Saturday 13 April 2013

HPing As Port Scanner

Hping Tutorial:

First of all Download Hping From Here

HPING as a port scanner.



Crafting TCP packets is the default behavior of HPING.
By specifying the TCP flags, a destination port and a target IP
address, one can easily construct TCP packets.





-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)





[root@localhost root]# hping -I eth0 -S 192.168.10.1 -p 80
HPING 192.168.10.1 (eth0 192.168.10.1): S set, 40 headers + 0 data bytes
len=46 ip=192.168.10.1 flags=SA DF seq=0 ttl=64 id=11101 win=16080 rtt=2.7 ms
len=46 ip=192.168.10.1 flags=SA DF seq=1 ttl=64 id=11102 win=16080 rtt=2.4 ms
len=46 ip=192.168.10.1 flags=SA DF seq=2 ttl=64 id=11103 win=16080 rtt=2.4 ms



An open port answers the SYN with SYN+ACK (flags=SA); a closed port answers with RST+ACK (flags=RA). Remember the TCP three-way handshake: hping never completes it, because the local kernel has no socket for the probe and answers the target's SYN+ACK with a RST, so no connection is ever established.
This is the well-known SYN scan, also called a half-open or "stealth" scan. A port that returns nothing at all is most likely filtered. Note that hping keeps sending until you stop it, so use -c <count> to bound the number of probes.






A nice built-in feature is the ++ prefix on -p, which increases the destination port by one for every packet sent (a single + increases it only each time a reply is received).

You can also press ctrl+z while the scan is running, instead of using ++, to increase the port number by hand.





[root@localhost root]# hping -I eth0 -S 192.168.10.1 -p ++79
HPING 192.168.10.1 (eth0 192.168.10.1): S set, 40 headers + 0 data bytes
len=46 ip=192.168.10.1 sport=79 flags=RA seq=0 ttl=255 id=17491 win=0 rtt=2.4 ms
len=46 ip=192.168.10.1 sport=80 flags=SA DF seq=1 ttl=64 id=17492 win=16080 rtt=3.1 ms
len=46 ip=192.168.10.1 sport=81 flags=RA seq=2 ttl=255 id=17493 win=0 rtt=1.7 ms
len=46 ip=192.168.10.1 sport=82 flags=RA seq=3 ttl=255 id=17494 win=0 rtt=1.8 ms
len=46 ip=192.168.10.1 sport=83 flags=RA seq=4 ttl=255 id=17495 win=0 rtt=1.4 ms
len=46 ip=192.168.10.1 sport=84 flags=RA seq=5 ttl=255 id=17496 win=0 rtt=3.6 ms




or




[root@localhost root]# hping -I eth0 -S 192.168.10.1 -p ++79 | grep SA
len=46 ip=192.168.10.1 sport=80 flags=SA DF seq=1 ttl=64 id=17498 win=16080 rtt=2.1 ms




All the well-known NMAP scanning techniques can be reproduced with hping (except a CONNECT scan, which needs the operating system to complete the full handshake), and you get finer control over each packet (don't get me wrong, not a bad word about NMAP!). Take a look at the following options that can be set.




-s --baseport base source port (default random)
-p --destport [+][+]<port> destination port (default 0) or ctrl+z inc/dec
-k --keep keep still source port
-w --win winsize (default 64)
-O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
-Q --seqnum shows only tcp sequence number
-b --badcksum (try to) send packets with a bad IP checksum; many systems will fix the IP checksum sending the packet, you'll get bad UDP/TCP checksum instead.
-M --setseq set TCP sequence number
-L --setack set TCP ack




You can easily combine flags and other parameters as follows




[root@localhost root]# hping -I eth0 -M 3000 -SA 192.168.10.1 -p 80
HPING 192.168.10.1 (eth0 192.168.10.1): SA set, 40 headers + 0 data bytes
len=46 ip=192.168.10.1 flags=R seq=3000 ttl=255 id=11118 win=0 rtt=1.8 ms
len=46 ip=192.168.10.1 flags=R seq=3001 ttl=255 id=11119 win=0 rtt=1.9 ms
len=46 ip=192.168.10.1 flags=R seq=3002 ttl=255 id=11120 win=0 rtt=1.9 ms

Here the probe is a SYN+ACK with sequence number 3000 (set with -M), and hping's seq column now counts up from that value. The target answers every probe with a bare RST whether port 80 is open or not: an unsolicited SYN+ACK matches no existing connection, so the TCP stack resets it. This probe therefore cannot tell open from closed the way the SYN probe does, but it serves the same purpose as an ACK scan: a RST proves the port is reachable (unfiltered), while silence points to a stateful firewall in the path.
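As an added example (not from the original post), here is a small POSIX shell/awk helper that turns the raw hping reply lines from the two probe styles above (the SYN scan with -p ++79 and the SYN+ACK probe with -M/-SA) into a per-port verdict. It is more useful than piping into grep SA because it also lists the ports that never answered and shows the TTL of each reply. The two sample outputs embedded in it are constructed to match hping's output format; the function name classify_hping and its MODE/FIRST/LAST arguments are my own and not part of hping.

```shell
#!/bin/sh
# Added example: summarise hping reply lines into one verdict per port.
# Not hping's own code; the two samples below are constructed to mirror
# the line format hping prints.

# Constructed sample: SYN probes (-S) with -p ++79; hping prints "sport="
# (the port we probed) when the destination port is being incremented.
SYN_SAMPLE='HPING 192.168.10.1 (eth0 192.168.10.1): S set, 40 headers + 0 data bytes
len=46 ip=192.168.10.1 sport=79 flags=RA seq=0 ttl=255 id=17491 win=0 rtt=2.4 ms
len=46 ip=192.168.10.1 sport=80 flags=SA DF seq=1 ttl=64 id=17492 win=16080 rtt=3.1 ms
len=46 ip=192.168.10.1 sport=81 flags=RA seq=2 ttl=255 id=17493 win=0 rtt=1.7 ms
len=46 ip=192.168.10.1 sport=83 flags=RA seq=4 ttl=255 id=17495 win=0 rtt=1.4 ms'

# Constructed sample: SYN+ACK probes (-SA -M 3000) against a fixed port 80;
# with a fixed destination port hping omits the "sport=" field.
ACK_SAMPLE='HPING 192.168.10.1 (eth0 192.168.10.1): SA set, 40 headers + 0 data bytes
len=46 ip=192.168.10.1 flags=R seq=3000 ttl=255 id=11118 win=0 rtt=1.8 ms
len=46 ip=192.168.10.1 flags=R seq=3001 ttl=255 id=11119 win=0 rtt=1.9 ms'

# classify_hping MODE FIRST LAST   (reads hping output on stdin)
#   MODE  syn : SA -> open, RA -> closed, no reply -> filtered
#         ack : R or RA -> unfiltered, no reply -> filtered
#   FIRST..LAST is the port range that was probed (FIRST is also used when
#   a reply line carries no "sport=" field), so silent ports are reported.
classify_hping() {
    awk -v mode="$1" -v first="$2" -v last="$3" '
    /^len=/ {
        port = first; flags = ""; ttl = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue          # e.g. the bare "DF" token
            key = substr($i, 1, n - 1); val = substr($i, n + 1)
            if (key == "sport") port = val
            else if (key == "flags") flags = val
            else if (key == "ttl") ttl = val
        }
        if (mode == "syn") {
            if (flags == "SA") s = "open"
            else if (flags == "RA") s = "closed"
            else s = "unexpected(" flags ")"
        } else {
            if (flags == "R" || flags == "RA") s = "unfiltered"
            else s = "unexpected(" flags ")"
        }
        # keep the first verdict per port; collect every TTL seen for it
        if (!(port in state)) state[port] = s
        if (port in ttls) ttls[port] = ttls[port] "," ttl; else ttls[port] = ttl
    }
    END {
        for (p = first; p <= last; p++) {
            if (p in state) printf "%d %s ttl=%s\n", p, state[p], ttls[p]
            else printf "%d filtered(no reply)\n", p
        }
    }'
}

# Live usage (needs root and hping installed; -c bounds the probe count):
#   hping -S 192.168.10.1 -p ++79 -c 6 | classify_hping syn 79 84
#   hping -SA -M 3000 192.168.10.1 -p 80 -c 3 | classify_hping ack 80 80
printf '%s\n' "$SYN_SAMPLE" | classify_hping syn 79 84
printf '%s\n' "$ACK_SAMPLE" | classify_hping ack 80 80
```

The ttl column is there on purpose: in the scan output above the RA replies arrive with ttl=255 and win=0 while the SA reply has ttl=64. A RST whose TTL differs from the host's own SYN+ACK may have been generated by a device in the path rather than by the target's stack, so read "closed" as "a RST came back", not as a certainty.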

Enjoy...:)
