Let's learn some useful hping3 commands and syntax that are very useful for scanning and general-purpose exploitation.

Kushal Pokhrel
5 min read · Jul 13, 2022


Image: hping3 — information gathering

hping3 commands for scanning methods

ICMP ping

hping3 -1 10.0.0.25

Hping performs an ICMP ping scan when you specify the argument -1 on the command line. You may use either --icmp or -1. By issuing the above command, hping sends an ICMP echo request to 10.0.0.25 and receives an ICMP echo reply, the same as with the ping utility.

ACK scan on port 80

hping3 -A 10.0.0.25 -p 80

Hping can be configured to perform an ACK scan by specifying the argument -A on the command line. Here, you are setting the ACK flag in the probe packets and performing the scan. You perform this scan when a host does not respond to a ping request. By issuing this command, Hping checks whether a host is alive on the network. If it finds a live host and an open port, it returns an RST response.

UDP scan on port 80

hping3 -2 10.0.0.25 -p 80

Hping uses TCP as its default protocol. Using the argument -2 on the command line specifies that Hping operates in UDP mode. You may use either --udp or -2. By issuing the above command, Hping sends UDP packets to port 80 on the host (10.0.0.25). It returns an ICMP port unreachable message if it finds the port closed, and gets no response at all if the port is open.

Collecting Initial Sequence Number

hping3 192.168.1.103 -Q -p 139 -s

By using the argument -Q in the command line, Hping collects all the TCP sequence numbers generated by the target host (192.168.1.103).

Firewalls and Time Stamps

hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

Many firewalls drop TCP packets that do not have the TCP Timestamp option set. By adding the --tcp-timestamp argument on the command line, you enable the TCP timestamp option in Hping and can try to guess the timestamp update frequency and uptime of the target host (72.14.207.99).
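The uptime guess the previous paragraph mentions is plain arithmetic on the TSval field of the replies: the target's tick rate is the change in TSval per second of wall-clock time, and the uptime is the latest TSval divided by that rate. The following Python is an added example of that arithmetic, not code from the article or from the hping project; the sample replies, the assumed set of common tick rates, and all function names are constructed for illustration.

```python
from statistics import median

# Constructed samples, not measurements of a real host: each entry is
# (wall-clock seconds when the reply arrived, TSval carried in the reply's
# TCP timestamp option). A host ticking at 100 Hz advances TSval by 100
# per second; the last reply arrives 0.1 s late to simulate network jitter.
SAMPLES = [
    (1000.00, 123456700),
    (1001.00, 123456800),
    (1002.00, 123456900),
    (1003.10, 123457000),
]

# Tick rates commonly seen in practice (assumed set; extend as needed).
COMMON_HZ = (100, 250, 1000)


def estimate_hz(samples):
    """Raw tick-rate estimate: the median of (delta TSval / delta seconds)
    over consecutive samples, which tolerates a single jittered reply."""
    rates = []
    for (t0, ts0), (t1, ts1) in zip(samples, samples[1:]):
        if t1 > t0:
            rates.append((ts1 - ts0) / (t1 - t0))
    if not rates:
        raise ValueError("need at least two samples with distinct arrival times")
    return median(rates)


def snap_hz(hz):
    """Round the raw estimate to the nearest common tick rate."""
    return min(COMMON_HZ, key=lambda c: abs(c - hz))


def estimate_uptime_seconds(samples):
    """Uptime guess: latest TSval divided by the tick rate. Only meaningful
    when the host's TSval counts from boot; a host that randomises the
    timestamp base per connection still yields a correct rate but a
    meaningless uptime, which is why the article says 'try to guess'."""
    hz = snap_hz(estimate_hz(samples))
    return samples[-1][1] / hz


if __name__ == "__main__":
    print("tick rate:", snap_hz(estimate_hz(SAMPLES)), "Hz")
    print("uptime:", estimate_uptime_seconds(SAMPLES) / 86400, "days")
```

Because the uptime value depends entirely on the host's timestamp base, treat it as a hint rather than a fact; the tick rate is the more reliable of the two numbers.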

SYN scan on port 50–60

hping3 -8 50-60 -S 10.0.0.25 -V

By using the argument -8 (or --scan) in the command, you are operating Hping in scan mode to scan a range of ports on the target host. Adding the argument -S makes it a SYN scan. Therefore, the above command performs a SYN scan on ports 50-60 of the target host.

FIN, PUSH and URG scan on port 80

hping3 -F -P -U 10.0.0.25 -p 80

By adding the arguments -F, -P, and -U to the command, you are setting the FIN, PUSH, and URG flags in the probe packets. By issuing this command, you are performing a FIN, PUSH, and URG scan on port 80 of the target host (10.0.0.25). If port 80 is open on the target, you will not receive a response. If the port is closed, Hping will return an RST response.

Scan entire subnet for live host

hping3 -1 10.0.1.x --rand-dest -I eth0

By issuing this command, Hping performs an ICMP ping scan on the entire subnet 10.0.1.x; in other words, it sends ICMP echo requests randomly (--rand-dest) to all the hosts from 10.0.1.0 to 10.0.1.255 that are reachable through the interface eth0. The hosts whose ports are open will respond with an ICMP reply. In this case, you have not set a port, so Hping sends packets to port 0 on all IP addresses by default.

Intercept all traffic containing HTTP signature

hping3 -9 HTTP -I eth0

The argument -9 puts Hping in listen mode. So, by issuing the command with -9 HTTP, Hping starts listening on port 0 (of all the devices in the network reachable through interface eth0), intercepts all the packets containing the HTTP signature, and dumps everything from the end of the signature to the end of the packet. For example, on issuing the command hping2 -9 HTTP, if Hping reads a packet that contains the data 234-09sdflkjs45-HTTPhello_world, it will display the result as hello_world.

SYN flooding a victim

hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

The attacker employs TCP SYN flooding techniques by using spoofed IP addresses to perform a DoS attack.

Determine the number of pings

hping3 -c 3 10.10.10.10

Here, -c 3 means that we only want to send three packets to the target machine.

Use a random source address

--rand-source

Set data size

--data <size>

Sets the data packet size in bytes.

Spoof source address

hping3 -S <IP address attacked> -a <spoofed IP address>

or

hping3 -S <IP address attacked> --spoof <spoofed IP address>
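On the receiving side, the flood, --rand-source and spoofed-source commands above share one signature: a burst of SYNs arriving at one port from many different source addresses, none of which ever completes the handshake, because a spoofed source never sees the SYN-ACK. The Python below is an added detection example written from the defender's side, not code from the article or the hping project; the packet records are constructed rather than captured, and the function name, thresholds and record layout are assumptions.

```python
from collections import defaultdict

# Constructed packet records: (seconds, src_ip, dst_ip, dst_port, tcp_flags).
# Not a real capture. The port-22 records mimic a SYN flood with a random
# spoofed source per packet; the port-80 records are one ordinary handshake.
PACKETS = [
    (0.00, "203.0.113.10", "192.168.1.1", 22, "S"),
    (0.01, "198.51.100.7", "192.168.1.1", 22, "S"),
    (0.02, "203.0.113.99", "192.168.1.1", 22, "S"),
    (0.03, "198.51.100.42", "192.168.1.1", 22, "S"),
    (0.04, "203.0.113.3", "192.168.1.1", 22, "S"),
    (0.05, "198.51.100.250", "192.168.1.1", 22, "S"),
    (0.10, "10.0.0.5", "192.168.1.1", 80, "S"),
    (0.11, "10.0.0.5", "192.168.1.1", 80, "A"),
]


def detect_syn_flood(packets, window=1.0, min_syns=5, max_completion=0.2):
    """Flag (dst_ip, dst_port) pairs that receive at least `min_syns` SYNs
    within any `window` seconds while at most `max_completion` of the sending
    sources ever follow up with an ACK. Spoofed sources never complete the
    handshake, so a SYN burst with no completions is the flood's signature.
    Returns {(dst_ip, dst_port): {"syns": n, "sources": n, "completed": n}}."""
    by_dst = defaultdict(list)
    for pkt in sorted(packets):
        by_dst[(pkt[2], pkt[3])].append(pkt)

    alerts = {}
    for dst, pkts in by_dst.items():
        syns = [p for p in pkts if p[4] == "S"]
        acked_sources = {p[1] for p in pkts if p[4] == "A"}
        start = 0
        for end in range(len(syns)):
            # shrink the window from the left until it spans <= `window` seconds
            while syns[end][0] - syns[start][0] > window:
                start += 1
            burst = syns[start:end + 1]
            if len(burst) < min_syns:
                continue
            sources = {p[1] for p in burst}
            completed = len(sources & acked_sources)
            if completed / len(sources) <= max_completion:
                report = {"syns": len(burst), "sources": len(sources), "completed": completed}
                # keep the largest qualifying burst seen for this destination
                if dst not in alerts or report["syns"] > alerts[dst]["syns"]:
                    alerts[dst] = report
    return alerts


if __name__ == "__main__":
    for dst, report in detect_syn_flood(PACKETS).items():
        print(f"possible SYN flood against {dst[0]}:{dst[1]} -> {report}")
```

The thresholds are deliberately low so the constructed sample trips the detector; on real traffic they should be tuned to the service's normal connection rate, and the completion ratio matters more than the raw SYN count, since a busy but healthy service sees high SYN rates with most handshakes completing.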

Examples

hping3 <Target IP> -Q -p 139 -s

By using the argument -Q in the command line, Hping collects all the TCP sequence numbers generated by the target host.

hping3 -A <Target IP> -p 80

By issuing this command, Hping checks if a host is alive on a network. If it finds a live host and an open port, it returns an RST response.

hping3 -S <Target IP> -p 80 --tcp-timestamp

By adding the --tcp-timestamp argument in the command line, Hping enables the TCP timestamp option and tries to guess the timestamp update frequency and uptime of the target host.

hping3 -F -P -U 10.0.0.25 -p 80

By issuing this command, an attacker can perform FIN, PUSH, and URG scans on port 80 on the target host.

hping3 --scan 1-3000 -S 10.10.10.10

Here, the --scan parameter defines the port range to scan and -S sets the SYN flag.

hping3 10.10.10.10 --udp --rand-source --data 500

Perform UDP packet crafting: send UDP packets with a random source address and a 500-byte payload.

Thanks for reading. That's the end of it… I hope you have learnt something new today; let's hope that you will have the intuition that the knowledge you gain will be used only and only for knowledge and educational purposes. It is not intended to harm or cause damage to anybody or anyone. All readers are responsible for their stake in making the internet a safe haven, and let's promise ourselves that we will not use or make use of the tools and techniques that we learnt from this article for malicious intentions or purposes. As the saying goes, “Don't Be Evil” … Google.

Image: Google — Don’t be evil

References:

Hping.org. (2019). Hping — Active Network Security Tool. [online] Available at: http://www.hping.org/.
