/** * @brief Function to extract the header from a packet */ uint8_t extractHttpHdr (const char * udata) { uint32_t j = 0; if (pending_more_hdr_data != 0) { j = strlen((const char *)hdr_data); } if (hdr_data == 0) { hdr_data = (unsigned char *)malloc(sizeof(unsigned char) * hdr_size); if (hdr_data == 0) { if (DEBUG) { write(2, "\n\t[e] --- Unable to allocate sufficient memory!\n", 47); } shandler(0); } } uint8_t eoh = 1; uint32_t data_len = strlen((const char *)udata); while (i < data_len && eoh != 0) { hdr_data[j++] = udata[i++]; /* HERE * maybe check to see if system is little endian or big endian? */ if (i > 3 && (udata[i] == 0x0a && udata[i-1] == 0x0d && udata[i-2] == 0x0a && udata[i-3] == 0x0d)) { if (DEBUG) { write(2, "\n\t[i] --- Found end of header with 0d0a 0d0a\n", 45); } eoh = 0; } else if (i > 3 && (udata[i] == 0x0d && udata[i-1] == 0x0a && udata[i-2] == 0x0d && udata[i-3] == 0x0a)) { if (DEBUG) { write(2, "\n\t[i] --- Found end of header with 0a0d 0a0d\n", 45); } eoh = 0; } else if (j >= hdr_size-1) { if (DEBUG) { write(2, "\n\t[a] --- Resizing header\n", 26); } resizeHdr(); } } return (eoh); }
void packet_listen(char * in_device, char * out_device, char * filter) { struct bpf_program fp; bpf_u_int32 localnet, netmask; /* net addr holders */ char errorbuf[PCAP_ERRBUF_SIZE]; /* buffer to put error strings in */ fprintf( stderr, "Starting tap from %s to %s using filter:\n\t%s\n", in_device, out_device, filter ); pd = pcap_open_live(in_device, snaplen?snaplen:65535, 1, 500, errorbuf); if(pd == NULL) { fatal("start_sniffing(): interface %s open: %s\n", in_device, errorbuf); } if(pcap_compile(pd, &fp, filter, 1, netmask) < 0) { fatal("start_sniffing() FSM compilation failed: \n\t%s\n" "PCAP command: %s\n", pcap_geterr(pd), filter); } /* set the pcap filter */ if(pcap_setfilter(pd, &fp) < 0) { fatal("start_sniffing() setfilter: \n\t%s\n", pcap_geterr(pd)); } /* get data link type */ datalink = pcap_datalink(pd); if(datalink < 0) { fatal("OpenPcap() datalink grab: \n\t%s\n", pcap_geterr(pd)); } if((eth_retrans = eth_open(out_device)) == NULL) fatal("init_retrans() eth_open failed\n"); /* Read all packets on the device. Continue until cnt packets read */ if(pcap_loop(pd, count, (pcap_handler) packet_retrans, NULL) < 0) { fatal("pcap_loop: %s", pcap_geterr(pd)); shandler( 0 ); } return; }
int main(int argc, char *argv[]) { int s, ns; int semaphore_id; int shared_memory_id = 0; uint16_t port; pid_t pid; struct sockaddr_in client; char *tmp_shm_addr; shm_t *g_shm; check_args(&argc, argv, 0); port = (uint16_t) atoi(argv[1]); create_tcp_socket(&s, port); semaphore_id = semaphore_new(SEM_KEY); v(semaphore_id, 1); shared_memory_id = create_shared_memory(SHM_KEY); tmp_shm_addr = associate_shared_memory(shared_memory_id); g_shm = (shm_t *) tmp_shm_addr; while (true) { accept_new_connection(&s, &ns, &client); if ((pid = fork()) == 0) shandler(&ns, semaphore_id, client, g_shm); else { if (pid > 0) fprintf(stderr, "#%d# Father - Created child process: %d\n", getpid(), pid); else { fprintf(stderr, "The fork() function has failed: %s!\n", strerror(errno)); shared_memory_destroy(shared_memory_id); semaphore_destroy(semaphore_id); exit(EXIT_FAILURE); } } } shared_memory_destroy(shared_memory_id); semaphore_destroy(semaphore_id); exit(EXIT_SUCCESS); }
static void fatal(const char *format, ...) { char buf[STDBUF+1]; va_list ap; va_start(ap, format); vsnprintf(buf, STDBUF, format, ap); fprintf(stderr, "ERROR: %s\n", buf); fprintf(stderr,"Fatal Error, Quitting..\n"); va_end(ap); shandler(1); }
int main(int argc, char *argv[]) { int s; uint16_t port = 0; if (argc > 1) port = atoi(argv[1]); create_udp_socket(&s); binding_udp_socket(&s, port); shandler(&s); close(s); return EXIT_SUCCESS; }
/** * @brief Function to resize 'hdr_data' global if necessary */ inline static void resizeHdr(void) { unsigned char * tmp = 0; tmp = (unsigned char *)malloc(sizeof(unsigned char) * hdr_size * 2); if (tmp == 0) { if (DEBUG) { write(2, "\n\t[e] --- Unable to allocate sufficient memory!\n", 47); } shandler(0); } memcpy(tmp, hdr_data, hdr_size); free(hdr_data); hdr_data = tmp; hdr_size *= 2; }
int main ( int argc , char *argv[] ) { /* parameters parsing */ int c; /* pcap */ char errbuf[PCAP_ERRBUF_SIZE]; struct bpf_program fp; char filter_exp[] = "ip and tcp"; char *source = 0; char *filter = filter_exp; const unsigned char *packet = 0; struct pcap_pkthdr header; /* packet dissection */ struct ip *ip; unsigned int error; /* extra */ unsigned int ipf,tcps; fprintf( stderr, "\n###########################" ); fprintf( stderr, "\n# libntoh Example #" ); fprintf( stderr, "\n# ----------------------- #" ); fprintf( stderr, "\n# Written by Chema Garcia #" ); fprintf( stderr, "\n# ----------------------- #" ); fprintf( stderr, "\n# http://safetybits.net #" ); fprintf( stderr, "\n# [email protected] #" ); fprintf( stderr, "\n###########################\n" ); fprintf( stderr, "\n[i] libntoh version: %s\n", ntoh_version() ); if ( argc < 3 ) { fprintf( stderr, "\n[+] Usage: %s <options>\n", argv[0] ); fprintf( stderr, "\n+ Options:" ); fprintf( stderr, "\n\t-i | --iface <val> -----> Interface to read packets from" ); fprintf( stderr, "\n\t-f | --file <val> ------> File path to read packets from" ); fprintf( stderr, "\n\t-F | --filter <val> ----> Capture filter (default: \"ip and tcp\")" ); fprintf( stderr, "\n\t-c | --client ----------> Receive client data"); fprintf( stderr, "\n\t-s | --server ----------> Receive server data\n\n"); exit( 1 ); } /* check parameters */ while ( 1 ) { int option_index = 0; static struct option long_options[] = { { "iface" , 1 , 0 , 'i' } , { "file" , 1 , 0 , 'f' } , { "filter" , 1 , 0 , 'F' } , { "client" , 0 , 0 , 'c' }, { "server" , 0 , 0 , 's' }, { 0 , 0 , 0 , 0 } }; if ( ( c = getopt_long( argc, argv, "i:f:F:cs", long_options, &option_index ) ) < 0 ) break; switch ( c ) { case 'i': source = optarg; handle = pcap_open_live( optarg, 65535, 1, 0, errbuf ); break; case 'f': source = optarg; handle = pcap_open_offline( optarg, errbuf ); break; case 'F': filter = optarg; break; case 'c': receive |= RECV_CLIENT; break; case 's': receive |= RECV_SERVER; break; } } if ( !receive ) receive = (RECV_CLIENT | RECV_SERVER); if ( !handle ) { fprintf( stderr, "\n[e] Error loading %s: %s\n", source, errbuf ); exit( -1 ); } if ( pcap_compile( handle, &fp, filter, 0, 0 ) < 0 ) { fprintf( stderr, "\n[e] Error compiling filter \"%s\": %s\n\n", filter, pcap_geterr( handle ) ); pcap_close( handle ); exit( -2 ); } if ( pcap_setfilter( handle, &fp ) < 0 ) { fprintf( stderr, "\n[e] Cannot set filter \"%s\": %s\n\n", filter, pcap_geterr( handle ) ); pcap_close( handle ); exit( -3 ); } pcap_freecode( &fp ); /* verify datalink */ if ( pcap_datalink( handle ) != DLT_EN10MB ) { fprintf ( stderr , "\n[e] libntoh is independent from link layer, but this example only works with ethernet link layer\n"); pcap_close ( handle ); exit ( -4 ); } fprintf( stderr, "\n[i] Source: %s / %s", source, pcap_datalink_val_to_description( pcap_datalink( handle ) ) ); fprintf( stderr, "\n[i] Filter: %s", filter ); fprintf( stderr, "\n[i] Receive data from client: "); if ( receive & RECV_CLIENT ) fprintf( stderr , "Yes"); else fprintf( stderr , "No"); fprintf( stderr, "\n[i] Receive data from server: "); if ( receive & RECV_SERVER ) fprintf( stderr , "Yes"); else fprintf( stderr , "No"); signal( SIGINT, &shandler ); signal( SIGTERM, &shandler ); /*******************************************/ /** libntoh initialization process starts **/ /*******************************************/ ntoh_init (); if ( ! (tcp_session = ntoh_tcp_new_session ( 0 , 0 , &error ) ) ) { fprintf ( stderr , "\n[e] Error %d creating TCP session: %s" , error , ntoh_get_errdesc ( error ) ); exit ( -5 ); } fprintf ( stderr , "\n[i] Max. TCP streams allowed: %d" , ntoh_tcp_get_size ( tcp_session ) ); if ( ! (ipv4_session = ntoh_ipv4_new_session ( 0 , 0 , &error )) ) { ntoh_tcp_free_session ( tcp_session ); fprintf ( stderr , "\n[e] Error %d creating IPv4 session: %s" , error , ntoh_get_errdesc ( error ) ); exit ( -6 ); } fprintf ( stderr , "\n[i] Max. IPv4 flows allowed: %d\n\n" , ntoh_ipv4_get_size ( ipv4_session ) ); /* capture starts */ while ( ( packet = pcap_next( handle, &header ) ) != 0 ) { /* get packet headers */ ip = (struct ip*) ( packet + sizeof ( struct ether_header ) ); if ( (ip->ip_hl * 4 ) < sizeof(struct ip) ) continue; /* it is an IPv4 fragment */ if ( NTOH_IPV4_IS_FRAGMENT(ip->ip_off) ) send_ipv4_fragment ( ip , &ipv4_callback ); /* or a TCP segment */ else if ( ip->ip_p == IPPROTO_TCP ) send_tcp_segment ( ip , &tcp_callback ); } tcps = ntoh_tcp_count_streams( tcp_session ); ipf = ntoh_ipv4_count_flows ( ipv4_session ); /* no streams left */ if ( ipf + tcps > 0 ) { fprintf( stderr, "\n\n[+] There are currently %i stored TCP stream(s) and %i IPv4 flow(s). You can wait them to get closed or press CTRL+C\n" , tcps , ipf ); pause(); } shandler( 0 ); //dummy return return 0; }
/** * @brief Create the firnger print from a HTTP header */ int * pcktFingerPrint(const unsigned char * curPcktData, const uint32_t dataLen) { if(curPcktData == 0 || dataLen == 0) { if (DEBUG) { write(2, "There was not header to parse\n", 30); } return (0); } i = 0; if (DEBUG) { strcpy (buf, "\n\t-----\tHEADER BEGIN\t-----\n"); write (2, buf, 27); while (i < dataLen) { write(2, (const char *)(&(curPcktData[i++])), 1); fflush(stderr); } strcpy (buf, "\n\t------\tHEADER END\t------\n"); write (2, buf, 27); fflush(stderr); } i = 0; int32_t cmd = 8; int32_t cmdSet = 0; int32_t proto = 8; int32_t protoSet = 0; uint32_t len = dataLen; //calculated during parsing int32_t var = 0; int32_t pcnt = 0; int32_t apos = 0; int32_t plus = 0; int32_t cdot = 0; int32_t bckslsh = 0; int32_t oparen = 0; int32_t cparen = 0; int32_t fwrd = 0; int32_t lt = 0; int32_t gt = 0; int32_t qstnmrk = 0; unsigned char *target = 0; int32_t *fngPnt = malloc(sizeof(int32_t) * fngPntLen); if (fngPnt == 0) { if (DEBUG) { write(2, "\n\t[e] --- Unable to allocate sufficient memory\n", 47); } shandler(0); } target = (unsigned char *)curPcktData; for(;(*target != '\n' && *target != '\r') && i < len; i++) { if(protoSet == 0 && (*target == 48 || *target == 49)) //proto { target++; if(*target == 46) //http version { target++; if(*target == 48) { proto = 2; protoSet = 1; } else if(*target == 57) { proto = 1; protoSet = 1; } else if(*target == 49) { proto = 4; protoSet = 1; } else { target--; target--; } } else { target--; } } if(cmdSet == 0 && *target == 71) //cmd get { target++; if(*target == 69) { target++; if(*target == 84) { cmd = 1; cmdSet = 1; } else { target--; } } else { target--; } } if(*target == 72 && cmdSet == 0) //cmd head { target++; if(*target == 69) { target++; if(*target == 65) { target++; if(*target == 68) { cmd = 4; cmdSet = 1; } else { target--; } } else { target--; } } else { target--; } } if(*target == 80 && cmdSet == 0) //cmd post { target++; if(*target == 79) { target++; if(*target == 83) { target++; if(*target == 84) { cmd = 2; cmdSet = 1; } else { target--; } } else { target--; } } else { target--; } } if(*target == 46) //.. counter { target++; if(*target == 46) { cdot++; } else { target--; } } if(*target == 47) { // // counter target++; if(*target == 47) { fwrd++; } else { target--; } } if(*target == 63) { //conditional for variables qstnmrk = 1; } else if(*target == 37) { //percent counter pcnt++; } else if (qstnmrk == 1 && *target == 38) //variable counter { var++; } else if(*target == 39) { //apostrophe counter apos++; } else if(*target == 43) { //addition counter plus++; } else if(*target == 40) { //open parentheses counter oparen++; } else if(*target == 41) { //close parentheses counter cparen++; } else if(*target == 60) { //less than counter lt++; } else if(*target == 62) { //greater than counter gt++; } else if(*target == 92) { //backslash counter bckslsh++; } target++; } /*FINGER PRINT EXPLANATION: * array of integers, each slot contains a specified number (integer) that represents the character count *INDEX 0 HTTP command GET = 1 POST = 2 HEAD = 4 OTHER = 8 *INDEX 1 HTTP PROTOCOL 0.9 = 1 1.0 = 1 1.1 = 4 OTHER = 8 *INDEX 2 LENGTH # OF CHARS *INDEX 3 VARIABLES # OF INPUT *INDEX 4 PERCENT # OF % *INDEX 5 APOS # OF ' *INDEX 6 PLUS # OF + *INDEX 7 CDOT # OF .. *INDEX 8 BACKSLASH # OF \ *INDEX 9 OPAREN # OF ( *INDEX 10 CPAREN # OF ) *INDEX 11 FORWARD # OF // *INDEX 12 LT # OF < *INDEX 13 GT # OF > */ fngPnt[0] = cmd; fngPnt[1] = proto; fngPnt[2] = len; fngPnt[3] = var; fngPnt[4] = pcnt; fngPnt[5] = apos; fngPnt[6] = plus; fngPnt[7] = cdot; fngPnt[8] = bckslsh; fngPnt[9] = oparen; fngPnt[10] = cparen; fngPnt[11] = fwrd; fngPnt[12] = lt; fngPnt[13] = gt; return (fngPnt); }
int main (int argc , char *argv[]) { signal( SIGINT, &shandler ); signal( SIGTERM, &shandler ); signal( SIGSEGV, &shandler ); write(2, "\n\t\t######################################", 41); write(2, "\n\t\t# Dump HTTP Sigs #", 41); write(2, "\n\t\t# ---------------------------------- #", 41); write(2, "\n\t\t# Written by Ernest Richards #", 41); write(2, "\n\t\t# Based on code from Chema Garcia #", 41); write(2, "\n\t\t# ---------------------------------- #", 41); write(2, "\n\t\t# Github.com/ernesto341/ais-research #", 41); write(2, "\n\t\t######################################\n", 42); write(2, "\n\t\tX ----- Active ----- X\n\n", 43); if (DEBUG) { sprintf(buf, "\n[i] libntoh version: %s\n", ntoh_version()); write(2, buf, strlen(buf)); } if ( argc < 3 ) { sprintf(buf, "\n[+] Usage: %s <options>\n", argv[0]); write(2, buf, strlen(buf)); write(2, "\n+ Options:", 11); // 28 write(2, "\n\t-i | --iface <val> -----> Interface to read packets from", 58); write(2, "\n\t-f | --file <val> ------> File path to read packets from", 58); write(2, "\n\t-F | --filter <val> ----> Capture filter (must contain \"tcp\" or \"ip\")", 71); write(2, "\n\t-c | --client ----------> Receive client data only", 52); write(2, "\n\t-s | --server ----------> Receive server data only\n\n", 54); exit(1); } /* parameters parsing */ int32_t c = 0; /* pcap */ char errbuf[PCAP_ERRBUF_SIZE]; struct bpf_program fp; char filter_exp[] = "ip"; char *source = 0; char *filter = filter_exp; const unsigned char *packet = 0; struct pcap_pkthdr header; /* packet dissection */ struct ip *ip; uint32_t error = 0; /* extra */ uint32_t ipf, tcps; /* check parameters */ while ( c >= 0 ) { int32_t option_index = 0; static struct option long_options[] = { { "iface" , 1 , 0 , 'i' }, { "file" , 1 , 0 , 'f' }, { "filter" , 1 , 0 , 'F' }, { "client" , 0 , 0 , 'c' }, { "server" , 0 , 0 , 's' }, { 0 , 0 , 0 , 0 } }; c = getopt_long( argc, argv, "i:f:F:cs", long_options, &option_index ); if (c >= 0) { switch ( c ) { case 'i': source = optarg; handle = pcap_open_live( optarg, 65535, 1, 0, errbuf ); break; case 'f': source = optarg; handle = pcap_open_offline( optarg, errbuf ); break; case 'F': filter = optarg; break; case 'c': receive |= RECV_CLIENT; break; case 's': receive |= RECV_SERVER; break; } } } if ( !receive ) { receive = (RECV_CLIENT | RECV_SERVER); } if ( !handle ) { if (DEBUG) { fprintf( stderr, "\n[e] Error loading %s: %s\n", source, errbuf ); } exit( -1 ); } if ( pcap_compile( handle, &fp, filter, 0, 0 ) < 0 ) { if (DEBUG) { fprintf( stderr, "\n[e] Error compiling filter \"%s\": %s\n\n", filter, pcap_geterr( handle ) ); } pcap_close( handle ); exit( -2 ); } if ( pcap_setfilter( handle, &fp ) < 0 ) { if (DEBUG) { fprintf( stderr, "\n[e] Cannot set filter \"%s\": %s\n\n", filter, pcap_geterr( handle ) ); } pcap_close( handle ); exit( -3 ); } pcap_freecode( &fp ); /* verify datalink */ if ( pcap_datalink( handle ) != DLT_EN10MB ) { if (DEBUG) { fprintf ( stderr , "\n[e] libntoh is independent from link layer, but this code only works with ethernet link layer\n"); } pcap_close ( handle ); exit ( -4 ); } if (DEBUG) { fprintf( stderr, "\n[i] Source: %s / %s", source, pcap_datalink_val_to_description( pcap_datalink( handle ) ) ); fprintf( stderr, "\n[i] Filter: %s", filter ); fprintf( stderr, "\n[i] Receive data from client: "); if ( receive & RECV_CLIENT ) { fprintf( stderr , "Yes"); } else { fprintf( stderr , "No"); } fprintf( stderr, "\n[i] Receive data from server: "); if ( receive & RECV_SERVER ) { fprintf( stderr , "Yes"); } else { fprintf( stderr , "No"); } } /*******************************************/ /** libntoh initialization process starts **/ /*******************************************/ initMem(&snc); /* fork and exec retrieve in retdir */ char *null_args[] = {NULL}; char *null_envp[] = {NULL}; if ((ret_pid = fork()) == 0) /* child */ { if (execve((char *)"./retdir/retrieve\0", null_args, null_envp) < 0) { perror("execve()"); shandler(-1); } } else { if ((t5Convert = (sig_atomic_t *)malloc(sizeof(sig_atomic_t) * t5TplLen)) < (sig_atomic_t *)0) { write(2, "\n\t[e] --- Unable to allocate sufficient memory\n", 47); fflush(stderr); _exit(-1); } ntoh_init (); if ( ! (tcp_session = ntoh_tcp_new_session ( 0 , 0 , &error ) ) ) { if (DEBUG) { fprintf ( stderr , "\n[e] Error %d creating TCP session: %s" , error , ntoh_get_errdesc ( error ) ); } exit ( -5 ); } if (DEBUG) { fprintf ( stderr , "\n[i] Max. TCP streams allowed: %d" , ntoh_tcp_get_size ( tcp_session ) ); } if ( ! (ipv4_session = ntoh_ipv4_new_session ( 0 , 0 , &error )) ) { ntoh_tcp_free_session ( tcp_session ); if (DEBUG) { fprintf ( stderr , "\n[e] Error %d creating IPv4 session: %s" , error , ntoh_get_errdesc ( error ) ); } exit ( -6 ); } if (DEBUG) { fprintf ( stderr , "\n[i] Max. IPv4 flows allowed: %d\n\n" , ntoh_ipv4_get_size ( ipv4_session ) ); fflush(stderr); } /* capture starts */ /* accept signal from consumer to quit */ while ( ( packet = pcap_next( handle, &header ) ) != 0 && snc.smem.shm[CTL][FLAGS] != CDONE) { static int pc = 0; fprintf(stdout, "Packet %d\n", ++pc); fflush(stdout); /* get packet headers */ ip = (struct ip*) ( packet + sizeof ( struct ether_header ) ); if ( (ip->ip_hl * 4 ) < (int)sizeof(struct ip) ) { continue; } /* it is an IPv4 fragment */ if ( NTOH_IPV4_IS_FRAGMENT(ip->ip_off) ) { send_ipv4_fragment ( ip , &ipv4_callback ); } /* or a TCP segment */ else if ( ip->ip_p == IPPROTO_TCP ) { send_tcp_segment ( ip , &tcp_callback ); } } if (snc.smem.shm[CTL][FLAGS] == CDONE) { shandler( 0 ); } tcps = ntoh_tcp_count_streams( tcp_session ); ipf = ntoh_ipv4_count_flows ( ipv4_session ); /* no streams left */ if ( ipf + tcps > 0 ) { if (DEBUG) { fprintf( stderr, "\n\n[+] There are currently %i stored TCP stream(s) and %i IPv4 flow(s). You can wait for them to get closed or press CTRL+C\n" , tcps , ipf ); pause(); } } shandler( 0 ); } //dummy return, should never be called return (0); }