/// <summary>
/// Builds an outbound TCP segment with RST and ACK set, the reply a host
/// gives when a connection attempt reaches a closed port.
/// </summary>
/// <param name="fromMac">Written to the Ethernet source MAC.</param>
/// <param name="toMac">Written to the Ethernet destination MAC.</param>
/// <param name="fromIP">Address bytes written to the IP <c>DestIP</c> field (see note in body).</param>
/// <param name="toIP">Address bytes written to the IP <c>SourceIP</c> field (see note in body).</param>
/// <param name="fromPort">Written to the TCP source port.</param>
/// <param name="toPort">Written to the TCP destination port.</param>
/// <param name="ackNumber">Value placed in the TCP acknowledgement field.</param>
/// <returns>The assembled packet, flagged as outbound.</returns>
public static TCPPacket MakePortClosedPacket(byte[] fromMac, byte[] toMac, byte[] fromIP, byte[] toIP, ushort fromPort, ushort toPort, uint ackNumber)
{
    // Link layer. 0x0800 is the EtherType for IPv4; 60 is presumably the frame size in bytes.
    EthPacket frame = new EthPacket(60);
    frame.FromMac = fromMac;
    frame.ToMac = toMac;
    frame.Proto = new byte[] { 0x08, 0x00 };

    // Network layer. Protocol 0x06 is TCP; 40 presumably covers a 20-byte IP header
    // plus a 20-byte TCP header with no payload.
    // NOTE(review): MAC and port follow from -> to, but the IP addresses are assigned the
    // other way round (fromIP -> DestIP, toIP -> SourceIP). Confirm against the callers
    // whether this is intentional before relying on the parameter names.
    IPPacket ipLayer = new IPPacket(frame);
    ipLayer.DestIP = new IPAddress(fromIP);
    ipLayer.SourceIP = new IPAddress(toIP);
    ipLayer.NextProtocol = 0x06;
    ipLayer.TotalLength = 40;
    ipLayer.HeaderChecksum = ipLayer.GenerateIPChecksum;

    // Transport layer. The checksum is generated last, after every header field is set.
    TCPPacket reset = new TCPPacket(ipLayer);
    reset.SourcePort = fromPort;
    reset.DestPort = toPort;
    reset.SequenceNumber = 0u;
    reset.AckNumber = ackNumber;
    reset.WindowSize = 8192;
    reset.ACK = true;
    reset.RST = true;
    reset.Checksum = reset.GenerateChecksum;
    reset.Outbound = true;

    return reset;
}
/// <summary>
/// Wraps the buffer of an existing IP packet as an ICMP packet.
/// </summary>
/// <param name="eth">IP packet whose <c>data</c> buffer is handed to the base constructor.</param>
/// <exception cref="Exception">Thrown when <c>isICMP()</c> reports that the packet is not ICMP.</exception>
public ICMPPacket(IPPacket eth)
    : base(eth.data)
{
    if (!isICMP())
    {
        throw new Exception("Not an ICMP packet!");
    }

    // The ICMP layer begins where the base layer ends.
    // NOTE(review): this offset is derived from the packet's own header fields; confirm the
    // base layer validates it against the buffer size before anything indexes from `start`.
    var baseStart = base.LayerStart();
    start = baseStart + base.LayerLength();
}
/// <summary>
/// Wraps the buffer of an existing IP packet as a UDP packet.
/// </summary>
/// <param name="eth">IP packet whose <c>data</c> buffer is handed to the base constructor.</param>
/// <exception cref="Exception">Thrown when <c>isUDP()</c> reports that the packet is not UDP.</exception>
public UDPPacket(IPPacket eth)
    : base(eth.data)
{
    if (!isUDP())
    {
        throw new Exception("Not a UDP packet!");
    }

    // Carry the "built by code" marker over from the wrapped packet.
    if (eth.CodeGenerated)
    {
        this.CodeGenerated = true;
    }

    // The UDP layer begins where the base layer ends.
    // NOTE(review): this offset is derived from the packet's own header fields; confirm the
    // base layer validates it against the buffer size before anything indexes from `start`.
    var baseStart = base.LayerStart();
    start = baseStart + base.LayerLength();
}
/// <summary>
/// Wraps the buffer of an existing IP packet as an ICMPv6 packet.
/// </summary>
/// <param name="eth">IP packet whose <c>data</c> buffer is handed to the base constructor.</param>
/// <exception cref="Exception">Thrown when <c>isICMPv6()</c> reports that the packet is not ICMPv6.</exception>
public ICMPv6Packet(IPPacket eth)
    : base(eth.data)
{
    if (!isICMPv6())
    {
        throw new Exception("Not an ICMPv6 packet!");
    }

    // The ICMPv6 layer begins where the base layer ends.
    // NOTE(review): both `start` and `length` come from header fields of the packet itself;
    // confirm they are validated against the buffer size before being used as offsets.
    var baseStart = base.LayerStart();
    start = baseStart + base.LayerLength();

    // Carry the "built by code" marker over from the wrapped packet.
    if (eth.CodeGenerated)
    {
        this.CodeGenerated = true;
    }

    length = base.TotalLength;
}
/// <summary>
/// Creates a UDP view over the buffer of an already-parsed IP packet.
/// </summary>
/// <param name="eth">Source IP packet; its <c>data</c> buffer is passed to the base constructor.</param>
/// <exception cref="Exception">Raised if <c>isUDP()</c> returns false for this buffer.</exception>
public UDPPacket(IPPacket eth)
    : base(eth.data)
{
    // Refuse anything the protocol check does not recognise as UDP.
    if (!isUDP())
        throw new Exception("Not a UDP packet!");

    // A packet built in code stays marked as such once wrapped.
    if (eth.CodeGenerated)
        this.CodeGenerated = true;

    // UDP header offset = start of the base layer + that layer's length.
    // NOTE(review): the offset depends on header fields read from the packet; verify that
    // the base layer bounds-checks it before `start` is used to index the buffer.
    var offsetOfBaseLayer = base.LayerStart();
    var lengthOfBaseLayer = base.LayerLength();
    start = offsetOfBaseLayer + lengthOfBaseLayer;
}
/// <summary>
/// Wraps the buffer of an existing IP packet as a TCP packet and records the
/// TCP header length.
/// </summary>
/// <param name="eth">IP packet whose <c>data</c> buffer is handed to the base constructor.</param>
/// <exception cref="Exception">Thrown when <c>isTCP()</c> reports that the packet is not TCP.</exception>
public TCPPacket(IPPacket eth)
    : base(eth.data)
{
    if (!isTCP())
    {
        throw new Exception("Not a TCP packet!");
    }

    // The TCP layer begins where the base layer ends.
    var baseStart = base.LayerStart();
    start = baseStart + base.LayerLength();

    // NOTE(review): byte `start + 12` is accessed through a raw pointer below (written for
    // code-generated packets, read for all packets) with no visible bounds check. `start`
    // derives from header fields of the packet, so a truncated or malformed frame could put
    // this access outside the buffer. Validate against the buffer size here or in the base layer.
    if (eth.CodeGenerated)
    {
        this.CodeGenerated = true;

        // 0x50: data offset of 5 words (a 20-byte header, no options), reserved bits clear.
        data->m_IBuffer[start + 12] = 0x50;
    }

    // The upper four bits of byte 12 hold the header length in 32-bit words.
    // NOTE(review): a data offset below 5 yields a length under 20 bytes and is not rejected here.
    var dataOffsetWords = data->m_IBuffer[start + 12] >> 4;
    length = (uint)(dataOffsetWords * 4);
}
/// <summary>
/// Creates an ICMPv6 view over the buffer of an already-parsed IP packet.
/// </summary>
/// <param name="eth">Source IP packet; its <c>data</c> buffer is passed to the base constructor.</param>
/// <exception cref="Exception">Raised if <c>isICMPv6()</c> returns false for this buffer.</exception>
public ICMPv6Packet(IPPacket eth)
    : base(eth.data)
{
    // Refuse anything the protocol check does not recognise as ICMPv6.
    if (!isICMPv6())
        throw new Exception("Not an ICMPv6 packet!");

    // ICMPv6 offset = start of the base layer + that layer's length.
    // NOTE(review): `start` and `length` are taken from the packet's own header fields;
    // verify they are bounds-checked before either is used to index the buffer.
    var offsetOfBaseLayer = base.LayerStart();
    var lengthOfBaseLayer = base.LayerLength();
    start = offsetOfBaseLayer + lengthOfBaseLayer;

    // A packet built in code stays marked as such once wrapped.
    if (eth.CodeGenerated)
        this.CodeGenerated = true;

    length = base.TotalLength;
}
/// <summary>
/// Creates a TCP view over the buffer of an already-parsed IP packet and
/// derives the TCP header length from the data-offset field.
/// </summary>
/// <param name="eth">Source IP packet; its <c>data</c> buffer is passed to the base constructor.</param>
/// <exception cref="Exception">Raised if <c>isTCP()</c> returns false for this buffer.</exception>
public TCPPacket(IPPacket eth)
    : base(eth.data)
{
    // Refuse anything the protocol check does not recognise as TCP.
    if (!isTCP())
        throw new Exception("Not a TCP packet!");

    // TCP header offset = start of the base layer + that layer's length.
    var offsetOfBaseLayer = base.LayerStart();
    var lengthOfBaseLayer = base.LayerLength();
    start = offsetOfBaseLayer + lengthOfBaseLayer;

    // NOTE(review): the raw-pointer accesses at `start + 12` below have no visible bounds
    // check, and `start` depends on header fields read from the packet. A short or malformed
    // frame could move this access past the end of the buffer; check the size first.
    if (eth.CodeGenerated)
    {
        this.CodeGenerated = true;

        // Freshly built packets get a default data offset of 5 words (20-byte header).
        data->m_IBuffer[start + 12] = 0x50;
    }

    // Header length in bytes = high nibble of byte 12 (32-bit words) * 4.
    // NOTE(review): values below 5 words (under 20 bytes) are accepted as-is.
    var headerWords = data->m_IBuffer[start + 12] >> 4;
    length = (uint)(headerWords * 4);
}
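/// <summary>
/// Builds an outbound TCP SYN segment with a randomly chosen initial sequence number.
/// </summary>
/// <param name="fromMac">Written to the Ethernet source MAC.</param>
/// <param name="toMac">Written to the Ethernet destination MAC.</param>
/// <param name="fromIP">Address bytes written to the IP <c>DestIP</c> field (see note in body).</param>
/// <param name="toIP">Address bytes written to the IP <c>SourceIP</c> field (see note in body).</param>
/// <param name="fromPort">Written to the TCP source port.</param>
/// <param name="toPort">Written to the TCP destination port.</param>
/// <returns>The assembled packet, flagged as outbound.</returns>
public static TCPPacket MakeSynPacket(byte[] fromMac, byte[] toMac, byte[] fromIP, byte[] toIP, ushort fromPort, ushort toPort)
{
    // Link layer. 0x0800 is the EtherType for IPv4; 60 is presumably the frame size in bytes.
    EthPacket e = new EthPacket(60);
    e.FromMac = fromMac;
    e.ToMac = toMac;
    e.Proto = new byte[2] { 0x08, 0x00 };

    // Network layer. Protocol 0x06 is TCP; 40 presumably covers a 20-byte IP header
    // plus a 20-byte TCP header with no payload.
    // NOTE(review): MAC and port follow from -> to, but the IP addresses are assigned the
    // other way round (fromIP -> DestIP, toIP -> SourceIP). Confirm against the callers
    // whether this is intentional before relying on the parameter names.
    IPPacket ip = new IPPacket(e);
    ip.DestIP = new IPAddr(fromIP);
    ip.SourceIP = new IPAddr(toIP);
    ip.NextProtocol = 0x06;
    ip.TotalLength = 40;
    ip.HeaderChecksum = ip.GenerateIPChecksum;

    TCPPacket tcp = new TCPPacket(ip);
    tcp.SourcePort = fromPort;
    tcp.DestPort = toPort;

    // Initial sequence number. The previous `new Random().Next()` was time-seeded on older
    // runtimes (calls close together could repeat a value), never set the top bit, and is
    // not meant for unpredictable values. Draw all 32 bits from the system CSPRNG instead.
    byte[] isnBytes = new byte[4];
    using (System.Security.Cryptography.RandomNumberGenerator rng = System.Security.Cryptography.RandomNumberGenerator.Create())
    {
        rng.GetBytes(isnBytes);
    }
    tcp.SequenceNumber = BitConverter.ToUInt32(isnBytes, 0);

    tcp.AckNumber = 0;
    tcp.WindowSize = 8192;
    tcp.SYN = true;

    // The checksum is generated last, after every header field is set.
    tcp.Checksum = tcp.GenerateChecksum;
    tcp.Outbound = true;
    return tcp;
}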
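/// <summary>
/// Port-scan detection for one packet. Tracks, per source address, the ports touched by
/// inbound TCP SYNs and inbound non-DNS UDP datagrams, and reports a source once it
/// crosses the scan threshold. In cloaked mode it also answers bare SYNs with a SYN-ACK.
/// </summary>
/// <param name="in_packet">The packet under inspection.</param>
/// <returns>
/// <c>Drop</c> when the source is already in the block cache; <c>Log | Allow</c> on the
/// packet that first takes a source over the threshold; <c>Allow</c> otherwise, including
/// when an exception is caught and logged.
/// </returns>
/// <remarks>
/// NOTE(review): source addresses are taken from the packet and are not authenticated, and
/// the TTL test is only a heuristic. Forged traffic can therefore (a) get a legitimate
/// address added to the block cache when <c>blockImmediately</c> is set, and (b) add an
/// entry to <c>ip_table</c> per forged address; nothing visible here expires those entries.
/// Consider an allow-list for critical peers and a size or age limit on the table.
/// </remarks>
public override PacketMainReturnType interiorMain(ref Packet in_packet)
{
    if (in_packet.ContainsLayer(Protocol.TCP))
    {
        // Cloaked mode: respond to a bare SYN with a SYN-ACK.
        // More information about this in the GUI code and help string.
        // NOTE(review): this runs before the block-cache lookup and does not test
        // packet.Outbound, so locally originated SYNs and blocked sources are answered too.
        // Confirm that is intended.
        if (data.cloaked_mode)
        {
            TCPPacket probe = (TCPPacket)in_packet;
            if (probe.SYN && !probe.ACK)
            {
                SendCloakedSynAck(probe);
            }
        }

        try
        {
            TCPPacket packet = (TCPPacket)in_packet;
            IPAddr source = packet.SourceIP;

            // If the IP is in the block cache, drop the packet.
            if (data.BlockCache == null)
            {
                data.BlockCache = new SerializableDictionary<IPAddr, IPObj>();
            }
            if (data.BlockCache.ContainsKey(source))
            {
                return PacketMainReturnType.Drop;
            }

            // Checking the TTL is meant to rule out the local network. Only bare SYNs
            // (SYN set, ACK clear) are counted here, so ACK, NULL and Xmas probes are
            // not tracked by this branch.
            if ((!packet.Outbound) && (packet.TTL < 250) && packet.SYN && !packet.ACK)
            {
                IPObj entry = LookupOrCreateScanEntry(source);

                // Add the port to the entry and store it back in the table.
                entry.addPort(packet.DestPort);
                ip_table[source] = entry;

                if (ReportScanIfThresholdReached(source, entry))
                {
                    return PacketMainReturnType.Log | PacketMainReturnType.Allow;
                }
            }
        }
        catch (Exception e)
        {
            // Best effort: a failure in detection must not block traffic.
            LogCenter.Instance.LogException(e);
            return PacketMainReturnType.Allow;
        }
    }
    // This will detect UDP knockers. Typically UDP scans are slower, but are combined with
    // SYN scans (-sSU in nmap), so check for these too.
    else if (in_packet.ContainsLayer(Protocol.UDP))
    {
        try
        {
            UDPPacket packet = (UDPPacket)in_packet;
            IPAddr source = packet.SourceIP;

            // Same lazy initialisation as the TCP branch. Without it, a UDP packet that
            // arrived before any TCP packet hit a null reference, which the catch below
            // logged and turned into Allow, so UDP tracking did nothing until then.
            if (data.BlockCache == null)
            {
                data.BlockCache = new SerializableDictionary<IPAddr, IPObj>();
            }

            // If the source address is in the block cache, drop the packet.
            if (data.BlockCache.ContainsKey(source))
            {
                return PacketMainReturnType.Drop;
            }

            if ((!packet.Outbound) && (packet.TTL < 250) && (!packet.isDNS()))
            {
                IPObj entry = LookupOrCreateScanEntry(source);
                entry.addPort(packet.DestPort);
                ip_table[source] = entry;

                if (ReportScanIfThresholdReached(source, entry))
                {
                    return PacketMainReturnType.Log | PacketMainReturnType.Allow;
                }
            }
        }
        catch (Exception e)
        {
            // Best effort: a failure in detection must not block traffic.
            LogCenter.Instance.LogException(e);
            return PacketMainReturnType.Allow;
        }
    }

    return PacketMainReturnType.Allow;
}

// Sends the cloaked-mode SYN-ACK reply to the sender of the given SYN.
private void SendCloakedSynAck(TCPPacket from)
{
    // Link layer: from this adapter's MAC back to the sender's MAC. 0x0800 is IPv4.
    EthPacket eth = new EthPacket(60);
    eth.FromMac = Adapter.GetAdapterInformation().InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
    eth.ToMac = from.FromMac;
    eth.Proto = new byte[2] { 0x08, 0x00 };

    // Network layer: addresses swapped relative to the SYN. Protocol 0x06 is TCP.
    IPPacket ip = new IPPacket(eth);
    ip.DestIP = from.SourceIP;
    ip.SourceIP = from.DestIP;
    ip.NextProtocol = 0x06;
    ip.TotalLength = 40;
    ip.HeaderChecksum = ip.GenerateIPChecksum;

    // Transport layer: ports swapped, SYN and ACK set.
    // NOTE(review): AckNumber is 0 rather than the probe's sequence number + 1, and the
    // sequence number comes from a fresh System.Random per packet; confirm both are
    // acceptable for this reply.
    TCPPacket tcp = new TCPPacket(ip);
    tcp.SourcePort = from.DestPort;
    tcp.DestPort = from.SourcePort;
    tcp.SequenceNumber = (uint)new Random().Next();
    tcp.AckNumber = 0;
    tcp.WindowSize = 8192;
    tcp.SYN = true;
    tcp.ACK = true;
    tcp.Checksum = tcp.GenerateChecksum;
    tcp.Outbound = true;

    Adapter.SendPacket(tcp);
}

// Returns the tracking entry for a source, creating the table and the entry on first use.
private IPObj LookupOrCreateScanEntry(IPAddr source)
{
    if (ip_table == null)
    {
        ip_table = new Dictionary<IPAddr, IPObj>();
    }

    IPObj entry;
    if (!ip_table.TryGetValue(source, out entry))
    {
        entry = new IPObj(source);
    }
    return entry;
}

// Logs and records a source the first time it crosses the scan threshold; returns true if it did.
private bool ReportScanIfThresholdReached(IPAddr source, IPObj entry)
{
    // Threshold: at least 100 touched ports, not yet reported, average below 2000.
    // The original comment describes this as more than 100 ports in under 30 seconds with
    // an average packet time under 2s; the 30-second window is not visible in this method.
    if (!(entry.getTouchedPorts().Count >= 100 && (!entry.Reported) && entry.getAverage() < 2000))
    {
        return false;
    }

    LogEvent le = new LogEvent(String.Format(multistring.GetString("Touched Ports"), source.ToString(), entry.getTouchedPorts().Count, entry.getAverage()), this);
    LogCenter.Instance.LogEvent(le);

    // Mark the source as reported so it is only logged once.
    entry.Reported = true;

    if (!data.blockImmediately)
    {
        // Add the address to the potential list and to the local session-based list.
        potentials.Add(source, entry);
        detect.addPotential(source);
    }
    else
    {
        // Block it immediately.
        data.BlockCache.Add(source, entry);
    }
    return true;
}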
/// <summary>
/// Creates an ICMP view over the buffer of an already-parsed IP packet.
/// </summary>
/// <param name="eth">Source IP packet; its <c>data</c> buffer is passed to the base constructor.</param>
/// <exception cref="Exception">Raised if <c>isICMP()</c> returns false for this buffer.</exception>
public ICMPPacket(IPPacket eth)
    : base(eth.data)
{
    // Refuse anything the protocol check does not recognise as ICMP.
    if (!isICMP())
    {
        throw new Exception("Not an ICMP packet!");
    }

    // ICMP offset = start of the base layer + that layer's length.
    // NOTE(review): the offset depends on header fields read from the packet; verify that
    // the base layer bounds-checks it before `start` is used to index the buffer.
    var offsetOfBaseLayer = base.LayerStart();
    var lengthOfBaseLayer = base.LayerLength();
    start = offsetOfBaseLayer + lengthOfBaseLayer;
}