1
/* $Id: logic_tree.c,v 1.10 2001/10/20 15:23:55 fygrave Exp $ */
3
** Copyright (C) 2001 Fyodor Yarochkin <fygrave@tigerteam.net>,
4
** Ofir Arkin <ofir@sys-security.com>
6
** This program is free software; you can redistribute it and/or modify
7
** it under the terms of the GNU General Public License as published by
8
** the Free Software Foundation; either version 2 of the License, or
9
** (at your option) any later version.
11
** All material for nonprofit, educational use only.
13
** This program is distributed in the hope that it will be useful,
14
** but WITHOUT ANY WARRANTY; without even the implied warranty of
15
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16
** GNU General Public License for more details.
18
** You should have received a copy of the GNU General Public License
19
** along with this program; if not, write to the Free Software
20
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27
int do_logic(struct sockaddr_in to) {
28
rpack_t *udp_res, *icmpecho_res, *icmpts_res, *icmpam_res,
33
if ((udp_res = send_udp(to)) == NULL) {
34
fprintf(stderr, "Error while sending UDP query. Quiting\n");
39
/* make some generic calculations */
41
hdr_len = (udp_res->ip->ip_hl<<2) + 8;
43
/* precedence bits check */
45
if (((udp_res->ip->ip_tos) & 0xc0) != 0) {
47
/* if our ip->tos was 0xf8 we would get:
48
0xd8 --> from linux boxes
49
0xf8 --> from hpux/aix/??
50
0xc0 --> from cisco (may utilize it later
52
tree_message("Cisco IOS 11.x-12.x! Extreme Network Switches.Linux 2.0.x!2.2.x!2.4.x.");
54
/* received datagram size check */
56
if (ntohs(udp_res->ip->ip_len) != (hdr_len + UDP_LEN_ALL)) {
57
tree_message("Cisco IOS 11.x-12x! Extreme Network Switches.");
59
if (udp_checksum_ver(udp_res) == UDP_CKSUM_ZERO) {
60
fin_message("Extreme Network Switches.");
63
fin_message("Cisco IOS 11.x-12.x");
69
/* the whole datagram echo'ed */
70
tree_message("Linux kernel 2.0.x!2.2.x!2.4.x! Based.");
72
/* ttl test.. abit dodgy (would work precisely in LAN */
73
if (udp_res->ip->ip_ttl < 65) {
75
fin_message("Linux kernel 2.0.x");
78
tree_message("Linux kernel 2.2.x!2.4.x! Based.");
80
/* do ICMP ECHO REQUEST test here */
81
if ((icmpecho_res = send_icmpecho_req(to)) == NULL) {
82
fprintf(stderr, "Error while sending ICMP echo request.");
83
fin_message("Linux kernel 2.2.x! 2.4.x! assumed.");
86
tree_message("ICMP echo/echo reply are not filtered");
88
if (icmpecho_res->ip->ip_id == 0) {
89
fin_message("Linux 2.4.x kernel");
92
if (icmpecho_res->ip->ip_off & htons(IP_DF)) {
93
fin_message("Linux 2.4.x kernel");
96
fin_message("Linux 2.2.x/2.4.5+ kernel");
100
free_res(&icmpecho_res);
101
return retval; /* linux type diag done here */
102
} /* endif echo'ed dgrm size" */
104
/* tos doesn't have 0xc0 then... */
105
/* amount of echo'ed data check */
107
switch(ntohs(udp_res->ip->ip_len) - hdr_len - sizeof(struct ip)) {
109
tree_message("Sun Solaris 2.3-2.8! HP-UX 11.x!MacOS 7.x-9.x");
111
if ((icmpts_res = send_icmpts_req(to)) == NULL) {
112
fin_message("HP-UX 11.x!MacOS 7.x-9.x (no ts response received)");
115
free_res(&icmpts_res);
116
fin_message("Sun Solaris 2.3-2.8");
125
fin_message("3Com SuperStack II Switch SWNBBSI-CF,11.1.0.00S38\n"
126
"Nokia IPSO 3.2-2.3.1 releng 783-849\n"
127
"Ricoh Aficio AP4500 Network Laster Printer\n"
128
"Linux 2.0.x/2.2.x/2.4.x\n"
129
"Shiva AccessPort Bridge/Router Software V.2.1.0");
132
} /* switch (diff packlen */
135
/* ip tocal length integrity check */
137
/* XXX: make sure we do it right
139
switch (icmp_unreach_lencheck(udp_res)) {
140
case ICMPUNREACH_LEN_GT:
141
tree_message("IP total length field value is >20 bytes from the original");
142
tree_message("*** AIX!BSDI!NetBSD 1.1.x-1.2.x!MacOS X 1.0-1.2");
143
if (ip_checksum_ok(udp_res)) {
148
tree_message("BSDI. NetBSD 1.1.x-1.2.x! MacOS X 1.0-1.2");
149
if (udp_res->ip->ip_id != udp_res->orig_ip->ip_id) {
150
fin_message("Little endian BSDI/NetBSD 1.1.x-1.2.x! MacOS X 1.0-1.2");
154
fin_message("Big endian BSDI/NetBSD 1.1.x-1.2.x MacOS X 1.0-1.2");
160
case ICMPUNREACH_LEN_LS:
161
tree_message("IP total length field value is <20 bytes from the original");
162
tree_message("*** OpenBSD 2.6-2.9, Apollo Domain/OS SR 10.4 NFR IDS Appliance");
163
tree_message("*** Extreme Networks switch Network Systems Router NS6114 (NSC 6600 Series)");
164
tree_message("*** Cabletron Systems SSR 8000 Systems Software Version 3.1 B16");
165
switch(udp_checksum_ver(udp_res)) {
167
fin_message("Extreme Networks switch Network Systems Router NS6114 (NSC 6600 Series)");
168
fin_message("Cabletron Systems SSR 8000 Systems Software Version 3.1 B16");
172
fin_message("NFR IDS Appliance");
176
tree_message("OpenBSD 2.6-2.9, Apollo Domain/OS SR 10.4 NFR IDS Appliance");
180
if (ip_checksum_ok(udp_res)) {
181
fin_message(" OpenBSD 2.6-2.9");
185
fin_message("Apollo Domain/OS SR 10.4 NFR IDS Appliance");
191
case ICMPUNREACH_LEN_OK:
192
tree_message("IP total length field value is OK");
193
if(frag_bits_flipped(udp_res)) {
194
if (frag_bits_flipped(udp_res) == FRAG_BITS_ZERO) {
195
tree_message("Frag bits are zeroed");
196
fin_message("ULTRIX");
200
tree_message("Frag bits are flipped");
201
tree_message("*** FreeBSD 2.2.x - 4.1!NetBSD");
202
if (ip_checksum_ok(udp_res)) {
203
fin_message("FreeBSD 2.2.x - 4.1");
207
fin_message("NetBSD");
212
/* frags are not flipped */
213
tree_message("Frag bits are OK");
214
if ((icmpecho_res = send_icmpecho_req(to)) == NULL) {
215
fprintf(stderr, "Error while sending ICMP echo request.\n");
216
/* XXX: very generic msg */
217
fin_message("Windows Based. Open/Net/FreeBSD/DG-UX/HP-UX 10.x etc");
221
if (icmpecho_res->icmp->icmp_code) {
222
tree_message("ICMP code !=0");
223
/* XXX: to be expanded! */
224
if (!(icmpecho_res->ip->ip_off & htons(IP_DF))) {
225
tree_message("DF bit in icmp echo response not echoed");
226
if (icmpecho_res->ip->ip_ttl < 129) {
227
fin_message("Novell (FreeBSD 4.3-current(?)");
228
free_res(&icmpecho_res);
232
fin_message("Ultrix!HPUX 10.20(?)");
233
free_res(&icmpecho_res);
238
tree_message("DF bit in icmp echo response is echoed");
239
if (!(udp_res->ip->ip_off & htons(IP_DF))) {
240
tree_message("DF bit in icmp unreach is not echoed");
241
tree_message("OpenBSD 2.1-2.3,2.4-2.5!NetBSD 1.5, 1.4.1, 1.4!IBM OS/390");
242
if (udp_checksum_ver(udp_res) ==
244
fin_message("OpenBSD 2.1-2.3");
246
free_res(&icmpecho_res);
249
tree_message("OpenBSD 2.4-2.5!NetBSD"
250
" 1.5, 1.4.1, 1.4!IBM OS/390");
251
if (udp_res->ip->ip_ttl > 64) {
252
fin_message("OpenBSD 2.4-2.5!NetBSD 1.5, 1.4.1, 1.4");
254
free_res(&icmpecho_res);
257
fin_message("IBM OS/390");
259
free_res(&icmpecho_res);
263
free_res(&icmpecho_res);
264
if ((icmpir_res = send_icmpireq_req(to)) == NULL) {
265
fin_message("Unknown Unix (Accuracy dropped)");
268
/* XXX: yellow line here */
270
tree_message("OpenVMS!HPUX 10.x!DGUX!SunOS4.x");
271
if (((struct ip *)((char *)(udp_res->icmp) + 8))->ip_id !=
272
udp_res->orig_ip->ip_id) {
273
fin_message("OpenVMS with Digital TCP Services");
274
free_res(&icmpir_res);
278
tree_message("IP ID is ok");
279
tree_message("DGUX/HPUX 10.x/OpenVMS with "
280
"Process Software TCPWare!SunOS4.x");
281
if (!ip_checksum_ok(udp_res)) {
282
fin_message("HPUX 10.x");
283
free_res(&icmpir_res);
287
tree_message("DGUX/OpenVMS with Process Software TCPWare!SunOS4.x");
289
if (udp_checksum_ver(udp_res) == UDP_CKSUM_ZERO) {
290
tree_message("DGUX/Compaq Tru64!SunOS4.x");
291
if (udp_res->ip->ip_ttl > 64) {
292
fin_message("SunOS4.x");
294
free_res(&icmpecho_res);
297
fin_message("DGUX/Compaq Tru64");
299
free_res(&icmpecho_res);
304
free_res(&icmpir_res);
305
fin_message("OpenVMS with Process Software TCPWare");
308
tree_message("Microsoft Windows Family TCP stack");
309
if(icmpecho_res->ip->ip_ttl < 33) {
310
fin_message("Windows 95");
311
free_res(&icmpecho_res);
314
tree_message("Other Windows-based OS (ttl: %d)",icmpecho_res->ip->ip_ttl);
315
if (!icmpecho_res->ip->ip_tos) {
316
free_res(&icmpecho_res);
317
fin_message("Windows 2k. SP1, SP2/Windows XP");
320
free_res(&icmpecho_res);
321
tree_message("Other Windows-based OS (98/98SE/NTsp3-/NTsp4+)");
322
if ((icmpts_res = send_icmpts_req(to)) == NULL) {
323
tree_message("Windows NTsp3-!Windows NTsp4+");
324
if ((icmpam_res = send_icmpmaskreq_req(to)) == NULL) {
325
fin_message("Windows NTsp4+");
328
free_res(&icmpam_res);
329
fin_message("Windows NTsp3-");
333
tree_message("Windows 98/98SE/ME");
334
free_res(&icmpts_res);
335
if ((icmpam_res = send_icmpmaskreq_req(to)) == NULL) {
336
fin_message("Windows ME");
339
fin_message("Windows 98/98SE");
342
} /* if (send_icmpts_req */
346
} /* if(frag_flipped... */
349
} /* switch(icmp_unreach.. */
350
fin_message("UNKNOWN");
351
} /* else (tos) endif */
added
removed
logic_tree.c
