Table of Contents
Introduction to hping3 command
hping3 is a network utility that allows you to send custom TCP/IP packets and display target replies like ping command does with ICMP replies.
hping3 is a didactic tool to learn TCP/IP. It can do the following operations.
- Test firewall rules
- Advanced port scanning
- Test internet performance using different protocols, packets size
- Discover MTU path
- Tracerouting under different protocols
- Remote OS fingerprinting
- Firewalk-like usage
- TCP/IP stack auditing
How to install hping3
hping3 is pre-installed in Kali Linux. If it is not found in your system, you can run the following commands to install hping3 according to your Linux distribution.
Install hping3 on CentOS, RHEL, Fedora
$ sudo dnf install hping3
Install hping3 on Ubuntu and Debian
$ sudo apt install hping3
Syntax to use hping3 command
The syntax for the hping3 command is as follows:
$ sudo hping3 [options] hostname
Some important options in hping3 command are as follows:
- -c, --count: specify the number of packets to be sent
- -8, --scan: Scan mode
- -9, --listen: Listen mode
- -a, --spoof: Spoof source address
- -t, --ttl: set TTL (time to live) of outgoing packets
Different examples to use hping3 command
1. Send TCP packets to a host
When hping3 command is used without any options, it sends TCP packets to the specified host.
$ sudo hping3 192.168.56.102
Sample Output:
2. Send SYN packets to the target
To send SYN packets to the target IP address, you can use the -S
or --syn
option.
$ sudo hping3 -S 192.168.56.102
OR
$ sudo hping3 --syn 192.168.56.102
Sample Output:
3. Send FIN/ACK packets to the target host
The -F
or --fin
option is used to send FIN packets to the specified host.
$ sudo hping3 -F 192.168.56.102
OR
$ sudo hping3 --fin 192.168.56.102
Sample Output:
Similarly, you can use the below options to set the respective TCP flags in the hping3 command.
-R
: RST TCP flag-P
: PUSH TCP flag-A
: ACK TCP flag-U
: URG TCP flag-X
: Xmas TCP flag-Y
: Ymas TCP flag
4. Enable raw IP mode
In raw IP mode, hping3 sends IP header with data appended with --signature
and/or --file
.
$ sudo hping3 -0 192.168.56.102
OR
$ sudo hping3 --rawip 192.168.56.102
Sample Output:
5. Send ICMP packets to the target
The -1
or --icmp
option allows you to enable ICMP mode and send ICMP echo requests to the given IP address.
$ sudo hping3 -1 192.168.56.102
OR
$ sudo hping3 --icmp 192.168.56.102
Sample Output:
6. Send UDP packets to target
You can use the -2
or --udp
option to send UDP packets to the target host.
$ sudo hping3 -2 192.168.56.102
OR
$ sudo hping3 --udp 192.168.56.102
Sample Output:
7. Specify the destination port
The default port is 0
. You can use the -p
or --destport
option to set the destination port when sending packets.
$ sudo hping3 -p port 192.168.56.102
OR
$ sudo hping3 --destport port 192.168.56.102
Sample Output:
When double +
is used before the port number, the destination port will be incremented for each packet sent.
$ sudo hping3 -p ++1024 192.168.56.102
Sample Output:
8. Specify the number of packets
The -c
or --count
option lets you specify the number of packets to be sent.
$ sudo hping3 -c num 192.168.56.102
OR
$ sudo hping3 --count num 192.168.56.102
Sample Output:
9. hping3 listen mode
You can enable listen mode to using the -9
or --listen
option.
$ sudo hping3 -9 signature
OR
$ sudo hping3 --listen signature
Sample Output:
10. Enable verbose output
The -V
or --verbose
option displays the verbose information. You can see the details of what packets are being sent.
$ sudo hping3 -V 192.168.56.102
OR
$ sudo hping3 --verbose 192.168.56.102
Sample Output:
11. Specify the interface to use
The -I
or --interface
option forces hping3 to use the interface you specify in the command.
$ sudo hping3 -I interface_name 192.168.56.102
OR
$ sudo hping3 -I interface_name 192.168.56.102
Sample Output:
12. hping3 as a network packet sniffer
hping3 can also be used for sniffing network packets. Using the listen mode, you can intercept the traffic going through the system network interface.
For example, you can use this command to intercept all traffic containing HTTP signatures.
$ sudo hping3 -9 HTTP -I enp0s9
Sample Output:
13. Set packet body size
The -d
or --data
option allows you to specify the packet size.
$ sudo hping3 -d size 192.168.56.102
OR
$ sudo hping3 --data size 192.168.56.102
Sample Output:
14. Enable the TCP timestamp
You can use the --tcp-timestamp
option to display the TCP timestamp. It can be used to estimate the timestamp update frequency and the remote system uptime.
$ sudo hping3 --tcp-timestamp 192.168.52.106
Sample Output:
15. SYN flood using hping3 command
The following command does the SYN flood or DOS attack on the target host.
$ sudo hping3 -S 192.168.56.102 --flood
Sample Output:
16. Performing a TCP SYN scan
Scan mode, the option expects an argument that describes groups of ports to scan. port groups are comma separated: a number describes just a single port, so 1,2,3 means port 1, 2 and 3. ranges are specified using a start-end notation, like 1-1000
, that tell hping to scan ports between 1 and 1000 (included). the special word all is an alias for 0-65535
, while the special word known includes all the ports listed in /etc/services
.
# hping3 --scan known -S 192.185.5.1 Scanning 192.185.5.1 (192.185.5.1), port known 337 ports to scan, use -V to see all the replies +----+-----------+---------+---+-----+-----+-----+ |port| serv name | flags |ttl| id | win | len | +----+-----------+---------+---+-----+-----+-----+ 21 ftp : .S..A... 128 3987 8192 46 25 smtp : .S..A... 128 4755 8192 46 53 domain : .S..A... 128 6291 8192 46 80 http : .S..A... 128 8595 8192 46 110 pop3 : .S..A... 128 10643 8192 46 443 https : .S..A... 128 17299 8192 46 143 imap2 : .S..A... 128 30867 8192 46 465 ssmtp : .S..A... 128 33427 8192 46 587 submission : .S..A... 128 39315 8192 46 995 pop3s : .S..A... 128 45715 8192 46
Conclusion
hping3 is one of the useful network tools that send TCP/IP packets to network hosts. It is widely used for testing a network and tracerouting under different protocols.
We hope this tutorial helps you to understand different hping3 commands in Linux. If you have any questions or feedback, please let us know in the comment section.
What’s Next
Analyze TCP Receive Window with Wireshark [Step-by-Step]
How to stop ICMP ping flood attack (DOS) on Linux
Further Reading