ports by setting the count with the -c flag. In this case, hping3 is going to scan 10 ports and stop. Finally, we can set the source port with the -s flag and a port number. For this scan, the source port doesn't really matter, but in some cases, it will.
Example 3-20. Using hping3 for port scanning

root@rosebud:~# hping3 -S -p ++80 -s 1657 -c 10 192.168.86.1
HPING 192.168.86.1 (eth0 192.168.86.1): S set, 40 headers + 0 data bytes
len=46 ip=192.168.86.1 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=7.8 ms
len=46 ip=192.168.86.1 ttl=64 DF id=15522 sport=81 flags=RA seq=1 win=0 rtt=7.6 ms
len=46 ip=192.168.86.1 ttl=64 DF id=15523 sport=82 flags=RA seq=2 win=0 rtt=7.3 ms
len=46 ip=192.168.86.1 ttl=64 DF id=15524 sport=83 flags=RA seq=3 win=0 rtt=7.0 ms
len=46 ip=192.168.86.1 ttl=64 DF id=15525 sport=84 flags=RA seq=4 win=0 rtt=6.7 ms
len=46 ip=192.168.86.1 ttl=64 DF id=15526 sport=85 flags=RA seq=5 win=0 rtt=6.5 ms
len=46 ip=192.168.86.1 ttl=64 DF id=15527 sport=86 flags=RA seq=6 win=0 rtt=6.2 ms
len=46 ip=192.168.86.1 ttl=64 DF id=15528 sport=87 flags=RA seq=7 win=0 rtt=5.9 ms
len=46 ip=192.168.86.1 ttl=64 DF id=15529 sport=88 flags=RA seq=8 win=0 rtt=5.6 ms
len=46 ip=192.168.86.1 ttl=64 DF id=15530 sport=89 flags=RA seq=9 win=0 rtt=5.3 ms

--- 192.168.86.1 hping statistic ---
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 5.3/6.6/7.8 ms
Unlike a port scanner, which will tell you what ports are open, with hping3 you have to interpret the results to determine whether you've found an open port. As you look over each line of the responses, you can see the flags field. The first message returned has the SYN and ACK flags set. This indicates that the port is open. If you look at the sport field, you will see that the port that's open is 80. This may seem backward in that it's giving a source port, but keep in mind that what you are looking at is a response message. In the message going out, 80 would be the destination port, but in the response, it would become the source port.
The other response messages show that the RST and ACK flags are set. Because the RST flag is set on the response, we know that the port is closed. Using hping3, you can set any collection of flags you would like. For example, you could do an Xmas scan in which the FIN, PSH, and URG flags are set. It's called an Xmas scan because with all those flags set, the packet is said to look like a Christmas tree with lights on it. You have to imagine that enabling a flag turns on a light in order to make sense of this name.

To do an Xmas scan, we could just set all those flags on the command line, as in hping3 -F -P -U. When we send those messages to the same target as before, the target responds with the RST and ACK flags on ports 81–89. There is no response at all on port 80. This is because port 80 is open, but RFC 793 suggests that packets looking like this fall into a category that should be discarded, meaning no response.
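Because hping3 leaves the interpretation to you, the flag logic from the SYN-scan discussion above and the "silence means open" rule of the Xmas scan can be written down once and applied to the raw output. The following is an added example, not code from the book or from hping3; the two output samples are constructed in the layout of Example 3-20 rather than captured from a real host, and the port-range arguments mirror -p ++80 with -c.

```python
import re
from typing import Dict

# Constructed sample (not a real capture) in the layout of Example 3-20:
# SYN scan where port 80 answers SYN/ACK and 81-82 answer RST/ACK.
SYN_SCAN_OUTPUT = """\
len=46 ip=192.168.86.1 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=7.8 ms
len=46 ip=192.168.86.1 ttl=64 DF id=15522 sport=81 flags=RA seq=1 win=0 rtt=7.6 ms
len=46 ip=192.168.86.1 ttl=64 DF id=15523 sport=82 flags=RA seq=2 win=0 rtt=7.3 ms
"""

# Constructed Xmas-scan output (hping3 -F -P -U) for the same three ports: the open
# port 80 discards the probe and stays silent, so only 81-82 produce reply lines.
XMAS_SCAN_OUTPUT = """\
len=46 ip=192.168.86.1 ttl=64 DF id=15601 sport=81 flags=RA seq=1 win=0 rtt=7.1 ms
len=46 ip=192.168.86.1 ttl=64 DF id=15602 sport=82 flags=RA seq=2 win=0 rtt=6.9 ms
"""

# On a reply, sport= is the port we probed (it was the destination going out).
REPLY_RE = re.compile(r"\bsport=(?P<sport>\d+)\s+flags=(?P<flags>[A-Z]*)")


def classify_flags(flags: str) -> str:
    """Map the flags field of one reply line to a port state."""
    if "S" in flags and "A" in flags:  # SYN/ACK: something is listening
        return "open"
    if "R" in flags:  # RST (normally RST/ACK): nothing listening
        return "closed"
    return "unknown"  # any other combination is left for a human to judge


def parse_hping_replies(output: str) -> Dict[int, str]:
    """Return {probed_port: state} for every reply line in hping3 output."""
    states: Dict[int, str] = {}
    for line in output.splitlines():
        m = REPLY_RE.search(line)
        if m:
            states[int(m.group("sport"))] = classify_flags(m.group("flags"))
    return states


def port_states(output: str, first_port: int, count: int) -> Dict[int, str]:
    """Cover the whole probed range (-p ++first_port with -c count): ports that
    sent nothing back are reported as 'no-response'. A silent port means the
    probe or reply was dropped, or, for an Xmas scan, that the port is open and
    discarded the packet as RFC 793 describes; it must not be read as closed."""
    answered = parse_hping_replies(output)
    return {p: answered.get(p, "no-response")
            for p in range(first_port, first_port + count)}
```

Running port_states over the SYN sample reports 80 as open and 81-82 as closed, while the Xmas sample reports 80 as no-response, which is exactly the case the text warns must be interpreted rather than taken at face value.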
As noted above, hping3 can also be used to send high-speed messages. There are two ways to do this. The first is by using the -i flag and a value. A simple numeric value will be the wait time in seconds. If you want it to go faster, you can use -i u1, for