FreeBSD Manual Pages
NETLEAK(8)               Network Leak Detection Client               NETLEAK(8)

NAME
       netleak - Network Leak Finder client

SYNOPSIS
       netleak [OPTIONS] <targets>

DESCRIPTION
       netleak is a small perl script that tries to detect connectivity between
       network segments. It is mostly useful for large organizations that have
       private local area networks physically separated or firewalled from the
       Internet but who are unsure whether any rogue paths or "leaks" still
       allow network flow.

       netleak achieves this simply by sending spoofed packets into the
       internal network; if any packet is received on the external network, a
       leak has been detected. Because of this, netleak is an active system
       consisting of a client (this program) that spews out packets on one
       network and a server (netleakd(8)) which waits for packets on the other
       network.

OPTIONS
       targets is a space-delimited list of IP addresses or hostnames. Use
       CIDR-block notation to specify ranges, e.g. "192.168.1.0/24" will
       leak-test a C-block.

       --fast Only  send packets to the	network	& broadcast address. This will
	      speed up the sweep significantly but could result	in some	 leaks
	      not being	detected.

       --cfile <file>
              Use an alternate configuration file. netleak will by default
              look for ~/.netleak, /usr/local/etc/netleak.conf and
              /etc/netleak.conf. Command-line arguments always override
              anything from any configuration file.

       --tfile <file>
	      Read  targets  from file.	The format is one host per line	in ei-
	      ther hostname-format or CIDR-notation.

       --spoof <target>
	      Specify the host waiting for packets on the other	network,  i.e.
	      the Internet.

       --protocol <ip|icmp|udp|all>
              Use the designated protocol to send packets. all triggers IP,
              ICMP and UDP. Default is currently ICMP.

              IP: Will craft raw IP-packets with a malicious IP-header and
              provoke the target hosts to generate an ICMP Parameter Problem
              error message. Most routers should let such a packet through,
              depending on their interpretation of RFC1812. The end-host
              should, according to RFC1122, try to validate the packet and
              generate our desired response. This feature is sort of
              experimental but should yield the best results. If you
              encounter a router that doesn't let this type of packet through,
              please let me know!

              It appears that NAT-devices react differently to these packets.
              I've tested it on Speedstream and a Cisco 667, where the former
              would let them through and the latter would drop them.

	      ICMP:  Will  send	a normal ICMP echo request that	may trigger an
	      ICMP echo	response message with the datafields intact, thus pre-
	      serving the signature. This option is the	only one my Cisco  667
	      won't drop.

              UDP: Will send a UDP packet with source & destination port set
              to 0. This should trigger an ICMP response which hopefully will
              have the datafield copied to it. Depending on what OS the
              targeted host is running you might get different results. Linux
              2.6.7 copies the datafield nicely, but I've observed that
              Windows2000 won't copy further than the IP-headersize + 8 bytes,
              which therefore only includes the UDP-header.

              Since routers react differently (one brand might drop ICMP
              whereas another only accepts exactly that) I suggest you use
              the --protocol all option.

       --signature <string>
              A string inside each packet used for identifying packets that
              made it into the external network. By default netleak will use
              "IP:" as prefix and the internal ip-address as postfix. This
              way packets received by netleakd(8) will contain the internal
              ip-address of the host that knew a path out.

              You probably won't need to fiddle with this option unless you
              want to run netleak from several locations and need to
              differentiate them on the internet.

	      NOTE!!   You  *must* use the same	signature for both netleak and
	      netleakd(8) or you won't get any results at all!
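              The check below is an added example, not code from the netleak
              package: it shows what the listener on the external network has
              to do with the replies described under --protocol and
              --signature. It parses each ICMP reply, looks for the
              "IP:<internal address>" signature where the reply type puts it,
              and finds nothing for the Windows 2000 style reply that quotes
              only the IP header plus 8 bytes. The 203.0.113.9 NAT address, the
              sample packets and the assumption that a quoted datagram carries
              an 8-byte UDP or ICMP header before the data are constructed.

```python
import socket
import struct

SIG_PREFIX = b"IP:"   # netleak's default signature prefix (see --signature)

def ipv4(src, dst, proto, payload):
    # Constructed IPv4 datagram; checksum left zero, find_leak never checks it
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def icmp(itype, code, body):
    return struct.pack("!BBHI", itype, code, 0, 0) + body

def parse_ipv4(pkt):
    # Returns (proto, src, dst, payload); honours IHL so IP options are skipped
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]

def find_leak(pkt, prefix=SIG_PREFIX):
    """Return (reply source, internal address from the signature) or None.
    Echo replies carry the probe data directly; ICMP errors quote the offending
    datagram, so the signature is found only if the host copied enough of it."""
    proto, src, _dst, ic = parse_ipv4(pkt)
    if proto != 1 or len(ic) < 8:          # not ICMP
        return None
    if ic[0] == 0:                          # echo reply
        data = ic[8:]
    elif ic[0] in (3, 12):                  # dest unreachable / parameter problem
        quoted = ic[8:]
        if len(quoted) < 20:
            return None
        data = parse_ipv4(quoted)[3][8:]    # skip the quoted UDP/ICMP header
    else:
        return None
    i = data.find(prefix)
    if i < 0:
        return None
    addr = data[i + len(prefix):].split(b"\x00", 1)[0].decode("ascii", "replace")
    return src, addr

# Constructed sample replies as netleakd would see them on the external side.
LISTENER = "192.0.34.166"   # the --spoof address used in EXAMPLES
UDP0 = struct.pack("!HHHH", 0, 0, 8 + 11, 0)            # UDP src/dst port 0
PROBE = ipv4(LISTENER, "10.0.0.7", 17, UDP0 + b"IP:10.0.0.7")
SAMPLES = {
    "echo_reply_via_nat": ipv4("203.0.113.9", LISTENER, 1, icmp(0, 0, b"IP:10.0.0.5")),
    "linux_port_unreach": ipv4("10.0.0.7", LISTENER, 1, icmp(3, 3, PROBE)),
    "win2k_port_unreach": ipv4("10.0.0.7", LISTENER, 1, icmp(3, 3, PROBE[:28])),
}
```

              The first sample shows why the signature carries the internal
              address: after NAT the reply's source is the gateway, not the
              leaking host.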

       --interface <iface>
              Which network interface to send packets on. Defaults to eth0.

       --policy
              How fast to send packets. Defaults to "fast", which sends as
              fast as it can. Use a slower policy if you fear the network is
              being saturated.

       --verbose
              Enable verbose mode.

       --help Show help information.

EXAMPLES
       Test block "10.0.0.0/24" for leaks to the Internet while netleakd is
       running on 192.0.34.166:

       #$ netleak --spoof 192.0.34.166 10.0.0.0/24

       Test targets read from a file using IP, ICMP & UDP, with 192.0.34.166
       listening on the Internet for packets with signature "MYSIG" in them:

       #$ netleak --tfile blocks.txt --spoof 192.0.34.166 --protocol all --signature 'MYSIG:'

BUGS
       If you find any please let me know.

AUTHOR
       Jonas Hansen <jonas.v.hansen@gmail.com>

FILES
       ~/.netleak

       /etc/netleak.conf

       /usr/local/etc/netleak.conf

SEE ALSO
       netleakd(8)

NETLEAK(8)			 JANUARY 2005			    NETLEAK(8)
