radin/my-docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9c419f72c4ddc187990e08df7d8d68cacf45cb67
my-docs/Security-Networking/hping3/02-Commands.md

6.7 KiB
Raw Blame History

02. Commands Practical hping3 Usage

This document explains common hping3 commands and what they do at a packet/protocol level.
Replace <target> with an IP or hostname, and <port> with a TCP/UDP port number.

Use these commands only on systems and networks you are authorized to test.

1. ICMP “Normal Ping”

hping3 -1 <target>
  • -1: Use ICMP mode (type 8 echo request), similar to the standard ping command.
  • Behavior:
    • Sends ICMP echo request packets to <target>.
    • Measures round-trip time (RTT) and indicates packet loss.
  • Use case:
    • Basic connectivity check when you want to use hping3 instead of ping.
    • Helpful if you want later to switch to more advanced testing without changing tools.

2. Send TCP ACK Packets

hping3 -A <target>
  • -A: Set the ACK flag in TCP packets.
  • Behavior:
    • Sends TCP packets with the ACK flag set to the default port (0 unless -p is specified).
  • Use case:
    • Test firewall rules related to established connections (many firewalls allow ACK packets but block SYN).
    • Map which hosts respond to unsolicited ACK packets and how (RST/no response).

To target a specific port (for example, 80):

hping3 -A <target> -p 80

3. Send TCP SYN Packets

hping3 -S <target>
  • -S: Set the SYN flag in TCP packets.
  • Behavior:
    • Sends SYN packets to the default port (0 unless -p is specified).
  • Use case:
    • Test how the target responds to connection attempts.
    • When combined with -p, this becomes a basic SYN scan for that port.

With a specific port:

hping3 -S <target> -p <port>

4. Send TCP FIN Packets

hping3 -F <target>
  • -F: Set the FIN flag in TCP packets.
  • Behavior:
    • Sends packets that look like “finish” requests for a connection.
  • Use case:
    • Perform FIN scans (when combined with -p) to check firewall behavior:
  • Closed ports typically respond with RST.
  • Open ports often send no response.
    • Useful for testing how devices treat non-SYN traffic.

Example with a port:

hping3 -F <target> -p 80

5. Send TCP RST (Reset) Packets

hping3 -R <target>
  • -R: Set the RST flag in TCP packets.
  • Behavior:
    • Sends packets that instruct the receiver to immediately terminate a connection.
  • Use case:
    • Observe how the target or firewall handles unexpected RST packets.
    • In controlled tests, can be used to tear down test connections.

With a specific port:

hping3 -R <target> -p 80

6. Send TCP URG (Urgent) Packets

hping3 -U <target>
  • -U: Set the URG flag in TCP packets.
  • Behavior:
    • Marks data as “urgent” (though most modern applications rarely use it).
  • Use case:
    • Test how TCP stacks and firewalls handle uncommon flags.
    • Validate logging/alerting for rare or suspicious traffic patterns.

Example with a port:

hping3 -U <target> -p 80

7. Send XMAS Packets

hping3 -X <target>
  • -X: Send XMAS packets (commonly FIN + PSH + URG flags set).
  • Behavior:
    • Creates “Christmas tree” packets with multiple flags lit.
  • Use case:
    • XMAS scans:
  • Closed ports usually respond with RST.
  • Open ports often do not respond.
    • Test firewall/IDS handling of obviously suspicious packets.

Example with a port:

hping3 -X <target> -p 80

8. Send SYN Packet to a Destination Port

hping3 -S <target> -p <port>
  • -S: SYN flag.
  • -p <port>: Destination port.
  • Behavior:
    • Sends a TCP SYN packet to the specified <port> on <target>.
  • Use case:
    • Simple port check:
  • Open port: typically responds with SYN/ACK.
  • Closed port: typically responds with RST.
    • Validate firewall rules for a specific service port.

9. Send SYN Packets with Random Source Address

hping3 -S <target> --rand-source
  • -S: SYN flag.
  • --rand-source: Randomize the source IP address for each packet.
  • Behavior:
    • Target sees SYN packets as if they are coming from many different IPs.
  • Use case (legitimate, controlled testing):
    • Test how firewalls, load balancers, or DDoS protection handle spoofed or distributed-looking traffic.
    • Validate rate-limiting or connection limiting across “different” clients.

Note: Because of IP spoofing, responses will not come back to you; this is for observing target-side behavior/logs.

10. SYN Flood with Random Source

hping3 -S <target> --rand-source --flood
  • -S: SYN flag.
  • --rand-source: Randomize source IP per packet.
  • --flood: Send packets as fast as possible, no output per packet.
  • Behavior:
    • High-rate SYN traffic with spoofed source IPs.
  • Use case:
    • Stress testing and capacity testing of firewalls/load balancers/IPS in a lab or authorized environment.
  • Warning:
    • This can severely impact services and look like a SYN flood attack.
    • Use only with explicit permission and monitoring in place.

11. ICMP Flood with Spoofed Source Address

hping3 -1 <target> -a <src-address> --flood

Note: Your original example used -i, but for ICMP mode it should be -1.

  • -1: ICMP mode (echo requests).
  • -a <src-address>: Spoof source IP as <src-address>.
  • --flood: Send packets as fast as possible.
  • Behavior:
    • Sends a high-rate ICMP echo request flood to <target> with a fake source IP.
  • Use case:
    • Test how devices handle ICMP flood conditions and spoofed traffic (in a controlled environment).
  • Warning:
    • Can consume bandwidth and trigger DDoS protections or rate limits.
    • Only for authorized stress testing.

If you really meant -i (interval), that changes send rate instead of protocol:

hping3 -1 <target> -a <src-address> --flood
# or with custom interval (e.g., 10 ms):
hping3 -1 <target> -a <src-address> -i u10000

12. Check If Port 22 (SSH) Is Open

hping3 -S <target> -p 22 -c 1
  • -S: SYN flag (start of TCP handshake).
  • -p 22: Destination port 22 (typically SSH).
  • -c 1: Send only one packet.
  • Behavior:
    • Sends a single SYN to port 22 on <target>.
  • How to interpret:
    • If you see a SYN/ACK response, port 22 is likely open and reachable.
    • If you see a RST, port 22 is closed or actively refused.
    • If there is no response, the port may be filtered by a firewall or silently dropped.

Summary

  • -1: ICMP mode (ping-like).
  • -S, -A, -F, -R, -U, -X: Control which TCP flags are set (SYN, ACK, FIN, RST, URG, XMAS).
  • -p <port>: Target a specific port.
  • --rand-source: Spoof/randomize source IPs.
  • -a <src-address>: Spoof a specific source IP.
  • --flood: Send packets as fast as possible (for stress testing).
  • -c <count>: Limit number of packets sent.
Reference in New Issue View Git Blame Copy Permalink