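def decode(pkt):
    """Extract (ip, mac) observations from one sniffed frame.

    Walks the EAPOL, DHCP, IP and ARP layers of ``pkt`` (in that order) and
    builds one record per observed endpoint::

        {'ip': ..., 'mac': ..., 'time': ..., 'acq': <layer>, 'valid': <metric>}

    ``acq`` names the layer the observation came from and ``valid`` is the
    trust metric from ``arp.metric``; EAPOL records get a fixed 2 and
    ``'0.0.0.0'`` as IP because no address is known at that stage.

    All records of a frame share a single timestamp taken once at the top,
    so entries from the same packet can be correlated later.

    Args:
        pkt: a scapy packet (anything exposing ``haslayer``/``getlayer``).

    Returns:
        The JSON encoding of the FIRST record only. Any further records
        (e.g. the destination side of an IP datagram) are written to the
        log but otherwise dropped.

    Raises:
        IndexError: if none of the handled layers is present in ``pkt``.
    """
    now = time.time()
    decoded_pkt = []

    def record(ip, mac, acq, valid):
        return {'ip': ip, 'mac': mac, 'time': now, 'acq': acq, 'valid': valid}

    # EAPOL: only the two MACs of the 802.1X exchange are known.
    if pkt.haslayer(EAPOL):
        ether_frame = pkt.getlayer(Ether)
        decoded_pkt.append(record('0.0.0.0', ether_frame.src, 'eapol', 2))
        decoded_pkt.append(record('0.0.0.0', ether_frame.dst, 'eapol', 2))

    # DHCP: bind the requested address to the requester's MAC, but only
    # once a server id is present in the exchange.
    # NOTE(review): assumes the DHCP layer exposes `server_id` and
    # `requested_addr` as attributes - confirm against the scapy build in use.
    if pkt.haslayer(DHCP):
        dhcp_frame = pkt.getlayer(DHCP)
        ether_frame = pkt.getlayer(Ether)
        if dhcp_frame.server_id is not None:
            valid = arp.metric(dhcp_frame.requested_addr)
            decoded_pkt.append(
                record(dhcp_frame.requested_addr, ether_frame.src, 'dhcp', valid)
            )

    # IP: both endpoints of the datagram, source first.
    if pkt.haslayer(IP):
        ip_frame = pkt.getlayer(IP)
        ether_frame = pkt.getlayer(Ether)
        valid_src = arp.metric(ip_frame.src)
        valid_dst = arp.metric(ip_frame.dst)
        decoded_pkt.append(record(ip_frame.src, ether_frame.src, 'ip', valid_src))
        decoded_pkt.append(record(ip_frame.dst, ether_frame.dst, 'ip', valid_dst))

    # ARP: the sender's protocol/hardware address pair.
    if pkt.haslayer(ARP):
        arp_frame = pkt.getlayer(ARP)
        valid = arp.metric(arp_frame.psrc)
        decoded_pkt.append(record(arp_frame.psrc, arp_frame.hwsrc, 'arp', valid))

    log.warning(str(decoded_pkt))
    if not decoded_pkt:
        # Same exception type as the bare decoded_pkt[0] used to raise,
        # but with a message that says what actually went wrong.
        raise IndexError('decode: no EAPOL/DHCP/IP/ARP layer in packet')
    return json.dumps(decoded_pkt[0])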
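def mitm(iface, data, *, probe_timeout=2):
    """Classify an IP change for a known MAC as spoofing or DoS and mitigate.

    Presumably called when the observation ``data`` (``ip``, ``mac``,
    ``time``, ``acq``, ``valid``) carries an IP that differs from the one
    stored for the same MAC; the stored row is passed in ``data['res']``
    (``ip``, ``mac``, ``acq``, ``valid``, ``last_seen``).

    Outcomes:

    * the previously recorded IP still answers an ARP probe -> the incoming
      binding is treated as the impostor: its ARP entry on ``iface`` is
      removed and the recorded binding is re-installed;
    * it does not answer, its metric is no longer 1, and the new observation
      arrived within one ARP TTL of the last sighting -> treated as the
      authorized client having been knocked off (DoS); the incoming entry
      is removed.

    Args:
        iface: interface whose ARP table is edited.
        data: observation dict with the stored row under ``'res'``.
        probe_timeout: seconds to wait for the liveness probe (default 2,
            chosen here; the original call had no bound).

    Returns:
        None. Side effects: ARP-table edits, ``db.add_detection_time`` and
        log output.
    """
    log.default('Detecting MITM => ' + str(data['ip']) + ' = ' + str(data['mac']))
    db_data = data['res']
    i_data_ip = data['ip']
    i_data_mac = data['mac']
    i_data_time = data['time']
    db_data_ip = db_data['ip']
    db_data_mac = db_data['mac']
    db_data_time = db_data['last_seen']

    # Row currently stored for the incoming MAC (both sides share the MAC).
    exists, i_db_data = db.find_mac(i_data_mac)
    if not exists or i_db_data is None:
        # Fall back to the row we were handed so the log line below cannot
        # fail on a missed lookup. NOTE(review): find_mac's return shape on
        # a miss is not visible here - confirm.
        i_db_data = db_data

    def log_detection():
        log.error('MITM Detected => IP: ' + i_db_data['ip'] + ', MAC: ' + i_db_data['mac']
                  + ' ::: Spoofing Client ::: IP: ' + i_data_ip + ', MAC: ' + db_data_mac)

    # Is the previously recorded IP still up? Probe it with a real ARP
    # request. Without a timeout scapy's sr() can wait indefinitely when
    # nobody answers, stalling the whole pipeline.
    # NOTE(review): a forged reply to this probe is not distinguished from a
    # genuine one; the check raises the bar but is not proof of liveness.
    arp_packet = ARP(pdst=db_data_ip)
    ans, _unanswered = sr(arp_packet, timeout=probe_timeout)

    if len(ans.sessions()) >= 1:
        # Recorded owner is alive: the incoming binding is the impostor.
        db.add_detection_time(time.time() - i_data_time)
        log_detection()
        # Mitigation: drop the incoming entry and re-pin the recorded one.
        arp.delete_entry(iface, i_data_ip)
        arp.add_entry(iface, db_data_ip, db_data_mac)
        return

    # No answer: the authorized client may have been taken down (DoS) so
    # that its address could be claimed. Only relevant once its metric has
    # dropped away from 1.
    if arp.metric(db_data_ip) == 1:
        return
    # Count it only if the takeover happened within one ARP TTL of the last
    # time the legitimate binding was seen.
    if (i_data_time - db_data_time) < arp.ttl(iface):
        db.add_detection_time(time.time() - i_data_time)
        arp.delete_entry(iface, i_data_ip)
        log_detection()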
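def decide(iface, sio, data, log):
    """Route one decoded observation to the matching ARP/DB action.

    ``data`` is an observation (``ip``, ``mac``, ``time``, ...) with the row
    already stored for its MAC under ``data['res']``.

    * stored IP == observed IP: refresh last-seen in the DB and update the
      ARP entry on ``iface``;
    * stored IP is ``'0.0.0.0'`` (the MAC was first seen via EAPOL, before
      it had an address): record the newly learned IP and add the ARP entry;
    * stored IP is some other address: the MAC changed IP - hand off to
      ``mitm.mitm``, which probes the old address and decides.

    Args:
        iface: interface whose ARP table is edited.
        sio: not used in this function; kept so callers are unaffected.
        data: observation dict with the stored row under ``'res'``.
        log: not used in this function; kept so callers are unaffected.

    Returns:
        None.
    """
    metric = arp.metric(data['ip'])
    ip = data['ip']
    mac = data['mac']
    seen = data['time']
    previous_ip = data['res']['ip']

    if previous_ip == ip:
        # Same binding as before: only refresh the timestamps.
        db.update_arp(seen, mac, metric)
        arp.update_entry(iface, ip, mac)
    elif previous_ip == '0.0.0.0':
        # First IP learned for a MAC that was captured through EAPOL.
        db.update_arp(seen, mac, metric)
        arp.add_entry(iface, ip, mac)
    else:
        # Known MAC now claims a different IP: spoofing or DoS candidate.
        mitm.mitm(iface, data)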
def add_arp(iface, data):
    """Insert one observed (ip, mac) binding into the ``arp`` table.

    Args:
        iface: not used in this function; kept so callers are unaffected.
        data: observation dict with ``ip``, ``mac``, ``time`` and ``acq``.
            The ``valid`` column is not taken from ``data`` but recomputed
            with ``arp.metric(data['ip'])`` at insert time.

    Returns:
        None. Commits the row and emits a success line via ``d.success``.
    """
    conn = init()
    metric = arp.metric(data['ip'])
    # Parameterized statement: ip/mac originate from sniffed traffic and
    # must never be interpolated into the SQL text.
    sql = 'insert into arp(ip, mac, last_seen, acq, valid) values(?, ?, ?, ?, ?)'
    params = (data['ip'], data['mac'], data['time'], data['acq'], metric)
    cur = conn.cursor()
    cur.execute(sql, params)
    conn.commit()
    # NOTE(review): the connection from init() is not closed here; confirm
    # whether init() hands out a per-call connection or a shared one.
    d.success('Added DB ARP entry => ' + data['ip'] + ' = ' + data['mac'])