One of the most time-consuming, but necessary, activities in hacking is reconnaissance. Before we can hack a system, we need to know what operating system it’s running, what ports are open, what services are running, and hopefully, what applications are installed and running.
Good reconnaissance increases our chance for success and reduces our chances of being detected. One of the best tools for this is hping3.
Due to its versatility, hping3 is often referred as a “packet crafting tool,” which means that it can create just about any type of packet you can imagine. This can be very helpful in doing recon, as different packets will illicit different responses from the operating system TCP/IP stack, giving us clues to the underlying OS, ports, and services.
In addition, we can test various IDS and firewall evasion techniques such a fragmenting packets, slow scans, etc. There are so many things we can do with hping3, but I’ll limit myself to just a few in this tutorial.
Like nearly all of the tools I demonstrate here at UltimatePeter, hping3 is built into BackTrack and Kali. So, let’s fire up our BackTrack or Kali and take a look at hping3.
Step 1: Finding Hping3
hping3 is a powerful tool with numerous features and functions. We’ll look at some of the basic functions that are applicable to hackers here, but investing a little time to learn additional features will be time well invested.
Let’s look at the help screen first.
As you can see, the help screen for hping3 is very long and detailed. To better view it, let’s pipe it out to more.
hping3 -h |more
After hitting the enter key a few times to move down the screen, we come to the following information. Please note that hping3 can create TCP, RAW IP, ICMP, and UDP packets with TCP being the default. About the middle of the screen note that:
- -a switch enables us to spoof our IP address
- –rand-dest produces packets with random destination ports
- –rand-source produces packets with random addresses
- -t sets the Time to live for the packets
- -f fragments the packets
If we now scroll down the help page a bit, we will see the following options. Note that like nmap, we can set any of the flags in the packet (FSPURA).
I want you to note the following switches.
- -Q shows only the sequence number
- -S scan using SYN packets
- –tcp-timestamp grabs the timestamp from the tcp packet
Step 2: hping3 Default
One of the most important features to understand about hping3 is that its default packet is TCP. This means that when a network device such a router or firewall is blocking ICMP (ping), we can still do host discovery and reconnaissance with hping3.
Let’s try setting the SYN flag (this would be essentially the same as nmap -sS scan) and checking whether port 80 is open (-p 80).
hping3 -S 192.168.1.105 -p 80
Note in the screenshot above that the packets come back with the flags SA set, meaning the port is open. If the port were closed, the port would respond with an RA.
If we want to scan all the ports beginning with 1, we can simply add the increment switch (++) after the port (p) switch and the port number where we want to start scanning (in this case 1), like so:
hping -S 192.168.1.105 -p ++1
This will scan each port starting at 1, and then increment by one to port 2, then 3, and so on.
Step 3: Fragment Packets with hping3
TCP was designed to be a robust protocol that would continue to communicate even in unfavorable or difficult circumstances. One feature that ensures this robustness is its ability to deal with packets that have been fragmented or broken into multiple pieces. TCP will reassemble those packets when they arrive at the target system.
This feature of TCP can be used against itself by using a tool like hping3 to fragment an attack across multiple packets to evade the IDS and firewall and then have the malware reassembled at the target.
Although most modern IDS’s now attempt to catch fragmentation attacks (in Snort, there is a frag3 preprocessor that attempts to detect fragmentation), older ones do not. Even the newer IDS can only pick up fragmentation they are designed to detect. The beauty of hping3 is that it allows us to design new attacks that the IDS has not yet seen.
Let’s try the hping3 fragmentation.
hping3 -f 192.168.1.105 -p 80
Step 4: Sending Data with hping3
In addition to being able to craft a packet with just about any characteristics we can imagine, hping3 will also allow us to place whatever data we want in those packets. Note in the help screen from Step 1 that the -E switch enables us to denote a file we want to use to fill the payload of the packet.
Let’s say we have a file named malware that contains an exploit we’re trying to send to the target. In addition, we are concerned that this malware might be detected by the IDS. We could use the fragmentation switch and load the malware across multiple packets where it will be reassembled by the target, while evading the IDS or AV software.
hping3 -f 192.168.1.105 -p 80 -d 10 -E malware
- -d is the data payload size (here, we’ve designated it as 10 bytes)
- -E tells hping3 to grab data from the following file
This command then sends the content of the file malware 10 bytes at a time to the target on port 80.
Step 5: Traceroute with hping3
Traceroute is a tool that allows us to trace the route a packet takes across the internet from the client to the target by manipulating the TTL (time to live) of ICMP packets.
It can be a very useful tool for diagnosing problems on an network, and can also be used by hackers to find devices on the network and the location of firewalls, routers, etc. For this reason, most network admin’s block or drop ICMP (ping).
Fortunately for us, hping3 enables us to do exactly the same thing, but use TCP which nearly every firewall allows (otherwise, it wouldn’t allow Internet traffic). Let’s try to run a traceroute using hping3 with the SYN flag set to google.com.
hping3 -z -t 1 -S google.com -p 80
- -z connects the command to the ctrl-z on the keyboard so that every time we press it, the TTL is incremented by 1
- -t sets the initial TTL (in this case, we’re using 1)
- -S sets the flag to SYN
- -p 80 sets the destination port to 80
In the screenshot above, the TTL is still 1, and hping3 tells us that the device is UNKNOWN. We can then hit the ctrl-z and increment the TTL by one and find each device between us and the target.
This screenshot shows us two devices between myself and google.com. Continuing to hit ctrl-z will increment TTL and find each device until I get to Google’s server.
Step 6: Predicting Sequence Numbers with hping3
Another feature that’s built into TCP to assure its robustness is the ability to re-order packets at the target even if they arrive out of order.
Remember that packets don’t always take the same route to the target, so they very often will arrive out of order. TCP puts a sequence number on the packets so that it can put them back into order where they arrive.
This feature has been used by hackers from the beginning of time (well….at least the beginning of Internet time) to conduct man-in-the-middle attacks (MitM). To protect against MitM attacks, operating system manufacturers tweaked their TCP/IP stack so that the sequence numbers are no longer numbered serially. Instead, to make it harder to conduct MitM attacks, the OS uses an algorithm to generate the sequence numbers.
To conduct a successful MitM attack, then we’ll need to predict the sequence numbers. hping3 can help us with that task. We can get the target system to respond with its sequence numbers, and then from the sequence numbers we can decipher what algorithm the OS is using. We can do this by:
hping3 -Q -S google.com -p 80
- -Q displays the sequence numbers
As you can see, google.com responds with its sequence numbers that hping3 captures and displays.
Step 7: hping3 for Uptime
Lastly , we can use hping3 to tell how long the server has been up. This can be very useful information for the hacker, as usually the server must be re-booted to apply updates and patches. By knowing how long the system has been up, we can predict what patches have been applied and what hacks the system is vulnerable to.
For instance, if we find a system that has not been re-booted in three years, we can be pretty certain that any security patches that have been released in that time have not been applied. This means that all the vulnerabilities that have become known in that time are still open on that system.
Hping3 uses the tcp-timestamp packet to predict how long the system has been up. Let’s try this against google.com.
hping3 –tcp-timestamp -S google.com -p 80
As we can see, this google.com web server has been up just 8 days, 4 hours, 21 minutes, and 39 seconds. If you try this scan against other servers, you are likely to see much longer periods of time between the last reboot, sometimes measured in years. These, of course, would be prime targets!