This repository has been archived by the owner on Apr 18, 2019. It is now read-only.
forked from je9000/synfrag
Print pretty names for flags, pretty documentation, allow a user specified timeout.
Showing 5 changed files with 371 additions and 16 deletions.
@@ -0,0 +1,116 @@ | ||
synfrag | ||
A network scanning tool for sending fragmented IPv4 and IPv6 packets. | ||
|
||
Description | ||
synfrag is a network scanning and penetration testing tool used to craft | ||
and send fragmented and unfragmented IPv4 and IPv6 packets. It currently | ||
supports sending both TCP SYN, ICMP echo (ping), and ICMP6 echo packets. | ||
Various fragmentation configurations are also available. synfrag tries | ||
its best to read any replies sent by targeted hosts to determine if they | ||
are willing or able to respond. | ||
|
||
The purpose of synfrag is to test host and network responses to | ||
fragmented requests. Many current routers implement access control lists | ||
(ACLs) in a manner that is unable to properly detect traffic inside | ||
fragmented IP packets, leading to situations where hosts are believed to | ||
be isolated from internet traffic by these ACLs. In some cases, | ||
specially crafted packets can bypass these router ACLs by taking | ||
advantage of their inability to properly process fragmented packets, | ||
exposing hosts to the internet unprotected. | ||
|
||
Some operating systems implement a security mechanism that ignores | ||
fragmented TCP SYN packets, preventing connections from being | ||
established under the assumption that these packets are abnormal and | ||
specially designed to circumvent network protections. However, many of | ||
these operating systems do not implement the same protections for all | ||
protocols, allowing some fragmented traffic through while blocking | ||
others. | ||
|
||
Notes | ||
synfrag is currently under development and is missing some useful | ||
features. Namely, synfrag does not resolve hostnames nor discover the | ||
next-hop layer 2 address, and requires the user to specify these | ||
parameters. | ||
|
||
Additionally, synfrag does not attempt to prevent the host operating | ||
system from interpreting any replies received from scanned hosts, | ||
meaning that after a scan the operating system may send a TCP RST packet | ||
to the scanned host, misinterpreting its reply as meant for the | ||
operating system. This can be worked around via firewall rules. | ||
|
||
TCP SYN requests sent by synfrag currently all use the source port | ||
44128. The same number is used for ICMP/6 echo packet IDs. When writing | ||
firewall rules to prevent the operating system from misinterpreting | ||
replies or to prevent synfrag scans, traffic sent to (or from) this | ||
port, or with this ICMP echo ID, can be discarded. | ||
|
||
Examples | ||
The following is a simple example test using synfrag to probe TCP port | ||
22 via unfragmented IPv4. Note that the dstmac parameter is set to that | ||
of the router between the srcip's network and the dstip's network: | ||
|
||
%sudo ./synfrag \ | ||
--srcip 10.72.122.120 | ||
--dstip 10.72.107.254 \ | ||
--interface eth1 \ | ||
--dstmac 00:00:0C:07:AC:01 \ | ||
--dstport 22 \ | ||
--test v4-tcp | ||
Starting test "v4-tcp". Opening interface "eth1". | ||
|
||
Ethernet Frame, ethertype 2048 | ||
Src MAC 00:1A:4B:C6:F5:2E | ||
Dest MAC 00:00:0C:07:AC:01 | ||
|
||
IPv4 Packet: | ||
Src IP: 10.72.122.120 | ||
Dst IP: 10.72.107.254 | ||
Protocol: 6 | ||
Frag Offset: 0 | ||
Flags: 0 | ||
Iphl: 5 | ||
|
||
TCP Packet: | ||
Src Port: 44128 | ||
Dst Port: 22 | ||
Seq Num: 6026158 | ||
Ack Num: 0 | ||
Syn: 1 | ||
Ack: 0 | ||
Rst: 0 | ||
|
||
Packet transmission successful, waiting for reply... | ||
|
||
IPv4 Packet: | ||
Src IP: 10.72.107.254 | ||
Dst IP: 10.72.122.120 | ||
Protocol: 6 | ||
Frag Offset: 0 | ||
Flags: 2 | ||
Iphl: 5 | ||
|
||
TCP Packet: | ||
Src Port: 22 | ||
Dst Port: 44128 | ||
Seq Num: 321403012 | ||
Ack Num: 6026159 | ||
Syn: 1 | ||
Ack: 1 | ||
Rst: 0 | ||
|
||
Test was successful. | ||
|
||
License | ||
synfrag is released under the BSD license. synfrag includes BSD licensed | ||
code from libnet, and links against libpcap, also licensed under the BSD | ||
license. | ||
|
||
Copyright | ||
Copyright Yahoo! Inc, 2012 | ||
|
||
Author | ||
John Eaglesham | ||
|
||
Changes | ||
1.0 - 20120209 | ||
Initial release as open source. |
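Review bot: the example invocation in the Examples section is broken by a missing line continuation: `--srcip 10.72.122.120` has no trailing `\`, so a shell stops the synfrag command there and tries to run `--dstip 10.72.107.254 \` as a separate command; add the backslash so the example copy-pastes as written (and `%sudo` reads as a typo for `% sudo`). The commit message says it adds a user-specified timeout, but nothing in this README documents the new option or its default, so the Examples or Notes section should say how to set it and what happens when no reply arrives before it expires. Since the Notes section admits synfrag does not discover the next-hop layer 2 address, a one-line hint beside the `--dstmac` example on where to read the router's MAC from (the host's ARP or neighbour table) would save every new user the same question.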
@@ -0,0 +1,9 @@ | ||
tcp_flag_names[0] = NULL; | ||
tcp_flag_names[1] = "CWR"; | ||
tcp_flag_names[2] = "ECN"; | ||
tcp_flag_names[3] = "URG"; | ||
tcp_flag_names[4] = "ACK"; | ||
tcp_flag_names[5] = "PSH"; | ||
tcp_flag_names[6] = "RST"; | ||
tcp_flag_names[7] = "SYN"; | ||
tcp_flag_names[8] = "FIN"; |
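Review bot: index 2 is labelled "ECN", but the bit between CWR (0x80) and URG (0x20) in the TCP flags byte is ECE, the ECN-Echo flag of RFC 3168; rename it so the printed names match what tcpdump and Wireshark show and do not suggest a flag that does not exist. Two smaller points: the table is populated by nine runtime assignments rather than a static initializer, and `static const char *tcp_flag_names[9] = { NULL, "CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN" };` is shorter, cannot be run twice or out of order, and lets the compiler place the pointers in read-only data; and because entry 0 is deliberately NULL, whatever walks this table to build a flags string must skip index 0 or guard against handing NULL to `%s` or `strcat`, otherwise an all-zero flags byte or an off-by-one loop bound crashes the printer.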
@@ -0,0 +1,30 @@ | ||
/* | ||
* Copyright (c) 2012, Yahoo! Inc All rights reserved. | ||
* | ||
* Redistribution and use in source and binary forms, with or without | ||
* modification, are permitted provided that the following conditions are met: | ||
* | ||
* Redistributions of source code must retain the above copyright notice, | ||
* this list of conditions and the following disclaimer. Redistributions | ||
* in binary form must reproduce the above copyright notice, this list | ||
* of conditions and the following disclaimer in the documentation and/or | ||
* other materials provided with the distribution. | ||
* | ||
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" | ||
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS | ||
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, | ||
* OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | ||
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | ||
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | ||
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | ||
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF | ||
* THE POSSIBILITY OF SUCH DAMAGE. | ||
* | ||
* Author: John Eaglesham | ||
*/ | ||
|
||
char *tcp_flags_to_names( unsigned char ); | ||
char *icmp_type_to_name( unsigned char ); | ||
char *icmp_code_to_name( unsigned char, unsigned char ); |
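Review bot: this header has no include guard around the three prototypes (`#ifndef SYNFRAG_NAMES_H` / `#define` / `#endif`, name as you prefer); repeated prototypes are harmless today, but the guard costs three lines and avoids a redefinition error the first time a typedef or inline function lands here. Prefer `const char *` as the return type of all three functions: name-lookup routines like these return string literals or static table entries, and a plain `char *` invites a caller to `free()` or modify the result. Finally, `tcp_flags_to_names` takes a whole flags byte and, going by its plural name, returns a combined string such as several flag names joined together, so a comment above the prototype should state whether that buffer is static (overwritten by the next call, so unsafe to use twice in one printf) or heap-allocated and owned by the caller; the other two, returning a single name, need no such note.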