
Getting Started with Hping

In document Security Power Tools pdf (Page 166-168)

hping2 is a command-line program that can send custom IP, TCP, UDP, and ICMP packets, and it lets the user alter most of the fields in the constructed packet. hping2 has three main modes. The first, which was originally the only one, consists of describing the packet you want to send and letting hping send it and display the replies. The second mode allows the user to supply a list of multiple destination ports to send the packet to, and the third listens for packets of a particular format.

Here is a simple example of generating a TCP SYN packet:

    # hping --syn -p 80 www.slashdot.org
    HPING www.slashdot.org (eth0 66.35.250.151): S set, 40 headers + 0 data bytes
    len=46 ip=66.35.250.151 ttl=48 DF id=0 sport=80 flags=SA seq=0 win=5840 rtt=189.4 ms
    len=46 ip=66.35.250.151 ttl=48 DF id=0 sport=80 flags=SA seq=1 win=5840 rtt=189.2 ms
    --- www.slashdot.org hping statistic ---
    3 packets transmitted, 2 packets received, 34% packet loss
    round-trip min/avg/max = 189.2/189.3/189.4 ms

To create the packet of your dreams, you must choose between TCP (the default), IP (-0 or --rawip), ICMP (-1 or --icmp), or UDP (-2 or --udp). Then you can set each field to the value you want. Most of the time, unset fields have a null value, so do not forget to set important fields such as the TCP flags. You can display the complete list of options by calling for help (hping2 -h). For instance, here is how to send a fake ICMP echo reply packet from a spoofed source: -C 0 is ICMP type 0 (echo reply), -K 0 is code 0, and -a sets the spoofed source address (like every raw packet hping builds, this needs root for the raw socket, and an upstream router doing egress filtering may drop the spoofed packet):

    # hping --icmp -C 0 -K 0 -a 192.168.1.1 192.168.1.10

Additional options are available to create an ICMP citation, the copy of the offending datagram's IP header and first eight bytes of transport header that real ICMP error messages carry, which makes it easy to create fake ICMP error messages. Details about these options are available from hping --icmp-help. For instance, this example sends victim a spoofed Destination Unreachable (-C 3 -K 1: type 3, code 1, host unreachable) that cites victim's connection from port 1034 to port 80 of update.microsoft.com, in order to break that established TCP connection (for more, see the following section):

    # hping --icmp -C 3 -K 1 -a 192.168.1.1 --icmp-ipdst update.microsoft.com \
        --icmp-ipsrc victim --icmp-srcport 1034 --icmp-dstport 80 victim

Whether the connection actually dies depends on the victim's stack: RFC 1122 asks that Destination Unreachable codes 0, 1 and 5 be treated as soft errors on an established connection, so the trick only works against stacks that abort on them.
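The packet that the command above builds, as an added Python example that is not from the book or from hping: it assembles the same ICMP Destination Unreachable (type 3, code 1) with its citation, then parses it the way a receiving stack would, so you can see which fields the victim actually matches on. The addresses, the 40-byte total length claimed for the quoted datagram and the `seq` value are assumptions; the packet is only built in memory and never sent (sending it would need a raw socket and root, exactly as hping does).

```python
import socket
import struct

# Added example (not from the book or from hping). Placeholder addresses:
# SPOOFED_SRC is the -a address, VICTIM stands in for "victim" and SERVER for
# update.microsoft.com (203.0.113.0/24 is a documentation range).
SPOOFED_SRC = "192.168.1.1"
VICTIM = "192.168.1.10"
SERVER = "203.0.113.10"


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, shared by IPv4, ICMP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_host_unreachable(q_src: str, q_dst: str, sport: int, dport: int, seq: int = 0) -> bytes:
    """IP + ICMP type 3 code 1, sent to q_src from SPOOFED_SRC, citing the
    datagram q_src:sport -> q_dst:dport: what --icmp-ipsrc, --icmp-ipdst,
    --icmp-srcport and --icmp-dstport fill in. The citation is the quoted IP
    header plus the first 8 bytes of TCP (ports and sequence number, RFC 792);
    40 is an assumed total length for the quoted datagram."""
    quoted = ipv4_header(q_src, q_dst, 6, 40) + struct.pack("!HHL", sport, dport, seq)
    icmp = struct.pack("!BBHL", 3, 1, 0, 0) + quoted   # type, code, checksum, unused
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(SPOOFED_SRC, q_src, 1, 20 + len(icmp)) + icmp


def parse_icmp_error(pkt: bytes):
    """What a receiving TCP stack looks at: ICMP type/code and the quoted
    4-tuple. Returns None if the ICMP checksum does not verify."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    if len(icmp) < 36 or checksum(icmp) != 0:   # 8 ICMP + 20 IP + 8 TCP bytes
        return None
    quoted = icmp[8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    sport, dport, seq = struct.unpack("!HHL", quoted[q_ihl:q_ihl + 8])
    return {"type": icmp[0], "code": icmp[1], "proto": quoted[9],
            "src": socket.inet_ntoa(quoted[12:16]), "dst": socket.inet_ntoa(quoted[16:20]),
            "sport": sport, "dport": dport, "seq": seq}


def targets_connection(info, conn: tuple) -> bool:
    """A stack matches the error against its connection table using only the
    quoted 4-tuple (src, dst, sport, dport); the outer source address (the
    spoofed router) is never checked, which is why -a alone suffices. Modern
    stacks also require the quoted seq to fall in the send window (RFC 5927),
    a check this example does not model."""
    return info is not None and info["proto"] == 6 and \
        (info["src"], info["dst"], info["sport"], info["dport"]) == conn


if __name__ == "__main__":
    pkt = icmp_host_unreachable(VICTIM, SERVER, 1034, 80, seq=1)
    print(len(pkt), "bytes:", pkt.hex())
    print(parse_icmp_error(pkt))
```

The parser deliberately ignores the outer IP source: that is the whole point of the page's command, and the reason a defender cannot use the ICMP sender address to tell a forged error from a real one.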

To add a payload to a packet, hping requires you to put the payload data in a file (-E) and provide the size of the desired payload (-d). The file is cut into as many pieces as necessary to reach the desired payload size. The pieces are sent one after the other, and the last, shorter piece is padded with null bytes. After the last chunk is sent, hping loops back to the first piece. If no file is provided, the filling is done with X. For instance, here is a way to send your /etc/passwd to slashdot over UDP packets (destination port 123) in chunks of 42 bytes:

    # hping --udp www.slashdot.org -p 123 -E /etc/passwd -d 42

The --tcpexitcode parameter can be of great help in shell scripts. It makes hping exit with the TCP flags byte of the last reply it received, which enables you to test the state of a TCP port: 18 (0x12) is SYN+ACK, so the port is open; 20 (0x14) is RST+ACK, so the port is closed. The -c 1 sends a single probe:

    # hping 127.0.0.1 --syn -p 22 --tcpexitcode -c 1
    HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
    len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=32767 rtt=0.4 ms
    --- 127.0.0.1 hping statistic ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 0.4/0.4/0.4 ms
    # echo $?
    18
    # hping 127.0.0.1 --syn -p 23 --tcpexitcode -c 1
    HPING 127.0.0.1 (lo 127.0.0.1): S set, 40 headers + 0 data bytes
    len=40 ip=127.0.0.1 ttl=64 DF id=24359 sport=23 flags=RA seq=0 win=0 rtt=0.2 ms
    --- 127.0.0.1 hping statistic ---
    1 packets transmitted, 1 packets received, 0% packet loss
    round-trip min/avg/max = 0.2/0.2/0.2 ms
    # echo $?
    20
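A scripted port check built on that exit code, as an added Python example (not from the book or from hping): decode_flags turns the status into flag names, port_state maps it to open, closed or filtered, and probe wraps the hping2 invocation from the page. The exact hping2 command line and the use of the "packets received" statistics line as a no-reply guard are assumptions about the tool's output; the decoding itself runs offline.

```python
import re
import subprocess

# Added example, not from the book or from hping. With --tcpexitcode the exit
# status is the TCP flags byte of the last reply (18 = 0x12 = SYN+ACK,
# 20 = 0x14 = RST+ACK), so it can be decoded bit by bit.
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
                 0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}

# Assumption: hping's statistics contain a line like "1 packets received".
RECEIVED_RE = re.compile(r"(\d+) packets received")


def decode_flags(exit_code: int) -> set:
    """Flag names present in an hping2 --tcpexitcode exit status."""
    return {name for bit, name in TCP_FLAG_BITS.items() if exit_code & bit}


def parse_replies(output: str) -> int:
    """Reply count from the statistics line; 0 if the line is missing."""
    m = RECEIVED_RE.search(output)
    return int(m.group(1)) if m else 0


def port_state(exit_code: int, replies: int) -> str:
    """Map one probe to the state a scanner would report. The exit code is
    meaningless when nothing came back, and says nothing about ICMP errors,
    so the reply count is checked first and odd flag sets are not guessed at."""
    if replies == 0:
        return "filtered"
    flags = decode_flags(exit_code)
    if "RST" in flags:
        return "closed"
    if {"SYN", "ACK"} <= flags:
        return "open"
    return "unknown(%s)" % ",".join(sorted(flags))


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Run one SYN probe with hping2 (root is needed for the raw socket) and
    classify it. Assumes the command line shown on the page; the statistics
    are searched in stdout and stderr both, so the stream they go to does
    not matter. Not executed by the offline test."""
    cmd = ["hping2", host, "--syn", "-p", str(port), "--tcpexitcode", "-c", "1"]
    proc = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout)
    return port_state(proc.returncode, parse_replies(proc.stdout + proc.stderr))


if __name__ == "__main__":
    for code in (18, 20):
        print(code, sorted(decode_flags(code)), port_state(code, 1))
```

A single probe (-c 1) that gets lost also comes out as "filtered", so retry once before trusting that verdict in a script.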

For those who are bored by sending the same packet over and over, there is a SIGTSTP handler (Ctrl-Z) to increment or decrement either the TCP/UDP destination port (the default; press once to increment, twice in quick succession to decrement) or, with -z, the IP TTL:

    # hping2 www.slashdot.org --syn -p 79
    HPING www.slashdot.org (eth0 66.35.250.151): S set, 40 headers + 0 data bytes
    ICMP Unreachable type=10 from ip=66.35.250.151 name=star.slashdot.org
    ICMP Unreachable type=10 from ip=66.35.250.151 name=star.slashdot.org      (1)
    80: len=46 ip=66.35.250.151 ttl=49 DF id=0 sport=80 flags=SA seq=2 win=5840 rtt=194.2 ms
    len=46 ip=66.35.250.151 ttl=49 DF id=0 sport=80 flags=SA seq=3 win=5840 rtt=194.4 ms
    len=46 ip=66.35.250.151 ttl=49 DF id=0 sport=80 flags=SA seq=4 win=5840 rtt=194.4 ms

In the preceding example, Ctrl-Z is pressed after the second line, at (1). The destination port was incremented and there is an answer on port 80. Great, Slashdot is up! (The two ICMP Unreachable messages for port 79 are Destination Unreachable, code 10, communication administratively prohibited: a packet filter rejected the probes rather than the port answering with a RST.) But you don't want to scan 65,535 ports like this. hping2 is not a port scanner. The second mode actually does enable you to provide a list of destination ports you want hping2 to go through. All other parameters work the same as before:

    # hping2 --scan 79-81 www.slashdot.org -S
    Scanning www.slashdot.org (66.35.250.151), port 79-81
    3 ports to scan, use -V to see all the replies
    +----+-----------+---------+---+-----+-----+
    |port| serv name |  flags  |ttl| id  | win |
    +----+-----------+---------+---+-----+-----+
      79:       241   9223   (ICMP 3 10 from 66.35.250.151)
      80 www        : .S..A...  49     0  5840
      81:       241   9224   (ICMP 3 10 from 66.35.250.151)
    All replies received. Done.
    Not responding ports:

Port 80 answered SYN+ACK (the S and A in the flags column), ports 79 and 81 drew ICMP type 3 code 10 (administratively prohibited) from a packet filter, and the empty "Not responding ports" list shows that every probe got some reply.
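A parser for this scan table, as an added Python example (not from the book or from hping), for scripting the second mode: it maps each port to open, closed, filtered (ICMP error) or no reply. The sample input repeats the page's three result lines and adds two constructed ones (a closed port 82 and a non-responding port 83); the flag column order F S R P A U X Y is an assumption inferred from the `.S..A...` in the page's output.

```python
import re

# Added example, not from the book or from hping. Sample input: the page's
# scan output, plus two constructed lines (port 82 closed, port 83 silent)
# so every branch of the parser is exercised.
SCAN_OUTPUT = """\
Scanning www.slashdot.org (66.35.250.151), port 79-81
3 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+
|port| serv name |  flags  |ttl| id  | win |
+----+-----------+---------+---+-----+-----+
  79:       241   9223   (ICMP 3 10 from 66.35.250.151)
  80 www        : .S..A...  49     0  5840
  81:       241   9224   (ICMP 3 10 from 66.35.250.151)
  82 xfer       : ..R.A...  49 24359     0
All replies received. Done.
Not responding ports: 83
"""

# Assumption: one column per TCP flag in this order (FIN SYN RST PSH ACK URG X Y).
FLAG_ORDER = "FSRPAUXY"

LINE_RE = re.compile(r"^\s*(\d+)\s*([^\s:]*)\s*:\s*(.*?)\s*$")       # "port [name]: rest"
TCP_RE = re.compile(r"^([.A-Z]{8})\s+(\d+)\s+(\d+)\s+(\d+)$")        # flags ttl id win
ICMP_RE = re.compile(r"\(ICMP\s+(\d+)\s+(\d+)\s+from\s+(\S+)\)")     # (ICMP type code from ip)
NORESP_RE = re.compile(r"^Not responding ports:\s*(.*)$")


def flags_from_column(col: str) -> set:
    """Letters of the flag column ('.' means unset) mapped to flag names."""
    return {FLAG_ORDER[i] for i, ch in enumerate(col) if ch != "."}


def classify(flags: set) -> str:
    if "R" in flags:
        return "closed"
    if {"S", "A"} <= flags:
        return "open"
    return "unknown(%s)" % "".join(sorted(flags))


def parse_scan(text: str) -> dict:
    """Port -> state for one hping2 --scan run. Ports that drew an ICMP error
    are reported as filtered with the type/code, so a firewall REJECT is not
    confused with a closed port (RST) or with silence (DROP)."""
    states = {}
    for line in text.splitlines():
        m = NORESP_RE.match(line)
        if m:
            for port in m.group(1).split():
                states[int(port)] = "no reply"
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        port, rest = int(m.group(1)), m.group(3)
        icmp = ICMP_RE.search(rest)
        if icmp:
            states[port] = "filtered (icmp %s/%s from %s)" % icmp.groups()
            continue
        tcp = TCP_RE.match(rest)
        if tcp:
            states[port] = classify(flags_from_column(tcp.group(1)))
    return states


if __name__ == "__main__":
    for port, state in sorted(parse_scan(SCAN_OUTPUT).items()):
        print(port, state)
```

Feed it the real tool's output through a pipe (hping2 --scan ... | python3 parse_scan.py, reading stdin instead of SCAN_OUTPUT) and the distinction between "filtered", "closed" and "no reply" is what tells a REJECT rule from a DROP rule from a genuinely closed port.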

The third mode just listens to incoming packets, waiting to recognize a pattern (the signature). It then prints all the data from the end of the pattern to the end of the packet, so the pattern and the data you want must sit in the same packet. For example, we can display the content following a 404 and so catch HTTP errors for Not Found pages:

    # hping2 --listen "404"
     Not Found
    Server: Apache
    Transfer-Encoding: chunked
    [...]

Alas, this mode captures incoming packets only. You cannot use this to peek at packets sent by programs running on your box.
