/// <summary>
/// Wraps the IP layer that follows the Ethernet header of <paramref name="eth"/>.
/// </summary>
/// <param name="eth">Frame whose payload is expected to start with an IPv4 or IPv6 header.</param>
/// <exception cref="Exception">Thrown when the frame carries neither IPv4 nor IPv6.</exception>
public IPPacket(EthPacket eth) : base(eth.data)
{
    if (!isIP() && !isIPv6())
    {
        throw new Exception("Not an IP packet!");
    }

    // The IP header begins where the layer described by the base class (the Ethernet header) ends.
    start = base.LayerStart() + base.LayerLength();

    if (eth.CodeGenerated)
    {
        // Frame was built in code rather than captured: seed a minimal fixed header.
        this.CodeGenerated = true;
        if (isIPv6())
        {
            // Version 6, traffic class 0; the remaining fixed-header fields are left to the caller.
            data->m_IBuffer[start] = 0x60;
            data->m_IBuffer[start + 1] = 0x00;
            this.TTL = 0xff;
        }
        else
        {
            // Version 4, IHL 5 (20-byte header, no options).
            data->m_IBuffer[start] = 0x45;
            this.DiffServicesField = 0x00;
            // NOTE(review): a constant IP ID on every generated packet is easy to fingerprint - confirm whether that matters here.
            this.Identification = 23950;
            this.FragmentOffset = 0;
            this.Flags = 0x40;   // presumably the Don't Fragment bit - confirm how Flags maps onto the header byte
            this.TTL = 128;
        }
    }

    // IPv6 has a fixed 40-byte header; for IPv4 the IHL nibble gives the header length in 32-bit words.
    // NOTE(review): an IHL below 5 (malformed header) is not rejected here and yields a length under 20 - confirm downstream copes.
    length = isIPv6() ? 40u : (uint)((data->m_IBuffer[start] & 0xf) * 4);
}
/// <summary>
/// Builds a TCP RST/ACK segment - the reply that tells a peer the port it probed is closed -
/// inside a freshly allocated 60-byte Ethernet frame.
/// </summary>
/// <param name="fromMac">Source MAC written to the frame.</param>
/// <param name="toMac">Destination MAC written to the frame.</param>
/// <param name="fromIP">Written as the packet's destination IP (note: swapped relative to the MACs and ports).</param>
/// <param name="toIP">Written as the packet's source IP.</param>
/// <param name="fromPort">TCP source port.</param>
/// <param name="toPort">TCP destination port.</param>
/// <param name="ackNumber">Acknowledgement number carried by the RST/ACK; sequence number is 0.</param>
/// <returns>The checksummed segment, flagged Outbound.</returns>
public static TCPPacket MakePortClosedPacket(byte[] fromMac, byte[] toMac, byte[] fromIP, byte[] toIP, ushort fromPort, ushort toPort, uint ackNumber)
{
    EthPacket frame = new EthPacket(60)
    {
        FromMac = fromMac,
        ToMac = toMac,
        Proto = new byte[2] { 0x08, 0x00 },   // EtherType 0x0800 = IPv4
    };

    // NOTE(review): MakeSynPacket wraps addresses in IPAddr while this method uses IPAddress -
    // looks like two revisions of the same file; confirm which type DestIP/SourceIP expect.
    IPPacket ipHeader = new IPPacket(frame)
    {
        DestIP = new IPAddress(fromIP),
        SourceIP = new IPAddress(toIP),
        NextProtocol = 0x06,   // TCP
        TotalLength = 40,      // 20-byte IPv4 header + 20-byte TCP header
    };
    // The IP checksum only covers the IP header, so it can be sealed before the TCP layer is filled.
    ipHeader.HeaderChecksum = ipHeader.GenerateIPChecksum;

    TCPPacket segment = new TCPPacket(ipHeader)
    {
        SourcePort = fromPort,
        DestPort = toPort,
        SequenceNumber = 0,
        AckNumber = ackNumber,
        WindowSize = 8192,
        ACK = true,
        RST = true,
    };
    // Checksum last, once every TCP field it covers is in place.
    segment.Checksum = segment.GenerateChecksum;
    segment.Outbound = true;
    return segment;
}
/// <summary>
/// Wraps the ARP message that follows the Ethernet header of <paramref name="eth"/>.
/// </summary>
/// <param name="eth">Frame whose payload is expected to be ARP.</param>
/// <exception cref="Exception">Thrown when the frame is not ARP.</exception>
public ARPPacket(EthPacket eth) : base(eth.data)
{
    if (!isARP())
    {
        throw new Exception("Not an ARP packet!");
    }

    // ARP occupies everything after the Ethernet header.
    // NOTE(review): nothing checks that at least a full ARP header is present - confirm callers tolerate a short length.
    var ethHeaderLength = base.LayerLength();
    start = base.LayerStart() + ethHeaderLength;
    length = this.Length() - ethHeaderLength;

    if (eth.CodeGenerated)
    {
        // Frame built in code: Ethernet/IPv4 reply with 6-byte hardware and 4-byte protocol addresses.
        // NOTE(review): unlike IPPacket, this does not set this.CodeGenerated - confirm whether that is intended.
        HardwareType = 1;
        ProtocolType = 0x0800;
        HardwareSize = 0x06;
        ProtocolSize = 4;
        ARPOpcode = 0x0002;
    }
}
/// <summary>
/// Wraps the ARP message carried by <paramref name="eth"/> after its Ethernet header.
/// </summary>
/// <param name="eth">Frame whose payload is expected to be ARP.</param>
/// <exception cref="Exception">Thrown when the frame is not ARP.</exception>
public ARPPacket(EthPacket eth) : base(eth.data)
{
    if (!isARP())
    {
        throw new Exception("Not an ARP packet!");
    }

    // Layer bounds: begins right after the Ethernet header and runs to the end of the frame.
    // NOTE(review): a frame shorter than a full ARP header is not rejected here - confirm downstream copes.
    var ethHeaderLength = base.LayerLength();
    start = base.LayerStart() + ethHeaderLength;
    length = this.Length() - ethHeaderLength;

    if (!eth.CodeGenerated)
    {
        return;
    }

    // Frame built in code: default to an Ethernet/IPv4 ARP reply (opcode 2).
    // NOTE(review): this.CodeGenerated is not propagated here, unlike in IPPacket - confirm whether that is intended.
    HardwareType = 1;
    ProtocolType = 0x0800;
    HardwareSize = 0x06;
    ProtocolSize = 4;
    ARPOpcode = 0x0002;
}
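/// <summary>
/// Shared cryptographic RNG for initial sequence numbers. The previous <c>new Random().Next()</c>
/// was time-seeded and only 31 bits wide, so the ISN of every generated SYN was guessable.
/// </summary>
private static readonly System.Security.Cryptography.RandomNumberGenerator s_isnRng =
    System.Security.Cryptography.RandomNumberGenerator.Create();

/// <summary>
/// Builds a TCP SYN (first handshake segment) inside a freshly allocated 60-byte Ethernet frame.
/// </summary>
/// <param name="fromMac">Source MAC written to the frame.</param>
/// <param name="toMac">Destination MAC written to the frame.</param>
/// <param name="fromIP">Written as the packet's destination IP (note: swapped relative to the MACs and ports).</param>
/// <param name="toIP">Written as the packet's source IP.</param>
/// <param name="fromPort">TCP source port.</param>
/// <param name="toPort">TCP destination port.</param>
/// <returns>The checksummed SYN, with a random initial sequence number, flagged Outbound.</returns>
public static TCPPacket MakeSynPacket(byte[] fromMac, byte[] toMac, byte[] fromIP, byte[] toIP, ushort fromPort, ushort toPort)
{
    EthPacket e = new EthPacket(60);
    e.FromMac = fromMac;
    e.ToMac = toMac;
    e.Proto = new byte[2] { 0x08, 0x00 };   // EtherType 0x0800 = IPv4

    IPPacket ip = new IPPacket(e);
    // NOTE(review): the IPs are swapped relative to the MACs and ports here and in MakePortClosedPacket - confirm with callers.
    ip.DestIP = new IPAddr(fromIP);
    ip.SourceIP = new IPAddr(toIP);
    ip.NextProtocol = 0x06;   // TCP
    ip.TotalLength = 40;      // 20-byte IPv4 header + 20-byte TCP header, no options, no payload
    // The IP checksum covers only the IP header, so it can be sealed before the TCP layer is filled.
    ip.HeaderChecksum = ip.GenerateIPChecksum;

    TCPPacket tcp = new TCPPacket(ip);
    tcp.SourcePort = fromPort;
    tcp.DestPort = toPort;
    tcp.SequenceNumber = RandomInitialSequenceNumber();
    tcp.AckNumber = 0;
    tcp.WindowSize = 8192;
    tcp.SYN = true;
    // Checksum last, once every TCP field it covers is in place.
    tcp.Checksum = tcp.GenerateChecksum;
    tcp.Outbound = true;
    return tcp;
}

/// <summary>Draws a full 32-bit initial sequence number from the cryptographic RNG.</summary>
private static uint RandomInitialSequenceNumber()
{
    byte[] isn = new byte[4];
    s_isnRng.GetBytes(isn);
    return BitConverter.ToUInt32(isn, 0);
}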
/// <summary>
/// Wraps the IP layer that follows the Ethernet header of <paramref name="eth"/>.
/// </summary>
/// <param name="eth">Frame whose payload is expected to start with an IPv4 or IPv6 header.</param>
/// <exception cref="Exception">Thrown when the frame carries neither IPv4 nor IPv6.</exception>
public IPPacket(EthPacket eth) : base(eth.data)
{
    if (!isIP() && !isIPv6())
    {
        throw new Exception("Not an IP packet!");
    }

    // The IP header starts where the Ethernet header (the base class's layer) ends.
    start = base.LayerStart() + base.LayerLength();

    if (eth.CodeGenerated)
    {
        this.CodeGenerated = true;
        if (isIPv6())
        {
            // Version 6, traffic class 0; remaining fixed-header fields are the caller's job.
            data->m_IBuffer[start] = 0x60;
            data->m_IBuffer[start + 1] = 0x00;
            this.TTL = 0xff;
        }
        else
        {
            // Version 4 with a 20-byte (IHL = 5) header and no options.
            data->m_IBuffer[start] = 0x45;
            this.DiffServicesField = 0x00;
            // NOTE(review): a constant IP ID on every generated packet is easy to fingerprint - confirm whether that matters here.
            this.Identification = 23950;
            this.FragmentOffset = 0;
            this.Flags = 0x40;   // presumably the Don't Fragment bit - confirm how Flags maps onto the header byte
            this.TTL = 128;
        }
    }

    // Header length: fixed 40 bytes for IPv6, IHL (32-bit words) times four for IPv4.
    // NOTE(review): an IHL below 5 is not rejected and yields a length under 20 - confirm downstream copes.
    uint headerLength = isIPv6()
        ? 40u
        : (uint)((data->m_IBuffer[start] & 0xf) * 4);
    length = headerLength;
}
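/// <summary>
/// Packet-processing loop for this adapter: waits on the driver event, reads every frame the
/// NDIS driver has queued, runs it through the filtering modules and re-injects it unless it was
/// dropped; then does the same for packets queued in <c>processQueue</c>. Never returns normally -
/// the loop only ends through an exception (presumably a thread abort, given the catch variable name).
/// </summary>
public unsafe void ProcessLoop()
{
    // Allocate and initialize packet structures; the driver fills PacketBuffer on every ReadPacket.
    ETH_REQUEST Request = new ETH_REQUEST();
    INTERMEDIATE_BUFFER PacketBuffer = new INTERMEDIATE_BUFFER();
    IntPtr PacketBufferIntPtr = Marshal.AllocHGlobal(Marshal.SizeOf(PacketBuffer));
    try
    {
        win32api.ZeroMemory(PacketBufferIntPtr, Marshal.SizeOf(PacketBuffer));
        Request.hAdapterHandle = adapterHandle;
        Request.EthPacket.Buffer = PacketBufferIntPtr;

        Modules = new ModuleList(this);
        Modules.LoadExternalModules();
        Modules.UpdateModuleOrder();

        // NOTE(review): pcaplog is never closed on the way out of this method - confirm PcapFileWriter flushes on its own.
        pcaplog = new PcapFileWriter(PrepareBlockedPcapPath());

        while (true)
        {
            hEvent.WaitOne();

            // Drain everything the driver has for us; each ReadPacket overwrites PacketBuffer.
            while (Ndisapi.ReadPacket(hNdisapi, ref Request))
            {
                INTERMEDIATE_BUFFER* PacketPointer = (INTERMEDIATE_BUFFER*)PacketBufferIntPtr;
                Packet pkt = new EthPacket(PacketPointer).MakeNextLayerPacket();
                FilterAndForward(pkt, ref Request);
            }

            // Then the packets other code queued for processing.
            // NOTE(review): the re-injection below sends Request, i.e. the driver buffer of the LAST
            // packet read above, not the dequeued packet - confirm this is intended. Also,
            // Queue<T> is not thread-safe; confirm only this thread touches processQueue.
            while (processQueue.Count != 0)
            {
                Packet pkt = processQueue.Dequeue().MakeNextLayerPacket();
                FilterAndForward(pkt, ref Request);
            }

            hEvent.Reset();
        }
    }
    catch (Exception tae)
    {
        // A thread abort re-raises itself after this handler. Anything else (e.g. a packet the
        // parsing code rejects with an exception) used to stop the loop silently; at least record it.
        System.Diagnostics.Trace.TraceError("ProcessLoop stopped: {0}", tae);
    }
    finally
    {
        Marshal.FreeHGlobal(PacketBufferIntPtr);
    }
}

/// <summary>
/// Creates the pcapLogs directory under the configuration path if needed and returns the path of
/// a new per-interface capture file, made unique with DateTime.Now.ToBinary().
/// </summary>
private string PrepareBlockedPcapPath()
{
    string folder = System.IO.Path.Combine(Configuration.ConfigurationManagement.Instance.ConfigurationPath, "pcapLogs");
    if (!System.IO.Directory.Exists(folder))
    {
        System.IO.Directory.CreateDirectory(folder);
    }
    // NOTE(review): inter.Name goes into the file name verbatim; characters invalid in paths would make the writer fail - confirm.
    string fileName = "blocked-" + inter.Name + "-" + DateTime.Now.ToBinary() + ".pcap";
    return System.IO.Path.Combine(folder, fileName);
}

/// <summary>
/// Accounts one packet against the interface counters, runs it through the modules (when
/// Filtering is on), re-injects it - to the adapter if outbound, to the TCP/IP stack if inbound -
/// unless a module or DropAll dropped it, and appends it to the pcap log when a module asked for that.
/// </summary>
/// <param name="pkt">Parsed packet; a module may replace it through the ref it receives.</param>
/// <param name="request">Driver request whose buffer is re-injected for this packet.</param>
private unsafe void FilterAndForward(Packet pkt, ref ETH_REQUEST request)
{
    if (pkt.Outbound)
    {
        inter.DataOut.AddBits(pkt.Length());
    }
    else
    {
        inter.DataIn.AddBits(pkt.Length());
    }

    bool drop = false;
    bool log = false;
    if (this.Filtering)
    {
        // Modules run in their configured order; the first Drop ends the pass.
        for (int x = 0; x < Modules.Count; x++)
        {
            NDISModule fm = Modules.GetModule(x);
            int pmr = fm.PacketMain(ref pkt);
            if (pmr == 0)
            {
                continue;
            }
            if ((pmr & (int)PacketMainReturnType.LogPacket) == (int)PacketMainReturnType.LogPacket)
            {
                log = true;
            }
            if ((pmr & (int)PacketMainReturnType.Drop) == (int)PacketMainReturnType.Drop)
            {
                drop = true;
                break;
            }
        }
    }

    if (!drop && !DropAll)
    {
        if (pkt.Outbound)
        {
            Ndisapi.SendPacketToAdapter(hNdisapi, ref request);
        }
        else
        {
            Ndisapi.SendPacketToMstcp(hNdisapi, ref request);
        }
    }

    if (log)
    {
        pcaplog.AddPacket(pkt.Data(), (int)pkt.Length());
    }
}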
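/// <summary>Distinct destination ports a source must touch before it is reported as a scanner.</summary>
private const int ScanPortThreshold = 100;

/// <summary>Upper bound on the source's average (as returned by IPObj.getAverage()) for a report to fire.</summary>
private const float ScanAverageLimit = 2000;

/// <summary>
/// Shared cryptographic RNG for the initial sequence number of cloaked SYN/ACK replies.
/// The previous <c>new Random().Next()</c> was time-seeded and 31 bits wide, i.e. guessable.
/// </summary>
private static readonly System.Security.Cryptography.RandomNumberGenerator s_isnRng =
    System.Security.Cryptography.RandomNumberGenerator.Create();

/// <summary>
/// Port-scan detector: counts the destination ports each remote source probes (inbound TCP SYNs
/// and inbound non-DNS UDP), reports a source once it crosses the thresholds, and drops anything
/// already in the block cache. In cloaked mode every inbound SYN is also answered with a SYN/ACK.
/// </summary>
/// <param name="in_packet">Packet under inspection; only TCP and UDP are examined.</param>
/// <returns>
/// Drop for a source already in the block cache; Log | Allow for the packet that trips the
/// threshold; Allow otherwise, including on any internal error (which is logged - fail open).
/// </returns>
public override PacketMainReturnType interiorMain(ref Packet in_packet)
{
    if (in_packet.ContainsLayer(Protocol.TCP))
    {
        try
        {
            TCPPacket packet = (TCPPacket)in_packet;
            EnsureTables();
            IPAddr source = packet.SourceIP;

            // Blocked sources are dropped before anything else, so they get no cloaked reply either.
            if (data.BlockCache.ContainsKey(source))
            {
                return PacketMainReturnType.Drop;
            }

            bool inboundSyn = !packet.Outbound && packet.SYN && !packet.ACK;

            // if we're in cloaked mode, respond with the SYN ACK
            // More information about this in the GUI code and help string
            if (data.cloaked_mode && inboundSyn)
            {
                SendCloakedSynAck(packet);
            }

            // checking for TTL allows us to rule out the local network
            // NOTE(review): only bare SYNs are counted here, so ACK/NULL/XMAS-style probes are not seen by this tally.
            if (inboundSyn && packet.TTL < 250)
            {
                IPObj tracked = TrackedEntry(source);
                // add the port to the ipobj and update the table
                tracked.addPort(packet.DestPort);
                ip_table[source] = tracked;
                if (ReportIfScanning(source, tracked))
                {
                    return PacketMainReturnType.Log | PacketMainReturnType.Allow;
                }
            }
        }
        catch (Exception e)
        {
            // Fail open: a bookkeeping or parsing error must not stall the packet path.
            LogCenter.Instance.LogException(e);
            return PacketMainReturnType.Allow;
        }
    }
    // This will detect UDP knockers. typically UDP scans are slower, but are combined with SYN scans
    // (-sSU in nmap) so we'll be sure to check for these guys too.
    else if (in_packet.ContainsLayer(Protocol.UDP))
    {
        try
        {
            UDPPacket packet = (UDPPacket)in_packet;
            EnsureTables();
            IPAddr source = packet.SourceIP;

            // if the source addr is in the block cache, return
            if (data.BlockCache.ContainsKey(source))
            {
                return PacketMainReturnType.Drop;
            }

            // Inbound, non-local (TTL < 250), non-DNS UDP counts toward the source's port tally.
            if (!packet.Outbound && packet.TTL < 250 && !packet.isDNS())
            {
                IPObj tracked = TrackedEntry(source);
                tracked.addPort(packet.DestPort);
                ip_table[source] = tracked;
                if (ReportIfScanning(source, tracked))
                {
                    return PacketMainReturnType.Log | PacketMainReturnType.Allow;
                }
            }
        }
        catch (Exception e)
        {
            LogCenter.Instance.LogException(e);
            return PacketMainReturnType.Allow;
        }
    }
    return PacketMainReturnType.Allow;
}

/// <summary>
/// Lazily creates the block cache and the per-source tracking table; both may be null until first use.
/// (The original only guarded these on the TCP path, so a UDP packet arriving first threw.)
/// </summary>
private void EnsureTables()
{
    if (data.BlockCache == null)
    {
        data.BlockCache = new SerializableDictionary<IPAddr, IPObj>();
    }
    if (ip_table == null)
    {
        ip_table = new Dictionary<IPAddr, IPObj>();
    }
}

/// <summary>
/// Returns the tracking record for <paramref name="source"/>, creating one on first sight.
/// NOTE(review): entries are never removed here, so a flood of spoofed sources grows ip_table
/// without bound unless something else prunes it - confirm.
/// </summary>
private IPObj TrackedEntry(IPAddr source)
{
    IPObj entry;
    if (!ip_table.TryGetValue(source, out entry))
    {
        entry = new IPObj(source);
    }
    return entry;
}

/// <summary>
/// Raises the "Touched Ports" log event once <paramref name="tracked"/> has hit at least
/// ScanPortThreshold ports with an average below ScanAverageLimit and has not been reported yet,
/// then either records the source as a potential (session list plus detector) or, when
/// blockImmediately is set, puts it straight into the block cache.
/// </summary>
/// <returns>true when a report was raised for this packet.</returns>
private bool ReportIfScanning(IPAddr source, IPObj tracked)
{
    if (tracked.getTouchedPorts().Count >= ScanPortThreshold && !tracked.Reported && tracked.getAverage() < ScanAverageLimit)
    {
        LogEvent le = new LogEvent(String.Format(multistring.GetString("Touched Ports"), source.ToString(), tracked.getTouchedPorts().Count, tracked.getAverage()), this);
        LogCenter.Instance.LogEvent(le);
        // Each source is reported once; this is what keeps the Add() calls below from repeating.
        tracked.Reported = true;
        if (!data.blockImmediately)
        {
            potentials.Add(source, tracked);
            detect.addPotential(source);
        }
        else
        {
            data.BlockCache.Add(source, tracked);
        }
        return true;
    }
    return false;
}

/// <summary>
/// Cloaked-mode reply: answers the inbound SYN in <paramref name="from"/> with a SYN/ACK so the
/// probed port looks open. The reply acknowledges the probe's sequence number + 1 (a SYN/ACK
/// with ack 0 is not a valid handshake answer) and uses an unpredictable ISN.
/// NOTE(review): the reply is always built as IPv4 (EtherType 0x0800) - confirm IPv6 SYNs never reach here.
/// </summary>
private void SendCloakedSynAck(TCPPacket from)
{
    EthPacket eth = new EthPacket(60);
    eth.FromMac = Adapter.GetAdapterInformation().InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
    eth.ToMac = from.FromMac;
    eth.Proto = new byte[2] { 0x08, 0x00 };

    IPPacket ip = new IPPacket(eth);
    ip.DestIP = from.SourceIP;
    ip.SourceIP = from.DestIP;
    ip.NextProtocol = 0x06;   // TCP
    ip.TotalLength = 40;      // 20-byte IPv4 header + 20-byte TCP header
    ip.HeaderChecksum = ip.GenerateIPChecksum;

    TCPPacket tcp = new TCPPacket(ip);
    tcp.SourcePort = from.DestPort;
    tcp.DestPort = from.SourcePort;
    tcp.SequenceNumber = RandomInitialSequenceNumber();
    tcp.AckNumber = unchecked(from.SequenceNumber + 1);
    tcp.WindowSize = 8192;
    tcp.SYN = true;
    tcp.ACK = true;
    // Checksum last, once every TCP field it covers is in place.
    tcp.Checksum = tcp.GenerateChecksum;
    tcp.Outbound = true;
    Adapter.SendPacket(tcp);
}

/// <summary>Draws a full 32-bit initial sequence number from the cryptographic RNG.</summary>
private static uint RandomInitialSequenceNumber()
{
    byte[] isn = new byte[4];
    s_isnRng.GetBytes(isn);
    return BitConverter.ToUInt32(isn, 0);
}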
/// <summary>
/// Constructs an EETHPacket over the buffer of an existing Ethernet frame; the base constructor
/// receives <c>eth.data</c> and does all the work, so the body is intentionally empty.
/// </summary>
/// <param name="eth">Frame whose underlying buffer this packet is built on.</param>
public EETHPacket(EthPacket eth) : base(eth.data) { }
/// <summary>
/// Wraps the buffer of an existing Ethernet frame as an EETHPacket. Everything is delegated to
/// the base constructor via <c>eth.data</c>; nothing else is initialised here.
/// </summary>
/// <param name="eth">Frame whose underlying buffer this packet is built on.</param>
public EETHPacket(EthPacket eth) : base(eth.data) { }