Fragroute – Network Firewall Testing & Packet Fragmentation Tool

Fragroute – A Network Packet Fragmentation & Firewall Testing Tool

Hello tech geeks how is the learning going so far? So as you might have gotten an idea about what this tool does and what is it used for so for that I will be covering some basic information about this tool. I am creating these series of Kali Linux in which I will try to cover tools from different categories from Kali Linux tools currently I am going to b covering Information Gathering section.

Fragroute intercepts modify and rewrite egress traffic destined for the specified host. Simply frag route fragments packets originating from our(attacker) system to the destination system. Its used by security personnel or hackers for evading firewalls, avoiding IDS/IPS detections & alerts etc. Also, pentesters use it to gather information from a highly secured remote host.

Implementing most of the attacks described in the Secure Networks “Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection” paper of January 1998.

Options – Fragroute

fragroute –f <lconfigfile> dst<destination>

-f – Config file on how frag route should work.

Default configuration file is at /etc/fragroute.conf. One can either use this default file or write a new configuration file. The custom file requires following rules to be written.

delay first|last|random <ms>
drop first|last|random <prob-%>
dup first|last|random <prob-%>
echo <string> ...
ip_chaff dup|opt|<ttl>
ip_frag <size> [old|new]
ip_opt lsrr|ssrr <ptr> <ip-addr> ...
ip_ttl <ttl>
ip_tos <tos>
order random|reverse
tcp_chaff cksum|null|paws|rexmit|seq|syn|<ttl>
tcp_opt mss|wscale <size>
tcp_seg <size> [old|new]

Fragroute Homepage:

Lab:1 Fragment large ping packets

This demonstrates large ping packets being fragmented in between 2 hosts, the attacker & target. The attacker has IP address & target has

1. In attacker, machine turn on Fragroute

Command: fragroute –f /etc/fragroute.conf<replace with your destination>

Now On another terminal to test this out what we can do is just run large ping as see if the ping request is being fragmented on to smaller chunks or not.

Now check the terminal running fragroute and see if the packets are fragmented or not.

As you can see that whole ping request packets are fragmented out into small chunks and then sent to the target.

Custom configuration

Suppose we have to increase TTL value & no of TCP segments in order to evade a firewall.

1. Make a new file.<here it is custconf>

Command: leafpad custconf <yourname here>

2.  In that file, type

tcp_seg 8 new   -    No of tcp segments(default is 4)

ip_frag 32      -    No of ip fragments(default is 24)

ip_chaff dup    -

ip_ttl 10       -    ttl 10

order random


Now the file looks like the following image. Remember not to include my description of what the parameter is, from the above field.

Now what you can do is specify your own custom config file to Fragroute and use it.

Command: fragroute –f custconf <replace "custconf" with your filename>

And now same as the previous step, you can run a large ping packet and then you can see the result in the terminal running fragroute.

And on the destination system, you can also check if the packets are coming through or not by using WireShark or TCP dump.

As you also know that Nmap also does the ping scan you can also run fragroute with Nmap and see if the IDS systems are bypassed or the firewall is configured properly or not.


Please enter your comment!
Please enter your name here