June 14, 2005

Testing security with hping

Author: JT Smith

You can test the security of your network in a number of ways. One is to hire someone to attack it and see whether they get in. Another (and maybe more practical) way is to install hping and probe it yourself.
As the name suggests, hping is based on the ping utility, but the two applications are used in different ways. You will have used ping to see if a device is reachable over the network, and perhaps to look at the route between your computer and another one (with the -R record-route option). Ping uses the Internet Control Message Protocol (ICMP), one of the fundamental elements of TCP/IP. All it does is send out ICMP ECHO_REQUEST packets and wait for valid replies (ICMP ECHO_REPLY). Ping tells you that the destination is reachable, but says nothing about what is listening at the other end. In fact, a device does not even have to be fully booted before it will answer ping.

Hping differs from ping in that, as well as ICMP, it can send TCP (Transmission Control Protocol), UDP (User Datagram Protocol) and raw IP (Internet Protocol) packets; TCP is the default. Users can also set individual header fields and flags to try to elicit different responses from target devices.

Using hping to simulate an attack

When attacking a system, hackers frequently start by carrying out a SYN scan, a basic way of finding out which services a targeted computer is running. A SYN packet is the first step of the TCP three-way handshake. The hacker sends one to a port on the computer. If a service is listening on that port, the computer replies with a SYN/ACK packet; if nothing is listening, it replies with a RST/ACK; if a firewall is dropping the probe, nothing comes back at all. A SYN/ACK tells the hacker that he has found a listening service, and so a possible way in.

This is where hping comes into its own. We can use it to carry out exactly this type of activity. Hping builds its own packets on a raw socket, so you will need to run it as root:

hping -S localhost -c 1
HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.2 ms

--- localhost hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms

There are two fields to take particular note of. The first is "sport," the source port of the reply, which is the port we just probed (in this case the default, 0). The second is "flags," the TCP flags in the response sent back by the target host (localhost in this example). An RA (RST/ACK) packet came back, meaning that the port is closed: nothing is listening on it. If the response had been an SA (SYN/ACK) packet, we would have found a listening service and a possible way into the host. A third possibility, not shown here, is no response at all, which hping reports as packet loss; that usually means a firewall is dropping the probes.

We can use hping to talk to any port on the target:

hping -S localhost -c 1 -p 1
HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=1 flags=RA seq=0 win=0 rtt=0.2 ms

--- localhost hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.2/0.2/0.2 ms

But even more usefully we can tell hping to step through the ports: "-p ++0" starts at port 0 and increments the destination port by one for each packet sent:

hping -S localhost -p ++0
HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.2 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=1 flags=RA seq=1 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=2 flags=RA seq=2 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=3 flags=RA seq=3 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=4 flags=RA seq=4 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=5 flags=RA seq=5 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=6 flags=RA seq=6 win=0 rtt=0.1 ms
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=7 flags=RA seq=7 win=0 rtt=0.1 ms

--- localhost hping statistic ---
8 packets tramitted, 8 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.1/0.2 ms

As you can imagine, this operation generates a large amount of output, most of which we don't want (we need only the SA responses, not the RAs). Without -c, hping keeps incrementing the port until you stop it with Ctrl-C (the run below was interrupted after 9479 packets; a full sweep is 65536). We can, therefore, filter the output:

hping -S localhost -p ++0 |grep "flags=SA"
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=22 win=32767 rtt=0.3 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=25 flags=SA seq=25 win=32767 rtt=0.2 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=37 flags=SA seq=37 win=32767 rtt=0.2 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=80 flags=SA seq=80 win=32767 rtt=0.2 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=113 flags=SA seq=113 win=32767 rtt=0.2 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=587 flags=SA seq=587 win=32767 rtt=0.3 ms
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=3306 flags=SA seq=3306 win=32767 rtt=0.4 ms

--- localhost hping statistic ---
9479 packets tramitted, 9479 packets received, 0% packet loss
round-trip min/avg/max = 0.1/0.2/0.4 ms

This makes it clear that seven ports have a listening service. Each is a (potential) area of weakness, and the next step is to find out what is listening on each one and whether it needs to be reachable at all. Bear in mind that a scan of localhost shows every service bound to the loopback interface, including ones a firewall would block from outside; to see what an attacker sees, run the same scan against the machine from another host.
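As an added example (not from the original article and not part of hping), here is a small shell wrapper that turns the grep above into a proper classification: it reads hping's per-packet output on stdin and reports every port in the scanned range as open (SA), closed (RST) or filtered (no reply at all, for which hping prints no line). The port range has to be passed in because hping does not record it. The sample run at the bottom is constructed to stand in for a real sweep (the 192.0.2.10 address is a documentation address, not a real target), and the real invocation in the trailing comment assumes a host you are authorised to scan.

```shell
#!/bin/sh
# Added example: classify hping SYN-sweep output into open/closed/filtered ports.
# Usage: classify_syn_sweep FIRST LAST   (reads hping output on stdin)
# FIRST and LAST are the first and last port of the sweep, e.g. for
#   hping -S -p ++FIRST -c N target      with N = LAST - FIRST + 1
classify_syn_sweep() {
    awk -v first="$1" -v last="$2" '
        # hping prints one line per reply it receives, for example:
        #   len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=22 flags=SA seq=22 win=32767 rtt=0.3 ms
        # "sport" is the source port of the reply, i.e. the port that was probed.
        /^len=/ {
            port = ""; flags = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^sport=/) port = substr($i, 7)
                if ($i ~ /^flags=/) flags = substr($i, 7)
            }
            if (port == "") next
            if (flags == "SA")      state[port] = "open"      # SYN/ACK: a service is listening
            else if (flags ~ /R/)   state[port] = "closed"    # RST (normally RA): nothing listening
            else                    state[port] = "other:" flags
        }
        END {
            # Ports that never produced a reply line were dropped somewhere on the
            # way (a firewall, or a host that is down): report them as filtered.
            for (p = first + 0; p <= last + 0; p++)
                printf "%d %s\n", p, ((p in state) ? state[p] : "filtered")
        }'
}

# Constructed stand-in for a real hping run (not a capture): ports 21-24 were
# probed; 21 and 24 answered RA, 22 answered SA, and 23 never answered.
sample_sweep() {
cat <<'EOF'
HPING 192.0.2.10 (eth0 192.0.2.10): S set, 40 headers + 0 data bytes
len=40 ip=192.0.2.10 ttl=64 DF id=0 sport=21 flags=RA seq=0 win=0 rtt=0.2 ms
len=44 ip=192.0.2.10 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=32767 rtt=0.3 ms
len=40 ip=192.0.2.10 ttl=64 DF id=0 sport=24 flags=RA seq=3 win=0 rtt=0.2 ms

--- 192.0.2.10 hping statistic ---
4 packets tramitted, 3 packets received, 25% packet loss
EOF
}

sample_sweep | classify_syn_sweep 21 24

# Real use (needs root and a target you are authorised to scan), sweeping
# ports 1-1024 one packet per millisecond and hiding the closed ones:
#   hping -S -p ++1 -c 1024 -i u1000 target | classify_syn_sweep 1 1024 | grep -v ' closed$'
```

The filtered class is the one the article's grep cannot show: a port that is silently dropped by a firewall looks identical to one that was never probed unless you compare the replies against the range you actually sent.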

Seeing it from both sides

So far we've looked only at what's happening from the scanner's side, but it is instructive to run tcpdump on the target host at the same time as you're using hping. You will need to be root to run tcpdump as well, since it captures directly from the interface.

hping -S -p 0 localhost -c 1
HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=40 ip=127.0.0.1 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.4 ms

--- localhost hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.4/0.4 ms

hping -S -p 3306 localhost -c 1
HPING localhost (lo 127.0.0.1): S set, 40 headers + 0 data bytes
len=44 ip=127.0.0.1 ttl=64 DF id=0 sport=3306 flags=SA seq=0 win=32767 rtt=0.6 ms

--- localhost hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.6/0.6 ms
tcpdump
11:00:28.038363 IP localhost.2857 > localhost.0: S 2108417289:2108417289(0) win 512
11:00:28.038420 IP localhost.0 > localhost.2857: R 0:0(0) ack 2108417290 win 0
11:00:33.829503 IP localhost.1842 > localhost.3306: S 103283023:103283023(0) win 512
11:00:33.829592 IP localhost.3306 > localhost.1842: S 1486936409:1486936409(0) ack 103283024 win 32767 
11:00:33.829623 IP localhost.1842 > localhost.3306: R 103283024:103283024(0) win 0

5 packets captured
10 packets received by filter
0 packets dropped by kernel

Tcpdump shows that the target host sees every probe. The first two lines are the probe of port 0: a SYN answered by a RST. The last three are the probe of port 3306: the SYN, the target's SYN/ACK, and then a RST from the scanning host. That final RST is sent by the scanner's kernel, not by hping: hping built the SYN itself, so the kernel knows nothing about the connection and rejects the unexpected SYN/ACK. The handshake is never completed, the service listening on port 3306 never sees a connection, and nothing appears in its logs; this is why a SYN scan is called a half-open scan, and why you need packet-level monitoring to notice one. If you see this pattern repeated across many ports from a single source, you may well be under attack.
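The pattern in the capture above can be recognised mechanically. As an added example, not from the original article, here is a shell/awk detector that reads tcpdump's text output on stdin and reports any source host that sent bare SYNs to at least a threshold number of distinct ports on one target, together with how many of those ports answered SYN/ACK. It assumes the one-line tcpdump format shown above, where a bare SYN appears as "S seq:seq(0) win N" and a SYN/ACK carries "ack" as the eighth field. The capture it runs on is constructed: one host sweeping ports 1 to 12 of a target, two of which are open, plus a legitimate client connecting three times to a single port.

```shell
#!/bin/sh
# Added example: a minimal SYN-scan detector for tcpdump's text output.
# Usage: detect_syn_scan [THRESHOLD]   (reads tcpdump lines on stdin; default 10)
# Assumes the one-line tcpdump format used in the article:
#   11:00:28.038363 IP localhost.2857 > localhost.0: S 2108417289:2108417289(0) win 512
#   11:00:33.829592 IP localhost.3306 > localhost.1842: S 1486936409:1486936409(0) ack 103283024 win 32767
# A legitimate client talks to a few ports many times; a scanner talks to many
# ports once each, so counting distinct destination ports per source is the
# classic heuristic.
detect_syn_scan() {
    awk -v threshold="${1:-10}" '
        function host(addr) { sub(/\.[0-9]+$/, "", addr); return addr }   # "10.0.0.1.80" -> "10.0.0.1"
        function port(addr) { sub(/.*\./, "", addr); return addr }        # "10.0.0.1.80" -> "80"
        $2 == "IP" && $6 == "S" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            if ($8 != "ack") {
                # bare SYN: src is probing dst; count each destination port once
                key = host(src) " -> " host(dst)
                if (!((key, port(dst)) in seen)) { seen[key, port(dst)] = 1; probed[key]++ }
            } else {
                # SYN/ACK: dst is the prober, src the target, and this port is open
                key = host(dst) " -> " host(src)
                if (!((key, port(src)) in openseen)) { openseen[key, port(src)] = 1; open[key]++ }
            }
        }
        END {
            for (key in probed)
                if (probed[key] >= threshold)
                    printf "%s probed %d distinct ports, %d answered SYN/ACK\n", key, probed[key], open[key] + 0
        }' | sort
}

# Constructed sample (not a real capture): 10.0.0.9 sweeps ports 1-12 of
# 10.0.0.1, of which 3 and 7 are open; each closed port answers RST/ACK and each
# open port answers SYN/ACK, which the scanner's kernel then resets. A legitimate
# client, 10.0.0.5, completes three ordinary connections to port 80.
sample_capture() {
    i=1
    while [ "$i" -le 12 ]; do
        printf '11:00:28.%06d IP 10.0.0.9.%d > 10.0.0.1.%d: S 100:100(0) win 512\n' "$i" $((2000 + i)) "$i"
        if [ "$i" -eq 3 ] || [ "$i" -eq 7 ]; then
            printf '11:00:28.%06d IP 10.0.0.1.%d > 10.0.0.9.%d: S 500:500(0) ack 101 win 32767\n' "$i" "$i" $((2000 + i))
            printf '11:00:28.%06d IP 10.0.0.9.%d > 10.0.0.1.%d: R 101:101(0) win 0\n' "$i" $((2000 + i)) "$i"
        else
            printf '11:00:28.%06d IP 10.0.0.1.%d > 10.0.0.9.%d: R 0:0(0) ack 101 win 0\n' "$i" "$i" $((2000 + i))
        fi
        i=$((i + 1))
    done
    for sp in 40000 40001 40002; do
        printf '11:00:29.000001 IP 10.0.0.5.%d > 10.0.0.1.80: S 7:7(0) win 65535\n' "$sp"
        printf '11:00:29.000002 IP 10.0.0.1.80 > 10.0.0.5.%d: S 9:9(0) ack 8 win 5840\n' "$sp"
    done
}

sample_capture | detect_syn_scan 10
```

Fed the sample, it reports only "10.0.0.9 -> 10.0.0.1 probed 12 distinct ports, 2 answered SYN/ACK"; the client on port 80 never crosses the threshold. Against a live host you would pipe a line-buffered tcpdump (tcpdump -n -l) into it, and a real detector would also bound the count to a time window so that a slow scan spread over hours does not merge with normal traffic. Note that tcpdump releases from 4.0 onwards print the flags as "Flags [S]" rather than a bare "S", so the field tests need adjusting for modern output.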

In conclusion

You now have enough information to give hping a try. If you feel that you need to learn more (and I recommend that you do), hping's Web site contains a useful documentation section and wiki.

Armed with hping you will be able to test the security of your network. Make sure that you do it soon: don't forget that you're not the only one who has access to this powerful tool.
