summaryrefslogtreecommitdiff
path: root/staging/mopsrx_arp.c
blob: 0aac15234fdffc6affe43f425e98c05f1871c7b0 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
/*
 * Mausezahn - A fast versatile traffic generator
 * Copyright (C) 2008-2010 Herbert Haas
 * 
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License version 2 as published by the 
 * Free Software Foundation.
 * 
 * This program is distributed in the hope that it will be useful, but WITHOUT 
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
 * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more 
 * details.
 * 
 * You should have received a copy of the GNU General Public License along with 
 * this program; if not, see http://www.gnu.org/licenses/gpl-2.0.html
 * 
*/

#include "mz.h"
#include "mops.h"
#include "cli.h"

// Starts an ARP RX thread for *every* device in the device_list.
// (Except for the loopback interface)
// 
// RETURN VALUE: 0 upon success,
//               1 upon error.
// 
int mops_rx_arp ()
{
	int i;
	
	for (i=0; i<device_list_entries; i++) {
		if (mz_strcmp(device_list[i].dev, "lo", 2)==0) continue; // omit loopback!
		if (pthread_create( &(device_list[i].arprx_thread), 
				    NULL, 
				    rx_arp, 
				    &device_list[i])) { // give thread a pointer to that device_list entry
			printf("xxxxxxxxxx\n");
			return 1; // Error creating thread
		} else {
			if (verbose) {
				fprintf(stderr, " Started ARP monitor on device %s.\n", 
					device_list[i].dev);
			}
		}
	}
	return 0;
}


// Thread function to receive ARP responses for a given device. 
// Runs forever - until Mausezahn stops (see clean_up())
// 
// Argument: pointer to device_struct!
// 
// 
// 
void *rx_arp (void *arg) 
{
	char errbuf[PCAP_ERRBUF_SIZE];
   	struct pcap  *p_arp;
	struct bpf_program filter;
	char filter_str[] = "arp";  // We want to analyze both requests and responses!
	struct device_struct *dev =  (struct device_struct*) arg;
	
	// FYI, possible filter string is also:
	// "eth.dst==00:05:4e:51:01:b5 and arp and arp.opcode==2";
	
	p_arp = pcap_open_live (dev->dev, 
			    100,         // max num of bytes to read
			    1,           // 1 if promiscuous mode
			    PCAP_READ_TIMEOUT_MSEC,  // read timeout 'until error' (-1 = indefinitely)
			    errbuf);

	if (p_arp == NULL) {
		fprintf(stderr," rx_arp: [ERROR] %s\n",errbuf);
		return NULL; // TODO: Should return pointer to error message or something similar
	}
   
	dev->p_arp = p_arp; // also assign pointer to a global which is needed for clean_up
   
	if ( pcap_compile(p_arp, 
			  &filter,        // the compiled version of the filter
			  filter_str,     // text version of filter
			  0,              // 1 = optimize
			  0)              // netmask
	     == -1) {
		fprintf(stderr," rx_arp: [ERROR] Error calling pcap_compile\n"); 
		return NULL;
	}

	if ( pcap_setfilter(p_arp, &filter) == -1)	{
		fprintf(stderr," rx_arp: [ERROR] Error setting pcap filter\n");
		pcap_perror(p_arp, " rx_arp: ");
		return NULL;
	}
   
	if (pcap_setdirection(p_arp, PCAP_D_IN) == -1) {
		pcap_perror(p_arp, " rx_arp: ");
		return NULL;
	}
   
	again:
	pcap_loop (p_arp, 
		   1,               // number of packets to wait
		   got_arp_packet,  // name of callback function
		   (u_char*) dev);           // optional additional arguments for callback function
	goto again;
	
	pthread_exit(NULL); // destroy thread
   return NULL;
}


void got_arp_packet (u_char                   *args, 
		     const struct pcap_pkthdr *header, // statistics about the packet (see 'struct pcap_pkthdr')
		     const u_char             *packet)             // the bytestring sniffed  
{
	const struct struct_ethernet *ethernet;
	const struct struct_arp      *arp;
	int                          size_ethernet = sizeof(struct struct_ethernet);
	struct device_struct         *dev          = (struct device_struct*) args;

	u_int8_t 
		da[6],   // eth da
		sa[6],   // eth sa
		smac[6],  // source hw address
		sip[4],  // source protocol address
		tmac[6],  // target hw address
		tip[4];  // target protocol address
	u_int16_t op;    // operation
	u_int32_t sec, nsec;
	u_int8_t *x;
	
	// These are the most important lines here:
	ethernet = (struct struct_ethernet*)(packet);
	arp      = (struct struct_arp*)(packet+size_ethernet);
	sec      = (u_int32_t) header->ts.tv_sec;
	nsec     = (u_int32_t) ((header->ts.tv_usec) * 1000);
	
	op = arp->arp_op; // note that we don't have network byte order anymore!
	                  // tmact is: 
                          //          100 instead of 00:01 (request)
	                  //          200 instead of 00:02 (response)

	memcpy((void*) da, (void*) ethernet->eth_da, 6);
	memcpy((void*) sa, (void*) ethernet->eth_sa, 6);
	memcpy((void*) smac, (void*) arp->arp_smac, 6);
	memcpy((void*) sip, (void*) arp->arp_sip, 4);
	memcpy((void*) tmac, (void*) arp->arp_tmac, 6);
	memcpy((void*) tip, (void*) arp->arp_tip, 4);
		
	// Only handle the packet if it is really an ARP response!
	////AND if it is not sent by THIS host! (not possible, we only scan inbound!)
	x = (u_int8_t*) & op;
	if  (*(x+1) == 0x02) { 
		// ARP RESPONSE: Update ARP table
		arptable_add(dev, sa, da, smac, sip, sec, nsec);
	} else if  (*(x+1) == 0x01) {
		// ARP REQUEST: Detect poisoning attacks
		arpwatch(dev, sa, da, smac, sip, tmac, tip, sec, nsec);
	}
	

	
	
	// ARP binding consists of: sip (IP) - smac (MAC)
	// 
	// User alert, 2 possibilities:
	// 
	//   1. Learned new binding: does smac belong to sip? 
	// 
	//   2. Alert: Mismatch of stored versus announced sip-to-smac binding
	// 
	// In both cases user action: [Learn] [Ignore] [Attack] [Amok Attack]
	// Countermeasures: Mausezahn him!
	//
	// ALSO correct ARP tables of other hosts, especially on the default gateway
	// that is, send arp replies with true binding
   	// 
	// Finally: Create logging message

}



// Add new entry in device-specific ARP table
// but first check if already existing or change.
// 
// RETURN VALUE: 0 upon success
//               1 upon error
// 
int arptable_add(struct device_struct *dev, 
		 u_int8_t *sa, 
		 u_int8_t *da, 
		 u_int8_t *smac, 
		 u_int8_t *sip, 
		 u_int32_t sec, 
		 u_int32_t nsec)
{
	struct arp_table_struct *prev=NULL, *cur = dev->arp_table; 
	int i=0, alert=0;

	// If SA and SMAC are different this might be a MITM !!!
	if (compare_mac(smac, sa)) alert=1;
	
	// Check if IP (sip) is already existing in arp table:
	while (cur!=NULL) {
		if (compare_ip(sip, cur->sip)==0) { // IP found!
			timestamp_hms(cur->when);
			if (da[0]==0xff) cur->bc_resp++; 
			else  cur->uni_resp++;
			if (compare_mac(smac, cur->smac)==0) { 
				// entry identical !
				cur->sec=sec;
				cur->nsec=nsec;
				return 0;
			} else {
				// entry with other MAC address found !
				if (cur->locked==0) {
					cur->changed++;
					memcpy((void*) cur->smac_prev, (void*) cur->smac, 6);
					memcpy((void*) cur->smac, (void*) smac, 6);
					cur->sec_prev=cur->sec;
					cur->nsec_prev=cur->nsec;
					cur->sec=sec; 
					cur->nsec=nsec;
					if (alert) cur->flags|=0x02;
				}
				return 0;
			}
		}
		prev = cur;
		cur = cur->next; 
		i++;
	}
	
	// If we get here, then there was no entry for that IP yet!
	// Create new arp_table entry:
	cur = (struct arp_table_struct *) malloc(sizeof(struct arp_table_struct));
	if (cur==NULL) return 1;

	// Append element:
	if (dev->arp_table==NULL) dev->arp_table = cur;
	else prev->next = cur;
	
	memcpy((void*) cur->sa, (void*) sa, 6);
	memcpy((void*) cur->smac, (void*) smac, 6);
	cur->smac_prev[0]=0x00;
	cur->smac_prev[1]=0x00;
	cur->smac_prev[2]=0x00;
	cur->smac_prev[3]=0x00;
	cur->smac_prev[4]=0x00;
	cur->smac_prev[5]=0x00;
	memcpy((void*) cur->sip, (void*) sip, 4);
	if (da[0]==0xff) { 
		cur->bc_resp=1;
		cur->uni_resp=0;
	} else {
		cur->bc_resp=0;
		cur->uni_resp=1;	
	}
	cur->changed=1;
	cur->locked=0;
	cur->dynamic=1;
	cur->flags=0;
	cur->sec=sec;
	cur->nsec=nsec; 
	cur->sec_prev=0;
	cur->nsec_prev=0;
	cur->index=i+1; // I assume users prefer to count from 1.
	timestamp_hms(cur->when);
	if (alert) cur->flags|=0x02;
	cur->next=NULL;
	return 0;
}
   


// Validate ARP requests
int arpwatch(struct device_struct *dev, 
	     u_int8_t *sa, 
	     u_int8_t *da, 
	     u_int8_t *smac, 
	     u_int8_t *sip, 
	     u_int8_t *tmac,
	     u_int8_t *tip,
	     u_int32_t sec,
	     u_int32_t nsec)
{
	// Unicast requests are considered as anomaly
	
	if ((da[0]&0x01)==0) { // broadcast bit NOT set?
		fprintf(stderr, "NOTE: Non-broadcast ARP request from %02x:%02x:%02x:%02x:%02x:%02x\n",
			sa[0], sa[1], sa[2], sa[3], sa[4], sa[5]);
	}
	
	return 0;
}