DragonFly On-Line Manual Pages

PIXILATE(1)            DragonFly General Commands Manual           PIXILATE(1)

NAME
     pixilate - parses an input file containing Cisco PIX 6.2x - PIX 6.3x
     (normal mask) or Cisco IOS (inverted mask) access-list entries and
     generates the corresponding packets. For information on writing PIX
     access lists, see
     http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid7
     and http://www.cisco.com/warp/public/707/confaccesslists.html#intro for
     Cisco IOS access-lists.

     pixilate - is currently capable of generating TCP/UDP/ICMP (various ICMP
     types), and IGMP utilizing the Libnet 1.1.x library available from
     http://www.packetfactory.net. NOTE: Libnet 1.0.x is NOT compatible."

OPTIONS
     pixilate [-f access-list] [-dDfghimopqrsSv]

     The options are as follows:

     -d destination ip address
                        Required argument. The Default destination IP address
                        is needed to ensure that the packet reaches the
                        intended target when an Extended ACL with 'any' as a
                        destination or a Simple ACL (0-99) is encountered.
                        This IP should obviously be on the inside of the
                        firewall.

     -D destination port
                        Default destination port to be used when destination
                        port is 'any' If omitted, the default destination port
                        is 80.

     -f filename        Required argument. Filename written in PIX 6.2x - PIX
                        6.3x access-list format to be parsed.

     -g gateway address
                        Optional parameter to specify gateway ip address. This
                        parameter is only used for ICMP redirect packet
                        generation.

     -h                 Displays pixilate usage.

     -i ip id           Optional parameter to specify ip id. This is useful
                        when attempting to identify a spoofed address that was
                        generated from pixilate when used in combination with
                        -q sequence number

     -m permit|deny     Optional parameter to process only permit or only deny
                        ACLs. By default, pixilate generates packets for both
                        permit and deny ACLs.

     -o filename        Optional parameter to redirect standard output to
                        filename. Use in combination with -v for detailed
                        statistics.

     -p payload         Optional parameter to specify payload.

     -q sequence number
                        Optional parameter to specify sequence number. This is
                        useful when attempting to identify a spoofed address
                        that was generated from pixilate when used in
                        combination with -i ip id

     -r                 Input file specified by -f filename is a Cisco IOS
                        formatted access-list (inverted mask) rather than the
                        default Cisco PIX formatted access-list (normal mask).

     -s source ip address
                        Default source IP address to be used when source
                        address is 'any' If omitted, a random soure address is
                        chosen.

     -S source port     Default source port to be used when source port is
                        'any'. If omitted, the default source port is 1025.

     -v                 Verbose mode. Displays statistics for each packet
                        sent.

EXAMPLE ACCESS LISTS
     See the included example-acl.txt for several examples

     access-list acl_ID {deny | permit} icmp {source_addr | local_addr}
     {source_mask | local_mask} {destination_addr | remote_addr}
     {destination_mask | remote_mask} icmp_type

     access-list id {deny | permit} icmp {source_addr | local_addr}
     {source_mask | local_mask} | object-group network_obj_grp_id
     {destination_addr | remote_addr} {destination_mask | remote_mask} |
     object-group network_obj_grp_id [icmp_type | object-group
     icmp_type_obj_grp_id]

     access-list acl_ID {deny | permit} protocol {source_addr | local_addr}
     {source_mask | local_mask}[operator port [port] {destination_addr |
     remote_addr} {destination_mask | remote_mask} [operator port [port]

     access-list id {deny | permit}{protocol | object-group
     protocol_obj_grp_id {source_addr | local_addr} {source_mask | local_mask}
     | object-group network_obj_grp_id [operator port [port] | object-group
     service_obj_grp_id] {destination_addr | remote_addr} {destination_mask |
     remote_mask} | object-group network_obj_grp_id [operator port [port] |
     object-group service_obj_grp_id]}

     pixilate also supports its own internal payload literal that can be
     supplied at the end of any or all Extended (100-199) ACLs. The format for
     this literal is payload "payload in quotes" See example-acl.txt. This
     overides the -p option only for the specific ACL.

HOW PIXILATE INTERPRETS THE ACCESS-LIST
     acl_ID Name of an access list. You can use either a name or number.

     pixilate uses acl_ID to determine if the ACL is Simple (0-99) where only
     the source address is known or Extended (100-199) where both the source
     and destination addresses are known.

     compiled Turbo ACLs are skipped by pixilate

     deny pixilate keeps track of the number of deny acl packets sent for
     informational purposes only. A packet is sent regardless of the acl being
     marked permit or deny.  destination_addr IP address of the network or
     host to which the packet is being sent.

     destination_mask Netmask to be applied to destination_addr, if the
     destination address is a network mask. In this case, a random IP address
     valid for the networkmask/netmask is randomly generated. If the -r option
     is specified (Processing an IOS access-list), the destination_mask is
     treated as an inverted mask and is "flipped" before processing. For
     example: 0.0.0.255 becomes 255.255.255.0

     icmp_type pixilate is capable of generating echo-reply(0),
     unreachable(3), redirect(5), echo(8), time-exceeded(11), timestamp-
     reply(13), timestamp-request(14), mask-request(17), mask-reply(18)
     packets. icmp_type can be referred to by the name or the protocol number.
     NOTE: redirect (icmp_type 5) packets required the -g option.

     local_addr address of network or host local to the Firewall.

     local_mask netmask to be applied to local_addr if the local address is a
     network mask. If the -r option is specified (Processing an IOS access-
     list), the local_mask is treated as an inverted mask and is "flipped"
     before processing. For example: 0.0.0.255 becomes 255.255.255.0

     object-group object-group information is ignored by pixilate

     object_grp_id object_group_id is ignored by pixilate operator The
     operator compares the source ip address or destination ip address ports.
     Possible operands include lt for less than, gt for greater than, eq of
     equal, neq for not equal, and range for an inclusive range.  pixilate
     will randomly choose a source or destination port based on the operator.

     permit keeps track of the number of permit acl packets sent for
     informational purposes only. A packet is sent regardless of the acl being
     marked permit or deny.

     port services you permit or deny access to. You can specify ports by
     either a literal name or a number in the range or 0 to 65535. If a port
     is not specified one will be generated randomly.  pixilate supports the
     following PIX TCP port literals: bgp, chargen, cmd, citrix-ica, daytime,
     discard, domain, echo, exec, finger, ftp, ftp-data, gopher, h323,
     hostname, http, ident, irc, klogin, kshell, lpd, nntp, pop2, pop3, pptp,
     rpc, smtp, sqlnet, sunrpc, tacacs, talk, telnet, time, uucp, whois, and
     www.  pixilate supports the following PIX UDP port literals: biff,
     bootpc, bootps, discard, dnsix, echo, mobile-ip, nameserver, netbios-dgm,
     netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs, talk, tftp,
     time, who, and xdmcp. It is possible to specify a default source port
     with the -S option, and a default destination port of -D If not
     specified, the default source port is 1025 and the default destination
     port is 80.

     protocol supported literals include icmp, tcp, udp, igmp. To match any
     Internet protocol use the keyword ip.

     source_address address of the network or host from with the packet is
     being sent.  pixilate is of course capable of spoofing source addresses.
     If the keyword any is used, a source address is randomly generated unless
     one is supplied with the -s option.

     remote_addr IP address of the network or host remote to the firewall. It
     is a good idea to specify a destination address that is behind the
     firewall *hint, hint* with the -d option.

     remote_mask netmask to be applied to remote_addr, if the remote address
     is a network mask. In this case, a random IP address valid for the
     networkmask/netmask is randomly generated. If the -r option is specified
     (Proccessing an IOS access-list), the remote_mask is treated as an
     inverted mask and is "flipped" before processing. For example: 0.0.0.255
     becomes 255.255.255.0

COMPATIBILITY
     Requires libnet 1.1.x available at http://www.packetfactory.net pixilate
     has been tested on FreeBSD 4.7 and Linux using automake 1.5 and autoconf
     2.53

AUTHORS
     This manual page was written by Kirby Kuehl
     <vacuum@users.sourceforge.net.> http://winfingerprint.sourceforge.net

DragonFly 6.5-DEVELOPMENT       April 25, 2003       DragonFly 6.5-DEVELOPMENT