
Fragroute – A network packet fragmentation & firewall testing tool.

Fragroute intercepts, modifies, and rewrites egress traffic destined for the specified host. Put simply, fragroute fragments packets originating from our (attacker) system on their way to the destination system. It is used by security personnel or hackers for evading firewalls, avoiding IDS/IPS detections and alerts, etc. Pentesters also use it to gather information from a highly secured remote host.

 

Options

fragroute -f <configfile> <destination>

-f : Configuration file that defines how fragroute should work.

The default configuration file is /etc/fragroute.conf. One can either use this default file or write a new configuration file. A custom file is written using the following rules.

delay first|last|random <ms>
drop first|last|random <prob-%>
dup first|last|random <prob-%>
echo <string> ...
ip_chaff dup|opt|<ttl>
ip_frag <size> [old|new]
ip_opt lsrr|ssrr <ptr> <ip-addr> ...
ip_ttl <ttl>
ip_tos <tos>
order random|reverse
print
tcp_chaff cksum|null|paws|rexmit|seq|syn|<ttl>
tcp_opt mss|wscale <size>
tcp_seg <size> [old|new]
 

DESCRIPTION

fragroute intercepts, modifies, and rewrites egress traffic destined for the specified host, implementing most of the attacks described in the Secure Networks “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection” paper of January 1998.

The options are as follows:

   -f file

Read ruleset from the specified file instead of /etc/fragroute.conf.

Unlike fragrouter, this program only affects packets originating from the local machine destined for a remote host.  Do not enable IP forwarding on the local machine.

RULESET

fragroute is composed of several modules which enable various configuration directives. Each directive operates on a logical packet queue handed to it by the previous rule.

     # string …

 

Ruleset comment, no-op.

  delay first|last|random ms

Delay the delivery of the first, last, or a randomly selected packet from the queue by ms milliseconds.

drop first|last|random prob-%

Drop the first, last, or a randomly selected packet from the queue with a probability of prob-% percent.

dup first|last|random prob-%

Duplicate the first, last, or a randomly selected packet from the queue with a probability of prob-% percent.

echo string

Echo the string argument(s) to standard output.

ip_chaff dup|opt|ttl

Interleave IP packets in the queue with duplicate IP packets containing different payloads, either scheduled for later delivery, carrying invalid IP options,  or  bearing  short  time-to-live values.

ip_frag size [old|new]

Fragment  each  packet  in  the queue into size-byte IP fragments, preserving the complete transport header in the first fragment. Optional fragment overlap may be specified as old or new, to favor newer or older data.

ip_opt lsrr|ssrr ptr ip-addr …

Add IP options to every packet, to enable loose or strict source routing. The route should be specified as list of IP addresses, and a bytewise pointer into them (e.g. the minimum  ptr  value is 4).

ip_ttl ttl

Set the IP time-to-live value of every packet to ttl.

ip_tos tos

Set the IP type-of-service bits for every packet to tos.

order random|reverse

Re-order the packets in the queue randomly, or in reverse.

print

Print each packet in the queue in tcpdump-style format.

  tcp_chaff cksum|null|paws|rexmit|seq|syn|ttl

Interleave  TCP  segments in the queue with duplicate TCP segments containing different payloads, either bearing invalid TCP checksums, null TCP control flags, older TCP timestamp options for   PAWS elimination, faked retransmits scheduled for later delivery, out-of-window sequence numbers, requests to re-synchronize sequence numbers mid-stream, or short time-to-live values.

  tcp_opt mss|wscale size

 

Add TCP options to every TCP packet, to set the maximum segment size or window scaling factor.

tcp_seg size [old|new]

Segment each TCP data segment in the queue into size-byte TCP segments. Optional segment overlap may be specified as old or new, to favor newer or older data.

Fragment large ping packets

This demonstrates large ping packets being fragmented between two hosts, the attacker and the target. The attacker has IP address 192.168.0.3 and the target has 192.168.0.4.

1. On the attack machine, start fragroute.

Command: fragroute -f /etc/fragroute.conf 192.168.0.4 <replace with your destination>

 



2. Open another terminal and ping with a large packet size.

Command: ping -s 10000 192.168.0.4 <replace with your destination>

3. Check the terminal in which fragroute is running.


Lab 2: Custom configuration

Suppose we have to increase the TTL value and the number of TCP segments in order to evade a firewall.

 

1. Make a new file. <here it is custconf>

Command: leafpad custconf <yourname here>

2.  In that file, type

tcp_seg 8 new   -    No. of TCP segments (default is 4)

ip_frag 32      -    No. of IP fragments (default is 24)

ip_chaff dup    -

ip_ttl 10       -    TTL 10
 
order random
 
print

Now the file looks like the following image. Remember not to include my descriptions of the parameters from the listing above; only the directives themselves go in the file.
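A quick way to check a ruleset before loading it, as an added example that is not part of the original post or of fragroute: the checker below encodes the directive grammar listed under Options and flags lines that still carry the descriptions. It assumes decimal arguments; `lint_ruleset` and the sample strings are constructed for illustration. Per the directive descriptions above, the arguments to `tcp_seg` and `ip_frag` are sizes in bytes.

```python
import re

# Grammar transcribed from the directive list on this page (decimal arguments assumed).
SEL, NUM = r"(first|last|random)", r"\d+"
GRAMMAR = {
    "delay": f"{SEL} {NUM}", "drop": f"{SEL} {NUM}", "dup": f"{SEL} {NUM}",
    "echo": ".+", "order": "(random|reverse)", "print": "",
    "ip_chaff": f"(dup|opt|{NUM})",
    "ip_frag": f"{NUM}( (old|new))?", "tcp_seg": f"{NUM}( (old|new))?",
    "ip_opt": rf"(lsrr|ssrr) {NUM}( \d+(\.\d+){{3}})+",
    "ip_ttl": NUM, "ip_tos": NUM,
    "tcp_chaff": f"(cksum|null|paws|rexmit|seq|syn|{NUM})",
    "tcp_opt": f"(mss|wscale) {NUM}",
}

def lint_ruleset(text):
    """Return [(line_no, message)] for every line that breaks the grammar."""
    problems = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())            # normalise whitespace
        if not line or line.startswith("#"):    # blank line or ruleset comment
            continue
        name, _, args = line.partition(" ")
        if name not in GRAMMAR:
            problems.append((no, f"unknown directive {name!r}"))
        elif not re.fullmatch(GRAMMAR[name], args):
            problems.append((no, f"{name}: unexpected arguments {args!r}"))
        elif name == "ip_frag" and ((n := int(args.split()[0])) == 0 or n % 8):
            # IPv4 fragment offsets are counted in 8-byte units.
            problems.append((no, "ip_frag: size must be a non-zero multiple of 8"))
        elif name == "ip_ttl" and not 1 <= int(args) <= 255:
            problems.append((no, "ip_ttl: outside 1-255 (8-bit header field)"))
    return problems

# Constructed sample: the Lab 2 file with the descriptions left in, and without them.
ANNOTATED = """\
tcp_seg 8 new   -    No. of TCP segments (default is 4)
ip_frag 32      -    No. of IP fragments (default is 24)
ip_chaff dup    -
ip_ttl 10       -    TTL 10
order random
print
"""
CLEAN = "tcp_seg 8 new\nip_frag 32\nip_chaff dup\nip_ttl 10\norder random\nprint\n"

if __name__ == "__main__":
    for no, msg in lint_ruleset(ANNOTATED):
        print(f"custconf:{no}: {msg}")
```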

 

3. Start fragroute with this file and the destination.

Command: fragroute -f custconf <replace "custconf" with your filename> 192.168.0.4

4. Now, from another terminal, ping the destination with a large packet size.

Command: ping -s 20000 192.168.0.4

5. Check the terminal on which fragroute is running.



Optionally, check on the destination system with packet analysers like Wireshark or tcpdump.
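What to look for in such a capture, as an added example that is not from the original post: output of `ip_chaff dup` and of overlapping `ip_frag` shows up as fragments covering the same byte offsets with different data, so a monitor that resolves overlaps differently from the destination host reconstructs a different payload. The function names, the 64-byte "tiny fragment" threshold and the sample fragments are assumptions made for illustration.

```python
def reassemble(fragments, policy):
    """Rebuild the payload from (offset, data) fragments in arrival order.

    policy "first" keeps the byte that arrived first for an offset,
    policy "last" lets a later fragment overwrite it.
    """
    buf = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            if policy == "last" or offset + i not in buf:
                buf[offset + i] = byte
    return bytes(buf[pos] for pos in sorted(buf))

def inspect_datagram(fragments, min_size=64):
    """Summarise what a monitor should alert on for one fragmented datagram."""
    covered, overlapped = set(), set()
    for offset, data in fragments:
        span = set(range(offset, offset + len(data)))
        overlapped |= covered & span          # bytes delivered more than once
        covered |= span
    top = max(offset for offset, _ in fragments)   # highest offset = final fragment
    first, last = reassemble(fragments, "first"), reassemble(fragments, "last")
    return {
        # Non-final fragments far below any real link MTU (threshold is an assumption).
        "tiny_fragments": sum(1 for off, d in fragments if off != top and len(d) < min_size),
        "overlap_bytes": len(overlapped),
        "ambiguous": first != last,   # True: the two policies rebuild different data
        "first": first,
        "last": last,
    }

# Constructed samples: 8-byte fragments. CHAFF repeats offset 8 with different bytes,
# RESENT repeats it with identical bytes (a harmless duplicate).
CHAFF = [(0, b"AAAAAAAA"), (8, b"XXXXXXXX"), (8, b"BBBBBBBB"), (16, b"CCCC")]
RESENT = [(0, b"AAAAAAAA"), (8, b"BBBBBBBB"), (8, b"BBBBBBBB"), (16, b"CCCC")]

if __name__ == "__main__":
    for name, sample in (("CHAFF", CHAFF), ("RESENT", RESENT)):
        print(name, inspect_datagram(sample))
```

An identical duplicate is only noise, while `ambiguous` being true means the sensor has to reassemble with the same overlap policy as the host it protects, or alert on the overlap itself.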

