Commit cd4a3432 authored by Devon Kearns

Imported Upstream version 3.a2.ds2

Lead developer and maintainer:
Salvatore Sanfilippo <>
Regular contributors:
Nicolas Jombart <>
Denis Ducamp <>
Yann Berthier <>
Stephane Aubert <>
Other contributors:
Brieuc Jeunhomme <>
Mika <>
Alfonso De Gregorio <>
Francesco Potorti` <>
Daniel Ginsburg <>
Steve Bleazard <>
Also thanks to the following people for testing, bug reports, ideas,
minor patches, documentation fixes:
Valeriano Bedeschi <>
Lorenzo Cavallaro <>
awgn roofing <>
Darren Reed <avalon@COOMBS.ANU.EDU.AU>
Lance Spitzner <>
Stefano Brandimarte <>
"roy kozzer" <>
Jason Lunz <>
Domenico Andreoli <>
Gian-Luca Dei Rossi <>
Marco D'Itri <>
Rui Miguel Barbosa Machado <>
David Bar <>
David Coppa <>
Shachar Shemesh <>
Brieuc Jeunhomme <>
Hans-Joachim Knobloch <>
Olivier Warin <>
Note: if you aren't in this list for an oversight, please inform me.
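Review bot: Brieuc Jeunhomme is listed twice, once under "Other contributors:" and again in the testing/bug-report list just above this note; drop one entry or say why he belongs in both. Also "if you aren't in this list for an oversight" should read "because of an oversight".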
Please, use this procedure to report hping3 bugs
- If you are able to use a Wiki:
Go to and use the 'edit' button to
add your bug report.
- If you can't use the Wiki:
Follow the istructions at but instead to add
the bug report in the hping web site, write me an email.
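Review bot: "istructions" should be "instructions", and "but instead to add the bug report in the hping web site, write me an email" reads awkwardly; suggest "but instead of adding the bug report on the hping web site, send me an email".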
$Id: CHANGES,v 1.2 2004/03/29 23:12:04 antirez Exp $
30Mar2004 - First public release of hping3
21Jun2004 - Added --beep and --flood command line options.
22Jun2004 - hping3-alpha-2 released
You can compile hping3 at least under:
But hping3 is beta, for now it was mostly tested only in Linux,
this should change soon now that the first beta is out.
Note that starting from hping3 libpcap should be used
with all the kind of systems, including Linux.
please, follows this steps:
$ ./configure (first try ./configure --help)
$ vi Makefile (optional)
$ make
$ su
# make install
FreeBSD, OpenBSD, NetBSD
You will need the libpcap and the gmake utility installed on your system.
$ ./configure
$ gmake
$ su (or calife)
# gmake install
NOTE: You should take care about your net/bpf.h file installing on
BSD systems (specially with OpenBSD). If your original bpf.h was
overwritten with the libpcap one probably hping will not work
with over some interface.
For example if you use the libpcap bpf.h on OpenBSD hping will
not work over PPP interfaces.
$ export CC="gcc"
$ ./configure
$ gmake
$ su
# gmake install
To setuid hping3 is like to open the port to script kiddies
for now. Don't do it in any real multiuser and otherwise
security-sensitive system.
See the BUGS manual section.
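Review bot: the setuid warning at the end is the important part of this file and should also state what the install target actually does, namely that `make install` copies the binary with mode 755 and sets no setuid bit, so nobody adds it by hand to "make it work" for non-root users. Grammar in the build steps: "please, follows this steps:" should be "please follow these steps:", and "You should take care about your net/bpf.h file installing on BSD systems (specially with OpenBSD)" should be "Take care with your net/bpf.h file when installing on BSD systems (especially OpenBSD)". The third build block (the one starting with `$ export CC="gcc"`) has no heading naming the platform it applies to.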
# $smu-mark$
# $name:$
# $author: Salvatore Sanfilippo 'antirez'$
# $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$
# $license: This software is under GPL version 2 of license$
# $date: Sun Jul 25 17:56:15 MET DST 1999$
# $rev: 3$
CC= gcc
#uncomment the following if you need libpcap based build under linux
#(not raccomanded)
ARSOBJ = ars.o apd.o split.o rapd.o
OBJ= main.o getifname.o getlhs.o \
parseoptions.o datafiller.o \
datahandler.o gethostname.o \
binding.o getusec.o opensockraw.o \
logicmp.o waitpacket.o resolve.o \
sendip.o sendicmp.o sendudp.o \
sendtcp.o cksum.o statistics.o \
usage.o version.o antigetopt.o \
sockopt.o listen.o \
sendhcmp.o memstr.o rtt.o \
relid.o sendip_handler.o \
libpcap_stuff.o memlockall.o memunlockall.o \
memlock.o memunlock.o ip_opt_build.o \
display_ipopt.o sendrawip.o signal.o send.o \
strlcpy.o arsglue.o random.o scan.o \
hstring.o script.o interface.o \
adbuf.o hex.o apdutils.o sbignum.o \
sbignum-tables.o $(ARSOBJ)
all: .depend hping3
dep: .depend
@echo Making dependences
@$(CC) -MM *.c > .depend
libars.a: $(ARSOBJ)
$(AR) rc $@ $^
$(RANLIB) $@
hping3: byteorder.h $(OBJ)
$(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP) @SOLARISLIB@ @TCL_LIB@
./hping3 -v
@echo "use \`make strip' to strip hping3 binary"
@echo "use \`make install' to install hping3"
hping3-static: byteorder.h $(OBJ)
$(CC) -static -o hping3-static $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP) @SOLARISLIB@ @TCL_LIB@ -ldl
rm -rf hping3 *.o libars.a
rm -rf hping3 *.o byteorder byteorder.h systype.h Makefile libars.a .depend
install: hping3
cp -f hping3 /usr/sbin/
chmod 755 /usr/sbin/hping3
ln -s /usr/sbin/hping3 /usr/sbin/hping
ln -s /usr/sbin/hping3 /usr/sbin/hping2
@if [ -d ${INSTALL_MANPATH}/man8 ]; then \
cp ./docs/hping3.8 ${INSTALL_MANPATH}/man8; \
chmod 644 ${INSTALL_MANPATH}/man8/hping3.8; \
else \
echo "@@@@@@ WARNING @@@@@@"; \
echo "Can't install the man page: ${INSTALL_MANPATH}/man8 does not exist"; \
strip: hping3
@ls -l ./hping3
strip hping3
@ls -l ./hping3
include .depend
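Review bot: the install target's `ln -s /usr/sbin/hping3 /usr/sbin/hping` and `ln -s /usr/sbin/hping3 /usr/sbin/hping2` have no `-f`, so a second `make install` aborts when the links already exist; use `ln -sf`. The binary is also copied to a hardcoded /usr/sbin while the man page honours ${INSTALL_MANPATH}; a prefix variable would keep the two consistent. The comment "#uncomment the following if you need libpcap based build under linux (not raccomanded)" contradicts INSTALL, which says that starting from hping3 libpcap should be used on all systems including Linux; one of the two should be updated (and "raccomanded" spelled "recommended").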
Read the README file to know about the new features in general.
------ hping3 alpha2 -------
Two new features for the command line interface.
1) Using the --beep option hping will produce a beep for every matching
packet received (not for ICMP errors).
2) The --flood option to send packets as fast as possible. This
is much faster than "-i u1", because it's actually an endless
loop and in this mode hping will not care to read/show replies
at all.
------ hping3 alpha1 -------
Read the docs/API.txt for information about scripting capabilties.
Check the libs directory for examples of hping scripts.
Try the --scan option in the command line to see the port-scanner features.
Example of the --scan option usage:
# hping3 --scan known -S
Scanning (, port known
245 ports to scan, use -V to see all the replies
|port| serv name | flags |ttl| id | win | len |
9 discard : .S..A... 64 0 32767 44
13 daytime : .S..A... 64 0 32767 44
21 ftp : .S..A... 64 0 32767 44
22 ssh : .S..A... 64 0 32767 44
25 smtp : .S..A... 64 0 32767 44
37 time : .S..A... 64 0 32767 44
80 www : .S..A... 64 0 32767 44
111 sunrpc : .S..A... 64 0 32767 44
113 auth : .S..A... 64 0 32767 44
631 ipp : .S..A... 64 0 32767 44
3306 mysql : .S..A... 64 0 32767 44
6000 x11 : .S..A... 64 0 32767 44
6667 ircd : .S..A... 64 0 3072 44
All replies received. Done.
Not responding ports:
hping3 README file
hping3 is a network tool able to send custom TCP/IP
packets and to display target replies like ping do with
ICMP replies. hping3 can handle fragmentation, and
almost arbitrary packet size and content, using the
command line interface.
Since version 3, hping implements scripting capabilties,
read the API.txt file under the /docs directory to know
more about it.
As a command line utility, hping is useful to test at
many kind of networking devices like firewalls, routers,
and so. It can be used as a traceroute alike program over all
the supported protocols, firewalk usage, OS fingerprinting,
port-scanner (see the --scan option introduced with hping3),
TCP/IP stack auditing.
It's also really a good didactic tool to learn TCP/IP.
Using Tcl/Tk scripting much more can be done, because
while the hping3 packet generation code is actually the
hping2 put there mainly for compatibility with the command
line interface, all the real news are about scripting.
See the libs directory for example scripts. To run
the example scripts type:
hping3 exec ScriptName.htcl <arguments, if required>
hping3 is developed and manteined by
with the help of other hackers, and comes under GPL version
2 of license. Development is open so you can send me
patches/suggestions/affronts without inhibitions.
Please check the AUTHORS file for a list of people that
contribued with code, ideas, bug reports.
Also vim developer, for tcpdump and GNU in general.
For the hping3 API check docs/API.txt
You can find documentation about hping3 specific functions
Make sure to check the page at
The hping3 primary download site is the following:
How to get the hping3 source code from the anonymous CVS server
$ cvs -d login
CVS will ask for the password, just press enter, no password is required
than type the following to download the full source code.
$ cvs -z8 -d checkout hping3s
How to update your source code tree
change the current directory to /somewhere/hping2, than just type:
$ cvs update
A supported unix-like OS, gcc, root access.
Tcl/Tk is optional but strongly suggested.
see INSTALL file.
have fun,
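Review bot: the "How to update your source code tree" step says to change directory to /somewhere/hping2, but the checkout step above fetches the module `hping3s`; the update instructions should point at the hping3s checkout directory. Spelling and grammar: "capabilties" (also misspelled the same way in NEWS), "manteined", "contribued", "like ping do" should be "like ping does", and "useful to test at many kind of networking devices" should be "useful to test many kinds of networking devices". "hping3 is developed and manteined by" is followed directly by "with the help of other hackers", so the maintainer's name is missing from the sentence.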
WARNING: Also try `grep FIXME *.c'
HPING2 bugs will no longer be handled, the hping2 code inside hping3
is just a compatibility layer that will be dropped once the command
line interface will be reimplemented as an hping script itself.
DONE - split/rapd for IGRP (me)
DONE - add more flags and broadcast address to 'hping iflist'. (me)
DONE - ARS's apd and rapd support for IP and TCP options (me)
- TUN/TAP support -- virtual interface creation, with Tcl channels
- in 'hping recv' a timeout of zero or -1 should be specified using
keyword like 'dontblock' and 'forever', like a number of packets
equal to zero should be specified using the 'all' keyword.
- compression primitives 'hping zip', 'hping unzip'.
- recv should support -nobadsum and -notrunc to don't receive packets
containing layers with the bad checksum or truncated flags set.
- 'hping recvraw' should support a -split option to return the raw data
splitted in layers in a flat TCL list where elements are:
{layer0name binary0 layer1name binary1 ...}
- Ability to specify the outgoing interface regardless of the
destination IP address. (Should be impossible without datalink access)
- 'hping setif ?-promisc? ?-broadcast? ifname'
- 'hping build ?-nocompile? packet' APD->binary
- 'hping describe packet' binary->APD
- IPv6 support in ARS (some still-non-working patch received)
- The hping standard library. that's the real development area
to make the scripting capabilities useful. The library should
contain a reasonable number of functions to make it more handy,
and a number of standard exploits should be rewritten in hping
as examples. Also support for fragmentation, TCP reassembly,
and so on will be useful.
- A short way to invoke scripts in 'path' (/usr/local/lib/hping/*.htcl),
something like: "hping script.htcl". Hping may sense it's an .htlc
file and not a strange-locking domain name ;) and perform a lookup
in the standard library of scripts (~/.hping/*.htcl for example).
- Convert all the raw-socket stuff (used in output) to datalink.
- Implement a scanner, with random nmap and hping features, and also:
FIN scan follwed by a SYN scan, this can be useful
since many admins limit the incoming SYN packets, so the
SYN or connect() scan is too slow, while the FIN scan
show filtered ports as open. We can do a FIN scan, then scan
the ports that appears to be open with SYN. Should
be both fast and accurate.
TODO (about TCL scripting, but for future releases)
- 'hping iflist' should include the link header length (or -1 if it's unknown)
- 'hping recv' and 'recvraw' should have a -layer2 option to return the whole
level 2 frame. The same for 'hping send' and 'hping sendraw'.
- 'hping guesslhs' should run the ipv4 header detection and return the lhs
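Review bot: spelling in the items above: "follwed" should be "followed", "splitted" should be "split", "strange-locking domain name" should be "strange-looking domain name", and "to don't receive packets" should be "to avoid receiving packets". The heading "TODO (about TCL scripting, but for future releases)" sits after a run of items that are themselves about the Tcl scripting commands ('hping recv', 'hping setif', ...), so the split between the two lists is unclear.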
/* adbuf.h - header file for adbuf.c
* Copyright(C) 2001-2002 Salvatore Sanfilippo <>
* All rights reserved.
* See the LICENSE file for COPYRIGHT and PERMISSION notice */
/* $Id: adbuf.h,v 2003/08/31 17:24:00 antirez Exp $ */
#ifndef _ADBUF_H
#define _ADBUF_H
#include <sys/types.h>
struct adbuf {
char *buf;
size_t size; /* total buffer size */
size_t left; /* unused buffer size */
/* the size of data stored is just size-left */
#define ADBUF_INCR 256 /* note that this MUST BE >= 1 */
#define adbuf_used(b) ((b)->size - (b)->left)
#define adbuf_ptr(b) ((b)->buf)
/* Rawly create an adbuf object. 's' is supposed to be some heap
* memory already allocated, with some nul-term string inside */
#define adbuf_from_heapstring(b,s) \
do { b->buf = s; b->left = 0; b->size = strlen(s); } while(0)
int adbuf_init(struct adbuf *b);
void adbuf_free(struct adbuf *b);
int adbuf_reset(struct adbuf *b);
int adbuf_add(struct adbuf *b, void *data, size_t len);
int adbuf_addchar(struct adbuf *b, int c);
int adbuf_strcat(struct adbuf *b, char *string);
int adbuf_cat(struct adbuf *a, struct adbuf *b);
int adbuf_cut(struct adbuf *b, size_t count);
int adbuf_ltrim(struct adbuf *b, size_t count);
int adbuf_rtrim(struct adbuf *b, size_t count);
int adbuf_add_long(struct adbuf *b, long l);
int adbuf_add_ulong(struct adbuf *b, unsigned long l);
int adbuf_clone(struct adbuf *src, struct adbuf *dst);
int adbuf_printf(struct adbuf *dst, const char *fmt, ...);
#endif /* _ADBUF_H */
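Review bot: the `adbuf_from_heapstring(b,s)` macro does not parenthesize its arguments and evaluates `s` twice (once in the assignment and once in `strlen(s)`), and it calls strlen() while the header only includes <sys/types.h>, so any caller that has not included <string.h> gets an implicit declaration. Suggest `do { (b)->buf = (s); (b)->left = 0; (b)->size = strlen((b)->buf); } while(0)` and an explicit `#include <string.h>`. The input parameters `void *data` in adbuf_add() and `char *string` in adbuf_strcat() should be `const` so that string literals and read-only buffers can be appended without a cast.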
/* antigetopt -- a getopt replacement
* Copyright(C) 2001 Salvatore Sanfilippo <>
* This software is released under the GPL license
* see the COPYING file for more information */
/* $Id: antigetopt.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */
/* TODO:
* argument list sanity check */
#include <stdlib.h>
#include <string.h>
#include <stdio.h>
#include "antigetopt.h"
/* global vars */
char *ago_optarg = NULL;
char *ago_optname = NULL;
char ago_optchar = '\0';
/* static vars */
static struct ago_exception {
int (*tester)(void);
char *msg;
} ago_exceptions[3] = {
static int ago_exception_bits[] = { AGO_EXCEPT0, AGO_EXCEPT1, AGO_EXCEPT2 };
/* static functions */
static struct ago_optlist
*ago_lookup(struct ago_optlist *list, char *arg, int *islong, int *amb);
static int strinitcmp(char *a, char *b);
/*----------------------------- implementation ------------------------------ */
int antigetopt(int argc, char **argv, struct ago_optlist *list)
static char **save_argv = NULL;
static char *chain = NULL;
static int endoptions = 0;
struct ago_optlist *opt;
int islong;
/* Reset */
if (argv == NULL) {
save_argv = NULL;
chain = NULL;
endoptions = 0;
return AGO_RESET;
} else {
if (save_argv == NULL) {
save_argv = argv+1; /* skips the argv[0] */
/* XXX: argument list sanity check */
if (chain) {
if (*chain == '\0')
chain = NULL;
else {
if ((opt = ago_lookup(list, chain, &islong, NULL))
== NULL)
if (!(opt->ao_flags & AGO_NOARG)) {
/* the if expression maybe false if the
* argument is optional */
if (chain[1] == '\0' && *save_argv)
ago_optarg = *save_argv++;
/* while it is mandatory for the NEEDARG type */
else if (opt->ao_flags & AGO_NEEDARG)
return AGO_REQARG;
return opt->ao_id;
argv = save_argv;
/* handle the "--" special option */
if (*argv && strcmp(*argv, "--") == 0) {
endoptions = 1;
while(*argv) {
/* The option must start with '-' */
if (!endoptions && argv[0][0] == '-' && argv[0][1] != '\0') {
int amb;
/* note: ago_lookup also sets ago_optname */
if ((opt = ago_lookup(list, argv[0], &islong, &amb))
== NULL)
return amb ? AGO_AMBIG : AGO_UNKNOWN;
/* handle the collapsed short options */
if (!islong && argv[0][2] != '\0') {
chain = argv[0]+1;
goto chain_start;
/* if the option require or may have an argument */
ago_optarg = NULL;
/* If the argument is needed we get the next argv[]
* element without care about what it contains */
if (opt->ao_flags & AGO_NEEDARG) {
if (argv[1] == NULL)
return AGO_REQARG;
ago_optarg = argv[1];
/* If the argument is optional we only recognize it
* as argument if it does not starts with '-' */
else if (opt->ao_flags & AGO_OPTARG) {
if (argv[1] && argv[1][0] != '-') {
ago_optarg = argv[1];
save_argv = argv+1;
return opt->ao_id;
} else {
save_argv = argv+1;
ago_optarg = argv[0];
ago_optchar = '\0';
ago_optname = NULL;
return AGO_ALONE;
return AGO_EOF;
#define UNK_SHORT_ERRSTRING "invalid option -- %c\n"
#define UNK_LONG_ERRSTRING "unrecognized option `--%s'\n"
#define ARG_SHORT_ERRSTRING "option requires an argument -- %c\n"
#define ARG_LONG_ERRSTRING "option `--%s' requires an argument\n"
#define AMB_ERRSTRING "option `--%s' is ambiguos\n"
#define IERR_ERRSTRING "internal error. ago_gnu_error() called with " \
"a bad error code (%d)\n"
void ago_gnu_error(char *pname, int error)
if (pname)
fprintf(stderr, "%s: ", pname);
switch(error) {
if (ago_optname)
fprintf(stderr, UNK_LONG_ERRSTRING,
fprintf(stderr, UNK_SHORT_ERRSTRING,
if (ago_optname)
fprintf(stderr, ARG_LONG_ERRSTRING,
fprintf(stderr, ARG_SHORT_ERRSTRING,
fprintf(stderr, AMB_ERRSTRING, ago_optname);
fprintf(stderr, IERR_ERRSTRING, error);
int ago_set_exception(int except_nr, int (*tester)(void), char *msg)
if (tester == NULL || msg == NULL || except_nr < 0 || except_nr >= 3)
return -1;
ago_exceptions[except_nr].tester = tester;
ago_exceptions[except_nr].msg = msg;
return 0;
/*-------------------------- static functions ------------------------------- */
struct ago_optlist
*ago_lookup(struct ago_optlist *list, char *arg, int *islong, int *amb)
int i;
/* ago_lookup can be receive as `arg' a pointer to a
* long argument, like --option, a pointer to a short
* argument like -O, or just a pointer to a char sequence
* in the case of collapsed short arguments like -abcde. */
/* Clear the 'ambiguos' flag, used to report the caller
* an ambiguos option abbreviation error */
if (amb) *amb = 0;
if (*arg == '-') /* skips the first - if any */
switch(*arg) {
case '\0':
return NULL;
case '-':
*islong = 1;
arg++; /* skip the last - */
*islong = 0;
/* search the argument in the list */
if (*islong) {
int retval;
struct ago_optlist *last = NULL;
while(!(list->ao_flags & AGO_ENDOFLIST)) {
ago_optname = arg;
ago_optchar = '\0';
if ((retval = strinitcmp(arg, list->ao_long)) != 0) {
switch(retval) {
case 1:
if (last) {
if (amb) *amb = 1;
return NULL;
last = list;
case 2:
goto ok;
if (last) {
ago_optname = last->ao_long;
list = last;
goto ok;
} else {
ago_optchar = *arg;
ago_optname = NULL;
while(!(list->ao_flags & AGO_ENDOFLIST)) {
if (*arg == list->ao_short)
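Review bot: the open "argument list sanity check" (the TODO at the top of the file and the XXX comment at the start of the first-call branch) is the real robustness gap here: both search loops in ago_lookup() are `while(!(list->ao_flags & AGO_ENDOFLIST))`, so an option table whose caller forgot the AGO_ENDOFLIST terminator is read past its end. Either take an explicit element count or verify the terminator once on the first call, before any lookup. Two smaller points: an optional argument is only taken when `argv[1][0] != '-'`, so a negative number can never be passed as an optional argument and the header should document that; and "ambiguos" in AMB_ERRSTRING and in the comments above ago_lookup() should be "ambiguous", since the error string is user-visible.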