HPING OPTIONS

  -h --help        Show help
  -v --version     Version information
  -c N --count     Send N packets
  -i --interval    Interval between packets (in milliseconds). The default is 1 second. This option matters when you want to raise the transmit rate, and it is also used in idle/spoofing scans; see hping-howto for more information.
  --fast           Send 10 packets per second (looks usable as a DoS; I have not tested it, I could not bring myself to use a classmate as the target)
  --faster         Alias for -i u1
  --flood          This is way faster than specifying the -i u0 option
  -n --numeric     Numeric output: host addresses are not resolved to symbolic names (not much use)
  -q --quiet       Quiet: nothing is printed except the summary lines at start and finish
  -I --interface interface name   Specify the network interface; useful on a host with several NICs.
  -V --verbose     Show much more information. A TCP reply then looks like:
                   len=46 ip=192.168.1.1 flags=RADF seq=0 ttl=255 id=0 win=0 rtt=0.4ms tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0
  -D --debug       Debug mode. When you run into trouble, e.g. hping behaves differently from what you expect, use this mode to troubleshoot it (INTERFACE DETECTION, DATA LINK LAYER ACCESS, INTERFACE SETTINGS, ...)
  -z --bind        Bind a keyboard shortcut (set it to your own liking)
  -Z --unbind      Remove the shortcut binding

PROTOCOL SELECTION

  -0 --rawip       RAW IP mode: in this mode hping sends an IP header with data appended. Original text: RAW IP mode, in this mode hping3 will send IP header with data appended with --signature and/or --file, see also --ipproto that allows you to set the ip protocol field.
  -1 --icmp        ICMP mode: by default hping sends ICMP echo requests; with --icmptype and --icmpcode you can send other ICMP types/codes.
  -2 --udp         UDP mode: by default hping sends UDP packets to port 0 of the host; use --baseport, --destport and --keep to change this.
  -8 --scan        Scan mode
  -9 --listen str  Listen mode: hping receives the data that follows the given signature. For example, with hping --listen TEST, when the data 234-09 sdflkjs45-TESThello_world arrives, hello_world is displayed.

IP OPTIONS

  -a --spoof IP    Spoof the source IP address. The firewall will then not log your real IP, but of course you will not receive the replies either.
                   hping3 -1 -a 8.8.8.8 58.30.34.18 -c 1 sends an ICMP type 8 code 0 packet whose source address is 8.8.8.8
  --rand-source    Use a random source address: hping3 -1 --rand-source 58.30.34.18
  --rand-dest      Use random destination addresses, e.g. hping3 -I eth0 -1 58.30.34.x --rand-dest -c 10
  -t --ttl num     Set the TTL of outgoing packets. hping3 -1 -t 2 58.30.34.18 -c 1 sends an ICMP 8/0 echo request with a TTL of 2. This option is usually combined with --traceroute or --bind, e.g. hping 1.1.1.1 -t 1 --traceroute
  -N --id          Set the 16-bit identification field of the IP header (used for fragmentation); the value is given in decimal.
  -H --ipproto     Set the IP protocol in RAW IP mode
  -W --winid       UNIX and Windows reply with different IDs; this option makes the ID replies display the way Windows sends them
  -r --rel         Display ID increments instead of the ID itself; see HPING-HOWTO
  -f --frag        Fragment the packets; this tests how the target handles fragments. The default 'virtual mtu' is 16 bytes.
  -x --morefrag    Set the More Fragments flag: sends fragments that keep the host busy reassembling, which can cause a denial of service on the host
  -y --dontfrag    Set the Don't Fragment flag: the packets cannot be fragmented, which lets you learn more about MTU path discovery
  -o --tos hex_tos TOS = TYPE OF SERVICE (0x00 default, 0x02 minimise cost, 0x04 reliability, 0x08 throughput, 0x10 low delay)
  -G --rroute      Record route: shows detailed data for up to 9 routers. Even if the host filters ICMP, route recording only involves IP, so it can still be recorded; it also works under TCP and UDP.
  -g --fragoff fragment offset value   Set the fragment offset
  -m --mtu mtu value   With this option the ID values become very large (50000); without it they are around 3000-20000

ICMP OPTIONS

  -C --icmptype    Specify the ICMP type; default is ICMP ECHO REQUEST
  -K --icmpcode    Specify the ICMP code; default 0
  --icmp-ipver     Also set the IP version field of the IP header
  --icmp-iphlen    Set the IP header length; default 5 (32 bytes)
  --icmp-iplen     Set the IP packet length
  --icmp-ipid      Set the ID of the IP header in the ICMP packet; default RANDOM
  --icmp-ipproto   Set the protocol; default TCP
  --icmp-cksum     Set the checksum
  --icmp-ts        Alias for --icmptype 13 (to send ICMP timestamp requests)
  --icmp-addr      Alias for --icmptype 17 (to send ICMP address mask requests)

TCP/UDP OPTIONS

  -s --baseport sPort   hping uses the source port to match replies: it counts up from a base port, and the port increases by 1 with each packet. You can change this rule; with -k --keep the port does not increase. The base port is random on each run.
  -p --destport [+][+]dest port   Set the destination port, default 0. One plus sign: the port is incremented by 1 each time a reply to a request arrives; two plus signs: the port is incremented by 1 for each packet sent.
  --keep           Keep still source port, see --baseport for more information.
  -w --win         Set TCP window size. Default is 64.
  -O --tcpoff      Set fake tcp data offset. Normal data offset is tcphdrlen / 4.
  -M --tcpseq      Set the TCP sequence number
  -L --tcpack      Set the TCP ack
  -Q --seqnum      Collect sequence numbers; this is very useful for analysing a host's TCP sequence numbers, for example:
                   #hping2 win98 --seqnum -p 139 -S -i u1 -I eth0
                   HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes
                   2361294848 +2361294848
                   2411626496 +50331648
                   2545844224 +134217728
                   2713616384 +167772160
                   2881388544 +167772160
                   3049160704 +167772160
                   3216932864 +167772160
                   3384705024 +167772160
                   3552477184 +167772160
                   3720249344 +167772160
                   3888021504 +167772160
                   4055793664 +167772160
                   4223565824 +167772160
                   The first column is the sequence number and the second is the difference from the previous one, so you can predict the host's sequence numbers (after the three-way handshake the increment basically stops changing and stays at 167772160).
  -b --badcksum    Send UDP/TCP packets with a bad checksum
  --tcp-mss        Enable the TCP MSS option and set it to the given value.
  --tcp-timestamp  Enable the TCP timestamp option, and try to guess the timestamp update frequency and the remote system uptime.
  -F --fin         Set FIN tcp flag
  -S --syn         Set SYN tcp flag.
  -R --rst         Set RST tcp flag.
  -P --push        Set PUSH tcp flag.
  -A --ack         Set ACK tcp flag.
  -U --urg         Set URG tcp flag.
  -X --xmas        Set Xmas tcp flag.
  -Y --ymas        Set Ymas tcp flag.

OTHER

  -d --data data size   Set the packet data size. Note that with a DATA size of 40 the output is:
                   HPING www.yahoo.com (ppp0 204.71.200.67): NO FLAGS are set, 40 headers + 40 data bytes
  -E --file filename    Fill the packet contents from FILENAME
  -j --dump        Dump received packets in hex.
  -J --print       Dump received packets' printable characters.
  -B --safe        Make sure the data is sent completely. For example, to send A's /etc/passwd to B:
                   [host_a]# hping2 host_b --udp -p 53 -d 100 --sign signature --safe --file /etc/passwd
                   [host_b]# hping2 host_a --listen signature --safe --icmp
  -u --end         If you used --file, this option lets you stop receiving useless data automatically once EOF is reached
  -T --traceroute  Traceroute mode
  --tr-keep-ttl    A traceroute-related option. Keep the TTL fixed in traceroute mode, so you can monitor just one hop in the route. For example, to monitor how the 5th hop changes or how its RTT changes you can try hping3 host --traceroute --ttl 5 --tr-keep-ttl.
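The --seqnum output above is most useful when you turn it into a check you can run against your own hosts: parse the two columns, recompute the increments (modulo 2^32, since TCP sequence numbers wrap) and flag a generator whose step stops changing, as the win98 sample does at 167772160. This is an added example, not hping's own code; the sample rows are copied from the run shown above.

```python
import re
from typing import List, Tuple

# Rows copied from the --seqnum run shown above (hping2 against a win98 host):
# first column is the sequence number the host replied with, second column the
# increment hping printed relative to the previous reply.
SEQNUM_OUTPUT = """\
HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes
2361294848 +2361294848
2411626496 +50331648
2545844224 +134217728
2713616384 +167772160
2881388544 +167772160
3049160704 +167772160
3216932864 +167772160
"""

ROW_RE = re.compile(r"^(\d+)\s+\+(\d+)$")
MOD32 = 1 << 32   # TCP sequence numbers are 32-bit and wrap around

def parse_seqnum(output: str) -> List[int]:
    """Return the sequence numbers from --seqnum output, skipping the banner line."""
    seqs = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            seqs.append(int(m.group(1)))
    return seqs

def increments(seqs: List[int]) -> List[int]:
    """Differences between consecutive sequence numbers, modulo 2**32."""
    return [(b - a) % MOD32 for a, b in zip(seqs, seqs[1:])]

def isn_is_predictable(seqs: List[int], window: int = 3) -> Tuple[bool, int]:
    """Audit check: if the last `window` increments are all identical, the ISN
    generator is a fixed-step counter and the next value is trivially guessable.
    Returns (predictable, step); step is 0 when the check does not fire."""
    inc = increments(seqs)
    if len(inc) < window:
        return False, 0
    tail = inc[-window:]
    if all(x == tail[0] for x in tail):
        return True, tail[0]
    return False, 0

if __name__ == "__main__":
    seqs = parse_seqnum(SEQNUM_OUTPUT)
    print(increments(seqs))          # recomputed second column
    print(isn_is_predictable(seqs))  # (True, 167772160) for the win98 sample
```

A host with a proper randomised ISN generator should never trip this check; if it does, that is a finding to fix on the host, not something the increments alone explain.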
  --tr-stop        Stop sending automatically as soon as an ICMP unreachable reply arrives
  --tr-no-rtt      Do not show RTT information in traceroute mode
  --tcpexitcode    Under certain rules this lets you find out whether the host is alive
  -e --sign signature   Specify the contents at the start of the payload. Fill first signature length bytes of data with signature. If the signature length is bigger than data size an error message will be displayed. If you don't specify the data size hping will use the signature size as data size. This option can be used safely with --file filename option, remainder data space will be filled using filename.

TCP OUTPUT FORMAT

The standard TCP output format is the following:

  len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms

len is the size, in bytes, of the data captured from the data link layer excluding the data link header size. This may not match the IP datagram size due to low level transport layer padding.
ip is the source ip address.
flags are the TCP flags, R for RESET, S for SYN, A for ACK, F for FIN, P for PUSH, U for URGENT, X for not standard 0x40, Y for not standard 0x80. If the reply contains DF the IP header has the don't fragment bit set.
seq is the sequence number of the packet, obtained using the source port for TCP/UDP packets, the sequence field for ICMP packets.
id is the IP ID field.
win is the TCP window size.
rtt is the round trip time in milliseconds.

If you run hping using the -V command line switch it will display additional information about the packet, example:

  len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
  tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0

tos is the type of service field of the IP header.
iplen is the IP total len field.
seq and ack are the sequence and acknowledge 32bit numbers in the TCP header.
sum is the TCP header checksum value.
urp is the TCP urgent pointer value.

UDP OUTPUT FORMAT

The standard output format is:

  len=46 ip=192.168.1.1 seq=0 ttl=64 id=0 rtt=6.0 ms

The field meaning is just the same as the TCP output meaning of the same fields.
ICMP OUTPUT FORMAT

An example of ICMP output is:

  ICMP Port Unreachable from ip=192.168.1.1 name=nano.marmoc.net

It is very simple to understand. It starts with the string "ICMP" followed by the description of the ICMP error, Port Unreachable in the example. The ip field is the IP source address of the IP datagram containing the ICMP error, the name field is just the numerical address resolved to a name (a dns PTR request) or UNKNOWN if the resolution failed.

The ICMP Time exceeded during transit or reassembly format is a bit different:

  TTL 0 during transit from ip=192.168.1.1 name=nano.marmoc.net
  TTL 0 during reassembly from ip=192.70.106.25 name=UNKNOWN

The only difference is the description of the error, it starts with TTL 0.