hping commands for scanning methods
hping3 -1 10.0.0.25
ACK scan on port 80
hping3 –A 10.0.0.25 –p 80
UDP scan on port 80
hping3 -2 10.0.0.25 –p 80
-2arguments in the command line. By issuing the above command, Hping sends UDP packets to port 80 on the host (10.0.0.25). It returns an ICMP port unreachable message if it finds the port closed, and does not respond with a message if the port is open.
Collecting Initial Sequence Number
hping3 192.168.1.103 -Q -p 139 –s
Firewalls and Time Stamps
hping3 -S 220.127.116.11 -p 80 --tcp-timestamp
Many firewalls drop those TCP packets that do not have TCP Timestamp option set. By adding the –tcp-timestamp argument in the command line, you can enable TCP timestamp option in Hping and try to guess the timestamp update frequency and uptime of the target host (18.104.22.168).
SYN scan on port 50-60
hping3 -8 50-60 –S 10.0.0.25 –V
By using the argument
--scan in the command, you are operating Hping in scan mode in order to scan a range of ports on the target host. Adding the argument -S allows you to perform a SYN scan. Therefore, the above command performs a SYN scan on ports 50-60 on the target host.
FIN, PUSH and URG scan on port 80
hping3 –F –P –U 10.0.0.25 –p 80
By adding the arguments –F, -P, and –U in the command, you are setting FIN, PUSH, and URG packets in the probe packets. By issuing this command, you are performing FIN, PUSH, and URG scans on port 80 on the target host (10.0.0.25). If port 80 is open on the target, you will not receive a response. If the port is closed, Hping will return an RST response.
Scan entire subnet for live host
hping3 -1 10.0.1.x --rand-dest –I eth0
By issuing this command, Hping performs an ICMP ping scan on the entire subnet 10.0.1.x; in other words, it sends ICMP-echo request randomly (
--rand-dest) to all the hosts from 10.0.1.0 – 10.0.1.255 that are connected to the interface eth0. The hosts whose ports are open will respond with an ICMP-reply. In this case, you have not set a port, so Hping sends packets to port 0 on all IP addresses by default.
Intercept all traffic containing HTTP signature
hping3 -9 HTTP –I eth0
SYN flooding a victim
hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
Determine number of pings
hping3 -c 3 10.10.10.10
Use random source address
Set data size
Set data packet size in bytes
Spoof source address
hping3 -S <IP address attacked> -a <spoofed IP address>
hping3 -S <IP address attacked> --spoof <spoofed IP address>
hping3 <Target IP> -Q -p 139 -s
By using the argument -Q in the command line, Hping collects all the TCP sequence numbers generated by the target host.
hping3 –A <Target IP> –p 80
By issuing this command, Hping checks if a host is alive on a network. If it finds a live host and an open port, it returns an RST response.
hping3 -S <Target IP> -p 80 --tcp-timestamp
By adding the –tcp-timestamp argument in the command line, Hping enable TCP timestamp option and try to guess the timestamp update frequency and uptime of the target host.
hping3 –F –P –U 10.0.0.25 –p 80
By issuing this command, an attacker can perform FIN, PUSH, and URG scans on port 80 on the target host.
hping3 10.10.10.10 --udp --rand-source --data 500
Perform UDP packet crafting
You might be also interested in…
- “hping3 Linux man page“
- EC-Council; “CEH v10. Module 3. Scanning”
hping3: you must specify only one target host at a time”.
I guess you are getting this error message. If you want to apply the same command to different targets, you can create a script. Check this link for more info:
How to send ECE flags in the hping3 tool?
I cannot find any mention to ECE flag when typing
hping3 -h. My guess is that hping3 is not supporting ECN, and it is not implementing extension RFC 3168 where it is defined. It seems that ECN has not been broadly adopted in general.