Tuesday, October 12, 2004

Playing with Hping3 alpha-2

O'Reilly recently featured an interview with Hping author Salvatore Sanfilippo titled Network Tool Development with hping3. Hping is a packet crafting tool with a long lineage. I recommend reading the interview if you'd like background on Hping and what the developer formerly known as antirez is doing. I downloaded hping3-alpha-2.tar.gz to a system running FreeBSD 5.3 BETA1 and gave it a try.

Before extracting and installing the new Hping3, you must have a Tcl interpreter installed. Tcl is required because Hping now works within a Tcl shell. It surprised me to see Tcl used in something other than Sguil. Here are highlights from the installation process:

fedorov:/home/hping3-alpha-2$ ./configure
build byteorder.c...
create byteorder.h...
===> Found Tclsh in: /usr/local/bin/tclsh8.4
--------------------------------------
system type: FREEBSD

LIBPCAP : PCAP=-lpcap
PCAP_INCLUDE :
MANPATH : /usr/local/man
USE_TCL : -DUSE_TCL
TCL_VER : 8.4
TCL_INC : -I/usr/local/include/tcl8.4
LIBTCL : -ltcl84 -lm -lpthread
TCLSH : /usr/local/bin/tclsh8.4

(to modify try configure --help)
--------------------------------------
creating Makefile...
creating dependences...
now you can try `make'
fedorov:/home/hping3-alpha-2$ make
...edited...
./hping3 -v
hping version 3.0.0-alpha-1
($Id: release.h,v 1.4 2004/04/09 23:38:56 antirez Exp $)

Here's what running Hping3 looks like. I followed some of the getting started tutorial. First I resolve a hostname and then I try to send an ICMP packet:

fedorov:/root# hping3
hping3> hping resolve www.taosecurity.com
64.235.253.7
hping3> hping send {ip{daddr=64.235.253.7}+icmp{type=8,code=0}}
Packet building error: 'Unknown keyword: 'ip{daddr''
in packet ip{daddr=64.235.253.7}+icmp{type=8,code=0}
hping3>

Notice how I got an error when I mistyped curly braces instead of parentheses. Below I fixed the error and sent a packet.

hping3> hping send {ip(daddr=64.235.253.7)+icmp(type=8,code=0)}
hping3>

Next I receive a packet on the wire within Hping3:

hping3> hping recv em0
ip(ihl=0x5,ver=0x4,tos=0x10,totlen=100,id=27545,fragoff=0,mf=0,df=1,rf=0,ttl=64,
proto=6,cksum=0x1530,saddr=192.168.0.2,daddr=10.200.211.99)+tcp(sport=22,dport=52662,
seq=1986375295,ack=1633085875,x2=0x0,off=8,flags=pa,win=32832,cksum=0x9f2c,
urp=0)+tcp.nop()+tcp.nop()+tcp.timestamp(val=395937185,ecr=244409221)+data
(str=\2b\\8e9\\c3\\b2\\\\ac\\a0\\ddV\\81\\c6\\d1\\f1\\89\\\\bc\\c8\\df\\a4\\bf\{fq\\8
e\\1d\\f6\\fd\\96\\83\\bd\\%\\c4\\02E\\cds\\b1\\%\\e4&\\a4\\9fZX!)
hping3>

This packet is represented in Ars Packet Description (APD) format, a standard developed by Antirez. Check the Hping wiki for more information.

2 comments:

Anonymous said...

would have been nice if you had put something that wasnt on the friggin webpage...

Richard Bejtlich said...

You're free to do better.