Ticket #76: patch

scapy.py

@@ -10664 +10664 @@
-# OS      - OS genre
-# details - OS description
-
-
-
-class p0fKnowledgeBase(KnowledgeBase):
-    def __init__(self, filename):
-        KnowledgeBase.__init__(self, filename)
@@ -10684 +10682 @@
-                l = tuple(l.split(":"))
-                if len(l) < 8:
-                    continue
-
+
+
+
+
+
-                #if li[0] not in self.ttl_range:
-                #    self.ttl_range.append(li[0])
-                #    self.ttl_range.sort()
@@ -10694 +10696 @@
-            self.base = None
-        f.close()
-
+def p0f_selectdb(flags):
+    # tested flags: S, R, A
+    if flags & 0x16 == 0x2:
+        # SYN
+        return p0f_kdb
+    elif flags & 0x16 == 0x12:
+        # SYN/ACK
+        return p0fa_kdb
+    elif flags & 0x16 in [ 0x4, 0x14 ]:
+        # RST RST/ACK
+        return p0fr_kdb
+    elif flags & 0x16 == 0x10:
+        # ACK
+        return p0fo_kdb
+    else:
+        return None
-
-def packet2p0f(pkt):
+    pkt = pkt.copy()
+    pkt = pkt.__class__(str(pkt))
-    while pkt.haslayer(IP) and pkt.haslayer(TCP):
-        pkt = pkt.getlayer(IP)
-        if isinstance(pkt.payload, TCP):
-            break
-        pkt = pkt.payload
-
+
-    if not isinstance(pkt, IP) or not isinstance(pkt.payload, TCP):
-        raise TypeError("Not a TCP/IP packet")
-
-
+
+
+
+
-    
-    #t = p0f_kdb.ttl_range[:]
-    #t += [pkt.ttl]
-    #t.sort()
-    #ttl=t[t.index(pkt.ttl)+1]
-    ttl = pkt.ttl
-
+
-    df = (pkt.flags & 2) / 2
-    ss = len(pkt)
-    # from p0f/config.h : PACKET_BIG = 100
-    if ss > 100:
-
-
+
+
+
+
+
+
+
+
+
+
+
-    ooo = ""
-    mss = -1
-    qqT = False
-    qqP = False
-    #qqBroken = False
-[TCP]
+.payload
-    for option in pkt.payload.options:
-        ilen -= 1
-        if option[0] == "MSS":
@@ -10758 +10789 @@
-            # FIXME: ilen
-    ooo = ooo[:-1]
-    if ooo == "": ooo = "."
-
+
-    win = pkt.payload.window
-    if mss != -1:
-
+mss != 0 and 
-            win = "S" + str(win/mss)
-        elif win % (mss + 40) == 0:
-            win = "T" + str(win/(mss+40))
-    
-
+
+
-    qq = ""
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-    if qqP:
-        qq += "P"
-[IP]
+
-        qq += "Z"
-[IP]
+
-        qq += "I"
-[TCP]
+.payload
-        qq += "U"
-[TCP]
+.payload
-        qq += "X"
-[TCP]
+.payload
-        qq += "A"
-    if qqT:
-        qq += "T"
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
-        qq += "D"
-
+: not handled yet
-
-    if qq == "":
-        qq = "."
-
-
-
-
-
-
-
+
-
-def p0f_correl(x,y):
-    d = 0
-
+
+
-    d += (x[0] == y[0] or y[0] == "*" or (y[0][0] == "%" and x[0].isdigit() and (int(x[0]) % int(y[0][1:])) == 0))
-    # ttl
-    d += (y[1] >= x[1] and y[1] - x[1] < 32)
-    for i in [2, 3, 5]:
-
+ or y[i] == '*'
-    xopt = x[4].split(",")
-    yopt = y[4].split(",")
-    if len(xopt) == len(yopt):
@@ -10827 +10874 @@
-
-
-def p0f(pkt):
-SYN
+packet
-p0f(packet) -> accuracy, [list of guesses]
-"""
-
+
+
+
+
+
-    if not pb:
-        warning("p0f base empty.")
-        return []
-
+#
-    r = []
-    sig = packet2p0f(pkt)
-    max = len(sig[4].split(",")) + 5
-    for b in pb:
-        d = p0f_correl(sig,b)
-        if d == max:
-            r.append((b[6], b[7], b[1] - pkt[IP].ttl))
-    return r
-            
-
-def prnp0f(pkt):
+    # we should print which DB we use
-    try:
-        r = p0f(pkt)
-    except:
-        return
-    if r == []:
-
+[1]
-    else:
-        r = r[0]
-    uptime = None
@@ -10863 +10913 @@
-        uptime = None
-    res = pkt.sprintf("%IP.src%:%TCP.sport% - " + r[0] + " " + r[1])
-    if uptime is not None:
-
+ (%TCP.flags%)
-    else:
-
+ (%TCP.flags%)
-    if r[2] is not None:
-        res += " (distance " + str(r[2]) + ")"
-    print res
@@ -10889 +10939 @@
-    raise TypeError("No timestamp option")
-
-
+def p0f_impersonate(pkt, osgenre, osdetails=None, extrahops=0, mtu=1500, uptime=None):
+    """Modifies pkt so that p0f will think it has been sent by a
+specific OS.  If osdetails is None, then we randomly pick up a
+personality matching osgenre.
+
+For now, only TCP Syn packets are supported.
+Some specifications of the p0f.fp file are not (yet) implemented.
+"""
+    pkt = pkt.copy()
+    #pkt = pkt.__class__(str(pkt))
+    while pkt.haslayer(IP) and pkt.haslayer(TCP):
+        pkt = pkt.getlayer(IP)
+        if isinstance(pkt.payload, TCP):
+            break
+        pkt = pkt.payload
+    
+    if not isinstance(pkt, IP) or not isinstance(pkt.payload, TCP):
+        raise TypeError("Not a TCP/IP packet")
+    
+    if uptime is None:
+        uptime = random.randint(120,100*60*60*24*365)
+    
+    db = p0f_selectdb(pkt.payload.flags)
+    pb = db.get_base()
+    if pb is None:
+        pb = []
+    pb = filter(lambda x: x[6] == osgenre, pb)
+    if osdetails:
+        pb = filter(lambda x: x[7] == osdetails, pb)
+    if db == p0fr_kdb:
+        # 'K' quirk <=> RST+ACK
+        if pkt.payload.flags & 0x4 == 0x4:
+            pb = filter(lambda x: 'K' in x[5], pb)
+        else:
+            pb = filter(lambda x: 'K' not in x[5], pb)
+    if not pb:
+        raise Scapy_Exception("No match in the p0f database")
+    pers = pb[random.randint(0, len(pb) - 1)]
+    
+    # options (we start with options because of MSS)
+    ## TODO: let the options already set if they are valid
+    options = []
+    if pers[4] != '.':
+        for opt in pers[4].split(','):
+            if opt[0] == 'M':
+                # MSS might have a maximum size because of window size
+                # specification
+                if pers[0][0] == 'S':
+                    maxmss = (2L**16-1) / int(pers[0][1:])
+                else:
+                    maxmss = (2L**16-1)
+                # If we have to randomly pick up a value, we cannot use
+                # scapy RandXXX() functions, because the value has to be
+                # set in case we need it for the window size value. That's
+                # why we use random.randint()
+                if opt[1:] == '*':
+                    options.append(('MSS', random.randint(1,maxmss)))
+                elif opt[1] == '%':
+                    coef = int(opt[2:])
+                    options.append(('MSS', coef*random.randint(1,maxmss/coef)))
+                else:
+                    options.append(('MSS', int(opt[1:])))
+            elif opt[0] == 'W':
+                if opt[1:] == '*':
+                    options.append(('WScale', RandByte()))
+                elif opt[1] == '%':
+                    coef = int(opt[2:])
+                    options.append(('WScale', coef*RandNum(min=1,
+                                                           max=(2L**8-1)/coef)))
+                else:
+                    options.append(('WScale', int(opt[1:])))
+            elif opt == 'T0':
+                options.append(('Timestamp', (0, 0)))
+            elif opt == 'T':
+                if 'T' in pers[5]:
+                    # FIXME: RandInt() here does not work (bug (?) in
+                    # TCPOptionsField.m2i often raises "OverflowError:
+                    # long int too large to convert to int" in:
+                    #    oval = struct.pack(ofmt, *oval)"
+                    # Actually, this is enough to often raise the error:
+                    #    struct.pack('I', RandInt())
+                    options.append(('Timestamp', (uptime, random.randint(1,2**32-1))))
+                else:
+                    options.append(('Timestamp', (uptime, 0)))
+            elif opt == 'S':
+                options.append(('SAckOK', ''))
+            elif opt == 'N':
+                options.append(('NOP', None))
+            elif opt == 'E':
+                options.append(('EOL', None))
+            ## FIXME: qqP not handled
+            else:
+                warning("unhandled TCP option " + opt)
+            pkt[TCP].options = options
+    
+    # window size
+    if pers[0] == '*':
+        pkt[TCP].window = RandShort()
+    elif pers[0].isdigit():
+        pkt[TCP].window = int(pers[0])
+    elif pers[0][0] == '%':
+        coef = int(pers[0][1:])
+        pkt[TCP].window = coef * RandNum(min=1,max=(2L**16-1)/coef)
+    elif pers[0][0] == 'T':
+        pkt[TCP].window = mtu * int(pers[0][1:])
+    elif pers[0][0] == 'S':
+        ## needs MSS set
+        MSS = filter(lambda x: x[0] == 'MSS', options)
+        if not filter(lambda x: x[0] == 'MSS', options):
+            raise Scapy_Exception("TCP window value requires MSS, and MSS option not set")
+        pkt[TCP].window = filter(lambda x: x[0] == 'MSS', options)[0][1] * int(pers[0][1:])
+    else:
+        raise Scapy_Exception('Unhandled window size specification')
+    
+    # ttl
+    pkt[IP].ttl = pers[1]+extrahops
+    # DF flag
+    pkt[IP].flags |= (2 * pers[2])
+    ## FIXME: ss (packet size) not handled (how ? may be with D quirk
+    ## if present)
+    # Quirks
+    if pers[5] != '.':
+        for qq in pers[5]:
+            ## FIXME: not handled: P, I, X, !
+            # T handled with the Timestamp option
+            if qq == 'Z': pkt.id = 0
+            elif qq == 'U': pkt.payload.urgptr = RandShort()
+            elif qq == 'A': pkt.payload.ack = RandInt()
+            elif qq == 'F':
+                if db == p0fo_kdb:
+                    pkt.payload.flags |= 0x20 # U
+                else:
+                    pkt.payload.flags |= RandChoice(8, 32, 40) #P / U / PU
+            elif qq == 'D' and db != p0fo_kdb:
+                pkt /= Raw(load=RandString(random.randint(1, 10))) # XXX p0fo.fp
+            elif qq == 'Q': pkt.payload.seq = pkt.payload.ack
+            #elif qq == '0': pkt.payload.seq = 0
+        if db == p0fr_kdb:
+            if '0' in pers[5]:
+                pkt.payload.seq = 0
+            elif pkt.payload.seq == 0:
+                pkt.payload.seq = RandInt()
+    
+    while pkt.underlayer:
+        pkt = pkt.underlayer
+    return pkt
-
-#################
-## Queso stuff ##
@@ -13202 +13403 @@
-    histfile = os.path.join(os.environ["HOME"], ".scapy_history")
-    padding = 1
-    p0f_base ="/etc/p0f/p0f.fp"
+    p0fa_base ="/etc/p0f/p0fa.fp"
+    p0fr_base ="/etc/p0f/p0fr.fp"
+    p0fo_base ="/etc/p0f/p0fo.fp"
-    queso_base ="/etc/queso.conf"
-    nmap_base ="/usr/share/nmap/nmap-os-fingerprints"
-    IPCountry_base = "GeoIPCountry4Scapy.gz"
@@ -13244 +13448 @@
-
-
-p0f_kdb = p0fKnowledgeBase(conf.p0f_base)
+p0fa_kdb = p0fKnowledgeBase(conf.p0fa_base)
+p0fr_kdb = p0fKnowledgeBase(conf.p0fr_base)
+p0fo_kdb = p0fKnowledgeBase(conf.p0fo_base)
-queso_kdb = QuesoKnowledgeBase(conf.queso_base)
-nmap_kdb = NmapKnowledgeBase(conf.nmap_base)
-IP_country_kdb = IPCountryKnowledgeBase(conf.IPCountry_base)