N.B.: this HOWTO is not completed and in some points very silly. I leave
this here only because maybe it's better than nothing.

HPING2 HOWTO

Changes Log
-----------
Aug 7 1999   vi HPING2-HOWTO.txt
Aug 8 1999   __0000, __0001, __0002, __0003
Aug 10 1999  __0004

Index
-----
[search __XXXX in order to jump to the point you want]

__0000: Copyright notice
__0001: What is hping?
__0002: What do I need to know about TCP/IP in order to use hping?
__0003: First steps with hping
__0004: IP id and how to scan TCP ports using spoofing.
__0005: How to test firewall rules. (TODO)
__0006: How to transfer files across a firewall. (TODO)
__000A: hping usage examples (TODO)

__0000: Copyright notice, License, and all that stuff

Copyright (C) Salvatore Sanfilippo, 1999.

Permission is granted to make and distribute copies of this manual provided
the copyright notice and this permission notice are preserved on all copies.

Permission is granted to copy and distribute modified versions of this manual
under the conditions for verbatim copying, provided that the derived work is
distributed under the terms of a permission notice identical to this one.
Translations fall under the category of ``modified versions.''

Warranty: None.

Recommendations: Commercial redistribution is allowed and encouraged; however,
it is strongly recommended that the redistributor contact the author before
the redistribution, in the interest of keeping things up-to-date (you could
send me a copy of the thing you're making while you're at it). Translators
are also advised to contact the author before translating. The printed
version looks nicer. Recycle.

__0001: What is hping?

Hping is a tool for TCP/IP stack auditing: it can uncover firewall policy,
scan TCP ports in many different modes, transfer files across a firewall and
do much more. Hping is also useful for tasks that have nothing to do with
security: for example you can test network performance, check whether a host
is up, check whether TOS is handled, et cetera.

__0002: What do I need to know about TCP/IP in order to use hping?

If you know TCP/IP you will find hping very useful; otherwise you can use
hping only for well-known tests. See __000A for some examples.

__0003: First steps with hping

The simplest usage of hping is the following:

# hping host

This command sends a TCP null-flags packet to port 0 of the target host every
second and shows the host's replies. For example:

# hping www.debian.org
ppp0 default routing interface selected (according to /proc)
HPING www.debian.org (ppp0 209.81.8.242): NO FLAGS are set, 40 headers + 0 data bytes
40 bytes from 209.81.8.242: flags=RA seq=0 ttl=243 id=63667 win=0 time=369.4 ms
40 bytes from 209.81.8.242: flags=RA seq=1 ttl=243 id=63719 win=0 time=420.0 ms
40 bytes from 209.81.8.242: flags=RA seq=2 ttl=243 id=63763 win=0 time=350.0 ms
[Ctrl+C]
--- www.debian.org hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss

As you can see, the host replies with a TCP packet with the RST and ACK flags
set. So you are able to perform a 'TCP ping', which is useful when ICMP is
filtered. Port 0 is used by default because it is very unlikely to be in
LISTEN state. If we send a TCP null-flags packet to a port in LISTEN state,
many TCP/IP stacks will not send any reply, so we are able to tell whether a
port is in LISTEN state. For example:

# hping www.debian.org -p 80
ppp0 default routing interface selected (according to /proc)
HPING www.debian.org (ppp0 209.81.8.242): NO FLAGS are set, 40 headers + 0 data bytes
[Ctrl+C]
--- www.debian.org hping statistic ---
5 packets trasmitted, 0 packets received, 100% packet loss

Since port 80 of www.debian.org is in LISTEN mode we got no response. But
what happens if we try to hping a firewalled port? This depends on the
firewall policy/implementation. Usually we get an ICMP error or nothing at
all. For example:

# hping www.yahoo.com -p 79
ppp0 default routing interface selected (according to /proc)
HPING www.yahoo.com (ppp0 204.71.200.67): NO FLAGS are set, 40 headers + 0 data bytes
ICMP Packet filtered from 206.132.254.41 (pos1-0-2488M.hr8.SNV.globalcenter.net)
--- www.yahoo.com hping statistic ---
14 packets tramitted, 0 packets received, 100% packet loss

The yahoo firewall doesn't allow connections to port 79, so it replies with
an ICMP Packet filtered (ICMP unreachable, code 13). However, a lot of
firewalls simply drop the packet. For example:

# hping www.microsoft.com -p 79
ppp0 default routing interface selected (according to /proc)
HPING www.microsoft.com (ppp0 207.46.130.150): NO FLAGS are set, 40 headers + 0 data bytes
--- www.microsoft.com hping statistic ---
4 packets tramitted, 0 packets received, 100% packet loss

No reply from microsoft. Is the port firewalled or in LISTEN mode? Uncovering
this is very simple: we just set the ACK flag instead of sending a TCP
null-flags packet. If the host responds, this port may be in LISTEN mode (but
it's also possible that there is a rule that denies null-flags TCP packets
but allows ACK).

# hping www.microsoft.com -A -p 79
ppp0 default routing interface selected (according to /proc)
HPING www.microsoft.com (ppp0 207.46.130.149): A set, 40 headers + 0 data bytes
--- www.microsoft.com hping statistic ---
3 packets tramitted, 0 packets received, 100% packet loss

No response again, so this port seems to be filtered. Anyway, it's possible
that microsoft is using an 'intelligent' firewall that knows that in order to
connect I must first send a SYN.

# hping www.microsoft.com -S -p 79
ppp0 default routing interface selected (according to /proc)
HPING www.microsoft.com (ppp0 207.46.130.149): S set, 40 headers + 0 data bytes
--- www.microsoft.com hping statistic ---
3 packets tramitted, 0 packets received, 100% packet loss

Ok.. it seems that port 79 of microsoft is really filtered. Just for clarity,
we send some ACKs to port 80 of www.debian.org:

# hping www.debian.org -p 80 -A
ppp0 default routing interface selected (according to /proc)
HPING www.debian.org (ppp0 209.81.8.242): A set, 40 headers + 0 data bytes
40 bytes from 209.81.8.242: flags=R seq=0 ttl=243 id=5590 win=0 time=379.5 ms
40 bytes from 209.81.8.242: flags=R seq=1 ttl=243 id=5638 win=0 time=370.0 ms
40 bytes from 209.81.8.242: flags=R seq=2 ttl=243 id=5667 win=0 time=360.0 ms
--- www.debian.org hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss

We can see replies even though port 80 is in LISTEN mode, because a port in
LISTEN mode may withhold replies only for NULL, FIN, Xmas and Ymas flags TCP
packets. ACK and RST are two important TCP flags that allow ACL tests and
guessing of ip->id without (usually) producing any log.

__0004: IP id and how to scan TCP ports using spoofing.

Every IP packet is identified by a 16 bit id; IP stacks use it to reassemble
fragments. A lot of OSs handle ip->id trivially: they just increment the id
by 1 for each packet sent. Using this id you are able at least to estimate a
host's traffic and to scan with spoofed packets. OpenBSD >= 2.5 and many
others implement a random, non-repeating id, so you aren't able to play with
ip->id. Win* ip->id has a different byte ordering, so you must specify the
--winid or -W option if you are using hping2 against Win*.

N.B.: You are still able to scan a host whose ip->id is safe/random: to spoof
your packets you need a third-party host with an incremental id, but the
target of your scan does not need an incremental id.

How to estimate host traffic using ip->id? It's really simple:

# hping www.yahoo.com -p 80 -A
ppp0 default routing interface selected (according to /proc)
HPING www.yahoo.com (ppp0 204.71.200.74): A set, 40 headers + 0 data bytes
40 bytes from 204.71.200.74: flags=R seq=0 ttl=53 id=29607 win=0 rtt=329.4 ms
40 bytes from 204.71.200.74: flags=R seq=1 ttl=53 id=31549 win=0 rtt=390.0 ms
40 bytes from 204.71.200.74: flags=R seq=2 ttl=53 id=33432 win=0 rtt=390.0 ms
40 bytes from 204.71.200.74: flags=R seq=3 ttl=53 id=35368 win=0 rtt=380.0 ms
40 bytes from 204.71.200.74: flags=R seq=4 ttl=53 id=37335 win=0 rtt=390.0 ms
40 bytes from 204.71.200.74: flags=R seq=5 ttl=53 id=39157 win=0 rtt=380.0 ms
40 bytes from 204.71.200.74: flags=R seq=6 ttl=53 id=41118 win=0 rtt=370.0 ms
40 bytes from 204.71.200.74: flags=R seq=7 ttl=53 id=43330 win=0 rtt=390.0 ms
--- www.yahoo.com hping statistic ---
8 packets tramitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 329.4/377.4/390.0 ms

As you can see, the id field increases. The packet with sequence 0 has
id=29607 and sequence 1 has id=31549, so the www.yahoo.com host sent
31549-29607 = 1942 packets in about one second.

Using the -r|--relid option, hping outputs the id field as the difference
between the last and the current received packet id.

# hping www.yahoo.com -P 80 -A -r
ppp0 default routing interface selected (according to /proc)
HPING www.yahoo.com (ppp0 204.71.200.68): A set, 40 headers + 0 data bytes
40 bytes from 204.71.200.68: flags=R seq=0 ttl=53 id=65179 win=0 rtt=327.1 ms
40 bytes from 204.71.200.68: flags=R seq=1 ttl=53 id=+1936 win=0 rtt=360.0 ms
40 bytes from 204.71.200.68: flags=R seq=2 ttl=53 id=+1880 win=0 rtt=340.0 ms
40 bytes from 204.71.200.68: flags=R seq=3 ttl=53 id=+1993 win=0 rtt=330.0 ms
40 bytes from 204.71.200.68: flags=R seq=4 ttl=53 id=+1871 win=0 rtt=350.0 ms
40 bytes from 204.71.200.68: flags=R seq=5 ttl=53 id=+1932 win=0 rtt=340.0 ms
40 bytes from 204.71.200.68: flags=R seq=6 ttl=53 id=+1776 win=0 rtt=330.0 ms
40 bytes from 204.71.200.68: flags=R seq=7 ttl=53 id=+1749 win=0 rtt=320.0 ms
40 bytes from 204.71.200.68: flags=R seq=8 ttl=53 id=+1888 win=0 rtt=340.0 ms
40 bytes from 204.71.200.68: flags=R seq=9 ttl=53 id=+1907 win=0 rtt=330.0 ms
--- www.yahoo.com hping statistic ---
10 packets tramitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 320.0/336.7/360.0 ms
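The following Python is an added example, not part of the HOWTO or of hping itself: it reads hping reply lines like the ones above, applies the reasoning of __0003 to classify a reply, and reproduces the ip->id arithmetic of __0004 (the --relid difference, with 16-bit wraparound and the -W byte swap, plus the packets-per-probe estimate). The sample lines are constructed from the transcripts in this document; the function names are mine.

```python
import re
# Constructed sample, modelled on the hping2 reply lines shown in this HOWTO.
SAMPLE_REPLIES = [
    "40 bytes from 204.71.200.74: flags=R seq=0 ttl=53 id=29607 win=0 rtt=329.4 ms",
    "40 bytes from 204.71.200.74: flags=R seq=1 ttl=53 id=31549 win=0 rtt=390.0 ms",
    "40 bytes from 204.71.200.74: flags=R seq=2 ttl=53 id=33432 win=0 rtt=390.0 ms",
]

# Matches the flags, seq and id fields of one hping reply line.
REPLY_RE = re.compile(r"flags=(?P<flags>\w*) seq=(?P<seq>\d+) .*?\bid=(?P<id>\d+)")

def parse_ids(lines, winid=False):
    """Extract raw ip->id values from hping reply lines. winid=True swaps the
    two id bytes, as hping's -W/--winid does for the byte order of Win* stacks."""
    ids = []
    for line in lines:
        m = REPLY_RE.search(line)
        if not m:
            continue  # banner, ICMP and statistics lines are not replies
        ipid = int(m.group("id"))
        if winid:
            ipid = ((ipid & 0xFF) << 8) | (ipid >> 8)
        ids.append(ipid)
    return ids

def relative_ids(ids):
    """Consecutive id differences modulo 2^16, as -r/--relid prints them; the
    modulo keeps a wrap from 65500 to 100 at +136 instead of a negative."""
    return [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]

def packets_per_probe(ids):
    """Mean packets the host emitted between two of our probes (hping sends one
    probe per second by default, so this is roughly packets per second)."""
    deltas = relative_ids(ids)
    return sum(deltas) / len(deltas) if deltas else 0.0

def classify_reply(probe_flags, reply):
    """Read one reply the way section __0003 does. probe_flags is '' for a
    null-flags probe, 'A' for ACK or 'S' for SYN; reply is a line or None."""
    if reply is None:
        return "no reply: LISTEN state or silently filtered" if probe_flags == "" else "no reply: filtered"
    if reply.startswith("ICMP"):
        return "filtered: ICMP unreachable returned"
    m = REPLY_RE.search(reply)
    flags = m.group("flags") if m else ""
    if probe_flags == "" and "R" in flags:
        return "closed: RST to null-flags probe"
    if probe_flags == "A" and flags == "R":
        return "host up: RST to ACK (says nothing about LISTEN state)"
    return "unexpected reply"
```

Lines already printed in --relid form (id=+1936) carry no raw counter, so parse_ids skips them; feed it the plain output and compute the differences with relative_ids instead.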