hping3
description
hping3 is a network tool that sends custom TCP/IP packets. With it you can:
- Test firewall rules
- Advanced port scanning
- Test network performance using different protocols, packet sizes, TOS (type of service) and fragmentation
- Path MTU discovery
- Traceroute-like probing under different protocols
- Firewalk-like usage
- Remote OS fingerprinting
- TCP/IP stack auditing
- ...
hping is a standard tool for security auditing and firewall testing. Its strength is that every part of a packet can be customised, although it only sends to one IP address at a time; it can also transfer files between two endpoints over a covert channel.
options
| Option | Description |
|---|---|
| -v | --version |
| -c | --count, number of packets to send |
| -i | --interval, wait between packets (uX for X microseconds, for example -i u1000) |
| --fast | alias for -i u10000 (10 packets per second) |
| --faster | alias for -i u1000 (100 packets per second) |
| --flood | send packets as fast as possible and do not show replies; much faster than specifying -i u0 |
| -q | --quiet, quiet mode; seems to be of little use |
| -I | --interface, interface name |
| -V | --verbose, verbose mode |
| -D | --debug, debugging info |
| -d | size of the data payload |
| Protocol selection | default is TCP |
| -0 | --rawip, raw IP mode |
| -1 | --icmp, ICMP mode; by default hping3 sends ICMP echo-request, other ICMP type/code values can be set with --icmptype and --icmpcode |
| -2 | --udp, UDP mode; by default hping3 sends UDP to the target host's port 0 |
| -8 | --scan, scan mode |
| -9 | --listen, hping3 listen mode (similar to nc; used together with --safe) |
| IP mode | |
| -a | --spoof, set a fake source address |
| --rand-source | use random source addresses |
| --rand-dest | use random destination addresses |
| -t | --ttl, set the TTL value |
| -f | --frag, split the packet into more fragments; large packets are split into many small ones, 50 B each by default |
| -x | --morefrag, set the more-fragments flag; seems to be of little use |
| -y | --dontfrag, set the don't-fragment flag; seems to be of little use |
| -g | --fragoff, set the fragment offset |
| -m | --mtu, set the virtual MTU value |
| -o | --tos, type of service, set the TOS field |
| ICMP mode | |
| -C | --icmptype, ICMP type (default: echo request) |
| -K | --icmpcode, ICMP code (default 0) |
| --icmp-ipver | set the IP version of the IP header contained in the ICMP data, default is 4 |
| --icmp-iphlen | set the IP header length of the IP header contained in the ICMP data, default is 5 (5 words of 32 bits, i.e. IPHDR_SIZE >> 2) |
| --icmp-iplen | set the IP packet length of the IP header contained in the ICMP data, default is the real length |
| --icmp-ipid | set the IP ID of the IP header contained in the ICMP data, default random |
| --icmp-ipproto | set the IP protocol of the IP header contained in the ICMP data, default is TCP (IPPROTO_TCP) |
| --icmp-ipsrc | set the IP source of the IP header contained in the ICMP data, default 0.0.0.0 |
| --icmp-ipdst | set the IP destination of the IP header contained in the ICMP data, default 0.0.0.0 |
| --icmp-srcport | set the TCP/UDP source port of the header contained in the ICMP data, default random |
| --icmp-dstport | set the TCP/UDP destination port of the header contained in the ICMP data, default random |
| --icmp-cksum | set the ICMP checksum, default is the valid checksum |
| --icmp-ts | alias for --icmptype 13 (send ICMP timestamp requests) |
| --force-icmp | send all ICMP types (by default only supported types are sent) |
| --icmp-gw | set the ICMP redirect gateway address (default 0.0.0.0) |
| TCP/UDP mode | |
| -s | --baseport, base source port (default random) |
| -p | --destport [+][+]port, destination port (default 0); a leading + increments the port after each reply received, ++ after each packet sent |
| -k | --keep, keep the source port fixed; not sure what this is for |
| -w | --win, window size (default 64), adjusts the TCP window size |
| -O | --tcpoff, set a fake TCP data offset |
| -Q | --seqnum, show only the TCP sequence number; not sure what this is for |
| -b | --badcksum, send packets with a bad TCP checksum |
| -M | --setseq, set the TCP sequence number |
| -L | --setack, set the TCP ack; not sure what this is for |
| TCP flags | -F -S -A -P -U -R set the FIN SYN ACK PSH URG RST flags |
| --xmas | set the X unused flag (0x40) |
| --ymas | set the Y unused flag (0x80) |
| --tcpexitcode | use the last tcp->th_flags as the exit code |
| --tcp-timestamp | enable the TCP timestamp option to guess the HZ/uptime |
| --tcp-mss | enable the TCP MSS option |
| Common options | |
| -d | --data, size of the data padded into the packet, default 0 |
| -E | --file, read the data from a file |
| -e | --sign, add a "signature" |
| -B | --safe, enable the 'safe' protocol; used for getting a shell on the server or transferring files to and from it |
| -T | --traceroute, traceroute mode |
examples
hping --flood -S -d 500 192.168.3.1
--flood: flood mode; -S: set the TCP SYN flag; -d: 500 B of data. This sends 10,000+ packets per second; limited by the PC hardware, the CPU reached 99% and the rate was about 8M/s.
[root@rhel ~]# hping --flood -S -d 500 192.168.3.1
HPING 192.168.3.1 (ens160 192.168.3.1): S set, 40 headers + 500 data bytes
hping in flood mode, no replies will be shown
^C
--- 192.168.3.1 hping statistic ---
25746 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
hping3 -1 --tcp-timestamp -S 192.168.3.1 -p 80
-1: ICMP mode
[root@rhel ~]# hping3 -1 --tcp-timestamp -S 192.168.3.1 -p 80
HPING 192.168.3.1 (ens160 192.168.3.1): icmp mode set, 28 headers + 0 data bytes
len=46 ip=192.168.3.1 ttl=64 id=17899 icmp_seq=0 rtt=6.5 ms
len=46 ip=192.168.3.1 ttl=64 id=17900 icmp_seq=1 rtt=5.2 ms
len=46 ip=192.168.3.1 ttl=64 id=17936 icmp_seq=2 rtt=7.4 ms
1	0.000000	192.168.3.143	192.168.3.1	ICMP	54	Timestamp request    id=0x49e2, seq=0/0, ttl=64
2	1.003686	192.168.3.143	192.168.3.1	ICMP	54	Timestamp request    id=0x49e2, seq=256/1, ttl=64
3	2.005063	192.168.3.143	192.168.3.1	ICMP	54	Timestamp request    id=0x49e2, seq=512/2, ttl=64
hping3 -1 -T 223.5.5.5
Traceroute mode: -1 ICMP, -T traceroute
[root@rhel ~]# hping3 -1 -T 223.5.5.5
HPING 223.5.5.5 (ens160 223.5.5.5): icmp mode set, 28 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=192.168.3.1 name=_gateway
hop=1 hoprtt=15.8 ms
hop=2 TTL 0 during transit from ip=192.168.1.1 name=UNKNOWN
hop=2 hoprtt=6.7 ms
hop=3 TTL 0 during transit from ip=100.67.64.1 name=UNKNOWN
hop=3 hoprtt=11.1 ms
hop=4 TTL 0 during transit from ip=60.235.2.229 name=UNKNOWN
hop=4 hoprtt=7.0 ms
hping3 -0 -d 2000 -f 192.168.3.1
-f: split the 2000 B packet into 50 B fragments.
[root@rhel ~]# hping3 -0 -d 2000 -f 192.168.3.1
HPING 192.168.3.1 (ens160 192.168.3.1): raw IP mode set, 20 headers + 2000 data bytes
356	192.168.3.143	192.168.3.1	IPv4	50	Fragmented IP protocol (proto=TCP 6, off=1424, ID=00d8) 
357	192.168.3.143	192.168.3.1	IPv4	50	Fragmented IP protocol (proto=TCP 6, off=1440, ID=00d8)
358	192.168.3.143	192.168.3.1	IPv4	50	Fragmented IP protocol (proto=TCP 6, off=1456, ID=00d8) 
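To see where the offsets in the capture above come from, here is an added Python example (not code from hping3 or the original post) that computes the fragment layout for a given data length and fragment size, and includes a reassembly check of the kind an IDS or firewall must perform. The 16-byte fragment data size is an assumption derived from the 50-byte frames in the capture (14 Ethernet + 20 IPv4 header + 16 data), which also matches the default virtual MTU used by hping3's -m option.

```python
"""Fragment layout calculator: an added example, not code from hping3 or the
original post.

Shows how a raw-IP packet with N data bytes is split when the data exceeds the
virtual MTU (hping3 -f / -m). The 16-byte fragment data size is an assumption
taken from the capture: 50-byte frames = 14 (Ethernet) + 20 (IPv4 header) + 16.
"""
ETH_HDR_LEN = 14
IP_HDR_LEN = 20


def fragment_layout(data_len, frag_data=16):
    """Return one dict per fragment: byte offset, data length, MF (more
    fragments) flag, the 13-bit offset field (8-byte units) and the frame size."""
    if frag_data <= 0 or frag_data % 8:
        raise ValueError("fragment data size must be a positive multiple of 8")
    frags = []
    offset = 0
    while offset < data_len:
        size = min(frag_data, data_len - offset)
        more = offset + size < data_len
        frags.append({
            "off": offset,               # byte offset, as Wireshark's "off="
            "off_field": offset // 8,    # value actually carried in the IP header
            "len": size,
            "mf": more,
            "frame_len": ETH_HDR_LEN + IP_HDR_LEN + size,
        })
        offset += size
    return frags


def reassembled_length(frags):
    """Defender-side check: walk the fragments in offset order and return the
    total data length, raising on overlap, gap, a non-8-aligned middle
    fragment, or a missing final (MF=0) fragment."""
    ordered = sorted(frags, key=lambda f: f["off"])
    if not ordered or ordered[-1]["mf"]:
        raise ValueError("final fragment (MF=0) missing")
    expected = 0
    for f in ordered:
        if f["off"] < expected:
            raise ValueError("overlapping fragment at offset %d" % f["off"])
        if f["off"] > expected:
            raise ValueError("gap before offset %d" % f["off"])
        if f["mf"] and f["len"] % 8:
            raise ValueError("middle fragment length %d not a multiple of 8" % f["len"])
        expected = f["off"] + f["len"]
    return expected


if __name__ == "__main__":
    # The three fragments shown in the capture: offsets 1424, 1440, 1456.
    for f in fragment_layout(2000)[89:92]:
        print(f)
```

With a 2000-byte payload and 16-byte fragments the layout has 125 fragments of 50 bytes on the wire, the last one at offset 1984 with MF cleared; the reassembly check is what lets a stack or IDS reject overlapping or incomplete fragment sets rather than trusting the offsets.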
hping3 -a 192.168.3.1 -S 192.168.3.1 -p 80
-a: set a fake source address so that the target establishes a connection with itself
[root@rhel ~]# hping3 -a 192.168.3.1 -S 192.168.3.1 -p 80
HPING 192.168.3.1 (ens160 192.168.3.1): S set, 40 headers + 0 data bytes
^C
--- 192.168.3.1 hping statistic ---
3 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
19:58:00.443374 IP 192.168.3.1.2631 > 192.168.3.1.80: Flags [S], seq 402320079, win 512, length 0
19:58:01.458693 IP 192.168.3.1.2632 > 192.168.3.1.80: Flags [S], seq 503913005, win 512, length 0
19:58:02.474306 IP 192.168.3.1.2633 > 192.168.3.1.80: Flags [S], seq 2123940357, win 512, length 0
hping3 --rand-source -S 192.168.3.1 -p 80
Initiate TCP connections to the target from random source addresses.
[root@rhel ~]# hping3 --rand-source -S 192.168.3.1 -p 80
HPING 192.168.3.1 (ens160 192.168.3.1): S set, 40 headers + 0 data bytes
^C
--- 192.168.3.1 hping statistic ---
7 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@rhel ~]# tcpdump -i ens160  -nn host 192.168.3.1
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
20:01:12.156505 IP 25.199.32.201.2303 > 192.168.3.1.80: Flags [S], seq 2135994748, win 512, length 0
20:01:13.160264 IP 50.177.179.147.2304 > 192.168.3.1.80: Flags [S], seq 1211621690, win 512, length 0
20:01:14.175851 IP 252.188.157.155.2305 > 192.168.3.1.80: Flags [S], seq 276655753, win 512, length 0
hping3 --rand-source -S 192.168.3.1 -p 80 --flood
Flood mode with random source addresses, starting TCP three-way handshakes with a wireless router; if the router's capacity is insufficient, its TCP connection queue fills up.
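The tcpdump lines in the two previous examples show what these packets look like on the defender's side. The following added Python example (not part of hping3 or the original post) parses such lines and flags two patterns from this page: SYNs whose source address equals the destination (the -a spoof above) and bursts of SYNs from many sources that never progress past the handshake (the --rand-source case). The sample capture is built from the page's own tcpdump output plus three constructed lines for one normal, completed handshake; the thresholds are assumptions.

```python
"""SYN-anomaly detector over tcpdump text output. Added example, not hping3
code. Sample lines come from the page's captures plus constructed handshake
lines; the threshold values are assumptions."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:.*?win (?P<win>\d+))?"
)

SAMPLE_CAPTURE = [
    # From the page: -a 192.168.3.1 against 192.168.3.1 (source == destination)
    "19:58:00.443374 IP 192.168.3.1.2631 > 192.168.3.1.80: Flags [S], seq 402320079, win 512, length 0",
    "19:58:01.458693 IP 192.168.3.1.2632 > 192.168.3.1.80: Flags [S], seq 503913005, win 512, length 0",
    "19:58:02.474306 IP 192.168.3.1.2633 > 192.168.3.1.80: Flags [S], seq 2123940357, win 512, length 0",
    # From the page: --rand-source SYNs that are never followed up
    "20:01:12.156505 IP 25.199.32.201.2303 > 192.168.3.1.80: Flags [S], seq 2135994748, win 512, length 0",
    "20:01:13.160264 IP 50.177.179.147.2304 > 192.168.3.1.80: Flags [S], seq 1211621690, win 512, length 0",
    "20:01:14.175851 IP 252.188.157.155.2305 > 192.168.3.1.80: Flags [S], seq 276655753, win 512, length 0",
    # Constructed: one legitimate handshake that completes (SYN, SYN-ACK, ACK)
    "20:02:00.000000 IP 192.168.3.143.51234 > 192.168.3.1.80: Flags [S], seq 1, win 64240, length 0",
    "20:02:00.000500 IP 192.168.3.1.80 > 192.168.3.143.51234: Flags [S.], seq 9, ack 2, win 65160, length 0",
    "20:02:00.001000 IP 192.168.3.143.51234 > 192.168.3.1.80: Flags [.], ack 10, win 64240, length 0",
]


def parse_line(line):
    """Return a dict with ts/src/sport/dst/dport/flags/win, or None if the line
    is not a tcpdump TCP summary line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    p = m.groupdict()
    p["sport"] = int(p["sport"])
    p["dport"] = int(p["dport"])
    p["win"] = int(p["win"]) if p["win"] else None
    return p


def find_syn_anomalies(lines, min_half_open_sources=3):
    """Group bare SYNs by (dst, dport). A source 'progresses' if it later sends
    any non-SYN segment to that target; sources that never do are half-open."""
    syns = defaultdict(lambda: defaultdict(int))   # target -> src -> bare SYN count
    progressed = defaultdict(set)                  # target -> sources that sent non-SYN
    self_spoof = defaultdict(int)                  # target -> SYNs with src == dst
    for line in lines:
        p = parse_line(line)
        if p is None:
            continue
        target = (p["dst"], p["dport"])
        if p["flags"] == "S":
            syns[target][p["src"]] += 1
            if p["src"] == p["dst"]:
                self_spoof[target] += 1
        elif "S" not in p["flags"]:
            progressed[target].add(p["src"])

    findings = []
    for target in sorted(syns):
        if self_spoof[target]:
            findings.append({"type": "spoofed_self_source", "target": target,
                             "packets": self_spoof[target]})
        half_open = {s: n for s, n in syns[target].items() if s not in progressed[target]}
        if len(half_open) >= min_half_open_sources:
            findings.append({"type": "half_open_syn_burst", "target": target,
                             "sources": len(half_open), "syns": sum(half_open.values())})
    return findings


if __name__ == "__main__":
    for finding in find_syn_anomalies(SAMPLE_CAPTURE):
        print(finding)
```

On the sample the detector reports the three self-addressed SYNs and a half-open burst of six SYNs from four sources, while the completed handshake from 192.168.3.143 is not counted. In a real deployment the same logic would run per time window (for example over the last few seconds of `tcpdump -l` output) and the thresholds would be tuned to the host's normal connection rate.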