mz - Online in the Cloud

This is the command mz that can be run in the OnWorks free hosting provider using one of our multiple free online workstations such as Ubuntu Online, Fedora Online, Windows online emulator or MAC OS online emulator

PROGRAM:

NAME


mz - a fast versatile packet generator

SYNOPSIS


mz [options]<arg_string> | <hex_string>

DESCRIPTION


Mausezahn is a free fast traffic generator written in C which allows you to send nearly
every possible and impossible packet.
Mausezahn can also be used for example as didactical tool in network labs or for security
audits including penetration and DoS testing. As traffic generator Mausezahn is for
example used test IP multicast or VoIP networks. Speeds close to the Ethernet limit are
reachable (depending on the hardware platform, especially the quality of the network
interface card).

USAGE


Mausezahn supports two modes, direct mode and a multi-threaded interactive mode.

The direct mode allows you to create a packet directly on the Linux/UN*X shell and every
packet parameter is specified in the argument list when calling Mausezahn.

The interactive mode is an advanced multi-threaded configuration mode with its own command
line interface (CLI). This mode allows you to create an arbitrary number of packet types
and streams in parallel, each with different parameters. The interactive mode utilizes a
completely redesigned and more flexible protocol framework called MOPS (Mausezahn's Own
Packet System). The look and feel of the CLI is very similar to the Cisco IOS(tm) command
line. You can start the interactive mode by executing Mausezahn with the -x argument (an
optional port number may follow, otherwise it is 25542). Then use Telnet to connect to
this Mausezahn instance (the default login expects the user 'mz' with password 'mz', and
enable password 'mops'; you can change this in /etc/mausezahn/mz.cfg). More information
about the interactive mode and MOPS is provided on the Mausezahn website.

The direct mode supports two specification schemes: The raw-layer-2 scheme, where every
single byte to be sent can be specified, and higher-layer scheme, where packet builder
interfaces are used (using the -t option).
To use the raw-layer-2 scheme, simply specify the desired frame as hexadecimal sequence
(the hex_string), such as

mz eth0 "00:ab:cd:ef:00 00:00:00:00:00:01 08:00 ca:fe:ba:be"

In this example, the spaces within the byte string are optional and separate the Ethernet
fields (destination and source address, type field, and a short payload). The only
additional options supported are -a, -b, -c, and -p. The frame length MUST be greater or
equal 15 bytes.
The higher-layer scheme is enabled using the -t <packet_type> option. This option
activates a packet builder and besides the packet_type an optional arg_string can be
specified. The arg_string contains packet-specific parameters, such as TCP flags, port
numbers, etc; see the EXAMPLES below.

Note that Mausezahn requires root privileges. Please see the Mausezahn User's Guide for
more details or use Mausezahn's command line help.

OPTIONS


Mausezahn provides a built-in context-specific help. Simply append the keyword help to the
configuration options.
The most important options are:

-v Verbose mode. Capital -V is even more verbose.

-S Simulation mode, i. e. don't put anything on the wire. This is typically combined
with the verbose mode.

-q Quiet mode (only warnings and errors are displayed).

-c <count>
Send the packet count times (default: 1, infinite: 0).

-d <delay>
Apply delay between transmissions. The delay value can be specified in usec
(default, no additional unit needed), or in msec (e. g. 100m or 100msec), or in
seconds (e. g. 100s or 100sec). Note: MOPS also supports nanosecond delay
granulation if you need it (see: interactive mode).

-p <lenght>
Pad the raw frame to specified length (using zero bytes). Note that for raw layer 2
frames the specified length defines the whole frame length, while for higher layer
packets the number of additional padding bytes are specified.

-a <Src_MAC|keyword>
Use specified source mac address (use hex notation such as 00:00:aa:bb:cc:dd). By
default the interface MAC address will be used. The keywords rand and own refer to
a random MAC address (only unicast addresses are created) and the own address,
respectively. You can also use the keywords mentioned below (although broadcast-
type source addresses are officially invalid).

-b <Dst_MAC|keyword>
Use specified destination mac address. By default a broadcast is sent in raw layer
2 mode or the destination hosts/gateways interface MAC address in normal (IP) mode.
You can use the same keywords as mentioned above as well as bc (or bcast), cisco,
and stp. Please note that for the destination MAC address the rand keyword is
supported but creates a random address only once, even when you send multiple
packets.

-A <Src_IP|range|rand>
Use specified source IP address (default is own interface IP). Optionally the
keyword rand can again be used for a random source IP address or a range can be
specified, such as 192.168.1.1-192.168.1.100 or 10.1.0.0/16. Also a DNS name can be
specified for which Mausezahn tries to determine the corresponding IP address
automatically.

-B <Dst_IP|range>
Use specified destination IP address (default is broadcast i. e. 255.255.255.255).
As with the source address (see above) you can also specify a range or a DNS name.

-t <packet_type>
Create the specified packet type using the built-in packet builder. Currently
supported packet types are: arp, bpdu, ip, udp, tcp, rtp, and dns. There is
currently also a limited support for ICMP. Enter -t help to verify which packet
builders your actual Mausezahn version supports. Also, for any particular packet
type, for example tcp enter mz -t tcp help to receive a context specific help.

-T <packet_type>
Make this Mausezahn instance the receiving station. Currently (version 0.30) only
rtp is an option here and provides precise jitter measurements. For this purpose
start another Mausezahn instance on the sending station and the local receiving
station will output jitter statistics. See mz -T rtp help for a detailed help.

-Q <[CoS:]vlan> [, <[CoS:]vlan>, ...]
Specify 802.1Q VLAN tag and optional Class of Service. An arbitrary number of VLAN
tags can be specified (that is you can simulate QinQ or even QinQinQinQ...).
Multiple tags must be separated via a comma or a period (e. g. "5:10,20,2:30").
VLAN tags are not supported for ARP and BPDU packets (in which case you could
specify the whole frame in hex using the raw layer 2 interface of Mausezahn).

-M <label[:cos[:ttl]][bos]> [, <label...>]
Specify a MPLS label or even a MPLS label stack. Optionally for each label the
experimental bits (usually the Class of Service, CoS) and the Time To Live (TTL)
can be specified. And if you are really crazy you can set/unset the Bottom of Stack
(BoS) bit at each label using the S (set) and s (unset) option. By default the BoS
is set automatically and correctly. Any other setting will lead to invalid frames.
Enter -M help for detailed instructions and examples.

-P <ASCII_payload>
Specify a cleartext payload. Alternatively each packet type supports a hexadecimal
specification of the payload (see for example -t udp help).

-f <filename>
Read the ASCII payload from the specified file.

-F <filename>
Read the HEX payload from the specified file. Actually this file must be also an
ASCII file (text file) but must contain hexadecimal digits, e. g.
"aa:bb:cc:0f:e6...". You can use also spaces as separation characters.

COMBINATION OF RANGES


When multiple ranges are specified, e. g. destination port ranges AND destination address
ranges, then all possible combinations of ports and addresses are used for packet
generation. Furthermore, this can be mixed with other ranges e. g. a TCP sequence number
range. Note that combining ranges can lead to a very huge number of frames to be sent. As
a rule of thumb you can assume that about 100,000 frames are sent in a fraction of one
second, depending on your network interface.

DISCLAIMER AND WARNING


Mausezahn has been designed as fast traffic generator so you can easily overwhelm a LAN
segment with myriads of packets. And because Mausezahn should also support security audits
it is also possible to create malicious or “invalid” packets, SYN floods, port and address
sweeps, DNS and ARP poisoning, etc.
Therefore, don't use this tool when you are not aware of possible consequences or have
only little knowledge about networks and data communication. If you abuse Mausezahn for
'unallowed' attacks and get caught, or damage something of your own, then this is
completely your fault. So the safest solution is to try it out in a lab environment.

EXAMPLES


Send BPDU frames for VLAN 5 as used with Cisco's PVST+ type of STP. Per default Mausezahn
assumes that you want to become the root bridge:

# mz eth0 -c 0 -d 2s -t bpdu vlan=5

Perform a CAM table overflow attack:

# mz eth0 -c 128000 -a rand -p 64

Perform a SYN flood attack to another VLAN using VLAN hopping. This only works if you are
connected to the same VLAN which is configured as native VLAN on the trunk. We assume
that the victim VLAN is VLAN 100 and the native VLAN is VLAN 5. Lets attack every host in
VLAN 100 which use a IP prefix of 10.100.100.0/24, also try out all ports between 1 and
1023 and use a random source IP address:

# mz eth0 -c 0 -Q 5,100 -t tcp "flags=syn,dp=1-1023" -p 20 -A rand -B 10.100.100.0/24

Send IP multicast packets to the multicast group 230.1.1.1 using a UDP header with
destination port 32000 and set the IP DSCP field to EF (46). Send one frame every 10 msec:

# mz eth0 -c 0 -d 10msec -B 230.1.1.1 -t udp "dp=32000,dscp=46" -P "Multicast test packet"

Send UDP packets to the destination host target.anynetwork.foo using all possible
destination ports and send every packet with all possible source addresses of the range
172.30.0.0/16; additionally use a source port of 666 and three MPLS labels, 100, 200, and
300, the outer (300) with QoS field 5. Send the frame with a VLAN tag 420 and CoS 6;
eventually pad with 1000 bytes and repeat the whole thing 10 times:

# mz eth0 -Q 6:420 -M 100,200,300:5 -A 172.30.0.0/16 -B target.anynetwork.foo -t udp
"sp=666,dp=1-65535" -p 1000 -c 10

Send six forged Syslog messages with severity 3 to a Syslog server 10.1.1.9; use a forged
source IP address 192.168.33.42 and let Mausezahn decide which local interface to use. Use
an inter-packet delay of 10 seconds:

# mz -t syslog sev=3 -P "Main reactor reached critical temperature." -A 192.168.33.42 -B
10.1.1.9 -c 6 -d 10s

Send an invalid TCP packet with only a 5 byte payload as layer-2 broadcast and also use
the broadcast MAC address as source address. The target should be 10.1.1.6 but use a
broadcast source address. The source and destination port shall be 145 and the window size
0. Set the TCP flags SYN, URG, and RST simultaneously and sweep through the whole TCP
sequence number space with an increment of 1500. Finally set the urgent pointer to 666, i.
e. pointing to nowhere:

# mz -t tcp "flags=syn|urg|rst, sp=145, dp=145, win=0, s=0-4294967295, ds=1500, urg=666"
-a bcast -b bcast -A bcast -B 10.1.1.6 -p 5

Use mz online using onworks.net services



Latest Linux & Windows online programs