Manpages

−i

Specify the interface to accept packets on.

−p

Preserve the entire protocol header in the first fragment. This is useful in bypassing packet filters that deny short IP fragments.

−g

Specify a hop along a loose source routed path. Can be used more than once to build a chain of hop points.

−G

Positions the "hop counter" within the list of hosts in the path of a source routed packet. Should be a multiple of 4. Can be set past the length of the loose source routed path to implement Anthony Osborne’s Windows IP source routing attack of September 1999.

−B1

baseline-1: Normal IP forwarding.

−F1

frag-1: Send data in ordered 8-byte IP fragments.

−F2

frag-2: Send data in ordered 24-byte IP fragments.

−F3

frag-3: Send data in ordered 8-byte IP fragments, with one fragment sent out of order.

−F4

frag-4: Send data in ordered 8-byte IP fragments, duplicating the penultimate fragment in each packet.

−F5

frag-5: Send data in out of order 8-byte IP fragments, duplicating the penultimate fragment in each packet.

−F6

frag-6: Send data in ordered 8-byte IP fragments, sending the marked last fragment first.

−F7

frag-7: Send data in ordered 16-byte IP fragments, preceding each fragment with an 8-byte null data fragment that overlaps the latter half of it. This amounts to the forward-overlapping 16-byte fragment rewriting the null data back to the real attack.

−T1

tcp-1: Complete TCP handshake, send fake FIN and RST (with bad checksums) before sending data in ordered 1-byte segments.

−T3

tcp-3: Complete TCP handshake, send data in ordered 1-byte segments, duplicating the penultimate segment of each original TCP packet.

−T4

tcp-4: Complete TCP handshake, send data in ordered 1-byte segments, sending an additional 1-byte segment which overlaps the penultimate segment of each original TCP packet with a null data payload.

−T5

tcp-5: Complete TCP handshake, send data in ordered 2-byte segments, preceding each segment with a 1-byte null data segment that overlaps the latter half of it. This amounts to the forward-overlapping 2-byte segment rewriting the null data back to the real attack.

−T7

tcp-7: Complete TCP handshake, send data in ordered 1-byte segments interleaved with 1-byte null segments for the same connection but with drastically different sequence numbers.

−T8

tcp-8: Complete TCP handshake, send data in ordered 1-byte segments with one segment sent out of order.

−T9

tcp-9: Complete TCP handshake, send data in out of order 1-byte segments.

−C2

tcbc-2: Complete TCP handshake, send data in ordered 1-byte segments interleaved with SYN packets for the same connection parameters.

−C3

tcbc-3: Do not complete TCP handshake, but send null data in ordered 1-byte segments as if one had occured. Then, complete a TCP handshake with same connection parameters, and send the real data in ordered 1-byte segments.

−R1

tcbt-1: Complete TCP handshake, shut connection down with a RST, re-connect with drastically different sequence numbers and send data in ordered 1-byte segments.

−I2

ins-2: Complete TCP handshake, send data in ordered 1-byte segments but with bad TCP checksums.

−I3

ins-3: Complete TCP handshake, send data in ordered 1-byte segments but with no ACK flag set.

−M1

misc-1: Thomas Lopatic’s Windows NT 4 SP2 IP fragmentation attack of July 1997 (see http://www.dataprotect.com/ntfrag/ for details). This attack has only been implemented for UDP.

−M2

misc-2: John McDonald’s Linux IP chains IP fragmentation attack of July 1998 (see http://www.dataprotect.com/ipchains/ for details). This attack has only been implement for TCP and UDP.