
Explore Various Network Scanning Techniques using Hping3


Hping2/Hping3 is a command-line-oriented network scanning and packet crafting tool for the TCP/IP protocol that sends ICMP echo requests and supports TCP, UDP, ICMP, and raw-IP protocols. Using Hping, you can study the behavior of an idle host and gain information about the target such as the services that the host offers, the ports supporting the services, and the OS of the target.

A Kali Linux Terminal window appears. In the terminal window, type hping3 -A [Target IP Address] -p 80 -c 5 (here, the target machine is Windows Server 2022 [10.10.1.22]) and press Enter.

In the result, the number of packets sent and received is equal, indicating that the respective port is open, as shown in the screenshot.

In this command, -A specifies setting the ACK flag, -p specifies the port to be scanned (here, 80), and -c specifies the packet count (here, 5).

The ACK scan sends an ACK probe packet to the target host; no response means that the port is filtered. If an RST response returns, this means that the port is closed.

In the terminal window, type hping3 -8 0-100 -S [Target IP Address] -V (here, the target machine is Windows Server 2022 [10.10.1.22]) and press Enter.

In this command, -8 specifies scan mode, 0-100 specifies the range of ports to be scanned, and -V specifies verbose mode.

The result appears, displaying the open ports along with the name of service running on each open port, as shown in the screenshot.

In the terminal window, type hping3 -F -P -U [Target IP Address] -p 80 -c 5 (here, the target machine is Windows Server 2022 [10.10.1.22]) and press Enter.

In this command, -F specifies setting the FIN flag, -P specifies setting the PUSH flag, -U specifies setting the URG flag, -c specifies the packet count (here, 5), and -p specifies the port to be scanned (here, 80).

The results demonstrate that the number of packets sent and received is equal, thereby indicating that the respective port is open, as shown in the screenshot.

The FIN, PUSH, and URG flags are set together to scan the port on the target IP address. If a port is open on the target, you will receive a response. If the port is closed, Hping will return an RST response.

In the terminal window, type hping3 --scan 0-100 -S [Target IP Address] (here, the target machine is Windows Server 2022 [10.10.1.22]) and press Enter.

The result appears displaying the open ports and names of the services running on the target IP address, as shown in the screenshot.

In this command, --scan specifies the port range to scan, 0-100 specifies the range of ports to be scanned, and -S specifies setting the SYN flag.

In the TCP stealth scan, SYN packets are sent to the target host; if a SYN+ACK response is received, it indicates that the port is open.

In the terminal window, type hping3 -1 [Target IP Address] -p 80 -c 5 to perform an ICMP scan (here, the target machine is Windows Server 2022 [10.10.1.22]) and press Enter.

In this command, -1 specifies ICMP ping scan, -c specifies the packet count (here, 5), and -p specifies the port to be scanned (here, 80).


The results demonstrate that hping has sent ICMP echo requests to 10.10.1.22 and received ICMP replies, which shows that the host is up.

Apart from the aforementioned port scanning and service discovery techniques, you can also use the following scanning techniques to perform port and service discovery on a target network using Hping3.

◦ Entire subnet scan for live hosts: hping3 -1 [Target Subnet] --rand-dest -I eth0

◦ UDP scan: hping3 -2 [Target IP Address] -p 80 -c 5

This concludes the demonstration of discovering open ports and services running on the live hosts in the target network using Hping3.
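From the defender's side, the probes walked through above carry distinctive TCP flag combinations that show up in a packet capture on the target. The following script is an added example, not part of the original walkthrough: it parses constructed tcpdump -n style lines (the regex, the sweep threshold and the 10.10.1.13 scanner address are assumptions) and alerts on the FIN/PSH/URG probe and on SYN or ACK port sweeps like the ones demonstrated here.

```python
"""Flag hping3-style probes (ACK, FIN/PSH/URG, SYN sweep) in tcpdump -n output. Added
example with constructed lines: 10.10.1.13 is a hypothetical scanner, 10.10.1.22 the lab target."""
import re
from collections import defaultdict

# "IP 10.10.1.13.40001 > 10.10.1.22.80: Flags [S], seq ..." (tcpdump -n format)
LINE_RE = re.compile(r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                     r"Flags \[(?P<flags>[^\]]*)\]")

# tcpdump prints ACK as "."; it is normalised to "A" before lookup.
PROBE_KINDS = {
    frozenset("A"):   "ack-probe",    # hping3 -A
    frozenset("FPU"): "fin-psh-urg",  # hping3 -F -P -U
    frozenset("S"):   "syn",          # hping3 -S, -8 / --scan
}
SWEEP_THRESHOLD = 20  # distinct destination ports from one source before alerting (assumed)

def classify_probes(lines):
    """Return {src: {kind: set(dports)}} for lines whose flags match a bare probe."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        kind = PROBE_KINDS.get(frozenset(m["flags"].replace(".", "A")))
        if kind:
            seen[m["src"]][kind].add(int(m["dport"]))
    return seen

def alerts(lines):
    """One FIN/PSH/URG packet is enough (never legitimate); SYN/ACK only alert as a sweep."""
    out = []
    for src, kinds in classify_probes(lines).items():
        for kind, ports in kinds.items():
            if kind == "fin-psh-urg" or len(ports) >= SWEEP_THRESHOLD:
                out.append((src, kind, len(ports)))
    return sorted(out)

# Constructed sample: SYN sweep of ports 0-100, 5 x -A and 5 x -F -P -U to port 80, one benign handshake.
SAMPLE = [f"IP 10.10.1.13.{40000 + p} > 10.10.1.22.{p}: Flags [S], seq 1, win 512"
          for p in range(101)]
SAMPLE += ["IP 10.10.1.13.41000 > 10.10.1.22.80: Flags [.], ack 1, win 512"] * 5
SAMPLE += ["IP 10.10.1.13.41001 > 10.10.1.22.80: Flags [FPU], seq 1, win 512"] * 5
SAMPLE += ["IP 10.10.1.50.51234 > 10.10.1.22.443: Flags [S], seq 7, win 64240",
           "IP 10.10.1.22.443 > 10.10.1.50.51234: Flags [S.], seq 9, ack 8, win 65535"]

if __name__ == "__main__":
    for src, kind, n in alerts(SAMPLE):
        print(f"{src}: {kind} across {n} port(s)")
```

The five ACK probes to a single port stay below the sweep threshold on purpose: lone ACK segments are part of every established connection, so an ACK-only rule without a port-count condition would fire constantly.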
