Man page of FRAGROUTER
FRAGROUTER
Section: Maintenance Commands (8)
Updated: 26 April 1999
NAME
fragrouter - network intrusion detection evasion toolkit
SYNOPSIS
fragrouter [-i interface] [-p] [-g hop] [-G hopcount] ATTACK
DESCRIPTION
Fragrouter
is a program for routing network traffic in such a way as to elude
most network intrusion detection systems.
Most attacks implemented correspond to those listed in the Secure
Networks "Insertion, Evasion, and Denial of Service: Eluding Network
Intrusion Detection" paper of January 1998.
OPTIONS
-i interface
    Specify the interface to accept packets on.
-p
    Preserve the entire protocol header in the first fragment. This is
    useful in bypassing packet filters that deny short IP fragments.
-g hop
    Specify a hop along a loose source routed path. Can be used more than
    once to build a chain of hop points.
-G hopcount
    Positions the "hop counter" within the list of hosts in the path of a
    source routed packet. Should be a multiple of 4. Can be set past the
    length of the loose source routed path to implement Anthony Osborne's
    Windows IP source routing attack of September 1999.
The following attack options are mutually exclusive - you may only
specify one type of attack to run at a time.
-B1
    baseline-1: Normal IP forwarding.
-F1
    frag-1: Send data in ordered 8-byte IP fragments.
-F2
    frag-2: Send data in ordered 24-byte IP fragments.
-F3
    frag-3: Send data in ordered 8-byte IP fragments, with one
    fragment sent out of order.
-F4
    frag-4: Send data in ordered 8-byte IP fragments, duplicating
    the penultimate fragment in each packet.
-F5
    frag-5: Send data in out of order 8-byte IP fragments,
    duplicating the penultimate fragment in each packet.
-F6
    frag-6: Send data in ordered 8-byte IP fragments, sending the
    marked last fragment first.
-F7
    frag-7: Send data in ordered 16-byte IP fragments, preceding
    each fragment with an 8-byte null data fragment that overlaps the
    latter half of it. This amounts to the forward-overlapping 16-byte
    fragment rewriting the null data back to the real attack.
-T1
    tcp-1: Complete TCP handshake, send fake FIN and RST (with bad
    checksums) before sending data in ordered 1-byte segments.
-T3
    tcp-3: Complete TCP handshake, send data in ordered 1-byte
    segments, duplicating the penultimate segment of each original TCP
    packet.
-T4
    tcp-4: Complete TCP handshake, send data in ordered 1-byte
    segments, sending an additional 1-byte segment which overlaps the
    penultimate segment of each original TCP packet with a null data
    payload.
-T5
    tcp-5: Complete TCP handshake, send data in ordered 2-byte
    segments, preceding each segment with a 1-byte null data segment that
    overlaps the latter half of it. This amounts to the
    forward-overlapping 2-byte segment rewriting the null data back to the
    real attack.
-T7
    tcp-7: Complete TCP handshake, send data in ordered 1-byte
    segments interleaved with 1-byte null segments for the same connection
    but with drastically different sequence numbers.
-T8
    tcp-8: Complete TCP handshake, send data in ordered 1-byte
    segments with one segment sent out of order.
-T9
    tcp-9: Complete TCP handshake, send data in out of order 1-byte
    segments.
-C2
    tcbc-2: Complete TCP handshake, send data in ordered 1-byte
    segments interleaved with SYN packets for the same connection
    parameters.
-C3
    tcbc-3: Do not complete TCP handshake, but send null data in
    ordered 1-byte segments as if one had occurred. Then, complete a TCP
    handshake with the same connection parameters, and send the real data in
    ordered 1-byte segments.
-R1
    tcbt-1: Complete TCP handshake, shut connection down with a RST,
    re-connect with drastically different sequence numbers and send data in
    ordered 1-byte segments.
-I2
    ins-2: Complete TCP handshake, send data in ordered 1-byte
    segments but with bad TCP checksums.
-I3
    ins-3: Complete TCP handshake, send data in ordered 1-byte
    segments but with no ACK flag set.
-M1
    misc-1: Thomas Lopatic's Windows NT 4 SP2 IP fragmentation
    attack of July 1997 (see http://www.dataprotect.com/ntfrag/ for
    details). This attack has only been implemented for UDP.
-M2
    misc-2: John McDonald's Linux IP chains IP fragmentation attack
    of July 1998 (see http://www.dataprotect.com/ipchains/ for details).
    This attack has only been implemented for TCP and UDP.
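The fragmentation attacks above (frag-1 through frag-7) all depend on the monitor and the end host reassembling tiny, out-of-order, duplicated or overlapping fragments differently. The following Python program is an added example, not part of fragrouter or of this manual page: a small defender-side reassembler that applies a configurable overlap policy ("first data wins" or "last data wins", since real hosts differ) and records the anomalies a monitor should alert on: tiny fragments with MF set, out-of-order arrival, exact duplicates, and overlapping fragments whose bytes conflict. The Fragment and Result classes, the 32-byte payload and the frag-7-shaped sample sequence are all constructed here for the demonstration; nothing is read from or written to the network.

```python
"""Defender-side IPv4 fragment reassembly with evasion checks.

Added example, not fragrouter code. Fragments are modelled as plain objects
rather than parsed from packets so the logic runs offline.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Fragment:
    offset: int   # byte offset of this fragment's data in the original datagram
    more: bool    # IP "more fragments" (MF) flag
    data: bytes


@dataclass
class Result:
    payload: Optional[bytes]          # reassembled datagram, or None if incomplete
    anomalies: List[str] = field(default_factory=list)


def reassemble(frags: List[Fragment], policy: str = "first") -> Result:
    """Reassemble fragments in arrival order and collect anomalies.

    policy="first": the first data seen for a byte wins (later overlaps ignored).
    policy="last":  later fragments overwrite earlier data.
    A monitor that does not know which policy the target host uses can be
    fooled by forward overlaps, so the anomaly list is the reliable signal.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf: Dict[int, int] = {}          # byte offset -> byte value
    anomalies: List[str] = []
    seen = set()                      # (offset, data) pairs already processed
    prev_offset = -1
    total_len: Optional[int] = None

    for f in frags:
        if f.offset % 8:
            anomalies.append(f"offset {f.offset} not a multiple of 8")
        if f.more and len(f.data) <= 8:
            anomalies.append(f"tiny fragment at offset {f.offset} ({len(f.data)} bytes, MF set)")
        if f.offset < prev_offset:
            anomalies.append(f"out-of-order arrival: offset {f.offset} after {prev_offset}")
        prev_offset = f.offset
        if not f.more:
            total_len = f.offset + len(f.data)

        key = (f.offset, f.data)
        if key in seen:
            # An identical duplicate changes nothing under either policy.
            anomalies.append(f"duplicate fragment at offset {f.offset}")
            continue
        seen.add(key)

        overlap = conflict = False
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in buf:
                overlap = True
                if buf[pos] != b:
                    conflict = True
                if policy == "last":
                    buf[pos] = b
            else:
                buf[pos] = b
        if conflict:
            anomalies.append(f"conflicting overlap at offset {f.offset}")
        elif overlap:
            anomalies.append(f"overlap at offset {f.offset}")

    if total_len is None:
        anomalies.append("no final fragment (MF clear) seen")
        return Result(None, anomalies)
    if any(pos not in buf for pos in range(total_len)):
        anomalies.append("hole in reassembled datagram")
        return Result(None, anomalies)
    return Result(bytes(buf[pos] for pos in range(total_len)), anomalies)


# Constructed 32-byte payload standing in for the "real" datagram.
PAYLOAD = b"constructed sample payload (32B)"


def frag7_style_sample() -> List[Fragment]:
    """Constructed sequence shaped like frag-7: each 16-byte data fragment is
    preceded by an 8-byte null fragment that overlaps its latter half."""
    frags = []
    for off in range(0, len(PAYLOAD), 16):
        frags.append(Fragment(off + 8, True, b"\x00" * 8))
        frags.append(Fragment(off, off + 16 < len(PAYLOAD), PAYLOAD[off:off + 16]))
    return frags


if __name__ == "__main__":
    for pol in ("first", "last"):
        r = reassemble(frag7_style_sample(), policy=pol)
        print(pol, "->", r.payload, r.anomalies)
```

Run against the frag-7-shaped sample, the "first" policy keeps the null bytes and the "last" policy recovers the original payload, which is the disagreement the attack relies on; under both policies the conflicting-overlap and tiny-fragment anomalies are reported, so a monitor that alerts on them does not need to guess the host's policy.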
SEE ALSO
tcpdump(8), tcpreplay(8), pcap(3), libnet(3)
AUTHOR
Dug Song, Anzen Computing.
The current version is available via HTTP:
http://www.anzen.com/research/nidsbench/
BUGS
IP options will carry across all fragments of a packet. Fragrouter is
not smart enough to determine which IP options are valid only in the
first fragment. This is considered a feature, not a bug. :-)
Similarly, TCP options will carry across all segments of a split TCP
packet - except for null data packets preceding a forward overwrite,
which lack any TCP options in order to elude TCP PAWS elimination.
Please send bug reports to nidsbench@anzen.com.