Author: JT Smith
As the name suggests, hping is based on the ping utility, but the two applications are used in different ways. You will have used ping to see whether a device is reachable across a network, and perhaps to look at the route between your computer and another one (with the -R record-route option). Ping uses the Internet Control Message Protocol (ICMP), one of the fundamental elements of TCP/IP. All it does is send out ICMP requests (ICMP ECHO_REQUEST) and wait for a valid reply (ICMP ECHO_REPLY). Ping tells you that the destination is reachable, but says nothing about what is running at the other end: a host answers ping as soon as its network stack is up, before any of the services you actually care about have started.
Hping differs from ping in that, as well as sending ICMP packets, it can also send TCP (Transmission Control Protocol), UDP (User Datagram Protocol) and raw IP (Internet Protocol) packets; TCP is the default mode. You can also set individual header fields and flags yourself, to see how a target responds to packets it would not normally receive.
Using hping to simulate an attack
When probing a system, attackers frequently start with a SYN scan. A SYN packet is the first step of the TCP three-way handshake, so sending one is a basic way of finding out what is listening on a target. The scanner sends a SYN packet to a port on the target. If a service is listening on that port, the target replies with SYN/ACK; if nothing is listening it replies with RST/ACK; if a firewall drops the probe there is no reply at all. The scanner never sends the final ACK of the handshake, which is why this is also called a half-open scan. A SYN/ACK tells the attacker that he has found a possible way in.
This is where hping comes into its own. We can use it to carry out exactly this type of activity (hping builds raw packets, so you will need to run it as root or with the CAP_NET_RAW capability):
hping -S localhost -c 1
HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.2 ms
--- localhost hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms
There are two fields to take particular note of. The first is "sport", the source port of the reply, which is the port we just probed (here the default destination port, 0). The second is "flags", the TCP flags in the reply sent back by the target host (localhost in this example). An RA (RST/ACK) packet was returned, meaning that nothing is listening on this port. If the response had been an SA (SYN/ACK) packet then we would have found a listening service, and a possible way into the host.
We can use hping to talk to any port on the target by setting the destination port with -p:
hping -S localhost -c 1 -p 1
HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=1 flags=RA seq=0 win=0 rtt=0.2 ms
--- localhost hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms
Even more usefully, we can tell hping to increment the destination port after every packet, starting from a given port:
hping -S localhost -p ++0
HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=1 flags=RA seq=1 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=2 flags=RA seq=2 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=3 flags=RA seq=3 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=4 flags=RA seq=4 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=5 flags=RA seq=5 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=6 flags=RA seq=6 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=7 flags=RA seq=7 win=0 rtt=0.1 ms
--- localhost hping statistic ---
8 packets tramitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms
Without -c, hping keeps going until you interrupt it (the eight packets above are where Ctrl-C was pressed), and at its default rate of one packet per second a scan of the low ports alone takes hours; -i u1000 or --faster sends packets far more quickly. As you can imagine, this operation generates a large amount of output, most of which we don't want (we need only the SA replies, not the RAs). We can, therefore, filter the output:
hping -S localhost -p ++0 | grep "flags=SA"
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=22 win=32767 rtt=0.3 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=25 flags=SA seq=25 win=32767 rtt=0.2 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=37 flags=SA seq=37 win=32767 rtt=0.2 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=80 flags=SA seq=80 win=32767 rtt=0.2 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=113 flags=SA seq=113 win=32767 rtt=0.2 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=587 flags=SA seq=587 win=32767 rtt=0.3 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=3306 flags=SA seq=3306 win=32767 rtt=0.4 ms
--- localhost hping statistic ---
9479 packets tramitted, 9479 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.2/0.4 ms
This makes it clear that seven services are listening, each of which is a potential way in and needs to be accounted for. Two caveats: grep keeps only the SYN/ACK replies, so a port that returned nothing at all (a probe dropped by a firewall) is indistinguishable from a closed one in this output, and the final statistics still appear because hping writes them to stderr, which the pipe does not carry.
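The grep pipeline above loses the distinction between a closed port and a silent one. The following script is an added example, not code from the article or from the hping project: it parses hping's reply lines for a known port range and reports every port as open (SYN/ACK), closed (RST) or filtered (no reply), and wraps the scan itself. It assumes the reply format shown above, the hping3 binary name used by current distributions (the article's commands use plain hping), and hping's --faster option (100 packets per second). The sample replies are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): classify hping SYN-scan replies.
# classify_hping FIRST LAST < hping-output
# Reads the reply lines hping prints ("... sport=N flags=XX ...") for a scan
# of destination ports FIRST..LAST and prints "PORT state" for each port.
# "sport" in a reply is the port that was probed.
classify_hping() {
    awk -v first="$1" -v last="$2" '
        /flags=/ {
            port = ""; flags = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^sport=/) { split($i, a, "="); port = a[2] }
                if ($i ~ /^flags=/) { split($i, a, "="); flags = a[2] }
            }
            if (port == "") next
            if (flags == "SA")      state[port] = "open"       # SYN/ACK: a listener
            else if (flags ~ /R/)   state[port] = "closed"     # RST or RST/ACK
            else                    state[port] = "other:" flags
        }
        END {
            for (p = first + 0; p <= last + 0; p++) {
                # a port that never answered was most likely dropped by a firewall
                s = (p in state) ? state[p] : "filtered"
                print p, s
            }
        }'
}

# syn_scan HOST FIRST LAST: run the scan and classify it.
# Needs root or CAP_NET_RAW. hping3 is the binary name assumed here; -c limits
# the scan to exactly the ports in the range, --faster sends 100 packets/s.
# hping writes its statistics to stderr, which is discarded here.
syn_scan() {
    count=$(( $3 - $2 + 1 ))
    hping3 -S "$1" -p "++$2" -c "$count" --faster 2>/dev/null \
        | classify_hping "$2" "$3"
}

# Constructed sample of hping replies for a scan of ports 20-25, modelled on
# the output above: 22 and 25 answer SYN/ACK, 23 never answers at all.
SAMPLE_REPLIES='len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=20 flags=RA seq=0 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=21 flags=RA seq=1 win=0 rtt=0.2 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=32767 rtt=0.3 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=24 flags=RA seq=4 win=0 rtt=0.2 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=25 flags=SA seq=5 win=32767 rtt=0.2 ms'

# Offline demonstration on the constructed sample; against a real target use
# e.g. "syn_scan 192.0.2.10 1 1024" as root.
printf '%s\n' "$SAMPLE_REPLIES" | classify_hping 20 25
```

The parser only understands TCP replies; an ICMP unreachable message from a router (which hping prints in a different format) is treated the same as silence, which is usually the right reading for a SYN scan anyway.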
Seeing it from both sides
So far we've looked only at what's happening from the outside, but it is instructive to run tcpdump on the target host at the same time as you're using hping. Like hping, tcpdump needs root (or CAP_NET_RAW) to capture packets.
hping -S -p 0 localhost -c 1
HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.4 ms
--- localhost hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.4 ms

hping -S -p 3306 localhost -c 1
HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=3306 flags=SA seq=0 win=32767 rtt=0.6 ms
--- localhost hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.6/0.6 ms
tcpdump
11:00:28.038363 IP localhost.2857 > localhost.0: S 2108417289:2108417289(0) win 512
11:00:28.038420 IP localhost.0 > localhost.2857: R 0:0(0) ack 2108417290 win 0
11:00:33.829503 IP localhost.1842 > localhost.3306: S 103283023:103283023(0) win 512
11:00:33.829592 IP localhost.3306 > localhost.1842: S 1486936409:1486936409(0) ack 103283024 win 32767
11:00:33.829623 IP localhost.1842 > localhost.3306: R 103283024:103283024(0) win 0
5 packets captured
10 packets received by filter
0 packets dropped by kernel
Tcpdump shows the whole exchange from the target's side. The SYN to port 0 is answered with a RST. The SYN to port 3306 is answered with SYN/ACK, and the scanning host immediately sends a RST: hping built the SYN itself, so the scanner's kernel has no socket for this connection and tears it down. The service on 3306 never sees an accepted connection and will log nothing, but every packet is visible to tcpdump, and to any intrusion detection system on the wire. A burst of SYNs from one source to a sequence of ports, each answered with RST/ACK or reset straight after a SYN/ACK, is the signature of a SYN scan; if you see it, someone is probing you.
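The signature described above can be checked for mechanically. The script below is an added example, not from the article: it reads tcpdump output on standard input, in the old flag style shown above ("S", "R", with " ack " marking SYN/ACK and RST/ACK) or the "Flags [S]" style that newer tcpdump versions print, and reports every source that sent bare SYNs to at least a threshold number of distinct destination ports, together with the bare RSTs it sent, which is how a half-open scanner aborts the connections the target completed with SYN/ACK. The hosts, ports and timestamps in the sample capture are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the article): spot a SYN scan in tcpdump output.
# detect_syn_scan THRESHOLD < tcpdump-output
# Prints one ALERT line per source host that sent bare SYNs (no ACK flag) to
# at least THRESHOLD distinct destination ports. Also counts the bare RSTs the
# same host sent: a half-open scanner resets every port that answered SYN/ACK.
detect_syn_scan() {
    awk -v threshold="$1" '
        $2 == "IP" && $4 == ">" {
            # "host.port": the port is whatever follows the last dot
            n = split($3, a, "."); sport = a[n]
            src = substr($3, 1, length($3) - length(sport) - 1)
            dst = $5; sub(/:$/, "", dst)
            n = split(dst, b, "."); dport = b[n]

            # old tcpdump: field 6 is "S" / "R" / ".", SYN/ACK shows as "S ... ack N"
            # new tcpdump: "Flags [S]," / "[S.]," / "[R]," / "[R.],"
            f = $6
            if (f == "Flags") { f = $7; gsub(/[][,]/, "", f) }
            bare = ($0 !~ / ack /)

            if (f == "S" && bare) ports[src, dport] = 1     # probe to a port
            if (f == "R" && bare) resets[src]++             # scanner tearing down
        }
        END {
            for (k in ports) { split(k, parts, SUBSEP); distinct[parts[1]]++ }
            for (s in distinct)
                if (distinct[s] >= threshold + 0)
                    printf "ALERT src=%s distinct_ports=%d half_open_resets=%d\n",
                           s, distinct[s], resets[s] + 0
        }'
}

# Constructed capture: 10.0.0.9 SYN-scans six ports on 10.0.0.5 (22 and 80
# answer SYN/ACK and are reset by the scanner); 10.0.0.7 opens one normal SSH
# session and completes the handshake.
SAMPLE_CAPTURE='11:00:28.038363 IP 10.0.0.9.2857 > 10.0.0.5.21: S 2108417289:2108417289(0) win 512
11:00:28.038420 IP 10.0.0.5.21 > 10.0.0.9.2857: R 0:0(0) ack 2108417290 win 0
11:00:28.048503 IP 10.0.0.9.2858 > 10.0.0.5.22: S 103283023:103283023(0) win 512
11:00:28.048592 IP 10.0.0.5.22 > 10.0.0.9.2858: S 1486936409:1486936409(0) ack 103283024 win 32767
11:00:28.048623 IP 10.0.0.9.2858 > 10.0.0.5.22: R 103283024:103283024(0) win 0
11:00:28.058511 IP 10.0.0.9.2859 > 10.0.0.5.23: S 7000:7000(0) win 512
11:00:28.058560 IP 10.0.0.5.23 > 10.0.0.9.2859: R 0:0(0) ack 7001 win 0
11:00:28.068511 IP 10.0.0.9.2860 > 10.0.0.5.25: S 7100:7100(0) win 512
11:00:28.068560 IP 10.0.0.5.25 > 10.0.0.9.2860: R 0:0(0) ack 7101 win 0
11:00:28.078511 IP 10.0.0.9.2861 > 10.0.0.5.80: S 7200:7200(0) win 512
11:00:28.078560 IP 10.0.0.5.80 > 10.0.0.9.2861: S 9000:9000(0) ack 7201 win 32767
11:00:28.078590 IP 10.0.0.9.2861 > 10.0.0.5.80: R 7201:7201(0) win 0
11:00:28.088511 IP 10.0.0.9.2862 > 10.0.0.5.443: S 7300:7300(0) win 512
11:00:28.088560 IP 10.0.0.5.443 > 10.0.0.9.2862: R 0:0(0) ack 7301 win 0
11:05:02.100000 IP 10.0.0.7.51000 > 10.0.0.5.22: Flags [S], seq 5551, win 65535, length 0
11:05:02.100100 IP 10.0.0.5.22 > 10.0.0.7.51000: Flags [S.], seq 8881, ack 5552, win 32767, length 0
11:05:02.100200 IP 10.0.0.7.51000 > 10.0.0.5.22: Flags [.], ack 1, win 65535, length 0'

# Offline demonstration; on a live host run e.g. "tcpdump -n -l tcp | detect_syn_scan 20".
printf '%s\n' "$SAMPLE_CAPTURE" | detect_syn_scan 5
```

The threshold is the whole tuning knob: a web browser opening one port on many hosts never trips it, while a scanner walking ports on one host does. Run it over a live capture with tcpdump's -l (line-buffered) option so lines reach the pipe as they are captured.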
In conclusion
You now have enough information to give hping a try. If you feel that you need to learn more (and I recommend that you do), hping’s Web site contains a useful documentation section and wiki.
Armed with hping you will be able to test the security of your own network. Make sure that you do it soon: you are not the only one with access to this powerful tool.