HPING OPTIONS

  -h  --help          Show help.
  -v  --version       Show version information.
  -c N  --count       Send N packets.
  -i  --interval      Interval between packets (e.g. -i u1 for 1 microsecond); default is 1 second. This matters when you want to raise the transmission rate, and it is also used in idle/spoofing scans; see the hping-howto for more.
      --fast          Send 10 packets per second (seems usable as a DoS attack; I have not tested it and cannot bring myself to try it on my classmates).
      --faster        Alias for -i u1.
      --flood         Send packets as fast as possible; this is way faster than specifying -i u0.
  -n  --numeric       Numeric output: print host addresses as numbers only (rarely useful).
  -q  --quiet         Quiet mode: print nothing except the summary at start and end.
  -I  --interface     Interface name: select the network interface to use (needed on multi-NIC hosts).
  -V  --verbose       Print much more information. A TCP reply then looks like:
                        len=46 ip=192.168.1.1 flags=RADF seq=0 ttl=255 id=0 win=0 rtt=0.4ms
                        tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0
  -D  --debug         Debug mode. When you run into trouble, e.g. hping behaves in a way you do not expect, this mode shows what hping is doing internally (INTERFACE DETECTION, DATA LINK LAYER ACCESS, INTERFACE SETTINGS, ...).
  -z  --bind          Bind the hotkey (set it to your own preference).
  -Z  --unbind        Unbind the hotkey.

PROTOCOL SELECTION

  -0  --rawip         RAW IP mode: hping sends an IP header with data appended. Original text: RAW IP mode, in this mode hping3 will send IP header with data appended with --signature and/or --file, see also --ipproto that allows you to set the ip protocol field.
  -1  --icmp          ICMP mode: hping sends ICMP echo requests; use --icmptype and --icmpcode to send other ICMP types/codes.
  -2  --udp           UDP mode: by default hping sends UDP packets to port 0 of the host; use --baseport, --destport and --keep to change that.
  -8  --scan          Scan mode.
  -9  --listen str    Listen mode: hping receives the data that follows the given signature. For example, with hping --listen TEST, receiving 234-09 sdflkjs45-TESThello_world prints hello_world.

IP OPTIONS

  -a  --spoof IP      Spoof the source IP address; the firewall will not log your real IP, but of course you will not receive the replies either.
                        hping3 -1 -a 8.8.8.8 58.30.34.18 -c 1
                      sends an ICMP type 8 code 0 packet whose source address is 8.8.8.8.
      --rand-source   Use random source addresses:
                        hping3 -1 --rand-source 58.30.34.18
      --rand-dest     Use random destination addresses, e.g.:
                        hping3 -I eth0 -1 58.30.34.x --rand-dest -c 10
  -t  --ttl num       Set the TTL of outgoing packets:
                        hping3 -1 -t 2 58.30.34.18 -c 1
                      sends an ICMP type 8 code 0 request with a TTL of 2. Usually combined with --traceroute or --bind, e.g. hping 1.1.1.1 -t 1 --traceroute.
  -N  --id            Set the 16-bit IP header identification field (used for fragmentation), given in decimal.
  -H  --ipproto       Set the ip protocol in RAW IP mode.
  -W  --winid         UNIX and Windows increment the IP ID differently; this option makes the ID display match Windows.
  -r  --rel           Show ID increments (the difference from the previous reply) instead of absolute IDs; see the HPING-HOWTO.
  -f  --frag          Fragment the packets; this tests how the target handles fragments. The default 'virtual mtu' is 16 bytes.
  -x  --morefrag      Set the more-fragments flag; this can keep the host busy reassembling fragments and cause a denial of service.
  -y  --dontfrag      Set the don't-fragment flag on outgoing packets; this lets you learn more about path MTU discovery.
  -o  --tos hex_tos   TOS = type of service (0x00 default, 0x02 minimize cost, 0x04 reliability, 0x08 throughput, 0x10 low delay).
  -G  --rroute        Record route: shows detailed path data for up to 9 hops. Because record route is an IP option, it is still recorded when the host blocks ICMP, and it works with TCP and UDP too.
  -g  --fragoff       fragment offset value: set the fragment offset.
  -m  --mtu           mtu value: with this option the ID values become very large (around 50000); without it they are roughly 3000-20000.

ICMP OPTIONS

  -C  --icmptype      Set the ICMP type; default is ICMP ECHO REQUEST.
  -K  --icmpcode      Set the ICMP code; default 0.
      --icmp-ipver    Set the IP version in the IP header carried in the ICMP data.
      --icmp-iphlen   Set the length of that IP header; default 5 (in 32-bit words).
      --icmp-iplen    Set the IP packet length.
      --icmp-ipid     Set the IP ID of the IP header carried in the ICMP data; default is RANDOM.
      --icmp-ipproto  Set the protocol field; default is TCP.
      --icmp-cksum    Set the checksum.
      --icmp-ts       Alias for --icmptype 13 (to send ICMP timestamp requests).
      --icmp-addr     Alias for --icmptype 17 (to send ICMP address mask requests).

TCP/UDP OPTIONS

  -s  --baseport sPort   hping uses the source port to match replies to probes: it counts up from a base port, adding 1 for every packet. You can change this rule; -k --keep stops the port from incrementing. The base port is random on each run.
  -p  --destport [+][+]dest port   Set the destination port; default is 0. One + increments the port by 1 each time a reply arrives; two ++ increment it for every packet sent.
      --keep          keep still source port, see --baseport for more information.
  -w  --win           Set TCP window size. Default is 64.
  -O  --tcpoff        Set fake tcp data offset. Normal data offset is tcphdrlen / 4.
  -M  --tcpseq        Set the TCP sequence number.
  -L  --tcpack        Set the TCP ack number.
  -Q  --seqnum        Collect sequence numbers; very useful when analysing a host's TCP sequence numbers, for example:
                        #hping2 win98 --seqnum -p 139 -S -i u1 -I eth0
                        HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes
                        2361294848 +2361294848
                        2411626496 +50331648
                        2545844224 +134217728
                        2713616384 +167772160
                        2881388544 +167772160
                        3049160704 +167772160
                        3216932864 +167772160
                        3384705024 +167772160
                        3552477184 +167772160
                        3720249344 +167772160
                        3888021504 +167772160
                        4055793664 +167772160
                        4223565824 +167772160
                      The first column is the sequence number of each reply, the second the difference from the previous one, so you can foresee the host's sequence numbers (after the three-way handshake the increment barely changes and settles at 167772160).
  -b  --badcksum      Send UDP/TCP packets with a wrong checksum.
      --tcp-mss       Enable the TCP MSS option and set it to the given value.
      --tcp-timestamp Enable the TCP timestamp option, and try to guess the timestamp update frequency and the remote system uptime.
  -F  --fin           Set FIN tcp flag.
  -S  --syn           Set SYN tcp flag.
  -R  --rst           Set RST tcp flag.
  -P  --push          Set PUSH tcp flag.
  -A  --ack           Set ACK tcp flag.
  -U  --urg           Set URG tcp flag.
  -X  --xmas          Set Xmas tcp flag.
  -Y  --ymas          Set Ymas tcp flag.

OTHER OPTIONS

  -d  --data data size   Set the packet data size. Note: with a data size of 40 the output looks like:
                        HPING www.yahoo.com (ppp0 204.71.200.67): NO FLAGS are set, 40 headers + 40 data bytes
  -E  --file filename    Fill the packet data with the contents of FILENAME.
  -j  --dump          Dump received packets in hex.
  -J  --print         Dump received packets' printable characters.
  -B  --safe          Make sure the data is sent completely. For example, to send host A's /etc/passwd to B:
                        [host_a]# hping2 host_b --udp -p 53 -d 100 --sign signature --safe --file /etc/passwd
                        [host_b]# hping2 host_a --listen signature --safe --icmp
  -u  --end           When --file is used, stop automatically once EOF is reached so you do not keep receiving useless data.
  -T  --traceroute    Traceroute mode.
      --tr-keep-ttl   Keep the TTL fixed in traceroute mode, so you can monitor just one hop in the route. For example, to monitor how the 5th hop changes or how its RTT changes you can try hping3 host --traceroute --ttl 5 --tr-keep-ttl.
      --tr-stop       Stop sending automatically as soon as an ICMP unreachable arrives.
      --tr-no-rtt     Do not show RTT information in traceroute mode.
      --tcpexitcode   Under certain rules this can tell you whether the host is alive.
  -e  --sign signature   Set the packet data content. Fill first signature length bytes of data with signature. If the signature length is bigger than data size an error message will be displayed. If you don't specify the data size hping will use the signature size as data size. This option can be used safely with --file filename option, remainder data space will be filled using filename.

TCP OUTPUT FORMAT

The standard TCP output format is the following:

  len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms

len is the size, in bytes, of the data captured from the data link layer excluding the data link header size. This may not match the IP datagram size due to low level transport layer padding.
ip is the source ip address.
flags are the TCP flags, R for RESET, S for SYN, A for ACK, F for FIN, P for PUSH, U for URGENT, X for not standard 0x40, Y for not standard 0x80. If the reply contains DF the IP header has the don't fragment bit set.
seq is the sequence number of the packet, obtained using the source port for TCP/UDP packets, the sequence field for ICMP packets.
id is the IP ID field.
win is the TCP window size.
rtt is the round trip time in milliseconds.

If you run hping using the -V command line switch it will display additional information about the packet, example:

  len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
  tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0

tos is the type of service field of the IP header.
iplen is the IP total len field.
seq and ack are the sequence and acknowledge 32bit numbers in the TCP header.
sum is the TCP header checksum value.
urp is the TCP urgent pointer value.

UDP OUTPUT FORMAT

The standard output format is:

  len=46 ip=192.168.1.1 seq=0 ttl=64 id=0 rtt=6.0 ms

The field meaning is just the same as the TCP output meaning of the same fields.

ICMP OUTPUT FORMAT

An example of ICMP output is:

  ICMP Port Unreachable from ip=192.168.1.1 name=nano.marmoc.net

It is very simple to understand. It starts with the string "ICMP" followed by the description of the ICMP error, Port Unreachable in the example. The ip field is the IP source address of the IP datagram containing the ICMP error, the name field is just the numerical address resolved to a name (a dns PTR request) or UNKNOWN if the resolution failed.

The ICMP Time exceeded during transit or reassembly format is a bit different:

  TTL 0 during transit from ip=192.168.1.1 name=nano.marmoc.net
  TTL 0 during reassembly from ip=192.70.106.25 name=UNKNOWN

The only difference is the description of the error, it starts with TTL 0.
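The --seqnum output shown above is the raw material for judging whether a host's initial sequence numbers are generated with a constant step (as in the page's win98 example) or with real variation. The following script is an added example, not part of hping; it parses the two-column --seqnum lines, recomputes the deltas modulo 2^32 independently of the "+" column hping prints, cross-checks the two, and classifies the ISN generator. The sample text is the page's own output, embedded as a constructed string, and the "settle" parameter plus the 1% variance threshold are assumptions of this example.

```python
"""Assess ISN behaviour from hping --seqnum output (added example, not hping code)."""
import re
from statistics import pstdev

# Constructed sample: the --seqnum lines quoted on the page. First column is the
# sequence number of each reply, second column the delta hping prints.
SAMPLE_SEQNUM_OUTPUT = """\
HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes
2361294848 +2361294848
2411626496 +50331648
2545844224 +134217728
2713616384 +167772160
2881388544 +167772160
3049160704 +167772160
3216932864 +167772160
3384705024 +167772160
"""

LINE_RE = re.compile(r"^(\d+)\s+\+(\d+)$")


def parse_seqnum(text):
    """Return (isn, printed_delta) tuples for every data line; banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), int(m.group(2))))
    return rows


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2**32 because sequence numbers wrap."""
    return [(b - a) % 2**32 for a, b in zip(isns, isns[1:])]


def printed_deltas_match(rows):
    """Cross-check hping's '+delta' column against our own differences.

    hping prints the first delta as the ISN itself (difference from 0), so it is skipped.
    """
    isns = [isn for isn, _ in rows]
    printed = [d for _, d in rows][1:]
    return printed == isn_deltas(isns)


def classify_isn(isns, settle=2):
    """Classify the ISN generator from observed values.

    settle: number of leading deltas to ignore; the page notes the increment only
    stabilises after the first replies.  Returns 'constant-increment' when every
    remaining delta is identical (fully predictable, as in the page's win98 example),
    'low-variance' when they cluster within 1% of the largest delta (assumed
    threshold), otherwise 'varied'.
    """
    deltas = isn_deltas(isns)[settle:]
    if not deltas:
        return "insufficient-data"
    if len(set(deltas)) == 1:
        return "constant-increment"
    if pstdev(deltas) < 0.01 * max(deltas):
        return "low-variance"
    return "varied"


def analyse(text, settle=2):
    """Parse --seqnum output and return deltas plus a verdict on the ISN generator."""
    rows = parse_seqnum(text)
    isns = [isn for isn, _ in rows]
    return {
        "count": len(isns),
        "deltas": isn_deltas(isns),
        "printed_ok": printed_deltas_match(rows),
        "verdict": classify_isn(isns, settle),
    }


if __name__ == "__main__":
    print(analyse(SAMPLE_SEQNUM_OUTPUT))
```

Feed it the text hping printed (for example via a pipe) and a "constant-increment" verdict on one of your own hosts is the signal that its TCP stack needs replacing or patching; "varied" is what a modern stack should produce.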
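The three reply formats documented above (standard and verbose TCP lines, UDP lines, and the two ICMP shapes) are easy to read but awkward to process in bulk, for instance when checking what a firewall returned for a batch of probes. The following parser is an added example, not hping's own code; it turns each reply line into a dictionary using only the field layout described on this page. The sample capture is constructed from the page's example lines; the record keys and the "summarize" counters are this example's choices.

```python
"""Parse hping reply lines into records (added example, not part of hping)."""
import re

# Constructed sample capture mixing the line shapes described on the page.
SAMPLE_OUTPUT = """\
HPING 192.168.1.1 (eth0 192.168.1.1): S set, 40 headers + 0 data bytes
len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
len=46 ip=192.168.1.1 flags=RA DF seq=1 ttl=255 id=0 win=0 rtt=0.4 ms tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0
len=46 ip=192.168.1.1 seq=0 ttl=64 id=0 rtt=6.0 ms
ICMP Port Unreachable from ip=192.168.1.1 name=nano.marmoc.net
TTL 0 during transit from ip=192.168.1.1 name=nano.marmoc.net
TTL 0 during reassembly from ip=192.70.106.25 name=UNKNOWN
"""

# "ICMP <error> from ip=... name=..." or "TTL 0 during <transit|reassembly> from ip=... name=..."
ICMP_RE = re.compile(
    r"^(?:ICMP (?P<err>.+?)|TTL 0 during (?P<phase>transit|reassembly))"
    r" from ip=(?P<ip>\S+) name=(?P<name>\S+)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")
INT_FIELDS = ("len", "seq", "ttl", "id", "win", "tos", "iplen", "tcp_seq", "ack", "urp")


def parse_reply(line):
    """Return a record for one reply line, or None for banner/summary lines."""
    line = line.strip()
    m = ICMP_RE.match(line)
    if m:
        err = m.group("err") or "TTL 0 during " + m.group("phase")
        return {"kind": "icmp", "error": err, "ip": m.group("ip"), "name": m.group("name")}
    if not line.startswith("len="):
        return None
    rec = {}
    for key, val in KV_RE.findall(line):
        # Verbose TCP lines carry 'seq' twice: hping's probe seq first, then the TCP header seq.
        if key in rec:
            key = "tcp_" + key
        rec[key] = val
    # 'DF' is a bare token after the flags, not a key=value pair.
    rec["df"] = " DF " in " " + line + " "
    rec["kind"] = "tcp" if "flags" in rec else "udp"
    rec["flags"] = set(rec["flags"]) if "flags" in rec else set()  # one letter per flag
    rec["rtt_ms"] = float(rec.pop("rtt"))  # the trailing 'ms' token is simply ignored
    for k in INT_FIELDS:
        if k in rec:
            rec[k] = int(rec[k])
    return rec  # 'sum' stays a hex string exactly as hping printed it


def summarize(text):
    """Count replies by kind and how many TCP replies carried RST (closed/filtered hints)."""
    counts = {"tcp": 0, "udp": 0, "icmp": 0, "rst": 0}
    for line in text.splitlines():
        rec = parse_reply(line)
        if rec is None:
            continue
        counts[rec["kind"]] += 1
        if "R" in rec.get("flags", ()):
            counts["rst"] += 1
    return counts


if __name__ == "__main__":
    for raw in SAMPLE_OUTPUT.splitlines():
        parsed = parse_reply(raw)
        if parsed:
            print(parsed)
    print(summarize(SAMPLE_OUTPUT))
```

Because the verbose line repeats the seq key, the parser renames the second occurrence to tcp_seq rather than silently overwriting the probe sequence number; the DF marker and the trailing "ms" unit are the two tokens that do not follow the key=value pattern and are handled separately.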