Implement maddaddy task

README.md

@@ -38,8 +38,8 @@ red teams. *Once it stated, when using this tool you are assuming that any damag
 law infringements that some wrong action taken by you could cause is of your entire responsibility*.
 
 **Sponsoring**: I have not been running this project for profit. It is only a thing that I do at my spare time. It is a
-weekend project. I try to evolve it according to necessities I have been facing up during my information security
-professional career. If you liked it or it is being useful to you somehow and you really want to contribute
+weekend project. A pet project. I try to evolve it according to necessities I have been facing up during my information
+security professional career. If you liked it or it is being useful to you somehow and you really want to contribute
 with money, try to redirect it to a local charity institution, an ONG of your choice or even your own community.
 You can also do [pull requests](https://github.com/rafael-santiago/macgonuts/pulls) proposing improvements.
 Do some [bug report](https://github.com/rafael-santiago/macgonuts/issues) if a bug is annoying you. Maybe you should

src/cmd/macgonuts_exec.c

@@ -17,6 +17,7 @@
 #include <cmd/macgonuts_dnsspoof_task.h>
 #include <cmd/macgonuts_xablau_task.h>
 #include <cmd/macgonuts_caleaboqui_task.h>
+#include <cmd/macgonuts_maddaddy_task.h>
 #include <cmd/macgonuts_version_task.h>
 #include <cmd/macgonuts_banners.h>
 #include <macgonuts_status_info.h>
@@ -49,6 +50,7 @@ struct macgonuts_task_ctx {
  MACGONUTS_CMD_REGISTER_TASK(dnsspoof),
  MACGONUTS_CMD_REGISTER_TASK(xablau),
  MACGONUTS_CMD_REGISTER_TASK(caleaboqui),
+ MACGONUTS_CMD_REGISTER_TASK(maddaddy),
  MACGONUTS_CMD_REGISTER_TASK_ALIAS(xablau, neighscan),
  MACGONUTS_CMD_REGISTER_TASK_ALIAS(caleaboqui, shh),
  MACGONUTS_CMD_REGISTER_TASK(version),

src/cmd/macgonuts_maddaddy_task.c

@@ -0,0 +1,241 @@
+/*
+ * Copyright (c) 2023, Rafael Santiago
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD-style license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+#include <cmd/macgonuts_maddaddy_task.h>
+#include <cmd/macgonuts_option.h>
+#include <macgonuts_etherconv.h>
+#include <macgonuts_socket_common.h>
+#include <macgonuts_socket.h>
+#include <macgonuts_icmphdr.h>
+#include <macgonuts_ndphdr.h>
+#include <macgonuts_status_info.h>
+
+static int g_QuitMadDaddy = 0;
+
+static int do_mad_daddy(const char *iface, const uint8_t *hw_addrs, const size_t hw_addrs_size);
+
+static inline __attribute__((unused)) int send_fake_na(const macgonuts_socket_t rsk,
+ const uint8_t *ethbuf, const ssize_t ethbuf_size);
+
+static void sigint_watchdog(int signo);
+
+static uint8_t *preprocess_targets_array(char **targets, const size_t targets_nr, size_t *macs_buf_size);
+
+static uint8_t *preprocess_targets_array(char **targets, const size_t targets_nr, size_t *macs_buf_size);
+
+static inline int is_solicited_node_multicast_link(const uint8_t *ethbuf, const ssize_t ethbuf_size);
+
+static inline int is_solicited_node_multicast_proto(const uint8_t *ethbuf, const ssize_t ethbuf_size);
+
+static inline int is_ndp_ns(const uint8_t *ethbuf, const ssize_t ethbuf_size);
+
+static inline int should_dad_go_bad(const uint8_t *ethbuf, const ssize_t ethbuf_size,
+ const uint8_t *hw_addrs, const size_t hw_addrs_size);
+
+int macgonuts_maddaddy_task(void) {
+ int err = EXIT_FAILURE;
+ const char *lo_iface = macgonuts_get_option("lo-iface", NULL);
+ char **targets = NULL;
+ size_t targets_nr = 0;
+ uint8_t *hw_addrs = NULL;
+ size_t hw_addrs_size = 0;
+
+ if (lo_iface == NULL) {
+ macgonuts_si_error("--lo-iface option is missing.\n");
+ goto macgonuts_maddaddy_task_epilogue;
+ }
+
+ targets = macgonuts_get_array_option("targets", NULL, &targets_nr);
+ if (targets != NULL) {
+ hw_addrs = preprocess_targets_array(targets, targets_nr, &hw_addrs_size);
+ macgonuts_free_array_option_value(targets, targets_nr);
+ targets = NULL;
+ }
+
+ err = do_mad_daddy(lo_iface, hw_addrs, hw_addrs_size);
+
+macgonuts_maddaddy_task_epilogue:
+
+ if (hw_addrs != NULL) {
+ free(hw_addrs);
+ }
+
+ if (targets != NULL) {
+ macgonuts_free_array_option_value(targets, targets_nr);
+ }
+
+ return err;
+}
+
+int macgonuts_maddaddy_task_help(void) {
+ macgonuts_si_print("use: macgonuts maddady --lo-iface=<label> [ --targets=<hw-addr-list> ]\n");
+ return EXIT_SUCCESS;
+}
+
+static int do_mad_daddy(const char *iface, const uint8_t *hw_addrs, const size_t hw_addrs_size) {
+ char buf[256];
+ macgonuts_socket_t rsk = -1;
+ uint8_t ethbuf[1<<10];
+ ssize_t ethbuf_size = 0;
+
+ if (macgonuts_get_addr_from_iface_unix(buf, sizeof(buf) - 1, 6, iface) != EXIT_SUCCESS) {
+ macgonuts_si_error("interface `%s` does not support IPv6.\n");
+ return EXIT_FAILURE;
+ }
+
+ if (macgonuts_set_iface_promisc_on(iface) != EXIT_SUCCESS) {
+ macgonuts_si_error("unable to set %s to promisc mode.\n", iface);
+ return EXIT_FAILURE;
+ }
+
+ rsk = macgonuts_create_socket(iface, 1);
+ if (rsk == -1) {
+ macgonuts_si_error("unable to create raw socket.\n");
+ macgonuts_set_iface_promisc_off(iface);
+ return EXIT_FAILURE;
+ }
+
+ signal(SIGINT, sigint_watchdog);
+ signal(SIGTERM, sigint_watchdog);
+
+ while (!g_QuitMadDaddy) {
+ ethbuf_size = macgonuts_recvpkt(rsk, ethbuf, sizeof(ethbuf));
+ if (ethbuf_size > 0
+ && is_solicited_node_multicast_link(ethbuf, ethbuf_size)
+ && is_solicited_node_multicast_proto(ethbuf, ethbuf_size)
+ && is_ndp_ns(ethbuf, ethbuf_size)
+ && should_dad_go_bad(ethbuf, ethbuf_size, hw_addrs, hw_addrs_size)) {
+ send_fake_na(rsk, ethbuf, ethbuf_size);
+ }
+ usleep(10);
+ }
+
+ // TODO(Rafael): - Sniff network.
+ // - If hw_addrs is not null inspect relevant packets for relevant MAC address.
+ // - Being a NS send a fake NA.
+
+ macgonuts_release_socket(rsk);
+ macgonuts_set_iface_promisc_off(iface);
+
+ return EXIT_SUCCESS;
+}
+
+static void sigint_watchdog(int signo) {
+ g_QuitMadDaddy = 1;
+}
+
+static inline int send_fake_na(const macgonuts_socket_t rsk, const uint8_t *ethbuf, const ssize_t ethbuf_size) {
+ return EXIT_FAILURE;
+}
+
+static uint8_t *preprocess_targets_array(char **targets, const size_t targets_nr, size_t *macs_buf_size) {
+ char **target = targets;
+ char **targets_end = targets + targets_nr;
+ uint8_t *macs_buf = NULL;
+ uint8_t *mp = NULL;
+
+ *macs_buf_size = targets_nr * 6;
+ macs_buf = (uint8_t *)malloc(*macs_buf_size);
+
+ if (macs_buf == NULL) {
+ macgonuts_si_error("unable to allocate MAC bufs list.\n");
+ return NULL;
+ }
+
+ mp = macs_buf;
+
+ while (target != targets_end) {
+ if (macgonuts_get_raw_ether_addr(mp, 6, *target, strlen(*target)) != EXIT_SUCCESS) {
+ macgonuts_si_error("unable to pre-process MAC `%s`.\n", *target);
+ free(macs_buf);
+ return NULL;
+ }
+ target++;
+ mp += 6;
+ }
+
+ return macs_buf;
+}
+
+static inline int is_solicited_node_multicast_link(const uint8_t *ethbuf, const ssize_t ethbuf_size) {
+ return (ethbuf_size > 14 && ethbuf[0] == 0x33 && ethbuf[1] == 0x33 && ethbuf[2] == 0xFF);
+}
+
+static inline int is_solicited_node_multicast_proto(const uint8_t *ethbuf, const ssize_t ethbuf_size) {
+ return (ethbuf_size > 54 // INFO(Rafael): Ethernet frame size + IPv6 header size.
+ && ethbuf[12 ] == 0x86 // INFO(Rafael): IPv6 ether type.
+ && ethbuf[13 ] == 0xDD
+ && ethbuf[14 + 24] == 0xFF // INFO(Rafael): Solicited node multicast address.
+ && ethbuf[14 + 25] == 0x02
+ && ethbuf[14 + 26] == 0x00
+ && ethbuf[14 + 27] == 0x00
+ && ethbuf[14 + 28] == 0x00
+ && ethbuf[14 + 29] == 0x00
+ && ethbuf[14 + 30] == 0x00
+ && ethbuf[14 + 31] == 0x00
+ && ethbuf[14 + 32] == 0x00
+ && ethbuf[14 + 33] == 0x00
+ && ethbuf[14 + 34] == 0x00
+ && ethbuf[14 + 35] == 0x01
+ && ethbuf[14 + 36] == 0xFF
+ && ethbuf[14 + 37] == ethbuf[3]
+ && ethbuf[14 + 38] == ethbuf[4]
+ && ethbuf[14 + 39] == ethbuf[5]);
+}
+
+static inline int is_ndp_ns(const uint8_t *ethbuf, const ssize_t ethbuf_size) {
+ struct macgonuts_icmphdr_ctx icmp6;
+ struct macgonuts_ndp_nsna_hdr_ctx ndp;
+ int is = 0;
+
+ assert(ethbuf_size > 54);
+
+ memset(&icmp6, 0, sizeof(icmp6));
+ memset(&ndp, 0, sizeof(ndp));
+
+ if (macgonuts_read_icmp_pkt(&icmp6, &ethbuf[54], ethbuf_size - 54) != EXIT_SUCCESS
+ || icmp6.type != kNDPMsgTypeNeighborSolicitation) {
+ goto is_ndp_ns_epilogue;
+ }
+
+ if (macgonuts_read_ndp_nsna_pkt(&ndp, icmp6.payload, icmp6.payload_size) != EXIT_SUCCESS) {
+ goto is_ndp_ns_epilogue;
+ }
+
+ is = (ndp.target_addr[0] == 0xFE800000
+ && ndp.target_addr[1] == 0x0); // INFO(Rafael): Does it seems a link local unicast address?
+
+is_ndp_ns_epilogue:
+
+ macgonuts_release_ndp_nsna_hdr(&ndp);
+ macgonuts_release_icmphdr(&icmp6);
+
+ return is;
+}
+
+static inline int should_dad_go_bad(const uint8_t *ethbuf, const ssize_t ethbuf_size,
+ const uint8_t *hw_addrs, const size_t hw_addrs_size) {
+ const uint8_t *curr_hw_addr = NULL;
+ const uint8_t *hw_addrs_end = hw_addrs + hw_addrs_size;
+ int go_bad = 0;
+
+ assert(ethbuf_size > 14);
+
+ if (hw_addrs == NULL || hw_addrs_size == 0) {
+ return 1;
+ }
+
+ curr_hw_addr = hw_addrs;
+ while (curr_hw_addr < hw_addrs_end && !go_bad) {
+ go_bad = (memcmp(&ethbuf[6], curr_hw_addr, 6) == 0);
+ curr_hw_addr += 6;
+ }
+
+ return go_bad;
+}
+
+

src/cmd/macgonuts_maddaddy_task.h

@@ -0,0 +1,17 @@
+/*
+ * Copyright (c) 2023, Rafael Santiago
+ * All rights reserved.
+ *
+ * This source code is licensed under the BSD-style license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+#ifndef MACGONUTS_CMD_MACGONUTS_MADDADDY_TASK_H
+#define MACGONUTS_CMD_MACGONUTS_MADDADDY_TASK_H 1
+
+#include <macgonuts_types.h>
+
+int macgonuts_maddaddy_task(void);
+
+int macgonuts_maddaddy_task_help(void);
+
+#endif // MACGONUTS_CMD_MACGONUTS_MADDADDY_TASK_H