Saturday, 13 April 2013

HPing As Port Scanner

Hping Tutorial:

First of all, download and install hping (most Linux distributions package it as hping3).

HPING as a port scanner.

Crafting TCP packets is the default behavior of HPING.
By specifying the TCP flags, a destination port and a target IP
address, one can easily construct TCP packets.

-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)

[root@localhost root]# hping -I eth0 -S -p 80
HPING (eth0 S set, 40 headers + 0 data
len=46 ip= flags=SA DF seq=0 ttl=64 id=11101 win=16080
rtt=2.7 ms
len=46 ip= flags=SA DF seq=1 ttl=64 id=11102 win=16080
rtt=2.4 ms
len=46 ip= flags=SA DF seq=2 ttl=64 id=11103 win=16080
rtt=2.4 ms

An open port answers the SYN with a SYN/ACK (flags=SA); a closed port answers
with an RST/ACK (flags=RA). Remember the TCP 3-way handshake: hping never
completes it, because the scanning host's own TCP stack knows nothing about the
probe and answers the SYN/ACK with a RST, so no connection is ever established
on the target. This is the same technique as the well-known SYN scan, also
called a half-open or "stealth" scan. A port that sends nothing back at all (or
only an ICMP unreachable) is most likely filtered by a firewall, so keep an eye
on hping's packet-loss counter as well as on the flags column.

A nice built-in feature is the ++ prefix on the destination port, which
increments the port by one for every packet sent (a single + increments it for
every reply received instead).

You can also press 'ctrl+z' during a scan, instead of using ++, to bump the
destination port by hand.

[root@localhost root]# hping -I eth0 -S -p ++79
HPING (eth0 S set, 40 headers + 0 data
len=46 ip= sport=79 flags=RA seq=0 ttl=255 id=17491 win=0
rtt=2.4 ms
len=46 ip= sport=80 flags=SA DF seq=1 ttl=64 id=17492
win=16080 rtt=3.1 ms
len=46 ip= sport=81 flags=RA seq=2 ttl=255 id=17493 win=0
rtt=1.7 ms
len=46 ip= sport=82 flags=RA seq=3 ttl=255 id=17494 win=0
rtt=1.8 ms
len=46 ip= sport=83 flags=RA seq=4 ttl=255 id=17495 win=0
rtt=1.4 ms
len=46 ip= sport=84 flags=RA seq=5 ttl=255 id=17496 win=0
rtt=3.6 ms


[root@localhost root]# hping -I eth0 -S -p ++79 | grep SA
len=46 ip= sport=80 flags=SA DF seq=1 ttl=64 id=17498
win=16080 rtt=2.1 ms
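Grepping for SA only shows the open ports. As an added example (not code from the original post), the following POSIX shell script parses hping reply lines like the ones above and turns them into a port/state report; it also reports ports in the scanned range that never answered as filtered, which the flags column alone cannot show. The sample reply lines, the address 192.0.2.10 and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: classify the replies of an hping SYN scan.
# hping prints one line per reply; sport= is the target port that answered and
# flags= carries the TCP flags of the reply. SA means the port completed the first
# half of the handshake (open), RA means it refused (closed), and a port in the
# scanned range that never answers is reported as filtered.

# Map the reply flags of a SYN probe to a port state.
classify_flags() {
  case "$1" in
    SA) echo open ;;
    RA) echo closed ;;
    *)  echo "unexpected($1)" ;;   # anything else deserves a closer look
  esac
}

# Read hping reply lines on stdin and print "port state" for each reply.
# Lines without sport=/flags= (the HPING header, ICMP errors, statistics) are skipped.
classify_replies() {
  while IFS= read -r line; do
    port=""; flags=""
    for tok in $line; do
      case "$tok" in
        sport=*) port=${tok#sport=} ;;
        flags=*) flags=${tok#flags=} ;;
      esac
    done
    [ -n "$port" ] && [ -n "$flags" ] || continue
    printf '%s %s\n' "$port" "$(classify_flags "$flags")"
  done
}

# report_range FIRST LAST   (hping output on stdin)
# Walks the whole scanned range so that silent ports show up as "filtered".
report_range() {
  first=$1; last=$2
  seen=$(classify_replies)
  port=$first
  while [ "$port" -le "$last" ]; do
    state=$(printf '%s\n' "$seen" | awk -v p="$port" '$1 == p { print $2; exit }')
    printf '%s %s\n' "$port" "${state:-filtered}"
    port=$((port + 1))
  done
}

# Constructed sample of the output a run such as
#   hping3 -I eth0 -S -p ++79 -c 6 192.0.2.10 | report_range 79 84
# would produce (192.0.2.10 is a documentation address; port 82 never replies).
SAMPLE_REPLIES='len=46 ip=192.0.2.10 sport=79 flags=RA seq=0 ttl=255 id=17491 win=0 rtt=2.4 ms
len=46 ip=192.0.2.10 sport=80 flags=SA DF seq=1 ttl=64 id=17492 win=16080 rtt=3.1 ms
len=46 ip=192.0.2.10 sport=81 flags=RA seq=2 ttl=255 id=17493 win=0 rtt=1.7 ms
len=46 ip=192.0.2.10 sport=83 flags=RA seq=4 ttl=255 id=17495 win=0 rtt=1.4 ms
len=46 ip=192.0.2.10 sport=84 flags=RA seq=5 ttl=255 id=17496 win=0 rtt=3.6 ms'

# Run the classifier over the constructed sample; the report goes to stdout.
demo_report() {
  printf '%s\n' "$SAMPLE_REPLIES" | report_range 79 84
}

demo_report
```

Feed it a real scan by piping hping's output into report_range with the same first and last port you gave to -p ++; because the script walks the range itself, a port that is silently dropped by a firewall is listed as filtered instead of vanishing from the output as it does with grep.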

All the well-known NMAP scanning techniques can be reproduced (except a CONNECT
scan, which needs a full handshake completed by the kernel's TCP stack), and
you get finer control over the packets (don't get me wrong, not a bad word
about NMAP!). Take a look at the following options that can be set.

-s --baseport base source port (default random)
-p --destport [+][+]<port> destination port (default 0), or ctrl+z inc/dec
-k --keep keep still source port
-w --win winsize (default 64)
-O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
-Q --seqnum shows only tcp sequence number
-b --badcksum (try to) send packets with a bad IP checksum; many systems will
fix the IP checksum when sending the packet, so you'll get a bad UDP/TCP
checksum instead
-M --setseq set TCP sequence number
-L --setack set TCP ack

You can easily combine flags and other parameters, for example a fixed TCP
sequence number (-M) together with SYN and ACK set:

[root@localhost root]# hping -I eth0 -M 3000 -SA -p 80
HPING (eth0 SA set, 40 headers + 0 data
len=46 ip= flags=R seq=3000 ttl=255 id=11118 win=0 rtt=1.8
len=46 ip= flags=R seq=3001 ttl=255 id=11119 win=0 rtt=1.9
len=46 ip= flags=R seq=3002 ttl=255 id=11120 win=0 rtt=1.9

Note the bare RST (flags=R) coming back: a SYN/ACK that belongs to no existing
connection is rejected whether the port is open or closed, so this probe does
not reveal the port state, but getting a reply at all shows that the host is up
and that port 80 is not filtered, much like NMAP's ACK scan.


