mausezahn: a fast, versatile packet generator with a Cisco-style CLI
DIRECT MODE HOWTO
How to specify hexadecimal digits:
Many arguments allow direct byte input. Bytes are represented as
two hexadecimal digits. Multiple bytes must be separated either
by spaces, colons, or dashes - whichever you prefer. The
following byte strings are equivalent:
"aa:bb cc-dd-ee ff 01 02 03-04 05"
"aa bb cc dd ee ff:01:02:03:04 05"
To begin with, you may want to send an arbitrary fancy (possibly
invalid) frame right through your network card:
mausezahn ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:08:00:ca:fe:ba:be
or equivalent but more readable:
mausezahn ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff-08:00-ca:fe:ba:be
Basic operations:
All major command line options are listed when you execute
mausezahn without arguments. For practical usage, keep the
following special (not so widely known) options in mind:
-r                   Multiplies the specified delay with a random value.
-p <length>          Pad the raw frame to the specified length (using random bytes).
-P <ASCII payload>   Use the specified ASCII payload.
-f <filename>        Read the ASCII payload from a file.
-F <filename>        Read the hexadecimal payload from a file.
-S                   Simulation mode: does NOT put anything on the wire.
                     Typically combined with one of the verbose modes (-v or -V).
Many options require a keyword or a number but the -t option is
an exception since it requires both a packet type (such as ip,
udp, dns, etc) and an argument string which is specific for that
packet type. Here are some simple examples:
mausezahn -t help
mausezahn -t tcp help
mausezahn eth3 -t udp sp=69,dp=69,p=ca:fe:ba:be
Note: Don't forget that on the CLI the Linux shell (usually Bash)
treats spaces as argument delimiters. That is, if you specify an
argument that consists of multiple words with spaces in between,
you MUST group these within quotes. For example, in
mausezahn eth0 -t udp sp=1, dp=80, p=00:11:22:33
the shell cuts the argument at the first space, so mausezahn only
receives "sp=1," as the packet-type argument. You could either
omit the spaces
mausezahn eth0 -t udp sp=1,dp=80,p=00:11:22:33
or, for greater safety, use quotes:
mausezahn eth0 -t udp "sp=1, dp=80, p=00:11:22:33"
In order to monitor what's going on, you can enable the verbose
mode using the -v option. The opposite is the quiet mode (-q)
which will keep mausezahn absolutely quiet (except for error
messages and warnings.)
Don't confuse the payload argument p=... with the padding option
-p. The latter is used outside the quotes!
The automatic packet builder:
An important argument is -t which invokes a packet builder.
Currently there are packet builders for ARP, BPDU, CDP, IP,
partly ICMP, UDP, TCP, RTP, DNS, and SYSLOG. (Additionally you
can insert a VLAN tag or a MPLS label stack but this works
independently of the packet builder.)
You get context specific help for every packet builder using the
help keyword, such as:
mausezahn -t bpdu help
mausezahn -t tcp help
For every packet you may specify an optional payload. This can be
done either via hexadecimal notation using the payload (or short
p) argument or directly as ASCII text using the -P option:
mausezahn eth0 -t ip -P "Hello World"                    # ASCII payload
mausezahn eth0 -t ip p=68:65:6c:6c:6f:20:77:6f:72:6c:64  # hex payload
mausezahn eth0 -t ip "proto=89, p=68:65:6c:6c:6f:20:77:6f:72:6c:64, ttl=1"
                                                         # same, with other IP arguments
(The comments after # are annotations; keep them out of the quoted
argument, otherwise they become part of it.)
Note: The raw link access mode only accepts hexadecimal payloads
(because you specify everything in hexadecimal here.)
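The byte-string syntax described at the top (two hex digits per byte, any mix of spaces, colons and dashes) and the ASCII-versus-hex payload forms above are easy to get wrong by hand. The following is an added example, not part of mausezahn: a small parser that normalises such strings into bytes, converts an ASCII payload into the equivalent p=... argument, and splits a raw frame into its Ethernet fields so you can check what you typed before putting it on the wire. The frames it is fed are constructed sample inputs.

```python
import re
import struct

# Added example, not mausezahn's own code. Parses the byte-string syntax the
# HOWTO describes and dissects a raw Ethernet II frame. Inputs are constructed.

_SEPARATORS = re.compile(r"[\s:\-]+")
_HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_hexstring(text: str) -> bytes:
    """Turn 'aa:bb cc-dd' into b'\\xaa\\xbb\\xcc\\xdd'.

    Every token must be exactly two hex digits; anything else is rejected
    rather than silently truncated."""
    out = bytearray()
    for token in _SEPARATORS.split(text.strip()):
        if not token:
            continue
        if not _HEX_PAIR.match(token):
            raise ValueError(f"bad byte {token!r}: expected exactly two hex digits")
        out.append(int(token, 16))
    return bytes(out)


def to_hexstring(data: bytes) -> str:
    """Colon-separated form usable as a p=... argument."""
    return ":".join(f"{b:02x}" for b in data)


def ascii_payload_to_hex(text: str) -> str:
    """What -P "text" puts on the wire, expressed as the equivalent p=... argument."""
    return to_hexstring(text.encode("ascii"))


def split_raw_frame(frame: bytes) -> dict:
    """Dissect a raw Ethernet II frame into destination, source, EtherType and
    payload. Frames shorter than the 14-byte header are rejected."""
    if len(frame) < 14:
        raise ValueError(f"frame too short for an Ethernet header: {len(frame)} bytes")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst": to_hexstring(dst),
        "src": to_hexstring(src),
        "ethertype": ethertype,
        "payload": frame[14:],
    }


if __name__ == "__main__":
    # The "fancy frame" from the top of the HOWTO: all-ff addresses, IP type, 4 payload bytes.
    frame = parse_hexstring("ff:ff:ff:ff:ff:ff-ff:ff:ff:ff:ff:ff-08:00-ca:fe:ba:be")
    print(split_raw_frame(frame))
    print(ascii_payload_to_hex("hello world"))
```

Run it on the strings you intend to pass to mausezahn; a typo such as a single hex digit raises immediately instead of shifting every following byte.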
Packet count and delay:
By default only one packet is sent. If you want to send more
packets then use the count option -c <count>. When count is zero
then mausezahn will send forever. By default, mausezahn sends at
maximum speed (and this is really fast ;-)). If you don't want to
overwhelm your network devices or have other reasons to send at a
slower rate then you might want to specify a delay using the -d
<delay> option.
If you only specify a numeric value it is interpreted in
microsecond units. Alternatively, for easier use, you might
specify units such as seconds, sec, milliseconds, or msec. (You
can also abbreviate this with s or m.) Note: Don't use spaces
between the value and the unit! Here are typical examples:
Send an infinite number of frames as fast as possible:
mausezahn -c 0 "aa bb cc dd ...."
Send 100,000 frames with a 50 msec interval:
mausezahn -c 100000 -d 50msec "aa bb cc dd ...."
Send an unlimited number of BPDU frames in a 2 second interval:
mausezahn -c 0 -d 2s -t bpdu conf
Note: mausezahn does not support fractional numbers. If you want
to specify for example 2.5 seconds then express this in
milliseconds (2500 msec).
Source and destination addresses:
As a mnemonic trick keep in mind that all packets run from "A" to
"B". You can always specify source and destination MAC addresses
using the -a and -b options, respectively. These options also
allow keywords such as rand, own, bpdu, cisco, and others.
Similarly, you can specify source and destination IP addresses
using the -A and -B options, respectively. These options also
support FQDNs (i.e. domain names) and ranges such as
192.168.0.0/24 or 10.0.0.11-10.0.3.22. Additionally, the source
address option supports the rand keyword (ideal for "attacks").
Note: When you use the packet builder for IP-based packets (e.g.
UDP or TCP), mausezahn automatically takes care of correct MAC and
IP addresses (i.e. it performs ARP, DHCP, and DNS lookups for
you). But as soon as you specify even a single link-layer option
(a MAC address, a VLAN tag, or an MPLS header), ARP is disabled
and you must set the Ethernet destination address yourself.
Layer-2:
`-- Direct link access:
mausezahn allows you to send ANY chain of bytes directly through
your Ethernet interface:
mausezahn eth0 "ff:ff:ff:ff:ff:ff ff:ff:ff:ff:ff:ff 00:00 ca:fe:ba:be"
This way you can craft every packet you want but you must do it
by hand. Note: On Wi-Fi interfaces the header is much more
complicated and automatically created by the Wi-Fi driver. As an
example to introduce some interesting options, lets continuously
send frames at max speed with random source MAC address and
broadcast destination address, additionally pad the frame to 1000
bytes:
mausezahn eth0 -c 0 -a rand -b bcast -p 1000 "08 00 aa bb cc dd"
The direct link access supports automatic padding using the -p
<total frame length> option. This allows you to pad a raw L2
frame to the desired length. You must specify the total length,
and the total frame length must be at least 15 bytes for
technical reasons. Zero bytes are used for padding. (The option
summary above says random bytes; if the padding content matters
to you, check the actual frame with -S -V or in a capture before
relying on either.)
`-- ARP:
mausezahn provides a simple interface to the ARP packet. You can
specify the ARP method (request|reply) and up to four arguments:
sendermac, targetmac, senderip, targetip, or short smac, tmac,
sip, tip. By default, an ARP reply is sent with your own
interface addresses as sender MAC and IP address, and a broadcast
target MAC and IP address. Send a gratuitous ARP with all
defaults (the kind of announcement also used for duplicate IP
address detection):
mausezahn eth0 -t arp
ARP cache poisoning:
mausezahn eth0 -t arp "reply, senderip=192.168.0.1, targetmac=00:00:0c:01:02:03, targetip=172.16.1.50"
where by default your interface MAC address is used as sendermac,
senderip denotes the spoofed IP address, and targetmac and
targetip identify the receiver. By default, the Ethernet source
address is your interface MAC and the destination address is the
broadcast address. You can change this using the -a and -b flags.
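To see exactly which bytes the poisoning command above puts on the wire, and which fields the defaults fill in, here is an added example that is not mausezahn's code: it builds the Ethernet/ARP frame with the same defaults the text describes (reply, own MAC/IP as sender, broadcast target MAC/IP, broadcast Ethernet destination) and dissects it again. The interface MAC and IP used are constructed sample values.

```python
import struct

# Added example, not mausezahn's code: build and dissect the Ethernet/ARP
# frame that "-t arp" produces, with the defaults described in the HOWTO.
# All MAC and IP addresses used here are constructed sample values.

ETH_P_ARP = 0x0806
BCAST_MAC = "ff:ff:ff:ff:ff:ff"
BCAST_IP = "255.255.255.255"
ARP_OPCODES = {"request": 1, "reply": 2}


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(part) for part in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(own_mac, own_ip, method="reply", smac=None, tmac=None,
              sip=None, tip=None, eth_src=None, eth_dst=None) -> bytes:
    """Ethernet II + ARP (RFC 826) for IPv4 over Ethernet. Unset fields fall
    back to the defaults the HOWTO describes."""
    opcode = ARP_OPCODES[method]
    eth = struct.pack("!6s6sH",
                      mac_bytes(eth_dst or BCAST_MAC),
                      mac_bytes(eth_src or own_mac),
                      ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1,              # hardware type: Ethernet
                      0x0800,         # protocol type: IPv4
                      6, 4,           # hardware / protocol address lengths
                      opcode,
                      mac_bytes(smac or own_mac), ip_bytes(sip or own_ip),
                      mac_bytes(tmac or BCAST_MAC), ip_bytes(tip or BCAST_IP))
    return eth + arp


def parse_arp(frame: bytes) -> dict:
    """Dissect a frame built by build_arp (or one taken from a capture)."""
    if len(frame) < 42:
        raise ValueError("truncated ARP frame")
    eth_dst, eth_src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    htype, ptype, hlen, plen, opcode, smac, sip, tmac, tip = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unexpected ARP hardware/protocol types")
    return {
        "eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src),
        "opcode": opcode,
        "smac": mac_str(smac), "sip": ip_str(sip),
        "tmac": mac_str(tmac), "tip": ip_str(tip),
    }


if __name__ == "__main__":
    # The cache-poisoning example from the HOWTO, with a constructed interface MAC/IP.
    frame = build_arp("00:11:22:33:44:55", "192.168.0.99", "reply",
                      sip="192.168.0.1", tmac="00:00:0c:01:02:03", tip="172.16.1.50")
    print(parse_arp(frame))
```

Note that the poisoned entry is carried in the ARP sender fields, not in the Ethernet header: the victim learns "192.168.0.1 is at <your MAC>" regardless of the Ethernet destination, which is why the frame may be broadcast.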
`-- BPDU:
mausezahn provides a simple interface to the 802.1D BPDU frame
format (used to create the Spanning Tree in bridged networks). By
default, standard IEEE 802.1D BPDUs are sent and it is assumed
that your computer wants to become the root bridge (rid=bid).
Optionally the 802.3 destination address can be a specified MAC
address, broadcast, your own MAC, or Cisco's PVST+ MAC address.
The destination MAC is set using the -b option which, besides MAC
addresses, accepts keywords such as bcast, own, pvst, or stp
(default). PVST+ is supported as well; simply specify the VLAN
for which you want to send a BPDU:
mausezahn eth0 -t bpdu "vlan=123, rid=2000"
See mausezahn -t bpdu help for more details.
`-- CDP:
mausezahn can send Cisco Discovery Protocol (CDP) messages since
this protocol has security relevance. Of course lots of dirty
tricks are possible; for example arbitrary TLVs can be created
(using the hex-payload argument for example
p=00:0e:00:07:01:01:90) and if you want to stress the CDP
database of some device, mausezahn can send each CDP message with
another system-id using the change keyword:
mausezahn -t cdp change -c 0
Some routers and switches may run into deep problems ;-) See
mausezahn -t cdp help for more details.
`-- 802.1Q VLAN Tags:
mausezahn allows simple VLAN tagging for IP (and other higher
layer) packets. Simply use the option -Q <[CoS:]VLAN>, such as
-Q 10 or -Q 3:921. By default CoS=0. For example send a TCP
packet in VLAN 500 using CoS=7:
mausezahn eth0 -t tcp -Q 7:500 "dp=80, flags=rst, p=aa:aa:aa"
You can create as many VLAN tags as you want! This is interesting
to create QinQ encapsulations or VLAN hopping. Send a UDP packet
with VLAN tags 100 (outer) and 651 (inner):
mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" -Q 100,651
Don't know if this is useful anywhere but at least it is
possible:
mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" -Q 6:5,7:732,5:331,5,6
Mix it with MPLS:
mausezahn eth0 -t udp "dp=8888, sp=13442" -P "Mausezahn is great" -Q 100,651 -M 314
When in raw Layer 2 mode you must create the VLAN tag completely
by yourself. For example, if you want to send a frame in VLAN 5
using CoS 0, specify 81:00 as the type field (the TPID) and, in
the next two bytes, the CoS (PCP, 3 bits), DEI (formerly CFI, 1
bit), and VLAN ID (12 bits), together known as the TCI. The real
type field (08:00 for IP) follows the tag:
mausezahn eth0 -b bc -a rand "81:00 00:05 08:00 aa-aa-aa-aa-aa-aa-aa-aa-aa"
`-- MPLS labels:
mausezahn allows you to insert one or more MPLS headers. Simply
use the option -M <label:CoS:TTL:BoS> where only the label is
mandatory. If you specify a second number it is interpreted as
the experimental bits (the CoS usually). If you specify a third
number it is interpreted as TTL. By default the TTL is set to
255. The Bottom of Stack flag is set automatically, otherwise the
frame would be invalid, but if you want you can also set or unset
it using the S (set) and s (unset) argument. Note that the BoS
must be the last argument in each MPLS header definition. Here
are some examples:
Use MPLS label 214:
mausezahn eth0 -M 214 -t tcp "dp=80" -P "HTTP..." -B myhost.com
Use three labels (the 214 is now the outer):
mausezahn eth0 -M 9999,51,214 -t tcp "dp=80" -P "HTTP..." -B myhost.com
Use two labels, one with CoS=5 and TTL=1, the other with CoS=7:
mausezahn eth0 -M 100:5:1,500:7 -t tcp "dp=80" -P "HTTP..." -B myhost.com
Unset the BoS flag (which will result in an invalid frame):
mausezahn eth0 -M 214:s -t tcp "dp=80" -P "HTTP..." -B myhost.com
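The -Q and -M options above hide the actual bit layout, which you need when you build the same encapsulation by hand in raw Layer 2 mode or when you read it back from a capture. The following is an added example, not mausezahn's code: it parses the -Q and -M argument syntax as documented above, encodes 802.1Q tags and an MPLS label stack, and assembles a frame. The order conventions follow the examples on this page: -Q lists tags outer first, while for -M the last label given is the outer one, so the Bottom-of-Stack bit is set automatically on the first label given unless S/s overrides it. MAC addresses and the payload are constructed sample values.

```python
import struct

# Added example, not mausezahn's code: the byte layout behind -Q and -M,
# i.e. what you would have to type by hand in raw Layer-2 mode.
# MAC addresses and payloads below are constructed sample values.

ETH_P_8021Q = 0x8100
ETH_P_MPLS_UC = 0x8847


def mac_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def vlan_tag(vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """TPID 0x8100 followed by the TCI: PCP (3 bits), DEI (1 bit), VID (12 bits)."""
    if not (0 <= vid < 4096 and 0 <= pcp < 8 and dei in (0, 1)):
        raise ValueError("VID must be 0..4095, PCP 0..7, DEI 0 or 1")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", ETH_P_8021Q, tci)


def mpls_entry(label: int, exp: int = 0, ttl: int = 255, bos: int = 0) -> bytes:
    """One 32-bit label stack entry: label (20), EXP/CoS (3), BoS (1), TTL (8)."""
    if not (0 <= label < (1 << 20) and 0 <= exp < 8 and 0 <= ttl < 256):
        raise ValueError("label must be 0..1048575, EXP 0..7, TTL 0..255")
    return struct.pack("!I", (label << 12) | (exp << 9) | (bos << 8) | ttl)


def parse_q_option(opt: str) -> list:
    """'6:5,7:732,5' -> [(pcp, vid), ...]; CoS defaults to 0; first item is the outer tag."""
    tags = []
    for item in opt.split(","):
        parts = item.split(":")
        if len(parts) == 1:
            tags.append((0, int(parts[0])))
        elif len(parts) == 2:
            tags.append((int(parts[0]), int(parts[1])))
        else:
            raise ValueError(f"bad VLAN spec {item!r}")
    return tags


def parse_m_option(opt: str) -> list:
    """'100:5:1,500:7,214:s' -> [(label, exp, ttl, bos_override), ...].
    Defaults: CoS 0, TTL 255; a trailing S/s forces the BoS flag on/off."""
    labels = []
    for item in opt.split(","):
        parts = item.split(":")
        bos = None
        if parts[-1] in ("S", "s"):
            bos = 1 if parts.pop() == "S" else 0
        if not 1 <= len(parts) <= 3:
            raise ValueError(f"bad MPLS spec {item!r}")
        label = int(parts[0])
        exp = int(parts[1]) if len(parts) > 1 else 0
        ttl = int(parts[2]) if len(parts) > 2 else 255
        labels.append((label, exp, ttl, bos))
    return labels


def mpls_stack(labels: list) -> bytes:
    """Encode -M entries in wire order (outer first). The last label given is
    the outermost, so the list is reversed and BoS is set automatically on the
    first label given (the innermost) unless S/s overrides it."""
    out = b""
    for i, (label, exp, ttl, bos) in enumerate(reversed(labels)):
        auto_bos = 1 if i == len(labels) - 1 else 0
        out += mpls_entry(label, exp, ttl, auto_bos if bos is None else bos)
    return out


def build_frame(dst: str, src: str, payload: bytes, q_option: str = "",
                m_option: str = "", ethertype: int = 0x0800) -> bytes:
    """Ethernet header, VLAN tags (outer first), then either the MPLS stack
    behind EtherType 0x8847 or the plain EtherType, then the payload."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    for pcp, vid in (parse_q_option(q_option) if q_option else []):
        hdr += vlan_tag(vid, pcp)
    if m_option:
        hdr += struct.pack("!H", ETH_P_MPLS_UC) + mpls_stack(parse_m_option(m_option))
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


if __name__ == "__main__":
    # The raw-mode "VLAN 5, CoS 0" frame from above, generated instead of typed.
    print(build_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01", b"\xaa" * 9, q_option="5").hex(":"))
```

The output for the VLAN 5 case starts with the same 81:00 00:05 08:00 bytes that the raw-mode example types by hand; compare the two before sending a hand-built frame.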
Layer 3-7:
IP, UDP, and TCP packets can be padded using the -p option.
Currently 0x42 is used as padding byte ('the answer'). You cannot
pad DNS packets (would be useless anyway).
`-- IP:
mausezahn allows you to send any malformed or correct IP packet.
Every field in the IP header can be manipulated. The IP addresses
can be specified via the -A and -B options, denoting the source
and destination address, respectively. You can also specify an
address range or a host name (FQDN). Additionally, the source
address can also be random. By default the source address is your
interface IP address and the destination address is a broadcast
address. Here are some examples:
ASCII payload:
mausezahn eth0 -t ip -A rand -B 192.168.1.0/24 -P "hello world"
Hexadecimal payload:
mausezahn eth0 -t ip -A 10.1.0.1-10.1.255.254 -B 255.255.255.255 p=ca:fe:ba:be
Will use correct source IP address:
mausezahn eth0 -t ip -B www.xyz.com
The Type of Service (ToS) byte can either be specified directly
by two hexadecimal digits, which means you can also easily set
the Explicit Congestion Notification (ECN) bits (LSB 1 and 2), or
you may only want to specify a common DSCP value (bits 3-8) using
a decimal number (0..63):
Packet sent with DSCP = Expedited Forwarding (EF):
mausezahn eth0 -t ip dscp=46,ttl=1,proto=1,p=08:00:5a:a2:de:ad:be:af
If you leave the checksum as zero (or unspecified) the correct
checksum will be automatically computed. Note that you can only
use a wrong checksum when you also specify at least one L2 field
manually.
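The ToS/DSCP arithmetic and the automatic-versus-deliberately-wrong checksum behaviour described above are the two things most often mis-set in hand-built IP headers. The following is an added example, not mausezahn's code: it builds an IPv4 header with the ToS byte derived from DSCP and ECN, computes the header checksum when it is left at zero (the same default the sum argument has) and writes any other value unchanged, and includes a verifier you can run over headers taken from a capture. Addresses and payloads are constructed sample values.

```python
import socket
import struct

# Added example, not mausezahn's code: IPv4 header construction with the
# ToS byte from DSCP/ECN and an RFC 1071 checksum. Sample values constructed.

ECN_NOT_ECT, ECN_ECT1, ECN_ECT0, ECN_CE = 0, 1, 2, 3


def tos_byte(dscp: int = 0, ecn: int = ECN_NOT_ECT) -> int:
    """DSCP occupies the six high bits, ECN the two low bits."""
    if not (0 <= dscp < 64 and 0 <= ecn < 4):
        raise ValueError("DSCP must be 0..63, ECN 0..3")
    return (dscp << 2) | ecn


def split_tos(tos: int) -> tuple:
    """Inverse of tos_byte: (dscp, ecn)."""
    return tos >> 2, tos & 0x3


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over data, padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64,
               tos: int = 0, ident: int = 0, flags_frag: int = 0,
               checksum: int = 0) -> bytes:
    """20-byte header (no options) followed by payload. checksum=0 means
    'compute it'; any other value is written as given, so deliberately wrong
    checksums are possible (as with the sum argument plus an L2 field)."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                         ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    if checksum == 0:
        checksum = ones_complement_sum(header)
    header = header[:10] + struct.pack("!H", checksum) + header[12:]
    return header + payload


def ipv4_checksum_ok(packet: bytes) -> bool:
    """True when the header checksum verifies (the sum over the header is zero)."""
    ihl = (packet[0] & 0x0F) * 4
    return ones_complement_sum(packet[:ihl]) == 0


def parse_ipv4(packet: bytes) -> dict:
    ver_ihl, tos, total_len, ident, flags_frag, ttl, proto, csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", packet[:20])
    dscp, ecn = split_tos(tos)
    return {"version": ver_ihl >> 4, "ihl": ver_ihl & 0xF, "dscp": dscp, "ecn": ecn,
            "total_len": total_len, "ttl": ttl, "proto": proto, "checksum": csum,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "checksum_ok": ipv4_checksum_ok(packet)}


if __name__ == "__main__":
    # The "dscp=46, ttl=1, proto=1" example above with a constructed echo-request payload.
    pkt = build_ipv4("192.0.2.10", "192.0.2.255", 1, bytes.fromhex("08005aa2deadbeaf"),
                     ttl=1, tos=tos_byte(dscp=46))
    print(parse_ipv4(pkt))
```

DSCP 46 gives a ToS byte of 0xb8, which is what you would have to type if you set the byte directly as two hex digits instead of using the decimal dscp argument.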
`-- UDP:
mausezahn supports easy UDP datagram generation. Simply specify
the destination address (-B option) and optionally an arbitrary
source address (-A option) and as arguments you may specify the
port numbers using the dp (destination port) and sp (source port)
arguments and a payload. You can also easily specify a whole port
range which will result in sending multiple packets. Here are
some examples:
Send test packets to the RTP port range:
mausezahn eth0 -B 192.168.1.1 -t udp "dp=16384-32767, p=A1:00:CC:00:00:AB:CD:EE:EE:DD:DD:00"
Send a DNS request as local broadcast (often a local router
replies). The payload below is a standard query for www.xyz.com,
type A, class IN, with transaction ID c5:2f and the RD flag set:
mausezahn eth0 -t udp "dp=53, p=c5-2f-01-00-00-01-00-00-00-00-00-00-03-77-77-77-03-78-79-7a-03-63-6f-6d-00-00-01-00-01"
Additionally you may specify the length and checksum using the
len and sum arguments (both are set correctly by default). Note:
several protocols share argument names such as len (length) and
sum (checksum). If you specified a UDP-type packet (via -t udp)
and want to modify the IP length or checksum, use the alternate
keywords iplen and ipsum. Also note that to send a wrong IP length
or checksum you must specify at least one L2 field; this tells
mausezahn to build the whole frame itself without the help of
your kernel (which would otherwise fix up the IP checksum and
length for you).
`-- ICMP:
mausezahn currently only supports the following ICMP methods:
PING (echo request), Redirect (various types), and Unreachable
(various types). Additional ICMP types will be supported in the
future. For now you need to tailor them yourself, e.g. using the
IP packet builder (setting proto=1) with the ICMP header and body
as hex payload, as in the dscp=46 example above. Use mausezahn
-t icmp help for help on the currently implemented options.
`-- TCP:
mausezahn allows you to easily tailor any TCP packet. As with UDP
you can specify source and destination port (ranges) using the sp
and dp arguments. Then you can directly specify the desired
flags, using "|" as delimiter if you want to set multiple flags
(e.g. flags=syn|ack). For example, a SYN flood against host
1.1.1.1 using a random source IP address and cycling through all
well-known ports (1-1023) could be created via:
mausezahn eth0 -A rand -B 1.1.1.1 -c 0 -t tcp "dp=1-1023, flags=syn" \
  -P "Good morning! This is a SYN Flood Attack. We apologize for any inconvenience."
Be careful with such SYN floods and only use them for firewall
testing. Check your legal position! Remember that a host with an
established TCP session only accepts segments with correct socket
information (addresses and ports) and a sequence number (SQNR)
that falls inside its receive window. If you want to try a DoS
attack by sending a RST flood and you do NOT know the target's
current SQNR (which is normally the case), you may want to sweep
through the whole sequence number space:
mausezahn eth0 -A legal.host.com -B target.host.com \
  -t tcp "sp=80,dp=80,s=1-4294967295"
Fortunately, a classic (RFC 793) stack accepts a RST whose SQNR
lies anywhere between the expected next sequence number and that
number plus the announced window size. Since typical window sizes
lie between 40000 and 65535 bytes, you are MUCH quicker when
stepping through the space in window-sized increments via the ds
argument:
mausezahn eth0 -A legal.host.com -B target.host.com \
  -t tcp "sp=80, dp=80, s=1-4294967295, ds=40000"
In the latter case mausezahn sends only 107375 packets instead of
4294967295 (roughly 1 second compared to 11 hours at the same
rate). Keep ds no larger than the target's window, otherwise the
sweep can jump over it. Also note that stacks implementing RFC
5961 reset only on an exact SQNR match and answer other in-window
RSTs with a challenge ACK, so the sweep is far less effective
against them.
tailor any TCP packet you like. As with other L4 protocols
mausezahn builds a correct IP header but you can additionally
access every field in the IP packet (also in the Ethernet frame).
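The sequence-number sweep above rests on a few pieces of arithmetic that are worth checking before you spend packets on them. The following is an added example, not mausezahn's code: it converts a flags=... string into the TCP flag byte, counts how many packets an s=start-end, ds=step sweep produces, applies the RFC 793 window acceptance rule (modulo 2^32) to find the first sweep value that hits a given window, and shows what an RFC 5961 receiver does with the same RST instead. The window sizes and sequence numbers it is run against are constructed sample values.

```python
# Added example, not mausezahn's code: the arithmetic behind the TCP flag
# and sequence-number sweep examples. Window and sequence values are constructed.

TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
                 "ack": 0x10, "urg": 0x20, "ecn": 0x40, "cwr": 0x80}


def tcp_flags(spec: str) -> int:
    """'syn|ack' -> 0x12. Unknown names raise instead of being dropped silently."""
    value = 0
    for name in spec.lower().split("|"):
        name = name.strip()
        if name not in TCP_FLAG_BITS:
            raise ValueError(f"unknown TCP flag {name!r}")
        value |= TCP_FLAG_BITS[name]
    return value


def sweep_count(start: int, end: int, step: int = 1) -> int:
    """Number of packets for s=start-end with ds=step (inclusive range)."""
    if step < 1 or start > end:
        raise ValueError("need step >= 1 and start <= end")
    return len(range(start, end + 1, step))


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptance test, modulo 2^32: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND."""
    return ((seq - rcv_nxt) & 0xFFFFFFFF) < rcv_wnd


def first_hit(start: int, end: int, step: int, rcv_nxt: int, rcv_wnd: int):
    """First sweep value that lands in the target's window, or None when the
    step is larger than the window and the sweep jumps over it."""
    for seq in range(start, end + 1, step):
        if seq_in_window(seq, rcv_nxt, rcv_wnd):
            return seq
    return None


def rst_outcome(seq: int, rcv_nxt: int, rcv_wnd: int, rfc5961: bool = True) -> str:
    """What a receiver does with a RST carrying seq. Classic RFC 793 stacks reset
    on any in-window SQNR; RFC 5961 stacks reset only on an exact match and
    answer other in-window RSTs with a challenge ACK."""
    if not seq_in_window(seq, rcv_nxt, rcv_wnd):
        return "drop"
    if rfc5961 and seq != rcv_nxt:
        return "challenge-ack"
    return "reset"


if __name__ == "__main__":
    # The two sweeps from the HOWTO against a constructed target state.
    rcv_nxt, rcv_wnd = 123456789, 40000
    print("packets, ds=1:    ", sweep_count(1, 4294967295))
    print("packets, ds=40000:", sweep_count(1, 4294967295, 40000))
    hit = first_hit(1, 4294967295, 40000, rcv_nxt, rcv_wnd)
    print("first in-window SQNR:", hit, rst_outcome(hit, rcv_nxt, rcv_wnd, rfc5961=False))
    print("same RST at an RFC 5961 stack:", rst_outcome(hit, rcv_nxt, rcv_wnd))
```

The None result for a step of 65536 against a 40000-byte window is the case the text warns about: the increment must not exceed the window, or the sweep can miss it entirely.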
`-- DNS:
mausezahn supports UDP-based DNS requests or responses. Typically
you may want to send a query or an answer. As usual, you can
modify every flag in the header. Here is an example of a simple
query:
mausezahn eth0 -B mydns-server.com -t dns "q=www.ibm.com"
You can also create server-type messages, here a spoofed answer
(note the -t dns, which the query example also uses):
mausezahn eth0 -A spoofed.dns-server.com -B target.host.com \
  -t dns "q=www.topsecret.com, a=172.16.1.1"
The syntax according to the online help (-t dns help) is:
  query|q  = <name>[:<type>]                where type is per default "A"
                                            (and class is always "IN")
  answer|a = [<type>:<ttl>:]<rdata>         ttl is per default 0
           = [<type>:<ttl>:]<rdata>/[<type>:<ttl>:]<rdata>/...
Note: If you only use the 'query' option then a query is sent. If
you additionally add an 'answer' then an answer is sent.
Examples:
q = www.xyz.com
q = www.xyz.com, a=192.168.1.10
q = www.xyz.com, a=A:3600:192.168.1.10
q = www.xyz.com, a=CNAME:3600:abc.com/A:3600:192.168.1.10
Please try out mausezahn -t dns help to see the many other
optional command line options.
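Both the hand-typed DNS query in the UDP section (the c5-2f-... payload to port 53) and the q=/a= arguments of the DNS builder above produce the same wire format. The following is an added example, not mausezahn's code: an encoder for queries and spoofed answers in the q=name and a=TYPE:ttl:rdata/... shape the builder uses, and a decoder (with compression-pointer handling) so you can confirm what a payload says before sending it or read back what a resolver answered. Names, addresses and transaction IDs are constructed sample values.

```python
import socket
import struct

# Added example, not mausezahn's code: encode/decode the UDP DNS messages the
# examples send by hand or via -t dns. Names and addresses are constructed.

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "PTR": 12, "MX": 15, "TXT": 16, "AAAA": 28}
QTYPE_NAMES = {v: k for k, v in QTYPES.items()}
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: str = "A", txid: int = 0x1234) -> bytes:
    """Standard recursive query: QR=0, OPCODE=0, RD=1 (flags 0x0100), one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], CLASS_IN)


def encode_rdata(rtype: str, rdata: str) -> bytes:
    if rtype == "A":
        return socket.inet_aton(rdata)
    if rtype == "AAAA":
        return socket.inet_pton(socket.AF_INET6, rdata)
    if rtype in ("CNAME", "NS", "PTR"):
        return encode_name(rdata)
    raise ValueError(f"unsupported rdata type {rtype}")


def build_answer(name: str, answers: list, txid: int = 0x1234) -> bytes:
    """Response to an A query for name: QR=1, RD=1, RA=1 (flags 0x8180). The
    question is echoed and each (type, ttl, rdata) becomes one RR whose owner
    name is a compression pointer (0xc00c) back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(answers), 0, 0)
    msg = header + encode_name(name) + struct.pack("!HH", QTYPES["A"], CLASS_IN)
    for rtype, ttl, rdata in answers:
        rd = encode_rdata(rtype, rdata)
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPES[rtype], CLASS_IN, ttl, len(rd)) + rd
    return msg


def decode_name(msg: bytes, off: int) -> tuple:
    """Returns (name, offset just past the name in the original byte stream)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def decode_rdata(msg: bytes, rtype: int, off: int, rdlen: int):
    if rtype == QTYPES["A"]:
        return socket.inet_ntoa(msg[off:off + 4])
    if rtype == QTYPES["AAAA"]:
        return socket.inet_ntop(socket.AF_INET6, msg[off:off + 16])
    if rtype in (QTYPES["CNAME"], QTYPES["NS"], QTYPES["PTR"]):
        return decode_name(msg, off)[0]
    return msg[off:off + rdlen].hex()


def parse_message(msg: bytes) -> dict:
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, QTYPE_NAMES.get(qtype, qtype)))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, QTYPE_NAMES.get(rtype, rtype), ttl, decode_rdata(msg, rtype, off, rdlen)))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & 0x8000), "rcode": flags & 0xF,
            "questions": questions, "answers": answers}


if __name__ == "__main__":
    print(build_query("www.xyz.com", txid=0xc52f).hex("-"))     # the hand-typed payload above
    print(parse_message(build_answer("www.topsecret.com", [("A", 3600, "172.16.1.1")])))
```

A spoofed answer is only accepted by a resolver when the transaction ID, the destination port and the question match an outstanding query, which is why the a=... form is mainly useful against a target you can observe or that you trigger yourself.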
`-- RTP and VoIP path measurements:
mausezahn can send arbitrary Real Time Protocol (RTP) packets. By
default a classical G.711 codec packet of 20 ms segment size and
160 bytes is assumed. You can measure jitter, packet loss, and
reordering along a path between two hosts running mausezahn. The
jitter measurement is either done following the variance low-pass
filtered estimation specified in RFC 3550 or using an alternative
"real-time" method which is even more precise (the RFC-method is
used by default). For example on Host1 you start a transmission
process:
mausezahn -t rtp -B 192.168.1.19
And on Host2 (192.168.1.19) a receiving process which performs
the measurement:
mausezahn -T rtp
Note that the option flag with the capital "T" means that it is a
server RTP process, waiting for incoming RTP packets from any
mausezahn source. In case you want to restrict the measurement to
a specific source or you want to perform a bidirectional
measurement, you must specify a stream identifier. Here is an
example for bidirectional measurements which logs the running
jitter average in a file:
Host1# mausezahn -t rtp id=11:11:11:11 -B 192.168.2.2 &
Host1# mausezahn -T rtp id=22:22:22:22 "log, path=/tmp/mz/"
Host2# mausezahn -t rtp id=22:22:22:22 -B 192.168.1.1 &
Host2# mausezahn -T rtp id=11:11:11:11 "log, path=/tmp/mz/"
In any case the measurements are printed continuously onto the
screen; by default it looks like this:
0.00                     0.19                     0.38                     0.57
|-------------------------|-------------------------|-------------------------|
#########                                                       0.07 msec
####################                                            0.14 msec
##                                                              0.02 msec
###                                                             0.02 msec
#########                                                       0.07 msec
####                                                            0.03 msec
#########                                                       0.07 msec
#############                                                   0.10 msec
##                                                              0.02 msec
###########################################                     0.31 msec
#########                                                       0.07 msec
##############################################                  0.33 msec
###############                                                 0.11 msec
##########                                                      0.07 msec
###############                                                 0.11 msec
##########################################################      0.42 msec
#####                                                           0.04 msec
More information is shown using the txt keyword:
mausezahn -T rtp txt
Got 100 packets from host 192.168.0.3: 0 lost (0 absolute
lost), 1 out of order
Jitter_RFC (low pass filtered) = 30 usec
Samples jitter (min/avg/max) = 1/186/2527 usec
Delta-RX (min/avg/max) = 2010/20167/24805 usec
Got 100 packets from host 192.168.0.3: 0 lost (0 absolute
lost), 1 out of order
Jitter_RFC (low pass filtered) = 17 usec
Samples jitter (min/avg/max) = 1/53/192 usec
Delta-RX (min/avg/max) = 20001/20376/20574 usec
Got 100 packets from host 192.168.0.3: 0 lost (0 absolute
lost), 1 out of order
Jitter_RFC (low pass filtered) = 120 usec
Samples jitter (min/avg/max) = 0/91/1683 usec
Delta-RX (min/avg/max) = 18673/20378/24822 usec
See mausezahn -t rtp help and mausezahn -T rtp help for more details.
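The figures in the txt output above (RFC jitter, per-sample jitter, Delta-RX, lost and out-of-order counts) are easy to reproduce from a packet trace, which is useful when you want to sanity-check a measurement or post-process a capture instead of watching the live display. The following is an added example, not mausezahn's code: it implements the interarrival jitter estimator of RFC 3550 section 6.4.1 with the 1/16 gain, plus the loss, reordering and Delta-RX statistics, over a constructed G.711 trace (8 kHz clock, 160 ticks per 20 ms packet, as the default stream described above). The trace builder and its delays are constructed test data.

```python
# Added example, not mausezahn's code: receiver-side arithmetic behind the
# "-T rtp" statistics, run over a constructed G.711 packet trace.

G711_CLOCK_HZ = 8000          # RTP clock for the default G.711 stream
G711_TICKS_PER_PACKET = 160   # 20 ms segments


def rtp_ticks_to_us(ticks: int, clock_hz: int = G711_CLOCK_HZ) -> int:
    return ticks * 1_000_000 // clock_hz


def rfc3550_jitter(samples: list, clock_hz: int = G711_CLOCK_HZ) -> float:
    """samples: [(seq, rtp_timestamp_ticks, arrival_us), ...] in arrival order.
    D(i-1,i) = (R_i - R_{i-1}) - (S_i - S_{i-1});  J_i = J_{i-1} + (|D| - J_{i-1}) / 16"""
    jitter, prev = 0.0, None
    for _seq, ts, arrival in samples:
        s_us = rtp_ticks_to_us(ts, clock_hz)
        if prev is not None:
            d = (arrival - prev[1]) - (s_us - prev[0])
            jitter += (abs(d) - jitter) / 16
        prev = (s_us, arrival)
    return jitter


def summarize(samples: list, clock_hz: int = G711_CLOCK_HZ) -> dict:
    """The figures printed by 'mausezahn -T rtp txt': packets, lost, out of
    order, RFC jitter, per-sample |D| min/avg/max and Delta-RX min/avg/max."""
    seqs = [s for s, _, _ in samples]
    expected = max(seqs) - min(seqs) + 1
    lost = expected - len(set(seqs))
    out_of_order = sum(1 for a, b in zip(seqs, seqs[1:]) if b < a)
    abs_d, delta_rx = [], []
    for (_, ts0, r0), (_, ts1, r1) in zip(samples, samples[1:]):
        s0, s1 = rtp_ticks_to_us(ts0, clock_hz), rtp_ticks_to_us(ts1, clock_hz)
        abs_d.append(abs((r1 - r0) - (s1 - s0)))
        delta_rx.append(r1 - r0)

    def mam(values):
        return (min(values), sum(values) / len(values), max(values)) if values else (0, 0, 0)

    return {"packets": len(samples), "lost": lost, "out_of_order": out_of_order,
            "jitter_rfc_us": rfc3550_jitter(samples, clock_hz),
            "sample_jitter_us": mam(abs_d), "delta_rx_us": mam(delta_rx)}


def g711_trace(n: int, late: dict = None, order: list = None) -> list:
    """Constructed trace: packets 20 ms apart. RTP timestamps follow the
    sequence number; arrival times follow the arrival position, plus an
    optional per-sequence delay (late) in microseconds."""
    late = late or {}
    order = order if order is not None else list(range(n))
    return [(seq, seq * G711_TICKS_PER_PACKET, pos * 20_000 + late.get(seq, 0))
            for pos, seq in enumerate(order)]


if __name__ == "__main__":
    print(summarize(g711_trace(5)))                      # perfectly regular stream
    print(summarize(g711_trace(5, late={2: 1600})))      # one packet 1.6 ms late
    print(summarize(g711_trace(5, order=[0, 1, 3, 2, 4])))  # one reordered packet
```

The low-pass filter is what makes Jitter_RFC lag behind the per-sample values: a single 1.6 ms outlier moves the estimate by only a sixteenth of the difference per packet, so the sample min/avg/max line is the one to read when you are hunting for individual spikes.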
`-- Syslog:
The traditional Syslog protocol is widely used even in
professional networks and is sometimes vulnerable: it runs over
UDP without any authentication, so a collector accepts whatever
arrives on its port. For example you might insert forged Syslog
messages by spoofing your source address (e.g. impersonating the
address of a legitimate network device):
mausezahn -t syslog sev=3 -P "You have been mausezahned." -A 10.1.1.109 -B 192.168.7.7
See mausezahn -t syslog help for more details.