Mainstay of network detection - nping User Guide

One 、 Preface

nping by nmap Subcommand for , and nmap It is also a free and open source detector , Just install nmap Can use nping, Support highly customized message customization and detection , This article will start from nping The five detection modes and the usage of each parameter are introduced in detail .

Two 、 Detection mode (PROBE MODES)

Enclosed nping man file Description of several supported detection modes ：

The following will explain the main and advanced usage from the above detection modes .

1.tcp Connection mode (--tcp-connect)

This mode contains -p、-g Two basic parameters , They are designated dest port、src port

1） Specify the destination port probe (-p/--dest-port)

nping --tcp-connect -p 80 192.168.1.1

Connected probes , You can see that the screen output is completed normally 80 Port of tcp Jianlian , Without specifying the number of detections, only... Is initiated by default 5 Time , The specified number of times is available -c Parameters .

-p Parameter can specify single or multiple ports , For example, specify specific ports ：

nping --tcp-connect -p 22,80,443 192.168.1.1

Specify the port range ：

nping --tcp-connect -p 22-443 192.168.1.1

2） Specify source port probe (-g/--source-port)

Use 65535 High port to target host 22 Port initiated probe ,-c The specified number of times is 1 Time ：

nping --tcp-connect -g 65535 -p 22 192.168.1.1 -c 1 

You can see that the client and the server normally complete the handshake (65535 -> 22), If it is a non open port , Then the received display is as follows ：

Client initiated SYN Apply for a handshake , Opposite end RST,ACK No .

2.tcp Detection mode (--tcp)

tcp Probe mode and tcp-connect The biggest difference in detection mode is , The former does not need to complete the establishment of an association , Relatively efficient , The following will expand the description from several commonly used parameters .

1） Specify source / Destination port (-p/-g)

nping --tcp -p 80 -c 1 192.168.1.1
nping --tcp -g 65535 -p 80 -c 1 192.168.1.1 

--tcp The parameters displayed in the mode are --tcp-connect Pattern The message fields under are more detailed ：

and --tcp-connect The obvious difference is --tcp Pattern There is no need to complete the establishment of the association , received SYN,ACK Then it is judged that the port is open , After that RST Disconnect , and nmap Of -sS Half open scan detection logic is consistent , This saves unnecessary interaction , Save traffic and improve detection efficiency .

2） Appoint tcp Sign a (--flags)

The specified identity can initiate any identity tcp Probe , For example, initiate a flag bit of SYN Request package for ：

nping --tcp -g 65535 -p 80 -c 1 --flags syn 192.168.1.1
nping --tcp -g 65535 -p 80 -c 1 --flags s 192.168.1.1

It's written in syn Or abbreviations s Will do , Not even case sensitive , It can also be used in combination with , such as SA namely SYN,ACK,PA namely PSH,ACK; Of course, you can also write it as 16 Base number , The scope is 0x00–0xFF, For example, specify 0x012 Hair SYN,ACK request ：

Not surprisingly, it is sent by the destination host RST Connection refused , Because from the point of view of the destination , This is an incomplete illegal handshake request .

3. Specify the window size (--win)

Specify client Window size by 1600 byte ：

nping --tcp -g 65535 -p 80 -c 1 --win 1600 192.168.1.1

Window size refers to the maximum number of bytes that can be processed by the local buffer at present , It is hoped that the packets sent from the opposite end will not exceed this value , At the same time, if viewed from the dimension of the size of a single packet, then and MTU of , The size of each contract is determined by both ends MTU The smallest party determines the maximum of each message size, If it exceeds, it needs to be sent in pieces .

3.udp Detection mode (--udp)

1） Specify the destination port probe (-p/--dest-port)

nping --udp -p 53 -c 1 192.168.1.197

The opposite end replied Port unreachabel Port unreachable , That means the port is closed or blocked by the firewall .

2） Specify the source port and destination port (-g/--source-port)

3） coordination payload Option to use (--data-string)

nping --udp -g 65535 -p 8080 -c 1 --data-string test 192.168.1.197

Set the... When initiating a probe udp paylaod, The premise is that the destination host can recognize payload And respond , Here we use socat On the destination host udp Monitoring and echo function ：

4.icmp Detection mode (--icmp)

Support for custom icmp There are relatively many parameters , It will explain in detail the common parameters that are not chicken ribs .

1） Appoint icmp type Launch a probe (--icmp-type)

nping Allows users to initiate custom icmp type、icmp code, Highly customized requests , But for active detection scenarios , There are not many common types , For the passive service type, it can come in handy .

launch icmp request：

nping --icmp --icmp-type 8 -c 1 192.168.1.1 

This is actually a normal icmp request , Statistics will also be made rtt Time delay , If you don't specify --icmp-type The default is 8.

If it is icmp reply:

nping --icmp --icmp-type 0 -c 1 192.168.1.1 

This is a meaningless request , In the view of the destination host , I didn't send it icmp request But I received icmp reply, The opposite end of an unexplained request must be ignored , It does not conform to the protocol interaction logic , But this bag can be sent out separately .

2） Appoint icmp code Launch a probe (--icmp-code)

Every icmp type Will correspond to a group icmp code, Used to refine the state .

For example, the goal is unreachable icmp type by 3, meanwhile icmp code by 3, The port unreachable request will be simulated (Port unreachabel)：

nping --icmp --icmp-type 3 --icmp-code 3 -c 1 192.168.1.1

Every icmp type Corresponding to a group of icmp code meaning , Referable IANA official Yes ICMP Agreed type and code Assignment instructions for .

3） Appoint icmp id Probe (--icmp-id)

seeing the name of a thing one thinks of its function , This parameter can specify icmp identifier, Used to filter specific ident message , Especially in large traffic scenarios , The peer host can accurately filter out the detection of a packet originated from the source , Set the range to ：0<=N<2^16, namely N∈[0-65536), For example, specify icmp id：

nping --icmp --icmp-code 0 --icmp-id 1024 -c 1 -vv 192.168.1.1  #-vv Parameters can show the output in detail 

It should be noted that , When the initiative is icmp Unreachable message , be icmp The head does not contain id Information .

4） Appoint icmp seq Probe (--icmp-seq)

and id The function is similar to , Appoint seq Serial number ：

nping --icmp --icmp-seq 1 -c 1 -v 192.168.1.1

adopt icmp.seq You can filter the specified serial number .

Obviously ,--icmp-id and --icmp-seq It can also be used at the same time ：

nping --icmp --icmp-id 1024 --icmp-seq 1 -c 1 -v 192.168.1.1

5.arp/rarp Detection mode (--arp)

1） Specify the probe type (--arp-type)

Appoint ARP Detection type of , It can be ARP It can also be RARP And corresponding reply message .

By sending... To the peer host arp message , Get the corresponding mac Address ：

nping --arp --arp-type arp -c 1 192.168.1.1

Similarly, you can also initiate arp-reply, Actively send your own to the opposite end MAC Address ：

nping --arp --arp-type arp-reply -c 1 192.168.1.1

2） Specify the sender's MAC Address (--arp-sender-mac)

This parameter allows you to specify mac Send to the peer host , Therefore, this behavior can be used to refresh the peer arp Address table , achieve arp The purpose of deception ：

nping --arp --arp-type arp-reply --arp-sender-mac 00:00:00:00:00:01 -c 1 192.168.1.1  

3） Specify the sender's IP Address (--arp-sender-ip)

Empathy , This parameter can be forged arp In the head send ip address Field , Let the peer host think arp The address request was sent from this source address , So it's going to be reply Give this source address ：

nping --arp --arp-type arp --arp-sender-ip 192.168.1.197  -c 1 192.168.1.1

and --arp-sender-ip Use it with , Can achieve forgery IP+ forge MAC, Send... To the broadcast domain arp request , And assign the request to the set fake address ：

nping --arp --arp-type arp --arp-sender-ip 192.168.1.197 --arp-sender-mac 00:0c:29:50:c6:dc -c 1 192.168.1.84

arp The request header is as follows ：

4） Specify the destination host MAC Address and IP Address (--arp-target-mac/--arp-target-ip)/ARP flooding

Use with the previous parameters , Appoint arp The head can be forged for all IP/MAC Field , For example, will 1.84 Tied to an incorrect MAC Address , Send... To the gateway host arp reply, Refresh 、 Fill its ARP surface ：

nping --arp --arp-type arp-reply --arp-target-mac 00:0C:29:BE:5A:26 --arp-target-ip 192.168.1.1 --arp-sender-ip 192.168.1.84 --arp-sender-mac 00:00:00:00:00:01 -c 1 192.168.1.1

When Binding forged IP-MAC When the address pair is large enough , Make the gateway arp Entries exhausted , Legitimate users cannot maintain the correct arp Address table , Will cause communication interruption , This behavior is often called arp Flood attack .

6. Route tracing in probe mode (--tr/--traceroute)

This mode can be applied to TCP/UDP/ICMP Detection mode , Do not apply to TCP Full connection and ARP Pattern .

When you want to confirm whether the link has packet loss , The opposite end is forbidden ping 了 , Only certain agreements have been released , Then this mode matches TCP/UDP/ICMP It can precisely control the protocol used for route tracking ,--tr The parameter will detect all routing nodes along the way , Some routes only forward but do not respond ( Commonly known as reject echo ) stay client In fact, the client does not respond to timeout .

Yes tcp/53 Port for route tracking ：

nping --tcp -p 53 --traceroute -c 12 --flags syn -v 119.29.29.29

Because the intranet uses openwrt Hijacking and forwarding ,--tr Only one jump will be seen , Here we use another machine for testing .

• there -c 12 That is to say, the whole command only initiates 12 A detection bag , It can be understood as only detecting the 12 Nodes , By default, each node is probed once .
• Finally, packet loss is displayed 5 individual (41.67%), It is not really packet loss , The probe is on the opposite end 53/dns Service port , Did not initiate dns query request , There is no need to respond at the opposite end , So for the detector , As long as the opposite end does not respond , It will be regarded as packet loss .

As I said before , Intermediate nodes may not respond , For security reasons, some policies will be set to prevent echo , but nping The unresponsive data will also be calculated into the packet loss rate for a comprehensive statistics , Judge according to the actual output , Don't rely too much on the final packet loss rate , In practice, it is also a good choice to use path tracking only as a specific protocol .

ICMP/UDP Empathy ：

nping --udp -p 53 --traceroute -c 12 -v 119.29.29.29
nping --icmp --traceroute -c 9 -v 114.114.114.114 

3、 ... and 、 Probe options in detail (OPTIONS)

1.IPv4 OPTIONS

It will be explained from the following common parameters V4 Parameter options ：

1） Specify source host (-S/--source-ip)

This parameter is literal , Specify the role of the source address , Other network cards can be specified IP, You can also specify any IP To forge , For example, specify a gateway IP To the destination host 1.197 send out 80 Port of syn Probe ：

nping --tcp -S 192.168.1.1 --flags syn -p 80 -c 1 192.168.1.197

This parameter is applicable to all IP Layer detection mode .

2） Specify the destination host (--dest-ip)

That is, specify the destination host , It's the same whether you add it or not , This parameter is carried by default

nping --icmp --icmp-type 8 -c 1 --dest-ip 192.168.1.1 192.168.1.197  # towards 1.1 and 1.197 launch icmp Probe 
nping --icmp --icmp-type 8 -c 1 --dest-ip 192.168.1.0/24  # To the whole C Start from the end icmp Probe 

3） Appoint identification(--id)

identification Field , It is very useful for the analysis of specified packages , It said ,icmp It can be done by --icmp-id And --icmp-seq To identify the message , It is convenient to accurately filter out the specific packets we send in the later stage , Similarly, other detection modes also have --id Field ,--id by IP Layer of identification, therefore arp No, .

Appoint tcp Detecting id Field , So we can write this as ：

nping --tcp -p 22 --id 1024 192.168.1.1 -v -c 1  # Appoint id by 102

udp Probe ：

nping --udp -p 8080 --id 1024 --data-string test 192.168.1.197 -c 1 -v

It can be done by ip.id Filter the specific messages we send , Then track udp.stream You can see a complete stream ：

4） Set the non fragmentation flag bit (--df)

namely Don't Fragment Not allowed to be divided into pieces , When the message size exceeds client and server Minimum of end negotiation MTU when , By default, partition transfer will be performed , This parameter specifies that sharding is not allowed , What you give is what you get , Even if the end-to-end processing cannot DROP It's still not allowed to split , This flag is located at IP layer , So it's all in IP This field can be set for protocols on or above the layer , Obviously support TCP、UDP、ICMP Three detection modes .

nping --tcp -p 80 --df 192.168.1.1 -c 1

You can see ,IP Layer of flag Marked by DF The fields are set to 1, It means that fragmentation is not allowed .

that , The same is true for other detection modes ：

nping --udp -p 53 --df 192.168.1.1 -c 1
nping --icmp --icmp-type 8 --df 192.168.1.1 -c 1

5） Set the life cycle (--ttl)

Appoint time to live, That is, the message life cycle , Every routing node ,ttl Minus one , If not set ttl, The system default will be read ttl value , Different OS Default ttl It will be different .

ttl stay IP Layer head , So of course ,ICMP/TCP/UDP Can be supported .

As specified ttl by 1：

nping --icmp --ttl 1 -c 1 -v 192.168.1.1 
nping --udp -p 53 --ttl 1 -c 1 -v 192.168.1.1 
nping --tcp -p 80 --ttl 1 -c 1 -v 192.168.1.1

Because the source end and the opposite end are directly connected , There is no need to pass through the routing node in the middle , therefore ttl Set to 1 It can also transmit data normally .

6） Set up MTU size (--mtu)

Specify the maximum transmission unit of the sender (Maximum Transmission Unit), If the set value is exceeded, it needs to be sent in pieces .

nping --tcp -p 80 --mtu 16 --data-length 1000 -v 192.168.1.197 -c 1  #--data-length Appoint payload size , Random fill 
nping --icmp --mtu 16 --data-length 1000 -v 192.168.1.197 -c 1
nping --udp --mtu 16 -v 192.168.1.197 -c 1

2. Echo mode (ECHO CLIENT/SERVER)

1）client and server End (--ec/--echo-client、--es/--echo-server)

These two parameters need to be used together , One as a server , One client , and iperf3 Of c/s The speed measurement mode is similar , but nping This parameter is used for detection , It is mainly used to continuously test the delay between points .

server End ：

nping --echo-server "public" -e ens192 -vvv  #public Any string , Want to be with client Corresponding 

client End ：

 nping --echo-client "public" 192.168.1.197 --tcp -p 80

2） Specify listening port (--ep/--echo-port)

This parameter can be added or not , Designated echo server Listening port of , No, the default is 9929 port

server End ：

nping --echo-server "public" -e ens192 -v3 --ep 10 --nc #--nc Verify without encryption , When this parameter is added, then client The end should also be added correspondingly 

client End ：

nping --echo-client "pubulic" 192.168.1.197 --tcp -p 80 --ep 10 --nc -c 2

3） One time monitoring (--once)

This parameter is used for server End , When client After the end of one complete probe at the terminal , Just shut it down server End monitoring .

server End ：

nping --echo-server "public" -e ens192 -v3 --nc --once

client End ：

nping --echo-client "pubulic" 192.168.1.197 --udp -p 8080 --nc -c 2 --once

3. Delay and rate (Timing&Performance)

1） Specify the probe delay / interval (--delay)

--delay Parameter can specify the delay interval between packets for each probe , This parameter can be used to bypass detection when the access frequency per unit time is restricted by the opposite end .

Every time 2s One second SYN Detection can be written as ：

nping --tcp -p 80,443 --flag syn -v --delay 2s -c 2 www.qq.com

Every time 10s Launch once udp Probe ：

nping --udp -p 53 -v -c 2 --delay 10s --data-length 16 192.168.1.197

icmp It can be ：

nping --icmp --icmp-type 8 -c 2 --delay 10s 192.168.1.1 

This parameter applies to all detection modes .

2） Specify the number of contracts per second (--rate)

By default ,nping Unit time 1s Send the bag only once , adopt --rate You can specify any value .

Take on the above icmp Probe , The specified contract quantity can be written as ：

nping --icmp --icmp-type 8 --rate 5 --delay 0.01s 192.168.1.1 

--rate The unit time is specified 5 A package ,--delay Set the contracting interval to 0.01s, You can quickly get the returned results .

Empathy ,tcp Of syn Probe ：

nping --tcp -p 80 -v --rate 10 192.168.1.197

This parameter also applies to all detection modes .

4. The other parameters

The above parameter description has been written in great detail , And some of them have been demonstrated , There are no more examples here , Detailed usage is available for reference man file .

Four 、 summary

The above covers nping For each probe , The function is not inferior to nmap, Some advanced features are nmap It can't cover , At the same time, their positioning is also different ,nping More inclined to network delay analysis 、 Path tracking and other scenarios ,nmap More suitable for port scanning .nping It is also an integral part of the security domain tools , Early information collection is crucial for penetration testing , It is also a sharp weapon in the attacker's pocket .

Incidental PDF edition ：