static void display_headers(struct packet_object *po)
{
/* it is at least 26... rounding up */
char time[28];
char tmp1[MAX_ASCII_ADDR_LEN];
char tmp2[MAX_ASCII_ADDR_LEN];
char flags[8];
char *p = flags;
char proto[5];
memset(flags, 0, sizeof(flags));
memset(proto, 0, sizeof(proto));
fprintf(stdout, "\n\n");
/* remove the final '\n' */
strncpy(time, ctime((time_t *)&po->ts.tv_sec), 28);
time[strlen(time)-1] = 0;
/* displat the date */
fprintf(stdout, "%s\n", time);
//fprintf(stdout, "%x %x\n", (u_int)po->ts.tv_sec, (u_int)po->ts.tv_usec);
if (GBL_OPTIONS->ext_headers) {
/* display the mac addresses */
mac_addr_ntoa(po->L2.src, tmp1);
mac_addr_ntoa(po->L2.dst, tmp2);
fprintf(stdout, "%17s --> %17s\n", tmp1, tmp2 );
}
/* calculate the flags */
if (po->L4.flags & TH_SYN) *p++ = 'S';
if (po->L4.flags & TH_FIN) *p++ = 'F';
if (po->L4.flags & TH_RST) *p++ = 'R';
if (po->L4.flags & TH_ACK) *p++ = 'A';
if (po->L4.flags & TH_PSH) *p++ = 'P';
/* determine the proto */
switch(po->L4.proto) {
case NL_TYPE_TCP:
strncpy(proto, "TCP", 3);
break;
case NL_TYPE_UDP:
strncpy(proto, "UDP", 3);
break;
}
/* display the ip addresses */
ip_addr_ntoa(&po->L3.src, tmp1);
ip_addr_ntoa(&po->L3.dst, tmp2);
fprintf(stdout, "%s %s:%d --> %s:%d | %s\n", proto, tmp1, ntohs(po->L4.src),
tmp2, ntohs(po->L4.dst),
flags);
fprintf(stdout, "\n");
}
static void display_headers(struct packet_object *po)
{
char tmp1[MAX_ASCII_ADDR_LEN];
char tmp2[MAX_ASCII_ADDR_LEN];
char flags[8];
char *p = flags;
char proto[5];
memset(flags, 0, sizeof(flags));
memset(proto, 0, sizeof(proto));
/* display the date. ec_ctime() has no newline at end. */
fprintf(stdout, "\n\n%s [%lu]\n", ec_ctime(&po->ts), po->ts.tv_usec);
if (GBL_OPTIONS->ext_headers) {
/* display the mac addresses */
mac_addr_ntoa(po->L2.src, tmp1);
mac_addr_ntoa(po->L2.dst, tmp2);
fprintf(stdout, "%17s --> %17s\n", tmp1, tmp2 );
}
/* calculate the flags */
if (po->L4.flags & TH_SYN) *p++ = 'S';
if (po->L4.flags & TH_FIN) *p++ = 'F';
if (po->L4.flags & TH_RST) *p++ = 'R';
if (po->L4.flags & TH_ACK) *p++ = 'A';
if (po->L4.flags & TH_PSH) *p++ = 'P';
/* determine the proto */
switch(po->L4.proto) {
case NL_TYPE_TCP:
strncpy(proto, "TCP", 3);
break;
case NL_TYPE_UDP:
strncpy(proto, "UDP", 3);
break;
}
/* display the ip addresses */
ip_addr_ntoa(&po->L3.src, tmp1);
ip_addr_ntoa(&po->L3.dst, tmp2);
fprintf(stdout, "%s %s:%d --> %s:%d | %s\n", proto, tmp1, ntohs(po->L4.src),
tmp2, ntohs(po->L4.dst),
flags);
fprintf(stdout, "\n");
}
/*
* parses the discovery message and send the spoofed reply
*/
static void dhcp_spoofing_disc(struct packet_object *po)
{
char dhcp_hdr[LIBNET_DHCPV4_H];
struct libnet_dhcpv4_hdr *dhcp;
char tmp[MAX_ASCII_ADDR_LEN];
DEBUG_MSG("dhcp_spoofing_disc");
/* no more ip available in the pool */
if (dhcp_free_ip == SLIST_END(&dhcp_ip_pool.ips))
return;
/* get a local copy of the dhcp header */
memcpy(dhcp_hdr, po->DATA.data, LIBNET_DHCPV4_H);
dhcp = (struct libnet_dhcpv4_hdr *)dhcp_hdr;
/* use the same dhcp header, but change the type of the message */
dhcp->dhcp_opcode = LIBNET_DHCP_REPLY;
/* this is a dhcp OFFER */
dhcp_options[2] = DHCP_OFFER;
/* set the free ip from the pool */
dhcp->dhcp_yip = ip_addr_to_int32(&dhcp_free_ip->ip.addr);
/* set it in the header */
dhcp->dhcp_sip = ip_addr_to_int32(&GBL_IFACE->ip.addr);
/* set it in the options */
ip_addr_cpy((u_char*)dhcp_options + 5, &GBL_IFACE->ip);
/* send the packet */
send_dhcp_reply(&GBL_IFACE->ip, dhcp_addr_reply(&po->L3.src), po->L2.src, (u_char*)dhcp_hdr, (u_char*)dhcp_options, dhcp_optlen);
USER_MSG("DHCP spoofing: fake OFFER [%s] ", mac_addr_ntoa(po->L2.src, tmp));
USER_MSG("offering %s \n", ip_addr_ntoa(&dhcp_free_ip->ip, tmp));
/* move the pointer to the next ip */
dhcp_free_ip = LIST_NEXT(dhcp_free_ip, next);
}
void get_hw_info(void)
{
u_long ip;
struct libnet_ether_addr *ea;
bpf_u_int32 network, netmask;
char pcap_errbuf[PCAP_ERRBUF_SIZE];
/* dont touch the interface reading from file */
if (!GBL_LNET->lnet || GBL_OPTIONS->read) {
DEBUG_MSG("get_hw_info: skipping... (not initialized)");
return;
}
DEBUG_MSG("get_hw_info");
/* get the ip address */
ip = libnet_get_ipaddr4(GBL_LNET->lnet);
/* if ip is equal to -1 there was an error */
if (ip != (u_long)~0) {
/* the interface has an ip address */
if (ip != 0)
GBL_IFACE->configured = 1;
/* save the ip address */
ip_addr_init(&GBL_IFACE->ip, AF_INET, (char *)&ip);
if (pcap_lookupnet(GBL_OPTIONS->iface, &network, &netmask, pcap_errbuf) == -1)
ERROR_MSG("%s", pcap_errbuf);
ip_addr_init(&GBL_IFACE->network, AF_INET, (char *)&network);
/* the user has specified a different netmask, use it */
if (GBL_OPTIONS->netmask) {
struct in_addr net;
/* sanity check */
if (inet_aton(GBL_OPTIONS->netmask, &net) == 0)
FATAL_ERROR("Invalid netmask %s", GBL_OPTIONS->netmask);
ip_addr_init(&GBL_IFACE->netmask, AF_INET, (char *)&net);
} else
ip_addr_init(&GBL_IFACE->netmask, AF_INET, (char *)&netmask);
} else
DEBUG_MSG("get_hw_info: NO IP on %s", GBL_OPTIONS->iface);
/* get the mac address */
ea = libnet_get_hwaddr(GBL_LNET->lnet);
if (ea != NULL)
memcpy(GBL_IFACE->mac, ea->ether_addr_octet, MEDIA_ADDR_LEN);
else
DEBUG_MSG("get_hw_info: NO MAC for %s", GBL_OPTIONS->iface);
/* get the MTU */
GBL_IFACE->mtu = get_iface_mtu(GBL_OPTIONS->iface);
/* check the mtu */
if (GBL_IFACE->mtu > INT16_MAX)
FATAL_ERROR("MTU too large");
USER_MSG("%6s ->\t%s ", GBL_OPTIONS->iface,
mac_addr_ntoa(GBL_IFACE->mac, pcap_errbuf));
USER_MSG("%16s ", ip_addr_ntoa(&GBL_IFACE->ip, pcap_errbuf));
USER_MSG("%16s\n\n", ip_addr_ntoa(&GBL_IFACE->netmask, pcap_errbuf) );
/* if not in bridged sniffing, return */
if (GBL_SNIFF->type != SM_BRIDGED)
return;
ip = libnet_get_ipaddr4(GBL_LNET->lnet_bridge);
/* if ip is equal to -1 there was an error */
if (ip != (u_long)~0) {
ip_addr_init(&GBL_BRIDGE->ip, AF_INET, (char *)&ip);
if (pcap_lookupnet(GBL_OPTIONS->iface_bridge, &network, &netmask, pcap_errbuf) == -1)
ERROR_MSG("%s", pcap_errbuf);
ip_addr_init(&GBL_BRIDGE->network, AF_INET, (char *)&network);
ip_addr_init(&GBL_BRIDGE->netmask, AF_INET, (char *)&netmask);
} else
DEBUG_MSG("get_hw_info: NO IP on %s", GBL_OPTIONS->iface_bridge);
ea = libnet_get_hwaddr(GBL_LNET->lnet_bridge);
if (ea != NULL)
memcpy(GBL_BRIDGE->mac, ea->ether_addr_octet, MEDIA_ADDR_LEN);
else
DEBUG_MSG("get_hw_info: NO MAC for %s", GBL_OPTIONS->iface_bridge);
/* get the MTU */
GBL_BRIDGE->mtu = get_iface_mtu(GBL_OPTIONS->iface_bridge);
if (GBL_BRIDGE->mtu > INT16_MAX)
FATAL_ERROR("MTU too large");
USER_MSG("%6s ->\t%s ", GBL_OPTIONS->iface_bridge,
mac_addr_ntoa(GBL_BRIDGE->mac, pcap_errbuf));
USER_MSG("%16s ", ip_addr_ntoa(&GBL_BRIDGE->ip, pcap_errbuf));
USER_MSG("%16s\n\n", ip_addr_ntoa(&GBL_BRIDGE->netmask, pcap_errbuf) );
/* some sanity checks */
if (GBL_BRIDGE->mtu != GBL_IFACE->mtu)
FATAL_ERROR("The two interfaces must have the same MTU.");
if (!memcmp(GBL_BRIDGE->mac, GBL_IFACE->mac, MEDIA_ADDR_LEN))
FATAL_ERROR("The two bridged interfaces must be phisically different");
}
/* Parse the arp packets */
static void parse_arp(struct packet_object *po)
{
char tmp[MAX_ASCII_ADDR_LEN];
char tmp2[MAX_ASCII_ADDR_LEN];
struct ip_list *t;
/* if arp poisonin is not running, do nothing */
if (!is_mitm_active("arp"))
return;
/* don't add our addresses */
if (!ip_addr_cmp(&EC_GBL_IFACE->ip, &po->L3.src))
return;
if (!memcmp(&EC_GBL_IFACE->mac, &po->L2.src, MEDIA_ADDR_LEN))
return;
/* don't add undefined address */
if (ip_addr_is_zero(&po->L3.src))
return;
/* search in target 1 */
if (EC_GBL_TARGET1->all_ip) {
if (add_to_victims(&arp_group_one, po) == E_SUCCESS)
USER_MSG("autoadd: %s %s added to GROUP1\n", ip_addr_ntoa(&po->L3.src, tmp), mac_addr_ntoa(po->L2.src, tmp2));
} else {
LIST_FOREACH(t, &EC_GBL_TARGET1->ips, next)
if (!ip_addr_cmp(&t->ip, &po->L3.src))
if (add_to_victims(&arp_group_one, po) == E_SUCCESS)
USER_MSG("autoadd: %s %s added to GROUP1\n", ip_addr_ntoa(&po->L3.src, tmp), mac_addr_ntoa(po->L2.src, tmp2));
}
/* search in target 2 */
if (EC_GBL_TARGET2->all_ip) {
if (add_to_victims(&arp_group_two, po) == E_SUCCESS)
USER_MSG("autoadd: %s %s added to GROUP2\n", ip_addr_ntoa(&po->L3.src, tmp), mac_addr_ntoa(po->L2.src, tmp2));
} else {
LIST_FOREACH(t, &EC_GBL_TARGET2->ips, next)
if (!ip_addr_cmp(&t->ip, &po->L3.src))
if (add_to_victims(&arp_group_two, po) == E_SUCCESS)
USER_MSG("autoadd: %s %s added to GROUP2\n", ip_addr_ntoa(&po->L3.src, tmp), mac_addr_ntoa(po->L2.src, tmp2));
}
}
/*
* details for a connection
*/
static void curses_connection_detail(void *conn)
{
struct conn_tail *c = (struct conn_tail *)conn;
char tmp[MAX_ASCII_ADDR_LEN];
char *proto = "";
char name[MAX_HOSTNAME_LEN];
unsigned int row = 0;
DEBUG_MSG("curses_connection_detail");
/* if the object already exist, set the focus to it */
if (wdg_conn_detail) {
wdg_destroy_object(&wdg_conn_detail);
wdg_conn_detail = NULL;
}
wdg_create_object(&wdg_conn_detail, WDG_WINDOW, WDG_OBJ_WANT_FOCUS);
wdg_set_title(wdg_conn_detail, "Connection detail:", WDG_ALIGN_LEFT);
wdg_set_size(wdg_conn_detail, 1, 2, 75, 23);
wdg_set_color(wdg_conn_detail, WDG_COLOR_SCREEN, EC_COLOR);
wdg_set_color(wdg_conn_detail, WDG_COLOR_WINDOW, EC_COLOR);
wdg_set_color(wdg_conn_detail, WDG_COLOR_BORDER, EC_COLOR_BORDER);
wdg_set_color(wdg_conn_detail, WDG_COLOR_FOCUS, EC_COLOR_FOCUS);
wdg_set_color(wdg_conn_detail, WDG_COLOR_TITLE, EC_COLOR_TITLE);
wdg_draw_object(wdg_conn_detail);
wdg_set_focus(wdg_conn_detail);
/* add the destroy callback */
wdg_add_destroy_key(wdg_conn_detail, CTRL('Q'), NULL);
/* print the information */
wdg_window_print(wdg_conn_detail, 1, ++row, "Source MAC address : %s",
mac_addr_ntoa(c->co->L2_addr1, tmp));
wdg_window_print(wdg_conn_detail, 1, ++row, "Destination MAC address : %s",
mac_addr_ntoa(c->co->L2_addr2, tmp));
++row;
wdg_window_print(wdg_conn_detail, 1, ++row, "Source IP address : %s",
ip_addr_ntoa(&(c->co->L3_addr1), tmp));
if (host_iptoa(&(c->co->L3_addr1), name) == E_SUCCESS)
wdg_window_print(wdg_conn_detail, 1, ++row, "Source hostname : %s",
name);
#ifdef HAVE_GEOIP
if (GBL_CONF->geoip_support_enable)
wdg_window_print(wdg_conn_detail, 1, ++row, "Source location : %s",
geoip_country_by_ip(&c->co->L3_addr1));
#endif
wdg_window_print(wdg_conn_detail, 1, ++row, "Destination IP address : %s",
ip_addr_ntoa(&(c->co->L3_addr2), tmp));
if (host_iptoa(&(c->co->L3_addr2), name) == E_SUCCESS)
wdg_window_print(wdg_conn_detail, 1, ++row, "Destination hostname : %s", name);
#ifdef HAVE_GEOIP
if (GBL_CONF->geoip_support_enable)
wdg_window_print(wdg_conn_detail, 1, ++row, "Destination location : %s",
geoip_country_by_ip(&c->co->L3_addr2));
#endif
++row;
switch (c->co->L4_proto) {
case NL_TYPE_UDP:
proto = "UDP";
break;
case NL_TYPE_TCP:
proto = "TCP";
break;
}
wdg_window_print(wdg_conn_detail, 1, ++row, "Protocol : %s", proto);
wdg_window_print(wdg_conn_detail, 1, ++row, "Source port : %-5d %s",
ntohs(c->co->L4_addr1), service_search(c->co->L4_addr1, c->co->L4_proto));
wdg_window_print(wdg_conn_detail, 1, ++row, "Destination port : %-5d %s",
ntohs(c->co->L4_addr2), service_search(c->co->L4_addr2, c->co->L4_proto));
row++;
wdg_window_print(wdg_conn_detail, 1, ++row, "--> %d <-- %d total: %d ", c->co->tx, c->co->rx, c->co->xferred);
row++;
if (c->co->DISSECTOR.user) {
wdg_window_print(wdg_conn_detail, 1, ++row, "Account : %s / %s", c->co->DISSECTOR.user, c->co->DISSECTOR.pass);
if (c->co->DISSECTOR.info)
wdg_window_print(wdg_conn_detail, 1, ++row, "Additional Info : %s", c->co->DISSECTOR.info);
}
}
/*
* parses the request and send the spoofed reply
*/
static void dhcp_spoofing_req(struct packet_object *po)
{
char dhcp_hdr[LIBNET_DHCPV4_H];
struct libnet_dhcpv4_hdr *dhcp;
u_int8 *options, *opt, *end;
struct ip_addr client, server;
char tmp[MAX_ASCII_ADDR_LEN];
DEBUG_MSG("dhcp_spoofing_req");
/* get a local copy of the dhcp header */
memcpy(dhcp_hdr, po->DATA.data, LIBNET_DHCPV4_H);
dhcp = (struct libnet_dhcpv4_hdr *)dhcp_hdr;
/* get the pointers to options */
options = po->DATA.data + LIBNET_DHCPV4_H;
end = po->DATA.data + po->DATA.len;
/* use the same dhcp header, but change the type of the message */
dhcp->dhcp_opcode = LIBNET_DHCP_REPLY;
/*
* if the client is requesting a particular IP address,
* release it. so we don't mess the network too much...
* only change the router ip ;)
*/
/* get the requested ip */
if ((opt = get_dhcp_option(DHCP_OPT_RQ_ADDR, options, end)) != NULL)
ip_addr_init(&client, AF_INET, opt + 1);
else {
/* search if the client already has the ip address */
if (dhcp->dhcp_cip != 0) {
ip_addr_init(&client, AF_INET, (u_char *)&dhcp->dhcp_cip);
} else
return;
}
/* set the requested ip */
dhcp->dhcp_yip = ip_addr_to_int32(&client.addr);
/* this is a dhcp ACK */
dhcp_options[2] = DHCP_ACK;
/*
* if it is a request after an offer from a server,
* spoof its ip to be stealth.
*/
if ((opt = get_dhcp_option(DHCP_OPT_SRV_ADDR, options, end)) != NULL) {
/* get the server id */
ip_addr_init(&server, AF_INET, opt + 1);
/* set it in the header */
dhcp->dhcp_sip = ip_addr_to_int32(&server.addr);
/* set it in the options */
ip_addr_cpy((u_char*)dhcp_options + 5, &server);
send_dhcp_reply(&server, dhcp_addr_reply(&po->L3.src), po->L2.src, (u_char*)dhcp_hdr, (u_char*)dhcp_options, dhcp_optlen);
} else {
/*
* the request does not contain an identifier,
* use our ip address
*/
dhcp->dhcp_sip = ip_addr_to_int32(&GBL_IFACE->ip.addr);
/* set it in the options */
ip_addr_cpy((u_char*)dhcp_options + 5, &GBL_IFACE->ip);
send_dhcp_reply(&GBL_IFACE->ip, dhcp_addr_reply(&po->L3.src), po->L2.src, (u_char*)dhcp_hdr, (u_char*)dhcp_options, dhcp_optlen);
}
USER_MSG("DHCP spoofing: fake ACK [%s] ", mac_addr_ntoa(po->L2.src, tmp));
USER_MSG("assigned to %s \n", ip_addr_ntoa(&client, tmp));
}
/*
* details for a connection
*/
static void gtkui_connection_detail(void)
{
GtkTreeIter iter;
GtkTreeModel *model;
GtkTextBuffer *textbuf;
char line[200];
struct conn_tail *c = NULL;
char tmp[MAX_ASCII_ADDR_LEN];
char *proto = "";
char name[MAX_HOSTNAME_LEN];
DEBUG_MSG("gtk_connection_detail");
model = GTK_TREE_MODEL (ls_conns);
if (gtk_tree_selection_get_selected (GTK_TREE_SELECTION (selection), &model, &iter)) {
gtk_tree_model_get (model, &iter, 9, &c, -1);
} else
return; /* nothing is selected */
if(!c || !c->co)
return;
textbuf = gtkui_details_window("Connection Details");
snprintf(line, 200, "Source MAC address : %s\n", mac_addr_ntoa(c->co->L2_addr1, tmp));
gtkui_details_print(textbuf, line);
snprintf(line, 200, "Destination MAC address : %s\n\n", mac_addr_ntoa(c->co->L2_addr2, tmp));
gtkui_details_print(textbuf, line);
snprintf(line, 200, "Source IP address : \t%s\n", ip_addr_ntoa(&(c->co->L3_addr1), tmp));
gtkui_details_print(textbuf, line);
if (host_iptoa(&(c->co->L3_addr1), name) == ESUCCESS) {
snprintf(line, 200, " %s\n", name);
gtkui_details_print(textbuf, line);
}
snprintf(line, 200, "Destination IP address : \t%s\n", ip_addr_ntoa(&(c->co->L3_addr2), tmp));
gtkui_details_print(textbuf, line);
if (host_iptoa(&(c->co->L3_addr2), name) == ESUCCESS) {
snprintf(line, 200, " %s\n", name);
gtkui_details_print(textbuf, line);
}
gtkui_details_print(textbuf, "\n");
/* Protocol */
switch (c->co->L4_proto) {
case NL_TYPE_UDP:
proto = "UDP";
break;
case NL_TYPE_TCP:
proto = "TCP";
break;
}
snprintf(line, 200, "Protocol: \t\t\t%s\n", proto);
gtkui_details_print(textbuf, line);
snprintf(line, 200, "Source port: \t\t%-5d %s\n", ntohs(c->co->L4_addr1), service_search(c->co->L4_addr1, c->co->L4_proto));
gtkui_details_print(textbuf, line);
snprintf(line, 200, "Destination port: \t%-5d %s\n\n", ntohs(c->co->L4_addr2), service_search(c->co->L4_addr2, c->co->L4_proto));
gtkui_details_print(textbuf, line);
snprintf(line, 200, "Transferred bytes: %d\n\n", c->co->xferred);
gtkui_details_print(textbuf, line);
/* Login Information */
if (c->co->DISSECTOR.user) {
snprintf(line, 200, "Account: \t%s / %s", c->co->DISSECTOR.user, c->co->DISSECTOR.pass);
gtkui_details_print(textbuf, line);
if (c->co->DISSECTOR.info) {
snprintf(line, 200, " Additional Info: %s\n", c->co->DISSECTOR.info);
gtkui_details_print(textbuf, line);
}
}
}
