Assigning C structs into array?

  1. #1
    Merlin Houston
    I'm looking at this bit of code and from what I gather, we create an array, and cast/assign a portion to one struct and a portion to another. It took me a minute to understand what it's doing (originally was going to ask wtf is going on but I think I've got it correct).

    It's clever now that I think about it, but seems kind of hacky at the same time, is this an accepted thing? I could tack on any amount of protocols to create a raw packet like this. Does this practice have a name?

    https://github.com/m0nad/ARP-Poison/blob/master/arp-poison.c

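    /* parenthesized so the macro expands safely inside larger expressions */
    #define PKTLEN (sizeof(struct ether_header) + sizeof(struct ether_arp))
    ...
    char packet[PKTLEN];
    /* the Ethernet header overlays the start of the buffer, the ARP payload follows it */
    struct ether_header * eth = (struct ether_header *) packet;
    struct ether_arp * arp = (struct ether_arp *) (packet + sizeof(struct ether_header));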

  2. #2
    SBTlauien African Astronaut
    Didn't I just post this link here? As far as the question goes, I'm too new to C to know.
  3. #3
    Merlin Houston
    Originally posted by SBTlauien: Didn't I just post this link here? As far as the question goes, I'm too new to C to know.

    Yes you did. It inspired me to get back to C network programming.

    Anyway I'm still wondering if this practice has a particular name. Also going to try modifying the code to copy the structs in after the fact, so copying them into the array/memory side by side as opposed to the current code which is placing an empty array where the structs are.

    I also modified it to optionally take a victim MAC address (will post one sec). The ARP protocol has a field for target IP address too, but it doesn't seem to be used by anything.
    For example:
    Sender MAC: Me
    Sender IP: Me
    Target MAC: 0xFF / broadcast
    Target IP: Victim

    And all computers on my network will update the ARP table (because of the broadcast MAC) even though I thought they would ignore it given that they aren't the target IP.
  4. #4
    SBTlauien African Astronaut
    Originally posted by Merlin: Yes you did. It inspired me to get back to C network programming.

    This site here has some great examples. It's what I've been using. But I have been doing most of it on Android, so I can send packets and do network attacks via my phone. I know there are apps that do this, I like doing it on my own.

    How does the Arpspoof program work for you on your machines? I'm not getting many packets. It looks like a lot of the packets are repeats as well.
  5. #5
    TreyGowdy Houston
    Originally posted by SBTlauien: This site here has some great examples. It's what I've been using. But I have been doing most of it on Android, so I can send packets and do network attacks via my phone. I know there are apps that do this, I like doing it on my own.

    How does the Arpspoof program work for you on your machines? I'm not getting many packets. It looks like a lot of the packets are repeats as well.

    It works well, I made a few modifications so it can take a victim MAC:
    https://github.com/shatwofiftysix/arp-poison/blob/master/arp-poison.c

    I'm not sure what you mean by "repeats" but it's sending the same packet over and over so it should be a repeat. Run Wireshark and you should be able to see lots of them. Mostly ARP is for making requests ("who has 192.168.100.1? tell 192.168.100.22"), this is an advertisement (I forget the right word), so you see: "192.168.100.1 is at ff:ff:ff:ff:ff:ff".

    Oh I also enabled packet forwarding and some iptables rules for NAT, otherwise your machine will just drop the victim traffic it gets.


    sysctl -w net.ipv4.ip_forward=1
    # permanent change:
    # echo 1 > /proc/sys/net/ipv4/ip_forward

    # probably not required, but maybe...
    # modprobe iptable_nat
    # iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


    The IP and MAC used should be the gateway/router (and in my modification an optional victim too). The original program wasn't too clear about what addresses were actually supposed to be used.

    For debugging with Wireshark:
    1. Make sure there are ARPs and that they have the expected info (and that they are the advertisement ARPs and not regular traffic - step 3 can help differentiate them if need be, nobody on your network will have DE:EA:D0:00:BE:EF and then search Wireshark for that term)
    2. Look for victim traffic, hit a few HTTP sites to make this easy
    3. Try a garbage MAC and traffic should break on the victim machines
  6. #6
    Lanny Bird of Courage
    I'm not sure if there's a name for it. It's a bit like struct packing, you can save some bytes by doing this if the structs aren't a multiple of word size, you can stuff some data into what would otherwise be padding. Maybe allocation is expensive for some reason as well so you can possibly save there. I'd consider it a pretty ugly practice though unless you profiled and it really makes a difference. Aside from just looking a little odd there's the fact that the memory has to be deallocated as a chunk so if you free one piece your other pointer silently becomes invalid as well. Actually I'm not even sure what would happen if you tried to free the second pointer, the allocator might not know how to handle that.
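
A defensive counterpart to the buffer overlay discussed in this thread, as an added example that is not part of any post or of the linked repositories: it copies the Ethernet and ARP headers out of a captured buffer with memcpy instead of casting, then flags the kind of frame described above ("192.168.100.1 is at ff:ff:ff:ff:ff:ff"). The struct names, verdict names, the pinned gateway MAC 02:00:00:00:00:01 and the sample frame are assumptions constructed for this example.

```c
#include <arpa/inet.h>  /* ntohs */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for struct ether_header / struct ether_arp (names are this example's). */
struct eth_hdr { uint8_t dst[6], src[6]; uint16_t type; };
struct arp_pkt { uint16_t hrd, pro; uint8_t hln, pln; uint16_t op;
                 uint8_t sha[6], spa[4], tha[6], tpa[4]; };
/* Overlaying or copying structs onto wire bytes only works without padding: check it. */
_Static_assert(sizeof(struct eth_hdr) == 14 && sizeof(struct arp_pkt) == 28, "padding");

enum verdict { ARP_OK, NOT_ARP, TRUNCATED, BAD_SENDER_MAC, SRC_MISMATCH, BINDING_CHANGED };

/* Constructed sample data: a pinned gateway binding and one captured frame. */
static const uint8_t GW_IP[4]  = {192, 168, 100, 1};
static const uint8_t GW_MAC[6] = {0x02, 0, 0, 0, 0, 0x01};
static const uint8_t SAMPLE_FRAME[42] = {
    0xff,0xff,0xff,0xff,0xff,0xff,  0x02,0,0,0,0,0x22,  0x08,0x06, /* dst, src, type ARP */
    0,1,  0x08,0,  6,  4,  0,2,                       /* Ethernet, IPv4, lengths, reply */
    0xff,0xff,0xff,0xff,0xff,0xff,  192,168,100,1,    /* sender MAC, sender IP */
    0xff,0xff,0xff,0xff,0xff,0xff,  192,168,100,22 }; /* target MAC, target IP */

/* Classify one frame against a pinned IP-to-MAC binding (for example the gateway). */
enum verdict check_arp_frame(const uint8_t *buf, size_t len,
                             const uint8_t ip[4], const uint8_t mac[6])
{
    struct eth_hdr eth;
    struct arp_pkt arp;
    if (len < sizeof eth) return TRUNCATED;
    memcpy(&eth, buf, sizeof eth);  /* copy out: no alignment or aliasing assumptions */
    if (ntohs(eth.type) != 0x0806) return NOT_ARP;
    if (len < sizeof eth + sizeof arp) return TRUNCATED;
    memcpy(&arp, buf + sizeof eth, sizeof arp);
    if (ntohs(arp.hrd) != 1 || ntohs(arp.pro) != 0x0800 || arp.hln != 6 || arp.pln != 4)
        return NOT_ARP;                                   /* not Ethernet/IPv4 ARP */
    if (arp.sha[0] & 1) return BAD_SENDER_MAC;            /* broadcast/multicast sender */
    if (memcmp(eth.src, arp.sha, 6)) return SRC_MISMATCH; /* frame source vs. ARP sender */
    if (!memcmp(arp.spa, ip, 4) && memcmp(arp.sha, mac, 6)) return BINDING_CHANGED;
    return ARP_OK;
}

int main(void)
{
    printf("verdict=%d\n", check_arp_frame(SAMPLE_FRAME, sizeof SAMPLE_FRAME, GW_IP, GW_MAC));
    return 0;
}
```

The length checks before each memcpy matter as much as the copy itself: the cast-and-overlay form reads whatever follows a short frame in memory.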