mirror of
				https://gitlab.alpinelinux.org/alpine/aports.git
				synced 2025-10-26 14:02:00 +01:00 
			
		
		
		
	
		
			
				
	
	
		
			229 lines
		
	
	
		
			6.7 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
			
		
		
	
	
			229 lines
		
	
	
		
			6.7 KiB
		
	
	
	
		
			Diff
		
	
	
	
	
	
| >From 21773ccf18a5fc49d35e510a8797b0a1e83858c4 Mon Sep 17 00:00:00 2001
 | |
| From: Stefan Tomanek <stefan@pico.ruhr.de>
 | |
| Date: Sun, 20 Nov 2011 21:32:53 +0100
 | |
| Subject: [PATCH 3/3] arpspoof: allow selection of source hw address
 | |
| 
 | |
| In certain networks, sending with the wrong hardware source address can
 | |
| jeopardize the network connection of the host running arpspoof. This
 | |
| patch makes it possible to specify whether arpspoof should use the own
 | |
| hardware address or the one of the real host when resetting the arp
 | |
| table of the target systems; it is also possible to use both.
 | |
| 
 | |
| Signed-off-by: Stefan Tomanek <stefan@pico.ruhr.de>
 | |
| ---
 | |
|  arpspoof.8 |    9 +++++-
 | |
|  arpspoof.c |   90 ++++++++++++++++++++++++++++++++++++++++++-----------------
 | |
|  2 files changed, 72 insertions(+), 27 deletions(-)
 | |
| 
 | |
| --- a/arpspoof.8	2012-03-14 13:33:30.000000000 -0600
 | |
| +++ b/arpspoof.8	2012-03-14 13:36:18.898055700 -0600
 | |
| @@ -9,7 +9,7 @@
 | |
|  .na
 | |
|  .nf
 | |
|  .fi
 | |
| -\fBarpspoof\fR [\fB\-i \fIinterface\fR] [\fB\-t \fItarget\fR] [\fB\-r\fR] \fIhost\fR
 | |
| +\fBarpspoof\fR [\fB\-i \fIinterface\fR] [\fB\-c \fIown|host|both\fR] [\fB\-t \fItarget\fR] [\fB\-r\fR] \fIhost\fR
 | |
|  .SH DESCRIPTION
 | |
|  .ad
 | |
|  .fi
 | |
| @@ -23,6 +23,13 @@
 | |
|  .SH OPTIONS
 | |
|  .IP "\fB-i \fIinterface\fR"
 | |
|  Specify the interface to use.
 | |
| +.IP "\fB-c \fIown|host|both\fR"
 | |
| +Specify which hardware address t use when restoring the arp configuration;
 | |
| +while cleaning up, packets can be send with the own address as well as with
 | |
| +the address of the host. Sending packets with a fake hw address can disrupt
 | |
| +connectivity with certain switch/ap/bridge configurations, however it works
 | |
| +more reliably than using the own address, which is the default way arpspoof
 | |
| +cleans up afterwards.
 | |
|  .IP "\fB-t \fItarget\fR"
 | |
|  Specify a particular host to ARP poison (if not specified, all hosts
 | |
|  on the LAN). Repeat to specify multiple hosts.
 | |
| --- a/arpspoof.c	2012-03-14 13:33:30.000000000 -0600
 | |
| +++ b/arpspoof.c	2012-03-14 13:34:11.134060364 -0600
 | |
| @@ -40,37 +40,36 @@
 | |
|  static char *intf;
 | |
|  static int poison_reverse;
 | |
|  
 | |
| +static uint8_t *my_ha = NULL;
 | |
| +static uint8_t *brd_ha = "\xff\xff\xff\xff\xff\xff";
 | |
| +
 | |
| +static int cleanup_src_own = 1;
 | |
| +static int cleanup_src_host = 0;
 | |
| +
 | |
|  static void
 | |
|  usage(void)
 | |
|  {
 | |
|  	fprintf(stderr, "Version: " VERSION "\n"
 | |
| -		"Usage: arpspoof [-i interface] [-t target] [-r] host\n");
 | |
| +		"Usage: arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host\n");
 | |
|  	exit(1);
 | |
|  }
 | |
|  
 | |
|  static int
 | |
| -arp_send(libnet_t *l, int op, u_int8_t *sha,
 | |
| -	 in_addr_t spa, u_int8_t *tha, in_addr_t tpa)
 | |
| +arp_send(libnet_t *l, int op,
 | |
| +	u_int8_t *sha, in_addr_t spa,
 | |
| +	u_int8_t *tha, in_addr_t tpa,
 | |
| +	u_int8_t *me)
 | |
|  {
 | |
|  	int retval;
 | |
|  
 | |
| -	if (sha == NULL &&
 | |
| -	    (sha = (u_int8_t *)libnet_get_hwaddr(l)) == NULL) {
 | |
| -		return (-1);
 | |
| -	}
 | |
| -	if (spa == 0) {
 | |
| -		if ((spa = libnet_get_ipaddr4(l)) == -1)
 | |
| -			return (-1);
 | |
| -	}
 | |
| -	if (tha == NULL)
 | |
| -		tha = "\xff\xff\xff\xff\xff\xff";
 | |
| -	
 | |
| +	if (!me) me = sha;
 | |
| +
 | |
|  	libnet_autobuild_arp(op, sha, (u_int8_t *)&spa,
 | |
|  			     tha, (u_int8_t *)&tpa, l);
 | |
| -	libnet_build_ethernet(tha, sha, ETHERTYPE_ARP, NULL, 0, l, 0);
 | |
| +	libnet_build_ethernet(tha, me, ETHERTYPE_ARP, NULL, 0, l, 0);
 | |
|  	
 | |
|  	fprintf(stderr, "%s ",
 | |
| -		ether_ntoa((struct ether_addr *)sha));
 | |
| +		ether_ntoa((struct ether_addr *)me));
 | |
|  
 | |
|  	if (op == ARPOP_REQUEST) {
 | |
|  		fprintf(stderr, "%s 0806 42: arp who-has %s tell %s\n",
 | |
| @@ -129,7 +128,7 @@
 | |
|  		/* XXX - force the kernel to arp. feh. */
 | |
|  		arp_force(ip);
 | |
|  #else
 | |
| -		arp_send(l, ARPOP_REQUEST, NULL, 0, NULL, ip);
 | |
| +		arp_send(l, ARPOP_REQUEST, NULL, 0, NULL, ip, NULL);
 | |
|  #endif
 | |
|  		sleep(1);
 | |
|  	}
 | |
| @@ -156,17 +155,23 @@
 | |
|  	int fw = arp_find(spoof.ip, &spoof.mac);
 | |
|  	int bw = poison_reverse && targets[0].ip && arp_find_all();
 | |
|  	int i;
 | |
| +	int rounds = (cleanup_src_own*5 + cleanup_src_host*5);
 | |
|  
 | |
|  	fprintf(stderr, "Cleaning up and re-arping targets...\n");
 | |
| -	for (i = 0; i < 5; i++) {
 | |
| +	for (i = 0; i < rounds; i++) {
 | |
|  		struct host *target = targets;
 | |
|  		while(target->ip) {
 | |
| +			uint8_t *src_ha = NULL;
 | |
| +			if (cleanup_src_own && (i%2 || !cleanup_src_host)) {
 | |
| +				src_ha = my_ha;
 | |
| +			}
 | |
|  			/* XXX - on BSD, requires ETHERSPOOF kernel. */
 | |
|  			if (fw) {
 | |
|  				arp_send(l, ARPOP_REPLY,
 | |
|  					 (u_int8_t *)&spoof.mac, spoof.ip,
 | |
| -					 (target->ip ? (u_int8_t *)&target->mac : NULL),
 | |
| -					 target->ip);
 | |
| +					 (target->ip ? (u_int8_t *)&target->mac : brd_ha),
 | |
| +					 target->ip,
 | |
| +					 src_ha);
 | |
|  				/* we have to wait a moment before sending the next packet */
 | |
|  				sleep(1);
 | |
|  			}
 | |
| @@ -174,7 +179,8 @@
 | |
|  				arp_send(l, ARPOP_REPLY,
 | |
|  					 (u_int8_t *)&target->mac, target->ip,
 | |
|  					 (u_int8_t *)&spoof.mac,
 | |
| -					 spoof.ip);
 | |
| +					 spoof.ip,
 | |
| +					 src_ha);
 | |
|  				sleep(1);
 | |
|  			}
 | |
|  			target++;
 | |
| @@ -193,6 +199,7 @@
 | |
|  	char libnet_ebuf[LIBNET_ERRBUF_SIZE];
 | |
|  	int c;
 | |
|  	int n_targets;
 | |
| +	char *cleanup_src = NULL;
 | |
|  
 | |
|  	spoof.ip = 0;
 | |
|  	intf = NULL;
 | |
| @@ -202,7 +209,7 @@
 | |
|  	/* allocate enough memory for target list */
 | |
|  	targets = calloc( argc+1, sizeof(struct host) );
 | |
|  
 | |
| -	while ((c = getopt(argc, argv, "ri:t:h?V")) != -1) {
 | |
| +	while ((c = getopt(argc, argv, "ri:t:c:h?V")) != -1) {
 | |
|  		switch (c) {
 | |
|  		case 'i':
 | |
|  			intf = optarg;
 | |
| @@ -214,6 +221,9 @@
 | |
|  		case 'r':
 | |
|  			poison_reverse = 1;
 | |
|  			break;
 | |
| +		case 'c':
 | |
| +			cleanup_src = optarg;
 | |
| +			break;
 | |
|  		default:
 | |
|  			usage();
 | |
|  		}
 | |
| @@ -229,6 +239,29 @@
 | |
|  		usage();
 | |
|  	}
 | |
|  
 | |
| +	if (!cleanup_src || strcmp(cleanup_src, "own")==0) { /* default! */
 | |
| +		/* only use our own hw address when cleaning up,
 | |
| +		 * not jeopardizing any bridges on the way to our
 | |
| +		 * target
 | |
| +		 */
 | |
| +		cleanup_src_own = 1;
 | |
| +		cleanup_src_host = 0;
 | |
| +	} else if (strcmp(cleanup_src, "host")==0) {
 | |
| +		/* only use the target hw address when cleaning up;
 | |
| +		 * this can screw up some bridges and scramble access
 | |
| +		 * for our own host, however it resets the arp table
 | |
| +		 * more reliably
 | |
| +		 */
 | |
| +		cleanup_src_own = 0;
 | |
| +		cleanup_src_host = 1;
 | |
| +	} else if (strcmp(cleanup_src, "both")==0) {
 | |
| +		cleanup_src_own = 1;
 | |
| +		cleanup_src_host = 1;
 | |
| +	} else {
 | |
| +		errx(1, "Invalid parameter to -c: use 'own' (default), 'host' or 'both'.");
 | |
| +		usage();
 | |
| +	}
 | |
| +
 | |
|  	if ((spoof.ip = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1)
 | |
|  		usage();
 | |
|  	
 | |
| @@ -253,6 +286,10 @@
 | |
|  		}
 | |
|  	}
 | |
|  
 | |
| +	if ((my_ha = (u_int8_t *)libnet_get_hwaddr(l)) == NULL) {
 | |
| +		errx(1, "Unable to determine own mac address");
 | |
| +	}
 | |
| +
 | |
|  	signal(SIGHUP, cleanup);
 | |
|  	signal(SIGINT, cleanup);
 | |
|  	signal(SIGTERM, cleanup);
 | |
| @@ -260,11 +297,12 @@
 | |
|  	for (;;) {
 | |
|  		struct host *target = targets;
 | |
|  		while(target->ip) {
 | |
| -			arp_send(l, ARPOP_REPLY, NULL, spoof.ip,
 | |
| -				(target->ip ? (u_int8_t *)&target->mac : NULL),
 | |
| -				target->ip);
 | |
| +			arp_send(l, ARPOP_REPLY, my_ha, spoof.ip,
 | |
| +				(target->ip ? (u_int8_t *)&target->mac : brd_ha),
 | |
| +				target->ip,
 | |
| +				my_ha);
 | |
|  			if (poison_reverse) {
 | |
| -				arp_send(l, ARPOP_REPLY, NULL, target->ip, (uint8_t *)&spoof.mac, spoof.ip);
 | |
| +				arp_send(l, ARPOP_REPLY, my_ha, target->ip, (uint8_t *)&spoof.mac, spoof.ip, my_ha);
 | |
|  			}
 | |
|  			target++;
 | |
|  		}
 |