various fix and improvement after another developer meeting

bonsaiviking · Nov 10, 2003 · f1b7fdd · f1b7fdd
1 parent 7544c5e
commit f1b7fdd
Show file tree

Hide file tree

Showing 20 changed files with 196 additions and 47 deletions.
diff --git a/CHANGELOG b/CHANGELOG
@@ -58,6 +58,8 @@ NG-0.7.0    ????????
       + mouse event are supported
    !! offline sniffing actually does not bind to any NICs
 
+   +++ too many other improvements to be listed here +++
+
 
 0.6.b       20030710
 

diff --git a/TODO b/TODO
@@ -29,6 +29,7 @@ this is the unofficial and floating in time roadmap:
 
    + FIXING
       - get_iface_mtu for win32
+      - dissect_free_session
 
 Nov 2003:
 
@@ -73,7 +74,7 @@ Dec 2003:
 
    + PLUGINS
       - convert all the old plugins
-      - check for poisoner
+      - finger plugin on multiple ports
 
    + BINDER
 

diff --git a/include/ec_globals.h b/include/ec_globals.h
@@ -1,5 +1,5 @@
 
-/* $Id: ec_globals.h,v 1.43 2003/11/05 09:31:08 alor Exp $ */
+/* $Id: ec_globals.h,v 1.44 2003/11/10 22:46:24 alor Exp $ */
 
 #ifndef EC_GLOBALS_H
 #define EC_GLOBALS_H
@@ -21,6 +21,9 @@ struct ec_conf {
    int arp_storm_delay;
    int arp_poison_warm_up;
    int arp_poison_delay;
+   int arp_poison_icmp;
+   int arp_poison_reply;
+   int arp_poison_request;
    int connection_timeout;
    int connection_idle;
    int connection_buffer;

diff --git a/include/ec_send.h b/include/ec_send.h
@@ -1,5 +1,5 @@
 
-/* $Id: ec_send.h,v 1.7 2003/11/01 15:52:58 alor Exp $ */
+/* $Id: ec_send.h,v 1.8 2003/11/10 22:46:24 alor Exp $ */
 
 #ifndef EC_SEND_H
 #define EC_SEND_H
@@ -13,7 +13,8 @@ extern int send_to_L3(struct packet_object *po);
 extern int send_to_bridge(struct packet_object *po);
 
 extern int send_arp(u_char type, struct ip_addr *sip, u_int8 *smac, struct ip_addr *tip, u_int8 *tmac);
-extern int send_icmp_echo(u_char type, struct ip_addr *sip, struct ip_addr *tip);
+extern int send_L2_icmp_echo(u_char type, struct ip_addr *sip, struct ip_addr *tip, u_int8 *tmac);
+extern int send_L3_icmp_echo(u_char type, struct ip_addr *sip, struct ip_addr *tip);
 extern int send_icmp_redir(u_char type, struct ip_addr *sip, struct ip_addr *gw, struct packet_object *po);
 
 extern u_int8 MEDIA_BROADCAST[MEDIA_ADDR_LEN];

diff --git a/man/etter.conf.5.in b/man/etter.conf.5.in
@@ -14,7 +14,7 @@
 .\"  along with this program; if not, write to the Free Software
 .\"  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 .\"
-.\"  $Id: etter.conf.5.in,v 1.14 2003/10/28 21:52:20 alor Exp $
+.\"  $Id: etter.conf.5.in,v 1.15 2003/11/10 22:46:24 alor Exp $
 .\"
 .de Sp
 .if n .sp
@@ -91,6 +91,22 @@ value is expressed in seconds. You can increase this value (to try fool the
 IDS) up to the timeout of the ARP cache (it depends on the operating system
 poisoned).
 
+.TP
+.B arp_poison_icmp
+Enable the sending of a spoofed ICMP message to force the targets to make an
+arp request. This will create an arp entry in the host's cache, so ettercap
+will be able to win the race condition and poison the target. Useful against
+targets that don't accept gratuitous arp if the entry is not in the cache.
+
+.TP
+.B arp_poison_reply
+Use ARP replies to poison the targets. This is the classic attack.
+
+.TP
+.B arp_poison_request
+Use ARP request to poison the targets. Useful against targets that cache even
+arp request values.
+
 
 
 .TP 20

diff --git a/man/ettercap.8.in b/man/ettercap.8.in
@@ -14,7 +14,7 @@
 .\"  along with this program; if not, write to the Free Software
 .\"  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 .\"
-.\"  $Id: ettercap.8.in,v 1.46 2003/11/05 09:31:11 alor Exp $
+.\"  $Id: ettercap.8.in,v 1.47 2003/11/10 22:46:24 alor Exp $
 .\"
 .de Sp
 .if n .sp
@@ -198,7 +198,7 @@ If a mitm method requires some parameters you can specify them after the colon.
 The following mitm attack are available:
 .RS
 .TP
-\fBarp\fR ([remote])
+\fBarp\fR ([remote],[oneway])
 This method implement the ARP poisoning mitm attack. ARP
 request/reply are sent to the victims to poison their ARP cache. Once the cache
 has been poisoned the victims will send all packets to the attacker which, in
@@ -207,7 +207,7 @@ turn, can modify them and forward to the real destination.
 In silent mode (-z option) only the first target is selected, if you want to
 poison multiple target in silent mode use the -j option to load a list from a
 file.
-.br
+.Sp
 You can select empty targets and they will be expanded as 'ANY' (all the host in
 the LAN). The target list is joined with the hosts list (created by the arp
 scan) and the result is used to determine the victims of the attack.
@@ -218,6 +218,10 @@ the gw in the TARGETS, ettercap will sniff only connection between them, but to
 enable ettercap to sniff connections that passes thru the gw, you have to use
 this parameter.
 .Sp
+The parameter "oneway" will force ettercap to poison only from TARGET1 to
+TARGET2. Useful if you want to poison only the client and not the router (where
+an arp watcher can be in place).
+.Sp
 Example:
 .Sp
 the targets are: /10.0.0.1-5/ /10.0.0.15-20/

diff --git a/plug-ins/chk_poison/chk_poison.c b/plug-ins/chk_poison/chk_poison.c
@@ -20,7 +20,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-    $Id: chk_poison.c,v 1.2 2003/11/05 10:10:06 lordnaga Exp $
+    $Id: chk_poison.c,v 1.3 2003/11/10 22:46:24 alor Exp $
 */
 
 
@@ -125,8 +125,8 @@ static int chk_poison_init(void *dummy)
 
    /* Send spoofed ICMP echo request to each victim */
    SLIST_FOREACH(p, &poison_table, next) {
-      for (i=0; i<=1; i++) {
-         send_icmp_echo(ICMP_ECHO, &(p->ip[i]), &(p->ip[!i]));   
+      for (i = 0; i <= 1; i++) {
+         send_L3_icmp_echo(ICMP_ECHO, &(p->ip[i]), &(p->ip[!i]));   
          usleep(GBL_CONF->arp_storm_delay * 1000);
       }
    }
@@ -143,7 +143,7 @@ static int chk_poison_init(void *dummy)
 
    /* We'll parse the list twice to avoid too long results printing */
    SLIST_FOREACH(p, &poison_table, next) {
-      for (i=0; i<=1; i++)
+      for (i = 0; i <= 1; i++)
          if (p->poison_success[i])
             poison_any = 1;
          else

diff --git a/plug-ins/scan_poisoner/scan_poisoner.c b/plug-ins/scan_poisoner/scan_poisoner.c
@@ -21,7 +21,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-    $Id: scan_poisoner.c,v 1.2 2003/11/09 13:23:11 lordnaga Exp $
+    $Id: scan_poisoner.c,v 1.3 2003/11/10 22:46:24 alor Exp $
 */
 
 
@@ -110,7 +110,7 @@ static int scan_poisoner_init(void *dummy)
 
    /* Send ICMP echo request to each target */
    LIST_FOREACH(h1, &GBL_HOSTLIST, next) {
-      send_icmp_echo(ICMP_ECHO, &GBL_IFACE->ip, &h1->ip);   
+      send_L3_icmp_echo(ICMP_ECHO, &GBL_IFACE->ip, &h1->ip);   
       usleep(GBL_CONF->arp_storm_delay * 1000);
    }
 

diff --git a/share/etter.conf b/share/etter.conf
@@ -18,6 +18,9 @@ ec_uid = 65534                # nobody is the default
 arp_storm_delay = 10          # milliseconds
 arp_poison_warm_up = 1        # seconds
 arp_poison_delay = 30         # seconds
+arp_poison_icmp = 1           # boolean
+arp_poison_reply = 1          # boolean
+arp_poison_request = 0        # boolean
 
 [connections]
 connection_timeout = 300      # seconds

diff --git a/src/dissectors/ec_ssh.c b/src/dissectors/ec_ssh.c
@@ -17,7 +17,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-    $Id: ec_ssh.c,v 1.13 2003/10/29 20:41:08 alor Exp $
+    $Id: ec_ssh.c,v 1.14 2003/11/10 22:46:24 alor Exp $
 */
 
 #include <ec.h>
@@ -27,6 +27,9 @@
 #include <ec_streambuf.h>
 #include <ec_checksum.h>
 
+/* don't include kreberos. RH sux !! */
+#define OPENSSL_NO_KRB5 1
+
 #include <openssl/ssl.h>
 #include <zlib.h>
 
@@ -129,13 +132,13 @@ FUNC_DECODER(dissector_ssh)
     * off performs only banner catching.
     */
 
-   if (!GBL_CONF->aggressive_dissectors || session_get(&s, ident, DISSECT_IDENT_LEN) == -ENOTFOUND) { 
+   if ((!GBL_CONF->aggressive_dissectors || GBL_OPTIONS->unoffensive) || session_get(&s, ident, DISSECT_IDENT_LEN) == -ENOTFOUND) { 
       SAFE_FREE(ident);
       /* Create the session on first server's cleartext packet */
-      if(!memcmp(PACKET->DATA.data,"SSH-",4) && FROM_SERVER("ssh", PACKET)) {
+      if(!memcmp(PACKET->DATA.data,"SSH-", 4) && FROM_SERVER("ssh", PACKET)) {
 
          /* Only if we are interested on key substitution */         
-         if(GBL_CONF->aggressive_dissectors) {
+         if (GBL_CONF->aggressive_dissectors && !GBL_OPTIONS->unoffensive) {
             dissect_create_session(&s, PACKET);
             SAFE_CALLOC(s->data, sizeof(ssh_session_data), 1);
             session_put(s);

diff --git a/src/ec_capture.c b/src/ec_capture.c
@@ -17,7 +17,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-    $Id: ec_capture.c,v 1.26 2003/10/29 22:38:19 alor Exp $
+    $Id: ec_capture.c,v 1.27 2003/11/10 22:46:24 alor Exp $
 */
 
 #include <ec.h>
@@ -88,7 +88,7 @@ void capture_init(void)
       USER_MSG("Listening on %s...\n\n", GBL_OPTIONS->iface);
 
    /* set the snaplen to maximum */
-   GBL_PCAP->snaplen = INT16_MAX;
+   GBL_PCAP->snaplen = UINT16_MAX;
 
    /* 
     * open the interface from GBL_OPTIONS (user specified)

diff --git a/src/ec_conf.c b/src/ec_conf.c
@@ -17,7 +17,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-    $Id: ec_conf.c,v 1.22 2003/10/25 21:57:42 alor Exp $
+    $Id: ec_conf.c,v 1.23 2003/11/10 22:46:24 alor Exp $
 */
 
 #include <ec.h>
@@ -41,6 +41,9 @@ static struct conf_entry mitm[] = {
    { "arp_storm_delay", NULL },
    { "arp_poison_delay", NULL },
    { "arp_poison_warm_up", NULL },
+   { "arp_poison_icmp", NULL },
+   { "arp_poison_reply", NULL },
+   { "arp_poison_request", NULL },
    { NULL, NULL },
 };
 
@@ -127,6 +130,9 @@ static void init_structures(void)
    set_pointer((struct conf_entry *)&mitm, "arp_storm_delay", &GBL_CONF->arp_storm_delay);
    set_pointer((struct conf_entry *)&mitm, "arp_poison_warm_up", &GBL_CONF->arp_poison_warm_up);
    set_pointer((struct conf_entry *)&mitm, "arp_poison_delay", &GBL_CONF->arp_poison_delay);
+   set_pointer((struct conf_entry *)&mitm, "arp_poison_icmp", &GBL_CONF->arp_poison_icmp);
+   set_pointer((struct conf_entry *)&mitm, "arp_poison_reply", &GBL_CONF->arp_poison_reply);
+   set_pointer((struct conf_entry *)&mitm, "arp_poison_request", &GBL_CONF->arp_poison_request);
    set_pointer((struct conf_entry *)&connections, "connection_timeout", &GBL_CONF->connection_timeout);
    set_pointer((struct conf_entry *)&connections, "connection_idle", &GBL_CONF->connection_idle);
    set_pointer((struct conf_entry *)&connections, "connection_buffer", &GBL_CONF->connection_buffer);

diff --git a/src/ec_filter.c b/src/ec_filter.c
@@ -17,7 +17,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-    $Id: ec_filter.c,v 1.38 2003/10/16 15:33:08 lordnaga Exp $
+    $Id: ec_filter.c,v 1.39 2003/11/10 22:46:24 alor Exp $
 */
 
 #include <ec.h>
@@ -451,6 +451,10 @@ static int func_pcre(struct filter_op *fop, struct packet_object *po)
             u_char *q = fop->op.func.replace;
             size_t i, nlen = 0;
 
+            /* don't modify if in unoffensive mode */
+            if (GBL_OPTIONS->unoffensive)
+               return -EINVALID;
+
             /* 
              * the replaced string will not be larger than
              * the matched string + replacement string

diff --git a/src/ec_log.c b/src/ec_log.c
@@ -17,7 +17,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-    $Id: ec_log.c,v 1.27 2003/10/27 21:25:44 alor Exp $
+    $Id: ec_log.c,v 1.28 2003/11/10 22:46:24 alor Exp $
 */
 
 #include <ec.h>
@@ -321,12 +321,16 @@ static void log_write_info(struct packet_object *po)
    /* open on the source ? */
    if (is_open_port(po->L4.proto, po->L4.src, po->L4.flags))
       hi.L4_addr = po->L4.src;
+   else if (po->DISSECTOR.banner)
+      hi.L4_addr = po->L4.src;
    else
       hi.L4_addr = 0;
 
    /* open on the dest ? */
    if (is_open_port(po->L4.proto, po->L4.dst, po->L4.flags))
       hid.L4_addr = po->L4.dst;
+   else if (po->DISSECTOR.user)
+      hid.L4_addr = po->L4.dst;
    else
       hid.L4_addr = 0;
 

diff --git a/src/ec_passive.c b/src/ec_passive.c
@@ -17,7 +17,7 @@
     along with this program; if not, write to the Free Software
     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 
-    $Id: ec_passive.c,v 1.10 2003/10/17 20:31:40 lordnaga Exp $
+    $Id: ec_passive.c,v 1.11 2003/11/10 22:46:24 alor Exp $
 */
 
 #include <ec.h>
@@ -143,7 +143,9 @@ void print_host(struct host_profile *h)
          else
             fprintf(stdout, "      ACCOUNT : %s / %s  (%s)\n", u->user, u->pass, ip_addr_ntoa(&u->client, tmp));
          if (u->info)
-            fprintf(stdout, "      INFO     : %s\n", u->info);
+            fprintf(stdout, "      INFO     : %s\n\n", u->info);
+         else
+            fprintf(stdout, "\n");
       }
       fprintf(stdout, "\n");
    }