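def decode(pkt):
    """Extract (ip, mac) observations from one captured frame.

    Walks the EAPOL, DHCP, IP and ARP layers of ``pkt`` (a scapy packet) and
    collects one record per address seen, shaped as::

        {'ip': ..., 'mac': ..., 'time': ..., 'acq': ..., 'valid': ...}

    ``acq`` names the layer the observation came from and ``valid`` is what
    ``arp.metric()`` returns for that IP.  EAPOL frames carry no IP yet, so
    both endpoint MACs are recorded against ``'0.0.0.0'`` with a fixed
    ``valid`` of 2 (the meaning of that value is owned by ``arp.metric``, not
    by this function).

    All address fields here are taken straight from the wire (ARP ``psrc`` /
    ``hwsrc``, DHCP ``requested_addr``, IP/Ether headers) and are therefore
    attacker-controlled; nothing is trusted until ``decide``/``mitm`` have
    scored it.

    Returns:
        The JSON encoding of the FIRST record only.  Every record is logged,
        but callers only ever get ``decoded_pkt[0]``.

    Raises:
        IndexError: when the frame has none of the four layers, so nothing
            was decoded (the original indexed ``decoded_pkt[0]`` blindly;
            the exception type is kept, the message made explicit).
    """
    # One timestamp per frame so every record from this packet agrees.
    seen = time.time()
    decoded_pkt = []

    def record(ip, mac, acq, valid):
        decoded_pkt.append({'ip': ip, 'mac': mac, 'time': seen, 'acq': acq, 'valid': valid})

    # EAPOL: no IP assigned yet, record both endpoint MACs.
    if pkt.haslayer(EAPOL):
        ether_frame = pkt.getlayer(Ether)
        record('0.0.0.0', ether_frame.src, 'eapol', 2)
        record('0.0.0.0', ether_frame.dst, 'eapol', 2)

    # DHCP: only frames carrying a server_id are used (presumably the
    # server-side OFFER/ACK -- TODO confirm against how server_id is set).
    if pkt.haslayer(DHCP):
        dhcp_frame = pkt.getlayer(DHCP)
        ether_frame = pkt.getlayer(Ether)
        if dhcp_frame.server_id is not None:
            requested = dhcp_frame.requested_addr
            record(requested, ether_frame.src, 'dhcp', arp.metric(requested))

    # IP: both sides of the conversation are scored and recorded.
    if pkt.haslayer(IP):
        ip_frame = pkt.getlayer(IP)
        ether_frame = pkt.getlayer(Ether)
        record(ip_frame.src, ether_frame.src, 'ip', arp.metric(ip_frame.src))
        record(ip_frame.dst, ether_frame.dst, 'ip', arp.metric(ip_frame.dst))

    # ARP: sender protocol/hardware addresses -- the classic spoofing vector.
    if pkt.haslayer(ARP):
        arp_frame = pkt.getlayer(ARP)
        record(arp_frame.psrc, arp_frame.hwsrc, 'arp', arp.metric(arp_frame.psrc))

    # NOTE(review): every decoded frame is dumped at warning level; this is
    # very noisy on a busy segment and should probably be debug.
    log.warning(str(decoded_pkt))
    if not decoded_pkt:
        raise IndexError('decode: frame carries no EAPOL/DHCP/IP/ARP layer')
    return json.dumps(decoded_pkt[0])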
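def mitm(iface, data, *, probe_timeout=None):
    """Classify an IP change for a known MAC as ARP MITM or DoS and mitigate.

    ``data`` is the incoming observation (``ip``, ``mac``, ``time``, ``acq``,
    ``valid``) plus ``data['res']``, the stored record for the same MAC
    (``ip``, ``mac``, ``acq``, ``valid``, ``last_seen``).  ``decide`` only
    calls this when ``data['res']['ip'] != data['ip']``.

    Decision:
      * The stored IP is probed with an ARP request.  If anyone answers, the
        old host is taken to be alive and the new mapping a spoof: the new
        ARP entry is deleted and the stored ip/mac pair is (re)added.
      * If nobody answers, ``arp.metric`` no longer reports 1 for the stored
        IP, and the two sightings are closer together than ``arp.ttl(iface)``,
        the stored host is considered knocked off the segment (DoS) and the
        new entry is deleted.

    Keyword args:
        probe_timeout: forwarded to scapy's ``sr`` as ``timeout``.  ``None``
            (the default, matching the original call) lets ``sr`` wait for
            replies indefinitely, so an unanswered probe can stall the whole
            detector; pass a number of seconds to bound it.

    NOTE(review): the liveness probe is itself an ARP exchange on the same
    segment, so a host that is already poisoning caches can answer for the
    stored IP.  The MITM-vs-DoS split therefore depends on the medium it is
    defending.  Also, ``db.find_mac`` is assumed to return a record for
    ``data['mac']``; if it can return ``None`` the log lines below raise --
    confirm against ``db``.
    """
    log.default('Detecting MITM => ' + str(data['ip']) + ' = ' + str(data['mac']))
    db_data = data['res']
    i_data_ip = data['ip']
    i_data_time = data['time']

    db_data_ip = db_data['ip']
    db_data_mac = db_data['mac']
    db_data_time = db_data['last_seen']

    # Both records are keyed on the same MAC; i_db_data is the stored asset.
    _exists, i_db_data = db.find_mac(data['mac'])

    # Does anything still answer for the stored IP?
    ans, _unanswered = sr(ARP(pdst=db_data_ip), timeout=probe_timeout)
    if len(ans.sessions()) >= 1:
        # Old host alive: the new mapping is spoofing it.
        db.add_detection_time(time.time() - i_data_time)
        log.error('MITM Detected => IP: ' + i_db_data['ip'] + ', MAC: ' + i_db_data['mac'] + ' ::: Spoofing Client ::: IP: ' + i_data_ip + ', MAC: ' + db_data_mac)
        # Mitigation: drop the spoofed entry, pin the stored one.
        arp.delete_entry(iface, i_data_ip)
        arp.add_entry(iface, db_data_ip, db_data_mac)
        return

    # Nobody answered: possibly the stored host was silenced (DoS).
    if arp.metric(db_data_ip) == 1:
        return
    # Authorised client appears blocked; confirm only when the two sightings
    # fall inside one ARP TTL of the interface.
    if (i_data_time - db_data_time) < arp.ttl(iface):
        db.add_detection_time(time.time() - i_data_time)
        # Confirmed DoS: remove the offending entry.
        arp.delete_entry(iface, i_data_ip)
        log.error('MITM Detected => IP: ' + i_db_data['ip'] + ', MAC: ' + i_db_data['mac'] + ' ::: Spoofing Client ::: IP: ' + i_data_ip + ', MAC: ' + db_data_mac)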
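def decide(iface, sio, data, log):
    """Route one decoded observation to the matching ARP/DB action.

    ``data`` carries the new sighting (``ip``, ``mac``, ``time``) and
    ``data['res']``, the stored record for that MAC.  ``sio`` is accepted for
    signature compatibility but unused; ``log`` shadows the module-level
    ``log`` for the duration of the call and is likewise unused here.

    * Stored IP equals the new IP: refresh last-seen/metric in the DB and
      the ARP entry.
    * Stored IP is ``'0.0.0.0'`` (MAC first seen via EAPOL, before it had an
      address): record the mapping and add the ARP entry.
    * Any other IP for this MAC: hand off to ``mitm.mitm`` for MITM/DoS
      analysis and mitigation.

    The previously commented-out liveness/TTL logic that lived here has been
    removed; ``mitm.mitm`` implements it.
    """
    metric = arp.metric(data['ip'])
    ip = data['ip']
    mac = data['mac']
    seen = data['time']
    previous_ip = data['res']['ip']

    if previous_ip == ip:
        # Known mapping: just refresh timestamps.
        db.update_arp(seen, mac, metric)
        arp.update_entry(iface, ip, mac)
    elif previous_ip == '0.0.0.0':
        # Placeholder from the EAPOL capture: first real address for this MAC.
        db.update_arp(seen, mac, metric)
        arp.add_entry(iface, ip, mac)
    else:
        # Same MAC, different IP: possible spoof; mitm() probes and mitigates.
        mitm.mitm(iface, data)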
def add_arp(iface, data):
    """Persist a new ARP observation in the ``arp`` table.

    Inserts ``data['ip']``, ``data['mac']``, ``data['time']`` and
    ``data['acq']`` together with a freshly computed ``arp.metric`` for the
    IP (``data['valid']`` is not reused).  ``iface`` is unused.  The SQL is
    parameterised, so the packet-derived ip/mac strings cannot alter the
    statement.

    NOTE(review): the connection returned by ``init()`` is committed but
    never closed here; confirm whether ``init()`` hands out a shared
    connection or opens a fresh one per call.
    """
    conn = init()
    ip, mac = data['ip'], data['mac']
    score = arp.metric(ip)
    row = (ip, mac, data['time'], data['acq'], score)
    sql = 'insert into arp(ip, mac, last_seen, acq, valid) values(?, ?, ?, ?, ?)'
    conn.cursor().execute(sql, row)
    conn.commit()
    d.success('Added DB ARP entry => ' + ip + ' = ' + mac)