Thursday 14 September 2017

Using hping3

A quick cheat sheet for using hping3 for port scanning:

-c 1      Only send one request per port (c = count)
-v        Verbose, show response for each port
-1        Send an ICMP echo request (ping); this is the digit one, not the letter ell
-2        Send as UDP packet
-S        Send a SYN packet; open ports reply with a SYN-ACK (a half-open scan)
-A        Send an ACK packet
-F        Send packet with a FIN flag
-8 1-500  Scan a range of ports (equivalent to --scan)
-p 80     Scan a particular port

Examples

Send one request with a half-open scan to port 80
> hping3 -c 1 -S <www.website.somewhere> -p 80
HPING <www.website.somewhere> (eth1 <website ip>): S set, 40 headers + 0 data bytes
len=46 ip=<website ip> ttl=64 id=31610 sport=80 flags=SA seq=0 win=65535 rtt=14.8 ms

--- <www.website.somewhere> hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss


Send one request per port using a half-open scan against a Windows XP machine with no firewall
> hping3 -c 1 -S --scan 1-10000 <ip address>
Scanning <ip address>, port 1-10000
10000 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
  445 microsoft-d: .S..A...  64 33955 65535    46
  139 netbios-ssn: .S..A...  64 46756 65535    46
  135 loc-srv    : .S..A...  64 47780 65535    46
 3389              .S..A...  64 58947 65535    46

All replies received. Done.
Not responding ports:

Flags
The S and A flags show that the target system responded with a SYN-ACK, which means the port is open and can be explored further. A closed port answers the SYN with an RST-ACK instead (flags=RA), and a port that is filtered by a firewall typically sends nothing back at all, so it ends up under "Not responding ports".
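As an added example (not code from the original post), a small Python parser for the `--scan` table above: it reads the flags column of each row, treats the reply as open only when both S and A are set and R is not, and ignores the header and footer lines. The sample table is constructed from the post's output with a placeholder IP, plus one RST-ACK row for a closed port of the kind hping3 shows with -V.

```python
import re
from typing import Dict, List, NamedTuple

class ScanRow(NamedTuple):
    """One data row of the hping3 --scan summary table."""
    port: int
    service: str   # empty when hping3 prints no service name for the port
    flags: str     # TCP flag letters set in the reply, e.g. "SA" for SYN-ACK

# port, optional "serv name :" (padding may precede the colon), 8-column flag
# field where '.' marks an unset flag, then the numeric ttl/id/win/len columns.
ROW_RE = re.compile(
    r"^\s*(?P<port>\d+)\s+(?:(?P<serv>\S+)\s*:\s*)?(?P<flags>[.A-Z]{8})\s+\d+\s+\d+\s+\d+\s+\d+\s*$"
)

def parse_scan_output(text: str) -> List[ScanRow]:
    """Parse the data rows of an hping3 --scan table; header and footer lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(ScanRow(int(m["port"]), m["serv"] or "", m["flags"].replace(".", "")))
    return rows

def classify(flags: str) -> str:
    """Interpret a reply to a SYN probe: RST(-ACK) means closed, SYN-ACK means open."""
    if "R" in flags:
        return "closed"
    if "S" in flags and "A" in flags:
        return "open"
    return "other"

def open_ports(text: str) -> Dict[int, str]:
    """Map each port that answered SYN-ACK to the service label hping3 printed for it."""
    return {r.port: r.service for r in parse_scan_output(text) if classify(r.flags) == "open"}

# Constructed sample: the table from the post (placeholder IP) plus one RST-ACK row
# for a closed port (port 22), which hping3 lists when run with -V.
SAMPLE = """\
+----+-----------+---------+---+-----+-----+-----+
|port| serv name |  flags  |ttl| id  | win | len |
+----+-----------+---------+---+-----+-----+-----+
  445 microsoft-d: .S..A...  64 33955 65535    46
  139 netbios-ssn: .S..A...  64 46756 65535    46
  135 loc-srv    : .S..A...  64 47780 65535    46
 3389              .S..A...  64 58947 65535    46
   22 ssh        : ..R.A...  64 12345     0    46
All replies received. Done.
"""
```

`open_ports(SAMPLE)` returns the four SYN-ACK ports keyed by number, with an empty label for 3389, and leaves the RST-ACK row out.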