Added hping3 to documents

2026-04-05 23:26:22 +03:30
parent bd21f7c0df
commit 2182412ade
2 changed files with 500 additions and 0 deletions
--- a/Networking/hping3/01-Information.md
+++ b/Networking/hping3/01-Information.md
@@ -0,0 +1,248 @@
 # 01. Information – What is `hping3`?
 ## Overview
 `hping3` is a powerful network tool used primarily for:
 - Crafting and sending custom TCP/IP packets  
 - Testing firewalls and intrusion detection systems (IDS/IPS)  
 - Network scanning, mapping, and discovery  
 - Performance and connectivity testing (latency, MTU, path issues)
 From a DevOps/SRE perspective, `hping3` is like a “Swiss Army knife” for low‑level network troubleshooting and security‑oriented testing. It allows you to send packets with very precise control over headers and flags, which goes far beyond what tools like `ping` or `traceroute` can do.
 > Note: `hping3` should be used only on networks and systems you are authorized to test. It can easily be mistaken for malicious traffic.
 ---
 ## Key Capabilities
 ### 1. Custom Packet Crafting
 `hping3` lets you build packets with specific parameters:
 - **IP layer**:
  - Source/destination IP
  - TTL, fragmentation, IP ID
 - **TCP layer**:
  - Source/destination port
  - Flags (SYN, ACK, FIN, RST, PSH, URG)
  - Sequence/ack numbers
 - **UDP & ICMP**:
  - Custom payloads
  - Port selection (UDP)
  - ICMP type and code
 This is useful for:
 - Reproducing odd traffic patterns seen in logs  
 - Simulating client behavior at the packet level  
 - Testing how devices and middleboxes handle specific combinations of flags
 ---
 ### 2. Stateful Firewall & IDS Testing
 Because `hping3` can manipulate flags and headers, it is commonly used to test:
 - Firewall rules (ingress/egress)  
 - NAT behavior  
 - IDS/IPS detection and blocking
 Examples of what you can validate:
 - Whether SYN packets to certain ports are correctly blocked or allowed  
 - How a firewall responds to fragmented packets  
 - Whether “stealth” scans are detected by security tooling
 ---
 ### 3. Port Scanning and Host Discovery
 `hping3` can act as a flexible port scanner:
 - TCP SYN scans on specific ports or ranges  
 - FIN/XMAS/NULL scans to observe firewall behavior  
 - Host discovery based on custom probes (TCP/UDP/ICMP)
 While tools like `nmap` are more convenient for general scanning, `hping3` is useful when you need precise control over how probes are sent or you want to emulate specific traffic patterns.
 ---
 ### 4. Network Performance & Path Testing
 `hping3` can be used to measure:
 - Round-trip time (RTT) for various protocols and ports  
 - Packet loss and jitter under different conditions  
 - MTU/path issues with fragmentation control
 Typical use cases:
 - Measuring latency to a specific TCP port (e.g., 443) instead of relying on ICMP `ping`  
 - Determining whether ICMP is blocked and testing alternative paths with TCP/UDP  
 - Debugging connectivity problems through stateful devices that treat ICMP differently from TCP
 ---
 ### 5. Traceroute-like Functionality
 `hping3` can perform traceroute‑style path discovery, but using TCP or UDP instead of ICMP:
 - Helps when ICMP is filtered or rate-limited  
 - Shows how TCP packets to specific ports traverse the network
 This is useful when:
 - ICMP-based `traceroute` doesn’t give meaningful results  
 - You need path information for application ports (e.g., 80, 443, 5432)
 ---
 ## Why DevOps/SRE Engineers Care
 In modern environments (cloud, containers, microservices), networking problems often involve:
 - Security groups, NACLs, firewalls  
 - Load balancers and proxies  
 - Overlay networks (e.g., Kubernetes CNI)  
 - Complex routing or NAT
 `hping3` helps you:
 - Validate security rules (e.g., between Kubernetes nodes, across VPCs/VNETs)  
 - Troubleshoot weird connectivity issues that don’t show up with `ping`  
 - Investigate asymmetrical routing or stateful filtering  
 - Reproduce network conditions reported by applications or logs
 It is especially valuable when standard utilities (`ping`, `curl`, `telnet`, `nc`) aren’t enough to reveal how packets are handled in transit.
 ---
 ## TCP Flags & Special Packets (FIN, URG, RST, XMAS) and Flooding
 `hping3` gives you direct control over TCP flags. Understanding these is crucial for using it correctly and interpreting responses.
 ### FIN (Finish) flag / FIN packet
 - **What it is**:  
  The FIN flag indicates that the sender has finished sending data and wants to gracefully close the TCP connection.
 - **Normal use**:  
  Used at the end of a TCP session as part of the connection teardown (FIN/ACK, ACK).
 - **In scanning/testing**:  
  - A **FIN scan** sends packets with only the FIN flag set to a port.  
  - On a **closed port**, the target should respond with `RST`.  
  - On an **open port**, many TCP/IP stacks ignore the packet (no response).  
  This behavior is used to infer whether ports are open/filtered without sending SYN packets that might be logged more aggressively.
 ### URG (Urgent) flag / URG packet
 - **What it is**:  
  URG marks that some of the data in the TCP segment is “urgent” and should be prioritized by the receiving host.
 - **Normal use**:  
  Rarely used in modern applications. Historically used for things like interrupt signals.
 - **In scanning/testing**:  
  Setting the URG flag along with other flags can:
  - Stress or test how TCP stacks handle unusual or rarely seen combinations  
  - Help detect middleboxes that mishandle or log such packets  
  Tools like `hping3` can create URG packets to see how targets or firewalls react.
 ### RST (Reset) flag / RST packet
 - **What it is**:  
  The RST flag instructs the receiver to immediately terminate the TCP connection.
 - **Normal use**:  
  - Sent when a packet arrives for a port where no service is listening.  
  - Used to abort a connection abruptly (e.g., when a process crashes or refuses a connection).
 - **In scanning/testing**:  
  - When you send a SYN to a **closed** port, a typical response is a `RST` packet.  
  - Tools use the presence or absence of RST to determine whether a port is open or closed.  
  - You can also send RST packets to tear down existing connections (for testing, in controlled environments).
 ### XMAS packet
 - **What it is**:  
  A “XMAS” (Christmas tree) packet is a TCP packet with multiple flags set at once, commonly: **FIN, PSH, URG**.
 - **Why the name**:  
  It’s called a “Christmas tree” packet because many flags are “lit up” at the same time, like lights on a tree.
 - **In scanning/testing**:
  - Used for **XMAS scans**.  
  - Similar to FIN scans:
    - On **closed** ports, the host often responds with `RST`.  
    - On **open** ports, many stacks send no reply.  
  - Some older or non-standard TCP/IP stacks respond differently, leaking information about OS type or configuration.
 - **Firewall/IDS behavior**:  
  XMAS packets are unusual and often treated as suspicious, so many devices log or drop them, which can be useful for testing detection.
 ---
 ## What is a Flood?
 In the context of `hping3` and network testing, a **flood** means sending a very high rate of packets to a target, typically as fast as possible.
 - **Purpose in legitimate testing**:
  - Stress-test network devices (firewalls, load balancers, routers).  
  - Identify bottlenecks or performance limits in network paths.  
  - Observe how systems behave under heavy packet load (Do they drop packets? Do they rate-limit?).
 - **Types of floods (conceptually)**:
  - **SYN flood**: flood of TCP SYN packets to a port.  
  - **ICMP flood**: flood of ICMP echo requests.  
  - **UDP flood**: flood of UDP packets.
 - **Use in `hping3`**:
  - `hping3` can send packets in “flood mode” (no delays between packets).  
  - This is powerful and potentially disruptive: packet floods can consume bandwidth and CPU, degrade service, or trigger protective mechanisms.
 - **Operational considerations**:
  - Only perform flood tests on infrastructure you control and where such testing is explicitly allowed.  
  - Coordinate with network and security teams.  
  - Monitor carefully (CPU, memory, bandwidth, and logs) during tests to avoid unintended outages.
 ---
 ## Typical Usage Contexts
 - **On-prem / data center**:  
  Test firewalls, routers, and IDS, validate segmentation between environments (e.g., prod vs. non‑prod).
 - **Cloud environments (AWS/Azure/GCP/etc.)**:  
  - Verify security group/NACL behavior at the packet level.  
  - Test connectivity between VPCs/VNETs, on‑prem VPNs, and cloud workloads.
 - **Kubernetes & containerized apps**:  
  - Validate node-to-node or pod-to-pod connectivity.  
  - Test ingress/egress rules in CNIs and service meshes.  
  - Debug why a service is reachable via one path but not another.
 ---
 ## Limitations & Considerations
 - Requires appropriate privileges (often root) to craft raw packets.  
 - Can generate traffic patterns similar to port scans or attacks, so:
  - Always get proper authorization.  
  - Coordinate with security teams to avoid false alarms.
 - Not designed as a full replacement for higher-level tools (e.g., `nmap`, `iperf`, `traceroute`), but as a complementary low-level tool.
 - Behavior may differ slightly across OSes and network stacks.
 ---
 ## Installation (High-Level)
 Availability varies by distribution, but generally:
 - **Debian/Ubuntu**: via `apt` (package usually named `hping3`)  
 - **RHEL/CentOS/Fedora**: via `yum`/`dnf` or EPEL  
 - **macOS**: via Homebrew (if available) or compile from source  
 - **Others**: typically built from source from the official repository
 (Installation instructions can be detailed in a separate document.)
 ---
 ## Summary
 `hping3` is a low-level TCP/IP packet crafting and analysis tool used by DevOps/SRE and security engineers to:
 - Test and validate firewall and network security policies  
 - Perform targeted port scans (including FIN/XMAS-style scans) and host discovery  
 - Troubleshoot complex connectivity and performance issues  
 - Generate controlled floods for stress tests (in authorized environments)
--- a/Networking/hping3/02-Commands.md
+++ b/Networking/hping3/02-Commands.md
@@ -0,0 +1,252 @@
 # 02. Commands – Practical `hping3` Usage
 This document explains common `hping3` commands and what they do at a packet/protocol level.  
 Replace `<target>` with an IP or hostname, and `<port>` with a TCP/UDP port number.
 > Use these commands only on systems and networks you are authorized to test.
 ---
 ## 1. ICMP “Normal Ping”
 ```bash
 hping3 -1 <target>
 ```
 - `-1`: Use **ICMP mode** (type 8 echo request), similar to the standard `ping` command.
 - Behavior:
  - Sends ICMP echo request packets to `<target>`.
  - Measures round-trip time (RTT) and indicates packet loss.
 - Use case:
  - Basic connectivity check when you want to use `hping3` instead of `ping`.
  - Helpful if you want later to switch to more advanced testing without changing tools.
 ---
 ## 2. Send TCP ACK Packets
 ```bash
 hping3 -A <target>
 ```
 - `-A`: Set the **ACK** flag in TCP packets.
 - Behavior:
  - Sends TCP packets with the ACK flag set to the default port (0 unless `-p` is specified).
 - Use case:
  - Test firewall rules related to **established** connections (many firewalls allow ACK packets but block SYN).
  - Map which hosts respond to unsolicited ACK packets and how (RST/no response).
 To target a specific port (for example, 80):
 ```bash
 hping3 -A <target> -p 80
 ```
 ---
 ## 3. Send TCP SYN Packets
 ```bash
 hping3 -S <target>
 ```
 - `-S`: Set the **SYN** flag in TCP packets.
 - Behavior:
  - Sends SYN packets to the default port (0 unless `-p` is specified).
 - Use case:
  - Test how the target responds to connection attempts.
  - When combined with `-p`, this becomes a basic SYN scan for that port.
 With a specific port:
 ```bash
 hping3 -S <target> -p <port>
 ```
 ---
 ## 4. Send TCP FIN Packets
 ```bash
 hping3 -F <target>
 ```
 - `-F`: Set the **FIN** flag in TCP packets.
 - Behavior:
  - Sends packets that look like “finish” requests for a connection.
 - Use case:
  - Perform **FIN scans** (when combined with `-p`) to check firewall behavior:
 - Closed ports typically respond with `RST`.
 - Open ports often send no response.
  - Useful for testing how devices treat non-SYN traffic.
 Example with a port:
 ```bash
 hping3 -F <target> -p 80
 ```
 ---
 ## 5. Send TCP RST (Reset) Packets
 ```bash
 hping3 -R <target>
 ```
 - `-R`: Set the **RST** flag in TCP packets.
 - Behavior:
  - Sends packets that instruct the receiver to immediately terminate a connection.
 - Use case:
  - Observe how the target or firewall handles unexpected RST packets.
  - In controlled tests, can be used to tear down test connections.
 With a specific port:
 ```bash
 hping3 -R <target> -p 80
 ```
 ---
 ## 6. Send TCP URG (Urgent) Packets
 ```bash
 hping3 -U <target>
 ```
 - `-U`: Set the **URG** flag in TCP packets.
 - Behavior:
  - Marks data as “urgent” (though most modern applications rarely use it).
 - Use case:
  - Test how TCP stacks and firewalls handle **uncommon flags**.
  - Validate logging/alerting for rare or suspicious traffic patterns.
 Example with a port:
 ```bash
 hping3 -U <target> -p 80
 ```
 ---
 ## 7. Send XMAS Packets
 ```bash
 hping3 -X <target>
 ```
 - `-X`: Send **XMAS** packets (commonly FIN + PSH + URG flags set).
 - Behavior:
  - Creates “Christmas tree” packets with multiple flags lit.
 - Use case:
  - **XMAS scans**:
 - Closed ports usually respond with `RST`.
 - Open ports often do not respond.
  - Test firewall/IDS handling of obviously suspicious packets.
 Example with a port:
 ```bash
 hping3 -X <target> -p 80
 ```
 ---
 ## 8. Send SYN Packet to a Destination Port
 ```bash
 hping3 -S <target> -p <port>
 ```
 - `-S`: SYN flag.
 - `-p <port>`: Destination port.
 - Behavior:
  - Sends a TCP SYN packet to the specified `<port>` on `<target>`.
 - Use case:
  - Simple port check:
 - Open port: typically responds with SYN/ACK.
 - Closed port: typically responds with RST.
  - Validate firewall rules for a specific service port.
 ---
 ## 9. Send SYN Packets with Random Source Address
 ```bash
 hping3 -S <target> --rand-source
 ```
 - `-S`: SYN flag.
 - `--rand-source`: Randomize the **source IP address** for each packet.
 - Behavior:
  - Target sees SYN packets as if they are coming from many different IPs.
 - Use case (legitimate, controlled testing):
  - Test how firewalls, load balancers, or DDoS protection handle **spoofed** or distributed-looking traffic.
  - Validate rate-limiting or connection limiting across “different” clients.
 Note: Because of IP spoofing, responses will not come back to you; this is for observing target-side behavior/logs.
 ---
 ## 10. SYN Flood with Random Source
 ```bash
 hping3 -S <target> --rand-source --flood
 ```
 - `-S`: SYN flag.
 - `--rand-source`: Randomize source IP per packet.
 - `--flood`: Send packets as fast as possible, no output per packet.
 - Behavior:
  - High-rate SYN traffic with spoofed source IPs.
 - Use case:
  - **Stress testing** and **capacity testing** of firewalls/load balancers/IPS in a lab or authorized environment.
 - Warning:
  - This can severely impact services and look like a SYN flood attack.
  - Use only with explicit permission and monitoring in place.
 ---
 ## 11. ICMP Flood with Spoofed Source Address
 ```bash
 hping3 -1 <target> -a <src-address> --flood
 ```
 > Note: Your original example used `-i`, but for ICMP mode it should be `-1`.
 - `-1`: ICMP mode (echo requests).
 - `-a <src-address>`: Spoof **source IP** as `<src-address>`.
 - `--flood`: Send packets as fast as possible.
 - Behavior:
  - Sends a high-rate ICMP echo request flood to `<target>` with a fake source IP.
 - Use case:
  - Test how devices handle **ICMP flood** conditions and spoofed traffic (in a controlled environment).
 - Warning:
  - Can consume bandwidth and trigger DDoS protections or rate limits.
  - Only for authorized stress testing.
 If you really meant `-i` (interval), that changes send rate instead of protocol:
 ```bash
 hping3 -1 <target> -a <src-address> --flood
 # or with custom interval (e.g., 10 ms):
 hping3 -1 <target> -a <src-address> -i u10000
 ```
 ---
 ## 12. Check If Port 22 (SSH) Is Open
 ```bash
 hping3 -S <target> -p 22 -c 1
 ```
 - `-S`: SYN flag (start of TCP handshake).
 - `-p 22`: Destination port 22 (typically SSH).
 - `-c 1`: Send only **one** packet.
 - Behavior:
  - Sends a single SYN to port 22 on `<target>`.
 - How to interpret:
  - If you see a **SYN/ACK** response, port 22 is likely open and reachable.
  - If you see a **RST**, port 22 is closed or actively refused.
  - If there is **no response**, the port may be filtered by a firewall or silently dropped.
 ---
 ## Summary
 - `-1`: ICMP mode (ping-like).
 - `-S`, `-A`, `-F`, `-R`, `-U`, `-X`: Control which TCP flags are set (SYN, ACK, FIN, RST, URG, XMAS).
 - `-p <port>`: Target a specific port.
 - `--rand-source`: Spoof/randomize source IPs.
 - `-a <src-address>`: Spoof a specific source IP.
 - `--flood`: Send packets as fast as possible (for stress testing).
 - `-c <count>`: Limit number of packets sent.