Annotation of embedaddon/hping2/docs/HPING2-HOWTO.txt, revision 1.1
N.B.: this HOWTO is not completed and in some points very silly. I leave this
here only because maybe it's better than nothing.

HPING2 HOWTO

Changes Log
-----------
Aug 7 1999 vi HPING2-HOWTO.txt
Aug 8 1999 __0000, __0001, __0002, __0003
Aug 10 1999 __0004

Index
-----
[search for __XXXX in order to jump to the point you want]

__0000: Copyright notice
__0001: What is hping?
__0002: What do I need to know about TCP/IP in order to use hping?
__0003: First step with hping
__0004: IP id and how to scan TCP ports using spoofing.
__0005: How to test firewall rules. (TODO)
__0006: How to transfer files across a firewall. (TODO)

__000A: hping usage examples (TODO)

__0000: Copyright notice, License, and all that stuff

Copyright (C) Salvatore Sanfilippo, 1999.

Permission is granted to make and distribute copies of this manual
provided the copyright notice and this permission notice are preserved
on all copies.

Permission is granted to copy and distribute modified versions of this
manual under the conditions for verbatim copying, provided that the
derived work is distributed under the terms of a permission notice
identical to this one. Translations fall under the category of
``modified versions.''

Warranty: None.

Recommendations: Commercial redistribution is allowed and encouraged;
however, it is strongly recommended that the redistributor contact the
author before the redistribution, in the interest of keeping things
up-to-date (you could send me a copy of the thing you're making while
you're at it). Translators are also advised to contact the author
before translating. The printed version looks nicer. Recycle.

__0001: What is hping?

Hping is a tool for TCP/IP stack auditing: it can uncover firewall
policy, scan TCP ports in a lot of different modes, transfer files
across a firewall and do many other things. Using hping you are also
able to do a lot of things that have nothing to do with security. For
example you can test network performance, check if a host is up, check
if TOS is handled, et cetera.

__0002: What do I need to know about TCP/IP in order to use hping?

If you know TCP/IP you will find hping very useful; otherwise you can
use hping only to perform well-known tests. See __000A for some
examples.

__0003: First step with hping

The simplest usage of hping is the following:

# hping host

This command sends a TCP packet with no flags set to port 0 of the target
host every second and shows the host's replies. For example:

# hping www.debian.org
ppp0 default routing interface selected (according to /proc)
HPING www.debian.org (ppp0 209.81.8.242): NO FLAGS are set, 40 headers + 0 data bytes
40 bytes from 209.81.8.242: flags=RA seq=0 ttl=243 id=63667 win=0 time=369.4 ms
40 bytes from 209.81.8.242: flags=RA seq=1 ttl=243 id=63719 win=0 time=420.0 ms
40 bytes from 209.81.8.242: flags=RA seq=2 ttl=243 id=63763 win=0 time=350.0 ms
[Ctrl+C]
--- www.debian.org hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss

As you can see, the host replies with a TCP packet with the RST and ACK
flags set. So you are able to perform a 'TCP ping', useful when ICMP is
filtered. Port 0 is used by default because it is very unlikely to be in
LISTEN state. If we send a TCP null-flags packet to a port in LISTEN
state, a lot of TCP/IP stacks will not send any reply, so we are able to
tell whether a port is in LISTEN state. For example:

# hping www.debian.org -p 80
ppp0 default routing interface selected (according to /proc)
HPING www.debian.org (ppp0 209.81.8.242): NO FLAGS are set, 40 headers + 0 data bytes
[Ctrl+C]
--- www.debian.org hping statistic ---
5 packets trasmitted, 0 packets received, 100% packet loss

Since port 80 of www.debian.org is in LISTEN mode we got
no response.

But what happens if we try to hping a firewalled port? This depends
on the firewall policy/implementation. Usually we get an ICMP or
nothing. For example:

# hping www.yahoo.com -p 79
ppp0 default routing interface selected (according to /proc)
HPING www.yahoo.com (ppp0 204.71.200.67): NO FLAGS are set, 40 headers + 0 data bytes
ICMP Packet filtered from 206.132.254.41 (pos1-0-2488M.hr8.SNV.globalcenter.net)

--- www.yahoo.com hping statistic ---
14 packets tramitted, 0 packets received, 100% packet loss

yahoo's firewall doesn't allow connections to port 79, so it replies with
an ICMP Packet filtered (ICMP unreachable, code 13). However
there are a lot of firewalls that simply drop the packet. For example:

# hping www.microsoft.com -p 79
ppp0 default routing interface selected (according to /proc)
HPING www.microsoft.com (ppp0 207.46.130.150): NO FLAGS are set, 40 headers + 0 data bytes

--- www.microsoft.com hping statistic ---
4 packets tramitted, 0 packets received, 100% packet loss

No reply from microsoft. Is the port firewalled or in LISTEN mode?
Uncovering this is very simple. We just set the ACK flag instead of
sending a TCP null-flags packet. If the host responds, maybe this port
is in LISTEN mode (but it's possible that there is a rule that
denies null-flags TCP packets but allows ACK).

# hping www.microsoft.com -A -p 79
ppp0 default routing interface selected (according to /proc)
HPING www.microsoft.com (ppp0 207.46.130.149): A set, 40 headers + 0 data bytes

--- www.microsoft.com hping statistic ---
3 packets tramitted, 0 packets received, 100% packet loss

No response again, so this port seems to be filtered. Anyway
it's possible that microsoft is using an 'intelligent' firewall
that knows that in order to connect I must first send a SYN.

# hping www.microsoft.com -S -p 79
ppp0 default routing interface selected (according to /proc)
HPING www.microsoft.com (ppp0 207.46.130.149): S set, 40 headers + 0 data bytes

--- www.microsoft.com hping statistic ---
3 packets tramitted, 0 packets received, 100% packet loss

Ok.. it seems that port 79 of microsoft is really filtered.
Just for clarity we send some ACKs to port 80 of www.debian.org:

# hping www.debian.org -p 80 -A
ppp0 default routing interface selected (according to /proc)
HPING www.debian.org (ppp0 209.81.8.242): A set, 40 headers + 0 data bytes
40 bytes from 209.81.8.242: flags=R seq=0 ttl=243 id=5590 win=0 time=379.5 ms
40 bytes from 209.81.8.242: flags=R seq=1 ttl=243 id=5638 win=0 time=370.0 ms
40 bytes from 209.81.8.242: flags=R seq=2 ttl=243 id=5667 win=0 time=360.0 ms

--- www.debian.org hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss

We can see replies even though port 80 is in LISTEN mode, because
a port in LISTEN mode may refuse to reply only to NULL, FIN, Xmas and
Ymas flags TCP packets. ACK and RST are two important TCP flags that
allow us to do ACL tests and to guess ip->id without producing any log
(usually).

__0004: IP id and how to scan TCP ports using spoofing.

Every IP packet is identified by a 16 bit id. Thanks to this id
IP stacks are able to handle fragmentation. A lot of OSs handle
ip->id trivially: they just increment the id by 1 for each packet sent.
Using this id you are able at least to estimate a host's traffic and to
scan with spoofed packets. OpenBSD >= 2.5 and many others implement
a random, non-repeating id, so you aren't able to play with ip->id.
Win* ip->id has a different byte ordering, so you must specify the
--winid or -W option if you are using hping2 against Win*.

N.B.: You are able to scan hosts with a safe/random ip->id using spoofed
packets, because in order to spoof your packets you need a third-party
host with an incremental id rule, but you don't need the target of
your scan to have an incremental id.

How to estimate host traffic using ip->id? It's really simple:

# hping www.yahoo.com -p 80 -A
ppp0 default routing interface selected (according to /proc)
HPING www.yahoo.com (ppp0 204.71.200.74): A set, 40 headers + 0 data bytes
40 bytes from 204.71.200.74: flags=R seq=0 ttl=53 id=29607 win=0 rtt=329.4 ms
40 bytes from 204.71.200.74: flags=R seq=1 ttl=53 id=31549 win=0 rtt=390.0 ms
40 bytes from 204.71.200.74: flags=R seq=2 ttl=53 id=33432 win=0 rtt=390.0 ms
40 bytes from 204.71.200.74: flags=R seq=3 ttl=53 id=35368 win=0 rtt=380.0 ms
40 bytes from 204.71.200.74: flags=R seq=4 ttl=53 id=37335 win=0 rtt=390.0 ms
40 bytes from 204.71.200.74: flags=R seq=5 ttl=53 id=39157 win=0 rtt=380.0 ms
40 bytes from 204.71.200.74: flags=R seq=6 ttl=53 id=41118 win=0 rtt=370.0 ms
40 bytes from 204.71.200.74: flags=R seq=7 ttl=53 id=43330 win=0 rtt=390.0 ms

--- www.yahoo.com hping statistic ---
8 packets tramitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 329.4/377.4/390.0 ms

As you can see, the id field increases. The packet with sequence 0 has
id=29607, sequence 1 has id=31549, so the www.yahoo.com host sent
31549-29607 = 1942 packets in about one second. Using the -r|--relid
option, hping outputs the id field as the difference between the last
and the current received packet id.

# hping www.yahoo.com -P 80 -A -r
ppp0 default routing interface selected (according to /proc)
HPING www.yahoo.com (ppp0 204.71.200.68): A set, 40 headers + 0 data bytes
40 bytes from 204.71.200.68: flags=R seq=0 ttl=53 id=65179 win=0 rtt=327.1 ms
40 bytes from 204.71.200.68: flags=R seq=1 ttl=53 id=+1936 win=0 rtt=360.0 ms
40 bytes from 204.71.200.68: flags=R seq=2 ttl=53 id=+1880 win=0 rtt=340.0 ms
40 bytes from 204.71.200.68: flags=R seq=3 ttl=53 id=+1993 win=0 rtt=330.0 ms
40 bytes from 204.71.200.68: flags=R seq=4 ttl=53 id=+1871 win=0 rtt=350.0 ms
40 bytes from 204.71.200.68: flags=R seq=5 ttl=53 id=+1932 win=0 rtt=340.0 ms
40 bytes from 204.71.200.68: flags=R seq=6 ttl=53 id=+1776 win=0 rtt=330.0 ms
40 bytes from 204.71.200.68: flags=R seq=7 ttl=53 id=+1749 win=0 rtt=320.0 ms
40 bytes from 204.71.200.68: flags=R seq=8 ttl=53 id=+1888 win=0 rtt=340.0 ms
40 bytes from 204.71.200.68: flags=R seq=9 ttl=53 id=+1907 win=0 rtt=330.0 ms

--- www.yahoo.com hping statistic ---
10 packets tramitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 320.0/336.7/360.0 ms

Obviously, checking the id every 1/2 second instead of every second, the
increment will be half.

# hping www.yahoo.com -P 80 -A -r -i u 500000
ppp0 default routing interface selected (according to /proc)
HPING www.yahoo.com (ppp0 204.71.200.68): A set, 40 headers + 0 data bytes
40 bytes from 204.71.200.68: flags=R seq=0 ttl=53 id=35713 win=0 rtt=327.0 ms
40 bytes from 204.71.200.68: flags=R seq=1 ttl=53 id=+806 win=0 rtt=310.0 ms
40 bytes from 204.71.200.68: flags=R seq=2 ttl=53 id=+992 win=0 rtt=320.0 ms
40 bytes from 204.71.200.68: flags=R seq=3 ttl=53 id=+936 win=0 rtt=330.0 ms
40 bytes from 204.71.200.68: flags=R seq=4 ttl=53 id=+987 win=0 rtt=310.0 ms
40 bytes from 204.71.200.68: flags=R seq=5 ttl=53 id=+952 win=0 rtt=320.0 ms
40 bytes from 204.71.200.68: flags=R seq=6 ttl=53 id=+918 win=0 rtt=330.0 ms
40 bytes from 204.71.200.68: flags=R seq=7 ttl=53 id=+809 win=0 rtt=320.0 ms
40 bytes from 204.71.200.68: flags=R seq=8 ttl=53 id=+881 win=0 rtt=320.0 ms

--- www.yahoo.com hping statistic ---
9 packets tramitted, 9 packets received, 0% packet loss
round-trip min/avg/max = 310.0/320.8/330.0 ms

N.B. Warning: using ip->id you are able only to guess *the number
of packets sent per unit of time*. You can't always compare different hosts.
ip->id refers to all of the host's interfaces, and for example if a host
uses NAT or redirects TCP connections to another host (for example
a firewall used to hide a web server) the ip->id increment may
appear falsely increased.

hpinging a Windows box without using the --winid option you will see that
the increments are multiples of 256 because of the different id byte ordering.
This can be really useful for OS fingerprinting:

#hping win95 -r
HPING win95 (eth0 192.168.4.41): NO FLAGS are set, 40 headers + 0 data bytes
46 bytes from 192.168.4.41: flags=RA seq=0 ttl=128 id=47371 win=0 rtt=0.5 ms
46 bytes from 192.168.4.41: flags=RA seq=1 ttl=128 id=+256 win=0 rtt=0.5 ms
46 bytes from 192.168.4.41: flags=RA seq=2 ttl=128 id=+256 win=0 rtt=0.6 ms
46 bytes from 192.168.4.41: flags=RA seq=3 ttl=128 id=+256 win=0 rtt=0.5 ms

--- win95 hping statistic ---
4 packets tramitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.5/0.5/0.6 ms

Windows systems are "marked", so in order to discover whether a host is
a Windows host you just need to send a few packets.
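
The relid arithmetic and the byte-order fingerprint above can be reproduced offline. The following Python is an added example (not part of hping2 or this HOWTO) that parses hping2 reply lines, computes the -r style steps with 16-bit wrap-around, applies the --winid byte swap, and classifies a host's id generator as incremental, byte-swapped incremental or unpredictable. The sample lines are constructed in hping2's output format (the first two reuse id values from this HOWTO), and the 4096 counter-step threshold is an assumption.

```python
import re
from typing import List

# hping2 reply line carrying an absolute id, e.g. "40 bytes from 204.71.200.74:
# flags=R seq=1 ttl=53 id=31549 win=0 rtt=390.0 ms"; -r lines ("id=+N") are skipped.
REPLY_RE = re.compile(r"^\d+ bytes from \S+: flags=\S* seq=\d+ ttl=\d+ id=(\d+) win=")

# Constructed samples in hping2's output format: the first two reuse the id
# values shown in this HOWTO, the third is made up for a randomized generator.
SAMPLE_YAHOO = """\
40 bytes from 204.71.200.74: flags=R seq=0 ttl=53 id=29607 win=0 rtt=329.4 ms
40 bytes from 204.71.200.74: flags=R seq=1 ttl=53 id=31549 win=0 rtt=390.0 ms
40 bytes from 204.71.200.74: flags=R seq=2 ttl=53 id=33432 win=0 rtt=390.0 ms
"""
SAMPLE_WIN95 = """\
46 bytes from 192.168.4.41: flags=RA seq=0 ttl=128 id=47371 win=0 rtt=0.5 ms
46 bytes from 192.168.4.41: flags=RA seq=1 ttl=128 id=47627 win=0 rtt=0.5 ms
46 bytes from 192.168.4.41: flags=RA seq=2 ttl=128 id=47883 win=0 rtt=0.6 ms
"""
SAMPLE_RANDOM = """\
40 bytes from 10.0.0.2: flags=RA seq=0 ttl=64 id=51234 win=0 rtt=1.0 ms
40 bytes from 10.0.0.2: flags=RA seq=1 ttl=64 id=3120 win=0 rtt=1.0 ms
40 bytes from 10.0.0.2: flags=RA seq=2 ttl=64 id=44019 win=0 rtt=1.0 ms
"""

MAX_COUNTER_STEP = 4096  # heuristic (assumption): a bigger step is not a busy counter

def parse_ids(output: str) -> List[int]:
    """Absolute ip->id values, in reply order, from hping2 output."""
    return [int(m.group(1)) for line in output.splitlines()
            if (m := REPLY_RE.match(line))]

def swap16(ident: int) -> int:
    """Undo the Win* byte ordering, as hping2's --winid/-W option does."""
    return ((ident & 0xFF) << 8) | (ident >> 8)

def rel_ids(ids: List[int], winid: bool = False) -> List[int]:
    """What -r/--relid prints: the step from each reply to the next, reduced
    mod 2^16 so a counter wrapping past 65535 still shows a small positive step."""
    if winid:
        ids = [swap16(i) for i in ids]
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]

def packets_per_second(ids: List[int], interval_s: float = 1.0) -> float:
    """Traffic estimate from probes sent every interval_s seconds. Caveat from the
    HOWTO: the counter covers all interfaces, so NAT or redirection inflates it."""
    steps = rel_ids(ids)
    return sum(steps) / (len(steps) * interval_s)

def classify(ids: List[int]) -> str:
    """Incremental, incremental but byte-swapped (Win*), or unpredictable: the
    byte order giving the smaller total step is taken as the real counter."""
    raw, swapped = rel_ids(ids), rel_ids(ids, winid=True)
    if not raw:
        return "not enough replies"
    steps, order = min((raw, "host"), (swapped, "swapped"), key=lambda p: sum(p[0]))
    if all(0 < s <= MAX_COUNTER_STEP for s in steps):
        return "incremental" if order == "host" else "incremental, byte-swapped (Win*: use --winid)"
    return "unpredictable (randomized id, e.g. OpenBSD >= 2.5)"

if __name__ == "__main__":
    for sample in (SAMPLE_YAHOO, SAMPLE_WIN95, SAMPLE_RANDOM):
        print(rel_ids(parse_ids(sample)), classify(parse_ids(sample)))
```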

How to perform a spoofed SYN scan using the incremental id? The following
is the original message to bugtraq about the spoofed/indirect/idle scan method;
below I'll try to explain the details and how this is possible even with UDP,
with some restrictions.

---- bugtraq posting about spoofed scanning ----

Hi,

I have uncovered a new tcp port scan method.
Unlike all the others it allows you to scan using spoofed
packets, so scanned hosts can't see your real address.
In order to perform this I use three well known tcp/ip
implementation peculiarities of most OSs:

(1) * hosts reply SYN|ACK to SYN if the tcp target port is open,
reply RST|ACK if the tcp target port is closed.

(2) * You can know the number of packets that hosts are sending
using the id ip header field. See my previous posting 'about the ip
header' in this ml.

(3) * hosts reply RST to SYN|ACK, reply nothing to RST.


The Players:

host A - evil host, the attacker.
host B - silent host.
host C - victim host.

A is your host.
B is a particular host: it must not send any packets while
you are scanning C. There are a lot of 'zero traffic' hosts
on the internet, especially in the night :)
C is the victim, it must be vulnerable to SYN scan.

I've called this scan method 'dumb host scan' in honour of host
B's characteristics.


How it works:

Host A monitors the number of outgoing packets from B using the id iphdr.
You can do this simply using hping:

#hping B -r
HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms
-cut-
..
.

As you can see, id increases are always 1. So this host has the
characteristics that host B should have.

Now host A sends SYN to port X of C spoofing from B.
(using hping => 0.67 this is very easy, http://www.kyuzz.org/antirez)
If port X of C is open, host C will send SYN|ACK to B (yes,
host C doesn't know that the real sender is A). In this
case host B replies to SYN|ACK with a RST.
If we send to host C a few SYNs it will reply to B with a few
SYN|ACKs, so B will reply to C with a few RSTs... so
we'll see that host B is sending packets!

.
..
-cut-
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=17 ttl=64 id=+1 win=0 time=96 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=18 ttl=64 id=+1 win=0 time=80 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=19 ttl=64 id=+2 win=0 time=83 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=20 ttl=64 id=+3 win=0 time=94 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=21 ttl=64 id=+1 win=0 time=92 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=22 ttl=64 id=+2 win=0 time=82 ms
-cut-
..
.

The port is open!

Instead, if port X of C is closed, sending to C a few
SYNs spoofed from B, it will reply with RST to B, and
B will not reply (see 3). So we'll see that host B is not sending
any packet:

.
..
-cut-
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=52 ttl=64 id=+1 win=0 time=85 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=53 ttl=64 id=+1 win=0 time=83 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=54 ttl=64 id=+1 win=0 time=93 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=55 ttl=64 id=+1 win=0 time=74 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=56 ttl=64 id=+1 win=0 time=95 ms
60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=57 ttl=64 id=+1 win=0 time=81 ms
-cut-
..
.

The port is closed.

All this can appear complicated to perform, but using two sessions
of hping on Linux virtual consoles or under X makes it simpler.
First session listens to host B: hping B -r
Second session sends spoofed SYNs: hping C -a B -S

Sorry if my English is not so clear.
However this posting is not adequate to describe exhaustively
this scan method, so I'll write a paper on this topic, especially
about how to implement this in a port scanner (i.e. nmap), and
about players' characteristics and OSes used.

happy new year,
antirez

---- EOF ----
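
To see why the method in the posting hinges on a predictable ip->id, and why the randomized id mentioned in __0004 closes it, here is an added Python model (not part of hping2 or the posting) of hosts A, B and C: nothing is sent on the wire, delivery is a method call, and only rules (1) and (3) plus the id generator are modelled. The Host and Packet classes and the function names are hypothetical.

```python
import random
from dataclasses import dataclass
from typing import Optional

# Toy model of the three players in the posting above. Nothing is sent on the
# wire: "delivery" is a method call, and only the parts of a TCP/IP stack that
# the method relies on are modelled (the ip->id generator and rules 1 and 3).

@dataclass
class Packet:
    src: str
    dst: str
    flags: str      # "S", "SA", "RA", "R" or "A"
    port: int
    ident: int = 0  # ip->id chosen by the sender

class Host:
    def __init__(self, name, open_ports=(), random_id=False, seed=0):
        self.name, self.open_ports, self.random_id = name, set(open_ports), random_id
        self.rng = random.Random(seed)
        self.next_id = self.rng.randrange(65536)  # arbitrary initial counter value

    def _new_id(self) -> int:
        if self.random_id:  # randomized id, the OpenBSD >= 2.5 behaviour from __0004
            return self.rng.randrange(65536)
        self.next_id = (self.next_id + 1) & 0xFFFF  # trivial "+1 per packet" id
        return self.next_id

    def receive(self, pkt: Packet) -> Optional[Packet]:
        """Reply this stack sends, or None (rule 3: a RST gets no answer)."""
        if pkt.flags == "S":
            flags = "SA" if pkt.port in self.open_ports else "RA"  # rule 1
        elif pkt.flags in ("SA", "A"):
            flags = "R"  # unsolicited SYN|ACK or ACK is answered with RST
        else:
            return None
        return Packet(self.name, pkt.src, flags, pkt.port, self._new_id())

def read_id(host: Host) -> int:
    """What `hping host -A` shows A: the ip->id of the RST the host sends back."""
    return host.receive(Packet("A", host.name, "A", 0)).ident

def is_incremental(host: Host, probes: int = 4) -> bool:
    """The `hping B -r` check: every step between quiet probes must be +1."""
    ids = [read_id(host) for _ in range(probes)]
    return all((b - a) & 0xFFFF == 1 for a, b in zip(ids, ids[1:]))

def dumb_host_scan(b: Host, c: Host, port: int, n_syn: int) -> int:
    """Extra packets B is seen to send while C gets SYNs spoofed from B:
    n_syn if C's port is open (each SYN|ACK draws a RST from B), 0 if closed."""
    before = read_id(b)
    for _ in range(n_syn):
        reply = c.receive(Packet(b.name, c.name, "S", port))  # SYN, src forged as B
        b.receive(reply)  # SYN|ACK draws a RST from B; RST|ACK draws nothing
    after = read_id(b)
    return ((after - before) & 0xFFFF) - 1  # -1: the closing read_id reply itself

if __name__ == "__main__":
    b, c = Host("B"), Host("C", open_ports={80})
    print(is_incremental(b), dumb_host_scan(b, c, 80, 10), dumb_host_scan(b, c, 79, 10))
    # A host with randomized ip->id fails the precheck, so it cannot serve as B.
    print(is_incremental(Host("B2", random_id=True, seed=7)))
```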

As you can see, spoofed scanning is trivial to perform, especially
since with hping2 you are able to specify a microsecond interval (-i uX),
so you don't need host B to be a totally idle host. You may read the
id increment once every second while sending 10 SYNs every second. If you
send an adequate number of SYNs per second, the expected id increment is so big
that you are able to see whether the port is open or closed even if host B
is sending other packets. Example:

# hping awake.host.org -p 80 -A -r
ppp0 default routing interface selected (according to /proc)
HPING server.alicom.com (ppp0 111.222.333.44): A set, 40 headers + 0 data bytes
40 bytes from 111.222.333.44: flags=R seq=0 ttl=249 id=47323 win=0 rtt=239.7 ms
40 bytes from 111.222.333.44: flags=R seq=1 ttl=249 id=+6 win=0 rtt=630.0 ms
40 bytes from 111.222.333.44: flags=R seq=2 ttl=249 id=+6 win=0 rtt=280.0 ms
40 bytes from 111.222.333.44: flags=R seq=3 ttl=249 id=+8 win=0 rtt=340.0 ms
40 bytes from 111.222.333.44: flags=R seq=4 ttl=249 id=+5 win=0 rtt=440.0 ms
40 bytes from 111.222.333.44: flags=R seq=5 ttl=249 id=+5 win=0 rtt=410.0 ms
40 bytes from 111.222.333.44: flags=R seq=6 ttl=249 id=+8 win=0 rtt=1509.9 ms
40 bytes from 111.222.333.44: flags=R seq=7 ttl=249 id=+4 win=0 rtt=1460.0 ms
40 bytes from 111.222.333.44: flags=R seq=8 ttl=249 id=+7 win=0 rtt=770.0 ms
40 bytes from 111.222.333.44: flags=R seq=9 ttl=249 id=+5 win=0 rtt=230.0 ms
...

As you can see this host isn't idle, it sends ~ 6 packets every second.
Now scan www.yahoo.com's port 80 to see if it's open:

root.1# hping -a server.alicom.com -S -p 80 -i u10000 www.yahoo.com
ppp0 default routing interface selected (according to /proc)
HPING www.yahoo.com (ppp0 204.71.200.74): S set, 40 headers + 0 data bytes

[wait some seconds and press CTRL+C]

--- www.yahoo.com hping statistic ---
130 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Looking at the output of 'hping awake.host.org -p 80 -A -r' it's
simple to understand that www.yahoo.com's port 80 is open:

40 bytes from 111.222.333.44: flags=R seq=59 ttl=249 id=+16 win=0 rtt=380.0 ms
40 bytes from 111.222.333.44: flags=R seq=60 ttl=249 id=+75 win=0 rtt=850.0 ms
40 bytes from 111.222.333.44: flags=R seq=61 ttl=249 id=+12 win=0 rtt=1050.0 ms
40 bytes from 111.222.333.44: flags=R seq=62 ttl=249 id=+1 win=0 rtt=450.0 ms
40 bytes from 111.222.333.44: flags=R seq=63 ttl=249 id=+27 win=0 rtt=230.0 ms
40 bytes from 111.222.333.44: flags=R seq=64 ttl=249 id=+11 win=0 rtt=850.0 ms

Note that 16+75+12+27+11+1-6 = 136 and that we sent 130 packets. So it's
very realistic that the increments are produced by our packets.

Tips: Using an idle host to perform spoofed scanning it's useful to
output only replies that show an increment != 1. Try
`hping host -r | grep -v "id=+1"'