Playing with Hping3 alpha-2

O'Reilly recently featured an interview with Hping author Salvatore Sanfilippo titled Network Tool Development with hping3. Hping is a packet crafting tool with a long lineage. I recommend reading the interview if you'd like background on Hping and what the developer formerly known as antirez is doing. I downloaded hping3-alpha-2.tar.gz to a system running FreeBSD 5.3 BETA1 and gave it a try.

Before extracting and installing the new Hping3, you must have a Tcl interpreter installed. Tcl is required because Hping now works within a Tcl shell. It surprised me to see Tcl used in something other than Sguil. Here are highlights from the installation process:

fedorov:/home/hping3-alpha-2$ ./configure
build byteorder.c...
create byteorder.h...
===> Found Tclsh in: /usr/local/bin/tclsh8.4
--------------------------------------
system type: FREEBSD

LIBPCAP : PCAP=-lpcap
PCAP_INCLUDE :
MANPATH : /usr/local/man
USE_TCL : -DUSE_TCL
TCL_VER : 8.4
TCL_INC : -I/usr/local/include/tcl8.4
LIBTCL : -ltcl84 -lm -lpthread
TCLSH : /usr/local/bin/tclsh8.4

(to modify try configure --help)
--------------------------------------
creating Makefile...
creating dependences...
now you can try `make'
fedorov:/home/hping3-alpha-2$ make
...edited...
./hping3 -v
hping version 3.0.0-alpha-1
($Id: release.h,v 1.4 2004/04/09 23:38:56 antirez Exp $)

Here's what running Hping3 looks like. I followed some of the getting started tutorial. First I resolve a hostname and then I try to send an ICMP packet:

fedorov:/root# hping3
hping3> hping resolve www.taosecurity.com
64.235.253.7
hping3> hping send {ip{daddr=64.235.253.7}+icmp{type=8,code=0}}
Packet building error: 'Unknown keyword: 'ip{daddr''
in packet ip{daddr=64.235.253.7}+icmp{type=8,code=0}
hping3>

Notice how I got an error when I mistyped curly braces instead of parentheses. Below I fixed the error and sent a packet.

hping3> hping send {ip(daddr=64.235.253.7)+icmp(type=8,code=0)}
hping3>

Next I receive a packet on the wire within Hping3:

hping3> hping recv em0
ip(ihl=0x5,ver=0x4,tos=0x10,totlen=100,id=27545,fragoff=0,mf=0,df=1,rf=0,ttl=64,
proto=6,cksum=0x1530,saddr=192.168.0.2,daddr=10.200.211.99)+tcp(sport=22,dport=52662,
seq=1986375295,ack=1633085875,x2=0x0,off=8,flags=pa,win=32832,cksum=0x9f2c,
urp=0)+tcp.nop()+tcp.nop()+tcp.timestamp(val=395937185,ecr=244409221)+data
(str=\2b\\8e9\\c3\\b2\\\\ac\\a0\\ddV\\81\\c6\\d1\\f1\\89\\\\bc\\c8\\df\\a4\\bf\{fq\\8
e\\1d\\f6\\fd\\96\\83\\bd\\%\\c4\\02E\\cds\\b1\\%\\e4&\\a4\\9fZX!)
hping3>

This packet is represented in Ars Packet Description (APD) format, a standard developed by Antirez. Check the Hping wiki for more information.

Comments

Anonymous said…
would have been nice if you had put something that wasnt on the friggin webpage...
You're free to do better.

Popular posts from this blog

Zeek in Action Videos

New Book! The Best of TaoSecurity Blog, Volume 4

MITRE ATT&CK Tactics Are Not Tactics