
HexInject

HexInject is a network packet injector and sniffer tool that enables authorized security professionals to craft, inject, and analyze network packets at the hexadecimal level. It’s useful for protocol testing, vulnerability assessment, network troubleshooting, and authorized penetration testing. HexInject allows fine-grained control over packet construction and transmission.

This tool is strictly for authorized network testing on systems and networks you own or have explicit written permission to test. Unauthorized packet injection or network sniffing is illegal. Always obtain proper authorization before testing any network.

sudo apt-get update
sudo apt-get install hexinject

# Or from source
git clone https://github.com/securityzealot/hexinject.git
cd hexinject
make
sudo make install

brew install hexinject

# Or compile from source
git clone https://github.com/securityzealot/hexinject.git
cd hexinject
make
sudo make install

git clone https://github.com/securityzealot/hexinject.git
cd hexinject

# Requirements
# libpcap-dev (Debian/Ubuntu): sudo apt-get install libpcap-dev
# On macOS: brew install libpcap

./configure
make
sudo make install

# Verify
hexinject --version
hexinject --help
hexinject -v

| Command | Description |
| --- | --- |
| hexinject -i eth0 -h hexdata | Inject hex packet on interface |
| hexinject -i eth0 -S source_IP -D dest_IP | Inject to specific IPs |
| hexinject -l interface | List available interfaces |
| hexinject -s interface | Sniff packets on interface |

# List network interfaces
hexinject -l

# Sniff on eth0
hexinject -s eth0

# Sniff with verbose output
hexinject -s eth0 -v

# Sniff on specific interface
hexinject -s wlan0

# Sniff on loopback
hexinject -s lo

| Command | Description |
| --- | --- |
| hexinject -l | List all network interfaces |
| hexinject -i eth0 -test | Test interface connectivity |
| hexinject -i eth0 -mtu | Check MTU size |
| hexinject -i eth0 -stats | Display interface statistics |

# View all available interfaces
hexinject -l

# Detailed interface information
hexinject -l -v

# Test specific interface
hexinject -i eth0 -test

# Check MTU
hexinject -i eth0 -mtu

# Interface statistics
hexinject -i eth0 -stats

# IPv6 interface
hexinject -i eth0 -ipv6

| Command | Description |
| --- | --- |
| hexinject -s eth0 | Sniff packets on interface |
| hexinject -s eth0 -c num | Capture num packets and exit |
| hexinject -s eth0 -f "filter" | Apply capture filter |
| hexinject -s eth0 -w file.pcap | Write to PCAP file |

# Continuous sniffing
hexinject -s eth0

# Capture 100 packets
hexinject -s eth0 -c 100

# Capture with filter
hexinject -s eth0 -f "tcp port 80"

# Save to PCAP
hexinject -s eth0 -w traffic.pcap

# HTTP traffic only
hexinject -s eth0 -f "tcp port 80 or port 443" -w web_traffic.pcap

# DNS traffic
hexinject -s eth0 -f "udp port 53" -w dns_queries.pcap

# SSH traffic
hexinject -s eth0 -f "tcp port 22"
# Detailed packet information
hexinject -s eth0 -v

# Very verbose (hex dump)
hexinject -s eth0 -vv

# With source/destination info
hexinject -s eth0 -v -S -D

# Complete packet analysis
hexinject -s eth0 -vv -S -D -p tcp

| Command | Description |
| --- | --- |
| hexinject -i eth0 -h "hexdata" | Inject custom hex packet |
| hexinject -i eth0 -f file.hex | Inject from hex file |
| hexinject -i eth0 -c num -h hex | Inject num times |
| hexinject -i eth0 -d delay -h hex | Delay between injections |

# Simple hex injection
hexinject -i eth0 -h "45000014000040000611e94c7f0000017f000001"

# Inject multiple times
hexinject -i eth0 -c 5 -h "4500001c000040004011e9247f0000017f000001"

# With delay between packets (milliseconds)
hexinject -i eth0 -d 1000 -c 10 -h "hexdata"

# Load packet from file
hexinject -i eth0 -f custom_packet.hex

Hex packets follow network protocol format:

IPv4 Header (20 bytes):
45 00 00 1c = Version(4), Header Length(4), ToS(8), Total Length(16)
00 00 = Identification
40 00 = Flags(3), Fragment Offset(13)
40 = TTL
06 = Protocol (6=TCP)
e9 24 = Header Checksum
7f 00 00 01 = Source IP (127.0.0.1)
7f 00 00 01 = Destination IP (127.0.0.1)

TCP Header (20 bytes minimum):
Source Port, Destination Port, Sequence Number, Acknowledgement Number, etc.

# ICMP Echo Request (ping)
# 45 00 00 54 (IP header start)
# Protocol 0x01 (ICMP), ICMP type 0x08 (echo request)
hexinject -i eth0 -h "4500005400004000400100007f0000017f0000010800f7ff0001000061626364..."

# UDP packet
# Protocol 0x11 (17 = UDP) instead of 0x06 (TCP)
hexinject -i eth0 -h "4500002800004000401100007f0000017f00000100350035001400a74865..."

# TCP SYN packet
# Flags: SYN (0x02)
hexinject -i eth0 -h "45000028000040004006e9247f0000017f00000100500001000000000000000050020200..."

| Flag | Description |
| --- | --- |
| -S source_ip | Set source IP |
| -D dest_ip | Set destination IP |
| -sport port | Set source port |
| -dport port | Set destination port |
| -ttl num | Set TTL (Time To Live) |
| -flag flags | Set TCP flags |

# Set source and destination
hexinject -i eth0 -S 192.168.1.100 -D 192.168.1.1 -h "hexdata"

# TCP packet to specific port
hexinject -i eth0 -S 10.0.0.10 -D 10.0.0.20 -sport 54321 -dport 80

# Lower TTL for testing
hexinject -i eth0 -ttl 1 -h "hexdata"

# Multiple TTL values
for ttl in {1..30}; do
    hexinject -i eth0 -ttl $ttl -S 192.168.1.100 -D 8.8.8.8
done

# TCP flags
hexinject -i eth0 -flag SYN -S 192.168.1.100 -D 192.168.1.1

| Command | Description |
| --- | --- |
| hexinject -f packet.hex -i eth0 | Inject from hex file |
| hexinject -s eth0 -w capture.pcap | Sniff to PCAP file |
| hexinject -r file.pcap | Read/replay PCAP file |
| hexinject -convert file.pcap file.hex | Convert PCAP to hex |

# Create custom packet hex file
cat > tcp_syn.hex << EOF
# TCP SYN packet to port 80
45 00 00 28 00 00 40 00 40 06 e9 24 7f 00 00 01 7f 00 00 01
00 50 00 50 00 00 00 00 00 00 00 00 50 02 20 00 66 66 00 00
EOF

# Inject from file
hexinject -i eth0 -f tcp_syn.hex
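
Added example (not part of HexInject or the original page): a Python check that parses a hex packet file in the format above, decodes the IPv4 header fields from the layout described earlier, and recomputes the header checksum before the packet is used. The function names are assumptions of this example; the sample is the page's `tcp_syn.hex`, whose stored checksum does not match its header bytes.

```python
import struct

# Constructed sample: the tcp_syn.hex content shown on the page.
SAMPLE_HEX_FILE = """\
# TCP SYN packet to port 80
45 00 00 28 00 00 40 00 40 06 e9 24 7f 00 00 01 7f 00 00 01
00 50 00 50 00 00 00 00 00 00 00 00 50 02 20 00 66 66 00 00
"""

TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]


def load_hex(text):
    """Strip '#' comments and whitespace, return the packet bytes."""
    digits = "".join(line.split("#", 1)[0] for line in text.splitlines())
    return bytes.fromhex(digits)  # raises ValueError on odd length or non-hex


def inet_checksum(data):
    """RFC 1071 one's-complement sum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def inspect_ipv4(pkt):
    """Decode the IPv4 header (and TCP flags, if any) and list inconsistencies."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack("!H", pkt[2:4])
    stored, = struct.unpack("!H", pkt[10:12])
    expected = inet_checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl])
    info = {
        "ihl": ihl, "total_length": total_len, "ttl": pkt[8], "protocol": pkt[9],
        "src": ".".join(map(str, pkt[12:16])), "dst": ".".join(map(str, pkt[16:20])),
        "checksum_stored": stored, "checksum_expected": expected, "problems": [],
    }
    if total_len != len(pkt):
        info["problems"].append(f"total length {total_len} != {len(pkt)} bytes supplied")
    if stored != expected:
        info["problems"].append(f"header checksum {stored:#06x}, expected {expected:#06x}")
    if pkt[9] == 6 and len(pkt) >= ihl + 20:  # TCP: ports and flag byte
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        flags = pkt[ihl + 13]
        info.update(sport=sport, dport=dport,
                    tcp_flags=[n for i, n in enumerate(TCP_FLAG_NAMES) if flags >> i & 1])
    return info
```

`inspect_ipv4(load_hex(SAMPLE_HEX_FILE))["problems"]` reports the checksum mismatch; the same functions work on any hex string from this page once the trailing `...` is replaced with real bytes.
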
# Capture to PCAP
hexinject -s eth0 -w network_traffic.pcap

# Read and replay PCAP
hexinject -r network_traffic.pcap -i eth0

# Convert PCAP to hex for modification
hexinject -convert network_traffic.pcap traffic.hex

# Edit and re-inject
# (Edit traffic.hex with hex editor)
hexinject -i eth0 -f traffic.hex
# ICMP test
hexinject -s eth0 -f "icmp" -c 10

# TCP port scanning
for port in 22 80 443 3306; do
    hexinject -i eth0 -S 192.168.1.100 -dport $port -flag SYN -h "hexdata"
done

# UDP scanning
for port in 53 123 161 389; do
    hexinject -i eth0 -sport 54321 -dport $port -h "udp_packet.hex"
done
# Traceroute using increasing TTL
for ttl in {1..30}; do
    echo "TTL: $ttl"
    hexinject -i eth0 -ttl $ttl -S 192.168.1.100 -D 8.8.8.8 -h "probe_packet.hex" &
    sleep 1
done
# High-frequency packet injection
hexinject -i eth0 -c 1000 -d 0 -h "test_packet.hex"

# Variable delay between packets
for i in {1..100}; do
    DELAY=$((RANDOM % 1000))
    hexinject -i eth0 -d $DELAY -h "packet.hex" &
done

| Filter | Description |
| --- | --- |
| tcp port 80 | TCP port 80 only |
| udp port 53 | UDP DNS traffic |
| icmp | ICMP (ping) packets |
| tcp[tcpflags] & tcp-syn != 0 | TCP SYN packets |
| tcp port 80 or tcp port 8080 | HTTP traffic |

# HTTP traffic only
hexinject -s eth0 -f "tcp port 80 or tcp port 8080"

# DNS queries and responses
hexinject -s eth0 -f "udp port 53"

# SSH traffic
hexinject -s eth0 -f "tcp port 22"

# ICMP and DNS
hexinject -s eth0 -f "icmp or udp port 53"

# Exclude localhost
hexinject -s eth0 -f "not src 127.0.0.1 and not dst 127.0.0.1"
# Document authorization
cat > hexinject_assessment.txt << EOF
HexInject Network Assessment
Date: $(date)
Authorized Tester: [Name]
Target Network: [Network Range]
Scope: [Specific Tests]
Approval: [Authorization]
EOF

# Begin assessment
hexinject -s eth0 -f "tcp" -v | tee assessment_results.log
# Test for IP fragmentation handling
hexinject -i eth0 -h "fragmented_ip_packet.hex"

# Test for oversized packets
hexinject -i eth0 -mtu 65535

# Test protocol compliance
hexinject -i eth0 -f malformed_packets.hex

# Document findings
hexinject -s eth0 -w test_results.pcap

#!/bin/bash
# Continuous network monitoring

# Create packet capture
hexinject -s eth0 -w traffic_$(date +%Y%m%d_%H%M%S).pcap &
PID=$!

# Monitor for suspicious patterns
sleep 300  # 5 minute capture

# Stop capture
kill $PID

# Analyze
hexinject -r traffic_*.pcap -v
# Fast packet injection with minimal delay
hexinject -i eth0 -c 1000 -d 0 -h "lightweight_packet.hex"

# Single interface focus
hexinject -i eth0  # fastest for single interface

# Batch file operations
while read -r packet; do
    hexinject -i eth0 -h "$packet"
done < packet_list.txt
# Large PCAP capture with rotation
hexinject -s eth0 -w capture.pcap -l 1000000

# Ring buffer capture (limited memory)
hexinject -s eth0 -ring-buffer 100M
# Most operations require root/administrator
sudo hexinject -s eth0

# Check current permissions
id

# Grant capabilities (Linux)
sudo setcap cap_net_raw=ep $(which hexinject)
# List available interfaces
hexinject -l

# Check interface status
ip link show   # Linux
ifconfig       # macOS

# Enable promiscuous mode
sudo ip link set eth0 promisc on

# Test interface
hexinject -i eth0 -test
# Verify hex data validity
hexinject -i eth0 -validate "hexdata"

# Check packet structure
hexinject -i eth0 -check "hexdata"

# Verbose error output
hexinject -i eth0 -h "hexdata" -vv
# Sniff and export to tcpdump format
hexinject -s eth0 -w capture.pcap

# Read with tcpdump
tcpdump -r capture.pcap

# Real-time analysis
hexinject -s eth0 | tcpdump -r - -n
# Capture for Wireshark analysis
hexinject -s eth0 -w analysis.pcap

# Open in Wireshark
wireshark analysis.pcap &

# Analyze specific flows
wireshark analysis.pcap -Y "tcp.port == 443"

#!/bin/bash
# Automated test suite

INTERFACE="eth0"
TARGET="192.168.1.1"

# Test 1: ICMP
hexinject -i $INTERFACE -S 192.168.1.100 -D $TARGET -h "icmp_packet.hex"

# Test 2: DNS
hexinject -i $INTERFACE -sport 54321 -dport 53 -h "dns_query.hex"

# Test 3: HTTP
hexinject -i $INTERFACE -sport 54321 -dport 80 -h "http_request.hex"

# Capture results
hexinject -s $INTERFACE -c 100 -w results.pcap

  • tcpdump - Network packet capture
  • Wireshark - GUI packet analyzer
  • tshark - Command-line Wireshark
  • scapy - Python packet manipulation
  • netcat - Network utility
  • hping3 - Advanced packet generator