route_detector.pl
Latest Version is: 0.9
If you want information about new releases mailed to you, or have any suggestions, please contact me.
Description | Features | Bugs | ToDo | Requirements | Download | Output | Usage/Docs | Goals | Change Log
Description
Written by: MadHat at Unspecific.com
This scanner is intended to detect multi-homed boxes on a secured network. Signed ICMP packets are sent with spoofed source IPs to hosts on an internal, protected network. On the box that owns the spoofed IP, the listener watches for the ICMP replies. The ICMP data is the IP address you are testing (the target on the inside network) and an MD5 hash of a secret and that same IP. In listen mode it takes the IP from the data field and the secret (specified on the command line), recomputes the hash and compares it. If it matches, it knows this is a packet it is supposed to pay attention to. If the IP in the data field does not match the source address in the IP header, it displays the information. Machines behind a NATed device are all flagged: if you have several machines they will all come back with the same IP, so it is easy to tell if one is dual-homed, since it will be the one that does not match the rest. If you are using a stateful firewall, it will usually block all echo-replies, having not seen the echo-request.
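The sign-and-verify logic described above, as an added example (not the script's own code): the exact byte layout of the data field is an assumption here ("<tested-ip>:<hex md5(key . ip)>"), and the triage step goes slightly beyond the page by grouping mismatches per responder to separate the NAT case from the dual-homed case.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

# Assumed encoding of the ICMP data field (the page names the two fields, not
# their layout): "<tested-ip>:<hex md5(key . tested-ip)>".

def sign_payload(target_ip: str, key: str) -> bytes:
    """Sender side: build the data field for the echo request to target_ip."""
    ipaddress.IPv4Address(target_ip)  # reject malformed input before signing
    digest = hashlib.md5((key + target_ip).encode()).hexdigest()
    return f"{target_ip}:{digest}".encode()

def verify_reply(reply_src: str, payload: bytes, key: str):
    """Listener side: None when the hash is wrong (not our packet); otherwise
    the tested IP, the responder that actually answered, and whether they differ."""
    try:
        ip_text, digest = payload.decode("ascii").rsplit(":", 1)
    except (UnicodeDecodeError, ValueError):
        return None
    expected = hashlib.md5((key + ip_text).encode()).hexdigest()
    if not hmac.compare_digest(expected, digest):
        return None
    return {"sent_to": ip_text, "came_from": reply_src,
            "mismatch": ip_text != reply_src}

def triage(replies, key):
    """Group verified mismatches by responder: one address answering for many
    targets is a NAT device; one answering for a single target is the
    dual-homed candidate the description refers to."""
    by_responder = defaultdict(list)
    for src, payload in replies:
        r = verify_reply(src, payload, key)
        if r and r["mismatch"]:
            by_responder[r["came_from"]].append(r["sent_to"])
    nat = {s: t for s, t in by_responder.items() if len(t) > 1}
    dual = {s: t[0] for s, t in by_responder.items() if len(t) == 1}
    return nat, dual

# Constructed sample of (reply source IP, ICMP data) pairs a listener might see.
KEY = "unspecific"
SAMPLE = [
    ("192.168.3.1", sign_payload("192.168.3.1", KEY)),      # answered directly
    ("172.16.0.1", sign_payload("192.168.3.6", KEY)),       # behind NAT
    ("172.16.0.1", sign_payload("192.168.3.9", KEY)),       # behind NAT
    ("192.168.100.3", sign_payload("192.168.1.5", KEY)),    # dual-homed host
    ("10.0.0.9", b"192.168.3.2:" + b"0" * 32),              # wrong hash, ignored
]
```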
Features
- Command line 'key' to verify packets
- Timed listening (for automation/croned scanning)
- Max Packets, so it exits after receiving X packets, if no timeout is set.
BUGS
Send your bugs to Bugs at Unspecific.com
With newer Linux kernels, we are seeing some issues with Net::RawIP. Here is an entry from someone else's FAQ that addresses the issue, but it is not working for me. ;)

Q: I get sendto() at /usr/local/lib/perl/5.8.2/Net/RawIP.pm line 550?
A: You are not allowed to send the constructed packet. Please check if you are running a packet filtering program (Linux: iptables -L or ipchains -L / FreeBSD: ipfw list). If that's not the case and you are trying to send an icmp redirect packet, check if your system allows you to send redirect messages, e.g. look at /proc/sys/net/ipv4/conf/all/*redirect or at sysctl net.ipv4.conf.default.send_redirects. Try sysctl -w net.inet.icmp.drop_redirect=0 under FreeBSD.

In my testing, if you avoid the broadcast IP of your local subnet and the network address, it works fine. For example, if I am on 192.168.1.7 on a /24 and I scan 192.168.1.1-254 it works fine, but if I include .0 or .255 in this example I get the error.
- Cannot scan the network or broadcast address of the machine it is running from. ('Feature' of Net::RawIP)
ToDo
- Add forking to scan faster. Easy, just need to add the code.
Requirements
- Perl >= 5.6
- Net::RawIP
- Marconi - more details to come. For now, just download it to the same directory you are running the Sender from.
Download
- route_detector.pl v0.9 - the script itself
Output
Verbose

Listener:
$ sudo ./route_detector.pl -v -l -k unspecific
Route Detector v0.1 by MadHat (at) Unpsecific.com
Packet Received from: 192.168.100.3
Original IP Sent to: 192.168.1.0
WARNING: Packet came back from 192.168.100.3, but was sent to 192.168.1.0
Packet Received from: 192.168.1.1
Original IP Sent to: 192.168.1.1
Packet Received from: 192.168.1.3
Original IP Sent to: 192.168.1.3
^C

Sender:
$ sudo ./route_detector.pl -v -k unspecific -s 172.21.1.56 -d 192.168.1.0/24
Route Detector v0.6 by MadHat (at) Unpsecific.com
scanning 192.168.1.0/24
Sending Packets to 255 IPs
Sending to 192.168.1.0
Sending to 192.168.1.1
Sending to 192.168.1.2
Sending to 192.168.1.3
^C

NON-Verbose w/ NATed hosts

Listener:
$ sudo ./route_detector.pl -l -k unspecific
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.0
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.1
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.6
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.9
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.11
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.12
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.16
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.18
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.20
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.21
^C

Sender:
$ sudo ./route_detector.pl -k unspecific -s 172.21.1.56 -d 192.168.3.0/24
Sending Packets to 255 IPs
^C
Usage (output from running ./route_detector.pl with no arguments)

$ ./route_detector.pl
Must have EUID == 0 to use Net::RawIP at ./route_detector.pl line 36
MUST BE RUN AS ROOT
Route Detector v by MadHat (at) Unpsecific.com
Usage: ./route_detector.pl -l | -d <remote_ip> [-s <source_ip>] [-v] [-k key]\
       [-t <sec>] [-c <pact_count>] [-S <sec_delay> ]
  -l               Listen Mode  Sniffing for ICMP packets and looking for the right data.
  -d <remote_ip>   Send Mode, sending 'signed' ICMP packets to <remote_ip>
  -s <source_ip>   Spoofed Source IP, to be used with -d
  -k <key>         Key used to 'sign' the data in the ICMP packet
  -i <interface>   Interface, default eth0
  -t <sec>         Number of seconds to listen (-l) before exiting
  -S <sec_delay>   Number of seconds to wait (0) between each packet
  -c <pact_count>  Number of packets to listen for (-l) before exiting
  -v               Verbose  Add moe info about what is going on
Goals
Change Log
- 0.9
  - Changed the output layout in verbose mode (-v)
  - Output in verbose mode (-v) now includes the DNS entry of both target and responder
  - Added "Time" to verbose mode (-v), giving the number of seconds it took for the packet to make its journey. Time must be synced on both source and dest hosts if they are not the same host for this to be accurate. I recommend using NTP.
- 0.8
  - Increased the speed by making the time between packets settable via the command line (-S); default is 0
  - I like incrementing on simple things... ;^)
- 0.7
  - Added DNS lookups with verbose listening
  - Removed some other data in verbose listening
- 0.6
  - First public release