Any way to automatically change arbitrary headers of IP packets on-the-fly?

From: João Paulo Caldas Campello (protecao_at_gmail.com)
Date: 04/12/05

  • Next message: Sebastian Muņiz: "Re: Any way to automatically change arbitrary headers of IP packets on-the-fly?" 
    Date: Mon, 11 Apr 2005 19:39:25 -0300
To: pen-test@securityfocus.com

    Hi,

       Does anybody know any userland tool, Linux kernel module,
    iptables/netfilter module, or whatever mechanism to change arbitrary
    headers of IP packets on-the-fly as long as they traverse the IP
    stack? Is there any known paper regarding this subject?

       The whole story is that I'm doing some research and lab tests on
    semi-blind IP spoofing (i.e. Loose/Strict IP Source Routing) on
    borders routers and firewalls, so I need an easy way to alter the "IP
    Options" fields of IP packets to test if the routers/firewalls are
    vulnerable to IP spoofing (e.g. not doing ingress filtering) in
    conjunction with source routing techniques.

       Yes, I know most modern firewalls should just drop IP Options
    flagged packets, but not all firewalls do that with default
    configurations.

       Sure I can construct raw IP packets with the proper IP Options
    fields set on, but I'm also doing sort of a penetration test so I need
    a way to automate this task as the packets traverse the stack. This
    way I could still use well-known and proven penetration test tools
    such as port and vulnerability scanners, web spiders, and so on.

       I've already read Netfilter documentation (specially the "Linux
    netfilter Hacking HOWTO") so I know this kind of packet mangling can
    be done in userspace. I thought it could be done in the "MANGLE" table
    of netfilter, but I found no TARGET that achieves that nor any
    documentation about altering arbitrary IP headers.

    The question is:

       - Does already exist such a tool, module or whatever way to change
    arbitrary headers of IP packets on-the-fly or will I have to (try to)
    write one? =)

    Cheers,

    João Paulo Campello,
    Network Security Analyst,
    Tempest Security Technologies.

  • Next message: Sebastian Muņiz: "Re: Any way to automatically change arbitrary headers of IP packets on-the-fly?"

    Relevant Pages

    • Re: sendfile(2) SF_NOPUSH flag proposal
      ... >> is still there for the headers and trailers, no matter what, ... from an external mbuf reference ... > Currently sendfilecan send the file in not full packets even ...
      (freebsd-arch)
    • Re: mbuf changes
      ... so that future packets can start out with enough head room. ... this doesn't take into account tunneling and encapsulation. ... the packets and the space in the mbuf is there anyway. ... For 32bit machines (60 bytes mbuf headers) this fits just fine. ...
      (freebsd-net)
    • Re: NIC acting promiscuously -- how to fix?
      ... Those headers should all have your MAC address in them ... mostly ARP "who-has" requests (sent to the broadcast MAC address). ... There is also a relatively small number of multicast packets -- most ...
      (freebsd-stable)
    • Any way to automatically change arbitrary headers of IP packets on-the-fly?
      ... headers of IP packets on-the-fly as long as they traverse the IP ... Options" fields of IP packets to test if the routers/firewalls are ... but I'm also doing sort of a penetration test so I need ...
      (Pen-Test)
    • Any way to automatically change arbitrary headers of IP packets on-the-fly?
      ... headers of IP packets on-the-fly as long as they traverse the IP ... Options" fields of IP packets to test if the routers/firewalls are ... but I'm also doing sort of a penetration test so I need ...
      (Vuln-Dev)