From: "João Paulo Caldas Campello" <protecao@gmail.com>
To: netfilter-devel@lists.netfilter.org
Subject: Any way to automatically change arbitrary headers of IP packets on-the-fly?
Date: Mon, 11 Apr 2005 19:46:40 -0300
Message-ID: <fcff0b6405041115466c6ece05@mail.gmail.com>
In-Reply-To: <fcff0b64050411153958ce0d27@mail.gmail.com>

Hi,

    I've sent the message below to a bunch of other mailing lists, but
I think the topic is also pertinent to the netfilter-devel one. Sorry
if I'm wrong.

    I would like to know if there's a simple way (using netfilter) to
alter arbitrary headers of IP packets, especially the "IP Options"
fields, so I can do some research and sort of lab and penetration
tests regarding semi-blind IP spoofing (i.e. Loose/Strict IP Source
Routing).

Any help is appreciated,

Thanks,

João Paulo Campello.

---------- Forwarded message ----------
From: João Paulo Caldas Campello <protecao@gmail.com>
Date: Apr 11, 2005 7:39 PM
Subject: Any way to automatically change arbitrary headers of IP packets on-the-fly?
To: pen-test@securityfocus.com
Cc: security-management@securityfocus.com,
secpapers@securityfocus.com, vuln-dev@securityfocus.com,
focus-linux@securityfocus.com, libnet@securityfocus.com,
firewalls@securityfocus.com, security-basics@securityfocus.com


Hi,

  Does anybody know any userland tool, Linux kernel module,
iptables/netfilter module, or whatever mechanism to change arbitrary
headers of IP packets on-the-fly as long as they traverse the IP
stack? Is there any known paper regarding this subject?

  The whole story is that I'm doing some research and lab tests on
semi-blind IP spoofing (i.e. Loose/Strict IP Source Routing) on
border routers and firewalls, so I need an easy way to alter the "IP
Options" fields of IP packets to test if the routers/firewalls are
vulnerable to IP spoofing (e.g. not doing ingress filtering) in
conjunction with source routing techniques.

  Yes, I know most modern firewalls should just drop IP Options
flagged packets, but not all firewalls do that with default
configurations.

  Sure I can construct raw IP packets with the proper IP Options
fields set on, but I'm also doing sort of a penetration test so I need
a way to automate this task as the packets traverse the stack. This
way I could still use well-known and proven penetration test tools
such as port and vulnerability scanners, web spiders, and so on.

  I've already read the Netfilter documentation (especially the "Linux
netfilter Hacking HOWTO") so I know this kind of packet mangling can
be done in userspace. I thought it could be done in the "MANGLE" table
of netfilter, but I found no TARGET that achieves that nor any
documentation about altering arbitrary IP headers.

The question is:

  - Does such a tool, module or other way to change arbitrary headers
of IP packets on-the-fly already exist, or will I have to (try to)
write one? =)

Cheers,

João Paulo Campello,
Network Security Analyst,
Tempest Security Technologies.
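Added example (not part of the original post, and not code from netfilter or from the poster): the check a border router or firewall should apply to the packets described above, i.e. the "drop IP Options flagged packets" policy the post mentions. It parses the IPv4 option list, reports Loose/Strict Source Route options (types 131 and 137 from RFC 791) with their hop list, and treats any malformed option list as a drop. `build_sample` is a constructed test header (checksum left at zero, RFC 5737 documentation addresses), used only so the check can run offline.

```python
import struct

# IPv4 option type codes from RFC 791 (the copied/class bits are part of the type byte).
IPOPT_EOL = 0      # end of option list
IPOPT_NOP = 1      # no operation (padding)
IPOPT_LSRR = 131   # loose source and record route (0x83)
IPOPT_SSRR = 137   # strict source and record route (0x89)

SOURCE_ROUTE_TYPES = {IPOPT_LSRR: "LSRR", IPOPT_SSRR: "SSRR"}


def parse_ipv4_options(packet: bytes):
    """Return the list of (type, payload) options in an IPv4 header.

    Raises ValueError on a truncated header or an inconsistent option list;
    a filter should treat that the same as an option-carrying packet (drop)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    version, ihl = packet[0] >> 4, packet[0] & 0x0F
    if version != 4:
        raise ValueError("not IPv4")
    hdr_len = ihl * 4
    if hdr_len < 20 or len(packet) < hdr_len:
        raise ValueError("bad IHL")
    opts = packet[20:hdr_len]
    result, i = [], 0
    while i < len(opts):
        t = opts[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:          # single-byte option, no length field
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option missing length byte")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        result.append((t, bytes(opts[i + 2:i + length])))
        i += length
    return result


def source_route_hops(packet: bytes):
    """Return (kind, pointer, [hop addresses]) if the packet carries LSRR/SSRR, else None."""
    for t, data in parse_ipv4_options(packet):
        if t in SOURCE_ROUTE_TYPES:
            # payload = 1 pointer byte followed by a whole number of 4-byte addresses
            if len(data) < 1 or (len(data) - 1) % 4:
                raise ValueError("malformed source route option")
            pointer = data[0]
            hops = [".".join(str(b) for b in data[j:j + 4]) for j in range(1, len(data), 4)]
            return SOURCE_ROUTE_TYPES[t], pointer, hops
    return None


def should_drop(packet: bytes) -> bool:
    """Border policy from the post: drop any packet with IP options (IHL > 5) or a bad header."""
    try:
        parse_ipv4_options(packet)
    except ValueError:
        return True
    return (packet[0] & 0x0F) > 5


def build_sample(options: bytes = b"") -> bytes:
    """Constructed IPv4 header for offline testing only (checksum 0, TEST-NET addresses)."""
    options += b"\x00" * ((-len(options)) % 4)   # pad option list to a 32-bit boundary
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | ihl, 0, ihl * 4, 0x1234, 0, 64, 6, 0,
                         bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return header + options


if __name__ == "__main__":
    # constructed sample: LSRR option, length 7, pointer 4, one hop 203.0.113.1
    pkt = build_sample(bytes([IPOPT_LSRR, 7, 4, 203, 0, 113, 1]))
    print(source_route_hops(pkt), should_drop(pkt))
```

`should_drop` keys on the header length rather than on the parsed list so that an option area padded only with NOPs is still refused; in a real deployment the same policy is usually expressed as a firewall rule rather than userspace parsing, but the parser is what an IDS or a test harness would use to record which source-routing option and hop list a refused packet carried.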
