=0 win=5840 rtt=4341.3ms
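Reading hping's replies by eye is fine for one port, but the decision rules are worth writing down. The following Python script, added here as an example and not part of hping or of the original page, parses the three kinds of output shown above (single-probe reply lines, the --scan table, and the TTL-sweep hop lines) into port states and hop lists. The sample outputs are copied from the sections above, with a constructed extra reply (port 80 answering SA) and a constructed requested port that never answers (25) so that every state appears. The flag column of the scan table is read in hping's F S R P A U X Y order.

```python
import re

# Reply line of a single SYN probe, e.g.
#   len=40 ip=192.70.106.78 ttl=64 DF id=0 sport=22 flags=RA seq=0 win=0 rtt=0.2 ms
PROBE_RE = re.compile(
    r"ip=(?P<ip>\d+(?:\.\d+){3}).*?sport=(?P<port>\d+)\s+flags=(?P<flags>[A-Z]*)"
)

# Header of --scan output listing the requested (already expanded) ports, e.g.
#   Scanning 192.168.100.1 (192.168.100.1), port 20,21,22,80,8080
SCAN_HDR_RE = re.compile(r"^Scanning .*?, port (?P<ports>[\d,]+)")

# Row of the --scan table: port, service, 8-column flag field (F S R P A U X Y), ttl, id, win
SCAN_ROW_RE = re.compile(
    r"^\s*(?P<port>\d+)\s+\S+\s*:\s*(?P<flags>[.FSRPAUXY]{8})\s+\d+\s+\d+\s+\d+"
)

# Hop line of a TTL sweep; the hop number is optional because hping omits it on the first line
HOP_RE = re.compile(
    r"^(?:(?P<hop>\d+):\s*)?TTL 0 during transit from ip=(?P<ip>\d+(?:\.\d+){3})"
)


def classify(flags):
    """Map the TCP flags of a reply to a port state, using SYN-probe semantics."""
    present = set(flags) - {"."}
    if "R" in present:
        return "closed"        # RST(/ACK): nothing is listening
    if {"S", "A"} <= present:
        return "open"          # SYN/ACK: a listener answered step 2 of the handshake
    return "unexpected"        # anything else deserves a manual look


def parse_probe(output):
    """Return {port: state} from plain 'hping -S -p <port>' output."""
    return {int(m["port"]): classify(m["flags"]) for m in PROBE_RE.finditer(output)}


def parse_scan(output):
    """Return {port: state} from 'hping --scan' output.

    Requested ports that never answer are reported as 'no-reply': the probe or the
    reply was dropped by a filter, or the host is down. That is the interesting set
    when the goal is to verify firewall rules.
    """
    states, requested = {}, []
    for line in output.splitlines():
        header = SCAN_HDR_RE.match(line)
        if header:
            requested = [int(p) for p in header["ports"].split(",")]
            continue
        row = SCAN_ROW_RE.match(line)
        if row:
            states[int(row["port"])] = classify(row["flags"])
    for port in requested:
        states.setdefault(port, "no-reply")
    return states


def parse_hops(output):
    """Return [(hop, ip)] from a TTL sweep; hop is None where hping printed no number."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append((int(m["hop"]) if m["hop"] else None, m["ip"]))
    return hops


# Constructed samples: first two lines are from the page, the port-80 reply is made up.
PROBE_SAMPLE = """HPING 192.70.106.78 (eth0 192.70.106.78): S set, 40 headers + 0 data bytes
len=40 ip=192.70.106.78 ttl=64 DF id=0 sport=22 flags=RA seq=0 win=0 rtt=0.2 ms
len=40 ip=192.70.106.78 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=0.3 ms
"""

# Constructed sample: the page's scan output plus a requested port 25 that never answers.
SCAN_SAMPLE = """using eth0, addr: 192.168.100.18, MTU: 1500
Scanning 192.168.100.1 (192.168.100.1), port 20,21,22,25,80,8080
6 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+
|port| serv name | flags   |ttl| id  | win |
+----+-----------+---------+---+-----+-----+
  20 ftp-data   : ..R.A... 64     0     0
  21 ftp        : ..R.A... 64     0     0
  22 ssh        : .S..A... 64     0  5840
  80 www        : .S..A... 64     0  5840
8080 http-alt   : .S..A... 64     0  5840
All replies received. Done.
Not responding ports: 25
"""

# Sample copied from the TTL sweep above.
HOP_SAMPLE = """TTL 0 during transit from ip=10.1.5.3
7: TTL 0 during transit from ip=10.1.5.3
8: TTL 0 during transit from ip=10.2.5.3
9: TTL 0 during transit from ip=10.3.5.3
....
len=46 ip=10.5.5.3 flags=SA DF seq=33 ttl=47 id=0 win=5840 rtt=4341.3ms
"""

if __name__ == "__main__":
    print(parse_probe(PROBE_SAMPLE))
    print(parse_scan(SCAN_SAMPLE))
    print(parse_hops(HOP_SAMPLE))
```

Feeding real output is a matter of `parse_scan(open("scan.txt").read())`; the 'no-reply' ports are the ones to compare against the intended firewall policy, since a silent drop and a RST look the same to a casual reader of the table but mean different things.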
Doing a SYN attack
hping can forge packets with a spoofed source IP address using the -a parameter. Together with the -i (interval) option, you can use it to make a SYN attack:
# hping -a 192.168.10.99 -S 192.168.10.33 -p 80 -i u1000
Transferring file
hping can be used in very creative ways, for example to transfer a file between two hosts you have access to, through a very 'closed' firewall.
On the receiving end we need to start hping in listen mode and specify a 'signature' string that marks the beginning of the file content:
# hping 192.168.10.66 --listen signature --safe --icmp > myfile
On the sending side, you must 'sign' the packets with the signature used at the receiving end and indicate the file to read:
# hping 192.168.10.44 --icmp -d 100 --sign signature --file myfile
ICMP, TCP or UDP can be used interchangeably.
Further Reading and sources