Пример #1
0
        private void AnalyzeLLMNR(Packet packet)
        {
            if (!(packet is EthernetPacket))
                return;

            // IPv4 y IPv6
            if (packet.PayloadPacket.PayloadPacket is UdpPacket)
            {
                // Respuestas de LLMNR. De aqui podemos capturar el nombre.
                if ((((UdpPacket)(packet.PayloadPacket.PayloadPacket)).SourcePort == 5355) && (((EthernetPacket)packet).Type == EthernetPacketType.IpV4))
                {
                    LLMNR.LLMNRAnswer LLMNRAnswer = new LLMNR.LLMNRAnswer(packet.PayloadPacket.PayloadPacket.PayloadData);

                    //  Solo lo cojemos las respuestas que son de tipo PTR o de tipo A
                    if (LLMNRAnswer.isPtrResponse == true && LLMNRAnswer.computerName != string.Empty)
                    {
                        Neighbor neighbor = Program.CurrentProject.data.GetNeighbor(((EthernetPacket)(packet)).SourceHwAddress);

                        if (neighbor == null)
                        {
                            neighbor = new Neighbor();
                            neighbor.computerName = LLMNRAnswer.computerName;
                            neighbor.AddIP(LLMNRAnswer.ipAddress);
                            neighbor.physicalAddress = ((EthernetPacket)(packet)).SourceHwAddress;
                            Program.CurrentProject.data.AddNeighbor(neighbor);
                            NewNeighbor(this, new NeighborEventArgs(neighbor));
                        }
                        else
                        {
                            neighbor.computerName = LLMNRAnswer.computerName;
                            Program.CurrentProject.data.AddNeighbor(neighbor);
                        }
                    }
                }


                if ((((EthernetPacket)packet).Type == EthernetPacketType.IpV4) && (((UdpPacket)(packet.PayloadPacket.PayloadPacket)).DestinationPort == 5355))
                {
                    SynchronizedCollection<Attack> lstAttacks = Program.CurrentProject.data.GetAttacks();

                    // En caso de MITM ARP -> Si el equipo está intentando restablecer su tabla ARP ... se le vuelve a envenenar
                    foreach (Attack attk in lstAttacks.Where(A => A.attackType == AttackType.WpadIPv4 && A.attackStatus == AttackStatus.Attacking))
                    {
                        MitmAttack mitmAtt = (MitmAttack)attk;
                        if (((IPv4Packet)((EthernetPacket)packet).PayloadPacket).SourceAddress.Equals(mitmAtt.t2.ip))
                            WpadIPv4Attack.Instance.GenerateLLMNRResponse(packet);
                    }

                }

                if ((((EthernetPacket)packet).Type == EthernetPacketType.IpV6) && (((UdpPacket)(packet.PayloadPacket.PayloadPacket)).DestinationPort == 5355))
                {
                    SynchronizedCollection<Attack> lstAttacks = Program.CurrentProject.data.GetAttacks();

                    // En caso de MITM ARP -> Si el equipo está intentando restablecer su tabla ARP ... se le vuelve a envenenar
                    foreach (Attack attk in lstAttacks.Where(A => A.attackType == AttackType.WpadIPv6 && A.attackStatus == AttackStatus.Attacking))
                    {
                        MitmAttack mitmAtt = (MitmAttack)attk;
                        if (((IPv6Packet)((EthernetPacket)packet).PayloadPacket).SourceAddress.Equals(mitmAtt.t2.ip))
                            WpadIPv6Attack.Instance.GenerateLLMNRResponse(packet);
                    }
                }
            }
        }