Friday, January 6, 2017

Stealth Scanning With hping3


In addition to the discovery techniques it can perform, hping3 can also be used to perform port scans. This article demonstrates how hping3 can be used to perform a TCP stealth scan.

To use hping3 to perform a TCP stealth scan, you will need a remote system that is running network services accessible over TCP. In the examples provided, an instance of Metasploitable2 is used for this purpose. You could use any other target for your practice.

In addition to the discovery capabilities already mentioned, hping3 can also be used to perform a TCP port scan. To perform a port scan with hping3, we need to use the --scan mode with an integer value to indicate the port number to be scanned:


In the example provided, a SYN scan was performed against TCP port 80 of the IP address indicated. The -S option identifies the TCP flags set in the packet sent to the remote system. The table indicates the attributes of the packet received in response. As indicated by the output, a SYN+ACK response was received, thereby indicating that port 80 is open on the target host. Additionally, we can scan multiple ports by passing a comma-delimited series of port numbers as follows:

In the scan output provided, you can see that results are only displayed when a SYN+ACK response is received. Note that the response associated with the SYN request sent to port 443 is not displayed. As indicated in the output, we can view all of the responses by increasing the verbosity with the -v option. Additionally, a sequential range of ports can be scanned by passing the first and last port address values separated by a dash, as follows:

In the example provided, the 100-port scan was sufficient to identify several services on the Metasploitable2 system. However, to perform a scan of all possible TCP ports, every possible port address value needs to be scanned. The portions of the TCP header that define the source and destination port addresses are both 16 bits in length, and each bit can hold a value of 1 or 0. As such, there are 2^16, or 65,536, possible TCP port addresses. For the total possible address space to be scanned, a port range of 0 to 65535 needs to be supplied, as follows:



hping3 differs from some of the other tools that have been mentioned in that it doesn't have a dedicated SYN scanning mode; rather, it allows you to specify which TCP flag bits are set in the TCP packets it sends. In the example provided in this article, the -S option instructed hping3 to set the SYN flag on the TCP packets that were sent.
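The exchange described above, seen from the monitored host's side, as an added example that is not part of the original post and not hping3's own code: a Python script that parses a constructed flow log of a SYN scan (bare SYN out, SYN+ACK or RST back, a RST from the prober's side instead of the handshake-completing ACK), reconstructs what the prober learned about each port using standard TCP semantics (SYN+ACK means open, RST means closed, no reply means filtered or dropped, which is the case the text notes is hidden unless -v is used), and then flags the half-open pattern that distinguishes such a scan from an ordinary client that completes its handshake. The log format, the addresses, and the port-count threshold are assumptions made for this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log (not hping3 output): one TCP segment per line in a
# simplified sensor format "time src:sport > dst:dport flags".
# 198.51.100.7 probes 192.0.2.10 with bare SYNs and never completes a
# handshake; 203.0.113.5 is an ordinary client that does.
SAMPLE_LOG = """\
0.000 198.51.100.7:40001 > 192.0.2.10:22 S
0.001 192.0.2.10:22 > 198.51.100.7:40001 SA
0.001 198.51.100.7:40001 > 192.0.2.10:22 R
0.002 198.51.100.7:40002 > 192.0.2.10:23 S
0.002 192.0.2.10:23 > 198.51.100.7:40002 SA
0.003 198.51.100.7:40002 > 192.0.2.10:23 R
0.004 198.51.100.7:40003 > 192.0.2.10:25 S
0.004 192.0.2.10:25 > 198.51.100.7:40003 RA
0.005 198.51.100.7:40004 > 192.0.2.10:80 S
0.005 192.0.2.10:80 > 198.51.100.7:40004 SA
0.006 198.51.100.7:40004 > 192.0.2.10:80 R
0.007 198.51.100.7:40005 > 192.0.2.10:443 S
0.010 198.51.100.7:40006 > 192.0.2.10:3306 S
0.010 192.0.2.10:3306 > 198.51.100.7:40006 RA
1.200 203.0.113.5:51000 > 192.0.2.10:80 S
1.201 192.0.2.10:80 > 203.0.113.5:51000 SA
1.202 203.0.113.5:51000 > 192.0.2.10:80 A
"""

LINE_RE = re.compile(
    r"^(?P<t>[\d.]+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>[SARFPU]+)$"
)


@dataclass(frozen=True)
class Segment:
    time: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # set of single-letter TCP flags, e.g. {"S", "A"}


def parse_log(text):
    """Parse the assumed log format into Segment records; reject bad lines."""
    segments = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        segments.append(Segment(float(m["t"]), m["src"], int(m["sport"]),
                                m["dst"], int(m["dport"]), frozenset(m["flags"])))
    return segments


def classify_probes(segments, prober, target):
    """What a SYN prober learns per port, by standard TCP semantics:
    SYN+ACK -> open, RST -> closed, no reply at all -> filtered."""
    result = {}
    for seg in segments:  # every bare SYN from the prober starts as "filtered"
        if seg.src == prober and seg.dst == target and seg.flags == {"S"}:
            result.setdefault(seg.dport, "filtered")
    for seg in segments:  # replies from the target upgrade that verdict
        if seg.src == target and seg.dst == prober and seg.sport in result:
            if {"S", "A"} <= seg.flags:
                result[seg.sport] = "open"
            elif "R" in seg.flags and result[seg.sport] == "filtered":
                result[seg.sport] = "closed"
    return result


def detect_syn_scans(segments, min_ports=5):
    """Flag (src, dst) pairs where src sent bare SYNs to at least min_ports
    distinct ports but never finished a handshake with a bare ACK."""
    probed = defaultdict(set)      # (src, dst) -> ports hit with a bare SYN
    syn_flows = set()              # 4-tuples the client opened with a SYN
    completed = defaultdict(int)   # (src, dst) -> handshakes that finished
    for seg in segments:
        flow = (seg.src, seg.sport, seg.dst, seg.dport)
        if seg.flags == {"S"}:
            probed[(seg.src, seg.dst)].add(seg.dport)
            syn_flows.add(flow)
        elif seg.flags == {"A"} and flow in syn_flows:
            completed[(seg.src, seg.dst)] += 1
            syn_flows.discard(flow)
    alerts = {}
    for (src, dst), ports in probed.items():
        if len(ports) >= min_ports and completed[(src, dst)] == 0:
            alerts[(src, dst)] = {"ports_probed": len(ports),
                                  "handshakes_completed": 0}
    return alerts


if __name__ == "__main__":
    segs = parse_log(SAMPLE_LOG)
    for port, state in sorted(classify_probes(segs, "198.51.100.7", "192.0.2.10").items()):
        print(f"port {port:>5}: {state}")
    for (src, dst), info in detect_syn_scans(segs).items():
        print(f"ALERT half-open scan {src} -> {dst}: {info}")
```

The detection keys on the two things the text makes explicit: probes carry only the SYN flag, and the prober never sends the final ACK, so the service behind an open port never sees an accepted connection and logs nothing. That is why a network-level sensor rather than application logs is the place to look for this pattern, and why the threshold is on distinct ports per source-destination pair rather than on connection counts.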
