Hping is a TCP/IP packet forging tool with embedded Tcl scripting functionality. Developed by antirez in 1998, it is now in its 3rd release. The tool runs on all major operating systems including Linux, *BSD, and Windows.
Hping gives you complete freedom to craft any raw IP, TCP, UDP, and ICMP packets.
With that capability we can replicate most of the standard scan types:
TCP SYN Scan
The simplest way to initiate a classic TCP SYN Scan is to use the following command line options:
hping3 -S 126.96.36.199 -p 80 -c 1
NOTE: I had to use the -c 1 flag in order to send the SYN packet only once; otherwise hping will keep sending probes.
This will produce the following output:
HPING 188.8.131.52 (eth1 184.108.40.206): S set, 40 headers + 0 data bytes
len=46 ip=220.127.116.11 ttl=244 id=64932 sport=80 flags=SA seq=0 win=8190 rtt=266.4 ms
--- 18.104.22.168 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 266.4/266.4/266.4 ms
This will scan port 80 on Google. As we can see from the output, the packet returned by Google has the SYN and ACK flags set (flags=SA), which indicates an open port.
In order to scan a range of ports counting upward from a starting port, use the following command line (here starting at port 50):
hping3 -S 22.214.171.124 -p ++50
The ++ prefix increments the destination port by one for each subsequent packet sent to the target.
HPING 126.96.36.199 (eth1 188.8.131.52): S set, 40 headers + 0 data bytes
len=46 ip=184.108.40.206 ttl=56 DF id=32839 sport=50 flags=RA seq=0 win=0 rtt=264.3 ms
len=46 ip=220.127.116.11 ttl=56 DF id=32840 sport=51 flags=RA seq=1 win=0 rtt=277.6 ms
len=46 ip=18.104.22.168 ttl=56 DF id=32841 sport=52 flags=RA seq=2 win=0 rtt=285.4 ms
len=46 ip=22.214.171.124 ttl=56 DF id=32842 sport=53 flags=SA seq=3 win=49312 rtt=270.7 ms
len=46 ip=126.96.36.199 ttl=56 DF id=32843 sport=54 flags=RA seq=4 win=0 rtt=225.1 ms
len=46 ip=188.8.131.52 ttl=56 DF id=32844 sport=55 flags=RA seq=5 win=0 rtt=202.6 ms
len=46 ip=184.108.40.206 ttl=56 DF id=32845 sport=56 flags=RA seq=6 win=0 rtt=196.7 ms
--- 220.127.116.11 hping statistic ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 196.7/246.1/285.4 ms
From the output above we can see that the majority of probes returned RST packets…
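To turn this kind of output into a per-port verdict, here is an added Python example (not part of the original post and not hping's own code) that parses reply lines in the format shown above and maps flags=SA to open, flags=RA to closed, and a probed port with no reply to no-response; the sample output is constructed and uses a documentation address rather than a real host.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the hping3 output above; 192.0.2.10 is a
# documentation address (RFC 5737), not a real target.
SAMPLE_OUTPUT = """\
HPING 192.0.2.10 (eth1 192.0.2.10): S set, 40 headers + 0 data bytes
len=46 ip=192.0.2.10 ttl=56 DF id=32839 sport=50 flags=RA seq=0 win=0 rtt=264.3 ms
len=46 ip=192.0.2.10 ttl=56 DF id=32842 sport=53 flags=SA seq=3 win=49312 rtt=270.7 ms
len=46 ip=192.0.2.10 ttl=56 DF id=32843 sport=54 flags=RA seq=4 win=0 rtt=225.1 ms
--- 192.0.2.10 hping statistic ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 225.1/253.4/270.7 ms
"""

# In a SYN scan the reply's source port is the port we probed; the flags tell
# us what the remote TCP stack did with our SYN.
REPLY_RE = re.compile(r"\bsport=(\d+)\b.*?\bflags=([A-Z]+)\b")


def classify_flags(flags: str) -> str:
    """Map the TCP flags of a reply to a SYN-scan port state."""
    if "S" in flags and "A" in flags:
        return "open"       # SYN/ACK: a listener answered step 2 of the handshake
    if "R" in flags:
        return "closed"     # RST (usually RST/ACK): reachable, but nothing listening
    return "unknown"        # anything else is not a normal SYN-scan answer


def parse_hping_replies(output: str) -> Dict[int, str]:
    """Return {port: state} for every reply line found in hping3 output."""
    states: Dict[int, str] = {}
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            states[int(m.group(1))] = classify_flags(m.group(2))
    return states


def port_states(output: str, probed_ports: List[int]) -> Dict[int, str]:
    """Combine the replies with the list of ports actually probed.

    A probed port that never answered is reported as 'no-response': the SYN or
    its reply was dropped (typically by a filter), so it is neither open nor closed.
    """
    replies = parse_hping_replies(output)
    return {port: replies.get(port, "no-response") for port in probed_ports}


if __name__ == "__main__":
    for port, state in port_states(SAMPLE_OUTPUT, list(range(50, 56))).items():
        print(f"port {port}: {state}")
```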