int main(int argc, char **argv){
extern char *optarg;
int r, sel;
fd_set sset, rset;
#if defined(sun) || defined(__sun) || defined (__linux__)
struct timeval timeout;
#endif
struct target_ipv6 targetipv6;
static struct option longopts[] = {
{"interface", required_argument, 0, 'i'},
{"src-address", required_argument, 0, 's'},
{"dst-address", required_argument, 0, 'd'},
{"hop-limit", required_argument, 0, 'A'},
{"dst-opt-hdr", required_argument, 0, 'u'},
{"dst-opt-u-hdr", required_argument, 0, 'U'},
{"hbh-opt-hdr", required_argument, 0, 'H'},
{"frag-hdr", required_argument, 0, 'y'},
{"link-src-addr", required_argument, 0, 'S'},
{"link-dst-addr", required_argument, 0, 'D'},
{"target", required_argument, 0, 't'},
{"router", no_argument, 0, 'r'},
{"solicited", no_argument, 0, 'c'},
{"override", no_argument, 0, 'o'},
{"target-addr-opt", required_argument, 0, 'E'},
{"add-target-opt", no_argument, 0, 'e'},
{"block-src-addr", required_argument, 0, 'j'},
{"block-dst-addr", required_argument, 0, 'k'},
{"block-link-src-addr", required_argument, 0, 'J'},
{"block-link-dst-addr", required_argument, 0, 'K'},
{"block-target-addr", required_argument, 0, 'w'},
{"accept-src-addr", required_argument, 0, 'b'},
{"accept-dst-addr", required_argument, 0, 'g'},
{"accept-link-src-addr", required_argument, 0, 'B'},
{"accept-link-dst-addr", required_argument, 0, 'G'},
{"accept-target-addr", required_argument, 0, 'W'},
{"flood-sources", required_argument, 0, 'F'},
{"flood-targets", required_argument, 0, 'T'},
{"loop", no_argument, 0, 'l'},
{"sleep", required_argument, 0, 'z'},
{"listen", no_argument, 0, 'L'},
{"verbose", no_argument, 0, 'v'},
{"help", no_argument, 0, 'h'},
{0, 0, 0, 0 }
};
char shortopts[]= "i:s:d:A:u:U:H:y:S:D:t:roceE:j:k:J:K:w:b:g:B:G:W:T:F:lz:vhL";
char option;
if(argc<=1){
usage();
exit(EXIT_FAILURE);
}
hoplimit=255;
/* Initialize filters structure */
if(init_filters(&filters) == -1){
puts("Error initializing internal data structure");
exit(EXIT_FAILURE);
}
if(init_iface_data(&idata) == FAILURE){
puts("Error initializing internal data structure");
exit(EXIT_FAILURE);
}
while((r=getopt_long(argc, argv, shortopts, longopts, NULL)) != -1) {
option= r;
switch(option) {
case 'i': /* Interface */
strncpy(idata.iface, optarg, IFACE_LENGTH-1);
idata.iface[IFACE_LENGTH-1]=0;
idata.iface_f=TRUE;
break;
case 's': /* IPv6 Source Address */
if(idata.srcaddr_f){
puts("Error: Multiple '-s' options have been specified");
exit(EXIT_FAILURE);
}
if((charptr = strtok_r(optarg, "/", &lasts)) == NULL){
puts("Error in Source Address");
exit(EXIT_FAILURE);
}
if ( inet_pton(AF_INET6, charptr, &(idata.srcaddr)) <= 0){
puts("inet_pton(): Source Address not valid");
exit(EXIT_FAILURE);
}
idata.srcaddr_f = 1;
if((charptr = strtok_r(NULL, " ", &lasts)) != NULL){
idata.srcpreflen = atoi(charptr);
if(idata.srcpreflen>128){
puts("Prefix length error in IPv6 Source Address");
exit(EXIT_FAILURE);
}
sanitize_ipv6_prefix(&(idata.srcaddr), idata.srcpreflen);
idata.srcprefix_f=1;
}
break;
case 'd': /* IPv6 Destination Address */
strncpy( targetipv6.name, optarg, NI_MAXHOST);
targetipv6.name[NI_MAXHOST-1]= 0;
targetipv6.flags= AI_CANONNAME;
if( (r=get_ipv6_target(&targetipv6)) != 0){
if(r < 0){
printf("Unknown Destination: %s\n", gai_strerror(targetipv6.res));
}
else{
puts("Unknown Destination: No IPv6 address found for specified destination");
}
exit(1);
}
idata.dstaddr= targetipv6.ip6;
idata.dstaddr_f = 1;
break;
case 'A': /* Hop Limit */
hoplimit= atoi(optarg);
hoplimit_f=1;
break;
case 'y': /* Fragment header */
nfrags= atoi(optarg);
if(nfrags < 8){
puts("Error in Fragmentation option: Fragment Size must be at least 8 bytes");
exit(EXIT_FAILURE);
}
nfrags = (nfrags +7) & 0xfff8;
idata.fragh_f= 1;
break;
case 'u': /* Destinations Options Header */
if(ndstopthdr >= MAX_DST_OPT_HDR){
puts("Too many Destination Options Headers");
exit(EXIT_FAILURE);
}
hdrlen= atoi(optarg);
if(hdrlen < 8){
puts("Bad length in Destination Options Header");
exit(EXIT_FAILURE);
}
hdrlen = ((hdrlen+7)/8) * 8;
dstopthdrlen[ndstopthdr]= hdrlen;
if( (dstopthdr[ndstopthdr]= malloc(hdrlen)) == NULL){
puts("Not enough memory for Destination Options Header");
exit(EXIT_FAILURE);
}
ptrhdr= dstopthdr[ndstopthdr] + 2;
ptrhdrend= dstopthdr[ndstopthdr] + hdrlen;
while( ptrhdr < ptrhdrend){
if( (ptrhdrend-ptrhdr)>257)
pad= 257;
else
pad= ptrhdrend-ptrhdr;
if(!insert_pad_opt(ptrhdr, ptrhdrend, pad)){
puts("Destination Options Header Too Big");
exit(EXIT_FAILURE);
}
ptrhdr= ptrhdr + pad;
}
*(dstopthdr[ndstopthdr]+1)= (hdrlen/8)-1;
ndstopthdr++;
dstopthdr_f=1;
break;
case 'U': /* Destination Options Header (Unfragmentable Part) */
if(ndstoptuhdr >= MAX_DST_OPT_U_HDR){
puts("Too many Destination Options Headers (Unfragmentable Part)");
exit(EXIT_FAILURE);
}
hdrlen= atoi(optarg);
if(hdrlen < 8){
puts("Bad length in Destination Options Header (Unfragmentable Part)");
exit(EXIT_FAILURE);
}
hdrlen = ((hdrlen+7)/8) * 8;
dstoptuhdrlen[ndstoptuhdr]= hdrlen;
if( (dstoptuhdr[ndstoptuhdr]= malloc(hdrlen)) == NULL){
puts("Not enough memory for Destination Options Header (Unfragmentable Part)");
exit(EXIT_FAILURE);
}
ptrhdr= dstoptuhdr[ndstoptuhdr]+2;
ptrhdrend= dstoptuhdr[ndstoptuhdr] + hdrlen;
while( ptrhdr < ptrhdrend){
if( (ptrhdrend-ptrhdr)>257)
pad= 257;
else
pad= ptrhdrend-ptrhdr;
if(!insert_pad_opt(ptrhdr, ptrhdrend, pad)){
puts("Destination Options Header (Unfragmentable Part) Too Big");
exit(EXIT_FAILURE);
}
ptrhdr = ptrhdr + pad;
}
*(dstoptuhdr[ndstoptuhdr]+1)= (hdrlen/8) - 1;
ndstoptuhdr++;
dstoptuhdr_f=1;
break;
case 'H': /* Hop-by-Hop Options Header */
if(nhbhopthdr >= MAX_HBH_OPT_HDR){
puts("Too many Hop-by-Hop Options Headers");
exit(EXIT_FAILURE);
}
hdrlen= atoi(optarg);
if(hdrlen < 8){
puts("Bad length in Hop-by-Hop Options Header");
exit(EXIT_FAILURE);
}
hdrlen = ((hdrlen+7)/8) * 8;
hbhopthdrlen[nhbhopthdr]= hdrlen;
if( (hbhopthdr[nhbhopthdr]= malloc(hdrlen)) == NULL){
puts("Not enough memory for Hop-by-Hop Options Header");
exit(EXIT_FAILURE);
}
ptrhdr= hbhopthdr[nhbhopthdr] + 2;
ptrhdrend= hbhopthdr[nhbhopthdr] + hdrlen;
while( ptrhdr < ptrhdrend){
if( (ptrhdrend-ptrhdr)>257)
pad= 257;
else
pad= ptrhdrend-ptrhdr;
if(!insert_pad_opt(ptrhdr, ptrhdrend, pad)){
puts("Hop-by-Hop Options Header Too Big");
exit(EXIT_FAILURE);
}
ptrhdr = ptrhdr + pad;
}
*(hbhopthdr[nhbhopthdr]+1)= (hdrlen/8) - 1;
nhbhopthdr++;
hbhopthdr_f=1;
break;
case 'S': /* Source Ethernet address */
if(ether_pton(optarg, &(idata.hsrcaddr), sizeof(idata.hsrcaddr)) == 0){
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
idata.hsrcaddr_f = 1;
break;
case 'D': /* Destination Ethernet Address */
if(ether_pton(optarg, &(idata.hdstaddr), sizeof(idata.hdstaddr)) == 0){
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
idata.hdstaddr_f = 1;
break;
case 't': /* NA Target address */
if((charptr = strtok_r(optarg, "/", &lasts)) == NULL){
puts("Target Address not valid");
exit(EXIT_FAILURE);
}
if ( inet_pton(AF_INET6, charptr, &targetaddr) <= 0){
puts("inet_pton(): Target Address not valid");
exit(EXIT_FAILURE);
}
targetaddr_f = 1;
if((charptr = strtok_r(NULL, " ", &lasts)) != NULL){
targetpreflen = atoi(charptr);
if(targetpreflen>128){
puts("Prefix length error in Target Address");
exit(EXIT_FAILURE);
}
sanitize_ipv6_prefix(&targetaddr, targetpreflen);
targetprefix_f=1;
}
break;
case 'r': /* "Router" flag */
router_f = ND_NA_FLAG_ROUTER;
break;
case 'o': /* "Override" flag */
override_f = ND_NA_FLAG_OVERRIDE;
break;
case 'c': /* Solicited flag */
solicited_f = ND_NA_FLAG_SOLICITED;
break;
case 'E': /* Target link-layer option */
tllaopt_f = 1;
if(ether_pton(optarg, &linkaddr[nlinkaddr], sizeof(struct ether_addr)) == 0){
puts("Error in Source link-layer address option.");
exit(EXIT_FAILURE);
}
nlinkaddr++;
tllaopta_f=1;
break;
case 'e': /* Add target link-layer option */
tllaopt_f = 1;
break;
case 'j': /* IPv6 Source Address (block) filter */
if(filters.nblocksrc >= MAX_BLOCK_SRC){
puts("Too many IPv6 Source Address (block) filters.");
exit(EXIT_FAILURE);
}
if((pref = strtok_r(optarg, "/", &lasts)) == NULL){
printf("Error in IPv6 Source Address (block) filter number %u.\n", \
filters.nblocksrc+1);
exit(EXIT_FAILURE);
}
if ( inet_pton(AF_INET6, pref, &(filters.blocksrc[filters.nblocksrc])) <= 0){
printf("Error in IPv6 Source Address (block) filter number %u.", \
filters.nblocksrc+1);
exit(EXIT_FAILURE);
}
if((charptr = strtok_r(NULL, " ", &lasts)) == NULL){
filters.blocksrclen[filters.nblocksrc] = 128;
}
else{
filters.blocksrclen[filters.nblocksrc] = atoi(charptr);
if(filters.blocksrclen[filters.nblocksrc]>128){
printf("Length error in IPv6 Source Address (block) filter number %u.\n", \
filters.nblocksrc+1);
exit(EXIT_FAILURE);
}
}
sanitize_ipv6_prefix(&(filters.blocksrc[filters.nblocksrc]), filters.blocksrclen[filters.nblocksrc]);
(filters.nblocksrc)++;
break;
case 'k': /* IPv6 Destination Address (block) filter */
if(filters.nblockdst >= MAX_BLOCK_DST){
puts("Too many IPv6 Destination Address (block) filters.");
exit(EXIT_FAILURE);
}
if((pref = strtok_r(optarg, "/", &lasts)) == NULL){
printf("Error in IPv6 Destination Address (block) filter number %u.\n", \
filters.nblockdst+1);
exit(EXIT_FAILURE);
}
if ( inet_pton(AF_INET6, pref, &(filters.blockdst[filters.nblockdst])) <= 0){
printf("Error in IPv6 Source Address (block) filter number %u.", \
filters.nblockdst+1);
exit(EXIT_FAILURE);
}
if((charptr = strtok_r(NULL, " ", &lasts)) == NULL){
filters.blockdstlen[filters.nblockdst] = 128;
}
else{
filters.blockdstlen[filters.nblockdst] = atoi(charptr);
if(filters.blockdstlen[filters.nblockdst]>128){
printf("Length error in IPv6 Source Address (block) filter number %u.\n", \
filters.nblockdst+1);
exit(EXIT_FAILURE);
}
}
sanitize_ipv6_prefix(&(filters.blockdst[filters.nblockdst]), filters.blockdstlen[filters.nblockdst]);
(filters.nblockdst)++;
break;
case 'J': /* Link Source Address (block) filter */
if(filters.nblocklinksrc > MAX_BLOCK_LINK_SRC){
puts("Too many link-layer Source Address (accept) filters.");
exit(EXIT_FAILURE);
}
if(ether_pton(optarg, &(filters.blocklinksrc[filters.nblocklinksrc]), sizeof(struct ether_addr)) == 0){
printf("Error in link-layer Source Address (blick) filter number %u.\n", \
filters.nblocklinksrc+1);
exit(EXIT_FAILURE);
}
(filters.nblocklinksrc)++;
break;
case 'K': /* Link Destination Address (block) filter */
if(filters.nblocklinkdst > MAX_BLOCK_LINK_DST){
puts("Too many link-layer Destination Address (block) filters.");
exit(EXIT_FAILURE);
}
if(ether_pton(optarg, &(filters.blocklinkdst[filters.nblocklinkdst]), sizeof(struct ether_addr)) == 0){
printf("Error in link-layer Destination Address (blick) filter number %u.\n", \
filters.nblocklinkdst+1);
exit(EXIT_FAILURE);
}
filters.nblocklinkdst++;
break;
case 'b': /* IPv6 Source Address (accept) filter */
if(filters.nacceptsrc > MAX_ACCEPT_SRC){
puts("Too many IPv6 Source Address (accept) filters.");
exit(EXIT_FAILURE);
}
if((pref = strtok_r(optarg, "/", &lasts)) == NULL){
printf("Error in IPv6 Source Address (accept) filter number %u.\n", \
filters.nacceptsrc+1);
exit(EXIT_FAILURE);
}
if ( inet_pton(AF_INET6, pref, &(filters.acceptsrc[filters.nacceptsrc])) <= 0){
printf("Error in IPv6 Source Address (accept) filter number %u.\n", \
filters.nacceptsrc+1);
exit(EXIT_FAILURE);
}
if((charptr = strtok_r(NULL, " ", &lasts)) == NULL){
filters.acceptsrclen[filters.nacceptsrc] = 128;
}
else{
filters.acceptsrclen[filters.nacceptsrc] = atoi(charptr);
if(filters.acceptsrclen[filters.nacceptsrc]>128){
printf("Length error in IPv6 Source Address (accept) filter number %u.\n", \
filters.nacceptsrc+1);
exit(EXIT_FAILURE);
}
}
sanitize_ipv6_prefix(&(filters.acceptsrc[filters.nacceptsrc]), filters.acceptsrclen[filters.nacceptsrc]);
(filters.nacceptsrc)++;
filters.acceptfilters_f=1;
break;
case 'g': /* IPv6 Destination Address (accept) filter */
if(filters.nacceptdst > MAX_ACCEPT_DST){
puts("Too many IPv6 Destination Address (accept) filters.");
exit(EXIT_FAILURE);
}
if((pref = strtok_r(optarg, "/", &lasts)) == NULL){
printf("Error in IPv6 Destination Address (accept) filter number %u.\n", \
filters.nacceptdst+1);
exit(EXIT_FAILURE);
}
if ( inet_pton(AF_INET6, pref, &(filters.acceptdst[filters.nacceptdst])) <= 0){
printf("Error in IPv6 Source Address (accept) filter number %u.\n", \
filters.nacceptdst+1);
exit(EXIT_FAILURE);
}
if((charptr = strtok_r(NULL, " ", &lasts)) == NULL){
filters.acceptdstlen[filters.nacceptdst] = 128;
}
else{
filters.acceptdstlen[filters.nacceptdst] = atoi(charptr);
if(filters.acceptdstlen[filters.nacceptdst] > 128){
printf("Length error in IPv6 Source Address (accept) filter number %u.\n", \
filters.nacceptdst+1);
exit(EXIT_FAILURE);
}
}
sanitize_ipv6_prefix(&(filters.acceptdst[filters.nacceptdst]), filters.acceptdstlen[filters.nacceptdst]);
(filters.nacceptdst)++;
filters.acceptfilters_f=1;
break;
case 'B': /* Link-layer Source Address (accept) filter */
if(filters.nacceptlinksrc > MAX_ACCEPT_LINK_SRC){
puts("Too many link-later Source Address (accept) filters.");
exit(EXIT_FAILURE);
}
if(ether_pton(optarg, &(filters.acceptlinksrc[filters.nacceptlinksrc]), sizeof(struct ether_addr)) == 0){
printf("Error in link-layer Source Address (accept) filter number %u.\n", \
filters.nacceptlinksrc+1);
exit(EXIT_FAILURE);
}
(filters.nacceptlinksrc)++;
filters.acceptfilters_f=1;
break;
case 'G': /* Link Destination Address (accept) filter */
if(filters.nacceptlinkdst > MAX_ACCEPT_LINK_DST){
puts("Too many link-layer Destination Address (accept) filters.");
exit(EXIT_FAILURE);
}
if(ether_pton(optarg, &(filters.acceptlinkdst[filters.nacceptlinkdst]), sizeof(struct ether_addr)) == 0){
printf("Error in link-layer Destination Address (accept) filter number %u.\n",\
filters.nacceptlinkdst+1);
exit(EXIT_FAILURE);
}
(filters.nacceptlinkdst)++;
filters.acceptfilters_f=1;
break;
case 'w': /* ND Target Address (block) filter */
if(filters.nblocktarget > MAX_BLOCK_TARGET){
puts("Too many Target Address (block) filters.");
exit(EXIT_FAILURE);
}
if((pref = strtok_r(optarg, "/", &lasts)) == NULL){
printf("Error in Target Address (block) filter number %u.\n", filters.nblocktarget+1);
exit(EXIT_FAILURE);
}
if ( inet_pton(AF_INET6, pref, &(filters.blocktarget[filters.nblocktarget])) <= 0){
printf("Error in Target Address (block) filter number %u.\n", filters.nblocktarget+1);
exit(EXIT_FAILURE);
}
if((charptr = strtok_r(NULL, " ", &lasts)) == NULL){
filters.blocktargetlen[filters.nblocktarget] = 128;
}
else{
filters.blocktargetlen[filters.nblocktarget] = atoi(charptr);
if(filters.blocktargetlen[filters.nblocktarget]>128){
printf("Length error in Target Address (block) filter number %u.\n", filters.nblocktarget+1);
exit(EXIT_FAILURE);
}
}
sanitize_ipv6_prefix(&(filters.blocktarget[filters.nblocktarget]), filters.blocktargetlen[filters.nblocktarget]);
filters.nblocktarget++;
break;
case 'W': /* ND Target Address (accept) filter */
if(filters.naccepttarget >= MAX_ACCEPT_TARGET){
puts("Too many Target Address (accept) filters.");
exit(EXIT_FAILURE);
}
if((pref = strtok_r(optarg, "/", &lasts)) == NULL){
printf("Error in Target Address (accept) filter number %u.\n", filters.naccepttarget+1);
exit(EXIT_FAILURE);
}
if ( inet_pton(AF_INET6, pref, &(filters.accepttarget[filters.naccepttarget])) <= 0){
printf("Error in Target Address (accept) filter number %u.\n", filters.naccepttarget+1);
exit(EXIT_FAILURE);
}
if((charptr = strtok_r(NULL, " ", &lasts)) == NULL){
filters.accepttargetlen[filters.naccepttarget] = 128;
}
else{
filters.accepttargetlen[filters.naccepttarget] = atoi(charptr);
if(filters.accepttargetlen[filters.naccepttarget]>128){
printf("Length error in Target Address (accept) filter number %u.\n", \
filters.naccepttarget+1);
exit(EXIT_FAILURE);
}
}
sanitize_ipv6_prefix(&(filters.accepttarget[filters.naccepttarget]), filters.accepttargetlen[filters.naccepttarget]);
filters.naccepttarget++;
filters.acceptfilters_f=1;
break;
case 'L': /* "Listen mode */
listen_f = 1;
break;
case 'T': /* Flood targets */
ntargets= atoi(optarg);
if(ntargets == 0){
puts("Invalid number of Target Addresses in option -T");
exit(EXIT_FAILURE);
}
floodt_f= 1;
break;
case 'F': /* Flood sources */
nsources= atoi(optarg);
if(nsources == 0){
puts("Invalid number of sources in option -F");
exit(EXIT_FAILURE);
}
floods_f= 1;
break;
case 'l': /* "Loop mode */
loop_f = 1;
break;
case 'z': /* Sleep option */
nsleep=atoi(optarg);
if(nsleep==0){
puts("Invalid number of seconds in '-z' option");
exit(EXIT_FAILURE);
}
sleep_f=1;
break;
case 'v': /* Be verbose */
idata.verbose_f++;
break;
case 'h': /* Help */
print_help();
exit(EXIT_FAILURE);
break;
default:
usage();
exit(EXIT_FAILURE);
break;
} /* switch */
} /* while(getopt) */
if(geteuid()) {
puts("na6 needs root privileges to run.");
exit(EXIT_FAILURE);
}
if(!idata.iface_f){
puts("Must specify the network interface with the -i option");
exit(EXIT_FAILURE);
}
if(load_dst_and_pcap(&idata, LOAD_PCAP_ONLY) == FAILURE){
puts("Error while learning Souce Address and Next Hop");
exit(EXIT_FAILURE);
}
release_privileges();
if(listen_f && loop_f){
puts("'Error: listen' mode and 'loop' mode are incompatible");
exit(EXIT_FAILURE);
}
if(listen_f && floodt_f){
puts("Error: 'listen' mode and 'flood targets' are incompatible");
exit(EXIT_FAILURE);
}
if(pcap_compile(idata.pfd, &pcap_filter, PCAP_ICMPV6_NS_FILTER, 0, PCAP_NETMASK_UNKNOWN) == -1){
printf("pcap_compile(): %s", pcap_geterr(idata.pfd));
exit(EXIT_FAILURE);
}
if(pcap_setfilter(idata.pfd, &pcap_filter) == -1){
printf("pcap_setfilter(): %s", pcap_geterr(idata.pfd));
exit(EXIT_FAILURE);
}
pcap_freecode(&pcap_filter);
srandom(time(NULL));
if(!(idata.srcaddr_f) && !floods_f){
/* When randomizing a link-local IPv6 address, select addresses that belong to the
prefix fe80::/64 (that's what a link-local address looks-like in legitimate cases).
The KAME implementation discards addresses in which the second high-order 16 bits
(srcaddr.s6_addr16[1] in our case) are not zero.
*/
if(idata.ip6_local_flag){
idata.srcaddr= idata.ip6_local;
}
else{
if ( inet_pton(AF_INET6, "fe80::", &(idata.srcaddr)) <= 0){
puts("inet_pton(): Error when converting address");
exit(EXIT_FAILURE);
}
randomize_ipv6_addr(&(idata.srcaddr), &(idata.srcaddr), 64);
}
}
/*
If the flood option ("-F") has been specified, but no prefix has been specified,
select the random Source Addresses from the link-local unicast prefix (fe80::/64).
*/
if(floods_f && !idata.srcprefix_f){
if ( inet_pton(AF_INET6, "fe80::", &(idata.srcaddr)) <= 0){
puts("inet_pton(): Error when converting address");
exit(EXIT_FAILURE);
}
randomize_ipv6_addr(&(idata.srcaddr), &(idata.srcaddr), 64);
idata.srcpreflen=64;
}
if(!idata.dstaddr_f){ /* Destination Address defaults to all-nodes (ff02::1) */
if( inet_pton(AF_INET6, ALL_NODES_MULTICAST_ADDR, &(idata.dstaddr)) <= 0){
puts("inet_pton(): Error converting all-nodes multicast address");
exit(EXIT_FAILURE);
}
}
if(!idata.hdstaddr_f) /* Destination link-layer address defaults to all-nodes */
if(ether_pton(ETHER_ALLNODES_LINK_ADDR, &(idata.hdstaddr), sizeof(idata.hdstaddr)) == 0){
puts("ether_pton(): Error converting all-nodes multicast address");
exit(EXIT_FAILURE);
}
if(tllaopt_f && !tllaopta_f){ /* The value of the target link-layer address */
linkaddr[0] = idata.hsrcaddr; /* option defaults to the Ethernet Source Address */
nlinkaddr++;
}
/*
If the flood target option ("-T") was specified, but no prefix was specified,
select the random Target Addresses from the link-local unicast prefix (fe80::/64).
*/
if(floodt_f && !targetprefix_f){
if ( inet_pton(AF_INET6, "fe80::", &targetaddr) <= 0){
puts("inet_pton(): Error when converting address");
exit(EXIT_FAILURE);
}
randomize_ipv6_addr(&targetaddr, &targetaddr, 64);
targetpreflen=64;
}
if(!floods_f)
nsources=1;
if(!floodt_f)
ntargets=1;
if(!sleep_f)
nsleep=1;
if(!idata.fragh_f && dstoptuhdr_f){
puts("Dst. Options Header (Unfragmentable Part) set, but Fragmentation not specified");
exit(EXIT_FAILURE);
}
if(idata.verbose_f){
print_attack_info(&idata);
}
/* Set initial contents of the attack packet */
init_packet_data(&idata);
/* Fire a Neighbor Advertisement if a IPv6 Destination Address or an Ethernet
* Destination Address were specified
*/
if((idata.dstaddr_f || idata.hdstaddr_f) && (targetaddr_f || floodt_f)){
if(send_packet(&idata, NULL, NULL) == FAILURE){
puts("Error while sending packet");
exit(EXIT_FAILURE);
}
if(idata.verbose_f)
puts("Initial attack packet(s) sent successfully.");
if(loop_f){
if(idata.verbose_f)
printf("Now sending Neighbor Advertisements every %u second%s...\n", nsleep, \
((nsleep>1)?"s":""));
while(loop_f){
sleep(nsleep);
if(send_packet(&idata, NULL, NULL) == FAILURE){
puts("Error while sending packet");
exit(EXIT_FAILURE);
}
}
exit(EXIT_SUCCESS);
}
}
if(listen_f){
FD_ZERO(&sset);
FD_SET(idata.fd, &sset);
if(idata.verbose_f){
print_filters(&idata, &filters);
puts("Listening to incoming ICMPv6 Neighbor Solicitation messages...");
}
while(listen_f){
rset= sset;
#if defined(sun) || defined(__sun) || defined(__linux__)
timeout.tv_usec=1000;
timeout.tv_sec= 0;
if((sel=select(idata.fd+1, &rset, NULL, NULL, &timeout)) == -1){
#else
if((sel=select(idata.fd+1, &rset, NULL, NULL, NULL)) == -1){
#endif
if(errno == EINTR){
continue;
}
else{
puts("Error in select()");
exit(EXIT_FAILURE);
}
}
#if defined(sun) || defined(__sun) || defined(__linux__)
if(TRUE){
#else
if(sel && FD_ISSET(idata.fd, &rset)){
#endif
/* Read a Neighbor Solicitation message */
if((r=pcap_next_ex(idata.pfd, &pkthdr, &pktdata)) == -1){
printf("pcap_next_ex(): %s", pcap_geterr(idata.pfd));
exit(EXIT_FAILURE);
}
else if(r == 1 && pktdata != NULL){
/* XXX Code assumes no IPv6 Extension Headers */
pkt_ether = (struct ether_header *) pktdata;
pkt_ipv6 = (struct ip6_hdr *)((char *) pkt_ether + idata.linkhsize);
pkt_ns = (struct nd_neighbor_solicit *) ((char *) pkt_ipv6 + MIN_IPV6_HLEN);
pkt_icmp6= (struct icmp6_hdr *) pkt_ns;
/* XXX This should probably be removed when pcap filter problem is solved */
if(pkt_ipv6->ip6_nxt != IPPROTO_ICMPV6 || pkt_icmp6->icmp6_type != ND_NEIGHBOR_SOLICIT || \
pkt_icmp6->icmp6_code != 0)
continue;
accepted_f=0;
if(idata.type == DLT_EN10MB && !(idata.flags & IFACE_LOOPBACK)){
if(filters.nblocklinksrc){
if(match_ether(filters.blocklinksrc, filters.nblocklinksrc, &(pkt_ether->src))){
if(idata.verbose_f>1)
print_filter_result(&idata, pktdata, BLOCKED);
continue;
}
}
if(filters.nblocklinkdst){
if(match_ether(filters.blocklinkdst, filters.nblocklinkdst, &(pkt_ether->dst))){
if(idata.verbose_f>1)
print_filter_result(&idata, pktdata, BLOCKED);
continue;
}
}
}
if(filters.nblocksrc){
if(match_ipv6(filters.blocksrc, filters.blocksrclen, filters.nblocksrc, &(pkt_ipv6->ip6_src))){
if(idata.verbose_f>1)
print_filter_result(&idata, pktdata, BLOCKED);
continue;
}
}
if(filters.nblockdst){
if(match_ipv6(filters.blockdst, filters.blockdstlen, filters.nblockdst, &(pkt_ipv6->ip6_dst))){
if(idata.verbose_f>1)
print_filter_result(&idata, pktdata, BLOCKED);
continue;
}
}
if(filters.nblocktarget){
if(match_ipv6(filters.blocktarget, filters.blocktargetlen, filters.nblocktarget, &(pkt_ns->nd_ns_target))){
if(idata.verbose_f>1)
print_filter_result(&idata, pktdata, BLOCKED);
continue;
}
}
if(idata.type == DLT_EN10MB && !(idata.flags & IFACE_LOOPBACK)){
if(filters.nacceptlinksrc){
if(match_ether(filters.acceptlinksrc, filters.nacceptlinksrc, &(pkt_ether->src)))
accepted_f=1;
}
if(filters.nacceptlinkdst && !accepted_f){
if(match_ether(filters.acceptlinkdst, filters.nacceptlinkdst, &(pkt_ether->dst)))
accepted_f= 1;
}
}
if(filters.nacceptsrc && !accepted_f){
if(match_ipv6(filters.acceptsrc, filters.acceptsrclen, filters.nacceptsrc, &(pkt_ipv6->ip6_src)))
accepted_f= 1;
}
if(filters.nacceptdst && !accepted_f){
if(match_ipv6(filters.acceptdst, filters.acceptdstlen, filters.nacceptdst, &(pkt_ipv6->ip6_dst)))
accepted_f=1;
}
if(filters.naccepttarget && !accepted_f){
if(match_ipv6(filters.accepttarget, filters.accepttargetlen, filters.naccepttarget, &(pkt_ns->nd_ns_target)))
accepted_f=1;
}
if(filters.acceptfilters_f && !accepted_f){
if(idata.verbose_f>1)
print_filter_result(&idata, pktdata, BLOCKED);
continue;
}
if(idata.verbose_f)
print_filter_result(&idata, pktdata, ACCEPTED);
/* Send a Neighbor Advertisement */
if(send_packet(&idata, pkthdr, pktdata) == FAILURE){
puts("Error while sending packet");
exit(EXIT_FAILURE);
}
}
}
}
exit(EXIT_SUCCESS);
}
if(!((idata.dstaddr_f || idata.hdstaddr_f) && (targetaddr_f || floodt_f)) && !listen_f){
puts("Error: Nothing to send! (Destination Address or ND Target Address missing?)");
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
/*
* Function: init_packet_data()
*
* Initialize the contents of the attack packet (Ethernet header, IPv6 Header, and ICMPv6 header)
* that are expected to remain constant for the specified attack.
*/
void init_packet_data(struct iface_data *idata){
struct dlt_null *dlt_null;
ethernet= (struct ether_header *) buffer;
dlt_null= (struct dlt_null *) buffer;
v6buffer = buffer + idata->linkhsize;
ipv6 = (struct ip6_hdr *) v6buffer;
if(idata->type == DLT_EN10MB){
ethernet->ether_type = htons(ETHERTYPE_IPV6);
if(!(idata->flags & IFACE_LOOPBACK)){
ethernet->src = idata->hsrcaddr;
ethernet->dst = idata->hdstaddr;
}
}
else if(idata->type == DLT_NULL){
dlt_null->family= PF_INET6;
}
#if defined (__OpenBSD__)
else if(idata->type == DLT_LOOP){
dlt_null->family= htonl(PF_INET6);
}
#endif
ipv6->ip6_flow=0;
ipv6->ip6_vfc= 0x60;
ipv6->ip6_hlim= hoplimit;
ipv6->ip6_src= idata->srcaddr;
ipv6->ip6_dst= idata->dstaddr;
prev_nh = (unsigned char *) &(ipv6->ip6_nxt);
ptr = (unsigned char *) v6buffer + MIN_IPV6_HLEN;
if(hbhopthdr_f){
hbhopthdrs=0;
while(hbhopthdrs < nhbhopthdr){
if((ptr+ hbhopthdrlen[hbhopthdrs]) > (v6buffer+ idata->mtu)){
puts("Packet too large while processing HBH Opt. Header");
exit(EXIT_FAILURE);
}
*prev_nh = IPPROTO_HOPOPTS;
prev_nh = ptr;
memcpy(ptr, hbhopthdr[hbhopthdrs], hbhopthdrlen[hbhopthdrs]);
ptr = ptr + hbhopthdrlen[hbhopthdrs];
hbhopthdrs++;
}
}
if(dstoptuhdr_f){
dstoptuhdrs=0;
while(dstoptuhdrs < ndstoptuhdr){
if((ptr+ dstoptuhdrlen[dstoptuhdrs]) > (v6buffer+ idata->mtu)){
puts("Packet too large while processing Dest. Opt. Header (Unfrag. Part)");
exit(EXIT_FAILURE);
}
*prev_nh = IPPROTO_DSTOPTS;
prev_nh = ptr;
memcpy(ptr, dstoptuhdr[dstoptuhdrs], dstoptuhdrlen[dstoptuhdrs]);
ptr = ptr + dstoptuhdrlen[dstoptuhdrs];
dstoptuhdrs++;
}
}
/* Everything that follows is the Fragmentable Part of the packet */
fragpart = ptr;
if(idata->fragh_f){
/* Check that we are able to send the Unfragmentable Part, together with a
Fragment Header and a chunk data over our link layer
*/
if( (fragpart+sizeof(fraghdr)+nfrags) > (v6buffer+idata->mtu)){
printf("Unfragmentable part too large for current MTU (%u bytes)\n", idata->mtu);
exit(EXIT_FAILURE);
}
/* We prepare a separete Fragment Header, but we do not include it in the packet to be sent.
This Fragment Header will be used (an assembled with the rest of the packet by the
send_packet() function.
*/
memset(&fraghdr, 0, FRAG_HDR_SIZE);
*prev_nh = IPPROTO_FRAGMENT;
prev_nh = (unsigned char *) &fraghdr;
}
if(dstopthdr_f){
dstopthdrs=0;
while(dstopthdrs < ndstopthdr){
if((ptr+ dstopthdrlen[dstopthdrs]) > (v6buffer+idata->max_packet_size)){
puts("Packet too large while processing Dest. Opt. Header (should be using the Frag. option?)");
exit(EXIT_FAILURE);
}
*prev_nh = IPPROTO_DSTOPTS;
prev_nh = ptr;
memcpy(ptr, dstopthdr[dstopthdrs], dstopthdrlen[dstopthdrs]);
ptr = ptr + dstopthdrlen[dstopthdrs];
dstopthdrs++;
}
}
*prev_nh = IPPROTO_ICMPV6;
if( (ptr+sizeof(struct nd_neighbor_advert)) > (v6buffer+idata->max_packet_size)){
puts("Packet too large while inserting Neighbor Advertisement header (should be using Frag. option?)");
exit(EXIT_FAILURE);
}
na= (struct nd_neighbor_advert *) ptr;
na->nd_na_type = ND_NEIGHBOR_ADVERT;
na->nd_na_code = 0;
na->nd_na_flags_reserved = router_f | solicited_f | override_f;
na->nd_na_target = targetaddr;
ptr += sizeof(struct nd_neighbor_advert);
if(tllaopt_f && nlinkaddr==1){
if( (ptr+sizeof(struct nd_opt_tlla)) <= (v6buffer+idata->max_packet_size) ){
tllaopt = (struct nd_opt_tlla *) ptr;
tllaopt->type= ND_OPT_TARGET_LINKADDR;
tllaopt->length= TLLA_OPT_LEN;
memcpy(tllaopt->address, linkaddr[0].a, ETH_ALEN);
ptr += sizeof(struct nd_opt_tlla);
}
else{
puts("Packet Too Large while processing target link-layer address option");
exit(EXIT_FAILURE);
}
}
startofprefixes=ptr;
}
/*
* Function: send_packet()
*
* Initialize the remaining fields of the Neighbor Advertisement Message, and
* send the attack packet(s).
*/
int send_packet(struct iface_data *idata, struct pcap_pkthdr *pkthdr, const u_char *pktdata){
if(pktdata == NULL){
sources=0;
}
else{ /* Sending a response to a Neighbor Solicitation message */
pkt_ether = (struct ether_header *) pktdata;
pkt_ipv6 = (struct ip6_hdr *)((char *) pkt_ether + idata->linkhsize);
pkt_ns = (struct nd_neighbor_solicit *) ((char *) pkt_ipv6 + MIN_IPV6_HLEN);
/* If the IPv6 Source Address of the incoming Neighbor Solicitation is the unspecified
address (::), the Neighbor Advertisement must be directed to the IPv6 all-nodes
multicast address (and the Ethernet Destination address should be 33:33:33:00:00:01).
Otherwise, the Neighbor Advertisement is sent to the IPv6 Source Address (and
Ethernet Source Address) of the incoming Neighbor Solicitation message
*/
pkt_ipv6addr = &(pkt_ipv6->ip6_src);
na->nd_na_flags_reserved = router_f | solicited_f | override_f;
if(IN6_IS_ADDR_UNSPECIFIED(pkt_ipv6addr)){
if ( inet_pton(AF_INET6, ALL_NODES_MULTICAST_ADDR, &(ipv6->ip6_dst)) <= 0){
puts("inetr_pton(): Error converting all-nodes multicast address");
return(FAILURE);
}
if(ether_pton(ETHER_ALLNODES_LINK_ADDR, &(ethernet->dst), ETHER_ADDR_LEN) == 0){
puts("ether_pton(): Error converting all-nodes link-local address");
return(FAILURE);
}
}
else{
ipv6->ip6_dst = pkt_ipv6->ip6_src;
ethernet->dst = pkt_ether->src;
/*
Set the "Solicited" flag if NS was sent from an address other than the unspecified
address (i.e., the response will be unicast).
*/
na->nd_na_flags_reserved = na->nd_na_flags_reserved | ND_NA_FLAG_SOLICITED;
}
pkt_ipv6addr = &(pkt_ipv6->ip6_dst);
/*
If the Neighbor Solicitation message was directed to a unicast address (unlikely), the
IPv6 Source Address and the Ethernet Source Address of the Neighbor Advertisement are set
to the IPv6 Destination Address and the Ethernet Destination Address of the incoming
Neighbor Solicitation, respectively. Otherwise, the IPv6 Source Address is set to the
ND Target Address (unless a specific IPv6 Source Address was specified with the "-s"
option), and the Ethernet is set to that specified by the "-S" option (or randomized).
*/
if(IN6_IS_ADDR_MULTICAST(pkt_ipv6addr)){
if( !idata->srcaddr_f && IN6_IS_ADDR_LINKLOCAL(&(pkt_ns->nd_ns_target)) )
ipv6->ip6_src = pkt_ns->nd_ns_target;
else
ipv6->ip6_src = idata->srcaddr;
ethernet->src = idata->hsrcaddr;
sources=0;
multicastdst_f=1;
}
else{
ipv6->ip6_src = pkt_ipv6->ip6_dst;
ethernet->src = pkt_ether->dst;
sources=nsources;
multicastdst_f=0;
}
na->nd_na_target= pkt_ns->nd_ns_target;
}
do{
if(floods_f && (pktdata==NULL || (pktdata != NULL && multicastdst_f))){
/*
Randomizing the IPv6 Source address based on the prefix specified by
"srcaddr" and prefix length.
*/
randomize_ipv6_addr(&(ipv6->ip6_src), &(idata->srcaddr), idata->srcpreflen);
if(!idata->hsrcaddr_f){
randomize_ether_addr(&(ethernet->src));
}
if(tllaopt_f && !tllaopta_f){
memcpy(tllaopt->address, ethernet->src.a, ETH_ALEN);
}
}
targets=0;
do{
if(floodt_f){
/*
Randomizing the ND Target Address based on the prefix specified by "targetaddr"
and targetpreflen.
*/
randomize_ipv6_addr(&(na->nd_na_target), &targetaddr, targetpreflen);
}
/*
* If a single target link-layer address option is to be included, it is included
* by init_packet_data()
*/
if(nlinkaddr==1)
linkaddrs=1;
else
linkaddrs=0;
do{
newdata_f=0;
ptr=startofprefixes;
while(linkaddrs<nlinkaddr && ((ptr+sizeof(struct nd_opt_tlla))-v6buffer)<=idata->max_packet_size){
tllaopt = (struct nd_opt_tlla *) ptr;
tllaopt->type= ND_OPT_TARGET_LINKADDR;
tllaopt->length= TLLA_OPT_LEN;
memcpy(tllaopt->address, linkaddr[linkaddrs].a, ETH_ALEN);
ptr += sizeof(struct nd_opt_tlla);
linkaddrs++;
newdata_f=1;
}
na->nd_na_cksum = 0;
na->nd_na_cksum = in_chksum(v6buffer, na, ptr-((unsigned char *)na), IPPROTO_ICMPV6);
if(!idata->fragh_f){
ipv6->ip6_plen = htons((ptr - v6buffer) - MIN_IPV6_HLEN);
if((nw=pcap_inject(idata->pfd, buffer, ptr - buffer)) == -1){
printf("pcap_inject(): %s\n", pcap_geterr(idata->pfd));
return(FAILURE);
}
if(nw != (ptr-buffer)){
printf("pcap_inject(): only wrote %lu bytes (rather than %lu bytes)\n", (LUI) nw, \
(LUI) (ptr-buffer));
return(FAILURE);
}
}
else{
ptrend= ptr;
ptr= fragpart;
fptr = fragbuffer;
fipv6 = (struct ip6_hdr *) (fragbuffer + ETHER_HDR_LEN);
fptrend = fptr + ETHER_HDR_LEN+MIN_IPV6_HLEN+MAX_IPV6_PAYLOAD;
memcpy(fptr, buffer, fragpart-buffer);
fptr = fptr + (fragpart-buffer);
if( (fptr+FRAG_HDR_SIZE)> fptrend){
puts("Unfragmentable Part is Too Large");
return(FAILURE);
}
memcpy(fptr, (char *) &fraghdr, FRAG_HDR_SIZE);
fh= (struct ip6_frag *) fptr;
fh->ip6f_ident=random();
startoffragment = fptr + FRAG_HDR_SIZE;
/*
* Check that the selected fragment size is not larger than the largest
* fragment size that can be sent
*/
if(nfrags <= (fptrend - fptr))
fragsize=nfrags;
else
fragsize= (fptrend-fptr) & IP6F_OFF_MASK;
m=IP6F_MORE_FRAG;
while((ptr< ptrend) && m==IP6F_MORE_FRAG){
fptr= startoffragment;
if( (ptrend-ptr) <= fragsize){
fragsize= ptrend-ptr;
m=0;
}
memcpy(fptr, ptr, fragsize);
fh->ip6f_offlg = (htons(ptr-fragpart) & IP6F_OFF_MASK) | m;
ptr+=fragsize;
fptr+=fragsize;
fipv6->ip6_plen = htons((fptr - fragbuffer) - MIN_IPV6_HLEN - ETHER_HDR_LEN);
if((nw=pcap_inject(idata->pfd, fragbuffer, fptr - fragbuffer)) == -1){
printf("pcap_inject(): %s\n", pcap_geterr(idata->pfd));
return(FAILURE);
}
if(nw != (fptr- fragbuffer)){
printf("pcap_inject(): only wrote %lu bytes (rather than %lu bytes)\n"\
, (LUI) nw, (LUI) (ptr-buffer));
return(FAILURE);
}
}
}
}while(linkaddrs<nlinkaddr && newdata_f);
targets++;
}while(targets<ntargets);
sources++;
}while(sources<nsources);
return(SUCCESS);
}
/*
* Function: usage()
*
* Prints the syntax of the na6 tool
*/
void usage(void){
puts("usage: na6 -i INTERFACE [-s SRC_ADDR[/LEN]] [-d DST_ADDR] [-S LINK_SRC_ADDR] "
"[-y FRAG_SIZE] [-u DST_OPT_HDR_SIZE] [-U DST_OPT_U_HDR_SIZE] [-H HBH_OPT_HDR_SIZE] "
"[-D LINK-DST-ADDR] [-t TARGET_ADDR[/LEN]] [-r] [-c] [-o] [-E LINK_ADDR] [-e] "
"[-j PREFIX[/LEN]] [-k PREFIX[/LEN]] [-J LINK_ADDR] [-K LINK_ADDR] [-w PREFIX[/LEN]] "
"[-b PREFIX[/LEN]] [-g PREFIX[/LEN]] [-B LINK_ADDR] [-G LINK_ADDR] [-W PREFIX[/LEN]] "
"[-F N_SOURCES] [-T N_TARGETS] [-L | -l] [-z] [-v] [-V] [-h]");
}
/*
* Function: print_help()
*
* Prints help information for the na6 tool
*/
void print_help(void){
puts(SI6_TOOLKIT);
puts("na6: Security Assessment tool for attack vectors based on NA messages\n");
usage();
puts("\nOPTIONS:\n"
" --interface, -i Network interface\n"
" --src-address, -s IPv6 Source Address\n"
" --dst-address, -d IPv6 Destination Address\n"
" --frag-hdr. -y Fragment Header\n"
" --dst-opt-hdr, -u Destination Options Header (Fragmentable Part)\n"
" --dst-opt-u-hdr, -U Destination Options Header (Unfragmentable Part)\n"
" --hbh-opt-hdr, -H Hop by Hop Options Header\n"
" --link-src-address, -S Link-layer Destination Address\n"
" --link-dst-address, -D Link-layer Source Address\n"
" --target, -t ND IPv6 Target Address\n"
" --target-lla-opt, -E Source link-layer address option\n"
" --add-tlla-opt, -e Add Source link-layer address option\n"
" --router, -r Set the 'Router Flag'\n"
" --solicited, -c Set the 'Solicited' flag\n"
" --override, -o Set the 'Override' flag\n"
" --block-src, -j Block IPv6 Source Address prefix\n"
" --block-dst, -k Block IPv6 Destination Address prefix\n"
" --block-link-src, -J Block Ethernet Source Address\n"
" --block-link-dst, -K Block Ethernet Destination Address\n"
" --block-target, -w Block ND Target IPv6 prefix\n"
" --accept-src, -b Accept IPv6 Source Addres prefix\n"
" --accept-dst, -g Accept IPv6 Destination Addres prefix\n"
" --accept-link-src, -B Accept Ethernet Source Address\n"
" --accept-link-dst, -G Accept Ethernet Destination Address\n"
" --accept-target, -W Accept ND Target IPv6 prefix\n"
" --flood-targets, -T Flood with NA's for multiple Target Addresses\n"
" --flood-sources, -F Number of Source Addresses to forge randomly\n"
" --listen, -L Listen to Neighbor Solicitation messages\n"
" --loop, -l Send periodic Neighbor Advertisements\n"
" --sleep, -z Pause between sending NA messages\n"
" --help, -h Print help for the na6 tool\n"
" --verbose, -v Be verbose\n"
"\n"
"Programmed by Fernando Gont for SI6 Networks <http://www.si6networks.com>\n"
"Please send any bug reports to <*****@*****.**>\n"
);
}
int main(int argc, char **argv){
extern char *optarg;
int r;
static struct option longopts[] = {
{"interface", required_argument, 0, 'i'},
{"src-address", required_argument, 0, 's'},
{"dst-address", required_argument, 0, 'd'},
{"hop-limit", required_argument, 0, 'A'},
{"dst-opt-hdr", required_argument, 0, 'u'},
{"dst-opt-u-hdr", required_argument, 0, 'U'},
{"hbh-opt-hdr", required_argument, 0, 'H'},
{"frag-hdr", required_argument, 0, 'y'},
{"link-src-address", required_argument, 0, 'S'},
{"link-dst-address", required_argument, 0, 'D'},
{"target-address", required_argument, 0, 't'},
{"source-lla-opt", required_argument, 0, 'E'},
{"add-slla-opt", no_argument, 0, 'e'},
{"flood-sources", required_argument, 0, 'F'},
{"flood-targets", required_argument, 0, 'T'},
{"loop", no_argument, 0, 'l'},
{"sleep", no_argument, 0, 'z'},
{"verbose", no_argument, 0, 'v'},
{"help", no_argument, 0, 'h'},
{0, 0, 0, 0 }
};
char shortopts[]= "i:s:d:A:u:U:H:y:S:D:t:eE:F:T:lz:vh";
char option;
if(argc<=1){
usage();
exit(EXIT_FAILURE);
}
hoplimit=255;
if(init_iface_data(&idata) == FAILURE){
puts("Error initializing internal data structure");
exit(EXIT_FAILURE);
}
while((r=getopt_long(argc, argv, shortopts, longopts, NULL)) != -1) {
option =r;
switch(option) {
case 'i': /* Interface */
strncpy(idata.iface, optarg, IFACE_LENGTH-1);
idata.iface[IFACE_LENGTH-1]=0;
idata.iface_f=1;
break;
case 's': /* IPv6 Source Address */
if((charptr = strtok_r(optarg, "/", &lasts)) == NULL){
puts("inet_pton(): address not valid");
exit(EXIT_FAILURE);
}
if ( inet_pton(AF_INET6, charptr, &(idata.srcaddr)) <= 0){
puts("inet_pton(): address not valid");
exit(EXIT_FAILURE);
}
idata.srcaddr_f = 1;
if((charptr = strtok_r(NULL, " ", &lasts)) != NULL){
idata.srcpreflen = atoi(charptr);
if(idata.srcpreflen>128){
puts("Prefix length error in IPv6 Source Address");
exit(EXIT_FAILURE);
}
sanitize_ipv6_prefix(&(idata.srcaddr), idata.srcpreflen);
idata.srcprefix_f=1;
}
break;
case 'd': /* IPv6 Destination Address */
if( inet_pton(AF_INET6, optarg, &(idata.dstaddr)) <= 0){
puts("inet_pton(): address not valid");
exit(EXIT_FAILURE);
}
idata.dstaddr_f = 1;
break;
case 'A': /* Hop Limit */
hoplimit= atoi(optarg);
hoplimit_f=1;
break;
case 'y': /* Fragment header */
nfrags= atoi(optarg);
if(nfrags < 8){
puts("Error in Fragmentation option: Fragment Size must be at least 8 bytes");
exit(EXIT_FAILURE);
}
nfrags = (nfrags +7) & 0xfff8;
idata.fragh_f= 1;
break;
case 'u': /* Destinations Options Header */
if(ndstopthdr >= MAX_DST_OPT_HDR){
puts("Too many Destination Options Headers");
exit(EXIT_FAILURE);
}
hdrlen= atoi(optarg);
if(hdrlen < 8){
puts("Bad length in Destination Options Header");
exit(EXIT_FAILURE);
}
hdrlen = ((hdrlen+7)/8) * 8;
dstopthdrlen[ndstopthdr]= hdrlen;
if( (dstopthdr[ndstopthdr]= malloc(hdrlen)) == NULL){
puts("Not enough memory for Destination Options Header");
exit(EXIT_FAILURE);
}
ptrhdr= dstopthdr[ndstopthdr] + 2;
ptrhdrend= dstopthdr[ndstopthdr] + hdrlen;
while( ptrhdr < ptrhdrend){
if( (ptrhdrend-ptrhdr)>257)
pad= 257;
else
pad= ptrhdrend-ptrhdr;
if(!insert_pad_opt(ptrhdr, ptrhdrend, pad)){
puts("Destination Options Header Too Big");
exit(EXIT_FAILURE);
}
ptrhdr= ptrhdr + pad;
}
*(dstopthdr[ndstopthdr]+1)= (hdrlen/8)-1;
ndstopthdr++;
dstopthdr_f=1;
break;
case 'U': /* Destination Options Header (Unfragmentable Part) */
if(ndstoptuhdr >= MAX_DST_OPT_U_HDR){
puts("Too many Destination Options Headers (Unfragmentable Part)");
exit(EXIT_FAILURE);
}
hdrlen= atoi(optarg);
if(hdrlen < 8){
puts("Bad length in Destination Options Header (Unfragmentable Part)");
exit(EXIT_FAILURE);
}
hdrlen = ((hdrlen+7)/8) * 8;
dstoptuhdrlen[ndstoptuhdr]= hdrlen;
if( (dstoptuhdr[ndstoptuhdr]= malloc(hdrlen)) == NULL){
puts("Not enough memory for Destination Options Header (Unfragmentable Part)");
exit(EXIT_FAILURE);
}
ptrhdr= dstoptuhdr[ndstoptuhdr]+2;
ptrhdrend= dstoptuhdr[ndstoptuhdr] + hdrlen;
while( ptrhdr < ptrhdrend){
if( (ptrhdrend-ptrhdr)>257)
pad= 257;
else
pad= ptrhdrend-ptrhdr;
if(!insert_pad_opt(ptrhdr, ptrhdrend, pad)){
puts("Destination Options Header (Unfragmentable Part) Too Big");
exit(EXIT_FAILURE);
}
ptrhdr = ptrhdr + pad;
}
*(dstoptuhdr[ndstoptuhdr]+1)= (hdrlen/8) - 1;
ndstoptuhdr++;
dstoptuhdr_f=1;
break;
case 'H': /* Hop-by-Hop Options Header */
if(nhbhopthdr >= MAX_HBH_OPT_HDR){
puts("Too many Hop-by-Hop Options Headers");
exit(EXIT_FAILURE);
}
hdrlen= atoi(optarg);
if(hdrlen < 8){
puts("Bad length in Hop-by-Hop Options Header");
exit(EXIT_FAILURE);
}
hdrlen = ((hdrlen+7)/8) * 8;
hbhopthdrlen[nhbhopthdr]= hdrlen;
if( (hbhopthdr[nhbhopthdr]= malloc(hdrlen)) == NULL){
puts("Not enough memory for Hop-by-Hop Options Header");
exit(EXIT_FAILURE);
}
ptrhdr= hbhopthdr[nhbhopthdr] + 2;
ptrhdrend= hbhopthdr[nhbhopthdr] + hdrlen;
while( ptrhdr < ptrhdrend){
if( (ptrhdrend-ptrhdr)>257)
pad= 257;
else
pad= ptrhdrend-ptrhdr;
if(!insert_pad_opt(ptrhdr, ptrhdrend, pad)){
puts("Hop-by-Hop Options Header Too Big");
exit(EXIT_FAILURE);
}
ptrhdr = ptrhdr + pad;
}
*(hbhopthdr[nhbhopthdr]+1)= (hdrlen/8) - 1;
nhbhopthdr++;
hbhopthdr_f=1;
break;
case 'S': /* Source Ethernet address */
if(ether_pton(optarg, &(idata.hsrcaddr), sizeof(idata.hsrcaddr)) == 0){
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
idata.hsrcaddr_f = 1;
break;
case 'D': /* Destination Ethernet Address */
if(ether_pton(optarg, &(idata.hdstaddr), sizeof(idata.hdstaddr)) == 0){
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
idata.hdstaddr_f = 1;
break;
case 't': /* NA Target address */
if((charptr = strtok_r(optarg, "/", &lasts)) == NULL){
puts("Target Address not valid");
exit(EXIT_FAILURE);
}
if ( inet_pton(AF_INET6, charptr, &targetaddr) <= 0){
puts("inet_pton(): Target Address not valid");
exit(EXIT_FAILURE);
}
targetaddr_f = 1;
if((charptr = strtok_r(NULL, " ", &lasts)) != NULL){
targetpreflen = atoi(charptr);
if(targetpreflen>128){
puts("Prefix length error in Target Address");
exit(EXIT_FAILURE);
}
sanitize_ipv6_prefix(&targetaddr, targetpreflen);
targetprefix_f=1;
}
break;
case 'E': /* Source link-layer option */
sllopt_f = 1;
if(ether_pton(optarg, &linkaddr[nlinkaddr], sizeof(struct ether_addr)) == 0){
puts("Error in Source link-layer address option.");
exit(EXIT_FAILURE);
}
sllopta_f=1;
nlinkaddr++;
break;
case 'e': /* Add Source link-layer option */
sllopt_f = 1;
break;
case 'F': /* Flood sources */
nsources= atoi(optarg);
if(nsources == 0){
puts("Invalid number of sources in option -F");
exit(EXIT_FAILURE);
}
floods_f= 1;
break;
case 'T': /* Flood targets */
ntargets= atoi(optarg);
if(ntargets == 0){
puts("Invalid number of Target Addresses in option -T");
exit(EXIT_FAILURE);
}
floodt_f= 1;
break;
case 'l': /* "Loop mode */
loop_f = 1;
break;
case 'z': /* Sleep option */
nsleep=atoi(optarg);
if(nsleep==0){
puts("Invalid number of seconds in '-z' option");
exit(EXIT_FAILURE);
}
sleep_f=1;
break;
case 'v': /* Be verbose */
idata.verbose_f=1;
break;
case 'h': /* Help */
print_help();
exit(EXIT_FAILURE);
break;
default:
usage();
exit(EXIT_FAILURE);
break;
} /* switch */
} /* while(getopt) */
if(geteuid()) {
puts("ns6 needs root privileges to run.");
exit(EXIT_FAILURE);
}
if(!idata.iface_f){
puts("Must specify the network interface with the -i option");
exit(EXIT_FAILURE);
}
if(!targetaddr_f){
puts("Must specify a ND target address with the '-t' option");
exit(EXIT_FAILURE);
}
if(load_dst_and_pcap(&idata, LOAD_PCAP_ONLY) == FAILURE){
puts("Error while learning Souce Address and Next Hop");
exit(EXIT_FAILURE);
}
release_privileges();
if(pcap_compile(idata.pfd, &pcap_filter, PCAP_NOPACKETS_FILTER, PCAP_OPT, PCAP_NETMASK_UNKNOWN) == -1){
printf("pcap_compile(): %s", pcap_geterr(idata.pfd));
exit(EXIT_FAILURE);
}
if(pcap_setfilter(idata.pfd, &pcap_filter) == -1){
printf("pcap_setfilter(): %s", pcap_geterr(idata.pfd));
exit(EXIT_FAILURE);
}
pcap_freecode(&pcap_filter);
srandom(time(NULL));
/*
If the IPv6 Source Address has not been specified, and the "-F" (flood) option has
not been specified, select a random link-local unicast address.
*/
if(!idata.srcaddr_f && !floods_f){
/*
When randomizing a link-local IPv6 address, select addresses that belong to the
prefix fe80::/64 (that's what a link-local address looks-like in legitimate cases).
The KAME implementation discards addresses in which the second highe-order 16 bits
(srcaddr.s6_addr16[1] in our case) are not zero.
*/
if ( inet_pton(AF_INET6, "fe80::", &(idata.srcaddr)) <= 0){
puts("inet_pton(): Error when converting address");
exit(EXIT_FAILURE);
}
randomize_ipv6_addr(&(idata.srcaddr), &(idata.srcaddr), 64);
}
/*
If the flood option ("-F") has been specified, but no prefix has been specified,
select the random Source Addresses from the link-local unicast prefix (fe80::/64).
*/
if(floods_f && !idata.srcprefix_f){
if ( inet_pton(AF_INET6, "fe80::", &(idata.srcaddr)) <= 0){
puts("inet_pton(): Error when converting address");
exit(EXIT_FAILURE);
}
randomize_ipv6_addr(&(idata.srcaddr), &(idata.srcaddr), 64);
idata.srcpreflen=64;
}
/*
If the flood target option ("-T") was specified, but no prefix was specified,
select the random Target Addresses from the link-local unicast prefix (fe80::/64).
*/
if(floodt_f && !targetprefix_f){
if ( inet_pton(AF_INET6, "fe80::", &(targetaddr)) <= 0){
puts("inet_pton(): Error when converting address");
exit(EXIT_FAILURE);
}
randomize_ipv6_addr(&(targetaddr), &(targetaddr), 64);
targetpreflen=64;
}
if(!floodt_f)
ntargets=1;
if(!idata.dstaddr_f){ /* Destination Address defaults to all-nodes (ff02::1) */
if( inet_pton(AF_INET6, ALL_NODES_MULTICAST_ADDR, &(idata.dstaddr)) <= 0){
puts("inet_pton(): address not valid");
exit(EXIT_FAILURE);
}
}
if(!idata.hsrcaddr_f && !floods_f) /* Source link-layer address is randomized by default */
randomize_ether_addr(&(idata.hsrcaddr));
if(sllopt_f && !sllopta_f){ /* The value of the source link-layer address option */
linkaddr[0]= idata.hsrcaddr; /* defaults to the source Ethernet address */
nlinkaddr++;
}
if(!idata.hdstaddr_f) /* Destination link-layer address defaults to all-nodes */
if(ether_pton(ETHER_ALLNODES_LINK_ADDR, &(idata.hdstaddr), sizeof(idata.hdstaddr)) == 0){
puts("ether_pton(): Error converting all-nodes multicast address");
exit(EXIT_FAILURE);
}
if(!floods_f)
nsources=1;
if(!sleep_f)
nsleep=1;
if( !idata.fragh_f && dstoptuhdr_f){
puts("Dst. Options Header (Unfragmentable Part) set, but Fragmentation not specified");
exit(EXIT_FAILURE);
}
if(idata.verbose_f){
print_attack_info(&idata);
}
/* Set initial contents of the attack packet */
init_packet_data(&idata);
/* Fire a Neighbor Solicitarion message */
send_packet(&idata);
if(idata.verbose_f)
puts("Initial attack packet(s) sent successfully.");
if(loop_f && idata.verbose_f)
printf("Now sending Neighbor Solicitations every %u second%s...\n", nsleep, \
((nsleep>1)?"s":""));
while(loop_f){
sleep(nsleep);
send_packet(&idata);
}
exit(EXIT_SUCCESS);
}
int main(int argc, char **argv){
extern char *optarg;
char *endptr; /* Used by strtoul() */
fd_set sset, rset;
struct timeval timeout;
int r, sel;
time_t curtime, start, lastecho=0;
static struct option longopts[] = {
{"interface", required_argument, 0, 'i'},
{"link-src-addr", required_argument, 0, 'S'},
{"link-dst-addr", required_argument, 0, 'D'},
{"src-address", required_argument, 0, 's'},
{"dst-address", required_argument, 0, 'd'},
{"hop-limit", required_argument, 0, 'A'},
{"dst-opt-hdr", required_argument, 0, 'u'},
{"dst-opt-u-hdr", required_argument, 0, 'U'},
{"hbh-opt-hdr", required_argument, 0, 'H'},
{"frag-hdr", required_argument, 0, 'y'},
{"ipv6-length", required_argument, 0, 'q'},
{"jumbo-length", required_argument, 0, 'Q'},
{"payload-size", required_argument, 0, 'P'},
{"loop", no_argument, 0, 'l'},
{"sleep", required_argument, 0, 'z'},
{"listen", no_argument, 0, 'L'},
{"verbose", no_argument, 0, 'v'},
{"help", no_argument, 0, 'h'}
};
char shortopts[]= "i:s:d:A:u:U:H:y:S:D:q:Q:P:lz:Lvh";
char option;
if(argc<=1){
usage();
exit(EXIT_FAILURE);
}
hoplimit=64+random()%180;
init_iface_data(&idata);
while((r=getopt_long(argc, argv, shortopts, longopts, NULL)) != -1) {
option= r;
switch(option) {
case 'i': /* Interface */
strncpy(idata.iface, optarg, IFACE_LENGTH-1);
idata.iface[IFACE_LENGTH-1]=0;
idata.ifindex= if_nametoindex(idata.iface);
idata.iface_f=TRUE;
break;
case 's': /* IPv6 Source Address */
if(idata.srcaddr_f){
puts("Error: Multiple '-s' options have been specified");
exit(EXIT_FAILURE);
}
if((charptr = strtok_r(optarg, "/", &lasts)) == NULL){
puts("Error in Source Address");
exit(EXIT_FAILURE);
}
if ( inet_pton(AF_INET6, charptr, &(idata.srcaddr)) <= 0){
puts("inet_pton(): Source Address not valid");
exit(EXIT_FAILURE);
}
idata.srcaddr_f = 1;
if((charptr = strtok_r(NULL, " ", &lasts)) != NULL){
idata.srcpreflen = atoi(charptr);
if(idata.srcpreflen>128){
puts("Prefix length error in IPv6 Source Address");
exit(EXIT_FAILURE);
}
sanitize_ipv6_prefix(&(idata.srcaddr), idata.srcpreflen);
idata.srcprefix_f=1;
}
break;
case 'd': /* IPv6 Destination Address */
if( inet_pton(AF_INET6, optarg, &(idata.dstaddr)) <= 0){
puts("inet_pton(): address not valid");
exit(EXIT_FAILURE);
}
idata.dstaddr_f = 1;
break;
case 'A': /* Hop Limit */
hoplimit= atoi(optarg);
hoplimit_f=1;
break;
case 'u': /* Destinations Options Header */
if(ndstopthdr >= MAX_DST_OPT_HDR){
puts("Too many Destination Options Headers");
exit(EXIT_FAILURE);
}
hdrlen= atoi(optarg);
if(hdrlen < 8){
puts("Bad length in Destination Options Header");
exit(EXIT_FAILURE);
}
hdrlen = ((hdrlen+7)/8) * 8;
dstopthdrlen[ndstopthdr]= hdrlen;
if( (dstopthdr[ndstopthdr]= malloc(hdrlen)) == NULL){
puts("Not enough memory for Destination Options Header");
exit(EXIT_FAILURE);
}
ptrhdr= dstopthdr[ndstopthdr] + 2;
ptrhdrend= dstopthdr[ndstopthdr] + hdrlen;
while( ptrhdr < ptrhdrend){
if( (ptrhdrend-ptrhdr)>257)
pad= 257;
else
pad= ptrhdrend-ptrhdr;
if(!insert_pad_opt(ptrhdr, ptrhdrend, pad)){
puts("Destination Options Header Too Big");
exit(EXIT_FAILURE);
}
ptrhdr= ptrhdr + pad;
}
*(dstopthdr[ndstopthdr]+1)= (hdrlen/8)-1;
ndstopthdr++;
dstopthdr_f=1;
break;
case 'U': /* Destination Options Header (Unfragmentable Part) */
if(ndstoptuhdr >= MAX_DST_OPT_U_HDR){
puts("Too many Destination Options Headers (Unfragmentable Part)");
exit(EXIT_FAILURE);
}
hdrlen= atoi(optarg);
if(hdrlen < 8){
puts("Bad length in Destination Options Header (Unfragmentable Part)");
exit(EXIT_FAILURE);
}
hdrlen = ((hdrlen+7)/8) * 8;
dstoptuhdrlen[ndstoptuhdr]= hdrlen;
if( (dstoptuhdr[ndstoptuhdr]= malloc(hdrlen)) == NULL){
puts("Not enough memory for Destination Options Header (Unfragmentable Part)");
exit(EXIT_FAILURE);
}
ptrhdr= dstoptuhdr[ndstoptuhdr]+2;
ptrhdrend= dstoptuhdr[ndstoptuhdr] + hdrlen;
while( ptrhdr < ptrhdrend){
if( (ptrhdrend-ptrhdr)>257)
pad= 257;
else
pad= ptrhdrend-ptrhdr;
if(!insert_pad_opt(ptrhdr, ptrhdrend, pad)){
puts("Destination Options Header (Unfragmentable Part) Too Big");
exit(EXIT_FAILURE);
}
ptrhdr = ptrhdr + pad;
}
*(dstoptuhdr[ndstoptuhdr]+1)= (hdrlen/8) - 1;
ndstoptuhdr++;
dstoptuhdr_f=1;
break;
case 'H': /* Hop-by-Hop Options Header */
if(nhbhopthdr >= MAX_HBH_OPT_HDR){
puts("Too many Hop-by-Hop Options Headers");
exit(EXIT_FAILURE);
}
hdrlen= atoi(optarg);
if(hdrlen <= 8){
puts("Bad length in Hop-by-Hop Options Header");
exit(EXIT_FAILURE);
}
hdrlen = ((hdrlen+7)/8) * 8;
hbhopthdrlen[nhbhopthdr]= hdrlen;
if( (hbhopthdr[nhbhopthdr]= malloc(hdrlen)) == NULL){
puts("Not enough memory for Hop-by-Hop Options Header");
exit(EXIT_FAILURE);
}
ptrhdr= hbhopthdr[nhbhopthdr] + 2;
ptrhdrend= hbhopthdr[nhbhopthdr] + hdrlen;
while( ptrhdr < ptrhdrend){
if( (ptrhdrend-ptrhdr)>257)
pad= 257;
else
pad= ptrhdrend-ptrhdr;
if(!insert_pad_opt(ptrhdr, ptrhdrend, pad)){
puts("Hop-by-Hop Options Header Too Big");
exit(EXIT_FAILURE);
}
ptrhdr = ptrhdr + pad;
}
*(hbhopthdr[nhbhopthdr]+1)= (hdrlen/8) - 1;
nhbhopthdr++;
hbhopthdr_f=1;
break;
case 'y': /* Fragment header */
nfrags= atoi(optarg);
if(nfrags < 8){
puts("Error in Fragmentation option: Fragment Size must be at least 8 bytes");
exit(EXIT_FAILURE);
}
nfrags = (nfrags +7) & 0xfff8;
fragh_f= 1;
break;
case 'S': /* Source Ethernet address */
if(ether_pton(optarg, &(idata.hsrcaddr), sizeof(idata.hsrcaddr)) == 0){
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
idata.hsrcaddr_f = 1;
break;
case 'D': /* Destination Ethernet Address */
if(ether_pton(optarg, &(idata.hdstaddr), sizeof(idata.hdstaddr)) == 0){
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
idata.hdstaddr_f = 1;
break;
case 'P': /* Payload Size*/
icmp6psize= atoi(optarg);
icmp6psize= (icmp6psize<<2) >> 2; /* The Redirected Header has a granularity of 8 bytes */
icmp6psize_f= 1;
break;
case 'q': /* IPv6 Payload Length */
if((ul_res = strtoul(optarg, &endptr, 0)) == ULONG_MAX){
perror("Error in 'TCP Sequence NUmber' parameter");
exit(EXIT_FAILURE);
}
if(endptr != optarg){
ip6length = ul_res;
ip6length_f=1;
}
break;
case 'Q': /* Jumbo Payload Length */
if((ul_res = strtoul(optarg, &endptr, 0)) == ULONG_MAX){
perror("Error in 'TCP Sequence NUmber' parameter");
exit(EXIT_FAILURE);
}
if(endptr != optarg){
jplength = ul_res;
jplength_f=1;
}
break;
case 'l': /* "Loop mode */
loop_f = 1;
break;
case 'z': /* Sleep option */
nsleep=atoi(optarg);
if(nsleep==0){
puts("Invalid number of seconds in '-z' option");
exit(EXIT_FAILURE);
}
sleep_f=1;
break;
case 'L': /* "Listen mode */
listen_f = 1;
break;
case 'v': /* Be verbose */
idata.verbose_f++;
break;
case 'h': /* Help */
print_help();
exit(EXIT_FAILURE);
break;
default:
usage();
exit(EXIT_FAILURE);
break;
} /* switch */
} /* while(getopt) */
if(geteuid()) {
puts("jumbo6 needs root privileges to run.");
exit(EXIT_FAILURE);
}
if(!idata.iface_f){
if(idata.dstaddr_f && IN6_IS_ADDR_LINKLOCAL(&(idata.dstaddr))){
puts("Must specify a network interface for link-local destinations");
exit(EXIT_FAILURE);
}
else if(idata.listen_f){
puts("Must specify a network interface when employing the 'listenging' mode");
exit(EXIT_FAILURE);
}
}
if(listen_f && loop_f){
puts("'Error: listen' mode and 'loop' mode are incompatible");
exit(EXIT_FAILURE);
}
if(!idata.dstaddr_f && !listen_f){ /* Must specify IPv6 Destination Address if listening mode not used */
puts("IPv6 Destination Address not specified (and listening mode not selected)");
exit(EXIT_FAILURE);
}
if(load_dst_and_pcap(&idata, LOAD_SRC_NXT_HOP) == FAILURE){
puts("Error while learning Souce Address and Next Hop");
exit(EXIT_FAILURE);
}
release_privileges();
srandom(time(NULL));
if((idata.ip6_local_flag && idata.ip6_global_flag) && !idata.srcaddr_f)
localaddr_f=1;
if(!idata.ether_flag){
randomize_ether_addr(&idata.ether);
idata.ether_flag=1;
}
if(!idata.ip6_local_flag){
ether_to_ipv6_linklocal(&idata.ether, &idata.ip6_local);
}
if(!sleep_f)
nsleep=QUERY_TIMEOUT;
if( !fragh_f && dstoptuhdr_f){
puts("Dst. Options Header (Unfragmentable Part) set, but Fragmentation not specified");
exit(EXIT_FAILURE);
}
if(idata.verbose_f){
print_attack_info(&idata);
}
/*
Set filter for receiving Neighbor Solicitations, ICMPv6 Echo Responses, and ICMPv6 Parameter Problem
*/
if(pcap_compile(idata.pfd, &pcap_filter, PCAP_ICMPV6_NS_FILTER, PCAP_OPT, PCAP_NETMASK_UNKNOWN) == -1){
printf("pcap_compile(): %s", pcap_geterr(idata.pfd));
exit(EXIT_FAILURE);
}
if(pcap_setfilter(idata.pfd, &pcap_filter) == -1){
printf("pcap_setfilter(): %s", pcap_geterr(idata.pfd));
exit(EXIT_FAILURE);
}
pcap_freecode(&pcap_filter);
/* Set initial contents of the attack packet */
init_packet_data(&idata);
/* Fire a packet if a IPv6 Destination Address was specified */
if(idata.dstaddr_f){
FD_ZERO(&sset);
FD_SET(idata.fd, &sset);
start= time(NULL);
while(1){
curtime=time(NULL);
if(!loop_f && (curtime - start) >= QUERY_TIMEOUT){
break;
}
if((curtime - lastecho) >= nsleep){
lastecho=curtime;
puts("Sending ICMPv6 Echo Request....\n");
if(send_packet(&idata, NULL, NULL) == -1){
puts("Error sending packet");
exit(EXIT_FAILURE);
}
}
rset= sset;
timeout.tv_usec=0;
timeout.tv_sec= nsleep;
if((sel=select(idata.fd+1, &rset, NULL, NULL, &timeout)) == -1){
if(errno == EINTR){
continue;
}
else{
puts("Error in select()");
exit(EXIT_FAILURE);
}
}
if(sel == 0)
continue;
/* Read a packet (Echo Reply, Neighbor Solicitation, or ICMPv6 Error */
if((r=pcap_next_ex(idata.pfd, &pkthdr, &pktdata)) == -1){
printf("pcap_next_ex(): %s", pcap_geterr(idata.pfd));
exit(EXIT_FAILURE);
}
else if(r == 0){
continue; /* Should never happen */
}
pkt_ether = (struct ether_header *) pktdata;
pkt_ipv6 = (struct ip6_hdr *)((char *) pkt_ether + ETHER_HDR_LEN);
pkt_icmp6 = (struct icmp6_hdr *) ((char *) pkt_ipv6 + sizeof(struct ip6_hdr));
pkt_ns= (struct nd_neighbor_solicit *) pkt_icmp6;
pkt_end = (unsigned char *) pktdata + pkthdr->caplen;
if( (pkt_end - pktdata) < (ETHER_HDR_LEN + MIN_IPV6_HLEN))
continue;
if(pkt_ipv6->ip6_nxt == IPPROTO_ICMPV6){
if(pkt_icmp6->icmp6_type == ND_NEIGHBOR_SOLICIT){
if( (pkt_end - (unsigned char *) pkt_ns) < sizeof(struct nd_neighbor_solicit))
continue;
/*
If the addresses that we're using are not actually configured on the local system
(i.e., they are "spoofed", we must check whether it is a Neighbor Solicitation for
one of our addresses, and respond with a Neighbor Advertisement. Otherwise, the kernel
will take care of that.
*/
if(!localaddr_f && is_eq_in6_addr(&(pkt_ns->nd_ns_target), &idata.srcaddr)){
if(send_neighbor_advert(&idata, idata.pfd, pktdata) == -1){
puts("Error sending Neighbor Advertisement");
exit(EXIT_FAILURE);
}
}
}
else if( (pkt_icmp6->icmp6_type == ICMP6_ECHO_REPLY) || (pkt_icmp6->icmp6_type == ICMP6_PARAM_PROB)){
if( (pkt_end - (unsigned char *) pkt_icmp6) < sizeof(struct icmp6_hdr))
continue;
/*
Do a preliminar validation check on the ICMPv6 packet (packet size, Source Address,
and Destination Address).
*/
if(!valid_icmp6_response(&idata, pkthdr, pktdata)){
continue;
}
switch(pkt_icmp6->icmp6_type){
case ICMP6_ECHO_REPLY:
print_icmp6_echo(&idata, pkthdr, pktdata);
break;
case ICMP6_PARAM_PROB:
print_icmp6_error(&idata, pkthdr, pktdata);
break;
}
}
}
}
exit(EXIT_SUCCESS);
}
if(!idata.dstaddr_f){
puts("Error: Nothing to send! (Destination Address left unspecified)");
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
int main(int argc, char **argv){
extern char *optarg;
fd_set sset, rset;
struct timeval timeout;
int r, sel;
time_t curtime, start, lastfrag1=0;
/* Arrays for storing the Flow ID samples */
u_int32_t test1[NSAMPLES], test2[NSAMPLES];
unsigned int ntest1=0, ntest2=0;
unsigned char testtype;
static struct option longopts[] = {
{"interface", required_argument, 0, 'i'},
{"src-address", required_argument, 0, 's'},
{"dst-address", required_argument, 0, 'd'},
{"hop-limit", required_argument, 0, 'A'},
{"link-src-addr", required_argument, 0, 'S'},
{"link-dst-addr", required_argument, 0, 'D'},
{"protocol", required_argument, 0, 'P'},
{"dst-port", no_argument, 0, 'p'},
{"flow-label-policy", no_argument, 0, 'W'},
{"verbose", no_argument, 0, 'v'},
{"help", no_argument, 0, 'h'}
};
char shortopts[]= "i:s:d:A:S:D:P:p:Wvh";
char option;
if(argc<=1){
usage();
exit(EXIT_FAILURE);
}
srandom(time(NULL));
hoplimit=64+random()%180;
if(init_iface_data(&idata) == FAILURE){
puts("Error initializing internal data structure");
exit(EXIT_FAILURE);
}
while((r=getopt_long(argc, argv, shortopts, longopts, NULL)) != -1) {
option= r;
switch(option) {
case 'i': /* Interface */
strncpy(idata.iface, optarg, IFACE_LENGTH-1);
idata.iface[IFACE_LENGTH-1]=0;
idata.ifindex= if_nametoindex(idata.iface);
idata.iface_f=TRUE;
break;
case 's': /* IPv6 Source Address */
if((charptr = strtok_r(optarg, "/", &lasts)) == NULL){
puts("Error in Source Address");
exit(EXIT_FAILURE);
}
if ( inet_pton(AF_INET6, charptr, &(idata.srcaddr)) <= 0){
puts("inet_pton(): Source Address not valid");
exit(EXIT_FAILURE);
}
idata.srcaddr_f = 1;
if((charptr = strtok_r(NULL, " ", &lasts)) != NULL){
srcpreflen = atoi(charptr);
if(srcpreflen>128){
puts("Prefix length error in IPv6 Source Address");
exit(EXIT_FAILURE);
}
sanitize_ipv6_prefix(&(idata.srcaddr), srcpreflen);
srcprefix_f=1;
}
break;
case 'd': /* IPv6 Destination Address */
if( inet_pton(AF_INET6, optarg, &(idata.dstaddr)) <= 0){
puts("inet_pton(): address not valid");
exit(EXIT_FAILURE);
}
idata.dstaddr_f = 1;
break;
case 'A': /* Hop Limit */
hoplimit= atoi(optarg);
hoplimit_f=1;
break;
case 'S': /* Source Ethernet address */
if(ether_pton(optarg, &(idata.hsrcaddr), sizeof(idata.hsrcaddr)) == 0){
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
idata.hsrcaddr_f = 1;
break;
case 'D': /* Destination Ethernet Address */
if(ether_pton(optarg, &(idata.hdstaddr), sizeof(idata.hdstaddr)) == 0){
puts("Error in Source link-layer address.");
exit(EXIT_FAILURE);
}
idata.hdstaddr_f = 1;
break;
case 'P': /* Protocol */
if(strncmp(optarg, "tcp", MAX_STRING_SIZE) == 0 || \
strncmp(optarg, "TCP", MAX_STRING_SIZE) == 0){
protocol= IPPROTO_TCP;
}
else if(strncmp(optarg, "udp", MAX_STRING_SIZE) == 0 || \
strncmp(optarg, "UDP", MAX_STRING_SIZE) == 0){
protocol= IPPROTO_UDP;
}
else{
puts("Unknown protocol type (valid types: 'tcp', 'udp')");
exit(EXIT_FAILURE);
}
protocol_f= 1;
break;
case 'p': /* Destination port */
dstport= atoi(optarg);
dstport_f=1;
break;
case 'W': /* Assess the Flow Label generation policy of the target */
flowidp_f= 1;
break;
case 'v': /* Be verbose */
idata.verbose_f++;
break;
case 'h': /* Help */
print_help();
exit(EXIT_FAILURE);
break;
default:
usage();
exit(EXIT_FAILURE);
break;
} /* switch */
} /* while(getopt) */
if(geteuid()) {
puts("flow6 needs root privileges to run.");
exit(EXIT_FAILURE);
}
if(!idata.iface_f){
if(idata.dstaddr_f && IN6_IS_ADDR_LINKLOCAL(&(idata.dstaddr))){
puts("Must specify a network interface for link-local destinations");
exit(EXIT_FAILURE);
}
}
if(load_dst_and_pcap(&idata, LOAD_SRC_NXT_HOP) == FAILURE){
puts("Error while learning Souce Address and Next Hop");
exit(EXIT_FAILURE);
}
release_privileges();
if( !fragh_f && dstoptuhdr_f){
puts("Dst. Options Header (Unfragmentable Part) set, but Fragmentation not specified");
exit(EXIT_FAILURE);
}
if(idata.verbose_f){
print_attack_info();
}
if(!idata.dstaddr_f){
puts("Error: Nothing to send! (Destination Address left unspecified)");
exit(EXIT_FAILURE);
}
/* Assess the Flow ID generation policy */
if(flowidp_f){
if(dstport_f && !protocol_f){
puts("Error: Must specify a protocol if the port number is specified");
exit(EXIT_FAILURE);
}
if(!protocol_f){
protocol= IPPROTO_TCP;
dstport= 80;
}
else if(!dstport_f){
if(protocol == IPPROTO_TCP)
dstport= 80;
else
dstport= 53;
}
puts("Identifying the 'Flow ID' generation policy of the target node....");
if(protocol == IPPROTO_TCP){
tcpwin= ((u_int16_t) random() + 1500) & (u_int16_t)0x7f00;
tcpseq= random();
baseport= 50000+ random()%10000;
lastport= baseport;
}
/*
Set filter for receiving Neighbor Solicitations, and TCP segments
*/
if(pcap_compile(idata.pfd, &pcap_filter, PCAP_NSTCP_FILTER, PCAP_OPT, PCAP_NETMASK_UNKNOWN) == -1){
printf("pcap_compile(): %s", pcap_geterr(idata.pfd));
exit(EXIT_FAILURE);
}
if(pcap_setfilter(idata.pfd, &pcap_filter) == -1){
printf("pcap_setfilter(): %s", pcap_geterr(idata.pfd));
exit(EXIT_FAILURE);
}
pcap_freecode(&pcap_filter);
FD_ZERO(&sset);
FD_SET(idata.fd, &sset);
start= time(NULL);
lastfrag1=0;
ntest1=0;
ntest2=0;
testtype= FIXED_ORIGIN;
if(srcprefix_f){
randprefix= idata.srcaddr;
randpreflen=srcpreflen;
}
else{
randprefix= idata.srcaddr;
randpreflen=64;
sanitize_ipv6_prefix(&randprefix, randpreflen);
}
while(1){
curtime=time(NULL);
if( testtype==FIXED_ORIGIN && ((curtime - start) >= ID_ASSESS_TIMEOUT || ntest1 >= NSAMPLES)){
testtype= MULTI_ORIGIN;
addr_sig= random();
addr_key= random();
start= curtime;
continue;
}
else if( testtype==MULTI_ORIGIN && ((curtime - start) >= ID_ASSESS_TIMEOUT || ntest2 >= NSAMPLES)){
break;
}
if((curtime - lastfrag1) >= 1){
if(testtype == FIXED_ORIGIN){
for(i=0; i<NSAMPLES; i++){
if(send_fid_probe() == -1){
puts("Error while sending packet");
exit(EXIT_FAILURE);
}
lastport++;
}
}
else{
for(i=0; i<NSAMPLES; i++){
randomize_ipv6_addr(&(idata.srcaddr), &randprefix, randpreflen);
/*
* Two words of the Source IPv6 Address are specially encoded such that we only respond
* to Neighbor Solicitations that target those addresses, and accept ICMPv6 Echo Replies
* only if they are destined to those addresses
*/
idata.srcaddr.s6_addr16[5]= addr_sig;
idata.srcaddr.s6_addr16[7] = idata.srcaddr.s6_addr16[6] ^ addr_key;
if(send_neighbor_solicit(&idata, &(idata.dstaddr)) == -1){
puts("Error while sending Neighbor Solicitation");
exit(EXIT_FAILURE);
}
if(send_fid_probe() == -1){
puts("Error while sending packet");
exit(EXIT_FAILURE);
}
lastport++;
}
}
lastfrag1=curtime;
continue;
}
rset= sset;
timeout.tv_usec=0;
timeout.tv_sec= 1;
if((sel=select(idata.fd+1, &rset, NULL, NULL, &timeout)) == -1){
if(errno == EINTR){
continue;
}
else{
puts("Error in select()");
exit(EXIT_FAILURE);
}
}
if(sel == 0)
continue;
/* Read a packet (Echo Reply, or Neighbor Solicitation) */
if((r=pcap_next_ex(idata.pfd, &pkthdr, &pktdata)) == -1){
printf("pcap_next_ex(): %s", pcap_geterr(idata.pfd));
exit(EXIT_FAILURE);
}
else if(r == 0){
continue; /* Should never happen */
}
pkt_ether = (struct ether_header *) pktdata;
pkt_ipv6 = (struct ip6_hdr *)((char *) pkt_ether + idata.linkhsize);
pkt_icmp6 = (struct icmp6_hdr *) ((char *) pkt_ipv6 + sizeof(struct ip6_hdr));
pkt_end = (unsigned char *) pktdata + pkthdr->caplen;
if( (pkt_end - pktdata) < (idata.linkhsize + MIN_IPV6_HLEN))
continue;
if(pkt_ipv6->ip6_nxt == IPPROTO_ICMPV6 && pkt_icmp6->icmp6_type == ND_NEIGHBOR_SOLICIT){
pkt_ns= (struct nd_neighbor_solicit *) pkt_icmp6;
if( (pkt_end - (unsigned char *) pkt_ns) < sizeof(struct nd_neighbor_solicit))
continue;
/*
If the addresses that we're using are not actually configured on the local system
(i.e., they are "spoofed", we must check whether it is a Neighbor Solicitation for
one of our addresses, and respond with a Neighbor Advertisement. Otherwise, the kernel
will take care of that.
*/
if(testtype==FIXED_ORIGIN){
if(!localaddr_f && is_eq_in6_addr(&(pkt_ns->nd_ns_target), &(idata.srcaddr))){
if(send_neighbor_advert(&idata, idata.pfd, pktdata) == -1){
puts("Error sending Neighbor Advertisement");
exit(EXIT_FAILURE);
}
}
}
else{
if(pkt_ns->nd_ns_target.s6_addr16[5] != addr_sig || \
pkt_ns->nd_ns_target.s6_addr16[7] != (pkt_ns->nd_ns_target.s6_addr16[6] ^ addr_key))
continue;
if(send_neighbor_advert(&idata, idata.pfd, pktdata) == -1){
puts("Error sending Neighbor Advertisement");
exit(EXIT_FAILURE);
}
}
}
else if(pkt_ipv6->ip6_nxt == protocol){
/* Perform TCP-specific validation checks */
if(protocol == IPPROTO_TCP){
if( (pkt_end - (unsigned char *) pkt_ipv6) < \
(sizeof(struct ip6_hdr) + sizeof(struct tcp_hdr)))
continue;
pkt_tcp= (struct tcp_hdr *) ((unsigned char *)pkt_ipv6 + sizeof(struct ip6_hdr));
/*
* The TCP Destination Port must correspond to one of the ports that we have used as
* TCP Source Port
*/
if(ntohs(pkt_tcp->th_dport) < baseport || ntohs(pkt_tcp->th_dport) > lastport)
continue;
/* The Source Port must be that to which we're sending our TCP segments */
if(ntohs(pkt_tcp->th_sport) != dstport)
continue;
/* The TCP Acknowledgement Number must ack our SYN */
if(ntohl(pkt_tcp->th_ack) != tcpseq+1)
continue;
/* We sample Flow ID's only on SYN/ACKs */
if( (pkt_tcp->th_flags & ~TH_SYN) == 0 || (pkt_tcp->th_flags & TH_ACK) == 0)
continue;
/* The TCP checksum must be valid */
if(in_chksum(pkt_ipv6, pkt_tcp, pkt_end-((unsigned char *)pkt_tcp), IPPROTO_TCP) != 0)
continue;
}
/* Perform UDP-specific validation checks */
else if(protocol == IPPROTO_UDP){
if( (pkt_end - (unsigned char *) pkt_ipv6) < \
(sizeof(struct ip6_hdr) + sizeof(struct udp_hdr)))
continue;
pkt_udp= (struct udp_hdr *) ((unsigned char *)pkt_ipv6 + sizeof(struct ip6_hdr));
/*
* The UDP Destination Port must correspond to one of the ports that we have used as
* the UDP Source Port
*/
if(ntohs(pkt_udp->uh_dport) < baseport || ntohs(pkt_udp->uh_dport) > lastport)
continue;
/* The Source Port must be that to which we're sending our UDP datagrams */
if(ntohs(pkt_udp->uh_sport) != dstport)
continue;
/* The UDP checksum must be valid */
if(in_chksum(pkt_ipv6, pkt_udp, pkt_end-((unsigned char *)pkt_udp), IPPROTO_UDP) != 0)
continue;
}
if(testtype==FIXED_ORIGIN){
if(!is_eq_in6_addr(&(pkt_ipv6->ip6_dst), &(idata.srcaddr))){
continue;
}
if(ntest1 >= NSAMPLES)
continue;
test1[ntest1]= ntohl(pkt_ipv6->ip6_flow) & 0x000fffff;
ntest1++;
}
else{
if(pkt_ipv6->ip6_dst.s6_addr16[5] != addr_sig || \
pkt_ipv6->ip6_dst.s6_addr16[7] != (pkt_ipv6->ip6_dst.s6_addr16[6] ^ addr_key)){
continue;
}
if(ntest2 >= NSAMPLES)
continue;
test2[ntest2]= ntohl(pkt_ipv6->ip6_flow) & 0x000fffff;
ntest2++;
}
}
}
if(idata.verbose_f > 1){
printf("Sampled %u Flow Labels from single-origin probes\n", ntest1);
for(i=0; i<ntest1; i++)
printf("#%02u: %05x\n", (i+1), test1[i]);
printf("\nSampled %u Flow Labels from multi-origin probes\n", ntest2);
for(i=0; i<ntest2; i++)
printf("#%02u: %05x\n", (i+1), test2[i]);
puts("");
}
if(ntest1 < 10 || ntest2 < 10){
puts("Error: Didn't receive enough response packets");
exit(EXIT_FAILURE);
}
if(predict_flow_id(test1, ntest1, test2, ntest2) == -1){
puts("Error in predict_flow_id()");
exit(EXIT_FAILURE);
}
exit(EXIT_SUCCESS);
}
exit(EXIT_SUCCESS);
}
