How to Use Hping for Network Scanning and Firewall Testing
Hping is a command-line network tool for crafting and transmitting custom TCP/IP packets. It is commonly used for network scanning, firewall testing, path MTU discovery, and performance measurement. Unlike higher-level scanners, Hping gives fine-grained control over packet fields (flags, headers, payloads), which lets security professionals and network administrators test how devices respond to unusual or deliberately malformed traffic.
This article covers installation, basic and advanced scanning techniques, firewall testing strategies, practical examples, common pitfalls, and defensive measures. It assumes familiarity with TCP/IP basics and Linux command line. Use Hping responsibly on networks you own or have explicit permission to test.
Table of contents
- What is Hping?
- Installing Hping
- Basic usage and options
- Common scanning techniques
- TCP SYN scan
- TCP connect-like scan
- ACK scan for firewall ruleset discovery
- UDP scanning
- ICMP-based probes
- Firewall testing strategies
- Identifying stateful vs. stateless behavior
- Evasion techniques and fragmentation
- TTL and routing-related tests
- Advanced features
- Packet forging and custom flags
- Payload and timing control (DoS considerations)
- Scripting and automation
- Interpreting results
- Safety, legality, and ethics
- Defensive guidance for administrators
- Practical examples and recipes
- Troubleshooting and tips
- References and further reading
What is Hping?
Hping is a command-line utility that crafts network packets at the IP level and sends them to specified targets. It supports TCP, UDP, ICMP, and raw IP protocols, and can manipulate TCP flags, sequence numbers, fragmentation, and more. Hping is often used in security testing because it reveals how hosts, firewalls, and intrusion detection systems handle atypical or malicious traffic.
Key fact: Hping operates at the packet level and provides greater control than higher-level scanners.
Installing Hping
On most Linux distributions, hping3 (the current major version) is available from package repositories. Package names vary between distributions, but the installed binary is hping3 in each case:
- Debian/Ubuntu:
sudo apt update && sudo apt install hping3
- Fedora:
sudo dnf install hping
- Arch Linux:
sudo pacman -S hping
On macOS, use Homebrew:
brew install hping
You can also compile from source if needed (useful for older versions or custom builds). Confirm the install with hping3 --version.
Basic usage and options
Hping’s basic syntax:
hping3 [options] <host>
Common options:
- -S, -A, -F, -P, -R, -U, -X, -Y — set TCP flags (SYN, ACK, FIN, PSH, RST, URG, and the two unused X and Y bits); with no flag option hping sends a TCP packet with no flags set, and the default destination port is 0
- -p <port> — destination port
- -s <port> — source port
- -c <count> — number of packets to send
- -i <interval> — packet interval (e.g. u1000 for one packet every 1000 microseconds)
- -d <size> — payload size in bytes
- -a <addr> — spoof the source address (replies go to that address, not to you)
- -t <ttl> — set the IP TTL
- -f — fragment packets
- -n — numeric output (don’t resolve names)
- --udp, --icmp — UDP or ICMP mode instead of the default TCP mode
- --tcp-timestamp — enable the TCP timestamp option
- -V — verbose
Use sudo/root for raw packet operations.
Common scanning techniques
TCP SYN scan
A SYN scan sends the first packet of the TCP handshake and nothing else. Hping never completes the handshake: when the target's SYN-ACK arrives, the scanning host's kernel has no connection matching it and answers with a RST. The target application therefore never sees a connection and logs nothing; firewalls and network IDS still see the probe, so the "stealth" is relative to application logs only.
Example:
sudo hping3 -S -p 80 -c 3 target.example.com
Interpretation:
- flags=SA (SYN-ACK) indicates the port is open.
- flags=RA (RST-ACK) indicates the port is closed but the host is reachable.
- No response indicates the probe or its reply was filtered or dropped. Repeat before concluding, since a single lost packet looks the same.
TCP connect-like scan
Hping cannot perform a true connect scan. It writes raw packets, and the local kernel resets any SYN-ACK that arrives for a connection it did not open, so the three-way handshake never completes. The -M (--setseq) and -L (--setack) options set the TCP sequence and acknowledgment numbers of the packets you send, which is useful for forging individual segments but not for driving a conversation. For a full connect scan use netcat or nmap -sT instead.
ACK scan for firewall ruleset discovery
An ACK scan sends packets with only the ACK flag set. A host answers an unsolicited ACK with a RST whether the port is open or closed, so the result says nothing about port state; what it reveals is whether the packet got through, and therefore whether the filtering in front of the host tracks connection state.
Example:
sudo hping3 -A -p 80 -c 3 target.example.com
Interpretation:
- RST reply (flags=R or flags=RA): unfiltered. The packet reached the host, so any firewall on the path is either absent or stateless for that port.
- No reply: filtered, typically a stateful firewall dropping an ACK that belongs to no tracked connection.
UDP scanning
UDP is connectionless, so there is no handshake to observe. Hping sends UDP datagrams and reports any ICMP Port Unreachable that comes back.
Example:
sudo hping3 --udp -p 53 -c 3 target.example.com
Interpretation:
- ICMP Port Unreachable => port closed.
- No response => port open|filtered: either a service accepted the datagram silently or a firewall dropped it. Most hosts rate-limit ICMP errors (Linux does by default), so probe slowly and repeat before treating silence as open.
ICMP-based probes
ICMP echo requests (hping3 --icmp) check basic reachability and show which hosts and intermediate network devices answer ICMP at all, which matters because many firewalls drop echo requests while still passing TCP.
Example:
sudo hping3 --icmp -c 3 target.example.com
Firewall testing strategies
Identifying stateful vs. stateless behavior
- Send ACK-only packets to ports the firewall permits. A RST reply means the unsolicited ACK passed, which indicates stateless filtering; silence indicates a stateful firewall dropping packets that match no tracked connection.
- Send SYN packets with a spoofed source address (-a) to check anti-spoofing and state handling. Replies go to the spoofed address, not to you, so capture on that host or read the firewall logs to see the outcome.
Evasion techniques and fragmentation
- Fragment packets to test whether the firewall reassembles before filtering:
sudo hping3 -f -S -p 80 target.example.com
- -f splits each packet into fragments of hping's virtual MTU (16 bytes by default; -m sets another value). With fragments that small the TCP header itself is spread across fragments, so a filter that inspects only the first fragment never sees the destination port or flags. A filter that reassembles, or that drops fragments too small to carry a full transport header, treats the probe like an ordinary SYN.
TTL and routing-related tests
- Set the TTL (-t) to find out which hop answers at each distance. A hop that expires the TTL replies with ICMP Time Exceeded, which hping reports as "TTL 0 during transit from ip=...":
sudo hping3 -S -p 80 -t 1 target.example.com
- Increase the TTL one hop at a time to see where replies stop or change; this locates the firewall on the path. hping3 -T (--traceroute) automates the stepping.
Advanced features
Packet forging and custom flags
You can combine flags and craft unusual TCP flag combinations that can trigger bugs or misconfigurations:
sudo hping3 -S -F -P -R -p 80 -c 5 target.example.com
This sends packets with SYN, FIN, PSH, and RST set at once, a combination no legitimate TCP stack produces. The responses (or their absence) can reveal poorly implemented TCP stacks, and the packets will trigger IDS signatures written for such combinations.
Payload and timing control (use carefully)
Adjust payload size and timing to measure throughput or to load-test a device. The interval option controls the rate; u1000 sends one packet every 1000 microseconds:
sudo hping3 -S -p 80 -d 1200 -i u1000 -c 10000 target.example.com
Note: --flood ignores -i and sends packets as fast as the interface allows, without showing replies. It is a denial-of-service test; only use it on authorized targets, and be ready to stop it with Ctrl-C.
Scripting and automation
Combine Hping in scripts to automate scans and parse outputs. hping3 prints the per-reply lines on stdout and the summary on stderr, so the summary can be discarded with 2>/dev/null. Example (bash):
for p in 22 80 443; do
  sudo hping3 -S -p "$p" -c 2 -n target.example.com 2>/dev/null | grep flags=
done
Interpreting results
- SYN-ACK (flags=SA): a service is listening; the port is open.
- RST (flags=RA, or R alone): closed, but the host is reachable and the port is unfiltered.
- No response: filtered or silently dropped. ICMP errors may also have been rate-limited, so repeat before concluding.
- ICMP Port Unreachable (for UDP): closed.
- Other ICMP unreachable messages (host unreachable, administratively prohibited): a router or firewall rejected the packet and said so.
- Unusual TCP flag responses: possible intrusion detection triggers, misconfiguration, or TCP stack bugs.
When results are ambiguous, repeat tests with different packet sizes, fragmentation, TTLs, or source ports to rule out transient network issues.
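The verdict list above, and the per-port loop in the scripting section, as working logic. This is an added example, not code from the original article: a POSIX shell/awk function reads hping3 output (stdout and stderr merged, so the summary line is available) and returns a verdict that depends on the scan mode, because the same RST means "closed" for a SYN scan but "unfiltered" for an ACK scan. probe_port and sweep_ports call hping3 for real and need root; the sample_* functions are constructed lines in hping3's output format, not a real capture, and the block only touches the network when HPING_TARGET is set.

```shell
#!/bin/sh
# Added example (not from the original article): classify hping3 output by scan mode.
# hping3 prints one line per reply on stdout and the "hping statistic" summary on
# stderr, so callers merge the two (2>&1) before piping into classify_hping_output.
# Verdicts: open | closed | unfiltered | filtered | open|filtered | ttl-exceeded | unexpected | unknown

# classify_hping_output MODE   (MODE = syn | ack | udp); hping3 output on stdin
classify_hping_output() {
  awk -v mode="$1" '
    /flags=/ {                                # per-reply line: ... sport=80 flags=SA seq=0 ...
      f = ""
      for (i = 1; i <= NF; i++) if ($i ~ /^flags=/) f = substr($i, 7)
      if (mode == "ack") { verdict = (f ~ /R/) ? "unfiltered" : "unexpected"; exit }
      if (f ~ /S/ && f ~ /A/) { verdict = "open"; exit }      # SYN-ACK
      if (f ~ /R/)            { verdict = "closed"; exit }    # RST or RST-ACK
      verdict = "unexpected"; exit                            # e.g. SYN-FIN from a broken stack
    }
    /ICMP Port Unreachable/ { verdict = (mode == "udp") ? "closed" : "filtered"; exit }
    /^ICMP/                 { verdict = "filtered"; exit }     # host unreachable, admin prohibited, ...
    /TTL 0 during transit/  { verdict = "ttl-exceeded"; exit } # an intermediate hop expired the TTL
    /packets received/ && $4 == 0 { verdict = (mode == "udp") ? "open|filtered" : "filtered" }
    END { if (verdict == "") verdict = "unknown"; print verdict }
  '
}

# probe_port MODE HOST PORT: run hping3 (needs root and hping3 installed) and classify the result
probe_port() {
  case "$1" in
    syn) flag=-S ;;
    ack) flag=-A ;;
    udp) flag=--udp ;;
    *) echo "mode must be syn, ack or udp" >&2; return 2 ;;
  esac
  hping3 "$flag" -p "$3" -c 2 -n "$2" 2>&1 | classify_hping_output "$1"
}

# sweep_ports MODE HOST PORT...: one verdict line per port
sweep_ports() {
  mode=$1; host=$2; shift 2
  for port in "$@"; do
    printf '%s %s/%s: %s\n' "$host" "$port" "$mode" "$(probe_port "$mode" "$host" "$port")"
  done
}

# Constructed sample output in the format hping3 prints; not captured from a real host.
sample_open() {
  printf '%s\n' \
    'HPING target.example.com (eth0 192.0.2.10): S set, 40 headers + 0 data bytes' \
    'len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=0.4 ms' \
    '--- target.example.com hping statistic ---' \
    '1 packets transmitted, 1 packets received, 0% packet loss'
}
sample_closed() {
  printf '%s\n' \
    'len=40 ip=192.0.2.10 ttl=64 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=0.3 ms' \
    '1 packets transmitted, 1 packets received, 0% packet loss'
}
sample_silent() {
  printf '%s\n' \
    'HPING target.example.com (eth0 192.0.2.10): S set, 40 headers + 0 data bytes' \
    '--- target.example.com hping statistic ---' \
    '2 packets transmitted, 0 packets received, 100% packet loss'
}
sample_udp_closed() {
  printf '%s\n' \
    'ICMP Port Unreachable from ip=192.0.2.10 name=UNKNOWN' \
    'status=0 port=53 seq=0' \
    '1 packets transmitted, 1 packets received, 0% packet loss'
}
sample_ttl_expired() {
  printf '%s\n' \
    'TTL 0 during transit from ip=198.51.100.1 name=UNKNOWN' \
    '1 packets transmitted, 1 packets received, 0% packet loss'
}

# Only hits the network when HPING_TARGET is set, e.g. HPING_TARGET=target.example.com sh scan.sh
if [ -n "${HPING_TARGET:-}" ]; then
  sweep_ports syn "$HPING_TARGET" 22 80 443
  sweep_ports ack "$HPING_TARGET" 80
fi
```

The mode argument is the point of the design: grepping for "flags" alone loses the no-reply case (there is no line to match) and cannot tell an ACK-scan RST from a SYN-scan RST, so the verdict has to be computed from both the reply lines and the summary.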
Safety, legality, and ethics
- Only test networks you own or have explicit permission to test. Unauthorized scanning and firewall testing can be illegal and cause service disruption.
- Avoid --flood and aggressive timings on production networks.
- Document tests and obtain written authorization for penetration tests.
Defensive guidance for administrators
- Use stateful firewall rules so that unsolicited ACKs, FINs and RSTs are dropped, and add explicit rules that drop and log invalid flag combinations (SYN+FIN, SYN+RST, no flags, FIN without ACK).
- Reassemble fragments, or drop fragments too small to carry a complete transport header, before applying port-based rules.
- Rate-limit ICMP responses and SYNs per source so that probing is slow and flooding is bounded.
- Apply ingress filtering (BCP 38) at the network edge to drop spoofed source addresses, and alert on unusual TCP flag combinations in IDS and firewall logs.
- Keep systems patched so that malformed packets do not reach known TCP stack bugs.
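The monitoring advice above as detection logic. This is an added example, not code from the original article: two POSIX shell/awk functions read `tcpdump -n` lines, one flagging flag combinations that no legitimate stack emits (the -S -F -P -R probe from the previous section, lone FINs, null packets), the other listing sources that sent bare SYNs to several distinct host:port pairs, which is what a scripted hping sweep looks like on the wire. The capture lines are constructed for the example (a scanner at 203.0.113.7 and one normal handshake from 198.51.100.4), not a real trace, and the block reads a live pcap only when PCAP_FILE is set.

```shell
#!/bin/sh
# Added example (not from the original article): spot hping-style probes in tcpdump output.
# Input is the line format of `tcpdump -n` (IPv4 only), e.g.
#   12:00:01.000003 IP 203.0.113.7.2051 > 192.0.2.10.80: Flags [SFRP], seq 0, win 512, length 0
# Field layout: $3 = "src.port", $5 = "dst.port:", $6 = "Flags", $7 = "[SFRP],"

# Print "src flags reason" for every packet whose flag combination no normal TCP stack emits.
tcp_flag_anomalies() {
  awk '
    $2 == "IP" && $6 == "Flags" {
      src = $3; sub(/\.[0-9]+$/, "", src)        # strip the source port
      f = $7;   gsub(/\[|\]|,/, "", f)           # "[SFRP]," -> "SFRP"; "." is ACK, "none" is no flags
      reason = ""
      if (f == "none")                reason = "null-scan"
      else if (f ~ /S/ && f ~ /F/)    reason = "syn+fin"          # e.g. hping3 -S -F -P -R
      else if (f ~ /S/ && f ~ /R/)    reason = "syn+rst"
      else if (f ~ /F/ && f !~ /\./)  reason = "fin-without-ack"  # lone FIN probe (hping3 -F)
      if (reason != "") print src, f, reason
    }'
}

# Print "src count" for sources that sent bare SYNs to at least N distinct host:port pairs (default 3).
# Bare ACKs are not flagged this way: they are normal inside established connections, so an ACK
# scan is only visible as RSTs coming back for connections the firewall never tracked.
syn_sweep_sources() {
  awk -v n="${1:-3}" '
    $2 == "IP" && $6 == "Flags" && $7 == "[S]," {
      src = $3; sub(/\.[0-9]+$/, "", src)
      dst = $5; sub(/:$/, "", dst)
      if (!((src, dst) in seen)) { seen[src, dst] = 1; targets[src]++ }
    }
    END { for (s in targets) if (targets[s] >= n) print s, targets[s] }'
}

# Constructed capture for the example: a scanner at 203.0.113.7 and one legitimate handshake.
sample_capture() {
  printf '%s\n' \
    '12:00:01.000001 IP 203.0.113.7.2049 > 192.0.2.10.22: Flags [S], seq 100, win 512, length 0' \
    '12:00:01.000002 IP 203.0.113.7.2050 > 192.0.2.10.80: Flags [S], seq 100, win 512, length 0' \
    '12:00:01.000003 IP 203.0.113.7.2051 > 192.0.2.10.443: Flags [S], seq 100, win 512, length 0' \
    '12:00:01.000004 IP 203.0.113.7.2052 > 192.0.2.10.80: Flags [SFRP], seq 0, win 512, length 0' \
    '12:00:01.000005 IP 203.0.113.7.2053 > 192.0.2.10.80: Flags [F], seq 0, win 512, length 0' \
    '12:00:01.000006 IP 203.0.113.7.2054 > 192.0.2.10.25: Flags [none], seq 0, win 512, length 0' \
    '12:00:05.000001 IP 198.51.100.4.51000 > 192.0.2.10.80: Flags [S], seq 7, win 65535, length 0' \
    '12:00:05.000002 IP 192.0.2.10.80 > 198.51.100.4.51000: Flags [S.], seq 9, ack 8, win 29200, length 0' \
    '12:00:05.000003 IP 198.51.100.4.51000 > 192.0.2.10.80: Flags [.], ack 10, win 65535, length 0'
}

# Run against a saved capture only when PCAP_FILE is set, e.g. PCAP_FILE=edge.pcap sh detect.sh
if [ -n "${PCAP_FILE:-}" ]; then
  tcpdump -nr "$PCAP_FILE" tcp | tcp_flag_anomalies
  tcpdump -nr "$PCAP_FILE" tcp | syn_sweep_sources 3
fi
```

The two checks are deliberately separate: an invalid flag combination is evidence on its own, a single SYN is not, so the sweep detector counts distinct targets per source instead of flagging individual packets.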
Practical examples and recipes
- Quick SYN probe of a range (do not add -q here: quiet mode suppresses the per-reply lines that carry the flags):
for ip in 192.168.1.{1..254}; do
  printf '%s ' "$ip"
  sudo hping3 -S -p 22 -c 1 -n "$ip" 2>/dev/null | grep -o 'flags=[A-Z]*' || echo no-reply
done
- Test firewall behavior (ACK scan):
sudo hping3 -A -p 80 -c 3 target.example.com
- Fragmentation evasion test:
sudo hping3 -f -S -p 80 -d 120 target.example.com
- UDP DNS probe:
sudo hping3 --udp -p 53 -c 3 target.example.com
Troubleshooting and tips
- Run as root for raw sockets.
- Use -n to speed up scans by skipping DNS resolution.
- If behind NAT, spoofed-source tests may not return replies — interpret accordingly.
- Combine Hping with tcpdump or Wireshark to view traffic on the wire:
sudo tcpdump -n -i eth0 host target.example.com and tcp port 80
Closing notes
Hping is a flexible, low-level tool ideal for nuanced network and firewall testing. Its strength is precise packet control; its risk is causing unintended disruptions if misused. Use it with care, proper authorization, and supporting packet capture to validate behavior. For broader scanning needs, combine Hping with other tools like Nmap, Wireshark, and firewall logs to build a complete picture.