#!/usr/local/bin/perl -w
#
# Copied from Fall, 98 2600 Magazine
# Written by miff
#
# Create your own TCP packets.
#
# Review notes (added on review, not part of the original article):
#
#   * What this file is: a raw-socket TCP SYN sender.  The IPv4 header is
#     built by hand inside givehead() and handed to the kernel through a
#     SOCK_RAW socket, so the source address on the wire is whatever
#     $source_box resolves to, not necessarily this host.  Opening a
#     SOCK_RAW socket needs root (CAP_NET_RAW on Linux); when run
#     unprivileged the socket() call below is the first thing that dies.
#
#   * Nothing is ever read back -- there is no recv() anywhere -- so the
#     script only emits one SYN per destination port and cannot observe
#     replies.
#
#   * Several header fields are hard-coded, which makes the traffic easy
#     to pick out in a packet capture or an IDS rule: IP ID 31337, DF
#     set, TTL 64, initial sequence number 790047533, window 8124, and a
#     source port that increases by exactly one per probe starting at
#     $source_starting_port + 1 (see the pre-increment in tcpsp00f()).
#
#   * `use strict qw(refs, subs)` does not request 'vars', so undeclared
#     or misspelled variable names are not rejected at compile time.  The
#     comma inside qw() is also a classic pitfall: Perl warns "Possible
#     attempt to separate words with commas", and strict.pm treats the
#     resulting tag "refs," as unknown and croaks on current perls
#     (NOTE(review): behaviour on the 1998-era perl this was written for
#     is not verifiable from here).
#
#   * gethostbyname(), setsockopt() and send() results are not checked.
#
use Socket;
use strict qw(refs, subs);

##### Source and Destination Parameters, must change these
# Both hostnames are resolved with gethostbyname() in tcpsp00f().
# $source_box is the address written into the forged IP header.
# Ports are strings here but are used numerically below.
my $target_box = "bach";
my $target_low_port = "1";
my $target_hi_port = "1024";
my $source_box = "mozart";
my $source_starting_port = "10000";

tcpsp00f($target_box,$target_low_port,$target_hi_port,$source_box,$source_starting_port);

# tcpsp00f(DEST_HOST, DEST_PORT_LOW, DEST_PORT_HI, SRC_HOST, SRC_PORT)
#
# Resolves both hostnames, opens a raw IPv4 socket, and sends one
# hand-built SYN segment to every destination port in the inclusive
# range DEST_PORT_LOW..DEST_PORT_HI.  SRC_HOST is the address placed in
# the IP header; SRC_PORT is incremented before each send, so the first
# probe leaves from SRC_PORT + 1.  Prints two progress banners to STDOUT.
# Dies (with the bare $!) only if socket() fails; every other system
# call's result is ignored.  Return value is not meaningful.
sub tcpsp00f {
    my ($dest_host,$dest_port_low,$dest_port_hi,$src_host,$src_port) = @_;

    ###### Set constants
    my ($PROTO_RAW) = 255;      ###### From /etc/protocols
    my ($PROTO_IP) = 0;
    my ($IP_HDRINCL) = 1;       ##### We set the ip header
    # NOTE(review): these are literal numbers rather than the Socket
    # module's constants; the socket-option level/name values are
    # platform-specific, and nothing below checks that the option took.

    ###### Resolve source/destination
    # Element 4 of gethostbyname()'s list is the first packed 4-byte
    # address.  On a failed lookup the list is empty and the variable
    # becomes undef; that case is not handled.
    $dest_host = (gethostbyname($dest_host))[4];
    $src_host = (gethostbyname($src_host))[4];

    ###### Open raw socket
    # Requires elevated privileges (root / CAP_NET_RAW on Linux).
    # Bareword filehandle S is used throughout this sub.
    socket(S, AF_INET, SOCK_RAW, $PROTO_RAW) || die $!;

    ###### Raw socket should be open, now set socket up
    # Return value is not checked.
    setsockopt(S, $PROTO_IP, $IP_HDRINCL, 1);

    my ($port) = $dest_port_low;
    print "\n INITIATING SCAN \n\n";
    while ($port <= $dest_port_hi) {
        $src_port++;            # pre-increment: first probe uses SRC_PORT + 1

        ###### Build a TCP Header
        # $data is never assigned anywhere in this file (not caught,
        # since strict 'vars' is not enabled); givehead() accepts it
        # as its fifth argument but does not use it.
        my ($packet) = givehead($src_host, $src_port, $dest_host, $port, $data);

        # Hand-rolled sockaddr_in: family, port, address, 8 zero bytes.
        # Socket's sockaddr_in() builds the same structure portably.
        my ($dest) = pack('S n a4 x8', AF_INET, $port, $dest_host);

        ###### Send packet
        # Bytes-sent / undef result is ignored.
        send (S,$packet,0, $dest);
        $port++;
    }
    print "\n Packets sent \n\n";
}

# givehead(SRC_ADDR, SRC_PORT, DEST_ADDR, DEST_PORT, DATA)
#
# Returns a 40-byte string: a 20-byte IPv4 header followed by a 20-byte
# TCP header with the SYN flag set and no payload.  SRC_ADDR and
# DEST_ADDR are packed 4-byte addresses as produced by gethostbyname().
# DATA is accepted but never used.  The IP header checksum field is
# written as zero; the TCP checksum is computed by checkfro() over a
# pseudo-header (addresses, zero, protocol, length) followed by the TCP
# header with a zero checksum field.
sub givehead {
    my ($src_host, $src_port, $dest_host, $dest_port, $data) = @_;

    ###### Build the options of the TCP packet and call TCP Header checksum
    my $hdr_cksum = 0;          ####### We set it to zero so we can calculate it
    my $zero = 0;               ####### might need a zero from time to time
    my $proto_tcp = 6;
    my ($tcplength) =20;        ###### IF YOU ADD DATA, MAKE SURE TO ADD ITS PACKED LENGTH TO TCPLEGNTH!!
    my $syn = 790047533;        ###### Random syn number, keep under 32 bits..
    # NOTE(review): "random" only in name -- the same ISN is used for
    # every probe, which is one of the fingerprintable constants.
    my $ack = 0;
    my $tcp_4bit_hdrlen = "5";  ##### 5 * 4 bytes = 20 bytes
    my $tcp_4bit_reserved = "0";
    # Two hex digits, packed below with H2 into the data-offset/reserved byte.
    my $hdr_n_reserved = $tcp_4bit_hdrlen . $tcp_4bit_reserved;
    my $tcp_urg_bit = 0;
    my $tcp_ack_bit = 0;
    my $tcp_psh_bit = 0;
    my $tcp_rst_bit = 0;
    my $tcp_syn_bit = 1;
    my $tcp_fin_bit = 0;

    ###### Put together 2 reserved fields and the 6 flags to pack as a binary
    # Packed below with B8, which pads a bit string shorter than 8
    # characters with zero bits on the right.  Without strict 'vars'
    # any misspelled flag name in this concatenation is silently undef.
    my $tcp_codebits = $zero . $zero . $tcp_urg_bit . $tcp_ack_bit . $tcp_psh_bit . $tcp_rst_bit . $tcp_syn_bit . $tcp_bin_bit;
    my $tcp_windowsize = 8124;  ###### default window size
    my $tcp_urgent_pointer = 0;

    ###### The following is not a tcp header per se, but a psuedo header
    ###### used to calculate the tcp checksum.
    # Layout: src addr, dst addr, zero byte, protocol, TCP length
    # (12 bytes), then the 20-byte TCP header with a zero checksum.
    # The field names used here must match the ones declared above;
    # without strict 'vars' an unassigned name packs as 0 and only
    # produces a warning under -w.
    my ($pseudo_tcp) = pack ('a4 a4 C C n n n N N H2 B8 n v n', $src_host,$dest_host,$zero,$proto_tcp, $tcplegnth,$src_port,$dest_port, $syn,$ack, $hdr_n_reserved,$tcp_codebits, $tcp_windowsize,$zero,$tcp_urgent_pointer);
    my ($tcp_chksum) = &checkfro($pseudo_tcp);

    ###### Build options of IP packet
    my $ip_version = "4";
    my $ip_hedlen = "5";
    my $ver_n_hlen = $ip_version . $ip_hedlen;      # "45" -> one H2 byte
    my $ip_tos = "00";
    my ($totlength) = $tcplength + 20;  ###### We pack totlength into 2 bytes in the packet
    my $ip_fragment_id = 31337;
    my $ip_3bit_flags = "010";          ###### IP fragmentation flags (this sets DF)
    my $ip_13bit_fragoffset = "0000000000000"; ###### Fragment offset
    my $ip_flags_n_frags = $ip_3bit_flags . $ip_13bit_fragoffset;
    my $ip_ttl = 64;

    ###### We have proto_tcp from above...
    # Redeclaring $proto_tcp in the same scope triggers the -w warning
    # '"my" variable $proto_tcp masks earlier declaration'.
    my $proto_tcp = 6;
    ###### We have hdr_checksum from above...
    ###### All source and destinations info is passwd to us (it gets set in
    ###### parent routine).
    ###### Change $syn and $ack above in tcp section
    ###### in fact, everything else in the packet is set above
    #
    # Byte-order note: every multi-byte field is packed big-endian ('n'/'N')
    # except the TCP checksum, which is packed with 'v' (little-endian).
    # checkfro() sums native-order shorts, so on a little-endian host the
    # two swaps cancel and the right bytes appear on the wire; on a
    # big-endian host they would not (NOTE(review): inferred from the
    # templates, not tested here).
    my ($hdr) = pack('H2 H2 n n B16 C2 n a4 a4 n n N N H2 B8 n vn',
        $ver_n_hlen, $ip_tos, $totlength, $ip_fragment_id, $ip_flags_n_frags,$ip_ttl,$proto_tcp, $hdr_cksum, $src_host, $dest_host,
        ##### End of ip header, begin tcp header
        $src_port, $dest_port, $syn,$ack, $hdr_n_reserved,$tcp_codebits, $tcp_windowsize,$tcp_chksum,$tcp_urgent_pointer);
    return $hdr;
}

# checkfro(MSG)
#
# 16-bit one's-complement checksum of MSG in the RFC 1071 style: sums
# MSG as native-order unsigned shorts, adds a trailing odd byte if the
# length is odd, folds the carry bits back in, and returns the
# complemented low 16 bits as an integer.
#
# Because the words are read in host order, the numeric result is
# byte-swapped relative to network order on little-endian machines; the
# caller compensates by packing it with 'v'.  The only caller passes the
# 32-byte pseudo-header, so the odd-length path is never exercised here
# (for odd lengths $num_short is fractional and the unpack template
# count becomes e.g. "S2.5" -- NOTE(review): behaviour of that template
# is not established by this file).
sub checkfro {
    my ( $msg           ###### The message to checkfro
    ) = @_;
    my ($len_msg,       ###### The legnth of the message
        $num_short,     ###### Number of short words in the message
        $short,         ###### One short word
        $chk            ###### The checkfro
    );
    $len_msg = length($msg);
    $num_short = $len_msg / 2;
    $chk = 0;
    foreach $short (unpack("S$num_short", $msg)) {
        $chk += $short;
    }
    # Trailing byte of an odd-length message is added as its own word.
    $chk += unpack("C", substr($msg, $len_msg -1, 1)) if $len_msg % 2;
    # Fold carries into the low 16 bits.  The second fold adds the carry
    # to the unmasked value, which leaves the low 16 bits the same as
    # the conventional masked fold; the final & 0xffff discards the rest.
    $chk = ($chk >> 16) + ($chk & 0xffff);
    return(~(($chk >> 16) + $chk) & 0xffff);
}