This repository has been archived by the owner on Jun 24, 2020. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 6
/
README
executable file
·763 lines (623 loc) · 30.9 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
--------------------------------------------------------------------------------
Hyenae Readme
--------------------------------------------------------------------------------
Hyenae
Advanced Network Packet Generator
Copyright (C) 2009 - 2010 Robin Richter
Contact : richterr@users.sourceforge.net
Homepage : http://sourceforge.net/projects/hyenae/
--------------------------------------------------------------------------------
1. About Hyenae
Hyenae is a highly flexible and platform independent network packet generator.
It allows you to reproduce low level ethernet attack scenarios (such as MITM,
DoS and DDoS) to reveal potential security vulnerabilities of your network.
Besides smart wildcard-based address randomization, a highly customizable
packet generation control and an interactive attack assistant, Hyenae comes
with a clusterable remote daemon for setting up distributed attack networks.
Hyenae was developed with ease-of-use in mind while still remaining flexible
and configurable. To realize this aim, Hyenae uses address patterns, which
will minimize the number of arguments you have to provide because all
necessary parameters, such as the way you want to randomize your addresses or
the IP address version to use, can be derived from the pattern format you
provided. See section 5, "Address Patterns", for more detailed information.
This utility suite was developed only for network security testing purposes
such as evaluation of firewall rules, flood detection and intrusion detection.
Hyenae's developers disclaim all liability for any direct, indirect or
consequential damages arising out of or connected with the use or misuse of
Hyenae Utility Suite. The user alone assumes all risks and responsibility of
his/her own actions associated with the use of the Hyenae Utility Suite. Every
effort has been made to supply accurate information related to Hyenae. It is
subject to change without prior notice.
--------------------------------------------------------------------------------
2. Current Features
* Platform independence
* Assisted ARP-Request flood setup
* Assisted ARP-Cache poisoning setup
* Assisted PPPoE session initiation flood setup
* Assisted Blind PPPoE session termination setup
* Assisted ICMP-Echo flood setup
* Assisted ICMP-Smurf attack setup
* Assisted ICMP based TCP-Connection reset setup
* Assisted TCP-SYN flood setup
* Assisted TCP-Land attack setup
* Assisted Blind TCP-Connection reset setup
* Assisted UDP flood setup
* Assisted DNS-Query flood setup
* Assisted DHCP-Discover flood setup
* Assisted DHCP starvation setup
* Assisted DHCP-Release forcing setup
* Assisted Cisco HSRP active router hijacking setup
* Customizable ARP-Reply based attacks
* Customizable PPPoE-Discover based attacks
* Customizable ICMP-Echo based attacks (IPv4 and IPv6)
* CUstomizable ICMP "Destination Unreachable" based attacks (IPv4)
* Customizable TCP based attacks (IPv4 and IPv6)
* Customizable UDP based attacks (IPv4 and IPv6)
* Customizable DNS-Query based attacks (IPv4 and IPv6)
* Customizable DHCP-Discover based attacks (IPv4)
* Customizable DHCP-Request based attacks (IPv4)
* Customizable DHCP-Release based attacks (IPv4)
* Customizable Cisco HSRP-Hello based attacks (IPv4)
* Customizable Cisco HSRP-Coup based attacks (IPv4)
* Customizable Cisco HSRP-Resign based attacks (IPv4)
* Random or fixed packet count and or attack duration
* Random or fixed send delay for breaking flood detections
* Pattern based packet address configuration
* Intelligent address and address protocol detection
* Smart wildcard-based randomization
* Daemon for setting up remote attack networks
* HyenaeFE QT-Frontend support
--------------------------------------------------------------------------------
3. Command Line Usage (hyenae)
hyenae (Starts attack assistant...)
hyenae fe_stop (Creates a frontend stop condition file,
should only be used by the HyenaeFE frontend)
hyenae -l (Prints all available network interfaces and exits)
hyenae -L (Prints all available attacks and exits)
hyenae -V (Prints version and exits)
hyenae -a arp-reply
-i | -I [Network interface name | index]
-s [Src HW-Address]
-d [Dst HW-Address]
-S [Snd HW-Address]-[Snd IP-Address (IPv4 only)]
-D [Trg HW-Address]-[Trg IP-Address (IPv4 only)]
OPTIONAL:
-r | -R [remote daemon address (Single) | address file (Clustered)]
-c [Min packet count]
-C [Max packet count]
-e [Min send delay (ms)]
-E [Max send delay (ms)]
-u [Min attack duration (ms)]
-U [Max attack duration (ms)]
-m (Set to ignore MTU limit)
-N (Set for cold run)
hyenae -a arp-request
-i | -I [Network interface name | index]
-s [Src HW-Address]
-d [Dst HW-Address]
-S [Snd HW-Address]-[Snd IP-Address (IPv4 only)]
-D [Trg HW-Address]-[Trg IP-Address (IPv4 only)]
OPTIONAL:
-r | -R [remote daemon address (Single) | address file (Clustered)]
-c [Min packet count]
-C [Max packet count]
-e [Min send delay (ms)]
-E [Max send delay (ms)]
-u [Min attack duration (ms)]
-U [Max attack duration (ms)]
-m (Set to ignore MTU limit)
-N (Set for cold run)
hyenae -a pppoe-discover
-i | -I [Network interface name | index]
-s [Src HW-Address]
-d [Dst HW-Address]
OPTIONAL:
-o [PPPoE Discovery Code]
-q [PPPoE Session ID Offset]
-Q [PPPoE Session ID Incrementation Steps]
-p | -P [Random payload length | Payload file]
-r | -R [remote daemon address (Single) | address file (Clustered)]
-c [Min packet count]
-C [Max packet count]
-e [Min send delay (ms)]
-E [Max send delay (ms)]
-u [Min attack duration (ms)]
-U [Max attack duration (ms)]
-m (Set to ignore MTU limit)
-N (Set for cold run)
hyenae -a icmp-echo
-i | -I [Network interface name | index]
-s [Src HW-Address]-[Src IP-Address (IPv4 or IPv6)]
-d [Dst HW-Address]-[Dst IP-Address (IPv4 or IPv6)]
OPTIONAL:
-t [IP Time To Live (TTL)]
-p | -P [Random payload length | Payload file]
-r | -R [remote daemon address (Single) | address file (Clustered)]
-c [Min packet count]
-C [Max packet count]
-e [Min send delay (ms)]
-E [Max send delay (ms)]
-u [Min attack duration (ms)]
-U [Max attack duration (ms)]
-A [Assumed IP-Address version on random address strips]
-m (Set to ignore MTU limit)
-N (Set for cold run)
hyenae -a icmp-unreach-tcp
-i | -I [Network interface name | index]
-s [Src HW-Address]-[Src IP-Address (IPv4 only)]
-d [Dst HW-Address]-[Dst IP-Address (IPv4 only)]
-S [TCP Src HW-Address]-[TCP Src IP-Address (IPv4 only)]@[TCP Src Port]
-D [TCP Dst HW-Address]-[TCP Dst IP-Address (IPv4 only)]@[TCP Dst Port]
OPTIONAL:
-o [ICMP Message Code]
-t [IP Time To Live (TTL)]
-k [TCP Achnkowledgement Number]
-w [TCP Window Size]
-q [TCP Sequence Number Offset]
-Q [TCP Sequence Number Incrementation Steps]
-r | -R [remote daemon address (Single) | address file (Clustered)]
-c [Min packet count]
-C [Max packet count]
-e [Min send delay (ms)]
-E [Max send delay (ms)]
-u [Min attack duration (ms)]
-U [Max attack duration (ms)]
-m (Set to ignore MTU limit)
-N (Set for cold run)
hyenae -a tcp
-i | -I [Network interface name | index]
-s [Src HW-Address]-[Src IP-Address (IPv4 or IPv6)]@[Src Port]
-d [Dst HW-Address]-[Dst IP-Address (IPv4 or IPv6)]@[Dst Port]
-f [TCP-Flags]
OPTIONAL:
-t [IP Time To Live (TTL)]
-k [TCP Achnkowledgement Number]
-w [TCP Window Size]
-q [TCP Sequence Number Offset]
-Q [TCP Sequence Number Incrementation Steps]
-p | -P [Random payload length | Payload file]
-r | -R [remote daemon address (Single) | address file (Clustered)]
-c [Min packet count]
-C [Max packet count]
-e [Min send delay (ms)]
-E [Max send delay (ms)]
-u [Min attack duration (ms)]
-U [Max attack duration (ms)]
-A [Assumed IP-Address version on random address strips]
-m (Set to ignore MTU limit)
-N (Set for cold run)
hyenae -a udp
-i | -I [Network interface name | index]
-s [Src HW-Address]-[Src IP-Address (IPv4 or IPv6)]@[Src Port]
-d [Dst HW-Address]-[Dst IP-Address (IPv4 or IPv6)]@[Dst Port]
OPTIONAL:
-t [IP Time To Live (TTL)]
-p | -P [Random payload length | Payload file]
-r | -R [remote daemon address (Single) | address file (Clustered)]
-c [Min packet count]
-C [Max packet count]
-e [Min send delay (ms)]
-E [Max send delay (ms)]
-u [Min attack duration (ms)]
-U [Max attack duration (ms)]
-A [Assumed IP-Address version on random address strips]
-m (Set to ignore MTU limit)
-N (Set for cold run)
hyenae -a dns-query
-i | -I [Network interface name | index]
-s [Src HW-Address]-[Src IP-Address (IPv4 or IPv6)]
-d [Dst HW-Address]-[Dst IP-Address (IPv4 or IPv6)]
-y [DNS query pattern]
OPTIONAL:
-t [IP Time To Live (TTL)]
-p | -P [Random payload length | Payload file]
-r | -R [remote daemon address (Single) | address file (Clustered)]
-c [Min packet count]
-C [Max packet count]
-e [Min send delay (ms)]
-E [Max send delay (ms)]
-u [Min attack duration (ms)]
-U [Max attack duration (ms)]
-A [Assumed IP-Address version on random address strips]
-m (Set to ignore MTU limit)
-N (Set for cold run)
hyenae -a dhcp-discover
-i | -I [Network interface name | index]
-s [Src HW-Address]-[Src IP-Address (IPv4 only)]
-d [Dst HW-Address]-[Dst IP-Address (IPv4 only)]
OPTIONAL:
-t [IP Time To Live (TTL)]
-S [Req IP-Address (IPv4 only)]
-p | -P [Random payload length | Payload file]
-r | -R [remote daemon address (Single) | address file (Clustered)]
-c [Min packet count]
-C [Max packet count]
-e [Min send delay (ms)]
-E [Max send delay (ms)]
-u [Min attack duration (ms)]
-U [Max attack duration (ms)]
-m (Set to ignore MTU limit)
-N (Set for cold run)
hyenae -a dhcp-request
-i | -I [Network interface name | index]
-s [Src HW-Address]-[Src IP-Address (IPv4 only)]
-d [Dst HW-Address]-[Dst IP-Address (IPv4 only)]
-D [Srv IP-Address (IPv4 only)]
OPTIONAL:
-t [IP Time To Live (TTL)]
-S [Req IP-Address (IPv4 only)]
-r | -R [remote daemon address (Single) | address file (Clustered)]
-c [Min packet count]
-C [Max packet count]
-e [Min send delay (ms)]
-E [Max send delay (ms)]
-u [Min attack duration (ms)]
-U [Max attack duration (ms)]
-m (Set to ignore MTU limit)
-N (Set for cold run)
hyenae -a dhcp-release
-i | -I [Network interface name | index]
-s [Src HW-Address]-[Src IP-Address (IPv4 only)]
-d [Dst HW-Address]-[Dst IP-Address (IPv4 only)]
-D [Srv IP-Address (IPv4 only)]
OPTIONAL:
-t [IP Time To Live (TTL)]
-p | -P [Random payload length | Payload file]
-r | -R [remote daemon address (Single) | address file (Clustered)]
-c [Min packet count]
-C [Max packet count]
-e [Min send delay (ms)]
-E [Max send delay (ms)]
-u [Min attack duration (ms)]
-U [Max attack duration (ms)]
-m (Set to ignore MTU limit)
-N (Set for cold run)
hyenae -a hsrp-hello
-i | -I [Network interface name | index]
-s [Src HW-Address]-[Src IP-Address (IPv4 only)]
-d [Virtual IP-Address (IPv4 only)]
-z [HSRP Priority]
OPTIONAL:
-t [IP Time To Live (TTL)]
-o [HSRP State Code]
-h [HSRP Auth. Data]
-g [HSRP Group Number]
-p | -P [Random payload length | Payload file]
-r | -R [remote daemon address (Single) | address file (Clustered)]
-c [Min packet count]
-C [Max packet count]
-e [Min send delay (ms)]
-E [Max send delay (ms)]
-u [Min attack duration (ms)]
-U [Max attack duration (ms)]
-m (Set to ignore MTU limit)
-N (Set for cold run)
hyenae -a hsrp-coup
-i | -I [Network interface name | index]
-s [Src HW-Address]-[Src IP-Address (IPv4 only)]
-d [Virtual IP-Address (IPv4 only)]
-z [HSRP Priority]
OPTIONAL:
-t [IP Time To Live (TTL)]
-o [HSRP State Code]
-h [HSRP Auth. Data]
-g [HSRP Group Number]
-p | -P [Random payload length | Payload file]
-r | -R [remote daemon address (Single) | address file (Clustered)]
-c [Min packet count]
-C [Max packet count]
-e [Min send delay (ms)]
-E [Max send delay (ms)]
-u [Min attack duration (ms)]
-U [Max attack duration (ms)]
-m (Set to ignore MTU limit)
-N (Set for cold run)
hyenae -a hsrp-resign
-i | -I [Network interface name | index]
-s [Src HW-Address]-[Src IP-Address (IPv4 only)]
-d [Virtual IP-Address (IPv4 only)]
-z [HSRP Priority]
OPTIONAL:
-t [IP Time To Live (TTL)]
-o [HSRP State Code]
-h [HSRP Auth. Data]
-g [HSRP Group Number]
-p | -P [Random payload length | Payload file]
-r | -R [remote daemon address (Single) | address file (Clustered)]
-c [Min packet count]
-C [Max packet count]
-e [Min send delay (ms)]
-E [Max send delay (ms)]
-u [Min attack duration (ms)]
-U [Max attack duration (ms)]
-m (Set to ignore MTU limit)
-N (Set for cold run)
-s Source address pattern
-d Destination address pattern. Is also used to define the virtual
IP-Address pattern on HSRP based attacks.
-S Secondary source address pattern. Defines the sender address on ARP-Based
attacks, the requested IP-Address on DHCP-Request attacks and the TCP
source address pattern on TCP based ICMP "Destination Unreachable"
attacks.
-D Secondary destination address pattern. Defines the target address on
ARP-Based attacks, the server identifier (IP-Address) on DHCP-Release
attacks and the TCP destination address pattern on TCP based ICMP
"Destination Unreachable" attacks.
-i Network interface to operate on (specified by name). This argument is
ignored on remote attacks.
-I Network interface to operate on (specified by index). A list
of all available network interfaces and their indexes can be obtained
by starting Hyenae with the -l option. This argument is ignored on remote
attacks.
-r Single remote attack. If set, Hyenae will execute the specified attack
on the Hyenae Daemon specified by the given server address pattern. A
server address pattern has the following pattern format:
// For plain connections
[IP-Address]@[Port]
// For password protected daemons
[IP-Addresss]@[Port]+[Password]
Hyenae will automatically recognize the provided IP address version.
Wildcards are not valid within server address patterns. The password
strip is only required when connecting to a Hyenae Daemon which has
activated password authentication. Note: Since Hyenae currently does not
support encrypted communication, your password is transferred in plain
text, and can be logged by others.
-R Clustered remote attack. If set, Hyenae will simultaneously execute the
specified attack using the Hyenae Daemons specified in the server file at
the given path. A server list file should have the following format:
# Comment
Server=[IP-Address]@[Port]
Server=[IP-Address]@[Port]+[Password]
...
Hyenae will automatically recognize the version of the IP address
provided. Wildcards are not valid within server address patterns. The
password strip is only required when connecting to a Hyenae Daemon which
has activated password authentication. Note: Since Hyenae currently does
not support encrypted communication, your password is transferred in
plain text, and can be logged by others.
-a Attack protocol. A list of all available attacks can be obtained by
starting Hyenae with the -L option.
-A IP address version to assume when a completely random IP strip is found
within an address pattern. This value can be either 4 or 6. By default
this is set to 4 (IPv4).
-t Defines the hop limit (TTL) on IP based attacks. The hop limit can be a
value between 1 and 255. If not set, a hop limit size of 128 will be
used.
-o Defines the ICMP "Destination Unreachable" message code on ICMP
"Destination Unreachable" based attacks, the PPPoE discover code on
PPPoE-Discover based attacks or the HSRP state code on HSRP based
attacks.
Valid values on PPPoE attacks:
padi (Active Discovery Initiation)
padt (Active Discovery Termination)
If not set, the default value is 'padi'.
Valid values on ICMP attacks:
network (Network Unreachable)
host (Host Unreachable)
protocol (Protocol Unreachable)
port (Port Unreachable)
If not set, the default value is 'network'.
Valid values on HSRP attacks:
init
learn
listen
speak
standby
active
If not set, the default value is 'init'.
-f TCP flags. This option is required on TCP attacks and defines the TCP
control flags to set for the generated packets. Valid values are any
combination of:
F (FIN)
S (SYN)
R (RST)
P (PSH)
A (ACK)
-k TCP acknowledgement number. Defines the TCP acknowledgement number to use
on TCP based attacks. If not set or set to 0, an acknowledgement number
of 0 will be used.
-w TCP window size. Defines the TCP window size to use on TCP based attacks.
If not set or set to 0, a window size of 0 will be used.
-q TCP sequence number / PPPoE session id. Defines the TCP sequence number
on TCP based, or the session id on PPPoE-Discover based attacks. If not
set or set to 0 on TCP based attacks, every generated packet (unless a
step value was given) will carry a completely randomized sequence number.
If set to 0 on PPPoE attacks, every generated packet (unless a step value
was given) will carry the session id 0. If a sequence number or session
id incrementation step value was given, this argument will be used as
the initial sequence number or session id to be incremented.
-Q TCP sequence number / PPPoE session id incrementation steps. If set, the
sequence number or session id of every generated packet will be
incremented by the given value.
-y DNS query pattern. A DNS query pattern is required on DNS-Query based
attacks to define the list of domain names to query. The list should have
the following format:
# Single DNS query
[www.domain1.com]
# Multiple DNS queries
[www.domain1.com],[www.domain2.com],...
-h Defines the HSRP authentification data field value and is required on
HSRP based attacks. If not set, the default auth. data will be used
instead. Auth. data values must not be longer than 8 characters.
-z Defines the HSRP priority field value and is required on HSRP based
attacks. This value can be any number betwen 1 up to 255.
-g Defines the HSRP group number on HSRP based attacks. This value can be
any number betwen 0 up to 255. If not set, the group number will be set
to 0.
-c Minimum number of packets to generate. If not set or set to 0, an
unlimited amount of packets will be generated, unless an attack duration
was set. If you provide a maximum number of packets to generate, the
minimum number of packets will be automatically set to one. If not set or
set to 0 on remote attacks, the packet limit of the daemon will be used
instead.
-C Maximum number of packets to generate. If not set or set to 0, the
specified minimum number of packets (-c X) will be generated. If no
minimum number of packets to generate is specified, an unlimited
amount of packets will be generated.
-e Minimum number of milliseconds to wait until the next packet is sent.
On HSRP based attacks the send delay will be used as the hello/hold time
field value and must not be greater than 255000. The hold time on HSRP
based attacks will be hello time multiplied by 3.
-E Maximum number of milliseconds that may pass before the next packet is
sent. If set, Hyenae will wait a random number of milliseconds between
the minimum (-e X or 0 if not set) and the maximum number (-E X) before
sending the next packet. This is useful for breaking flood detections.
On HSRP based attacks the send delay will be used as the hello/hold time
field value and must not be greater than 255000. The hold time on HSRP
based attacks will be hello time multiplied by 3.
-u Minimum attack duration in milliseconds. If not set or set to 0, the
attack duration will be endless, unless a packet count was given. If not
set or set to 0 on remote attacks, the attack duration limit of the
daemon will be used instead.
-U If set, Hyenae will stop the attack when a duration of a random number
of milliseconds between the minimum (-u X or 0 if not set) and the
maximum number (-U X) is reached.
-p Random packet payload. If set, a random data block (payload) of the
given length will be added to the generated packets (if supported by the
chosen attack type). By default all packets will be generated with an
empty data block. If the total length of the packet (including the
protocol headers) exceeds the MTU limit and Hyenae was called without the
-m option, an error occurs. The total length of a packet depends on IP
protocol and the attack type used. The default MTU limit is 1500 bytes.
-P File-based packet payload. If set, the contents of a file at the
given path will be added as the data block (payload) of the generated
packets. If the total length of the packet (including the protocol
headers) exceeds the MTU limit and Hyenae was called without the -m
option, an error occurs. The total length of a packet depends on IP
protocol and the attack type used. The default MTU limit is 1500 bytes.
-m If set, the default MTU limit of 1500 bytes will be ignored and even
packets with a length greater than 1500 bytes will by sent. If the packet
length exceeds the supported MTU limit, pcap will fail to write the data
to the network. You should never provide this option unless you know what
you are doing.
-N No sending (cold run). If set, Hyenae will start a run through its attack
routines without actually writing any data to the network. This can be
very useful to pre-check the generated packets or the remote daemon
behaviour before executing the actual attack.
-l Prints a list of all available network interfaces and exits.
-L Prints a list of all available attacks and exits.
-V Prints the current version of Hyenae and exits.
--------------------------------------------------------------------------------
4. Command Line Usage (hyenaed)
hyenaed -l (Prints all available network interfaces and exits)
hyenaed -V (Prints daemon version and exits)
hyenaed -i | -I [Network interface name | index]
-c &| -u [Packet count limit &| Attack duration limit]
OPTIONAL:
-a [IP-Address to bind to]
-p [Port to listen on]
-b [Max backlog connections]
-t [Trusted IP-Address list file]
-T [Untrusted IP-Address list file]
-A [Assumed IP-Address version on random address strips]
-m [Max client connections]
-k [Deamon password]
-f [log file]
-i Network interface to attack on (specified by name). This will not set
the network interface on which to listen for connections.
-I Network interface to attack on (specified by index). This will not set
the network interface on which to listen for connections. A list of all
available network interfaces and their indexes can be obtained by
starting Hyenae with the -l option.
-a IP address to bind the daemon's server socket to. If not given, the
daemon will bind to any capable network interface on this machine. The
Hyenae Daemon can not be bound to the network interface you want to
attack from.
-p The port number on which the daemon shall listen for incoming
connections. By default the daemon will listen on port 666.
-b Number of backlog connections the daemon shall handle. The default
value is 5.
-t Trusted IP address list. Specifies an IP list file which will be used as
a trusted list of IP addresses. If set, only clients using the specified
IP addresses will be allowed to connect to the daemon. An IP address list
has the following format:
# Comment
IP-Address=[IP-Address]
IP-Address=[IP-Address]
...
Wildcards are not valid within IP address list files.
-T Untrusted IP address list. Specifies an IP list file which will be
used as a list of untrusted IP addresses. If set, all clients using
the specified IP addresses will not be able to connect to the daemon. An
IP address list has the following format:
# Comment
IP-Address=[IP-Address]
IP-Address=[IP-Address]
...
Wildcards are not valid within IP address list files.
-A IP version the listening socket shall use. This can be either 4 or 6.
The default version is 4 (IPv4).
-c Packet limit for clients. Specifies the maximum number of packets a
single client can request to attack with. If not set or set to 0, you
must specify an attack duration limit.
-u Attack duration limit for clients. Specifies the maximum number of
milliseconds a single client can request to attack for. If not set or set
to 0, you must specify a packet limit.
-m Maximum number of clients allowed to connect. The default value is 10.
-k Password protection. If set, only clients which are using this password
will be able to control this daemon. Note: Since Hyenae currently does
not support encrypted communication, your password is transferred in
plain text, and can be logged by others.
-f Log-File path. By default, all daemon logs will be written to
/var/log/hyenaed.log on *nix systems or .\hyenaed.log on windows
systems.
-l Prints a list of all available network interfaces and exits.
-V Prints the current version of Hyenae and exits.
--------------------------------------------------------------------------------
5. Address Patterns
Hyenae uses address patterns to define the source and destination address
(and for ARP-Replies, sender and target as well) of the generated packets.
Each pattern can contain wildcards to randomize certain octets or even the
whole address strip or port. Hyenae uses an address adequate randomization
algorithm that makes sure to produce valid addresses. As an example, if you
have a pattern with an IP address strip like 25%.168.0.1, Hyenae will
recognize that it can only place a random value from 0 to 5 here. It will
also use the required notation (decimal or hexadecimal) and detect that the
specified address is an IPv4 address and will use the IPv4 protocol for the
given attack (if possible). Address patterns can have the following formats:
[HW-Address]-[IP-Address]@[Port]
[HW-Address]-[IP-Address]
[HW-Address]
Hyenae will automatically recognize the pattern and even every single
address format (HW, IPv4 or IPv4), so you don't have to pass extra arguments,
since everything we need to know can be derived from the given pattern. If you
want to randomize a complete address strip (HW-Address or IP-Address) simply
put a single % in it:
%-192.1%%.%.%%@%2%
This one will use a random hardware address and a partially randomized IP
address, adequate to the octet digits you specified. Notice that you can
even specify the number of random octet digits to create (but make sure that
the number of digits within the octet is valid for the used format), the last
octet of the IP address strip will be a random 2 digit value. The same works
within the port strip (separated by an '@'), the more wildcards you place,
the more digits the random port number will have. In the example above, the
port number will be 3 digits long and will also have a 2 within its center.
Here are some examples:
// Ok
00:D2:F%:D4:DD:%%-192.168.%%.%@%%
%-192.168.%%%.%@%%
00:D2:F%:D4:DD:%%-%@%%
%-%@%
%-%
// Error: HW address octets have a fixed length of 2 digits!
00:%:00::00:00:00-192.168.0.1@21
If you are using only a single wildcard as the IP address strip, Hyenae will
generate a complete random IP address. By default, Hyenae will interpret or
"assume" random IP address strips as IPv4 addresses. You can change the
assumed version by calling Hyenae with the -A option.
In some cases you will need to randomize a pattern equaly to another one. If
you are generating ARP packets for example, the source hardware address needs
equal the senders hardware address otherwise the packet will be droped by the
target host. In such a case, Hyenae will use an equal randomization on both of
the patterns (aas long as they match each other).
// HW-Address randomization on ARP packets
// HW-Address strip Will be equaly randomized
Source Pattern: %
Sender Pattern: %-192.168.0.1
// HW-Address strip Will be equaly randomized
Source Pattern: %%:22:33:44:55:66
Sender Pattern: %%:22:33:44:55:66-192.168.0.1
// HW-Adress strip won't be equaly randomized
Source Pattern: 11:%%:33:44:55:66
Sender Pattern: %%:22:33:44:55:66-192.168.0.1
--------------------------------------------------------------------------------