HPING3 Network Tool Overview

Questions and Answers

What does the TTL field in an IP packet signify?

  • The time it takes for a packet to reach its destination
  • The maximum number of routers the packet can traverse (correct)
  • The number of data packets lost during transmission
  • The maximum size of the packet

Traceroute utilizes the TTL field to identify the routers on the path to its destination.

True (A)

What command is used to execute HPING3?

hping3 host [options]

HPING3 can be used to scan ports using TCP and other _____ flags.

SYN

Match HPING3 functionalities with their descriptions:

  • Scan ports = Using SYN, ACK and other flags
  • Discover hosts = Identifying live devices on the network
  • Perform foot printing = Gathering information about the network configuration
  • Sniffing = Interception of data packets in transit

What command is used to send a flood of TCP packets to a specified port using hping3?

hping3 -c 10000 -S -d 120 -p 21 --flood (A)

The hping3 tool shows replies when using flood mode.

False (B)

What is one common port and its associated service?

HTTP and port 80

A port is a logical number between 0 and ________.

65,535

Match the following services with their corresponding port numbers:

  • HTTP = 80
  • POP3 = 110
  • FTP = 21
  • SSH = 22

Which of the following statements about port scanning programs is true?

They can report ports as open, closed, or filtered. (D)

ISPs typically encourage their customers to perform port scans freely.

False (B)

What is the purpose of performing host discovery in a network reconnaissance?

To reduce IP ranges into a list of active or interesting hosts.

What mode does the command 'hping3 192.168.44.36 -2' set?

UDP mode (B)

In HPING3, setting the SYN flag (-S) sends a SYN packet to the target.

True (A)

What response will closed ports give when scanned with the SYN flag set in HPING3?

RST/ACK

By default, HPING3 sends packets to port ______.

0

Match the following HPING3 modes with their functions:

  • -1 = ICMP mode
  • -2 = UDP mode
  • -8 = Scan mode
  • -9 = Listen mode

What is the correct command to specify a source port of 44567 and a destination port of 80?

hping3 192.168.44.36 -s 44567 -p 80 (A)

Using -F flag alone in HPING3 will send a FIN packet to the target.

True (A)

What command can be used to listen for HTTP traffic on eth0 and save the output to a file?

hping3 -9 HTTP -I eth0 > output_file

The command 'hping3 192.168.135.138 -FPU -p 21 -c 5' sends packets with flags F, P, and U to port ______.

21

When using HPING3 scan mode, how do open ports typically respond?

SYN/ACK (A)

Study Notes

HPING3 Overview

  • HPING3 is a command-line network tool used for sending custom TCP/IP packets
  • Functions similarly to ping but utilizes TCP instead of ICMP
  • Works when ICMP is blocked, providing network information through TCP
  • Can scan ports, discover hosts, perform footprinting, sniffing and file transfers

HPING3 Modes

  • Offers modes for different network tasks, like Raw IP, ICMP, UDP, Scan and Listen
  • Raw IP mode: hping3 192.168.44.36 -0
  • ICMP mode: hping3 192.168.44.36 -1
  • UDP mode: hping3 192.168.44.36 -2
  • Scan mode: hping3 192.168.44.36 -8
  • Listen mode: hping3 192.168.44.36 -9

HPING3 Flags

  • Used to specify TCP flags in the packets
  • SYN: -S
  • ACK: -A
  • RST: -R
  • FIN: -F
  • PUSH: -P
  • URG: -U
  • XMAS: -X
  • YMAS: -Y

HPING3 Port Specification

  • Uses port 0 as the default destination
  • Uses a random/dynamic port as the default source
  • The source port can be set with the -s option
  • The destination port can be set with the -p option

Useful HPING3 Probes: Scan Mode

  • Works by sending packets without any flags set to the target
  • Verbose mode (-V) provides information
  • For closed ports, the target responds with RST/ACK
  • For open ports, the target does not respond
  • When using the SYN flag (-S), the behaviour changes:
    • Closed ports respond with RST/ACK
    • Open ports respond with SYN/ACK

Useful HPING3 Probes: FIN, PUSH and URG

  • Use flags -FPU to send FIN, PUSH, and URG flags
  • Closed ports respond with RST/ACK
  • Open ports do not respond

Useful HPING3 Probes: Listen Mode

  • Used to listen for network traffic on a specific interface
  • Saves captured traffic to a file: hping3 -9 HTTP -I eth0 > output_file
  • Intercepts HTTP traffic, can be used to analyze web requests

Useful HPING3 Probes: DoS Attack

  • A Denial-of-Service (DoS) attack can be launched with the following parameters:
    • -c 10000 - send 10,000 packets
    • -d 120 - size of each packet
    • -S - set SYN flag
    • -w 64 - TCP header window size
    • -p 21 - target port
    • --flood - flood mode
    • --rand - choose random source port
  • It's crucial to understand the ethical implications and potential consequences of DoS attacks.

Network Tracing

  • Traceroute leverages the Time To Live (TTL) field of IP packets
  • Each router decrements the TTL by 1, allowing Traceroute to identify routers along the path to a destination

Network Scanning

  • The initial phase of network reconnaissance involves identifying active hosts within an IP range
  • Following host discovery, hackers gather more information about the live hosts, including:
    • Open ports and running services
    • Operating system

Port Scanning

  • Port scanners are tools used for identifying open ports on a host
  • An example of a popular port scanner is NMAP
  • Some ISPs restrict port scanning activities
  • Port scanners provide information on open ports, closed ports, filtered ports, associated services, and potential operating systems

Computer Ports

  • An endpoint for communication
  • Represented by a logical number between 0 and 65,535
  • Each port corresponds to a running service
  • Common examples include HTTP (port 80) and POP3 (port 110)
  • Approximately 1,000 common ports are widely used.
