Hping is a TCP/IP packet forging tool with embedded Tcl scripting functionality. Developed by antirez in 1998, it is now in its third major version (hping3). The tool runs on all major operating systems including Linux, *BSD, and Windows.
Hping gives you complete freedom to craft any raw IP, TCP, UDP, and ICMP packets.
With that level of control over the headers we can replicate most of the standard scan types by hand:
TCP SYN Scan
The simplest way to initiate a classic TCP SYN Scan is to use the following command line options:
hping3 -S 188.8.131.52 -p 80 -c 1
NOTE: I had to use the -c 1 flag in order to send the SYN packet only once; without a count, hping keeps sending probes (one per second by default) until it is interrupted.
This will produce the following output:
HPING 184.108.40.206 (eth1 220.127.116.11): S set, 40 headers + 0 data bytes
len=46 ip=18.104.22.168 ttl=244 id=64932 sport=80 flags=SA seq=0 win=8190 rtt=266.4 ms
--- 22.214.171.124 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 266.4/266.4/266.4 ms
This scans port 80 on Google. As we can see from the output, the packet returned by Google has the SYN and ACK flags set (flags=SA), which indicates an open port: the service accepted our SYN and answered with the second step of the three-way handshake. A RST (flags=RA) would mean the host is reachable but nothing is listening, and no reply at all usually means a firewall dropped the probe. Because hping writes the SYN through a raw socket, the local kernel knows nothing about the connection and answers the SYN/ACK with a RST of its own, so the handshake is never completed and this is a half-open scan.
In order to scan a range of ports starting from port 50 and counting upwards, use the following command line:
hping3 -S 126.96.36.199 -p ++50
The ++ prefix increments the destination port by one for each subsequent packet sent to the target, so with -c N you probe exactly N ports; without -c the scan runs at the default rate of one probe per second until you stop it with Ctrl-C (use -i u<microseconds>, --fast or --faster to speed it up). The sport= field in each reply is the target port that answered.
HPING 188.8.131.52 (eth1 184.108.40.206): S set, 40 headers + 0 data bytes
len=46 ip=220.127.116.11 ttl=56 DF id=32839 sport=50 flags=RA seq=0 win=0 rtt=264.3 ms
len=46 ip=18.104.22.168 ttl=56 DF id=32840 sport=51 flags=RA seq=1 win=0 rtt=277.6 ms
len=46 ip=22.214.171.124 ttl=56 DF id=32841 sport=52 flags=RA seq=2 win=0 rtt=285.4 ms
len=46 ip=126.96.36.199 ttl=56 DF id=32842 sport=53 flags=SA seq=3 win=49312 rtt=270.7 ms
len=46 ip=188.8.131.52 ttl=56 DF id=32843 sport=54 flags=RA seq=4 win=0 rtt=225.1 ms
len=46 ip=184.108.40.206 ttl=56 DF id=32844 sport=55 flags=RA seq=5 win=0 rtt=202.6 ms
len=46 ip=220.127.116.11 ttl=56 DF id=32845 sport=56 flags=RA seq=6 win=0 rtt=196.7 ms
--- 18.104.22.168 hping statistic ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 196.7/246.1/285.4 ms
From the output above we can see that the majority of probes returned RST packets…
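Reading flags off a handful of lines is easy, but for a longer range it helps to turn hping3's reply lines into a port state table and, just as important, to account for the ports that never answered. The script below is an added example and is not hping3's own code. It parses the per-reply lines shown above (for the single-port scan and for the ++ range scan), maps SYN/ACK to open and RST to closed, and reports any port in the probed range that produced no reply as filtered. It assumes the scan was run as hping3 -S <host> -p ++<base> -c <count>, so that probe i targets port base + i; the sample output embedded in it is constructed (target 192.0.2.10, a documentation address) to mirror the format of the output above, with two replies missing to show the filtered case.

```python
"""Classify hping3 SYN-scan replies into open / closed / filtered ports.

Added example, not part of hping3. Assumes the scan was run as
`hping3 -S <host> -p ++<base_port> -c <count>` so probe i hits base_port + i.
"""
import re

# Constructed sample in hping3's output format (target address is TEST-NET-1).
# Ports 52 and 55 deliberately never answer.
SAMPLE_OUTPUT = """\
HPING 192.0.2.10 (eth1 192.0.2.10): S set, 40 headers + 0 data bytes
len=46 ip=192.0.2.10 ttl=56 DF id=32839 sport=50 flags=RA seq=0 win=0 rtt=264.3 ms
len=46 ip=192.0.2.10 ttl=56 DF id=32840 sport=51 flags=RA seq=1 win=0 rtt=277.6 ms
len=46 ip=192.0.2.10 ttl=56 DF id=32842 sport=53 flags=SA seq=3 win=49312 rtt=270.7 ms
len=46 ip=192.0.2.10 ttl=56 DF id=32843 sport=54 flags=RA seq=4 win=0 rtt=225.1 ms
len=46 ip=192.0.2.10 ttl=56 DF id=32845 sport=56 flags=RA seq=6 win=0 rtt=196.7 ms
--- 192.0.2.10 hping statistic ---
7 packets transmitted, 5 packets received, 28% packet loss
round-trip min/avg/max = 196.7/246.8/277.6 ms
"""

# One hping3 reply line. "DF" is only printed when the Don't Fragment bit is set.
REPLY_RE = re.compile(
    r"len=(?P<len>\d+) ip=(?P<ip>\S+) ttl=(?P<ttl>\d+) (?:DF )?id=(?P<id>\d+) "
    r"sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]*) seq=(?P<seq>\d+) "
    r"win=(?P<win>\d+) rtt=(?P<rtt>[\d.]+) ms"
)


def classify_flags(flags: str) -> str:
    """Map the TCP flags of a reply to a port state (nmap-style names)."""
    if "S" in flags and "A" in flags:
        return "open"        # SYN/ACK: a listener completed step 2 of the handshake
    if "R" in flags:
        return "closed"      # RST (usually RST/ACK): host reachable, nothing listening
    return "unexpected"      # anything else deserves a look by a human


def parse_replies(output: str) -> dict:
    """Return {port: fields} for every reply line; banner/statistics lines are skipped."""
    replies = {}
    for line in output.splitlines():
        m = REPLY_RE.match(line.strip())
        if not m:
            continue
        replies[int(m.group("sport"))] = {
            "flags": m.group("flags"),
            "seq": int(m.group("seq")),
            "ttl": int(m.group("ttl")),
            "win": int(m.group("win")),
            "rtt_ms": float(m.group("rtt")),
        }
    return replies


def scan_report(output: str, base_port: int, count: int) -> dict:
    """Port -> state for base_port .. base_port+count-1.

    Ports that never answered are reported as 'filtered': in a SYN scan,
    silence means a firewall dropped the probe or the reply (or the packet
    was lost), not that the port is closed. A reply whose seq does not line
    up with its sport did not come from the probe we sent to that port.
    """
    replies = parse_replies(output)
    report = {}
    for port in range(base_port, base_port + count):
        reply = replies.get(port)
        if reply is None:
            report[port] = "filtered"
        elif base_port + reply["seq"] != port:
            report[port] = "unexpected"
        else:
            report[port] = classify_flags(reply["flags"])
    return report


def open_ports(output: str, base_port: int, count: int) -> list:
    """Convenience view: just the ports that answered SYN/ACK."""
    return sorted(p for p, s in scan_report(output, base_port, count).items() if s == "open")


if __name__ == "__main__":
    for port, state in scan_report(SAMPLE_OUTPUT, 50, 7).items():
        print(f"{port}/tcp {state}")
```

Feed it real output with something like hping3 -S target -p ++50 -c 100 2>/dev/null | python3 classify.py (reading sys.stdin instead of SAMPLE_OUTPUT); the count and base port must match what was passed to hping3, otherwise unanswered ports cannot be told apart from ports that were never probed.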