Monday, September 26, 2016

using HPING3 to scan host/ports

Besides nmap, hping3 can also be used to check how a destination host reacts when receiving different TCP flags.

Remember that the "normal" three-way TCP handshake is SYN => SYN/ACK => ACK.
Sending requests that violate the protocol, and comparing the different responses depending on whether a port is open or not, can also disclose the existence of a service or whether a host is up or down.

hping3 -S <destination host>
... sends a normal SYN. Open ports respond with SA (SYN/ACK); closed ports respond with R (reset), or there is no response at all.

hping3 -A <destination host>
... sends an ACK directly to the destination host. Normally the response will be RST, because no prior communication took place and ACK is the last message of the three-way TCP handshake.

example (ACK with hping3 to open port)

As you can see, no response is received.

example (ACK with hping3 to non existing port)

A response with the R flag (reset) is received.

more hping3 examples:
icmp request (ping): hping3 -1 <destination host> 
other TCP flags: -F (FIN), -P (PSH), -U (URG), -R (RST), -X (XMAS, similar to -F -P -U).

A well-configured firewall will drop all traffic except SYN flags to open ports. A good example for that is
hping3 -c 1 -p 80 -A
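As an added example (not part of the original post), here is a small Python script that applies the response table above from the defender's side: it parses tcpdump-style lines, flags non-SYN packets that arrive on flows which never started with a SYN (the bare ACK, FIN and XMAS probes described above), records the host's reply, and classifies it the way the post does (SYN/ACK = open, R = closed or reset, silence = dropped). The log lines, the "tcpdump -n" line format and the two-port threshold are assumptions made for this example.

```python
"""Detect out-of-state TCP flag probes (bare ACK, FIN, XMAS) in tcpdump-style
output and classify the target's reply. Added example with constructed data;
the log lines at the bottom are made up, not real captures."""
import re
from collections import defaultdict

# Matches "tcpdump -n" lines such as (assumed format):
# 12:00:01.000001 IP 10.0.0.5.40001 > 10.0.0.10.80: Flags [S], seq 1, win 512, length 0
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) or None for lines that are not TCP."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def probe_kind(flags):
    """Name the flag combination in tcpdump notation ('.' = ACK, 'S.' = SYN/ACK)."""
    if flags == "S":
        return "SYN"
    if flags == ".":
        return "ACK"
    if {"F", "P", "U"} <= set(flags):
        return "XMAS"
    if "F" in flags:
        return "FIN"
    if "R" in flags:
        return "RST"
    return "OTHER"


def classify_response(probe, response):
    """Interpret the target's reply (tcpdump flags, or None) to a probe of the given kind."""
    if probe == "SYN":
        if response == "S.":
            return "open"
        if response and "R" in response:
            return "closed"
        return "no response"
    # ACK/FIN/XMAS probes: a reset shows the host answered out-of-state
    # traffic; silence means the host or a firewall in front of it dropped it.
    if response and "R" in response:
        return "reset"
    return "no response"


def detect_probes(lines):
    """Find non-SYN first packets on flows that never began with a SYN.

    Returns {(src, dst, dport): (kind, response_flags or None)}.
    """
    seen = set()       # every (src, sport, dst, dport) with at least one packet
    syn_flows = set()  # flows that legitimately started with a SYN
    probes = {}        # probe flow -> [kind, response flags]
    for line in lines:
        pkt = parse_line(line)
        if pkt is None:
            continue
        src, sport, dst, dport, flags = pkt
        flow, reverse = (src, sport, dst, dport), (dst, dport, src, sport)
        if reverse in seen:
            # reply to traffic we already saw; record it if it answers a probe
            if reverse in probes and probes[reverse][1] is None:
                probes[reverse][1] = flags
            seen.add(flow)
            continue
        seen.add(flow)
        kind = probe_kind(flags)
        if kind == "SYN":
            syn_flows.add(flow)
            continue
        if flow not in syn_flows and flow not in probes:
            probes[flow] = [kind, None]
    return {(f[0], f[2], f[3]): (k, r) for f, (k, r) in probes.items()}


def probing_sources(probes, min_ports=2):
    """Sources that sent out-of-state probes to at least min_ports distinct ports (assumed threshold)."""
    ports = defaultdict(set)
    for (src, _dst, dport), _ in probes.items():
        ports[src].add(dport)
    return sorted(s for s, p in ports.items() if len(p) >= min_ports)


# Constructed sample: one real handshake from 10.0.0.5, then a flag sweep from 10.0.0.9.
SAMPLE = """\
12:00:01.000001 IP 10.0.0.5.40001 > 10.0.0.10.80: Flags [S], seq 1, win 512, length 0
12:00:01.000050 IP 10.0.0.10.80 > 10.0.0.5.40001: Flags [S.], seq 100, ack 2, win 65535, length 0
12:00:01.000100 IP 10.0.0.5.40001 > 10.0.0.10.80: Flags [.], ack 101, win 512, length 0
12:00:02.000001 IP 10.0.0.9.2000 > 10.0.0.10.80: Flags [.], ack 1, win 512, length 0
12:00:02.100001 IP 10.0.0.9.2001 > 10.0.0.10.81: Flags [.], ack 1, win 512, length 0
12:00:02.100050 IP 10.0.0.10.81 > 10.0.0.9.2001: Flags [R], seq 1, win 0, length 0
12:00:02.200001 IP 10.0.0.9.2002 > 10.0.0.10.443: Flags [FPU], seq 1, win 512, length 0
12:00:02.300001 IP 10.0.0.9.2003 > 10.0.0.10.22: Flags [F], seq 1, win 512, length 0
12:00:02.300050 IP 10.0.0.10.22 > 10.0.0.9.2003: Flags [R.], seq 0, ack 2, win 0, length 0
"""

if __name__ == "__main__":
    found = detect_probes(SAMPLE.splitlines())
    for (src, dst, dport), (kind, resp) in found.items():
        print(f"{src} -> {dst}:{dport} {kind:4} reply={resp!s:4} => {classify_response(kind, resp)}")
    print("probing sources:", probing_sources(found))
```

The handshake from 10.0.0.5 is ignored because its flow began with a SYN, while the four flag probes from 10.0.0.9 are reported with the reply each one got: the ACK to port 80 and the XMAS to 443 drew no answer (dropped), the ACK to 81 and the FIN to 22 drew a reset. A single source hitting several ports with out-of-state packets is the pattern to alert on; on a firewall that only admits SYN to open ports, all of these probes would be silent.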