# 02. Commands – Practical `hping3` Usage

This document explains common `hping3` commands and what they do at a packet/protocol level.

Replace `<target>` with an IP or hostname, and `<port>` with a TCP/UDP port number.

> Use these commands only on systems and networks you are authorized to test.

---

## 1. ICMP “Normal Ping”

```bash
hping3 -1 <target>
```

- `-1`: Use **ICMP mode** (type 8 echo request), similar to the standard `ping` command.
- Behavior:
  - Sends ICMP echo request packets to `<target>`.
  - Measures round-trip time (RTT) and indicates packet loss.
- Use case:
  - Basic connectivity check when you want to use `hping3` instead of `ping`.
  - Helpful if you later want to switch to more advanced testing without changing tools.

---

## 2. Send TCP ACK Packets

```bash
hping3 -A <target>
```

- `-A`: Set the **ACK** flag in TCP packets.
- Behavior:
  - Sends TCP packets with the ACK flag set to the default port (0 unless `-p` is specified).
- Use case:
  - Test firewall rules related to **established** connections (many firewalls allow ACK packets but block SYN).
  - Map which hosts respond to unsolicited ACK packets and how (RST/no response).

To target a specific port (for example, 80):

```bash
hping3 -A -p 80 <target>
```

---

## 3. Send TCP SYN Packets

```bash
hping3 -S <target>
```

- `-S`: Set the **SYN** flag in TCP packets.
- Behavior:
  - Sends SYN packets to the default port (0 unless `-p` is specified).
- Use case:
  - Test how the target responds to connection attempts.
  - When combined with `-p`, this becomes a basic SYN scan for that port.

With a specific port:

```bash
hping3 -S -p <port> <target>
```

---

## 4. Send TCP FIN Packets

```bash
hping3 -F <target>
```

- `-F`: Set the **FIN** flag in TCP packets.
- Behavior:
  - Sends packets that look like “finish” requests for a connection.
- Use case:
  - Perform **FIN scans** (when combined with `-p`) to check firewall behavior:
    - Closed ports typically respond with `RST`.
    - Open ports often send no response.
  - Useful for testing how devices treat non-SYN traffic.

Example with a port:

```bash
hping3 -F -p 80 <target>
```

---

## 5. Send TCP RST (Reset) Packets

```bash
hping3 -R <target>
```

- `-R`: Set the **RST** flag in TCP packets.
- Behavior:
  - Sends packets that instruct the receiver to immediately terminate a connection.
- Use case:
  - Observe how the target or firewall handles unexpected RST packets.
  - In controlled tests, can be used to tear down test connections.

With a specific port:

```bash
hping3 -R -p 80 <target>
```

---

## 6. Send TCP URG (Urgent) Packets

```bash
hping3 -U <target>
```

- `-U`: Set the **URG** flag in TCP packets.
- Behavior:
  - Marks data as “urgent” (though most modern applications rarely use it).
- Use case:
  - Test how TCP stacks and firewalls handle **uncommon flags**.
  - Validate logging/alerting for rare or suspicious traffic patterns.

Example with a port:

```bash
hping3 -U -p 80 <target>
```

---

## 7. Send XMAS Packets

```bash
hping3 -X <target>
```

- `-X`: Send **XMAS** packets (commonly FIN + PSH + URG flags set).
- Behavior:
  - Creates “Christmas tree” packets with multiple flags lit.
- Use case:
  - **XMAS scans**:
    - Closed ports usually respond with `RST`.
    - Open ports often do not respond.
  - Test firewall/IDS handling of obviously suspicious packets.

Example with a port:

```bash
hping3 -X -p 80 <target>
```

---

## 8. Send SYN Packet to a Destination Port

```bash
hping3 -S -p <port> <target>
```

- `-S`: SYN flag.
- `-p <port>`: Destination port.
- Behavior:
  - Sends a TCP SYN packet to the specified `<port>` on `<target>`.
- Use case:
  - Simple port check:
    - Open port: typically responds with SYN/ACK.
    - Closed port: typically responds with RST.
  - Validate firewall rules for a specific service port.

---

## 9. Send SYN Packets with Random Source Address

```bash
hping3 -S --rand-source <target>
```

- `-S`: SYN flag.
- `--rand-source`: Randomize the **source IP address** for each packet.
- Behavior:
  - Target sees SYN packets as if they are coming from many different IPs.
- Use case (legitimate, controlled testing):
  - Test how firewalls, load balancers, or DDoS protection handle **spoofed** or distributed-looking traffic.
  - Validate rate-limiting or connection limiting across “different” clients.

Note: Because of IP spoofing, responses will not come back to you; this is for observing target-side behavior/logs.

---

## 10. SYN Flood with Random Source

```bash
hping3 -S --rand-source --flood <target>
```

- `-S`: SYN flag.
- `--rand-source`: Randomize source IP per packet.
- `--flood`: Send packets as fast as possible, no output per packet.
- Behavior:
  - High-rate SYN traffic with spoofed source IPs.
- Use case:
  - **Stress testing** and **capacity testing** of firewalls/load balancers/IPS in a lab or authorized environment.
- Warning:
  - This can severely impact services and look like a SYN flood attack.
  - Use only with explicit permission and monitoring in place.

---

## 11. ICMP Flood with Spoofed Source Address

```bash
hping3 -1 -a <spoofed-ip> --flood <target>
```

> Note: ICMP mode is selected with `-1`, not `-i`.

- `-1`: ICMP mode (echo requests).
- `-a <spoofed-ip>`: Spoof **source IP** as `<spoofed-ip>`.
- `--flood`: Send packets as fast as possible.
- Behavior:
  - Sends a high-rate ICMP echo request flood to `<target>` with a fake source IP.
- Use case:
  - Test how devices handle **ICMP flood** conditions and spoofed traffic (in a controlled environment).
- Warning:
  - Can consume bandwidth and trigger DDoS protections or rate limits.
  - Only for authorized stress testing.

The `-i` option (interval) changes the send rate instead of the protocol:

```bash
hping3 -1 -a <spoofed-ip> --flood <target>
# or with custom interval (e.g., 10 ms):
hping3 -1 -a <spoofed-ip> -i u10000 <target>
```

---

## 12. Check If Port 22 (SSH) Is Open

```bash
hping3 -S -p 22 -c 1 <target>
```

- `-S`: SYN flag (start of TCP handshake).
- `-p 22`: Destination port 22 (typically SSH).
- `-c 1`: Send only **one** packet.
- Behavior:
  - Sends a single SYN to port 22 on `<target>`.
- How to interpret:
  - If you see a **SYN/ACK** response, port 22 is likely open and reachable.
  - If you see a **RST**, port 22 is closed or actively refused.
  - If there is **no response**, the port may be filtered by a firewall or silently dropped.

---

## Summary

- `-1`: ICMP mode (ping-like).
- `-S`, `-A`, `-F`, `-R`, `-U`, `-X`: Control which TCP flags are set (SYN, ACK, FIN, RST, URG, XMAS).
- `-p <port>`: Target a specific port.
- `--rand-source`: Spoof/randomize source IPs.
- `-a <spoofed-ip>`: Spoof a specific source IP.
- `--flood`: Send packets as fast as possible (for stress testing).
- `-c <count>`: Limit number of packets sent.
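
The interpretation rules from sections 4, 7, 8 and 12 can be applied mechanically to saved probe output. The following is an added example, not part of the original document: the function names are hypothetical, and the sample lines are constructed in the style of `hping3` reply lines (`flags=SA`, `flags=RA`) rather than captured from a real host.

```python
import re

# hping3 prints the TCP flags of each reply as letters, e.g. "flags=SA".
FLAGS_RE = re.compile(r"\bflags=([A-Z]+)")

# Constructed sample output (documentation address 192.0.2.10, not real traffic).
SYN_ACK_REPLY = ("len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=22 "
                 "flags=SA seq=0 win=29200 rtt=0.4 ms")
RST_REPLY = ("len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=22 "
             "flags=RA seq=0 win=0 rtt=0.3 ms")
NO_REPLY = ("--- 192.0.2.10 hping statistic ---\n"
            "1 packets transmitted, 0 packets received, 100% packet loss")


def reply_flags(output):
    """Return the set of flag letters in the first reply line, or None if no reply."""
    match = FLAGS_RE.search(output)
    return set(match.group(1)) if match else None


def interpret(probe, output):
    """Map a probe type ('syn', 'fin' or 'xmas') and its output to a port state."""
    if probe not in ("syn", "fin", "xmas"):
        raise ValueError(f"unsupported probe type: {probe!r}")
    flags = reply_flags(output)
    if flags is None:
        # Silence after a SYN suggests filtering. After FIN/XMAS an open port
        # is also silent, so silence alone cannot separate open from filtered.
        return "filtered" if probe == "syn" else "open or filtered"
    if "R" in flags:
        return "closed"              # RST: closed or actively refused
    if probe == "syn" and {"S", "A"} <= flags:
        return "open"                # SYN/ACK: a listener answered
    return "unexpected reply"        # e.g. SYN/ACK in response to a FIN probe


if __name__ == "__main__":
    for probe, sample in (("syn", SYN_ACK_REPLY), ("syn", RST_REPLY),
                          ("syn", NO_REPLY), ("fin", NO_REPLY)):
        print(probe, "->", interpret(probe, sample))
```
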
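
Sections 2 to 7 suggest using these packets to validate logging and alerting for uncommon flags. As an added example (not part of the original document), the sketch below classifies raw TCP headers by the flag combinations described above and by destination port 0, the default when `-p` is omitted. The function names and the choice of which combinations raise an alert are assumptions for illustration, and the headers are constructed test input.

```python
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def tcp_header(dport, flags, sport=40000):
    """Build a minimal 20-byte TCP header (constructed test input, checksum 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 512, 0, 0)


def classify(header):
    """Return (label, reasons); a non-empty reasons list means 'raise an alert'."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    _sport, dport = struct.unpack("!HH", header[:4])
    flags = header[13]               # flag byte sits at offset 13
    reasons = []
    if dport == 0:
        reasons.append("destination port 0")
    if flags == FIN | PSH | URG:
        label = "xmas"
        reasons.append("FIN+PSH+URG set together")
    elif flags == FIN:
        label = "fin"
        reasons.append("FIN without ACK")
    elif flags & URG and not flags & ACK:
        label = "urg"
        reasons.append("URG without ACK")
    elif flags == SYN:
        label = "syn"                # ordinary connection attempt
    elif flags == ACK:
        label = "ack"                # legitimate inside an established flow;
    elif flags & RST:                # judging ACK/RST needs connection state,
        label = "rst"                # not just the flag byte
    else:
        label = "other"
    return label, reasons


if __name__ == "__main__":
    samples = [tcp_header(80, FIN | PSH | URG), tcp_header(0, SYN),
               tcp_header(80, ACK), tcp_header(443, FIN | ACK)]
    for hdr in samples:
        print(classify(hdr))
```

A stateless check like this only covers the flag patterns; deciding whether a bare ACK or RST is unsolicited requires connection tracking on the firewall or sensor.
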