|--fast||Only send packets to the network & broadcast address. This will speed up the sweep significantly but could result in some leaks not being detected.|
|--cfile <file>||Use alternate configuration file. netleak will by default look for ~/.netleak, /usr/local/etc/netleak.conf and /etc/netleak.conf. Command-line arguments always override anything from any configuration file.|
|--tfile <file>||Read targets from file. The format is one host per line in either hostname-format or CIDR-notation.|
|--spoof <target>||Specify the host waiting for packets on the other network, i.e. the Internet.|
Use the designated protocol to send packets.
UDP. Default is currently
IP: Will craft raw IP packets with a malicious IP header and provoke the target hosts to generate an ICMP Parameter Problem error message. Most routers should let such a packet through, depending on their interpretation of RFC 1812. The end host should, according to RFC 1122, try to validate the packet and generate our desired response. This feature is sort of experimental but should yield the best results. If you encounter a router that doesn't let this type of packet through, please let me know!
It appears that NAT devices react differently to these packets. I've tested it on a Speedstream and a Cisco 667, where the former would let them through and the latter would drop them.
ICMP: Will send a normal ICMP echo request that may trigger an ICMP echo response message with the data fields intact, thus preserving the signature. This option is the only one my Cisco 667 won't drop.
UDP: Will send a UDP packet with source & destination port set to 0. This should trigger an ICMP response which hopefully will have the data field copied to it. Depending on what OS the targeted host is running you might get different results. Linux 2.6.7 copies the data field nicely, but I've observed that Windows 2000 won't copy further than the IP header size + 8 bytes, which therefore only includes the UDP header.
Since routers react differently (one brand might drop ICMP whereas another only accepts exactly that), I suggest you use the --all option.
A string inside each packet used for identifying packets that made it into the external network. By default netleak will use "IP:" as prefix and the internal IP address as postfix. This way packets received by netleakd(8) will contain the internal IP address of the host that knew a path out.
You probably won't need to fiddle with this option unless you want to run netleak from several locations and need to differentiate them on the Internet.
NOTE!! You *must* use the same signature for both netleak and netleakd(8) or you won't get any results at all!
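The receiving side of the UDP mode and the default signature described above, as an added example (not netleak's or netleakd's own code): it pulls the signature out of an ICMP error payload and shows why a responder that quotes only the IP header + 8 bytes yields no result. The ASCII wire form of the signature, the function names and the sample addresses are assumptions; the sample packets are constructed in memory and never sent.

```python
import re
import socket
import struct

# Assumption: the default signature travels as ASCII "IP:" + dotted-quad address.
SIG_RE = re.compile(rb"IP:(\d{1,3}(?:\.\d{1,3}){3})")
ICMP_ERRORS = {3, 11, 12}  # unreachable, time exceeded, parameter problem

def extract_signature(icmp: bytes):
    """Return the internal address carried in the quoted probe, or None when
    the responder quoted too little of it for the signature to survive."""
    if len(icmp) < 8 or icmp[0] not in ICMP_ERRORS:
        raise ValueError("not an ICMP error message")
    quoted = icmp[8:]                        # original datagram as quoted back
    if len(quoted) < 20 or quoted[0] >> 4 != 4:
        raise ValueError("quoted datagram is not IPv4")
    ihl = (quoted[0] & 0x0F) * 4             # quoted IP header length in bytes
    if quoted[9] != 17:
        raise ValueError("quoted datagram is not UDP")
    match = SIG_RE.search(quoted[ihl + 8:])  # skip quoted IP and UDP headers
    return match.group(1).decode() if match else None

def build_probe(listener: str, target: str) -> bytes:
    """Constructed sample: bytes of a UDP probe (both ports 0) as the page
    describes it, with checksums left at zero. Nothing is sent."""
    sig = b"IP:" + target.encode()
    udp = struct.pack("!HHHH", 0, 0, 8 + len(sig), 0) + sig
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(listener), socket.inet_aton(target))
    return ip + udp

def icmp_port_unreachable(quoted: bytes) -> bytes:
    """Constructed sample: ICMP type 3 code 3 wrapping the quoted datagram."""
    return struct.pack("!BBHI", 3, 3, 0, 0) + quoted

PROBE = build_probe("192.0.2.10", "10.0.0.5")        # documentation/private addresses
FULL_QUOTE = icmp_port_unreachable(PROBE)            # whole datagram copied back
SHORT_QUOTE = icmp_port_unreachable(PROBE[:20 + 8])  # IP header + 8 bytes only

if __name__ == "__main__":
    print("full quote :", extract_signature(FULL_QUOTE))
    print("short quote:", extract_signature(SHORT_QUOTE))
```

A `None` result for a target therefore does not prove the path is closed; it can also mean the responding host truncated the quoted data.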
|--interface <iface>||Which network interface to send packets on. Defaults to eth0.|
|--policy||How fast to send packets. Defaults to "fast" which is as fast as it can. Use a slower policy if you fear the network is being saturated.|
|--verbose||Enable verbose mode|
|--help||Show help information|
Test block "10.0.0.0/24" for leaks to the Internet while netleakd is running on 18.104.22.168:
#$ netleak --spoof 22.214.171.124 10.0.0.0/24
Test targets read from file using IP, ICMP & UDP with 126.96.36.199 listening on the internet for packets with signature "MYSIG" in it.
#$ netleak --targets blocks.txt --spoof 188.8.131.52 --protocol all --signature MYSIG:
If you find any please let me know.
Jonas Hansen <firstname.lastname@example.org>
|NETLEAK(8)||NETLEAK (8)||JANUARY 2005|