N.B.: this HOWTO is not completed and in some points very silly. I leave this here only because maybe it's better that nothing. HPING2 HOWTO Changes Log ----------- Aug 7 1999 vi HPING2-HOWTO.txt Aug 8 1999 __0000, __0001, __0002, __0003 Aug 10 1999 __0004 Index ----- [search __XXXX in order to jump to point you want] __0000: Copyright notice __0001: What is hping? __0002: What i need to know about TCP/IP in order to use hping? __0003: First step with hping __0004: IP id and how to scan TCP ports using spoofing. __0005: How to test firewall rules. (TODO) __0006: How to trasfer files accross firewall. (TODO) __000A: hping usage example (TODO) __0000: Copyright notice, License, and all that stuff Copyright (C) Salvatore Sanfilippo, 1999. Permission is granted to make and distribute copies of this manual provided the copyright notice and this permission notice are preserved on all copies. Permission is granted to copy and distribute modified versions of this manual under the conditions for verbatim copying, provided that the derived work is distributed under the terms of a permission notice identical to this one. Translations fall under the catagory of ``modified versions.'' Warranty: None. Recommendations: Commercial redistribution is allowed and encouraged; however, it is strongly recommended that the redistributor contact the author before the redistribution, in the interest of keeping things up-to-date (you could send me a copy of the thing you're making while you're at it). Translators are also advised to contact the author before translating. The printed version looks nicer. Recycle. __0001: What is hping? Hping is a software to do TCP/IP stack auditing, to uncover firewall policy, to scan TCP port in a lot of different modes, to transfer files accross a firewall and many other stuff. Using hping you are able to do even a lot of not security-regarding stuff. For example you can test networks performance, check if a host is up, check if TOS is handled et cetera. __0002: What i need to know about TCP/IP in order to use hping? If you know TCP/IP you will find hping very usefull, otherwise you can use hping only to do well known tests. See __000A for some example. __0003: First step with hping The simplest usage of hping is the following: #hping host This command sends a TCP null-flags packet to port 0 of target host every second and show the host replies. For example: # hping www.debian.org ppp0 default routing interface selected (according to /proc) HPING www.debian.org (ppp0 209.81.8.242): NO FLAGS are set, 40 headers + 0 data bytes 40 bytes from 209.81.8.242: flags=RA seq=0 ttl=243 id=63667 win=0 time=369.4 ms 40 bytes from 209.81.8.242: flags=RA seq=1 ttl=243 id=63719 win=0 time=420.0 ms 40 bytes from 209.81.8.242: flags=RA seq=2 ttl=243 id=63763 win=0 time=350.0 ms [Ctrl+C] --- www.debian.org hping statistic --- 3 packets tramitted, 3 packets received, 0% packet loss As you can see host replies with a TCP packet with RST and ACK flags set. So you are able to perform a 'TCP ping', usefull when ICMPs are filtered. By default port 0 are used because it's very strange that is in LISTEN state. If we send a TCP null-flags to a port in LISTEN state a lot of TCP/IP stack will not send any reply. So we are able to know if a port is in LISTEN state. For example: # hping www.debian.org -p 80 ppp0 default routing interface selected (according to /proc) HPING www.debian.org (ppp0 209.81.8.242): NO FLAGS are set, 40 headers + 0 data bytes [Ctrl+C] --- www.debian.org hping statistic --- 5 packets trasmitted, 0 packets received, 100% packet loss Since port 80 of www.debian.org is in LISTEN mode we got no response. But What's happen if we try to hping a firewalled port? This depends on firewall policy/implementation. Usually we get an ICMP or nothing. For example: # hping www.yahoo.com -p 79 ppp0 default routing interface selected (according to /proc) HPING www.yahoo.com (ppp0 204.71.200.67): NO FLAGS are set, 40 headers + 0 data bytes ICMP Packet filtered from 206.132.254.41 (pos1-0-2488M.hr8.SNV.globalcenter.net) --- www.yahoo.com hping statistic --- 14 packets tramitted, 0 packets received, 100% packet loss yahoo firewall doesn't allow connection to port 79, so reply with an ICMP Packet filtered (ICMP unreachable code 13). However there are a lot of firewall that simply drop the packet. For example: # hping www.microsoft.com -p 79 ppp0 default routing interface selected (according to /proc) HPING www.microsoft.com (ppp0 207.46.130.150): NO FLAGS are set, 40 headers + 0 data bytes --- www.microsoft.com hping statistic --- 4 packets tramitted, 0 packets received, 100% packet loss No reply from microsoft. Is the port firewalled or in LISTEN mode? To uncover this is very simply. Just we try to set ACK flag instead to send a TCP null-flag packet. If the host respond maybe this port is in LISTEN mode (but it's possible that there is a rules that deny null-flag TCP packet but allow ACK). # hping www.microsoft.com -A -p 79 ppp0 default routing interface selected (according to /proc) HPING www.microsoft.com (ppp0 207.46.130.149): A set, 40 headers + 0 data bytes --- www.microsoft.com hping statistic --- 3 packets tramitted, 0 packets received, 100% packet loss No response again, So this port seems to be filtered. Anyway it's possible that microsoft is using an 'intelligent' firewall that know that in order to connect first I must send a SYN. # hping www.microsoft.com -S -p 79 ppp0 default routing interface selected (according to /proc) HPING www.microsoft.com (ppp0 207.46.130.149): S set, 40 headers + 0 data bytes --- www.microsoft.com hping statistic --- 3 packets tramitted, 0 packets received, 100% packet loss Ok.. seems that port 79 of microsoft is really filtered. Just for clearness we send some ACK to port 80 of www.debian.org: # hping www.debian.org -p 80 -A ppp0 default routing interface selected (according to /proc) HPING www.debian.org (ppp0 209.81.8.242): A set, 40 headers + 0 data bytes 40 bytes from 209.81.8.242: flags=R seq=0 ttl=243 id=5590 win=0 time=379.5 ms 40 bytes from 209.81.8.242: flags=R seq=1 ttl=243 id=5638 win=0 time=370.0 ms 40 bytes from 209.81.8.242: flags=R seq=2 ttl=243 id=5667 win=0 time=360.0 ms --- www.debian.org hping statistic --- 3 packets tramitted, 3 packets received, 0% packet loss We can see replies even if port 80 is in LISTEN mode because a port in LISTEN mode may not replay only to NULL, FIN, Xmas, Ymas flags TCP packet. ACK and RST are two important TCP flags that allow to do ACL tests and to guess ip->id without to produce any log (usually). __0004: IP id and how to scan TCP ports using spoofing. Every IP packet is identified by a 16 bit id. Thanks to this id IP stacks are able to handle fragmentation. A lot of OSs handle ip->id travially: just increment by 1 this id for each packet sent. Using this id you are able at least to estimate hosts traffic and to scan with spoofed packets. OpenBSD >= 2.5 and many others implement a random not repetitive id so you aren't able to joke with ip->id. Win* ip->id has different byte ordering, so you must specify --winid or -W option if you are using hping2 against Win*. N.B.: You are able to scan spoofed hosts with safe/random ip->id because in order to spoof your packets you need a third part host with incremental id rule but you don't need that target of your scanning has an incremental id. How to estimate host traffic using ip->id? It's really simple: # hping www.yahoo.com -p 80 -A ppp0 default routing interface selected (according to /proc) HPING www.yahoo.com (ppp0 204.71.200.74): A set, 40 headers + 0 data bytes 40 bytes from 204.71.200.74: flags=R seq=0 ttl=53 id=29607 win=0 rtt=329.4 ms 40 bytes from 204.71.200.74: flags=R seq=1 ttl=53 id=31549 win=0 rtt=390.0 ms 40 bytes from 204.71.200.74: flags=R seq=2 ttl=53 id=33432 win=0 rtt=390.0 ms 40 bytes from 204.71.200.74: flags=R seq=3 ttl=53 id=35368 win=0 rtt=380.0 ms 40 bytes from 204.71.200.74: flags=R seq=4 ttl=53 id=37335 win=0 rtt=390.0 ms 40 bytes from 204.71.200.74: flags=R seq=5 ttl=53 id=39157 win=0 rtt=380.0 ms 40 bytes from 204.71.200.74: flags=R seq=6 ttl=53 id=41118 win=0 rtt=370.0 ms 40 bytes from 204.71.200.74: flags=R seq=7 ttl=53 id=43330 win=0 rtt=390.0 ms --- www.yahoo.com hping statistic --- 8 packets tramitted, 8 packets received, 0% packet loss round-trip min/avg/max = 329.4/377.4/390.0 ms As you can se id field increase. Packet with sequence 0 has id=29607, sequence 1 has id=31549, so www.yahoo.com host sent 31549-29607 = 1942 packets in circa one second. Using -r|--relid option hping output id field as difference between last and current received packet id. # hping www.yahoo.com -P 80 -A -r ppp0 default routing interface selected (according to /proc) HPING www.yahoo.com (ppp0 204.71.200.68): A set, 40 headers + 0 data bytes 40 bytes from 204.71.200.68: flags=R seq=0 ttl=53 id=65179 win=0 rtt=327.1 ms 40 bytes from 204.71.200.68: flags=R seq=1 ttl=53 id=+1936 win=0 rtt=360.0 ms 40 bytes from 204.71.200.68: flags=R seq=2 ttl=53 id=+1880 win=0 rtt=340.0 ms 40 bytes from 204.71.200.68: flags=R seq=3 ttl=53 id=+1993 win=0 rtt=330.0 ms 40 bytes from 204.71.200.68: flags=R seq=4 ttl=53 id=+1871 win=0 rtt=350.0 ms 40 bytes from 204.71.200.68: flags=R seq=5 ttl=53 id=+1932 win=0 rtt=340.0 ms 40 bytes from 204.71.200.68: flags=R seq=6 ttl=53 id=+1776 win=0 rtt=330.0 ms 40 bytes from 204.71.200.68: flags=R seq=7 ttl=53 id=+1749 win=0 rtt=320.0 ms 40 bytes from 204.71.200.68: flags=R seq=8 ttl=53 id=+1888 win=0 rtt=340.0 ms 40 bytes from 204.71.200.68: flags=R seq=9 ttl=53 id=+1907 win=0 rtt=330.0 ms --- www.yahoo.com hping statistic --- 10 packets tramitted, 10 packets received, 0% packet loss round-trip min/avg/max = 320.0/336.7/360.0 ms Obviously checking the id every 1/2 second instead of 1 second, increment will be half. # hping www.yahoo.com -P 80 -A -r -i u 500000 ppp0 default routing interface selected (according to /proc) HPING www.yahoo.com (ppp0 204.71.200.68): A set, 40 headers + 0 data bytes 40 bytes from 204.71.200.68: flags=R seq=0 ttl=53 id=35713 win=0 rtt=327.0 ms 40 bytes from 204.71.200.68: flags=R seq=1 ttl=53 id=+806 win=0 rtt=310.0 ms 40 bytes from 204.71.200.68: flags=R seq=2 ttl=53 id=+992 win=0 rtt=320.0 ms 40 bytes from 204.71.200.68: flags=R seq=3 ttl=53 id=+936 win=0 rtt=330.0 ms 40 bytes from 204.71.200.68: flags=R seq=4 ttl=53 id=+987 win=0 rtt=310.0 ms 40 bytes from 204.71.200.68: flags=R seq=5 ttl=53 id=+952 win=0 rtt=320.0 ms 40 bytes from 204.71.200.68: flags=R seq=6 ttl=53 id=+918 win=0 rtt=330.0 ms 40 bytes from 204.71.200.68: flags=R seq=7 ttl=53 id=+809 win=0 rtt=320.0 ms 40 bytes from 204.71.200.68: flags=R seq=8 ttl=53 id=+881 win=0 rtt=320.0 ms --- www.yahoo.com hping statistic --- 9 packets tramitted, 9 packets received, 0% packet loss round-trip min/avg/max = 310.0/320.8/330.0 ms N.B. Warning, using ip->id you are able only to guess *the number of packets sent/time*. You can't always compare different hosts. ip->id refers to all host interfaces and for example if an host use NAT or redirect TCP connections to another host (for example a firewall used to hide a web server) ip->id increment may result fakely increased. hpinging windows box without using --winid option you will see as increments are 256 multiple because different id byteordering. This can be really usefull for OS fingerprinting: #hping win95 -r HPING win95 (eth0 192.168.4.41): NO FLAGS are set, 40 headers + 0 data bytes 46 bytes from 192.168.4.41: flags=RA seq=0 ttl=128 id=47371 win=0 rtt=0.5 ms 46 bytes from 192.168.4.41: flags=RA seq=1 ttl=128 id=+256 win=0 rtt=0.5 ms 46 bytes from 192.168.4.41: flags=RA seq=2 ttl=128 id=+256 win=0 rtt=0.6 ms 46 bytes from 192.168.4.41: flags=RA seq=3 ttl=128 id=+256 win=0 rtt=0.5 ms --- win95 hping statistic --- 4 packets tramitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.5/0.5/0.6 ms Windows systems are "marked", so in order to discovery if an host is a Windows host you need to send just some packet. How to perform spoofed SYN scan using incremental id? The following is the original message to bugtraq about spoofed/indirect/idle scan method, bottom i'll try to explain details and how this is possible even with UDP with some restriction. ---- bugtraq posting about spoofed scanning ---- Hi, I have uncovered a new tcp port scan method. Instead all others it allows you to scan using spoofed packets, so scanned hosts can't see your real address. In order to perform this i use three well known tcp/ip implementation peculiarities of most OS: (1) * hosts reply SYN|ACK to SYN if tcp target port is open, reply RST|ACK if tcp target port is closed. (2) * You can know the number of packets that hosts are sending using id ip header field. See my previous posting 'about the ip header' in this ml. (3) * hosts reply RST to SYN|ACK, reply nothing to RST. The Players: host A - evil host, the attacker. host B - silent host. host C - victim host. A is your host. B is a particular host: It must not send any packets while you are scanning C. There are a lot of 'zero traffic' hosts in internet, especially in the night :) C is the victim, it must be vulnerable to SYN scan. I've called this scan method 'dumb host scan' in honour of host B characteristics. How it works: Host A monitors number of outgoing packets from B using id iphdr. You can do this simply using hping: #hping B -r HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms -cut- .. . As you can see, id increases are always 1. So this host have the characteristics that host B should to own. Now host A sends SYN to port X of C spoofing from B. (using hping => 0.67 is very easy, http://www.kyuzz.org/antirez) if port X of C is open, host C will send SYN|ACK to B (yes, host C don't know that the real sender is A). In this case host B replies to SYN|ACK with a RST. If we send to host C a few of SYN it will reply to B with a few of SYN|ACK, so B will reply to C a few of RST... so we'll see that host B is sending packets! . .. -cut- 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=17 ttl=64 id=+1 win=0 time=96 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=18 ttl=64 id=+1 win=0 time=80 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=19 ttl=64 id=+2 win=0 time=83 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=20 ttl=64 id=+3 win=0 time=94 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=21 ttl=64 id=+1 win=0 time=92 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=22 ttl=64 id=+2 win=0 time=82 ms -cut- .. . The port is open! Instead, if port X of C is closed sending to C a few of SYN spoofed from B, it will reply with RST to B, and B will not reply (see 3). So we'll see that host B is not sending any packet: . .. -cut- 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=52 ttl=64 id=+1 win=0 time=85 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=53 ttl=64 id=+1 win=0 time=83 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=54 ttl=64 id=+1 win=0 time=93 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=55 ttl=64 id=+1 win=0 time=74 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=56 ttl=64 id=+1 win=0 time=95 ms 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=57 ttl=64 id=+1 win=0 time=81 ms -cut- .. . The port is closed. All this can appear complicated to perform, but using two sessions of hping on Linux virtual consoles or under X makes it more simple. First session listen host B: hping B -r Second session send spoofed SYN: hping C -a B -S Sorry if my english is not so clear. However this posting is not adequate to describe exaustively this scan method, so i'll write a paper on this topic, specially about how to implement this in a port scanner (i.e. nmap), and about players characteristics and OS used. happy new year, antirez ---- EOF ---- As you can see spoofed scanning is travial to perform, especially unsing hping2 you are able to specify micro seconds interval (-i uX) so you don't need that B host is a totally idle host. You may read id increment once every second sending 10 SYN every second. If you send an adequate SYNnumber/second expected id increment is so big that you are able to see if port is open or closed even if B host is sending other packets. Example: # hping awake.host.org -p 80 -A -r ppp0 default routing interface selected (according to /proc) HPING server.alicom.com (ppp0 111.222.333.44): A set, 40 headers + 0 data bytes 40 bytes from 111.222.333.44: flags=R seq=0 ttl=249 id=47323 win=0 rtt=239.7 ms 40 bytes from 111.222.333.44: flags=R seq=1 ttl=249 id=+6 win=0 rtt=630.0 ms 40 bytes from 111.222.333.44: flags=R seq=2 ttl=249 id=+6 win=0 rtt=280.0 ms 40 bytes from 111.222.333.44: flags=R seq=3 ttl=249 id=+8 win=0 rtt=340.0 ms 40 bytes from 111.222.333.44: flags=R seq=4 ttl=249 id=+5 win=0 rtt=440.0 ms 40 bytes from 111.222.333.44: flags=R seq=5 ttl=249 id=+5 win=0 rtt=410.0 ms 40 bytes from 111.222.333.44: flags=R seq=6 ttl=249 id=+8 win=0 rtt=1509.9 ms 40 bytes from 111.222.333.44: flags=R seq=7 ttl=249 id=+4 win=0 rtt=1460.0 ms 40 bytes from 111.222.333.44: flags=R seq=8 ttl=249 id=+7 win=0 rtt=770.0 ms 40 bytes from 111.222.333.44: flags=R seq=9 ttl=249 id=+5 win=0 rtt=230.0 ms ... as you can see this host isn't in idle, it sends ~ 6 packets every second. Now scan www.yahoo.com's port 80 to see if it's open: root.1# hping -a server.alicom.com -S -p 80 -i u10000 www.yahoo.com ppp0 default routing interface selected (according to /proc) HPING www.yahoo.com (ppp0 204.71.200.74): S set, 40 headers + 0 data bytes [wait some second and press CTRL+C] --- www.yahoo.com hping statistic --- 130 packets tramitted, 0 packets received, 100% packet loss round-trip min/avg/max = 0.0/0.0/0.0 ms Looking output of 'hping awake.host.org -p 80 -A -r' it's simple to understand that www.yahoo.com's port 80 is open: 40 bytes from 111.222.333.44: flags=R seq=59 ttl=249 id=+16 win=0 rtt=380.0 ms 40 bytes from 111.222.333.44: flags=R seq=60 ttl=249 id=+75 win=0 rtt=850.0 ms 40 bytes from 111.222.333.44: flags=R seq=61 ttl=249 id=+12 win=0 rtt=1050.0 ms 40 bytes from 111.222.333.44: flags=R seq=62 ttl=249 id=+1 win=0 rtt=450.0 ms 40 bytes from 111.222.333.44: flags=R seq=63 ttl=249 id=+27 win=0 rtt=230.0 ms 40 bytes from 111.222.333.44: flags=R seq=64 ttl=249 id=+11 win=0 rtt=850.0 ms note that 16+75+12+27+11+1-6 = 136 and that we sent 130 packets. So it's very realistic that increments are produced by our packtes. Tips: Using an idle host to perform spoofed scanning it's usefull to output only replies that show an increment != 1. Try `hping host -r | grep -v "id=+1"'