Fun With Hping
by methodic (firstname.lastname@example.org)
Hping is a very powerful tool that lets you create arbitrary packets with all types of options, as well as show the output of any returned traffic from the host you're Hping'ing. By default when you Hping a host, it will send UDP packets to the host's port 0. As you will see later on, you can change this behavior by specifying a source port, a destination port, a different protocol, the list goes on. You'll find that most of Hping's output deals with low-level information from the packets received, which is beyond the scope of this article. For now, we'll only be interested in a few select things.
Let's start off by running a plain Hping against 2600.com to get our bearings on Hping output:
# hping2 -c 3 www.2600.com HPING www.2600.com (eth0 188.8.131.52): NO FLAGS are set, 40 headers + 0 data bytes len=46 ip=184.108.40.206 ttl=49 id=85 sport=0 flags=RA seq=0 win=0 rtt=50.9 ms len=46 ip=220.127.116.11 ttl=49 id=48918 sport=0 flags=RA seq=1 win=0 rtt=51.0 ms len=46 ip=18.104.22.168 ttl=49 id=19729 sport=0 flags=RA seq=2 win=0 rtt=50.4 ms --- www.2600.com hping statistic --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 50.4/50.7/51.0 ms
As you can see, we are able to find out some pretty interesting stuff. (If you want to see even more, enable output with the "-V" flag.) We know that the remote host uses random IP IDs, which means they aren't as vulnerable to information gathering and spoofing attacks. Also note they flag that came back: RA.
The "A" stands for ACK, meaning "I acknowledge your request," and the "R" stands for RST, meaning "Resetting connection. Good-bye."
Next, we'll see when kind of ICMP requests www.2600.com responds to. In Hping, you enable ICMP packets with the "-1" flag. By default, Hping will send ICMP Echo-Request packets (ICMP Type 8, standard ping):
# hping2 -1 -c 3 www.2600.com HPING www.2600.com (eth0 22.214.171.124): icmp mode set, 28 headers + 0 data bytes ICMP Packet filtered from ip=126.96.36.199 name=UNKNOWN ICMP Packet filtered from ip=188.8.131.52 name=UNKNOWN ICMP Packet filtered from ip=184.108.40.206 name=UNKNOWN --- www.2600.com hping statistic --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms
So we know that www.2600.com is blocking ICMP echo requests. We could also check to see if www.2600.com answers to other types of ICMP requests like address mask or timestamp by adding "--icmp-addr" or "--icmp-ts" to Hping's arguments. We'll leave that as an exercise to the reader!
Now on to the fun stuff, using Hping to create custom TCP packets. Let's start off by sending SYN packets (first part of the TCP handshake) to port 80 on www.2600.com, since we already know port 80 is open:
# hping2 -S -p 80 -c 3 www.2600.com HPING www.2600.com (eth0 220.127.116.11): S set, 40 headers + 0 data bytes len=46 ip=18.104.22.168 ttl=49 id=65000 sport=80 flags=SA seq=0 win=65535 rtt=565.0 ms len=46 ip=22.214.171.124 ttl=49 id=63206 sport=80 flags=SA seq=1 win=65535 rtt=530.6 ms len=46 ip=126.96.36.199 ttl=49 id=26539 sport=80 flags=SA seq=2 win=0 rtt=490.5 ms --- www.2600.com hping statistic --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 490.5/528.7/565.0 ms
OK, so we see the IP IDs are random, which we already found out earlier. We know we're getting somewhere because the flags we received were SA (a SYN|ACK), which is the second step to a TCP handshake. The SYN|ACK stands for "I acknowledge your request, proceed." We can gleam more information now that we have a responding port. Let's see if we can get the uptime for www.2600.com by adding "--icmp-timestamp" to Hping's argument list:
# hping2 -S -p 80 -c 3 --tcp-timestamp www.2600.com HPING www.2600.com (eth0 188.8.131.52): S set, 40 headers + 0 data bytes len=56 ip=184.108.40.206 ttl=49 id=41548 sport=80 flags=SA seq=0 win=65535 rtt=358.1 ms TCP timestamp: tcpts=979995024 len=56 ip=220.127.116.11 ttl=49 id=24700 sport=80 flags=SA seq=0 win=65535 rtt=398.9 ms TCP timestamp: tcpts=979995125 HZ seems hz=100 System uptime seems: 113 days, 10 hours, 12 minutes, 31 seconds
Not bad. Let's go a step further and see if www.2600.com's TCP sequencing is predictable or not by using the "-Q" flag:
# hping2 -S -p 80 -c 3 -Q www.2600.com HPING www.2600.com (eth0 18.104.22.168): S set, 40 headers + 0 data bytes 1347913158 +1347913158 3604885414 +2256972256 1768794044 +2458875925 --- www.2600.com hping statistic --- 3 packets transmitted, 3 packets received, 0% packet loss round-trip min/avg/max = 575.8/609.4/639.0 ms
By the looks of it, they aren't predictable. You can tell the first column is the sequence number itself and the second is the difference between the current and last sequence number. Just for argument's sake, I'll run the same command on a remote Windows box:
# hping2 -S -p 80 -c 5 -Q xxx.xxxxxx.xxx HPING xxx.xxxxxx.xxx (eth0 xxx.xxx.xxx.xxx): S set, 40 headers + 0 data bytes 35128670 +35128670 35128672 +2 35128684 +12 35128703 +19 35128710 +16 --- xxx.xxxxxx.xxx hping statistic --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max = 54.6/74.6/148.4 ms
As you can see, that host has very predictable sequence numbers, making them a lot more vulnerable to source-IP based trust relationships.
We can also port scan using Hping! It's relatively easy. The only thing you need to do is put a plus sign ("+") before the destination port and Hping will increment the destination port every time it sends out a packet.
Since we now know that SYN|ACK (flags=SA) means an open port, we can tell which ones are available.
Example: hping2 -S -p +21 www.2600.com will start sending SYN packets starting at port 21 all the way up until you kill Hping.
This should sound very familiar to some people. It's the same exact thing Nmap does when it runs a stealth scan. The nice thing Hping has over Nmap is finer destination port control. If you want to increase the destination port each time a reply is received, you just have to precede the destination port with a "+". If you want to increase the destination port for each packet sent, precede the destination port with a "++" (examples: +80, ++1).
The destination port can also be modified interactively by using "Ctrl-Z." You can also specify the source port with the "-s" flag. By default, Hping uses a random source port, and increments it by one with each packet send, but you can stop the increments with the "-k" flag, which means your source port will never change. You can essentially iterate through every source port and destination port available. These functions are very useful when you're mapping out a remote firewall's rules.
Here's a tip to get you started: a lot of filtering devices allow any TCP traffic with the source port of 20 to come through (which is used for active FTP transfers), and any UDP traffic with the source port of 53 to come through (used for DNS traffic). Also, some old firewalls let traffic pass when the packets are too fragmented (which you can do with the "-f" and "-x" flags).
One last example that is a fun one to pull on your extra-paranoid friend (we all know that person that's filtering and logging everything). Run this Hping command against their firewall: hping2 -1 -a www.fbi.gov HOST (Replace HOST with your friend's IP). Leave that running for a few minutes, and wait by your phone. (*RING RING* "Hello?" "Dude, I swear the FBI is pinging my web server!") The "-a" flag allows you to spoof an address/hostname. Obviously you won't be getting any traffic back, but since ICMP is a connection-less protocol (UDP as well), you are able to pull this sort of trick off.
As you can see, Hping is a very powerful tool. I barely scratched the surface with this article. With Hping you can do everything from testing net performance to transferring files to using Hping as a backdoor! You have almost total control of Hping's outgoing packets. The possibilities are virtually limitless. The best thing you can do is download Hping, read the man page, and start playing around with it. If there's enough demand, I'll write a follow-up article on using Hping as a read-world application.
Hping - www.hping.org
ICMP types/codes - dark-intentions.net/files/icmp.txt
Shouts: victim1 for the kcmo h00kup, vegac for always being leet. Thanks guys. Much love to mom dukes.