A network scanning tool for sending fragmented IPv4 and IPv6 packets.
This version is under development. See
https://github.com/yahoo/synfrag/tree/
for the latest stable version!
synfrag is a network scanning and penetration testing tool used to craft and send fragmented and unfragmented IPv4 and IPv6 packets. It currently supports sending both TCP SYN, ICMP echo (ping), and ICMP6 echo packets. Various fragmentation configurations are also available. synfrag tries its best to read any replies sent by targeted hosts to determine if they are willing or able to respond.
The purpose of synfrag is to test host and network responses to fragmented requests. Many current routers implement access control lists (ACLs) in a manner that is unable to properly detect traffic inside fragmented IP packets, leading to situations where hosts are believed to be isolated from internet traffic by these ACLs. In some cases, specially crafted packets can bypass these router ACLs by taking advantage of their inability to properly process fragmented packets, exposing hosts to the internet unprotected.
Some operating systems implement a security mechanism that ignores fragmented TCP SYN packets, preventing connections from being established under the assumption that these packets are abnormal and specially designed to circumvent network protections. However, many of these operating systems do not implement the same protections for all protocols, allowing some fragmented traffic through while blocking others.
synfrag is currently under development and is missing some useful features. Namely, synfrag does not resolve hostnames nor discover the next-hop layer 2 address, and requires the user to specify these parameters.
Additionally, synfrag does not attempt to prevent the host operating system from interpreting any replies received from scanned hosts, meaning that after a scan the operating system may send a TCP RST packet to the scanned host, misinterpreting its reply as meant for the operating system. This can be worked around via firewall rules.
TCP SYN requests sent by synfrag currently all use the source port 44128. The same number is used for ICMP/6 echo packet IDs. When writing firewall rules to prevent the operating system from misinterpreting replies or to prevent synfrag scans, traffic sent to (or from) this port, or with this ICMP echo ID, can be discarded.
The following example uses synfrag to probe TCP port 22 via unfragmented IPv4. Note that the dstmac parameter is set to that of the router between the srcip's network and the dstip's network:
%sudo ./synfrag \
--srcip 10.72.122.120 \
--dstip 10.72.107.254 \
--interface eth1 \
--dstmac 00:00:0C:07:AC:01 \
--dstport 22 \
--test v4-tcp
Starting test "v4-tcp". Opening interface "eth1".
Ethernet Frame, ethertype 0x0800 (ETHERTYPE_IP)
Src MAC 00:1A:4B:C6:F5:2E
Dest MAC 00:00:0C:07:AC:01
IPv4 Packet:
Src IP: 10.72.122.120
Dst IP: 10.72.107.254
Protocol: 6 (IPPROTO_TCP)
Frag Offset: 0 (0 bytes)
Flags: 0 (None)
Iphl: 5 (20 bytes)
TCP Packet:
Src Port: 44128
Dst Port: 22
Seq Num: 637685203
Ack Num: 0
Flags: 2 (SYN)
Packet transmission successful, waiting for reply...
IPv4 Packet:
Src IP: 10.72.107.254
Dst IP: 10.72.122.120
Protocol: 6 (IPPROTO_TCP)
Frag Offset: 0 (0 bytes)
Flags: 2 (DF)
Iphl: 5 (20 bytes)
TCP Packet:
Src Port: 22
Dst Port: 44128
Seq Num: 392222197
Ack Num: 637685204
Flags: 18 (SYN, ACK)
Test was successful.In this example, synfrag will send a fragmented IPv4 TCP SYN packet to the target host, with the initial fragment padded out to 68 bytes. Most hosts will drop fragmented IPv4 TCP SYN packets, which is the case here. Note the target responds with an ICMP fragment reassembly time exceeded message, though synfrag will only see the reply if we increase the default timeout to 60 seconds.
sudo ./synfrag \
--srcip 10.72.122.120 \
--dstip 10.72.107.254 \
--interface eth1 \
--dstmac 00:00:0C:07:AC:01 \
--dstport 22 \
--test v4-frag-optioned-tcp \
--timeout 60
Starting test "v4-frag-optioned-tcp". Opening interface "eth1".
Ethernet Frame, ethertype 0x0800 (ETHERTYPE_IP)
Src MAC 00:1A:4B:C6:F5:2E
Dest MAC 00:00:0C:07:AC:01
IPv4 Packet:
Src IP: 10.72.122.120
Dst IP: 10.72.107.254
Protocol: 6 (IPPROTO_TCP)
Frag Offset: 0 (0 bytes)
Flags: 1 (MF)
Iphl: 13 (52 bytes)
TCP Packet:
Src Port: 44128
Dst Port: 22
Seq Num: 956140482
Ack Num: 2409889792
Flags: 2 (SYN)
IPv4 Packet:
Src IP: 10.72.122.120
Dst IP: 10.72.107.254
Protocol: 6 (IPPROTO_TCP)
Frag Offset: 1 (8 bytes)
Flags: 0 (None)
Iphl: 5 (20 bytes)
Packet transmission successful, waiting for reply...
IPv4 Packet:
Src IP: 10.72.107.254
Dst IP: 10.72.122.120
Protocol: 1 (IPPROTO_ICMP)
Frag Offset: 0 (0 bytes)
Flags: 0 (None)
Iphl: 5 (20 bytes)
ICMP Packet:
Type: 11 (Time Exceeded)
Code: 1 (Fragment Reassembly Time Exceeded)
Test failed.synfrag is released under the BSD license. synfrag includes BSD licensed code from libnet, and links against libpcap, also licensed under the BSD license.
Copyright 2012, Yahoo! Inc. All rights reserved.
John Eaglesham
Source code for stable versions of synfrag are available on Yahoo's github account, located at:
https://github.com/yahoo/synfrag/tree/
The current development branch is availble from the author's github tree, located at:
https://github.com/jeagle/synfrag/tree/
Add ability to use synfrag as a proxy (similar to netcat), allowing full connections to be tunneled through synfrag. Requires implementing more of a real TCP/IP stack.
Initial release as open source, thanks Yahoo!
Converted documentation to POD, added examples.
Fixed extra free() after timeout.
Print pretty flag names.
Allow users to specify a timeout period.
Internal release.