ECCouncil Exam Questions

Why does the host respond to hping2 and not ping packet?

You ping a target IP to check if the host is up. You do not get a response. You suspect ICMP is blocked at the firewall. Next you use hping2 tool to ping the target host and you get a response. Why does the host respond to hping2 and not ping packet?

[ceh]# ping 10.2.3.4

PING 10.2.3.4 (10.2.3.4) from 10.2.3.80 : 56(84) bytes of data.

— 10.2.3.4 ping statistics —

3 packets transmitted, 0 packets received, 100% packet loss

[ceh]# ./hping2 -c 4 -n -i 2 10.2.3.4

HPING 10.2.3.4 (eth0 10.2.3.4): NO FLAGS are set, 40 headers +

0 data bytes

len=46 ip=10.2.3.4 flags=RA seq=0 ttl=128 id=54167 win=0 rtt=0.8 ms

len=46 ip=10.2.3.4 flags=RA seq=1 ttl=128 id=54935 win=0 rtt=0.7 ms

len=46 ip=10.2.3.4 flags=RA seq=2 ttl=128 id=55447 win=0 rtt=0.7 ms

len=46 ip=10.2.3.4 flags=RA seq=3 ttl=128 id=55959 win=0 rtt=0.7 ms

— 10.2.3.4 hping statistic —

4 packets tramitted, 4 packets received, 0% packet loss

round-trip min/avg/max = 0.7/0.8/0.8 ms

A.
ping packets cannot bypass firewalls

B.
you must use ping 10.2.3.4 switch

C.
hping2 uses TCP instead of ICMP by default

D.
hping2 uses stealth TCP packets to connect

Explanation:
Default protocol is TCP, by default hping2 will send tcp headers to target host’s port 0 with a winsize of 64 without any tcp flag on. Often this is the best way to do an ‘hide ping’, useful when target is behind a firewall that drop ICMP. Moreover a tcp null-flag to port 0 has a good probability of not being logged.