Provided by: sing_1.1-10_i386
sing - Send ICMP Nasty Garbage packets to network hosts
sing [-hVRnvqGQOBU] [-c count] [-T wait] [-p pattern] [-s datasize] [-F
bytes] [-i interface] [-S spoof] [-t ttl] [-TOS tos] [-l preload] [-M
os] [-L logfile] [-MAC hw_addr] [-x code] [type] host
sing is a tool that sends ICMP packets fully customized from command
line. The main purpose is to replace the niceful ping command with
certain enhancenments as the ability to send/read IP spoofed packets,
send MAC spoofed packets, send in addition to the ECHO REQUEST type
sent by default, many other ICMP types as Echo Reply, Address Mask
Request, Timestamp, Information Request,Router Solicitation and Router
It supports also the following ICMP error types: Redirect, Source
Quench, Time Exceeded, Destination Unreachable and Parameter Problem.
It can do a little fingerprinting, see the FINGERPRINTING TECHNIQUES
section to read more details about.
It can emulate certain OOSS sending Echo Request or Echo Reply packets.
See the MIMIC TECHNIQUES section for a more accurate information.
The host destination can also be specified as a list of gateways
(including destination) breaked by the ’%’ symbol meaning the use of a
Strict Source Routing IP Option (v.g. router1%router2%router3%host) or
the ’@’ symbol meaning the use of a Loose Source Routing IP Option
A long number of examples is given at the EXAMPLES section of this page
that shows a real use of this program.
MOST COMMON OPTIONS
-v Verbose mode.
-B Send a Bad ICMP Checksum on Information types.
Stop after sending (and receiving) count packets. Information
Fragment the entire ICMP packet with bytes size by fragment. Not
used on Solaris systems.
-G Set the IP header Don’t Fragment flag. Not used on Solaris
Interface (name or IP address) where listen on for replies.
If preload is specified, sing sends that many packets as fast as
possible before falling into its normal mode of behavior. Only
the super-user may use this option. Information types only.
Save the current session to the file logfile. If logfile exists
the data will be appended at end.
-M os Do mimic of the os specified when sending an Echo Request or
Echo Reply. os can be win, unix, linux, cisco, solaris or
Do MAC spoofing using the MAC hw_address (maybe to surpass
filtered switches). Be aware of using on an interface with a
datalink type different of Ethernet. The MAC address must be on
hexadecimal form and must be delimited by ’:’ (Example:
00:FF:AC:33:1:B). This option made use of the libnet library to
acces the network link layer. Only the super-user can use this
-n Don’t use name resolution.
-O Do fingerprinting to discover the target OS.
You may specify a pattern of bytes to fill out the packet you
send. This is useful for diagnosing data-dependent problems in
a network. For example, ‘-p INPACK’’ will cause the sent packet
to be filled with the word INPACK.
-q Quiet output. Nothing is displayed except the summary lines at
startup time and when finished.
-Q Totally quiet output. Absolutly nothing is displayed. Useful to
use within shell scripts.
-R Use Record Route IP Header Option on the ICMP packet.
Number of garbage bytes that will be sent on any ICMP packet.
With max the maximum possible will be sent.
IP address to be used as the source of the ICMP packet. This
force the use of the libpcap routines that puts your network
interface into promiscuous mode to be able to read the replies.
Only the super-user may use this option.
-t ttl Set the IP Time To Live field to ttl value.
Wait wait seconds between sending each packet. The default is to
wait for one second between each packet.
Set the IP Type Of Service field to tos value.
-U Set the IP header Unused bit flag. Be aware on *BSD systems
because the kernel set to 0 the IP header flags when using the
Reserved Bit so SING must revert to promiscuous mode to be able
to read the response with libpcap. Not used on Solaris systems.
-x, --xcode code|num|max
ICMP code to send. Code code valid for Destination Unreachable
(-du), Redirect (-red) and Time Exceeded (-tx) types. Numerical
code can be specified for the ICMP types that doesn’t have (Echo
Request, Information Request, Address Mask Request, Router
Solicitation, Router Advertisement, Source Quench, Parameter
Problem and Timestamp). Using max an ICMP code greater than the
admited ones will be sent. See the ICMP CODES section for a long
list of code types.
The type can be any of the following below:
Echo Request. Request sent to a host to receive an echo reply.
This is the type sent by default. This ICMP type is information.
Timestamp. Host request to receive the time of another host.
This ICMP type is information.
Address Mask Request. Used to find out a host network mask.
This ICMP type is information.
Information Request. Host request to receive an Info Reply from
another host. This ICMP type is information.
Destination Unreach. IP packet couldn’t be given. This ICMP
type is error.
Source Quench. IP packet is not given due a net congestion.
This ICMP type is error.
Redirect. Request to forward IP packets through another router.
This ICMP type is error.
-rta, --router_advert address[/preference]
Router Advertisement. Router trasmits one or more routers with
address address and preference preference. If this is ommited,
default preference 0 is given. This ICMP type is information.
Router Solicitation. Host requeriment for a message of one or
more routers. Like the previous, is a part of the messages
exchange Router Discovery and this ICMP type is information.
Time Exceeded. Time Exceeded for an IP packet. This ICMP type
Parameter Problem. Erroneous value on a variable of IP header.
This ICMP type is error.
-reply Echo Reply. Response to a Echo Request. This ICMP type is
LESS COMMON OPTIONS
The options can be any of the following:
-lt, --lifetime secs
Lifetime in seconds of the router announcement. Only valid with
Router Advertisement (-rta) type. 1800 seconds by default (30’).
-gw, --gateway address
Route gateway address on an ICMP Redirect (-red). By default
will be the spoof address (-S), if it has been specified, or the
outgoing IP address if it has not been specified.
-dest, --route_dest address
Route destination address on an ICMP Redirect (-red). This is a
required option when sending an ICMP Redirect.
-orig, --orig_host address
Original host within the IP header sent in the 64 bits data
field of an ICMP error. By default will be the same as the IP
of the host that sends the ICMP packet.
-psrc, --port_src port
Source port (tcp or udp) within the IP header sent in the 64
bits data field of an ICMP error. 0 by default.
-pdst, --port_dst port
Destination port (tcp or udp) within the IP header sent in the
64 bits data field of an ICMP error. 0 by default.
-prot, --protocol name|number
Protocol to be used within the IP header sent in the 64 bits
data field of an ICMP error. Must be a name from the
/etc/protocols or a protocol number. Only tcp, udp and icmp are
fully implemented, with other protocols the remaining of the 64
bits field are fulfilled with 0xFF. TCP by default.
ICMP id to be used with ICMP of Information types. Do not be
confused with the -ip_id option!.
Echo sequence number to be used with Echo Request or Echo Reply
types. Do not be confused with the -ip_seq option!.
Echo identificator within the IP header sent in the 64 bits data
field of an ICMP error when the IP header protocol of the 64
bits data field (-prot) is icmp. 0 by default.
Echo sequence number within the IP header sent in the 64 bits
data field of an ICMP error when the IP header protocol of the
64 bits data field (-prot) is icmp. 0 by default.
-ptr, --pointer byte
Pointer to erroneus byte byte on an ICMP packet showing a
parameter problem. Valid only on Parameter Problem type
Valid codes used with Destination Unreach, Redirect and Time Exceeded
- Used with Destination Unreach type (-du):
net-unreach (Net Unreachable) The destination net is unreachable.
host-unreach (Host Unreachable) The destination host is unreachable.
prot-unreach (Protocol Unreachable) desired protocol is unreachable to
port-unreach (Port Unreachable) desired port is unreachable to
frag-needed (Fragmentation Needed and Don’t Fragment was Set) Shows
that IP packet had to be fragmented because of its size but the sender
did not allowed it because the DF (DON’T FRAGMENT) flag was set.
sroute-fail (Source Route Failed) could’nt follow the route indicated
on IP packet.
net-unknown (Destination Network Unknown) Destination network is
host-unknown (Destination Host Unknown) Destination host unknown but
host-isolated (Source Host Isolated) Can’t reach destination host.
net-ano (Communication with Destination Network is Administratively
Prohibited) access network is denied through firewall or similar on
host-ano (Communication with Destination Host is Administratively
Prohibited) access host is denied through firewall or similar on
net-unr-tos (Destination Network Unreachable for Type of Service)
indicates on destination network that the Type Of Service (TOS) applied
for is not allowed.
host-unr-tos (Destination Host Unreachable for Type of Service) shows
that destination host is unreachable with applied TOS.
com-admin-prohib (Communication Administratively Prohibited) a router
can’t forward a packet because of administrative filter.
host-precedence-viol (Host Precedence Violation) IP packet precedence
is not allowed.
precedence-cutoff (Precedence cutoff in effect) a smaller IP packet
precedence has tried to be sent over the minimal impossed by network
- To be used with Redirect type (-red):
net (Redirect Datagram for the Network) shows that destination is a
host (Redirect Datagram for the Host) shows that destination is a host.
serv-net (Redirect Datagram for the Type Of Service and Network)
destination is a type of service and network.
serv-host (Redirect Datagram for the Type Of Service and Host)
destination is a type of service and host.
- to be used with Time Exceeded type (-tx):
ttl (Time to Live exceeded in Transit) time is over on an IP packet
frag (Fragment Reassembly Time Exceeded) could not reassembly all the
IP packet fragments.
With the -O option SING can use little techniques of remote OS
fingerprinting. To distinguish between Window$ boxes and the rest of
the world Ofir Arkin has discovered a simple method: Sending an ICMP
code that is not 0 within an ICMP Echo Request, a Window$ box respond
with a 0 code while the rest of the boxes would leave the code field
unchanged. See the SEE ALSO section.
With Solaris systems SING use a method discovered by me: Sending a
fragmented Addres Mask Request any Solaris system (tested from 2.5.1 to
Solaris8 Intel & SPARC) respond with an Address Mask of 0’s. Last
update!: Some people have noticed that HP-UX v11.0 respond the same
See the EXAMPLES section for examples.
With the -M option SING can try to emulate certain OS. At the moment
Window$98/Window$NT4 (win value), UNIX (unix value), Linux (linux
value), Cisco (cisco value), Solaris (solaris value) or Shiva (shiva
value) are the only accepted values. To emulate them SING changes its
normal behaviour about the IP header flags, the TTL, the initial ICMP
sequence number, the ICMP id and the ICMP data that each OS send. These
techniques are aplied only when using Echo Request or Echo Reply types.
sing can be easily used within shell scripts. Program returns the
following values to the shell:
0 Received at least 1 response from destination host.
1 General Error.
2 Packet sent OK but received no response.
3 Out of memory.
- Testing if www.solarisbox.xx is running the Solaris OS. Supposed no
sing -mask -O www.solarisbox.xx
- Testing if www.winbox.xx is running the Window$ OS:
sing -O www.winbox.xx
- Send Echos with garbage size of 32 bytes and fragments of 8 bytes to
sing -s 32 -F 8 www.provatina.xx
- Send Echos with data pattern IsSiNg and fragments of 8 bytes to the
host www.provatina.xx using Loose Source Routing via router1.xx and
sing -p IsSiNg -F 8 firstname.lastname@example.org@www.provatina.xx
- Send an ICMP packet Timestamp to host sepultura.hell. We spoof as
sing -tstamp -S 10.2.3.1 sepultura.hell
- Send an ICMP packet Router Solicitation to 10.13.1.0:
sing -rts 10.13.1.0
- Send an ICMP Router Advertisement to host death.es, saying that the
routers to use are: router1.xtc with preference 20, router2.xtc with
preference 50 and router3.xtc with default preference (0). We spoof as
sing -rta router1.xtc/20 -rta router2.xtc/50 -rta router3.xtc -S
- In response to a packet send with TCP source port 100 and destination
on port 90, we want to send and ICMP Redirect to dwdwah.xx to modify
its routing table with the following data: 10.12.12.12 as a gateway to
the host death.es masking the packet source as if it was sent from
sing -red -S infect.comx -gw 10.12.12.12 -dest death.es -x host -prot
tcp -psrc 100 -pdst 90 dwdwah.xx
- In response to an ICMP packet Echo Request sent with Echo Request id
100 and Echo Request sequence number 90, we want to send an ICMP
Redirect to the host araya.xx to modify its routing table with the
following data: the host pizza.death as a gateway to the host death.es,
masking the packet source as if it was sent from infect.comx host.
sing -red -S infect.comx -gw pizza.death -dest death.es -x host -prot
icmp -ip_id 100 -ip_seq 90 araya.xx
- We want to send an ICMP packet Destination Unreach to the host
10.2.3.4 saying that our TCP port number 20 connected with its TCP port
2100, is unreachable. We mask ourselves as host 10.1.1.1:
sing -du -S 10.1.1.1 -x port-unreach -prot tcp -psrc 2100 -pdst 20
- We want to send an ICMP packet Destination Unreach to host 10.2.3.4
saying that the host inferno.hell and its TCP port 69, connected with
his port TCP 666 in unreachable. We mask ourselves as gateway
sing -du -S router.comx -x host-unreach -prot tcp -psrc 666 -pdst 69
-orig inferno.hell 10.2.3.4
- We want to send a packet ICMP Source Quench to host ldg02.hell in
response to a packet destinated to host ldg00 with UDP protocol, source
port 100 and destination port 200. We mask ourselves as gateway
sing -sq -S 10.10.10.1 -prot udp -psrc 100 -pdst 200 -orig ldg00
- We want to send an ICMP packet Time Exceeded to host ldg02.hell in
response to a packet destinated to host ldg00 with UDP protocol, source
port 100 and destination port 200. We mask as gateway ldg04.hell:
sing -tx -S ldg04.hell -x frag -prot udp -psrc 100 -pdst 200 -orig
- We want to send an ICMP packet Address Mask Request and wait 10
seconds between sending each packet. We mask the packet with source
address of 10.2.3.4 and we send it to the address 10.0.1.255:
sing -mask -S 10.2.3.4 -T 10 10.0.1.255
- We want to send an ICMP packet Information Request to host deep.hell:
sing -info deep.hell
- We want to send an ICMP packet Echo Request to host black.hell with
the data pattern ’MyNameIsGump’:
sing -p MyNameIsGump black.hell
- We want to send ICMP packet Echo Request to 10.12.0.255 with the
following data pattern: D E A T H (blanks included). We will mask the
source address as 192.168.0.255:
sing -S 192.168.0.255 -p ’D E A T H’ 10.12.0.255
- We want to send an ICMP packet Destination Unreach to host
destination.death but sending it with an ICMP code bigger to the legal
ones adding also 60K of garbage data:
sing -du -x max -s 60000 destination.death
- We send an ICMP Parameter Problem to host misery.es saying that the
packet sent from the host dump.xorg with udp protocol, source port 13
and destination port 53, has an error on the IP header byte 13. We will
also add all garbage bytes as possible:
sing -S dump.xorg -param -ptr 13 -prot udp -psrc 13 -pdest 53 -s max
- We want to send an ICMP packet Timestamp to host www.danz.hell with
code 38 instead of code (0) as usual:
sing -tstamp -x 38 www.danz.hell
- Same as above without code 38 and using Loose Source Routing between
the routers cisco, 10.13.1.1 and wakeup.man:
sing -tstamp email@example.com@firstname.lastname@example.org
- Same as above using Strict Source Routing between the gateways:
sing -tstamp cisco%10.13.1.1%wakeup.man%www.danz.hell
- Using Record Route IP Option to see the route that takes to
sing -R ftp.target.xx
Postel, John, "Internet Control Message Protocol - DARPA Internet
Program Protocol Specification", RFC 792, USC/Information Sciences
Institute, September 1981.
Mogul, Jeffrey and John Postel, "Internet Standard Subnetting
Procedure", RFC 950, Stanford, USC/Information Sciences Institute,
Braden, Robert, "Requeriments for Internet Hosts - Communication
Layers", RFC 1122, USC/Information Sciences Institute, October 1989.
Deering, Stephen, "ICMP Router Discovery Messages", RFC 1256, Xerox
PARC, September 1991.
Baker, Fred, "Requeriments for IP Version 4 Routers", RFC 1812, Cisco
Systems, June 1995.
Arkin, Ofir, "ICMP usage in scanning", http://www.sys-
security.com/archive/papers/ICMP_Scanning.pdf, Sys-Security Group, July
The Linux source code, everything referent to network code and to ICMP
The original ping command was written by Mike Muuss.
sing is original from Alfredo Andres Omella, Slay <email@example.com>