#!/usr/bin/perl -Tw
#################################
# Not the xmas scan in the nmap sense,
# but in the "lets light 'em up" sense.
# Actually, its not even a scan, just a 
# crap generator.
#
# Send packets with random settings from 
# any apparent source/port to any source/port.
#
# Requires:	Net::RawIP  (www.cpan.org)
#			root
#
# Notes:
# Be careful.  Aside from the obvious amount
# of blatantly bogus traffic you'll generate,
# I've seen this thing happily eat a p3-750 while
# sending traffic on dummy0.  On average, it'll
# send 10k packets in ~15 seconds.  Regardless of
# the validity of the packets, I think thats more
# than enough crap you'll wanna see pouring into 
# your machine.
#
# Bugs:
# 1) It was crashing when the source address was a 
# multicast address, but for some reason this 
# problem disappeared.  :shrug:
# 2) Doesn't check for properly formatted source/destination
# hosts.  If you can't give it proper arguments, then
# thats your own damn fault.
#
# (jhart@ccs.neu.edu) work/school
# 	and/or   
# (warchild@spoofed.org) home/play
#################################
use strict;
use diagnostics;
use locale;
use Socket;
use Net::RawIP;
use Getopt::Long;
$ENV{'PATH'} = "/usr/bin:/bin";
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
my $saddr;	# source address
my $daddr;	# destination address
my $sport;	# source port
my $dport;	# destination port
my $num;		# number of packets to send
my $delay;	# delay between each packet (seconds)
my $flags;	# flags to set
my $data;		# data to send with packet
my $debug;
# get our options in place
GetOptions(	"src=s"	=>	\(my $opt_saddr),
			"dest=s"	=>	\(my $opt_daddr),
			"srcp=i"	=>	\(my $opt_sport),
			"destp=i"	=>	\(my $opt_dport),
			"num=i"	=>	\(my $opt_num),
			"delay=i"	=> 	\(my $opt_delay),
			"flags=s"	=>	\(my $opt_flags),
			"data=s"	=>	\(my $opt_data),
			"help"	=>	\(my $opt_help),
			"debug"	=>	\(my $opt_debug)) or die "$!\n";
# setup defaults if not given any options
if (defined($opt_help)) {
	print << "EOF" ;
	Send empty tcp packets to a desired host using random tcp headers.
	Optionally spoof the source address.
	REQUIRED:
	--dest <destination address>
	OPTIONS:
	--src <source address> 		(default: random)
	--srcp <source port>		(default: random)
	--destp <destination port>	(default: random)
	--num <number of packets>	(defualt: 5)
	--delay <delay (seconds)>	(default: 2)
	--flags <a|f|p|s|u>			(default: random)
	--data <data>				(default: none)
	--debug (Print constructed packet)
	--help (This message)
	Example:
	./xmas --dest 12.10.116.200 --destp 22 --num 1000 --delay 0 --data "foo"
	Captured by snort:
	06/23-08:49:27.625471 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x39
	120.81.114.73:57760 -> 12.10.116.200:22 TCP TTL:162 TOS:0x5B ID:36828 IpLen:20 DgmLen:43 DF
	**U*P*S* Seq: 0xBF330583  Ack: 0x1197D019  Win: 0x21DB  TcpLen: 20  UrgPtr: 0x0
	foo
EOF
exit;
}
# parse the options and set defaults if needed
if (!defined($opt_num)) {
	$num = 5;
} else { $num = $opt_num; }
if (!defined($opt_delay)) {
	$delay = 2;
} else { $delay = $opt_delay; }
if (!defined($opt_data)) {
	$data = "";
} else { $data = $opt_data; }
if (defined($opt_debug)) {
	$debug = $opt_debug;
}
if (!defined($opt_daddr)) {
	print "Try 'xmas --help for options'\n";
} else {
	# sanity check the destination host first, resolve if needed.
	if ($opt_daddr =~ /^([\d.]+)$/) {
		if ($opt_debug) { print "Not resolving $1\n"; }
		$daddr = $1;
	} elsif ($opt_daddr =~ /^([\d.\w-]+)$/) {
		if ($opt_debug) { print "Resolving $1\n"; }
		my $packedip = gethostbyname($1) or die "Couldn't resolve $1: $!\n";
		$daddr = inet_ntoa($packedip);
	} else { die "Couldn't determine destination host format, wtf!\n"; }
	# now check the source host, resolve if needed.
	if (defined($opt_saddr)) {
	if ($opt_saddr =~ /^([\d.]+)$/) { $saddr = $1;
	} elsif ($opt_saddr =~ /^([\d.\w-]+)$/) {
		my $packedip = gethostbyname($1) or die "Coulding resolve $1: $!\n";
		$saddr = inet_ntoa($packedip);
	} else { die "Couldn't determine source host format, wtf!\n"; }
	}
	# pick out the flags
	#if (defined($opt_flags) && ($opt_flags =~ /[a]|[f]|[p]|[s]|[u]/i)) {
	#		my %flag_hash;
	#	foreach (split(//, $opt_flags)) {
	#	print "\l$_\n"; 
	#	unless (exists($flag_hash{$_})) {
	#		$flag_hash{$_} = 1;
	#		$flags .= $_;
	#	}
	#	}
	#} else { $flags = ""; }
	if (defined($opt_flags)) {
		my %seen; 
		$opt_flags =~ tr/afprsu//dsc;	
		my @uniq_flags = grep { ! $seen{$_} ++ } split(//, $opt_flags);
		foreach (@uniq_flags) { $flags .= $_; }
	} else { $flags = ""; }
	for(my $i = 0; $i < $num; $i++) { 
	if (!defined($opt_saddr)) {
        	$saddr = (int rand(256)).".".(int rand(256)).".".(int rand(256)).".".(int rand(256));
	} else { $saddr = $opt_saddr; }
	if (!defined($opt_sport)) {
		$sport = int rand(65536);
	} else { $sport = $opt_sport; }
	if (!defined($opt_dport)) {
		$dport = int rand(65536);
	} else { $dport = $opt_dport; }
		&xmas($saddr, $daddr, $sport, $dport, $data, $flags);
		sleep($delay);
	}
}
sub xmas {
my $source = shift;	# apparent source address
my $dest = shift;	# desired destination address
my $sport = shift;  # source port
my $dport = shift;	# destination port
my $data = shift;	# data, if any
my $flags = shift;	# flags, if any
print "Flags: $flags\n";
#############################
# IP header
# version ihl tos tot_len id frag_off ttl protocol check saddr daddr
# only version 4 is valid (IPv4), but uncomment if you like
my $version = 4;
# hack a TOS field
my $precedence = substr(unpack("B32", pack("N", int rand(8))), -3);
my $delay = substr(unpack("B32", pack("N", int rand(2))), -1);
my $thruput = substr(unpack("B32", pack("N", int rand(2))), -1); 
my $reliability = substr(unpack("B32", pack("N", int rand(2))), -1); 
my $reserved = substr(unpack("B32", pack("N", int rand(4))), -2);
my $bin_tos = $precedence . $delay . $thruput . $reliability . $reserved;
my $tos = unpack("N", pack("B32", substr("0" x 32 . $bin_tos,-32)));
my $tos_hex = substr(unpack("H32", pack("N", $tos)), -2);
my $id = int rand(65536);
my $ttl = int rand(256);
####################
# TCP header
# source dest seq ack_seq doff res1 res2 urg ack psh rst syn
# fin window check urg_ptr data
my ($ack, $fin, $psh, $rst, $syn, $urg);
$urg = ($flags =~ /u/) || int rand(2);
$ack = ($flags =~ /a/) || int rand(2);
$psh = ($flags =~ /p/) || int rand(2);
$rst = ($flags =~ /r/) || int rand(2);
$syn = ($flags =~ /s/) || int rand(2);
$fin = ($flags =~ /f/) || int rand(2);
# a 32 bit numbers
my $src_isn = int rand(4294967296);
my $src_ack = int rand(4294967296);
# 16-bit
my $window = int rand(65536);
if (defined($debug)) {
print "#################################\n";
print "    OUTGOING\n";
print "Source = $source $sport\n";
print "Destination = $dest $dport\n";
print "Seq = $src_isn\n";
print "Ack = $src_ack\n";
print "Window = $window\n";
print "AFPRSU = $ack$fin$psh$rst$syn$urg\n";
print "#################################\n";
}
my $xmas_pack = new Net::RawIP({
					ip => {
						id => $id,
						tos => $tos,
						ttl => $ttl,
						daddr => $dest,
						saddr => $source
						},
					tcp => {
						source => $sport,
						dest => $dport,
						seq => $src_isn,
						ack_seq => $src_ack,
						window => $window,
						ack => $ack,
						syn => $syn,
						rst => $rst,
						psh => $psh,
						fin => $fin,
						urg => $urg,
						data => $data 
					}
				});
$xmas_pack->send;
}