Home > Articles

  • Print
  • + Share This
This chapter is from the book

Exercise 5: hping2


Before an aggressor can successfully attack or exploit an organization, a certain level of reconnaissance must be performed. The aggressor must collect enough information about the target to have a solid understanding of the network, services, and probable vulnerabilities of the network she is attacking. Another tool to assist in that reconnaissance is hping2. hping2 is a network tool that sends custom ICMP, UDP, and TCP packets and displays target replies the same way ping does with ICMP replies. In addition to the normal ICMP functionality, hping2 can handle fragmentation, arbitrary packet body, and size. It can also be used to transfer files under supported protocols. This tool is useful for testing firewall rules, spoofed port scanning, network performance, packet sizes, TOS (type of service), fragmentation, path MTU discovery, file transfer, traceroute with different protocols, firewalk-like usage, remote OS fingerprinting, TCP/IP stack auditing, and much more.


The objective of this exercise is to provide an understanding of what an attacker can learn about your system from outside your organization. You will also learn how stealth mode can be used to protect the identity of the scanner.


Challenge Procedure

The following are the steps that you will perform for this exercise:

  1. Download and install hping2.

  2. Verify that you have an IP address bound to your NIC.

  3. Use hping2 to determine if a host is active. Use your host as the target for all scans, and use your actual IP address, not a local host, or

  4. Use hping2 to determine if a service is active. The target service will depend on your host configuration. The SSH service (port 22) may be a good service to scan for.

  5. Perform a stealth scan on your system with hping2.

Challenge Procedure Step-by-Step

The following are the detailed steps you will perform to install and run hping2 on your system:

  1. Create a folder called sans in the /usr/local directory using the following:

  2. cd /usr/local

    mkdir sans

    Figure 6.40

  3. Now, download hping2 from http://www.hping.org/hping2.0.0-rc1.tar.gz.

  4. Copy hping2 to the tools directory using the following:

  5. cp hping2.0.0-rc1.tar.gz /usr/local/tools

    cd /usr/local/tools

    Figure 6.41

  6. Now, install hping2. Use the following:

    tar zxf hping2.0.0-rc1.tar.gz

    Change the directory to hping2.0.0-rc1 using the following command:

    cd hping2

    Figure 6.42

  7. Edit the configure shell script so that it will correctly set the search path for the man files. To do this, use vi to edit the file:

  8. vi configure

    Figure 6.43

  9. Search for the line that sets the man path variable:


    After you type the slash key (/), the cursor goes to the bottom of the screen. Enter the search value and press Enter to execute the search.

    Figure 6.44

  11. Use your cursor keys to position your cursor to the right of the "e" in "echo."

  12. Change the remainder of the line by typing C (make sure you capitalize the C). The last part of the command should disappear. Enter the following:

    manpath | cut –f1 –d:´

    The last character in the previous line is the backward apostrophe, which is usually found to the left of the 1 key on a PC keyboard.

    Figure 6.45

  13. Press the Esc key to complete the change. Then, save the change and quit vi by typing the following:

  14. wq!

  15. Run configure to prepare the Makefile for compilation of hping2:

  16. ./configure

    Figure 6.46

  17. Run make to compile hping2.

  18. Figure 6.47

    After you type make, the system will compile the program and display several messages on the screen.

    Figure 6.48

  19. After make completes, run make install.

  20. Figure 6.49

  21. Now, use hping2 to determine if a host is active:

  22. hping2 –S –p 22

    Use the actual IP address of your system. Do not use

    Figure 6.50

    Challenge Question: What is the primary difference between hping2 and the standard ping utility?

  23. Use hping2 to see if the host is running the SSH Service. This is done by typing the following command:

  24. hping2 –S –p 22

    Figure 6.51

    Challenge Question: What is the benefit of hping2 displaying the TCP flags that were set in the return packets?

    Challenge Question: Notice that the return packets have the SYN/ACK flags set, which is the second stage of the TCP three-way handshake. What does this indicate?

  25. Next, use hping2 to scan a remote system and hide its identity. This is done by typing the following command:

  26. hping2 –a -S

    Figure 6.52

    Notice that no packets came back to the scanning system. That's because the spoofing option made the packets appear to be coming from another host.

Challenge Question: How can an attacker performing reconnaissance use spoofing?

Additional Reading

Find additional information on hping at http://www.hping.org.


hping2 is a powerful, stealthy tool that can be used to find remote hosts and determine the services running on the remote hosts. You have learned how a scan can use spoofing to hide the identity of the scanning system. Remember this when you start reviewing log files for evidence of scans performed on your system. Just because it says it came from Host A does not mean it did.

  • + Share This
  • 🔖 Save To Your Account