转载出处:http://hnytgl.blog.sohu.com/216935414.html
hping3可以发送任意定制的包给主机
hping3可以控制ip分层,定制包体和大小,很强大的安全测试工具,也是学习tcp/ip的一种途径。加油咧!^ _ ^
从这里开始介绍hping3。
基本选项:
《1》 -c:设定发送包个数,如要向目标发送2个包:
[root@localhost ~]# hping3 -c 2 192.168.0.106
HPING 192.168.0.106 (eth0 192.168.0.106): NO FLAGS are set, 40 headers + 0 data bytes
ICMP Unreachable type=10 from ip=192.168.0.106 name=UNKNOWN
ICMP Unreachable type=10 from ip=192.168.0.106 name=UNKNOWN
--- 192.168.0.106 hping statistic ---
2 packets tramitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
## 发现virtualbox负载过高,心疼了,所以临时改变实验环境,将virtualbox 的cnetos5.5换成vmware player上的peppermint(192.168.0.107)
《2》-i :发送的包的时间间隔,默认单位是s,可以使用u10,表示每10微秒发送一个包(1微秒=1/100000秒,慎用!),可以个和 -c 配合使用:
--每100秒发送一个包:
[root@localhost ~]# hping3 -i 100 192.168.0.107 《--这里第一个包会在第一时间发送出去,等100s后再发送第二个包
--每1微秒发送一个包---》这是一种攻击行为,大家慎用,我只是做实验
[root@localhost ~]# hping3 -i u1 192.168.0.107
HPING 192.168.0.107 (eth0 192.168.0.107): NO FLAGS are set, 40 headers + 0 data bytes
^C
--- 192.168.0.107 hping statistic ---
332388 packets tramitted, 0 packets received, 100% packet loss 《--到达一定速度后只发不接
round-trip min/avg/max = 0.0/0.0/0.0 ms
--每微秒发送一个包,总共发送10个包:
[root@localhost ~]# hping3 -i u1 -c 10 192.168.0.107
HPING 192.168.0.107 (eth0 192.168.0.107): NO FLAGS are set, 40 headers + 0 data bytes
--- 192.168.0.107 hping statistic ---
10 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
《3》--fast , --faster,--flood: 前两个选项分别是 -i u10000 、-i u1 的别名,--flood 顾名思义,尤其是后面两个选项,如果不是做压力和防火墙过滤等测试时,强烈不建议使用,引起的不良后果自负,一切法律责任与本篇文章无关。
《4》-n:不进行lookup; -q :quiet模式,只显示最后的统计数据;
《5》-I : 制定需要使用的interface,在特定的os下为了满足特定的需要才会用到这个选项;
《6》-D:进入debug模式
《7》-z : 加入这个选项后,可以通过ctrl +Z 来增加发送出去的包的TTL,按一次增加1,按两次增加2,依次类推,按住不放是减小TTL,按Z的感觉自己去找。要看效果可以在目标主机上开启iptables的日志记录功能,就可以很直观的看到TTL的变化。
[root@localhost ~]# hping -z 192.168.0.107
HPING 192.168.0.107 (eth0 192.168.0.107): NO FLAGS are set, 40 headers + 0 data bytes
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=1.0 ms
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=1 win=0 rtt=0.6 ms
65: len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=2 win=0 rtt=0.6 ms
66: len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=3 win=0 rtt=0.5 ms
68: len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=4 win=0 rtt=0.8 ms
69: len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=5 win=0 rtt=0.4 ms
71: len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=6 win=0 rtt=0.8 ms
72: len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=7 win=0 rtt=0.9 ms
74: len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=8 win=0 rtt=0.5 ms
^C
--- 192.168.0.107 hping statistic ---
9 packets tramitted, 9 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.7/1.0 ms
《8》 --beep : 接受到返回的包就发声(我的不会叫,也不知道是什么声音,还是我理解错了)
协议部分
《1》hping3默认是TCP模式,不设置任何flag,到对方的0 prot,以做到“hide ping”,这是在对方经由firewall保护下最好的发现方式了
《2》-0 : RAW IP 模式,可以单独使用,但是多和 --ipproto 或者 --file 配合使用
由于是原始的ip封包,iptables会记录下来,显示的是INCOMPLETE,我们也得不到回应:
[root@localhost hping3-0.0.20051105]# hping3 -0 192.168.0.107
HPING 192.168.0.107 (eth0 192.168.0.107): raw IP mode set, 20 headers + 0 data bytes
^C
--- 192.168.0.107 hping statistic ---
3 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
《3》-1: ICMP 模式,默认是采用icmp echo-request, 可以通过 --icmptype 和 --icmpcode 来设定需要的icmp 类型,通常情况下防火墙只允许icmp的回显请求(echo-request);
《4》-2:UDP模式,默认也是发往目标0 号port,可以通过选项 --baseport --destport --keep 来调整udp包头;
《5》-8 : 扫描模式,这里介绍他的通配符和端口范围的表示方法:
all:所有端口,1-65535
known:/etc/services 中记录的所有端口
多个不相连的端口用逗号分开,如:1,4,443;
表示一个端口范围使用:1-4000
!表示非: !known
扫描对方在/etc/services中列出的端口:
[root@localhost 桌面]# hping3 -8 known -S 192.168.0.1 <---这里-S 表示采用SYN扫描
Scanning 192.168.0.1 (192.168.0.1), port known
5458 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
23 telnet : .S..A... 128 7458 16384 46
1780 dpkeyserv : .S..A... 128 64037 16384 46
80 http : .S..A... 128 60464 16384 46
扫描1-1024号端口:
[root@localhost 桌面]# hping3 -8 1-1024 -S 192.168.0.1
Scanning 192.168.0.1 (192.168.0.1), port 1-1024
1024 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+-----+
|port| serv name | flags |ttl| id | win | len |
+----+-----------+---------+---+-----+-----+-----+
23 telnet : .S..A... 128 11064 16384 46
80 http : .S..A... 128 60475 16384 46
All replies received. Done.
Not responding ports:
《6》-9 : --listen signature <--监听模式,监听含有特定signature的包,并且将含有该signature的包dump;
从这部分开始,我会将iptables针对每次试探和扫描的记录附上
IP 协议部分
《1》-a :(--spoof hostname)伪装自己的地址,会造成自己收不到返回的包,在进行idle扫描时候有用,
[root@localhost 桌面]# hping3 -a www.baidu.com 192.168.0.107
HPING 192.168.0.107 (eth0 192.168.0.107): NO FLAGS are set, 40 headers + 0 data bytes
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.5 ms
DUP! len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.5 ms
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=1 win=0 rtt=0.4 ms
DUP! len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=1 win=0 rtt=0.5 ms
^C
--- 192.168.0.107 hping statistic ---
2 packets tramitted, 4 packets received, -100% packet loss 《--自己是收不到的
round-trip min/avg/max = 0.4/0.5/0.5 ms
记录如下
Jul 28 04:48:22 linuxer-desktop kernel: [ 1955.489880] scan or attackIN=eth0 OUT= MAC=00:0c:29:80:6c:a2:00:1e:ec:c8:1f:b5:08:00 SRC=220.181.6.175 DST=192.168.0.107 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=40048 PROTO=TCP SPT=1849 DPT=0 WINDOW=512 RES=0x00 URGP=0
Jul 28 04:48:22 linuxer-desktop kernel: [ 1955.489931] scan or attackIN=eth0 OUT= MAC=00:0c:29:80:6c:a2:00:1e:ec:c8:1f:b5:08:00 SRC=220.181.6.175 DST=192.168.0.107 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=40048 PROTO=TCP SPT=1849 DPT=0 WINDOW=512 RES=0x00 URGP=0
ip地址是成功的伪装了,但是mac还是自己的
《2》--rand-source : 使用随机地址伪装自己的地址
[root@localhost 桌面]# hping3 --rand-source 192.168.0.107
HPING 192.168.0.107 (eth0 192.168.0.107): NO FLAGS are set, 40 headers + 0 data bytes
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.6 ms
DUP! len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.7 ms
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=1 win=0 rtt=0.6 ms
DUP! len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=1 win=0 rtt=0.6 ms
^C
--- 192.168.0.107 hping statistic ---
2 packets tramitted, 4 packets received, -100% packet loss
round-trip min/avg/max = 0.6/0.6/0.7 ms
记录
Jul 28 04:53:19 linuxer-desktop kernel: [ 2252.836277] scan or attackIN=eth0 OUT= MAC=00:0c:29:80:6c:a2:00:1e:ec:c8:1f:b5:08:00 SRC=98.65.146.212 DST=192.168.0.107 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=20079 PROTO=TCP SPT=1841 DPT=0 WINDOW=512 RES=0x00 URGP=0
Jul 28 04:53:20 linuxer-desktop kernel: [ 2253.836351] scan or attackIN=eth0 OUT= MAC=00:0c:29:80:6c:a2:00:1e:ec:c8:1f:b5:08:00 SRC=152.101.28.151 DST=192.168.0.107 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=37500 PROTO=TCP SPT=1842 DPT=0 WINDOW=512 RES=0x00 URGP=0
《3》--rand-dest : 随机选择目标,
如:hping3 --rand-dest -I eth0 192.168.0.x <--使用x代表0-255,要是在整个网络中选择目标可以换成4个x;在这种模式下一定要制定interface,
《4》-t :制定包的TTL ,具体要设定为多大要看是做什么,最大是255;
[root@localhost 桌面]# hping3 192.168.0.107 -t 1 --tracerouteHPING 192.168.0.107 (eth0 192.168.0.107): NO FLAGS are set, 40 headers + 0 data bytes
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.4 ms
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=1 win=0 rtt=0.6 ms
^C
--- 192.168.0.107 hping statistic ---
2 packets tramitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.6 ms
记录
Jul 28 05:04:07 linuxer-desktop kernel: [ 2900.504384] scan or attackIN=eth0 OUT= MAC=00:0c:29:80:6c:a2:00:1e:ec:c8:1f:b5:08:00 SRC=192.168.0.101 DST=192.168.0.107 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=8808 PROTO=TCP SPT=2828 DPT=0 WINDOW=512 RES=0x00 URGP=0
Jul 28 05:04:07 linuxer-desktop kernel: [ 2900.504416] scan or attackIN=eth0 OUT= MAC=00:0c:29:80:6c:a2:00:1e:ec:c8:1f:b5:08:00 SRC=192.168.0.101 DST=192.168.0.107 LEN=40 TOS=0x00 PREC=0x00 TTL=1 ID=8808 PROTO=TCP SPT=2828 DPT=0 WINDOW=512 RES=0x00 URGP=0
《5》-N : 指定ip -> id ,防火墙记录时可以看到我们定制的id,哈哈
[root@localhost 桌面]# hping3 192.168.0.107 -N 888
HPING 192.168.0.107 (eth0 192.168.0.107): NO FLAGS are set, 40 headers + 0 data bytes
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.7 ms
^C
--- 192.168.0.107 hping statistic ---
1 packets tramitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.7/0.7/0.7 ms
记录
Jul 28 05:08:36 linuxer-desktop kernel: [ 3170.026046] scan or attackIN=eth0 OUT= MAC=00:0c:29:80:6c:a2:00:1e:ec:c8:1f:b5:08:00 SRC=192.168.0.101 DST=192.168.0.107 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=888 PROTO=TCP SPT=2489 DPT=0 WINDOW=512 RES=0x00 URGP=0
《6》 -r : 显示id的增量,而不显示id
[root@localhost 桌面]# hping3 192.168.0.107 -r
HPING 192.168.0.107 (eth0 192.168.0.107): NO FLAGS are set, 40 headers + 0 data bytes
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=8.1 ms
len=40 ip=192.168.0.107 ttl=64 DF id=+0 sport=0 flags=RA seq=1 win=0 rtt=0.6 ms
len=40 ip=192.168.0.107 ttl=64 DF id=+0 sport=0 flags=RA seq=2 win=0 rtt=0.6 ms
len=40 ip=192.168.0.107 ttl=64 DF id=+0 sport=0 flags=RA seq=3 win=0 rtt=0.5 ms
^C
--- 192.168.0.107 hping statistic ---
4 packets tramitted, 4 packets received, 0% packet loss
《7》-m:设定 mtu 值; -f :进行fragment;mtu默认是16 bytes,当发送的包的大小超过16 bytes时,就启动 fragment ,这样可以用来进行防火墙的重组包能力的测试,当然这也是一种突破防火墙的方法,我这里只给一个很粗糙的原型,要想能在实际中运用需要进行一些计算,哈哈。还有两个相关的选项 -x :more frag,-y :don‘t frag
[root@localhost 桌面]# hping3 192.168.0.107 -m 8 -f
HPING 192.168.0.107 (eth0 192.168.0.107): NO FLAGS are set, 40 headers + 0 data bytes 《--可以在包体里做文章
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.7 ms
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=1 win=0 rtt=0.6 ms
^C
--- 192.168.0.107 hping statistic ---
2 packets tramitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0.6/0.7/0.7 ms
《9》-o : tos (type of service),默认是0x00,通过 --tos help 查看可以设定为哪几种值:
[root@localhost 桌面]# hping3 --tos help
tos help:
TOS Name Hex Value Typical Uses
Minimum Delay 10 ftp, telnet
Maximum Throughput 08 ftp-data
Maximum Reliability 04 snmp
Minimum Cost 02 nntp
如我要将tos 改为最小延迟类服务类型:
[root@localhost 桌面]# hping3 --tos 10 192.168.0.107 《--16进制的
HPING 192.168.0.107 (eth0 192.168.0.107): NO FLAGS are set, 40 headers + 0 data bytes
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.7 ms
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=1 win=0 rtt=0.4 ms
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=2 win=0 rtt=0.4 ms
^C
--- 192.168.0.107 hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 0.4/0.5/0.7 ms
记录
Jul 28 05:38:59 linuxer-desktop kernel: [ 4992.379746] scan or attackIN=eth0 OUT= MAC=00:0c:29:80:6c:a2:00:1e:ec:c8:1f:b5:08:00 SRC=192.168.0.101 DST=192.168.0.107 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=14192 PROTO=TCP SPT=1360 DPT=0 WINDOW=512 RES=0x00 URGP=0
Jul 28 05:38:59 linuxer-desktop kernel: [ 4992.379794] scan or attackIN=eth0 OUT= MAC=00:0c:29:80:6c:a2:00:1e:ec:c8:1f:b5:08:00 SRC=192.168.0.101 DST=192.168.0.107 LEN=40 TOS=0x10 PREC=0x00 TTL=64 ID=14192 PROTO=TCP SPT=1360 DPT=0 WINDOW=512 RES=0x00 URGP=0
《10》 -G: --rroute 显示路由
[root@localhost 桌面]# hping3 -G 192.168.0.107
HPING 192.168.0.107 (eth0 192.168.0.107): NO FLAGS are set, 40 headers + 0 data bytes
len=80 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.9 ms
RR: 1.2.3.4
192.168.0.107
192.168.0.107
记录
Jul 28 05:44:41 linuxer-desktop kernel: [ 5334.394594] scan or attackIN=eth0 OUT= MAC=00:0c:29:80:6c:a2:00:1e:ec:c8:1f:b5:08:00 SRC=192.168.0.101 DST=192.168.0.107 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=197 OPT (07270C01020304C0A8006B0000000000000000000000000000000000000000000000000000000000)
##这里由于使用了 -G ,每个包都设置了记录路由的选项,所以OPT有值了,长度LEN也变了,^_^##
PROTO=TCP SPT=1563 DPT=0 WINDOW=512 RES=0x00 URGP=0
TCP/UDP 协议相关
《1》-s:(--baseport)设定发送包的最开始的端口,如果要使用一个固定的端口的话,就要加上 -k(--keep)
[root@localhost 桌面]# hping3 -s 2 192.168.0.107
HPING 192.168.0.107 (eth0 192.168.0.107): NO FLAGS are set, 40 headers + 0 data bytes
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=0 win=0 rtt=0.6 ms
len=40 ip=192.168.0.107 ttl=64 DF id=0 sport=0 flags=RA seq=1 win=0 rtt=0.5 ms
^C
--- 192.168.0.107 hping statistic ---
3 packets tramitted, 2 packets received, 34% packet loss
round-trip min/avg/max = 0.5/0.6/0.6 ms
记录 《--可以看到SPT的起始端口是2,在依次加1,如果使用了 -k 选项,SPT 将会一直是 2 ;
Jul 28 07:54:44 linuxer-desktop kernel: [ 755.883483] scan or attackIN=eth0 OUT= MAC=00:0c:29:80:6c:a2:00:1e:ec:c8:1f:b5:08:00 SRC=192.168.0.101 DST=192.168.0.107 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=60381 PROTO=TCP SPT=2 DPT=0 WINDOW=512 RES=0x00 URGP=0
Jul 28 07:54:45 linuxer-desktop kernel: [ 756.883579] scan or attackIN=eth0 OUT= MAC=00:0c:29:80:6c:a2:00:1e:ec:c8:1f:b5:08:00 SRC=192.168.0.101 DST=192.168.0.107 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=47720 PROTO=TCP SPT=3 DPT=0 WINDOW=512 RES=0x00 URGP=0
《2》-p : (--destport),默认是发送到对方的0 端口,可以通过 -p 选项定制,+13 表示当接受到返回的包后将目标端口增加13,++13表示每发送一个包就将目标端口增加13;
本文转自 Tenderrain 51CTO博客,原文链接:http://blog.51cto.com/tenderrain/1975730