Fragrouter

Description :

Fragrouter is a network intrusion detection evasion toolkit. One of the most interesting facts about Fragrouter is that it is not an attack tool itself; rather, it is an enabling technology that allows other attacks to avoid detection by network intrusion detection systems. For example, Fragrouter could be used to obfuscate a phf attack against a web server, a buffer overflow attack against a DNS server, or any number of other attacks.

How it works :

Fragrouter works by accepting IP packets routed to it by another system, fragmenting those packets according to one of the schemes first described by Ptacek and Newsham (listed below), then transmitting the fragmented packets to the target host. The schemes used by Fragrouter to fragment the incoming packets are as follows:

baseline-1: Send the original data in a single TCP data segment.

frag-1: Send the original data in a single TCP data segment, which is broken into 8-byte IP fragments and sent in order.

frag-2: Send the original data in a single TCP data segment, which is broken into 24-byte IP fragments and sent in order.

frag-3: Send the original data in a single TCP data segment which is broken into 8-byte IP fragments, with one of those fragments sent out of order.

frag-4: Send the original data in a single TCP data segment which is broken into 8-byte IP fragments, with the next to last fragment sent twice.

frag-5: Send the original data in a single TCP data segment which is broken into 8-byte IP fragments, sent completely out of order with the next to last fragment sent twice.

frag-6: Send the original data in a single TCP data segment which is broken into 8-byte IP fragments, sending the marked last fragment before any of the others.

frag-7: Send the original data in a single TCP data segment which is broken into 16-byte IP fragments, preceding each fragment with an 8-byte null data fragment that overlaps the latter half of it. This amounts to the forward-overlapping 16-byte fragment rewriting the null data back to the real attack.

tcp-1: Complete a TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte segments.

tcp-3: Complete a TCP handshake, send data in ordered 1-byte segments, duplicating the next to last segment of each original TCP packet.

tcp-4: Complete a TCP handshake, send data in ordered 1-byte segments, sending an additional 1-byte segment which overlaps the next to last segment of each original TCP packet with a null data payload.

tcp-5: Complete a TCP handshake, send data in ordered 2-byte segments, preceding each segment with a 1-byte null data segment that overlaps the latter half of it. This amounts to the forward-overlapping 2-byte segment rewriting the null data back to the real attack.

tcp-7: Complete a TCP handshake, send data in ordered 1-byte segments interleaved with 1-byte null segments for the same connection but with drastically different sequence numbers.

tcp-8: Complete a TCP handshake, send data in ordered 1-byte segments, with one segment sent out of order.

tcp-9: Complete a TCP handshake, send data in out of order 1-byte segments.

tcbc-2: Complete a TCP handshake, send data in ordered 1-byte segments interleaved with SYN packets for the same connection parameters.

tcbc-3: Do not complete a TCP handshake, but send null data in ordered 1-byte segments as if one had occurred. Then, complete a TCP handshake with the same connection parameters, and send the real data in ordered 1-byte segments.

tcbt-1: Complete TCP handshake, shut connection down with a RST, re-connect with drastically different sequence numbers and send data in ordered 1-byte segments.

ins-2: Complete TCP handshake, send data in ordered 1-byte segments but with bad TCP checksums.

ins-3: Complete TCP handshake, send data in ordered 1-byte segments but with no ACK flag set.

misc-1: Thomas Lopatic’s Windows NT 4 SP2 IP fragmentation attack of July 1997.

misc-2: John McDonald’s Linux IP chains IP fragmentation attack of July 1998.
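To show why the overlap schemes above (frag-7 at the IP layer, and tcp-5 in the same spirit at the TCP layer) defeat a sensor whose reassembly policy differs from the target's, here is an added Python model, not part of fragrouter or its documentation, that builds frag-1 and frag-7 fragment streams in memory as (offset, data) tuples and reassembles them under the "first" and "last" overlap policies (the names Snort's frag3 preprocessor uses for its per-target configuration). The request payload and the signature string are constructed samples.

```python
# Added model of fragrouter's frag-7 overlap scheme versus two IP reassembly
# policies. Illustration only: fragments are (offset, data) tuples in memory;
# no packets are built or sent. Real stacks apply finer-grained overlap rules.

def frag1_fragments(payload: bytes):
    """frag-1 as listed above: ordered, non-overlapping 8-byte fragments."""
    for off in range(0, len(payload), 8):
        yield off, payload[off:off + 8]

def frag7_fragments(payload: bytes):
    """frag-7 as listed above: each 16-byte fragment is preceded by an 8-byte
    null fragment covering its latter half, which the real fragment then overlaps."""
    for off in range(0, len(payload), 16):
        chunk = payload[off:off + 16]
        if len(chunk) > 8:
            yield off + 8, b"\x00" * (len(chunk) - 8)  # null decoy, sent first
        yield off, chunk                                 # real data, sent second

def reassemble(fragments, policy: str) -> bytes:
    """Merge fragments by byte offset. 'first' keeps the byte from the
    earliest-arriving fragment; 'last' lets later fragments overwrite it."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    buf = {}
    for off, data in fragments:
        for i, byte in enumerate(data):
            if policy == "last" or off + i not in buf:
                buf[off + i] = byte
    if not buf:
        return b""
    size = max(buf) + 1
    if len(buf) != size:
        raise ValueError("hole in fragment stream; nothing to inspect yet")
    return bytes(buf[i] for i in range(size))

def signature_visible(fragments, signature: bytes, policy: str) -> bool:
    """Would a content signature match what a sensor using `policy` sees?"""
    return signature in reassemble(fragments, policy)

# Constructed sample request; the phf path from the description is the signature.
PAYLOAD = b"GET /cgi-bin/phf HTTP/1.0\r\n"
SIGNATURE = b"/cgi-bin/phf"

if __name__ == "__main__":
    for policy in ("first", "last"):
        seen = signature_visible(frag7_fragments(PAYLOAD), SIGNATURE, policy)
        print(f"frag-7 under '{policy}' policy: signature visible = {seen}")
    # frag-1 has no overlaps, so both policies reconstruct it identically.
    print(reassemble(frag1_fragments(PAYLOAD), "first") == PAYLOAD)
```

Under the "first" policy the latter half of every 16-byte block is read as nulls and the signature never matches, which is why a sensor must reassemble with the same overlap policy as the host it protects.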

Usage

Syntax :

fragrouter [-i interface] [-p] [-g hop] [-G hopcount] ATTACK

Options

 -B1: base-1: normal IP forwarding
 -F1: frag-1: ordered 8-byte IP fragments
 -F2: frag-2: ordered 24-byte IP fragments
 -F3: frag-3: ordered 8-byte IP fragments, one out of order
 -F4: frag-4: ordered 8-byte IP fragments, one duplicate
 -F5: frag-5: out of order 8-byte fragments, one duplicate
 -F6: frag-6: ordered 8-byte fragments, marked last frag first
 -F7: frag-7: ordered 16-byte fragments, fwd-overwriting
 -T1: tcp-1:  3-whs, bad TCP checksum FIN/RST, ordered 1-byte segments
 -T3: tcp-3:  3-whs, ordered 1-byte segments, one duplicate
 -T4: tcp-4:  3-whs, ordered 1-byte segments, one overwriting
 -T5: tcp-5:  3-whs, ordered 2-byte segments, fwd-overwriting
 -T7: tcp-7:  3-whs, ordered 1-byte segments, interleaved null segments
 -T8: tcp-8:  3-whs, ordered 1-byte segments, one out of order
 -T9: tcp-9:  3-whs, out of order 1-byte segments
 -C2: tcbc-2: 3-whs, ordered 1-byte segments, interleaved SYNs
 -C3: tcbc-3: ordered 1-byte null segments, 3-whs, ordered 1-byte segments
 -R1: tcbt-1: 3-whs, RST, 3-whs, ordered 1-byte segments
 -I2: ins-2:  3-whs, ordered 1-byte segments, bad TCP checksums
 -I3: ins-3:  3-whs, ordered 1-byte segments, no ACK set
 -M1: misc-1: Windows NT 4 SP2 - http://www.dataprotect.com/ntfrag/
 -M2: misc-2: Linux IP chains - http://www.dataprotect.com/ipchains/

Example

cyborg@cyborg:~$ sudo fragrouter -i eth0 -F1
fragrouter: frag-1: ordered 8-byte IP fragments
^Z
[1]+  Stopped                 sudo fragrouter -i eth0 -F1
cyborg@cyborg:~$ sudo fragrouter -i eth0 -F2
fragrouter: frag-2: ordered 24-byte IP fragments
^Z
[2]+  Stopped                 sudo fragrouter -i eth0 -F2

Testing your Firewall with fragrouter

source : http://flylib.com/books/en/3.105.1.82/1/

To test your firewall(s) using fragrouter, you will need two systems in addition to your firewall/packet filter. This is because fragrouter cannot by design be run on the same system from which you're testing (according to the documentation, this is to prevent abuse). In this example, we have three systems: the firewall, our scanner box called Host-A, the iplog machine called Host-B, and the fragrouter system called Host-C.

Figure 10.3. Testing packet filters with fragrouter.


We'll assume you've already set up Host-A and Host-B as outlined here. Our Host-C system is an aged Red Hat 7.2 system, and while this OS has been End-Of-Lifed (EOL) by Red Hat, security updates are still available from the FedoraLegacy.org project for at least another year and a half after the EOL date. So it's a safe, supported OS that should not expose you to any additional unreasonable risk from using it in a testing environment. That long-winded startup aside, you'll need to install fragrouter on the system (which, incidentally, we have only gotten to run on older Red Hat systems, which is why we brought all this up!).

On Host-A: Add a host route to Host-B using Host-C as the gateway:

# route add host Host-B gateway Host-C

On Host-C: Install and start fragrouter:

# fragrouter -F1
fragrouter: frag-1 started

On Host-A, start your TCP connections, nmap scans, and so on, and watch the output in Host-B's iplog traffic. Note that return traffic from Host-B to Host-A will not pass through fragrouter, which is handy if you're also testing more advanced things such as combining your firewall with an IDS. In general, the output you're going to see on Host-B will be the same as in the non-fragmentation tests. In fact, you can perform fragmentation tests using nmap with the -f flag. However, what's nice about fragrouter is that you're able to test any application you want in a fragmented state (web, NFS, mail, and so on). When it comes to demonstrating what the risk from fragmentation attacks is, this is a fantastic way to do it.

In closing, the scope of this test is specifically to verify that rules you know are in place are not susceptible to fragmentation attacks. For example, you've already verified that outbound rules are working with your firewalls, and you're now testing their ability to deal with complex packet fragmentation (or you just want to see if your packet filtering on the switch/router actually works!).
