Any way to automatically change arbitrary headers of IP packets on-the-fly?

From: Joćo Paulo Caldas Campello (protecao_at_gmail.com)
Date: 04/12/05

  • Next message: psiphon_at_infosecguides.com: "Re: 'in-line' pentest and pentest linux distro?"
    Date: Tue, 12 Apr 2005 15:17:02 -0300
    To: pen-test@securityfocus.com
    
    

    Hi,

      Does anybody know any userland tool, Linux kernel module,
    iptables/netfilter module, or whatever mechanism to change arbitrary
    headers of IP packets on-the-fly as long as they traverse the IP
    stack? Is there any known paper regarding this subject?

      The whole story is that I'm doing some research and lab tests on
    semi-blind IP spoofing (i.e. Loose/Strict IP Source Routing) on
    borders routers and firewalls, so I need an easy way to alter the "IP
    Options" fields of IP packets to test if the routers/firewalls are
    vulnerable to IP spoofing (e.g. not doing ingress filtering) in
    conjunction with source routing techniques.

      Yes, I know most modern firewalls should just drop IP Options
    flagged packets, but not all firewalls do that with default
    configurations.

      Sure I can construct raw IP packets with the proper IP Options
    fields set on, but I'm also doing sort of a penetration test so I need
    a way to automate this task as the packets traverse the stack. This
    way I could still use well-known and proven penetration test tools
    such as port and vulnerability scanners, web spiders, and so on.

      I've already read Netfilter documentation (specially the "Linux
    netfilter Hacking HOWTO") so I know this kind of packet mangling can
    be done in userspace. I thought it could be done in the "MANGLE" table
    of netfilter, but I found no TARGET that achieves that nor any
    documentation about altering arbitrary IP headers.

    The question is:

      - Does already exist such a tool, module or whatever way to change
    arbitrary headers of IP packets on-the-fly or will I have to (try to)
    write one? =)

    Cheers,

    Joćo Paulo Campello,
    Network Security Analyst,
    Tempest Security Technologies.


  • Next message: psiphon_at_infosecguides.com: "Re: 'in-line' pentest and pentest linux distro?"