hping commands for scanning methods
ICMP ping
hping3 -1 10.0.0.25
ACK scan on port 80
hping3 -A 10.0.0.25 -p 80
UDP scan on port 80
hping3 -2 10.0.0.25 -p 80
By using the argument -2 (or --udp) in the command line, you put Hping in UDP mode. By issuing the above command, Hping sends UDP packets to port 80 on the host (10.0.0.25). The host returns an ICMP port unreachable message if the port is closed, and nothing if the port is open. A firewall that silently drops the probe produces the same silence, so "no answer" means open or filtered, not simply open.
Collecting Initial Sequence Number
hping3 192.168.1.103 -Q -p 139 -s <base source port>
Firewalls and Time Stamps
hping3 -S 72.14.207.99 -p 80 --tcp-timestamp
Some firewalls drop TCP packets that do not carry the TCP timestamp option. Adding --tcp-timestamp to the command line enables the TCP timestamp option in Hping; by comparing the timestamp values in successive replies, Hping tries to guess the timestamp update frequency (HZ) and the uptime of the target host (72.14.207.99).
SYN scan on port 50-60
hping3 -8 50-60 -S 10.0.0.25 -V
By using the argument -8 (or --scan) in the command, you put Hping in scan mode, which probes a range of ports on the target host. Adding -S sets the SYN flag, so the above command performs a SYN scan on ports 50-60 of 10.0.0.25; -V (verbose) makes Hping print every reply instead of only the summary table. A port that answers SYN/ACK is open, one that answers RST is closed, and one that stays silent is filtered (or the probe was lost).
FIN, PUSH and URG scan on port 80
hping3 -F -P -U 10.0.0.25 -p 80
By adding the arguments -F, -P, and -U to the command, you set the FIN, PSH, and URG flags in the probe packets. By issuing this command, you perform a FIN/PSH/URG (Xmas-style) scan on port 80 of the target host (10.0.0.25). If port 80 is open on the target, you receive no response; if the port is closed, the target returns an RST. Two caveats: a firewall that drops the probe also produces no response, so silence means open or filtered, and Windows stacks reply with an RST whether the port is open or closed, so this scan does not distinguish port states on Windows targets.
Scan entire subnet for live host
hping3 -1 10.0.1.x --rand-dest -I eth0
By issuing this command, Hping performs an ICMP ping sweep of the subnet 10.0.1.x: with --rand-dest, each x in the target is replaced by a random value, so Hping keeps sending ICMP echo requests to random addresses in 10.0.1.0 - 10.0.1.255 out of the interface eth0 until you stop it or the -c count is reached. -I is required here because Hping cannot guess the outgoing interface for a random destination. Hosts that are up and not filtering ICMP answer with an ICMP echo reply. ICMP has no port numbers, so -p is not used in this mode.
Intercept all traffic containing HTTP signature
hping3 -9 HTTP -I eth0
The argument -9 (or --listen) puts Hping in listen mode: it watches the interface eth0 for packets whose payload contains the signature HTTP and dumps everything from the end of the signature to the end of the packet.
SYN flooding a victim
hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood
This sends SYN packets to port 22 of 192.168.1.1 with the source address spoofed to 192.168.1.254 (-a). --flood sends packets as fast as possible without waiting for or displaying replies, so the victim's SYN/ACKs go to the spoofed address rather than to you.
Set the number of packets to send
hping3 -c 3 10.10.10.10
-c (--count) stops Hping after 3 packets and prints the usual statistics summary.
Use random source address
--rand-source
Each packet is sent from a random source address; replies go to those addresses, so you will not see them in Hping's output.
Set data size
--data <size>
Sets the packet payload size in bytes (the default is 0, which is why Hping reports "0 data bytes").
Spoof source address
hping3 -S <IP address attacked> -a <spoofed IP address>
or
hping3 -S <IP address attacked> --spoof <spoofed IP address>
Examples
hping3 <Target IP> -Q -p 139 -s <base source port>
By using the argument -Q (--seqnum) in the command line, Hping prints the TCP sequence numbers generated by the target host together with the difference between consecutive values, so that you can judge how predictable its initial sequence numbers are. -s (--baseport) takes the base source port as its argument; Hping increases it for every packet it sends and uses it to match replies to probes.
hping3 -A <Target IP> -p 80
By issuing this command, Hping checks whether a host is alive and whether port 80 is filtered. A live host whose port is not filtered answers an ACK probe with an RST whether the port is open or closed; no RST at all suggests the host is down or a firewall is dropping the probes. An RST therefore means "host up, port unfiltered", not "port open".
hping3 -S <Target IP> -p 80 --tcp-timestamp
By adding the --tcp-timestamp argument in the command line, Hping enables the TCP timestamp option and tries to guess the timestamp update frequency and the uptime of the target host.
hping3 -F -P -U 10.0.0.25 -p 80
By issuing this command, an attacker performs a FIN/PSH/URG scan on port 80 of the target host.
Perform UDP packet crafting
hping3 10.10.10.10 --udp --rand-source --data 500
This sends UDP packets to 10.10.10.10 from random source addresses (--rand-source), each carrying a 500-byte payload (--data 500); no port is given, so the destination port is 0 by default.
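As an added example (not code from the original page or from the hping3 project), the following POSIX shell script turns the reply rules given above for the UDP, SYN, ACK, FIN/PSH/URG and ICMP ping probes into a small classifier that reads hping3's output. The probe names (syn, ack, fpu, udp, ping), the function names and the sample hping3 runs embedded in it are this example's own constructions; the reply lines follow hping3's normal output format. It makes explicit the caveat the text tends to gloss over: silence from a FIN/PSH/URG or UDP probe means open or filtered, not open.

```shell
#!/bin/sh
# Added example, not code from the original page or from the hping3 project.
# Classifies hping3 reply lines with the rules described above:
#   syn  : SYN/ACK -> open, RST -> closed, nothing -> filtered
#   ack  : RST -> unfiltered (host up, port not filtered; open vs closed unknown),
#          nothing -> filtered
#   fpu  : FIN/PSH/URG probe: RST -> closed, nothing -> open-or-filtered
#   udp  : ICMP port unreachable -> closed, nothing -> open-or-filtered
#   ping : ICMP echo reply -> alive, nothing -> no-answer
# Reply lines use hping3's normal output format, e.g.
#   len=46 ip=10.0.0.25 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms
#   ICMP Port Unreachable from ip=10.0.0.25 name=UNKNOWN
# The sample runs embedded below are constructed for this example, not captures.

# classify_reply PROBE REPLY   (REPLY is the empty string when nothing came back)
classify_reply() {
    probe=$1
    reply=$2

    if [ -z "$reply" ]; then
        case $probe in
            syn|ack) echo filtered ;;
            fpu|udp) echo open-or-filtered ;;   # silence: open, or a filter dropped the probe
            ping)    echo no-answer ;;
            *)       echo unknown ;;
        esac
        return
    fi

    if [ "$probe" = udp ]; then
        case $reply in
            "ICMP Port Unreachable"*) echo closed ;;
            ICMP*)                    echo filtered ;;   # other ICMP errors (e.g. admin prohibited)
            len=*)                    echo open ;;       # a real UDP answer came back
            *)                        echo unknown ;;
        esac
        return
    fi

    if [ "$probe" = ping ]; then
        case $reply in
            *icmp_seq=*) echo alive ;;
            *)           echo unknown ;;
        esac
        return
    fi

    # TCP probes. An ICMP error instead of a TCP reply means a filter answered.
    case $reply in ICMP*) echo filtered; return ;; esac

    # Flag letters exactly as hping3 prints them (R, S, A, F, P, U).
    flags=$(printf '%s\n' "$reply" | sed -n 's/.*flags=\([A-Z]*\).*/\1/p')
    case $probe in
        syn)
            case $flags in
                *R*)   echo closed ;;       # RST (hping3 shows flags=RA)
                *S*A*) echo open ;;         # SYN/ACK
                *)     echo unknown ;;
            esac ;;
        ack)
            case $flags in
                *R*) echo unfiltered ;;     # open and closed ports alike answer an ACK with RST
                *)   echo unknown ;;
            esac ;;
        fpu)
            case $flags in
                *R*) echo closed ;;         # RST; Windows stacks send it for open ports too
                *)   echo unknown ;;
            esac ;;
        *) echo unknown ;;
    esac
}

# summarize_run PROBE OUTPUT: given everything one "hping3 -c 1 ..." run printed
# (banner, reply lines, statistics trailer), classify its first reply line.
summarize_run() {
    first=$(printf '%s\n' "$2" | awk '/^len=|^ICMP /{print; exit}')
    classify_reply "$1" "$first"
}

# Constructed sample: full output of a UDP probe (-2 / --udp) against a closed port.
UDP_CLOSED_RUN='HPING 10.0.0.25 (eth0 10.0.0.25): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=10.0.0.25 name=UNKNOWN

--- 10.0.0.25 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss'

# Constructed sample: full output of a SYN probe that got no answer at all.
SYN_SILENT_RUN='HPING 10.0.0.25 (eth0 10.0.0.25): S set, 40 headers + 0 data bytes

--- 10.0.0.25 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss'

# Usage with a live run (raw sockets need root), e.g.:
#   summarize_run syn "$(hping3 -S -c 1 -p 80 10.0.0.25 2>&1)"
if [ "${1:-}" = demo ]; then
    summarize_run udp "$UDP_CLOSED_RUN"   # closed
    summarize_run syn "$SYN_SILENT_RUN"   # filtered
fi
```

Feed it one probe type and the captured output of a single hping3 run; the script deliberately refuses to call silence "open" for the FIN/PSH/URG and UDP cases, which is the distinction that matters when a firewall sits in front of the target.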
hping3: you must specify only one target host at a time”.
Hi Nicholas,
I guess you are getting this error message. If you want to apply the same command to different targets, you can create a script. Check this link for more info:
https://www.linuxquestions.org/questions/linux-newbie-8/hping3-is-it-possible-to-get-time-stapms-of-multiple-hosts-at-a-time-4175555521/
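As an added example (not part of the original page, the comment above or hping3's own code), the following POSIX shell wrapper does what the reply suggests: it runs the same --tcp-timestamp probe against each host in a list, one hping3 invocation per host, keeps each host's raw output in its own file, and extracts the uptime estimate line that hping3 prints. The HPING variable, the probe_hosts function and the output-file layout are this example's conventions, not hping3 features.

```shell
#!/bin/sh
# Added example, not code from the original page or from the hping3 project.
# hping3 accepts exactly one target per run, so this wrapper loops over a host list,
# runs the same --tcp-timestamp probe against each, stores every host's raw output
# in OUTDIR/<host>.txt and prints the uptime estimate hping3 reports
# ("System uptime seems: N days, N hours, ..."). HPING is this example's own knob
# so the loop can be exercised with a stand-in command instead of the real binary.

HPING=${HPING:-hping3}

# probe_hosts OUTDIR PORT HOST...
# Prints "HOST<TAB>uptime" for each host where an estimate was found.
# Returns 0 if at least one host yielded an estimate, 1 otherwise.
probe_hosts() {
    outdir=$1
    port=$2
    shift 2
    mkdir -p "$outdir"
    found=0
    for host in "$@"; do
        # One host per invocation; 2>&1 keeps everything hping3 prints in one file.
        # -c 2 sends two probes because the HZ/uptime guess needs more than one
        # timestamped reply to compare. hping3's exit status is ignored so an
        # unresponsive host does not stop the loop.
        "$HPING" -S -p "$port" --tcp-timestamp -c 2 "$host" > "$outdir/$host.txt" 2>&1 || true
        uptime=$(sed -n 's/^ *System uptime seems: //p' "$outdir/$host.txt" | head -n 1)
        if [ -n "$uptime" ]; then
            printf '%s\t%s\n' "$host" "$uptime"
            found=$((found + 1))
        fi
    done
    [ "$found" -gt 0 ]
}

# Usage (raw sockets need root):
#   probe_hosts ./hping-out 80 192.168.1.10 192.168.1.11 192.168.1.12
```

The raw per-host files are kept on purpose: the uptime line is only the headline, and the tcpts values in the replies are what you go back to when an estimate looks wrong.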
How to send ECE flags in the hping3 tool?
I cannot find any mention of the ECE flag when typing hping3 -h. My guess is that hping3 does not support ECN, and does not implement RFC 3168, where it is defined. It seems that ECN has not been broadly adopted in general.