Softpanorama (slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Packet Generation Tools

Local cretinism is the historical curse of the security

Internet Control Message Protocol ICMP is service oriented protocol that is used mainly as a feedback/query mechanism for the IP protocol and routing. It's defined by RFC 792 - Internet Control Message Protocol (http://www.ietf.org/rfc/rfc0792.txt ).

There are two types of ICMP messages.

• Connection related messages (if a packet or a connection has problems on the IP layer), for example: 

  • Time to live expired (mostly seen during traceroutes) - type 11 code 0

  • Fragmentation needed, but don't fragment flag set - type 3 code 4 (see below)

  • Port unreachable (UDP connection to non-listening port) - type 3 code 3
     

• Standalone ICMP messages (pings). The sending side initializes the identifier (used to identify Echo requests aimed at different destination hosts) and sequence number (if multiple Echo Requests are sent to the same destination host), adds some data to the data field and sends the ICMP Echo to the destination host. In the ICMP header, the code equals zero. The recipient should only change the type to ECHO Reply and return the datagram to the sender (and the checksum of the ICMP header).

HPING2 is a popular network tool that can generate custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. HPING2 handles fragmentation, arbitrary packet body and size and can be used in order to transfer files under supported protocols.

Several other less popular tools also allow to generate ICMP datagrams.

Those datagrams can be used for various tasks: firewall checks, to check if particular host is alive, OS Fingerprinting, etc.  Here is some additional info from hping wiki:

In order to identify the connection/packet on which error ICMPs are sent, several bytes of the original packet are quoted inside the error packet. The RFC calls for quoting the entire IP header + 64bit (8 bytes) of the original packet's layer 4. For offending TCP/IP and UDP packets, this is enough to get the IP protocol, source IP, destination IP, and the source and destination ports, which is usually enough information to identify the offending connection. This is also used by some state keeping firewalls to pass the ICMP without an explicit rule allowing ICMP, based on it's relevance for the connection. Standalone ICMP packets
These are packets that are potentially unrelated to any other connection. They mean to perform an operation in and on themselves. These packets are usually defined in pairs, where one is the "request", and the other is the "response".

Typical messages seen on the internet:
Echo request/reply (Ping) - type 8 (request) and type 0 (reply)

Typically, the response message has a type that is one more than the request message. The noteable exception to this rule is the "echo request" message (aka "ping"), that is type 8, while the echo reply message is type 0.
 Common ICMP related connectivity problems
 Tunneled connections, such as ADSL PPPoE or PPTP connections, typically lower the maximum transfer unit MTU. This means a packet needs to be fragmented in order to fit the narrower pipe of the tunneled connection. Many hosts employ an algorithm called "path MTU discovery", or PMTU. This algorithm relies heavilly on dropped packets being reported using the ICMP "Fragmentation needed but don't fragment set" message (type 3 code 4). Sadly, some over-eager firewall admins block all ICMP messages, type 3 code 4 included. This results in attempts to download large files/email to hang indefenitely, as big packets are repeatedly sent, repeatedly dropped, and the ICMP that reports this drop is dropped as well. Worse, this problem only happend with some sites, as the problem is really not on the user's end at all.
The way to deal with this problem is to decrease the maximum segment size MSS advertised on the initial TCP/IP SYN packet. This can be achieve by either configuring the firewall that does the NAT (clamp MSS in IPTables), or by setting each machine's MTU to match that of the ADSL (1450 is a good value for ethernet based home networks).

Old News ;-)

[Aug 20, 2008] freshmeat.net Project details for Mausezahn

Mausezahn is a fast traffic generator which allows you to send nearly every possible and impossible packet. Mausezahn can be used, for example, as a traffic generator to stress multicast networks, for penetration testing of firewalls and IDS, for simulating DoS attacks on networks, to find bugs in network software or appliances, for reconnaissance attacks using ping sweeps and port scans, or to test network behavior under strange circumstances. Mausezahn gives you full control over the network interface card and allows you to send any byte stream you want (even violating Ethernet rules). Release focus: Code cleanup Changes: The tarball supports easier building of the binary via cmake. Furthermore, Mausezahn has now been licensed clearly under the GPLv2 (there was some confusion in the previous version). The Syslog protocol is now supported. Minor bugs have been fixed.

Hping for suse

Index of /repositories/home:/peternixon/openSUSE_Factory/src

hping-2.0.0-5.16.src.rpm 06-Sep-2007 15:19 105K [ ] hping-2.0.0-5.24.src.rpm 06-Sep-2007 ... Apache/2.2.6 (Linux/SUSE) Server at download.opensuse.org Port 80.
download.opensuse.org/repositories/home:/peternixon/openSUSE_Factory/src/ - 5k -

Neohapsis Archives - SecurityFocus-Linux - Re Packet Creator - From aridgeimg

You could try any of the tools below:

hping2.tgz - one of the best tools for building ICMP/TCP/UDP packets from
the command line. Useful for port scanning, network mapping, and general
purpose network security research. [H]
isic.tgz - a Libnet based tool for generating garbage Ethernet/IP/UDP/TCP
traffic [H]
sing.tgz - another tool for generating ICMP datagrams [H]
sendip.tgz - a nice command-line tool for generating IP, IPv6, UDP, TCP, and
RIP traffic that is under active development. [H]
sendpkt.tgz - another command-line packet generation tools
mpac.tgz - a packet generation tool that allows you to specify a file for
each layer (TCP,IP,Ethernet)
nemesis.tgz - Another Libnet based "packet-injection" suite that support
OSPF and IGMP along with the usual [H]
nasl.tgz - NASL is the language used by Nessus scanner to conduct
vulnerability checks.
packedit.tgz - contains editcap, a utility from ethereal for modifying
captured tcpdump files and tcpreplay, for replaying captured tcpdump files.

To get them all in one Linux Distro, go to
http://trinux.sourceforge.net/
 

Alan Ridgeway
---------------------------------------------
I was a peripheral visionary.
I could see the future,
but only way off to the side.
  --Steven Wright
--------------------------------------------

FreshPorts -- net-mgmt-sing sing 1.1 / net-mgmt  

Tool for sending customized ICMP packets

To add the package: pkg_add -r sing

Also listed in: security
required to build: net/libnet
http://heanet.dl.sourceforge.net/sourceforge/sing/

http://aleron.dl.sourceforge.net/sourceforge/sing/ http://umn.dl.sourceforge.net/sourceforge/sing/

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/

CVSWeb : Sources : Main Web Site : PortsMon

Sing is a little tool that sends ICMP packets fully customized from command line. The main purpose is to replace/complement the niceful ping command with certain enhancements as:

• Send fragmented packets (Linux and BSD).
• Send monster packets > 65534 (Linux and BSD).
• Send/read spoofed packets.
• Send many ICMP Information types in addition to the ECHO REQUEST type sent by default as Address Mask Request, Timestamp, Information Request, Router Solicitation and Router Advertisement.
• Send many ICMP error types: Redirect, Source Quench, Time Exceeded, Destination Unreach and Parameter Problem.
• Send to host with Loose or Strict Source Routing.
• Use little fingerprinting techniques to discover Windows or Solaris boxes.
• Send ICMP packets emulating certain OS: Cisco, Solaris, Linux, Shiva, Unix and Windows at the moment.

WWW: http://sourceforge.net/projects/sing/ --Roman <roman@xpert.com>

Recommended Links

• Trinux Packages Sniffers and Network Analyzers
  These tools put the NIC into the promiscuous mode to capture traffic at the link layer. Sniffing may or may not be legal on your network.
   
  • tcpdump.tgz - the original *nix sniffer
  • ethereal.tgz - console version of Ethereal
  • ngrep.tgz - applies regexes to network traffic, besides being a general purpose sniffer [H]
  • ipgrab.tgz - another libpcap based sniffer that provides verbose, but easy-to-read protocol decodes [H]
  • nstreams.tgz - another libpcap network monitor that identifies streams (IPs endpoints & protocols)
  • iptraf.tgz - a curses-based network analysis tool
  • trafshow.tgz - a nice curses monitoring program
  • darkstat.tgz - statistics gathering similar to ntop. [H]
  • ipaudit.tgz - contains two pcap monitoring tools (ipstrings and ipaudit)
  • pof.tgz - performs passive OS detection
  • sniffit.tgz - command-line/menu driven sniffer [H]
  • dsniff.tgz - a sniffer and much more including SSH,SSL,TCP hijacking [H]
  • utcpdump.tgz - stripped down verison of tcpdump 3.4 small enough to put on the Trinux boot floppy for basic troubleshooting.
  • angst.tgz - a "active" sniffer for capturing packets on switched LANs [H]
  • ettercap.tgz - A curses-based sniffer that utilizes ARP spoofing to sniff across switches.[H]
  • vomit.tgz - pcap based sniffer for decoding Cisco IP Phone conversations. [H ]
  Packet Generators
  These tools can be use to build and send custom TCP/IP packets. While many of these tools have similar (or even overlapping) features, they all have their niche.
  • dnet.tgz - nice little tool from libdnet. [H]
  • hping2.tgz - one of the best tools for building ICMP/TCP/UDP packets from the command line. Useful for port scanning, network mapping, and general purpose network security research. [H]
  • irpas.tgz - a very nasty set of tools that if I told you about it I might get fired ;) - [
  • isic.tgz - a Libnet based tool for generating garbage Ethernet/IP/UDP/TCP traffic [H]
  • nemesis.tgz - Another Libnet based "packet-injection" suite that support OSPF and IGMP along with the usual [H]
  • sing.tgz - another tool for generating ICMP datagrams [H]
  • packit.tgz - network auditing tool. Its value is derived from its ability to customize, inject, monitor, and manipulate IP traffic. [H]
  • packedit.tgz - contains editcap, a utility from ethereal for modifying captured tcpdump files and tcpreplay, for replaying captured tcpdump files.
  • frgroutr.tgz - fragments traffic to evade IDS or other security devices
  • sendip.tgz - a nice command-line tool for generating IP, IPv6, UDP, TCP, and RIP traffic that is under active development. [H]
  • sendpkt.tgz - another command-line packet generation tools
  • mpac.tgz - a packet generation tool that allows you to specify a file for each layer (TCP,IP,Ethernet)
  • nasl.tgz - NASL is the language used by Nessus scanner to conduct vulnerability checks.
• solaris ping
•  SourceForge.net/SING  SING v1.1, written by Alfredo Andres Omella
• The 'ping' utility from the iputils package with Redhat Linux based on Kernel 2.2.14.
• Nemesis v1.1, written by obecian (http://www.packetfactory.net/Projects/Nemesis) (http://www.packetninja.net/nemesis/).
• Icmpenum v1.1.1, written by Simple Nomad (http://razor.bindview.com).
• Intrusion Detection Articles, Links, and Whitepapers (Honeypots, Intrusion Detection, Incident Response)

Hping2

SourceForge.net Project Info - hping2

written by antirez. Packet Filter, latency testing tool. Similar to Firewalk.

• hping3.0.0 alpha 2 released. Download It.
• hping2.0.0 Release Candidate 3 released. Download It.

hping2 is a network tool able to send custom ICMP/UDP/TCP packets and to display target replies like ping does with ICMP replies. It handles fragmentation and arbitrary packet body and size, and can be used to transfer files under supported protocols. Using hping2, you can test firewall rules, perform (spoofed) port scanning, test network performance using different protocols, do path MTU discovery, perform traceroute-like actions under different protocols, fingerprint remote operating systems, audit TCP/IP stacks, etc.

More information on this package can be found on:

• hping wiki
• Hping tutorial, Philippe Bogaerts
• Idle Scanning and related IPID games, Fyodor
• The hping Idle Host Scan, Erik J. Kamerling
• Packet Crafting via HPing, Don
• Testing IDS rulesets with HPing, Don
• A Hacker's-Eye View, Don Parker
• Testing Connectivity Protocols, Joseph D. Sloan
• Hping tutorial, Philippe Bogaerts
• Phrack 60 - Firewall spotting and networks analisys with a broken CRC
• Debian web site.

Firewalk

Active reconnaissance network security tool by Mike D. Schiffman
License: BSD
 

Firewalk is an active reconnaissance network security tool that attempts to determine what layer 4 protocols a given IP forwarding device will pass.

Firewalk works by sending out TCP or UDP packets with a TTL one greater than the targeted gateway. If the gateway allows the traffic, it will forward the packets to the next hop where they will expire and elicit an
ICMP_TIME_EXCEEDED message. If the gateway hostdoes not allow the traffic, it will likely drop the packets on the floor and we will see no response.

URL: http://www.packetfactory.net/projects/firewalk/Firewalk

RPM Search firewalk-5.0-1.2.fc5.rf.i386.rpm

Firewalk: Can Attackers See Through Your Firewall?, Firewalking, Strategic Scanning and Assessments of Remote Hosts (SSARH),

Recommended Articles

The Story of the PING Program

9th USENIX Security Symposium Paper Defeating TCP/IP Stack Fingerprinting  Matthew Smart, G. Robert Malan, Farnam Jahanian

A practical approach for defeating Nmap OS-Fingerprinting

[PDF] ICMP Usage in Scanning. Complete how-to
- Cached - Similar pages

From: Ofir Arkin <ofir_at_sys-security.com>
Date: Mon, 4 Jun 2001 01:17:44 -0700
I am pleased to announce the availability of version 3.0 of my research
paper "ICMP Usage In Scanning".

Version 3.0 introduces significant changes made to the text.

The paper now starts with an introduction to the ICMP Protocol. The
introduction explains what is the ICMP protocol; it?s message types, and
where and when we should expect to see these.

The following chapters are divided into several subjects ranging from Host
Detection to Passive Operating System Fingerprinting.

An effort was made to offer more illustrations, examples and diagrams in
order to explain and illustrate the different issues involved with the ICMP
protocol?s usage in scanning.

The paper is divided into the following chapters:
 

- Chapter 1 is the Introduction
- Chapter 2 is an Introduction to the ICMP Protocol
- Chapter 3 deals with Host Detection methods using the ICMP Protocol
- Chapter 4 handles Advanced Host Detection methods using the ICMP Protocol
- Chapter 5 talks about the technique known as "Inverse Mapping"
- Chapter 6 goes through the traceroute functionality
- Chapter 7 is dedicated to Active Operating System Fingerprinting using the
ICMP
  Protocol. The chapter is divided into four parts:

        - Regular queries
        - Crafted queries
        - Error Messages
        - Futuristic Methods

- Chapter 8 explains the Usage of ICMP in the Passive Operating System
  Fingerprinting Process. This is a new chapter, which was added with this
version.
- Chapter 9 suggests strategies when building a correct rule base with a
Firewall
- Chapter 10 is dedicated to acknowledgments

The various appendixes offer:

- Several tables presented in the text
- Some Host based Security measures available with Linux based on Kernel
2.4.x and
  with Sun Solaris 8.
- A snort rule base for dealing with the ICMP tricks illustrated within the
text.

The new version can be downloaded from The Sys-Security Group?s web site in
PDF and ZIP formats. This is due to the large size of the PDF file.

http://www.sys-security.com/archive/papers/ICMP_Scanning_v3.0.zip
The file size is ~ 1.75mb when zipped

http://www.sys-security.com/archive/papers/ICMP_Usage_v3.0.pdf
The file size is ~ 5.39mb.  

LISA 2002 - 16th Systems Administration Conference - Paper Over-Zealous Security Administrators Are Breaking the Internet Richard van den Berg - Trust Factory b.v. Phil Dibowitz - University of Southern California

SANS Intrusion Detection FAQ How can attacker use ICMP for reconnaissance

Hping tutorial, Philippe Bogaerts

Idle Scanning and related IPID games, Fyodor

The hping Idle Host Scan, Erik J. Kamerling

Packet Crafting via HPing, Don

Testing IDS rulesets with HPing, Don

A Hacker's-Eye View, Don Parker

Testing Connectivity Protocols, Joseph D. Sloan

Hping tutorial, Philippe Bogaerts

Phrack 60 - Firewall spotting and networks analisys with a broken CRC

TCP-IP Applications FAQ

Path MTU Discovery

Enable ICMP router discovery

pintday.org Magnification Attacks Smurf and Fraggle

Passive Network Discovery for Real Time Situation Awareness

[PDF] Active Probing with ICMP Packets

How to verify that Snort is operating

You can manually check Snort using the "ICMP Large ICMP Packet" rule. In order for this test to work, you'll need to make sure you have not disabled the "ICMP Large ICMP Packet" rule and that it's possible to send an ICMP packet larger than 800 bytes from a network defined as $EXTERNAL_NET into the network defined as $HOME_NET (see your snort.conf file and How to define Snort's configuration variables). If those conditions are met, either of the following should trigger an alert: ping -s 1024 {target host} (Linux) or ping -l 1024 (target host) (Windows). If neither test works, then Snort likely isn't working and/or packets aren't getting through. A brute force troubleshooting method is to add some simple rules to the very bottom of your snort.conf:

• alert ip any any -> any any (msg:"Got an IP Packet"; classtype:not-suspicious; sid:2000000; rev:1;)
• alert icmp any any -> any any (msg:"Got an ICMP Packet"; classtype:not-suspicious; sid:2000001; rev:1;)
• alert icmp any any -> any any (msg:"ICMP Large ICMP Packet"; dsize:>800; reference:arachnids,246; classtype:bad-unknown; sid:2000499; rev:4;)

The first two rules should generate an alert upon seeing any IP or ICMP packet, respectively. Since they will trigger on every single packet on the network these aren't rules you want to run on a heavily loaded production segment! Run them on a smaller or test segment if necessary. The last rule is a copy of SID (rule) 499 (Note that Snort.org reserves SID 1-1,000,000 for "official" rules. See the Snort User's Manual at Snort.org) modified to make it much more loose to increase alert generation for our testing purposes. Normally you'll want to avoid loose rules since they lead to false positives.

Created: May 16, 1997; Last modified: August 20, 2008