Nemesis packet injection utility
"Nemesis attacks directed through fragrouter could be a most powerful combination for the system auditor to find security problems that could then be reported to the vendor(s), etc." - Curt Wilson in Global Incident Analysis Center Detects Report (SANS Institute - Nov 2000)
What is Nemesis?
Nemesis is a command-line network packet injection utility for UNIX-like and Windows systems. You might think of it as an EZ-bake packet oven or a manually controlled IP stack. With Nemesis, it is possible to generate and transmit packets from the command line or from within a shell script. Nemesis is developed and maintained by Jeff Nathan <jeff at snort dot org>.
[Jun 29 2003]
Nemesis 1.4beta3 Build 22 is the most functional version of Nemesis to date. Problems in the Windows version of Nemesis have been fixed by fixing LibnetNT.
[Feb 17 2003]
New in Build 18 is the -Z command line switch for the Windows version of Nemesis. The -Z command line switch will list the available network interfaces for use in link-layer injection.
[Feb 12 2003]
A Windows version of Nemesis is now available. Please test it out and see how well it compares to the version for UNIX-like systems.
[Feb 3 2003]
After a year and a half in hiatus, a new version of Nemesis is nearly complete. The current codebase has been almost entirely rewritten, and all that remains before a full release of 1.4 is to complete the updates to the RIP protocol injector and to rewrite the OSPF injector. Rather than make users wait any longer, these beta versions are available in the meantime.
Nemesis for UNIX-like systems
latest version: nemesis-1.4beta3.tar.gz Build 22 (ChangeLog) (CHECKSUM) [Jun 29 2003]
supported protocols: ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP
supported platforms: *BSD(i), Linux, [Trusted] Solaris, Mac OS X
Nemesis for Windows systems
latest version: nemesis-1.4beta3.zip Build 22 (ChangeLog) (CHECKSUM) [Jun 29 2003]
supported protocols: ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP
supported platforms: Windows 9x, Windows NT, Windows 2000, Windows XP
- nemesis tcp -v -S 192.168.1.1 -D 192.168.2.2 -fSA -y 22 -P foo
Send TCP packet (SYN/ACK) with payload from file 'foo' to target's ssh port from 192.168.1.1 to 192.168.2.2. (-v allows a stdout visual of current injected packet)
- nemesis udp -v -S 10.11.12.13 -D 10.1.1.2 -x 11111 -y 53 -P bindpkt
send UDP packet from 10.11.12.13:11111 to 10.1.1.2's name-service port with a payload read from a file 'bindpkt'. (again -v is used in order to see confirmation of our injected packet)
- nemesis icmp -S 10.10.10.3 -D 10.10.10.1 -G 10.10.10.3 -qR
send ICMP REDIRECT (network) packet from 10.10.10.3 to 10.10.10.1 with preferred gateway as source address. Here we want no output to go to stdout - which would be ideal as a component in a batch job via a shell script.
- nemesis arp -v -d ne0 -H 0:1:2:3:4:5 -S 10.11.30.5 -D 10.10.15.1
send ARP packet through device 'ne0' (eg. my OpenBSD pcmcia nic) from hardware source address 00:01:02:03:04:05 with IP source address 10.11.30.5 to destination IP address 10.10.15.1 with broadcast destination hardware address. In other words, who-has the mac address of 10.10.15.1, tell 10.11.30.5 - assuming 00:01:02:03:04:05 is the source mac address of our 'ne0' device.
nemesis-icmp - ICMP Protocol (The Nemesis Project)
nemesis-icmp [-vZ?] [-a ICMP-timestamp-request-reply-transmit-time ] [-b original-destination-IP-address ] [-B original-source-IP-address ] [-c ICMP-code ] [-d Ethernet-device ] [-D destination-IP-address ] [-e ICMP-ID ] [-f original-IP-fragmentation ] [-F fragmentation-options ] [-G preferred-gateway ] [-H source-MAC-address ] [-i ICMP-type ] [-I IP-ID ] [-j original-IP-TOS ] [-J original-IP-TTL ] [-l original-IP-options-file ] [-m ICMP-mask ] [-M destination-MAC-address ] [-o ICMP-timestamp-request-transmit-time ] [-O IP-options-file ] [-p original-IP-protocol ] [-P payload-file ] [-q ICMP-injection-mode ] [-r ICMP-timestamp-request-reply-received-time ] [-S source-IP-address ] [-t IP-TOS ] [-T IP-TTL ]
The Nemesis Project is designed to be a command line-based, portable human IP stack for UNIX-like and Windows systems. The suite is broken down by protocol, and should allow for useful scripting of injected packets from simple shell scripts.
nemesis-icmp provides an interface to craft and inject ICMP packets allowing the user to specify any portion of an ICMP packet as well as lower-level IP packet information.
-c ICMP-code Specify the ICMP-code within the ICMP header.
-e ICMP-ID Specify the ICMP-ID within the ICMP header.
-G preferred-gateway Specify the preferred-gateway-IP-address for ICMP redirect injection.
-i ICMP-type Specify the ICMP-type within the ICMP header.
-m address-mask Specify the IP-address-mask for ICMP address mask packets.
-P payload-file This will cause nemesis-icmp to use the specified payload-file as the payload when injecting ICMP packets. For packets injected using the raw interface (where -d is not used), the maximum payload size is 65387 bytes. For packets injected using the link layer interface (where -d IS used), the maximum payload size is 1352 bytes. Payloads can also be read from stdin by specifying '-P -' instead of a payload file.
Windows systems are limited to a maximum payload size of 1352 bytes for ICMP packets.
-q ICMP-injection-mode Specify the ICMP-injection-mode to use when injecting. Valid modes are:
-qE (ICMP echo)
-qM (ICMP address mask)
-qU (ICMP unreachable)
-qX (ICMP time exceeded)
-qR (ICMP redirect)
-qT (ICMP timestamp)
Only one mode may be specified at a time.
-s ICMP-sequence-number Specify the ICMP-sequence-number within the ICMP header.
-v verbose-mode Display the injected packet in human readable form. Use twice to see a hexdump of the injected packet with printable ASCII characters on the right. Use three times for a hexdump without decoded ASCII.
ICMP TIMESTAMP OPTIONS
-a ICMP-timestamp-request-reply-transmit-time Specify the ICMP-timestamp-request-reply-transmit-time (the time a reply to an ICMP timestamp request was transmitted) within the ICMP timestamp header.
-o ICMP-timestamp-request-transmit-time Specify the ICMP-timestamp-request-transmit-time (the time an ICMP timestamp request was transmitted) within the ICMP timestamp header.
-r ICMP-timestamp-request-reply-received-time Specify the ICMP-timestamp-request-reply-received-time (the time a reply to an ICMP timestamp request was received) within the ICMP timestamp header.
ICMP ORIGINAL DATAGRAM OPTIONS
-b original-destination-IP-address Specify the original-destination-IP-address within an ICMP unreachable, redirect or time exceeded packet.
-B original-source-IP-address Specify the original-source-IP-address within an ICMP unreachable, redirect or time exceeded packet.
-f original-fragmentation-options Specify the original-IP-fragmentation-options within an ICMP unreachable, redirect or time exceeded packet. For more information reference the '-F' command line switch.
-j original-IP-TOS Specify the original-IP-type-of-service (TOS) within an ICMP unreachable, redirect or time exceeded packet.
-J original-IP-TTL Specify the original-IP-time-to-live (TTL) within an ICMP unreachable, redirect or time exceeded packet.
-l original-IP-options-file This will cause nemesis-icmp to use the specified original-IP-options-file as the options when building the original IP header for the injected ICMP unreachable, redirect or time exceeded packet. IP options can be up to 40 bytes in length. The IP options file must be created manually based upon the desired options. IP options can also be read from stdin by specifying '-O -' instead of an IP-options-file.
-p original-IP-protocol Specify the original-IP-protocol within an ICMP unreachable, redirect or time exceeded packet.
-D destination-IP-address Specify the destination-IP-address within the IP header.
-F fragmentation-options (-F[D],[M],[R],[offset]) Specify the fragmentation options within the IP header:
-FD (don't fragment)
-FM (more fragments)
-FR (reserved flag)
-F <offset>
IP fragmentation options can be specified individually or combined into a single argument to the -F command line switch by separating the options with commas (eg. '-FD,M') or spaces (eg. '-FM 223'). The IP fragmentation offset is a 13-bit field with valid values from 0 to 8189. Don't fragment (DF), more fragments (MF) and the reserved flag (RESERVED or RB) are 1-bit fields.
NOTE: Under normal conditions, the reserved flag is unset.
-I IP-ID Specify the IP-ID within the IP header.
-O IP-options-file This will cause nemesis-icmp to use the specified IP-options-file as the options when building the IP header for the injected packet. IP options can be up to 40 bytes in length. The IP options file must be created manually based upon the desired options. IP options can also be read from stdin by specifying '-O -' instead of an IP-options-file.
-S source-IP-address Specify the source-IP-address within the IP header.
-t IP-TOS Specify the IP-type-of-service (TOS) within the IP header. Valid type of service values:
2 (Minimize monetary cost)
4 (Maximize reliability)
8 (Maximize throughput)
24 (Minimize delay)
NOTE: Under normal conditions, only one type of service is set within a packet. To specify multiple types, specify the sum of the desired values as the type of service.
-T IP-TTL Specify the IP-time-to-live (TTL) within the IP header.
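The -F syntax and the fragmentation NOTE above, worked through in code. This is an added example, not code from the Nemesis project: it parses a -F argument into the 16-bit flags/offset field, encodes it as the two header bytes, and reports the flag combinations (reserved bit set, DF on a fragment) that a normal stack does not produce but a crafting tool can set freely, which is the check a monitor looking for injected packets would run. The function names are my own.

```python
# Added example, not code from the Nemesis project: build and decode the
# 16-bit IPv4 flags/fragment-offset field that nemesis-icmp's -F switch
# fills in, using the same D/M/R letters and offset syntax as the man page.
import re
import struct

FLAG_BITS = {"D": 0x4000, "M": 0x2000, "R": 0x8000}  # DF, MF, reserved bit
MAX_OFFSET = 8189  # upper bound the man page gives for the 13-bit offset

def parse_frag_option(arg):
    """Turn a -F argument such as 'D,M' or 'M 223' into the 16-bit field."""
    field = 0
    for tok in re.split(r"[,\s]+", arg.strip()):
        if not tok:
            continue
        if tok.isdigit():
            offset = int(tok)
            if offset > MAX_OFFSET:
                raise ValueError("fragment offset out of range: %d" % offset)
            field |= offset
        else:
            for ch in tok.upper():
                if ch not in FLAG_BITS:
                    raise ValueError("unknown fragmentation flag: %s" % ch)
                field |= FLAG_BITS[ch]
    return field

def frag_bytes(field):
    """Bytes 6-7 of the IPv4 header as they appear on the wire."""
    return struct.pack("!H", field)

def decode_frag_bytes(raw):
    """Return (sorted flag letters, offset) from those two wire bytes."""
    (field,) = struct.unpack("!H", raw)
    flags = sorted(name for name, bit in FLAG_BITS.items() if field & bit)
    return flags, field & 0x1FFF

def frag_anomalies(raw):
    """Checks a monitor can run on a captured header: combinations that a
    normal IP stack never emits but a crafting tool can set freely."""
    flags, offset = decode_frag_bytes(raw)
    findings = []
    if "R" in flags:
        findings.append("reserved flag set")  # unset under normal conditions
    if "D" in flags and ("M" in flags or offset):
        findings.append("DF set on a fragment")  # contradicts itself
    return findings
```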
DATA LINK OPTIONS
-d Ethernet-device Specify the name (for UNIX-like systems) or the number (for Windows systems) of the Ethernet-device to use (eg. fxp0, eth0, hme0, 1).
-H source-MAC-address Specify the source-MAC-address (XX:XX:XX:XX:XX:XX).
-M destination-MAC-address Specify the destination-MAC-address (XX:XX:XX:XX:XX:XX).
-Z list-network-interfaces Lists the available network interfaces by number for use in link-layer injection.
NOTE: This feature is only relevant to Windows systems.
Tools for creating TCP/IP packets
hping is a command-line oriented TCP/IP packet assembler/analyzer. The interface is inspired by the ping(8) unix command, but hping isn't only able to send ICMP echo requests. It supports TCP, UDP, ICMP and RAW-IP protocols, has a traceroute mode, the ability to send files over a covert channel, and many other features:
* Firewall testing
* Advanced port scanning
* Network testing, using different protocols, TOS, fragmentation
* Manual path MTU discovery
* Advanced traceroute, under all the supported protocols
* Remote OS fingerprinting
* Remote uptime guessing
* TCP/IP stacks auditing
* hping can also be useful to students that are learning TCP/IP
Hping works on the following systems: Linux, FreeBSD, NetBSD, OpenBSD, Solaris, Mac OS X, Windows.
Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. Nemesis is well suited for testing Network Intrusion Detection Systems, firewalls, IP stacks and a variety of other tasks. As a command-line driven utility, Nemesis is perfect for automation and scripting.
Nemesis can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected.
* ARP/RARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP protocol support
* Layer 2 or Layer 3 injection
* Packet payload from file
* IP and TCP options from file
Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more.
It can handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.).
* Port Scanning
o SYN Scan
o Other TCP Scans
o UDP Scans
o IP Scan
* Host Discovery
o ARP Ping
o ICMP Ping
o TCP Ping
o UDP Ping
* OS Fingerprinting
* Sniffer - includes powerful facilities for traffic capture and analysis
* Wireless - can not only sniff and decode packets but also inject arbitrary packets
* Traceroute - standard ICMP Traceroute can be emulated
* Firewall/IDS Testing
o TCP Timestamp Filtering
o NAT Detection
Yersinia is a framework for performing layer 2 attacks.
It is designed to take advantage of some weaknesses in different network protocols. It aims to be a solid framework for analyzing and testing the deployed networks and systems.
* Attacks for the following network protocols are supported
o Spanning Tree Protocol (STP)
o Cisco Discovery Protocol (CDP)
o Dynamic Trunking Protocol (DTP)
o Dynamic Host Configuration Protocol (DHCP)
o Hot Standby Router Protocol (HSRP)
o Inter-Switch Link Protocol (ISL)
o VLAN Trunking Protocol (VTP)
SendIP is a command-line tool to send arbitrary IP packets. It has a large number of options to specify the content of every header of a RIP, RIPng, BGP, TCP, UDP, ICMP, or raw IPv4/IPv6 packet. It also allows any data to be added to the packet. Checksums can be calculated automatically, but if you wish to send out wrong checksums, that is supported too.
packETH is a Linux GUI packet generator tool for ethernet. It allows you to create and send any possible packet or sequence of packets on the ethernet.
* you can create and send any ethernet packet. Supported protocols:
o ethernet II, ethernet 802.3, 802.1q, QinQ
o ARP, IPv4, user defined network layer payload
o UDP, TCP, ICMP, IGMP, user defined transport layer payload
o RTP (payload with options to send a sine wave of any frequency for G.711)
* sending sequence of packets
o delay between packets, number of packets to send
o sending with max speed, approaching the theoretical boundary
o change parameters while sending (change IP & mac address, UDP payload, 2 user defined bytes, etc.)
* saving configuration to a file and load from it - pcap format supported
Mausezahn is a fast traffic generator which allows you to send nearly every possible and impossible packet. Mausezahn can be used, for example, as a traffic generator to stress multicast networks, for penetration testing of firewalls and IDS, for simulating DoS attacks on networks, to find bugs in network software or appliances, for reconnaissance attacks using ping sweeps and port scans, or to test network behavior under strange circumstances. Mausezahn gives you full control over the network interface card and allows you to send any byte stream you want (even violating Ethernet rules).
Mausezahn can be used for example:
* As traffic generator (e. g. to stress multicast networks)
* To precisely measure jitter (delay variations) between two hosts (e. g. for VoIP-SLA verification)
* As a didactic tool during a datacom lecture or for lab exercises
* For penetration testing of firewalls and IDS
* For DoS attacks on networks (for audit purposes of course)
* To find bugs in network software or appliances
* For reconnaissance attacks using ping sweeps and port scans
* To test network behaviour under strange circumstances (stress test, malformed packets, ...)
...and more. Mausezahn is basically a versatile packet creation tool on the command line with a simple syntax and context help. It could also be used within (bash-) scripts to perform combinations of tests.