support for passive fingerprint

antifork · Dec 26, 2002 · 94d65e1 · 94d65e1
1 parent 5324b93
commit 94d65e1
Show file tree

Hide file tree

Showing 9 changed files with 276 additions and 18 deletions.
diff --git a/TODO b/TODO
@@ -12,15 +12,14 @@ TODO for the lmap
       + test the wifi decoder under wifi card different from cisco
 
    + IPv6 decoder
-      + implement ARP for ipv6
+      + check if ARP for ipv6 is correct or if we have to implement NDIS
+      + passive fingerprint does not support IPv6
 
    + ICMP decoder
       + what information can we catch from this ?
          + if ICMP TTL excedeed it can be a ruoter
       + add to the bucket structure these infos
 
-   + remove the hex_format function !! it is NOT thread safe !!
-
    + passive fingerprint
 
    + set the iface config and default gw

diff --git a/include/lmap.h b/include/lmap.h
@@ -45,13 +45,8 @@
 
 #define SPRINTF(x) ((size_t)sprintf x)
 
-#define ADD_STAT(x)  (GBL_STAT->x)++
-#define GET_STAT(x)  (GBL_STAT->x)
-
-
 extern void do_nothing(void);
 
-
 #endif   /*  LMAP_H */
 
 /* EOF */

diff --git a/include/lmap_fingerprint.h b/include/lmap_fingerprint.h
@@ -4,10 +4,47 @@
 
 extern int fingerprint_init(void);
 extern char * fingerprint_search(char *m);
+extern char * fingerprint_alloc(void);
+extern char * fingerprint_destroy(char **finger);
+extern void fingerprint_push(char *finger, int param, int value);
+
+/*
+ *  The fingerprint database has the following structure:                  
+ *                                                                         
+ *  WWWW:MSS:TTL:WS:S:N:D:T:F:LEN:OS                                       
+ *                                                                         
+ *  WWWW: 4 digit hex field indicating the TCP Window Size                 
+ *  MSS : 4 digit hex field indicating the TCP Option Maximum Segment Size 
+ *        if omitted in the packet or unknown it is "_MSS"                 
+ *  TTL : 2 digit hex field indicating the IP Time To Live                 
+ *  WS  : 2 digit hex field indicating the TCP Option Window Scale         
+ *        if omitted in the packet or unknown it is "WS"                   
+ *  S   : 1 digit field indicating if the TCP Option SACK permitted is true
+ *  N   : 1 digit field indicating if the TCP Options contain a NOP        
+ *  D   : 1 digit field indicating if the IP Don't Fragment flag is set    
+ *  T   : 1 digit field indicating if the TCP Timestamp is present         
+ *  F   : 1 digit ascii field indicating the flag of the packet            
+ *        S = SYN                                                          
+ *        A = SYN + ACK                                                    
+ *  LEN : 2 digit hex field indicating the length of the packet            
+ *        if irrilevant or unknown it is "LT"                              
+ *  OS  : an ascii string representing the OS                              
+ */
+
 
 enum {
    FINGER_LEN = 28,
    OS_LEN     = 60,
+   FINGER_WINDOW     = 1,
+   FINGER_MSS        = 2,
+   FINGER_TTL        = 3,
+   FINGER_WS         = 4,
+   FINGER_SACK       = 5,
+   FINGER_NOP        = 6,
+   FINGER_DF         = 7,
+   FINGER_TIMESTAMP  = 8,
+   FINGER_TCPFLAG    = 9,
+   FINGER_LT         = 10,
 };
 
 #endif

diff --git a/include/lmap_inet.h b/include/lmap_inet.h
@@ -33,6 +33,24 @@ extern int ip_addr_init(struct ip_addr *sa, int type, char *addr);
 extern const char *ip_addr_ntoa(struct ip_addr *sa, char *dst);
 extern const char *ip_addr_details(struct ip_addr *sa, char *dst);
 
+#ifdef WORDS_BIGENDIAN        
+   #define ptohs(x) ( (u_int16)                       \
+                      ((u_int16)*((u_int8 *)x+1)<<8|  \
+                      (u_int16)*((u_int8 *)x+0)<<0)   \
+                    )
+
+   #define ptohl(x) ( (u_int32)*((u_int8 *)x+3)<<24|  \
+                      (u_int32)*((u_int8 *)x+2)<<16|  \
+                      (u_int32)*((u_int8 *)x+1)<<8|   \
+                      (u_int32)*((u_int8 *)x+0)<<0    \
+                    )
+#else
+   #define ptohs(x) *(u_int16 *)(x)
+   #define ptohl(x) *(u_int32 *)(x)
+#endif
+
+
+
 #endif
 
 /* EOF */

diff --git a/src/lmap_db.c b/src/lmap_db.c
@@ -101,10 +101,11 @@ void db_bucket_send(struct bucket *b)
    USER_MSG(" --> dest    %d", ntohs(b->L4->port_dst));
    USER_MSG(" --> proto   0x%04x", ntohs(b->L4->proto));
    USER_MSG(" --> finger  %s\n", b->L4->fingerprint);
+   SAFE_FREE(b->L4->fingerprint);
    SAFE_FREE(b->L4);
 
-   USER_MSG("L5 INFO\n");
-   SAFE_FREE(b->L5);
+//   USER_MSG("L5 INFO\n");
+//   SAFE_FREE(b->L5);
 }
 
 

diff --git a/src/lmap_decoder_ip.c b/src/lmap_decoder_ip.c
@@ -21,6 +21,7 @@
 #include <lmap.h>
 #include <lmap_decode.h>
 #include <lmap_inet.h>
+#include <lmap_fingerprint.h>
 
 /* globals */
 
@@ -36,6 +37,7 @@ struct ip_header {
    u_int16  tot_len;
    u_int16  id;
    u_int16  frag_off;
+#define IP_DF 0x4000
    u_int8   ttl;
    u_int8   protocol;
    u_int16  check;
@@ -82,6 +84,17 @@ FUNC_DECODER(decode_ip)
    BUCKET->L3->proto = htons(LL_TYPE_IP);
    BUCKET->L3->ttl = ip->ttl;
 
+   /* if there is a TCP packet, try to passive fingerprint it */
+   if (ip->protocol == LN_TYPE_TCP) {
+      /* initialize passive fingerprint */
+      BUCKET->L4->fingerprint = fingerprint_alloc();
+
+      /* collect ifos for passive fingerprint */
+      fingerprint_push(BUCKET->L4->fingerprint, FINGER_TTL, ip->ttl);
+      fingerprint_push(BUCKET->L4->fingerprint, FINGER_DF, ntohs(ip->frag_off) & IP_DF);
+      fingerprint_push(BUCKET->L4->fingerprint, FINGER_LT, ip->ihl * 4);
+   }
+
 #if 0
    if (ip->ihl * 4 != sizeof(struct ip_header))
       USER_MSG(" --> IP OPTIONS PRESENT (%d byte)\n", (ip->ihl * 4) - sizeof(struct ip_header));

diff --git a/src/lmap_decoder_ip6.c b/src/lmap_decoder_ip6.c
@@ -21,6 +21,7 @@
 #include <lmap.h>
 #include <lmap_decode.h>
 #include <lmap_inet.h>
+#include <lmap_fingerprint.h>
 
 /* globals */
 
@@ -82,6 +83,19 @@ FUNC_DECODER(decode_ip6)
    BUCKET->L3->proto = htons(LL_TYPE_IP6);
    BUCKET->L3->ttl = ip6->hop_limit;
 
+   /* if there is a TCP packet, try to passive fingerprint it */
+   if (ip6->next_hdr == LN_TYPE_TCP) {
+      /* initialize passive fingerprint */
+      BUCKET->L4->fingerprint = fingerprint_alloc();
+
+      /* collect ifos for passive fingerprint */
+      fingerprint_push(BUCKET->L4->fingerprint, FINGER_TTL, ip6->hop_limit);
+      /* XXX - where is don't fragment flag in IPv6 ? */
+      fingerprint_push(BUCKET->L4->fingerprint, FINGER_DF, 0);
+      /* XXX - how to calculate the header + options length in IPv6 ? */
+      fingerprint_push(BUCKET->L4->fingerprint, FINGER_LT, 0);
+   }
+
    switch (ip6->next_hdr) {
       case 0:
 	 USER_MSG(" --> option  Hop-By-Hop");

diff --git a/src/lmap_decoder_tcp.c b/src/lmap_decoder_tcp.c
@@ -20,6 +20,7 @@
 
 #include <lmap.h>
 #include <lmap_decode.h>
+#include <lmap_fingerprint.h>
 
 
 /* globals */
@@ -48,6 +49,14 @@ struct tcp_header {
    u_int16  urp;        /* urgent pointer */
 };
 
+/* tcp options */
+#define TCPOPT_EOL              0
+#define TCPOPT_NOP              1
+#define TCPOPT_MAXSEG           2
+#define TCPOPT_WSCALE           3
+#define TCPOPT_SACKOK           4
+#define TCPOPT_TIMESTAMP        8
+
 
 /* protos */
 
@@ -85,14 +94,64 @@ FUNC_DECODER(decode_tcp)
    /* this is TCP */
    BUCKET->L4->proto = htons(LN_TYPE_TCP);
 
-#if 0
-   if (tcp->off * 4 != sizeof(struct tcp_header))
-      USER_MSG(" --> TCP OPTIONS PRESENT (%d bytes)\n", 
-                      (tcp->off * 4) - sizeof(struct tcp_header) );
-
-   USER_MSG(" --> data    %d bytes\n", DECODE_DATALEN - DECODED_LEN);
-#endif
+   /* 
+    * complete the passive fingerprint
+    * we are intereste only in SYN or SYN+ACK packets 
+    * else we can destroy the fingerprint
+    */
 
+   if (tcp->flags & TH_SYN) {
+
+      u_char *opt_start, *opt_end;
+
+      opt_start = (u_char *)(tcp + 1);
+      opt_end = (u_char *)((int)tcp + tcp->off * 4);
+
+      fingerprint_push(BUCKET->L4->fingerprint, FINGER_WINDOW, ntohs(tcp->win));
+      fingerprint_push(BUCKET->L4->fingerprint, FINGER_TCPFLAG, (tcp->flags & TH_ACK) ? 1 : 0);
+      /* this should be added to the len of ip header */
+      fingerprint_push(BUCKET->L4->fingerprint, FINGER_LT, tcp->off * 4);
+
+      while (opt_start < opt_end) {
+         switch (*opt_start) {
+            case TCPOPT_EOL: 
+               /* end option EXIT */
+               opt_start = opt_end;
+               break;
+            case TCPOPT_NOP:
+               fingerprint_push(BUCKET->L4->fingerprint, FINGER_NOP, 1);
+               opt_start++;
+               break;
+            case TCPOPT_SACKOK:
+               fingerprint_push(BUCKET->L4->fingerprint, FINGER_SACK, 1);
+               opt_start += 2;
+               break;
+            case TCPOPT_MAXSEG:
+               opt_start += 2;
+               fingerprint_push(BUCKET->L4->fingerprint, FINGER_MSS, ntohs(ptohs(opt_start)));
+               opt_start += 2;
+               break;
+            case TCPOPT_WSCALE:
+               opt_start += 2;
+               fingerprint_push(BUCKET->L4->fingerprint, FINGER_WS, *opt_start);
+               opt_start++;
+               break;
+            case TCPOPT_TIMESTAMP:
+               fingerprint_push(BUCKET->L4->fingerprint, FINGER_TIMESTAMP, 1);
+               opt_start++;
+               opt_start += (*opt_start - 1);
+               break;
+            default:
+               opt_start++;
+               opt_start += (*opt_start - 1);
+               break;
+         }
+      }
+
+   } else {
+      fingerprint_destroy(&BUCKET->L4->fingerprint);
+   }
+
    return NULL;
 }