Hping Tips and Tricks

Peter Kacherginsky
14 min read · Aug 13, 2008

Hping is a TCP/IP packet forging tool with embedded Tcl scripting functionality. Developed by antirez in 1998, it is now in its 3rd release. The tool runs on all major operating systems including Linux, *BSD, and Windows.

Port Scanning

Hping gives you complete freedom to craft any raw IP, TCP, UDP, and ICMP packets.

With such powerful capability we can proceed to replicate most of the standard scan types:

TCP SYN Scan

The simplest way to initiate a classic TCP SYN Scan is to use the following command line options:

hping3 -S 72.14.207.99 -p 80 -c 1

NOTE: I had to use the -c 1 flag in order to send the SYN packet only once; otherwise hping will keep sending probes.

This will produce the following output:

HPING 72.14.207.99 (eth1 72.14.207.99): S set, 40 headers + 0 data bytes
len=46 ip=72.14.207.99 ttl=244 id=64932 sport=80 flags=SA seq=0 win=8190 rtt=266.4 ms

--- 72.14.207.99 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 266.4/266.4/266.4 ms

This will scan port 80 on Google. As we can see from the output, the packet returned by Google has the SYN and ACK flags set (flags=SA), which indicates an open port.

In order to scan a range of ports starting from port 80 and up, use the following command line:

hping3 -S 4.2.2.1 -p ++50

The ++ prefix increments the destination port with each subsequent packet sent to the target.

HPING 4.2.2.1 (eth1 4.2.2.1): S set, 40 headers + 0 data bytes
len=46 ip=4.2.2.1 ttl=56 DF id=32839 sport=50 flags=RA seq=0 win=0 rtt=264.3 ms
len=46 ip=4.2.2.1 ttl=56 DF id=32840 sport=51 flags=RA seq=1 win=0 rtt=277.6 ms
len=46 ip=4.2.2.1 ttl=56 DF id=32841 sport=52 flags=RA seq=2 win=0 rtt=285.4 ms
len=46 ip=4.2.2.1 ttl=56 DF id=32842 sport=53 flags=SA seq=3 win=49312 rtt=270.7 ms
len=46 ip=4.2.2.1 ttl=56 DF id=32843 sport=54 flags=RA seq=4 win=0 rtt=225.1 ms
len=46 ip=4.2.2.1 ttl=56 DF id=32844 sport=55 flags=RA seq=5 win=0 rtt=202.6 ms
len=46 ip=4.2.2.1 ttl=56 DF id=32845 sport=56 flags=RA seq=6 win=0 rtt=196.7 ms

--- 4.2.2.1 hping statistic ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 196.7/246.1/285.4 ms

From the output above we can see that the majority of probes returned RST packets…
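Reading the flags column by hand gets tedious over a `++` range, so here is an added parser (my own example, not code from the original post or from hping) that turns hping3 reply lines into a per-port verdict and infers the ports that never answered from the statistics footer. The sample output is constructed from the lines above; `start_port` must match the value given to `-p ++`.

```python
import re
from typing import Dict

# Constructed sample in the format hping3 prints for `hping3 -S 4.2.2.1 -p ++50`
# (reply lines for ports 50, 52 and 53; the probe to port 51 got no answer).
SAMPLE_OUTPUT = """\
HPING 4.2.2.1 (eth1 4.2.2.1): S set, 40 headers + 0 data bytes
len=46 ip=4.2.2.1 ttl=56 DF id=32839 sport=50 flags=RA seq=0 win=0 rtt=264.3 ms
len=46 ip=4.2.2.1 ttl=56 DF id=32841 sport=52 flags=RA seq=2 win=0 rtt=285.4 ms
len=46 ip=4.2.2.1 ttl=56 DF id=32842 sport=53 flags=SA seq=3 win=49312 rtt=270.7 ms

--- 4.2.2.1 hping statistic ---
4 packets transmitted, 3 packets received, 25% packet loss
round-trip min/avg/max = 264.3/273.4/285.4 ms
"""

# One reply line; the "DF" token is optional, as the two outputs above show.
REPLY_RE = re.compile(
    r"^len=\d+ ip=\S+ ttl=\d+ (?:DF )?id=\d+ sport=(?P<sport>\d+) "
    r"flags=(?P<flags>[A-Z]*) seq=(?P<seq>\d+) win=\d+ rtt=(?P<rtt>[\d.]+) ms$"
)
STATS_RE = re.compile(r"^(?P<sent>\d+) packets transmitted, (?P<recv>\d+) packets received")

def classify_flags(flags: str) -> str:
    """Port state implied by the flags of the reply to a SYN probe."""
    if "S" in flags and "A" in flags:
        return "open"       # SYN/ACK: a listener completed step 2 of the handshake
    if "R" in flags:
        return "closed"     # RST (hping shows RA): reachable, but nothing listening
    return "unknown"        # anything else (e.g. a bare ACK) needs manual inspection

def summarize_syn_scan(output: str, start_port: int) -> Dict[int, str]:
    """Map every probed port to open / closed / no-reply.

    With `-p ++N` probe number `seq` targets port N+seq, and hping prints a line
    only for ports that answered, so the silent ports are inferred from the
    'packets transmitted' count (no reply usually means a filter dropped the
    probe or the answer).
    """
    states: Dict[int, str] = {}
    sent = 0
    for line in output.splitlines():
        m = REPLY_RE.match(line)
        if m:
            states[int(m["sport"])] = classify_flags(m["flags"])
            continue
        s = STATS_RE.match(line)
        if s:
            sent = int(s["sent"])
    for port in range(start_port, start_port + sent):
        states.setdefault(port, "no-reply")
    return dict(sorted(states.items()))

if __name__ == "__main__":
    for port, state in summarize_syn_scan(SAMPLE_OUTPUT, 50).items():
        print(f"{port}/tcp {state}")
```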
