/**
* @brief Function to extract the header from a packet
*/
uint8_t extractHttpHdr (const char * udata)
{
uint32_t j = 0;
if (pending_more_hdr_data != 0)
{
j = strlen((const char *)hdr_data);
}
if (hdr_data == 0)
{
hdr_data = (unsigned char *)malloc(sizeof(unsigned char) * hdr_size);
if (hdr_data == 0)
{
if (DEBUG)
{
write(2, "\n\t[e] --- Unable to allocate sufficient memory!\n", 47);
}
shandler(0);
}
}
uint8_t eoh = 1;
uint32_t data_len = strlen((const char *)udata);
while (i < data_len && eoh != 0)
{
hdr_data[j++] = udata[i++];
/* HERE
* maybe check to see if system is little endian or big endian?
*/
if (i > 3 && (udata[i] == 0x0a && udata[i-1] == 0x0d && udata[i-2] == 0x0a && udata[i-3] == 0x0d))
{
if (DEBUG)
{
write(2, "\n\t[i] --- Found end of header with 0d0a 0d0a\n", 45);
}
eoh = 0;
}
else if (i > 3 && (udata[i] == 0x0d && udata[i-1] == 0x0a && udata[i-2] == 0x0d && udata[i-3] == 0x0a))
{
if (DEBUG)
{
write(2, "\n\t[i] --- Found end of header with 0a0d 0a0d\n", 45);
}
eoh = 0;
}
else if (j >= hdr_size-1)
{
if (DEBUG)
{
write(2, "\n\t[a] --- Resizing header\n", 26);
}
resizeHdr();
}
}
return (eoh);
}
void packet_listen(char * in_device, char * out_device, char * filter)
{
struct bpf_program fp;
bpf_u_int32 localnet, netmask; /* net addr holders */
char errorbuf[PCAP_ERRBUF_SIZE]; /* buffer to put error strings in */
fprintf( stderr, "Starting tap from %s to %s using filter:\n\t%s\n",
in_device, out_device, filter );
pd = pcap_open_live(in_device,
snaplen?snaplen:65535,
1,
500,
errorbuf);
if(pd == NULL)
{
fatal("start_sniffing(): interface %s open: %s\n", in_device, errorbuf);
}
if(pcap_compile(pd, &fp, filter, 1, netmask) < 0)
{
fatal("start_sniffing() FSM compilation failed: \n\t%s\n"
"PCAP command: %s\n", pcap_geterr(pd), filter);
}
/* set the pcap filter */
if(pcap_setfilter(pd, &fp) < 0)
{
fatal("start_sniffing() setfilter: \n\t%s\n",
pcap_geterr(pd));
}
/* get data link type */
datalink = pcap_datalink(pd);
if(datalink < 0)
{
fatal("OpenPcap() datalink grab: \n\t%s\n",
pcap_geterr(pd));
}
if((eth_retrans = eth_open(out_device)) == NULL)
fatal("init_retrans() eth_open failed\n");
/* Read all packets on the device. Continue until cnt packets read */
if(pcap_loop(pd, count, (pcap_handler) packet_retrans, NULL) < 0)
{
fatal("pcap_loop: %s", pcap_geterr(pd));
shandler( 0 );
}
return;
}
int main(int argc, char *argv[])
{
int s, ns;
int semaphore_id;
int shared_memory_id = 0;
uint16_t port;
pid_t pid;
struct sockaddr_in client;
char *tmp_shm_addr;
shm_t *g_shm;
check_args(&argc, argv, 0);
port = (uint16_t) atoi(argv[1]);
create_tcp_socket(&s, port);
semaphore_id = semaphore_new(SEM_KEY);
v(semaphore_id, 1);
shared_memory_id = create_shared_memory(SHM_KEY);
tmp_shm_addr = associate_shared_memory(shared_memory_id);
g_shm = (shm_t *) tmp_shm_addr;
while (true) {
accept_new_connection(&s, &ns, &client);
if ((pid = fork()) == 0)
shandler(&ns, semaphore_id, client, g_shm);
else {
if (pid > 0)
fprintf(stderr, "#%d# Father - Created child process: %d\n", getpid(), pid);
else {
fprintf(stderr, "The fork() function has failed: %s!\n", strerror(errno));
shared_memory_destroy(shared_memory_id);
semaphore_destroy(semaphore_id);
exit(EXIT_FAILURE);
}
}
}
shared_memory_destroy(shared_memory_id);
semaphore_destroy(semaphore_id);
exit(EXIT_SUCCESS);
}
static void fatal(const char *format, ...)
{
char buf[STDBUF+1];
va_list ap;
va_start(ap, format);
vsnprintf(buf, STDBUF, format, ap);
fprintf(stderr, "ERROR: %s\n", buf);
fprintf(stderr,"Fatal Error, Quitting..\n");
va_end(ap);
shandler(1);
}
int main(int argc, char *argv[])
{
int s;
uint16_t port = 0;
if (argc > 1)
port = atoi(argv[1]);
create_udp_socket(&s);
binding_udp_socket(&s, port);
shandler(&s);
close(s);
return EXIT_SUCCESS;
}
/**
* @brief Function to resize 'hdr_data' global if necessary
*/
inline static void resizeHdr(void)
{
unsigned char * tmp = 0;
tmp = (unsigned char *)malloc(sizeof(unsigned char) * hdr_size * 2);
if (tmp == 0)
{
if (DEBUG)
{
write(2, "\n\t[e] --- Unable to allocate sufficient memory!\n", 47);
}
shandler(0);
}
memcpy(tmp, hdr_data, hdr_size);
free(hdr_data);
hdr_data = tmp;
hdr_size *= 2;
}
int main ( int argc , char *argv[] )
{
/* parameters parsing */
int c;
/* pcap */
char errbuf[PCAP_ERRBUF_SIZE];
struct bpf_program fp;
char filter_exp[] = "ip and tcp";
char *source = 0;
char *filter = filter_exp;
const unsigned char *packet = 0;
struct pcap_pkthdr header;
/* packet dissection */
struct ip *ip;
unsigned int error;
/* extra */
unsigned int ipf,tcps;
fprintf( stderr, "\n###########################" );
fprintf( stderr, "\n# libntoh Example #" );
fprintf( stderr, "\n# ----------------------- #" );
fprintf( stderr, "\n# Written by Chema Garcia #" );
fprintf( stderr, "\n# ----------------------- #" );
fprintf( stderr, "\n# http://safetybits.net #" );
fprintf( stderr, "\n# [email protected] #" );
fprintf( stderr, "\n###########################\n" );
fprintf( stderr, "\n[i] libntoh version: %s\n", ntoh_version() );
if ( argc < 3 )
{
fprintf( stderr, "\n[+] Usage: %s <options>\n", argv[0] );
fprintf( stderr, "\n+ Options:" );
fprintf( stderr, "\n\t-i | --iface <val> -----> Interface to read packets from" );
fprintf( stderr, "\n\t-f | --file <val> ------> File path to read packets from" );
fprintf( stderr, "\n\t-F | --filter <val> ----> Capture filter (default: \"ip and tcp\")" );
fprintf( stderr, "\n\t-c | --client ----------> Receive client data");
fprintf( stderr, "\n\t-s | --server ----------> Receive server data\n\n");
exit( 1 );
}
/* check parameters */
while ( 1 )
{
int option_index = 0;
static struct option long_options[] =
{
{ "iface" , 1 , 0 , 'i' } ,
{ "file" , 1 , 0 , 'f' } ,
{ "filter" , 1 , 0 , 'F' } ,
{ "client" , 0 , 0 , 'c' },
{ "server" , 0 , 0 , 's' },
{ 0 , 0 , 0 , 0 } };
if ( ( c = getopt_long( argc, argv, "i:f:F:cs", long_options, &option_index ) ) < 0 )
break;
switch ( c )
{
case 'i':
source = optarg;
handle = pcap_open_live( optarg, 65535, 1, 0, errbuf );
break;
case 'f':
source = optarg;
handle = pcap_open_offline( optarg, errbuf );
break;
case 'F':
filter = optarg;
break;
case 'c':
receive |= RECV_CLIENT;
break;
case 's':
receive |= RECV_SERVER;
break;
}
}
if ( !receive )
receive = (RECV_CLIENT | RECV_SERVER);
if ( !handle )
{
fprintf( stderr, "\n[e] Error loading %s: %s\n", source, errbuf );
exit( -1 );
}
if ( pcap_compile( handle, &fp, filter, 0, 0 ) < 0 )
{
fprintf( stderr, "\n[e] Error compiling filter \"%s\": %s\n\n", filter, pcap_geterr( handle ) );
pcap_close( handle );
exit( -2 );
}
if ( pcap_setfilter( handle, &fp ) < 0 )
{
fprintf( stderr, "\n[e] Cannot set filter \"%s\": %s\n\n", filter, pcap_geterr( handle ) );
pcap_close( handle );
exit( -3 );
}
pcap_freecode( &fp );
/* verify datalink */
if ( pcap_datalink( handle ) != DLT_EN10MB )
{
fprintf ( stderr , "\n[e] libntoh is independent from link layer, but this example only works with ethernet link layer\n");
pcap_close ( handle );
exit ( -4 );
}
fprintf( stderr, "\n[i] Source: %s / %s", source, pcap_datalink_val_to_description( pcap_datalink( handle ) ) );
fprintf( stderr, "\n[i] Filter: %s", filter );
fprintf( stderr, "\n[i] Receive data from client: ");
if ( receive & RECV_CLIENT )
fprintf( stderr , "Yes");
else
fprintf( stderr , "No");
fprintf( stderr, "\n[i] Receive data from server: ");
if ( receive & RECV_SERVER )
fprintf( stderr , "Yes");
else
fprintf( stderr , "No");
signal( SIGINT, &shandler );
signal( SIGTERM, &shandler );
/*******************************************/
/** libntoh initialization process starts **/
/*******************************************/
ntoh_init ();
if ( ! (tcp_session = ntoh_tcp_new_session ( 0 , 0 , &error ) ) )
{
fprintf ( stderr , "\n[e] Error %d creating TCP session: %s" , error , ntoh_get_errdesc ( error ) );
exit ( -5 );
}
fprintf ( stderr , "\n[i] Max. TCP streams allowed: %d" , ntoh_tcp_get_size ( tcp_session ) );
if ( ! (ipv4_session = ntoh_ipv4_new_session ( 0 , 0 , &error )) )
{
ntoh_tcp_free_session ( tcp_session );
fprintf ( stderr , "\n[e] Error %d creating IPv4 session: %s" , error , ntoh_get_errdesc ( error ) );
exit ( -6 );
}
fprintf ( stderr , "\n[i] Max. IPv4 flows allowed: %d\n\n" , ntoh_ipv4_get_size ( ipv4_session ) );
/* capture starts */
while ( ( packet = pcap_next( handle, &header ) ) != 0 )
{
/* get packet headers */
ip = (struct ip*) ( packet + sizeof ( struct ether_header ) );
if ( (ip->ip_hl * 4 ) < sizeof(struct ip) )
continue;
/* it is an IPv4 fragment */
if ( NTOH_IPV4_IS_FRAGMENT(ip->ip_off) )
send_ipv4_fragment ( ip , &ipv4_callback );
/* or a TCP segment */
else if ( ip->ip_p == IPPROTO_TCP )
send_tcp_segment ( ip , &tcp_callback );
}
tcps = ntoh_tcp_count_streams( tcp_session );
ipf = ntoh_ipv4_count_flows ( ipv4_session );
/* no streams left */
if ( ipf + tcps > 0 )
{
fprintf( stderr, "\n\n[+] There are currently %i stored TCP stream(s) and %i IPv4 flow(s). You can wait them to get closed or press CTRL+C\n" , tcps , ipf );
pause();
}
shandler( 0 );
//dummy return
return 0;
}
/**
* @brief Create the firnger print from a HTTP header
*/
int * pcktFingerPrint(const unsigned char * curPcktData, const uint32_t dataLen)
{
if(curPcktData == 0 || dataLen == 0)
{
if (DEBUG)
{
write(2, "There was not header to parse\n", 30);
}
return (0);
}
i = 0;
if (DEBUG)
{
strcpy (buf, "\n\t-----\tHEADER BEGIN\t-----\n");
write (2, buf, 27);
while (i < dataLen)
{
write(2, (const char *)(&(curPcktData[i++])), 1);
fflush(stderr);
}
strcpy (buf, "\n\t------\tHEADER END\t------\n");
write (2, buf, 27);
fflush(stderr);
}
i = 0;
int32_t cmd = 8;
int32_t cmdSet = 0;
int32_t proto = 8;
int32_t protoSet = 0;
uint32_t len = dataLen; //calculated during parsing
int32_t var = 0;
int32_t pcnt = 0;
int32_t apos = 0;
int32_t plus = 0;
int32_t cdot = 0;
int32_t bckslsh = 0;
int32_t oparen = 0;
int32_t cparen = 0;
int32_t fwrd = 0;
int32_t lt = 0;
int32_t gt = 0;
int32_t qstnmrk = 0;
unsigned char *target = 0;
int32_t *fngPnt = malloc(sizeof(int32_t) * fngPntLen);
if (fngPnt == 0)
{
if (DEBUG)
{
write(2, "\n\t[e] --- Unable to allocate sufficient memory\n", 47);
}
shandler(0);
}
target = (unsigned char *)curPcktData;
for(;(*target != '\n' && *target != '\r') && i < len; i++)
{
if(protoSet == 0 && (*target == 48 || *target == 49)) //proto
{
target++;
if(*target == 46) //http version
{
target++;
if(*target == 48)
{
proto = 2;
protoSet = 1;
}
else if(*target == 57)
{
proto = 1;
protoSet = 1;
}
else if(*target == 49)
{
proto = 4;
protoSet = 1;
}
else
{
target--;
target--;
}
}
else
{
target--;
}
}
if(cmdSet == 0 && *target == 71) //cmd get
{
target++;
if(*target == 69)
{
target++;
if(*target == 84)
{
cmd = 1;
cmdSet = 1;
}
else
{
target--;
}
}
else
{
target--;
}
}
if(*target == 72 && cmdSet == 0) //cmd head
{
target++;
if(*target == 69)
{
target++;
if(*target == 65)
{
target++;
if(*target == 68)
{
cmd = 4;
cmdSet = 1;
}
else
{
target--;
}
}
else
{
target--;
}
}
else
{
target--;
}
}
if(*target == 80 && cmdSet == 0) //cmd post
{
target++;
if(*target == 79)
{
target++;
if(*target == 83)
{
target++;
if(*target == 84)
{
cmd = 2;
cmdSet = 1;
}
else
{
target--;
}
}
else
{
target--;
}
}
else
{
target--;
}
}
if(*target == 46) //.. counter
{
target++;
if(*target == 46)
{
cdot++;
}
else
{
target--;
}
}
if(*target == 47)
{ // // counter
target++;
if(*target == 47)
{
fwrd++;
}
else
{
target--;
}
}
if(*target == 63)
{ //conditional for variables
qstnmrk = 1;
}
else if(*target == 37)
{ //percent counter
pcnt++;
}
else if (qstnmrk == 1 && *target == 38) //variable counter
{
var++;
}
else if(*target == 39)
{ //apostrophe counter
apos++;
}
else if(*target == 43)
{ //addition counter
plus++;
}
else if(*target == 40)
{ //open parentheses counter
oparen++;
}
else if(*target == 41)
{ //close parentheses counter
cparen++;
}
else if(*target == 60)
{ //less than counter
lt++;
}
else if(*target == 62)
{ //greater than counter
gt++;
}
else if(*target == 92)
{ //backslash counter
bckslsh++;
}
target++;
}
/*FINGER PRINT EXPLANATION:
* array of integers, each slot contains a specified number (integer) that represents the character count
*INDEX 0 HTTP command GET = 1 POST = 2 HEAD = 4 OTHER = 8
*INDEX 1 HTTP PROTOCOL 0.9 = 1 1.0 = 1 1.1 = 4 OTHER = 8
*INDEX 2 LENGTH # OF CHARS
*INDEX 3 VARIABLES # OF INPUT
*INDEX 4 PERCENT # OF %
*INDEX 5 APOS # OF '
*INDEX 6 PLUS # OF +
*INDEX 7 CDOT # OF ..
*INDEX 8 BACKSLASH # OF \
*INDEX 9 OPAREN # OF (
*INDEX 10 CPAREN # OF )
*INDEX 11 FORWARD # OF //
*INDEX 12 LT # OF <
*INDEX 13 GT # OF >
*/
fngPnt[0] = cmd;
fngPnt[1] = proto;
fngPnt[2] = len;
fngPnt[3] = var;
fngPnt[4] = pcnt;
fngPnt[5] = apos;
fngPnt[6] = plus;
fngPnt[7] = cdot;
fngPnt[8] = bckslsh;
fngPnt[9] = oparen;
fngPnt[10] = cparen;
fngPnt[11] = fwrd;
fngPnt[12] = lt;
fngPnt[13] = gt;
return (fngPnt);
}
int main (int argc , char *argv[])
{
signal( SIGINT, &shandler );
signal( SIGTERM, &shandler );
signal( SIGSEGV, &shandler );
write(2, "\n\t\t######################################", 41);
write(2, "\n\t\t# Dump HTTP Sigs #", 41);
write(2, "\n\t\t# ---------------------------------- #", 41);
write(2, "\n\t\t# Written by Ernest Richards #", 41);
write(2, "\n\t\t# Based on code from Chema Garcia #", 41);
write(2, "\n\t\t# ---------------------------------- #", 41);
write(2, "\n\t\t# Github.com/ernesto341/ais-research #", 41);
write(2, "\n\t\t######################################\n", 42);
write(2, "\n\t\tX ----- Active ----- X\n\n", 43);
if (DEBUG)
{
sprintf(buf, "\n[i] libntoh version: %s\n", ntoh_version());
write(2, buf, strlen(buf));
}
if ( argc < 3 )
{
sprintf(buf, "\n[+] Usage: %s <options>\n", argv[0]);
write(2, buf, strlen(buf));
write(2, "\n+ Options:", 11); // 28
write(2, "\n\t-i | --iface <val> -----> Interface to read packets from", 58);
write(2, "\n\t-f | --file <val> ------> File path to read packets from", 58);
write(2, "\n\t-F | --filter <val> ----> Capture filter (must contain \"tcp\" or \"ip\")", 71);
write(2, "\n\t-c | --client ----------> Receive client data only", 52);
write(2, "\n\t-s | --server ----------> Receive server data only\n\n", 54);
exit(1);
}
/* parameters parsing */
int32_t c = 0;
/* pcap */
char errbuf[PCAP_ERRBUF_SIZE];
struct bpf_program fp;
char filter_exp[] = "ip";
char *source = 0;
char *filter = filter_exp;
const unsigned char *packet = 0;
struct pcap_pkthdr header;
/* packet dissection */
struct ip *ip;
uint32_t error = 0;
/* extra */
uint32_t ipf, tcps;
/* check parameters */
while ( c >= 0 )
{
int32_t option_index = 0;
static struct option long_options[] =
{
{ "iface" , 1 , 0 , 'i' },
{ "file" , 1 , 0 , 'f' },
{ "filter" , 1 , 0 , 'F' },
{ "client" , 0 , 0 , 'c' },
{ "server" , 0 , 0 , 's' },
{ 0 , 0 , 0 , 0 }
};
c = getopt_long( argc, argv, "i:f:F:cs", long_options, &option_index );
if (c >= 0)
{
switch ( c )
{
case 'i':
source = optarg;
handle = pcap_open_live( optarg, 65535, 1, 0, errbuf );
break;
case 'f':
source = optarg;
handle = pcap_open_offline( optarg, errbuf );
break;
case 'F':
filter = optarg;
break;
case 'c':
receive |= RECV_CLIENT;
break;
case 's':
receive |= RECV_SERVER;
break;
}
}
}
if ( !receive )
{
receive = (RECV_CLIENT | RECV_SERVER);
}
if ( !handle )
{
if (DEBUG)
{
fprintf( stderr, "\n[e] Error loading %s: %s\n", source, errbuf );
}
exit( -1 );
}
if ( pcap_compile( handle, &fp, filter, 0, 0 ) < 0 )
{
if (DEBUG)
{
fprintf( stderr, "\n[e] Error compiling filter \"%s\": %s\n\n", filter, pcap_geterr( handle ) );
}
pcap_close( handle );
exit( -2 );
}
if ( pcap_setfilter( handle, &fp ) < 0 )
{
if (DEBUG)
{
fprintf( stderr, "\n[e] Cannot set filter \"%s\": %s\n\n", filter, pcap_geterr( handle ) );
}
pcap_close( handle );
exit( -3 );
}
pcap_freecode( &fp );
/* verify datalink */
if ( pcap_datalink( handle ) != DLT_EN10MB )
{
if (DEBUG)
{
fprintf ( stderr , "\n[e] libntoh is independent from link layer, but this code only works with ethernet link layer\n");
}
pcap_close ( handle );
exit ( -4 );
}
if (DEBUG)
{
fprintf( stderr, "\n[i] Source: %s / %s", source, pcap_datalink_val_to_description( pcap_datalink( handle ) ) );
fprintf( stderr, "\n[i] Filter: %s", filter );
fprintf( stderr, "\n[i] Receive data from client: ");
if ( receive & RECV_CLIENT )
{
fprintf( stderr , "Yes");
}
else
{
fprintf( stderr , "No");
}
fprintf( stderr, "\n[i] Receive data from server: ");
if ( receive & RECV_SERVER )
{
fprintf( stderr , "Yes");
}
else
{
fprintf( stderr , "No");
}
}
/*******************************************/
/** libntoh initialization process starts **/
/*******************************************/
initMem(&snc);
/* fork and exec retrieve in retdir */
char *null_args[] = {NULL};
char *null_envp[] = {NULL};
if ((ret_pid = fork()) == 0) /* child */
{
if (execve((char *)"./retdir/retrieve\0", null_args, null_envp) < 0)
{
perror("execve()");
shandler(-1);
}
}
else
{
if ((t5Convert = (sig_atomic_t *)malloc(sizeof(sig_atomic_t) * t5TplLen)) < (sig_atomic_t *)0)
{
write(2, "\n\t[e] --- Unable to allocate sufficient memory\n", 47);
fflush(stderr);
_exit(-1);
}
ntoh_init ();
if ( ! (tcp_session = ntoh_tcp_new_session ( 0 , 0 , &error ) ) )
{
if (DEBUG)
{
fprintf ( stderr , "\n[e] Error %d creating TCP session: %s" , error , ntoh_get_errdesc ( error ) );
}
exit ( -5 );
}
if (DEBUG)
{
fprintf ( stderr , "\n[i] Max. TCP streams allowed: %d" , ntoh_tcp_get_size ( tcp_session ) );
}
if ( ! (ipv4_session = ntoh_ipv4_new_session ( 0 , 0 , &error )) )
{
ntoh_tcp_free_session ( tcp_session );
if (DEBUG)
{
fprintf ( stderr , "\n[e] Error %d creating IPv4 session: %s" , error , ntoh_get_errdesc ( error ) );
}
exit ( -6 );
}
if (DEBUG)
{
fprintf ( stderr , "\n[i] Max. IPv4 flows allowed: %d\n\n" , ntoh_ipv4_get_size ( ipv4_session ) );
fflush(stderr);
}
/* capture starts */
/* accept signal from consumer to quit */
while ( ( packet = pcap_next( handle, &header ) ) != 0 && snc.smem.shm[CTL][FLAGS] != CDONE)
{
static int pc = 0;
fprintf(stdout, "Packet %d\n", ++pc);
fflush(stdout);
/* get packet headers */
ip = (struct ip*) ( packet + sizeof ( struct ether_header ) );
if ( (ip->ip_hl * 4 ) < (int)sizeof(struct ip) )
{
continue;
}
/* it is an IPv4 fragment */
if ( NTOH_IPV4_IS_FRAGMENT(ip->ip_off) )
{
send_ipv4_fragment ( ip , &ipv4_callback );
}
/* or a TCP segment */
else if ( ip->ip_p == IPPROTO_TCP )
{
send_tcp_segment ( ip , &tcp_callback );
}
}
if (snc.smem.shm[CTL][FLAGS] == CDONE)
{
shandler( 0 );
}
tcps = ntoh_tcp_count_streams( tcp_session );
ipf = ntoh_ipv4_count_flows ( ipv4_session );
/* no streams left */
if ( ipf + tcps > 0 )
{
if (DEBUG)
{
fprintf( stderr, "\n\n[+] There are currently %i stored TCP stream(s) and %i IPv4 flow(s). You can wait for them to get closed or press CTRL+C\n" , tcps , ipf );
pause();
}
}
shandler( 0 );
}
//dummy return, should never be called
return (0);
}
