Skip to main content


Transfer files via ICMP

hping --listen signature  --safe --icmp

on the other side we do:

hping --icmp -d 100 --sign signature --file /path/to/file.txt

Transfer files via TCP

hping  --listen signature --safe -p 22
hping -p 22 -d 100 --sign signature --file /path/to/file.txt

Testing Firewall Rules

There are different techniques to test firewall rules, generally we don't know/say that a specific machine is a firewall, we just want to understand from our machine which ports are filtered, so we are interested in understanding as much as possible about firewall rules.

Let's set up the scene, let's say we are inside a network and we want to understand what is firewalled, what we would ideally need is an external IP which does not have any specific firewall rules on, such as our trusted VPS.

Once this requirement is satisfied we can try different things, for example:

hping3 -S <vps_ip> -c 4 -p 80

at this point, if we get no response then, the port is filtered, while if we get an RA or an SA we know that the port probably is not filtered.

We tried to see if port 80 was filtered, but we can try now other ports, or write a script to understand which ports are or aren't filtered.

Of course SYN packets are not everything so we may try with different techniques, such as:

hping3 -c 1 -V -p 93 -s 5678 -Y <vps_ip>
# in this case we perform a NULL scan

We can also use some online services such as portquiz which keeps all TCP ports open for us, let's see an example:

hping3 -S -c 4 -p 80

Of course in this case we will be limited in testing only TCP rules on firewalls.


Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass. Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an ICMP_TIME_EXCEEDED message. If the gateway hostdoes not allow the traffic, it will likely drop the packets on the floor and we will see no response.

Reference: firewalk man page

This can be done in this way, by using a trusted VPS IP (without any strange firewall rules):

hping3 -z -t 1 -S <vps_ip> -p 80
# -z connects the command to the ctrl z on the keyboard so that every time we
# press it, the TTL is incremented by 1
# -t sets the initial TTL (in this case, we're using 1)
# -S sets the flag to SYN
# -p 80 sets the destination port to 80
# this can be done on both TCP/UDP and on multiple ports, to map firewall rules

If we don't have a VPS we can also use some online service which provides us an URL which has all ports open, for example: portquiz Anyway notice that portquiz only has all TCP ports open, so we cannot map UDP or other transport layer protocols firewall rules.

Let's see an example of firewalking with portquiz:

hping3 -z -t 1 -S -p <whatever_port>