Transfer files via ICMP
hping 192.168.10.66 --listen signature --safe --icmp
On the other side we do:
hping 192.168.10.44 --icmp -d 100 --sign signature --file /path/to/file.txt
Transfer files via TCP
hping 192.168.10.66 --listen signature --safe -p 22
hping 192.168.10.44 -p 22 -d 100 --sign signature --file /path/to/file.txt
Testing Firewall Rules
There are different techniques to test firewall rules. Generally we don't know (or can't say) that a specific machine is a firewall; we just want to understand, from our machine, which ports are filtered, so we want to learn as much as possible about the firewall rules.
Let's set the scene: say we are inside a network and want to understand what is firewalled. Ideally we need an external IP that has no specific firewall rules of its own, such as our trusted VPS.
Once this requirement is satisfied we can try different things, for example:
hping3 -S <vps_ip> -c 4 -p 80
At this point, if we get no response, the port is filtered, while if we get an RA or an SA we know that the port is probably not filtered.
We checked whether port 80 was filtered, but we can now try other ports, or write a script to find out which ports are or aren't filtered.
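A sketch of such a script, added here as an example (not part of the original notes). It applies the rule above to hping3's reply lines and also flags ICMP rejects, which goes slightly beyond the text. The HPING override variable and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: per-port egress verdicts from hping3 SYN probes.
# Verdicts follow the rule stated above: no reply means filtered, an SA or RA
# reply means the probe probably got through. The ICMP case is an addition.

# Constructed sample lines in hping3's reply format (not from a real capture).
SAMPLE_OPEN='len=46 ip=203.0.113.10 ttl=52 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=23.1 ms'
SAMPLE_CLOSED='len=46 ip=203.0.113.10 ttl=52 DF id=0 sport=81 flags=RA seq=0 win=0 rtt=22.8 ms'
SAMPLE_REJECT='ICMP Packet filtered from ip=10.0.0.1 name=UNKNOWN'
SAMPLE_SILENT='HPING 203.0.113.10 (eth0 203.0.113.10): S set, 40 headers + 0 data bytes'

# classify_reply: read hping3 stdout on stdin, print one verdict.
classify_reply() {
    awk '
        /flags=SA( |$)/     { sa++ }
        /flags=RA( |$)/     { ra++ }
        /^ICMP .* from ip=/ { icmp++ }
        END {
            if (sa)        print "unfiltered (SA)"
            else if (ra)   print "unfiltered (RA)"
            else if (icmp) print "filtered (ICMP reject)"
            else           print "filtered (no reply)"
        }'
}

# probe_ports HOST PORT...: send 4 SYNs per port (needs root for raw sockets).
# HPING is a hypothetical override so the parser can be exercised without hping3.
probe_ports() {
    host=$1; shift
    for port in "$@"; do
        verdict=$(${HPING:-hping3} -S "$host" -c 4 -p "$port" 2>/dev/null | classify_reply)
        printf '%s/tcp %s\n' "$port" "$verdict"
    done
}

# Usage (as root): probe_ports <vps_ip> 22 25 53 80 443
```

An RA can also be forged by a firewall that rejects with a TCP reset, which is why the verdict stays "probably" unfiltered; comparing the reply's ttl= value across ports helps spot that case.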
Of course SYN packets are not everything, so we may try different techniques, such as:
hping3 -c 1 -V -p 93 -s 5678 -Y <vps_ip> # -Y sets only the unused Y (0x80) TCP flag bit; a NULL scan is the same command without -Y (no flags set)
We can also use online services such as portquiz, which keeps all TCP ports open for us. Let's see an example:
hping3 -S portquiz.net -c 4 -p 80
Of course, in this case we are limited to testing only the TCP rules on firewalls.
Firewalk is an active reconnaissance network security tool that attempts to
determine what layer 4 protocols a given IP forwarding device will pass.
Firewalk works by sending out TCP or UDP packets with a TTL one greater than the
targeted gateway. If the gateway allows the traffic, it will forward the packets
to the next hop where they will expire and elicit an
If the gateway host does not allow the traffic, it will likely drop the packets
on the floor and we will see no response.
Reference: firewalk man page
This can be done as follows, using a trusted VPS IP (without any strange firewall rules):
hping3 -z -t 1 -S <vps_ip> -p 80
# -z binds Ctrl+Z on the keyboard to the TTL, so that every time we press it, the TTL is incremented by 1
# -t sets the initial TTL (in this case, we're using 1)
# -S sets the flag to SYN
# -p 80 sets the destination port to 80
# this can be done on both TCP/UDP and on multiple ports, to map firewall rules
If we don't have a VPS, we can also use an online service that provides a URL with all ports open, for example portquiz. Note, however, that portquiz only has all TCP ports open, so we cannot map firewall rules for UDP or other transport layer protocols.
Let's see an example of firewalking with portquiz:
hping3 -z -t 1 -S portquiz.net -p <whatever_port>