documentmz

Mausezahn User's Guide

Part Two - Interactive Mode (MOPS)

Author: Herbert Haas

Address:herbert AT perihel DOT athttp://www.perihel.at/sec/mz

Revision: 0.38.1

Date: 2010-02-10

Copyright: Copyright (c) 2007-2009 by Herbert Haas.

Contents

1 Note2 What is Mausezahn?3 Disclaimer and License4 First steps5 Defining packets

5.1 General packet options5.2 Configuring protocol types5.3 Configuring a greater interval

6 Load prepared configurations7 What's next?8 Dear users

1 NoteThis User's Guide explains Mausezahn's interactive mode relying onMausezahn's Own Packet System (MOPS). Most new and all moresophisticated features are implemented inside this subsystem. MOPSprovides an interactive command line interface (similar as the famousCisco CLI) and is multi-threaded, allowing you to create an arbitrarynumber of transmission and scanning process(es).

The legacy mode aka direct mode* (which allows you to create frames andpackets right from the Linux command line) is still supported and isdescribed in this document.

Mausezahn User's Guide http://www.perihel.at/sec/mz/mops.html

1 de 14 13-04-2011 05:35

2 What is Mausezahn?Mausezahn is a fast traffic generator written in C which allows you tosend nearly every possible and impossible packet. Mausezahn can be usedfor example

As traffic generator (e. g. to stress multicast networks)For penetration testing of firewalls and IDSFor DoS attacks on networks (for audit purposes ofcourse)To find bugs in network software or appliancesFor reconnaissance attacks using ping sweeps and portscansTo test network behaviour under strange circumstances(stress test, malformed packets, ...)As didactical tool during lab exercises

...and more. Mausezahn is basically a versatile packet creation tool on thecommand line with a simple syntax and online help. It could also be usedwithin (bash-) scripts to perform combination of tests.

Currently Mausezahn is only available for Linux (and other UNIX-like)platforms. There will be no Windows version.

3 Disclaimer and LicenseMausezahn is basically a traffic generator as well as a network and firewalltesting tool. Don't use this tool when you are not aware of itsconsequences or have only little knowledge about networks and datacommunication. If you abuse Mausezahn for unallowed attacks and getcaught, or damage something of your own, then this is completely yourfault.

Since version 0.33 Mausezahn is licensed under GPLv2

4 First stepsUsing the interactive mode requires to start Mausezahn as server:

# mz -x


2 de 14 13-04-2011 05:35

Now you can Telnet to that server using the default port number 25542,but also an arbitrary port number can be specified:

# mz -x 99Mausezahn accepts incoming Telnet connections on port 99.mz: Problems opening config file. Will use defaults

Either from another terminal or from another host try to Telnet to theMausezahn server:

harpo$ telnet groucho 99Trying 192.168.0.4...Connected to groucho.Escape character is '^]'.

------------------------------------------Mausezahn, version 0.38Copyright (C) 2007-2009 by Herbert Haas.------------------------------------------

Mausezahn comes with ABSOLUTELY NO WARRANTY; for detailstype 'warranty'. This is free software, and you are welcometo redistribute it under certain conditions; see COPYING(included in the Mausezahn source package) for details.

For Mausezahn NEWS visit http://www.perihel.at/sec/mz/

Username: mzPassword: mz

mz-0.38> enablePassword: mopsmz-0.38#

It is recommended to configure your own login credentials in/etc/mausezahn/mz.cfg, such as:

user = herbertpassword = TopSecretenable = MauseZa#n42

Since you reached the Mausezahn prompt, lets try some first commands.You can use the '?' character at any time for a contect-sensitive help.

First try out the show command:


3 de 14 13-04-2011 05:35

mz-0.38# show ?packet Show defined packets interfaces Show detailedinterface information mops Show MOPS details set Listgeneral packet parameters arp Show the advancedMausezahn ARP table license Show license and warrantydetails

Mausezahn maintains its own ARP table and observes anomalies. There isan entry for every physical interface (however this host has only one):

mz-0.38# sh arpIntf Index IP address MAC address last Ch UCast BCast Info----------------------------------------------------------------------------------eth0 [1] D 192.168.0.1 00:09:5b:9a:15:84 23:44:41 1 1 0 0000

The column Ch tells us that the announced MAC address has only changedone time (= when it was learned). The columns Ucast and BCast tell ushow often this entry was announced via unicast or broadcast respectively.

Let's check our interfaces:

mz-0.38# show interfaceAvailable network interfaces:

real real used (fake) used (fake) device IPv4 address MAC address IPv4 address MAC address----------------------------------------------------------------------------------> eth0 192.168.0.4 00:30:05:76:2e:8d 192.168.0.4 00:30:05:76 lo 127.0.0.1 00:00:00:00:00:00 127.0.0.1 00:00:00:00

2 interfaces found.Default interface is eth0.

5 Defining packetsLet's check the current packet list:


4 de 14 13-04-2011 05:35

mz-0.38# sh packetPacket layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=U

PktID PktName Layers Proto Size State Device Delay

1 sysARP_servic... E----- ARP 60 config lo 100 msec

1 packets defined, 0 active.

We notice that there is already one system-defined packet process; it hasbeen created and used only once (during startup) by Mausezahn's ARPservice. Currently its state is config which means that the process issleeping.

5.1 General packet options

Now let's create our own packet process and therefore switch into theglobal configuration mode:

mz-0.38# configure term

mz-0.38(config)# packetAllocated new packet PKT0002 at slot 2

mz-0.38(config-pkt-2)# ?...name Assign a unique namedescription Assign a packet description textbind Select the network interfacecount Configure the packet count valuedelay Configure the inter-packet delayinterval Configure a greater intervaltype Specify packet typemac Configure packet's MAC addressestag Configure tagspayload Configure a payloadport Configure packet's port numbersend End packet configuration modeethernet Configure frame's Ethernet, 802.2, 802.3, or SNAP settingsip Configure packet's IP settingsudp Configure packet's UDP header parameterstcp Configure packet's TCP header parameters

Here are a lot of options but normally you only need a few of them. Whenyou configure lots of different packets you might assign a reasonable nameand description for them:


5 de 14 13-04-2011 05:35

mz-0.38(config-pkt-2)# name Testmz-0.38(config-pkt-2)# desc This is just a test

You can e. g. change the default settings for the source and destinationMAC/IP addresses using the mac and ip commands:

mz-0.38(config-pkt-2)# ip address dest 10.1.1.0 /24mz-0.38(config-pkt-2)# ip addr source random

In the example above we configured a range of addresses (all hosts in thenetwork 10.1.1.0 should be addressed). Additionally we spoof our sourceIP address.

Of course We can add one or more VLAN and/or MPLS tag(s):

mz-0.38(config-pkt-2)# tag ? dot1q Configure 802.1Q (and 802.1P) parameters mpls Configure MPLS label stack

mz-0.38(config-pkt-2)# tag dot ?Configure 802.1Q tags:

VLAN[:CoS] [VLAN[:CoS]] ... The leftmost tag is the outer tag in the frame remove <tag-nr> | all Remove one or more tags (<tag-nr> starts with 1), by default the first (=leftmost,outer) tag is remo keyword 'all' can be used instead of tag numbers. cfi | nocfi [<tag-nr>] Set or unset the CFI-bit in any tag (by default assuming the first tag).

mz-0.38(config-pkt-2)# tag dot 1:7 200:5

Configure count and delay:


6 de 14 13-04-2011 05:35

mz-0.38(config-pkt-2)# count 1000

mz-0.38(config-pkt-2)# delay ?delay <value> [hour | min | sec | msec | usec | nsec]

Specify the inter-packet delay in hours, minutes, seconds, milliseconds, microsecor nanoseconds. The default unit is milliseconds (i. e. when no unit is given).

mz-0.38(config-pkt-2)# delay 1 msecInter-packet delay set to 0 sec and 1000000 nsec

mz-0.38(config-pkt-2)#

5.2 Configuring protocol types

Mausezahn's interactive mode supports a growing list of protocols andonly relies on the MOPS architecture (and not on libnet as it is the casewith the legacy direct mode):


7 de 14 13-04-2011 05:35

mz-0.38(config-pkt-2)# typeSpecify a packet type from the following list:

arp bpdu igmp ip lldp tcp udp

mz-0.38(config-pkt-2)# type tcp

mz-0.38(config-pkt-2-tcp)#....seqnr Configure the TCP sequence numberacknr Configure the TCP acknowledgement numberhlen Configure the TCP header lengthreserved Configure the TCP reserved fieldflags Configure a combination of TCP flags at oncecwr Set or unset the TCP CWR flagece Set or unset the TCP ECE flagurg Set or unset the TCP URG flagack set or unset the TCP ACK flagpsh set or unset the TCP PSH flagrst set or unset the TCP RST flagsyn set or unset the TCP SYN flagfin set or unset the TCP FIN flagwindow Configure the TCP window sizechecksum Configure the TCP checksumurgent-pointer Configure the TCP urgend pointeroptions Configure TCP optionsend End TCP configuration mode

mz-0.38(config-pkt-2-tcp)# flags syn fin rstCurrent setting is: --------------------RST-SYN-FIN

mz-0.38(config-pkt-2-tcp)# endmz-0.38(config-pkt-2)# paylo ascii This is a dummy payload for my first packetmz-0.38(config-pkt-2)# end

Now configure another packet, for example let's assume we want an LLDPprocess:


8 de 14 13-04-2011 05:35

mz-0.38(config)# packetAllocated new packet PKT0003 at slot 3

mz-0.38(config-pkt-3)# ty lldpmz-0.38(config-pkt-3-lldp)# exitmz-0.38(config)# exit

In the above example we only use the default LLDP settings and don'tconfigure further LLDP options or TLVs.

Back in the top level of the CLI let's verify what we had done:

mz-0.38# sh paPacket layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=U

PktID PktName Layers Proto Size State Device Delay Co 1 sysARP_servic... E----- ARP 60 config lo 100 msec 2 Test E-Q-IT 125 config eth0 1000 usec 1 3 PKT0003 E----- LLDP 36 config eth0 30 sec


The column Layers indicates which major protocols have been combined.For example the packet with packet-id 2 ("Test") utilizes Ethernet (E), IP(I), and TCP (T). Additionally an 802.1Q tag (Q) has been inserted.

Now start one of these packet processes:

mz-0.38# start slot 3Activate [3]

mz-0.38# sh pacPacket layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=U

PktID PktName Layers Proto Size State Device Delay Co 1 sysARP_servic... E----- ARP 60 config lo 100 msec 2 Test E-Q-IT 125 config eth0 1000 usec 1 3 PKT0003 E----- LLDP 36 config eth0 30 sec


Let's have a more detailed look at a specific packet process:


9 de 14 13-04-2011 05:35

mz-0.38# sh pac 2Packet [2] TestDescription: This is just a testState: config, Count=1000, delay=1000 usec (0 s 1000000 nsec), interval= (undefineHeaders: Ethernet: 00-30-05-76-2e-8d => ff-ff-ff-ff-ff-ff [0800 after 802.1Q tag] Auto-delivery is ON (that is, the actual MAC is adapted upon transmission) 802.1Q: 0 tag(s); (VLAN:CoS) IP: SA=192.168.0.4 (not random) (no range) DA=255.255.255.255 (no range) ToS=0x00 proto=17 TTL=255 ID=0 offset=0 flags: -|-|- len=49664(correct) checksum=0x2e8d(correct) TCP: 83 bytes segment size (including TCP header) SP=0 (norange) (not random), DP=0 (norange) (not random) SQNR=3405691582 (start 0, stop 4294967295, delta 0) -- ACKNR=0 (invalid) Flags: ------------------------SYN----, reserved field is 00, urgent pointer Announced window size= 100 Offset= 0 (times 32 bit; value is valid), checksum= ffff (valid) (No TCP options attached) - 0 bytes defined Payload size: 43 bytes Frame size: 125 bytes

1 ff:ff:ff:ff:ff:ff:00:30 05:76:2e:8d:81:00:e0:01 81:00:a0:c8:08:00:45:00 00 33 fa:e4:c0:a8:00:04:ff:ff ff:ff:00:00:00:00:ca:fe ba:be:00:00:00:00:a0:07 00 65 05:ac:04:02:08:0a:19:35 90:c3:00:00:00:00:01:03 03:05:54:68:69:73:20:69 73 97 79:20:70:61:79:6c:6f:61 64:20:66:6f:72:20:6d:79 20:66:69:72:73:74:20:70 61

mz-0.38#

If you want to stop one or more packet processes, use the stopcommand. The "emergency stop" is when you use stop all:

mz-0.38# stop allStopping[3] PKT0003

Stopped 1 transmission processe(s)

The launch command provides a shortcut for commonly used packetprocesses. For example to behave like a STP-capable bridge we want tostart an BPDU process with typical parameters:


10 de 14 13-04-2011 05:35

mz-0.38# laun bpduAllocated new packet sysBPDU at slot 5

mz-0.38# sh pacPacket layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=U

PktID PktName Layers Proto Size State Device Delay 1 sysARP_servic... E----- ARP 60 config lo 100 msec 2 Test E-Q-IT 125 config eth0 1000 usec 3 PKT0003 E----- LLDP 36 config eth0 30 sec 4 PKT0004 E---I- IGMP 46 config eth0 100 msec 5 sysBPDU ES---- BPDU 29 active eth0 2 sec


Now a Configuration BPDU is sent every 2 seconds, claiming to be the rootbridge (and usually confusing the LAN. Note that only packet 5 (i. e. thelast row) is active and therefore sending packets while all other packets arein state config (i. e. they have been configured but they are not doinganything at the moment).

5.3 Configuring a greater interval

Sometimes you may want to send a burst of packets at a greater interval:

mz-0.38(config)# pac 2Modify packet parameters for packet Test [2]

mz-0.38(config-pkt-2)# intervConfigure a greater packet interval in days, hours, minutes, or seconds

Arguments: <value> <days | hours | minutes | seconds>

Use a zero value to disable an interval.

mz-0.38(config-pkt-2)# interv 1 h

mz-0.38(config-pkt-2)# count 10

mz-0.38(config-pkt-2)# delay 15 usecInter-packet delay set to 0 sec and 15000 nsec

Now this packet is sent ten times with an inter-packet delay of 15microsecond and this is repeated every hour. When you look at the packetlist, an interval is indicated with the additional flag 'i' when inactive or 'I'


11 de 14 13-04-2011 05:35

when active:


PktID PktName Layers Proto Size State Device Delay 1 sysARP_servic... E----- ARP 60 config lo 100 msec 2 Test E-Q-IT 125 config-i eth0 15 usec 3 PKT0003 E----- LLDP 36 config eth0 30 sec 4 PKT0004 E---I- IGMP 46 config eth0 100 msec 5 sysBPDU ES---- BPDU 29 active eth0 2 sec


mz-0.38# start sl 2Activate [2]


PktID PktName Layers Proto Size State Device Delay 1 sysARP_servic... E----- ARP 60 config lo 100 msec 2 Test E-Q-IT 125 config+I eth0 15 usec 3 PKT0003 E----- LLDP 36 config eth0 30 sec 4 PKT0004 E---I- IGMP 46 config eth0 100 msec 5 sysBPDU ES---- BPDU 29 active eth0 2 sec


Note that the flag 'I' indicates that an interval has been specified for packet2. The process is not active at the moment (only packet 5 is active here)but it will become active in a regular interval. You can verify the actualinterval when viewing the packet details via the show packet 2 command.

6 Load prepared configurationsYou can prepare packet configurations using the same commands as youwould type them in on the CLI and then load them to the CLI.

For example assume we have prepared a file 'test.mops' containing:


12 de 14 13-04-2011 05:35

configure terminalpacketname IGMP_TESTdesc This is only a demonstration how to load a file to mopstype igmp

Then we can add this packet configuration to our packet list using the loadcommand:

mz-0.38# load test.mopsRead commands from test.mops...

Allocated new packet PKT0002 at slot 2


PktID PktName Layers Proto Size State Device Delay 1 sysARP_servic... E----- ARP 60 config lo 100 msec 2 IGMP_TEST E---I- IGMP 46 config eth0 100 msec


7 What's next?The following features are planned, some of them are already experimentaland will be available soon:

Other basic protocols, including RTPScanning processesLogging processesIPv6Custom protocols via XMLObject oriented configurationBenchmarking according RFC 2544 (device under tests)

and many others (the true list is much longer). Also a GUI is in preparation(which will surely not replace the CLI).

8 Dear usersMausezahn is still under heavy development and you may expect newfeatures very soon.


13 de 14 13-04-2011 05:35

Please report to herbert AT perihel DOT at regarding:

BugsImportant features you missHow you used Mausezahn (I am really interested inpractical problems)Interesting observations with Mausezahn at the network


14 de 14 13-04-2011 05:35

documentmz

Documents