* ** Copyright (C) 2001-2005 Fyodor Yarochkin <fygrave@tigerteam.net>,
* ** Ofir Arkin <ofir@sys-security.com>
* ** Meder Kydyraliev <meder@o0o.nu>
* ** This program is free software; you can redistribute it and/or modify
* ** it under the terms of the GNU General Public License as published by
* ** the Free Software Foundation; either version 2 of the License, or
* ** (at your option) any later version.
* ** This program is distributed in the hope that it will be useful,
* ** but WITHOUT ANY WARRANTY; without even the implied warranty of
* ** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* ** GNU General Public License for more details.
* ** You should have received a copy of the GNU General Public License
* ** along with this program; if not, write to the Free Software
* ** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#define _XPROBE_MODULE
#include "xprobe_module.h"
#include "xprobe_module_hdlr.h"
#include "interface.h"
extern Cmd_Opts *copts;
// Module entry point invoked by the module handler: creates the TCP RST
// fingerprinting module, registers it, and declares every fingerprint
// keyword the module can parse.  `nm` is not used in the visible body.
int tcp_rst_mod_init(Xprobe_Module_Hdlr *pt, char *nm) {
// Ownership of `rst` is handed to the handler through register_module();
// nothing in this function deletes it.
TCP_Rst_Mod *rst = new TCP_Rst_Mod;
xprobe_mdebug(XPROBE_DEBUG_MODULES, "Initializing the TCP RST module\n");
pt->register_module(rst);
// The keyword list must stay in sync with the keys the TCP_Rst_Mod
// constructor inserts into kwd_chk; a keyword declared here but missing
// there is reported as unknown by parse_keyword().
pt->add_keyword(rst->get_id(), "tcp_rst_df");
pt->add_keyword(rst->get_id(), "tcp_rst_ip_id_1");
pt->add_keyword(rst->get_id(), "tcp_rst_ip_id_2");
pt->add_keyword(rst->get_id(), "tcp_rst_ip_id_strategy");
pt->add_keyword(rst->get_id(), "tcp_rst_ttl");
pt->add_keyword(rst->get_id(), "tcp_rst_reply");
// NOTE(review): the function's return statement and closing brace are not
// among the visible lines.
// Builds the module as an OS-test module and populates kwd_chk, the
// keyword -> parameter-check dispatch table used by parse_keyword() and
// exec().  The check objects are heap-allocated and owned by the map.
TCP_Rst_Mod::TCP_Rst_Mod(void): Xprobe_Module(XPROBE_MODULE_OSTEST, "fingerprint:tcp_rst", "TCP RST fingerprinting module") {
TCP_Rst_Df_Bit_Check *df_check = new TCP_Rst_Df_Bit_Check;
// Two separate IP-ID check instances: one for the first RST (ip_id_1)
// and one for the second (ip_id_2).
TCP_Rst_Ip_Id_Check *id_check_one = new TCP_Rst_Ip_Id_Check;
TCP_Rst_Ip_Id_Check *id_check_two = new TCP_Rst_Ip_Id_Check;
TCP_Rst_Ttl_Check *ttl_check = new TCP_Rst_Ttl_Check;
TCP_Rst_Ip_Id_Strategy *strat_check = new TCP_Rst_Ip_Id_Strategy;
TCP_Rst_Reply_Check *reply_check = new TCP_Rst_Reply_Check;
// Keys must match the keywords registered in tcp_rst_mod_init().
kwd_chk.insert(pair<string, Xprobe_Module_Param_TCP *>("tcp_rst_df", df_check));
kwd_chk.insert(pair<string, Xprobe_Module_Param_TCP *>("tcp_rst_ip_id_1", id_check_one));
kwd_chk.insert(pair<string, Xprobe_Module_Param_TCP *>("tcp_rst_ip_id_2", id_check_two));
kwd_chk.insert(pair<string, Xprobe_Module_Param_TCP *>("tcp_rst_ip_id_strategy", strat_check));
kwd_chk.insert(pair<string, Xprobe_Module_Param_TCP *>("tcp_rst_ttl", ttl_check));
kwd_chk.insert(pair<string, Xprobe_Module_Param_TCP *>("tcp_rst_reply", reply_check));
// Destructor: walks the keyword dispatch table.  The loop body is not
// among the visible lines; presumably it releases the check objects
// allocated in the constructor — confirm against the full source.
TCP_Rst_Mod::~TCP_Rst_Mod(void) {
map<string, Xprobe_Module_Param_TCP *>::iterator m_i;
for (m_i = kwd_chk.begin(); m_i != kwd_chk.end(); m_i++) {
// Dispatches one fingerprint-file keyword/value pair to the matching
// parameter check for OS `os_id`.  `kwd` and `val` come from the
// fingerprint database, i.e. from outside the program.
int TCP_Rst_Mod::parse_keyword(int os_id, const char *kwd, const char *val) {
map<string, Xprobe_Module_Param_TCP *>::iterator m_i;
if ((m_i = kwd_chk.find(kwd)) == kwd_chk.end()) {
// `kwd` is passed as a %s argument, not as the format string, so an
// attacker-controlled keyword cannot act as a format specifier here.
ui->error("%s: unknown keyword %s", get_name(), kwd);
// NOTE(review): the early return for the unknown-keyword case and the
// closing brace of this `if` are not among the visible lines.
// Only reached for a known keyword; the check object parses `val`.
return m_i->second->parse_param(os_id, val);
// Per-run initialisation hook: only emits a debug line in the visible
// code.  The return statement is not among the visible lines.
int TCP_Rst_Mod::init(void) {
xprobe_debug(XPROBE_DEBUG_MODULES, "%s module initialized\n", get_name());
// Runs the probe against `tg`: sends a SYN to a closed TCP port, expects
// a RST, sends a second SYN and expects a second RST, then feeds the
// replies to every registered check so they can score `os`.
// The identifiers `ret`, `buf` and `done` are used below but their
// declarations are not among the visible lines.
int TCP_Rst_Mod::exec(Target *tg, OS_Matrix *os) {
bool second_packet = false;
struct in_addr local = tg->get_interface_addr(), remote = tg->get_addr();
map<string, Xprobe_Module_Param_TCP *>::iterator m_i;
// inet_ntoa() returns a pointer to a static buffer; the two calls on
// the next line both convert `local`, so the reuse is harmless.
TCP request(inet_ntoa(remote));
TCP sn(inet_ntoa(local)), sample1(inet_ntoa(local));
if (tg->get_port(IPPROTO_TCP, XPROBE_TARGETP_CLOSED) == -1) {
// ui->msg("[-] %s Module execution aborted (no closed TCP port known)\n", get_name());
// NOTE(review): the debug text mentions port 65535, but the fallback
// that applies it is not visible; confirm set_dstport() below never
// receives the -1 returned by get_port() in this case.
xprobe_debug(XPROBE_DEBUG_MODULES, "[%s] Sending probe to port 65535\n", get_name());
request.set_src(local.s_addr);
request.set_dst(remote.s_addr);
// rand() is not seeded here and is not a CSPRNG; the port, seq and IP-ID
// only need to be distinct between probes, not unpredictable.  Whether
// set_srcport() truncates the int to 16 bits is not visible here.
request.set_srcport(rand());
request.set_dstport(tg->get_port(IPPROTO_TCP, XPROBE_TARGETP_CLOSED));
// Fixed header values (window 6840, TOS 0x10, DF set on a bare SYN)
// make this probe easy to recognise in traffic captures and IDS rules.
request.set_win(6840);
request.set_flags(TH_SYN);
request.set_tos(0x10);
request.set_fragoff(IP_DF);
request.set_seq(rand());
request.set_id(rand());
// Capture on the target's interface; 1500 is presumably the snap length
// — confirm against init_device().
sn.init_device(tg->get_interface(), 0, 1500);
request.sendpack("");
// Bounded read: the buffer size passed is sizeof(buf).
ret = sn.sniffpack(buf, sizeof(buf));
// Reply matching is by source address and port pair only; the TCP
// ack/seq relationship is not verified, so a reply from any host able to
// send packets with the target's address would be accepted.
if (sn.get_src() == remote.s_addr && request.get_dstport() == sn.get_srcport() &&
request.get_srcport() == sn.get_dstport()) {
// Only a non-timed-out reply carrying RST counts as a probe response.
if (done && !sn.timeout() && (sn.get_flags() & TH_RST) == TH_RST) {
if (!second_packet) {
xprobe_debug(XPROBE_DEBUG_MODULES, "[%s] Got first RST packet. Sending second\n", get_name());
// Re-randomise the identifying fields before resending the same probe.
request.set_srcport(rand());
request.set_id(rand());
request.set_seq(rand());
// Zeroing the checksum presumably forces sendpack() to recompute it
// for the modified header — confirm.
request.set_tcpsum(0);
request.sendpack("");
xprobe_debug(XPROBE_DEBUG_MODULES, "[%s] Got second RST packet.\n", get_name());
// we got two packets
// The IP-ID strategy check compares the second RST (`sn`) with the
// first one; `sample1` is presumably a copy of the first RST, but the
// assignment is not among the visible lines.  Every other check
// compares the RST with the probe that elicited it (`request`).
for (m_i = kwd_chk.begin(); m_i != kwd_chk.end(); m_i++) {
if (m_i->first == "tcp_rst_ip_id_strategy") {
m_i->second->check_param(&sn, &sample1, os);
m_i->second->check_param(&sn, &request, os);
// Optional signature-generation mode: emit fingerprint lines instead
// of (or in addition to) scoring — see generate_signature().
if (tg->generate_sig())
generate_signature(tg, &sample1, &request, &sn);
// Emits fingerprint keyword/value lines for the target from the two RST
// replies.  `pack` is the first RST, `orig` the probe that elicited it,
// `second` the second RST.  The value assignments inside several
// branches below are not among the visible lines; the comment block
// that follows documents the value space for each keyword.
void TCP_Rst_Mod::generate_signature(Target *tg, TCP *pack, TCP *orig, TCP *second) {
string keyword, value;
* tcp_rst_reply = [y,n]
* tcp_rst_ip_id_1=[0, !0, SENT]
* tcp_rst_ip_id_2=[0, !0, SENT]
* tcp_rst_ip_id_strategy=[R, I, 0]
* tcp_rst_ttl = [<> decimal num]
// No reply (either probe timed out): record "no RST" plus neutral
// defaults for the remaining keywords so the signature is complete.
if (pack->timeout() || second->timeout()) {
tg->signature("tcp_rst_reply", "n");
tg->signature("tcp_rst_df", "0");
tg->signature("tcp_rst_ip_id_1", "!0");
tg->signature("tcp_rst_ip_id_2", "!0");
tg->signature("tcp_rst_ip_id_strategy", "I");
tg->signature("tcp_rst_ttl", "<255");
// Reply path: derive each keyword from the first RST.
tg->signature("tcp_rst_reply", "y");
keyword = "tcp_rst_df";
// DF bit of the RST; the `value` assignments for both outcomes are not
// among the visible lines.
if (pack->get_fragoff() & IP_DF) {
tg->signature(keyword.c_str(), value.c_str());
keyword= "tcp_rst_ip_id_1";
// IP-ID of the first RST: zero, echoed from the probe, or other
// (the comment block above lists 0 / SENT / !0).
if (pack->get_id() == 0) {
} else if (pack->get_id() == orig->get_id()) {
tg->signature(keyword.c_str(), value.c_str());
keyword= "tcp_rst_ip_id_2";
// NOTE(review): no assignment to `value` is visible between the
// ip_id_1 and ip_id_2 signature calls; confirm ip_id_2 is not simply
// repeating the ip_id_1 value.
tg->signature(keyword.c_str(), value.c_str());
keyword="tcp_rst_ttl";
// Adds the measured hop distance back to the observed TTL, presumably
// to estimate the initial TTL the target used — confirm.  The
// bucketing of `ttl` into the "<N" values is not among the visible lines.
ttl = pack->get_ttl() + tg->get_distance();
tg->signature(keyword.c_str(), value.c_str());
keyword="tcp_rst_ip_id_strategy";
// Delta between the two RST IP-IDs.  If `id_diff` is an unsigned type
// the `< 0` test is vacuous — its declaration is not visible.  After the
// first branch fails, 0 <= id_diff <= 256 holds, so the middle test
// reduces to `id_diff > 0` and the last one is always true when reached.
id_diff = second->get_id() - pack->get_id();
if (id_diff > 256 || id_diff < 0) {
} else if (id_diff > 0 && id_diff <= 256) {
} else if (id_diff == 0) {
tg->signature(keyword.c_str(), value.c_str());
// Per-run teardown hook: only emits a debug line in the visible code.
// The return statement is not among the visible lines.
int TCP_Rst_Mod::fini(void) {
xprobe_debug(XPROBE_DEBUG_MODULES, "%s module has been deinitilized\n", get_name());
// Scores whether the RST `p` carries the DF bit.  `o` (the probe) is not
// needed for this check.  `retval` is declared and returned outside the
// visible lines.
int TCP_Rst_Df_Bit_Check::check_param(TCP *p, TCP *o, OS_Matrix *os) {
o=o; //suspend compiler warning
// Observed value is the DF bit as 0/1; the second argument (0) is the
// reference value passed to add_param() for this check.
retval = add_param(((p->get_fragoff() & IP_DF) != 0), 0, os);
// Scores the IP-ID of the RST `p` against the IP-ID of the probe `o`
// (lets add_param() detect zero / echoed / other).  `retval` is declared
// and returned outside the visible lines.
int TCP_Rst_Ip_Id_Check::check_param(TCP *p, TCP *o, OS_Matrix *os) {
retval = add_param(p->get_id(), o->get_id(), os);
// Scores the TTL of the RST `p`, passing the probe's TTL `o` as the
// reference.  `retval` is declared and returned outside the visible lines.
int TCP_Rst_Ttl_Check::check_param(TCP *p, TCP *o, OS_Matrix *os) {
retval = add_param(p->get_ttl(), o->get_ttl(), os);
// Scores the IP-ID increment strategy: exec() calls this with the second
// RST as `p` and the first RST as `o`, so add_param() sees both IDs.
// `retval` is declared and returned outside the visible lines.
int TCP_Rst_Ip_Id_Strategy::check_param(TCP *p, TCP *o, OS_Matrix *os) {
retval = add_param(p->get_id(), o->get_id(), os);
// Scores whether a RST was received at all: 1 if `p` arrived, 0 if the
// capture timed out.  `o` is unused in the visible code, and the return
// statement is not among the visible lines.
int TCP_Rst_Reply_Check::check_param(TCP *p, TCP *o, OS_Matrix *os) {
int gotp=p->timeout() ? 0 : 1;
add_param(gotp, 0, os);