| 1 | --- scapy.py.orig 2008-01-13 23:23:08.000000000 +0100 |
|---|
| 2 | +++ scapy.py 2008-01-13 23:20:41.000000000 +0100 |
|---|
| 3 | @@ -10693,8 +10693,6 @@ def locate_ip(ip): |
|---|
| 4 | # OS - OS genre |
|---|
| 5 | # details - OS description |
|---|
| 6 | |
|---|
| 7 | - |
|---|
| 8 | - |
|---|
| 9 | class p0fKnowledgeBase(KnowledgeBase): |
|---|
| 10 | def __init__(self, filename): |
|---|
| 11 | KnowledgeBase.__init__(self, filename) |
|---|
| 12 | @@ -10713,7 +10711,11 @@ class p0fKnowledgeBase(KnowledgeBase): |
|---|
| 13 | l = tuple(l.split(":")) |
|---|
| 14 | if len(l) < 8: |
|---|
| 15 | continue |
|---|
| 16 | - li = map(int,l[1:4]) |
|---|
| 17 | + def a2i(x): |
|---|
| 18 | + if x.isdigit(): |
|---|
| 19 | + return int(x) |
|---|
| 20 | + return x |
|---|
| 21 | + li = map(a2i, l[1:4]) |
|---|
| 22 | #if li[0] not in self.ttl_range: |
|---|
| 23 | # self.ttl_range.append(li[0]) |
|---|
| 24 | # self.ttl_range.sort() |
|---|
| 25 | @@ -10723,37 +10725,66 @@ class p0fKnowledgeBase(KnowledgeBase): |
|---|
| 26 | self.base = None |
|---|
| 27 | f.close() |
|---|
| 28 | |
|---|
| 29 | +def p0f_selectdb(flags): |
|---|
| 30 | + # tested flags: S, R, A |
|---|
| 31 | + if flags & 0x16 == 0x2: |
|---|
| 32 | + # SYN |
|---|
| 33 | + return p0f_kdb |
|---|
| 34 | + elif flags & 0x16 == 0x12: |
|---|
| 35 | + # SYN/ACK |
|---|
| 36 | + return p0fa_kdb |
|---|
| 37 | + elif flags & 0x16 in [ 0x4, 0x14 ]: |
|---|
| 38 | + # RST RST/ACK |
|---|
| 39 | + return p0fr_kdb |
|---|
| 40 | + elif flags & 0x16 == 0x10: |
|---|
| 41 | + # ACK |
|---|
| 42 | + return p0fo_kdb |
|---|
| 43 | + else: |
|---|
| 44 | + return None |
|---|
| 45 | |
|---|
| 46 | def packet2p0f(pkt): |
|---|
| 47 | + pkt = pkt.copy() |
|---|
| 48 | + pkt = pkt.__class__(str(pkt)) |
|---|
| 49 | while pkt.haslayer(IP) and pkt.haslayer(TCP): |
|---|
| 50 | pkt = pkt.getlayer(IP) |
|---|
| 51 | if isinstance(pkt.payload, TCP): |
|---|
| 52 | break |
|---|
| 53 | pkt = pkt.payload |
|---|
| 54 | - |
|---|
| 55 | + |
|---|
| 56 | if not isinstance(pkt, IP) or not isinstance(pkt.payload, TCP): |
|---|
| 57 | raise TypeError("Not a TCP/IP packet") |
|---|
| 58 | - if pkt.payload.flags & 0x13 != 0x02: #S,!A,!F |
|---|
| 59 | - raise TypeError("Not a syn packet") |
|---|
| 60 | + #if pkt.payload.flags & 0x7 != 0x02: #S,!F,!R |
|---|
| 61 | + # raise TypeError("Not a SYN or SYN/ACK packet") |
|---|
| 62 | + |
|---|
| 63 | + db = p0f_selectdb(pkt.payload.flags) |
|---|
| 64 | |
|---|
| 65 | #t = p0f_kdb.ttl_range[:] |
|---|
| 66 | #t += [pkt.ttl] |
|---|
| 67 | #t.sort() |
|---|
| 68 | #ttl=t[t.index(pkt.ttl)+1] |
|---|
| 69 | ttl = pkt.ttl |
|---|
| 70 | - |
|---|
| 71 | + |
|---|
| 72 | df = (pkt.flags & 2) / 2 |
|---|
| 73 | ss = len(pkt) |
|---|
| 74 | # from p0f/config.h : PACKET_BIG = 100 |
|---|
| 75 | if ss > 100: |
|---|
| 76 | - ss = 0 |
|---|
| 77 | - |
|---|
| 78 | + if db == p0fr_kdb: |
|---|
| 79 | + # p0fr.fp: "Packet size may be wildcarded. The meaning of |
|---|
| 80 | + # wildcard is, however, hardcoded as 'size > |
|---|
| 81 | + # PACKET_BIG'" |
|---|
| 82 | + ss = '*' |
|---|
| 83 | + else: |
|---|
| 84 | + ss = 0 |
|---|
| 85 | + if db == p0fo_kdb: |
|---|
| 86 | + # p0fo.fp: "Packet size MUST be wildcarded." |
|---|
| 87 | + ss = '*' |
|---|
| 88 | + |
|---|
| 89 | ooo = "" |
|---|
| 90 | mss = -1 |
|---|
| 91 | qqT = False |
|---|
| 92 | qqP = False |
|---|
| 93 | #qqBroken = False |
|---|
| 94 | - ilen = (pkt[TCP].dataofs << 2) - 20 # from p0f.c |
|---|
| 95 | + ilen = (pkt.payload.dataofs << 2) - 20 # from p0f.c |
|---|
| 96 | for option in pkt.payload.options: |
|---|
| 97 | ilen -= 1 |
|---|
| 98 | if option[0] == "MSS": |
|---|
| 99 | @@ -10783,60 +10814,85 @@ def packet2p0f(pkt): |
|---|
| 100 | if ilen > 0: |
|---|
| 101 | qqP = True |
|---|
| 102 | else: |
|---|
| 103 | - ooo += "?," |
|---|
| 104 | + if type(option[0]) is str: |
|---|
| 105 | + ooo += "?%i," % TCPOptions[1][option[0]] |
|---|
| 106 | + else: |
|---|
| 107 | + ooo += "?%i," % option[0] |
|---|
| 108 | # FIXME: ilen |
|---|
| 109 | ooo = ooo[:-1] |
|---|
| 110 | if ooo == "": ooo = "." |
|---|
| 111 | - |
|---|
| 112 | + |
|---|
| 113 | win = pkt.payload.window |
|---|
| 114 | if mss != -1: |
|---|
| 115 | - if win % mss == 0: |
|---|
| 116 | + if mss != 0 and win % mss == 0: |
|---|
| 117 | win = "S" + str(win/mss) |
|---|
| 118 | elif win % (mss + 40) == 0: |
|---|
| 119 | win = "T" + str(win/(mss+40)) |
|---|
| 120 | - win = str(win) |
|---|
| 121 | - |
|---|
| 122 | + win = str(win) |
|---|
| 123 | + |
|---|
| 124 | qq = "" |
|---|
| 125 | - |
|---|
| 126 | + |
|---|
| 127 | + if db == p0fr_kdb: |
|---|
| 128 | + if pkt.payload.flags & 0x10 == 0x10: |
|---|
| 129 | + # p0fr.fp: "A new quirk, 'K', is introduced to denote |
|---|
| 130 | + # RST+ACK packets" |
|---|
| 131 | + qq += "K" |
|---|
| 132 | + # The two next cases should also be only for p0f*r*, but although |
|---|
| 133 | + # it's not documented (or I have not noticed), p0f seems to |
|---|
| 134 | + # support the '0' and 'Q' quirks on any databases (or at the least |
|---|
| 135 | + # "classical" p0f.fp). |
|---|
| 136 | + if pkt.payload.seq == pkt.payload.ack: |
|---|
| 137 | + # p0fr.fp: "A new quirk, 'Q', is used to denote SEQ number |
|---|
| 138 | + # equal to ACK number." |
|---|
| 139 | + qq += "Q" |
|---|
| 140 | + if pkt.payload.seq == 0: |
|---|
| 141 | + # p0fr.fp: "A new quirk, '0', is used to denote packets |
|---|
| 142 | + # with SEQ number set to 0." |
|---|
| 143 | + qq += "0" |
|---|
| 144 | if qqP: |
|---|
| 145 | qq += "P" |
|---|
| 146 | - if pkt[IP].id == 0: |
|---|
| 147 | + if pkt.id == 0: |
|---|
| 148 | qq += "Z" |
|---|
| 149 | - if pkt[IP].options != '': |
|---|
| 150 | + if pkt.options != '': |
|---|
| 151 | qq += "I" |
|---|
| 152 | - if pkt[TCP].urgptr != 0: |
|---|
| 153 | + if pkt.payload.urgptr != 0: |
|---|
| 154 | qq += "U" |
|---|
| 155 | - if pkt[TCP].reserved != 0: |
|---|
| 156 | + if pkt.payload.reserved != 0: |
|---|
| 157 | qq += "X" |
|---|
| 158 | - if pkt[TCP].ack != 0: |
|---|
| 159 | + if pkt.payload.ack != 0: |
|---|
| 160 | qq += "A" |
|---|
| 161 | if qqT: |
|---|
| 162 | qq += "T" |
|---|
| 163 | - if pkt[TCP].flags & 40 != 0: |
|---|
| 164 | - # U or P |
|---|
| 165 | - qq += "F" |
|---|
| 166 | - if not isinstance(pkt[TCP].payload, NoPayload): |
|---|
| 167 | + if db == p0fo_kdb: |
|---|
| 168 | + if pkt.payload.flags & 0x20 != 0: |
|---|
| 169 | + # U |
|---|
| 170 | + # p0fo.fp: "PUSH flag is excluded from 'F' quirk checks" |
|---|
| 171 | + qq += "F" |
|---|
| 172 | + else: |
|---|
| 173 | + if pkt.payload.flags & 0x28 != 0: |
|---|
| 174 | + # U or P |
|---|
| 175 | + qq += "F" |
|---|
| 176 | + if db != p0fo_kdb and not isinstance(pkt.payload.payload, NoPayload): |
|---|
| 177 | + # p0fo.fp: "'D' quirk is not checked for." |
|---|
| 178 | qq += "D" |
|---|
| 179 | - # FIXME : "!" - broken options segment |
|---|
| 180 | + # FIXME : "!" - broken options segment: not handled yet |
|---|
| 181 | |
|---|
| 182 | if qq == "": |
|---|
| 183 | qq = "." |
|---|
| 184 | |
|---|
| 185 | - return (win, |
|---|
| 186 | - ttl, |
|---|
| 187 | - df, |
|---|
| 188 | - ss, |
|---|
| 189 | - ooo, |
|---|
| 190 | - qq) |
|---|
| 191 | + return (db, (win, ttl, df, ss, ooo, qq)) |
|---|
| 192 | |
|---|
| 193 | def p0f_correl(x,y): |
|---|
| 194 | d = 0 |
|---|
| 195 | - # wwww can be "*" or "%nn" |
|---|
| 196 | + # wwww can be "*" or "%nn". "Tnn" and "Snn" should work fine with |
|---|
| 197 | + # the x[0] == y[0] test. |
|---|
| 198 | d += (x[0] == y[0] or y[0] == "*" or (y[0][0] == "%" and x[0].isdigit() and (int(x[0]) % int(y[0][1:])) == 0)) |
|---|
| 199 | # ttl |
|---|
| 200 | d += (y[1] >= x[1] and y[1] - x[1] < 32) |
|---|
| 201 | - for i in [2, 3, 5]: |
|---|
| 202 | - d += (x[i] == y[i]) |
|---|
| 203 | + for i in [2, 5]: |
|---|
| 204 | + d += (x[i] == y[i] or y[i] == '*') |
|---|
| 205 | + # '*' has a special meaning for ss |
|---|
| 206 | + d += x[3] == y[3] |
|---|
| 207 | xopt = x[4].split(",") |
|---|
| 208 | yopt = y[4].split(",") |
|---|
| 209 | if len(xopt) == len(yopt): |
|---|
| 210 | @@ -10856,31 +10912,34 @@ def p0f_correl(x,y): |
|---|
| 211 | |
|---|
| 212 | |
|---|
| 213 | def p0f(pkt): |
|---|
| 214 | - """Passive OS fingerprinting: which OS emitted this TCP SYN ? |
|---|
| 215 | + """Passive OS fingerprinting: which OS emitted this TCP packet ? |
|---|
| 216 | p0f(packet) -> accuracy, [list of guesses] |
|---|
| 217 | """ |
|---|
| 218 | - pb = p0f_kdb.get_base() |
|---|
| 219 | + db, sig = packet2p0f(pkt) |
|---|
| 220 | + if db: |
|---|
| 221 | + pb = db.get_base() |
|---|
| 222 | + else: |
|---|
| 223 | + pb = [] |
|---|
| 224 | if not pb: |
|---|
| 225 | warning("p0f base empty.") |
|---|
| 226 | return [] |
|---|
| 227 | - s = len(pb[0][0]) |
|---|
| 228 | + #s = len(pb[0][0]) |
|---|
| 229 | r = [] |
|---|
| 230 | - sig = packet2p0f(pkt) |
|---|
| 231 | max = len(sig[4].split(",")) + 5 |
|---|
| 232 | for b in pb: |
|---|
| 233 | d = p0f_correl(sig,b) |
|---|
| 234 | if d == max: |
|---|
| 235 | r.append((b[6], b[7], b[1] - pkt[IP].ttl)) |
|---|
| 236 | return r |
|---|
| 237 | - |
|---|
| 238 | |
|---|
| 239 | def prnp0f(pkt): |
|---|
| 240 | + # we should print which DB we use |
|---|
| 241 | try: |
|---|
| 242 | r = p0f(pkt) |
|---|
| 243 | except: |
|---|
| 244 | return |
|---|
| 245 | if r == []: |
|---|
| 246 | - r = ("UNKNOWN", "[" + ":".join(map(str, packet2p0f(pkt))) + ":?:?]", None) |
|---|
| 247 | + r = ("UNKNOWN", "[" + ":".join(map(str, packet2p0f(pkt)[1])) + ":?:?]", None) |
|---|
| 248 | else: |
|---|
| 249 | r = r[0] |
|---|
| 250 | uptime = None |
|---|
| 251 | @@ -10892,9 +10951,9 @@ def prnp0f(pkt): |
|---|
| 252 | uptime = None |
|---|
| 253 | res = pkt.sprintf("%IP.src%:%TCP.sport% - " + r[0] + " " + r[1]) |
|---|
| 254 | if uptime is not None: |
|---|
| 255 | - res += pkt.sprintf(" (up: " + str(uptime/3600) + " hrs)\n -> %IP.dst%:%TCP.dport%") |
|---|
| 256 | + res += pkt.sprintf(" (up: " + str(uptime/3600) + " hrs)\n -> %IP.dst%:%TCP.dport% (%TCP.flags%)") |
|---|
| 257 | else: |
|---|
| 258 | - res += pkt.sprintf("\n -> %IP.dst%:%TCP.dport%") |
|---|
| 259 | + res += pkt.sprintf("\n -> %IP.dst%:%TCP.dport% (%TCP.flags%)") |
|---|
| 260 | if r[2] is not None: |
|---|
| 261 | res += " (distance " + str(r[2]) + ")" |
|---|
| 262 | print res |
|---|
| 263 | @@ -10918,6 +10977,221 @@ pkt2uptime(pkt, [HZ=100])""" |
|---|
| 264 | raise TypeError("No timestamp option") |
|---|
| 265 | |
|---|
| 266 | |
|---|
| 267 | +def p0f_impersonate(pkt, osgenre=None, osdetails=None, signature=None, |
|---|
| 268 | + extrahops=0, mtu=1500, uptime=None): |
|---|
| 269 | + """Modifies pkt so that p0f will think it has been sent by a |
|---|
| 270 | +specific OS. If osdetails is None, then we randomly pick up a |
|---|
| 271 | +personality matching osgenre. If osgenre and signature are also None, |
|---|
| 272 | +we use a local signature (using p0f_getlocalsigs). If signature is |
|---|
| 273 | +specified (as a tuple), we use the signature. |
|---|
| 274 | + |
|---|
| 275 | +For now, only TCP Syn packets are supported. |
|---|
| 276 | +Some specifications of the p0f.fp file are not (yet) implemented.""" |
|---|
| 277 | + pkt = pkt.copy() |
|---|
| 278 | + #pkt = pkt.__class__(str(pkt)) |
|---|
| 279 | + while pkt.haslayer(IP) and pkt.haslayer(TCP): |
|---|
| 280 | + pkt = pkt.getlayer(IP) |
|---|
| 281 | + if isinstance(pkt.payload, TCP): |
|---|
| 282 | + break |
|---|
| 283 | + pkt = pkt.payload |
|---|
| 284 | + |
|---|
| 285 | + if not isinstance(pkt, IP) or not isinstance(pkt.payload, TCP): |
|---|
| 286 | + raise TypeError("Not a TCP/IP packet") |
|---|
| 287 | + |
|---|
| 288 | + if uptime is None: |
|---|
| 289 | + uptime = random.randint(120,100*60*60*24*365) |
|---|
| 290 | + |
|---|
| 291 | + db = p0f_selectdb(pkt.payload.flags) |
|---|
| 292 | + if osgenre: |
|---|
| 293 | + pb = db.get_base() |
|---|
| 294 | + if pb is None: |
|---|
| 295 | + pb = [] |
|---|
| 296 | + pb = filter(lambda x: x[6] == osgenre, pb) |
|---|
| 297 | + if osdetails: |
|---|
| 298 | + pb = filter(lambda x: x[7] == osdetails, pb) |
|---|
| 299 | + elif signature: |
|---|
| 300 | + pb = [signature] |
|---|
| 301 | + else: |
|---|
| 302 | + pb = p0f_getlocalsigs()[db] |
|---|
| 303 | + if db == p0fr_kdb: |
|---|
| 304 | + # 'K' quirk <=> RST+ACK |
|---|
| 305 | + if pkt.payload.flags & 0x4 == 0x4: |
|---|
| 306 | + pb = filter(lambda x: 'K' in x[5], pb) |
|---|
| 307 | + else: |
|---|
| 308 | + pb = filter(lambda x: 'K' not in x[5], pb) |
|---|
| 309 | + if not pb: |
|---|
| 310 | + raise Scapy_Exception("No match in the p0f database") |
|---|
| 311 | + pers = pb[random.randint(0, len(pb) - 1)] |
|---|
| 312 | + |
|---|
| 313 | + # options (we start with options because of MSS) |
|---|
| 314 | + ## TODO: let the options already set if they are valid |
|---|
| 315 | + options = [] |
|---|
| 316 | + if pers[4] != '.': |
|---|
| 317 | + for opt in pers[4].split(','): |
|---|
| 318 | + if opt[0] == 'M': |
|---|
| 319 | + # MSS might have a maximum size because of window size |
|---|
| 320 | + # specification |
|---|
| 321 | + if pers[0][0] == 'S': |
|---|
| 322 | + maxmss = (2L**16-1) / int(pers[0][1:]) |
|---|
| 323 | + else: |
|---|
| 324 | + maxmss = (2L**16-1) |
|---|
| 325 | + # If we have to randomly pick up a value, we cannot use |
|---|
| 326 | + # scapy RandXXX() functions, because the value has to be |
|---|
| 327 | + # set in case we need it for the window size value. That's |
|---|
| 328 | + # why we use random.randint() |
|---|
| 329 | + if opt[1:] == '*': |
|---|
| 330 | + options.append(('MSS', random.randint(1,maxmss))) |
|---|
| 331 | + elif opt[1] == '%': |
|---|
| 332 | + coef = int(opt[2:]) |
|---|
| 333 | + options.append(('MSS', coef*random.randint(1,maxmss/coef))) |
|---|
| 334 | + else: |
|---|
| 335 | + options.append(('MSS', int(opt[1:]))) |
|---|
| 336 | + elif opt[0] == 'W': |
|---|
| 337 | + if opt[1:] == '*': |
|---|
| 338 | + options.append(('WScale', RandByte())) |
|---|
| 339 | + elif opt[1] == '%': |
|---|
| 340 | + coef = int(opt[2:]) |
|---|
| 341 | + options.append(('WScale', coef*RandNum(min=1, |
|---|
| 342 | + max=(2L**8-1)/coef))) |
|---|
| 343 | + else: |
|---|
| 344 | + options.append(('WScale', int(opt[1:]))) |
|---|
| 345 | + elif opt == 'T0': |
|---|
| 346 | + options.append(('Timestamp', (0, 0))) |
|---|
| 347 | + elif opt == 'T': |
|---|
| 348 | + if 'T' in pers[5]: |
|---|
| 349 | + # FIXME: RandInt() here does not work (bug (?) in |
|---|
| 350 | + # TCPOptionsField.m2i often raises "OverflowError: |
|---|
| 351 | + # long int too large to convert to int" in: |
|---|
| 352 | + # oval = struct.pack(ofmt, *oval)" |
|---|
| 353 | + # Actually, this is enough to often raise the error: |
|---|
| 354 | + # struct.pack('I', RandInt()) |
|---|
| 355 | + options.append(('Timestamp', (uptime, random.randint(1,2**32-1)))) |
|---|
| 356 | + else: |
|---|
| 357 | + options.append(('Timestamp', (uptime, 0))) |
|---|
| 358 | + elif opt == 'S': |
|---|
| 359 | + options.append(('SAckOK', '')) |
|---|
| 360 | + elif opt == 'N': |
|---|
| 361 | + options.append(('NOP', None)) |
|---|
| 362 | + elif opt == 'E': |
|---|
| 363 | + options.append(('EOL', None)) |
|---|
| 364 | + elif opt[0] == '?': |
|---|
| 365 | + if int(opt[1:]) in TCPOptions[0]: |
|---|
| 366 | + optname = TCPOptions[0][int(opt[1:])][0] |
|---|
| 367 | + optstruct = TCPOptions[0][int(opt[1:])][1] |
|---|
| 368 | + options.append((optname, |
|---|
| 369 | + struct.unpack(optstruct, |
|---|
| 370 | + RandString(struct.calcsize(optstruct))._fix()))) |
|---|
| 371 | + else: |
|---|
| 372 | + options.append((int(opt[1:]), '')) |
|---|
| 373 | + ## FIXME: qqP not handled |
|---|
| 374 | + else: |
|---|
| 375 | + warning("unhandled TCP option " + opt) |
|---|
| 376 | + pkt.payload.options = options |
|---|
| 377 | + |
|---|
| 378 | + # window size |
|---|
| 379 | + if pers[0] == '*': |
|---|
| 380 | + pkt.payload.window = RandShort() |
|---|
| 381 | + elif pers[0].isdigit(): |
|---|
| 382 | + pkt.payload.window = int(pers[0]) |
|---|
| 383 | + elif pers[0][0] == '%': |
|---|
| 384 | + coef = int(pers[0][1:]) |
|---|
| 385 | + pkt.payload.window = coef * RandNum(min=1,max=(2L**16-1)/coef) |
|---|
| 386 | + elif pers[0][0] == 'T': |
|---|
| 387 | + pkt.payload.window = mtu * int(pers[0][1:]) |
|---|
| 388 | + elif pers[0][0] == 'S': |
|---|
| 389 | + ## needs MSS set |
|---|
| 390 | + MSS = filter(lambda x: x[0] == 'MSS', options) |
|---|
| 391 | + if not filter(lambda x: x[0] == 'MSS', options): |
|---|
| 392 | + raise Scapy_Exception("TCP window value requires MSS, and MSS option not set") |
|---|
| 393 | + pkt.payload.window = filter(lambda x: x[0] == 'MSS', options)[0][1] * int(pers[0][1:]) |
|---|
| 394 | + else: |
|---|
| 395 | + raise Scapy_Exception('Unhandled window size specification') |
|---|
| 396 | + |
|---|
| 397 | + # ttl |
|---|
| 398 | + pkt.ttl = pers[1]-extrahops |
|---|
| 399 | + # DF flag |
|---|
| 400 | + pkt.flags |= (2 * pers[2]) |
|---|
| 401 | + ## FIXME: ss (packet size) not handled (how ? may be with D quirk |
|---|
| 402 | + ## if present) |
|---|
| 403 | + # Quirks |
|---|
| 404 | + if pers[5] != '.': |
|---|
| 405 | + for qq in pers[5]: |
|---|
| 406 | + ## FIXME: not handled: P, I, X, ! |
|---|
| 407 | + # T handled with the Timestamp option |
|---|
| 408 | + if qq == 'Z': pkt.id = 0 |
|---|
| 409 | + elif qq == 'U': pkt.payload.urgptr = RandShort() |
|---|
| 410 | + elif qq == 'A': pkt.payload.ack = RandInt() |
|---|
| 411 | + elif qq == 'F': |
|---|
| 412 | + if db == p0fo_kdb: |
|---|
| 413 | + pkt.payload.flags |= 0x20 # U |
|---|
| 414 | + else: |
|---|
| 415 | + pkt.payload.flags |= RandChoice(8, 32, 40) #P / U / PU |
|---|
| 416 | + elif qq == 'D' and db != p0fo_kdb: |
|---|
| 417 | + pkt /= Raw(load=RandString(random.randint(1, 10))) # XXX p0fo.fp |
|---|
| 418 | + elif qq == 'Q': pkt.payload.seq = pkt.payload.ack |
|---|
| 419 | + #elif qq == '0': pkt.payload.seq = 0 |
|---|
| 420 | + #if db == p0fr_kdb: |
|---|
| 421 | + # '0' quirk is actually not only for p0fr.fp (see |
|---|
| 422 | + # packet2p0f()) |
|---|
| 423 | + if '0' in pers[5]: |
|---|
| 424 | + pkt.payload.seq = 0 |
|---|
| 425 | + elif pkt.payload.seq == 0: |
|---|
| 426 | + pkt.payload.seq = RandInt() |
|---|
| 427 | + |
|---|
| 428 | + while pkt.underlayer: |
|---|
| 429 | + pkt = pkt.underlayer |
|---|
| 430 | + return pkt |
|---|
| 431 | + |
|---|
| 432 | +def p0f_getlocalsigs(): |
|---|
| 433 | + """This function returns a dictionary of signatures indexed by p0f |
|---|
| 434 | +db (e.g., p0f_kdb, p0fa_kdb, ...) for the local TCP/IP stack. |
|---|
| 435 | + |
|---|
| 436 | +You need to have your firewall at least accepting the TCP packets |
|---|
| 437 | +from/to a high port (30000 <= x <= 40000) on your loopback interface. |
|---|
| 438 | + |
|---|
| 439 | +Please note that the generated signatures come from the loopback |
|---|
| 440 | +interface and may (are likely to) be different than those generated on |
|---|
| 441 | +"normal" interfaces.""" |
|---|
| 442 | + pid = os.fork() |
|---|
| 443 | + port = random.randint(30000, 40000) |
|---|
| 444 | + if pid > 0: |
|---|
| 445 | + # parent: sniff |
|---|
| 446 | + result = {} |
|---|
| 447 | + def addresult(res): |
|---|
| 448 | + # TODO: wildcard window size in some cases? and maybe some |
|---|
| 449 | + # other values? |
|---|
| 450 | + if res[0] not in result: |
|---|
| 451 | + result[res[0]] = [res[1]] |
|---|
| 452 | + else: |
|---|
| 453 | + if res[1] not in result[res[0]]: |
|---|
| 454 | + result[res[0]].append([res[1]]) |
|---|
| 455 | + # XXX could we try with a "normal" interface using other hosts |
|---|
| 456 | + iface = conf.route.route('127.0.0.1')[0] |
|---|
| 457 | + # each packet is seen twice: S + RA, S + SA + A + FA + A |
|---|
| 458 | + # XXX are the packets also seen twice on non Linux systems ? |
|---|
| 459 | + count=14 |
|---|
| 460 | + pl = sniff(iface=iface, filter='tcp and port ' + str(port), count = count, timeout=3) |
|---|
| 461 | + map(addresult, map(packet2p0f, pl)) |
|---|
| 462 | + os.waitpid(pid,0) |
|---|
| 463 | + elif pid < 0: |
|---|
| 464 | + log_runtime.error("fork error") |
|---|
| 465 | + else: |
|---|
| 466 | + # child: send |
|---|
| 467 | + # XXX erk |
|---|
| 468 | + time.sleep(1) |
|---|
| 469 | + s1 = socket.socket(socket.AF_INET, type = socket.SOCK_STREAM) |
|---|
| 470 | + # S & RA |
|---|
| 471 | + try: |
|---|
| 472 | + s1.connect(('127.0.0.1', port)) |
|---|
| 473 | + except socket.error: |
|---|
| 474 | + pass |
|---|
| 475 | + # S, SA, A, FA, A |
|---|
| 476 | + s1.bind(('127.0.0.1', port)) |
|---|
| 477 | + s1.connect(('127.0.0.1', port)) |
|---|
| 478 | + # howto: get an RST w/o ACK packet |
|---|
| 479 | + s1.close() |
|---|
| 480 | + os._exit(0) |
|---|
| 481 | + return result |
|---|
| 482 | |
|---|
| 483 | ################# |
|---|
| 484 | ## Queso stuff ## |
|---|
| 485 | @@ -13236,6 +13510,9 @@ extensions_paths: path or list of paths |
|---|
| 486 | histfile = os.path.join(os.environ["HOME"], ".scapy_history") |
|---|
| 487 | padding = 1 |
|---|
| 488 | p0f_base ="/etc/p0f/p0f.fp" |
|---|
| 489 | + p0fa_base ="/etc/p0f/p0fa.fp" |
|---|
| 490 | + p0fr_base ="/etc/p0f/p0fr.fp" |
|---|
| 491 | + p0fo_base ="/etc/p0f/p0fo.fp" |
|---|
| 492 | queso_base ="/etc/queso.conf" |
|---|
| 493 | nmap_base ="/usr/share/nmap/nmap-os-fingerprints" |
|---|
| 494 | IPCountry_base = "GeoIPCountry4Scapy.gz" |
|---|
| 495 | @@ -13278,6 +13555,9 @@ if PCAP: |
|---|
| 496 | |
|---|
| 497 | |
|---|
| 498 | p0f_kdb = p0fKnowledgeBase(conf.p0f_base) |
|---|
| 499 | +p0fa_kdb = p0fKnowledgeBase(conf.p0fa_base) |
|---|
| 500 | +p0fr_kdb = p0fKnowledgeBase(conf.p0fr_base) |
|---|
| 501 | +p0fo_kdb = p0fKnowledgeBase(conf.p0fo_base) |
|---|
| 502 | queso_kdb = QuesoKnowledgeBase(conf.queso_base) |
|---|
| 503 | nmap_kdb = NmapKnowledgeBase(conf.nmap_base) |
|---|
| 504 | IP_country_kdb = IPCountryKnowledgeBase(conf.IPCountry_base) |
|---|