public static TCPPacket MakePortClosedPacket(byte[] fromMac, byte[] toMac, byte[] fromIP, byte[] toIP, ushort fromPort, ushort toPort, uint ackNumber)
{
EthPacket e = new EthPacket(60);
e.FromMac = fromMac;
e.ToMac = toMac;
e.Proto = new byte[2] {
0x08, 0x00
};
IPPacket ip = new IPPacket(e);
ip.DestIP = new IPAddress(fromIP);
ip.SourceIP = new IPAddress(toIP);
ip.NextProtocol = 0x06;
ip.TotalLength = 40;
ip.HeaderChecksum = ip.GenerateIPChecksum;
TCPPacket tcp = new TCPPacket(ip);
tcp.SourcePort = fromPort;
tcp.DestPort = toPort;
tcp.SequenceNumber = (uint)0;
tcp.AckNumber = ackNumber;
tcp.WindowSize = 8192;
tcp.ACK = true;
tcp.RST = true;
tcp.Checksum = tcp.GenerateChecksum;
tcp.Outbound = true;
return(tcp);
}
public IPPacket(EthPacket eth)
: base(eth.data)
{
if (!isIP() && !isIPv6())
throw new Exception("Not an IP packet!");
start = base.LayerStart() + base.LayerLength();
if (eth.CodeGenerated)
{
this.CodeGenerated = true;
if (isIPv6())
{
data->m_IBuffer[start] = 0x60;
data->m_IBuffer[start + 1] = 0x00;
this.TTL = 0xff;
}
else
{
data->m_IBuffer[start] = 0x45;
this.DiffServicesField = 0x00;
this.Identification = 23950;
this.FragmentOffset = 0;
this.Flags = 0x40;
this.TTL = 128;
}
}
if (isIPv6())
length = 40;
else
length = (uint)((data->m_IBuffer[start] & 0xf) * 4);
}
public unsafe override PacketMainReturn interiorMain(ref Packet in_packet)
{
lock (padlock)
{
if (theirMac == null)
return null;
EthPacket e = (EthPacket)in_packet;
if ((e.Proto[0] & 0x01) == 0x01 && (CompareMac(theirMac, e.FromMac) && CompareMac(myMac, e.ToMac) || (CompareMac(theirMac, e.ToMac) && CompareMac(myMac, e.FromMac))))
{
INTERMEDIATE_BUFFER* IB = e.IB;
rc4.SetKeyState(key);
INTERMEDIATE_BUFFER* iba = (INTERMEDIATE_BUFFER*)Marshal.AllocHGlobal(Marshal.SizeOf(new INTERMEDIATE_BUFFER()));
iba->m_dwDeviceFlags = IB->m_dwDeviceFlags;
iba->m_Flags = IB->m_Flags;
iba->m_Length = IB->m_Length;
iba->m_qLink = IB->m_qLink;
for (int x = 12; x < IB->m_Length; x++)
{
iba->m_IBuffer[x] = (byte)(IB->m_IBuffer[x] ^ rc4.Next());
}
EthPacket nPacket = new EthPacket(iba);
nPacket.FromMac = e.FromMac;
nPacket.ToMac = e.ToMac;
nPacket.Proto = new byte[2];
nPacket.Proto[0] = (byte)(0xFE & e.Proto[0]);
nPacket.Proto[1] = e.Proto[1];
adapter.ProcessPacket(nPacket);
return new PacketMainReturn("SimpleMacEncryption") { returnType = PacketMainReturnType.Drop };
}
}
return null;
}
public ARPPacket(EthPacket eth)
: base(eth.data)
{
if (!isARP())
throw new Exception("Not an ARP packet!");
start = base.LayerStart() + base.LayerLength();
length = this.Length() - base.LayerLength();
if (eth.CodeGenerated)
{
HardwareType = 1;
ProtocolType = 0x0800;
HardwareSize = 0x06;
ProtocolSize = 4;
ARPOpcode = 0x0002;
}
}
public ARPPacket(EthPacket eth)
: base(eth.data)
{
if (!isARP())
{
throw new Exception("Not an ARP packet!");
}
start = base.LayerStart() + base.LayerLength();
length = this.Length() - base.LayerLength();
if (eth.CodeGenerated)
{
HardwareType = 1;
ProtocolType = 0x0800;
HardwareSize = 0x06;
ProtocolSize = 4;
ARPOpcode = 0x0002;
}
}
public void threadMain()
{
while (true)
{
if (Enabled)
{
EthPacket ep = new EthPacket(42);
ep.FromMac = PhysicalAddress.Parse("F07BCB8F7AC5").GetAddressBytes();
ep.ToMac = PhysicalAddress.Parse("FFFFFFFFFFFF").GetAddressBytes();
ep.Proto = new byte[2] { 0x08, 0x06 };
ARPPacket arpp = new ARPPacket(ep);
arpp.ASenderMac = ep.FromMac;
arpp.ASenderIP = IPAddress.Parse("192.168.0.1");
arpp.ATargetMac = ep.ToMac;
arpp.ATargetIP = IPAddress.Parse("192.168.0.255");
adapter.SendPacket(arpp);
}
Thread.Sleep(1000);
}
}
public static TCPPacket MakeSynPacket(byte[] fromMac, byte[] toMac, byte[] fromIP, byte[] toIP, ushort fromPort, ushort toPort)
{
EthPacket e = new EthPacket(60);
e.FromMac = fromMac;
e.ToMac = toMac;
e.Proto = new byte[2] { 0x08, 0x00 };
IPPacket ip = new IPPacket(e);
ip.DestIP = new IPAddress(fromIP);
ip.SourceIP = new IPAddress(toIP);
ip.NextProtocol = 0x06;
ip.TotalLength = 40;
ip.HeaderChecksum = ip.GenerateIPChecksum;
TCPPacket tcp = new TCPPacket(ip);
tcp.SourcePort = fromPort;
tcp.DestPort = toPort;
tcp.SequenceNumber = (uint)new Random().Next();
tcp.AckNumber = 0;
tcp.WindowSize = 8192;
tcp.SYN = true;
tcp.Checksum = tcp.GenerateChecksum;
tcp.Outbound = true;
return tcp;
}
public IPPacket(EthPacket eth)
: base(eth.data)
{
if (!isIP() && !isIPv6())
{
throw new Exception("Not an IP packet!");
}
start = base.LayerStart() + base.LayerLength();
if (eth.CodeGenerated)
{
this.CodeGenerated = true;
if (isIPv6())
{
data->m_IBuffer[start] = 0x60;
data->m_IBuffer[start + 1] = 0x00;
this.TTL = 0xff;
}
else
{
data->m_IBuffer[start] = 0x45;
this.DiffServicesField = 0x00;
this.Identification = 23950;
this.FragmentOffset = 0;
this.Flags = 0x40;
this.TTL = 128;
}
}
if (isIPv6())
{
length = 40;
}
else
{
length = (uint)((data->m_IBuffer[start] & 0xf) * 4);
}
}
unsafe void ProcessLoop()
{
// Allocate and initialize packet structures
ETH_REQUEST Request = new ETH_REQUEST();
INTERMEDIATE_BUFFER PacketBuffer = new INTERMEDIATE_BUFFER();
IntPtr PacketBufferIntPtr = Marshal.AllocHGlobal(Marshal.SizeOf(PacketBuffer));
try
{
win32api.ZeroMemory(PacketBufferIntPtr, Marshal.SizeOf(PacketBuffer));
Request.hAdapterHandle = adapterHandle;
Request.EthPacket.Buffer = PacketBufferIntPtr;
modules = new ModuleList(this);
modules.LoadExternalModules();
modules.UpdateModuleOrder();
string folder = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
folder = folder + System.IO.Path.DirectorySeparatorChar + "firebwall";
if (!System.IO.Directory.Exists(folder))
System.IO.Directory.CreateDirectory(folder);
folder = folder + System.IO.Path.DirectorySeparatorChar + "pcapLogs";
if (!System.IO.Directory.Exists(folder))
System.IO.Directory.CreateDirectory(folder);
string f = folder + System.IO.Path.DirectorySeparatorChar + "blocked-" + this.InterfaceInformation.Name + "-" + PcapCreator.Instance.GetNewDate() + ".pcap";
pcaplog = new PcapFileWriter(f);
INTERMEDIATE_BUFFER* PacketPointer;
while (true)
{
hEvent.WaitOne();
while (Ndisapi.ReadPacket(hNdisapi, ref Request))
{
PacketPointer = (INTERMEDIATE_BUFFER*)PacketBufferIntPtr;
//PacketBuffer = (INTERMEDIATE_BUFFER)Marshal.PtrToStructure(PacketBufferIntPtr, typeof(INTERMEDIATE_BUFFER));
Packet pkt = new EthPacket(PacketPointer).MakeNextLayerPacket();
if (pkt.Outbound)
{
OutBandwidth.AddBits(pkt.Length());
}
else
{
InBandwidth.AddBits(pkt.Length());
}
bool drop = false;
bool edit = false;
if (enabled)
{
for (int x = 0; x < modules.Count; x++)
{
FirewallModule fm = modules.GetModule(x);
PacketMainReturn pmr = fm.PacketMain(ref pkt);
if (pmr == null)
continue;
if ((pmr.returnType & PacketMainReturnType.Log) == PacketMainReturnType.Log && pmr.logMessage != null)
{
LogCenter.Instance.Push(pmr);
}
if ((pmr.returnType & PacketMainReturnType.Drop) == PacketMainReturnType.Drop)
{
drop = true;
break;
}
if ((pmr.returnType & PacketMainReturnType.Edited) == PacketMainReturnType.Edited)
{
edit = true;
}
}
}
if (!drop)
{
if (pkt.Outbound)
Ndisapi.SendPacketToAdapter(hNdisapi, ref Request);
else
Ndisapi.SendPacketToMstcp(hNdisapi, ref Request);
}
else
pcaplog.AddPacket(pkt.Data(), (int)pkt.Length());
}
//OM NOM NOM PASTA!
while (processQueue.Count != 0)
{
Packet pkt = processQueue.Dequeue().MakeNextLayerPacket();
if (pkt.Outbound)
{
OutBandwidth.AddBits(pkt.Length());
}
else
{
InBandwidth.AddBits(pkt.Length());
}
bool drop = false;
bool edit = false;
if (enabled)
{
for (int x = 0; x < modules.Count; x++)
{
FirewallModule fm = modules.GetModule(x);
PacketMainReturn pmr = fm.PacketMain(ref pkt);
if (pmr == null)
continue;
if ((pmr.returnType & PacketMainReturnType.Log) == PacketMainReturnType.Log && pmr.logMessage != null)
{
LogCenter.Instance.Push(pmr.Module, pmr.logMessage);
}
if ((pmr.returnType & PacketMainReturnType.Drop) == PacketMainReturnType.Drop)
{
drop = true;
break;
}
if ((pmr.returnType & PacketMainReturnType.Edited) == PacketMainReturnType.Edited)
{
edit = true;
}
}
}
if (!drop)
{
if (pkt.Outbound)
Ndisapi.SendPacketToAdapter(hNdisapi, ref Request);
else
Ndisapi.SendPacketToMstcp(hNdisapi, ref Request);
}
else
pcaplog.AddPacket(pkt.Data(), (int)pkt.Length());
}
hEvent.Reset();
}
}
catch (Exception tae)
{
Marshal.FreeHGlobal(PacketBufferIntPtr);
}
}
public EETHPacket(EthPacket eth)
: base(eth.data)
{
}
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
PacketMainReturn pmr;
float av = 0;
if (in_packet.ContainsLayer(Protocol.TCP))
{
// if we're in cloaked mode, respond with the SYN ACK
// More information about this in the GUI code and help string
if (data.cloaked_mode && ((TCPPacket)in_packet).SYN)
{
TCPPacket from = (TCPPacket)in_packet;
EthPacket eth = new EthPacket(60);
eth.FromMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
eth.ToMac = from.FromMac;
eth.Proto = new byte[2] { 0x08, 0x00 };
IPPacket ip = new IPPacket(eth);
ip.DestIP = from.SourceIP;
ip.SourceIP = from.DestIP;
ip.NextProtocol = 0x06;
ip.TotalLength = 40;
ip.HeaderChecksum = ip.GenerateIPChecksum;
TCPPacket tcp = new TCPPacket(ip);
tcp.SourcePort = from.DestPort;
tcp.DestPort = from.SourcePort;
tcp.SequenceNumber = (uint)new Random().Next();
tcp.AckNumber = 0;
tcp.WindowSize = 8192;
tcp.SYN = true;
tcp.ACK = true;
tcp.Checksum = tcp.GenerateChecksum;
tcp.Outbound = true;
adapter.SendPacket(tcp);
}
try
{
TCPPacket packet = (TCPPacket)in_packet;
// if the IP is in the blockcache, then return
if (data.BlockCache.ContainsKey(packet.SourceIP))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
return pmr;
}
// checking for TTL allows us to rule out the local network
// Don't check for TCP flags because we can make an educated guess that if 100+ of our ports are
// fingered with a short window, we're being scanned. this will detect syn, ack, null, xmas, etc. scans.
if ((!packet.Outbound) && (packet.TTL < 250))
{
IPObj tmp;
if (ip_table.ContainsKey(packet.SourceIP))
tmp = (IPObj)ip_table[packet.SourceIP];
else
tmp = new IPObj(packet.SourceIP);
// add the port to the ipobj, set the access time, and update the table
tmp.addPort(packet.DestPort);
tmp.time(packet.PacketTime);
ip_table[packet.SourceIP] = tmp;
av = tmp.getAverage();
// if they've touched more than 100 ports in less than 30 seconds and the average
// packet time was less than 2s, something's wrong
if (tmp.getTouchedPorts().Count >= 100 && (!tmp.Reported) &&
tmp.getAverage() < 2000 )
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow;
pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP,
tmp.getTouchedPorts().Count, tmp.getAverage());
// set the reported status of the IP address
ip_table[packet.SourceIP].Reported = true;
// add the address to the potential list of IPs and to the local SESSION-BASED list
if (!data.blockImmediately)
{
potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]);
detect.addPotential(packet.SourceIP);
}
// else we want to block it immediately
else
data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]);
return pmr;
}
}
}
catch (Exception e)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log;
pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace);
return pmr;
}
}
// This will detect UDP knockers. typically UDP scans are slower, but are combined with SYN scans
// (-sSU in nmap) so we'll be sure to check for these guys too.
else if (in_packet.ContainsLayer(Protocol.UDP))
{
try
{
UDPPacket packet = (UDPPacket)in_packet;
// if the source addr is in the block cache, return
if (data.BlockCache.ContainsKey(packet.SourceIP))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
return pmr;
}
if ((!packet.Outbound) && (packet.TTL < 250) &&
(!packet.isDNS()))
{
IPObj tmp;
if (ip_table.ContainsKey(packet.SourceIP))
tmp = (IPObj)ip_table[packet.SourceIP];
else
tmp = new IPObj(packet.SourceIP);
tmp.addPort(packet.DestPort);
tmp.time(packet.PacketTime);
ip_table[packet.SourceIP] = tmp;
av = tmp.getAverage();
if ((tmp.getTouchedPorts().Count >= 100) && (!tmp.Reported) &&
(tmp.getAverage() < 2000))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow;
pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP,
tmp.getTouchedPorts().Count, tmp.getAverage());
ip_table[packet.SourceIP].Reported = true;
if (!data.blockImmediately)
{
potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]);
detect.addPotential(packet.SourceIP);
}
else
data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]);
return pmr;
}
}
}
catch (Exception e)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log;
pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace);
return pmr;
}
}
return null;
}
public EETHPacket(EthPacket eth)
: base(eth.data)
{
}
