Nov 12, 2011 hping is a command-line oriented TCP/IP packet assembler / analyzer. The interface is inspired to the ping(8) unix command, but hping isn't only able to send ICMP echo requests.
hping3 - send (almost) arbitrary TCP/IP packets to network hosts
hping3 [ -hvnqVDzZ012WrfxykQbFSRPAUXYjJBuTG ] [ -ccount ] [ -iwait ] [ --fast ] [ -Iinterface ] [ -9signature ] [ -ahost ] [ -tttl ] [ -Nip id ] [ -Hip protocol] [ -gfragoff ] [ -mmtu ] [ -otos ] [ -Cicmp type ] [ -Kicmp code ] [ -ssource port ] [ -p[+][+]dest port ] [ -wtcp window ] [ -Otcp offset ] [ -Mtcp sequencenumber ] [ -Ltcp ack ] [ -ddata size ] [ -Efilename ] [ -esignature ] [ --icmp-ipverversion ] [ --icmp-iphlenlength ] [ --icmp-iplenlength ] [ --icmp-ipidid ] [ --icmp-ipprotoprotocol ] [ --icmp-cksumchecksum ] [ --icmp-ts ] [ --icmp-addr ] [ --tcpexitcode ] [ --tcp-timestamp ] [--tr-stop ] [ --tr-keep-ttl ] [ --tr-no-rtt ] [ --rand-dest ] [ --rand-source ] [ --beep ] hostname
- DOWNLOAD HPING STABLE: The latest version of hping is 2.0.0-rc3 (release candidate 3). Rc3 changes: Fixed a problem with the checksum code. Some packet was.
- What is fping? Fping is a program to send ICMP echo probes to network hosts, similar to ping, but much better performing when pinging multiple hosts. Fping has a very long history: Roland Schemers did publish a first version of it in 1992 and it has established itself since then as a standard tool for network diagnostics and statistics.
hping3 is a network tool able to send custom TCP/IP packets and to display target replies like ping program does with ICMP replies. hping3 handlefragmentation, arbitrary packets body and size and can be used in order to transfer files encapsulated under supported protocols. Using hping3 you are able toperform at least the following stuff:
- Test firewall rules - Advanced port scanning - Test net performance using different protocols, packet size, TOS (type of service) and fragmentation. -Path MTU discovery - Transferring files between even really fascist firewall rules. - Traceroute-like under different protocols. - Firewalk-like usage. -Remote OS fingerprinting. - TCP/IP stack auditing. - A lot of others.
It's also a good didactic tool to learn TCP/IP. hping3 is developed and maintained by [email protected] and is licensed under GPL version 2.Development is open so you can send me patches, suggestion and affronts without inhibitions.
primary site at http://www.hping.org. You can found both the stable release and the instruction to download the latest source code athttp://www.hping.org/download.html
Alias for -i u10000. Hping will send 10 packets for second.
len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0
Beep for every matching received packet (but not for ICMP errors).
Default protocol is TCP, by default hping3 will send tcp headers to target host's port 0 with a winsize of 64 without any tcp flag on. Often this is thebest way to do an 'hide ping', useful when target is behind a firewall that drop ICMP. Moreover a tcp null-flag to port 0 has a good probability of not beinglogged.
- --baseport, --destport,--keep.
- -8 --scan
- Scan mode, the option expects an argument that describes groups of ports to scan. port groups are comma separated: a number describes just a single port, so1,2,3 means port 1, 2 and 3. ranges are specified using a start-end notation, like 1-1000, that tell hping to scan ports between 1 and 1000 (included). thespecial word all is an alias for 0-65535, while the special word known includes all the ports listed in /etc/services.
Groups can be combined, so the following command line will scan ports between 1 and 1000 AND port 8888 AND ports listed in /etc/services: hping --scan1-1000,8888,known -S target.host.com
Groups can be negated (subtracted) using a ! character as prefix, so the following command line will scan all the ports NOT listed in /etc/services in therange 1-1024: hping --scan '1-1024,!known' -S target.host.com
Keep in mind that while hping seems much more like a port scanner in this mode, most of the hping switches are still honored, so for example to perform a SYNscan you need to specify the -S option, you can change the TCP windows size, TTL, control the IP fragmentation as usually, and so on. The only realdifference is that the standard hping behaviors are encapsulated into a scanning algorithm.
Tech note: The scan mode uses a two-processes design, with shared memory for synchronization. The scanning algorithm is still not optimal, but alreadyquite fast.
Hint: unlike most scanners, hping shows some interesting info about received packets, the IP ID, TCP win, TTL, and so on, don't forget to look at thisadditional information when you perform a scan! Sometimes they shows interesting details.
- -9 --listen signature
- HPING3 listen mode, using this option hping3 waits for packet that contain signature and dump from signature end to packet's end. For exampleif hping3 --listen TEST reads a packet that contain 234-09sdflkjs45-TESThello_world it will display hello_world.
Ip Related Options
-a --spoof hostname
- This option enables the random source mode. hping will send packets with random source address. It is interesting to use this option to stressfirewall state tables, and other per-ip basis dynamic tables inside the TCP/IP stacks and firewall software.
- This option enables the random destination mode. hping will send the packets to random addresses obtained following the rule you specify as thetarget host. You need to specify a numerical IP address as target host like 10.0.0.x. All the occurrences of x will be replaced with a randomnumber in the range 0-255. So to obtain Internet IP addresses in the whole IPv4 space use something like hping x.x.x.x --rand-dest. If you are not sureabout what kind of addresses your rule is generating try to use the --debug switch to display every new destination address generated. When this optionis turned on, matching packets will be accept from all the destinations.
Warning: when this option is enabled hping can't detect the right outgoing interface for the packets, so you should use the --interface option toselect the desired outgoing interface.
- -t --ttl time to live
- Using this option you can set TTL (time to live) of outgoing packets, it's likely that you will use this with --traceroute or --bindoptions. If in doubt try 'hping3 some.host.com -t 1 --traceroute'.
- -N --id
- Set ip->id field. Default id is random but if fragmentation is turned on and id isn't specified it will be getpid() & 0xFF, to implement abetter solution is in TODO list.
- -H --ipproto
- Set the ip protocol in RAW IP mode.
- -W --winid
- id from Windows* systems before Win2k has different byte ordering, if this option is enable hping3 will properly display id replies from thoseWindows.
- -r --rel
- Display id increments instead of id. See the HPING3-HOWTO for more information. Increments aren't computed as id[N]-id[N-1] but using packet losscompensation. See relid.c for more information.
- -f --frag
- Split packets in more fragments, this may be useful in order to test IP stacks fragmentation performance and to test if some packet filter is so weak thatcan be passed using tiny fragments (anachronistic). Default 'virtual mtu' is 16 bytes. see also --mtu option.
- -x --morefrag
- Set more fragments IP flag, use this option if you want that target host send an ICMP time-exceeded during reassembly.
- -y --dontfrag
- Set don't fragment IP flag, this can be used to perform MTU path discovery.
- -g --fragoff fragment offset value
- Set the fragment offset.
- -m --mtu mtu value
- Set different 'virtual mtu' than 16 when fragmentation is enabled. If packets size is greater that 'virtual mtu' fragmentation is automatically turnedon.
- -o --tos hex_tos
- Set Type Of Service (TOS), for more information try --tos help.
- -G --rroute
- Record route. Includes the RECORD_ROUTE option in each packet sent and displays the route buffer of returned packets. Note that the IP header is only largeenough for nine such routes. Many hosts ignore or discard this option. Also note that using hping you are able to use record route even if target host filterICMP. Record route is an IP option, not an ICMP option, so you can use record route option even in TCP and UDP mode.
Icmp Related Options
-C --icmptype type
- -w --win
- Set TCP window size. Default is 64.
- -O --tcpoff
- Set fake tcp data offset. Normal data offset is tcphdrlen / 4.
- -M --setseq
- Set the TCP sequence number.
- -L --setack
- Set the TCP ack.
- -Q --seqnum This option can be used in order to collect sequence numbers generated by target host. This can be useful when you need to analyze whether TCP sequencenumber is predictable. Output example:
- -b --badcksum
- Send packets with a bad UDP/TCP checksum.
- Enable the TCP timestamp option, and try to guess the timestamp update frequency and the remote system uptime.
- -F --fin
- Set FIN tcp flag.
- -S --syn
- Set SYN tcp flag.
- -R --rst
- Set RST tcp flag.
- -P --push
- Set PUSH tcp flag.
- -A --ack
- Set ACK tcp flag.
- -U --urg
- Set URG tcp flag.
- -X --xmas
- Set Xmas tcp flag.
- -Y --ymas
- Set Ymas tcp flag.
- -e --sign signature
- Fill first signature length bytes of data with signature. If the signature length is bigger than data size an error message will bedisplayed. If you don't specify the data size hping will use the signature size as data size. This option can be used safely with --file filenameoption, remainder data space will be filled using filename.
- -j --dump
- Dump received packets in hex.
- -J --print
- Dump received packets' printable characters.
- -B --safe
- Enable safe protocol, using this option lost packets in file transfers will be resent. For example in order to send file /etc/passwd from host A to host Byou may use the following:
- -u --end
- If you are using --file filename option, tell you when EOF has been reached. Moreover prevent that other end accept more packets. Please, for moreinformation see the HPING3-HOWTO.
- -T --traceroute
- Traceroute mode. Using this option hping3 will increase ttl for each ICMP time to live 0 during transit received. Try hping3 host--traceroute. This option implies --bind and --ttl 1. You can override the ttl of 1 using the --ttl option. Since 2.0.0 stable it prints RTTinformation.
- Keep the TTL fixed in traceroute mode, so you can monitor just one hop in the route. For example, to monitor how the 5th hop changes or how its RTT changesyou can try hping3 host --traceroute --ttl 5 --tr-keep-ttl.
- If this option is specified hping will exit once the first packet that isn't an ICMP time exceeded is received. This better emulates the traceroutebehavior.
- Don't show RTT information in traceroute mode. The ICMP time exceeded RTT information aren't even calculated if this option is set.
- Exit with last received packet tcp->th_flag as exit code. Useful for scripts that need, for example, to known if the port 999 of some host reply withSYN/ACK or with RST in response to SYN, i.e. the service is up or down.
- App name: hping
- App description: Command-line oriented TCP/IP packet assembler/analyzer
- App website: http://www.hping.org/
Command+Spaceand type Terminal and press enter/return key.
- Run in Terminal app:
ruby -e '$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)' < /dev/null 2> /dev/null
and press enter/return key.
If the screen prompts you to enter a password, please enter your Mac's user password to continue. When you type the password, it won't be displayed on screen, but the system would accept it. So just type your password and press ENTER/RETURN key. Then wait for the command to finish.
brew install hping
keep still source port, see --baseport for more information.
#hping3 win98 --seqnum -p 139 -S -i u1 -I eth0The first column reports the sequence number, the second difference between current and last sequence number. As you can see target host's sequence numbersare predictable.
-d --data data size
Tcp Output Format
The standard TCP output format is the following:
len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
len is the size, in bytes, of the data captured from the data link layer excluding the data link header size. This may not match the IP datagram sizedue to low level transport layer padding.
ip is the source ip address.
flags are the TCP flags, R for RESET, S for SYN, A for ACK, F for FIN, P for PUSH, U for URGENT, X for not standard 0x40, Y for not standard 0x80.
If the reply contains DF the IP header has the don't fragment bit set.
seq is the sequence number of the packet, obtained using the source port for TCP/UDP packets, the sequence field for ICMP packets.
id is the IP ID field.
win is the TCP window size.
rtt is the round trip time in milliseconds.
If you run hping using the -V command line switch it will display additional information about the packet, example:
len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0
tos is the type of service field of the IP header.
iplen is the IP total len field.
seq and ack are the sequence and acknowledge 32bit numbers in the TCP header.
sum is the TCP header checksum value.
urp is the TCP urgent pointer value.
Udp Output Format
The standard output format is:
len=46 ip=192.168.1.1 seq=0 ttl=64 id=0 rtt=6.0 ms
The field meaning is just the same as the TCP output meaning of the same fields.
Icmp Output Format
An example of ICMP output is:
ICMP Port Unreachable from ip=192.168.1.1 name=nano.marmoc.net
It is very simple to understand. It starts with the string 'ICMP' followed by the description of the ICMP error, Port Unreachable in the example. The ipfield is the IP source address of the IP datagram containing the ICMP error, the name field is just the numerical address resolved to a name (a dns PTRrequest) or UNKNOWN if the resolution failed.
The ICMP Time exceeded during transit or reassembly format is a bit different:
TTL 0 during transit from ip=192.168.1.1 name=nano.marmoc.net
TTL 0 during reassembly from ip=220.127.116.11 name=UNKNOWN
The only difference is the description of the error, it starts with TTL 0.
Salvatore Sanfilippo <[email protected]>, with the help of the people mentioned in AUTHORS file and athttp://www.hping.org/authors.html
Even using the --end and --safe options to transfer files the final packet will be padded with 0x00 bytes.
Data is read without care about alignment, but alignment is enforced in the data structures. This will not be a problem under i386 but, while usually theTCP/IP headers are naturally aligned, may create problems with different processors and bogus packets if there is some unaligned access around the code(hopefully none).
On solaris hping does not work on the loopback interface. This seems a solaris problem, as stated in the tcpdump-workers mailing list, so the libpcap can'tdo nothing to handle it properly.
ping(8), traceroute(8), ifconfig(8), nmap(1)
About the App
What Is Hping
Install the App
Done! You can now use