Mausezahn User's Guide http://www.perihel.at/sec/mz/mops.html

Mausezahn User's Guide

Part Two - Interactive Mode (MOPS)


Author: Herbert Haas
Address:
herbert AT perihel DOT at
http://www.perihel.at/sec/mz

Revision: 0.38.1
Date: 2010-02-10
Copyright: Copyright (c) 2007-2009 by Herbert Haas.

Contents

1 Note
2 What is Mausezahn?
3 Disclaimer and License
4 First steps
5 Defining packets
5.1 General packet options
5.2 Configuring protocol types
5.3 Configuring a greater interval
6 Load prepared configurations
7 What's next?
8 Dear users

1 Note
This User's Guide explains Mausezahn's interactive mode, which relies on
Mausezahn's Own Packet System (MOPS). Most new and all more
sophisticated features are implemented inside this subsystem. MOPS
provides an interactive command line interface (similar to the well-known
Cisco CLI) and is multi-threaded, allowing you to create an arbitrary
number of transmission and scanning processes.

The legacy mode, a.k.a. direct mode (which allows you to create frames and
packets right from the Linux command line), is still supported and is
described in this document.


2 What is Mausezahn?
Mausezahn is a fast traffic generator written in C which allows you to
send nearly every possible and impossible packet. Mausezahn can be used,
for example:

As a traffic generator (e. g. to stress multicast networks)
For penetration testing of firewalls and IDS
For DoS attacks on networks (for audit purposes, of course)
To find bugs in network software or appliances
For reconnaissance attacks using ping sweeps and port scans
To test network behaviour under strange circumstances (stress test, malformed packets, ...)
As a didactical tool during lab exercises

...and more. Mausezahn is basically a versatile packet creation tool on the
command line with a simple syntax and online help. It can also be used
within (bash) scripts to perform combinations of tests.

Currently Mausezahn is only available for Linux (and other UNIX-like)
platforms. There will be no Windows version.

3 Disclaimer and License

Mausezahn is basically a traffic generator as well as a network and firewall
testing tool. Don't use this tool when you are not aware of its
consequences or have only little knowledge about networks and data
communication. If you abuse Mausezahn for unallowed attacks and get
caught, or damage something of your own, then this is completely your
fault.

Since version 0.33 Mausezahn is licensed under the GPLv2.

4 First steps
Using the interactive mode requires starting Mausezahn as a server:

# mz -x


Now you can Telnet to that server using the default port number 25542,
but an arbitrary port number can also be specified:

# mz -x 99
Mausezahn accepts incoming Telnet connections on port 99.
mz: Problems opening config file. Will use defaults

Either from another terminal or from another host try to Telnet to the
Mausezahn server:

harpo$ telnet groucho 99
Trying 192.168.0.4...
Connected to groucho.
Escape character is '^]'.

------------------------------------------
Mausezahn, version 0.38
Copyright (C) 2007-2009 by Herbert Haas.
------------------------------------------

Mausezahn comes with ABSOLUTELY NO WARRANTY; for details
type 'warranty'. This is free software, and you are welcome
to redistribute it under certain conditions; see COPYING
(included in the Mausezahn source package) for details.

For Mausezahn NEWS visit http://www.perihel.at/sec/mz/

Username: mz
Password: mz

mz-0.38> enable
Password: mops
mz-0.38#

It is recommended to configure your own login credentials in
/etc/mausezahn/mz.cfg, such as:

user = herbert
password = TopSecret
enable = MauseZa#n42

Now that you have reached the Mausezahn prompt, let's try some first commands.
You can use the '?' character at any time to get context-sensitive help.

First try out the show command:


mz-0.38# show ?
packet        Show defined packets
interfaces    Show detailed interface information
mops          Show MOPS details
set           List general packet parameters
arp           Show the advanced Mausezahn ARP table
license       Show license and warranty details

Mausezahn maintains its own ARP table and observes anomalies. There is
an entry for every physical interface (however this host has only one):

mz-0.38# sh arp
Intf Index IP address MAC address last Ch UCast BCast Info
----------------------------------------------------------------------------------
eth0 [1] D 192.168.0.1 00:09:5b:9a:15:84 23:44:41 1 1 0 0000

The column Ch tells us that the announced MAC address has only changed
one time (= when it was learned). The columns Ucast and BCast tell us
how often this entry was announced via unicast or broadcast respectively.

Let's check our interfaces:

mz-0.38# show interface

Available network interfaces:

         real            real               used (fake)      used (fake)
  device IPv4 address    MAC address        IPv4 address     MAC address
----------------------------------------------------------------------------------
> eth0   192.168.0.4     00:30:05:76:2e:8d  192.168.0.4      00:30:05:76
  lo     127.0.0.1       00:00:00:00:00:00  127.0.0.1        00:00:00:00

2 interfaces found.
Default interface is eth0.

5 Defining packets
Let's check the current packet list:


mz-0.38# sh packet
Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=U

PktID PktName Layers Proto Size State Device Delay

1 sysARP_servic... E----- ARP 60 config lo 100 msec

1 packets defined, 0 active.

We notice that there is already one system-defined packet process; it has
been created and used only once (during startup) by Mausezahn's ARP
service. Currently its state is config, which means that the process is
sleeping.

5.1 General packet options

Now let's create our own packet process and therefore switch into the
global configuration mode:

mz-0.38# configure term

mz-0.38(config)# packet
Allocated new packet PKT0002 at slot 2

mz-0.38(config-pkt-2)# ?
...
name Assign a unique name
description Assign a packet description text
bind Select the network interface
count Configure the packet count value
delay Configure the inter-packet delay
interval Configure a greater interval
type Specify packet type
mac Configure packet's MAC addresses
tag Configure tags
payload Configure a payload
port Configure packet's port numbers
end End packet configuration mode
ethernet Configure frame's Ethernet, 802.2, 802.3, or SNAP settings
ip Configure packet's IP settings
udp Configure packet's UDP header parameters
tcp Configure packet's TCP header parameters

There are a lot of options here, but normally you only need a few of them. When
you configure lots of different packets you might want to assign a reasonable name
and description to them:


mz-0.38(config-pkt-2)# name Test
mz-0.38(config-pkt-2)# desc This is just a test

You can e. g. change the default settings for the source and destination
MAC/IP addresses using the mac and ip commands:

mz-0.38(config-pkt-2)# ip address dest 10.1.1.0 /24
mz-0.38(config-pkt-2)# ip addr source random

In the example above we configured a range of addresses (all hosts in the
network 10.1.1.0 should be addressed). Additionally we spoof our source
IP address.

Of course we can add one or more VLAN and/or MPLS tag(s):

mz-0.38(config-pkt-2)# tag ?
dot1q Configure 802.1Q (and 802.1P) parameters
mpls Configure MPLS label stack

mz-0.38(config-pkt-2)# tag dot ?
Configure 802.1Q tags:

VLAN[:CoS] [VLAN[:CoS]] ... The leftmost tag is the outer tag in the frame
remove <tag-nr> | all Remove one or more tags (<tag-nr> starts with 1),
by default the first (=leftmost,outer) tag is remo
keyword 'all' can be used instead of tag numbers.
cfi | nocfi [<tag-nr>] Set or unset the CFI-bit in any tag (by default
assuming the first tag).

mz-0.38(config-pkt-2)# tag dot 1:7 200:5

Configure count and delay:


mz-0.38(config-pkt-2)# count 1000

mz-0.38(config-pkt-2)# delay ?
delay <value> [hour | min | sec | msec | usec | nsec]

Specify the inter-packet delay in hours, minutes, seconds, milliseconds, microsec
or nanoseconds. The default unit is milliseconds (i. e. when no unit is given).

mz-0.38(config-pkt-2)# delay 1 msec
Inter-packet delay set to 0 sec and 1000000 nsec

mz-0.38(config-pkt-2)#

5.2 Configuring protocol types

Mausezahn's interactive mode supports a growing list of protocols and
relies only on the MOPS architecture (and not on libnet, as is the case
with the legacy direct mode):


mz-0.38(config-pkt-2)# type
Specify a packet type from the following list:

arp
bpdu
igmp
ip
lldp
tcp
udp

mz-0.38(config-pkt-2)# type tcp

mz-0.38(config-pkt-2-tcp)#
....
seqnr Configure the TCP sequence number
acknr Configure the TCP acknowledgement number
hlen Configure the TCP header length
reserved Configure the TCP reserved field
flags Configure a combination of TCP flags at once
cwr Set or unset the TCP CWR flag
ece Set or unset the TCP ECE flag
urg Set or unset the TCP URG flag
ack set or unset the TCP ACK flag
psh set or unset the TCP PSH flag
rst set or unset the TCP RST flag
syn set or unset the TCP SYN flag
fin set or unset the TCP FIN flag
window Configure the TCP window size
checksum Configure the TCP checksum
urgent-pointer Configure the TCP urgend pointer
options Configure TCP options
end End TCP configuration mode

mz-0.38(config-pkt-2-tcp)# flags syn fin rst
Current setting is: --------------------RST-SYN-FIN

mz-0.38(config-pkt-2-tcp)# end
mz-0.38(config-pkt-2)# paylo ascii This is a dummy payload for my first packet
mz-0.38(config-pkt-2)# end

Now configure another packet; for example, let's assume we want an LLDP
process:


mz-0.38(config)# packet
Allocated new packet PKT0003 at slot 3

mz-0.38(config-pkt-3)# ty lldp
mz-0.38(config-pkt-3-lldp)# exit
mz-0.38(config)# exit

In the above example we only use the default LLDP settings and don't
configure further LLDP options or TLVs.

Back at the top level of the CLI, let's verify what we have done:

mz-0.38# sh pa
Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=U

PktID PktName Layers Proto Size State Device Delay Co

1 sysARP_servic... E----- ARP 60 config lo 100 msec
2 Test E-Q-IT 125 config eth0 1000 usec 1
3 PKT0003 E----- LLDP 36 config eth0 30 sec

3 packets defined, 0 active.

The column Layers indicates which major protocols have been combined.
For example the packet with packet-id 2 ("Test") utilizes Ethernet (E), IP
(I), and TCP (T). Additionally an 802.1Q tag (Q) has been inserted.

Now start one of these packet processes:

mz-0.38# start slot 3
Activate [3]

mz-0.38# sh pac
Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=U

PktID PktName Layers Proto Size State Device Delay Co

1 sysARP_servic... E----- ARP 60 config lo 100 msec
2 Test E-Q-IT 125 config eth0 1000 usec 1
3 PKT0003 E----- LLDP 36 config eth0 30 sec

3 packets defined, 1 active.

Let's have a more detailed look at a specific packet process:


mz-0.38# sh pac 2
Packet [2] Test
Description: This is just a test
State: config, Count=1000, delay=1000 usec (0 s 1000000 nsec), interval= (undefine
Headers:
Ethernet: 00-30-05-76-2e-8d => ff-ff-ff-ff-ff-ff [0800 after 802.1Q tag]
Auto-delivery is ON (that is, the actual MAC is adapted upon transmission)
802.1Q: 0 tag(s); (VLAN:CoS)
IP: SA=192.168.0.4 (not random) (no range)
DA=255.255.255.255 (no range)
ToS=0x00 proto=17 TTL=255 ID=0 offset=0 flags: -|-|-
len=49664(correct) checksum=0x2e8d(correct)
TCP: 83 bytes segment size (including TCP header)
SP=0 (norange) (not random), DP=0 (norange) (not random)
SQNR=3405691582 (start 0, stop 4294967295, delta 0) -- ACKNR=0 (invalid)
Flags: ------------------------SYN----, reserved field is 00, urgent pointer
Announced window size= 100
Offset= 0 (times 32 bit; value is valid), checksum= ffff (valid)
(No TCP options attached) - 0 bytes defined
Payload size: 43 bytes
Frame size: 125 bytes

1 ff:ff:ff:ff:ff:ff:00:30 05:76:2e:8d:81:00:e0:01 81:00:a0:c8:08:00:45:00 00
33 fa:e4:c0:a8:00:04:ff:ff ff:ff:00:00:00:00:ca:fe ba:be:00:00:00:00:a0:07 00
65 05:ac:04:02:08:0a:19:35 90:c3:00:00:00:00:01:03 03:05:54:68:69:73:20:69 73
97 79:20:70:61:79:6c:6f:61 64:20:66:6f:72:20:6d:79 20:66:69:72:73:74:20:70 61

mz-0.38#

If you want to stop one or more packet processes, use the stop
command. The "emergency stop" is when you use stop all:

mz-0.38# stop all
Stopping
[3] PKT0003

Stopped 1 transmission processe(s)

The launch command provides a shortcut for commonly used packet
processes. For example, to behave like an STP-capable bridge we want to
start a BPDU process with typical parameters:


mz-0.38# laun bpdu
Allocated new packet sysBPDU at slot 5

mz-0.38# sh pac
Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=U

PktID PktName Layers Proto Size State Device Delay

1 sysARP_servic... E----- ARP 60 config lo 100 msec
2 Test E-Q-IT 125 config eth0 1000 usec
3 PKT0003 E----- LLDP 36 config eth0 30 sec
4 PKT0004 E---I- IGMP 46 config eth0 100 msec
5 sysBPDU ES---- BPDU 29 active eth0 2 sec

5 packets defined, 1 active.

Now a Configuration BPDU is sent every 2 seconds, claiming to be the root
bridge (and usually confusing the LAN). Note that only packet 5 (i. e. the
last row) is active and therefore sending packets, while all other packets are
in state config (i. e. they have been configured but are not doing
anything at the moment).

5.3 Configuring a greater interval

Sometimes you may want to send a burst of packets at a greater interval:

mz-0.38(config)# pac 2
Modify packet parameters for packet Test [2]

mz-0.38(config-pkt-2)# interv
Configure a greater packet interval in days, hours, minutes, or seconds

Arguments: <value> <days | hours | minutes | seconds>

Use a zero value to disable an interval.

mz-0.38(config-pkt-2)# interv 1 h

mz-0.38(config-pkt-2)# count 10

mz-0.38(config-pkt-2)# delay 15 usec
Inter-packet delay set to 0 sec and 15000 nsec

Now this packet is sent ten times with an inter-packet delay of 15
microseconds, and this is repeated every hour. When you look at the packet
list, an interval is indicated with the additional flag 'i' when inactive or 'I'
when active:

mz-0.38# sh pa
Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=U

PktID PktName Layers Proto Size State Device Delay

1 sysARP_servic... E----- ARP 60 config lo 100 msec
2 Test E-Q-IT 125 config-i eth0 15 usec
3 PKT0003 E----- LLDP 36 config eth0 30 sec
4 PKT0004 E---I- IGMP 46 config eth0 100 msec
5 sysBPDU ES---- BPDU 29 active eth0 2 sec

5 packets defined, 1 active.

mz-0.38# start sl 2
Activate [2]

mz-0.38# sh pa
Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=U

PktID PktName Layers Proto Size State Device Delay

1 sysARP_servic... E----- ARP 60 config lo 100 msec
2 Test E-Q-IT 125 config+I eth0 15 usec
3 PKT0003 E----- LLDP 36 config eth0 30 sec
4 PKT0004 E---I- IGMP 46 config eth0 100 msec
5 sysBPDU ES---- BPDU 29 active eth0 2 sec

5 packets defined, 1 active.

Note that the flag 'I' indicates that an interval has been specified for packet
2. The process is not active at the moment (only packet 5 is active here)
but it will become active in a regular interval. You can verify the actual
interval when viewing the packet details via the show packet 2 command.
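The Layers column described in 5.2 and the 'i'/'I' interval flags in the State column can be decoded mechanically, which is handy when reviewing what a lab host's Mausezahn server currently has armed. The following Python parser is an added example, not code from this guide or from Mausezahn itself; it assumes the sixth Layers position names the transport layer (T=TCP, as shown for packet 2; U is taken to mean UDP because the legend line is cut off), and it embeds a constructed copy of the listing above.

```python
"""Parse the MOPS 'show packet' listing. Added example, not from the guide or the mz source.
Assumption: the sixth Layers char is the transport layer, T=TCP (guide's packet 2) and U=UDP."""
import re
from typing import NamedTuple

LAYER_CODES = {"E": "Ethernet", "S": "SNAP", "Q": "802.1Q", "M": "MPLS",
               "I": "IP", "i": "IP (delivery off)", "T": "TCP", "U": "UDP"}
# Row: PktID PktName Layers [Proto] Size State Device Delay. Proto may be empty (guide's TCP row).
ROW_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+([ESQMIiTU-]{6})\s+(?:([A-Za-z]+)\s+)?"
                    r"(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\w+)")

class PacketProcess(NamedTuple):
    pkt_id: int
    name: str
    layers: str
    proto: str
    size: int
    state: str    # 'config', 'config-i', 'config+I' or 'active'
    device: str
    delay: str

    def decoded_layers(self):
        return [LAYER_CODES[c] for c in self.layers if c != "-"]

    def transmitting(self):
        return self.state.startswith("active")

    def interval_armed(self):
        # '-i': interval set but slot not started; '+I': started, sends a burst every interval
        return self.state.endswith("+I")

def parse_show_packet(text):
    """Return one PacketProcess per data row; header and legend lines are skipped."""
    rows = []
    for m in filter(None, map(ROW_RE.match, text.splitlines())):
        proto = m[4] or LAYER_CODES.get(m[3][-1], "?")  # derive TCP/UDP from Layers
        rows.append(PacketProcess(int(m[1]), m[2], m[3], proto, int(m[5]),
                                  m[6], m[7], f"{m[8]} {m[9]}"))
    return rows

def summarize(rows):
    """Group packet ids: sending now, armed to send at the next interval, or idle."""
    return {"active": [r.pkt_id for r in rows if r.transmitting()],
            "armed": [r.pkt_id for r in rows if r.interval_armed()],
            "idle": [r.pkt_id for r in rows if not (r.transmitting() or r.interval_armed())]}

# Constructed sample: the listing the guide shows right after 'start sl 2'.
SAMPLE = """\
PktID PktName Layers Proto Size State Device Delay
1 sysARP_servic... E----- ARP 60 config lo 100 msec
2 Test E-Q-IT 125 config+I eth0 15 usec
3 PKT0003 E----- LLDP 36 config eth0 30 sec
4 PKT0004 E---I- IGMP 46 config eth0 100 msec
5 sysBPDU ES---- BPDU 29 active eth0 2 sec
"""
```

Calling `summarize(parse_show_packet(SAMPLE))` on the sample reports packet 5 as active, packet 2 as armed by its interval, and 1, 3 and 4 as idle, matching the "5 packets defined, 1 active." line.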

6 Load prepared configurations

You can prepare packet configurations using the same commands as you
would type them in on the CLI and then load them into the CLI.

For example assume we have prepared a file 'test.mops' containing:


configure terminal
packet
name IGMP_TEST
desc This is only a demonstration how to load a file to mops
type igmp

Then we can add this packet configuration to our packet list using the load
command:

mz-0.38# load test.mops
Read commands from test.mops...

Allocated new packet PKT0002 at slot 2

mz-0.38# sh pa
Packet layer flags: E=Ethernet, S=SNAP, Q=802.1Q, M=MPLS, I/i=IP/delivery_off, U=U

PktID PktName Layers Proto Size State Device Delay

1 sysARP_servic... E----- ARP 60 config lo 100 msec
2 IGMP_TEST E---I- IGMP 46 config eth0 100 msec

2 packets defined, 0 active.

7 What's next?
The following features are planned; some of them are already experimental
and will be available soon:

Other basic protocols, including RTP
Scanning processes
Logging processes
IPv6
Custom protocols via XML
Object-oriented configuration
Benchmarking according to RFC 2544 (device under test)

and many others (the true list is much longer). Also a GUI is in preparation
(which will surely not replace the CLI).

8 Dear users
Mausezahn is still under heavy development and you may expect new
features very soon.

Please report to herbert AT perihel DOT at regarding:

Bugs
Important features you miss
How you used Mausezahn (I am really interested in practical problems)
Interesting observations with Mausezahn in the network
