
SNMP and S7COMM protocols added

shreyas.srinivasa 8 년 전
부모
커밋
6b5b8d5337

+ 5 - 5
assets/payload/redirect-ports.sh

@@ -3,16 +3,16 @@
 # redirects ports below 1024 to a higher range using iptables, so they can be used without elevated rights
 # MySQL SIP (3306 and 5060) are left out because they are >= 1024 anyways
 
-#             ECHO  FTP   HTTP  HTTPS SMB (NETBIOS UDP & TCP) SSH   TELNET MODBUS
-protocol=(    "tcp" "tcp" "tcp" "tcp" "udp" "udp"  "tcp" "tcp" "tcp" "tcp" "tcp")
-origin=(       7     21    80    443   137   138    139   22    23    445   502)
-destination=( 28144 28169 28217 28580 28274 28275 28276 28159 28160 28582 28639) # simply offset by 1024 + 27113
+#             ECHO  FTP   HTTP  HTTPS S7COMM SNMP SMB (NETBIOS UDP & TCP) SSH   TELNET MODBUS
+protocol=(    "tcp" "tcp" "tcp" "tcp" "tcp" "udp" "udp" "udp"  "tcp" "tcp" "tcp" "tcp" "tcp" )
+origin=(       7     21    80    443   102	 161   137   138    139   22    23    445   502 )
+destination=( 28144 28169 28217 28580 28239 28298 28274 28275 28276 28159 28160 28582 28639 ) # simply offset by 1024 + 27113
 length=${#protocol[@]} # count protocol elements
 
 # for (( i=0; i<$length; i++ ))
 #for i in `seq 0 9` # fix for android's annoyingly limited bash
 
-for i in 0 1 2 3 4 5 6 7 8 9 10 # another fix for devices missing the seq command
+for i in 0 1 2 3 4 5 6 7 8 9 10 11 12# another fix for devices missing the seq command
 
 do
 	# echo ${protocol[$i]} ${origin[$i]} ${destination[$i]} # debug
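Review bot: On the new `for` line the comment is glued to the last index (`12# another fix ...`), and in bash `#` starts a comment only at the beginning of a word. The list therefore ends with the word `12#` followed by `another`, `fix`, `for`, ... instead of index 12, so the last entry (MODBUS, 502 → 28639) is probably not redirected as intended and the stray words are used as array subscripts. Put a space before the comment: `for i in 0 1 2 3 4 5 6 7 8 9 10 11 12 # another fix for devices missing the seq command`. The hand-written index list must also be kept in step with the three arrays whenever a protocol is added; the loop body continues outside the hunk.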

+ 2 - 0
build.gradle

@@ -21,12 +21,14 @@ dependencies {
     compile files('libs/nineoldandroids-2.4.0.jar')
     compile 'com.android.support:support-v4:18.0.0'
     //compile fileTree(dir: 'libs', include: '*.jar')
+    compile files('libs/snmp4j-agent-2.3.3.jar')
     compile files('libs/swipelistview-1.0.jar')
     compile files('libs/sshlib-v1.1.jar')
     compile files('libs/chart-library2.2.jar')
     //compile files('libs/jlan-5.jar')
     compile files('libs/alfresco-jlan.jar')
     compile files('libs/cryptix-jce-provider.jar')
+    compile 'org.snmp4j:snmp4j:1.10.1'
 }
 
 android {
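Review bot: The two added dependencies take SNMP4J from different sources and different major versions: a checked-in binary `libs/snmp4j-agent-2.3.3.jar` and `org.snmp4j:snmp4j:1.10.1` resolved from a repository. An agent 2.x jar is normally built against the 2.x core, so confirm that this pairing actually links and runs. The jar is committed as an opaque binary with no recorded origin or checksum, which makes it hard to audit or update later. Prefer resolving both artifacts from the same repository with matching versions, or record the jar's download source and hash next to it.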

BIN
libs/snmp4j-agent-2.3.3.jar


+ 6 - 0
pom.xml

@@ -78,6 +78,9 @@
 			<type>jar</type>
 		</dependency>
     </dependencies>
+
+
+
 	<build>
 		<finalName>${project.artifactId}</finalName>
 		<sourceDirectory>src</sourceDirectory>
@@ -149,4 +152,7 @@
             </snapshots>
         </repository>
     </repositories>
+
+
+
 </project>

+ 5 - 1
res/values/protocols.xml

@@ -9,6 +9,8 @@
         <item>HTTPS</item>
         <item>MySQL</item>
         <item>MODBUS</item>
+        <item>S7COMM</item>
+        <item>SNMP</item>
         <item>SIP</item>
         <item>SMB</item>
         <item>SSH</item>
@@ -22,7 +24,9 @@
         <item>A protocol to exchange or transfer hypertext. It is the foundation of data communication for the World Wide Web</item>
         <item>The same as HTTP, but using a secure connections based on SSL/TLS</item>
         <item>The world\'s second most widely used relational database management system</item>
-        <item>ISC SCADA MODBUS</item>
+        <item>ICS SCADA MODBUS</item>
+        <item>Siemens SIMATIC Communication Protocol</item>
+        <item>Simple Network Monitoring Protocol</item>
         <item>A protocol for VoIP (Voice over IP) services</item>
         <item>A protocol used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network</item>
         <item>A network protocol that provides file access, file transfer, and file management functionalities over any reliable data stream</item>
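Review bot: The description added for SNMP expands the acronym incorrectly; SNMP is the Simple Network Management Protocol, so the item should read `<item>Simple Network Management Protocol</item>`. The name list and the description list appear to be matched by position only, so the two new entries must sit in the same slot in both (after MODBUS, before SIP); that holds in this commit. Both arrays start outside the hunks.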

+ 5 - 3
src/de/tudarmstadt/informatik/hostage/protocol/MODBUS.java

@@ -57,7 +57,8 @@ public class MODBUS implements Protocol {
     public static final int READ_INPUT_REGISTERS = 4;
     public static final int WRITE_COIL = 5;
     public static final int WRITE_SINGLE_REGISTER = 6;
-    public static final int MODBUS_SERVICE = 17;
+    public static final int MODBUS_SERVICE = 17; //for detection using metasploit module
+    public static final int MODBUS_DISCOVER=1;
 
     //public static final int WRITE_MULTIPLE_COILS = 15; Not sure of these commands
     //public static final int WRITE_MULTIPLE_REGISTERS = 16; Not sure of these commands
@@ -122,8 +123,9 @@ public class MODBUS implements Protocol {
         switch (requestType){
 
             case MODBUS_SERVICE:
-                responsePackets.add(new Packet(request,getDeviceInfo()));
+               // responsePackets.add(new Packet(request,getDeviceInfo()));
                 responsePackets.add(new Packet(getDeviceInfo()+"\r\n","EE:FF:66:88:GH:JI:DJ"));
+                System.out.println(responsePackets);
                 break;
 
             case READ_INPUT_REGISTERS:
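Review bot: The added `System.out.println(responsePackets);` in the `MODBUS_SERVICE` case, and the re-enabled `System.out.println(requestType);` in the third hunk, leave debug output on the request path of a network-facing service. Every remote request then writes to standard output, with content and volume driven by the peer, and it bypasses whatever logging the project uses elsewhere; remove both lines or route them through the project's logger at debug level. The commented-out `responsePackets.add(new Packet(request,getDeviceInfo()));` should be deleted rather than kept as a comment. The new `MODBUS_DISCOVER=1` constant in the first hunk is not used in any visible hunk and may share its value with an existing function-code constant, which is worth checking before it is used in the `switch`. The enclosing methods start and end outside the hunks.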
@@ -433,7 +435,7 @@ public class MODBUS implements Protocol {
             requestType = READ_HOLDING_REGISTERS;
         }
 
-       // System.out.println(requestType);
+       System.out.println(requestType);
         return requestType;
 
 

+ 47 - 0
src/de/tudarmstadt/informatik/hostage/protocol/S7COMM.java

@@ -0,0 +1,47 @@
+package de.tudarmstadt.informatik.hostage.protocol;
+
+import java.util.List;
+
+import de.tudarmstadt.informatik.hostage.wrapper.Packet;
+
+/**
+ * Created by root on 06.07.15.
+ */
+public class S7COMM implements Protocol {
+    @Override
+    public int getPort() {
+        return 102;
+    }
+
+    @Override
+    public boolean isClosed() {
+        return false;
+    }
+
+    @Override
+    public boolean isSecure() {
+        return false;
+    }
+
+    @Override
+    public List<Packet> processMessage(Packet requestPacket) {
+
+        byte[] request = requestPacket.getBytes();
+
+        for(int i=0; i<=request.length;i++) {
+            System.out.println(request[i]);
+        }
+
+        return null;
+    }
+
+    @Override
+    public TALK_FIRST whoTalksFirst() {
+        return null;
+    }
+
+    @Override
+    public String toString(){
+        return "S7COMM";
+    }
+}
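Review bot: The loop in `processMessage` uses `i<=request.length`, so `request[i]` reads one element past the end and throws `ArrayIndexOutOfBoundsException` on every message, including an empty one; any peer that sends data to this listener triggers it. The bound should be `i < request.length`, and the byte dump belongs behind the project's logger rather than `System.out`. `processMessage` and `whoTalksFirst` also return `null`; unless the callers of `Protocol` (not visible here) tolerate that, return an empty list and a concrete `TALK_FIRST` value instead. The class has no Javadoc beyond the IDE template; a sentence saying it is a stub that only dumps the request would set expectations.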

+ 183 - 0
src/de/tudarmstadt/informatik/hostage/protocol/SNMP.java

@@ -0,0 +1,183 @@
+package de.tudarmstadt.informatik.hostage.protocol;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.List;
+
+import de.tudarmstadt.informatik.hostage.wrapper.Packet;
+
+import org.alfresco.jlan.server.auth.spnego.OID;
+import org.snmp4j.TransportMapping;
+import org.snmp4j.agent.BaseAgent;
+import org.snmp4j.agent.CommandProcessor;
+import org.snmp4j.agent.DuplicateRegistrationException;
+import org.snmp4j.agent.MOGroup;
+import org.snmp4j.agent.ManagedObject;
+import org.snmp4j.agent.mo.MOTableRow;
+import org.snmp4j.agent.mo.snmp.RowStatus;
+import org.snmp4j.agent.mo.snmp.SnmpCommunityMIB;
+import org.snmp4j.agent.mo.snmp.SnmpNotificationMIB;
+import org.snmp4j.agent.mo.snmp.SnmpTargetMIB;
+import org.snmp4j.agent.mo.snmp.StorageType;
+import org.snmp4j.agent.mo.snmp.VacmMIB;
+import org.snmp4j.agent.security.MutableVACM;
+import org.snmp4j.mp.MPv3;
+import org.snmp4j.security.SecurityLevel;
+import org.snmp4j.security.SecurityModel;
+import org.snmp4j.security.USM;
+import org.snmp4j.smi.Address;
+import org.snmp4j.smi.GenericAddress;
+import org.snmp4j.smi.Integer32;
+import org.snmp4j.smi.OctetString;
+import org.snmp4j.smi.Variable;
+import org.snmp4j.transport.TransportMappings;
+
+/**
+ * Created by root on 06.07.15.
+ */
+public class SNMP extends BaseAgent implements Protocol {
+    @Override
+    public int getPort() {
+        return 161;
+    }
+
+    @Override
+    public boolean isClosed() {
+        return false;
+    }
+
+    @Override
+    public boolean isSecure() {
+        return false;
+    }
+
+    @Override
+    public List<Packet> processMessage(Packet requestPacket) {
+        return null;
+    }
+
+    @Override
+    public TALK_FIRST whoTalksFirst() {
+        return null;
+    }
+
+    @Override
+    public String toString(){
+        return "SNMP";
+    }
+
+
+    private String address;
+
+    public SNMP(String address) throws IOException {
+
+        super(new File("conf.agent"), new File("bootCounter.agent"),
+                new CommandProcessor(
+                        new OctetString(MPv3.createLocalEngineID())));
+        this.address = address;
+    }
+
+    @Override
+    protected void registerManagedObjects() {
+
+    }
+
+    @Override
+    protected void unregisterManagedObjects() {
+
+    }
+
+    @Override
+    protected void addUsmUser(USM usm) {
+
+    }
+
+
+    @Override
+    protected void addNotificationTargets(SnmpTargetMIB snmpTargetMIB, SnmpNotificationMIB snmpNotificationMIB) {
+
+    }
+
+    @Override
+    protected void addViews(VacmMIB vacmMIB) {
+
+        vacmMIB.addGroup(SecurityModel.SECURITY_MODEL_SNMPv2c, new OctetString("cpublic"), new OctetString("v1v2group"), StorageType.nonVolatile);
+
+        vacmMIB.addAccess(new OctetString("v1v2group"), new OctetString("public"),
+        SecurityModel.SECURITY_MODEL_ANY, SecurityLevel.NOAUTH_NOPRIV,
+        MutableVACM.VACM_MATCH_EXACT, new OctetString("fullReadView"),
+        new OctetString("fullWriteView"), new OctetString("fullNotifyView"), StorageType.nonVolatile);
+
+        vacmMIB.addViewTreeFamily(new OctetString("fullReadView"), new org.snmp4j.smi.OID("1.3"),
+        new OctetString(), VacmMIB.vacmViewIncluded, StorageType.nonVolatile);
+    }
+
+    @Override
+    protected void addCommunities(SnmpCommunityMIB snmpCommunityMIB) {
+
+        Variable[] com2sec = new Variable[] { new OctetString("public"),
+
+                new OctetString("cpublic"), // security name
+
+                getAgent().getContextEngineID(), // local engine ID
+
+                new OctetString("public"), // default context name
+
+                new OctetString(), // transport tag
+
+                new Integer32(StorageType.nonVolatile), // storage type
+
+                new Integer32(RowStatus.active) // row status
+
+        };
+
+        MOTableRow row = snmpCommunityMIB.getSnmpCommunityEntry().createRow(
+
+        new OctetString("public2public").toSubIndex(true), com2sec);
+
+        snmpCommunityMIB.getSnmpCommunityEntry().addRow((SnmpCommunityMIB.SnmpCommunityEntryRow) row);
+    }
+
+    public void start() throws IOException {
+
+        init();
+        // This method reads some old config from a file and causes
+        // unexpected behavior.
+        // loadConfig(ImportModes.REPLACE_CREATE);
+        addShutdownHook();
+        getServer().addContext(new OctetString("public"));
+        finishInit();
+        run();
+        sendColdStartNotification();
+    }
+
+
+    protected void initTransportMappings() throws IOException {
+        transportMappings = new TransportMapping[1];
+        Address addr = GenericAddress.parse(address);
+
+        TransportMapping tm = TransportMappings.getInstance()
+        .createTransportMapping(addr);
+        transportMappings[0] = tm;
+    }
+
+
+    public void registerManagedObject(ManagedObject mo) {
+        try {
+            server.register(mo, null);
+            } catch (DuplicateRegistrationException ex) {
+
+            throw new RuntimeException(ex);
+              }
+
+    }
+
+
+    public void unregisterManagedObject(MOGroup moGroup){
+        moGroup.unregisterMOs(server,getContext(moGroup));
+    }
+
+
+
+
+}
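Review bot: `processMessage` and `whoTalksFirst` return `null`, while the real traffic handling is done by the SNMP4J `BaseAgent` that `start()` brings up on its own transport built from `address`. As far as this file shows, requests answered by the agent never pass through the `Protocol`/`Packet` path, so confirm that the application's own recording of the interaction still happens somewhere (not visible here). `addViews` gives the `public` community a `NOAUTH_NOPRIV` read view over all of `1.3` and `registerManagedObjects` is empty, so a client sees whatever `BaseAgent` registers by default; check that those default objects do not disclose details of the host or of the library. `fullWriteView` and `fullNotifyView` are referenced but never defined with `addViewTreeFamily`; if read-only is intended, say so in a comment. The import of `org.alfresco.jlan.server.auth.spnego.OID` is unused and forces the fully qualified `org.snmp4j.smi.OID` in `addViews`.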

+ 26 - 0
src/de/tudarmstadt/informatik/hostage/protocol/SNMPUtils/MOCreator.java

@@ -0,0 +1,26 @@
+package de.tudarmstadt.informatik.hostage.protocol.SNMPUtils;
+
+
+import org.snmp4j.agent.mo.MOAccessImpl;
+import org.snmp4j.agent.mo.MOScalar;
+import org.snmp4j.smi.OID;
+import org.snmp4j.smi.OctetString;
+import org.snmp4j.smi.Variable;
+
+/**
+ * Created by root on 06.07.15.
+ */
+public class MOCreator {
+
+    public static MOScalar createReadOnly(OID oid, Object value){
+        return new MOScalar(oid, MOAccessImpl.ACCESS_READ_ONLY,getVariable(value));
+    }
+
+    private static Variable getVariable(Object value){
+        if(value instanceof String) {
+            return new OctetString((String) value);
+        }
+        throw new IllegalArgumentException("Ummanaged Type:"+value.getClass());
+    }
+
+}
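Review bot: `getVariable` calls `value.getClass()` while building the error message, so a `null` value fails with a `NullPointerException` instead of the intended `IllegalArgumentException`; the message also has a typo (`Ummanaged`). Suggested: `throw new IllegalArgumentException("Unmanaged type: " + (value == null ? "null" : value.getClass()));`. `createReadOnly` has no Javadoc; a short comment stating that only `String` values are supported would document the contract for callers.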

+ 87 - 0
src/de/tudarmstadt/informatik/hostage/protocol/SNMPUtils/MOTableBuilder.java

@@ -0,0 +1,87 @@
+package de.tudarmstadt.informatik.hostage.protocol.SNMPUtils;
+
+import org.snmp4j.agent.MOAccess;
+import org.snmp4j.agent.mo.DefaultMOMutableRow2PC;
+import org.snmp4j.agent.mo.DefaultMOTable;
+import org.snmp4j.agent.mo.MOColumn;
+import org.snmp4j.agent.mo.MOMutableTableModel;
+import org.snmp4j.agent.mo.MOTable;
+import org.snmp4j.agent.mo.MOTableIndex;
+import org.snmp4j.agent.mo.MOTableSubIndex;
+import org.snmp4j.smi.OID;
+import org.snmp4j.smi.SMIConstants;
+import org.snmp4j.smi.Variable;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * Created by root on 06.07.15.
+ */
+public class MOTableBuilder {
+
+    private MOTableSubIndex[] subIndexes = new MOTableSubIndex[] { new MOTableSubIndex(
+            SMIConstants.SYNTAX_INTEGER) };
+    private MOTableIndex indexDef = new MOTableIndex(subIndexes, false);
+
+    private final List<MOColumn> columns = new ArrayList<MOColumn>();
+    private final List<Variable[]> tableRows = new ArrayList<Variable[]>();
+    private int currentRow = 0;
+    private int currentCol = 0;
+
+    private OID tableRootOid;
+
+    private int colTypeCnt = 0;
+
+
+    /**
+     * Specified oid is the root oid of this table
+     */
+    public MOTableBuilder(OID oid) {
+        this.tableRootOid = oid;
+    }
+
+    /**
+     * Adds all column types {@link MOColumn} to this table.
+     * Important to understand that you must add all types here before
+     * adding any row values
+     *
+     * @param syntax use {@link SMIConstants}
+     * @param access
+     * @return
+     */
+    public MOTableBuilder addColumnType(int syntax, MOAccess access) {
+        colTypeCnt++;
+        columns.add(new MOColumn(colTypeCnt, syntax, access));
+        return this;
+    }
+
+
+    public MOTableBuilder addRowValue(Variable variable) {
+        if (tableRows.size() == currentRow) {
+            tableRows.add(new Variable[columns.size()]);
+        }
+        tableRows.get(currentRow)[currentCol] = variable;
+        currentCol++;
+        if (currentCol >= columns.size()) {
+            currentRow++;
+            currentCol = 0;
+        }
+        return this;
+    }
+
+    public MOTable build() {
+        DefaultMOTable ifTable = new DefaultMOTable(tableRootOid, indexDef,
+                columns.toArray(new MOColumn[0]));
+        MOMutableTableModel model = (MOMutableTableModel) ifTable.getModel();
+        int i = 1;
+
+        for (Variable[] variables : tableRows) {
+            model.addRow(new DefaultMOMutableRow2PC(new OID(String.valueOf(i)),
+                    variables));
+            i++;
+        }
+        ifTable.setVolatile(true);
+        return ifTable;
+    }
+}
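Review bot: `addRowValue` does not check that columns were declared first: with no prior `addColumnType` call it allocates `new Variable[0]` and the assignment at index `currentCol` throws `ArrayIndexOutOfBoundsException`, and column types added after the first row leave earlier rows shorter than the column list. `build()` also adds a partially filled last row, leaving `null` cells in the table. Guard with `if (columns.isEmpty()) throw new IllegalStateException("add column types before row values");` in `addRowValue` and `if (currentCol != 0) throw new IllegalStateException("last row is incomplete");` at the top of `build()`. `addRowValue` and `build` have no Javadoc, and the `@param access` and `@return` tags on `addColumnType` are empty.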