Hping is a command line TCP/IP packet assembler/analyzer with embedded Tcl scripting functionality. Inspired by the ping command, Hping was developed by Antirez in 1998. As the name suggests, hping isn't limited to sending ICMP echo requests: it supports the TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, can transfer files over a covert channel, and offers many other features. Hping is often considered a complementary tool to Nmap. The tool runs on all major operating systems including Linux, *BSD, and Windows. Hping started out as a security tool, but it is now useful in many ways for testing networks and hosts. Below are the things you can do using hping:
- Firewall testing
- Advanced Port Scanning
- Network testing, using different protocols, TOS, fragmentation
- Manual path MTU discovery
- Advanced Traceroute, under all the supported protocols
- Remote OS fingerprinting
- Remote Uptime guessing
- TCP/IP stacks auditing
- Students learning TCP/IP
How to install Hping?
Hping is available as an RPM in the EPEL repository. If you already have the EPEL repo set up, you can install it with yum. If you haven't set up the EPEL repository yet, set it up as below. Note that hping3 builds raw packets, so it has to be run as root (or via sudo).
# yum install epel-release
Install Hping3
# yum install hping3
How to use Hping/Hping3
Below are some common uses of hping3, each with its command and sample output.
Port Scanning
TCP SYN scan
The simplest way to run a classic TCP SYN scan is to send TCP SYN packets to ports on a host/IP. The command below probes port 80 on IP 192.168.8.223. In the output, the reply carries flags=SA (SYN and ACK set), which indicates an open port.
VM-1# hping3 -S 192.168.8.223 -p 80 -c 1
HPING 192.168.8.223 (eth0 192.168.8.223): S set, 40 headers + 0 data bytes
len=44 ip=192.168.8.223 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.3 ms

--- 192.168.8.223 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.3/0.3 ms
VM-1#
Note: the -c 1 option sends the SYN packet only once. Without it, hping3 keeps sending one packet per second until interrupted.
To probe ports sequentially starting from port 80 (the destination port is incremented by one for every packet sent), run the following command:
VM-1$ hping3 -S 192.168.8.223 -p ++80
HPING 192.168.8.223 (eth0 192.168.8.223): S set, 40 headers + 0 data bytes
len=44 ip=192.168.8.223 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms
len=40 ip=192.168.8.223 ttl=64 DF id=22960 sport=81 flags=RA seq=1 win=0 rtt=0.4 ms
len=40 ip=192.168.8.223 ttl=64 DF id=23167 sport=82 flags=RA seq=2 win=0 rtt=0.3 ms
^C
--- 192.168.8.223 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.3/0.4/0.4 ms
VM-1$
In the output above, port 80 again answers with flags=SA (open), while ports 81 and 82 answer with flags=RA: these are RST packets, which indicate that those ports are closed. A port that never answers at all is most likely filtered by a firewall. Since no -c was given, the scan runs until interrupted with Ctrl-C.
To scan a whole port range in one pass, use hping3's scan mode (-8, or --scan) together with the flag to set on the probes, here -S:
VM-1$ hping3 -8 80-86 -S 192.168.8.223
Scanning 192.168.8.223 (192.168.8.223), port 80-86
7 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
  80 http       : .S..A... 64     0 29200    44
All replies received. Done.
Not responding ports:
VM-1$
In the scan of ports 80-86 above, only port 80 is open (SYN and ACK set in the flags column). Ports that answered with RST are not listed unless -V is given, and ports that never answered would appear under "Not responding ports".
TCP ACK Scan
This scan helps to check whether a host is alive, for example when ping is blocked. An unfiltered TCP port answers an unsolicited ACK with a RST whether the port is open or closed, so a RST reply tells you the host is up and nothing stateful is dropping the probe; it does not tell you whether the port is open. No reply at all suggests the port is filtered.
VM-1$ hping3 -p 80 -A 192.168.8.223 -c 1
HPING 192.168.8.223 (eth0 192.168.8.223): A set, 40 headers + 0 data bytes
len=40 ip=192.168.8.223 ttl=64 DF id=50603 sport=80 flags=R seq=0 win=0 rtt=0.2 ms

--- 192.168.8.223 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms
VM-1$
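Reading the flags by eye works for a handful of ports, but the rules for the SYN scan above (SA = open, RA/R = closed, silence = filtered) and for the ACK scan (R = unfiltered, silence = filtered) are easy to get wrong, so here is a small POSIX sh helper that applies them to hping3 reply lines. This is an added example, not code from the original article or from the hping project. It assumes hping3 is installed and run as root, and that reply lines have the shape shown in the outputs above; the sample lines inside demo() are constructed from those outputs.

```shell
#!/bin/sh
# Added example: turn hping3 reply lines into a port verdict.
# Assumption (mine, not the article's): hping3 reply lines look like
#   len=44 ip=192.168.8.223 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.3 ms
# and an ICMP error reply starts with the word ICMP.

# classify_reply <syn|ack> "<one hping3 reply line, or an empty string for no reply>"
# Prints "<port> <verdict>"; the port is "-" when the line carries none.
classify_reply() {
    probe=$1
    line=$2

    # hping3 prints nothing for a probe that a firewall silently drops; the
    # caller passes an empty string to represent that case.
    if [ -z "$line" ]; then
        echo "- filtered"
        return 0
    fi

    # An ICMP error (e.g. administratively prohibited) is another filter signature.
    case $line in
        ICMP*) echo "- filtered"; return 0 ;;
    esac

    port=$(printf '%s\n' "$line" | sed -n 's/.*sport=\([0-9][0-9]*\).*/\1/p')
    flags=$(printf '%s\n' "$line" | sed -n 's/.*flags=\([A-Z]*\).*/\1/p')
    [ -n "$port" ] || port="-"

    case $probe in
        syn)
            # SYN probe: SYN/ACK means a listener; RST (with or without ACK) means closed.
            case $flags in
                *S*A*|*A*S*) echo "$port open" ;;
                *R*)         echo "$port closed" ;;
                *)           echo "$port unknown" ;;
            esac ;;
        ack)
            # ACK probe: every unfiltered port, open or closed, answers with RST, so a
            # RST only proves the host is up and that no stateful filter sits in between.
            case $flags in
                *R*) echo "$port unfiltered" ;;
                *)   echo "$port unknown" ;;
            esac ;;
        *)
            echo "usage: classify_reply syn|ack line" >&2
            return 1 ;;
    esac
}

# scan_port <host> <port> [syn|ack]: run one real hping3 probe (root required) and classify it.
scan_port() {
    host=$1; port=$2; probe=${3:-syn}
    case $probe in
        syn) flag=-S ;;
        ack) flag=-A ;;
        *)   echo "usage: scan_port host port [syn|ack]" >&2; return 1 ;;
    esac
    # -c 1 sends a single probe; keep only the first reply line, if any.
    reply=$(hping3 "$flag" "$host" -p "$port" -c 1 2>&1 | grep -E '^(len=|ICMP)' | head -n 1)
    classify_reply "$probe" "$reply"
}

# Constructed sample lines modelled on the outputs earlier on this page.
demo() {
    classify_reply syn "len=44 ip=192.168.8.223 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.3 ms"
    classify_reply syn "len=40 ip=192.168.8.223 ttl=64 DF id=22960 sport=81 flags=RA seq=1 win=0 rtt=0.4 ms"
    classify_reply syn ""
    classify_reply ack "len=40 ip=192.168.8.223 ttl=64 DF id=50603 sport=80 flags=R seq=0 win=0 rtt=0.2 ms"
}
```

Running demo prints "80 open", "81 closed", "- filtered" and "80 unfiltered". Against a live target, scan_port 192.168.8.223 80 ack wraps the ACK probe shown above; note that the verdict for an ACK probe is deliberately "unfiltered", never "open", because the RST reply cannot distinguish the two.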
These are only a few of the many uses of hping3; see the hping3 man page and the project documentation for the full set of options.
I finally got hping 3 installed!