### ARS Packet Description: TCP Layer Example with SYN Flag Source: https://github.com/antirez/hping/blob/master/docs/APD.txt This example illustrates defining a TCP layer, specifically setting the SYN flag and specifying source and destination ports. It's useful for initiating TCP connections. ```text tcp{flags=S,dport=80,sport=10} ``` -------------------------------- ### Static Route Configuration Examples Source: https://github.com/antirez/hping/blob/master/RFCs/rfc1812.txt Illustrates how to define static routes with specific metrics for different routing protocols like RIP, OSPF, and EGP. This allows administrators to explicitly set next-hop information and associated costs for reaching network destinations. ```shell route 10.0.0.0/8 via 192.0.2.3 rip metric 3 route 10.21.0.0/16 via 192.0.2.4 ospf inter-area metric 27 route 10.22.0.0/16 via 192.0.2.5 egp 123 metric 99 ``` -------------------------------- ### ARS Packet Description: IP Layer Example Source: https://github.com/antirez/hping/blob/master/docs/APD.txt This example demonstrates how to define an IP layer with source and destination addresses, used in constructing network packets with the ARS library. It shows the basic structure for specifying IP header fields. ```text ip{saddr=1.2.3.4,daddr=www.yahoo.com} ``` -------------------------------- ### Estimating Host Traffic using hping and IP ID Source: https://github.com/antirez/hping/blob/master/docs/HPING2-HOWTO.txt This example demonstrates how to estimate host traffic by observing the incrementing IP ID field in responses from www.yahoo.com. It shows the difference in IP IDs between consecutive packets to infer the number of packets sent by the host within a given time frame. ```bash # hping www.yahoo.com -p 80 -A ppp0 default routing interface selected (according to /proc) HPING www.yahoo.com (ppp0 204.71.200.74): A set, 40 headers + 0 data bytes 40 bytes from 204.71.200.74: flags=R seq=0 ttl=53 id=29607 win=0 rtt=329.4 ms 40 bytes from 204.71.200.74: flags=R seq=1 ttl=53 id=31549 win=0 rtt=390.0 ms 40 bytes from 204.71.200.74: flags=R seq=2 ttl=53 id=33432 win=0 rtt=390.0 ms 40 bytes from 204.71.200.74: flags=R seq=3 ttl=53 id=35368 win=0 rtt=390.0 ms 40 bytes from 204.71.200.74: flags=R seq=4 ttl=53 id=37335 win=0 rtt=390.0 ms 40 bytes from 204.71.200.74: flags=R seq=5 ttl=53 id=39157 win=0 rtt=380.0 ms 40 bytes from 204.71.200.74: flags=R seq=6 ttl=53 id=41118 win=0 rtt=370.0 ms 40 bytes from 204.71.200.74: flags=R seq=7 ttl=53 id=43330 win=0 rtt=390.0 ms --- www.yahoo.com hping statistic --- 8 packets tramitted, 8 packets received, 0% packet loss round-trip min/avg/max = 329.4/377.4/390.0 ms As you can se id field increase. Packet with sequence 0 has id=29607, sequence 1 has id=31549, so www.yahoo.com host sent 31549-29607 = 1942 packets in circa one second. Using -r|--relid option hping output id field as difference between last and current received packet id. ``` -------------------------------- ### ARS Packet Description: ICMP Echo Request Example Source: https://github.com/antirez/hping/blob/master/docs/APD.txt This example shows how to construct a basic ICMP echo request packet. It includes the IP layer, ICMP header with type and code, and a data payload. ```text ip{saddr=1.2.3.4,daddr=www.yahoo.com}+icmp{type=8,code=0}\n+data{str=hello world} ``` -------------------------------- ### ARS Packet Description: UDP Layer Example Source: https://github.com/antirez/hping/blob/master/docs/APD.txt This example shows how to define a UDP layer with source and destination ports. It's a common component when constructing UDP or TCP packets using the ARS Packet Description format. ```text udp{sport=53,dport=53} ``` -------------------------------- ### Resolve Hostnames and Detect Network Interfaces with hping Tcl API Source: https://context7.com/antirez/hping/llms.txt This snippet demonstrates how to use hping's Tcl API to resolve hostnames to IP addresses, get the outgoing interface address for a destination, and list all network interfaces with their details. It also shows how to parse the interface information into a readable format. ```tcl # Resolve hostname to IP address set target "www.example.com" set target_ip [hping resolve $target] # Returns: 192.0.2.1 # Get outgoing interface address for a destination set my_addr [hping outifa www.google.com] # Returns: 192.168.1.100 (your local IP) # List all network interfaces with details foreach iface [hping iflist] { puts $iface } # Output format for each interface: # {lo 16436 {127.0.0.1} {LOOPBACK}} # {eth0 1500 {192.168.1.100} {}} # Format: {name mtu {ip_addresses} {flags}} # Parse interface information foreach iface [hping iflist] { set name [lindex $iface 0] set mtu [lindex $iface 1] set addresses [lindex $iface 2] set flags [lindex $iface 3] puts "Interface: $name, MTU: $mtu, IPs: $addresses" } ``` -------------------------------- ### ARS Packet Description: Combined IP, UDP, and Data Layers Source: https://github.com/antirez/hping/blob/master/docs/APD.txt This example shows a combination of IP, UDP, and Data layers, potentially for DNS queries. It illustrates combining different layer types with specific field values. ```text ip{dst=192.168.1.2}+udp{sport=53,dport=53}+data{file=./dns.packet} ``` -------------------------------- ### ARS Packet Description: ICMP Destination Unreachable Example Source: https://github.com/antirez/hping/blob/master/docs/APD.txt This example demonstrates creating an ICMP destination unreachable message, encapsulating a quoted UDP packet. It shows how to nest packet descriptions. ```text ip{saddr=1.2.3.4,daddr=5.6.7.8}+icmp{type=3,code=3}\n+ip{saddr=www.yahoo.com,daddr=1.2.3.4}+udp{sport=53,dport=53} ``` -------------------------------- ### Get IP Layer TTL using hping3 Source: https://context7.com/antirez/hping/llms.txt Demonstrates retrieving the Time-To-Live (TTL) field from the IP layer of a packet. It shows how to get the outer TTL (skipping zero fields) and the inner TTL (skipping one field). This is useful for analyzing packet hops and network path characteristics. Dependencies include hping3. ```tcl # Get first IP layer TTL (skip=0 or omit skip parameter) set outer_ttl [hping getfield ip ttl $icmp_err] # Get second IP layer TTL (skip=1) set inner_ttl [hping getfield ip ttl 1 $icmp_err] ``` -------------------------------- ### Monitor Host Packet Activity with hping Source: https://github.com/antirez/hping/blob/master/docs/SPOOFED_SCAN.txt This command monitors outgoing packets from a specified host (B) and observes the IP ID field increments. This is crucial for identifying hosts with predictable IP ID sequences, a prerequisite for certain scanning techniques. It requires the 'hping' utility to be installed. ```shell #hping B -r ``` -------------------------------- ### hping: Listen for packets from host B Source: https://github.com/antirez/hping/blob/master/docs/HPING2-HOWTO.txt This command initiates hping to listen for packets originating from host B. It's a preparatory step for spoofed scanning, allowing observation of network responses. ```bash hping B -r ``` -------------------------------- ### Basic HPing Host Scan Source: https://github.com/antirez/hping/blob/master/docs/HPING2-HOWTO.txt Sends TCP null-flags packets to port 0 of a target host to check for replies, useful for 'TCP ping' when ICMP is filtered. It shows packet loss statistics and response details. ```bash #hping host ``` ```bash HPING www.debian.org (ppp0 209.81.8.242): NO FLAGS are set, 40 headers + 0 data bytes 40 bytes from 209.81.8.242: flags=RA seq=0 ttl=243 id=63667 win=0 time=369.4 ms 40 bytes from 209.81.8.242: flags=RA seq=1 ttl=243 id=63719 win=0 time=420.0 ms 40 bytes from 209.81.8.242: flags=RA seq=2 ttl=243 id=63763 win=0 time=350.0 ms [Ctrl+C] --- www.debian.org hping statistic --- 3 packets tramitted, 3 packets received, 0% packet loss ``` -------------------------------- ### OS Fingerprinting with hping Source: https://github.com/antirez/hping/blob/master/docs/HPING2-HOWTO.txt Demonstrates how hping can be used for OS fingerprinting by analyzing the IP header's ID field. This technique is particularly useful when targeting Windows systems. ```shell #hping win95 -r HPING win95 (eth0 192.168.4.41): NO FLAGS are set, 40 headers + 0 data bytes 46 bytes from 192.168.4.41: flags=RA seq=0 ttl=128 id=47371 win=0 rtt=0.5 ms 46 bytes from 192.168.4.41: flags=RA seq=1 ttl=128 id=+256 win=0 rtt=0.5 ms 46 bytes from 192.168.4.41: flags=RA seq=2 ttl=128 id=+256 win=0 rtt=0.6 ms 46 bytes from 192.168.4.41: flags=RA seq=3 ttl=128 id=+256 win=0 rtt=0.5 ms --- win95 hping statistic --- 4 packets tramitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.5/0.5/0.6 ms ``` -------------------------------- ### hping TCP Port Scan with ACK Flag (debian.org) Source: https://github.com/antirez/hping/blob/master/docs/HPING2-HOWTO.txt This command sends ACK packets to port 80 of www.debian.org to test its responsiveness. It demonstrates receiving replies even when a port is in a LISTEN state, highlighting the effectiveness of ACK and RST flags for ACL tests. ```bash # hping www.debian.org -p 80 -A ppp0 default routing interface selected (according to /proc) HPING www.debian.org (ppp0 209.81.8.242): A set, 40 headers + 0 data bytes 40 bytes from 209.81.8.242: flags=R seq=0 ttl=243 id=5590 win=0 time=379.5 ms 40 bytes from 209.81.8.242: flags=R seq=1 ttl=243 id=5638 win=0 time=370.0 ms 40 bytes from 209.81.8.242: flags=R seq=2 ttl=243 id=5667 win=0 time=360.0 ms --- www.debian.org hping statistic --- 3 packets tramitted, 3 packets received, 0% packet loss We can see replies even if port 80 is in LISTEN mode because a port in LISTEN mode may not replay only to NULL, FIN, Xmas, Ymas flags TCP packet. ACK and RST are two important TCP flags that allow to do ACL tests and to guess ip->id without to produce any log (usually). ``` -------------------------------- ### hping: Get IP Checksum from Packet Source: https://github.com/antirez/hping/blob/master/docs/API.txt This command retrieves the IP checksum from a specified packet. It can target specific IP layers by using a 'skip' argument to indicate the layer offset. ```shell hping getfield ip cksum $packet hping getfield ip cksum 1 $packet ``` -------------------------------- ### hping Port Scan with Null Flags Source: https://github.com/antirez/hping/blob/master/docs/HPING2-HOWTO.txt This command tests port 79 on www.microsoft.com using hping with no TCP flags set (null packet). It demonstrates how to check for open or firewalled ports and interpret packet loss. ```bash # hping www.microsoft.com -p 79 ppp0 default routing interface selected (according to /proc) HPING www.microsoft.com (ppp0 207.46.130.150): NO FLAGS are set, 40 headers + 0 data bytes --- www.microsoft.com hping statistic --- 4 packets tramitted, 0 packets received, 100% packet loss No reply from microsoft. Is the port firewalled or in LISTEN mode? To uncover this is very simply. Just we try to set ACK flag instead to send a TCP null-flag packet. If the host respond maybe this port is in LISTEN mode (but it's possible that there is a rules that deny null-flag TCP packet but allow ACK). ``` -------------------------------- ### TCP Options: No-Operation Source: https://github.com/antirez/hping/blob/master/RFCs/rfc793.txt Defines the 'No-Operation' TCP option. With a Kind value of 1, this option can be inserted between other options, potentially for alignment purposes. Receivers must handle options even if they don't start on word boundaries. ```text +--------+ |00000001| +--------+ Kind=1 This option code may be used between options, for example, to align the beginning of a subsequent option on a word boundary. There is no guarantee that senders will use this option, so receivers must be prepared to process options even if they do not begin on a word boundary. ``` -------------------------------- ### hping3: Advanced Packet Crafting Source: https://context7.com/antirez/hping/llms.txt Allows for advanced packet construction, including custom TCP flags, IP fragmentation, setting virtual MTU, spoofing source IP addresses, and using source routing options. ```bash hping3 -S -A -F -p 80 --tcp-timestamp --ttl 64 --win 1024 192.168.1.1 ``` ```bash hping3 -S -p 80 -f -d 1000 192.168.1.1 ``` ```bash hping3 -S -p 80 -m 500 -d 2000 192.168.1.1 ``` ```bash hping3 -S -a 10.0.0.5 -p 80 192.168.1.1 ``` ```bash hping3 -S --rand-source -p 80 192.168.1.1 ``` ```bash hping3 -S --lsrr 192.168.1.254,192.168.2.1 -p 80 192.168.3.100 ``` -------------------------------- ### Basic TCP Ping to Yahoo Source: https://github.com/antirez/hping/blob/master/docs/HPING2-HOWTO.txt Sends TCP packets to a specified host and port, displaying response times and packet statistics. It helps in assessing network connectivity and latency. ```shell # hping www.yahoo.com -P 80 -A -r -i u 500000 ppp0 default routing interface selected (according to /proc) HPING www.yahoo.com (ppp0 204.71.200.68): A set, 40 headers + 0 data bytes 40 bytes from 204.71.200.68: flags=R seq=0 ttl=53 id=35713 win=0 rtt=327.0 ms 40 bytes from 204.71.200.68: flags=R seq=1 ttl=53 id=+806 win=0 rtt=310.0 ms 40 bytes from 204.71.200.68: flags=R seq=2 ttl=53 id=+992 win=0 rtt=320.0 ms 40 bytes from 204.71.200.68: flags=R seq=3 ttl=53 id=+936 win=0 rtt=330.0 ms 40 bytes from 204.71.200.68: flags=R seq=4 ttl=53 id=+987 win=0 rtt=310.0 ms 40 bytes from 204.71.200.68: flags=R seq=5 ttl=53 id=+952 win=0 rtt=320.0 ms 40 bytes from 204.71.200.68: flags=R seq=6 ttl=53 id=+918 win=0 rtt=330.0 ms 40 bytes from 204.71.200.68: flags=R seq=7 ttl=53 id=+809 win=0 rtt=320.0 ms 40 bytes from 204.71.200.68: flags=R seq=8 ttl=53 id=+881 win=0 rtt=320.0 ms --- www.yahoo.com hping statistic --- 9 packets tramitted, 9 packets received, 0% packet loss round-trip min/avg/max = 310.0/320.8/330.0 ms ``` -------------------------------- ### Port Knocking Script using hping3 Source: https://context7.com/antirez/hping/llms.txt This script defines a procedure to perform port knocking against a target. It constructs and sends TCP SYN packets to a sequence of ports. Dependencies include the hping3 executable and Tcl. The input is a target host and a list of ports. The output is a series of network packets sent to the target. ```tcl #!/usr/bin/env hping3 # Save as portknock.htcl, run with: hping3 exec portknock.htcl # Port knocking script proc port_knock {target ports} { set myaddr [hping outifa $target] foreach port $ports { puts "Knocking port $port..." set pkt "ip(saddr=$myaddr,daddr=$target)" append pkt "+tcp(sport=12345,dport=$port,flags=s)" hping send $pkt after 500 } } # Execute port knock sequence port_knock "firewall.example.com" {1000 2000 3000 4000} ``` -------------------------------- ### Spoofed SYN Scan using Idle Host Source: https://github.com/antirez/hping/blob/master/docs/HPING2-HOWTO.txt Explains and demonstrates a spoofed SYN scan method using an 'idle host' (Host B) to mask the attacker's (Host A) IP address. It leverages IP ID increments to detect open ports on the victim (Host C). ```shell #hping B -r HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms -cut- .. . ``` -------------------------------- ### Get IP TTL Field from Packet String (Tcl) Source: https://github.com/antirez/hping/blob/master/docs/API.txt This Tcl command demonstrates how to extract specific field values from a packet string representation. The 'hping getfield' command is used here to retrieve the 'ttl' value from an IP layer within a given packet string. If the layer does not exist, an empty string is returned. This is useful for inspecting packet details. ```Tcl hping getfield ip ttl "ip(saddr=1.2.3.4,daddr=5.6.7.8,ttl=64)" ``` -------------------------------- ### Receive and Parse Raw Binary Packets with hping3 Source: https://context7.com/antirez/hping/llms.txt This Tcl snippet demonstrates how to receive raw binary network packets using hping3 and then parse specific headers, like the Ethernet header. It uses the 'binary scan' command for low-level data interpretation. Dependencies include hping3 and Tcl. ```tcl # Receive raw binary packets (useful for low-level operations) set raw_packet [hping recvraw eth0] set length [string length $raw_packet] puts "Received $length bytes" # Example: Extract Ethernet header (first 14 bytes) binary scan [string range $raw_packet 0 13] H12H12S \ dst_mac src_mac ether_type puts "DST MAC: $dst_mac" puts "SRC MAC: $src_mac" puts "Type: [format 0x%04X $ether_type]" ``` -------------------------------- ### Simple SYN Flood Detection using hping3 Source: https://context7.com/antirez/hping/llms.txt This script monitors a network interface for SYN flood attacks. It counts incoming SYN packets within a defined time window and triggers a warning if the count exceeds a specified threshold. Dependencies include hping3 and Tcl. Inputs are the interface, threshold, and window duration. ```tcl # Simple SYN flood detection proc detect_syn_flood {interface threshold window} { puts "Monitoring for SYN flood (threshold: $threshold SYNs in $window seconds)..." set syn_count 0 set start_time [clock seconds] while {1} { set packets [hping recv $interface 1000 0] foreach pkt $packets { if {[hping hasfield tcp flags $pkt]} { set flags [hping getfield tcp flags $pkt] if {$flags eq "s"} { incr syn_count } } } set elapsed [expr {[clock seconds] - $start_time}] if {$elapsed >= $window} { if {$syn_count > $threshold} { puts "WARNING: Possible SYN flood! $syn_count SYNs in $window seconds" } else { puts "Normal traffic: $syn_count SYNs in $window seconds" } set syn_count 0 set start_time [clock seconds] } } } ``` -------------------------------- ### Manipulate Packet Fields with hping Tcl API Source: https://context7.com/antirez/hping/llms.txt This snippet demonstrates how to extract, check for, and modify specific fields within network packets using hping's Tcl API. It covers getting values like TTL and port numbers, checking for the existence of fields, and setting new values to create modified packets. It also shows how to work with layered packets containing ICMP errors. ```tcl # Get specific field values from a packet set pkt "ip(saddr=192.168.1.1,daddr=192.168.1.2,ttl=64,proto=6)+tcp(sport=80,dport=12345,flags=sa)" # Get IP TTL set ttl [hping getfield ip ttl $pkt] puts "TTL: $ttl" # Output: 64 # Get TCP source port set sport [hping getfield tcp sport $pkt] puts "Source port: $sport" # Output: 80 # Get TCP flags set flags [hping getfield tcp flags $pkt] puts "TCP flags: $flags" # Output: sa (SYN+ACK) # Check if field exists if {[hping hasfield tcp flags $pkt]} { puts "This is a TCP packet" } # Set field values (creates new packet) set new_pkt [hping setfield tcp dport 443 $pkt] puts "Modified packet: $new_pkt" # Changed destination port from 12345 to 443 # Chain multiple field modifications set pkt [hping setfield ip ttl 128 $pkt] set pkt [hping setfield tcp win 65535 $pkt] set pkt [hping setfield tcp flags s $pkt] # Working with layered packets (ICMP error with quoted IP) set icmp_err "ip(saddr=192.168.1.1,daddr=192.168.1.2,proto=1)+icmp(type=3,code=3)+ip(saddr=192.168.1.2,daddr=192.168.1.100,proto=6)+tcp(sport=50000,dport=80)" ``` -------------------------------- ### List Network Interfaces with hping Source: https://github.com/antirez/hping/blob/master/docs/API.txt The 'iflist' subcommand in hping displays all active network interfaces on the system, along with their MTU, IP addresses, and flags. The output is structured as a Tcl list, allowing for easy parsing of multiple addresses or flags per interface. ```tcl hping3.0.0-alpha> hping iflist {lo 16436 {127.0.0.1} {LOOPBACK}} {eth0 1500 {192.168.1.6} {}} ``` ```tcl hping3.0.0-alpha> foreach i [hping iflist] {puts $i} lo 16436 {127.0.0.1} {LOOPBACK} eth0 1500 {192.168.1.6} {} ``` ```tcl hping3.0.0-alpha> foreach i [hping iflist] {puts $i} lo0 33224 {127.0.0.1} {LOOPBACK} xl0 1500 {191.224.144.21 64.238.141.219} {} ``` -------------------------------- ### hping: Spoofed SYN scan with microsecond interval Source: https://github.com/antirez/hping/blob/master/docs/HPING2-HOWTO.txt This command performs a spoofed SYN scan on www.yahoo.com's port 80, originating from server.alicom.com. The '-i u10000' option specifies a microsecond interval between packets, enabling more precise detection even on busy hosts. ```bash hping -a server.alicom.com -S -p 80 -i u10000 www.yahoo.com ``` -------------------------------- ### Send TCP SYN Packet with hping (Tcl) Source: https://github.com/antirez/hping/blob/master/docs/API.txt This Tcl script demonstrates sending a TCP SYN packet to a specified target. It constructs the packet string by appending IP and TCP layers. The script first retrieves the local IP address and then builds the packet string, which is then sent using the 'hping send' command. It highlights how packets are represented as strings and how layers are added. ```Tcl set target www.hping.org set myaddr [hping outifa $target] set syn {} append syn "ip(saddr=$myaddr,daddr=$target,ttl=255)" append syn "+tcp(sport=123,dport=80,flags=2)" hping send $syn ``` -------------------------------- ### hping Port Scan with SYN Flag Source: https://github.com/antirez/hping/blob/master/docs/HPING2-HOWTO.txt This command tests port 79 on www.microsoft.com using hping with the SYN flag set. It's a standard probe for checking port status and helps determine if a port is actively filtered. ```bash # hping www.microsoft.com -S -p 79 ppp0 default routing interface selected (according to /proc) HPING www.microsoft.com (ppp0 207.46.130.149): S set, 40 headers + 0 data bytes --- www.microsoft.com hping statistic --- 3 packets tramitted, 0 packets received, 100% packet loss Ok.. seems that port 79 of microsoft is really filtered. Just for clearness we send some ACK to port 80 of www.debian.org: ``` -------------------------------- ### hping: Scan with specific interface and ACK flag Source: https://github.com/antirez/hping/blob/master/docs/HPING2-HOWTO.txt This command uses hping to send ACK packets to a specified host ('awake.host.org') on port 80, using the 'ppp0' interface. It's used here to observe the host's packet ID increments. ```bash hping awake.host.org -p 80 -A -r ``` -------------------------------- ### hping Port Scan with ACK Flag Source: https://github.com/antirez/hping/blob/master/docs/HPING2-HOWTO.txt This command tests port 79 on www.microsoft.com using hping with the ACK flag set. It's used to infer whether a port is filtered or in a LISTEN state, especially when null packets receive no response. ```bash # hping www.microsoft.com -A -p 79 ppp0 default routing interface selected (according to /proc) HPING www.microsoft.com (ppp0 207.46.130.149): A set, 40 headers + 0 data bytes --- www.microsoft.com hping statistic --- 3 packets tramitted, 0 packets received, 100% packet loss No response again, So this port seems to be filtered. Anyway it's possible that microsoft is using an 'intelligent' firewall that know that in order to connect first I must send a SYN. ``` -------------------------------- ### HPing Scan Specific Port Source: https://github.com/antirez/hping/blob/master/docs/HPING2-HOWTO.txt Tests a specific TCP port on a target host using null-flags packets. This helps determine if a port is in a LISTEN state by observing packet loss. If a port is listening, no reply is expected. ```bash # hping www.debian.org -p 80 ``` ```bash HPING www.debian.org (ppp0 209.81.8.242): NO FLAGS are set, 40 headers + 0 data bytes [Ctrl+C] --- www.debian.org hping statistic --- 5 packets trasmitted, 0 packets received, 100% packet loss ``` -------------------------------- ### Test Port 80 Connectivity with ACK Flag (hping) Source: https://github.com/antirez/hping/blob/master/docs/french/HPING2-HOWTO.txt This command tests connectivity to port 80 on www.debian.org using the ACK flag. It demonstrates how to verify responses from a port that is likely in a LISTEN state and how to interpret ACK and RST flags for ACL testing. ```bash # hping www.debian.org -p 80 -A ppp0 default routing interface selected (according to /proc) HPING www.debian.org (ppp0 209.81.8.242): A set, 40 headers + 0 data bytes 40 bytes from 209.81.8.242: flags=R seq=0 ttl=243 id=5590 win=0 time=379.5 ms 40 bytes from 209.81.8.242: flags=R seq=1 ttl=243 id=5638 win=0 time=370.0 ms 40 bytes from 209.81.8.242: flags=R seq=2 ttl=243 id=5667 win=0 time=360.0 ms --- www.debian.org hping statistic --- 3 packets tramitted, 3 packets received, 0% packet loss ``` -------------------------------- ### Data Segment with Timestamps Source: https://github.com/antirez/hping/blob/master/RFCs/rfc1323.txt Illustrates how to format a data segment when the Snd.TS.OK flag is set, including the TCP Timestamps option with TSval and TSecr. ```pseudocode SEG.WND = (SND.WND >> Rcv.Wind.Scale). ``` -------------------------------- ### IP Datagram Routing Logic Before Subnetting Source: https://github.com/antirez/hping/blob/master/RFCs/rfc950.txt Illustrates the basic logic in IP host software for deciding whether to send a datagram directly to a destination on the local network or to a gateway. This pseudocode assumes a simplified network configuration. ```pseudocode IF ip_net_number(dg.ip_dest) = ip_net_number(my_ip_addr) THEN send_dg_locally(dg, dg.ip_dest) ELSE send_dg_locally(dg, gateway_to(ip_net_number(dg.ip_dest))) ``` -------------------------------- ### SYN Spoofed Scan Method Explanation Source: https://github.com/antirez/hping/blob/master/docs/french/HPING2-HOWTO.txt This section explains a SYN spoofed port scanning technique. It details the roles of three systems (attacker, silent system, victim) and how the attacker leverages IP ID increments and TCP/IP stack behaviors to scan a target without revealing its own IP address. ```text Comment effectuer des scans SYN spoofs en utilisant un champ id incrmental ? Ce qui suit est le message original (ndt : du moins sa traduction) bugtraq propos de la mthode de scan usurpe/indirecte/passive, dessous j'essayerai d'expliquer les dtails et comment cela est possible mme avec UDP avec quelques restrictions. ---- le postage bugtraq propos des scans usurps ---- Salut, J'ai dcouvert une nouvelle mthode de scan de ports TCP. Au contraire de toutes les autres elle vous permet de scanner en utilisant des paquets usurps (ndt : dont l'adresse IP source est usurpe), ainsi les systmes scanns ne peuvent pas voir votre adresse relle. Afin de raliser cela j'utilise trois particularits bien connues des mises en oeuvre TCP/IP de la plupart des OS. (1) * les systmes rpondent SYN|ACK SYN si le port TCP cible est ouvert, et RST|ACK si le port TCP cible est ferm. (2) * Vous pouvez connatre le nombre de paquets que les systmes envoient en utilisant le champ id de l'entte IP. Voir mes prcdents postages ' propos de l'entte IP' dans cette mailing liste. (3) * les systmes rpondent RST SYN|ACK, ne rpondent rien RST. Les joueurs: systme A - le systme malfaisant, l'attaquant. systme B - le systme silencieux. systme C - le systme victime. A est votre systme. B est un systme particulier : il ne doit envoyer aucun paquet pendant que vous scannez C. Il y a normment de systmes 'trafic nul' sur Internet, spcialement la nuit :) C est la victime, il doit tre vulnrable aux scans SYN. J'ai appel cette mthode de scan 'scan du systme muet' (ndt : l'autre traduction de 'dumb' est bte) en rfrence aux caractristiques du systme B. Comment elle fonctionne : Le systme A surveille le nombre de paquets sortants depuis B en utilisant le champ id de l'entte IP. Vous pouvez faire ceci simplement en utilisant hping : #hping B -r HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms ``` -------------------------------- ### Test Port 79 Connectivity with SYN Flag (hping) Source: https://github.com/antirez/hping/blob/master/docs/french/HPING2-HOWTO.txt This command tests connectivity to port 79 on www.microsoft.com using the SYN flag. It further helps in diagnosing filtered ports by simulating a standard TCP connection initiation. ```bash # hping www.microsoft.com -S -p 79 ppp0 default routing interface selected (according to /proc) HPING www.microsoft.com (ppp0 207.46.130.149): S set, 40 headers + 0 data bytes --- www.microsoft.com hping statistic --- 3 packets tramitted, 0 packets received, 100% packet loss ``` -------------------------------- ### Test Port 79 Connectivity with Default Flags (hping) Source: https://github.com/antirez/hping/blob/master/docs/french/HPING2-HOWTO.txt This command tests connectivity to port 79 on www.yahoo.com using default hping settings. It helps diagnose if the port is open or blocked by a firewall, and identifies the type of ICMP response received. ```bash # hping www.yahoo.com -p 79 ppp0 default routing interface selected (according to /proc) HPING www.yahoo.com (ppp0 204.71.200.67): NO FLAGS are set, 40 headers + 0 data bytes ICMP Packet filtered from 206.132.254.41 (pos1-0-2488M.hr8.SNV.globalcenter.net) --- www.yahoo.com hping statistic --- 14 packets tramitted, 0 packets received, 100% packet loss ``` -------------------------------- ### SYN Segment Format Source: https://github.com/antirez/hping/blob/master/RFCs/rfc1323.txt Defines the structure of a SYN segment sent during connection initiation. Includes sequence number, control flags, Timestamp value, and Window Scale option. ```pseudocode ``` ```pseudocode If the Snd.WS.OK bit is on, include a WSopt option in this segment. If the Snd.TS.OK bit is on, include a TSopt in this segment. ``` ```pseudocode ``` -------------------------------- ### Test Port 79 Connectivity with ACK Flag (hping) Source: https://github.com/antirez/hping/blob/master/docs/french/HPING2-HOWTO.txt This command tests connectivity to port 79 on www.microsoft.com using the ACK flag. It helps determine if a port is in a LISTEN state or if it is filtered by a firewall, especially when default flags yield no response. ```bash # hping www.microsoft.com -A -p 79 ppp0 default routing interface selected (according to /proc) HPING www.microsoft.com (ppp0 207.46.130.149): A set, 40 headers + 0 data bytes --- www.microsoft.com hping statistic --- 3 packets tramitted, 0 packets received, 100% packet loss ``` -------------------------------- ### TCP Connection Monitoring with hping3 Source: https://context7.com/antirez/hping/llms.txt This script monitors network traffic on a specified interface for a given duration, identifying and logging new TCP connections based on SYN flags. It uses hping3 to capture packets and extract TCP header information. Dependencies include hping3 and Tcl. Input is an interface name and duration in seconds. ```tcl # TCP connection monitoring proc monitor_tcp {interface duration} { puts "Monitoring TCP connections for $duration seconds..." set start_time [clock seconds] set connections [dict create] while {[expr {[clock seconds] - $start_time}] < $duration} { set packets [hping recv $interface 1000 0] foreach pkt $packets { if {[hping hasfield tcp sport $pkt]} { set src [hping getfield ip saddr $pkt] set dst [hping getfield ip daddr $pkt] set sport [hping getfield tcp sport $pkt] set dport [hping getfield tcp dport $pkt] set flags [hping getfield tcp flags $pkt] set conn_key "$src:$sport -> $dst:$dport" if {[string match "*s*" $flags]} { puts "New connection: $conn_key (SYN)" dict set connections $conn_key "SYN" } elseif {[string match "*f*" $flags]} { puts "Closing: $conn_key (FIN)" } } } } puts "Total unique connections: [dict size $connections]" } ``` -------------------------------- ### hping3: Send TCP SYN Packets Source: https://context7.com/antirez/hping/llms.txt Sends TCP SYN packets to a specified port on a target host. This is commonly used for initiating a connection or checking port availability. It uses the '-S' flag for SYN and '-p' for port. ```bash hping3 -S -p 80 www.example.com ``` -------------------------------- ### Forming a SYN,ACK Segment Source: https://github.com/antirez/hping/blob/master/RFCs/rfc1323.txt This code snippet illustrates the formation of a SYN,ACK segment during the SYN-RECEIVED state. It includes sequence and acknowledgment numbers, control flags, and optional Timestamps and Window Scale options. ```plaintext If the Snd.Echo.OK bit is on, include a TSopt option in this segment. If the Snd.WS.OK bit is on, include a WSopt option in this segment. ``` -------------------------------- ### hping3: Port Scanning Source: https://context7.com/antirez/hping/llms.txt Performs port scanning on a target host. The '--scan' flag specifies the port range or known ports. SYN scan ('-S') is used by default for scanning ranges. ```bash hping3 --scan 1-1000 -S www.target.com ``` ```bash hping3 --scan known -S 192.168.1.100 ``` ```bash hping3 --scan 1-100,200-300,!80,!443 -S target.host ``` -------------------------------- ### Tcl: Split Packet into Layers Source: https://github.com/antirez/hping/blob/master/docs/API.txt This Tcl script demonstrates how to split a network packet string into individual layers using '+' as a delimiter. It then iterates through each layer and splits it into fields using ',' as a delimiter. ```tcl set packet "ip(ihl=5,ver=4,tos=c0,totlen=58,id=62912,fragoff=0,mf=0,df=0,rf=0,ttl=64,proto=1,cksum=e500,saddr=192.168.1.7,daddr=192.168.1.6)+icmp(type=3,code=3,unused=0)+ip(ihl=5,ver=4,tos=00,totlen=30,id=60976,fragoff=0,mf=0,df=1,rf=0,ttl=64,proto=17,cksum=40c9,saddr=192.168.1.6,daddr=192.168.1.7)+udp(sport=33169,dport=10,len=10,cksum=94d6)+data(str=f\0a)" foreach layer [split $packet +] { set t [split $layer ()] set name [lindex $t 0] set fields [lindex $t 1] puts $name foreach field [split $fields ,] { puts " $field" } puts {} } ``` -------------------------------- ### Convert hping Packet to Tcl List and Back (Tcl) Source: https://github.com/antirez/hping/blob/master/docs/API.txt Demonstrates how to convert hping's packet representation (APD) to a Tcl list using `apd2list` and then convert it back to a human-readable format using `list2apd`. This allows for programmatic manipulation of packet data within Tcl scripts. Dependencies include the hping3 utility and Tcl environment. ```tcl hping3.0.0-alpha> apd2list $p {ip {ihl 5} {ver 4} {tos 00} {totlen 52} {id 28845} {fragoff 0} {mf 0} {df 1} {rf 0} {ttl 64} {proto 6} {cksum bb46} {saddr 192.168.1.5} {daddr 192.168.1.6}} {tcp {sport 3733} {dport 4662} {seq 2054230415} {ack 1135045853} {x2 0} {off 8} {flags a} {win 63700} {cksum a509} {urp 0}} tcp.nop tcp.nop {tcp.timestamp {val 6860018} {ecr 13978115}} hping3.0.0-alpha> list2apd $list ip(ihl=5,ver=4,tos=00,totlen=52,id=28845,fragoff=0,mf=0,df=1,rf=0,ttl=64,proto=6,cksum=bb46,saddr=192.168.1.5,daddr=192.168.1.6)+tcp(sport=3733,dport=4662,seq=2054230415,ack=1135045853,x2=0,off=8,flags=a,win=63700,cksum=a509,urp=0)+tcp.nop()+tcp.nop()+tcp.timestamp(val=6860018,ecr=13978115) ``` -------------------------------- ### TCP State Variable Initialization on ESTABLISHED Entry Source: https://github.com/antirez/hping/blob/master/RFCs/rfc1122.txt Details the required initialization of send window variables (SND.WND, SND.WL1, SND.WL2) when a TCP connection enters the ESTABLISHED state. These variables are essential for managing data transmission and acknowledgments. ```text SND.WND <- SEG.WND SND.WL1 <- SEG.SEQ SND.WL2 <- SEG.ACK ``` -------------------------------- ### Send Raw TCP SYN Packet with hping3 Source: https://context7.com/antirez/hping/llms.txt This snippet demonstrates how to send raw binary TCP SYN packet data using hping3. It involves defining the raw packet bytes and then using the 'hping sendraw' command. This method allows for precise control over the packet content, sending exactly the bytes specified. ```shell set raw_tcp_syn "\x45\x00\x00\x3c\x00\x00\x40\x00\x40\x06\x00\x00\xc0\xa8\x01\x64\xc0\xa8\x01\x01" hping sendraw $raw_tcp_syn ``` -------------------------------- ### hping: Filter non-incrementing IDs for idle host scanning Source: https://github.com/antirez/hping/blob/master/docs/HPING2-HOWTO.txt This command demonstrates how to filter hping output to show only packets where the ID has not incremented by exactly 1. This is useful for analyzing traffic from idle hosts, making it easier to spot responses to specific probes. ```bash hping host -r | grep -v "id=+1" ``` -------------------------------- ### Custom Ping with Variable Packet Size using hping3 Source: https://context7.com/antirez/hping/llms.txt This Tcl script implements a custom ping function that allows specifying the packet count and size. It constructs ICMP echo request packets with arbitrary data and sends them to a target. It includes logic to wait for replies and report timeouts. Dependencies include hping3 and Tcl. ```tcl # Ping with custom packet size proc custom_ping {target count size} { set myaddr [hping outifa $target] set data [string repeat "A" $size] for {set i 0} {$i < $count} {incr i} { set pkt "ip(saddr=$myaddr,daddr=$target)" append pkt "+icmp(type=8,code=0,id=1234,seq=$i)" append pkt "+data(str=$data)" hping send $pkt # Wait for reply with 1 second timeout set reply [hping recv eth0 1000 1] if {[llength $reply] > 0} { puts "Reply received for seq $i" } else { puts "Timeout for seq $i" } } } ```