Category: LINUX

2013-08-16 21:07:35

The wiki page referenced here lists the more popular packet-crafting programs.

Under Ubuntu you can craft packets with packeth (GUI) or mz (CLI; it does not seem to be listed in the wiki above). The GUI tool is simple enough to pick up just by looking at it, so this post mainly introduces mz, since I prefer to work on the command line. For anything not covered here, see mz(1).

mz is a fast, general-purpose packet generator written in C that lets you craft almost every possible and "impossible" packet. Its synopsis is:

    mz [options] |

mz supports two modes: direct mode and a multi-threaded interactive mode.

In direct mode you craft packets straight from the shell command line, with every parameter of the packet given as an argument. Direct mode offers two ways of building a packet: the raw-layer-2 approach, where you specify every byte of the frame yourself, and the higher-layer approach, where you use the packet builder interfaces (selected with the -t option).

With the raw-layer-2 approach you give the desired frame directly as a hexadecimal byte sequence, for example:

    mz eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"

As the example shows, the bytes are separated by colons or spaces. The options available with raw layer 2 are -a, -b, -c and -p, and the frame must be at least 15 bytes long.

The higher-layer approach is enabled with the -t option, which activates a packet builder. Besides the packet_type, an optional arg_string can be given; it holds packet-specific parameters such as TCP flags and port numbers.
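As an added example (not from the original post and not code from the Mausezahn project), here is a small Python parser for the raw-layer-2 hex string format described above. It accepts two-digit hex bytes separated by colons or spaces, enforces the 15-byte minimum, decodes the Ethernet header the way a receiving NIC would, and applies the -p zero-padding rule for raw frames. The sample frame is constructed for this example; mz's own string parser is assumed to be more permissive than this one.

```python
import re
from dataclasses import dataclass

MIN_RAW_FRAME_LEN = 15  # mz rejects raw layer-2 frames shorter than this

# Well-known EtherTypes, used only to label the decoded header
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6", 0x8100: "802.1Q"}


@dataclass
class EthernetFrame:
    dst: str
    src: str
    ethertype: int
    payload: bytes

    @property
    def ethertype_name(self) -> str:
        return ETHERTYPES.get(self.ethertype, "unknown")


def parse_hex_spec(spec: str) -> bytes:
    """Turn an mz-style hex string ("ca:fe ba:be") into bytes.

    Each token must be exactly two hex digits; tokens may be separated by
    colons or whitespace (the form used in the example above). Raises
    ValueError on malformed input or when the frame is too short for mz.
    Assumption: mz itself accepts more spellings than this strict parser.
    """
    tokens = [t for t in re.split(r"[\s:]+", spec.strip()) if t]
    bad = [t for t in tokens if not re.fullmatch(r"[0-9a-fA-F]{2}", t)]
    if bad:
        raise ValueError(f"not two-digit hex bytes: {bad}")
    frame = bytes(int(t, 16) for t in tokens)
    if len(frame) < MIN_RAW_FRAME_LEN:
        raise ValueError(
            f"raw frame is {len(frame)} bytes, minimum is {MIN_RAW_FRAME_LEN}")
    return frame


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def decode_ethernet(frame: bytes) -> EthernetFrame:
    """Split a raw frame into dst MAC, src MAC, EtherType and payload."""
    return EthernetFrame(
        dst=_mac(frame[0:6]),
        src=_mac(frame[6:12]),
        ethertype=int.from_bytes(frame[12:14], "big"),
        payload=frame[14:],
    )


def pad_raw_frame(frame: bytes, total_len: int) -> bytes:
    """Mimic -p for raw layer-2 frames: pad with zero bytes up to total_len.

    Assumption: a frame that is already longer is returned unchanged.
    """
    return frame + b"\x00" * max(0, total_len - len(frame))


# Constructed sample: a minimal IPv4-typed frame with a four-byte payload
SAMPLE_SPEC = "00:11:22:33:44:55 66:77:88:99:aa:bb 08:00 ca:fe:ba:be"

if __name__ == "__main__":
    raw = parse_hex_spec(SAMPLE_SPEC)
    eth = decode_ethernet(raw)
    print(f"dst={eth.dst} src={eth.src} type=0x{eth.ethertype:04x} "
          f"({eth.ethertype_name}) payload={eth.payload.hex()}")
    print(f"padded to {len(pad_raw_frame(raw, 64))} bytes")
```

Feeding your intended frame through a decoder like this before sending it is a cheap way to catch an off-by-one in the hand-written header (a five-byte MAC, for instance, shifts the EtherType and everything after it).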


       The interactive mode is an advanced multi-threaded configuration mode with its own command line interface (CLI). This mode allows you to create an arbitrary
       number of packet types and streams in parallel, each with different parameters. The interactive mode utilizes a completely redesigned and more flexible
       protocol framework called MOPS (Mausezahn's Own Packet System). The look and feel of the CLI is very similar to the Cisco IOS(tm) command line. You can start the
       interactive mode by executing Mausezahn with the -x argument (an optional port number may follow, otherwise it is 25542). Then use Telnet to connect to this
       Mausezahn instance (the default login expects the user 'mz' with password 'mz', and enable password 'mops'; you can change this in /etc/mausezahn/mz.cfg).
       More information about the interactive mode and MOPS is provided on the Mausezahn website.

OPTIONS
       Mausezahn provides a built-in context-specific help. Simply append the keyword help to the configuration options.
The most important mz options are:
       -v     Verbose mode; -V is even more verbose.
       -S     Simulation mode: nothing is put on the wire. Usually combined with -v.
       -q     Quiet mode (only warnings and errors are printed).
       -c
              Number of times the packet is sent. Default is 1; 0 means infinite.
       -d
              Inter-packet delay. The delay value is in microseconds by default; milliseconds (e.g. 100m) and seconds (e.g. 1s) can also be given.
       -p
              Pad the raw frame to the given length (with zero bytes). Note that for raw layer-2 frames the length is the total frame length, whereas for higher-layer
              packets it is the number of additional padding bytes.
       -a
              Source MAC address.
       -b
              Destination MAC address.
       -A
              Source IP address.
       -B
              Destination IP address.
       -t
              Use the built-in packet builder to create a packet of the given type. Currently supported packet types are arp, bpdu, ip, udp, tcp, rtp, and dns. There
              is currently also a limited support for ICMP. Enter -t help to verify which packet builders your actual Mausezahn version supports. Also, for any
              particular packet type, for example tcp enter mz -t tcp help to receive a context specific help.

       -T
              Make  this  Mausezahn instance the receiving station. Currently (version 0.30) only rtp is an option here and provides precise jitter measurements. For
              this purpose start another Mausezahn instance on the sending station and the local receiving station will output jitter statistics. See mz -T rtp  help
              for a detailed help.

       -Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
              Specify 802.1Q VLAN tag and optional Class of Service. An arbitrary number of VLAN tags can be specified (that is you can simulate QinQ or even
              QinQinQinQ...). Multiple tags must be separated via a comma or a period (e. g. "5:10,20,2:30"). VLAN tags are not supported for ARP and BPDU packets (in
              which case you could specify the whole frame in hex using the raw layer 2 interface of Mausezahn).

       -M [, ]
              Specify  a  MPLS  label or even a MPLS label stack. Optionally for each label the experimental bits (usually the Class of Service, CoS) and the Time To
              Live (TTL) can be specified. And if you are really crazy you can set/unset the Bottom of Stack (BoS) bit at each label using the S (set) and s  (unset)
              option.  By  default the BoS is set automatically and correctly. Any other setting will lead to invalid frames. Enter -M help for detailed instructions
              and examples.

       -P
              Specify a cleartext payload. Alternatively each packet type supports a hexadecimal specification of the payload (see for example -t udp help).

       -f
              Read the ASCII payload from the specified file.

       -F
              Read the HEX payload from the specified file. Actually this file must be also an ASCII file (text file) but must  contain  hexadecimal  digits,  e.  g.
              "aa:bb:cc:0f:e6...". You can use also spaces as separation characters.


COMBINATION OF RANGES
       When  multiple  ranges  are specified, e. g. destination port ranges AND destination address ranges, then all possible combinations of ports and addresses are
       used for packet generation. Furthermore, this can be mixed with other ranges e. g. a TCP sequence number range. Note that combining ranges can lead to a  very
       huge  number of frames to be sent. As a rule of thumb you can assume that about 100,000 frames are sent in a fraction of one second, depending on your network
       interface.
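Because combined ranges multiply, it is worth estimating the frame count before running such a command. The following Python helper is an added example, not part of the original post or of Mausezahn itself: it parses an mz arg_string for `lo-hi` ranges, counts the addresses in an -A/-B prefix with the standard `ipaddress` module, and multiplies by the -c count. It assumes every address in the prefix is used, treats a hostname or `rand` as a single value, and does not model increments such as `ds`; the 100,000 frames per second figure is the man page's rule of thumb taken literally.

```python
import ipaddress
import math

RULE_OF_THUMB_FPS = 100_000  # frames/s: the man page's rough figure, assumed here

# arg_string keys whose values we treat as numeric ranges (assumption: this
# list covers the keys used in the examples on this page, not every mz key)
NUMERIC_RANGE_KEYS = {"sp", "dp", "s", "a", "win", "urg", "ttl", "id"}


def range_size(value: str) -> int:
    """Size of a single mz value: 'lo-hi' is a range, anything else is one value."""
    value = value.strip()
    if "-" in value:
        lo, hi = value.split("-", 1)
        lo_i, hi_i = int(lo), int(hi)
        if hi_i < lo_i:
            raise ValueError(f"inverted range {value!r}")
        return hi_i - lo_i + 1
    return 1


def parse_arg_string(arg_string: str) -> dict:
    """Turn 'flags=syn,dp=1-1023,sp=666' into a key -> value dict."""
    params = {}
    for item in arg_string.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        params[key.strip()] = value.strip()
    return params


def address_count(spec) -> int:
    """Addresses covered by an -A/-B value.

    A prefix counts every address in it (assumption: including network and
    broadcast); a single host, a hostname, 'rand' or None count as one value
    because they do not multiply the number of frames.
    """
    if spec is None or spec == "rand":
        return 1
    try:
        return ipaddress.ip_network(spec, strict=False).num_addresses
    except ValueError:
        return 1  # hostname such as target.anynetwork.foo


def estimate_frames(arg_string: str, src=None, dst=None, count: int = 1):
    """Frames a direct-mode mz command would emit for these ranges.

    count follows -c semantics: 0 means infinite and is reported as math.inf.
    Increments such as 'ds' are not modelled (assumption: every value is used).
    """
    if count == 0:
        return math.inf
    total = count * address_count(src) * address_count(dst)
    for key, value in parse_arg_string(arg_string).items():
        if key in NUMERIC_RANGE_KEYS:
            total *= range_size(value)
    return total


def rough_seconds(frames, fps=RULE_OF_THUMB_FPS):
    """Rough send time using the man page's rule of thumb."""
    return math.inf if frames == math.inf else frames / fps


if __name__ == "__main__":
    # One pass over the ranges of the VLAN-hopping SYN example (-c 0 would
    # be infinite, so count=1 is used here)
    n = estimate_frames("flags=syn,dp=1-1023", dst="10.100.100.0/24", count=1)
    print(f"{n:,} frames per pass, about {rough_seconds(n):.1f} s")
    # The MPLS/VLAN UDP example with -c 10
    n = estimate_frames("sp=666,dp=1-65535", src="172.30.0.0/16", count=10)
    print(f"{n:,} frames, about {rough_seconds(n) / 3600:.1f} h")
```

The second figure (over 42 billion frames) shows why the man page warns about combined ranges: a command that reads innocuously takes many hours at line rate and will saturate the segment for all of them.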

DISCLAIMER AND WARNING
       Mausezahn has been designed as fast traffic generator so you can easily overwhelm a LAN segment with myriads of packets. And  because  Mausezahn  should  also
       support security audits it is also possible to create malicious or “invalid” packets, SYN floods, port and address sweeps, DNS and ARP poisoning, etc.
       Therefore,  don't  use  this tool when you are not aware of possible consequences or have only little knowledge about networks and data communication.  If you
       abuse Mausezahn for 'unallowed' attacks and get caught, or damage something of your own, then this is completely your fault. So the safest solution is to  try
       it out in a lab environment.

EXAMPLES
       Send BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP. Per default Mausezahn assumes that you want to become the root bridge:

       # mz eth0 -c 0 -d 2s -t bpdu vlan=5

       Perform a CAM table overflow attack:

       # mz eth0 -c 128000 -a rand -p 64

       Perform a SYN flood attack to another VLAN using VLAN hopping. This only works if you are connected to the same VLAN which is configured as native VLAN on the
       trunk.  We assume that the victim VLAN is VLAN 100 and the native VLAN is VLAN 5. Lets attack every host in VLAN 100 which use a IP prefix of 10.100.100.0/24,
       also try out all ports between 1 and 1023 and use a random source IP address:

       # mz eth0 -c 0 -Q 5,100 -t tcp "flags=syn,dp=1-1023" -p 20 -A rand -B 10.100.100.0/24

       Send IP multicast packets to the multicast group 230.1.1.1 using a UDP header with destination port 32000 and set the IP DSCP field to EF (46). Send one frame
       every 10 msec:

       # mz eth0 -c 0 -d 10msec -B 230.1.1.1 -t udp "dp=32000,dscp=46" -P "Multicast test packet"

       Send UDP packets to the destination host target.anynetwork.foo using all possible destination ports and send every packet with all possible  source  addresses
       of  the  range 172.30.0.0/16; additionally use a source port of 666 and three MPLS labels, 100, 200, and 300, the outer (300) with QoS field 5. Send the frame
       with a VLAN tag 420 and CoS 6; eventually pad with 1000 bytes and repeat the whole thing 10 times:

       # mz eth0 -Q 6:420 -M 100,200,300:5 -A 172.30.0.0/16 -B target.anynetwork.foo -t udp "sp=666,dp=1-65535" -p 1000 -c 10

       Send six forged Syslog messages with severity 3 to a Syslog server 10.1.1.9; use a forged source IP address 192.168.33.42 and let Mausezahn decide which local
       interface to use. Use an inter-packet delay of 10 seconds:

       # mz -t syslog sev=3 -P "Main reactor reached critical temperature." -A 192.168.33.42 -B 10.1.1.9 -c 6 -d 10s

       Send an invalid TCP packet with only a 5 byte payload as layer-2 broadcast and also use the broadcast MAC address as source address. The target should be
       10.1.1.6 but use a broadcast source address. The source and destination port shall be 145 and the window size 0. Set the TCP flags SYN, URG, and RST
       simultaneously and sweep through the whole TCP sequence number space with an increment of 1500. Finally set the urgent pointer to 666, i. e. pointing to nowhere:

       # mz -t tcp "flags=syn|urg|rst, sp=145, dp=145, win=0, s=0-4294967295, ds=1500, urg=666" -a bcast -b bcast -A bcast -B 10.1.1.6 -p 5