Hacking TCP/IP with tcpping
Sat Feb 14th 2004, 11:18pm
tcpping is a tool I wrote to determine network latency between two points despite ICMP
filtering. The idea is pretty much just like normal ping, but instead of using ICMP, it
sends TCP SYN packets to the target and times how long it takes to receive the subsequent
SYN/ACKs or RSTs.
It all started when I was shopping around various web hosting providers. Among other
criteria, I was trying to find one that didn't have too high of latency from my machines
here at home so working on them wouldn't be a complete lag fest. But a number of the
providers have ICMP filtered so you can't ping their web sites, and can't tell what the
latency is like.
The tool uses libnet to create and send off a fabricated SYN packet to the target, and
libpcap to sniff for the return traffic. If the port
you choose (default 80) on the target server has a service listening, the target sends
back a SYN/ACK packet. Your local operating system gets this packet, doesn't know what to
do with it, and subsequently sends the target a RST packet. This is actually quite nice
since it cleans everything up so we can't be accused of creating tons of half-open TCP
connections. If you choose a port on the target that doesn't have a service listening
(and isn't filtered), the target sends back a RST packet. Your local OS just drops
these.
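The reply handling described above, as an added example that is not tcpping's own code: it takes one captured IPv4 packet, decides whether it is a SYN/ACK or RST answering a given probe, and computes the round-trip time. The struct, the function names, the ACK-number check and the sample packet (documentation addresses, constructed) are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
enum reply { REPLY_NONE, REPLY_SYNACK, REPLY_RST };
struct probe {                 /* what we remember about the SYN we sent */
    uint32_t dst_ip;           /* target address, host byte order */
    uint16_t src_port, dst_port;
    uint32_t seq;              /* sequence number carried in our SYN */
    double   sent_at;          /* send time, seconds */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) << 16 | rd16(p + 2); }

/* Classify one captured IPv4 packet (link-layer header already stripped).
 * Fills *rtt_ms and *ttl only when the packet answers probe `pr`. */
enum reply classify(const uint8_t *pkt, size_t len, double seen_at,
                    const struct probe *pr, double *rtt_ms, uint8_t *ttl)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return REPLY_NONE;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6) return REPLY_NONE; /* 6 = TCP */
    const uint8_t *tcp = pkt + ihl;
    uint8_t flags = tcp[13];
    if (rd32(pkt + 12) != pr->dst_ip) return REPLY_NONE;    /* not from the target */
    if (rd16(tcp) != pr->dst_port || rd16(tcp + 2) != pr->src_port) return REPLY_NONE;
    if (!(flags & 0x10) || rd32(tcp + 8) != pr->seq + 1) return REPLY_NONE; /* must ACK our SYN */
    if (!(flags & 0x06)) return REPLY_NONE;                 /* neither SYN nor RST */
    *rtt_ms = (seen_at - pr->sent_at) * 1000.0;
    *ttl = pkt[8];
    return (flags & 0x04) ? REPLY_RST : REPLY_SYNACK;       /* RST: closed, SYN/ACK: listening */
}

/* Constructed sample: SYN/ACK from 192.0.2.10:80 to 198.51.100.7:8674, TTL 48. */
static const uint8_t sample_synack[40] = {
    0x45,0x00,0x00,0x28, 0x00,0x00,0x40,0x00, 0x30,0x06,0x00,0x00,
    0xc0,0x00,0x02,0x0a, 0xc6,0x33,0x64,0x07,                      /* src, dst address */
    0x00,0x50,0x21,0xe2, 0x00,0x00,0x00,0x01, 0x01,0x02,0x03,0x05, /* ports, seq, ack */
    0x50,0x12,0xff,0xff, 0x00,0x00,0x00,0x00 };                    /* offset, flags, window */

int main(void)
{
    struct probe pr = { 0xc000020aU, 8674, 80, 0x01020304U, 100.000 };
    double rtt = 0; uint8_t ttl = 0;
    enum reply r = classify(sample_synack, sizeof sample_synack, 100.085, &pr, &rtt, &ttl);
    printf("%s ttl=%u time=%.3fms\n", r == REPLY_SYNACK ? "SYN/ACK" :
           r == REPLY_RST ? "RST" : "no match", (unsigned)ttl, rtt);
    return 0;
}
```

Matching on the acknowledgement number as well as the address and port pair keeps unrelated or stale packets from the same host out of the latency figures.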
You can download it here. It's free
software under the new BSD license; anyone is welcome to download it, study it, modify it,
and/or redistribute it in either a proprietary or free fashion. I've tested it on Mac OS
X and Linux. You must be root to run it since it uses raw sockets.
Update Nov 3, 2008: thanks to Jim Wyllie for a patch to specify the timeout (-W <timeout>), move
the root check to after the options check, and to compile cleanly on gcc4. Thanks Jim!
Here is some example output, by default pinging port 80 (where my web server is
running):
[6:22pm] luthien:~/proj/tcpping-% sudo ./tcpping sumatra
TCP PING sumatra.internal.kehlet.cx (10.16.74.2:80) on en1
SYN/ACK from 10.16.74.2: seq=1 ttl=64 time=1.047ms
SYN/ACK from 10.16.74.2: seq=2 ttl=64 time=0.965ms
SYN/ACK from 10.16.74.2: seq=3 ttl=64 time=1.081ms
SYN/ACK from 10.16.74.2: seq=4 ttl=64 time=1.245ms
^C
--- sumatra.internal.kehlet.cx TCP ping statistics ---
4 SYN packets transmitted, 4 SYN/ACKs and 0 RSTs received, 0.0% packet loss
round-trip min/avg/max = 0.965/1.084/1.245 ms
Here's the tool in action against port 92, which sends back RSTs (no service is running
on that port):
[6:22pm] luthien:~/proj/tcpping-% sudo ./tcpping -p 92 sumatra
TCP PING sumatra.internal.kehlet.cx (10.16.74.2:92) on en1
RST from 10.16.74.2: seq=1 ttl=64 time=0.862ms
RST from 10.16.74.2: seq=2 ttl=64 time=1.040ms
RST from 10.16.74.2: seq=3 ttl=64 time=1.019ms
RST from 10.16.74.2: seq=4 ttl=64 time=1.044ms
^C
--- sumatra.internal.kehlet.cx TCP ping statistics ---
4 SYN packets transmitted, 0 SYN/ACKs and 4 RSTs received, 0.0% packet loss
round-trip min/avg/max = 0.862/0.991/1.044 ms
With verbose mode (-v), the tool will show you the actual packets. Here's a site that's
filtering ICMP pings, but we can get around that with tcpping:
[11:08pm] luthien:~/proj/tcpping-% sudo ./tcpping -v www.apollohosting.com
TCP PING www.apollohosting.com (208.56.13.233:80) on en1
1076828929.146519 10.16.74.8:8674 -> 208.56.13.233:80 [S]
1076828929.238506 208.56.13.233:80 -> 10.16.74.8:8674 [SA]
SYN/ACK from 208.56.13.233: seq=1 ttl=48 time=90.847ms
1076828929.240317 10.16.74.8:8674 -> 208.56.13.233:80 [R]
1076828930.241348 10.16.74.8:61062 -> 208.56.13.233:80 [S]
1076828930.326531 208.56.13.233:80 -> 10.16.74.8:61062 [SA]
SYN/ACK from 208.56.13.233: seq=2 ttl=48 time=85.162ms
1076828930.328364 10.16.74.8:61062 -> 208.56.13.233:80 [R]
1076828931.329304 10.16.74.8:17802 -> 208.56.13.233:80 [S]
1076828931.412466 208.56.13.233:80 -> 10.16.74.8:17802 [SA]
SYN/ACK from 208.56.13.233: seq=3 ttl=48 time=83.164ms
1076828931.414274 10.16.74.8:17802 -> 208.56.13.233:80 [R]
1076828932.415249 10.16.74.8:60598 -> 208.56.13.233:80 [S]
1076828932.496567 208.56.13.233:80 -> 10.16.74.8:60598 [SA]
SYN/ACK from 208.56.13.233: seq=4 ttl=48 time=81.255ms
1076828932.498290 10.16.74.8:60598 -> 208.56.13.233:80 [R]
^C
--- www.apollohosting.com TCP ping statistics ---
4 SYN packets transmitted, 4 SYN/ACKs and 0 RSTs received, 0.0% packet loss
round-trip min/avg/max = 1.000/85.107/90.847 ms
You can see from above the behavior I described: we send a fake SYN packet, the target
sends back a SYN/ACK (at which point the tool prints out the timing information). Just
after that the local OS sends a RST to the target.
It's been fun to write. If you find it useful, please let me know.
On Sun Feb 15th 2004, 6:52pm, Steve Kehlet posted:
Turns out hping has TCP ping functionality and more. I'd recommend checking it out, it has a lot of
really cool features. I downloaded the version out of CVS and had it up
and running on my Mac OS X laptop in minutes.
On Wed Feb 18th 2004, 11:33am, eburrows posted:
Even if there is another utility out there to do the same, or similar
things, I think it's absolutely awesome that you wrote this. A really nifty
and useful tool, with some complex logic and understanding behind it. Just
awesome Steve.
On Sat Jul 24th 2004, 10:22pm, Guest posted:
Hi, I don't know how to use this comment "tcpping", need install or change
to other format?
Could you describe how to install and perform it. Thanks for your help
On Sun Jul 25th 2004, 4:05pm, Steve Kehlet posted:
Feel free to email me directly if you have any installation questions,
steven at kehlet dot cx. I would, however, point out this was more of an
experiment than a production-quality piece of software :-). Also, it will
likely only run on a Unix variant: Linux, *BSD, Mac OS X, etc. Try hping
for a very powerful, fully featured tcp ping client.
On Sun Jan 16th 2005, 11:55am, Clay posted:
I just saw this yesterday and it reminded me of this thread. A neat way to
troubleshoot networks, especially since network operators blocking all ICMP
types and codes seems to be growing in popularity.
Layer Four Traceroute:
http://oppleman.com/lft/
On Mon Jan 17th 2005, 6:07pm, Steve Kehlet posted:
Pretty cool stuff, I'm trying some traces through my company's firewall
right now. I see hping also has a similar TCP-based traceroute feature.
Definitely some handy tools to have!
On Fri Mar 17th 2006, 1:40pm, gareth posted:
great tool, have used it for the exact same reason it was developed.
On Sat Mar 15th 2008, 4:48am, Visitor posted:
plz hack i got a people she ip 192.168.1.10 pzl hack him i want hack him to
but i cant
On Sat Mar 15th 2008, 3:32pm, Clay posted:
wtf thats my ip plz no hax me
On Fri Jun 20th 2008, 5:34am, Visitor posted:
hay dont hack 192.168.1.10.
its on my network
my boss will kill me
On Sat Jul 26th 2008, 1:25pm, Visitor posted:
Haha, wow, you people are fucking retards, 192.168.1.whatever is on just
about everyone's network!
They are different computers INSIDE your own network, you can only access
that IP if you are IN that network.
On Sun Aug 17th 2008, 1:57pm, Jack Ryan posted:
-rotfl- Sounds like a 15 year old doesn't know what an internal ip address
is.
On Thu Aug 21st 2008, 5:22am, Visitor posted:
Reply:
On Fri Jun 20th 2008, 5:34am, Visitor posted:
hay dont hack 192.168.1.10.
its on my network
my boss will kill me
ahahahahahahahahahahahahahhahaahhahahaah thats pretty cool hahahahahahha
:D:D:D:D
On Thu Aug 21st 2008, 10:36am, Steve Kehlet posted:
Enough with the 192.168.1.x jokes guys... :-) If you want a funny story
about turning a would-be-hacker loose on his own system, read
http://www.electric-escape.net/node/1475
On Thu Nov 13th 2008, 5:45pm, hk posted:
Ironic you release it under a BSD license but doesn't work on FreeBSD.
On Thu Nov 13th 2008, 6:00pm, Steve Kehlet posted:
Have you tried it on FreeBSD and it didn't work? Patches/bug reports
welcome.
On Mon Mar 23rd 2009, 8:13am, pat posted:
Thank you for publishing this code. Will use it on my multipath solution
:)). Thanx again
On Mon Apr 6th 2009, 10:22am, Igor posted:
Thanks for the utility! It failed to work at multihome host, so I had to
patch a little (insert deviceName into libnet_init call).
On Sat Sep 26th 2009, 1:15pm, bitmith posted:
Hi Steve, this is very nice tool which I used to use before, but I found
that you could achieve the same TCP connect (SYN/ACK) test with nmap -sS -p T:<ports>
On Fri Jan 29th 2010, 6:02am, Jim Wyllie posted:
Hey Steve, I'm getting a segfault on my Linux router when running this guy.
It's a newer install of Ubuntu (and presumably an updated libnet) so that
might be it... but I'm not convinced of that yet. I'll get to some
debugging hopefully this weekend and send some patches.
On Fri Jan 29th 2010, 6:04am, Jim Wyllie posted:
Oh, and one other thing... there's a race condition with the program
terminating via Ctrl+C and the child printing the summary results. Doesn't
do anything too bad, but it will present the prompt and then write the
results. Kind of annoying. Patch coming for that too when I fix the other
bug :)