Disclaimer: This article is for educational purposes only, do not attempt to hack the system without prior consent from the person you are hacking, and only use this information for ethical purposes.
🧭 What is hping3
hping3 is a tool similar to ping, but it can also craft and send L4 (transport-layer) packets such as TCP. If the target host has open TCP ports but does not return ICMP echo replies, hping3 is a good replacement for the ping tool.
📋 What kind of test?
Each operating system reacts differently. This article explains how three operating systems react to arbitrary packets generated by hping3.
🔧 Test Setup
🖥 Target OS
- 🎯 Ubuntu 20.04.5 : Private IP address 192.168.10.137
- 🎯 Fedora 37 : Private IP address 192.168.10.119
- 🎯 Windows 11 Pro 21H2 : Private IP address 192.168.10.116
# Sending packets from 192.168.10.113 ( Kali Linux ).
🎯 Ubuntu
PING response is disabled: the kernel parameter ‘net.ipv4.icmp_echo_ignore_all’ is set to 1.
🎯 Fedora
PING response is disabled: the kernel parameter ‘net.ipv4.icmp_echo_ignore_all’ is set to 1.
🎯 Windows
PING response setting is disabled.
⚀ TEST Pattern 1 ( No flag )
Sends TCP packets with no flags set to TCP port 0.
🔖 Summary
- ⭕️ Ubuntu replied.
- ❌ Fedora and Windows did not reply.
⌨️ Commands
hping3 'Target IP address'
⭕️ Result of Ubuntu
Response received. The target answers with packets carrying the RST and ACK flags. This is sufficient to confirm that the host exists.
❌ Result of Fedora
No response.
❌ Result of Windows
No response.
⚁ TEST Pattern 2 ( SYN )
Sends TCP packets with the SYN flag set to TCP port 0.
🔖 Summary
- ⭕️ Ubuntu and Fedora replied.
- ❌ Windows did not reply.
⌨️ Commands
hping3 -c 4 -S 'Target IP address'
⭕️ Result of Ubuntu
Response received. The target answers with packets carrying the RST and ACK flags, the same result as TEST pattern 1.
⭕️ Result of Fedora
Response received. You can receive ICMP reply packets. I assume this is sufficient to identify the existence of the server, because even though the reply is written as "filtered", the reply came from the target IP address.
❌ Result of Windows
No response.
⚂ TEST Pattern 3 ( SYN to open port )
Sends TCP packets with the SYN flag set to an open TCP port.
🔖 Summary
- ⭕️ All OS replied.
⌨️ Commands
hping3 -c 4 -S -p 'Target port' 'Target IP address'
⭕️ Result of Ubuntu
Response received. This Ubuntu is running Node.js on TCP port 8080.
⭕️ Result of Fedora
Response received. This Fedora is running nginx on TCP port 80.
⭕️ Result of Windows
Response received. This Windows is running RDP service on TCP port 3389.
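To make the three patterns above concrete, here is an added example (not the author's code) that reduces one hping3 run to the outcome the tests distinguish: a TCP reply (RST/ACK from a closed port or port 0, SYN/ACK from an open port), an ICMP error from the target address, or no response at all. The sample stdout/stderr strings are constructed to look like hping3 output; the exact line format is an assumption, so the regular expressions key only on the `ip=`, `sport=`, `flags=` and "packets received" tokens.

```python
import re

# Constructed sample output shaped like what hping3 prints (format is an
# assumption, not copied from the article): reply lines on stdout, statistics on stderr.
SAMPLES = {
    "ubuntu_port0": (
        "len=46 ip=192.168.10.137 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.6 ms\n",
        "--- 192.168.10.137 hping statistic ---\n"
        "1 packets transmitted, 1 packets received, 0% packet loss\n",
    ),
    "fedora_port0_syn": (
        "ICMP Packet filtered from ip=192.168.10.119 name=UNKNOWN\n",
        "--- 192.168.10.119 hping statistic ---\n"
        "1 packets transmitted, 1 packets received, 0% packet loss\n",
    ),
    "windows_port0": (
        "",
        "--- 192.168.10.116 hping statistic ---\n"
        "1 packets transmitted, 0 packets received, 100% packet loss\n",
    ),
    "windows_rdp": (
        "len=46 ip=192.168.10.116 ttl=128 id=12345 sport=3389 flags=SA seq=0 win=64240 rtt=1.1 ms\n",
        "--- 192.168.10.116 hping statistic ---\n"
        "1 packets transmitted, 1 packets received, 0% packet loss\n",
    ),
}

TCP_RE = re.compile(r"\bip=(\S+).*?\bsport=(\d+).*?\bflags=([A-Z]+)")
ICMP_RE = re.compile(r"^ICMP\b.*?\bfrom ip=(\S+)", re.M)
STATS_RE = re.compile(r"(\d+) packets transmitted, (\d+) packets received")

def classify(stdout: str, stderr: str) -> dict:
    """Map one hping3 run onto the three outcomes seen in the tests.

    tcp_reply   : the stack answered with TCP flags (RA = closed/port 0, SA = open)
    icmp_reply  : an ICMP error came back from the target address (still alive)
    no_response : nothing came back; undecided rather than proven down
    """
    sent, received = 0, 0
    stats = STATS_RE.search(stderr)
    if stats:
        sent, received = int(stats.group(1)), int(stats.group(2))
    tcp = TCP_RE.search(stdout)
    if tcp:
        return {"outcome": "tcp_reply", "ip": tcp.group(1), "sport": int(tcp.group(2)),
                "flags": tcp.group(3), "alive": True, "sent": sent, "received": received}
    icmp = ICMP_RE.search(stdout)
    if icmp:
        return {"outcome": "icmp_reply", "ip": icmp.group(1), "sport": None,
                "flags": None, "alive": True, "sent": sent, "received": received}
    return {"outcome": "no_response", "ip": None, "sport": None, "flags": None,
            "alive": False, "sent": sent, "received": received}
```

Note that only the Windows port-0 sample ends as no_response: both Linux hosts reveal themselves despite icmp_echo_ignore_all, so that sysctl alone does not hide a host from a TCP probe.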
🔍 How to find Windows?
The following script sends a SYN packet to the major ports of every host on the same private network segment (192.168.10.1 ~ 192.168.10.255).
import subprocess

# Major ports to probe. hping3 needs root privileges (raw sockets).
Ports = ['21', '22', '80', '139', '443', '445', '3389']
# Summary line hping3 prints on stderr when the single probe got a reply.
Chk = '1 packets transmitted, 1 packets received, 0% packet loss'

for i in range(255):
    TargetIP = '192.168.10.' + str(i + 1)   # 192.168.10.1 ... 192.168.10.255
    for j in Ports:
        ResultBytes = subprocess.run(['hping3', '-S', '-c', '1', '-p', j, TargetIP],
                                     stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        Results = ResultBytes.stdout.decode('utf-8')
        Errors = ResultBytes.stderr.decode('utf-8')
        if Chk in Errors:   # a reply came back: print the hping3 reply line(s)
            print(Results)
If Windows has an open port, it is detected as in the following result.
🔍 Run hping3 and Nessus simultaneously
If I run hping3 and Nessus at the same time, it doesn’t work properly. The packets interfere with each other.
⌨️ Command
hping3 -S -p 80 192.168.10.119
Even if I send packets to port 0, the packets still interfere.
⌨️ Command
hping3 -S -p 0 192.168.10.119