Example #1
        public void ReceiveAndHandleReply_NBNS_InvalidFlags_NotInNetwork()
        {
            // An NBNS reply whose flags word is 0x8503 (low nibble, the RCODE, is 3) must be
            // classified as a false positive with the "NBNS target not in network" error and
            // must not be reported as a detection.
            // Layout: id 0x81c6, flags 0x8503, 0 questions, 1 answer, a 32-byte encoded NetBIOS
            // name, type 0x0020, class 0x0001, TTL 0xa5, 6 bytes of rdata ending in c0 a8 01 18.
            byte[] replyDatagram =
            {
                0x81, 0xc6, 0x85, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x20, 0x46, 0x48, 0x46,
                0x41, 0x45, 0x42, 0x45, 0x45, 0x43, 0x4e, 0x46, 0x41, 0x46, 0x43, 0x45, 0x50, 0x46, 0x49, 0x46,
                0x4a, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x00, 0x00, 0x20,
                0x00, 0x01, 0x00, 0x00, 0x00, 0xa5, 0x00, 0x06, 0x00, 0x00, 0xc0, 0xa8, 0x01, 0x18
            };
            var mockActioner = new ClientMockActioner
            {
                ReceiveBuffer = replyDatagram,
                ReceiveEndPoint = new IPEndPoint(IPAddress.Parse(RemoteAddress), RemoteNBNSPort)
            };
            byte[] requestTransactionId = { 0x00, 0x00 };

            using (var socket = new Socket(SocketType.Dgram, ProtocolType.Udp))
            {
                var nameService = new NameServiceClientImpl();
                SpoofDetectionResult outcome =
                    nameService.ReceiveAndHandleReply(socket, Protocol.NBNS, requestTransactionId, mockActioner);

                Assert.AreEqual("NBNS target not in network", outcome.ErrorMessage);
                Assert.AreEqual(ConfidenceLevel.FalsePositive, outcome.Confidence);
                Assert.AreEqual(false, outcome.Detected);

                // The sender's endpoint is still recorded even though the reply is rejected.
                Assert.AreEqual(RemoteAddress, outcome.Endpoint.Address.ToString());
                Assert.AreEqual(RemoteNBNSPort, outcome.Endpoint.Port);

                Assert.IsNull(outcome.Response);
                Assert.AreEqual(Protocol.Unknown, outcome.Protocol);
            }
        }
Example #2
        public void ReceiveAndHandleReply_mDNS_InvalidFlags_RequestCase()
        {
            // A datagram that carries an answer record but whose flags word is 0x0000 (QR bit
            // clear, i.e. marked as a query) must be rejected as a false positive instead of being
            // treated as a spoofed answer.
            // apple-tv.local record: id 0x0000, flags 0x0000, 0 questions, 1 answer,
            // labels "apple-tv" / "local", type 1, class 1, TTL 0x78, 4 bytes of rdata c0 a8 01 18.
            byte[] queryFlaggedDatagram =
            {
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x08, 0x61, 0x70, 0x70,
                0x6c, 0x65, 0x2d, 0x74, 0x76, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x00, 0x00, 0x01, 0x00, 0x01,
                0x00, 0x00, 0x00, 0x78, 0x00, 0x04, 0xc0, 0xa8, 0x01, 0x18
            };
            var mockActioner = new ClientMockActioner
            {
                ReceiveBuffer = queryFlaggedDatagram,
                ReceiveEndPoint = new IPEndPoint(IPAddress.Parse(RemoteAddress), RemotemDNSPort)
            };
            byte[] requestTransactionId = { 0x00, 0x00 };

            using (var socket = new Socket(SocketType.Dgram, ProtocolType.Udp))
            {
                var nameService = new NameServiceClientImpl();
                SpoofDetectionResult outcome =
                    nameService.ReceiveAndHandleReply(socket, Protocol.mDNS, requestTransactionId, mockActioner);

                Assert.AreEqual("Received mDNS query but expected response", outcome.ErrorMessage);
                Assert.AreEqual(ConfidenceLevel.FalsePositive, outcome.Confidence);
                Assert.AreEqual(false, outcome.Detected);

                // The sender's endpoint is still recorded even though the datagram is rejected.
                Assert.AreEqual(RemoteAddress, outcome.Endpoint.Address.ToString());
                Assert.AreEqual(RemotemDNSPort, outcome.Endpoint.Port);

                Assert.IsNull(outcome.Response);
                Assert.AreEqual(Protocol.Unknown, outcome.Protocol);
            }
        }
Example #3
        public void ReceiveAndHandleReply_NBNS_Detected()
        {
            // A well-formed NBNS positive reply (flags 0x8500) must be reported as a detection
            // with Low confidence, and the answered address must be surfaced in Response.
            // WPAD-PROXY Responder response: id 0x81c6, flags 0x8500, 0 questions, 1 answer,
            // 32-byte encoded NetBIOS name, type 0x0020, class 0x0001, TTL 0xa5, 6 bytes of rdata
            // ending in c0 a8 01 18 (presumably the value of RemoteAddress; the constant is
            // defined outside this method).
            // NOTE(review): the reply's id (0x81c6) differs from the request id passed below
            // ({0x00, 0x00}) and detection is still expected, so this test does not exercise
            // transaction-id matching. Confirm whether the implementation is meant to check it.
            byte[] spoofedReply =
            {
                0x81, 0xc6, 0x85, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x20, 0x46, 0x48, 0x46,
                0x41, 0x45, 0x42, 0x45, 0x45, 0x43, 0x4e, 0x46, 0x41, 0x46, 0x43, 0x45, 0x50, 0x46, 0x49, 0x46,
                0x4a, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x00, 0x00, 0x20,
                0x00, 0x01, 0x00, 0x00, 0x00, 0xa5, 0x00, 0x06, 0x00, 0x00, 0xc0, 0xa8, 0x01, 0x18
            };
            var mockActioner = new ClientMockActioner
            {
                ReceiveBuffer = spoofedReply,
                ReceiveEndPoint = new IPEndPoint(IPAddress.Parse(RemoteAddress), RemoteNBNSPort)
            };
            byte[] requestTransactionId = { 0x00, 0x00 };

            using (var socket = new Socket(SocketType.Dgram, ProtocolType.Udp))
            {
                var nameService = new NameServiceClientImpl();
                SpoofDetectionResult outcome =
                    nameService.ReceiveAndHandleReply(socket, Protocol.NBNS, requestTransactionId, mockActioner);

                Assert.AreEqual(RemoteAddress, outcome.Response);
                Assert.AreEqual(ConfidenceLevel.Low, outcome.Confidence);
                Assert.AreEqual(true, outcome.Detected);

                // The responding host is identified by the endpoint the datagram came from.
                Assert.AreEqual(RemoteAddress, outcome.Endpoint.Address.ToString());
                Assert.AreEqual(RemoteNBNSPort, outcome.Endpoint.Port);

                Assert.IsNull(outcome.ErrorMessage);
                Assert.AreEqual(Protocol.NBNS, outcome.Protocol);
            }
        }
Example #4
        public void ReceiveAndHandleReply_LLMNR_InvalidFlags()
        {
            // An LLMNR reply whose flags word is anything other than 0x8000 (0xDEAD here) must be
            // rejected as a false positive with an explanatory error message.
            // Layout: id 0x8e32, flags 0xDEAD, 1 question, 1 answer, label "ProxySvc" in both the
            // question and the answer, type 1, class 1, TTL 0x1e, 4 bytes of rdata c0 a8 01 18.
            byte[] badFlagsReply =
            {
                0x8e, 0x32, 0xDE, 0xAD, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x08, 0x50, 0x72, 0x6f,
                0x78, 0x79, 0x53, 0x76, 0x63, 0x00, 0x00, 0x01, 0x00, 0x01, 0x08, 0x50, 0x72, 0x6f, 0x78, 0x79,
                0x53, 0x76, 0x63, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x04, 0xc0, 0xa8,
                0x01, 0x18
            };
            var mockActioner = new ClientMockActioner
            {
                ReceiveBuffer = badFlagsReply,
                ReceiveEndPoint = new IPEndPoint(IPAddress.Parse(RemoteAddress), RemoteLLMNRPort)
            };
            byte[] requestTransactionId = { 0x00, 0x00 };

            using (var socket = new Socket(SocketType.Dgram, ProtocolType.Udp))
            {
                var nameService = new NameServiceClientImpl();
                SpoofDetectionResult outcome =
                    nameService.ReceiveAndHandleReply(socket, Protocol.LLMNR, requestTransactionId, mockActioner);

                Assert.AreEqual("Did not expect LLMNR flags other than 0x8000", outcome.ErrorMessage);
                Assert.AreEqual(ConfidenceLevel.FalsePositive, outcome.Confidence);
                Assert.AreEqual(false, outcome.Detected);

                // The sender's endpoint is still recorded even though the reply is rejected.
                Assert.AreEqual(RemoteAddress, outcome.Endpoint.Address.ToString());
                Assert.AreEqual(RemoteLLMNRPort, outcome.Endpoint.Port);

                Assert.IsNull(outcome.Response);
                Assert.AreEqual(Protocol.Unknown, outcome.Protocol);
            }
        }
Example #5
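        public void ReceiveAndHandleReply_DeterministicFuzz()
        {
            // Feeds 10000 generated buffers (one per seed 0..9999) to the LLMNR reply handler.
            // Each input must either produce no result at all or a result classified as a false
            // positive; none may be reported as a detection.
            Parallel.For(0, 10000, (i) =>
            {
                // Parallel.For surfaces assertion failures wrapped in an AggregateException, so
                // every assertion carries the seed. A failing input can then be regenerated with
                // DeterministicFuzzer.GenerateByteArray(seed).
                string seedNote = "fuzz seed " + i;

                using (var client = new Socket(SocketType.Dgram, ProtocolType.Udp))
                {
                    var clientActioner = new ClientMockActioner
                    {
                        ReceiveBuffer   = DeterministicFuzzer.GenerateByteArray(i),
                        ReceiveEndPoint = new IPEndPoint(IPAddress.Parse(RemoteAddress), RemoteLLMNRPort)
                    };

                    SpoofDetectionResult result = new NameServiceClientImpl().ReceiveAndHandleReply(client,
                                                                                                    Protocol.LLMNR, new Byte[] { 0x00, 0x00 },
                                                                                                    clientActioner);

                    // A null result is an accepted outcome (the handler also returns null for an
                    // empty buffer); there is nothing further to check for this seed.
                    if (result == null)
                    {
                        return;
                    }

                    Assert.IsNull(result.Response, seedNote);
                    Assert.AreEqual(ConfidenceLevel.FalsePositive, result.Confidence, seedNote);
                    Assert.AreEqual(false, result.Detected, seedNote);
                    Assert.AreEqual(RemoteAddress, result.Endpoint.Address.ToString(), seedNote);
                    Assert.AreEqual(RemoteLLMNRPort, result.Endpoint.Port, seedNote);
                    Assert.IsNotNull(result.ErrorMessage, seedNote);
                    Assert.AreEqual(Protocol.Unknown, result.Protocol, seedNote);
                }
            });
        }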
Example #6
        public void ReceiveAndHandleReply_LLMNR_Detected()
        {
            // A well-formed LLMNR reply (flags 0x8000) must be reported as a detection with Low
            // confidence, and the answered address must be surfaced in Response.
            // ProxySvc Responder response: id 0x8e32, flags 0x8000, 1 question, 1 answer,
            // label "ProxySvc" in both sections, type 1, class 1, TTL 0x1e, 4 bytes of rdata
            // c0 a8 01 18 (presumably the value of RemoteAddress; the constant is defined
            // outside this method).
            // NOTE(review): the reply's id (0x8e32) differs from the request id passed below
            // ({0x00, 0x00}) and detection is still expected, so this test does not exercise
            // transaction-id matching. Confirm whether the implementation is meant to check it.
            byte[] spoofedReply =
            {
                0x8e, 0x32, 0x80, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x08, 0x50, 0x72, 0x6f,
                0x78, 0x79, 0x53, 0x76, 0x63, 0x00, 0x00, 0x01, 0x00, 0x01, 0x08, 0x50, 0x72, 0x6f, 0x78, 0x79,
                0x53, 0x76, 0x63, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x1e, 0x00, 0x04, 0xc0, 0xa8,
                0x01, 0x18
            };
            var mockActioner = new ClientMockActioner
            {
                ReceiveBuffer = spoofedReply,
                ReceiveEndPoint = new IPEndPoint(IPAddress.Parse(RemoteAddress), RemoteLLMNRPort)
            };
            byte[] requestTransactionId = { 0x00, 0x00 };

            using (var socket = new Socket(SocketType.Dgram, ProtocolType.Udp))
            {
                var nameService = new NameServiceClientImpl();
                SpoofDetectionResult outcome =
                    nameService.ReceiveAndHandleReply(socket, Protocol.LLMNR, requestTransactionId, mockActioner);

                Assert.AreEqual(RemoteAddress, outcome.Response);
                Assert.AreEqual(ConfidenceLevel.Low, outcome.Confidence);
                Assert.AreEqual(true, outcome.Detected);

                // The responding host is identified by the endpoint the datagram came from.
                Assert.AreEqual(RemoteAddress, outcome.Endpoint.Address.ToString());
                Assert.AreEqual(RemoteLLMNRPort, outcome.Endpoint.Port);

                Assert.IsNull(outcome.ErrorMessage);
                Assert.AreEqual(Protocol.LLMNR, outcome.Protocol);
            }
        }
Example #7
        public void ReceiveAndHandleReply_EmptyResponse()
        {
            // A zero-length datagram must yield no result at all (null), not a
            // SpoofDetectionResult describing an error.
            var emptyDatagram = new byte[] { };
            var senderEndPoint = new IPEndPoint(IPAddress.Parse(RemoteAddress), RemoteLLMNRPort);
            var mockActioner = new ClientMockActioner
            {
                ReceiveBuffer = emptyDatagram,
                ReceiveEndPoint = senderEndPoint
            };
            byte[] requestTransactionId = { 0x00, 0x00 };

            using (var socket = new Socket(SocketType.Dgram, ProtocolType.Udp))
            {
                var nameService = new NameServiceClientImpl();
                SpoofDetectionResult outcome =
                    nameService.ReceiveAndHandleReply(socket, Protocol.LLMNR, requestTransactionId, mockActioner);

                Assert.IsNull(outcome);
            }
        }
Example #8
        public void SendRequestTest_mDNS_appletv()
        {
            // An mDNS probe for "appletv" must go out with transaction id 0x0000 to 224.0.0.251
            // on the mDNS port. The address argument passed to SendRequest ("192.168.1.255") is
            // not the destination the test expects.
            var mockActioner = new ClientMockActioner();

            // Everything after the 2-byte id: flags 0x0000, 1 question, no other records,
            // labels "appletv" / "local", type 1, class 1.
            byte[] questionAfterId =
            {
                0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, 0x61, 0x70, 0x70, 0x6C, 0x65,
                0x74, 0x76, 0x05, 0x6C, 0x6F, 0x63, 0x61, 0x6C, 0x00, 0x00, 0x01, 0x00, 0x01
            };

            using (var socket = new Socket(SocketType.Dgram, ProtocolType.Udp))
            {
                var nameService = new NameServiceClientImpl();
                byte[] transactionId =
                    nameService.SendRequest(socket, Protocol.mDNS, "appletv", "192.168.1.255", mockActioner);

                // The expected datagram is the returned id followed by the fixed question bytes.
                byte[] expectedDatagram = transactionId.Concat(questionAfterId).ToArray();

                CollectionAssert.AreEqual(new byte[] { 0x00, 0x00 }, transactionId);
                CollectionAssert.AreEqual(expectedDatagram, mockActioner.LastSendDatagram);
                Assert.AreEqual("224.0.0.251", mockActioner.LastSendHostname);
                Assert.AreEqual(RemotemDNSPort, mockActioner.LastSendPort);
            }
        }
Example #9
        public void SendRequestTest_NBNS_WPAD()
        {
            // An NBNS probe for "WPAD" must be sent to the address given to SendRequest
            // ("192.168.1.255") on the NBNS port. The transaction id is whatever SendRequest
            // returns; its value is not pinned here, only that it prefixes the datagram.
            var mockActioner = new ClientMockActioner();

            // Everything after the 2-byte id: flags 0x0110, 1 question, no other records,
            // a 32-byte encoded NetBIOS name, type 0x0020, class 0x0001.
            byte[] questionAfterId =
            {
                0x01, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x46, 0x48, 0x46, 0x41, 0x45,
                0x42, 0x45, 0x45, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43,
                0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x43, 0x41, 0x00, 0x00, 0x20, 0x00, 0x01
            };

            using (var socket = new Socket(SocketType.Dgram, ProtocolType.Udp))
            {
                var nameService = new NameServiceClientImpl();
                byte[] transactionId =
                    nameService.SendRequest(socket, Protocol.NBNS, "WPAD", "192.168.1.255", mockActioner);

                // The expected datagram is the returned id followed by the fixed question bytes.
                byte[] expectedDatagram = transactionId.Concat(questionAfterId).ToArray();

                CollectionAssert.AreEqual(expectedDatagram, mockActioner.LastSendDatagram);
                Assert.AreEqual("192.168.1.255", mockActioner.LastSendHostname);
                Assert.AreEqual(RemoteNBNSPort, mockActioner.LastSendPort);
            }
        }
Example #10
        public void SendRequestTest_LLMNR_WPAD()
        {
            // An LLMNR probe for "WPAD" must be sent to the address given to SendRequest
            // ("192.168.1.255") on the LLMNR port. The transaction id is whatever SendRequest
            // returns; its value is not pinned here, only that it prefixes the datagram.
            var mockActioner = new ClientMockActioner();

            // Everything after the 2-byte id: flags 0x0000, 1 question, no other records,
            // label "WPAD", type 1, class 1.
            byte[] questionAfterId =
            {
                0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x04, 0x57, 0x50, 0x41, 0x44, 0x00, 0x00, 0x01, 0x00, 0x01
            };

            using (var socket = new Socket(SocketType.Dgram, ProtocolType.Udp))
            {
                var nameService = new NameServiceClientImpl();
                byte[] transactionId =
                    nameService.SendRequest(socket, Protocol.LLMNR, "WPAD", "192.168.1.255", mockActioner);

                // The expected datagram is the returned id followed by the fixed question bytes.
                byte[] expectedDatagram = transactionId.Concat(questionAfterId).ToArray();

                CollectionAssert.AreEqual(expectedDatagram, mockActioner.LastSendDatagram);
                Assert.AreEqual("192.168.1.255", mockActioner.LastSendHostname);
                Assert.AreEqual(RemoteLLMNRPort, mockActioner.LastSendPort);
            }
        }