route_detector.pl
How many routes out of your network can you find?

Latest Version is: 0.9

If you want information about new releases mailed to you, or have any suggestions, please contact me.



Description | Features | Bugs | ToDo | Requirements | Download | Output | Usage/Docs | Goals | Change Log

Description

Written by: MadHat at Unspecific.com

This scanner is intended to detect multi-homed boxes on a secured network. Signed ICMP packets are sent with spoofed source IPs to hosts on an internal, protected network. On the box that owns the spoofed IP, the listener watches for the ICMP packets. The ICMP data is the IP address you are testing (the target on the inside network) and an MD5 hash of a secret and that same IP. In listen mode it takes the IP from the data field and the secret (specified on the command line), recomputes the hash and compares it. If it matches, it knows this is a packet it is supposed to pay attention to. If the IP in the data field does not match the source address in the IP header, it displays the information. Machines behind a NAT device are all flagged: if you have several of them they will all show the same IP, so it is easy to tell if one is dual homed, since it will be the one that does not match the rest. If you are using a stateful firewall, it will usually block all echo-replies, having not seen the echo-request.
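The following is an added example, not code from route_detector.pl itself, that works through the listener-side logic described above: building the signed data field, checking the hash against the key, comparing the carried IP with the reply's source, and then grouping the mismatches so that the NAT gateway (the responder most targets map to) is separated from a lone responder that indicates a dual-homed host. The exact byte layout of the data field and the order in which the secret and the IP are hashed are assumptions; the tool's own format may differ. All reply records below are constructed sample data.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed: the -k key used in the page's sample runs.
SECRET = "unspecific"


def sign_payload(target_ip: str, secret: str = SECRET) -> bytes:
    """Build the ICMP data field: the target IP plus MD5(secret + IP).
    Layout (text IP, ':', 32 hex chars) is an assumption, not the tool's format."""
    digest = hashlib.md5((secret + target_ip).encode()).hexdigest()
    return f"{target_ip}:{digest}".encode()


def verify_payload(data: bytes, secret: str = SECRET):
    """Return the target IP carried in the data if the hash checks out, else None.
    Anything that does not verify is ordinary ICMP noise and is ignored."""
    try:
        ip, digest = data.decode().rsplit(":", 1)
    except (UnicodeDecodeError, ValueError):
        return None
    expected = hashlib.md5((secret + ip).encode()).hexdigest()
    # Constant-time compare so the listener does not leak timing about the key.
    if not hmac.compare_digest(expected, digest):
        return None
    return ip


def classify_reply(src_ip: str, data: bytes, secret: str = SECRET) -> str:
    """'ignored' = not ours, 'direct' = came straight from the probed host,
    'warning' = echo-reply left the network through some other address."""
    target = verify_payload(data, secret)
    if target is None:
        return "ignored"
    return "direct" if target == src_ip else "warning"


def analyze_replies(replies, secret: str = SECRET):
    """replies: iterable of (source_ip, icmp_data).
    Returns (results, suspects). results maps target -> (responder, status).
    Mismatched replies are grouped by responder: behind a NAT most targets map
    to one gateway, so a responder seen for only a few targets stands out."""
    results = {}
    by_responder = defaultdict(list)
    for src, data in replies:
        target = verify_payload(data, secret)
        if target is None:
            continue
        status = "direct" if target == src else "warning"
        results[target] = (src, status)
        if status == "warning":
            by_responder[src].append(target)
    suspects = {}
    if by_responder:
        gateway = max(by_responder, key=lambda r: len(by_responder[r]))
        suspects = {r: t for r, t in by_responder.items() if r != gateway}
    return results, suspects


# Constructed sample: three hosts answer via the NAT gateway 172.16.0.1,
# one host answers from an unexpected address, one answers directly,
# and one packet carries a hash made with the wrong key.
SAMPLE_REPLIES = [
    ("172.16.0.1", sign_payload("192.168.3.1")),
    ("172.16.0.1", sign_payload("192.168.3.6")),
    ("172.16.0.1", sign_payload("192.168.3.9")),
    ("10.9.9.9", sign_payload("192.168.3.12")),
    ("192.168.3.20", sign_payload("192.168.3.20")),
    ("1.2.3.4", sign_payload("192.168.3.21", "wrong-key")),
]

if __name__ == "__main__":
    results, suspects = analyze_replies(SAMPLE_REPLIES)
    for target, (src, status) in sorted(results.items()):
        if status == "warning":
            print(f"WARNING: Packet came back from {src}, but was sent to {target}")
    for responder, targets in suspects.items():
        print(f"odd one out: {responder} answered for {', '.join(targets)}")
```

Run stand-alone it prints one WARNING line per mismatched target, in the style of the listener output, and then names the responder that does not match the rest. A reply whose hash was made with a different key never reaches the results at all, which is what the key is for: stray echo-replies from unrelated traffic cannot produce a false warning.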


Features

  • Command line 'key' to verify packets
  • Timed listening (for automation/croned scanning)
  • Max Packets, so it exits after receiving X packets if no timeout is set.


BUGS

Send your bugs to Bugs at Unspecific.com

With newer Linux kernels, we are seeing some issues with Net::RawIP. Here is an entry from someone else's FAQ that addresses the issue, though it is not working for me. ;)
Q: I get sendto() at /usr/local/lib/perl/5.8.2/Net/RawIP.pm line 550?
A: You are not allowed to send the constructed packet. Please check if you
are running a packet filtering program (Linux: iptables -L or ipchains -L / 
FreeBSD: ipfw list). If that's not the case and you are trying to send an
icmp redirect packet check if your system allows you to send redirect
messages e.g. look at /proc/sys/net/ipv4/conf/all/*redirect or at
sysctl net.ipv4.conf.default.send_redirects. 
Try sysctl -w net.inet.icmp.drop_redirect=0 under FreeBSD.
In my testing, if you avoid the broadcast IP of your local subnet and the network address, it works fine.

For example, if I am on 192.168.1.7 on a /24 and I scan 192.168.1.1-254 it works fine, but if I include .0 or .255 in this example I get the error.
  • Cannot scan the network or broadcast address of the subnet the machine is running on. ('Feature' of Net::RawIP)


ToDo

  • Add forking to scan faster. Easy, just need to add the code.


Requirements

  • Perl >= 5.6
  • Net::RawIP
  • Marconi More details to come. For now, just download to same directory you are running the Sender from


Download



Output

Listener
$ sudo ./route_detector.pl -v -l -k unspecific
Route Detector v0.1 by MadHat (at) Unpsecific.com
Packet Received from: 192.168.100.3
Original IP Sent to:  192.168.1.0
WARNING: Packet came back from 192.168.100.3, but was sent to 192.168.1.0
Packet Received from: 192.168.1.1
Original IP Sent to:  192.168.1.1
Packet Received from: 192.168.1.3
Original IP Sent to:  192.168.1.3
^C


Sender
$ sudo ./route_detector.pl -v -k unspecific -s 172.21.1.56 -d 192.168.1.0/24
Route Detector v0.6 by MadHat (at) Unpsecific.com
scanning 192.168.1.0/24
Sending Packets to 255 IPs
Sending to 192.168.1.0
Sending to 192.168.1.1
Sending to 192.168.1.2
Sending to 192.168.1.3
^C


NON-Verbose w/ NATed hosts

Listener
$ sudo ./route_detector.pl -l -k unspecific
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.0
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.1
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.6
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.9
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.11
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.12
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.16
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.18
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.20
WARNING: Packet came back from 172.16.0.1, but was sent to 192.168.3.21
^C


Sender
$ sudo ./route_detector.pl -k unspecific -s 172.21.1.56 -d 192.168.3.0/24
Sending Packets to 255 IPs
^C


Usage (output from ./http-scan.pl -h)

$ ./route_detector.pl
Must have EUID == 0 to use Net::RawIP at ./route_detector.pl line 36
MUST BE RUN AS ROOT
Route Detector v by MadHat (at) Unpsecific.com
Usage:
./route_detector.pl -l | -d <remote_ip> [-s <source_ip>] [-v] [-k key]\
        [-t <sec>] [-c <pact_count>] [-S <sec_delay> ]

    -l  Listen Mode  Sniffing for ICMP packets and looking for the right data.
    -d <remote_ip>   Send Mode, sending 'signed' ICMP packets to <remote_ip>
    -s <source_ip>   Spoofed Source IP, to be used with -d
    -k <key>         Key used to 'sign' the data in the ICMP packet
    -i <interface>   Interface, default eth0
    -t <sec>         Number of seconds to listen (-l) before exiting
    -S <sec_delay>   Number of seconds to wait (0) between each packet
    -c <pact_count>  Number of packets to listen for (-l) before exiting
    -v  Verbose      Add moe info about what is going on




Goals





Change Log

  • 0.9
    • Changed the output layout on verbose mode (-v)
    • Output in Verbose mode (-v) now includes the DNS entry of both target and responder
    • Added "Time" to verbose mode (-v), giving the number of seconds it took for the packet to make its journey.
      Clocks must be synced on both source and dest hosts if they are not the same host for this to be accurate.
      I recommend using NTP
  • 0.8
    • Increased the speed by making the time between packets settable via the command line (-S); default is 0
    • I like incrementing on simple things... ;^)
  • 0.7
    • Added DNS lookups with Verbose listening
    • Removed some other data in Verbose listening
  • 0.6
    • First public release
