Hping - Active Network Security Tool

Hping Tutorial

by d3hydr8 > www.darkc0de.com
date: 12/24/07

Homepage: http://www.hping.org/
Download: http://www.hping.org/download.php


hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface
is inspired by the ping(8) unix command, but hping isn't only able to send ICMP
echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute
mode, the ability to send files over a covert channel, and many other

First, let's look at installing it. I'm not much of a writer, so I will just show
the commands used throughout most of this tutorial.

d3hydr8@linuxbox:~> ls | grep hping
d3hydr8@linuxbox:~> tar xvf hping3-20051105.tar.gz
d3hydr8@linuxbox:~> ls
hping3-20051105 hping3-20051105.tar.gz
d3hydr8@linuxbox:~> cd hping3-20051105
linuxbox:/home/d3hydr8/hping3-20051105 # ./configure
build byteorder.c...
create byteorder.h...
linuxbox:/home/d3hydr8/hping3-20051105 # make
gcc -c -O2 -Wall -DUSE_TCL -g libpcap_stuff.c
gcc -c -O2 -Wall -DUSE_TCL -g memlockall.c
linuxbox:/home/d3hydr8/hping3-20051105 # make install
cp -f hping3 /usr/sbin/
chmod 755 /usr/sbin/hping3
ln -s /usr/sbin/hping3 /usr/sbin/hping
ln -s /usr/sbin/hping3 /usr/sbin/hping2
linuxbox:/home/d3hydr8/hping3-20051105 # ./hping3 -v
hping version 3.0.0-alpha-1 ($Id: release.h,v 1.4 2004/04/09 23:38:56 antirez
Exp $)
This binary is TCL scripting capable


Now that we have hping installed, let's enter the hping3 interactive shell and
use the resolve command.


linuxbox:/home/d3hydr8 # hping3
hping3> hping resolve www.darkc0de.com


You can find a complete list of commands in the hping3 API page.


hping2 is the older version of the tool, driven from the command line,
while the newer hping3 adds a Tcl scripting engine.
Since we will be working mainly with the command line, you will see me
using hping2 from here on. Running it with the --help option prints the list
of options hping supports; the same list is at the bottom of this tutorial.

linuxbox:/home/d3hydr8 # hping2 --help
usage: hping host [options]

Let's start with some port scanning...

linuxbox:/home/d3hydr8 # host yahoo.com
yahoo.com has address
linuxbox:/home/d3hydr8 # hping -I wlan0 -S -p 80 -c 3
HPING (wlan0 S set, 40 headers + 0 data bytes
len=40 ip= ttl=110 id=18735 sport=80 flags=SA seq=0 win=8192 rtt=95.7 ms
len=40 ip= ttl=112 id=18931 sport=80 flags=SA seq=1 win=8192 rtt=97.9 ms
len=40 ip= ttl=110 id=19104 sport=80 flags=SA seq=2 win=8192 rtt=94.4 ms

--- hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 94.4/96.0/97.9 ms

In this output you can see that we used the -I option to choose our interface
name (wlan0). You can get your interface name by using the ifconfig command.
We used the -S option to set the SYN flag, which makes this a SYN scan
(aka stealth scan). We also chose to scan port 80 with -p and to stop after
3 packets with the -c option.

flags=SA >> open
flags=RA >> closed

As you can see from that little table, port 80 was open. Let's try another
example with a few more flags.


linuxbox:/home/d3hydr8 # hping2 -I wlan0 -S -M 3000 -p ++21 --fast
HPING (wlan0 S set, 40 headers + 0 data bytes
len=40 ip= ttl=110 id=17176 sport=80 flags=SA seq=59 win=8192 rtt=100.5 ms
len=40 ip= ttl=112 id=22501 sport=443 flags=SA seq=422 win=8192 rtt=101.9 ms


As you can see from this example, we are doing another port scan, but this time
incrementing the ports from 21 with the -p ++21 option (21,22,23,etc). We also
use the --fast option, an alias for -i u10000 (10 packets per second). The other
option is -M 3000, which sets the TCP sequence number to 3000.
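
Applying the flags table to a whole incrementing-port run, as an added example that is not part of the original tutorial: the Python function below sorts hping reply lines into open (SA) and closed (RA) and lists the probed ports that never answered, which is how a filtered port shows up. The function name, the sample output and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Reply-line format as hping prints it in the sessions above.
REPLY = re.compile(
    r"len=\d+ ip=(?P<ip>\S*) ttl=\d+ .*?"
    r"sport=(?P<port>\d+) flags=(?P<flags>[A-Z]+)"
)
STATE = {"SA": "open", "RA": "closed"}  # the tutorial's flags table


def summarize(output, base_port, sent):
    """Group the ports of a '-p ++<base_port>' run by what came back.

    sent is the 'packets tramitted' count from hping's statistics block.
    """
    result = {"open": [], "closed": [], "other": [], "silent": []}
    seen = set()
    for line in output.splitlines():
        m = REPLY.search(line)
        if m is None:
            continue  # banner, statistics and ICMP lines carry no flags
        port = int(m["port"])
        if port in seen:
            continue  # keep the first answer per port
        seen.add(port)
        result[STATE.get(m["flags"], "other")].append(port)
    # Probed but unanswered: dropped by a packet filter or lost in transit.
    probed = range(base_port, base_port + sent)
    result["silent"] = [p for p in probed if p not in seen]
    return result


# Constructed sample output (192.0.2.10 is a documentation address).
SAMPLE = """\
HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes
len=40 ip=192.0.2.10 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=5840 rtt=0.4 ms
len=40 ip=192.0.2.10 ttl=64 DF id=0 sport=23 flags=RA seq=2 win=0 rtt=0.3 ms

--- 192.0.2.10 hping statistic ---
5 packets tramitted, 2 packets received, 60% packet loss
"""

if __name__ == "__main__":
    print(summarize(SAMPLE, base_port=21, sent=5))
```

Run against a host you administer, the "silent" list is the part to compare with the intended firewall policy: those ports gave neither SA nor RA.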

We all know how noisy port scans can be, so let's use an option that will
help us out.


linuxbox:/home/d3hydr8 # hping2 -I wlan0 -SA -a -p ++21 --faster
HPING (wlan0 SA set, 40 headers + 0 data bytes
len=40 ip= ttl=255 id=6899 sport=80 flags=R seq=0 win=0 rtt=0.0 ms

--- hping statistic ---
161083 packets tramitted, 1 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms


As you can see here, we used the -a option to spoof our IP address. We also
chose to combine flags with -SA, which is a SYN/ACK scan. To see if my
IP address was being spoofed, I ran a session of tcpdump.


linuxbox:/home/d3hydr8 # tcpdump -i wlan0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on wlan0, link-type EN10MB (Ethernet), capture size 96 bytes
00:14:03.969419 IP > w2.rc.vip.scd.yahoo.com.27299: S 247614302:247614302(0) ack 1324676282 win 512
00:14:03.971087 IP > w2.rc.vip.scd.yahoo.com.27300: S 1843027743:1843027743(0) ack 503065324 win 512


Just as I expected, my IP is being spoofed "IP".
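
On the receiving network, the SYN/ACK packets in that capture stand out because they answer no SYN that the host ever sent. The Python check below is an added example, not part of the original tutorial: it reads old-style tcpdump lines in the format shown above and reports every SYN/ACK with no matching handshake. The function name, the capture lines and the documentation addresses are constructed.

```python
import re

# Old-style tcpdump TCP line, the format shown in the capture above.
LINE = re.compile(
    r"IP (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[SFPRWE.]+) "
    r"(?:\d+:\d+\(\d+\) )?(?P<ack>ack \d+)?"
)


def unsolicited_synacks(capture):
    """Return (src, dst) endpoints of SYN/ACKs that answer no earlier SYN."""
    pending = set()  # (client, server) endpoints with a SYN still unanswered
    alerts = []
    for line in capture.splitlines():
        m = LINE.search(line)
        if m is None or "S" not in m["flags"]:
            continue  # only segments carrying SYN matter here
        src, dst = m["src"], m["dst"]
        if m["ack"] is None:
            pending.add((src, dst))        # plain SYN opens a handshake
        elif (dst, src) in pending:
            pending.discard((dst, src))    # SYN/ACK answering that SYN
        else:
            alerts.append((src, dst))      # SYN/ACK with nothing to answer
    return alerts


# Constructed capture: one normal handshake, then two out-of-state SYN/ACKs.
CAPTURE = """\
00:14:01.100000 IP 192.0.2.10.40000 > 203.0.113.5.80: S 100:100(0) win 5840
00:14:01.150000 IP 203.0.113.5.80 > 192.0.2.10.40000: S 900:900(0) ack 101 win 8192
00:14:03.969419 IP 198.51.100.7.2101 > 192.0.2.10.21: S 247614302:247614302(0) ack 1324676282 win 512
00:14:03.971087 IP 198.51.100.7.2102 > 192.0.2.10.22: S 1843027743:1843027743(0) ack 503065324 win 512
00:14:03.971500 IP 192.0.2.10.22 > 198.51.100.7.2102: R 503065324:503065324(0) win 0
"""

if __name__ == "__main__":
    for src, dst in unsolicited_synacks(CAPTURE):
        print("out-of-state SYN/ACK:", src, "->", dst)
```

Because the -a option makes the source address unreliable, the alert is useful for spotting the probe and tuning stateful filtering, not for attributing it to the address shown.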

Let's try some firewall and traceroute action. First, let's use nmap to scan a port.


linuxbox:/home/d3hydr8 # nmap -sS -p 25

Starting Nmap 4.50 ( http://insecure.org ) at 2007-12-24 00:52 EST
Interesting ports on srp42r2.flickr.re2.yahoo.com (
25/tcp filtered smtp

Nmap done: 1 IP address (1 host up) scanned in 1.489 seconds


It seems this port is behind some kind of firewall. Let's test it with hping and
a couple of new options:

-t sets initial ttl in the IP header
-z binds the "ctrl+z" key combination to the ttl, meaning every time
you press "ctrl+z" the TTL field is increased.


linuxbox:/home/d3hydr8 # hping -I wlan0 -z -t 6 -S -p 25
HPING (wlan0 S set, 40 headers + 0 data bytes
TTL 0 during transit from ip= name=UNKNOWN
7: TTL 0 during transit from ip= name=atl-edge-18.inet.qwest.net
8: TTL 0 during transit from ip= name=atl-core-01.inet.qwest.net
9: TTL 0 during transit from ip= name=cer-core-02.inet.qwest.net
10: TTL 0 during transit from ip= name=chp-brdr-02.inet.qwest.net
12: TTL 0 during transit from ip= name=if-5-0-0-720.core2.DTX-Dallas.teleglobe.net
13: TTL 0 during transit from ip= name=ix-4-1.core2.DTX-Dallas.teleglobe.net
14: TTL 0 during transit from ip= name=so-4-1-0.pat1.dce.yahoo.com
15: TTL 0 during transit from ip= name=ge-3-1-0-p150.msr2.re1.yahoo.com
16: TTL 0 during transit from ip= name=te4-1.bas-b2.re2.yahoo.com
17: len=40 ip= ttl=255 id=31610 sport=25 flags=SA seq=0 win=0 rtt=0.0 ms
len=40 ip= ttl=255 id=21098 sport=25 flags=SA seq=0 win=0 rtt=0.0 ms
len=40 ip= ttl=255 id=2613 sport=25 flags=SA seq=0 win=0 rtt=0.0 ms


As you can see above, we reached the server in 11 extra hops.

Using hping as a DoS tool can be as easy as 2 options.

-a option to spoof your address
-i indicates your intervals in microseconds (-i u1000)

hping2 -I wlan0 -a -S -p 6667 -i u1000
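
Seen from the receiving side, the command above is a steady stream of bare SYNs to one port (-i u1000 is one packet every 1000 microseconds) from a source address that cannot be trusted. The sliding-window counter below is an added example, not part of the original tutorial; it keys on the destination port instead of the source, and the event tuples, the threshold of 200 SYNs per second and the addresses are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_US = 1_000_000  # one second, in microseconds like hping's -i uX


def syn_rate_alerts(events, threshold=200, window=WINDOW_US):
    """Return {dst_port: time_us} for the moment the SYN rate first exceeded
    threshold packets per window.

    events: time-ordered (time_us, src_ip, dst_port, flags) tuples.
    The source address is ignored on purpose: with -a it is attacker-chosen,
    so per-source counters can be evaded or pointed at an innocent host.
    """
    recent = defaultdict(deque)  # dst_port -> SYN timestamps inside the window
    alerts = {}
    for ts, _src, dport, flags in events:
        if flags != "S":
            continue  # only a SYN without ACK creates a half-open entry
        q = recent[dport]
        q.append(ts)
        while ts - q[0] >= window:
            q.popleft()  # forget SYNs older than the window
        if len(q) > threshold and dport not in alerts:
            alerts[dport] = ts
    return alerts


def constructed_events():
    """Constructed sample: a trickle of SYNs to port 80 (one every 200 ms)
    and a 1 ms-interval SYN stream to port 6667 starting at t = 1 s."""
    ev = [(i * 200_000, "192.0.2.20", 80, "S") for i in range(10)]
    ev += [(1_000_000 + i * 1000, "203.0.113.9", 6667, "S") for i in range(500)]
    return sorted(ev)


if __name__ == "__main__":
    for port, ts in syn_rate_alerts(constructed_events()).items():
        print(f"SYN rate above threshold on port {port} at t={ts} us")
```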

I hope you learned something about the basic workings of hping from this
tutorial. I encourage you to check out all the options and techniques
hping has to offer.
visit darkc0de.com, thanks d3hydr8[at]darkc0de[dot]com

Hping Options:

usage: hping host [options]
-h --help show this help
-v --version show version
-c --count packet count
-i --interval wait (uX for X microseconds, for example -i u1000)
--fast alias for -i u10000 (10 packets for second)
--faster alias for -i u1000 (100 packets for second)
--flood sent packets as fast as possible. Don't show replies.
-n --numeric numeric output
-q --quiet quiet
-I --interface interface name (otherwise default routing interface)
-V --verbose verbose mode
-D --debug debugging info
-z --bind bind ctrl+z to ttl (default to dst port)
-Z --unbind unbind ctrl+z
--beep beep for every matching packet received
default mode TCP
-0 --rawip RAW IP mode
-1 --icmp ICMP mode
-2 --udp UDP mode
-8 --scan SCAN mode.
Example: hping --scan 1-30,70-90 -S www.target.host
-9 --listen listen mode

-a --spoof spoof source address
--rand-dest random destionation address mode. see the man.
--rand-source random source address mode. see the man.
-t --ttl ttl (default 64)
-N --id id (default random)
-W --winid use win* id byte ordering
-r --rel relativize id field (to estimate host traffic)
-f --frag split packets in more frag. (may pass weak acl)
-x --morefrag set more fragments flag
-y --dontfrag set dont fragment flag
-g --fragoff set the fragment offset
-m --mtu set virtual mtu, implies --frag if packet size > mtu
-o --tos type of service (default 0x00), try --tos help
-G --rroute includes RECORD_ROUTE option and display the route buffer
--lsrr loose source routing and record route
--ssrr strict source routing and record route
-H --ipproto set the IP protocol field, only in RAW IP mode
-C --icmptype icmp type (default echo request)
-K --icmpcode icmp code (default 0)
--force-icmp send all icmp types (default send only supported types)
--icmp-gw set gateway address for ICMP redirect (default
--icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)
--icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)
--icmp-help display help for others icmp options
-s --baseport base source port (default random)
-p --destport [+][+] destination port(default 0) ctrl+z inc/dec
-k --keep keep still source port
-w --win winsize (default 64)
-O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
-Q --seqnum shows only tcp sequence number
-b --badcksum (try to) send packets with a bad IP checksum
many systems will fix the IP checksum sending the packet
so you'll get bad UDP/TCP checksum instead.
-M --setseq set TCP sequence number
-L --setack set TCP ack
-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)
--tcpexitcode use last tcp->th_flags as exit code
--tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime

-d --data data size (default is 0)
-E --file data from file
-e --sign add 'signature'
-j --dump dump packets in hex
-J --print dump printable characters
-B --safe enable 'safe' protocol
-u --end tell you when --file reached EOF and prevent rewind
-T --traceroute traceroute mode (implies --bind and --ttl 1)
--tr-stop Exit when receive the first not ICMP in traceroute mode
--tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop
--tr-no-rtt Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
--apd-send Send the packet described with APD (see docs/APD.txt)