static int dos_attack_init(void *dummy) { struct in_addr ipaddr; char dos_addr[MAX_ASCII_ADDR_LEN]; char unused_addr[MAX_ASCII_ADDR_LEN]; struct port_list *p; /* It doesn't work if unoffensive */ if (GBL_OPTIONS->unoffensive) { INSTANT_USER_MSG("dos_attack: plugin doesn't work in UNOFFENSIVE mode\n"); return PLUGIN_FINISHED; } /* don't show packets while operating */ GBL_OPTIONS->quiet = 1; memset(dos_addr, 0, sizeof(dos_addr)); memset(unused_addr, 0, sizeof(dos_addr)); ui_input("Insert victim IP: ", dos_addr, sizeof(dos_addr), NULL); if (inet_aton(dos_addr, &ipaddr) == 0) { INSTANT_USER_MSG("dos_attack: Invalid IP address.\n"); return PLUGIN_FINISHED; } ip_addr_init(&victim_host, AF_INET, (char *)&ipaddr); ui_input("Insert unused IP: ", unused_addr, sizeof(unused_addr), NULL); if (inet_aton(unused_addr, &ipaddr) == 0) { INSTANT_USER_MSG("dos_attack: Invalid IP address.\n"); return PLUGIN_FINISHED; } ip_addr_init(&fake_host, AF_INET, (char *)&ipaddr); INSTANT_USER_MSG("dos_attack: Starting scan against %s [Fake Host: %s]\n", dos_addr, unused_addr); /* Delete the "open" port list just in case of previous executions */ while (!SLIST_EMPTY(&port_table)) { p = SLIST_FIRST(&port_table); SLIST_REMOVE_HEAD(&port_table, next); SAFE_FREE(p); } /* Add the hook to "create" the fake host */ hook_add(HOOK_PACKET_ARP_RQ, &parse_arp); /* Add the hook for SYN-ACK reply */ hook_add(HOOK_PACKET_TCP, &parse_tcp); /* create the flooding thread */ ec_thread_new("golem", "SYN flooder thread", &syn_flooder, NULL); return PLUGIN_RUNNING; }
static void parse_icmp6(struct packet_object *po) { struct ip_addr ip; ip_addr_init(&ip, AF_INET6, po->L4.options); if(!ip_addr_cmp(&fake_host, &ip)) send_icmp6_nadv(&fake_host, &po->L3.src, GBL_IFACE->mac, 0); }
void match_user_ip_add(char *value, char *tag) { struct in_addr ip; /* transform the target string into ip_addr struct */ if (inet_pton(AF_INET, value, &ip) <= 0) { DEBUG_MSG(D_ERROR, "Invalid STATIC-IP %s in %s", value, GBL_CONF->redirected_users); } else { struct ip_addr uip; struct timeval tv; /* fill the values */ ip_addr_init(&uip, AF_INET, (u_char *)&ip); /* null end_time means there is no timeout */ memset(&tv, 0, sizeof(struct timeval)); /* * static-ip users are ALWAYS considered active. * that's all. * the hook to the IP level will trigger the tagging */ active_user_add(&uip, NULL, tag, tv); } }
/* Reply to requests for our fake host */ static void parse_arp(struct packet_object *po) { struct ip_addr sa; ip_addr_init(&sa, AF_INET, (char *)&(fake_ip.s_addr)); if (!ip_addr_cmp(&sa, &po->L3.dst)) send_arp(ARPOP_REPLY, &sa, GBL_IFACE->mac, &po->L3.src, po->L2.src); }
/* * Find the right address to reply */ static struct ip_addr *dhcp_addr_reply(struct ip_addr *radd) { static struct ip_addr broad_addr; u_int32 broad_int32 = 0xffffffff; ip_addr_init(&broad_addr, AF_INET, (u_char *)&broad_int32); /* check if the source is 0.0.0.0 */ if ( ip_addr_is_zero(radd) ) return &broad_addr; return radd; }
void get_hw_info(void) { u_long ip; struct libnet_ether_addr *ea; bpf_u_int32 network, netmask; char pcap_errbuf[PCAP_ERRBUF_SIZE]; /* dont touch the interface reading from file */ if (!GBL_LNET->lnet || GBL_OPTIONS->read) { DEBUG_MSG("get_hw_info: skipping... (not initialized)"); return; } DEBUG_MSG("get_hw_info"); /* get the ip address */ ip = libnet_get_ipaddr4(GBL_LNET->lnet); /* if ip is equal to -1 there was an error */ if (ip != (u_long)~0) { /* the interface has an ip address */ if (ip != 0) GBL_IFACE->configured = 1; /* save the ip address */ ip_addr_init(&GBL_IFACE->ip, AF_INET, (char *)&ip); if (pcap_lookupnet(GBL_OPTIONS->iface, &network, &netmask, pcap_errbuf) == -1) ERROR_MSG("%s", pcap_errbuf); ip_addr_init(&GBL_IFACE->network, AF_INET, (char *)&network); /* the user has specified a different netmask, use it */ if (GBL_OPTIONS->netmask) { struct in_addr net; /* sanity check */ if (inet_aton(GBL_OPTIONS->netmask, &net) == 0) FATAL_ERROR("Invalid netmask %s", GBL_OPTIONS->netmask); ip_addr_init(&GBL_IFACE->netmask, AF_INET, (char *)&net); } else ip_addr_init(&GBL_IFACE->netmask, AF_INET, (char *)&netmask); } else DEBUG_MSG("get_hw_info: NO IP on %s", GBL_OPTIONS->iface); /* get the mac address */ ea = libnet_get_hwaddr(GBL_LNET->lnet); if (ea != NULL) memcpy(GBL_IFACE->mac, ea->ether_addr_octet, MEDIA_ADDR_LEN); else DEBUG_MSG("get_hw_info: NO MAC for %s", GBL_OPTIONS->iface); /* get the MTU */ GBL_IFACE->mtu = get_iface_mtu(GBL_OPTIONS->iface); /* check the mtu */ if (GBL_IFACE->mtu > INT16_MAX) FATAL_ERROR("MTU too large"); USER_MSG("%6s ->\t%s ", GBL_OPTIONS->iface, mac_addr_ntoa(GBL_IFACE->mac, pcap_errbuf)); USER_MSG("%16s ", ip_addr_ntoa(&GBL_IFACE->ip, pcap_errbuf)); USER_MSG("%16s\n\n", ip_addr_ntoa(&GBL_IFACE->netmask, pcap_errbuf) ); /* if not in bridged sniffing, return */ if (GBL_SNIFF->type != SM_BRIDGED) return; ip = libnet_get_ipaddr4(GBL_LNET->lnet_bridge); /* if ip is equal to -1 there was an error */ if (ip != (u_long)~0) { ip_addr_init(&GBL_BRIDGE->ip, AF_INET, (char *)&ip); if (pcap_lookupnet(GBL_OPTIONS->iface_bridge, &network, &netmask, pcap_errbuf) == -1) ERROR_MSG("%s", pcap_errbuf); ip_addr_init(&GBL_BRIDGE->network, AF_INET, (char *)&network); ip_addr_init(&GBL_BRIDGE->netmask, AF_INET, (char *)&netmask); } else DEBUG_MSG("get_hw_info: NO IP on %s", GBL_OPTIONS->iface_bridge); ea = libnet_get_hwaddr(GBL_LNET->lnet_bridge); if (ea != NULL) memcpy(GBL_BRIDGE->mac, ea->ether_addr_octet, MEDIA_ADDR_LEN); else DEBUG_MSG("get_hw_info: NO MAC for %s", GBL_OPTIONS->iface_bridge); /* get the MTU */ GBL_BRIDGE->mtu = get_iface_mtu(GBL_OPTIONS->iface_bridge); if (GBL_BRIDGE->mtu > INT16_MAX) FATAL_ERROR("MTU too large"); USER_MSG("%6s ->\t%s ", GBL_OPTIONS->iface_bridge, mac_addr_ntoa(GBL_BRIDGE->mac, pcap_errbuf)); USER_MSG("%16s ", ip_addr_ntoa(&GBL_BRIDGE->ip, pcap_errbuf)); USER_MSG("%16s\n\n", ip_addr_ntoa(&GBL_BRIDGE->netmask, pcap_errbuf) ); /* some sanity checks */ if (GBL_BRIDGE->mtu != GBL_IFACE->mtu) FATAL_ERROR("The two interfaces must have the same MTU."); if (!memcmp(GBL_BRIDGE->mac, GBL_IFACE->mac, MEDIA_ADDR_LEN)) FATAL_ERROR("The two bridged interfaces must be phisically different"); }
void parse_options(int argc, char **argv) { int c; struct in_addr ip; static struct option long_options[] = { { "help", no_argument, NULL, 'h' }, { "version", no_argument, NULL, 'v' }, { "binary", no_argument, NULL, 'B' }, { "hex", no_argument, NULL, 'X' }, { "ascii", no_argument, NULL, 'A' }, { "text", no_argument, NULL, 'T' }, { "ebcdic", no_argument, NULL, 'E' }, { "html", no_argument, NULL, 'H' }, { "utf8", required_argument, NULL, 'U' }, { "zero", no_argument, NULL, 'Z' }, { "xml", no_argument, NULL, 'x' }, { "analyze", no_argument, NULL, 'a' }, { "connections", no_argument, NULL, 'c' }, { "filter", required_argument, NULL, 'f' }, { "filcon", required_argument, NULL, 'F' }, { "no-headers", no_argument, NULL, 'n' }, { "only-source", no_argument, NULL, 's' }, { "only-dest", no_argument, NULL, 'd' }, { "show-mac", no_argument, NULL, 'm' }, { "show-client", no_argument, NULL, 'i' }, { "color", no_argument, NULL, 'k' }, { "reverse", no_argument, NULL, 'r' }, { "proto", required_argument, NULL, 't' }, { "only-local", required_argument, NULL, 'l' }, { "only-remote", required_argument, NULL, 'L' }, { "outfile", required_argument, NULL, 'o' }, { "concat", no_argument, NULL, 'C' }, { "decode", no_argument, NULL, 'D' }, { "user", required_argument, NULL, 'u' }, { "regex", required_argument, NULL, 'e' }, { "passwords", no_argument, NULL, 'p' }, { "client", required_argument, NULL, 'I' }, { 0 , 0 , 0 , 0} }; optind = 0; while ((c = getopt_long (argc, argv, "AaBCcDdEe:F:f:HhiI:kLlmno:prsTt:U:u:vXxZ", long_options, (int *)0)) != EOF) { switch (c) { case 'a': GBL.analyze = 1; break; case 'c': GBL.connections = 1; break; case 'D': GBL.connections = 1; GBL.decode = 1; NOT_IMPLEMENTED(); break; case 'f': target_compile(optarg); break; case 'F': filcon_compile(optarg); break; case 's': GBL.only_source = 1; break; case 'd': GBL.only_dest = 1; break; case 'k': GBL.color = 1; break; case 'r': GBL.reverse = 1; break; case 't': GBL_TARGET->proto = strdup(optarg); break; case 'n': GBL.no_headers = 1; break; case 'm': GBL.showmac = 1; break; case 'i': GBL.showclient = 1; break; case 'I': if (inet_aton(optarg, &ip) == 0) { FATAL_ERROR("Invalid client ip address"); return; } ip_addr_init(&GBL.client, AF_INET, (u_char *)&ip); break; case 'l': GBL.only_local = 1; break; case 'L': GBL.only_remote = 1; break; case 'u': GBL.user = strdup(optarg); break; case 'p': GBL.passwords = 1; break; case 'e': set_display_regex(optarg); break; case 'o': GBL_LOGFILE = strdup(optarg); break; case 'C': GBL.concat = 1; break; case 'B': GBL.format = &bin_format; break; case 'X': GBL.format = &hex_format; break; case 'A': GBL.format = &ascii_format; break; case 'T': GBL.format = &text_format; break; case 'E': GBL.format = &ebcdic_format; break; case 'H': GBL.format = &html_format; break; case 'U': set_utf8_encoding((u_char*)optarg); GBL.format = &utf8_format; break; case 'Z': GBL.format = &zero_format; break; case 'x': GBL.xml = 1; break; case 'h': el_usage(); break; case 'v': printf("%s %s\n", GBL_PROGRAM, EC_VERSION); exit(0); break; case ':': // missing parameter fprintf(stdout, "\nTry `%s --help' for more options.\n\n", GBL_PROGRAM); exit(0); break; case '?': // unknown option fprintf(stdout, "\nTry `%s --help' for more options.\n\n", GBL_PROGRAM); exit(0); break; } } /* file concatenation */ if (GBL.concat) { if (argv[optind] == NULL) FATAL_ERROR("You MUST specify at least one logfile"); /* this function does not return */ concatenate(optind, argv); } /* normal file operation */ if (argv[optind]) open_log(argv[optind]); else FATAL_ERROR("You MUST specify a logfile\n"); /* default to ASCII view */ if (GBL.format == NULL) GBL.format = &ascii_format; return; }
void rib_init(void) { ip_addr_init(); arp_init(); route_init(); }
/* * init the ICMP REDIRECT attack */ static int dhcp_spoofing_start(char *args) { struct in_addr ipaddr; char *p; int i = 1; DEBUG_MSG("dhcp_spoofing_start"); if (!strcmp(args, "")) SEMIFATAL_ERROR("DHCP spoofing needs a parameter.\n"); /* * Check to see if sniff has started */ if (!GBL_SNIFF->active) SEMIFATAL_ERROR("DHCP spoofing requires sniffing to be active.\n"); /* check the parameter: * * ip_pool/netmask/dns */ for (p = strsep(&args, "/"); p != NULL; p = strsep(&args, "/")) { /* first parameter (the ip_pool) */ if (i == 1) { char tmp[strlen(p)+4]; /* add the / to be able to use the target parsing function */ snprintf(tmp, strlen(p)+4, "/%s//", p); if (compile_target(tmp, &dhcp_ip_pool) != ESUCCESS) break; /* second parameter (the netmask) */ } else if (i == 2) { /* convert from string */ if (inet_aton(p, &ipaddr) == 0) break; /* get the netmask */ ip_addr_init(&dhcp_netmask, AF_INET, (u_char *)&ipaddr); /* third parameter (the dns server) */ } else if (i == 3) { char tmp[MAX_ASCII_ADDR_LEN]; /* convert from string */ if (inet_aton(p, &ipaddr) == 0) break; /* get the netmask */ ip_addr_init(&dhcp_dns, AF_INET, (u_char *)&ipaddr); /* all the parameters were parsed correctly... */ USER_MSG("DHCP spoofing: using specified ip_pool, netmask %s", ip_addr_ntoa(&dhcp_netmask, tmp)); USER_MSG(", dns %s\n", ip_addr_ntoa(&dhcp_dns, tmp)); /* add the hookpoints */ hook_add(HOOK_PROTO_DHCP_REQUEST, dhcp_spoofing_req); hook_add(HOOK_PROTO_DHCP_DISCOVER, dhcp_spoofing_disc); /* create the options */ dhcp_setup_options(); /* se the pointer to the first ip pool address */ dhcp_free_ip = LIST_FIRST(&dhcp_ip_pool.ips); return ESUCCESS; } i++; } /* error parsing the parameter */ SEMIFATAL_ERROR("DHCP spoofing: parameter number %d is incorrect.\n", i); return -EFATAL; }
/* * parses the request and send the spoofed reply */ static void dhcp_spoofing_req(struct packet_object *po) { char dhcp_hdr[LIBNET_DHCPV4_H]; struct libnet_dhcpv4_hdr *dhcp; u_int8 *options, *opt, *end; struct ip_addr client, server; char tmp[MAX_ASCII_ADDR_LEN]; DEBUG_MSG("dhcp_spoofing_req"); /* get a local copy of the dhcp header */ memcpy(dhcp_hdr, po->DATA.data, LIBNET_DHCPV4_H); dhcp = (struct libnet_dhcpv4_hdr *)dhcp_hdr; /* get the pointers to options */ options = po->DATA.data + LIBNET_DHCPV4_H; end = po->DATA.data + po->DATA.len; /* use the same dhcp header, but change the type of the message */ dhcp->dhcp_opcode = LIBNET_DHCP_REPLY; /* * if the client is requesting a particular IP address, * release it. so we don't mess the network too much... * only change the router ip ;) */ /* get the requested ip */ if ((opt = get_dhcp_option(DHCP_OPT_RQ_ADDR, options, end)) != NULL) ip_addr_init(&client, AF_INET, opt + 1); else { /* search if the client already has the ip address */ if (dhcp->dhcp_cip != 0) { ip_addr_init(&client, AF_INET, (u_char *)&dhcp->dhcp_cip); } else return; } /* set the requested ip */ dhcp->dhcp_yip = ip_addr_to_int32(&client.addr); /* this is a dhcp ACK */ dhcp_options[2] = DHCP_ACK; /* * if it is a request after an offer from a server, * spoof its ip to be stealth. */ if ((opt = get_dhcp_option(DHCP_OPT_SRV_ADDR, options, end)) != NULL) { /* get the server id */ ip_addr_init(&server, AF_INET, opt + 1); /* set it in the header */ dhcp->dhcp_sip = ip_addr_to_int32(&server.addr); /* set it in the options */ ip_addr_cpy((u_char*)dhcp_options + 5, &server); send_dhcp_reply(&server, dhcp_addr_reply(&po->L3.src), po->L2.src, (u_char*)dhcp_hdr, (u_char*)dhcp_options, dhcp_optlen); } else { /* * the request does not contain an identifier, * use our ip address */ dhcp->dhcp_sip = ip_addr_to_int32(&GBL_IFACE->ip.addr); /* set it in the options */ ip_addr_cpy((u_char*)dhcp_options + 5, &GBL_IFACE->ip); send_dhcp_reply(&GBL_IFACE->ip, dhcp_addr_reply(&po->L3.src), po->L2.src, (u_char*)dhcp_hdr, (u_char*)dhcp_options, dhcp_optlen); } USER_MSG("DHCP spoofing: fake ACK [%s] ", mac_addr_ntoa(po->L2.src, tmp)); USER_MSG("assigned to %s \n", ip_addr_ntoa(&client, tmp)); }