hping wiki

Differences for page idle scan

Current version compared with version Sun May 16 11:48:40 GMT 2004

...
- [Fyodor] writes in his paper *Idle scanning and related [IPID] games*: `Almost four years ago, security researcher Antirez posted an innovative new TCP port scanning technique. Idlescan, as it has become known, allows for completely blind port scanning. Attackers can actually scan a target without sending a single packet to the target from their own IP address! Instead, a clever side-channel attack allows for the scan to be bounced off a dumb "zombie" host. Intrusion detection system (IDS) reports will finger the innocent zombie as the attacker. Besides being extraordinarily stealthy, this scan type permits mapping out IP-based trust relationships between machines.`
+ HI
+ Welcome to the [hping] wiki.
  
- Read the full paper [link http://www.insecure.org/nmap/idlescan.html here].
+ ===What's Hping?===
  
- The following is my original posting to the [Bugtraq] mailing list. It was sent in Decenber 1998! A lot of time ago.
+ hping is a free packet generator and analyzer for the [TCP/IP] protocol. Hping is one of the de-facto tools for security auditing and testing of firewalls and networks, and was used to exploit the [Idle Scan] scanning technique now implemented in the [Nmap] port scanner. The new version of hping, hping3, is scriptable using the [Tcl] language and implements an engine for string based, human readable description of TCP/IP packets, so that the programmer can write scripts related to low level TCP/IP packet manipulation and analysis in a very short time.
  
-    Hi,
-          I have uncovered a new tcp port scan method.
-          Instead all others it allows you to scan using spoofed
-          packets, so scanned hosts can't see your real address.
-          In order to perform this i use three well known tcp/ip
-          implementation peculiarities of most OS:
-  
-            (1) * hosts reply SYN|ACK to SYN if tcp target port is open,
-              reply RST|ACK if tcp target port is closed.
-  
-            (2) * You can know the number of packets that hosts are sending
-              using id ip header field. See my previous posting 'about the ip
-              header' in this ml.
-  
-            (3) * hosts reply RST to SYN|ACK, reply nothing to RST.
-  
-  
-          The Players:
-  
-            host A - evil host, the attacker.
-            host B - silent host.
-            host C - victim host.
-  
-          A is your host.
-          B is a particular host: It must not send any packets while
-            you are scanning C. There are a lot of 'zero traffic' hosts
-            in internet, especially in the night :)
-          C is the victim, it must be vulnerable to SYN scan.
-  
-          I've called this scan method 'dumb host scan' in honour of host
-          B characteristics.
-  
-  
-          How it works:
-  
-          Host A monitors number of outgoing packets from B using id iphdr.
-          You can do this simply using hping:
-  
-  #hping B -r
-  HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms
-  -cut-
-  ..
-  .
-  
-          As you can see, id increases are always 1. So this host have the
-          characteristics that host B should to own.
-  
-          Now host A sends SYN to port X of C spoofing from B.
-          (using hping => 0.67 is very easy, http://www.kyuzz.org/antirez)
-          if port X of C is open, host C will send SYN|ACK to B (yes,
-          host C don't know that the real sender is A). In this
-          case host B replies to SYN|ACK with a RST.
-          If we send to host C a few of SYN it will reply to B with a few
-          of SYN|ACK, so B will reply to C a few of RST... so
-          we'll see that host B is sending packets!
-  
-  .
-  ..
-  -cut-
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=17 ttl=64 id=+1 win=0 time=96 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=18 ttl=64 id=+1 win=0 time=80 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=19 ttl=64 id=+2 win=0 time=83 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=20 ttl=64 id=+3 win=0 time=94 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=21 ttl=64 id=+1 win=0 time=92 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=22 ttl=64 id=+2 win=0 time=82 ms
-  -cut-
-  ..
-  .
-  
-          The port is open!
-  
-          Instead, if port X of C is closed sending to C a few
-          of SYN spoofed from B, it will reply with RST to B, and
-          B will not reply (see 3). So we'll see that host B is not sending
-          any packet:
-  
-  .
-  ..
-  -cut-
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=52 ttl=64 id=+1 win=0 time=85 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=53 ttl=64 id=+1 win=0 time=83 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=54 ttl=64 id=+1 win=0 time=93 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=55 ttl=64 id=+1 win=0 time=74 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=56 ttl=64 id=+1 win=0 time=95 ms
-  60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=57 ttl=64 id=+1 win=0 time=81 ms
-  -cut-
-  ..
-  .
-  
-          The port is closed.
-  
-          All this can appear complicated to perform, but using two sessions
-          of hping on Linux virtual consoles or under X makes it more simple.
-          First session listen host B: hping B -r
-          Second session send spoofed SYN: hping C -a B -S
-  
-          Sorry if my english is not so clear.
-          However this posting is not adequate to describe exaustively
-          this scan method, so i'll write a paper on this topic, specially
-          about how to implement this in a port scanner (i.e. nmap), and
-          about players characteristics and OS used.
-  
-  happy new year,
-  antirez
-  + Like most tools used in computer security, hping is useful to security experts, but there are a lot of applications related to network testing and system administration.
+ For more information see the [what's hping] page.
+ 
+ === About this site===
+ 
+ The aim of this site is to create a collaborative environment to document hping, share programming tips and hping scripts, and much more. *Many topics can be discussed here*, including topics related to security tools programming, Tcl, networking, as long as the author creates the wiki page and titles it appropriately.
+ The key point here is non-spam content of course, and to make sure contents are not copyrighted.
+ The moderator of this wiki is [Salvatore Sanfilippo] (aka `antirez`).
+ 
+ The Hping official site is at [link http://www.hping.org www.hping.org].
+ 
+ If you want to download source code or binary distributions of hping, go to the [Download] page.
+ 
+ {Please, if you think this site is insecure because every page is editable read this}:
+ 
+ [Why I can edit every page of this site]
+ 
+ Most of the vandalized pages here are from people that think they found a vulnerability in the site because all pages are editable!
+ 
+ ===News===
+ -> Federico Biancuzzi interviewed me about [hping3] for onlamp.com. The interview can be found [link http://www.onlamp.com/pub/a/security/2004/10/07/hping_interview.html here].
+ -> *hping3.0.0 {alpha 2} released*. [Download] It.
+ -> *hping2.0.0 Release Candidate 3* released. [Download] It.
+ ===Starting points of interest===
+ -> [What's hping]
+ -> [hping3 API]
+ -> [Getting started with hping3]
+ -> [Open bugs]
+ -> [Requests for new features]
+ -> [External tutorials and articles]
+ -> [TCP/IP]
+ -> [Idle scan]
+ -> [Good security tools]
+ -> [Hping2 win32 version]
+ -> [Hping3 vs MacosX]
+ -> [link http://wiki.tcl.tk The Tcl Language] (See also the local [Tcl] page).
+ -> [link http://www.invece.org/tclwise/ Tclwise - an online book on Tcl authored by the hping author.]
+ ===About this site===
+ -> [What's a Wiki]
+ -> [How to create a new page] (and [Copyrights])
+ -> [How to add an image in a wiki page]
+ -> [Graffiti] (test page, to experiment with this wiki)
+ -> [Misc pages] (other pages possibly unrelated to hping, will be moved asap)
+ ===More free software from the hping author===
+ -> *Visitors* a fast web log analyzer, home page [link http://www.hping.org/visitors/ here]
+ -> *Xadsen* a Google Adsense monitor for X, home page [link http://www.hping.org/xadsen/ here]
+ -> *PHP Interactive* a web based interactive shell for PHP, home page [link http://www.hping.org/phpinteractive here].
+ -> *The Jim Interpreter* a small footprint implementation of the [Tcl] programming language, home page [link http://jim.berlios.de here]
+ 
+ If you are interested in business models for free software projects
+ [link http://www.invece.org/article/financing.html Financing your Free Software with Google AdSense] can
+ be an interesting read.
+ 
+ ===More sites from the hping author===
+ 
+ -> The [link http://code.google.com/p/redis Redis] key-value store.
+ -> A [link http://antifavicon.com favicon.ico generator] web service.
+ -> [link http://mandelbrot.collettivamente.com Mandelbrot Fractals Real-Time Generator]
+ -> [link http://www.invece.org/blog/ Ragusa Ibla]
+ -> [link http://collettivamente.com Archivio Gruppi di Discussione]
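Review bot: this revision removes the entire idle scan write-up (the Fyodor quote, the link to the insecure.org paper, the original Bugtraq posting and the two `hping B -r` traces that contrast the `id=+1` baseline with the `id=+2`/`id=+3` increments) and replaces it with what is plainly the wiki home page ("Welcome to the [hping] wiki", news items, "Starting points of interest", an "===About this site===" heading that appears twice), so the page titled "idle scan" no longer documents idle scan at all. Given the page's own remark about vandalized pages, this reads as an accidental paste or a defacement rather than an intended rewrite, so revert to the Sun May 16 11:48:40 GMT 2004 revision (or restore the removed lines beside whatever additions were actually meant). Also check the line shown as `-  + Like most tools used in computer security, hping is useful to security experts`: it carries both a `-` and a `+` marker, and it is the sentence that the next added line "For more information see the [what's hping] page." follows on from, so confirm it was not dropped from the new text.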

The following is the old page content