hping2

hping2 is a network tool able to send custom TCP/UDP/ICMP packets and display target replies. It work pretty much like ping but with far more options. It can be used among other things to:

• test firewall rules
• make port scanning
• test net performance using different protocols, packet size, etc…
• Path MTU discovery
• traceroute like under different protocols

Testing port state

One of the most useful use-case of hping is to test if a TCP port is open or not:

# hping -S -p 22 192.70.106.78
HPING 192.70.106.78 (eth0 192.70.106.78): S set, 40 headers + 0 data bytes
len=40 ip=192.70.106.78 ttl=64 DF id=0 sport=22 flags=RA seq=0 win=0 rtt=0.2 ms

The RA flag indicate that the TCP port 22 is closed. The remote host have sent a RST/ACK in response to our SYN packet. If the port was open the flag would have been SA instead.

Not that you can also use the ++ parameter to automatically increase the port number:

# hping -S -p ++80 192.168.10.1

Port scanning

hping can be use as a lightweight port scanner:

# hping -S --scan 20-22,80,8080 -V 192.168.100.1
using eth0, addr: 192.168.100.18, MTU: 1500
Scanning 192.168.100.1 (192.168.100.1), port 20,21,22,80,8080
5 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+
|port| serv name |  flags  |ttl| id  | win |
+----+-----------+---------+---+-----+-----+
   20 ftp-data   : ..R.A...  64     0     0
   21 ftp        : ..R.A...  64     0     0
   22 ssh        : .S..A...  64     0  5840
   80 www        : .S..A...  64     0  5840
 8080 http-alt   : .S..A...  64     0  5840
All replies received. Done.
Not responding ports:

Firewall mapping

traceroute is usually the first utility people use for this task but it’s limited to UDP “probe” packets (on port 53 by default). hping can use any protocol:

# hping -z -t 6 -S mail.test.com -p 143
TTL 0 during transit from ip=10.1.5.3
7: TTL 0 during transit from ip=10.1.5.3
8: TTL 0 during transit from ip=10.2.5.3
9: TTL 0 during transit from ip=10.3.5.3
10: TTL 0 during transit from ip=10.4.5.3
11: TTL 0 during transit from ip=10.6.5.3
....
len=46 ip=10.5.5.3 flags=SA DF seq=33 ttl=47 id=0 win=5840 rtt=4341.3ms

Doing a SYN attack

hping can forge packets with a spoofed IP address using the -a parameter. Together with the -i (for interval) option, you can use it to make a SYN attack :

# hping -a 192.168.10.99 -S 192.168.10.33 -p 80 -i u1000

Transferring file

hping can be use in very creative manners, for example to transfer a file between two hosts you have access to, through a very ‘closed’ firewall.

On the receiving end we need to start hping in listener mode, and specify a ‘signature’ string that indicate the beginning of the file content:

# hping 192.168.10.66 --listen signature --safe --icmp > myfile

On the sending side, you must ‘sign’ the packet, with the signature used at the receiving site, and indicate the file to read:

# hping 192.168.10.44 --icmp -d  100 --sign signature
--file myfile

ICMP, TCP or UDP can be use indiscriminately.

Further Reading and sources

• https://www.ethicalhacker.net/columns/gates/tutorial-hping2-basics
• http://www.radarhack.com/tutorial/hping2.pdf