182 lines
6.8 KiB
Plaintext
182 lines
6.8 KiB
Plaintext
This short document is for users of hping-beta54 or prior versions
|
|
and helps to exploit all the new features of this hping6 release in a
|
|
short time. You may want to read the new man page anyway but the
|
|
following will help for sure:
|
|
|
|
=== release candidate 3 news
|
|
|
|
In this release a nasty bug with the checksum code was fixed.
|
|
If you experimented strange problems like some kind of packet
|
|
generated with a wrong checksum try this version.
|
|
|
|
Try the --scan option in the command line to see the port-scanner features.
|
|
|
|
Example of the --scan option usage:
|
|
|
|
# hping3 --scan known 1.2.3.4
|
|
|
|
Scanning 1.2.3.4 (1.2.3.4), port known
|
|
245 ports to scan, use -V to see all the replies
|
|
+----+-----------+---------+---+-----+-----+-----+
|
|
|port| serv name | flags |ttl| id | win | len |
|
|
+----+-----------+---------+---+-----+-----+-----+
|
|
9 discard : .S..A... 64 0 32767 44
|
|
13 daytime : .S..A... 64 0 32767 44
|
|
21 ftp : .S..A... 64 0 32767 44
|
|
22 ssh : .S..A... 64 0 32767 44
|
|
25 smtp : .S..A... 64 0 32767 44
|
|
37 time : .S..A... 64 0 32767 44
|
|
80 www : .S..A... 64 0 32767 44
|
|
111 sunrpc : .S..A... 64 0 32767 44
|
|
113 auth : .S..A... 64 0 32767 44
|
|
631 ipp : .S..A... 64 0 32767 44
|
|
3306 mysql : .S..A... 64 0 32767 44
|
|
6000 x11 : .S..A... 64 0 32767 44
|
|
6667 ircd : .S..A... 64 0 3072 44
|
|
All replies received. Done.
|
|
Not responding ports:
|
|
|
|
Check the man page for more information on the scan mode.
|
|
|
|
=== release candidate 2 news
|
|
|
|
. Now hping is able to send/parse source routed IP headers.
|
|
See the manpage for more info.
|
|
|
|
. Hping was almost rewrote, at least all the most important parts.
|
|
You should experiment a more readable, compact, fast to compile
|
|
code.
|
|
|
|
. The new option parsing code allows you to specify abbreviated
|
|
options. you can now use for example --tcp-ti instead of --tcp-timestamp
|
|
and so on.
|
|
|
|
. The new feature rand-dest allows to send the packet to random
|
|
IP addresses. This is very useful to do some Internet survey
|
|
or large subnet random scanning.
|
|
|
|
For example the follow command line will send TCP packets with the
|
|
SYN flag on to the port 80 of the 192.168.0.0/16 address space:
|
|
|
|
hping 192.168.x.x --rand-dest -p 80 -S
|
|
|
|
Every occurrence of 'x' is substituted with a random number
|
|
in the 0-255 range.
|
|
|
|
. The new feature rand-source allows to send packets with random
|
|
source addresses. Useful to test some DoS condition against firewalls
|
|
or TCP/IP stacks that implements some per-IP basis information
|
|
recording.
|
|
|
|
. The output was enhanced and fixed a bit.
|
|
|
|
. The "force incremental dest port" option (++<port>) now works with UDP
|
|
packets and works better with TCP, since it is more selective
|
|
with the incoming responses.
|
|
|
|
. Now you should be really able to set the sequence and acknowledge
|
|
number of the TCP packets. The rc1 code was broken because
|
|
atoi() was used to get a long unsigned value.
|
|
|
|
. The documentation (and the french translation) was updated
|
|
to reflect the changes.
|
|
|
|
=== release candidate 1 news
|
|
|
|
. Now hping works better on BSD, and works on Solaris. It should
|
|
be many times simplest to port it to an unsupported platform.
|
|
Problems with systems that uses 32bit pids are now fixed.
|
|
|
|
. The output is different to be more parseable and compact, example:
|
|
|
|
len=46 ip=192.168.1.1 flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.5 ms
|
|
|
|
now the presence of the Don't fragment IP flag is signaled with 'DF'.
|
|
all the fields with a value are in the form 'field=value'.
|
|
|
|
. To specify the outgoing interface with -I is no longer needed,
|
|
hping will try to detect the right interface according to the
|
|
system routing table. Of course you can override it using -I.
|
|
|
|
. Instead to specify -i u10000 to get a speed of ten packets for second
|
|
you can just use --fast.
|
|
|
|
. Now --traceroute (-T) implies --ttl 1. You can override this using --ttl.
|
|
|
|
. Using hping as traceroute you have now RTT informations about the
|
|
hops.
|
|
|
|
. You can monitor a specific hop in traceroute mode, using the following
|
|
syntax:
|
|
|
|
hping6 -T www.yahoo.com --tr-keep-ttl --ttl 5
|
|
|
|
see the output:
|
|
|
|
HPING www.yahoo.com (ippp0 64.58.76.177): NO FLAGS are set, 40 headers + 0 dat
|
|
a bytes
|
|
5->TTL 0 during transit from 144.232.234.57 (sl-gw18-nyc-2-2.sprintlink.net)
|
|
5->RTT was: 136.9 ms
|
|
5->TTL 0 during transit from 144.232.234.57 (sl-gw18-nyc-2-2.sprintlink.net)
|
|
5->RTT was: 136.8 ms
|
|
5->TTL 0 during transit from 144.232.234.57 (sl-gw18-nyc-2-2.sprintlink.net)
|
|
5->RTT was: 136.9 ms
|
|
5->TTL 0 during transit from 144.232.234.57 (sl-gw18-nyc-2-2.sprintlink.net)
|
|
5->RTT was: 136.7 ms
|
|
|
|
--- www.yahoo.com hping statistic ---
|
|
4 packets tramitted, 0 packets received, 100% packet loss
|
|
round-trip min/avg/max = 136.7/136.8/136.9 ms
|
|
|
|
you get only information about the 5 hop, after Ctrl+C the round-trip
|
|
min/avg/max is calculated using the rtt of this hop.
|
|
|
|
. Using the option --tr-stop you can obtain that hping will exit
|
|
when the first matching packet that isn't an ICMP time exceeded
|
|
in transit is received, like the original traceroute. Without
|
|
this hping continue to send packets to the target host forever.
|
|
|
|
. You can use --tr-no-rtt to suppress the rtt information in traceroute
|
|
mode.
|
|
|
|
. With the --tcp-timestamp feature you can guess the uptime of some
|
|
remote systems. Example:
|
|
|
|
HPING www.hping.org (ippp0 192.70.106.166): S set, 40 headers + 0 data bytes
|
|
56 bytes from 192.70.106.166: flags=SA seq=0 ttl=49 id=28881 win=16080 rtt=105.0 ms
|
|
TCP timestamp: 258597761
|
|
|
|
56 bytes from 192.70.106.166: flags=SA seq=1 ttl=49 id=28882 win=16080 rtt=105.4 ms
|
|
TCP timestamp: 258597860
|
|
HZ seems 100
|
|
System uptime seems: 29 days, 22 hours, 19 minutes, 38 seconds
|
|
|
|
56 bytes from 192.70.106.166: flags=SA seq=2 ttl=49 id=28883 win=16080 rtt=105.1 ms
|
|
TCP timestamp: 258597960
|
|
HZ seems 100
|
|
System uptime seems: 29 days, 22 hours, 19 minutes, 39 seconds
|
|
|
|
|
|
--- www.hping.org hping statistic ---
|
|
3 packets tramitted, 3 packets received, 0% packet loss
|
|
round-trip min/avg/max = 105.0/105.2/105.4 ms
|
|
|
|
As you can see the first reply does not contain any uptime information
|
|
since at least two packets are needed to estimate the increment frequency
|
|
of the timestamp timer (that is HZ in the output).
|
|
|
|
. You can now use ICMP timestamp and address subnet mask requests.
|
|
Two shortcut are provided to use they: --icmp-ts and --icmp-addr.
|
|
|
|
. Now the sequence number handling is revisited to allow hping to
|
|
show the right rtt info even if the sequence number overflows.
|
|
|
|
. Now hping should never (hopefully) SIGBUS on sparc.
|
|
|
|
I hope you will find hping better to use and more powerful, these enhancements
|
|
were implemented thanks to many people that helped a lot with code and
|
|
new ideas, see the CHANGES file for more information and credits.
|
|
|
|
have fun,
|
|
antirez
|