Red Hat Linux 6.0 installation (5): installing hping2

Kali Linux Penetration Testing Fundamentals (Part 2): Vulnerability Scanning (FreeBuf)
* Original author: sysorem. This article is part of the FreeBuf original-content reward programme.

Vulnerability Scanning

Network traffic
Network traffic is the volume of data transmitted over a network.

TCP protocol
TCP is the transport-layer protocol of the Internet and establishes connections with a three-way handshake. After the initiating side sends a SYN connection request, it waits for the peer's SYN+ACK and finally acknowledges the peer's SYN with an ACK. This way of establishing a connection prevents erroneous connections. The flow-control mechanism TCP uses is a variable-size sliding-window protocol.

Connection establishment
The TCP three-way handshake proceeds as follows:
(1) The client sends a SYN (SEQ=x) segment to the server and enters the SYN_SEND state.
(2) The server receives the SYN and replies with a SYN (SEQ=y) ACK (ACK=x+1) segment, entering the SYN_RECV state.
(3) The client receives the server's SYN and replies with an ACK (ACK=y+1) segment, entering the Established state.
The three-way handshake is complete: the TCP client and server have successfully established a connection and can start transferring data.

Connection termination
Establishing a connection takes three handshakes, but terminating one takes four. This is caused by TCP's half-close.
(1) One application process calls close first; that end is said to perform the "active close". Its TCP then sends a FIN segment, indicating that it has finished sending data.
(2) The peer that receives this FIN performs the "passive close"; the FIN is acknowledged by TCP. Note: receipt of the FIN is also passed to the receiving application as an end-of-file, queued behind any other data already waiting for that application, because receipt of the FIN means the receiving application has no more data to receive on that connection.
(3) Some time later, the application that received the end-of-file calls close on its socket. This causes its TCP to send a FIN as well.
(4) The TCP on the original sending side (the end that performed the active close) receives this final FIN and acknowledges it.

UDP protocol
UDP, the User Datagram Protocol, is used like TCP to handle datagrams on the network, but it is a connectionless protocol. In the OSI model it sits at layer 4, the transport layer, directly above IP. UDP has the drawbacks of providing no datagram grouping or reassembly and of being unable to order datagrams; in other words, once a datagram has been sent there is no way to know whether it arrived safely and intact. UDP supports network applications that need to transfer data between computers; many client/server applications, including network video-conferencing systems, use UDP.

ICMP protocol
ICMP (Internet Control Message Protocol) is a sub-protocol of the TCP/IP suite used to pass control messages between IP hosts and routers. Control messages are messages about the network itself: whether the network is reachable, whether a host is reachable, whether a route is available, and so on. Although these control messages carry no user data, they play an important role in the delivery of user data. The ping command uses ICMP.

Nmap
Nmap is used constantly in penetration testing. It can not only determine which hosts on the target network are alive, but also scan each host's operating system, open ports and services, and it may even obtain user certificates. Mastering Nmap greatly improves penetration-testing skill.

Command structure
nmap -sS -T2 -p 1-500 192.168.1.1 -oN metscan.txt
The nmap command is followed by the scan type. The first argument, -sS, selects a stealth scan; the second, -T2, is the timing option, which sets the speed and traffic volume of the scan; the third, -p, sets the ports to scan. 192.168.1.1 that follows is the scan target, which can be an IP address or a network range. After the target come the output options, which save the results to a file for the tester to analyse.

Practical examples
OS detection, TCP scan, SYN scan, ACK scan, UDP scan...

OS detection:
nmap -O -Pn URI
(-Pn disables Nmap's host discovery and assumes all hosts are up.) The screenshot shows the result as a Windows operating system.

TCP scan
The most reliable of the port scans; it uses the TCP three-way handshake. A TCP scan is usually used to gather more information about the target, but it establishes a complete TCP connection with the target host.
nmap -sT -Pn URI
The screenshot shows telnet, http and other services open.
-sT: TCP connect scan (-s => which scan type? T => TCP)

SYN scan: TCP two-way handshake (stealth scan, fast, Nmap's default)
nmap -sS -Pn URI
-sS (-s => which scan type? S => SYN)

ACK scan: used to determine whether a TCP port is filtered by a firewall
nmap -sA -Pn URI
-sA (-s => which scan type? A => ACK)

UDP scan
DHCP, DNS, SNMP, TFTP and others use UDP. A UDP scan assesses the UDP ports on the target system and can tell whether a UDP port is open or filtered by a firewall.
nmap -sU URI
U => UDP, V => version information (-sV adds version detection to the UDP scan). There is no -PN parameter here (think of it from UDP's point of view: once you have sent, you are done, whether or not the other side received it).

Timing templates
The timing parameter specifies the speed of an Nmap scan. The options are:
T0: paranoid. Slow network scan, serial, 5 minutes between probes. Extremely slow.
T1: Sneaky. Slow network scan, serial, 15 seconds between probes. Fairly slow.
T2: Polite. Medium-speed network scan, serial, 400 milliseconds between probes. Slow.
T3: Normal. Medium-speed network scan, parallel, 0 seconds between probes. Normal speed.
T4: Aggressive. Fast network scan, parallel, 0 seconds between probes. Fairly fast.
T5: Normal. Fast network scan, parallel, 0 seconds between probes. Extremely fast.

Scanning ports: -p Port
nmap -sS -p PORT URI
nmap -sS -p 80,135,2.168.1.1
The screenshot scans ports 80, 135 and one more port; the result shows only port 80 open.

Scanning an IP range
nmap 192.168.1.1-255 # scan every IP from 192.168.1.1 to 192.168.1.255
nmap 192.168.1.1/24 # scan every IP from 192.168.1.1 to 192.168.1.255
nmap -iL IPL.txt # scan every IP listed in IPL.txt

Output options
-oN save as a text file
-oX save as an XML file
-oG save as grepable output
-oS script output
nmap -oN metscan.txt 192.168.154.134 # save the scan results to the file metscan.txt

hping3
hping3 is a free packet generator and analyser for the TCP/IP protocols. Hping is one of the de facto tools for security auditing and testing of firewalls and networks. hping3 can be scripted in Tcl and implements an engine for string-based, human-readable descriptions of TCP/IP packets.

Command structure
hping3 -c 1000 -d 120 -S -w 64 -p 80 --flood --rand-source www.
-c 1000: the number of packets to send.
-d 120: the size of each packet sent to the target machine.
-S: send only SYN packets.
-w 64: the TCP window size.
-p 80: the destination port.
--flood: send packets as fast as possible, without bothering to display incoming replies. Flood mode.
--rand-source: use random source IP addresses. -a or --spoof can also be used to hide the host.
www.: the destination IP address, or the IP address of the target machine.
Practical example: SYN flood attack (DoS).

Nessus
Nessus is the most widely used system vulnerability scanning and analysis software in the world. It is an automated vulnerability-collection tool that can test remotely or on the host itself, scanning the services on open ports for vulnerabilities; it is a comprehensive vulnerability-detection tool. Kali does not ship with Nessus, so it has to be installed. Installing Nessus on Linux is fairly involved, so we chose to install and use it on Windows. The professional edition of Nessus is paid, so we chose the Home edition. After you apply, Nessus gives you a Home edition serial number; enter it and the download starts. Once the download is complete, log in to Nessus with your username and password. Then add a scan target. Click the Start button to begin the vulnerability scan. View the scan results. Exporting a report: once the scan has finished, the results can be exported as a report from Export, in Nessus, PDF, HTML, CSV or Nessus DB format.

whatweb
WhatWeb is a website fingerprinting tool that answers the question "what technology does this website use?" WhatWeb can tell you what software a site is built with: the CMS, the blog platform, JavaScript libraries, the web server, embedded devices and so on. WhatWeb has more than 900 plugins and can identify version numbers, email addresses, account IDs, web frameworks, SQL errors and more.
Simple usage: whatweb URI
For example: whatweb www.sysorem.xyz
From the result you can see that the site's web server is Apache 2.2.15, the country is US, the email address is master@sysorem.xyz, HTML5 is supported, the server OS is Red Hat Linux, the IP address is 52.91.79.239, the site uses the jQuery library, and it is based on WordPress 4.5.3.

DirBuster
DirBuster is a multi-threaded Java application designed to brute-force directory and file names on web/application servers; it is a fuzzing tool used mainly to scan for directories and file names.
Run on the CLI: dirbuster -H -u URI/ -l wordlist
Using the GUI: dirbuster -u URI/
For example: some of the directories and file names DirBuster found.

joomscan
Features of the Joomla Security Scanner:
1. Exact version detection (it can detect the version of the Joomla installation).
2. Detection of common Joomla!-based web application firewalls.
3. Search for known Joomla security vulnerabilities and those of its components.
4. Reports in text and HTML format.
5. Immediate software update capability.
Pick any Joomla-based site, for example http://37.60.253.96/
joomscan -u http://37.60.253.96/
Scan result: a pile of vulnerabilities and exploits.

wpscan
WPScan is a security scanner for WordPress. It can enumerate the WordPress version, themes, plugins and back-end users, and brute-force back-end user passwords.
Simple commands:
wpscan --url URI --enumerate p # enumerate plugins
wpscan --url URI --enumerate u # enumerate back-end users
Brute-force a password for a given username:
wpscan --url URI --wordlist DIC.lst --username USER
For example, run wpscan --url www.sysorem.xyz --enumerate u
* Original author: sysorem; reproduction must credit the source.
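The article lists -oG among Nmap's output options; as an added example (not code from the original article), the following Python parses grepable output and flags open ports that are not in an expected baseline, which is how a defender turns a scan into an exposure check. The scan output, host names and baseline below are constructed.

```python
"""Parse Nmap grepable (-oG) output and flag open ports outside a baseline.

Added example, not code from the original article. The sample below is
constructed to look like what `nmap -sS -sV -oG - <targets>` prints; the hosts,
names and baseline are made up.
"""
import re
from collections import defaultdict

# Constructed -oG output: one "Host:" line per record, fields separated by tabs,
# port entries separated by ", " and each entry made of 7 "/"-separated fields.
SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated as: nmap -sS -sV -oG - 192.168.1.0/24\n"
    "Host: 192.168.1.1 (gw.lab.test)\tStatus: Up\n"
    "Host: 192.168.1.1 (gw.lab.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.4/, "
    "80/open/tcp//http//nginx 1.18.0/, 135/filtered/tcp//msrpc///"
    "\tIgnored State: closed (997)\n"
    "Host: 192.168.1.20 (web.lab.test)\tStatus: Up\n"
    "Host: 192.168.1.20 (web.lab.test)\tPorts: 80/open/tcp//http//Apache httpd 2.2.15/, "
    "23/open/tcp//telnet///, 161/open|filtered/udp//snmp///\tIgnored State: closed (996)\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned\n"
)

# Constructed baseline: the (port, protocol) pairs each host is expected to expose.
BASELINE = {
    "192.168.1.1": {(22, "tcp"), (80, "tcp")},
    "192.168.1.20": {(80, "tcp")},
}

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\t(.*)$")


def parse_gnmap(text):
    """Return {ip: {"name": str, "ports": [(port, proto, state, service, version)]}}."""
    hosts = defaultdict(lambda: {"name": "", "ports": []})
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                          # comment and blank lines
        ip, name, rest = m.groups()
        hosts[ip]["name"] = name
        for field in rest.split("\t"):
            if not field.startswith("Ports:"):
                continue                      # "Status:" / "Ignored State:" fields
            for entry in field[len("Ports:"):].split(", "):
                # port/state/proto/owner/service/rpcinfo/version; the version
                # text may itself contain "/", so split only on the first six.
                parts = entry.strip().split("/", 6)
                if len(parts) < 7:
                    continue                  # malformed entry: skip, don't crash
                port, state, proto, _owner, service, _rpc, version = parts
                hosts[ip]["ports"].append(
                    (int(port), proto, state, service, version.rstrip("/")))
    return dict(hosts)


def unexpected_open_ports(hosts, baseline):
    """List (ip, port, proto, service) for open ports the baseline does not allow."""
    findings = []
    for ip, info in sorted(hosts.items()):
        allowed = baseline.get(ip, set())
        for port, proto, state, service, _version in info["ports"]:
            # UDP ports Nmap cannot distinguish are reported as "open|filtered";
            # treat them as potentially exposed as well.
            if state.startswith("open") and (port, proto) not in allowed:
                findings.append((ip, port, proto, service))
    return findings


if __name__ == "__main__":
    for ip, port, proto, service in unexpected_open_ports(parse_gnmap(SAMPLE_GNMAP), BASELINE):
        print(f"{ip}: {port}/{proto} ({service}) is open but not in the baseline")
```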
hping3(8) - Linux man page
hping3 - send (almost) arbitrary TCP/IP packets to network hosts
hping3 [ -hvnqVDzZ012WrfxykQbFSRPAUXYjJBuTG ] [ -c count ] [ -i wait ] [ --fast ] [ -I
interface ] [ -9 signature ] [ -a host ] [ -t ttl ] [ -N ip id ] [ -H ip protocol
] [ -g fragoff ] [ -m mtu ] [ -o tos ] [ -C icmp type ] [ -K icmp code ] [ -s
source port ] [ -p[+][+] dest port ] [ -w tcp window ] [ -O tcp offset ] [ -M tcp sequence
number ] [ -L tcp ack ] [ -d data size ] [ -E filename ] [ -e signature ] [ --icmp-ipver
version ] [ --icmp-iphlen length ] [ --icmp-iplen length ] [ --icmp-ipid id ] [ --icmp-ipproto
protocol ] [ --icmp-cksum checksum ] [ --icmp-ts ] [ --icmp-addr ] [ --tcpexitcode ] [ --tcp-timestamp ] [
--tr-stop ] [ --tr-keep-ttl ] [ --tr-no-rtt ] [ --rand-dest ] [ --rand-source ] [ --beep ] hostname
Description
hping3 is a network tool able to send custom TCP/IP packets and to display target replies the way the ping program does with ICMP replies. hping3 handles
fragmentation, arbitrary packet body and size, and can be used to transfer files encapsulated under supported protocols. Using hping3 you are able to
perform at least the following:
- Test firewall rules
- Advanced port scanning
- Test net performance using different protocols, packet size, TOS (type of service) and fragmentation.
- Path MTU discovery
- Transferring files between even really fascist firewall rules.
- Traceroute-like under different protocols.
- Firewalk-like usage.
- Remote OS fingerprinting.
- TCP/IP stack auditing.
- A lot of others.
It's also a good didactic tool to learn TCP/IP. hping3 is developed and maintained by
and is licensed under GPL version 2.
Development is open, so you can send me patches, suggestions and affronts without inhibitions.
Hping Site
The primary site is at . You can find both the stable release and the instructions to download the latest source code at
Base Options
-h --help
Show a help screen on standard output, so you can pipe it to less.
-v --version
Show version information and the API used to access the data link layer (Linux sock packet or libpcap).
-c --count count
Stop after sending (and receiving) count response packets. After the last packet is sent, hping3 waits COUNTREACHED_TIMEOUT seconds for target host replies.
You can tune COUNTREACHED_TIMEOUT by editing hping3.h.
-i --interval
Wait the specified number of seconds or microseconds between sending each packet. --interval X sets the wait to X seconds, --interval uX sets the wait
to X microseconds. The default is to wait one second between packets. When using hping3 to transfer files, tuning this option is really important in order to
increase the transfer rate. Even when using hping3 to perform idle/spoofing scanning you should tune this option; see HPING3-HOWTO for more information.
--fast
Alias for -i u10000. Hping will send 10 packets per second.
--faster
Alias for -i u1. Faster than --fast (but not as fast as your computer can send packets, due to the signal-driven design).
--flood
Send packets as fast as possible, without taking care to show incoming replies. This is way faster than specifying the -i u0 option.
-n --numeric
Numeric output only; no attempt will be made to look up symbolic names for host addresses.
-q --quiet
Quiet output. Nothing is displayed except the summary lines at startup time and when finished.
-I --interface interface name
By default, on Linux and BSD systems hping3 uses the default routing interface. On other systems, or when there is no default route, hping3 uses the first
non-loopback interface. However, you can force hping3 to use the interface you need with this option. Note: you don't need to specify the whole name;
for example -I et will match eth0, ethernet0, myet1 et cetera. If no interface matches, hping3 will try to use lo.
-V --verbose
Enable verbose output. TCP replies will be shown as follows:
len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms tos=0 iplen=40 seq=0 ack= sum=2010 urp=0
-D --debug
Enable debug mode; it's useful when you experience problems with hping3. When debug mode is enabled you will get more information about interface
detection, data link layer access, interface settings, option parsing, fragmentation, the HCMP protocol and other stuff.
-z --bind
Bind CTRL+Z to time to live (TTL) so you will be able to increment/decrement the TTL of outgoing packets by pressing CTRL+Z once or twice.
-Z --unbind
Unbind CTRL+Z so you will be able to stop hping3.
--beep
Beep for every matching received packet (but not for ICMP errors).
Protocol Selection
The default protocol is TCP; by default hping3 will send TCP headers to the target host's port 0 with a window size of 64 and no TCP flags set. Often this is the
best way to do a 'hide ping', useful when the target is behind a firewall that drops ICMP. Moreover, a TCP null-flag packet to port 0 has a good probability of not being
-0 --rawip
RAW IP mode; in this mode hping3 will send an IP header with data appended using --signature and/or --file. See also --ipproto, which allows you to set the IP
protocol field.
-1 --icmp
ICMP mode; by default hping3 will send ICMP echo-request. You can set other ICMP type/code using the --icmptype and --icmpcode options.
-2 --udp
UDP mode; by default hping3 will send UDP to the target host's port 0. UDP header tunable options are the following: --baseport, --destport,
-8 --scan
Scan mode. The option expects an argument that describes groups of ports to scan. Port groups are comma separated: a number describes just a single port, so
1,2,3 means ports 1, 2 and 3. Ranges are specified using a start-end notation, like 1-1000, which tells hping to scan ports between 1 and 1000 (inclusive). The
special word all is an alias for 0-65535, while the special word known includes all the ports listed in /etc/services.
Groups can be combined, so the following command line will scan ports between 1 and 1000 AND port 8888 AND the ports listed in /etc/services: hping --scan
1-1000,8888,known -S
Groups can be negated (subtracted) using a ! character as prefix, so the following command line will scan all the ports NOT listed in /etc/services in the
range 1-1024: hping --scan '1-1024,!known' -S
Keep in mind that while hping looks much more like a port scanner in this mode, most of the hping switches are still honored, so for example to perform a SYN
scan you need to specify the -S option; you can change the TCP window size, TTL, control the IP fragmentation as usual, and so on. The only real
difference is that the standard hping behaviors are encapsulated into a scanning algorithm.
Tech note: The scan mode uses a two-processes design, with shared memory for synchronization. The scanning algorithm is still not optimal, but already
quite fast.
Hint: unlike most scanners, hping shows some interesting info about received packets (the IP ID, TCP win, TTL, and so on); don't forget to look at this
additional information when you perform a scan! Sometimes it shows interesting details.
-9 --listen signature
HPING3 listen mode. Using this option hping3 waits for packets that contain the signature and dumps from the end of the signature to the end of the packet. For example,
if hping3 --listen TEST reads a packet that contains 234-09sdflkjs45-TESThello_world it will display hello_world.
Ip Related Options
-a --spoof hostname
Use this option to set a fake IP source address; it ensures that the target will not learn your real address. However, replies will be sent to the
spoofed address, so you won't be able to see them. To see how spoofed/idle scanning can be performed, see the HPING3-HOWTO.
--rand-source
This option enables random source mode: hping will send packets with random source addresses. It is interesting to use this option to stress
firewall state tables and other per-IP dynamic tables inside TCP/IP stacks and firewall software.
--rand-dest
This option enables random destination mode: hping will send the packets to random addresses obtained by following the rule you specify as the
target host. You need to specify a numerical IP address as the target host, like 10.0.0.x. All occurrences of x will be replaced with a random
number in the range 0-255. So to obtain Internet IP addresses in the whole IPv4 space use something like hping x.x.x.x --rand-dest. If you are not sure
what kind of addresses your rule is generating, try the --debug switch to display every new destination address generated. When this option
is turned on, matching packets will be accepted from all destinations.
Warning: when this option is enabled hping can't detect the right outgoing interface for the packets, so you should use the --interface option to
select the desired outgoing interface.
-t --ttl time to live
Using this option you can set the TTL (time to live) of outgoing packets; it's likely that you will use this with the --traceroute or --bind
options. If in doubt try 'hping3 -t 1 --traceroute'.
-N --id
Set the ip->id field. The default id is random, but if fragmentation is turned on and id isn't specified it will be getpid() & 0xFF; implementing a
better solution is on the TODO list.
-H --ipproto
Set the ip protocol in RAW IP mode.
-W --winid
The IP id from Windows* systems before Win2k has a different byte ordering; if this option is enabled hping3 will properly display id replies from those systems.
-r --rel
Display id increments instead of the id. See the HPING3-HOWTO for more information. Increments aren't computed as id[N]-id[N-1] but using packet loss
compensation. See relid.c for more information.
-f --frag
Split packets into more fragments. This may be useful to test IP stacks' fragmentation performance and to test whether some packet filter is so weak that
it can be passed using tiny fragments (anachronistic). The default 'virtual mtu' is 16 bytes. See also the --mtu option.
-x --morefrag
Set the more-fragments IP flag; use this option if you want the target host to send an ICMP time-exceeded during reassembly.
-y --dontfrag
Set the don't-fragment IP flag; this can be used to perform path MTU discovery.
-g --fragoff fragment offset value
Set the fragment offset.
-m --mtu mtu value
Set a different 'virtual mtu' than 16 when fragmentation is enabled. If the packet size is greater than the 'virtual mtu', fragmentation is automatically turned on.
-o --tos hex_tos
Set Type Of Service (TOS), for more information try --tos help.
-G --rroute
Record route. Includes the RECORD_ROUTE option in each packet sent and displays the route buffer of returned packets. Note that the IP header is only large
enough for nine such routes. Many hosts ignore or discard this option. Also note that using hping you are able to use record route even if the target host filters
ICMP. Record route is an IP option, not an ICMP option, so you can use the record route option even in TCP and UDP mode.
Icmp Related Options
-C --icmptype type
Set the ICMP type; the default is ICMP echo request (implies --icmp).
-K --icmpcode code
Set the ICMP code; the default is 0 (implies --icmp).
--icmp-ipver
Set the IP version of the IP header contained in the ICMP data; the default is 4.
--icmp-iphlen
Set the IP header length of the IP header contained in the ICMP data; the default is 5 (5 words of 32 bits).
--icmp-iplen
Set the IP packet length of the IP header contained in the ICMP data; the default is the real length.
--icmp-ipid
Set the IP id of the IP header contained in the ICMP data; the default is random.
--icmp-ipproto
Set the IP protocol of the IP header contained in the ICMP data; the default is TCP.
--icmp-cksum
Set the ICMP checksum; the default is the valid checksum.
--icmp-ts
Alias for --icmptype 13 (to send ICMP timestamp requests).
--icmp-addr
Alias for --icmptype 17 (to send ICMP address mask requests).
Tcp/Udp Related Options
-s --baseport source port
hping3 uses the source port in order to guess the sequence number of replies. It starts with a base source port number and increases this number for each packet sent.
When a packet is received the sequence number can be computed as replies.dest.port - base.source.port. The default base source port is random; using this option
you can set a different number. If you need the source port not to be increased for each sent packet, use the -k --keep option.
-p --destport [+][+]dest port
Set the destination port; the default is 0. If a '+' character precedes the dest port number (i.e. +1024) the destination port will be increased for each reply received. If
a double '+' precedes the dest port number (i.e. ++1024), the destination port will be increased for each packet sent. By default the destination port can be modified
interactively using CTRL+z.
-k --keep
Keep the source port still; see --baseport for more information.
-w --win
Set the TCP window size. The default is 64.
-O --tcpoff
Set a fake TCP data offset. The normal data offset is tcphdrlen / 4.
-M --setseq
Set the TCP sequence number.
-L --setack
Set the TCP ack.
-Q --seqnum
This option can be used to collect the sequence numbers generated by the target host. This can be useful when you need to analyze whether TCP sequence
numbers are predictable. Output example:
#hping3 win98 --seqnum -p 139 -S -i u1 -I eth0
HPING uaz (eth0 192.168.4.41): S set, 40 headers + 0 data bytes
The first column reports the sequence number, the second the difference between the current and the last sequence number. As you can see, the target host's sequence numbers
are predictable.
-b --badcksum
Send packets with a bad UDP/TCP checksum.
--tcp-timestamp
Enable the TCP timestamp option, and try to guess the timestamp update frequency and the remote system uptime.
-F --fin
Set the FIN tcp flag.
-S --syn
Set the SYN tcp flag.
-R --rst
Set the RST tcp flag.
-P --push
Set the PUSH tcp flag.
-A --ack
Set the ACK tcp flag.
-U --urg
Set the URG tcp flag.
-X --xmas
Set the Xmas tcp flag.
-Y --ymas
Set the Ymas tcp flag.
Common Options
-d --data data size
Set the packet body size. Warning: using --data 40, hping3 will not generate 40-byte packets but protocol_header+40 bytes. hping3 will display packet size
information as the first line of output, like this:
HPING (ppp0 204.71.200.67): NO FLAGS are set, 40 headers + 40 data bytes
-E --file filename
Use filename contents to fill packet's data.
-e --sign signature
Fill the first signature-length bytes of data with the signature. If the signature length is bigger than the data size an error message will be
displayed. If you don't specify the data size hping will use the signature size as the data size. This option can be used safely with the --file filename
option; the remaining data space will be filled using filename.
-j --dump
Dump received packets in hex.
-J --print
Dump received packets' printable characters.
-B --safe
Enable the safe protocol; using this option, lost packets in file transfers will be resent. For example, to send the file /etc/passwd from host A to host B
you may use the following:
# hping3 host_b --udp -p 53 -d 100 --sign signature --safe --file /etc/passwd
# hping3 host_a --listen signature --safe --icmp
-u --end
If you are using the --file filename option, tells you when EOF has been reached. Moreover, prevents the other end from accepting more packets. For more
information see the HPING3-HOWTO.
-T --traceroute
Traceroute mode. Using this option hping3 will increase the TTL for each "ICMP time to live 0 during transit" received. Try hping3 host
--traceroute. This option implies --bind and --ttl 1. You can override the TTL of 1 using the --ttl option. Since 2.0.0 stable it prints RTT
information.
--tr-keep-ttl
Keep the TTL fixed in traceroute mode, so you can monitor just one hop in the route. For example, to monitor how the 5th hop changes or how its RTT changes
you can try hping3 host --traceroute --ttl 5 --tr-keep-ttl.
--tr-stop
If this option is specified hping will exit once the first packet that isn't an ICMP time exceeded is received. This better emulates traceroute.
--tr-no-rtt
Don't show RTT information in traceroute mode. The ICMP time exceeded RTT information isn't even calculated if this option is set.
--tcpexitcode
Exit with the last received packet's tcp->th_flag as the exit code. Useful for scripts that need, for example, to know whether port 999 of some host replies with
SYN/ACK or with RST in response to a SYN, i.e. whether the service is up or down.
Tcp Output Format
The standard TCP output format is the following:
len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms
len is the size, in bytes, of the data captured from the data link layer excluding the data link header size. This may not match the IP datagram size
due to low level transport layer padding.
ip is the source ip address.
flags are the TCP flags: R for RESET, S for SYN, A for ACK, F for FIN, P for PUSH, U for URGENT, X for the non-standard 0x40 flag, Y for the non-standard 0x80 flag.
If the reply contains DF the IP header has the don't fragment bit set.
seq is the sequence number of the packet, obtained using the source port for TCP/UDP packets, the sequence field for ICMP packets.
id is the IP ID field.
win is the TCP window size.
rtt is the round trip time in milliseconds.
If you run hping using the -V command line switch it will display additional information about the packet, example:
len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms tos=0 iplen=40 seq=0 ack= sum=e61d urp=0
tos is the type of service field of the IP header.
iplen is the IP total len field.
seq and ack are the sequence and acknowledge 32bit numbers in the TCP header.
sum is the TCP header checksum value.
urp is the TCP urgent pointer value.
Udp Output Format
The standard output format is:
len=46 ip=192.168.1.1 seq=0 ttl=64 id=0 rtt=6.0 ms
The field meaning is just the same as the TCP output meaning of the same fields.
Icmp Output Format
An example of ICMP output is:
ICMP Port Unreachable from ip=192.168.1.1 name=nano.marmoc.net
It is very simple to understand. It starts with the string "ICMP" followed by the description of the ICMP error (Port Unreachable in the example). The ip
field is the IP source address of the IP datagram containing the ICMP error; the name field is just the numerical address resolved to a name (a DNS PTR
request), or UNKNOWN if the resolution failed.
The ICMP Time exceeded during transit or reassembly format is a bit different:
TTL 0 during transit from ip=192.168.1.1 name=nano.marmoc.net
TTL 0 during reassembly from ip=192.70.106.25 name=UNKNOWN
The only difference is the description of the error, it starts with TTL 0.
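The TCP, UDP and ICMP output formats above, plus the flag letters that --tcpexitcode turns into an exit code, are enough to post-process an hping3 session mechanically. The following Python parser is an added example (not part of hping3 or its man page); the sample session it reads is constructed, and the th_flags bit values for F/S/R/P/A/U are the standard TCP header bits, with X and Y as given above.

```python
# Parse hping3 reply lines (TCP, UDP and ICMP output formats) and classify them.
# Added example, not hping3 code; the session below is constructed to match the
# formats documented in the man page, with made-up addresses and values.
import re

SAMPLE_OUTPUT = """\
HPING 192.168.1.1 (eth0 192.168.1.1): S set, 40 headers + 0 data bytes
len=46 ip=192.168.1.1 flags=SA DF seq=0 ttl=64 id=0 win=29200 rtt=0.4 ms
len=46 ip=192.168.1.1 flags=RA DF seq=1 ttl=64 id=0 win=0 rtt=0.3 ms
len=46 ip=192.168.1.1 flags=RA DF seq=2 ttl=255 id=0 win=0 rtt=0.4 ms tos=0 iplen=40 seq=0 ack=1 sum=e61d urp=0
len=46 ip=192.168.1.1 seq=3 ttl=64 id=0 rtt=6.0 ms
ICMP Port Unreachable from ip=192.168.1.1 name=UNKNOWN
TTL 0 during transit from ip=192.168.1.254 name=UNKNOWN
"""

KV_RE = re.compile(r"(\w+)=(\S*)")
INT_FIELDS = {"len", "ttl", "id", "win", "tos", "iplen", "urp"}
# Bit values of the flag letters hping3 prints; --tcpexitcode returns this byte
# for the last reply, so "SA" -> 0x12 and "RA" -> 0x14.
TH_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20, "X": 0x40, "Y": 0x80}

def th_flags(letters):
    return sum(TH_FLAG_BITS[c] for c in letters)

def parse_reply(line):
    """Parse one output line into a dict; return None for banner/summary lines."""
    if line.startswith("ICMP ") or line.startswith("TTL 0 "):
        desc, _, tail = line.partition(" from ")
        kv = dict(KV_RE.findall(tail))
        return {"kind": "icmp", "desc": desc, "ip": kv.get("ip"), "name": kv.get("name")}
    if not line.startswith("len="):
        return None
    rec, seq_seen = {"df": False}, 0
    for tok in line.split():
        if tok == "DF":                    # bare token: don't-fragment bit was set
            rec["df"] = True
            continue
        if tok == "ms":                    # unit of the preceding rtt value
            continue
        key, _, val = tok.partition("=")
        if key == "seq":
            # First seq is hping3's probe counter (derived from the source port);
            # a second one, printed only with -V, is the TCP sequence number.
            rec["seq" if seq_seen == 0 else "tcp_seq"] = int(val)
            seq_seen += 1
        elif key in INT_FIELDS:
            rec[key] = int(val)
        elif key == "rtt":
            rec["rtt_ms"] = float(val)
        else:
            rec[key] = val                 # ip, flags, ack, sum stay as text
    rec["kind"] = "tcp" if "flags" in rec else "udp"
    return rec

def classify(rec):
    """What a reply says about the probed port (the test --tcpexitcode scripts)."""
    if rec["kind"] == "icmp":
        return "unreachable" if "Unreachable" in rec["desc"] else "ttl-exceeded"
    if rec["kind"] == "udp":
        return "answered"                  # a UDP reply means the port responded
    flags = rec["flags"]
    if "S" in flags and "A" in flags:
        return "open"                      # SYN/ACK: a service is listening
    if "R" in flags:
        return "closed"                    # RST: host reachable, nothing listening
    return "other"

def summarize(text):
    """Return [(ip, classification)] for every reply line of a session."""
    recs = (parse_reply(line) for line in text.splitlines())
    return [(r["ip"], classify(r)) for r in recs if r]
```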
Salvatore Sanfilippo, with the help of the people mentioned in the AUTHORS file and at
Even using the --end and --safe options to transfer files, the final packet will be padded with 0x00 bytes.
Data is read without care for alignment, but alignment is enforced in the data structures. This will not be a problem on i386 but, while usually the
TCP/IP headers are naturally aligned, it may create problems with different processors and bogus packets if there is some unaligned access somewhere in the code
(hopefully none).
On Solaris hping does not work on the loopback interface. This seems to be a Solaris problem, as stated on the tcpdump-workers mailing list, so libpcap can't
do anything to handle it properly.