Using External Packet Crafting Tools (Scapy, Hping3) with Nmap

Learn how to combine Nmap with external packet crafting tools like Scapy and Hping3 for deeper network analysis, bypassing security mechanisms, and conducting advanced reconnaissance.
by İbrahim Korucuoğlu ( @siberoloji) |
Tags:
Categories:

  5 minute read  

In the realm of cybersecurity, network reconnaissance and penetration testing often rely on powerful, flexible tools that can analyze and manipulate network traffic. Nmap (Network Mapper) has long been a staple in the toolkit of network administrators and ethical hackers due to its robust scanning and network mapping capabilities. However, for scenarios requiring customized packet creation, testing firewall behavior, or simulating unusual traffic, external packet crafting tools like Scapy and Hping3 can significantly enhance Nmap’s effectiveness.

This article explores how Scapy and Hping3 complement Nmap, enabling deeper network analysis, bypassing security mechanisms, and conducting advanced reconnaissance.

Why Combine Nmap with Packet Crafting Tools?

Nmap is a highly versatile network scanner capable of host discovery, port scanning, OS fingerprinting, and vulnerability detection. But its packet manipulation features, while powerful, are standardized and sometimes too rigid for complex testing scenarios.

That’s where packet crafting tools like Scapy and Hping3 come in. These tools offer granular control over every field in a packet, allowing security professionals to:

  • Evade intrusion detection/prevention systems (IDS/IPS)
  • Analyze firewall rule sets
  • Simulate malformed or non-standard traffic
  • Test the robustness of custom protocols or services
  • Forge packets to test spoofing and session hijacking scenarios

By using these tools in conjunction with Nmap, testers can conduct comprehensive and stealthy network assessments.

Overview of Scapy

Scapy is a Python-based interactive packet manipulation program. It allows users to create, send, sniff, and dissect packets. Scapy supports multiple protocols (TCP, UDP, ICMP, DNS, etc.) and offers scripting capabilities for automation.

Key Features of Scapy

  • Full control over packet layers and fields
  • Protocol fuzzing and traffic simulation
  • Built-in packet dissection
  • Integration with other Python tools/libraries
  • Can work as a replacement for hping, arping, and traceroute

Overview of Hping3

Hping3 is a command-line oriented TCP/IP packet assembler and analyzer. It is similar to the classic ping command but far more powerful. It can send custom TCP/IP packets and measure responses.

Key Features of Hping3

  • Custom TCP, UDP, and ICMP packet crafting
  • Traceroute mode
  • Firewall testing
  • TCP stack auditing
  • Idle scanning

Unlike Scapy, which is script-based, Hping3 is ideal for quick terminal-based testing and port probing with specific flags.

Using Scapy with Nmap

Although Scapy and Nmap are distinct tools, they can complement each other in various workflows. Here are some practical scenarios where combining them proves effective.

1. Verifying Nmap Results with Custom Probes

After performing a basic Nmap scan like:

nmap -sS -p 80,443 192.168.1.1

You can verify open ports using Scapy:

from scapy.all import *

ip = IP(dst="192.168.1.1")
syn = TCP(dport=80, sport=RandShort(), flags="S")
response = sr1(ip/syn, timeout=2)

if response and response.haslayer(TCP) and response.getlayer(TCP).flags == 0x12:
    print("Port 80 is open.")

This helps confirm that Nmap’s results were accurate, and the port responded with a SYN-ACK.

2. Bypassing IDS with Custom TCP Handshakes

Nmap’s scans can be flagged by IDS/IPS. Scapy allows you to manually complete handshakes with random timing and headers to evade detection.

syn = IP(dst="192.168.1.1")/TCP(dport=22, flags="S")
syn_ack = sr1(syn)
ack = IP(dst="192.168.1.1")/TCP(dport=22, sport=syn_ack[TCP].dport, seq=syn_ack.ack, ack=syn_ack.seq+1, flags="A")
send(ack)

This manual handshake, spread out over several seconds, may slip past anomaly detection systems that look for rapid SYN packets.

3. Crafting Malformed Packets

To test how a target system handles malformed packets (useful for fuzzing or exploit development):

packet = IP(dst="192.168.1.1", options="\x00\x00")/TCP(dport=80, flags="S")
send(packet)

You can compare the system’s behavior against Nmap’s structured packet sending and see what breaks or gets logged.

Using Hping3 with Nmap

Hping3 offers a simple command-line interface for sending custom-crafted packets. It is useful for active probing, bypassing firewalls, and checking system responses.

1. Testing Firewall Rules

After using Nmap to detect a filtered port:

nmap -sS -p 23 192.168.1.1

If Nmap shows the port as “filtered”, you can test it with Hping3:

hping3 -S -p 23 -c 1 192.168.1.1

If there’s no response, it’s likely dropped by a firewall. Try bypassing with a fragmented packet:

hping3 -S -p 23 --frag -c 1 192.168.1.1

Some packet filters don’t reassemble fragments properly, allowing packets through.

2. Idle Scan Complement

Nmap supports idle scanning using a third-party zombie host. You can identify suitable zombie hosts using Hping3:

hping3 -S -p 80 -c 3 192.168.1.100

By observing IP ID increments, you can verify if the host is idle (no traffic). Nmap can then use this host for a stealthy idle scan:

nmap -sI 192.168.1.100 192.168.1.1

This allows scanning without sending packets from your own IP address.

3. Simulating SYN Flood Attacks for Defense Testing

You can simulate a light SYN flood using Hping3 to test how intrusion detection or firewalls respond:

hping3 -S --flood -p 80 192.168.1.1

Note: Use responsibly and only on systems you have permission to test.

Combining All Three in a Workflow

A typical penetration test might use all three tools like this:

  1. Initial Discovery with Nmap:

    nmap -sS -T4 -A 192.168.1.1

  2. Targeted Port Testing with Hping3:

    hping3 -S -p 80 -c 1 192.168.1.1

  3. Crafting Non-Standard Probes with Scapy:

    pkt = IP(dst="192.168.1.1")/TCP(dport=80, flags="FPU")
send(pkt)

  4. Result Verification and IDS Evasion via Scapy:

    Perform slow, randomized handshakes and monitor IDS alerts.

Security and Ethical Considerations

While tools like Scapy, Hping3, and Nmap are powerful, they can also be misused. It’s crucial to:

  • Only scan systems you are authorized to test
  • Understand the legal implications in your jurisdiction
  • Monitor your own testing environment for impact on systems and bandwidth

Ethical hacking frameworks (such as the OSSTMM or PTES) emphasize responsible use, logging, and communication with clients or stakeholders.

Conclusion

Nmap remains a powerful and versatile network scanner. But when paired with external packet crafting tools like Scapy and Hping3, it becomes part of a much broader toolkit for advanced reconnaissance, stealth testing, and firewall analysis.

Whether you’re verifying scan results, crafting unique packets to test protocol handling, or evading detection systems, Scapy and Hping3 allow a level of customization and flexibility that Nmap alone can’t offer. Learning to use them in tandem will significantly enhance your capability as a network security professional or penetration tester.

Further Reading & Resources:


< Analyzing Responses for Deeper Insights with NmapExploring Third-Party Nmap Tools and Add-Ons >