hping3 Cheat Sheet
Custom TCP/UDP/ICMP packet crafting for firewall testing, traceroute, and port probing on authorized hosts.
Overview
hping3 sends crafted TCP, UDP, and ICMP packets for firewall rule validation, idle scans, traceroute, and OS fingerprinting on authorized targets. Do not use flood modes outside explicit stress-test scope.
Authorized testing only. Use only on systems, networks, and accounts you own or have explicit written permission to test. Unauthorized access is illegal.
Install
sudo apt install -y hping3Essential commands
TCP SYN to port (like half-open scan)
sudo hping3 -S -p 80 -c 1 target.exampleICMP ping
hping3 -1 target.exampleUDP probe
hping3 -2 -p 53 -c 3 target.exampleCommon workflows
SYN scan port range
sudo hping3 -S -p ++80-443 target.exampleACK scan (map firewall rules)
sudo hping3 -A -p 80 -c 3 target.exampleTraceroute —
sudo hping3 -1 -V -d 120 -t 1 target.examplesudo hping3 -S -p 443 -T 1 -V target.exampleIdle scan (advanced, needs zombie host) —
sudo hping3 -S -a ZOMBIE_IP -p 80 -s 5000 -c 1 target.exampleBanner grab (TCP) —
hping3 -S -p 80 -c 1 target.exampleor raw data
echo "GET / HTTP/1.0\r\n\r\n" | hping3 -p 80 -d 100 -c 1 target.example --file -WARNING: disruptive — scope only
sudo hping3 -S --flood -p 80 target.exampleFlags reference
-1 | ICMP mode |
|---|---|
-2 | UDP mode |
-S | SYN flag |
-A | ACK flag |
-F | FIN flag |
-p PORT | Destination port |
-s PORT | Base source port |
-c COUNT | Packet count |
-a IP | Spoofed source IP |
-d SIZE | Data size |
-t TTL | Initial TTL |
-T | Traceroute mode |
-V | Verbose |
--flood | Flood mode (dangerous) |
--rand-source | Random source IPs |
Tips
- Prefer nmap for comprehensive scans; hping3 for single-packet firewall tests.
- ACK scans help infer stateful firewall behavior on authorized pentests.
- --flood and --rand-source can cause outages and legal issues—avoid unless written approval.
- Run with sudo when using raw sockets (-S, -A, etc.).