Packet Construction

The packet construction directory contains software for specifying, creating, transmitting and replaying packets of data on a network.

o cryptcat
  TCP/IP Swiss army knife extended with Twofish encryption - Cryptcat is a simple Unix utility which reads and writes data across network connections, using the TCP or UDP protocol while encrypting the data being transmitted. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.

o fake
  fake has been designed to switch in backup servers on a LAN. In particular it has been designed to back up Mail, Web and Proxy servers during periods of both unscheduled and scheduled down time. Fake allows you to take over the IP address of another machine in the LAN by bringing up an additional interface and making use of ARP spoofing. The additional interface can be either a physical interface or an IP alias.

o fragrouter
  fragrouter is a program for routing network traffic in such a way as to elude most network intrusion detection systems. The attacks implemented correspond to those listed in the Secure Networks "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection" paper of January 1998.

o ipsentinel
  ipsentinel tries to prevent unauthorized usage of IPs within the local ethernet broadcast domain by giving an answer to ARP requests. After receiving such a faked reply, the requesting party stores the MAC it was given in its ARP table and will send future packets to this MAC. Because this MAC is invalid, the host with the invalid IP cannot be reached.

o IRPAS: Internetwork Routing Protocol Attack Suite
  IRPAS is a packet construction utility that interoperates with a number of protocols such as CDP (Cisco Discovery Protocol), IGRP (Interior Gateway Routing Protocol), IRDP (ICMP Router Discovery Protocol), HSRP (Hot Standby Router Protocol) amongst a long list of other interesting things.

o ISIC: IP Stack Integrity Checker
  The purpose of ISIC is to test the stability of an IP stack and its component stacks (TCP, UDP, ICMP et al.). It does this by generating random packets of the desired protocol. The packets can have tendencies, i.e. by default all packets have a 50% chance of having IP Options. The packets are then sent against the target machine to either penetrate its firewall rules or find bugs in the IP stack.

o libdnet
  libdnet provides a simplified, portable interface to several low-level networking routines, including network address manipulation, kernel arp(4) cache and route(4) table lookup and manipulation, network firewalling, network interface lookup and manipulation, and raw IP packet and Ethernet frame transmission.

o libnet
  libnet is a collection of routines to help with the construction and handling of network packets. It provides a portable framework for low-level network packet shaping, handling and injection. Libnet features portable packet creation interfaces at the IP layer and link layer, as well as a host of supplementary and complementary functionality.

o nemesis
  Nemesis is a command-line network packet crafting and injection utility for UNIX-like and Windows systems. It can natively craft and inject ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP packets. Using the IP and the Ethernet injection modes, almost any custom packet can be crafted and injected.

o netcat (nc)
  The nc (or netcat) utility is used for just about anything under the sun involving TCP or UDP. It can open TCP connections, send UDP packets, listen on arbitrary TCP and UDP ports, do port scanning, and deal with both IPv4 and IPv6. Unlike telnet(1), nc scripts nicely, and separates error messages onto standard error instead of sending them to standard output, as telnet(1) does with some. Wiretapped provides various versions of netcat, including the original l0pht version, the OpenBSD rewrite, and the GNU rewrite.

o netsed
  netsed is a small and handy utility designed to alter the contents of packets forwarded through your network in real time. It is really useful for network hackers in black-box protocol auditing, fuzz-alike experiments, fooling people, content filtering etc.

o netwag
  Netwag is a graphical (Tcl/Tk) front end for netwox (see below). Netwag provides users with the ability to search amongst tools provided by netwox, run tools in a new window, or in a text zone, keep a history of commands, and exchange data using two integrated clipboards.

o netwib
  Netwib is a network library for network administrators and network hackers. Its objective is to make it easy to create network programs. This library provides network functionalities for the Ethernet, IP, UDP, TCP, ICMP, ARP and RARP protocols. It supports spoofing, sniffing, client and server creation. Furthermore, netwib contains high-level functions dealing with data storage and handling. Using all these functions, you can quickly create a network test program.

o netwox
  Netwox is a toolbox for network administrators and network hackers. Netwox contains over 90 tools using the network library netwib. Some tools are only a simplified implementation, while others are very sophisticated. Netwag is a graphical front end to netwox.

o Paketto Keiretsu
  The Paketto Keiretsu is a collection of tools that use new and unusual strategies for manipulating TCP/IP networks. They tap functionality within existing infrastructure and stretch protocols beyond what they were originally intended for. It includes Scanrand, an unusually fast network service and topology discovery system, Minewt, a user space NAT/MAT router, Linkcat, which presents an Ethernet link to stdio, Paratrace, which traces network paths without spawning new connections, and Phentropy, which uses OpenQVIS to render arbitrary amounts of entropy from data sources in three dimensional phase space.

o packit
  Packit is a network auditing tool. Its value is derived from its ability to customize, inject, monitor, and manipulate IP traffic. By allowing you to define (spoof) nearly all TCP, UDP, ICMP, IP, ARP, RARP, and Ethernet header options, Packit can be useful in testing firewalls, intrusion detection systems, port scanning, simulating network traffic, and general TCP/IP auditing. Packit is also an excellent tool for learning TCP/IP.

o rain
  rain is a powerful tool for testing stability of hardware and software utilizing IP protocols. It offers its users the capability of creating their own packets with a wide variety of command line options.

o scapy
  Scapy is a powerful interactive packet manipulation program. It is able to forge or decode packets of a wide number of protocols, send them on the wire, capture them, match requests and replies, and much more. It can easily handle most classical tasks like scanning, tracerouting, probing, unit tests, attacks or network discovery (it can replace hping, 85% of nmap, arpspoof, arp-sk, arping, tcpdump, tethereal, p0f, etc.). It also performs very well at a lot of other specific tasks that most other tools can't handle, like sending invalid frames, injecting your own 802.11 frames, combining techniques (VLAN hopping+ARP cache poisoning, VOIP decoding on WEP encrypted channel, ...), etc.

o SendIP
  SendIP is a command-line tool to allow sending arbitrary IP packets. It has a large number of command line options to specify the content of every header of a RIP, TCP, UDP, ICMP or raw IPv4 and IPv6 packet. It also allows any data to be added to the packet. Checksums can be calculated automatically, but if you wish to send out wrong checksums, that is supported too.

o socat
  socat is a relay for bidirectional data transfer between two independent data channels. Each of these data channels may be a file, pipe, device (serial line etc. or a pseudo terminal), a socket (UNIX, IP4, IP6 - raw, UDP, TCP), an SSL socket, proxy CONNECT connection, a file descriptor (stdin etc.), the GNU line editor, a program, or a combination of two of these. These modes include generation of "listening" sockets, pipes and pseudo terminals.

o Socket Script
  Socket Script is a simple scripting language to access sockets. It was designed to provide users with a quick and easy scripting language to make powerful networking applications, without the need to learn C or complicated socket code.

o tcpreplay
  tcpreplay is aimed at testing the performance of a NIDS by replaying real background network traffic in which to hide attacks. tcpreplay allows you to control the speed at which the traffic is replayed, and can replay arbitrary tcpdump traces. Unlike programmatically generated artificial traffic, which doesn't exercise the application/protocol inspection that a NIDS performs and doesn't reproduce the real-world anomalies that appear on production networks (asymmetric routes, traffic bursts/lulls, fragmentation, retransmissions, etc.), tcpreplay allows for exact replication of real traffic seen on real networks.

o TTCP
  TTCP is a benchmarking tool for determining TCP and UDP performance between 2 systems.

o yersinia
  Yersinia is a network tool designed to take advantage of some weaknesses in different network protocols. It aims to be a solid framework for analyzing and testing the deployed networks and systems.

(Note: This list of software and information available at Wiretapped is not exhaustive. Users are encouraged to browse and search the archive and read any "-README.txt" files that are available.)