PIXILATE(1) BSD General Commands Manual PIXILATE(1)NAMEpixilate — parses an input file containing Cisco PIX 6.2x - PIX 6.3x
(normal mask) or Cisco IOS (inverted mask) access-list entries and gener‐
ates the corresponding packets. For information on writing PIX access
lists, see http://www.cisco.com/univercd/cc/td/doc/prod‐
uct/iaabu/pix/pix_62/cmdref/ab.htm#xtocid7 and
http://www.cisco.com/warp/public/707/confaccesslists.html#intro for Cisco
IOS access-lists.
pixilate — is currently capable of generating TCP/UDP/ICMP (various ICMP
types), and IGMP utilizing the Libnet 1.1.x library available from
http://www.packetfactory.net. NOTE: Libnet 1.0.x is NOT compatible."
OPTIONSpixilate [-f access-list] [-dDfghimopqrsSv]
The options are as follows:
-d destination ip address
Required argument. The Default destination IP address is
needed to ensure that the packet reaches the intended target
when an Extended ACL with 'any' as a destination or a Simple
ACL (0-99) is encountered. This IP should obviously be on
the inside of the firewall.
-D destination port
Default destination port to be used when destination port is
'any' If omitted, the default destination port is 80.
-f filename Required argument. Filename written in PIX 6.2x - PIX 6.3x
access-list format to be parsed.
-g gateway address
Optional parameter to specify gateway ip address. This
parameter is only used for ICMP redirect packet generation.
-h Displays pixilate usage.
-i ip id Optional parameter to specify ip id. This is useful when
attempting to identify a spoofed address that was generated
from pixilate when used in combination with -q sequence
number
-m permit|deny
Optional parameter to process only permit or only deny ACLs.
By default, pixilate generates packets for both permit and
deny ACLs.
-o filename Optional parameter to redirect standard output to filename.
Use in combination with -v for detailed statistics.
-p payload Optional parameter to specify payload.
-q sequence number
Optional parameter to specify sequence number. This is use‐
ful when attempting to identify a spoofed address that was
generated from pixilate when used in combination with -i ip
id
-r Input file specified by -f filename is a Cisco IOS formatted
access-list (inverted mask) rather than the default Cisco
PIX formatted access-list (normal mask).
-s source ip address
Default source IP address to be used when source address is
'any' If omitted, a random soure address is chosen.
-S source port
Default source port to be used when source port is 'any'. If
omitted, the default source port is 1025.
-v Verbose mode. Displays statistics for each packet sent.
EXAMPLE ACCESS LISTS
See the included example-acl.txt for several examples
access-list acl_ID {deny | permit} icmp {source_addr | local_addr}
{source_mask | local_mask} {destination_addr | remote_addr} {destina‐
tion_mask | remote_mask} icmp_type
access-list id {deny | permit} icmp {source_addr | local_addr}
{source_mask | local_mask} | object-group network_obj_grp_id {destina‐
tion_addr | remote_addr} {destination_mask | remote_mask} | object-group
network_obj_grp_id [icmp_type | object-group icmp_type_obj_grp_id]
access-list acl_ID {deny | permit} protocol {source_addr | local_addr}
{source_mask | local_mask}[operator port [port] {destination_addr |
remote_addr} {destination_mask | remote_mask} [operator port [port]
access-list id {deny | permit}{protocol | object-group proto‐
col_obj_grp_id {source_addr | local_addr} {source_mask | local_mask} |
object-group network_obj_grp_id [operator port [port] | object-group ser‐
vice_obj_grp_id] {destination_addr | remote_addr} {destination_mask |
remote_mask} | object-group network_obj_grp_id [operator port [port] |
object-group service_obj_grp_id]}
pixilate also supports its own internal payload literal that can be sup‐
plied at the end of any or all Extended (100-199) ACLs. The format for
this literal is payload "payload in quotes" See example-acl.txt. This
overides the -p option only for the specific ACL.
HOW PIXILATE INTERPRETS THE ACCESS-LIST
acl_ID Name of an access list. You can use either a name or number.
pixilate uses acl_ID to determine if the ACL is Simple (0-99) where only
the source address is known or Extended (100-199) where both the source
and destination addresses are known.
compiled Turbo ACLs are skipped by pixilate
deny pixilate keeps track of the number of deny acl packets sent for
informational purposes only. A packet is sent regardless of the acl being
marked permit or deny. destination_addr IP address of the network or
host to which the packet is being sent.
destination_mask Netmask to be applied to destination_addr, if the desti‐
nation address is a network mask. In this case, a random IP address valid
for the networkmask/netmask is randomly generated. If the -r option is
specified (Processing an IOS access-list), the destination_mask is
treated as an inverted mask and is "flipped" before processing. For exam‐
ple: 0.0.0.255 becomes 255.255.255.0
icmp_type pixilate is capable of generating echo-reply(0), unreach‐
able(3), redirect(5), echo(8), time-exceeded(11), timestamp-reply(13),
timestamp-request(14), mask-request(17), mask-reply(18) packets.
icmp_type can be referred to by the name or the protocol number. NOTE:
redirect (icmp_type 5) packets required the -g option.
local_addr address of network or host local to the Firewall.
local_mask netmask to be applied to local_addr if the local address is a
network mask. If the -r option is specified (Processing an IOS access-
list), the local_mask is treated as an inverted mask and is "flipped"
before processing. For example: 0.0.0.255 becomes 255.255.255.0
object-group object-group information is ignored by pixilate
object_grp_id object_group_id is ignored by pixilate operator The opera‐
tor compares the source ip address or destination ip address ports. Pos‐
sible operands include lt for less than, gt for greater than, eq of
equal, neq for not equal, and range for an inclusive range. pixilate
will randomly choose a source or destination port based on the operator.
permit keeps track of the number of permit acl packets sent for informa‐
tional purposes only. A packet is sent regardless of the acl being marked
permit or deny.
port services you permit or deny access to. You can specify ports by
either a literal name or a number in the range or 0 to 65535. If a port
is not specified one will be generated randomly. pixilate supports the
following PIX TCP port literals: bgp, chargen, cmd, citrix-ica, daytime,
discard, domain, echo, exec, finger, ftp, ftp-data, gopher, h323, host‐
name, http, ident, irc, klogin, kshell, lpd, nntp, pop2, pop3, pptp, rpc,
smtp, sqlnet, sunrpc, tacacs, talk, telnet, time, uucp, whois, and www.
pixilate supports the following PIX UDP port literals: biff, bootpc,
bootps, discard, dnsix, echo, mobile-ip, nameserver, netbios-dgm, net‐
bios-ns, ntp, rip, snmp, snmptrap, sunrpc, syslog, tacacs, talk, tftp,
time, who, and xdmcp. It is possible to specify a default source port
with the -S option, and a default destination port of -D If not speci‐
fied, the default source port is 1025 and the default destination port is
80.
protocol supported literals include icmp, tcp, udp, igmp. To match any
Internet protocol use the keyword ip.
source_address address of the network or host from with the packet is
being sent. pixilate is of course capable of spoofing source addresses.
If the keyword any is used, a source address is randomly generated unless
one is supplied with the -s option.
remote_addr IP address of the network or host remote to the firewall. It
is a good idea to specify a destination address that is behind the fire‐
wall *hint, hint* with the -d option.
remote_mask netmask to be applied to remote_addr, if the remote address
is a network mask. In this case, a random IP address valid for the net‐
workmask/netmask is randomly generated. If the -r option is specified
(Proccessing an IOS access-list), the remote_mask is treated as an
inverted mask and is "flipped" before processing. For example: 0.0.0.255
becomes 255.255.255.0
COMPATIBILITY
Requires libnet 1.1.x available at http://www.packetfactory.net pixilate
has been tested on FreeBSD 4.7 and Linux using automake 1.5 and autoconf
2.53
AUTHORS
This manual page was written by Kirby Kuehl
⟨vacuum@users.sourceforge.net.⟩ http://winfingerprint.sourceforge.net
BSD April 25, 2003 BSD
