DragonFly On-Line Manual Pages
PIXILATE(1) DragonFly General Commands Manual PIXILATE(1)
NAME
pixilate - parses an input file containing Cisco PIX 6.2x - PIX 6.3x
(normal mask) or Cisco IOS (inverted mask) access-list entries and
generates the corresponding packets. For information on writing PIX
access lists, see
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid7
and http://www.cisco.com/warp/public/707/confaccesslists.html#intro for
Cisco IOS access-lists.
pixilate - is currently capable of generating TCP/UDP/ICMP (various ICMP
types), and IGMP utilizing the Libnet 1.1.x library available from
http://www.packetfactory.net. NOTE: Libnet 1.0.x is NOT compatible."
OPTIONS
pixilate [-f access-list] [-dDfghimopqrsSv]
The options are as follows:
-d destination ip address
Required argument. The Default destination IP address
is needed to ensure that the packet reaches the
intended target when an Extended ACL with 'any' as a
destination or a Simple ACL (0-99) is encountered.
This IP should obviously be on the inside of the
firewall.
-D destination port
Default destination port to be used when destination
port is 'any' If omitted, the default destination port
is 80.
-f filename Required argument. Filename written in PIX 6.2x - PIX
6.3x access-list format to be parsed.
-g gateway address
Optional parameter to specify gateway ip address. This
parameter is only used for ICMP redirect packet
generation.
-h Displays pixilate usage.
-i ip id Optional parameter to specify ip id. This is useful
when attempting to identify a spoofed address that was
generated from pixilate when used in combination with
-q sequence number
-m permit|deny Optional parameter to process only permit or only deny
ACLs. By default, pixilate generates packets for both
permit and deny ACLs.
-o filename Optional parameter to redirect standard output to
filename. Use in combination with -v for detailed
statistics.
-p payload Optional parameter to specify payload.
-q sequence number
Optional parameter to specify sequence number. This is
useful when attempting to identify a spoofed address
that was generated from pixilate when used in
combination with -i ip id
-r Input file specified by -f filename is a Cisco IOS
formatted access-list (inverted mask) rather than the
default Cisco PIX formatted access-list (normal mask).
-s source ip address
Default source IP address to be used when source
address is 'any' If omitted, a random soure address is
chosen.
-S source port Default source port to be used when source port is
'any'. If omitted, the default source port is 1025.
-v Verbose mode. Displays statistics for each packet
sent.
EXAMPLE ACCESS LISTS
See the included example-acl.txt for several examples
access-list acl_ID {deny | permit} icmp {source_addr | local_addr}
{source_mask | local_mask} {destination_addr | remote_addr}
{destination_mask | remote_mask} icmp_type
access-list id {deny | permit} icmp {source_addr | local_addr}
{source_mask | local_mask} | object-group network_obj_grp_id
{destination_addr | remote_addr} {destination_mask | remote_mask} |
object-group network_obj_grp_id [icmp_type | object-group
icmp_type_obj_grp_id]
access-list acl_ID {deny | permit} protocol {source_addr | local_addr}
{source_mask | local_mask}[operator port [port] {destination_addr |
remote_addr} {destination_mask | remote_mask} [operator port [port]
access-list id {deny | permit}{protocol | object-group
protocol_obj_grp_id {source_addr | local_addr} {source_mask | local_mask}
| object-group network_obj_grp_id [operator port [port] | object-group
service_obj_grp_id] {destination_addr | remote_addr} {destination_mask |
remote_mask} | object-group network_obj_grp_id [operator port [port] |
object-group service_obj_grp_id]}
pixilate also supports its own internal payload literal that can be
supplied at the end of any or all Extended (100-199) ACLs. The format for
this literal is payload "payload in quotes" See example-acl.txt. This
overides the -p option only for the specific ACL.
HOW PIXILATE INTERPRETS THE ACCESS-LIST
acl_ID Name of an access list. You can use either a name or number.
pixilate uses acl_ID to determine if the ACL is Simple (0-99) where only
the source address is known or Extended (100-199) where both the source
and destination addresses are known.
compiled Turbo ACLs are skipped by pixilate
deny pixilate keeps track of the number of deny acl packets sent for
informational purposes only. A packet is sent regardless of the acl being
marked permit or deny. destination_addr IP address of the network or
host to which the packet is being sent.
destination_mask Netmask to be applied to destination_addr, if the
destination address is a network mask. In this case, a random IP address
valid for the networkmask/netmask is randomly generated. If the -r option
is specified (Processing an IOS access-list), the destination_mask is
treated as an inverted mask and is "flipped" before processing. For
example: 0.0.0.255 becomes 255.255.255.0
icmp_type pixilate is capable of generating echo-reply(0),
unreachable(3), redirect(5), echo(8), time-exceeded(11), timestamp-
reply(13), timestamp-request(14), mask-request(17), mask-reply(18)
packets. icmp_type can be referred to by the name or the protocol number.
NOTE: redirect (icmp_type 5) packets required the -g option.
local_addr address of network or host local to the Firewall.
local_mask netmask to be applied to local_addr if the local address is a
network mask. If the -r option is specified (Processing an IOS access-
list), the local_mask is treated as an inverted mask and is "flipped"
before processing. For example: 0.0.0.255 becomes 255.255.255.0
object-group object-group information is ignored by pixilate
object_grp_id object_group_id is ignored by pixilate operator The
operator compares the source ip address or destination ip address ports.
Possible operands include lt for less than, gt for greater than, eq of
equal, neq for not equal, and range for an inclusive range. pixilate
will randomly choose a source or destination port based on the operator.
permit keeps track of the number of permit acl packets sent for
informational purposes only. A packet is sent regardless of the acl being
marked permit or deny.
port services you permit or deny access to. You can specify ports by
either a literal name or a number in the range or 0 to 65535. If a port
is not specified one will be generated randomly. pixilate supports the
following PIX TCP port literals: bgp, chargen, cmd, citrix-ica, daytime,
discard, domain, echo, exec, finger, ftp, ftp-data, gopher, h323,
hostname, http, ident, irc, klogin, kshell, lpd, nntp, pop2, pop3, pptp,
rpc, smtp, sqlnet, sunrpc, tacacs, talk, telnet, time, uucp, whois, and
www. pixilate supports the following PIX UDP port literals: biff,
bootpc, bootps, discard, dnsix, echo, mobile-ip, nameserver, netbios-dgm,
netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs, talk, tftp,
time, who, and xdmcp. It is possible to specify a default source port
with the -S option, and a default destination port of -D If not
specified, the default source port is 1025 and the default destination
port is 80.
protocol supported literals include icmp, tcp, udp, igmp. To match any
Internet protocol use the keyword ip.
source_address address of the network or host from with the packet is
being sent. pixilate is of course capable of spoofing source addresses.
If the keyword any is used, a source address is randomly generated unless
one is supplied with the -s option.
remote_addr IP address of the network or host remote to the firewall. It
is a good idea to specify a destination address that is behind the
firewall *hint, hint* with the -d option.
remote_mask netmask to be applied to remote_addr, if the remote address
is a network mask. In this case, a random IP address valid for the
networkmask/netmask is randomly generated. If the -r option is specified
(Proccessing an IOS access-list), the remote_mask is treated as an
inverted mask and is "flipped" before processing. For example: 0.0.0.255
becomes 255.255.255.0
COMPATIBILITY
Requires libnet 1.1.x available at http://www.packetfactory.net pixilate
has been tested on FreeBSD 4.7 and Linux using automake 1.5 and autoconf
2.53
AUTHORS
This manual page was written by Kirby Kuehl
<vacuum@users.sourceforge.net.> http://winfingerprint.sourceforge.net
DragonFly 6.5-DEVELOPMENT April 25, 2003 DragonFly 6.5-DEVELOPMENT