Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
tree: a0006f6101
Fetching contributors…

Cannot retrieve contributors at this time

212 lines (157 sloc) 6.018 kb

synfrag

A network scanning tool for sending fragmented IPv4 and IPv6 packets.

Description

synfrag is a network scanning and penetration testing tool used to craft and send fragmented and unfragmented IPv4 and IPv6 packets. It currently supports sending both TCP SYN, ICMP echo (ping), and ICMP6 echo packets. Various fragmentation configurations are also available. synfrag tries its best to read any replies sent by targeted hosts to determine if they are willing or able to respond.

The purpose of synfrag is to test host and network responses to fragmented requests. Many current routers implement access control lists (ACLs) in a manner that is unable to properly detect traffic inside fragmented IP packets, leading to situations where hosts are believed to be isolated from internet traffic by these ACLs. In some cases, specially crafted packets can bypass these router ACLs by taking advantage of their inability to properly process fragmented packets, exposing hosts to the internet unprotected.

Some operating systems implement a security mechanism that ignores fragmented TCP SYN packets, preventing connections from being established under the assumption that these packets are abnormal and specially designed to circumvent network protections. However, many of these operating systems do not implement the same protections for all protocols, allowing some fragmented traffic through while blocking others.

Notes

synfrag is currently under development and is missing some useful features. Namely, synfrag does not resolve hostnames nor discover the next-hop layer 2 address, and requires the user to specify these parameters.

Additionally, synfrag does not attempt to prevent the host operating system from interpreting any replies received from scanned hosts, meaning that after a scan the operating system may send a TCP RST packet to the scanned host, misinterpreting its reply as meant for the operating system. This can be worked around via firewall rules.

TCP SYN requests sent by synfrag currently all use the source port 44128. The same number is used for ICMP/6 echo packet IDs. When writing firewall rules to prevent the operating system from misinterpreting replies or to prevent synfrag scans, traffic sent to (or from) this port, or with this ICMP echo ID, can be discarded.

Examples

v4-tcp

The following example uses synfrag to probe TCP port 22 via unfragmented IPv4. Note that the dstmac parameter is set to that of the router between the srcip's network and the dstip's network:

 %sudo ./synfrag \
  --srcip 10.72.122.120 \
  --dstip 10.72.107.254 \
  --interface eth1 \
  --dstmac 00:00:0C:07:AC:01 \
  --dstport 22 \
  --test v4-tcp
 Starting test "v4-tcp". Opening interface "eth1".
 
 Ethernet Frame, ethertype 0x0800 (ETHERTYPE_IP)
  Src MAC 00:1A:4B:C6:F5:2E
  Dest MAC 00:00:0C:07:AC:01
 
 IPv4 Packet:
  Src IP: 10.72.122.120
  Dst IP: 10.72.107.254
  Protocol: 6 (IPPROTO_TCP)
  Frag Offset: 0 (0 bytes)
  Flags: 0 (None)
  Iphl: 5 (20 bytes)
 
 TCP Packet:
  Src Port: 44128
  Dst Port: 22
  Seq Num: 637685203
  Ack Num: 0
  Flags: 2 (SYN)
 
 Packet transmission successful, waiting for reply...
 
 IPv4 Packet:
  Src IP: 10.72.107.254
  Dst IP: 10.72.122.120
  Protocol: 6 (IPPROTO_TCP)
  Frag Offset: 0 (0 bytes)
  Flags: 2 (DF)
  Iphl: 5 (20 bytes)
 
 TCP Packet:
  Src Port: 22
  Dst Port: 44128
  Seq Num: 392222197
  Ack Num: 637685204
  Flags: 18 (SYN, ACK)
 
 Test was successful.

v4-frag-optioned-tcp

In this example, synfrag will send a fragmented IPv4 TCP SYN packet to the target host, with the initial fragment padded out to 68 bytes. Most hosts will drop fragmented IPv4 TCP SYN packets, which is the case here. Note the target responds with an ICMP fragment reassembly time exceeded message, though synfrag will only see the reply if we increase the default timeout to 60 seconds.

 sudo ./synfrag \
  --srcip 10.72.122.120 \
  --dstip 10.72.107.254 \
  --interface eth1 \
  --dstmac 00:00:0C:07:AC:01 \
  --dstport 22 \
  --test v4-frag-optioned-tcp \
  --timeout 60
 Starting test "v4-frag-optioned-tcp". Opening interface "eth1".
 
 Ethernet Frame, ethertype 0x0800 (ETHERTYPE_IP)
  Src MAC 00:1A:4B:C6:F5:2E
  Dest MAC 00:00:0C:07:AC:01
 
 IPv4 Packet:
  Src IP: 10.72.122.120
  Dst IP: 10.72.107.254
  Protocol: 6 (IPPROTO_TCP)
  Frag Offset: 0 (0 bytes)
  Flags: 1 (MF)
  Iphl: 13 (52 bytes)
 
 TCP Packet:
  Src Port: 44128
  Dst Port: 22
  Seq Num: 956140482
  Ack Num: 2409889792
  Flags: 2 (SYN)
 
 IPv4 Packet:
  Src IP: 10.72.122.120
  Dst IP: 10.72.107.254
  Protocol: 6 (IPPROTO_TCP)
  Frag Offset: 1 (8 bytes)
  Flags: 0 (None)
  Iphl: 5 (20 bytes)
 
 Packet transmission successful, waiting for reply...
 
 IPv4 Packet:
  Src IP: 10.72.107.254
  Dst IP: 10.72.122.120
  Protocol: 1 (IPPROTO_ICMP)
  Frag Offset: 0 (0 bytes)
  Flags: 0 (None)
  Iphl: 5 (20 bytes)
 
 ICMP Packet:
  Type: 11 (Time Exceeded)
  Code: 1 (Fragment Reassembly Time Exceeded)
 
 Test failed.

License

synfrag is released under the BSD license. synfrag includes BSD licensed code from libnet, and links against libpcap, also licensed under the BSD license.

Copyright

Copyright 2012, Yahoo! Inc. All rights reserved.

Author

John Eaglesham

Source Code

Source code for stable versions of synfrag are available on Yahoo's github account, located at:

https://github.com/yahoo/synfrag/tree/

The current development branch is availble from the author's github tree, located at:

https://github.com/jeagle/synfrag/tree/

To-do

Add ability to use synfrag as a proxy (similar to netcat), allowing full connections to be tunneled through synfrag. Requires implementing more of a real TCP/IP stack.

Changes

1.1 - 20120215

Initial release as open source, thanks Yahoo!

Converted documentation to POD, added examples.

Fixed extra free() after timeout.

Print pretty flag names.

Allow users to specify a timeout period.

1.0 - 20120209

Internal release.

Jump to Line
Something went wrong with that request. Please try again.