From 2f23cbc73bf566a9bb7822833bcf6dbcaa3f748d Mon Sep 17 00:00:00 2001 From: Joao Eriberto Mota Filho Date: Thu, 19 Jan 2017 15:34:33 -0200 Subject: [PATCH] Updated manpage --- man/generate-man.sh | 2 +- man/packit.8 | 110 +++++++++++++++++++++----------------------- man/packit.txt | 105 ++++++++++++++++++++---------------------- 3 files changed, 104 insertions(+), 113 deletions(-) diff --git a/man/generate-man.sh b/man/generate-man.sh index 1bd606b..ce3c1f0 100755 --- a/man/generate-man.sh +++ b/man/generate-man.sh @@ -4,7 +4,7 @@ # Copyright 2016 Joao Eriberto Mota Filho # This file is under BSD-3-Clause -P_DATA="18 Jan 2017" +P_DATA="19 Jan 2017" P_NAME=packit P_VERSION=1.5 P_MANLEVEL=8 diff --git a/man/packit.8 b/man/packit.8 index 780f5f7..a1beb99 100644 --- a/man/packit.8 +++ b/man/packit.8 @@ -1,5 +1,5 @@ .\" Text automatically generated by txt2man -.TH packit 8 "18 Jan 2017" "packit-1.5" "Packet analysis and injection tool" +.TH packit 8 "19 Jan 2017" "packit-1.5" "Packet analysis and injection tool" .SH NAME \fBPackit \fP- packet analysis and injection tool \fB @@ -26,7 +26,7 @@ Packit is a network auditing tool. It's value is derived from its ability to customize, \fIinject\fP, monitor, and manipulate IP traffic. By allowing you to define (spoof) all TCP, UDP, ICMP, IP, ARP, RARP and Ethernet header options, -Packit can be useful in testing firewalls, intrusion detection systems, port +Packit can be useful to test firewalls, intrusion detection systems, port scanning, simulating network traffic and general TCP/IP auditing. Packit is also an excellent tool for learning TCP/IP. .SH PACKIT BASE OPTIONS @@ -34,7 +34,7 @@ also an excellent tool for learning TCP/IP. .B \fB-m\fP mode Select a runtime mode. Currently supported modes -are \fIcapture\fP, \fIinject\fP and trace. The default is \fIinject\fP. +are \fIcapture\fP, \fIinject\fP and trace. The default mode is \fIinject\fP. .SH PACKET CAPTURE OPTIONS \fBPacket\fP \fIcapture\fP options are as follows: .TP 
@@ -94,9 +94,9 @@ Display hexadecimal & ascii dump of each packet up to snap length bytes. \fIexpression\fP Selects which packets should be displayed. If no \fIexpression\fP is given, all packets are displayed. This option is based in pcap -library. See the \fBtcpdump\fP(1) manpage for more detailed information. +library. See the \fBpcap-filter\fP(7) manpage for more detailed information. .SH PACKET INJECTION AND TRACE -\fBPacket\fP injection is used to define and \fIinject\fP IP based network traffic onto +\fBPacket\fP injection is used to define and \fIinject\fP a network traffic onto your network. You have the ability to define essentially any ARP, IP, TCP, UDP, ICMP and Ethernet header value. This can be valuable in a number of ways, including testing firewalls, intrusion detection systems, simulating traffic @@ -301,8 +301,7 @@ Debian systems this \fIfile\fP can be found at /usr/share/doc/\fBpackit\fP/ICMP. \fB-C\fP code Specify the ICMP code. See docs/ICMP.txt for details on codes. On Debian systems this \fIfile\fP can be found at /usr/share/doc/\fBpackit\fP/ICMP.txt. -.PP -ECHO REQUEST / ECHO REPLY OPTIONS +.SS ICMP ECHO REQUEST AND ECHO REPLY OPTIONS .TP .B \fB-N\fP id number @@ -311,10 +310,8 @@ by default. .TP .B \fB-Q\fP sequence number -Define the 16-bit ICMP sequence number. This value is random by -default. -.PP -UNREACHABLE / REDIRECT / TIME EXCEEDED OPTIONS +Define the 16-bit ICMP sequence number. This value is random by default. +.SS ICMP UNREACHABLE OR REDIRECT OR TIME EXCEEDED OPTIONS .TP .B \fB-g\fP gateway @@ -356,8 +353,7 @@ Define the Type of Service of the original packet. See the \fB-P\fP \fIprotocol\fP Define the \fIprotocol\fP of the original packet. This option defaults to UDP. -.PP -MASK REQUEST / MASK REPLY OPTIONS +.SS MASK REQUEST AND MASK REPLY OPTIONS .TP .B \fB-N\fP id number 
@@ -373,8 +369,7 @@ default. \fB-G\fP address mask Define the address network mask. The default value for this option is 255.255.255.0. -.PP -TIMESTAMP REQUEST / TIMESTAMP REPLY OPTIONS +.SS TIMESTAMP REQUEST AND TIMESTAMP REPLY OPTIONS .TP .B \fB-N\fP id number @@ -410,11 +405,11 @@ Define the ARP / RARP / IRARP operation type. The valid options are as follows: .RS .IP \(bu 3 -1 : ARP Request (Default for ARP packages.) +1 : ARP Request (Default for ARP packages) .IP \(bu 3 2 : ARP Reply .IP \(bu 3 -3 : Reverse ARP Request (Default for RARP packages.) +3 : Reverse ARP Request (Default for RARP packages) .IP \(bu 3 4 : Reverse ARP Reply .IP \(bu 3 @@ -433,11 +428,11 @@ Use a random target host IP address. .TP .B \fB-Y\fP target ethernet address -The ethernet (hardware) address of the target host. +The Ethernet (hardware) address of the target host. .TP .B \fB-YR\fP -Usage a random target host ethernet address. +Usage a random target host Ethernet address. .TP .B \fB-x\fP sender IP address 
@@ -449,70 +444,70 @@ Use a random sender host IP address. .TP .B \fB-X\fP sender ethernet address -The ethernet (hardware) address of the sender host. +The Ethernet (hardware) address of the sender host. .TP .B \fB-XR\fP -Usage a random sender host ethernet address. +Usage a random sender host Ethernet address. .SH ETHERNET HEADER OPTIONS This section documents the Ethernet header command-line options. .TP .B \fB-e\fP src ethernet address -The ethernet (hardware) address the packet will appear to come from. +The Ethernet (hardware) address the packet will appear to come from. +If not defined, the original Ethernet address will be used. .TP .B \fB-eR\fP -Use a random source ethernet address. If you define this, you will most -likely need to define the destination ethernet header value as well. When -using either \fB-e\fP or \fB-E\fP, you enable link level packet injection and enable -link level packet injection and the destination cannot be auto-defined -while injecting in this manner. +Use a random source Ethernet address. If you define this, you will most +likely need to define the destination Ethernet header value as well. When +using either \fB-e\fP or \fB-E\fP, you enable link level packet injection and the +destination cannot be auto-defined while injecting in this manner. .TP .B \fB-E\fP dst ethernet address -The ethernet (hardware) of the next routable \fIinterface\fP the packet +The Ethernet (hardware) of the next routable \fIinterface\fP which the packet will cross while making it's way to the destination. .TP .B \fB-ER\fP -Use a random destination ethernet address. The following two rules should +Use a random destination Ethernet address. The following two rules should be followed if you actually want the destination to receive the packets you're sending: .RS .IP 1. 
4 If the destination exists beyond your default route (gateway), -the destination ethernet address should be set to the default -routes address should be set to the default routes ethernet -address. This can typically be found by using the \fBarp\fP(8) command. +the destination Ethernet address should be set to the default +routes Ethernet address. This can typically be found by using +the \fBarp\fP(8) command. .IP 2. 4 If the destination exists on your subnet, the destination -ethernet address should be set to its ethernet address. This -can typically be found by using the arp command. +Ethernet address should be set to its Ethernet address. This +can typically be found by using the \fBarp\fP(8) command. .SH PACKET CAPTURE EXAMPLES -To print all TCP communications that doesn't revolve around SSH (port 22): +Print all TCP communications that doesn't revolve around SSH (port 22): .PP .nf .fam C - packit -m cap 'tcp and not port 22' + # packit -m cap 'tcp and not port 22' .fam T .fi -To print the start and end packets (the SYN and FIN pack- ets) of each TCP +Print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host, don't resolve addresses and display hex/ascii dump of the packet: .PP .nf .fam C - packit -m cap -nX 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet' + # packit -m cap -nX 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet' .fam T .fi -To write the first 10 ICMP packets captured to a \fIfile\fP: +Write the first 10 ICMP packets captured to a \fIfile\fP: .PP .nf .fam C - packit -m cap -c 10 -w /tmp/mylog 'icmp' + # packit -m cap -c 10 -w /tmp/mylog 'icmp' .fam T .fi @@ -522,7 +517,7 @@ host '192.168.0.1' and watch for a response: .PP .nf .fam C - packit -t icmp -s 3.1.33.7 -d 192.168.0.1 -c 10 -h + # packit -t icmp -s 3.1.33.7 -d 192.168.0.1 -c 10 -h .fam T .fi 
@@ -531,18 +526,18 @@ address mask of 255.255.255.0: .PP .nf .fam C - packit -t icmp -K 18 -d 127.0.0.1 -N 211 -G 255.255.255.0 + # packit -t icmp -K 18 -d 127.0.0.1 -N 211 -G 255.255.255.0 .fam T .fi Inject 5 TCP packets from random hosts to 'www.example.com' with the SYN flag -set, a window size of 666, a random source ethernet address, a destination -ethernet address of 00:53:00:0f:00:0d, with a payload of "HI JOHN", displaying +set, a window size of 666, a random source Ethernet address, a destination +Ethernet address of 00:53:00:0f:00:0d, with a payload of "HI JOHN", displaying each packet injected. .PP .nf .fam C - packit -sR -d www.example.com -F S -c 5 -W 666 -eR -E 00:53:00:0f:00:0d -p 'HI JOHN' -v + # packit -sR -d www.example.com -F S -c 5 -W 666 -eR -E 00:53:00:0f:00:0d -p 'HI JOHN' -v .fam T .fi @@ -550,18 +545,18 @@ or simplifying the MAC address: .PP .nf .fam C - packit -sR -d www.example.com -F S -c 5 -W 666 -eR -E 0:53:0:f:00:d -p 'HI JOHN' -v + # packit -sR -d www.example.com -F S -c 5 -W 666 -eR -E 0:53:0:f:00:d -p 'HI JOHN' -v .fam T .fi Inject a total of 1000 TCP packets in 20 packet per second bursts from 192.168.0.1 on port 403 to 192.168.0.20 on port 80 with the SYN and RST -flags set, a sequence number of 12345678910 and a source ethernet address +flags set, a sequence number of 12345678910 and a source Ethernet address of 0:0:0:0:0:0: .PP .nf .fam C - packit -s 192.168.0.1 -d 192.168.0.20 -S 403 -D 80 -F SR -q 12345678910 -c 1000 -b 20 -e 0:0:0:0:0:0 + # packit -s 192.168.0.1 -d 192.168.0.20 -S 403 -D 80 -F SR -q 12345678910 -c 1000 -b 20 -e 0:0:0:0:0:0 .fam T .fi 
@@ -570,17 +565,17 @@ with the SYN flag set and display each packet we send: .PP .nf .fam C - packit -s 10.22.41.6 -d 172.16.1.3 -D 1-1024 -F S -v + # packit -s 10.22.41.6 -d 172.16.1.3 -D 1-1024 -F S -v .fam T .fi Inject a broadcast ARP reply stating that 4.3.2.1 is at 00:53:00:01:02:03. -Also, spoof the source ethernet address for a little more authenticity and +Also, spoof the source Ethernet address for a little more authenticity and supply the payload in hex: .PP .nf .fam C - packit -t arp -A 2 -x 4.3.2.1 -X 5:4:3:2:1:0 -e 00:53:00:01:02:03 -p '0x 70 61 63 6B 69 74' + # packit -t arp -A 2 -x 4.3.2.1 -X 5:4:3:2:1:0 -e 00:53:00:01:02:03 -p '0x 70 61 63 6B 69 74' .fam T .fi @@ -589,7 +584,7 @@ Appear as a DNS response by using a UDP source port of 53 (DNS): .PP .nf .fam C - packit -m trace -t UDP -d 192.168.2.35 -S 53 + # packit -m trace -t UDP -d 192.168.2.35 -S 53 .fam T .fi @@ -597,15 +592,15 @@ Appear as HTTP traffic by using TCP port 80: .PP .nf .fam C - packit -m trace -t TCP -d www.google.com -S 80 -FS + # packit -m trace -t TCP -d www.google.com -S 80 -FS .fam T .fi .SH SEE ALSO -\fBpcap\fP(3), \fBpcap-filter\fP(7), \fBtcpdump\fP(1) +\fBarp\fP(8), \fBpcap\fP(3), \fBpcap-filter\fP(7), \fBtcpdump\fP(1) .SH BUGS .IP \(bu 3 -Due to limitations in some versions of *BSD, specifying arbitrary ethernet +Due to limitations in some versions of *BSD, specifying arbitrary Ethernet and/or ARP header data may not be supported. .IP \(bu 3 ARP \fIcapture\fP data is incomplete. 
@@ -615,6 +610,7 @@ to https://github.com/eribertomota/\fBpackit\fP/issues .SH AUTHOR The original autor of \fBpackit\fP is Darren Bounds. The current project maintainer is Joao Eriberto Mota Filho. There are other new authors. Please, see AUTHORS -\fIfile\fP. +\fIfile\fP in source code. To help in development, see CONTRIBUTING.md. On Debian +systems, these files will be available at /usr/share/doc/\fBpackit\fP/. .PP -The latest version can be found at https://github.com/eribertomota/\fBpackit\fP +The latest version of Packit can be found at https://github.com/eribertomota/\fBpackit\fP diff --git a/man/packit.txt b/man/packit.txt index e740a3f..22f9e8c 100644 --- a/man/packit.txt +++ b/man/packit.txt @@ -53,11 +53,11 @@ PACKET CAPTURE OPTIONS library. See the pcap-filter(7) manpage for more detailed information. PACKET INJECTION AND TRACE - Packet injection is used to define and inject IP based network traffic onto + Packet injection is used to define and inject a network traffic onto your network. You have the ability to define essentially any ARP, IP, TCP, UDP, ICMP and Ethernet header value. This can be valuable in a number of ways, including testing firewalls, intrusion detection systems, simulating traffic - flow and general TCP/IP auditing. + flow and general TCP/IP auditing. CHOOSE A PROTOCOL -t protocol 
@@ -190,17 +190,14 @@ ICMP HEADER OPTIONS -C code Specify the ICMP code. See docs/ICMP.txt for details on codes. On Debian systems this file can be found at /usr/share/doc/packit/ICMP.txt. - ECHO REQUEST / ECHO REPLY OPTIONS - + ICMP ECHO REQUEST AND ECHO REPLY OPTIONS -N id number Define the 16-bit ICMP identification number. This value is random by default. -Q sequence number - Define the 16-bit ICMP sequence number. This value is random by - default. - - UNREACHABLE / REDIRECT / TIME EXCEEDED OPTIONS + Define the 16-bit ICMP sequence number. This value is random by default. + ICMP UNREACHABLE OR REDIRECT OR TIME EXCEEDED OPTIONS -g gateway Define the gateway in which to redirect traffic to. This option is only used for ICMP redirects (type 5). @@ -217,7 +214,6 @@ ICMP HEADER OPTIONS defaults to 128. -M id Define the IP ID of the original packet. This option defaults to random. - -O type of service Define the Type of Service of the original packet. See the -o option for the possible values. @@ -225,8 +221,7 @@ ICMP HEADER OPTIONS Define the protocol of the original packet. This option defaults to UDP. - MASK REQUEST / MASK REPLY OPTIONS - + MASK REQUEST AND MASK REPLY OPTIONS -N id number Define the 16-bit ICMP identification number. This value is random by default. @@ -237,8 +232,7 @@ ICMP HEADER OPTIONS Define the address network mask. The default value for this option is 255.255.255.0. - TIMESTAMP REQUEST / TIMESTAMP REPLY OPTIONS - + TIMESTAMP REQUEST AND TIMESTAMP REPLY OPTIONS -N id number Define the 16-bit ICMP identification number. This value is random by default. 
@@ -263,9 +257,9 @@ ARP AND RARP HEADER OPTIONS Define the ARP / RARP / IRARP operation type. The valid options are as follows: - - 1 : ARP Request (Default for ARP packages.) + - 1 : ARP Request (Default for ARP packages) - 2 : ARP Reply - - 3 : Reverse ARP Request (Default for RARP packages.) + - 3 : Reverse ARP Request (Default for RARP packages) - 4 : Reverse ARP Reply - 5 : Inverse ARP Request - 6 : Inverse ARP Reply 
@@ -274,110 +268,110 @@ ARP AND RARP HEADER OPTIONS The IP address of the target host. -yR Use a random target host IP address. -Y target ethernet address - The ethernet (hardware) address of the target host. - -YR Usage a random target host ethernet address. + The Ethernet (hardware) address of the target host. + -YR Usage a random target host Ethernet address. -x sender IP address The IP address of the sender host. -xR Use a random sender host IP address. -X sender ethernet address - The ethernet (hardware) address of the sender host. - -XR Usage a random sender host ethernet address. + The Ethernet (hardware) address of the sender host. + -XR Usage a random sender host Ethernet address. ETHERNET HEADER OPTIONS This section documents the Ethernet header command-line options. -e src ethernet address - The ethernet (hardware) address the packet will appear to come from. - -eR Use a random source ethernet address. If you define this, you will most - likely need to define the destination ethernet header value as well. When - using either -e or -E, you enable link level packet injection and enable - link level packet injection and the destination cannot be auto-defined - while injecting in this manner. + The Ethernet (hardware) address the packet will appear to come from. + If not defined, the original Ethernet address will be used. + -eR Use a random source Ethernet address. If you define this, you will most + likely need to define the destination Ethernet header value as well. When + using either -e or -E, you enable link level packet injection and the + destination cannot be auto-defined while injecting in this manner. -E dst ethernet address - The ethernet (hardware) of the next routable interface the packet + The Ethernet (hardware) of the next routable interface which the packet will cross while making it's way to the destination. - -ER Use a random destination ethernet address. The following two rules should + -ER Use a random destination Ethernet address. 
The following two rules should be followed if you actually want the destination to receive the packets you're sending: 1. If the destination exists beyond your default route (gateway), - the destination ethernet address should be set to the default - routes address should be set to the default routes ethernet - address. This can typically be found by using the arp(8) command. + the destination Ethernet address should be set to the default + routes Ethernet address. This can typically be found by using + the arp(8) command. 2. If the destination exists on your subnet, the destination - ethernet address should be set to its ethernet address. This - can typically be found by using the arp command. + Ethernet address should be set to its Ethernet address. This + can typically be found by using the arp(8) command. PACKET CAPTURE EXAMPLES - To print all TCP communications that doesn't revolve around SSH (port 22): + Print all TCP communications that doesn't revolve around SSH (port 22): - packit -m cap 'tcp and not port 22' + # packit -m cap 'tcp and not port 22' - To print the start and end packets (the SYN and FIN pack- ets) of each TCP + Print the start and end packets (the SYN and FIN packets) of each TCP conversation that involves a non-local host, don't resolve addresses and display hex/ascii dump of the packet: - packit -m cap -nX 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet' + # packit -m cap -nX 'tcp[tcpflags] & (tcp-syn|tcp-fin) != 0 and not src and dst net localnet' - To write the first 10 ICMP packets captured to a file: + Write the first 10 ICMP packets captured to a file: - packit -m cap -c 10 -w /tmp/mylog 'icmp' + # packit -m cap -c 10 -w /tmp/mylog 'icmp' PACKET INJECTION EXAMPLES Inject 10 ICMP type 8 (echo request) packets from host '3.1.33.7' to host '192.168.0.1' and watch for a response: - packit -t icmp -s 3.1.33.7 -d 192.168.0.1 -c 10 -h + # packit -t icmp -s 3.1.33.7 -d 192.168.0.1 -c 10 -h Inject an ICMP type 18 (mask 
reply) packet with an ICMP id of 211 and an address mask of 255.255.255.0: - packit -t icmp -K 18 -d 127.0.0.1 -N 211 -G 255.255.255.0 + # packit -t icmp -K 18 -d 127.0.0.1 -N 211 -G 255.255.255.0 Inject 5 TCP packets from random hosts to 'www.example.com' with the SYN flag - set, a window size of 666, a random source ethernet address, a destination - ethernet address of 00:53:00:0f:00:0d, with a payload of "HI JOHN", displaying + set, a window size of 666, a random source Ethernet address, a destination + Ethernet address of 00:53:00:0f:00:0d, with a payload of "HI JOHN", displaying each packet injected. - packit -sR -d www.example.com -F S -c 5 -W 666 -eR -E 00:53:00:0f:00:0d -p 'HI JOHN' -v + # packit -sR -d www.example.com -F S -c 5 -W 666 -eR -E 00:53:00:0f:00:0d -p 'HI JOHN' -v or simplifying the MAC address: - packit -sR -d www.example.com -F S -c 5 -W 666 -eR -E 0:53:0:f:00:d -p 'HI JOHN' -v + # packit -sR -d www.example.com -F S -c 5 -W 666 -eR -E 0:53:0:f:00:d -p 'HI JOHN' -v Inject a total of 1000 TCP packets in 20 packet per second bursts from 192.168.0.1 on port 403 to 192.168.0.20 on port 80 with the SYN and RST - flags set, a sequence number of 12345678910 and a source ethernet address + flags set, a sequence number of 12345678910 and a source Ethernet address of 0:0:0:0:0:0: - packit -s 192.168.0.1 -d 192.168.0.20 -S 403 -D 80 -F SR -q 12345678910 -c 1000 -b 20 -e 0:0:0:0:0:0 + # packit -s 192.168.0.1 -d 192.168.0.20 -S 403 -D 80 -F SR -q 12345678910 -c 1000 -b 20 -e 0:0:0:0:0:0 Inject a TCP packets from 10.22.41.6 to 172.16.1.3 on ports ranging from 1-1024 with the SYN flag set and display each packet we send: - packit -s 10.22.41.6 -d 172.16.1.3 -D 1-1024 -F S -v + # packit -s 10.22.41.6 -d 172.16.1.3 -D 1-1024 -F S -v Inject a broadcast ARP reply stating that 4.3.2.1 is at 00:53:00:01:02:03. 
- Also, spoof the source ethernet address for a little more authenticity and + Also, spoof the source Ethernet address for a little more authenticity and supply the payload in hex: - packit -t arp -A 2 -x 4.3.2.1 -X 5:4:3:2:1:0 -e 00:53:00:01:02:03 -p '0x 70 61 63 6B 69 74' + # packit -t arp -A 2 -x 4.3.2.1 -X 5:4:3:2:1:0 -e 00:53:00:01:02:03 -p '0x 70 61 63 6B 69 74' TRACE ROUTE EXAMPLES Appear as a DNS response by using a UDP source port of 53 (DNS): - packit -m trace -t UDP -d 192.168.2.35 -S 53 + # packit -m trace -t UDP -d 192.168.2.35 -S 53 Appear as HTTP traffic by using TCP port 80: - packit -m trace -t TCP -d www.google.com -S 80 -FS + # packit -m trace -t TCP -d www.google.com -S 80 -FS SEE ALSO - pcap(3), pcap-filter(7), tcpdump(1) + arp(8), pcap(3), pcap-filter(7), tcpdump(1) BUGS - - Due to limitations in some versions of *BSD, specifying arbitrary ethernet + - Due to limitations in some versions of *BSD, specifying arbitrary Ethernet and/or ARP header data may not be supported. - ARP capture data is incomplete. @@ -388,6 +382,7 @@ BUGS AUTHOR The original autor of packit is Darren Bounds. The current project maintainer is Joao Eriberto Mota Filho. There are other new authors. Please, see AUTHORS - file in source code. On Debian systems, the file will be available at /usr/share/doc/packit/. + file in source code. To help in development, see CONTRIBUTING.md. On Debian + systems, these files will be available at /usr/share/doc/packit/. - The latest version can be found at https://github.com/eribertomota/packit + The latest version of Packit can be found at https://github.com/eribertomota/packit
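
Review bot: in the man/packit.8 hunk at -94,9 (and the matching man/packit.txt hunk at -53,11) the new wording "inject a network traffic onto your network" is ungrammatical, since "traffic" takes no article. Dropping "IP based" is reasonable because the same paragraph lists ARP and Ethernet headers, so suggest "define and inject network traffic onto your network". In the packit.txt hunk the removed and added "flow and general TCP/IP auditing." lines read identically; if that change only adds trailing whitespace, drop it.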
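
Review bot: the new subsection titles in the man/packit.8 hunks at -356,8 and -373,8 ("MASK REQUEST AND MASK REPLY OPTIONS", "TIMESTAMP REQUEST AND TIMESTAMP REPLY OPTIONS") lack the "ICMP" prefix that the two earlier .SS titles gained ("ICMP ECHO REQUEST AND ECHO REPLY OPTIONS", "ICMP UNREACHABLE OR REDIRECT OR TIME EXCEEDED OPTIONS"). All four sit under ICMP HEADER OPTIONS, so prefix all of them or none. "UNREACHABLE OR REDIRECT OR TIME EXCEEDED" would also read better as "UNREACHABLE, REDIRECT AND TIME EXCEEDED".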
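
Review bot: the lines touched in the man/packit.8 hunk at -410,11 still say "Default for ARP packages" and "Default for RARP packages"; these are packets, not packages. Since the hunk already rewrites both lines to drop the full stop, change them to "Default for ARP packets" and "Default for RARP packets" in the same edit.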
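
Review bot: in the man/packit.8 hunk at -433,11 the rewritten -YR line keeps "Usage a random target host Ethernet address" (the -XR line in the next hunk does the same), while the sibling options -yR and -xR read "Use a random ...". Change "Usage" to "Use" so the four random-address options are worded alike.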
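
Review bot: in the ETHERNET HEADER OPTIONS part of the man/packit.8 hunk at -449,70, the -E description now reads "The Ethernet (hardware) of the next routable interface which the packet will cross while making it's way", which is missing the noun "address" after "(hardware)" and uses "it's" for "its". The added sentence "If not defined, the original Ethernet address will be used." is also ambiguous about what "original" refers to; say whose address it is (for example the sending interface's own address, if that is the behaviour). In rule 1, "the default routes Ethernet address" needs the possessive: "the default route's Ethernet address".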
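
Review bot: the "# " prefix added to the command in the man/packit.8 hunk at -522,7 (and to every other example in this patch) is never explained. It reads as a root prompt, but none of the visible text states that packit has to run with root privileges, and a reader who pastes the line into a shell gets a comment that does nothing. Either add one sentence ahead of the examples stating the privilege requirement and that "#" denotes the root prompt, or leave the commands unprefixed.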
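
Review bot: the example kept in the man/packit.8 hunk at -550,18 documents "a sequence number of 12345678910" and passes "-q 12345678910", but a TCP sequence number is a 32-bit field whose maximum is 4294967295, so the documented value cannot appear on the wire as written. Since the paragraph is being edited anyway, replace it with an in-range value so the example matches what a capture would show.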
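
Review bot: in the man/packit.8 hunk at -570,17 the ARP example's description and command disagree. The text says the reply states "that 4.3.2.1 is at 00:53:00:01:02:03", yet the command gives "-X 5:4:3:2:1:0" (documented above as the sender Ethernet address in the ARP header) and "-e 00:53:00:01:02:03" (documented as the Ethernet source address). As documented, the ARP payload would advertise 5:4:3:2:1:0, with 00:53:00:01:02:03 only in the frame header. Swap the two values or reword the description so a reader checking the result in a capture sees what the text promises.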
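
Review bot: in the AUTHOR section of the man/packit.8 hunk at -615,6 (and the man/packit.txt hunk at -388,6) the context line "The original autor of packit" still carries the typo "autor" directly above the lines being rewritten; fix it to "author" here. "Please, see AUTHORS file in source code" would also read better as "Please see the AUTHORS file in the source code".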
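
Review bot: the man/packit.txt hunk at -274,110 capitalises "Ethernet" in the descriptions but leaves the option labels as "-Y target ethernet address", "-X sender ethernet address", "-e src ethernet address" and "-E dst ethernet address", so the same page now spells the word two ways. Capitalise the labels as well, or state that labels are deliberately lower case. In the same hunk, "Print all TCP communications that doesn't revolve around SSH" should be "that don't revolve". Because man/packit.8 is marked "Text automatically generated by txt2man", make these fixes in packit.txt and regenerate rather than editing both files by hand.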