
Saturday, April 14, 2012

Hping

Getting started
===========
Log in as the root user (you need this to send and receive raw packets).

To enter the hping3 interactive shell, just type:
# hping3
without any argument. If hping was compiled with Tcl scripting capabilities you should see a prompt. The prompt accepts any Tcl command: it is actually a Tcl shell. What is special about it is that there is a new command called hping, plus support for big numbers in commands like +, -, and so on.
As a first try, you can type a simple command and see the result:
hping3.0.0-alpha-1> hping resolve www.google.com
66.102.9.104
The hping command should be called with a subcommand as a first argument (resolve in the example) and additional arguments according to the particular subcommand. The hping resolve command is used to convert a hostname to an IP address.

hping3.0.0-alpha-1> hping send {ip(daddr=192.168.1.8)+icmp(type=8,code=0)}
This command means "send an ICMP echo request packet to 192.168.1.8". Many details of the packet can be omitted. For example, we didn't specify our source address (which defaults to the real source address of the sender, the one of the outgoing interface), nor the IP or ICMP checksums: hping computes them for us.
Let's check what tcpdump running at 192.168.1.8 detected:
tcpdump: listening on eth0
19:09:16.556695 192.168.1.6 > 192.168.1.8: icmp: echo request [ttl 0]
19:09:16.556803 192.168.1.8 > 192.168.1.6: icmp: echo reply
Our ICMP packet reached the destination, that kindly replied with an ICMP echo reply packet.
Let's recall the previous command for a second, to analyze it more closely:
hping3.0.0-alpha-1> hping send {ip(daddr=192.168.1.8)+icmp(type=8,code=0)}
As you can see, there are { and } surrounding the packet description. Tcl requires this to quote the string so that special characters are not interpreted. Quoting with {} in Tcl is like quoting with "" in most other languages, with the difference that no escapes are recognized inside {} quoting. The second thing to note is the format used to describe the packet. It is called APD and was introduced with hping3 itself. The APD syntax is trivial, and there is a simple way to figure out how to generate a given packet, because hping3 uses this format not only to send packets but also to receive them, as we will see in a moment.

We can use any of Tcl's abilities in hping scripts. The following hping script will send the same ICMP packet we already sent to 192.168.1.8, but using different TTL values, from 5 to 10.
foreach i [list 5 6 7 8 9 10] {
   hping send "ip(daddr=192.168.1.8,ttl=$i)+icmp(type=8,code=0)"
}
With scripts longer than one line it can be a good idea to write the script with a text editor, and then run it using hping:
# hping exec foo.htcl

Packet reception
===========
Another very important subcommand of hping is hping recv, that is used to capture packets from the specified interface. The simplest usage is the following:
hping3.0.0-alpha-1> hping recv eth0
ip(ihl=0x5,ver=0x4,tos=0x00,totlen=52,id=42833,fragoff=0,mf=0,df=1,rf=0,ttl=54,proto=6,cksum=0xd53a,saddr=192.106.224.132,daddr=192.168.1.6)+tcp(sport=6667,dport=52466,seq=2163829654,ack=3105171942,x2=0x0,off=8,flags=a,win=2848,cksum=0x99bd,urp=0)+tcp.nop()+tcp.nop()+tcp.timestamp(val=181365875,ecr=104872758)

hping recv returns a Tcl list, where every element is a packet. At every call, hping recv eth0 returns the packet(s) currently queued. If there is no packet to receive, the command blocks until one is available.
If you don't want hping recv to block forever, you can specify an additional argument. A further argument tells hping the maximum number of packets to return in a single call.
while 1 {
   set p [lindex [hping recv eth0] 0]
   puts "[hping getfield ip saddr $p] -> [hping getfield ip ttl $p]"
}
The first line is just a while loop that repeats the script given as its second argument forever. The second line, set p [lindex [hping recv eth0] 0], gets the next packet; the lindex command extracts the packet from the Tcl list (the 0 argument tells lindex to take the first packet).
The puts "..." line prints the source IP address and the TTL value of the packet on the screen. To extract fields from packets there is the command hping getfield (see the specific page for more information, as usual).
If you execute this script, you'll get an output similar to the following:
# ./hping3 exec /tmp/test.tcl
192.168.1.6 -> 128
192.168.1.20 -> 128
The script will dump packets until you press Ctrl+C.
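To make the APD format and the getfield idea concrete outside the hping shell, here is an added Python example (it is not hping's code and hping does not ship it). It assumes only the grammar visible on this page: layers joined by +, each written as name(key=value,...), with dotted names for TCP options such as tcp.nop() and tcp.timestamp(...). It parses the packet shown in the hping recv output above, looks up fields the way hping getfield ip saddr $p does, rebuilds the string byte-for-byte, and generates the TTL-sweep descriptions from the foreach script. Function names (parse_apd, getfield, build_apd, ttl_sweep, summarize) are this example's own.

```python
"""Parse and rebuild hping3 APD packet descriptions (added example, not hping's code)."""
import re
from typing import Dict, List, Optional, Tuple

Layer = Tuple[str, Dict[str, str]]

# A layer name (letters, digits, underscores, dots) followed by a field list in
# parentheses; the field list may be empty, as in tcp.nop().
_LAYER_RE = re.compile(r"^([A-Za-z][\w.]*)\((.*)\)$")


def parse_apd(apd: str) -> List[Layer]:
    """Split an APD string into an ordered list of (name, fields) layers."""
    layers: List[Layer] = []
    for chunk in apd.strip().split("+"):
        m = _LAYER_RE.match(chunk.strip())
        if not m:
            raise ValueError(f"malformed APD layer: {chunk!r}")
        name, body = m.group(1), m.group(2)
        fields: Dict[str, str] = {}
        if body.strip():
            for item in body.split(","):
                if "=" not in item:
                    raise ValueError(f"field without '=' in {name}: {item!r}")
                key, value = item.split("=", 1)
                fields[key.strip()] = value.strip()   # values stay as text (hex kept as hex)
        layers.append((name, fields))
    return layers


def build_apd(layers: List[Layer]) -> str:
    """Inverse of parse_apd: rebuild the APD string from parsed layers."""
    return "+".join(
        f"{name}({','.join(f'{k}={v}' for k, v in fields.items())})"
        for name, fields in layers
    )


def getfield(layers: List[Layer], layer: str, field: str) -> Optional[str]:
    """Mirror of 'hping getfield <layer> <field> $p': first matching layer wins.

    Returns None when the layer or field is absent, so a capture loop can skip
    packets that lack the header it expects instead of crashing.
    """
    for name, fields in layers:
        if name == layer:
            return fields.get(field)
    return None


def getfield_int(layers: List[Layer], layer: str, field: str) -> Optional[int]:
    """Numeric view of a field: APD prints some values in hex (0x...), others in decimal."""
    raw = getfield(layers, layer, field)
    return None if raw is None else int(raw, 0)


def summarize(apd: str) -> str:
    """Same 'saddr -> ttl' line that the page's while-loop script prints."""
    layers = parse_apd(apd)
    return f"{getfield(layers, 'ip', 'saddr')} -> {getfield(layers, 'ip', 'ttl')}"


def ttl_sweep(daddr: str, lo: int, hi: int) -> List[str]:
    """The packet descriptions the page's foreach script hands to 'hping send'."""
    return [
        build_apd([("ip", {"daddr": daddr, "ttl": str(ttl)}),
                   ("icmp", {"type": "8", "code": "0"})])
        for ttl in range(lo, hi + 1)
    ]


# Constructed sample: the packet shown in the page's 'hping recv eth0' output.
SAMPLE = (
    "ip(ihl=0x5,ver=0x4,tos=0x00,totlen=52,id=42833,fragoff=0,mf=0,df=1,rf=0,"
    "ttl=54,proto=6,cksum=0xd53a,saddr=192.106.224.132,daddr=192.168.1.6)"
    "+tcp(sport=6667,dport=52466,seq=2163829654,ack=3105171942,x2=0x0,off=8,"
    "flags=a,win=2848,cksum=0x99bd,urp=0)"
    "+tcp.nop()+tcp.nop()+tcp.timestamp(val=181365875,ecr=104872758)"
)

if __name__ == "__main__":
    parsed = parse_apd(SAMPLE)
    for layer_name, layer_fields in parsed:
        print(layer_name, layer_fields)
    print(summarize(SAMPLE))
    for desc in ttl_sweep("192.168.1.8", 5, 10):
        print(desc)
```

Keeping field values as strings is deliberate: hping prints checksums and IHL in hex and everything else in decimal, and only a lossless round trip lets you edit one field of a captured packet and hand the result straight back to hping send. The parser is strict about the layer shape so a truncated or mangled capture line fails loudly rather than yielding a half-parsed packet.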

To execute an hping script, call the hping program with exec as the first argument, followed by the name of the script and its arguments:
# hping exec hping.htcl www.hping.org
