hping: installation, parameters and usage, with experiments

Host scanning command: hping
Features: a TCP/IP packet assembly and analysis tool
Official site: http://www.hping.org/

It is mainly maintained on GitHub; project address: https://github.com/antirez/hping

1. Download

[root@localhost ~]# wget https://github.com/antirez/hping/archive/master.zip

The download is master.zip, a ZIP archive; extract it with the unzip command

[root@localhost ~]# ls
anaconda-ks.cfg  a.txt  fping-3.10  fping-3.10.tar.gz  hbk  master.zip  mysql-5.6.33-linux-glibc2.5-x86_64  mysql-5.6.33-linux-glibc2.5-x86_64.tar.gz
[root@localhost ~]# file master.zip 
master.zip: Zip archive data, at least v1.0 to extract
[root@localhost ~]# unzip master.zip 

After extraction the directory is named hping-master

[root@localhost ~]# ll
总用量 307700
-rw-------.  1 root  root       1257 227 23:42 anaconda-ks.cfg
-rw-r--r--.  1 root  root         58 626 14:29 a.txt
drwxrwxr-x.  4 mysql mysql      4096 7月   3 16:08 fping-3.10
-rw-r--r--.  1 root  root     157010 55 2014 fping-3.10.tar.gz
drwxr-xr-x.  7 root  root        186 4月  28 17:19 hbk
drwxr-xr-x.  6 root  root       4096 12月 26 2014 hping-master
-rw-r--r--.  1 root  root     638370 75 11:21 master.zip
drwxr-xr-x. 13 root  root        191 6月  22 09:41 mysql-5.6.33-linux-glibc2.5-x86_64
-rw-r--r--.  1 root  root  314267330 826 2016 mysql-5.6.33-linux-glibc2.5-x86_64.tar.gz

Enter the hping-master directory

[root@localhost ~]# cd hping-master/

2. Compile and install

The build depends on the pcap library before ./configure can be run; if it is not installed, running ./configure and make produces the following error.

[root@localhost hping-master]# make
gcc -c -O2 -Wall    -g  main.c
main.c:29:18: 致命错误:pcap.h:没有那个文件或目录
 #include <pcap.h>
                  ^
编译中断。
make: *** [main.o] 错误 1

So first run the following commands

yum install libpcap-devel
ln -sf /usr/include/pcap-bpf.h /usr/include/net/bpf.h

Then run ./configure, make and make install again.

3. Common parameters

3.1 TCP probe against a specified target port

-p port
-S set the TCP SYN flag

3.2 Spoofing the source IP to simulate a DDoS attack

-a spoof the source IP address

4. Experiments

4.1 TCP probe experiment

Check which ports the current machine is listening on

[root@localhost hping-master]# netstat -ltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN     

We can see that my port 22 is open.
Probe 192.168.254.136 (a machine in my VM setup) with hping

[root@localhost hping-master]# hping -p 22 -S 192.168.254.136
HPING 192.168.254.136 (ens33 192.168.254.136): S set, 40 headers + 0 data bytes
len=46 ip=192.168.254.136 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=29200 rtt=1.6 ms
len=46 ip=192.168.254.136 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=29200 rtt=0.7 ms
len=46 ip=192.168.254.136 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=29200 rtt=0.9 ms
len=46 ip=192.168.254.136 ttl=64 DF id=0 sport=22 flags=SA seq=3 win=29200 rtt=0.8 ms
len=46 ip=192.168.254.136 ttl=64 DF id=0 sport=22 flags=SA seq=4 win=29200 rtt=0.6 ms
len=46 ip=192.168.254.136 ttl=64 DF id=0 sport=22 flags=SA seq=5 win=29200 rtt=0.6 ms

This shows the host is reachable; the ping command, using ICMP packets, also gets through, as shown below:

[root@localhost hping-master]# ping 192.168.254.136
PING 192.168.254.136 (192.168.254.136) 56(84) bytes of data.
64 bytes from 192.168.254.136: icmp_seq=1 ttl=64 time=0.802 ms
64 bytes from 192.168.254.136: icmp_seq=2 ttl=64 time=0.450 ms
64 bytes from 192.168.254.136: icmp_seq=3 ttl=64 time=0.440 ms
64 bytes from 192.168.254.136: icmp_seq=4 ttl=64 time=0.486 ms

Now we have the kernel on the target machine 192.168.254.136 ignore ICMP echo packets by running:

sysctl -w net.ipv4.icmp_echo_ignore_all=1

Running ping 192.168.254.136 again shows it no longer gets through

[root@localhost hping-master]# ping 192.168.254.136
PING 192.168.254.136 (192.168.254.136) 56(84) bytes of data.

The fping command used earlier now also lists it as unreachable

[root@localhost hping-master]# fping -u 192.168.254.136
192.168.254.136

But hping still gets through.

[root@localhost hping-master]# hping -p 22 -S 192.168.254.136
HPING 192.168.254.136 (ens33 192.168.254.136): S set, 40 headers + 0 data bytes
len=46 ip=192.168.254.136 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=29200 rtt=1.7 ms
len=46 ip=192.168.254.136 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=29200 rtt=0.7 ms
len=46 ip=192.168.254.136 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=29200 rtt=0.7 ms
len=46 ip=192.168.254.136 ttl=64 DF id=0 sport=22 flags=SA seq=3 win=29200 rtt=0.7 ms

4.2 Source IP spoofing experiment

On 192.168.254.136, use tcpdump to watch the traffic.
Running tcpdump -np -ens33 gives the error below (ens33 is the interface name, which you can check with ifconfig):

tcpdump: packet printing is not supported for link type NFLOG: use -w

The correct command uses the -i parameter:

tcpdump -np -i ens33

Add a packet filter so that only the TCP packets from the machine 192.168.254.135 are captured

[root@localhost ~]# tcpdump -np -ens33 src host 192.168.254.135

When 192.168.254.135 sends the following request

[root@localhost hping-master]# hping -p 22 -S 192.168.254.136

the packets captured on 192.168.254.136 are as follows:

[root@localhost ~]# tcpdump -np -i ens33 src host 192.168.254.135
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
04:46:25.795724 IP 192.168.254.135.l3-hbmon > 192.168.254.136.ssh: Flags [S], seq 240572762, win 512, length 0
04:46:25.796440 IP 192.168.254.135.l3-hbmon > 192.168.254.136.ssh: Flags [R], seq 240572763, win 0, length 0
04:46:26.795893 IP 192.168.254.135.worldwire > 192.168.254.136.ssh: Flags [S], seq 1834317432, win 512, length 0
04:46:26.796623 IP 192.168.254.135.worldwire > 192.168.254.136.ssh: Flags [R], seq 1834317433, win 0, length 0
04:46:27.796314 IP 192.168.254.135.lanmessenger > 192.168.254.136.ssh: Flags [S], seq 640168899, win 512, length 0
04:46:27.797817 IP 192.168.254.135.lanmessenger > 192.168.254.136.ssh: Flags [R], seq 640168900, win 0, length 0
04:46:28.796881 IP 192.168.254.135.remographlm > 192.168.254.136.ssh: Flags [S], seq 98681779, win 512, length 0
04:46:28.797730 IP 192.168.254.135.remographlm > 192.168.254.136.ssh: Flags [R], seq 98681780, win 0, length 0
04:46:29.797483 IP 192.168.254.135.hydra > 192.168.254.136.ssh: Flags [S], seq 121605374, win 512, length 0
04:46:29.798300 IP 192.168.254.135.hydra > 192.168.254.136.ssh: Flags [R], seq 121605375, win 0, length 0
04:46:33.807403 ARP, Request who-has 192.168.254.136 tell 192.168.254.135, length 46

We can see 192.168.254.135 communicating with 192.168.254.136: each [S] packet is followed by an [R] response.

Next we spoof the source IP; on 192.168.254.135 run the following command:

[root@localhost hping-master]# hping -p 22 -S 192.168.254.136 -a 192.168.254.111

Now, listening for packets from 192.168.254.135 on .136 shows nothing:

[root@localhost ~]# tcpdump -np -i  ens33 src host 192.168.254.135
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes

Only packets from 192.168.254.111 can be seen.

[root@localhost ~]# tcpdump -np -i ens33 src host 192.168.254.111
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 262144 bytes
05:05:33.989607 IP 192.168.254.111.netdb-export > 192.168.254.136.ssh: Flags [S], seq 1923913366, win 512, length 0
05:05:34.989819 IP 192.168.254.111.streetperfect > 192.168.254.136.ssh: Flags [S], seq 1977424286, win 512, length 0
05:05:35.990879 IP 192.168.254.111.intersan > 192.168.254.136.ssh: Flags [S], seq 687293311, win 512, length 0
05:05:36.991426 IP 192.168.254.111.pcia-rxp-b > 192.168.254.136.ssh: Flags [S], seq 1541089718, win 512, length 0
05:05:37.992029 IP 192.168.254.111.passwrd-policy > 192.168.254.136.ssh: Flags [S], seq 1097035667, win 512, length 0
05:05:38.992636 IP 192.168.254.111.writesrv > 192.168.254.136.ssh: Flags [S], seq 1892550241, win 512, length 0
05:05:39.993217 IP 192.168.254.111.digital-notary > 192.168.254.136.ssh: Flags [S], seq 790278757, win 512, length 0
05:05:40.993858 IP 192.168.254.111.ischat > 192.168.254.136.ssh: Flags [S], seq 1344224069, win 512, length 0
05:05:41.994970 IP 192.168.254.111.menandmice-dns > 192.168.254.136.ssh: Flags [S], seq 1185946447, win 512, length 0

192.168.254.136 keeps receiving [S] SYN packets from 192.168.254.111 but never the [R] packet that completed the exchange before, so the three-way handshake is never finished; over time these half-open connections exhaust the resources of 192.168.254.136, which is the common DDoS attack (a SYN flood).
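As an added example that is not part of the original post, the following Python script parses tcpdump lines like the two captures above and separates the normal probe pattern (each [S] followed by an [R] from the same source port) from the spoofed-source pattern (only [S], never a follow-up). The sample lines are copied from the post's captures; the detection thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the two tcpdump captures in the post
# (real source 192.168.254.135 and spoofed source 192.168.254.111), plus one
# ARP line to show that non-TCP records are skipped.
SAMPLE_CAPTURE = """\
04:46:25.795724 IP 192.168.254.135.l3-hbmon > 192.168.254.136.ssh: Flags [S], seq 240572762, win 512, length 0
04:46:25.796440 IP 192.168.254.135.l3-hbmon > 192.168.254.136.ssh: Flags [R], seq 240572763, win 0, length 0
04:46:26.795893 IP 192.168.254.135.worldwire > 192.168.254.136.ssh: Flags [S], seq 1834317432, win 512, length 0
04:46:26.796623 IP 192.168.254.135.worldwire > 192.168.254.136.ssh: Flags [R], seq 1834317433, win 0, length 0
04:46:33.807403 ARP, Request who-has 192.168.254.136 tell 192.168.254.135, length 46
05:05:33.989607 IP 192.168.254.111.netdb-export > 192.168.254.136.ssh: Flags [S], seq 1923913366, win 512, length 0
05:05:34.989819 IP 192.168.254.111.streetperfect > 192.168.254.136.ssh: Flags [S], seq 1977424286, win 512, length 0
05:05:35.990879 IP 192.168.254.111.intersan > 192.168.254.136.ssh: Flags [S], seq 687293311, win 512, length 0
"""

# tcpdump prints "src.port > dst.port: Flags [X]"; the post's capture shows
# service names for ports, so accept either names or numbers.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>[\w-]+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>[\w-]+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_tcp_lines(text):
    """Yield (src, sport, dst, dport, flags) for each TCP line; skip ARP etc."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["src"], m["sport"], m["dst"], m["dport"], m["flags"]

def syn_stats(text):
    """Per source IP: SYNs sent, and how many of those flows never saw any
    follow-up packet from the same source port (left half-open)."""
    flows = defaultdict(set)  # (src, sport, dst, dport) -> flag strings seen
    for src, sport, dst, dport, flags in parse_tcp_lines(text):
        flows[(src, sport, dst, dport)].add(flags)
    stats = defaultdict(lambda: {"syn": 0, "half_open": 0})
    for (src, *_), seen in flows.items():
        if "S" in seen:
            stats[src]["syn"] += 1
            if seen == {"S"}:
                stats[src]["half_open"] += 1
    return dict(stats)

def suspicious_sources(text, min_syn=3, ratio=0.8):
    """Assumed thresholds: flag sources whose SYNs are mostly left half-open."""
    return sorted(src for src, s in syn_stats(text).items()
                  if s["syn"] >= min_syn and s["half_open"] / s["syn"] >= ratio)
```

Run it over a longer capture (tcpdump -n ... > capture.txt) to get per-source counts; a spoofed address shows up with half_open equal to syn.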


Reposted from blog.csdn.net/huangbaokang/article/details/80926340