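/*
 * Nagini v0.01 - simple TCP packetlogger by sacrine
 * NETRIC SECURITY 2003
 *
 * includes:
 *  - Log functionality
 *  - Can run in background
 *
 * More options will be included in (if it depends on me) next versions
 *
 * Special Thanks go to:
 *  gloomy, eSDee, ilja, ntronic
 *
 * Greets:
 *  atje, The_Itch, ThePike, Laurens, powerpork,
 *  psycoder, Remy, {}, Scrippie and whole #netric :)
 *
 * If there are any questions/remarks or even bugs that you discovered,
 * Please mail me at sacrine@netric.org
 *
 * Trivia and news:
 *  - You're riff-raff if you don't eat samba(l) now and then
 *  - The_Itch votes SP
 *  - soul and gloomy are against a joint at Rock Werchter
 *  - atje has quit drinking
 *  - Xatr0z really does have Dutch nationality
 *
 * More news and trivia from Netric land next time,
 * See you ;)
 */

/*
 * The header names were lost when this listing was copied; the list below
 * is reconstructed from the functions and types the file actually uses.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <signal.h>
#include <time.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/ioctl.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>

#define LOG_SIZE 50
#define JUNK_SIZE 1024
#define BUF_SIZE 1024
#define PCKT_SIZE 65535
#define VERSION "Nagini v0.01"
#define BACKGROUND 0

/* Receive buffer shared by the capture loop; bytes/from_lenght mirror recvfrom(). */
struct pckts_list {
    char p_size[PCKT_SIZE];     /* raw packet bytes as read from the socket */
    int bytes;                  /* return value of the last recvfrom() */
    int from_lenght;            /* address length reported by the last recvfrom() */
    struct iphdr *ip;           /* unused, kept for layout compatibility */
    struct tcphdr *tcp;         /* unused, kept for layout compatibility */
} pckts;

/*
 * Leading part of an IPv4 header (up to and including the source address).
 * Bit-field order (ip_lenght before ip_version) matches the little-endian
 * layout of Linux's struct iphdr; on a big-endian host the nibbles swap.
 */
struct ip_list {
    unsigned int ip_lenght:4;   /* header length in 32-bit words (IHL) */
    unsigned int ip_version:4;
    unsigned char ip_tos;
    unsigned short ip_total_lenght;
    unsigned short ip_id;
    unsigned short ip_flags;
    unsigned char ip_ttl;
    unsigned char ip_protocol;
    unsigned short ip_cksum;
    unsigned int ip_source;
} ip;

/* TCP header; ports are kept in network byte order as read off the wire. */
struct tcp_list {
    unsigned short tcp_source_port;
    unsigned short tcp_dest_port;
    unsigned int tcp_seqno;
    unsigned int tcp_ackno;
    unsigned int tcp_res1:4,
                 tcp_hlen:4,
                 tcp_fin:1,
                 tcp_syn:1,
                 tcp_rst:1,
                 tcp_psh:1,
                 tcp_ack:1,
                 tcp_urg:1,
                 tcp_res2:2;
    unsigned short tcp_winsize;
    unsigned short tcp_cksum;
    unsigned short tcp_urgent;
} tcp;

/*
 * Detach from the controlling terminal and keep running as a background
 * process. The parent prints the child's pid and exits; the child continues.
 * Descriptors are deliberately left open: the log file is opened before this
 * is called and must survive. Returns 0 in the child.
 */
int bground(void)
{
    int fdescr;
    pid_t vorkje;

    if (getppid() != 1) {
        signal(SIGTTOU, SIG_IGN);
        signal(SIGTTIN, SIG_IGN);
        signal(SIGTSTP, SIG_IGN);

        /* flush before fork() so buffered output is not emitted twice */
        fflush(stdout);
        vorkje = fork();
        if (vorkje < 0) {
            perror("fork()");
            exit(-1);
        }
        if (vorkje > 0) {
            fprintf(stdout, "[+] Now running in background.. pid=[%ld]\n\n", (long)vorkje);
            exit(0);
        }

        setpgrp();
        fdescr = open("/dev/tty", O_RDWR);
        if (fdescr >= 0) {
            ioctl(fdescr, TIOCNOTTY, (char *)NULL);
            close(fdescr);
        }
    }

    /* the original looped over fds 0..1023 only to reset errno; one reset is equivalent */
    errno = 0;
    (void)chdir("/");
    umask(0);
    return 0;
}

/* Print the option summary for program name x and exit successfully. */
void usage(char *x)
{
    fprintf(stdout, "Usage: %s [l:Bvh]\n"
                    "\t-l\t-\tspecified logfile\n"
                    "\t-B\t-\trun in background\n"
                    "\t-v\t-\tdisplay version info\n"
                    "\t-h\t-\tshows this help function\n\n", x);
    exit(0);
}

/*
 * Copy the IP and TCP headers out of a raw packet after checking that the
 * packet is long enough to hold both.
 *
 * buf/len:   bytes returned by recvfrom(); a negative len (recvfrom error)
 *            is rejected.
 * ip_out:    filled with the leading IP header fields on success.
 * tcp_out:   filled with the TCP header found at 4 * IHL on success.
 * Returns 0 on success, -1 when the packet is too short or IHL is below
 * the minimum of 5 words.
 */
static int parse_tcp_packet(const char *buf, int len,
                            struct ip_list *ip_out, struct tcp_list *tcp_out)
{
    size_t ip_hdr_len;

    if (buf == NULL || len < 0 || (size_t)len < sizeof *ip_out) {
        return -1;
    }
    /* memcpy rather than casting the byte buffer: no strict-aliasing UB */
    memcpy(ip_out, buf, sizeof *ip_out);
    if (ip_out->ip_lenght < 5) {
        return -1;
    }
    ip_hdr_len = 4u * ip_out->ip_lenght;
    if ((size_t)len < ip_hdr_len + sizeof *tcp_out) {
        return -1;
    }
    memcpy(tcp_out, buf + ip_hdr_len, sizeof *tcp_out);
    return 0;
}

/*
 * Write the current local time into out in asctime() layout
 * ("Sun Sep  6 01:03:52 1973") without the trailing newline.
 * out is left empty if the time cannot be formatted.
 */
static void format_timestamp(char *out, size_t outsz)
{
    time_t now;
    struct tm *lt;

    if (outsz == 0) {
        return;
    }
    out[0] = '\0';
    now = time(NULL);
    lt = localtime(&now);
    if (lt != NULL) {
        strftime(out, outsz, "%a %b %e %H:%M:%S %Y", lt);
    }
}

/*
 * Log one port as " <label> port:<name-or-number><suffix>", using the
 * service name from getservbyport() when one is known.
 * port_nbo is in network byte order, as getservbyport() expects.
 */
static void log_port(FILE *log, const char *label, unsigned short port_nbo,
                     const char *proto, const char *suffix)
{
    struct servent *se = getservbyport(port_nbo, proto);

    if (se == NULL) {
        fprintf(log, " %s port:%d%s", label, ntohs(port_nbo), suffix);
    } else {
        fprintf(log, " %s port:%s%s", label, se->s_name, suffix);
    }
    fflush(log);
}

/*
 * Entry point: parse options, open the log, optionally daemonize, then
 * read TCP packets from a raw socket forever and log one line per packet.
 * Returns -1 on a fatal socket/protocol error; otherwise does not return.
 */
int main(int c, char *v[])
{
    int opts;
    int sock;
    int on = 0;
    FILE *LOG = NULL;
    struct sockaddr_in ader;
    socklen_t ader_len;
    struct ip_list iph;
    struct tcp_list tcph;
    struct protoent *pe;
    char timebuf[50];

    fprintf(stdout, "\n%s TCP packetlogger by sacrine\n"
                    "NETRIC SECURITY 2003 - sacrine@netric.org\n\n", VERSION);

    if (getuid() != 0) {
        fprintf(stderr, "This program requires root priviledges\n..aborting\n");
        exit(-1);
    }
    fprintf(stdout, "[+] Logged in as root\n\n");

    while ((opts = getopt(c, v, "Bhl:v")) != -1) {
        switch (opts) {
        case 'l':
            /* a repeated -l replaces the earlier log file instead of leaking it */
            if (LOG != NULL) {
                fclose(LOG);
            }
            /*
             * NOTE(review): this runs as root and fopen("w+") follows symlinks
             * and truncates whatever the path resolves to; the log path should
             * only ever come from the operator.
             */
            LOG = fopen(optarg, "w+");
            if (!LOG) {
                perror("file()");
                exit(-1);
            }
            fprintf(stdout, "[+] Writing results to: %s\n", optarg);
            break;
        case 'B':
            on = 1;
            break;
        case 'v':
            fprintf(stdout, "%s\n", VERSION);
            break;
        case 'h':
            usage(v[0] == NULL ? "help function:" : v[0]);   /* does not return */
            break;
        default:
            break;
        }
    }

    if (!LOG) {
        if (on) {
            fprintf(stderr, "Sorry, you need to specify a logfile with the -l option for this!\n"
                            "..Aborting\n\n");
            exit(-1);
        }
        LOG = stdout;
    } else if (on) {
        bground();
    }

    if ((sock = socket(AF_INET, SOCK_RAW, IPPROTO_TCP)) < 0) {
        perror("socket()");
        exit(-1);
    }

    for (;;) {
        ader_len = sizeof ader;
        pckts.bytes = (int)recvfrom(sock, pckts.p_size, sizeof(pckts.p_size) - 1, 0,
                                    (struct sockaddr *)&ader, &ader_len);
        pckts.from_lenght = (int)ader_len;
        if (pckts.bytes < 0) {
            if (errno == EINTR) {
                continue;
            }
            perror("recvfrom()");
            return -1;
        }

        /* timestamp taken per packet; the original fixed it at startup */
        format_timestamp(timebuf, sizeof timebuf);
        fprintf(LOG, "[%s]", timebuf);
        fprintf(LOG, " Recieved %d bytes from ", pckts.bytes);
        fflush(LOG);
        fprintf(LOG, "%s ", inet_ntoa(ader.sin_addr));
        fflush(LOG);

        /* never dereference header fields that the datagram does not contain */
        if (parse_tcp_packet(pckts.p_size, pckts.bytes, &iph, &tcph) < 0) {
            fprintf(LOG, "- truncated packet, skipped\n");
            fflush(LOG);
            continue;
        }

        pe = getprotobynumber(iph.ip_protocol);
        if (pe == NULL) {
            /* getprotobynumber() does not set errno, so perror() would mislead */
            fprintf(stderr, "protocol(): unknown protocol number %d\n", iph.ip_protocol);
            return -1;
        }

        fprintf(LOG, "- IP hdr lenght=[%d] ", iph.ip_lenght);
        fflush(LOG);
        fprintf(LOG, "(%s)", pe->p_name);
        fflush(LOG);

        log_port(LOG, "src", tcph.tcp_source_port, pe->p_name, " ");
        log_port(LOG, "dest", tcph.tcp_dest_port, pe->p_name, "\n");
    }

    return 0;
}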