Arp sp00fing c0de

asiainfo-secli · Jul 26, 2005 · aafb4a0 · aafb4a0
1 parent db7794d
commit aafb4a0
Show file tree

Hide file tree

Showing 19 changed files with 330 additions and 191 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -2,6 +2,21 @@
 
 UNRELEASED
 
+o Added the --spoof_mac option, which asks Nmap to use the given MAC
+  address for all of the raw ethernet frames it sends.  The MAC given
+  can take several formats.  If it is simply the string "0", Nmap
+  chooses a completely random MAC for the session.  If the given
+  string is an even number of hex digits (with the pairs optionally
+  separated by a colon), Nmap will use those as the MAC.  If less than
+  12 hex digits are provided, Nmap fills in the remainder of the 6
+  bytes with random values.  If the argument isn't a 0 or hex string,
+  Nmap looks through the nmap-mac-prefixes to find a vendor name
+  containing the given string (it is case insensitive).  If a match is
+  found, Nmap uses the vendor's OUI (3-byte prefix) and fills out the
+  remaining 3 bytes randomly.  Valid --spoof_mac argument examples are
+  "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and
+  "Cisco".
+
 o Fixed a problem where Nmap compilation would use header files from
   the libpcap included with Nmap even when it was linking to a system
   libpcap.  Thanks to Solar Designer (solar(a)openwall.com) and Okan

diff --git a/MACLookup.cc b/MACLookup.cc
@@ -221,3 +221,26 @@ const char *MACPrefix2Corp(const u8 *prefix) {
   ent = findMACEntry(MacCharPrefix2Key(prefix));
   return (ent)? ent->vendor : NULL;
 }
+
+/* Takes a string and looks through the table for a vendor name which
+   contains that string.  Sets the first three bytes in mac_data and
+   returns true for the first matching entry found.  If no entries
+   match, leaves mac_data untouched and returns false.  Note that this
+   is not particularly efficient and so should be rewriteen if it is
+   called often */
+bool MACCorp2Prefix(const char *vendorstr, u8 *mac_data) {
+  if (!vendorstr) fatal("%s: vendorstr is NULL", __FUNCTION__);
+  if (!mac_data) fatal("%s: mac_data is NULL", __FUNCTION__);
+  if (!initialized) InitializeTable();
+
+  for(int i = 0; i < MacTable.table_capacity; i++ ) {
+    if (MacTable.table[i])
+      if (strcasestr(MacTable.table[i]->vendor, vendorstr)) {
+	mac_data[0] = MacTable.table[i]->prefix >> 16;
+	mac_data[1] = (MacTable.table[i]->prefix >> 8) & 0xFF;
+	mac_data[2] = MacTable.table[i]->prefix & 0xFF;
+	return true;
+      }
+  }
+  return false;
+}
diff --git a/MACLookup.h b/MACLookup.h
@@ -111,4 +111,12 @@
    is some other error. */
 const char *MACPrefix2Corp(const u8 *prefix);
 
+/* Takes a string and looks through the table for a vendor name which
+   contains that string.  Sets the first three bytes in mac_data and
+   returns true for the first matching entry found.  If no entries
+   match, leaves mac_data untouched and returns false.  Note that this
+   is not particularly efficient and so should be rewriteen if it is
+   called often */
+bool MACCorp2Prefix(const char *vendorstr, u8 *mac_data);
+
 #endif /* MACLOOKUP_H */
diff --git a/Makefile.in b/Makefile.in
@@ -1,4 +1,4 @@
-export NMAP_VERSION = 3.83.SOC2
+export NMAP_VERSION = 3.83.SOC3
 NMAP_NAME= nmap
 NMAP_URL= http://www.insecure.org/nmap/
 NMAP_PLATFORM=@host@

diff --git a/NmapOps.cc b/NmapOps.cc
@@ -242,6 +242,7 @@ void NmapOps::Initialize() {
 #endif
   if (xsl_stylesheet) free(xsl_stylesheet);
   xsl_stylesheet = strdup(tmpxsl);
+  spoof_mac_set = false;
 }
 
 bool NmapOps::TCPScan() {
@@ -269,7 +270,7 @@ bool NmapOps::RawScan() {
 void NmapOps::ValidateOptions() {
 
   if (pingtype == PINGTYPE_UNKNOWN) {
-    if (isr00t && af() == AF_INET) pingtype = PINGTYPE_TCP|PINGTYPE_TCP_USE_ACK|PINGTYPE_ICMP_PING;
+    if (isr00t && af() == AF_INET) pingtype = DEFAULT_PING_TYPES;
     else pingtype = PINGTYPE_TCP; // if nonr00t or IPv6
     num_ping_ackprobes = 1;
     ping_ackprobes[0] = DEFAULT_TCP_PROBE_PORT;
@@ -480,3 +481,8 @@ void NmapOps::setXSLStyleSheet(char *xslname) {
   if (xsl_stylesheet) free(xsl_stylesheet);
   xsl_stylesheet = xslname? strdup(xslname) : NULL;
 }
+
+void NmapOps::setSpoofMACAddress(u8 *mac_data) {
+  memcpy(spoof_mac, mac_data, 6);
+  spoof_mac_set = true;
+}
diff --git a/NmapOps.h b/NmapOps.h
@@ -220,6 +220,11 @@ class NmapOps {
      should be skipped */
   char *XSLStyleSheet() { return xsl_stylesheet; }
 
+  /* Sets the spoofed MAC address */
+  void setSpoofMACAddress(u8 *mac_data);
+  /* Gets the spoofed MAC address, but returns NULL if it hasn't been set */
+  const u8 *spoofMACAddress() { return spoof_mac_set? spoof_mac : NULL; }
+
   int max_ips_to_scan; // Used for Random input (-iR) to specify how 
                        // many IPs to try before stopping. 0 means unlimited.
   int extra_payload_length; /* These two are for --data_length op */
@@ -290,5 +295,7 @@ class NmapOps {
   bool pTrace; // Whether packet tracing has been enabled
   bool vTrace; // Whether version tracing has been enabled
   char *xsl_stylesheet;
+  u8 spoof_mac[6];
+  bool spoof_mac_set;
 };
 
diff --git a/config.h b/config.h
@@ -103,7 +103,7 @@
 #ifndef CONFIG_H
 #define CONFIG_H
 
-/* #undef PCAP_TIMEOUT_IGNORED */
+#define PCAP_TIMEOUT_IGNORED 1
 
 #define HAVE_STRUCT_IP 1
 
@@ -123,15 +123,15 @@
 
 #define HAVE_STRING_H 1
 
-/* #undef HAVE_GETOPT_H */
+#define HAVE_GETOPT_H 1
 
 #define HAVE_STRINGS_H 1
 
 #define HAVE_PWD_H 1
 
 /* #undef HAVE_BSTRING_H */
 
-#define WORDS_BIGENDIAN 1
+/* #undef WORDS_BIGENDIAN */
 
 #define HAVE_MEMORY_H 1
 
@@ -142,29 +142,29 @@
 
 #define HAVE_SYS_PARAM_H 1
 
-#define HAVE_SYS_SOCKIO_H 1
+/* #undef HAVE_SYS_SOCKIO_H */
 
 /* #undef HAVE_PCRE_H */
 
-/* #undef HAVE_PCRE_PCRE_H */
+#define HAVE_PCRE_PCRE_H 1
 
 #define BSD_NETWORKING 1
 
-/* #undef HAVE_INET_ATON */
+#define HAVE_INET_ATON 1
 
-/* #undef HAVE_STRCASESTR */
+#define HAVE_STRCASESTR 1
 
 /* #undef HAVE_GETOPT_LONG */
 
-#define IN_ADDR_DEEPSTRUCT 1
+/* #undef IN_ADDR_DEEPSTRUCT */
 
 /* #undef HAVE_NETINET_IN_SYSTEM_H */
 
 /* #undef HAVE_SOCKADDR_SA_LEN */
 
 #define HAVE_NETINET_IF_ETHER_H 1
 
-/* #undef HAVE_OPENSSL */
+#define HAVE_OPENSSL 1
 
 /* #undef STUPID_SOLARIS_CHECKSUM_BUG */
 
@@ -191,10 +191,10 @@ extern "C" int gethostname (char *, unsigned int);
 #endif
 
 /* #undef DEC */
-/* #undef LINUX */
+#define LINUX 1
 /* #undef FREEBSD */
 /* #undef OPENBSD */
-#define SOLARIS 1
+/* #undef SOLARIS */
 /* #undef SUNOS */
 /* #undef BSDI */
 /* #undef IRIX */

diff --git a/docs/nmap.1 b/docs/nmap.1
@@ -500,10 +500,27 @@ while ethernet frames work best on the many Windows versions where
 Microsoft has disabled raw sockets support.  Nmap still uses raw IP
 packets when there is no other choice (such as non-ethernet
 connections).
+.TP
 .B --send_ip
 Asks Nmap to send packets via raw IP sockets rather than sending lower
 level ethernet frames.  It is the complement to the --send-eth
 option.discussed previously.
+.TP
+.B \--spoof_mac [mac, prefix, or vendor substring]
+Ask Nmap to use the given MAC address for all of the raw ethernet
+frames it sends.  The MAC given can take several formats.  If it is
+simply the string "0", Nmap chooses a completely random MAC for the
+session.  If the given string is an even number of hex digits (with
+the pairs optionally separated by a colon), Nmap will use those as the
+MAC.  If less than 12 hex digits are provided, Nmap fills in the
+remainder of the 6 bytes with random values.  If the argument isn't a
+0 or hex string, Nmap looks through the nmap-mac-prefixes to find a
+vendor name containing the given string (it is case insensitive).  If
+a match is found, Nmap uses the vendor's OUI (3-byte prefix) and fills
+out the remaining 3 bytes randomly.  Valid --spoof_mac argument
+examples are "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe",
+"0020F2", and "Cisco".
+.TP
 .B \-f
 This option causes the requested scan (including ping scans) to use
 tiny fragmented IP packets.  The idea is to split up the TCP header

diff --git a/docs/nmap.usage.txt b/docs/nmap.usage.txt
@@ -1,4 +1,4 @@
-Nmap 3.83.SOC2 Usage: nmap [Scan Type(s)] [Options] <host or net list>
+Nmap 3.83.SOC3 Usage: nmap [Scan Type(s)] [Options] <host or net list>
 Some Common Scan Types ('*' options require root privileges)
 * -sS TCP SYN stealth port scan (default if privileged (root))
   -sT TCP connect() port scan (default for unprivileged users)

diff --git a/docs/nmap_manpage.html b/docs/nmap_manpage.html
@@ -461,15 +461,15 @@ <H2>OPTIONS</H2><PRE>
               or  other  scan  types,  have  a  look  at  http://nmap6.source-
               forge.net/ .
 
-       <B>--send-eth</B>
+       <B>--send_eth</B>
               Asks Nmap to send packets at the raw ethernet (data link)  layer
               rather  than  the  higher  IP (network) layer.  By default, Nmap
               chooses the one which is generally best for the platform  it  is
               running on.  Raw sockets (IP layer) are generally most efficient
               for UNIX machines, while ethernet frames work best on  the  many
               Windows  versions  where Microsoft has disabled raw sockets sup-
               port.  Nmap still uses raw IP packets when  there  is  no  other
-              choice  (such as non-ethernet connections).  <B>--send-ip</B> Asks Nmap
+              choice  (such as non-ethernet connections).  <B>--send_ip</B> Asks Nmap
               to send packets via raw IP sockets  rather  than  sending  lower
               level  ethernet  frames.  It is the complement to the --send-eth
               option.discussed  previously.   <B>-f</B>  This   option   causes   the
@@ -544,7 +544,7 @@ <H2>OPTIONS</H2><PRE>
               URL  is  often  more useful, but the local filesystem locaton of
               nmap.xsl is used by default for privacy reasons.
 
-       <B>--no-stylesheet</B>
+       <B>--no_stylesheet</B>
               Specify this option to prevent Nmap  from  associating  any  XSL
               stylesheet with its XML output.  The xml-stylesheet directive is
               omitted.

diff --git a/libdnet-stripped/Makefile b/libdnet-stripped/Makefile
@@ -22,7 +22,7 @@ pkglibdir = $(libdir)/libdnet
 pkgincludedir = $(includedir)/libdnet
 top_builddir = .
 am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
-INSTALL = config/install-sh -c
+INSTALL = /usr/bin/install -c
 install_sh_DATA = $(install_sh) -c -m 644
 install_sh_PROGRAM = $(install_sh) -c
 install_sh_SCRIPT = $(install_sh) -c
@@ -34,8 +34,8 @@ POST_INSTALL = :
 NORMAL_UNINSTALL = :
 PRE_UNINSTALL = :
 POST_UNINSTALL = :
-build_triplet = sparc-sun-solaris2.9
-host_triplet = sparc-sun-solaris2.9
+build_triplet = x86_64-unknown-linux-gnu
+host_triplet = x86_64-unknown-linux-gnu
 DIST_COMMON = README $(am__configure_deps) $(srcdir)/Makefile.am \
 	$(srcdir)/Makefile.in $(srcdir)/dnet-config.in \
 	$(top_srcdir)/Makefile.am.common $(top_srcdir)/configure \
@@ -118,11 +118,11 @@ INSTALL_PROGRAM = ${INSTALL}
 INSTALL_SCRIPT = ${INSTALL}
 INSTALL_STRIP_PROGRAM = ${SHELL} $(install_sh) -c -s
 LDFLAGS = 
-LIBOBJS =  err$U.o strsep$U.o arp-ioctl$U.o eth-dlpi$U.o fw-none$U.o intf$U.o ip-cooked$U.o route-bsd$U.o tun-none$U.o
-LIBS = -lsocket -lnsl 
+LIBOBJS =  strlcat$U.o strlcpy$U.o arp-ioctl$U.o eth-linux$U.o fw-ipchains$U.o intf$U.o ip$U.o route-linux$U.o tun-linux$U.o
+LIBS = 
 LIBTOOL = $(SHELL) $(top_builddir)/libtool
 LN_S = ln -s
-LTLIBOBJS =  err$U.lo strsep$U.lo arp-ioctl$U.lo eth-dlpi$U.lo fw-none$U.lo intf$U.lo ip-cooked$U.lo route-bsd$U.lo tun-none$U.lo
+LTLIBOBJS =  strlcat$U.lo strlcpy$U.lo arp-ioctl$U.lo eth-linux$U.lo fw-ipchains$U.lo intf$U.lo ip$U.lo route-linux$U.lo tun-linux$U.lo
 MAINT = #
 MAINTAINER_MODE_FALSE = 
 MAINTAINER_MODE_TRUE = #
@@ -140,7 +140,7 @@ PYTHON_FALSE =
 PYTHON_TRUE = #
 RANLIB = ranlib
 SET_MAKE = 
-SHELL = /bin/bash
+SHELL = /bin/sh
 STRIP = strip
 TCLINC = 
 TCLLIB = 
@@ -164,26 +164,26 @@ am__quote =
 am__tar = ${AMTAR} chof - "$$tardir"
 am__untar = ${AMTAR} xf -
 bindir = ${exec_prefix}/bin
-build = sparc-sun-solaris2.9
+build = x86_64-unknown-linux-gnu
 build_alias = 
-build_cpu = sparc
-build_os = solaris2.9
-build_vendor = sun
+build_cpu = x86_64
+build_os = linux-gnu
+build_vendor = unknown
 datadir = ${prefix}/share
 exec_prefix = ${prefix}
-host = sparc-sun-solaris2.9
+host = x86_64-unknown-linux-gnu
 host_alias = 
-host_cpu = sparc
-host_os = solaris2.9
-host_vendor = sun
+host_cpu = x86_64
+host_os = linux-gnu
+host_vendor = unknown
 includedir = ${prefix}/include
 infodir = ${prefix}/info
 install_sh = /home/fyodor/nmap/libdnet-stripped/config/install-sh
 libdir = ${exec_prefix}/lib
 libexecdir = ${exec_prefix}/libexec
 localstatedir = ${prefix}/var
 mandir = ${prefix}/man
-mkdir_p = $(mkinstalldirs)
+mkdir_p = mkdir -p --
 oldincludedir = /usr/include
 prefix = /usr/local
 program_transform_name = s,x,x,