A CLEAR WORD OF CAUTION – ONLY USE THIS TOOL WHERE YOU HAVE PERMISSION.
THIS ARTICLE IS OFFERED FOR LEARNING PURPOSES ONLY.
Hping3 is a network tool designed for packet crafting and analysis, similar to Scapy but with a more command-line-oriented interface. It is often used for testing and troubleshooting network infrastructure, performing security assessments, and crafting custom packets. Hping3 is particularly popular in network security because of its simplicity and power, allowing users to simulate different types of network traffic or attacks.
Some key features of hping3:
- TCP/UDP/ICMP/raw IP packet crafting:
hping3 lets you build custom TCP, UDP, ICMP or raw IP packets, setting the source and destination addresses, port numbers, TCP flags (SYN, ACK, FIN, RST, PSH, URG), sequence numbers, TTL, IP ID, fragmentation fields and payload.
- Firewall testing:
It is commonly used to test firewall rules by sending packets with specific flags or other crafted fields and watching which ones are answered, rejected or silently dropped. For example, sending SYN, ACK or FIN packets to the same port shows whether the firewall only admits genuine connection setups or also lets stray ACK and FIN segments through.
- Advanced traceroute:
hping3 can traceroute with TCP, UDP or ICMP probes. Classic traceroute uses UDP probes (Unix) or ICMP echo requests (Windows), which firewalls often drop; tracing with a TCP SYN to port 80 or 443 follows the path the real application traffic takes and gets through where the classic probes are blocked.
- DoS (denial of service) simulation:
hping3 can generate floods such as SYN floods, in which large numbers of SYN packets are sent to exhaust a system's half-open connection queue. This is useful for testing how network equipment and security systems behave under attack.
- Network scanning:
hping3 can port-scan, much like Nmap, by sending SYN packets to individual ports or a range of ports and classifying the reply: SYN/ACK means open, RST means closed, and no reply means filtered.
- Packet sniffing:
Although not its primary purpose, hping3 can listen for packets that carry a chosen signature and print what follows it. For detailed capture and analysis, Wireshark or Scapy are the better tools.
- Remote host fingerprinting:
Operating systems answer unusual TCP/IP stimuli (odd flag combinations, specific options, oversized packets) in slightly different ways; hping3 lets you send such stimuli and compare the responses to identify the type of system or device at an address.
- Idle scanning:
hping3 can perform an idle scan, a stealth technique that uses a third, idle host (the "zombie") as the apparent source of the probes, so the target only ever sees the zombie's address.
- Bandwidth and loss measurement:
hping3 can send packets at a chosen rate and report loss and round-trip times, which helps locate congested or lossy segments and gives a rough idea of what a link sustains.
- Path MTU discovery:
By sending packets of increasing size with the Don't Fragment bit set, hping3 can find the smallest MTU along a path, so that traffic can be sized to avoid fragmentation.
- Timing analysis and RTT (round-trip time):
hping3 measures the round-trip time of every probe, giving the latency between source and destination, and its closing statistics show packet loss, both useful when diagnosing network problems.
- Spoofing:
hping3 can send packets with a false source IP address. This is useful for testing (for example, checking that your edge routers drop packets arriving from outside with internal source addresses), but it is also how attackers make SYN floods appear to come from many hosts.
So where would I use hping3?
- Penetration Testing: Hping3 is used to simulate various network attacks, such as SYN floods or ACK scans, to test how well network defenses like firewalls and intrusion detection systems hold up under attack.
- Network Troubleshooting: By sending customized packets, you can identify issues like routing problems, slow links, packet loss, or faulty firewall rules.
- Performance Benchmarking: You can measure RTT and packet loss under different network conditions, helping to identify bottlenecks or poorly performing network segments.
- Firewall/IDS Evasion Testing: Hping3 allows you to send crafted packets that may bypass improperly configured firewalls or intrusion detection systems (IDS) by mimicking legitimate traffic.
Here are some basic hping3 examples:
All of the commands below need raw-socket privileges, so precede them with 'sudo' or run them as root.
- Ping with TCP SYN:
hping3 -S <target IP>
Sends one SYN per second, by default to port 0, and prints a line per reply showing the flags the target set and the round-trip time.
- Performing a port scan:
hping3 -S <target IP> -p 80 -c 1
This sends a single SYN packet to port 80 of the target IP. A reply with flags=SA means the port is open, flags=RA means it is closed, and no reply at all usually means a firewall dropped the probe.
- Flooding a target with SYN packets:
hping3 -S <target IP> -p 80 --flood
Runs until you press Ctrl-C; hping3 does not display replies while flooding.
- Traceroute using TCP:
hping3 --traceroute -S -p 80 <target IP>
- Simulate a UDP ping:
hping3 --udp -p 53 <target IP>
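The single-SYN probe above becomes a small scanner once the reply is interpreted. The script below is an added example, not part of the original article: classify_reply reads hping3's output and maps the reply flags to a port state, and scan_ports drives hping3 for a list of ports. The address 192.0.2.10 and the two sample reply lines are constructed for the offline demonstration; the live functions need root and a reachable host.

```shell
#!/bin/sh
# Added example, not from the original article.  Turn hping3's one-SYN probe
# into a port-state classifier:
#   flags=SA  -> open      (the target answered the SYN with SYN/ACK)
#   flags=RA  -> closed    (the target answered with RST/ACK)
#   no reply  -> filtered  (dropped by a firewall, or the host is down)
# hping3 never completes the handshake: the local kernel answers the SYN/ACK
# with a RST because no socket exists, so the scan stays half-open.

# classify_reply: read hping3 output on stdin, print open, closed or filtered.
# A reply line looks like (constructed here, in hping3's format):
#   len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms
classify_reply() {
    flags=$(sed -n 's/.*flags=\([A-Z]*\).*/\1/p' | head -n 1)
    case "$flags" in
        *S*A*|*A*S*) echo open ;;      # SYN and ACK both set
        *R*)         echo closed ;;    # any RST
        '')          echo filtered ;;  # nothing carrying flags= came back
        *)           echo "unexpected:$flags" ;;
    esac
}

# probe_port TARGET PORT: send one SYN with hping3 (needs root) and classify it.
probe_port() {
    hping3 -S -p "$2" -c 1 "$1" 2>/dev/null | classify_reply
}

# scan_ports TARGET PORT...: one "port state" line per port.
scan_ports() {
    target=$1; shift
    for port in "$@"; do
        printf '%s %s\n' "$port" "$(probe_port "$target" "$port")"
    done
}

# Constructed sample replies for an offline run (no hping3, no root needed).
OPEN_REPLY='len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms'
CLOSED_REPLY='len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=0.3 ms'

demo() {
    printf 'SYN/ACK reply -> %s\n' "$(printf '%s\n' "$OPEN_REPLY" | classify_reply)"
    printf 'RST/ACK reply -> %s\n' "$(printf '%s\n' "$CLOSED_REPLY" | classify_reply)"
    printf 'no reply      -> %s\n' "$(printf '' | classify_reply)"
}
demo
# Live use (as root): scan_ports 192.0.2.10 22 80 443
```

An "ICMP Unreachable" line (a router or firewall rejecting the probe with administratively prohibited) carries no flags= field, so it is reported as filtered, which is the right reading.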
Advanced hping3 usage
Below are some advanced and interesting ways to use hping3 for various network-related tasks:
1. TCP SYN Flood (Denial of Service Simulation):
You can simulate a SYN flood attack to test how well a server or network device handles high volumes of half-open connections. This helps in stress-testing firewall or load-balancer configurations.
hping3 -S <target IP> -p 80 --flood --rand-source
- The --flood option sends packets as fast as possible, without waiting for replies.
- The --rand-source option randomizes the source IP, so the flood appears to come from many hosts. The target's SYN/ACKs go to those random addresses rather than back to you, so each half-open entry sits in its queue until it times out, which is exactly what makes the attack effective.
2. Advanced OS Fingerprinting:
By analyzing the way an operating system responds to various types of crafted packets, you can fingerprint the OS more accurately. This is similar to how Nmap performs OS detection but allows you to customize it further.
Example: Send a packet with unusual flags to get a response that might differ based on the OS:
hping3 <target IP> -p 80 -A -F -S -U
- Sends packets with ACK, FIN, SYN, and URG flags set to test how the target responds.
3. ICMP-based Path MTU Discovery:
Use hping3 to discover the Path Maximum Transmission Unit (MTU), which is the largest packet size that can be transmitted over a network without fragmentation. The MTU discovery process is useful in tuning network performance.
hping3 <target IP> -c 1 --icmp -y -d 1472
- The -y option (--dontfrag) sets the Don't Fragment bit, and -d 1472 gives a 1500-byte datagram once the 8-byte ICMP header and 20-byte IP header are added. If every hop carries 1500 bytes you get a normal echo reply; if a hop has a smaller MTU you get "ICMP Unreachable type=3 code=4" (fragmentation needed) instead. Lower -d until a reply comes back; that data size plus 28 is the path MTU. Note that --fragoff sets the IP fragment-offset field and does not prevent fragmentation.
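Trying sizes by hand is slow; a binary search over the payload size needs only about ten probes. The script below is an added example, not part of the original article: probe_df wraps the hping3 command above and pmtu_search does the search. It assumes IPv4, a host that answers echo requests, and TARGET set in the environment for live use; fake_probe_1400 is a constructed stand-in for a path with a 1400-byte bottleneck so the search logic can run without root or a network.

```shell
#!/bin/sh
# Added example, not from the original article.  Binary-search the path MTU by
# sending DF-marked ICMP echo requests of varying size with hping3 -y and noting
# which sizes are still answered.  Assumptions: IPv4, a host that answers echo
# requests, TARGET set in the environment for live use.
# Path MTU = largest answered payload + 8 (ICMP header) + 20 (IPv4 header).

ICMP_OVERHEAD=28

# probe_df PAYLOAD: exit 0 if a DF-marked echo request carrying PAYLOAD data
# bytes got an echo reply.  A real reply line contains "rtt="; a hop with a
# smaller MTU returns "ICMP Unreachable type=3 code=4" (fragmentation needed)
# instead, and a silent drop returns nothing; both count as failure.
probe_df() {
    hping3 --icmp -y -d "$1" -c 1 "$TARGET" 2>/dev/null | grep -q 'rtt='
}

# pmtu_search LOW HIGH: largest payload in [LOW, HIGH] that gets a reply,
# converted to an MTU.  The probe function is taken from $PROBE (default
# probe_df) so the search can be exercised without root or a network.
pmtu_search() {
    low=$1; high=$2; best=0
    while [ "$low" -le "$high" ]; do
        mid=$(( (low + high) / 2 ))
        if "${PROBE:-probe_df}" "$mid"; then
            best=$mid; low=$((mid + 1))   # fits: try larger
        else
            high=$((mid - 1))             # too big: try smaller
        fi
    done
    if [ "$best" -eq 0 ]; then
        echo "no reply at any size (host down, ICMP blocked, or LOW too high?)" >&2
        return 1
    fi
    echo $((best + ICMP_OVERHEAD))
}

# Constructed stand-in for a path whose narrowest link has a 1400-byte MTU:
# payloads up to 1400 - 28 = 1372 bytes succeed, larger ones fail.
fake_probe_1400() { [ "$1" -le 1372 ]; }

demo() {
    ( PROBE=fake_probe_1400; pmtu_search 0 1472 )   # prints 1400
}
demo
# Live use (as root): TARGET=192.0.2.10; pmtu_search 0 1472
```

Start the upper bound at your own interface MTU minus 28 (1472 for Ethernet); a larger -d would be rejected locally before it ever reaches the network.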
4. Network Congestion & Loss Measurement:
Measure how packet loss or latency changes over time by sending crafted packets at different intervals. This can help identify network congestion or routing issues.
hping3 <target IP> -S -p 80 -i u1000
- The -i u1000 option sends a packet every 1000 microseconds (1 ms). Add -c for a fixed number of probes and compare the transmitted and received counts in the closing statistics. A rising RTT with little loss points to a queue filling up along the path, while bursts of unanswered probes point to outright drops.
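hping3's own statistics give totals only. Because hping3 numbers its probes from 0 and echoes that number back as seq= in each reply line, a gap in the seq= values shows exactly which probes were lost, and the per-reply rtt= values give jitter. The script below is an added example, not part of the original article; the four sample reply lines are constructed, and measure needs root and a reachable host.

```shell
#!/bin/sh
# Added example, not from the original article.  Summarise a run of hping3
# probes: which probe numbers went unanswered, min/avg/max RTT and jitter
# (mean change between consecutive RTTs).

# rtt_stats: read hping3 reply lines on stdin, print one summary line.
rtt_stats() {
    LC_ALL=C awk '
    BEGIN { expect = 0 }
    /rtt=/ {
        if (match($0, /seq=[0-9]+/)) seq = substr($0, RSTART + 4, RLENGTH - 4) + 0
        if (match($0, /rtt=[0-9.]+/)) rtt = substr($0, RSTART + 4, RLENGTH - 4) + 0
        n++
        if (n == 1 || rtt < min) min = rtt
        if (n == 1 || rtt > max) max = rtt
        sum += rtt
        if (n > 1) jit += (rtt > prev ? rtt - prev : prev - rtt)
        prev = rtt
        # probe numbers are consecutive; any skipped seq= value was lost
        for (s = expect; s < seq; s++) lost = lost (lost == "" ? "" : ",") s
        expect = seq + 1
    }
    END {
        if (n == 0) { print "replies=0"; exit }
        printf "replies=%d lost_seqs=%s min=%.1f avg=%.1f max=%.1f jitter=%.1f\n",
               n, (lost == "" ? "none" : lost), min, sum / n, max,
               (n > 1 ? jit / (n - 1) : 0)
    }'
}

# measure TARGET [COUNT]: COUNT SYN probes 1 ms apart, summarised (needs root).
measure() {
    hping3 -S -p 80 -c "${2:-100}" -i u1000 "$1" 2>/dev/null | rtt_stats
}

# Constructed sample: four replies, probe 2 missing, RTTs 1/3/2/2 ms.
SAMPLE='len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=1.0 ms
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=80 flags=SA seq=1 win=29200 rtt=3.0 ms
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=80 flags=SA seq=3 win=29200 rtt=2.0 ms
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=80 flags=SA seq=4 win=29200 rtt=2.0 ms'

demo() { printf '%s\n' "$SAMPLE" | rtt_stats; }
demo   # replies=4 lost_seqs=2 min=1.0 avg=2.0 max=3.0 jitter=1.0
# Live use (as root): measure 192.0.2.10 200
```

The hping3 banner and closing statistics lines carry no rtt= field and are ignored, so the function can be fed hping3's full output directly.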
5. Simulate a Slowloris Attack:
Slowloris is an application-layer DoS attack that opens many HTTP connections and keeps them alive by sending partial requests very slowly, tying up the server's worker pool. hping3 works at the packet level and never completes a TCP handshake, so it cannot reproduce Slowloris; the closest approximation is a slow, steady trickle of SYN packets, which exercises the half-open connection queue and rate-based detection thresholds rather than the web server itself.
hping3 -S <target IP> -p 80 -i u500000
- This sends one SYN every 0.5 seconds (500000 microseconds), a rate low enough to slip under simple flood thresholds.
6. Firewalking (Firewall Penetration Testing):
Firewalking determines which ports a firewall lets through by sending probes with increasing TTL values and noting where they stop being answered. hping3's traceroute mode increments the TTL from 1 for you:
hping3 --traceroute -S -p 80 <target IP>
- Each hop that returns "TTL exceeded" is printed; the hop after which replies stop is where the packet was dropped. Repeat with different -p values: ports whose probes travel one hop further than the others are the ones the firewall permits.
7. Idle Scan (Stealth Scanning):
In an idle scan you never send a probe to the target from your own address. A third, idle host (the "zombie") whose IP ID counter increases by one for every packet it sends is used as the apparent source: you read the zombie's current IP ID, send a SYN to the target spoofed from the zombie's address, then read the zombie's IP ID again. If the target port is open it answers the zombie with SYN/ACK, the zombie replies with a RST and its ID advances by 2; if the port is closed the target sends a RST, the zombie ignores it and the ID advances by 1. hping3 supplies the spoofed probe (-a is the short form of --spoof) and, run against the zombie with -r, prints the ID increments directly:
hping3 -S <target IP> -p 80 -c 1 --spoof <idle IP>
- The target only ever sees the zombie's address. Choose a truly idle zombie: any traffic it generates on its own appears as extra increments and makes the result ambiguous.
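The three steps above, as an added example that is not part of the original article. The addresses come from the documentation ranges and are placeholders; ipid_of and verdict are this script's own helpers, and the sample zombie replies are constructed so the interpretation can be checked without root or a network. The zombie must have a global, incrementing IP ID counter and no traffic of its own while the scan runs.

```shell
#!/bin/sh
# Added example, not from the original article.  Idle scan with hping3: read the
# zombie's IP ID, send one SYN to the target spoofed from the zombie, read the
# zombie's IP ID again and interpret the change.

ZOMBIE=${ZOMBIE:-192.0.2.50}      # idle host with a predictable IP ID counter (placeholder)
TARGET=${TARGET:-203.0.113.7}     # host whose port we want to classify (placeholder)
ZOMBIE_PORT=${ZOMBIE_PORT:-80}    # any port the zombie answers; SYN/ACK or RST both count

# ipid_of: read hping3 output on stdin, print the IP ID of the first reply.
# Reply lines carry " id=<n>" (constructed sample, in hping3's format):
#   len=46 ip=192.0.2.50 ttl=128 id=5411 sport=80 flags=RA seq=0 win=0 rtt=1.2 ms
ipid_of() {
    sed -n 's/.* id=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# verdict BEFORE AFTER: interpret the zombie's IP ID change across one spoofed
# probe.  The zombie sends exactly one packet to answer each of our two reads;
# an open target port makes it send one more (a RST to the target's SYN/ACK).
verdict() {
    if [ -z "$1" ] || [ -z "$2" ]; then
        echo "no reply from zombie"; return 1
    fi
    delta=$(( ($2 - $1 + 65536) % 65536 ))   # IP ID is a 16-bit counter, may wrap
    case "$delta" in
        1) echo "closed|filtered" ;;   # target sent RST or nothing; zombie stayed quiet
        2) echo "open" ;;              # target sent SYN/ACK; zombie answered it with a RST
        *) echo "inconclusive (delta=$delta, zombie not idle?)" ;;
    esac
}

# idle_scan PORT: the three hping3 steps (needs root).
idle_scan() {
    before=$(hping3 -S -p "$ZOMBIE_PORT" -c 1 "$ZOMBIE" 2>/dev/null | ipid_of)
    # SYN to the target with the zombie as source; any answer goes to the zombie, not us.
    hping3 -S -a "$ZOMBIE" -p "$1" -c 1 "$TARGET" >/dev/null 2>&1
    after=$(hping3 -S -p "$ZOMBIE_PORT" -c 1 "$ZOMBIE" 2>/dev/null | ipid_of)
    printf '%s/tcp on %s: %s (zombie ipid %s -> %s)\n' \
        "$1" "$TARGET" "$(verdict "$before" "$after")" "$before" "$after"
}

# Offline demonstration with constructed zombie replies.
BEFORE_LINE='len=46 ip=192.0.2.50 ttl=128 id=5411 sport=80 flags=RA seq=0 win=0 rtt=1.2 ms'
AFTER_OPEN_LINE='len=46 ip=192.0.2.50 ttl=128 id=5413 sport=80 flags=RA seq=0 win=0 rtt=1.1 ms'
AFTER_CLOSED_LINE='len=46 ip=192.0.2.50 ttl=128 id=5412 sport=80 flags=RA seq=0 win=0 rtt=1.3 ms'

demo() {
    b=$(printf '%s\n' "$BEFORE_LINE" | ipid_of)
    printf 'ipid %s -> 5413: %s\n' "$b" "$(verdict "$b" "$(printf '%s\n' "$AFTER_OPEN_LINE" | ipid_of)")"
    printf 'ipid %s -> 5412: %s\n' "$b" "$(verdict "$b" "$(printf '%s\n' "$AFTER_CLOSED_LINE" | ipid_of)")"
}
demo
# Live use (as root): idle_scan 443
```

Run idle_scan several times per port and take the majority verdict; a single stray packet from the zombie is enough to shift one reading from 1 to 2. Hosts that randomize IP IDs or use a per-destination counter cannot serve as zombies at all.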
8. TTL-based Host Discovery:
Setting a small TTL tells you how many hops away a host is: a probe whose TTL expires in transit comes back as an ICMP "TTL exceeded" from the router that dropped it, while one with enough TTL reaches the target and is answered by it. This does not hide your source address; these replies, like all hping3 replies, are addressed to you.
hping3 --ttl 1 -S <target IP> -p 80
- With --ttl 1 the first router answers. Raise the value one hop at a time until the target itself replies; that value is the hop distance.
9. TCP Reset Attack:
A TCP reset (RST) attack terminates an established connection by injecting a forged RST segment. You can use it to test how gracefully services recover from dropped connections, but a receiver only accepts a reset that matches the connection's four-tuple (both addresses and both ports) and carries a sequence number inside its receive window, so a blind RST like the one below is ignored by any modern stack.
hping3 -R -p <target port> <target IP>
- Sends a TCP RST to the target port. To reset a real connection you must first observe it (with tcpdump or Wireshark) and then set the source address (-a), source port (-s, with -k so hping3 keeps it fixed) and sequence number (-M) to the values the victim expects.
10. Web Server Performance Testing:
You can watch how a web server's TCP stack reacts to crafted traffic, for example a SYN that already carries data:
hping3 -S <target IP> -p 80 -d 40 -E /path/to/payload.txt
- The 40 bytes read from the payload file could contain an HTTP GET request, but hping3 never completes the three-way handshake, so the server's stack has no connection to deliver the data to and the web server never sees the request. What this does test is how the stack, firewall and IDS treat a SYN with a payload; for real HTTP performance testing use a tool that speaks HTTP.
11. Detecting Network Timeouts:
Send probes and check whether the host answers or whether the packets are being dropped by a firewall along the way. This helps troubleshoot connectivity issues and diagnose misconfigurations.
hping3 -S --tcp-timestamp -p 80 <target IP>
- The -S is needed so the target answers with a SYN/ACK carrying TCP options; --tcp-timestamp adds the TCP timestamp option to the probe and, from the timestamps in the replies, hping3 estimates the remote system's uptime and clock rate. Add -c <n> for a fixed number of probes and read the transmitted/received counts in the closing statistics to see how many went unanswered.
12. Simulating UDP Flood Attack:
Like the SYN flood, you can simulate a UDP flood attack to test network resilience by sending a high volume of UDP packets to a particular port.
hping3 --udp -p <target port> <target IP> --flood
13. Measure Packet Reordering:
hping3 numbers its probes and prints that number as seq= in each reply line, so replies whose seq= values do not increase monotonically were reordered in transit, which usually points to a misbehaving device or to load balancing across unequal paths. The --seqnum option is a different thing: it switches hping3 to collecting the target's initial sequence numbers (ISNs) and printing their increments, which is used to judge how predictable the target's ISN generation is.
hping3 -S <target IP> -p 80 --tcp-timestamp --seqnum
- Read the ISN increments printed by --seqnum to assess ISN predictability; to look for reordering, run the same command without --seqnum and compare the seq= values of the received replies.
14. Craft Custom Ping of Death Attack:
The original Ping of Death sent an ICMP echo request whose reassembled size exceeded the 65535-byte IP maximum, crashing stacks of the mid-1990s. The largest legal echo payload is 65507 bytes (65535 minus 20 bytes of IP header and 8 bytes of ICMP header); hping3 fragments a datagram of that size for you, so the command below exercises the target's fragment reassembly rather than reproducing the historical bug:
hping3 -c 1 -d 65507 --icmp <target IP>
- Modern systems reassemble this without trouble, but be careful with embedded devices and old firmware, which may still mishandle maximum-size datagrams.
15. Covert Channel Communication:
You can use hping3 to carry hidden data across a network, for example in the payloads of otherwise innocuous packets. This is experimental, but useful for research into covert channels and for testing whether your egress filtering and IDS notice them.
hping3 <target IP> -p 80 -d <payload size> -E /path/to/hidden_data.txt
- -E reads the payload from hidden_data.txt, but only as many bytes per packet as -d specifies; without -d the data size is 0 and nothing is embedded. hping3 also has a receiving side: -e <signature> prefixes each payload with a marker string, and hping3 --listen <signature> on the other host prints whatever follows that marker in each packet it sees.
Hping3 is a versatile, low-level network testing and troubleshooting tool. However, because it can be used to simulate attacks, it’s important to use it responsibly and only in environments where you have permission to perform such testing.