Manual Reference Pages  -  PIXILATE (1)

NAME

pixilate - parses an input file containing Cisco PIX 6.2x - PIX 6.3x (normal mask) or Cisco IOS (inverted mask) access-list entries and generates the corresponding packets. For information on writing PIX access lists, see http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/ab.htm#xtocid7 and http://www.cisco.com/warp/public/707/confaccesslists.html#intro for Cisco IOS access-lists.

pixilate - is currently capable of generating TCP, UDP, ICMP (various ICMP types) and IGMP packets using the Libnet 1.1.x library available from http://www.packetfactory.net. NOTE: Libnet 1.0.x is NOT compatible.

CONTENTS

Options
Example Access Lists
How Pixilate Interprets The Access-list
Compatibility
Authors

OPTIONS

pixilate [-f access-list] [-dDfghimopqrsSv]

The options are as follows:
-d destination ip address
  Required argument. The default destination IP address is needed to ensure that the packet reaches the intended target when an Extended ACL with ’any’ as a destination or a Simple ACL (0-99) is encountered. This IP should obviously be on the inside of the firewall.
-D destination port
  Default destination port to be used when the destination port is ’any’. If omitted, the default destination port is 80.
-f filename Required argument. Filename written in PIX 6.2x - PIX 6.3x access-list format to be parsed.
-g gateway address
  Optional parameter to specify the gateway IP address. This parameter is only used for ICMP redirect packet generation.
-h Displays pixilate usage.
-i ip id Optional parameter to specify the IP ID. This is useful when attempting to identify a spoofed address that was generated by pixilate, when used in combination with -q sequence number.
-m permit|deny
  Optional parameter to process only permit or only deny ACLs. By default, pixilate generates packets for both permit and deny ACLs.
-o filename Optional parameter to redirect standard output to filename. Use in combination with -v for detailed statistics.
-p payload Optional parameter to specify the payload.
-q sequence number
  Optional parameter to specify the sequence number. This is useful when attempting to identify a spoofed address that was generated by pixilate, when used in combination with -i ip id.
-r Input file specified by -f filename is a Cisco IOS formatted access-list (inverted mask) rather than the default Cisco PIX formatted access-list (normal mask).
-s source ip address
  Default source IP address to be used when the source address is ’any’. If omitted, a random source address is chosen.
-S source port
  Default source port to be used when the source port is ’any’. If omitted, the default source port is 1025.
-v Verbose mode. Displays statistics for each packet sent.

EXAMPLE ACCESS LISTS

See the included example-acl.txt for several examples.

access-list acl_ID {deny | permit} icmp {source_addr | local_addr} {source_mask | local_mask} {destination_addr | remote_addr} {destination_mask | remote_mask} icmp_type

access-list id {deny | permit} icmp {source_addr | local_addr} {source_mask | local_mask} | object-group network_obj_grp_id {destination_addr | remote_addr} {destination_mask | remote_mask} | object-group network_obj_grp_id [icmp_type | object-group icmp_type_obj_grp_id]

access-list acl_ID {deny | permit} protocol {source_addr | local_addr} {source_mask | local_mask} [operator port [port]] {destination_addr | remote_addr} {destination_mask | remote_mask} [operator port [port]]

access-list id {deny | permit} {protocol | object-group protocol_obj_grp_id} {source_addr | local_addr} {source_mask | local_mask} | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id] {destination_addr | remote_addr} {destination_mask | remote_mask} | object-group network_obj_grp_id [operator port [port] | object-group service_obj_grp_id]

pixilate also supports its own internal payload literal that can be supplied at the end of any or all Extended (100-199) ACLs. The format for this literal is payload "payload in quotes". See example-acl.txt. This overrides the -p option only for the specific ACL.

HOW PIXILATE INTERPRETS THE ACCESS-LIST

acl_ID Name of an access list. You can use either a name or a number.

pixilate uses acl_ID to determine whether the ACL is Simple (0-99), where only the source address is known, or Extended (100-199), where both the source and destination addresses are known.

compiled Turbo ACLs are skipped by pixilate.

deny pixilate keeps track of the number of deny ACL packets sent for informational purposes only. A packet is sent regardless of the ACL being marked permit or deny.

destination_addr IP address of the network or host to which the packet is being sent.

destination_mask Netmask to be applied to destination_addr, if the destination address is a network rather than a single host. In this case, a random IP address valid for the network/netmask is generated. If the -r option is specified (processing an IOS access-list), the destination_mask is treated as an inverted mask and is "flipped" before processing. For example: 0.0.0.255 becomes 255.255.255.0.

icmp_type pixilate is capable of generating echo-reply(0), unreachable(3), redirect(5), echo(8), time-exceeded(11), timestamp-reply(13), timestamp-request(14), mask-request(17), mask-reply(18) packets. icmp_type can be referred to by name or by number. NOTE: redirect (icmp_type 5) packets require the -g option.

local_addr Address of a network or host local to the firewall.

local_mask Netmask to be applied to local_addr if the local address is a network rather than a single host. If the -r option is specified (processing an IOS access-list), the local_mask is treated as an inverted mask and is "flipped" before processing. For example: 0.0.0.255 becomes 255.255.255.0.

object-group object-group information is ignored by pixilate.

object_grp_id object_group_id is ignored by pixilate.

operator The operator compares the source or destination port. Possible operands include lt for less than, gt for greater than, eq for equal, neq for not equal, and range for an inclusive range. pixilate will randomly choose a source or destination port based on the operator.

permit pixilate keeps track of the number of permit ACL packets sent for informational purposes only. A packet is sent regardless of the ACL being marked permit or deny.

port Services you permit or deny access to. You can specify ports by either a literal name or a number in the range 0 to 65535. If a port is not specified, one will be generated randomly. pixilate supports the following PIX TCP port literals: bgp, chargen, cmd, citrix-ica, daytime, discard, domain, echo, exec, finger, ftp, ftp-data, gopher, h323, hostname, http, ident, irc, klogin, kshell, lpd, nntp, pop2, pop3, pptp, rpc, smtp, sqlnet, sunrpc, tacacs, talk, telnet, time, uucp, whois, and www. pixilate supports the following PIX UDP port literals: biff, bootpc, bootps, discard, dnsix, echo, mobile-ip, nameserver, netbios-dgm, netbios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs, talk, tftp, time, who, and xdmcp. It is possible to specify a default source port with the -S option and a default destination port with -D. If not specified, the default source port is 1025 and the default destination port is 80.

protocol Supported literals include icmp, tcp, udp, igmp. To match any Internet protocol use the keyword ip.

source_addr Address of the network or host from which the packet is being sent. pixilate is of course capable of spoofing source addresses. If the keyword any is used, a source address is randomly generated unless one is supplied with the -s option.

remote_addr IP address of the network or host remote to the firewall. It is a good idea to specify a destination address that is behind the firewall *hint, hint* with the -d option.

remote_mask Netmask to be applied to remote_addr, if the remote address is a network rather than a single host. In this case, a random IP address valid for the network/netmask is generated. If the -r option is specified (processing an IOS access-list), the remote_mask is treated as an inverted mask and is "flipped" before processing. For example: 0.0.0.255 becomes 255.255.255.0.
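The interpretation rules above (and the ACL syntax forms under EXAMPLE ACCESS LISTS), worked through in Python as an added example; this is not pixilate's own code, which is C against libnet. It classifies an entry by acl_ID, flips an IOS inverted mask the way -r does, expands host/any address specs and reads an operator port clause. The sample entries are constructed here, and treating named ACLs and numbers outside 0-99 as Extended is an assumption of this example, not documented pixilate behaviour.

```python
import ipaddress

# Added example, not pixilate's own code: interpret one PIX or IOS access-list entry
# as the man page describes (simple vs extended, mask flipping, port operators).
# Sample entries are constructed here, not taken from the page's example-acl.txt.
SAMPLE_PIX = "access-list 101 permit tcp 10.1.0.0 255.255.0.0 host 192.168.1.10 eq www"
SAMPLE_IOS = "access-list 101 permit tcp 10.1.0.0 0.0.255.255 host 192.168.1.10 eq www"
SAMPLE_SIMPLE = "access-list 10 permit 10.1.2.0 0.0.0.255"
# A small subset of the PIX TCP port literals listed in the man page.
PORT_LITERALS = {"www": 80, "http": 80, "telnet": 23, "ftp": 21, "smtp": 25, "domain": 53}

def flip_mask(mask):
    """IOS inverted mask -> normal netmask, e.g. 0.0.0.255 -> 255.255.255.0 (the -r case)."""
    return str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(mask))))

def acl_kind(acl_id):
    """0-99 is Simple (source only), 100-199 Extended; names/other numbers as Extended is our assumption."""
    return "simple" if acl_id.isdigit() and int(acl_id) <= 99 else "extended"

def parse_addr(tok, i, ios):
    """Consume 'any' | 'host A' | 'A M' at tok[i]; return (IPv4Network or None, next index)."""
    if tok[i] == "any":
        return None, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    mask = flip_mask(tok[i + 1]) if ios else tok[i + 1]
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2

def parse_port(tok, i):
    """Consume an optional '<operator> port [port]' clause; return (clause or None, next index)."""
    if i < len(tok) and tok[i] in ("lt", "gt", "eq", "neq", "range"):
        n = 3 if tok[i] == "range" else 2
        ports = tuple(PORT_LITERALS[p] if p in PORT_LITERALS else int(p) for p in tok[i + 1:i + n])
        return (tok[i],) + ports, i + n
    return None, i

def parse_entry(line, ios=False):
    """Return a dict for one entry; ios=True mirrors pixilate's -r (inverted mask) mode."""
    tok = line.split()
    entry = {"acl_id": tok[1], "kind": acl_kind(tok[1]), "action": tok[2]}
    if entry["kind"] == "simple":
        entry["src"], _ = parse_addr(tok, 3, ios)
        return entry
    entry["protocol"] = tok[3]
    entry["src"], i = parse_addr(tok, 4, ios)
    entry["sport"], i = parse_port(tok, i)
    entry["dst"], i = parse_addr(tok, i, ios)
    entry["dport"], _ = parse_port(tok, i)
    return entry
```

With ios=True the IOS sample yields exactly the same dict as the PIX sample, which is the point of the mask flip.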

COMPATIBILITY

Requires libnet 1.1.x, available at http://www.packetfactory.net. pixilate has been tested on FreeBSD 4.7 and Linux using automake 1.5 and autoconf 2.53.

AUTHORS

This manual page was written by Kirby Kuehl <vacuum@users.sourceforge.net>. http://winfingerprint.sourceforge.net