
HPING3

hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) unix command, but hping isn’t only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features.

While hping was mainly used as a security tool in the past, it can be used in many ways by people that don’t care about security to test networks and hosts. A subset of the stuff you can do using hping:

  • Firewall testing
  • Advanced port scanning
  • Network testing, using different protocols, TOS, fragmentation
  • Manual path MTU discovery
  • Advanced traceroute, under all the supported protocols
  • Remote OS fingerprinting
  • Remote uptime guessing
  • TCP/IP stacks auditing
  • hping can also be useful to students that are learning TCP/IP.

Usage: hping3 host [options]

options

  -h  --help       show this help
  -v  --version    show version
  -c  --count      packet count
  -i  --interval   wait (uX for X microseconds, for example -i u1000)
      --fast       alias for -i u10000 (10 packets for second)
      --faster     alias for -i u1000 (100 packets for second)
      --flood      sent packets as fast as possible. Don’t show replies.
  -n  --numeric    numeric output
  -q  --quiet      quiet
  -I  --interface  interface name (otherwise default routing interface)
  -V  --verbose    verbose mode
  -D  --debug      debugging info
  -z  --bind       bind ctrl+z to ttl (default to dst port)
  -Z  --unbind     unbind ctrl+z
      --beep       beep for every matching packet received


Mode

  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode
  -8  --scan       SCAN mode. Example: hping --scan 1-30,70-90 -S www.target.host
  -9  --listen     listen mode

IP

  -a  --spoof      spoof source address
      --rand-dest  random destionation address mode. see the man.
      --rand-source  random source address mode. see the man.
  -t  --ttl        ttl (default 64)
  -N  --id         id (default random)
  -W  --winid      use win* id byte ordering
  -r  --rel        relativize id field (to estimate host traffic)
  -f  --frag       split packets in more frag. (may pass weak acl)
  -x  --morefrag   set more fragments flag
  -y  --dontfrag   set don’t fragment flag
  -g  --fragoff    set the fragment offset
  -m  --mtu        set virtual mtu, implies --frag if packet size > mtu
  -o  --tos        type of service (default 0x00), try --tos help
  -G  --rroute     includes RECORD_ROUTE option and display the route buffer
      --lsrr       loose source routing and record route
      --ssrr       strict source routing and record route
  -H  --ipproto    set the IP protocol field, only in RAW IP mode

ICMP

  -C  --icmptype   icmp type (default echo request)
  -K  --icmpcode   icmp code (default 0)
      --force-icmp send all icmp types (default send only supported types)
      --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)
      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)
      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)
      --icmp-help  display help for others icmp options

UDP/TCP 

  -s  --baseport   base source port (default random)
  -p  --destport   [+][+] destination port (default 0) ctrl+z inc/dec
  -k  --keep       keep still source port
  -w  --win        winsize (default 64)
  -O  --tcpoff     set fake tcp data offset (instead of tcphdrlen / 4)
  -Q  --seqnum     shows only tcp sequence number
  -b  --badcksum   (try to) send packets with a bad IP checksum
                   many systems will fix the IP checksum sending the packet
                   so you’ll get bad UDP/TCP checksum instead.
  -M  --setseq     set TCP sequence number
  -L  --setack     set TCP ack
  -F  --fin        set FIN flag
  -S  --syn        set SYN flag
  -R  --rst        set RST flag
  -P  --push       set PUSH flag
  -A  --ack        set ACK flag
  -U  --urg        set URG flag
  -X  --xmas       set X unused flag (0x40)
  -Y  --ymas       set Y unused flag (0x80)
      --tcpexitcode  use last tcp->th_flags as exit code
      --tcp-mss    enable the TCP MSS option with the given value
      --tcp-timestamp  enable the TCP timestamp option to guess the HZ/uptime

Common

  -d  --data       data size (default is 0)
  -E  --file       data from file
  -e  --sign       add ‘signature’
  -j  --dump       dump packets in hex
  -J  --print      dump printable characters
  -B  --safe       enable ‘safe’ protocol
  -u  --end        tell you when --file reached EOF and prevent rewind
  -T  --traceroute traceroute mode (implies --bind and --ttl 1)
      --tr-stop    Exit when receive the first not ICMP in traceroute mode
      --tr-keep-ttl  Keep the source TTL fixed, useful to monitor just one hop
      --tr-no-rtt  Don’t calculate/show RTT information in traceroute mode

ARS packet description (new, unstable)

      --apd-send   Send the packet described with APD (see docs/APD.txt)

hping3 Usage Example

Use traceroute mode (--traceroute), be verbose (-V) in ICMP mode (-1) against the target (www.example.com):

root@kali:~# hping3 --traceroute -V -1 www.example.com
using eth0, addr: 192.168.1.15, MTU: 1500
HPING www.example.com (eth0 93.184.216.119): icmp mode set, 28 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=192.168.1.1 name=UNKNOWN
hop=1 hoprtt=0.3 ms
hop=2 TTL 0 during transit from ip=192.168.0.1 name=UNKNOWN
hop=2 hoprtt=3.3 ms
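
An added example, not part of the original page or of hping itself: a small shell function that turns the traceroute output shown above into "hop,ip,name,rtt_ms" rows for logging or for diffing paths over time. The function and sample names are made up for illustration, and the third hop in the sample is constructed to show a hop with no hoprtt line, the shape produced when --tr-no-rtt is used.

```shell
#!/bin/sh
# Reads hping3 traceroute output on stdin and prints one CSV row per hop.
# Only the two line shapes shown in the session above are parsed; the banner
# and any other lines are ignored.
parse_hping_hops() {
    awk '
    # Shape 1: hop=1 TTL 0 during transit from ip=192.168.1.1 name=UNKNOWN
    /^hop=[0-9]+ TTL 0 during transit from ip=/ {
        split($1, h, "=")
        n = h[2] + 0
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^ip=/)   ip[n]   = substr($i, 4)
            if ($i ~ /^name=/) name[n] = substr($i, 6)
        }
        # Keep first-seen order and collapse repeated probes for one hop.
        if (!(n in seen)) { seen[n] = 1; order[++count] = n }
        next
    }
    # Shape 2: hop=1 hoprtt=0.3 ms (absent when --tr-no-rtt is used)
    /^hop=[0-9]+ hoprtt=/ {
        split($1, h, "="); split($2, r, "=")
        rtt[h[2] + 0] = r[2]
        next
    }
    END {
        for (k = 1; k <= count; k++) {
            n = order[k]
            printf "%d,%s,%s,%s\n", n, ip[n], name[n], (n in rtt) ? rtt[n] : "-"
        }
    }'
}

# Constructed sample: hop lines from the session above plus a constructed
# third hop (documentation address 203.0.113.1) that has no hoprtt line.
sample_output() {
    cat <<'EOF'
using eth0, addr: 192.168.1.15, MTU: 1500
hop=1 TTL 0 during transit from ip=192.168.1.1 name=UNKNOWN
hop=1 hoprtt=0.3 ms
hop=2 TTL 0 during transit from ip=192.168.0.1 name=UNKNOWN
hop=2 hoprtt=3.3 ms
hop=3 TTL 0 during transit from ip=203.0.113.1 name=UNKNOWN
EOF
}

sample_output | parse_hping_hops
```

With live output the function is used as a filter on the hping3 command's standard output.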