How to use the command 'hping3' (with examples)

How to use the command 'hping3' (with examples)

Hping3 is an advanced network probing utility used for packet crafting and analysis. It allows users to perform actions beyond what standard ping utilities offer, such as testing various types of packet responses and network path analysis using protocols, which include TCP, UDP, and raw IP. Running hping3 with elevated privileges is recommended to achieve full functionality. This article illustrates how to use hping3 effectively with a variety of use cases.

Use case 1: Ping a destination with 4 ICMP ping requests

Code:

hping3 --icmp --count 4 ip_or_hostname

Motivation: This command is widely used to verify whether a remote host is reachable over an IP network. Sending ICMP echo requests is an essential part of network troubleshooting, allowing administrators to check the availability and responsiveness of network nodes.

Explanation:

  • --icmp: This flag indicates that hping3 should use the Internet Control Message Protocol (ICMP) to send echo requests.
  • --count 4: This option signifies that only four ICMP packets will be sent, providing a controlled environment to monitor the round-trip times and packet loss.

Example Output:

HPING ip_or_hostname (ip_or_hostname): icmp mode set, 56 headers + 0 data bytes
64 bytes from ip_or_hostname: icmp_seq=0 ttl=64 time=0.056 ms
64 bytes from ip_or_hostname: icmp_seq=1 ttl=64 time=0.062 ms
64 bytes from ip_or_hostname: icmp_seq=2 ttl=64 time=0.058 ms
64 bytes from ip_or_hostname: icmp_seq=3 ttl=64 time=0.054 ms
--- ip_or_hostname hping statistic ---
4 packets transmitted, 4 packets received, 0% packet loss

Use case 2: Ping an IP address over UDP on port 80

Code:

hping3 --udp --destport 80 --syn ip_or_hostname

Motivation: Pinging a host over UDP can be useful for checking whether a specific service is available or responsive on a particular port, such as port 80 in this example, which is normally reserved for HTTP traffic.

Explanation:

  • --udp: Instructs hping3 to use the User Datagram Protocol (UDP) for packet transmission.
  • --destport 80: This specifies that the destination port should be 80, targeting services that typically run on this port.
  • --syn: It is essential to initialize a connection using SYN in other scenarios, though here it won’t have the same effect as it would with TCP.

Example Output:

HPING ip_or_hostname (ip_or_hostname): udp mode set, 28 headers + 0 data bytes
len=46 ip=ip_or_hostname ttl=64 DF id=0 sport=80 flags=RA seq=0 win=0 rtt=0.1 ms
len=46 ip=ip_or_hostname ttl=64 DF id=0 sport=80 flags=RA seq=1 win=0 rtt=0.1 ms

Use case 3: Scan TCP port 80, scanning from the specific local source port 5090

Code:

hping3 --verbose --syn --destport 80 --baseport 5090 ip_or_hostname

Motivation: This command can be helpful in testing and troubleshooting network services by specifying the local source port, providing insights into whether packets can be successfully routed from a given port on the client’s side.

Explanation:

  • --verbose: Provides detailed output, which is essential for understanding the packet transit and reception process.
  • --syn: Initiates a SYN scan, useful in checking the status of the target port (80).
  • --destport 80: Targets traffic specifically to port 80.
  • --baseport 5090: Specifies port 5090 as the source port, useful for overcoming port restrictions or applying specific routing rules.

Example Output:

HPING ip_or_hostname (ip_or_hostname): S set, 40 headers + 0 data bytes
len=44 ip=ip_or_hostname ttl=64 DF id=0 sport=80 flags=SA seq=0 win=28944 rtt=0.1 ms
len=44 ip=ip_or_hostname ttl=64 DF id=0 sport=80 flags=SA seq=1 win=28944 rtt=0.1 ms

Use case 4: Traceroute using a TCP scan to a specific destination port

Code:

hping3 --traceroute --verbose --syn --destport 80 ip_or_hostname

Motivation: Performing a traceroute with a specific port helps to trace the route packets take through a network to a destination, allowing tracking of the entire path of a TCP connection, which can be crucial for diagnosing connectivity issues.

Explanation:

  • --traceroute: Conducts a traceroute operation, a diagnostics tool for network path discovery.
  • --verbose: Detailed output for each hop, providing insights into the network’s performance.
  • --syn: Using TCP SYN packets to make the traceroute.
  • --destport 80: Ensures that the traceroute focuses on the path to port 80.

Example Output:

HPING ip_or_hostname (ip_or_hostname): S set, 40 headers + 0 data bytes
hop=1 IP=router_ip delay=10.4 ms
hop=2 IP=intermediate_device_ip delay=30.2 ms
hop=3 IP=final_destination_ip delay=50.3 ms

Use case 5: Scan a set of TCP ports on a specific IP address

Code:

hping3 --scan 80,3000,9000 --syn ip_or_hostname

Motivation: Port scanning a range or specific set of ports is a common step in security assessments. It helps identify which ports are open and possibly hosting a service, assessing potential vulnerabilities.

Explanation:

  • --scan 80,3000,9000: Specifies the list of ports to scan.
  • --syn: Initiates a TCP SYN scan to determine the state of each specified port.

Example Output:

Scanning ip_or_hostname (ip_or_hostname), 3 ports
Port 80 open
Port 3000 closed
Port 9000 filtered

Use case 6: Perform a TCP ACK scan to check if a given host is alive

Code:

hping3 --count 2 --verbose --destport 80 --ack ip_or_hostname

Motivation: An ACK scan can be used to verify the existence of a host, even when more traditional ICMP-based pings are blocked by network filters.

Explanation:

  • --count 2: Sends two packets to validate host responsiveness.
  • --verbose: Provides additional detail for packet analysis.
  • --destport 80: Targets port 80 to send ACK packets.
  • --ack: Uses TCP ACK segment to assert host availability.

Example Output:

HPING ip_or_hostname (ip_or_hostname): A set, 40 headers + 0 data bytes
len=44 ip=ip_or_hostname ttl=64 DF id=0 sport=80 flags=RA seq=0 win=0 rtt=30.2 ms
len=44 ip=ip_or_hostname ttl=64 DF id=0 sport=80 flags=RA seq=1 win=0 rtt=30.4 ms

Use case 7: Perform a charge test on port 80

Code:

hping3 --flood --destport 80 --syn ip_or_hostname

Motivation: The charge test floods the target host with packets, which can be used in stress tests to determine how well a host handles a high volume of requests. Note: This should only be run in a controlled environment with explicit permission, as it can lead to denial-of-service conditions.

Explanation:

  • --flood: Sends packets as fast as possible, used here to stress-test.
  • --destport 80: Locates the test/enforcement on port 80.
  • --syn: Utilizes TCP SYN packets in the test.

Example Output:

HPING ip_or_hostname (ip_or_hostname): F set, 40 headers + 0 data bytes
[...continuous stream of packet stats...]

Conclusion:

Hping3 serves as a potent tool in the toolkit of anyone looking to diagnose network issues, deploy security testing procedures, or analyze network behavior under varying loads. By mastering the command’s various use cases and understanding the semantics of options and flags, users can deploy it effectively across different network environments, contributing positively to system maintenance and security audits.

Tags :

Related Posts

How to Use the Command 'mailx' (with examples)

How to Use the Command 'mailx' (with examples)

The mailx command is a powerful Unix utility tool used primarily for sending and receiving messages from a command-line interface.

Read More
How to Use the Command 'pipx' (with examples)

How to Use the Command 'pipx' (with examples)

pipx is a powerful command-line tool that allows you to install and run Python applications in isolated environments with ease.

Read More
How to use the command 'wget2' (with examples)

How to use the command 'wget2' (with examples)

wget2 is a powerful command-line utility that facilitates downloading files from the internet.

Read More