[TOOL] Packet Excalibur, Network Packet Engine

From: support@securiteam.com
To: list@securiteam.com
Date: 19 Oct 2002 16:27:36 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Packet Excalibur, Network Packet Engine
------------------------------------------------------------------------

DETAILS

Packet Excalibur is a multi-platform graphical and scriptable network
packet engine with extensible text-based protocol descriptions.

Introduction:
SecurityBugware started from the view that a network transmission is nothing
more than a stack of protocols layered on top of each other, and that each of
those protocols can be described by a fixed set of semantic and grammar rules.

Such rules can be handled algorithmically, and a usable GUI beats endless
command lines.

Solution:
So SecurityBugware built a "packet" engine that understands a basic semantic
for describing protocols and uses very simple logic to process them. To keep
it simple, and therefore useful, they designed it as a GUI.

This is free software, distributed under the GNU General Public License, and
it works on both Microsoft Windows and Linux. It is built solely with GNU
compilers (gcc and mingw).

You can set packet attributes from the physical layer up, sniff and spoof
packets (packet generator) from a single interface, build scripts in the GUI,
and define additional protocols in simple text files.

Some sample protocol definitions, scripts, and packets are provided.
You are welcome to contribute and forward yours to SecurityBugware for a
future release.

Below is a sample definition file. It describes the IP protocol and lives in
a file named "iso-3 Internet Protocol (IP).def"; its fields are used by the
GUI both to build and to decode packets:

       $bit=4 $desc="Version" $default=4
       $value=4 $desc="IPv4"
       $value=5 $desc="ST Datagram Mode"

       $bit=4 $desc="Header length" $default=5
       $value=5 $desc="No options (5x32bits)"
       $function=@ip-opt-len $desc="Has options (5+opt.len/32)" $rfc="iso-3 IP Options.def" $rfc_option

       $byte=1 $desc="Type of Service" $default=0
       $value=0x00 $desc="normal (query)"
       $value=0x02 $desc="min cost (NNTP)"
       $value=0x03 $desc="Flash"
       $value=0x04 $desc="max reliable (IGP)"
       $value=0x05 $desc="CRITIC/ECP"
       $value=0x06 $desc="Internetwork Control"
       $value=0x07 $desc="Network Control"
       $value=0x08 $desc="max through. (data)"
       $value=0x10 $desc="min delay (control)"

       $byte=2 $desc="IP datagram len" $default=@ip-data-len
       $value=40 $desc="IP+TCP only"
       $function=@ip-data-len $desc="IP datagram len"

       $byte=2 $desc="IP id"

       $bit=1 $desc="Fragment flags" $default=0
       $value=0 $desc="reserved"
       $value=1 $desc="unknown"

       $bit=1 $desc="Fragment ?" $default=1
       $value=0 $desc="do"
       $value=1 $desc="don't"

       $bit=1 $desc="Fragmented ?" $default=0
       $value=0 $desc="no"
       $value=1 $desc="yes"

       $bit=13 $desc="Fragment offset" $default=0
       $value=0 $desc="no fragment"

       $byte=1 $desc="Time to Live (TTL)" $default=128
       $value=128 $desc="half max hops"

       $byte=1 $desc="Protocol" $default=6
       $value=0 $desc="Hop-by-Hop"
       $value=1 $desc="ICMP" $rfc="iso-4 Int Ctrl Msg Proto (ICMP).def"
       $value=3 $desc="Gateway-to-Gateway"
       $value=4 $desc="CMCC Gateway Monitoring Message"
       $value=5 $desc="ST"
       $value=6 $desc="TCP" $rfc="iso-4 Trans Ctrl Proto (TCP).def"
       $value=7 $desc="UCL"
       $value=9 $desc="Secure"
       $value=10 $desc="BBN RCC Monitoring"
       $value=11 $desc="NVP"
       $value=12 $desc="PUP"
       $value=13 $desc="Pluribus"
       $value=14 $desc="Telenet"
       $value=15 $desc="XNET"
       $value=16 $desc="Chaos"
       $value=17 $desc="UDP" $rfc="iso-4 User Datagram Proto (UDP).def"
       $value=18 $desc="Multiplexing"
       $value=19 $desc="DCN"
       $value=20 $desc="TAC Monitoring"
       $value=43 $desc="Routing (Type 0)"
       $value=44 $desc="Fragment"
       $value=50 $desc="Encapsulating Security Payload" $rfc="iso-3-n Ecap Sec Payload.def"
       $value=51 $desc="Authentication"
       $value=59 $desc="Nothing next"
       $value=60 $desc="Destination Options"
       $value=63 $desc="Any Local Network"
       $value=64 $desc="SATNET and Backroom EXPAK"
       $value=65 $desc="MIT Subnet Support"
       $value=69 $desc="SATNET Monitoring"
       $value=71 $desc="Internet Packet Core Utility"
       $value=76 $desc="Backroom SATNET Monitoring"
       $value=78 $desc="WIDEBAND Monitoring"
       $value=79 $desc="WIDEBAND EXPAK"

       $byte=2 $desc="IP header checksum" $default=@ip-checksum
       $function=@ip-checksum $desc="IP checksum"

       $dotted=4 $desc="Source IP"
       $function=@my-ip-addr $desc="this adapter ip"

       $dotted=4 $desc="Dest. IP"
       $function=@my-ip-addr $desc="this adapter ip"

In short, all protocols are described with this simple field semantic:

        [[type]=[size]] {element description} {default value}
         { {value=[value set]} {value description} {value defines rfc {rfc an option to current iso}} }

See the Packet Excalibur documentation for details.
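To make the field semantic concrete, here is an added example in Python (it is not part of the Packet Excalibur release): it parses a constructed excerpt of the IP .def above into fields, walks a constructed IPv4 header bit by bit to produce the same decoded view the GUI shows, and computes the RFC 791 header checksum that the @ip-checksum hook stands for. The field and key names come from the page; the function names, the trimmed .def and the sample header are assumptions.

```python
import re
# Constructed excerpt of the IP .def shown above ($function/$rfc entries left out).
IP_DEF = '''$bit=4 $desc="Version" $default=4
$value=4 $desc="IPv4"
$bit=4 $desc="Header length" $default=5
$byte=1 $desc="Type of Service" $default=0
$byte=2 $desc="IP datagram len"
$byte=2 $desc="IP id"
$bit=1 $desc="Fragment flags" $default=0
$bit=1 $desc="Fragment ?" $default=1
$bit=1 $desc="Fragmented ?" $default=0
$bit=13 $desc="Fragment offset" $default=0
$byte=1 $desc="Time to Live (TTL)" $default=128
$byte=1 $desc="Protocol" $default=6
$value=6 $desc="TCP"
$byte=2 $desc="IP header checksum"
$dotted=4 $desc="Source IP"
$dotted=4 $desc="Dest. IP"'''
SAMPLE = bytes.fromhex('4500003c1c4640004006b1e6ac100a63ac100a0c')  # constructed: 172.16.10.99 -> .12, TCP, DF
TOKEN = re.compile(r'\$(\w+)=("[^"]*"|\S+)')  # one $key=value token; value quoted or bare
def parse_def(text):
    """Turn .def lines into fields; a $value line annotates the preceding field."""
    fields = []
    for line in text.splitlines():
        attrs = {k: v.strip('"') for k, v in TOKEN.findall(line)}
        kind = next((k for k in ('bit', 'byte', 'dotted') if k in attrs), None)
        if kind:
            fields.append({'kind': kind, 'size': int(attrs[kind]), 'desc': attrs.get('desc', ''), 'values': {}})
        elif 'value' in attrs and fields:
            fields[-1]['values'][int(attrs['value'], 0)] = attrs.get('desc', '')
    return fields

def decode(fields, data):
    """Read fields MSB-first from raw bytes -> {desc: (value, value label)}."""
    bits, total, pos, out = int.from_bytes(data, 'big'), len(data) * 8, 0, {}
    for f in fields:
        width = f['size'] * (1 if f['kind'] == 'bit' else 8)
        if pos + width > total:                    # truncated header: refuse to guess
            raise ValueError(f"packet too short for {f['desc']!r}")
        pos += width
        raw = (bits >> (total - pos)) & ((1 << width) - 1)
        value = '.'.join(map(str, raw.to_bytes(f['size'], 'big'))) if f['kind'] == 'dotted' else raw
        out[f['desc']] = (value, f['values'].get(raw, ''))
    return out

def ip_checksum(header):  # RFC 791 one's-complement sum of 16-bit words (what @ip-checksum computes)
    s = sum(int.from_bytes(header[i:i + 2].ljust(2, b'\0'), 'big') for i in range(0, len(header), 2))
    while s >> 16:
        s = (s & 0xffff) + (s >> 16)
    return ~s & 0xffff
```

A captured header whose ip_checksum() is not 0 was corrupted or forged in transit; a sniffer built on this engine should flag it rather than decode it silently.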

ADDITIONAL INFORMATION

Packet Excalibur is now available for download:
http://www.securitybugware.org/excalibur/PacketExcalibur_1.0_win32.exe
http://www.securitybugware.org/excalibur/PacketExcalibur_1.0_win32.zip
http://www.securitybugware.org/excalibur/PacketExcalibur_1.0_linux.tgz
http://www.securitybugware.org/excalibur/PacketExcalibur_1.0_win_lin_src.zip

The information has been provided by Jitsu-Disk of SecurityBugware
(jitsu@securitybugware.org).
