Hping is a TCP/IP packet forging tool with embedded Tcl scripting functionality. Developed by antirez in 1998, it is now in its 3rd release. The tool runs on all major operatings systems including Linux, *BSD, and Windows.
Hping gives you complete freedom to craft any raw IP, TCP, UDP, and ICMP packets.
With such powerful capability we can proceed to replicate most of the standard scan types:
TCP SYN Scan
The simplest way to initiate a classic TCP SYN Scan is to use the following command line options:
hping3 -S 18.104.22.168 -p 80 -c 1
NOTE: I had to use -c 1 flag in order to send the SYN packet only once, otherwise hping will continue sending probes.
This will produce the following output:
HPING 22.214.171.124 (eth1 126.96.36.199): S set, 40 headers + 0 data bytes
len=46 ip=188.8.131.52 ttl=244 id=64932 sport=80 flags=SA seq=0 win=8190 rtt=266.4 ms
--- 184.108.40.206 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 266.4/266.4/266.4 ms
This will scan port 80 on Google. As we can see from the output returned packet from Google contains SYN and ACK flags set which indicates an open port.
In order to scan a range of ports starting from port 80 and up use the following command line:
hping3 -S 220.127.116.11 -p ++50
The ++ prefix will increment port number each subsequent packet sent to the target.
HPING 18.104.22.168 (eth1 22.214.171.124): S set, 40 headers + 0 data bytes
len=46 ip=126.96.36.199 ttl=56 DF id=32839 sport=50 flags=RA seq=0 win=0 rtt=264.3 ms
len=46 ip=188.8.131.52 ttl=56 DF id=32840 sport=51 flags=RA seq=1 win=0 rtt=277.6 ms
len=46 ip=184.108.40.206 ttl=56 DF id=32841 sport=52 flags=RA seq=2 win=0 rtt=285.4 ms
len=46 ip=220.127.116.11 ttl=56 DF id=32842 sport=53 flags=SA seq=3 win=49312 rtt=270.7 ms
len=46 ip=18.104.22.168 ttl=56 DF id=32843 sport=54 flags=RA seq=4 win=0 rtt=225.1 ms
len=46 ip=22.214.171.124 ttl=56 DF id=32844 sport=55 flags=RA seq=5 win=0 rtt=202.6 ms
len=46 ip=126.96.36.199 ttl=56 DF id=32845 sport=56 flags=RA seq=6 win=0 rtt=196.7 ms
--- 188.8.131.52 hping statistic ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 196.7/246.1/285.4 ms
From the output above we can see that the majority of probes returned RST packets…