- Forum
- UNIX/Linux Programming
- IP Spoofing
IP Spoofing
I want to create a C++ program to implement IP spoofing. In my college my teacher told us that we are goin to use 3 PCs (i.e. one source, one dest. and one hacker/attacker) I'm completely new to networkin(i.e.IP related things). So please tell me steps to implement c++ program for IP spoofing. I found following program on internet but I haven't understood a bit of it. So please explain me or give me few links which will help me understand and solve my problem.
CODE I FOUND:
#include <iostream>
#include <cstdlib>
#include <cstring> // For memcpy()
#include <sys/socket.h>
#include <netinet/in.h> // IPPROTO_ICMP
#include <netinet/ip.h> // struct ip
#include <netinet/ip_icmp.h> // stuct icmp
#include <arpa/inet.h> // inet_ntoa, inet_addr
using namespace std;
class IP
{
struct ip ip;
public:
IP()
{
ip.ip_v = 0x4;
ip.ip_tos = 0x0;
ip.ip_sum = 0x0;
}
IP(char * src_addr, char * dst_addr)
{
ip.ip_v = 0x4;
ip.ip_tos = 0x0;
ip.ip_sum = 0x0;
ip.ip_src.s_addr = inet_addr(src_addr);
ip.ip_dst.s_addr = inet_addr(dst_addr);
}
void set_header_len(int hl) { ip.ip_hl = hl; }
void set_len(int len) { ip.ip_len = htons(len); }
unsigned short get_len() { return ntohs(ip.ip_len); }
struct ip * get_addr() { return &ip; }
void set_id(int id) { ip.ip_id = htons(id); }
void set_offset(int offset) { ip.ip_off = offset; }
void set_ttl(int ttl) { ip.ip_ttl = ttl; }
void set_proto(int p) { ip.ip_p = p; }
void set_sum(unsigned short sum){ ip.ip_sum = sum; }
};
class ICMP
{
struct icmp icmp;
public:
ICMP()
{
icmp.icmp_id = 1234; // Any arbitrary unsigned int
icmp.icmp_seq = 0;
icmp.icmp_cksum = 0x0;
}
struct icmp * get_addr() { return &icmp; }
void set_type(unsigned int type) { icmp.icmp_type = type; }
unsigned int get_type() { return icmp.icmp_type; }
void set_code(unsigned int code) { icmp.icmp_code = code; }
void set_cksum(unsigned short sum) { icmp.icmp_cksum = sum; }
};
/*
Function to calculate the checksum required for the
ip_sum and icmp_cksum fields.
The checksum is the one's complement of the one's
complement sum of all the 16 bit words in the header.
*/
unsigned short checksum(unsigned short *addr, int len)
{
int nleft = len;
int sum = 0;
unsigned short *w = addr;
unsigned short answer = 0;
while (nleft > 1)
{
sum += *w++;
nleft -= 2;
}
if (nleft == 1)
{
*(unsigned char *) (&answer) = *(unsigned char *) w;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xFFFF);
sum += (sum >> 16);
answer = ~sum;
return (answer);
}
int main(int argc, char * argv[])
{
unsigned char * packet;
int sd;
const int on = 1;
struct sockaddr_in sockaddr;
char * src;
char * dst;
if(argc == 3)
{
src = argv[1];
dst = argv[2];
}
else
{
cout<<"Usage :"<<endl;
cout<<argv[0]<<" source destination"<<endl;
exit(1);
}
// IP header
IP ip_pkt(src, dst);
ip_pkt.set_header_len(0x5);
ip_pkt.set_id(12830);
ip_pkt.set_offset(0x0);
ip_pkt.set_ttl(64);
ip_pkt.set_len(60);
ip_pkt.set_proto(IPPROTO_ICMP);
ip_pkt.set_sum(checksum((u_short *)ip_pkt.get_addr(), sizeof(struct ip)));
// ICMP header
ICMP icmp_pkt;
icmp_pkt.set_type(ICMP_ECHO);
icmp_pkt.set_code(0);
icmp_pkt.set_cksum(checksum((u_short *)icmp_pkt.get_addr(), 8));
/*
Allocate memory for the packet and copy
the IP header first, then the ICMP header
after an offset of 20 bytes.
*/
packet = (unsigned char *) malloc(ip_pkt.get_len());
memcpy(packet, ip_pkt.get_addr(), sizeof(struct ip));
memcpy(packet + 20, icmp_pkt.get_addr(), 8);
/*
Create a raw socket so that kernel doesn't interfere
with the headers of the custom packet.
*/
if ((sd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
cout<<"Couldn't create raw socket"<<endl;
exit(1);
}
if (setsockopt(sd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0)
{
cout<<"setsockopt() failed"<<endl;
exit(1);
}
memset(&sockaddr, 0, sizeof(sockaddr));
sockaddr.sin_family = AF_INET;
sockaddr.sin_addr.s_addr = inet_addr(dst);
// Send the packet
if(sendto(sd, packet, ip_pkt.get_len(), 0, (struct sockaddr *)&sockaddr,
sizeof(struct sockaddr)) < 0)
{
cout<<"Packet couldn't be sent"<<endl;
exit(1);
}
cout<<"Packet sent!"<<endl;
return 0;
}
CODE I FOUND:
#include <iostream>
#include <cstdlib>
#include <cstring> // For memcpy()
#include <sys/socket.h>
#include <netinet/in.h> // IPPROTO_ICMP
#include <netinet/ip.h> // struct ip
#include <netinet/ip_icmp.h> // stuct icmp
#include <arpa/inet.h> // inet_ntoa, inet_addr
using namespace std;
class IP
{
struct ip ip;
public:
IP()
{
ip.ip_v = 0x4;
ip.ip_tos = 0x0;
ip.ip_sum = 0x0;
}
IP(char * src_addr, char * dst_addr)
{
ip.ip_v = 0x4;
ip.ip_tos = 0x0;
ip.ip_sum = 0x0;
ip.ip_src.s_addr = inet_addr(src_addr);
ip.ip_dst.s_addr = inet_addr(dst_addr);
}
void set_header_len(int hl) { ip.ip_hl = hl; }
void set_len(int len) { ip.ip_len = htons(len); }
unsigned short get_len() { return ntohs(ip.ip_len); }
struct ip * get_addr() { return &ip; }
void set_id(int id) { ip.ip_id = htons(id); }
void set_offset(int offset) { ip.ip_off = offset; }
void set_ttl(int ttl) { ip.ip_ttl = ttl; }
void set_proto(int p) { ip.ip_p = p; }
void set_sum(unsigned short sum){ ip.ip_sum = sum; }
};
class ICMP
{
struct icmp icmp;
public:
ICMP()
{
icmp.icmp_id = 1234; // Any arbitrary unsigned int
icmp.icmp_seq = 0;
icmp.icmp_cksum = 0x0;
}
struct icmp * get_addr() { return &icmp; }
void set_type(unsigned int type) { icmp.icmp_type = type; }
unsigned int get_type() { return icmp.icmp_type; }
void set_code(unsigned int code) { icmp.icmp_code = code; }
void set_cksum(unsigned short sum) { icmp.icmp_cksum = sum; }
};
/*
Function to calculate the checksum required for the
ip_sum and icmp_cksum fields.
The checksum is the one's complement of the one's
complement sum of all the 16 bit words in the header.
*/
unsigned short checksum(unsigned short *addr, int len)
{
int nleft = len;
int sum = 0;
unsigned short *w = addr;
unsigned short answer = 0;
while (nleft > 1)
{
sum += *w++;
nleft -= 2;
}
if (nleft == 1)
{
*(unsigned char *) (&answer) = *(unsigned char *) w;
sum += answer;
}
sum = (sum >> 16) + (sum & 0xFFFF);
sum += (sum >> 16);
answer = ~sum;
return (answer);
}
int main(int argc, char * argv[])
{
unsigned char * packet;
int sd;
const int on = 1;
struct sockaddr_in sockaddr;
char * src;
char * dst;
if(argc == 3)
{
src = argv[1];
dst = argv[2];
}
else
{
cout<<"Usage :"<<endl;
cout<<argv[0]<<" source destination"<<endl;
exit(1);
}
// IP header
IP ip_pkt(src, dst);
ip_pkt.set_header_len(0x5);
ip_pkt.set_id(12830);
ip_pkt.set_offset(0x0);
ip_pkt.set_ttl(64);
ip_pkt.set_len(60);
ip_pkt.set_proto(IPPROTO_ICMP);
ip_pkt.set_sum(checksum((u_short *)ip_pkt.get_addr(), sizeof(struct ip)));
// ICMP header
ICMP icmp_pkt;
icmp_pkt.set_type(ICMP_ECHO);
icmp_pkt.set_code(0);
icmp_pkt.set_cksum(checksum((u_short *)icmp_pkt.get_addr(), 8));
/*
Allocate memory for the packet and copy
the IP header first, then the ICMP header
after an offset of 20 bytes.
*/
packet = (unsigned char *) malloc(ip_pkt.get_len());
memcpy(packet, ip_pkt.get_addr(), sizeof(struct ip));
memcpy(packet + 20, icmp_pkt.get_addr(), 8);
/*
Create a raw socket so that kernel doesn't interfere
with the headers of the custom packet.
*/
if ((sd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
{
cout<<"Couldn't create raw socket"<<endl;
exit(1);
}
if (setsockopt(sd, IPPROTO_IP, IP_HDRINCL, &on, sizeof(on)) < 0)
{
cout<<"setsockopt() failed"<<endl;
exit(1);
}
memset(&sockaddr, 0, sizeof(sockaddr));
sockaddr.sin_family = AF_INET;
sockaddr.sin_addr.s_addr = inet_addr(dst);
// Send the packet
if(sendto(sd, packet, ip_pkt.get_len(), 0, (struct sockaddr *)&sockaddr,
sizeof(struct sockaddr)) < 0)
{
cout<<"Packet couldn't be sent"<<endl;
exit(1);
}
cout<<"Packet sent!"<<endl;
return 0;
}
The code is well commented, and those comments explain what's going on.
The task is an advanced topic. You must understand networking before you tackle this task. So do that first.
The task is an advanced topic. You must understand networking before you tackle this task. So do that first.
What you have there OP is an absolute basic illustration of the concept. What this does is construct the packet from scratch, then it lies about the address in the source field and sends it out. You'll note that this isn't all that useful since there isn't any actual meaning accompanying the packet. You could use it for a ping flood maybe, but there are much more elegant ways to execute a DoS.
I don't mean to undermine kbw with this next paragraph. This is an advanced topic and you should put some effort into studying it. On the other hand though, this is an interesting topic that will take at least a year of studying on your part before you can put it all together. Having had the kind of instructors that do this kind of lab experiment with students, I can pretty much guarantee that they aren't going to leave you with anything like a functional understanding of this concept. So here is my outline:
Generally in order for this to be of any use you'll want to modify useful packets as they are going out. A pretty simple way to do this is to set your computer's proxy server for loopback and have an app running on your machine that modifies the source IP address on each packet before sending it on its way. Now since you've admitted to being a novice with regards to networking I'll tell you that the problem with this is that most useful protocols require two way communication and the target PC will respond to the spoofed address instead of your machine resulting in a time out. To fix that you'll also need what is known as a "promiscuous" network driver running on the machine sending out the spoofed packets. What this is, is a network driver that captures all of the traffic on a the current subnet instead of just the traffic that is meant for the machine it is running on. You'll probably want to filter for just the address being spoofed at the driver level if for no other reason than to keep things clean. Even though the two way communication is facilitated between the attacking machine and the target, you'll notice that the machine being impersonated is also receiving the responses from the target as well. For the most part, this isn't going to matter since the machine that is being spoofed isn't expecting the responses so it will usually just throw them away. But it's important to note that this is a highly visible attack that is easily detectable by authoritative machines.
I don't mean to undermine kbw with this next paragraph. This is an advanced topic and you should put some effort into studying it. On the other hand though, this is an interesting topic that will take at least a year of studying on your part before you can put it all together. Having had the kind of instructors that do this kind of lab experiment with students, I can pretty much guarantee that they aren't going to leave you with anything like a functional understanding of this concept. So here is my outline:
Generally in order for this to be of any use you'll want to modify useful packets as they are going out. A pretty simple way to do this is to set your computer's proxy server for loopback and have an app running on your machine that modifies the source IP address on each packet before sending it on its way. Now since you've admitted to being a novice with regards to networking I'll tell you that the problem with this is that most useful protocols require two way communication and the target PC will respond to the spoofed address instead of your machine resulting in a time out. To fix that you'll also need what is known as a "promiscuous" network driver running on the machine sending out the spoofed packets. What this is, is a network driver that captures all of the traffic on a the current subnet instead of just the traffic that is meant for the machine it is running on. You'll probably want to filter for just the address being spoofed at the driver level if for no other reason than to keep things clean. Even though the two way communication is facilitated between the attacking machine and the target, you'll notice that the machine being impersonated is also receiving the responses from the target as well. For the most part, this isn't going to matter since the machine that is being spoofed isn't expecting the responses so it will usually just throw them away. But it's important to note that this is a highly visible attack that is easily detectable by authoritative machines.
An overview of the code suggests that it is based on BSD sockets. I would recommend going through Beej's n/w pgmg: http://beej.us/guide/bgnet/. It has good stuff presented in a condensed and easy to understand manner.
Topic archived. No new replies allowed.