Re: Any way to automatically change arbitrary headers of IP packets on-the-fly?
From: DJ Ether (dj_at_ethericmist.net)
Date: Wed, 13 Apr 2005 16:50:14 -0400 To: Joćo Paulo Caldas Campello <firstname.lastname@example.org>
Perhaps this tool will help you. I wrote it a long time ago. It allows
you to create any type of ipv4 packet and send them off at high speeds.
You can customize most parts of the IP and overlying protocol headers.
It's called `rain` and I believe it is in many ports on various distros,
but here is a version I never publically released (well until this list):
Hope you find it useful.
Joćo Paulo Caldas Campello wrote:
> Does anybody know any userland tool, Linux kernel module,
>iptables/netfilter module, or whatever mechanism to change arbitrary
>headers of IP packets on-the-fly as long as they traverse the IP
>stack? Is there any known paper regarding this subject?
> The whole story is that I'm doing some research and lab tests on
>semi-blind IP spoofing (i.e. Loose/Strict IP Source Routing) on
>borders routers and firewalls, so I need an easy way to alter the "IP
>Options" fields of IP packets to test if the routers/firewalls are
>vulnerable to IP spoofing (e.g. not doing ingress filtering) in
>conjunction with source routing techniques.
> Yes, I know most modern firewalls should just drop IP Options
>flagged packets, but not all firewalls do that with default
> Sure I can construct raw IP packets with the proper IP Options
>fields set on, but I'm also doing sort of a penetration test so I need
>a way to automate this task as the packets traverse the stack. This
>way I could still use well-known and proven penetration test tools
>such as port and vulnerability scanners, web spiders, and so on.
> I've already read Netfilter documentation (specially the "Linux
>netfilter Hacking HOWTO") so I know this kind of packet mangling can
>be done in userspace. I thought it could be done in the "MANGLE" table
>of netfilter, but I found no TARGET that achieves that nor any
>documentation about altering arbitrary IP headers.
>The question is:
> - Does already exist such a tool, module or whatever way to change
>arbitrary headers of IP packets on-the-fly or will I have to (try to)
>write one? =)
>Joćo Paulo Campello,
>Network Security Analyst,
>Tempest Security Technologies.