|---=============================================================------ .
   [wINJECT v0.96b] by moofz@bonbon.net  http://big.badlink.net          ;
<========================================================>  30-Dec-2001 

Dist Note:  wINJECT may NOT be distributed or bundled with any product
            that is sold for commercial profit without the explicit
            permission of the author.

DISCLAIMER: The information contained in this text is legal 'as is'
            but I can in no way be held responsible for illegal use
            of this material or any damage caused.  Be careful :)

<=======================================================================>
                          -+ wINJECT +-
                       [drugs for Windows]

                      .:[Table of content]:.
                        1. Welcome and NEWS! (new lowlevel shit!)
                        2. Getting started
                        3. Limitations and warnings
                        4. Protocol info 
                        5. lowlevel: Thoughts
                        6. Last words


<=======================================================================>
                        .:[Welcome and NEWS!]:.

Welcome to THE packet injector for Windows 9x & Windows 2k.

First I would like to point out that this is a BETA version of wINJECT.
This means a lot of limitations, and you may also get dumb and annoying
warnings when you build packets. I will try as hard as possible to make
this a useful program. This release is actually quite useful. It includes
some great features and I am very happy with it.

+NEWS+ +NEWS+ +NEWS+ +NEWS+ +NEWS+ +NEWS+ +NEWS+ +NEWS+ +NEWS+ +NEWS+

Major change: Switched to Winsock2! So if you are still using WS1.1, then
download the free DUN1.3 & WS2 updates for Windows 95.

 http://www.microsoft.com/windows95/downloads/contents/WURecommended/S_WUNetworking/dun13win95/Default.asp
 http://www.microsoft.com/windows95/downloads/contents/WUAdminTools/S_WUNetworkingTools/W95Sockets2/Default.asp

  Note: First install the DUN13, and then the WS2 update.

wINJECT now also runs on Windows 2000 (but without the lowlevel functions).
NOTE: There is a flaw/limitation in Win2k that prevents fragmented packets from
being sent [I can only say: "Use Win9x for maximum control!"].

NEW: import CommView binary packets. Just save packets as binary and
open with wINJECT. This feature is for the lazy hackers.

[lowlevel: WinSock Extension]:
This is cool! If wINJECT is running then you can send raw packets from
YOUR OWN program. For more info check out the included wsockext.txt
file. If you create an example that I can include, then mail it to me.
ASM, Delphi, C, C++, Fortran - anything that can use winsock is welcome.

[lowlevel: IP Changer]: More possible directions: User_X will let you
enter the exact IP you want. Up_X & Down_X use another method which
can be faster than normal Up & Down.

Magic Snooper:
This is for finding the initial MagicID. Usage is simple:
You are offline; press the "Magic Snooper" flag and go online. Wait and
hopefully it will show you the MagicID to use. If it does, then press
the save button.

"Better" support for weird modems (especially internals). Select COMX in the
settings if COM1-4 do not work for you. Note: the IP Changer
DOES NOT work when you use COMX, so if the IP Changer is important then
get an external modem. When using this method you are also limited to
packet sizes of less than 549 bytes (IP_TotLen). It will not warn you.

NetBIOS first level encoding:
When you select [Chars] as input format then you will notice a new button
(it illustrates a split). This is for NetBIOS packets.

Example: assume your computer name is "polka".
Then you enter "polka00". The <00> is interpreted as hex and is the
NetBIOS service. Hit the small button and it will encode it to:

"FAEPEMELEBCACACACACACACACACACAAA"

I have included a list of NB services in the [Protocol info] section.
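The encoding the split button performs is NetBIOS first-level encoding (RFC 1001, section 14.1): the 16-byte name (the computer name upper-cased and padded with spaces to 15 bytes, then the service byte) is cut into nibbles, and each nibble n becomes the letter 'A' + n. The Python below is an added example, not wINJECT's code; function names are mine, and the decoder goes beyond the text so that a sniffed name-service packet can be turned back into a readable name and service. Note that the 32-character string above is the encoding of "POLKA", i.e. the name is upper-cased first.

```python
# NetBIOS first-level name encoding (RFC 1001 section 14.1), as performed by
# the split button described above. Added example; not wINJECT's own code.

def netbios_encode(name: str, service: int) -> str:
    """Encode a NetBIOS name plus service byte into its 32-character form.
    The name is upper-cased (as in the "polka" example) and padded with
    spaces to 15 bytes; the 16th byte is the service (0x00, 0x20, 0x1C ...)."""
    if not 0 <= service <= 0xFF:
        raise ValueError("service must be a single byte, 0x00..0xFF")
    raw = name.upper().encode("ascii")
    if not raw or len(raw) > 15:
        raise ValueError("NetBIOS name must be 1..15 characters")
    raw = raw.ljust(15, b" ") + bytes([service])
    letters = []
    for byte in raw:
        letters.append(chr(ord("A") + (byte >> 4)))     # high nibble -> A..P
        letters.append(chr(ord("A") + (byte & 0x0F)))   # low nibble  -> A..P
    return "".join(letters)


def netbios_decode(encoded: str):
    """Reverse the encoding: returns (name, service_byte).
    Handy when reading a sniffed name-service packet; anything that is not
    exactly 32 letters in the range A..P is rejected as malformed."""
    if len(encoded) != 32 or any(not "A" <= c <= "P" for c in encoded):
        raise ValueError("expected 32 characters in the range A..P")
    nibbles = [ord(c) - ord("A") for c in encoded]
    raw = bytes((nibbles[i] << 4) | nibbles[i + 1] for i in range(0, 32, 2))
    return raw[:15].rstrip(b" ").decode("ascii"), raw[15]


if __name__ == "__main__":
    print(netbios_encode("polka", 0x00))   # the string shown in the text
    print(netbios_decode("FAEPEMELEBCACACACACACACACACACAAA"))
```

The service byte is passed as an integer here; in wINJECT you type it as the two hex digits after the name, exactly as in "polka00".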

[Random IP] enhanced: now you can write 194.239.168.x and it will randomize
the 'x'.

If you have packets that have [Random IP] fields, then they are rebuilt
for every loop in Project_Injection.

<=======================================================================>
                     .:[Getting started]:.

Ok, so you want to build a packet? Then let me tell you what you MUST
include in it. The first layer is the IP layer and the minimum length is
20 bytes.

This is the IP Header layout:

   4 bit ip_v     ;version          = 4
   4 bit ip_hl    ;header length    = 5 (headersize / 4)
   8 bit ip_tos   ;type of service  = 0 is normal
  16 bit ip_len   ;total length     = minimum 20 
  16 bit ip_id    ;identification   = anything from 0 to 65535
  16 bit ip_off   ;fragment offset  = 0 is normal 
   8 bit ip_ttl   ;time to live     = 64 is normal
   8 bit ip_p     ;protocol         = next protocol (icmp=1, tcp=6, udp=17)
  16 bit ip_cksum ;checksum         = always use a [Checksum] field here 
  32 bit ip_src   ;source addr      = from this IP
  32 bit ip_dst   ;destination addr = to this IP

Open one of the included examples and then start from there. It is
a lot easier than starting from scratch.
Also, download a TCP/IP primer or some unix exploits that deal
with raw sockets; you can learn a lot from them.

I think these will help you in most cases:

TCP/IP Illustrated at:
http://www.bitpunk.com/tcpip_ill/
http://www.yenigul.net/tcpip/

RFC archive at:
http://www.faqs.org/rfcs/

How to add/edit a field:
Click on "New" or double click on an item in the list.

If you start from scratch then the Layer is "1" (it must be!).
Then enter a Name. It could start with ip_ but YOU decide.
Select a format you would like to enter:

Decimal:   Most of the time you use this one (0 -> 9)
Hex:       Sometimes it is easier to enter in hex (0 -> f) (sniffed packets)
Chars:     (or bytes) Use this when you enter characters, e.g. when
           you make an ICMP echo request (or a DNS packet).

Checksum:   This field is for an auto-calculated checksum; only one per layer!
IP:         When you enter an IP
Dynamic IP: This will insert your current IP when online
Random IP:  Just a random IP from 0.0.0.0 to 255.255.255.255 (use x for random)
GlobalIP1+2: If you select these, then it takes the IPs from the "Global IP"
             button in the main dialog.

Click the "Pseudo data" option if you are making TCP/IP or UDP packets
with real checksums.

Then you enter a bit/byte size if it is not already set.
NOTE: Legal bit values: 1 to 16 and 32, which should cover most situations.

Then you enter the value (again, only if it is not already set).
Click OK, and if you don't get a warning then it "should" be ok.

Build the rest of the packet and then hit the Inject button. Done..
Off it goes. Easy? You bet!
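To see what the [Checksum] field and the "Pseudo data" option actually compute, here is an IP + UDP packet built by hand in Python. This is an added example, not wINJECT's code or anything from this text: the IP header follows the 20-byte layout above, the UDP checksum is taken over the pseudo-header (source, destination, zero, protocol 17, UDP length) plus the UDP header and data, and a verifier re-runs both checksums, which is the same check to apply to a packet you sniffed before trusting it. Function names are mine; the addresses, ports and payload are constructed sample values.

```python
import socket
import struct


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum, what a [Checksum] field auto-calculates."""
    if len(data) % 2:
        data += b"\x00"                         # odd length: pad with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                          # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_header(src: str, dst: str, proto: int, payload_len: int,
              ident: int = 0x1234, ttl: int = 64) -> bytes:
    """20-byte IPv4 header in the field order listed above (ip_v .. ip_dst)."""
    ver_ihl = (4 << 4) | 5                      # ip_v = 4, ip_hl = 5 (20 / 4)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      ver_ihl, 0, 20 + payload_len, ident, 0, ttl, proto,
                      0,                        # ip_cksum is zero while summing
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]


def udp_segment(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload, checksum over pseudo-header + header + data."""
    length = 8 + len(payload)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, 17, length)         # the "Pseudo data"
    udp = struct.pack("!HHHH", sport, dport, length, 0) + payload
    # In UDP a transmitted checksum of 0 means "none", so a computed 0 is sent as 0xFFFF.
    ck = internet_checksum(pseudo + udp) or 0xFFFF
    return udp[:6] + struct.pack("!H", ck) + udp[8:]


def build_udp_packet(src: str, dst: str, sport: int, dport: int,
                     payload: bytes, ident: int = 0x1234) -> bytes:
    udp = udp_segment(src, dst, sport, dport, payload)
    return ip_header(src, dst, 17, len(udp), ident) + udp


def verify_udp_packet(packet: bytes) -> dict:
    """Re-run both checksums over a finished packet. With the checksum fields
    in place, the ones-complement sum of each covered region must be 0."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = int.from_bytes(packet[2:4], "big")
    ip_ck = int.from_bytes(packet[10:12], "big")
    src, dst = packet[12:16], packet[16:20]
    udp = packet[ihl:total_len]
    udp_len = int.from_bytes(udp[4:6], "big")
    udp_ck = int.from_bytes(udp[6:8], "big")
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, 17, udp_len)
    return {"ip_checksum": ip_ck, "ip_ok": internet_checksum(packet[:ihl]) == 0,
            "udp_checksum": udp_ck, "udp_ok": internet_checksum(pseudo + udp) == 0}


if __name__ == "__main__":
    # constructed sample: 10.0.0.1:12345 -> 10.0.0.2:53, payload "hello"
    pkt = build_udp_packet("10.0.0.1", "10.0.0.2", 12345, 53, b"hello")
    print(pkt.hex())
    print(verify_udp_packet(pkt))
```

The verifier is the useful half: a hand-built packet with a wrong [Checksum] field is silently dropped by the receiving stack, and a sniffed packet whose checksums do not verify is either corrupt or was crafted without the pseudo-header.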


<=======================================================================>
                  .:[Limitations and warnings]:.

Bit related warnings:
When you add a 16 or 32 bit field then the bits/bytes are swapped (network
byte order).

Future releases will include more options! I hope.

Next limitation: also called ("Bad bit: #001")
This is illegal, and I will show you why.

# Name  Size  Value
1 --    b: 15 --
1 --    b: 2  --
1 --    b: 7  --

Concentrate on the Size fields :)
If you add these up you get 24 bits, that is 3 bytes. The problem
is that when wINJECT adds them it tries to stop at 8/16 bits and then
store the result in another buffer. So it first gets the 15 bits,
BUT: then it sees the next 2, which would make 17 bits, and that is TOO much.

In future releases I will try to fix this. With this release you
just have to think a little yourself. Yeah, I am sorry! Make sure
wINJECT can add the bits so they end on 8/16 bit.

Like this one:
# Name  Size  Value
1 --    b: 15 --
1 --    b: 1  --
1 --    b: 1  --
1 --    b: 7  --
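A small pre-check for a layer's field sizes, written as an added example from the rule described above (this is my reading of the text, not wINJECT's own code): bits accumulate until they land exactly on 8 or 16 and are then flushed; passing 16 without landing, or ending the layer with loose bits, is flagged. It reports the bad layout from the text and accepts the good one.

```python
def check_bit_fields(sizes):
    """Return (ok, message) for a layer's field sizes, in order.
    Model of the "Bad bit: #001" rule (my reading of the text, not wINJECT's code):
    bits accumulate until they land exactly on 8 or 16, then the buffer is flushed;
    running past 16 without landing, or ending with loose bits, is an error.
    Sizes outside 1..16 / 32 are rejected, as in the add/edit dialog."""
    acc = 0
    for idx, size in enumerate(sizes, 1):
        if not (1 <= size <= 16 or size == 32):
            return False, "field %d: size %d is not 1..16 or 32" % (idx, size)
        if size == 32:
            if acc:
                return False, "field %d: 32-bit field starts with %d loose bits" % (idx, acc)
            continue                    # a whole 32-bit word needs no packing
        acc += size
        if acc in (8, 16):
            acc = 0                     # landed on a byte/word boundary: flush
        elif acc > 16:
            return False, ("Bad bit: #001 at field %d (%d bits): buffer would hold "
                           "%d bits, more than 16" % (idx, size, acc))
    if acc:
        return False, "layer ends with %d loose bits (not on a byte boundary)" % acc
    return True, "ok"


if __name__ == "__main__":
    print(check_bit_fields([15, 2, 7]))       # the illegal layout above
    print(check_bit_fields([15, 1, 1, 7]))    # the fixed layout above
```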

       
<=======================================================================>
                       .:[Protocol info]:.

I have collected some protocol information to help beginners build
packets.

IP HEADER:
-----------------------------------------
   4 bit ip_v       ;version
   4 bit ip_hl      ;header length 
   8 bit ip_tos     ;type of service 
  16 bit ip_len     ;total length 
  16 bit ip_id      ;identification 
  16 bit ip_off     ;fragment offset field 
   8 bit ip_ttl     ;time to live 
   8 bit ip_p       ;protocol 
  16 bit ip_cksum   ;checksum 
  32 bit ip_src     ;source address 
  32 bit ip_dst     ;destination address 
-----------------------------------------

ICMP HEADER:
---------------------
   8 bit type
   8 bit code
  16 bit checksum
  16 bit id
  16 bit seq
---------------------

Assigned Internet Protocol Numbers (RFC 1700)

Decimal    Keyword     Protocol                         References
-------    -------     --------                         ----------
     0                 Reserved                              [JBP]
     1     ICMP        Internet Control Message       [RFC792,JBP]
     2     IGMP        Internet Group Management     [RFC1112,JBP]
     3     GGP         Gateway-to-Gateway              [RFC823,MB]
     4     IP          IP in IP (encapsulation)              [JBP]
     5     ST          Stream                 [RFC1190,IEN119,JWF]
     6     TCP         Transmission Control           [RFC793,JBP]
     7     UCL         UCL                                    [PK]
     8     EGP         Exterior Gateway Protocol     [RFC888,DLM1]
     9     IGP         any private interior gateway          [JBP]
    10     BBN-RCC-MON BBN RCC Monitoring                    [SGC]
    11     NVP-II      Network Voice Protocol         [RFC741,SC3]
    12     PUP         PUP                             [PUP,XEROX]
    13     ARGUS       ARGUS                                [RWS4]
    14     EMCON       EMCON                                 [BN7]
    15     XNET        Cross Net Debugger            [IEN158,JFH2]
    16     CHAOS       Chaos                                 [NC3]
    17     UDP         User Datagram                  [RFC768,JBP]
    18     MUX         Multiplexing                    [IEN90,JBP]
    19     DCN-MEAS    DCN Measurement Subsystems           [DLM1]
    20     HMP         Host Monitoring                [RFC869,RH6]
    21     PRM         Packet Radio Measurement              [ZSU]
    22     XNS-IDP     XEROX NS IDP               [ETHERNET,XEROX]
    23     TRUNK-1     Trunk-1                              [BWB6]
    24     TRUNK-2     Trunk-2                              [BWB6]
    25     LEAF-1      Leaf-1                               [BWB6]
    26     LEAF-2      Leaf-2                               [BWB6]
    27     RDP         Reliable Data Protocol         [RFC908,RH6]
    28     IRTP        Internet Reliable Transaction  [RFC938,TXM]
    29     ISO-TP4     ISO Transport Protocol Class 4 [RFC905,RC77]
    30     NETBLT      Bulk Data Transfer Protocol    [RFC969,DDC1]
    31     MFE-NSP     MFE Network Services Protocol  [MFENET,BCH2]
    32     MERIT-INP   MERIT Internodal Protocol             [HWB]
    33     SEP         Sequential Exchange Protocol        [JC120]
    34     3PC         Third Party Connect Protocol         [SAF3]
    35     IDPR        Inter-Domain Policy Routing Protocol [MXS1]
    36     XTP         XTP                                   [GXC]
    37     DDP         Datagram Delivery Protocol            [WXC]
    38     IDPR-CMTP   IDPR Control Message Transport Proto [MXS1]
    39     TP++        TP++ Transport Protocol               [DXF]
    40     IL          IL Transport Protocol                [DXP2]
    41     SIP         Simple Internet Protocol              [SXD]
    42     SDRP        Source Demand Routing Protocol       [DXE1]
    43     SIP-SR      SIP Source Route                      [SXD]
    44     SIP-FRAG    SIP Fragment                          [SXD]
    45     IDRP        Inter-Domain Routing Protocol   [Sue Hares]
    46     RSVP        Reservation Protocol           [Bob Braden]
    47     GRE         General Routing Encapsulation     [Tony Li]
    48     MHRP        Mobile Host Routing Protocol[David Johnson]
    49     BNA         BNA                          [Gary Salamon]
    50     SIPP-ESP    SIPP Encap Security Payload [Steve Deering]
    51     SIPP-AH     SIPP Authentication Header  [Steve Deering]
    52     I-NLSP      Integrated Net Layer Security  TUBA [GLENN]
    53     SWIPE       IP with Encryption                    [JI6]
    54     NHRP        NBMA Next Hop Resolution Protocol
 55-60                 Unassigned                            [JBP]
    61                 any host internal protocol            [JBP]
    62     CFTP        CFTP                            [CFTP,HCF2]
    63                 any local network                     [JBP]
    64     SAT-EXPAK   SATNET and Backroom EXPAK             [SHB]
    65     KRYPTOLAN   Kryptolan                            [PXL1]
    66     RVD         MIT Remote Virtual Disk Protocol      [MBG]
    67     IPPC        Internet Pluribus Packet Core         [SHB]
    68                 any distributed file system           [JBP]
    69     SAT-MON     SATNET Monitoring                     [SHB]
    70     VISA        VISA Protocol                        [GXT1]
    71     IPCV        Internet Packet Core Utility          [SHB]
    72     CPNX        Computer Protocol Network Executive  [DXM2]
    73     CPHB        Computer Protocol Heart Beat         [DXM2]
    74     WSN         Wang Span Network                     [VXD]
    75     PVP         Packet Video Protocol                 [SC3]
    76     BR-SAT-MON  Backroom SATNET Monitoring            [SHB]
    77     SUN-ND      SUN ND PROTOCOL-Temporary             [WM3]
    78     WB-MON      WIDEBAND Monitoring                   [SHB]
    79     WB-EXPAK    WIDEBAND EXPAK                        [SHB]
    80     ISO-IP      ISO Internet Protocol                 [MTR]
    81     VMTP        VMTP                                 [DRC3]
    82     SECURE-VMTP SECURE-VMTP                          [DRC3]
    83     VINES       VINES                                 [BXH]
    84     TTP         TTP                                   [JXS]
    85     NSFNET-IGP  NSFNET-IGP                            [HWB]
    86     DGP         Dissimilar Gateway Protocol     [DGP,ML109]
    87     TCF         TCF                                  [GAL5]
    88     IGRP        IGRP                            [CISCO,GXS]
    89     OSPFIGP     OSPFIGP                      [RFC1583,JTM4]
    90     Sprite-RPC  Sprite RPC Protocol            [SPRITE,BXW]
    91     LARP        Locus Address Resolution Protocol     [BXH]
    92     MTP         Multicast Transport Protocol          [SXA]
    93     AX.25       AX.25 Frames                         [BK29]
    94     IPIP        IP-within-IP Encapsulation Protocol   [JI6]
    95     MICP        Mobile Internetworking Control Pro.   [JI6]
    96     SCC-SP      Semaphore Communications Sec. Pro.    [HXH]
    97     ETHERIP     Ethernet-within-IP Encapsulation     [RXH1]
    98     ENCAP       Encapsulation Header         [RFC1241,RXB3]
    99                 any private encryption scheme         [JBP]
   100     GMTP        GMTP                                 [RXB5]
101-254                Unassigned                            [JBP]
    255                Reserved                              [JBP]


ICMP TYPE NUMBERS

The Internet Control Message Protocol (ICMP) has many messages that
are identified by a "type" field.

Type    Name                                    Reference
----    -------------------------               ---------
  0     Echo Reply                               [RFC792]
  1     Unassigned                                  [JBP]
  2     Unassigned                                  [JBP]
  3     Destination Unreachable                  [RFC792]
  4     Source Quench                            [RFC792]
  5     Redirect                                 [RFC792]
  6     Alternate Host Address                      [JBP]
  7     Unassigned                                  [JBP]
  8     Echo                                     [RFC792]
  9     Router Advertisement                    [RFC1256]
 10     Router Selection                        [RFC1256]
 11     Time Exceeded                            [RFC792]
 12     Parameter Problem                        [RFC792]
 13     Timestamp                                [RFC792]
 14     Timestamp Reply                          [RFC792]
 15     Information Request                      [RFC792]
 16     Information Reply                        [RFC792]
 17     Address Mask Request                     [RFC950]
 18     Address Mask Reply                       [RFC950]
 19     Reserved (for Security)                    [Solo]
 20-29  Reserved (for Robustness Experiment)        [ZSu]
 30     Traceroute                              [RFC1393]
 31     Datagram Conversion Error               [RFC1475]
 32     Mobile Host Redirect              [David Johnson]
 33     IPv6 Where-Are-You                 [Bill Simpson]
 34     IPv6 I-Am-Here                     [Bill Simpson]
 35     Mobile Registration Request        [Bill Simpson]
 36     Mobile Registration Reply          [Bill Simpson]
 37-255 Reserved                                    [JBP]

Many of these ICMP types have a "code" field.  Here we list the types
again with their assigned code fields.

Type    Name                                    Reference
----    -------------------------               ---------
  0     Echo Reply                               [RFC792]
        Codes
            0  No Code

  1     Unassigned                                  [JBP]
  2     Unassigned                                  [JBP]

  3     Destination Unreachable                  [RFC792]
        Codes
            0  Net Unreachable
            1  Host Unreachable
            2  Protocol Unreachable
            3  Port Unreachable
            4  Fragmentation Needed and Don't Fragment was Set
            5  Source Route Failed
            6  Destination Network Unknown
            7  Destination Host Unknown
            8  Source Host Isolated
            9  Communication with Destination Network is
               Administratively Prohibited
           10  Communication with Destination Host is
               Administratively Prohibited
           11  Destination Network Unreachable for Type of Service
           12  Destination Host Unreachable for Type of Service

  4     Source Quench                            [RFC792]
        Codes
            0  No Code

  5     Redirect                                 [RFC792]
        Codes
            0  Redirect Datagram for the Network (or subnet)
            1  Redirect Datagram for the Host
            2  Redirect Datagram for the Type of Service and Network
            3  Redirect Datagram for the Type of Service and Host

  6     Alternate Host Address                      [JBP]
        Codes
            0  Alternate Address for Host

  7     Unassigned                                  [JBP]

  8     Echo                                     [RFC792]
        Codes
            0  No Code

  9     Router Advertisement                    [RFC1256]
        Codes
            0  No Code

 10     Router Selection                        [RFC1256]
        Codes
            0  No Code

 11     Time Exceeded                            [RFC792]
        Codes
            0  Time to Live exceeded in Transit
            1  Fragment Reassembly Time Exceeded

 12     Parameter Problem                        [RFC792]
        Codes
            0  Pointer indicates the error
            1  Missing a Required Option        [RFC1108]
            2  Bad Length

 13     Timestamp                                [RFC792]
        Codes
            0  No Code

 14     Timestamp Reply                          [RFC792]
        Codes
            0  No Code

 15     Information Request                      [RFC792]
        Codes
            0  No Code

 16     Information Reply                        [RFC792]
        Codes
            0  No Code

 17     Address Mask Request                     [RFC950]
        Codes
            0  No Code

 18     Address Mask Reply                       [RFC950]
        Codes
            0  No Code

 19     Reserved (for Security)                    [Solo]

 20-29  Reserved (for Robustness Experiment)        [ZSu]

 30     Traceroute                              [RFC1393]

 31     Datagram Conversion Error               [RFC1475]

 32     Mobile Host Redirect              [David Johnson]

 33     IPv6 Where-Are-You                 [Bill Simpson]

 34     IPv6 I-Am-Here                     [Bill Simpson]

 35     Mobile Registration Request        [Bill Simpson]

 36     Mobile Registration Reply          [Bill Simpson]
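An added Python decoder (not wINJECT's code, and not from this text) that applies the IP and ICMP header layouts and a subset of the type/code tables above to a raw packet: it checks that the protocol is ICMP, verifies both checksums and names the type and code. That is the sanity check to run on an ICMP packet pulled from a sniffer before believing what it says. The sample bytes are a constructed echo request (10.0.0.1 to 10.0.0.2, constructed addresses) with valid checksums; function names are mine.

```python
import socket
import struct

# Subset of the ICMP type and code tables above (RFC 792 / RFC 1256 / RFC 950).
ICMP_TYPES = {
    0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
    5: "Redirect", 8: "Echo", 9: "Router Advertisement", 10: "Router Selection",
    11: "Time Exceeded", 12: "Parameter Problem", 13: "Timestamp",
    14: "Timestamp Reply", 17: "Address Mask Request", 18: "Address Mask Reply",
}
ICMP_CODES = {
    3: {0: "Net Unreachable", 1: "Host Unreachable", 2: "Protocol Unreachable",
        3: "Port Unreachable", 4: "Fragmentation Needed and Don't Fragment was Set",
        5: "Source Route Failed"},
    5: {0: "Redirect Datagram for the Network (or subnet)",
        1: "Redirect Datagram for the Host",
        2: "Redirect Datagram for the Type of Service and Network",
        3: "Redirect Datagram for the Type of Service and Host"},
    11: {0: "Time to Live exceeded in Transit", 1: "Fragment Reassembly Time Exceeded"},
    12: {0: "Pointer indicates the error", 1: "Missing a Required Option", 2: "Bad Length"},
}

# Constructed sample: IP (len 32, ttl 64, proto 1) + ICMP echo, id 1, seq 1, "abcd".
SAMPLE_ECHO_REQUEST = bytes.fromhex(
    "45000020000100004001" "66da" "0a000001" "0a000002"
    "0800" "3337" "0001" "0001" "61626364"
)


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; over a region with its checksum in place it is 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def name_icmp(icmp_type: int, code: int):
    """Map a type/code pair to the names in the tables above."""
    type_name = ICMP_TYPES.get(icmp_type, "Unassigned/Reserved")
    codes = ICMP_CODES.get(icmp_type, {0: "No Code"})
    return type_name, codes.get(code, "unknown code %d" % code)


def decode_icmp(packet: bytes) -> dict:
    """Parse IP + ICMP from raw bytes and verify both checksums."""
    if len(packet) < 20:
        raise ValueError("truncated IP header")
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _ip_ck, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                  # ip_hl is in 32-bit words
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a sane IPv4 header")
    if proto != 1:
        raise ValueError("ip_p is %d, not ICMP (1)" % proto)
    icmp = packet[ihl:total_len]                # options, if any, are skipped by ihl
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _icmp_ck, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    type_name, code_name = name_icmp(icmp_type, code)
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl,
        "ip_checksum_ok": internet_checksum(packet[:ihl]) == 0,
        "type": icmp_type, "type_name": type_name,
        "code": code, "code_name": code_name,
        "id": ident, "seq": seq, "payload": icmp[8:],
        "icmp_checksum_ok": internet_checksum(icmp) == 0,   # covers header + data
    }


if __name__ == "__main__":
    print(decode_icmp(SAMPLE_ECHO_REQUEST))
```

A packet that parses but fails either checksum is worth a second look: stacks drop it silently, so seeing one on the wire usually means a crafting tool with the [Checksum] field left out or set to a fixed value.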


NetBIOS Services:
The table below lists some common services that names can be bound to
and the hex value that denotes that service:
  
  Unique Names 
  computer_name 00 Workstation Service or base computer name 
  computer_name 20 Server Service 
  domain_name 1B Domain Master Browser 
  computer_name 03 Messenger Service 
  user_name 03 Messenger Service 
  domain_name 1D Master Browser 
  computer_name 06 Remote Access Server Service 
  computer_name 1F NetDDE Service 
  computer_name 21 RAS Client Service 
  computer_name BE Network Monitor Agent 
  computer_name BF Network Monitor Application {any spaces are replaced with +s} 
  
  Group Names 
  domain_name 00 Domain Name 
  domain_name 1C Domain Controller {A PDC will also have unique Domain Name 1B} 
  domain_name 1E Browser Service Elections 

<=======================================================================>
                       .:[lowlevel: Thoughts]:.

Here are some ideas that show how powerful wINJECT really is or will be.

Let's start with the IP Changer concept. At first it looks quite harmless, but
in the hands of creative users it can be the opposite.
People have said to me: "Yah, so we can change to another IP. Phh, big deal!"
and when I told them the more exotic uses they got that funny dreaming
look in their eyes.

"Normal use"
1. Banned IP: then jump to another IP.
2. If you suspect that someone is sending you "bad" packets then
   jump to another IP and feel secure for some time.

Exotic:
3. Change to the IP of your ISP's DNS server. There is some
   misconfigured dial-in equipment out there. [This is not my idea!]
   You should have a fake DNS server set up before you do this, else you
   are just flooded with lookup requests that can't be answered.
   Look at the DNS logs and select the most used search engine or web
   site. Copy the website, and next time a lookup request comes in,
   pass the IP of your machine to them. You are in control! You can
   send them anywhere you want.
    
4. Nuke victim, jump to his IP and continue whatever he was doing.
   This is a feature I think will be included in future versions of
   wINJECT. It will be able to take over ANY TCP/IP connection. If it
   detects an active connection when it jumped to a new IP then a message
   box will pop up and ask if you want to hijack it :)  quite powerful!

Stealth Ping:
I found a way to discover which IPs are in use at my ISP
(other dial-in users). This can be used as a "stealth ping" but is only
possible if your ISP is strict and has anti-spoofing on.

Let me give you an example:
Most ISPs filter packets that have spoofed source addresses. If I am
on 194.239.168.1 then I can't send packets with a source IP that is outside
the range of my ISP. Some ISPs allow you to send as 194.239.168.2,
but MY ISP filters the packet if 194.239.168.2 is not in use.

OK, so pretend that I am 194.239.168.1 again. If I send a packet
with:
 source_ip=194.239.168.2
 destination_ip=194.239.168.1

and my sniffer picks up a packet from .2, then there is another user on .2,
but if I don't see anything come in, then it is not in use.
It doesn't get more stealth than this.

NEW Features:

Counter and Random Fields:
In the future you will get these 2 field types. Especially the Counter field
will be useful when making DNS attacks, but also TCP spoofing will be
possible. Anything that is hard because we need to increase a field in the
packet will be easier in the future.

The Random field is for the "tester". Imagine sending tons of random
packets out and then hope it triggers a NEW bug in a system. Ahh lots
of fun.

lowlevel: WinSock Extension
This one makes it possible for WinSock users to send RAW/Spoofed packets from
their own program. When the "Raw_Reading" feature is ready then you can
make scanners, probes - everything from your program. Make your own diag
programs you always wanted to do but couldn't because of WinSock limitations.
I give WinSock programmers what Microsoft didn't give them - and I hope
they will appreciate it ;)

lowlevel: Net Nose
I am making a sniffer !!  yeah :) Then you don't have to switch between
wINJECT and the sniffer you use now. You will also be able to copy
the sniffed packet to the editor with a few clicks. Most of the code
is already done - but the stability is missing.
I hope it is ready for next release. But it depends on the response from
the users.

NIC/ADSL/CABLE support for Windows 95/98 users:   (YEAAAH !!!)
I have an ADSL connection now, so NIC development can start.

This and more is what you can expect to see from me, BUT (big but ;)
only if people start to pay what the program is worth. I can't continue
the development without money so I beg you:

   PLEASE send me some money... [especially if you use it at work]

  thank you !
     
<=======================================================================>
                       .:[Last words]:.

Yep, that was all for this release of wINJECT. Remember, if you
find bugs, have any suggestions, ideas, packets, comments or other things
related to wINJECT (except source code questions), then mail me!!

BYE! and enjoy!
[moofz@bonbon.net]
<=======================================================================>
                        -+ wINJECT +-
                      [drugs for Windows]
<=======================================================================>
