Nemesis packet injection utility

"Nemesis attacks directed through fragrouter could be a most powerful combination for the system auditor to find security problems that could then be reported to the vendor(s), etc." - Curt Wilson in Global Incident Analysis Center Detects Report (SANS Institute - Nov 2000)

What is Nemesis?

Nemesis is a command-line network packet injection utility for UNIX-like and Windows systems. You might think of it as an EZ-bake packet oven or a manually controlled IP stack. With Nemesis, it is possible to generate and transmit packets from the command line or from within a shell script. Nemesis is developed and maintained by Jeff Nathan <jeff at snort dot org>.

News

[Jun 29 2003]
Nemesis 1.4beta3 Build 22 is the most functional version of Nemesis to date. Problems in the Windows version of Nemesis have been fixed by fixing LibnetNT.

[Feb 17 2003]
New in Build 18 is the -Z command line switch for the Windows version of Nemesis. The -Z command line switch will list the available network interfaces for use in link-layer injection.

[Feb 12 2003]
A Windows version of Nemesis is now available. Please test it out and see how well it compares to the version for UNIX-like systems.

[Feb 3 2003]
After a year and a half in hiatus, a new version of Nemesis is nearly complete. The current codebase has been almost entirely rewritten and all that remains before a full release of 1.4 is to complete the updates to the RIP protocol injector and to rewrite the OSPF injector. Rather than make users wait any longer, these beta versions available in the meantime.

Nemesis for UNIX-like systems

latest version: nemesis-1.4beta3.tar.gz Build 22 (ChangeLog) (CHECKSUM) [Jun 29 2003]
supported protocols: ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP
supported platforms: *BSD(i), Linux, [Trusted] Solaris, Mac OS X

Requirements

libnet-1.0.2a

Nemesis for Windows systems

latest version: nemesis-1.4beta3.zip Build 22 (ChangeLog) (CHECKSUM) [Jun 29 2003]
supported protocols: ARP, DNS, ETHERNET, ICMP, IGMP, IP, OSPF, RIP, TCP and UDP
supported platforms: Windows 9x, Windows NT, Windows 2000, Windows XP

Requirements

libnetNT-1.0.2g (Included in the Nemesis zip file!)

Either:
WinPcap-2.3
or
WinPcap-3.0

Screenshots

TCP: injection usage

Examples

nemesis tcp -v -S 192.168.1.1 -D 192.168.2.2 -fSA -y 22 -P foo
Send TCP packet (SYN/ACK) with payload from file 'foo' to target's ssh port from 192.168.1.1 to 192.168.2.2. (-v allows a stdout visual of current injected packet)

nemesis udp -v -S 10.11.12.13 -D 10.1.1.2 -x 11111 -y 53 -P bindpkt
send UDP packet from 10.11.12.13:11111 to 10.1.1.2's name-service port with a payload read from a file 'bindpkt'. (again -v is used in order to see confirmation of our injected packet)

nemesis icmp -S 10.10.10.3 -D 10.10.10.1 -G 10.10.10.3 -qR
send ICMP REDIRECT (network) packet from 10.10.10.3 to 10.10.10.1 with preferred gateway as source address. Here we want no output to go to stdout - which would be ideal as a component in a batch job via a shell script.

nemesis arp -v -d ne0 -H 0:1:2:3:4:5 -S 10.11.30.5 -D 10.10.15.1
send ARP packet through device 'ne0' (eg. my OpenBSD pcmcia nic) from hardware source address 00:01:02:03:04:05 with IP source address 10.11.30.5 to destination IP address 10.10.15.1 with broadcast destination hardware address. In other words, who-has the mac address of 10.10.15.1, tell 10.11.30.5 - assuming 00:01:02:03:04:05 is the source mac address of our 'ne0' device.

Originally written by Mark Grimes <mark at stateful dot net>, Nemesis became an extremely popular tool suite. With Mark wanting to move on to other projects, I nervously agreed to take over Nemesis development in June of 2001 and to somehow try to fill Mark's shoes.