fragrouter(8) - Linux man page
Name
fragrouter - network intrusion detection evasion toolkit
Synopsis
fragrouter [ -i interface ] [ -p ] [ -g hop ] [ -G hopcount ] ATTACK
Description
Fragrouter is a program for routing network traffic in such a way as to elude most network intrusion detection systems.
Most attacks implemented correspond to those listed in the Secure Networks ''Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection'' paper of January 1998.
Options
-i
Specify the interface to accept packets on.
-p
Preserve the entire protocol header in the first fragment. This is useful in bypassing packet filters that deny short IP fragments.
-g
Specify a hop along a loose source routed path. Can be used more than once to build a chain of hop points.
-G
Positions the "hop counter" within the list of hosts in the path of a source routed packet. Should be a multiple of 4. Can be set past the length of the loose source routed path to implement Anthony Osborne's Windows IP source routing attack of September 1999.
The following attack options are mutually exclusive - you may only specify one type of attack to run at a time.
-B1
baseline-1: Normal IP forwarding.
-F1
frag-1: Send data in ordered 8-byte IP fragments.
-F2
frag-2: Send data in ordered 24-byte IP fragments.
-F3
frag-3: Send data in ordered 8-byte IP fragments, with one fragment sent out of order.
-F4
frag-4: Send data in ordered 8-byte IP fragments, duplicating the penultimate fragment in each packet.
-F5
frag-5: Send data in out of order 8-byte IP fragments, duplicating the penultimate fragment in each packet.
-F6
frag-6: Send data in ordered 8-byte IP fragments, sending the marked last fragment first.
-F7
frag-7: Send data in ordered 16-byte IP fragments, preceding each fragment with an 8-byte null data fragment that overlaps the latter half of it. This amounts to the forward-overlapping 16-byte fragment rewriting the null data back to the real attack.
-T1
tcp-1: Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte segments.
-T3
tcp-3: Complete TCP handshake, send data in ordered 1-byte segments, duplicating the penultimate segment of each original TCP packet.
-T4
tcp-4: Complete TCP handshake, send data in ordered 1-byte segments, sending an additional 1-byte segment which overlaps the penultimate segment of each original TCP packet with a null data payload.
-T5
tcp-5: Complete TCP handshake, send data in ordered 2-byte segments, preceding each segment with a 1-byte null data segment that overlaps the latter half of it. This amounts to the forward-overlapping 2-byte segment rewriting the null data back to the real attack.
-T7
tcp-7: Complete TCP handshake, send data in ordered 1-byte segments interleaved with 1-byte null segments for the same connection but with drastically different sequence numbers.
-T8
tcp-8: Complete TCP handshake, send data in ordered 1-byte segments with one segment sent out of order.
-T9
tcp-9: Complete TCP handshake, send data in out of order 1-byte segments.
-C2
tcbc-2: Complete TCP handshake, send data in ordered 1-byte segments interleaved with SYN packets for the same connection parameters.
-C3
tcbc-3: Do not complete TCP handshake, but send null data in ordered 1-byte segments as if one had occurred. Then, complete a TCP handshake with the same connection parameters, and send the real data in ordered 1-byte segments.
-R1
tcbt-1: Complete TCP handshake, shut connection down with a RST, re-connect with drastically different sequence numbers and send data in ordered 1-byte segments.
-I2
ins-2: Complete TCP handshake, send data in ordered 1-byte segments but with bad TCP checksums.
-I3
ins-3: Complete TCP handshake, send data in ordered 1-byte segments but with no ACK flag set.
-M1
misc-1: Thomas Lopatic's Windows NT 4 SP2 IP fragmentation attack of July 1997 (see http://www.dataprotect.com/ntfrag/ for details). This attack has only been implemented for UDP.
-M2
misc-2: John McDonald's Linux IP chains IP fragmentation attack of July 1998 (see http://www.dataprotect.com/ipchains/ for details). This attack has only been implemented for TCP and UDP.
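Worked example (added for this page; it is not part of fragrouter and sends no packets): the fragment layouts described above for -F1/-F2 (with and without -p), -F7 and -T5 are modelled as (offset, data) chunks and fed to a minimal reassembler with two overlap policies, so the effect of the forward overlap can be checked offline. The policy split (keep the first copy of a byte versus let a later chunk overwrite it) is a simplification of the rules real stacks and monitors apply, the sample HTTP request is constructed, and lsrr_option() assumes that the -G hop counter corresponds to the pointer field of the RFC 791 loose source route option; nothing else here is taken from the tool.

```python
# Added example (not fragrouter's own code): a model of the fragment and
# segment layouts described in fragrouter(8), with a minimal reassembler, so
# the evasion can be observed without sending packets.  Offsets are byte
# offsets into one original datagram; IP/TCP headers, checksums and flags are
# not modelled.  The two reassembly policies are a simplification: real
# stacks and monitors apply more detailed overlap rules (they depend on the
# overlap direction and on chunk sizes), but the first-copy versus last-copy
# split is the part that the forward overlap of frag-7 and tcp-5 relies on.
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Fragment:
    offset: int    # byte offset of this chunk within the original datagram
    data: bytes


def plain_fragments(datagram: bytes, size: int, preserve_header: int = 0) -> List[Fragment]:
    """frag-1 (size=8) and frag-2 (size=24): ordered, non-overlapping chunks.

    preserve_header models the -p option: when the transport header is longer
    than one chunk, the first fragment is enlarged to carry all of it, rounded
    up to a multiple of 8 because IP fragment offsets are in 8-byte units.
    """
    first = size
    if preserve_header > size:
        first = -(-preserve_header // 8) * 8   # ceiling to a multiple of 8
    frags = [Fragment(0, datagram[:first])]
    for off in range(first, len(datagram), size):
        frags.append(Fragment(off, datagram[off:off + size]))
    return frags


def forward_overlap_fragments(payload: bytes, size: int) -> List[Fragment]:
    """frag-7 (size=16) and tcp-5 (size=2): each real chunk is preceded by a
    null chunk of size//2 bytes covering the latter half of it, so the real
    chunk, arriving second, overlaps forward onto the null data."""
    frags: List[Fragment] = []
    half = size // 2
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        if len(chunk) > half:            # a short tail has no latter half to cover
            frags.append(Fragment(off + half, b"\x00" * (len(chunk) - half)))
        frags.append(Fragment(off, chunk))
    return frags


def reassemble(frags: List[Fragment], favor_new: bool) -> bytes:
    """Rebuild the datagram from chunks in arrival order.  favor_new=True lets
    a later chunk overwrite bytes already received (the real data wins);
    favor_new=False keeps the first copy of every byte (the null data wins)."""
    total = max(f.offset + len(f.data) for f in frags)
    buf = bytearray(total)
    seen = bytearray(total)              # 1 where a byte has already been filled
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if favor_new or not seen[pos]:
                buf[pos] = b
                seen[pos] = 1
    return bytes(buf)


def lsrr_option(hops: List[str], pointer: int = 4) -> bytes:
    """Loose source route option as carried in the IP header (RFC 791: type
    131, length, pointer, then one 4-byte address per hop).  The pointer is
    the 1-based offset of the next hop to use: 4 selects the first hop and
    each hop advances it by 4, which is why -G takes a multiple of 4.  This
    example assumes -G sets this field; values past the end of the list are
    accepted, as the -G description allows."""
    body = b"".join(bytes(int(o) for o in h.split(".")) for h in hops)
    return bytes([131, 3 + len(body), pointer]) + body


# Constructed sample request standing in for "the attack" (not real traffic).
PAYLOAD = b"GET /cgi-bin/phf?Qalias=x HTTP/1.0\r\n"

if __name__ == "__main__":
    for size, name in ((16, "frag-7"), (2, "tcp-5")):
        frags = forward_overlap_fragments(PAYLOAD, size)
        print(f"{name}: {len(frags)} chunks")
        print("  last-copy host  :", reassemble(frags, favor_new=True))
        print("  first-copy NIDS :", reassemble(frags, favor_new=False))
    header = b"\x00" * 20                # stand-in for a 20-byte TCP header
    for f in plain_fragments(header + PAYLOAD, 8, preserve_header=20):
        print(f"-p frag-1: offset {f.offset:2d} len {len(f.data)}")
    print("-g/-G option bytes:", lsrr_option(["10.0.0.1", "10.0.0.2"], pointer=12).hex())
```

Run directly, the script prints the two reassembled views: a monitor that keeps the first copy of each byte sees null data in the latter half of every chunk, while a host that lets the later chunk overwrite sees the complete request. Whether a given target favours the later chunk for this overlap shape, and what the monitor in front of it does, must be verified against those systems; that is the reason the attack options are separate and mutually exclusive.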
See Also
tcpdump(8), tcpreplay(8), pcap(3), libnet(3)
Author
Dug Song, Anzen Computing.
The current version is available via HTTP:
Bugs
IP options will carry across all fragments of a packet. Fragrouter is not smart enough to determine which IP options are valid only in the first fragment. This is considered a feature, not a bug. :-)
Similarly, TCP options will carry across all segments of a split TCP packet - except for null data packets preceding a forward overwrite, which lack any TCP options in order to elude TCP PAWS elimination.
Please send bug reports to nidsbench@anzen.com.