When mapping a complex network environment, relying on standard ICMP echo requests is akin to classical observation: it only provides a binary state of "up" or "down" and often collapses under the scrutiny of modern firewalls. To truly understand the topology and rule sets governing a network segment, we must treat the target infrastructure as a stateful black box. By deliberately crafting malformed or out-of-sequence packets—acting as controlled perturbations—we can analyze the resulting observables (RST packets, dropped frames, ICMP unreachables) to deduce the underlying routing logic.
hping3 is the ideal instrument for this type of granular, byte-level analysis
Most perimeter firewalls are stateful; they maintain an internal table of established connections. If we want to determine whether an intermediary device is actively tracking connection states or merely applying static Access Control Lists (ACLs), we can inject an "out-of-state" packet.
By sending an isolated TCP ACK packet—without the prerequisite SYN handshake—we force the firewall to make a decision based on its state table.
Analyzing the Observables:
No Response (Timeout): The packet was silently dropped. This strongly indicates a stateful firewall that recognized the ACK did not belong to an established session in its state table and discarded it.
TCP RST (Reset) Received: The packet bypassed the firewall and reached the target OS, which rejected it because it had no matching open socket. This indicates either a stateless firewall, a misconfigured stateful rule, or that you are on the same local subnet as the target.
When auditing older infrastructure or specific intrusion detection systems (IDS), you may encounter stateless packet inspection that relies heavily on reading the TCP header in a single contiguous frame. We can bypass these naive filters by fragmenting the TCP header across multiple IP packets.
The -f flag slices the packet into 16-byte fragments. If an intermediate stateless firewall is looking for a specific port signature or TCP flag combination, it may fail to reassemble the fragments in transit, allowing the payload to pass through to the target host (which will handle the reassembly natively).
Network boundaries often restrict outbound TCP/UDP traffic but leave ICMP open for diagnostic purposes. As an auditor, you need to verify if internal DLP systems are actually inspecting payloads or just looking at protocol headers. hping3 allows you to attach arbitrary data payloads to ICMP echo requests, effectively turning ping into a rudimentary data exfiltration tunnel.
-1: Sets the mode to ICMP.
-E: Specifies the file containing the payload (e.g., a dummy credit card number or a mock confidential string)
-d 150: Sets the data size to 150 bytes (ensure this matches or exceeds your file size).
If the packet successfully reaches an external listener, it proves that the network's egress filtering is blind to ICMP payloads, highlighting a critical architectural gap.
Path MTU Discovery (PMTUD) issues are the root cause of many elusive network latency and application-layer hanging issues. While ping can test MTU, hping3 allows you to test how specific TCP flags combined with large payloads are handled across the routing path.
-d 1472: The maximum data payload for a standard 1500 byte Ethernet frame (1500 - 20 byte IP header - 8 byte ICMP header).
-y: Sets the DF (Don't Fragment) bit.
If a router along the path has a lower MTU, it cannot fragment the packet and must drop it, returning an ICMP Fragmentation Needed message. This allows you to map exactly where the network bottleneck exists.