fragrouter - network intrusion detection evasion toolkit
fragrouter [ -i interface ] [ -p ] [ -g hop ] [ -G hopcount ] ATTACK
Fragrouter is a program for routing network traffic in such a way as to elude most network intrusion detection systems. Most attacks implemented correspond to those listed in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998.
- -i: Specify the interface to accept packets on.
- -p: Preserve the entire protocol header in the first fragment. This is useful in bypassing packet filters that deny short IP fragments.
- -g: Specify a hop along a loose source routed path. Can be used more than once to build a chain of hop points.
- -G: Positions the "hop counter" within the list of hosts in the path of a source routed packet. Should be a multiple of 4. Can be set past the length of the loose source routed path to implement Anthony Osborne's Windows IP source routing attack of September 1999.
The following attack options are mutually exclusive - you may only specify one type of attack to run at a time.
- -B1 (baseline-1): Normal IP forwarding.
- -F1 (frag-1): Send data in ordered 8-byte IP fragments.
- -F2 (frag-2): Send data in ordered 24-byte IP fragments.
- -F3 (frag-3): Send data in ordered 8-byte IP fragments, with one fragment sent out of order.
- -F4 (frag-4): Send data in ordered 8-byte IP fragments, duplicating the penultimate fragment in each packet.
- -F5 (frag-5): Send data in out of order 8-byte IP fragments, duplicating the penultimate fragment in each packet.
- -F6 (frag-6): Send data in ordered 8-byte IP fragments, sending the marked last fragment first.
- -F7 (frag-7): Send data in ordered 16-byte IP fragments, preceding each fragment with an 8-byte null data fragment that overlaps the latter half of it. This amounts to the forward-overlapping 16-byte fragment rewriting the null data back to the real attack.
- -T1 (tcp-1): Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte segments.
- -T3 (tcp-3): Complete TCP handshake, send data in ordered 1-byte segments, duplicating the penultimate segment of each original TCP packet.
- -T4 (tcp-4): Complete TCP handshake, send data in ordered 1-byte segments, sending an additional 1-byte segment which overlaps the penultimate segment of each original TCP packet with a null data payload.
- -T5 (tcp-5): Complete TCP handshake, send data in ordered 2-byte segments, preceding each segment with a 1-byte null data segment that overlaps the latter half of it. This amounts to the forward-overlapping 2-byte segment rewriting the null data back to the real attack.
- -T7 (tcp-7): Complete TCP handshake, send data in ordered 1-byte segments interleaved with 1-byte null segments for the same connection but with drastically different sequence numbers.
- -T8 (tcp-8): Complete TCP handshake, send data in ordered 1-byte segments with one segment sent out of order.
- -T9 (tcp-9): Complete TCP handshake, send data in out of order 1-byte segments.
- -C2 (tcbc-2): Complete TCP handshake, send data in ordered 1-byte segments interleaved with SYN packets for the same connection parameters.
- -C3 (tcbc-3): Do not complete TCP handshake, but send null data in ordered 1-byte segments as if one had occurred. Then, complete a TCP handshake with the same connection parameters, and send the real data in ordered 1-byte segments.
- -R1 (tcbt-1): Complete TCP handshake, shut connection down with a RST, re-connect with drastically different sequence numbers and send data in ordered 1-byte segments.
- -I2 (ins-2): Complete TCP handshake, send data in ordered 1-byte segments but with bad TCP checksums.
- -I3 (ins-3): Complete TCP handshake, send data in ordered 1-byte segments but with no ACK flag set.
- -M1 (misc-1): Thomas Lopatic's Windows NT 4 SP2 IP fragmentation attack of July 1997 (see http://www.dataprotect.com/ntfrag/ for details). This attack has only been implemented for UDP.
- -M2 (misc-2): John McDonald's Linux IP chains IP fragmentation attack of July 1998 (see http://www.dataprotect.com/ipchains/ for details). This attack has only been implemented for TCP and UDP.
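The frag-7 and tcp-5 options above work only if the sensor and the end host resolve overlapping data differently. The Python below is an added example, not part of fragrouter: it reassembles a constructed frag-7 shaped fragment sequence under a first-wins and a last-wins policy, flags the overlap, and shows that the two views of the payload disagree. The fragment layout, the `Frag` type and the sample payload are constructed here, and the two policies are illustrative rather than any particular operating system's behaviour.

```python
from dataclasses import dataclass

@dataclass
class Frag:
    offset: int  # byte offset of this fragment's data within the datagram
    data: bytes

def reassemble(frags, policy):
    """Rebuild a payload from fragments in arrival order.
    'first': the first data seen for a byte wins, later overlaps are ignored.
    'last':  later fragments overwrite earlier ones.
    Returns (payload, overlap_seen)."""
    size = max(f.offset + len(f.data) for f in frags)
    buf, seen, overlap = bytearray(size), bytearray(size), False
    for f in frags:
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if seen[pos]:
                overlap = True
                if policy == "first":
                    continue
            buf[pos] = b
            seen[pos] = 1
    return bytes(buf), overlap

def frag7_stream(payload):
    """Constructed frag-7 shaped sequence: each 16-byte data fragment is preceded
    by a null fragment covering its latter half, which the real fragment then
    forward-overlaps. Offsets are byte offsets, not the IP header's 8-byte units."""
    frags = []
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        if len(chunk) > 8:  # a short final chunk may have no latter half to overlap
            frags.append(Frag(off + 8, b"\x00" * (len(chunk) - 8)))
        frags.append(Frag(off, chunk))
    return frags

def analyze(frags):
    """Reassemble under both policies: a sensor keeping first-seen data and a
    host keeping last-seen data disagree exactly when the overlap trick works."""
    first, overlap = reassemble(frags, "first")
    last, _ = reassemble(frags, "last")
    return {"overlap": overlap, "policies_disagree": first != last,
            "first": first, "last": last}

SAMPLE = b"GET /index.html HTTP/1.0\r\n\r\n"  # constructed sample, not from the page

if __name__ == "__main__":
    for key, val in analyze(frag7_stream(SAMPLE)).items():
        print(f"{key}: {val!r}")
```

A sensor that raises an alert whenever overlap is seen, rather than silently picking one policy, does not have to guess which view the destination host will act on.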
tcpdump(8), tcpreplay(8), pcap(3), libnet(3)
Dug Song, Anzen Computing.
The current version is available via HTTP:
http://www.anzen.com/research/nidsbench/
IP options will carry across all fragments of a packet. Fragrouter is not smart enough to determine which IP options are valid only in the first fragment. This is considered a feature, not a bug. :-)

Similarly, TCP options will carry across all segments of a split TCP packet - except for null data packets preceding a forward overwrite, which lack any TCP options in order to elude TCP PAWS elimination.
Please send bug reports to nidsbench@anzen.com.