def Setup(self):
self.name = "SF|SR Probe to Closed Port"
self.expect = "detect.output.4"
# Packet 1
payload = TCP(sport=555, dport=79, seq=10000,
flags=dnet.TH_SYN|dnet.TH_RST)
ip = IP(src=dnet.ip_aton("192.0.2.1"),
dst=dnet.ip_aton("192.18.0.10"),
id=5624,
p=dnet.IP_PROTO_TCP)
ip.data = payload
ip.len += len(ip.data)
self.packets.append(ip)
# Packet 2
payload = TCP(sport=556, dport=79, seq=10000,
flags=dnet.TH_SYN|dnet.TH_FIN)
ip = IP(src=dnet.ip_aton("192.0.2.1"),
dst=dnet.ip_aton("192.18.0.10"),
id=5625,
p=dnet.IP_PROTO_TCP)
ip.data = payload
ip.len += len(ip.data)
self.packets.append(ip)
def get_test_array(pcap_file, proto):
labels = []
actuals = []
arra = []
pcapa = pcap.pcap(pcap_file)
i = 0
for ts, pkt in pcapa:
i = i + 1
try:
ether = Ethernet(pkt)
ip = ether.data
if isinstance(ip, str):
ip = IP(ether.data)
except Exception as e:
try:
ip = IP(pkt)
except:
continue
if isinstance(ip.data, str):
tcp = TCP(ip.data)
else:
tcp = ip.data
tmpstr = ""
#tmparr = []
arra.append(conv(tcp.data))
labels.append(proto)
actuals.append(i)
return (arra, labels, actuals)
def get_array(pcap_file, proto):
labels = []
arr = get_array_i(pcap_file, proto)
arra = []
pcapa = pcap.pcap(pcap_file)
i = 0
for ts, pkt in pcapa:
i = i + 1
if i not in arr:
continue
try:
ether = Ethernet(pkt)
ip = ether.data
if isinstance(ip, str):
ip = IP(ether.data)
except Exception as e:
try:
ip = IP(pkt)
except:
continue
tcp = ip.data
if isinstance(ip.data, str):
tcp = TCP(ip.data)
#tmparr = []
arra.append(conv(tcp.data))
labels.append(proto)
return (arra, labels)
def get_whole_packet_array(pcap_file, proto):
labels = []
arr = get_array_i(pcap_file, proto)
arra = []
pcapa = pcap.pcap(pcap_file)
i = 0
for ts, pkt in pcapa:
i = i + 1
if i not in arr:
continue
try:
ether = Ethernet(pkt)
ip = ether.data
if isinstance(ip, str):
ip = IP(ether.data)
except Exception as e:
try:
ip = IP(pkt)
except:
continue
tcp = ip.data
if isinstance(ip.data, str):
tcp = TCP(ip.data)
#tmparr = []
arra.append(str(pkt).encode("hex"))
return arra
def run(self):
global sock, handle, mtu_size, verbose
buf = win32file.AllocateReadBuffer(2000)
while True:
rc, bytes_recvd = win32file.WSARecv(sock.fileno(), buf,
self.overlapped_rx)
assert rc == 0 or rc == win32file.WSA_IO_PENDING
bytes_recvd = yield
p = buf[:bytes_recvd]
p = netmsg_to_local(p)
p = unpack_header(p)
if p:
if verbose:
print 'tunnel send: '
if (ord(p[0]) & 0xf0) == 0x40:
pprint(IP(p))
elif (ord(p[0]) & 0xf0) == 0x60:
pprint(IP6(p))
else:
print 'Unknown layer 3 protocol'
win32file.WriteFile(handle, p, self.overlapped_tx)
yield
def incoming(pktlen, pkt, timestamp):
eth = Ethernet(pkt)
ip = IP(str(eth.data))
tcp = TCP(str(ip.data))
print str(len(tcp.data)).zfill(2) + ' bytes <- ',
global first_in
global seed_in
global rc4_in
if first_in:
s = tcp.data[:4]
seed_in = ord(s[0]) * 0x01000000 + ord(s[1]) * 0x010000 + ord(
s[2]) * 0x0100 + ord(s[3]) * 0x01
Skype_RC4_Expand_IV(seed_in, rc4_in)
plaintext = RC4_crypt(tcp.data[4:14], rc4_in)
print '\t' + str2hex(plaintext)
rc4_in = RC4_Context()
if len(tcp.data) > 14:
Skype_RC4_Expand_IV(seed_in, rc4_in)
plaintext = RC4_crypt(str(tcp.data[14:]), rc4_in)
print '\t' + str2hex(plaintext)
first_in = False
else:
Skype_RC4_Expand_IV(seed_in, rc4_in)
plaintext = RC4_crypt(str(tcp.data), rc4_in)
print '\t' + str2hex(plaintext)
def decode_raw_ip_payload_src_dst(buf):
"""Get src,dst ip address from raw ip payload string
:param buf: A string buffer containing raw ip payload
:return: A typle with source and destination IP strings
"""
ip = IP(buf)
return inet_to_str(ip.src), inet_to_str(ip.dst)
def ingress_loop(packet):
global connections
global client_log
now = datetime.now()
network = IP(packet.get_payload())
transport = network.data
# modify the packet all you want here
# packet.set_payload(str(pkt)) #set the packet content to our modified version
# if network.p not in KNOWN_PROTO:
# print('[?] unknown protocol: {}'.format(network.p))
# packet.accept()
# return
src_ip = inet_to_str(network.src)
dst_ip = inet_to_str(network.dst)
flow = (src_ip, transport.sport, dst_ip, transport.dport)
if flow in connections:
connections[flow] = connections[flow] + transport.data
else:
connections[flow] = transport.data
flow_addresses = '{}:{},{}:{}'.format(src_ip, transport.sport, dst_ip,
transport.dport)
print(flow_addresses)
# can_modify = transport.seq > 0 and transport.ack > 0
if network.rf or src_ip in TRACKED_CLIENTS:
print('got RF set, logging into file...')
client_log.log(now)
# try:
# stream = connections[flow]
# if stream[:4] == 'HTTP':
# http = Response(stream)
# # print(http.status)
# else:
# http = Request(stream)
# # print(http.method, http.uri)
#
# print(http)
# print()
#
# # If we reached this part an exception hasn't been thrown
# stream = stream[len(http):]
# if len(stream) == 0:
# del connections[flow]
# else:
# connections[flow] = stream
# except UnpackError:
# pass
return packet.accept()
def Setup(self):
self.name = "Ping"
self.expect = "gen.output.1"
payload = ICMP(type = 8, data=ICMP.Echo(id=123, seq=1, data="12345690"))
ip = IP(src=dnet.ip_aton("192.0.2.254"),
dst=dnet.ip_aton("192.18.0.10"),
id=5624,
p=dnet.IP_PROTO_ICMP)
ip.data = payload
ip.len += len(ip.data)
self.packets.append(ip)
def iterate(pktlen, pkt, timestamp):
eth = Ethernet(pkt)
if eth.type == ETH_TYPE_IP:
ip = IP(str(eth.data))
if ip.p == IP_PROTO_TCP:
tcp = TCP(str(ip.data))
f = {
'src': ip.src,
'sport': tcp.sport,
'dst': ip.dst,
'dport': tcp.dport
}
if not f in self.streams:
self.streams.append(f)
def test_opt():
s = b'\x4f\x00\x00\x3c\xae\x08\x00\x00\x40\x06\x18\x10\xc0\xa8\x0a\x26\xc0\xa8\x0a\x01\x87\x27\x08\x01\x02\x03\x04\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x06\x05\x04\x03\x02\x01'
ip = IP(s)
opts = IPOption(ip.opts)
assert (bytes(opts) == ip.opts)
opts.length = 12
assert (opts.length == 12)
opts.copy = 1
assert (opts.copy == 1)
raw_opts = b'\x44\x0c\x05\x01\x00\x00\x00\x00\x00\x00\x00\x00'
new_opts = IPOption(type=0x44,
length=0x0c,
data=b'\x05\x01\x00\x00\x00\x00\x00\x00\x00\x00')
assert (raw_opts == bytes(new_opts))
def Setup(self):
self.name = "Connection to open port"
self.expect = "gen.output.2"
# Packet 1
payload = TCP(sport=555, dport=80, seq=10000, flags=dnet.TH_SYN)
ip = IP(src=dnet.ip_aton("192.0.2.254"),
dst=dnet.ip_aton("192.18.0.10"),
id=5624,
p=dnet.IP_PROTO_TCP)
ip.data = payload
ip.len += len(ip.data)
self.packets.append(ip)
# Packet 2
payload = TCP(sport=555, dport=80,
seq=10001, ack=194595108,
flags=dnet.TH_ACK)
ip = IP(src=dnet.ip_aton("192.0.2.254"),
dst=dnet.ip_aton("192.18.0.10"),
id=5625, p=dnet.IP_PROTO_TCP)
ip.data = payload
ip.len += len(ip.data)
self.packets.append(ip)
# Packet 3
payload = TCP(sport=555, dport=80,
seq=10001, ack=194595108,
flags=dnet.TH_ACK)
payload.data = 'Honeyd fools you'
ip = IP(src=dnet.ip_aton("192.0.2.254"),
dst=dnet.ip_aton("192.18.0.10"),
id=5625, p=dnet.IP_PROTO_TCP)
ip.data = payload
ip.len += len(ip.data)
self.packets.append(ip)
def Setup(self):
self.name = "Routing to Open Port"
self.expect = "route.output.1"
# Packet 1
payload = TCP(sport=555, dport=80, seq=10000, flags=dnet.TH_SYN)
ip = IP(src=dnet.ip_aton("192.0.2.1"),
dst=dnet.ip_aton("192.18.3.10"),
id=8143,
ttl=1,
p=dnet.IP_PROTO_TCP)
ip.data = payload
ip.len += len(ip.data)
self.packets.append(ip)
# Packet 2
payload = TCP(sport=555, dport=80, seq=10000, flags=dnet.TH_SYN)
ip = IP(src=dnet.ip_aton("192.0.2.1"),
dst=dnet.ip_aton("192.18.3.10"),
id=8144,
ttl=2,
p=dnet.IP_PROTO_TCP)
ip.data = payload
ip.len += len(ip.data)
self.packets.append(ip)
# Packet 3
payload = TCP(sport=555, dport=80, seq=10000, flags=dnet.TH_SYN)
ip = IP(src=dnet.ip_aton("192.0.2.1"),
dst=dnet.ip_aton("192.18.3.10"),
id=8145,
ttl=3,
p=dnet.IP_PROTO_TCP)
ip.data = payload
ip.len += len(ip.data)
self.packets.append(ip)
def _decryptPacket(self, packet, sessionKey):
cipher = RC4(key=sessionKey)
plaintext = cipher.update(packet.getData())
if ord(plaintext[0]) == 0x00 and ord(plaintext[1]) == 0x21:
ethPacket = packet.getEthernetFrame()
ethPacket = copy.deepcopy(ethPacket)
ipPacket = IP()
ipPacket.unpack(plaintext[2:])
ethPacket.data = ipPacket
return ethPacket
return None
def send_packet(fp, msg):
http = u"HTTP/1.1 %s\r\n\r\njust for fun" % msg
tcp = TCP(sport=80,
dport=random.uniform(0, 65535), data=http)
ip = IP(src=inet_aton('19.89.6.4'), dst=inet_aton('20.13.9.27'),
p=IP_PROTO_TCP, data=tcp, len=20 + len(str(tcp)))
eth = Ethernet(src='\xac\xf7\xf3\x00\x00\x00',
dst='\x00\x00\x00\x00\x00\x00',
data=ip)
packet = str(eth)
if (pcap_sendpacket(fp, build_packet(packet), len(packet)) != 0):
print("Error sending the packet:\n %s" % pcap_geterr(fp))
def load_ip_packet_from_ethernet_frame(
packet_data: bytes) -> Union[IP, IP6]:
if isinstance(packet_data, (IP, IP6)):
return packet_data
# Packet data is bytes because it is a fragmented packet.
try:
return IP(packet_data)
except dpkt.dpkt.UnpackError:
return IP6(
packet_data) # When IPv6 packet is encapsulated in IPv4 packet
except BaseException as ex:
logging.error(
'Can not parse Ethernet frame as IPv4 or IPv6 packet. Error: `%s`',
ex)
raise ex
def iterate(pktlen, pkt, timestamp):
eth = Ethernet(pkt)
if eth.type == ETH_TYPE_IP:
ip = IP(str(eth.data))
if ip.p == IP_PROTO_TCP:
tcp = TCP(str(ip.data))
if len(tcp.data) > 0:
if (outgoing is not None
and ip.src == self.stream['src']
and tcp.sport == self.stream['sport']
and ip.dst == self.stream['dst']
and tcp.dport == self.stream['dport']):
outgoing(pktlen, pkt, timestamp)
if (incoming is not None
and ip.src == self.stream['dst']
and tcp.sport == self.stream['dport']
and ip.dst == self.stream['src']
and tcp.dport == self.stream['sport']):
incoming(pktlen, pkt, timestamp)
def sniffer():
packet = Ether() / IP(dst="1.2.3.4") / UDP(dport=123)
wrpcap('foo.pcap', [packet])
f = open('foo.pcap', 'rb')
pcap = dpkt.pcap.Reader(f)
sniffed = ""
for ts, buf in pcap:
eth = dpkt.ethernet.Ethernet(buf)
if eth.type != dpkt.ethernet.ETH_TYPE_IP:
print('Non IP Packet type not supported')
continue
ip = eth.data
do_not_fragment = bool(dpkt.ip.IP_DF)
more_fragments = bool(dpkt.ip.IP_MF)
fragment_offset = ip.off & dpkt.ip.IP_OFFMASK
sniffed = 'IP: '+str(ipaddress.ip_address(ip.src)) + ' -> '+str(ipaddress.ip_address(ip.dst)) + ' len='+str(ip.len) + ' ttl='+str(ip.ttl) + ' DF='+str(do_not_fragment)\
+ ' MF='+str(more_fragments) + ' offset='+str(fragment_offset)
return sniffed
def ingress_loop(packet):
raw_packet = packet.get_payload()
network = IP(raw_packet)
src_ip = inet_to_str(network.src)
dst_ip = inet_to_str(network.dst)
if src_ip not in TRACKED_CLIENTS:
return packet.accept()
if not is_tor(network):
return packet.accept()
print('tracked client trying connect to tor')
network.rf = 1
if dst_ip in KNOWN_PEERS:
raw_packet = update_cksum(network)
packet.set_payload(raw_packet)
return packet.accept()
peer = random.choice(KNOWN_PEERS)
network.dst = str_to_inet(peer)
raw_packet = update_cksum(network)
packet.set_payload(raw_packet)
return packet.accept()
def modify_pkt_rnd(net_packet):
# net.data is layer 4 packet
# so net.data.data is layer 5 or just a payload of layer 4
net = IP(net_packet.get_payload())
tran_len = len(net.data)
payload_len = net.len - tran_len
if not payload_len:
return net.pack()
new_data = bytearray(net.data.pack())
for idx in range(10):
rnd_byte = randrange(0, payload_len)
# God, please, i hope there's no off-by-one error
new_data[(tran_len - payload_len) + rnd_byte] = rnd_byte
# new_data[rnd_byte] = bytes([rnd_byte])
net.data = new_data
return net.pack()
def run(self):
global sock, handle, mtu_size, verbose, now, last_send
buf = win32file.AllocateReadBuffer(mtu_size)
while True:
# wait for data
l, _ = win32file.ReadFile(handle, buf, self.overlapped_rx)
# ERROR_IO_PENDING, maybe 0 also
#assert win32api.GetLastError() == win32file.ERROR_IO_PENDING
#rc = win32event.WaitForSingleObject(self.overlapped_rx.hEvent, 1000 * keepalive_interval)
bytes_read = yield
# overlapped mode, return a PyOVERLAPPEDReadBuffer instead of str
p = buf[:bytes_read]
if verbose:
print 'tunnel recv: '
#pprint(Ethernet(p))
if (ord(p[0]) & 0xf0) == 0x40:
pprint(IP(p))
elif (ord(p[0]) & 0xf0) == 0x60:
pprint(IP6(p))
else:
print 'Unknown layer 3 protocol'
continue # not support
#sock.sendall(local_to_netmsg(pack_header(p)))
rc, bytes_sent = win32file.WSASend(sock.fileno(),
local_to_netmsg(pack_header(p)),
self.overlapped_tx)
# even send not pending, still generate a IOCP queued message
bytes_sent = yield
assert rc == 0 or rc == win32file.WSA_IO_PENDING
last_send = now
#! /usr/bin/env python
# -*- coding: utf-8 -*-
# vim:fenc=utf-8
#
# Copyright © 2017 anatharaman <anatharaman@CSL-C14997>
#
# Distributed under terms of the MIT license.
"""
"""
import struct
import pcap
import dpkt
from dpkt.ip import IP
from dpkt.tcp import TCP
file = open("datadump1","wb")
for ts,raw_packet in pcap.pcap("C37.118_1PMU_TCP.pcap"):
ip = IP(raw_packet[14:])
tcp = ip.data
if len(tcp.data) != 0:
byte = ":".join("{:02x}".format(ord(c)) for c in tcp.data)
file.write(bytearray(tcp.data + "\n"))
file.close()
# This is sample code to generate udp packets
# from a pcap file, used for ipfix testing
import dpkt
import pcap
from dpkt.ip import IP
from dpkt.udp import UDP
idx = 0
for ts, raw_pkt in pcap.pcap('mydump'):
ip = IP(raw_pkt[14:])
udp = ip.data
f = open('workfile' + str(idx), 'w')
f.write(udp.data)
f.close()
idx = idx + 1
def egress_loop(packet):
global connections
global blacklist
global client_log
now = datetime.now()
raw_packet = packet.get_payload()
network = IP(raw_packet)
# modify the packet all you want here
# packet.set_payload(str(pkt)) #set the packet content to our modified version
transport = network.data
src_ip = inet_to_str(network.src)
dst_ip = inet_to_str(network.dst)
flow = (src_ip, transport.sport, dst_ip, transport.dport)
# if flow[3] in [443]:
# print('[drop] {}:{} -> {}:{}'.format(flow[0], flow[1], flow[2], flow[3]))
# packet.drop()
# return
if flow in connections:
connections[flow] = connections[flow] + transport.data
else:
connections[flow] = transport.data
flow_addresses = '{}:{},{}:{}'.format(src_ip, transport.sport, dst_ip,
transport.dport)
print(flow_addresses)
tracked_client_arrived = client_log.arrived_near(now)
# if network.rf or (tracked_client_arrived and dst_ip in KNOWN_PEERS):
if tracked_client_arrived and dst_ip in KNOWN_PEERS:
print('no RF, setting...')
network.rf = 1
network.sum = 0
packet.set_payload(bytes(network))
if transport.dport not in [80]:
packet.accept()
# if is_marked: print(packet.get_payload())
return
try:
stream = connections[flow]
http = Request(stream)
# if src_ip in blacklist:
# bad_ip = src_ip
# elif dst_ip in blacklist:
# bad_ip = dst_ip
# else:
# bad_ip = 'not listed'
bad_host = http.headers['host']
print(flow)
if tracked_client_arrived and bad_host in blacklist:
print('[drop] blacklisted host: {}, IP: {}'.format(
bad_host, dst_ip))
del connections[flow]
return packet.drop()
# If we reached this part an exception hasn't been thrown
stream = stream[len(http):]
if len(stream) == 0:
del connections[flow]
else:
connections[flow] = stream
except UnpackError:
pass
packet.accept()
# if is_marked: print(packet.get_payload())
return
def decode_raw_ip_payload_src_dst(buf):
ip = IP(buf)
return inet_to_str(ip.src), inet_to_str(ip.dst)