eJPT Junior Penetration Tester
ShopAuthorPatreonHTB Pro Labs
eCPPTv2 Certified Professional Penetration Tester
eCPPTv2 Certified Professional Penetration Tester
  • 🍕eCPPTv2 Study
  • Author
  • Certification
    • 🟢Exam Description
    • Register
  • RFS Tips
    • 🟢Before the Exam
    • 🟢Prepare your Setup
    • 🟢Questions?
    • 🎓Learn more... Get eCPPTv2
    • 🟢Start Hacking
  • Reports
    • PwnDoc Documentation
    • 🟢Templates
  • Methodology
    • 🟢To Scan a Network
    • 🟢To Attack a Linux Machine
    • 🟢To Attack a Windows Machine
    • 🟠Linux Privilege Escalation
    • Windows Privilege Escalation
    • Linux Post Exploitation
    • Windows Post Exploitation
    • Pivoting Methodology
  • Web Tools
    • Why these Tools
    • Rev Shells
    • MD5 Crack
    • CyberChef
    • SecLists
    • WADcoms
    • LOLBAS
    • GTFOBins
  • Network Security
    • Information Gathering
      • Intro
      • Passive / Active
      • OSINT
      • Social Media
      • Infrastructure
      • DNS
        • NSlookup
        • Dig
        • fierce
        • DNSenum
        • DNSmap
        • DNSrecon
      • Host Discovery
        • Fping
        • Hping
        • Nmap
      • Maltego
      • Foca
      • Breach Data
    • Scanning
      • Intro
      • Wireshark
        • Promiscuous Interface
        • 🟢Filters
        • Colors
        • Follow Stream
      • Scan Types
      • 🟢Hping3
      • Nmap
      • 💚eCPPTv2 - Firewall IDS Evasion
    • 🟢Enumeration
    • Sniffing & MitM Attacks
      • Passive
      • Active
      • MiTM
        • Local to Remote
        • DHCP Spoofing
        • LLMNR Poisoning
        • NBT-NS Poisoning
      • Tools
        • Dsniff
        • Wireshark
        • TCPDump
        • Ethercap
    • Exploitation
    • Post Exploitation
    • Social Engineering
    • Anonymity
  • Linux Exploitation
    • Introduction
    • Information Gathering
      • Remote Enumeration
        • Enum NFS
        • rpcbind
        • SMB
        • SMTP
      • Local Enumeration
        • Network Info
        • System Info
    • Exploitation over the Network
      • Samba
        • UserMap CVE-2007-2447
        • SymLink Directory Traversal
        • SambaCry CVE-2017-7494
        • Writeable Share to RCE
      • PHP CGI
      • Ruby DRB RMI port 8787
      • JAVA RMI Registry - port 1099
      • Exploiting Java Deserialization
      • TomCat
      • Password Spray Attack
      • Shellshock
      • Heartbleed
    • Post Exploitation
      • Intro
      • msfconsole scripts
      • Privilege Escalation
        • Docker
          • Unix Sockets Exploitation
        • Restricted Shells
        • Cracking Shadow File
        • 🟢Dump Memory Credentials
        • 🟢Dump SWAP Credentials
        • 🟢Shared Object Libraries
        • Kernel Exploits
          • Dirty Cow
          • Stack Clash
          • DCCP
          • Race Condition
          • msfconsole
      • Lateral Movement
        • Samba
          • Dump Samba Secrets
        • SSH
          • SSH Hijacking
          • Steal SSH credentials
        • VPNPivot
        • Dump Firefox Credentials
        • Sniffing
      • Data Exfiltration
      • Maintaining Access
        • HTTPS
        • Reverse Shells
        • Custom Services
  • Metasploit
    • Notes
    • 🟢Detect Live Hosts with Metasploit
    • 🟢Port Scanning with Metasploit
    • Network Services Scanning
    • Payloads
    • Exploitation with Metasploit
    • Post Exploitation with Metasploit
  • System Security
    • Page 5
  • Web App Security
    • Best Academy
    • HTTP
      • Basics
      • Encoding
      • Same Origin
      • Cookies
      • Sessions
      • Web Proxies
    • Enumerating
      • Infrastructure
      • Mapping Application
    • Tools
    • XSS
      • Free Courses
      • XSS Types
      • Attack Types
    • SQL Injection
    • CMSs
  • Powershell for Pentesters
    • Page 2
  • Wi-Fi Security
    • Page 6
  • Commands Notes
    • 🟢Information Gathering
    • 🟢Host Discovery
    • 🟢Scanning
    • 🟢Enumeration
    • 🟢MSFVenom
  • Pivoting
    • Tips
    • Socks4 vs Socks5
    • Pivoting Techniques
    • Meterpreter
    • SSH
    • Proxy Chains
    • 🟢Chisel
    • Socat
  • Buffer OverFlow
    • Tips for Bof in eCPPTv2
    • Computerphile - Buffer Overflow
    • The Cyber Mentor - BoF
  • 🟢TryHackMe Rooms
    • 🟢Privilege Escalation
      • LazyAdmin
      • LinuxPrivEsc
      • Empline
      • Windows 10 Privesc
    • 🟢Pivoting
      • Wreath Network
      • VulnNetInternal
    • 🟢Buffer Overflow
      • Gatekeeper
      • Buffer Overflow Prep
    • 🟢Metasploit
      • RP Metasploit
      • Metasploit Intro
  • Community Exam Tips
    • Exploits
    • Shells
    • PrivEsc
    • Report
    • BoF
    • Wordlists
    • 🟢Articles - Exam Reviews
    • 🟢Videos - Exam Reviews
  • Free Courses
    • Page 1
  • Paid Courses
    • Page 3
  • After Exam
    • Page 4
Powered by GitBook
On this page

Was this helpful?

  1. Network Security
  2. Scanning

Hping3

hping3 -S -p 80 -c 3 <IP>
usage: hping3 host [options]
  -h  --help      show this help
  -v  --version   show version
  -c  --count     packet count
  -i  --interval  wait (uX for X microseconds, for example -i u1000)
      --fast      alias for -i u10000 (10 packets for second)
      --faster    alias for -i u1000 (100 packets for second)
      --flood      sent packets as fast as possible. Don't show replies.
  -n  --numeric   numeric output
  -q  --quiet     quiet
  -I  --interface interface name (otherwise default routing interface)
  -V  --verbose   verbose mode
  -D  --debug     debugging info
  -z  --bind      bind ctrl+z to ttl           (default to dst port)
  -Z  --unbind    unbind ctrl+z
      --beep      beep for every matching packet received
Mode
  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode
  -8  --scan       SCAN mode.
                   Example: hping --scan 1-30,70-90 -S www.target.host
  -9  --listen     listen mode
IP
  -a  --spoof      spoof source address
  --rand-dest      random destionation address mode. see the man.
  --rand-source    random source address mode. see the man.
  -t  --ttl        ttl (default 64)
  -N  --id         id (default random)
  -W  --winid      use win* id byte ordering
  -r  --rel        relativize id field          (to estimate host traffic)
  -f  --frag       split packets in more frag.  (may pass weak acl)
  -x  --morefrag   set more fragments flag
  -y  --dontfrag   set don't fragment flag
  -g  --fragoff    set the fragment offset
  -m  --mtu        set virtual mtu, implies --frag if packet size > mtu
  -o  --tos        type of service (default 0x00), try --tos help
  -G  --rroute     includes RECORD_ROUTE option and display the route buffer
  --lsrr           loose source routing and record route
  --ssrr           strict source routing and record route
  -H  --ipproto    set the IP protocol field, only in RAW IP mode
ICMP
  -C  --icmptype   icmp type (default echo request)
  -K  --icmpcode   icmp code (default 0)
      --force-icmp send all icmp types (default send only supported types)
      --icmp-gw    set gateway address for ICMP redirect (default 0.0.0.0)
      --icmp-ts    Alias for --icmp --icmptype 13 (ICMP timestamp)
      --icmp-addr  Alias for --icmp --icmptype 17 (ICMP address subnet mask)
      --icmp-help  display help for others icmp options
UDP/TCP
  -s  --baseport   base source port             (default random)
  -p  --destport   [+][+]<port> destination port(default 0) ctrl+z inc/dec
  -k  --keep       keep still source port
  -w  --win        winsize (default 64)
  -O  --tcpoff     set fake tcp data offset     (instead of tcphdrlen / 4)
  -Q  --seqnum     shows only tcp sequence number
  -b  --badcksum   (try to) send packets with a bad IP checksum
                   many systems will fix the IP checksum sending the packet
                   so you'll get bad UDP/TCP checksum instead.
  -M  --setseq     set TCP sequence number
  -L  --setack     set TCP ack
  -F  --fin        set FIN flag
  -S  --syn        set SYN flag
  -R  --rst        set RST flag
  -P  --push       set PUSH flag
  -A  --ack        set ACK flag
  -U  --urg        set URG flag
  -X  --xmas       set X unused flag (0x40)
  -Y  --ymas       set Y unused flag (0x80)
  --tcpexitcode    use last tcp->th_flags as exit code
  --tcp-mss        enable the TCP MSS option with the given value
  --tcp-timestamp  enable the TCP timestamp option to guess the HZ/uptime
Common
  -d  --data       data size                    (default is 0)
  -E  --file       data from file
  -e  --sign       add 'signature'
  -j  --dump       dump packets in hex
  -J  --print      dump printable characters
  -B  --safe       enable 'safe' protocol
  -u  --end        tell you when --file reached EOF and prevent rewind
  -T  --traceroute traceroute mode              (implies --bind and --ttl 1)
  --tr-stop        Exit when receive the first not ICMP in traceroute mode
  --tr-keep-ttl    Keep the source TTL fixed, useful to monitor just one hop
  --tr-no-rtt       Don't calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
  --apd-send       Send the packet described with APD (see docs/APD.txt)
sudo hping3 -h
sudo hping3 -1 0.0.0.0 -c 3
sudo hping3 --icmp-ts 0.0.0.0 -c 3 -V   ( 
sudo hping3 -2 0.0.0.0 -c 3 -V 
sudo hping3 -S 0.0.0.0 -c 3
sudo hping3 -S 0.0.0.0 -c 3 -p 80
Send different TCP flags
sudo hping3 -F 0.0.0.0 -c 3      (FIN Flag)
sudo hping3 -U 0.0.0.0 -c 3      (URG Flag)
sudo hping3 -X 0.0.0.0 -c 3      (XMS Package)
sudo hping3 -Y 0.0.0.0 -c 3      (YMS Flag)
sudo hping3 -F -P -U 0.0.0.0 -c 3 
sudo hping3 -1 0.0.0.x --rand-dest -I eth0 
PreviousScan TypesNextNmap

Last updated 2 years ago

Was this helpful?

🟢