Security Testers Can Use Hping3 To Bypass Filtering Devices.


Introduction

Network security testers constantly search for tools that can probe, evaluate, and sometimes bypass filtering devices such as firewalls, intrusion‑prevention systems (IPS), and deep‑packet‑inspection (DPI) appliances. One of the most versatile utilities in this arsenal is hping3, a command‑line packet generator and analyzer that mimics the classic ping tool while allowing full control over TCP, UDP, ICMP, and raw IP headers. Because hping3 can craft packets with arbitrary flags, sequence numbers, TTL values, and payloads, it is an effective way to test whether a filtering device correctly implements its security policy or whether it can be tricked into passing traffic it should drop. This article explores how security testers can use hping3 to bypass filtering devices, the underlying techniques, practical command examples, and the ethical considerations that must accompany such testing.


What Is hping3?

hping3 is a network packet crafting utility written in C and maintained as an open‑source project. Unlike the standard ping command that only sends ICMP Echo Request packets, hping3 supports:

  • TCP SYN, ACK, FIN, RST, PSH, URG flag manipulation
  • UDP and ICMP packet generation
  • Raw IP header control (TTL, TOS, fragmentation)
  • Port scanning with customizable timing and source ports
  • Traceroute functionality using any protocol
  • DoS‑style load testing through flood modes (--flood, or timed intervals such as -i u1000 for one packet per millisecond)

These capabilities make hping3 a Swiss‑army knife for network reconnaissance and for testing the robustness of stateful inspection, protocol validation, and anomaly‑detection mechanisms in filtering devices.

Why Filtering Devices Fail

Before diving into specific hping3 techniques, it is essential to understand the common reasons why firewalls, IPS/IDS, and DPI engines may let crafted packets slip through:

  1. Stateless Filtering – Devices that rely solely on static ACLs (Access Control Lists) evaluate each packet on its own. Any packet whose header fields match a permit rule passes, including a crafted ACK or a packet from a "trusted" source port that belongs to no real connection.
  2. Protocol Normalization Gaps – Many devices normalize headers (for example by dropping illegal flag combinations). If the normalizer misses a case, packets that exploit it pass inspection while the end host still accepts them.
  3. Fragmentation Handling Errors – A device that inspects only the first fragment, or that reassembles differently from the destination stack, can miss a payload hidden in later or overlapping fragments.
  4. TTL and Checksum Handling – An inline inspector that acts on packets whose TTL expires before they reach the host, or that processes packets with bad checksums (hping3 -b) which the host will discard, builds a view of the connection the host does not share.
  5. Timing and Rate‑Based Evasion – Traffic spread over long intervals stays under per‑window thresholds that were tuned for bursts.

hping3 gives testers the ability to manipulate each of these variables, turning theoretical weaknesses into practical test cases.

Core Techniques for Bypassing Filters with hping3

1. TCP Flag Smuggling

A stateful firewall should only admit TCP packets whose flag combination fits a state it is tracking, and SYN+FIN or SYN+RST never occur in a legitimate exchange. Sending them probes whether the device enforces that rule or simply forwards anything carrying a SYN bit.

# Send a SYN+FIN packet to port 80 on the target
sudo hping3 -S -F -p 80 -c 1 192.0.2.10

If the firewall forwards the packet, the internal host's TCP stack answers: some stacks (Linux among them) treat SYN+FIN on an open port as a plain SYN and reply with SYN/ACK, while a closed port gets a RST. Either reply proves the packet traversed the filter. Silence is ambiguous, because either the filter or the host may have dropped it, so confirm with a capture on the inside.

2. Source Port Spoofing

Stateless "return traffic" rules often identify replies by source port alone: a rule that admits UDP or TCP from source port 53 so that DNS answers reach inside hosts also admits anything an attacker sends from port 53. By setting the source port to a value the filter treats as trusted, the tester checks whether the device validates the flow or only the port number. Note that hping3 increments the source port after every packet unless -k (--keep) is given, so without it only the first probe leaves from port 53.

# Spoof source port 53 (DNS) while probing port 22 (SSH); -k keeps the source port fixed
sudo hping3 -S -p 22 -s 53 -k -c 3 192.0.2.10

If the rule set permits inbound traffic from source port 53, the SSH port answers (SYN/ACK or RST) even though it is otherwise blocked.

3. TTL Manipulation for Path‑Based Bypass

The TTL field is decremented by every router, so on arrival it tells a device roughly how far the packet has travelled (a low remaining TTL means many hops, not few). Two evasion patterns follow. Some ACLs match on the TTL value itself and treat low‑TTL packets as local traffic. More subtly, an inline inspector that sits several hops before the host can be fed packets whose TTL expires after the inspector but before the host: the inspector sees data the host never receives, and its view of the connection drifts from the host's. hping3's traceroute mode (-T) reveals the hop count to the target, and --ttl sets the exact value to test with.

# Send a TCP SYN with TTL=1; raise the value one hop at a time until the packet reaches the filter but still expires before the host
sudo hping3 -S -p 443 --ttl 1 -c 2 192.0.2.10

A filter that applies looser rules to low‑TTL packets, or that updates its state from a packet the host never saw (an ICMP Time Exceeded from an intermediate hop confirms the expiry), exposes a TTL‑based evasion vector.

4. Fragmentation Evasion

Splitting a payload across several IP fragments defeats devices that only examine the fragment at offset 0, or that reassemble differently from the destination host. hping3 fragments automatically with -f (--frag), using a 16‑byte virtual MTU that -m (--mtu) changes, and can hand‑craft individual fragments with -g (--fragoff) for the fragment offset and -x (--morefrag) for the More Fragments flag.

# Send 64 bytes of UDP payload to port 53, split into fragments of the default 16-byte virtual MTU
sudo hping3 -2 -p 53 -d 64 -f -c 1 192.0.2.10

# Hand-craft a single non-initial fragment: More Fragments set, fragment offset 8, 32 bytes of payload
sudo hping3 -2 -p 53 -x -g 8 -d 32 -c 1 192.0.2.10

If the filter inspects only the first fragment, or passes fragments it cannot reassemble, a payload that straddles the fragment boundary reaches the target without being matched.
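The difference between "inspect the first fragment" and "reassemble, then inspect" is easiest to see in code. The following is an added model written for this article, not hping3's code: it splits a constructed datagram into 16‑byte fragments (the same size hping3 uses by default with -f), feeds the fragments to both kinds of inspector, and shows that a signature straddling the fragment boundary is only caught after reassembly. The signature string and the datagram are made up for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed pattern standing in for whatever the DPI engine is looking for.
SIGNATURE = b"EVIL-PAYLOAD"


@dataclass(frozen=True)
class Fragment:
    """One IPv4 fragment; offset is in 8-byte units, as in the IP header."""
    offset: int
    more_fragments: bool
    payload: bytes


def fragment(datagram: bytes, mtu_payload: int = 16) -> List[Fragment]:
    """Split a datagram into fragments of mtu_payload bytes, a multiple of 8
    (16 matches hping3's default virtual MTU for -f)."""
    if mtu_payload % 8:
        raise ValueError("fragment payload size must be a multiple of 8")
    frags = []
    for start in range(0, len(datagram), mtu_payload):
        chunk = datagram[start:start + mtu_payload]
        frags.append(Fragment(start // 8, start + mtu_payload < len(datagram), chunk))
    return frags


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Rebuild the datagram as an end host would; None if a fragment is missing."""
    if not frags:
        return None
    ordered = sorted(frags, key=lambda f: f.offset)
    buf = bytearray()
    for f in ordered:
        start = f.offset * 8
        if start > len(buf):
            return None                 # hole before this fragment
        buf[start:start + len(f.payload)] = f.payload
    if ordered[-1].more_fragments:
        return None                     # final fragment never arrived
    return bytes(buf)


def inspect_first_fragment_only(frags: List[Fragment]) -> str:
    """Weak DPI: only the fragment at offset 0 is matched against the signature."""
    first = next((f for f in frags if f.offset == 0), None)
    if first is not None and SIGNATURE in first.payload:
        return "drop"
    return "allow"


def inspect_after_reassembly(frags: List[Fragment]) -> str:
    """Hardened DPI: reassemble first; an incomplete set is held, never passed."""
    data = reassemble(frags)
    if data is None:
        return "hold"
    return "drop" if SIGNATURE in data else "allow"


def straddling_datagram() -> bytes:
    """Constructed payload whose signature starts in the first 16-byte fragment
    and ends in the second."""
    return b"A" * 10 + SIGNATURE + b"B" * 6
```

`fragment(straddling_datagram())` yields two fragments; the first inspector passes them and the second drops them. The "hold" result for an incomplete set is the behaviour to insist on: a device that forwards fragments it could not reassemble is exactly the one that the second hping3 command above (a lone non‑initial fragment) will expose.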

5. Packet Size and TOS Evasion

Some policies key on packet length or on the Type‑of‑Service (TOS) byte, for example to prioritise traffic or to reject unexpected markings. Crafting packets with unusual sizes or TOS values shows whether the filter actually enforces such rules, since an attacker can set both fields freely. Note that -d sets only the data size: with 1400 bytes of data the packet (40 bytes of headers plus data) still fits a 1500‑byte Ethernet MTU.

# Send a TCP SYN carrying 1400 bytes of data with TOS set to 0x10 (low delay)
sudo hping3 -S -p 80 -d 1400 --tos 0x10 -c 1 192.0.2.10

Compare the result with the same probe at the default TOS of 0 and with a small payload; a difference in treatment shows that the filter keys on fields the sender controls.

6. ICMP Type/Code Manipulation

Firewalls often permit certain ICMP messages (for example Echo Request) while dropping others (for example Destination Unreachable). Sending the less common types checks how fine‑grained the ICMP policy really is.

# Send an ICMP Timestamp Request (type 13); --icmp-ts is an equivalent alias
sudo hping3 -1 -C 13 -c 2 192.0.2.10

A Timestamp Reply (type 14) shows that the device forwards this type. Seldom‑filtered ICMP types are usable as covert channels, and the timestamp reply also discloses the host's clock.

7. Rate‑Based Evasion (Low and Slow)

Many IPS rules fire only when traffic exceeds a threshold within a short window. Spacing packets out, or sending them at irregular intervals, keeps every window under the limit. The command below sends 30 SYNs one second apart; it is a SYN probe stretched over time, not a flood.

# Send 30 SYNs at 1-second intervals (-i takes microseconds with the u prefix)
sudo hping3 -S -p 80 -i u1000000 -c 30 192.0.2.10

If the device raises no alert and the host keeps answering, the detection logic counts packets per window and does not track the half‑open connections one source accumulates over time.
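To make the weakness concrete, the following added example (written for this article, not taken from any IPS product) runs two detection rules over constructed event streams: the 30 SYNs one second apart from the command above, the same 30 SYNs at 1 ms intervals, and a normal client that completes its handshakes. A per‑window threshold catches only the fast variant; a rule that counts a source's half‑open connections catches both. Thresholds and addresses are illustrative.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# (arrival time in seconds, source address, hping3-style TCP flags)
Event = Tuple[float, str, str]


def hping3_syn_events(src: str, count: int, interval_s: float) -> List[Event]:
    """SYNs spaced like `hping3 -S -i u<interval> -c <count>`; no ACK ever completes them."""
    return [(i * interval_s, src, "S") for i in range(count)]


def client_events(src: str, connections: int, interval_s: float) -> List[Event]:
    """A well-behaved client: every SYN is followed 10 ms later by the handshake-completing ACK."""
    events: List[Event] = []
    for i in range(connections):
        t = i * interval_s
        events += [(t, src, "S"), (t + 0.01, src, "A")]
    return events


def rate_alerts(events: List[Event], window_s: float = 1.0, max_syn: int = 20) -> Dict[str, bool]:
    """Threshold rule: flag a source whose SYN count in any sliding window exceeds max_syn."""
    recent: Dict[str, Deque[float]] = defaultdict(deque)
    alerted: Dict[str, bool] = {}
    for t, src, flags in sorted(events):
        if flags != "S":
            continue
        q = recent[src]
        q.append(t)
        while t - q[0] > window_s:
            q.popleft()
        if len(q) > max_syn:
            alerted[src] = True
    return alerted


def half_open_alerts(events: List[Event], timeout_s: float = 60.0,
                     max_half_open: int = 10) -> Dict[str, bool]:
    """State rule: a SYN opens a half-open entry, the source's next ACK closes the oldest,
    entries expire after timeout_s; flag a source holding more than max_half_open at once."""
    pending: Dict[str, Deque[float]] = defaultdict(deque)
    alerted: Dict[str, bool] = {}
    for t, src, flags in sorted(events):
        q = pending[src]
        while q and t - q[0] >= timeout_s:
            q.popleft()
        if flags == "S":
            q.append(t)
            if len(q) > max_half_open:
                alerted[src] = True
        elif flags == "A" and q:
            q.popleft()
    return alerted
```

With `hping3_syn_events("198.51.100.7", 30, 1.0)` mixed with a client opening five connections per second, `rate_alerts` returns nothing, while `half_open_alerts` flags 198.51.100.7 at its eleventh unanswered SYN. This is the remediation to recommend when the slow probe goes unnoticed: track per‑source state, not just packets per second.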

Step‑by‑Step Example: Bypassing a Simple Stateful Firewall

  1. Establish a baseline – Confirm that the internal host's port 22 is unreachable with an ordinary probe from a random source port (the same command as in step 2 without -s 53 -k); expect no reply.
  2. Craft a spoofed inbound packet – Suppose the firewall allows DNS (UDP/53) with a stateless rule that matches on source port 53. Send UDP packets from source port 53 to the blocked port; -k keeps the source port fixed across all five packets.
sudo hping3 -2 -p 22 -s 53 -k -c 5 10.0.0.5
  3. Observe the response – A host with nothing listening on UDP/22 answers with ICMP Port Unreachable (hping3 prints "ICMP Port Unreachable from ip=10.0.0.5"). Any reply proves the packet traversed the firewall, which the baseline probe could not.
  4. Report – Document the rule that allowed the spoofed source port, recommend stateful tracking of DNS flows in place of the source‑port match, and suggest strict source‑port validation for any static rules that remain.
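Reading hping3's output by eye is fine for a handful of probes, but a written assessment needs a repeatable classification of each run. The following is an added helper written for this article (not part of hping3) that parses the line shapes hping3 prints: the `HPING` header, `len=... flags=...` TCP replies, `ICMP ... from ip=...` messages and the `packets transmitted` summary. The four sample outputs are constructed to look like the walkthrough above and the SYN+FIN probe of section 1; addresses, TTLs and counts are made up.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed samples in the line format hping3 prints; values are made up.
SAMPLE_TCP_OUTPUT = """\
HPING 192.0.2.10 (eth0 192.0.2.10): SF set, 40 headers + 0 data bytes
len=46 ip=192.0.2.10 ttl=63 DF id=0 sport=80 flags=SA seq=0 win=29200 rtt=4.1 ms

--- 192.0.2.10 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 4.1/4.1/4.1 ms
"""

SAMPLE_UDP_OUTPUT = """\
HPING 10.0.0.5 (eth0 10.0.0.5): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from ip=10.0.0.5 name=UNKNOWN
ICMP Port Unreachable from ip=10.0.0.5 name=UNKNOWN

--- 10.0.0.5 hping statistic ---
5 packets transmitted, 2 packets received, 60% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
"""

SAMPLE_REJECTED_OUTPUT = """\
HPING 10.0.0.5 (eth0 10.0.0.5): udp mode set, 28 headers + 0 data bytes
ICMP Host Unreachable from ip=10.0.0.1 name=UNKNOWN

--- 10.0.0.5 hping statistic ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
"""

SAMPLE_SILENT_OUTPUT = """\
HPING 10.0.0.5 (eth0 10.0.0.5): udp mode set, 28 headers + 0 data bytes

--- 10.0.0.5 hping statistic ---
5 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
"""

HEADER = re.compile(r"^HPING (?P<ip>\S+) ")
TCP_REPLY = re.compile(r"^len=\d+ ip=(?P<ip>\S+) ttl=(?P<ttl>\d+) .*?sport=(?P<sport>\d+) flags=(?P<flags>\S+)")
ICMP_REPLY = re.compile(r"^ICMP (?P<kind>.+?) from ip=(?P<ip>\S+)")
STATS = re.compile(r"^(?P<sent>\d+) packets transmitted, (?P<recv>\d+) packets received")


@dataclass
class ProbeResult:
    target: str = ""
    sent: int = 0
    received: int = 0
    tcp_replies: List[Tuple[str, int, str]] = field(default_factory=list)  # (ip, ttl, flags)
    icmp_replies: List[Tuple[str, str]] = field(default_factory=list)      # (kind, source ip)

    def verdict(self) -> str:
        """Classify what the replies say about the filter in front of the target."""
        flags = [f for _, _, f in self.tcp_replies]
        if "SA" in flags:
            return "traversed: host replied SYN/ACK (its stack treated the probe as a plain SYN)"
        if any("R" in f for f in flags):
            return "traversed: host replied RST"
        from_target = [kind for kind, ip in self.icmp_replies if ip == self.target]
        if from_target:
            return f"traversed: host replied ICMP {from_target[0]}"
        if self.icmp_replies:
            kind, ip = self.icmp_replies[0]
            return f"rejected in path: ICMP {kind} from {ip}, not from the target"
        return "no reply: dropped by the filter or silently by the host; confirm with a capture inside"


def parse_hping3_output(text: str) -> ProbeResult:
    """Fold one hping3 run into a ProbeResult; unknown lines are ignored."""
    result = ProbeResult()
    for line in text.splitlines():
        if m := HEADER.match(line):
            result.target = m["ip"]
        elif m := TCP_REPLY.match(line):
            result.tcp_replies.append((m["ip"], int(m["ttl"]), m["flags"]))
        elif m := ICMP_REPLY.match(line):
            result.icmp_replies.append((m["kind"], m["ip"]))
        elif m := STATS.match(line):
            result.sent, result.received = int(m["sent"]), int(m["recv"])
    return result
```

Pipe a real run into it with `sudo hping3 ... 2>&1 | python3 -c 'import sys, probe; print(probe.parse_hping3_output(sys.stdin.read()).verdict())'` (assuming the block is saved as probe.py). The distinction the verdict draws between an ICMP message from the target and one from another address matters in reports: the latter usually means the filter itself rejected the probe rather than forwarding it.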

Scientific Explanation: How Packet Crafting Interacts with Filtering Logic

Filtering devices employ a combination of stateless ACLs, stateful inspection, and deep packet inspection.

  • Stateless ACLs evaluate each packet in isolation on header fields (source and destination IP, ports, protocol, flags). hping3's ability to set any of these fields directly exercises the static rules.
  • Stateful inspection tracks connection state (SYN, SYN/ACK, ACK). A well‑implemented firewall drops a packet whose flags fit no state it knows. However, a device that only checks for the presence of a SYN bit when opening a flow, without rejecting illegal combinations, accepts a crafted SYN+FIN as if it were a clean SYN.
  • DPI engines parse application‑layer payloads after reassembly. Fragmentation attacks target the reassembly step: if the engine inspects only the first fragment, or reassembles differently from the destination host, content in later fragments passes unchecked.

The filtering decision can be modelled as a function F(packet) → {allow, drop}. hping3 widens the set of packets a tester can submit by exposing dimensions (flags, TTL, fragment offset, source port, TOS) that many implementations treat as constants, which amounts to searching the input space for regions where F wrongly returns allow.
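As an added illustration of the model above, and of the flag‑smuggling and source‑port probes in sections 1 and 2, here are three implementations of F(packet) run over those probes: a stateless ACL, a naive stateful filter that only asks whether the SYN bit is set, and a hardened one that rejects illegal flag sets and lets only a clean SYN open a flow. This is example code written for this article, not hping3's code and not any vendor's firewall logic; the addresses, ports and rule set are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # hping3-style letters: S, A, F, R, P, U


INSIDE = "10.0.0.5"        # constructed: protected host behind the filter
OUTSIDE = "198.51.100.7"   # constructed: the tester
RESOLVER = "192.0.2.53"    # constructed: external DNS server the inside host queries

FlowKey = Tuple[str, str, int, str, int]


def key(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet) -> FlowKey:
    return (p.proto, p.dst, p.dport, p.src, p.sport)


def illegal_flags(flags: str) -> bool:
    """Combinations no legitimate TCP stack emits."""
    s = set(flags)
    return bool(not s                                        # null scan
                or ("S" in s and ("F" in s or "R" in s))     # SYN+FIN, SYN+RST
                or ("A" not in s and s & {"F", "P", "U"}))   # FIN/PSH/URG without ACK


def stateless_acl(p: Packet) -> str:
    """Static ACL with no connection table."""
    if p.proto == "tcp" and p.dport == 80:
        return "allow"      # permit tcp any host INSIDE eq 80
    if p.proto == "udp" and p.sport == 53:
        return "allow"      # meant for DNS answers; also matches hping3 -2 -s 53 -k
    if p.proto == "tcp" and "S" not in p.flags:
        return "allow"      # 'established': no SYN bit, assumed to be return traffic
    return "drop"


class NaiveStateful:
    """Keeps a flow table but only asks 'is SYN set?' when opening a flow."""

    def __init__(self, allowed_ports: Set[int]):
        self.allowed = allowed_ports
        self.flows: Set[FlowKey] = set()

    def outbound(self, p: Packet) -> None:
        self.flows.add(reverse_key(p))   # inside host initiated; expect replies

    def decide(self, p: Packet) -> str:
        if p.proto == "tcp" and "S" in p.flags:
            if p.dport in self.allowed:
                self.flows.add(key(p))
                return "allow"           # SYN+FIN slips through here
            return "drop"
        return "allow" if key(p) in self.flows else "drop"


class StrictStateful(NaiveStateful):
    """Rejects illegal flag sets and lets only a clean SYN open a flow."""

    def decide(self, p: Packet) -> str:
        if p.proto == "tcp" and illegal_flags(p.flags):
            return "drop"
        if p.proto == "tcp" and p.flags == "S":
            if p.dport in self.allowed:
                self.flows.add(key(p))
                return "allow"
            return "drop"
        return "allow" if key(p) in self.flows else "drop"


PROBES: Dict[str, Packet] = {
    "clean_syn_80":   Packet("tcp", OUTSIDE, 40000, INSIDE, 80, "S"),
    "syn_fin_80":     Packet("tcp", OUTSIDE, 40001, INSIDE, 80, "SF"),  # hping3 -S -F -p 80
    "bare_ack_22":    Packet("tcp", OUTSIDE, 40002, INSIDE, 22, "A"),   # hping3 -A -p 22
    "spoofed_dns_22": Packet("udp", OUTSIDE, 53, INSIDE, 22),           # hping3 -2 -p 22 -s 53 -k
    "real_dns_reply": Packet("udp", RESOLVER, 53, INSIDE, 5353),        # answer to a real query
}


def run_probes(decide: Callable[[Packet], str]) -> Dict[str, str]:
    return {name: decide(p) for name, p in PROBES.items()}


def evaluate(fw: NaiveStateful) -> Dict[str, str]:
    """Replay the inside host's DNS query so a genuine reply is expected, then run the probes."""
    fw.outbound(Packet("udp", INSIDE, 5353, RESOLVER, 53))
    return run_probes(fw.decide)
```

`run_probes(stateless_acl)` allows everything, including the bare ACK and the spoofed source‑port probe; `evaluate(NaiveStateful({80}))` stops those but still passes SYN+FIN to port 80; only `evaluate(StrictStateful({80}))` admits just the clean SYN and the genuine DNS reply. Each hping3 command in the comments maps to one row of that table, which is a convenient way to express findings in a report.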

Frequently Asked Questions

Q1: Do I need root privileges to use hping3?

A: Yes. hping3 opens raw sockets to write its own IP and transport headers, which requires root (or the CAP_NET_RAW capability) on most Unix‑like systems, so run it with sudo.

Q2: Can hping3 be used on Windows?

A: A native Windows binary exists, but its advanced features depend on raw socket access that newer Windows versions restrict. A Linux VM, or WSL 2 (which runs a real Linux kernel), is the most reliable approach.

Q3: How do I avoid triggering intrusion detection while testing?

A: Keep it low and slow: use longer intervals (-i u500000 for one packet every 0.5 s), limit packet counts with -c, and change one variable at a time so that any detection can be attributed to it. Coordinate with the target organization and obtain explicit written permission before sending anything.

Q4: Is fragment reassembly always required for bypass?

A: Not always. Some devices reassemble fragments before inspection, which defeats the simple split‑payload trick; others inspect each fragment on its own, pass fragments they cannot reassemble, or resolve overlapping fragments differently from the target's stack. Those differences between the inspector and the host are what make fragmentation a viable evasion path.

Q5: What are the legal implications of using hping3?

A: Unauthorized scanning or packet injection is illegal in many jurisdictions (for example under the Computer Fraud and Abuse Act in the U.S.). Always work under signed Rules of Engagement (RoE) and stay within the scope the client has defined.

Best Practices for Ethical Security Testing with hping3

  1. Define Scope Clearly – List IP ranges, protocols, and specific devices that may be tested.
  2. Obtain Written Authorization – Include clauses that permit the use of packet‑crafting tools.
  3. Start with Low‑Impact Tests – Begin with single‑packet probes before moving to flood modes.
  4. Document Every Command – Keep a log of hping3 invocations, timestamps, and observed responses.
  5. Coordinate with Network Teams – Inform them of the testing schedule to avoid false alarms.
  6. Provide Remediation Recommendations – Suggest enabling strict flag validation, source‑port verification, and proper fragment reassembly.

Conclusion

hping3 is far more than a fancy ping utility; it is a low‑level packet generator that gives security testers the flexibility to probe, manipulate, and sometimes bypass filtering devices. By mastering TCP flag smuggling, source‑port spoofing, TTL and fragmentation tricks, and rate‑based evasion, testers can uncover misconfigurations that conventional scanners miss. With that capability comes responsibility: authorization, a clear scope, and thorough documentation are non‑negotiable in any legitimate assessment. Used that way, hping3 is an indispensable ally in hardening network defenses against evasion techniques.
