netleak man page on DragonFly


NETLEAK(8)		 Network Leak Detection Client		    NETLEAK(8)

NAME
       netleak - Network Leak Finder client

SYNOPSIS
       netleak [OPTIONS] <targets>

DESCRIPTION
       netleak is a small perl script that tries to detect connectivity
       between network segments. It is mostly useful for large organizations
       that have private local area networks physically separated or
       firewalled from the Internet but who are unsure if any rogue paths or
       "leaks" still allow network flow.

       netleak achieves this by sending spoofed packets into the internal
       network; if any packet is received on the external network, a leak
       has been detected. netleak is therefore an active system consisting
       of a client (this program) that spews out packets on one network and
       a server (netleakd(8)) which waits for packets on the other network.

OPTIONS
       targets is a space-delimited list of  ip-addresses  or  hostnames.  Use
       CIDR-block notation to specify ranges, e.g. "192.168.1.0/24" will leak-
       test a C-block.

       --fast Only send packets to the network & broadcast address. This  will
	      speed  up the sweep significantly but could result in some leaks
	      not being detected.

       --cfile <file>
	      Use alternate configuration file. netleak will by default look
	      for ~/.netleak, /usr/local/etc/netleak.conf and
	      /etc/netleak.conf. Command-line arguments always override
	      anything from any configuration file.

       --tfile <file>
	      Read  targets  from  file.  The  format  is one host per line in
	      either hostname-format or CIDR-notation.

       --spoof <target>
	      Specify the host waiting for packets on the other network,  i.e.
	      the Internet.

       --protocol <ip|icmp|udp|all>
	      Use the designated protocol to send packets. all triggers IP,
	      ICMP and UDP. Default is currently ICMP.

	      IP: Will craft raw IP-packets with a malicious IP-header and
	      provoke the target hosts to generate an ICMP Parameter Problem
	      error message. Most routers should let such a packet through
	      depending on their interpretation of RFC1812. The end-host
	      should according to RFC1122 try to validate the packet and
	      generate our desired response. This feature is sort of
	      experimental but should yield the best results. If you encounter
	      a router that doesn't let this type of packet through please let
	      me know!

	      It appears that NAT-devices react differently to these packets.
	      I've tested it on Speedstream and a Cisco 667 where the former
	      would let them through and the latter would drop them.

	      ICMP: Will send a normal ICMP echo request that may trigger an
	      ICMP echo response message with the datafields intact, thus
	      preserving the signature. This option is the only one my Cisco
	      667 won't drop.

	      UDP: Will send a UDP packet with source & destination port set
	      to 0. This should trigger an ICMP response which hopefully will
	      have the datafield copied to it. Depending on what OS the
	      targeted host is running you might get different results. Linux
	      2.6.7 copies the datafield nicely but I've observed that
	      Windows 2000 won't copy further than the IP-headersize + 8 bytes
	      which therefore only includes the UDP-header.

	      Since routers react differently (one brand might drop ICMP
	      whereas another only accepts exactly that) I suggest you use
	      --protocol all.

       --signature <string>
	      A string inside each packet used for identifying packets that
	      made it into the external network. By default netleak will use
	      "IP:" as prefix and the internal ip-address as postfix. This way
	      packets received by netleakd(8) will contain the internal
	      ip-address of the host that knew a path out.

	      You probably won't need to fiddle with this option unless you
	      want to run netleak from several locations and need to
	      differentiate them on the internet.

	      NOTE!!  You *must* use the same signature for both  netleak  and
	      netleakd(8) or you won't get any results at all!

       --interface <iface>
	      Which network interface to send packets on. Defaults to eth0.

       --policy
	      How fast to send packets. Defaults to "fast" which is as fast as
	      it can. Use a slower policy if you fear  the  network  is	 being
	      saturated.

       --verbose
	      Enable verbose mode

       --help Show help information
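
       An added example (not part of netleak or netleakd): a receiver-side
       parser showing where the signature ends up in each kind of reply
       described above, including the Windows 2000 case where only the IP
       header + 8 bytes are quoted. It assumes the payload carries the
       default signature as ASCII "IP:<address>"; the function and sample
       names are hypothetical and the packets are constructed.

```python
import re
import socket
import struct

ECHO_REPLY, DEST_UNREACH, PARAM_PROBLEM = 0, 3, 12

def parse_leak(icmp, prefix=b"IP:"):
    """Return (signature_ip, quoted_dst) for one received ICMP message.

    signature_ip is None when the signature did not survive the trip;
    quoted_dst is the destination address of the datagram quoted in an
    ICMP error (None for echo replies and unhandled types).
    """
    if len(icmp) < 8:
        raise ValueError("short ICMP message")
    body, quoted_dst = icmp[8:], None
    if icmp[0] in (DEST_UNREACH, PARAM_PROBLEM):
        if len(body) < 20 or body[0] >> 4 != 4:
            raise ValueError("ICMP error without a quoted IPv4 header")
        ihl = (body[0] & 0x0F) * 4
        quoted_dst = socket.inet_ntoa(body[16:20])
        # Assumption: an 8-byte UDP or ICMP header follows the quoted IP header.
        body = body[ihl + 8:]
    elif icmp[0] != ECHO_REPLY:
        return None, None
    m = re.search(re.escape(prefix) + rb"(\d{1,3}(?:\.\d{1,3}){3})", body)
    return (m.group(1).decode() if m else None), quoted_dst

# --- constructed sample input (not captured traffic) ---
SIG = b"IP:10.0.0.5"
UDP_HDR = struct.pack("!HHHH", 0, 0, 8 + len(SIG), 0)   # ports 0/0, UDP mode
IP_HDR = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(SIG), 0, 0, 64, 17, 0,
                     socket.inet_aton("192.0.34.166"),   # spoofed source
                     socket.inet_aton("10.0.0.5"))       # internal target
ERR_HDR = struct.pack("!BBHI", DEST_UNREACH, 3, 0, 0)
ECHO_REPLY_MSG = struct.pack("!BBHHH", ECHO_REPLY, 0, 0, 1, 1) + SIG
FULL_QUOTE = ERR_HDR + IP_HDR + UDP_HDR + SIG    # data field copied back
SHORT_QUOTE = ERR_HDR + IP_HDR + UDP_HDR         # only IP header + 8 bytes

if __name__ == "__main__":
    for name in ("ECHO_REPLY_MSG", "FULL_QUOTE", "SHORT_QUOTE"):
        print(name, parse_leak(globals()[name]))
```

       In the truncated sample the signature is lost, but the quoted IP
       header still carries the destination address the original packet
       was sent to.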

EXAMPLES
       Test  block  "10.0.0.0/24"  for leaks to the Internet while netleakd is
       running on 192.0.34.166:

       #$ netleak --spoof 192.0.34.166 10.0.0.0/24

       Test targets read from file using IP, ICMP & UDP with 192.0.34.166
       listening on the internet for packets with signature "MYSIG" in it.

       #$ netleak --tfile blocks.txt --spoof 192.0.34.166 --protocol all --signature 'MYSIG:'

BUGS
       If you find any please let me know.

AUTHOR
       Jonas Hansen <jonas.v.hansen@gmail.com>

FILES
       ~/.netleak

       /etc/netleak.conf

       /usr/local/etc/netleak.conf

SEE ALSO
       netleakd(8)

NETLEAK(8)			 JANUARY 2005			    NETLEAK(8)