Network topology:

DHCP server ======== your laptop ======== your phone

The laptop runs a Linux distribution with a 2.6 kernel. In the setup above, the laptop's wired port obtains an IP address from the DHCP server, so the laptop can reach the Internet. The laptop's wireless card is put into AP mode, so the phone can associate with it and reach the Internet through it as well. The phone must obtain its IP address directly from the DHCP server, and when the phone's DHCP Discover passes through the laptop, the laptop inserts an option 60 field (vendor class identifier; the value is arbitrary) into the packet.

Experimental environment: an OpenWrt system running Linux 2.6.31 takes the place of the laptop.

Main idea: tamper with the packet inside netif_receive_skb() in the kernel source file net/core/dev.c, inserting into the DHCP Discover an option 60 field whose value is the string "dhcp-athx". Because skb->dev->name of every sk_buff names the interface that received the frame, stations (STAs) can be told apart by that value, so different STAs can be given different option 60 values. Option 60 carries no integrity protection, so any forwarding node can set or rewrite it; the DHCP server only sees the value as it arrives, which is exactly what makes this per-interface tagging work.
/* Inside netif_receive_skb() in net/core/dev.c (Linux 2.6.31, OpenWrt). */
if (skb) {
    unsigned char *buf = skb_mac_header(skb);              /* start of the Ethernet frame */
    struct iphdr *iph = (struct iphdr *)(buf + ETH_HLEN);
    struct udphdr *udph = (struct udphdr *)(buf + ETH_HLEN + 20);

    if (buf[6] == 0x64                          /* first byte of my phone's MAC address */
        && buf[12] == 0x08 && buf[13] == 0x00   /* EtherType 0x0800: IP packet */
        && buf[23] == 0x11                      /* IP protocol: UDP */
        && buf[35] == 0x44                      /* client source port 68 */
        && buf[37] == 0x43                      /* server destination port 67 */
        && buf[42] == 0x01                      /* DHCP op = 1: request from a client */
        && buf[284] == 0x01                     /* option 53 value 1: DHCP Discover */
        && buf[285] != 0x3c) {                  /* not tagged yet: the bridge hands the same skb to this hook again */
        int i, newlen;
        const char *vci = "Harry";              /* default option 60 value */
        unsigned char dataadd[32];

        printk("[%s:%d] before: packet length = %#4x udplen = %d iplen = %d devname = %s\n",
               __func__, __LINE__, skb->len, ntohs(udph->len), ntohs(iph->tot_len), skb->dev->name);
        printk("head = 0x%p end = 0x%p data = 0x%p tail = 0x%p\n",
               skb->head, skb_end_pointer(skb), skb->data, skb_tail_pointer(skb));
        for (i = 0; i < skb->len + ETH_HLEN; i++) {        /* hex dump of the whole frame */
            if (i % 2 == 0) printk(" ");
            printk("%2.2x", buf[i]);
            if (i % 16 == 15) printk("\n");                /* line width reconstructed; the original value was lost */
        }
        printk("\n\n\n\n");

        /* Choose the vendor class identifier from the interface that received the frame. */
        if (strcmp(skb->dev->name, "ath0") == 0)
            vci = "dhcp-ath0";
        else if (strcmp(skb->dev->name, "ath1") == 0)
            vci = "dhcp-ath1";

        /* Build the option: code 0x3c, length, value. */
        newlen = 2 + strlen(vci);
        dataadd[0] = 0x3c;
        dataadd[1] = strlen(vci);
        memcpy(dataadd + 2, vci, strlen(vci));

        if (skb_tailroom(skb) < newlen) {
            printk("no tailroom for option 60, packet left unchanged\n");  /* skb_put() would panic otherwise */
        } else {
            /* Expand the data area and fix both length fields (network byte order). */
            skb_put(skb, newlen);
            iph->tot_len = htons(ntohs(iph->tot_len) + newlen);
            udph->len = htons(ntohs(udph->len) + newlen);
            /* skb->len no longer counts the Ethernet header (pulled by eth_type_trans()),
             * so the bytes behind frame offset 285 number skb->len + ETH_HLEN - 285 - newlen. */
            memmove(buf + 285 + newlen, buf + 285, skb->len + ETH_HLEN - 285 - newlen);
            memcpy(buf + 285, dataadd, newlen);

            /* Recalculate the UDP and IP checksums. */
            udph->check = 0;
            skb->csum = skb_checksum(skb, iph->ihl * 4, skb->len - iph->ihl * 4, 0);
            udph->check = csum_tcpudp_magic(iph->saddr, iph->daddr, skb->len - iph->ihl * 4,
                                            IPPROTO_UDP, skb->csum);
            if (udph->check == 0)
                udph->check = CSUM_MANGLED_0;               /* 0 would mean "no UDP checksum" */
            iph->check = 0;
            ip_send_check(iph);

            printk("[%s:%d] after: packet length = %#4x udplen = %d iplen = %d devname = %s\n",
                   __func__, __LINE__, skb->len, ntohs(udph->len), ntohs(iph->tot_len), skb->dev->name);
            printk("head = 0x%p end = 0x%p data = 0x%p tail = 0x%p\n",
                   skb->head, skb_end_pointer(skb), skb->data, skb_tail_pointer(skb));
            for (i = 0; i < skb->len + ETH_HLEN; i++) {
                if (i % 2 == 0) printk(" ");
                printk("%2.2x", buf[i]);
                if (i % 16 == 15) printk("\n");
            }
            printk("\n\n\n\n");
        }
    }
}
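To check that the byte offsets, length updates and checksum recalculation above are right before running them in a kernel, here is an added user-space model in C (not the page's kernel code): it builds a constructed DHCP Discover frame, inserts option 60 at the same frame offset 285 with a tailroom check, big-endian length updates and both checksums recomputed, so the result can be compared byte for byte against a capture from the real box. The frame contents, the names demo_frame, build_discover and insert_option60 are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
#define ETH_LEN 14
#define UDP_OFF (ETH_LEN + 20)            /* 34: IP header without options */
#define OPTS    (UDP_OFF + 8 + 236 + 4)   /* 282: first DHCP option, after the magic cookie */
/* RFC 1071 one's-complement checksum; s seeds in the UDP pseudo-header sum. */
static uint16_t csum(const uint8_t *p, size_t n, uint32_t s) {
    for (; n > 1; n -= 2, p += 2) s += (uint32_t)p[0] << 8 | p[1];
    if (n) s += (uint32_t)p[0] << 8;
    while (s >> 16) s = (s & 0xffff) + (s >> 16);
    return (uint16_t)~s;
}
/* Sum of the UDP pseudo-header words: IP src, IP dst, protocol 17, UDP length. */
static uint32_t pseudo(const uint8_t *f, size_t ulen) {
    uint32_t s = 17 + (uint32_t)ulen; size_t i;
    for (i = 12; i < 20; i += 2) s += (uint32_t)f[ETH_LEN + i] << 8 | f[ETH_LEN + i + 1];
    return s;
}
/* Model of the kernel patch: insert option 60 right after option 53 (offset 285),
 * fix both length fields in network byte order and recompute both checksums.
 * Returns the new length, or 0 if the frame is not a DHCP Discover, already has
 * option 60, or cap (the tailroom skb_put() would need) is too small. */
size_t insert_option60(uint8_t *f, size_t len, size_t cap, const char *vci) {
    size_t v = strlen(vci), at = OPTS + 3, ulen; uint16_t c;
    if (len <= at || v > 255 || len + 2 + v > cap) return 0;
    if (f[12] != 0x08 || f[13] != 0x00 || f[ETH_LEN + 9] != 17) return 0;          /* IPv4, UDP */
    if (f[UDP_OFF + 1] != 68 || f[UDP_OFF + 3] != 67 || f[UDP_OFF + 8] != 1) return 0; /* 68->67, op=1 */
    if (f[OPTS] != 53 || f[OPTS + 2] != 1 || f[at] == 60) return 0;                 /* Discover, untagged */
    memmove(f + at + 2 + v, f + at, len - at);               /* open a gap of 2 + v bytes */
    f[at] = 60; f[at + 1] = (uint8_t)v; memcpy(f + at + 2, vci, v);
    len += 2 + v; ulen = len - UDP_OFF;
    f[ETH_LEN + 2] = (uint8_t)((len - ETH_LEN) >> 8); f[ETH_LEN + 3] = (uint8_t)(len - ETH_LEN);
    f[UDP_OFF + 4] = (uint8_t)(ulen >> 8); f[UDP_OFF + 5] = (uint8_t)ulen;
    f[ETH_LEN + 10] = f[ETH_LEN + 11] = 0; f[UDP_OFF + 6] = f[UDP_OFF + 7] = 0;
    c = csum(f + ETH_LEN, 20, 0); f[ETH_LEN + 10] = c >> 8; f[ETH_LEN + 11] = c & 0xff;
    c = csum(f + UDP_OFF, ulen, pseudo(f, ulen)); if (!c) c = 0xffff;   /* 0 means "no checksum" */
    f[UDP_OFF + 6] = c >> 8; f[UDP_OFF + 7] = c & 0xff;
    return len;
}
/* Constructed sample (not a capture): minimal DHCP Discover with options 53 and end. */
uint8_t demo_frame[400]; size_t demo_len;
size_t build_discover(void) {
    uint8_t *f = demo_frame; memset(f, 0, sizeof demo_frame);
    memset(f, 0xff, 6); f[6] = 0x64; f[12] = 0x08;           /* bcast dst, src MAC 64:.., IPv4 */
    f[ETH_LEN] = 0x45; f[ETH_LEN + 8] = 64; f[ETH_LEN + 9] = 17; memset(f + ETH_LEN + 16, 0xff, 4);
    f[UDP_OFF + 1] = 68; f[UDP_OFF + 3] = 67; f[UDP_OFF + 8] = 1;  /* ports, op = BOOTREQUEST */
    memcpy(f + OPTS - 4, "\x63\x82\x53\x63\x35\x01\x01\xff", 8); /* cookie, 53 = 1, end */
    return demo_len = OPTS + 4;                                /* 286 bytes */
}
```

After insert_option60() the kernel's checks at offsets 284 and 285 can be re-run on the modified frame, and a second call returns 0 because offset 285 now holds 0x3c.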
Summary: the kernel intercepts the DHCP Discover packet and inserts an option 60 field.