PREFACE:
=================================================
I'd like to start by saying that I will be covering many of the basic functions along with examples and explanations of why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but have not yet reached an advanced knowledge of the application. I will be borrowing verbiage (in some cases) from the developer because I feel that the developer has worded things in such ways that I cannot improve upon. By no means is this a cut & paste tutorial but I would like to make everyone aware that I will be borrowing info where it makes sense. For those who have been around here for a while, you know that I preface my tutorials with this advance warning in the event that someone finds a sentence or two from the original man pages for the app.

SCOPE: Part 2 in a series of 5 – Probing Continued
=================================================
The scope of this tutorial is limited to the more popular options used with packet crafting. I will not be covering *every* switch and combination thereof or I would be writing a 500 page book. If there is a particular switch/switch combo you don’t see covered, PM me and I will be happy to write a companion tutorial. Also, HPING has many other uses (port scanner, stack auditing, fire-walking, etc., etc.). I am also going to assume that readers of this tutorial already have a firm grasp on networking and standard protocols. If you do not, you won't benefit much from this series of tutorials. Like my NMAP series, I will start with very basic techniques and ramp up to the more complex in the last two. Again, all input, good or bad, is welcome.

Tool: HPING: http://www.hping.org/download.html
=================================================

Using HPING for host detection begins with just sending a packet and waiting for the reply. If no reply is received, the host is down, the packet has been filtered or the packet has been dropped. We will use this rule of thumb throughout the series of tutorials.


PART II

Port Probing Continued:
=================================================

When we last left off, we discussed several methods used to test for open ports. We can use TCP flagged packet methods to detect open/closed ports *and* we can also use these same techniques to see how a device will handle a malformed packet. Many people are under the false perception that a device will handle a malformed packet cleanly; however, this is not always the case. Let’s continue.

NOTE: The syntax for HPING is flexible, that is, after the actual command HPING, you can specify the host first or last and switches can be ordered any way you like.

TCP Fin Packet:
=================================================

A TCP FIN packet scan is another technique used to detect open and closed ports and, of course, online or offline hosts. An open port will normally drop a packet flagged with the FIN bit. A closed port will respond with an RST/ACK flagged packet. However, notice that a W2K3 server also sends a return packet with RST/ACK flagged whether the port is open or closed. Hmmm, could this be a unique feature of the MS network stack? Hold that thought for later use.

Example 1: W2K3 Server with a FIN flagged packet sent to an open and closed port. 80 is open and 2 is closed.

[root@HorseyLand-Labs]# hping -F -c 1 -p 80 10.10.10.10

HPING 10.10.10.10 (eth0 10.10.10.10): F set, 40 headers + 0 data bytes
len=46 ip=10.10.10.10 ttl=128 id=29514 sport=80 flags=RA seq=0 win=0 rtt=1.4 ms

[root@HorseyLand-Labs]# hping -F -c 1 -p 2 10.10.10.10

HPING 10.10.10.10 (eth0 10.10.10.10): F set, 40 headers + 0 data bytes
len=46 ip=10.10.10.10 ttl=128 id=29556 sport=2 flags=RA seq=0 win=0 rtt=1.1 ms


Hmmm, notice the same response no matter if the port is open or closed.

Example 2: Fedora Core 1 with a FIN flagged packet sent to an open and closed port. 80 is open and 2 is closed.

[root@HorseyLand-Labs]# hping -F -c 1 -p 80 10.10.10.5

HPING 10.10.10.5 (eth0 10.10.10.5): F set, 40 headers + 0 data bytes
len=46 ip=10.10.10.5 ttl=128 id=29664 sport=80 flags=RA seq=0 win=0 rtt=0.5 ms

[root@HorseyLand-Labs]# hping -F -c 1 -p 2 10.10.10.5

HPING 10.10.10.5 (eth0 10.10.10.5): F set, 40 headers + 0 data bytes

--- 10.10.10.5 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms


Notice that the Linux box dropped the packet when a FIN bit flagged packet was sent to a closed port and that Windows actually sent a return packet with the RST/ACK bits flagged. You are entering the realm of remote OS fingerprinting. More on this later but for now, I want you to see that based on stack behavior, certain port probing techniques are going to be less effective than others. Another thing to keep in mind is that a firewall, router or switch might be filtering at the time, so if a packet sent to a closed port gets dropped by a filtering device, you might assume (incorrectly) that a port is open/closed or that you are dealing with a particular OS when in reality, you’re not. Why is this important? I’ll explain later.
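
The rule of thumb above (a reply proves something, silence does not) can be applied mechanically to saved hping output. The following is an added example, not part of the original tutorial or of hping itself; the function names `parse_hping` and `interpret` are hypothetical and the transcript is constructed to match the output format shown in the examples.

```python
import re

# Constructed transcript modelled on the two kinds of result shown above:
# one probe answered with RST/ACK, one probe that got no answer at all.
SAMPLE = """\
HPING 10.10.10.10 (eth0 10.10.10.10): F set, 40 headers + 0 data bytes
len=46 ip=10.10.10.10 ttl=128 id=29514 sport=80 flags=RA seq=0 win=0 rtt=1.4 ms
HPING 10.10.10.5 (eth0 10.10.10.5): F set, 40 headers + 0 data bytes

--- 10.10.10.5 hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
"""

BANNER = re.compile(r"^HPING (\S+) \(")
REPLY = re.compile(r"^len=\d+ ip=(\S+) ttl=(\d+) .*\bsport=(\d+) flags=([A-Z]+)")
# Matches the statistics line whichever way "transmitted" is spelled.
STATS = re.compile(r"^(\d+) packets tra\w+, (\d+) packets received")


def parse_hping(text):
    """Split hping output into one record per probe run."""
    runs = []
    for line in text.splitlines():
        line = line.strip()
        if m := BANNER.match(line):
            runs.append({"target": m.group(1), "replies": [], "received": None})
        elif not runs:
            continue  # ignore anything before the first banner
        elif m := REPLY.match(line):
            runs[-1]["replies"].append(
                {"ip": m.group(1), "ttl": int(m.group(2)),
                 "port": int(m.group(3)), "flags": m.group(4)})
        elif m := STATS.match(line):
            runs[-1]["received"] = int(m.group(2))
    return runs


def interpret(run):
    """Say only what the reply proves; silence stays ambiguous."""
    if not run["replies"]:
        return "no reply: host down, packet dropped by the stack, or filtered in transit"
    flags = run["replies"][0]["flags"]
    if "R" in flags:
        return "reset (%s): a TCP stack or a filtering device answered" % flags
    return "reply with flags=%s" % flags


if __name__ == "__main__":
    for run in parse_hping(SAMPLE):
        print(run["target"], "->", interpret(run))
```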

TCP Null Packet:
=================================================

Another technique is not to set any TCP flags. Again, based on the OS, the response may be that the packet is dropped or a return packet will be sent with a combination of flags set. One thing to consider with null packets is that many devices filter them by default because there is no real use for them. In my opinion, this is one of the less useful techniques (for port probes that is). Below is the syntax but I snipped out the results because again, depending on the OS, you’ll receive different responses (if the packet even makes it to the target host).

[root@HorseyLand-Labs]# hping 10.10.10.10 -c 1 -p 80

TCP Xmas Packet:
=================================================

The exact opposite of the null packet is the X-mas packet. Why the name? Because every flag is “lit” like a Christmas tree. Like the null packet, depending upon the target you’ll get any number of responses when sending an X-mas packet. Below is example syntax for a packet with every flag set. Once again, many devices filter these packets out because there is no use for them in a normal networking scenario and again, I feel it is another technique without much use (for port probes).

[root@HorseyLand-Labs]# hping 10.10.10.10 -c 1 -F -S -R -P -A -U -X -Y -p 80
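
Because FIN-only, null and X-mas packets have no place in normal traffic, a filtering or monitoring device can recognise them from the TCP flags byte alone. The following is an added example of such a stateless check, not code from the original tutorial or from any particular product; the names `tcp_header` and `classify` are hypothetical, the sample headers are constructed, and it goes slightly beyond the text by also treating the FIN+PSH+URG subset and SYN combined with FIN or RST as anomalous.

```python
import struct

# TCP flag bits (header byte 13). 0x40/0x80 are the two upper bits,
# which hping sets with -X and -Y.
FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
         "A": 0x10, "U": 0x20, "X": 0x40, "Y": 0x80}
TCP_HDR = "!HHIIBBHHH"   # ports, seq, ack, data offset, flags, window, checksum, urgent


def tcp_header(sport, dport, flags):
    """Build a 20-byte TCP header for the constructed samples below."""
    bits = sum(FLAGS[f] for f in flags)
    return struct.pack(TCP_HDR, sport, dport, 0, 0, 5 << 4, bits, 512, 0, 0)


def classify(header):
    """Return (dport, flag names, verdict) for one raw TCP header."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    fields = struct.unpack(TCP_HDR, header[:20])
    dport, bits = fields[1], fields[5]
    names = "".join(n for n, b in FLAGS.items() if bits & b) or "none"
    fin, syn, rst, ack = (bool(bits & FLAGS[k]) for k in "FSRA")
    xmas_core = FLAGS["F"] | FLAGS["P"] | FLAGS["U"]
    if bits & 0x3F == 0:
        verdict = "null probe"               # none of the six classic flags set
    elif bits & xmas_core == xmas_core and (syn or rst or not ack):
        verdict = "xmas probe"               # FIN+PSH+URG in an impossible context
    elif syn and (fin or rst):
        verdict = "contradictory flags"      # open and close/abort in one segment
    elif fin and not ack:
        verdict = "FIN without ACK"          # established flows always carry ACK
    else:
        verdict = "normal"
    return dport, names, verdict


# Constructed samples: three probes of the kinds shown in this tutorial,
# then an ordinary connection close and an ordinary connection open.
SAMPLES = [tcp_header(40000, 80, "F"), tcp_header(40001, 80, ""),
           tcp_header(40002, 80, "FSRPAUXY"), tcp_header(40003, 80, "FA"),
           tcp_header(40004, 80, "S")]

if __name__ == "__main__":
    for raw in SAMPLES:
        print("dport=%d flags=%-8s %s" % classify(raw))
```

The check is stateless, so it only catches flag combinations that are never legitimate on their own; probes built from valid-looking segments need connection tracking to spot.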


In this lesson we learned that different operating systems respond differently to certain packet flag combinations. We also discovered that port probing techniques will aid us in remote OS identification techniques (details in later lessons). In the next lesson we’re going to cover ICMP techniques as they relate to OS identification and firewall penetration (with tools such as LOKI).