- /*
- * ZMap Copyright 2013 Regents of the University of Michigan
- *
- * Licensed under the Apache License, Version 2.0 (the "License"); you may not
- * use this file except in compliance with the License. You may obtain a copy
- * of the License at http://www.apache.org/licenses/LICENSE-2.0
- */
- // probe module for performing TCP SYN scans extended for probe response attacks
- #include <stdlib.h>
- #include <stdio.h>
- #include <stdint.h>
- #include <unistd.h>
- #include <string.h>
- #include <assert.h>
- #include "../../lib/includes.h"
- #include "../fieldset.h"
- #include "probe_modules.h"
- #include "packet.h"
- #include "../../lib/logger.h"
- #include <inttypes.h>
// Minimum number of ICMP bytes the decoder wants before it reads icmp_type.
// NOTE(review): a full ICMP header is 8 bytes and the quoted datagram is read
// at offset 8 below, so 5 only covers the type/code/checksum fields -- confirm
// that the later reads are bounds-checked against len.
#define ICMP_SMALLEST_SIZE 5
// NOTE(review): defined without a value and never referenced in this file.
#define ICMP_TIMXCEED_UNREACH_HEADER_SIZE
// NOTE(review): tentative definition whose name does not match the module
// object actually initialised at the bottom of this file
// (module_tcp_synscan_proberesponse). Whichever of the two probe_modules.c
// references is the one that matters; if it is this one, the registered module
// has all-NULL function pointers -- confirm and drop the stray name.
probe_module_t module_tcp_synscan_pra_proberesponse;
// size of the configured source-port range; set once in global_initialize
static uint32_t num_ports;
/*
 * Module-wide setup: records the size of the source-port range so that
 * make_packet() can pick a per-probe source port from it.
 * Returns EXIT_SUCCESS.
 */
int synscan_pra_global_initialize(struct state_conf *state)
{
	uint32_t first_port = state->source_port_first;
	uint32_t last_port = state->source_port_last;

	num_ports = last_port - first_port + 1;
	return EXIT_SUCCESS;
}
/*
 * Per-thread setup: zeroes the packet buffer and lays down the static
 * Ethernet, IPv4 and TCP headers. The per-probe fields (addresses, ports,
 * sequence number, checksums) are filled in later by make_packet().
 * Returns EXIT_SUCCESS.
 */
int synscan_pra_init_perthread(void *buf, macaddr_t *src, macaddr_t *gw,
		port_h_t dst_port, __attribute__((unused)) void **arg_ptr)
{
	// IP total length (header + option-less TCP header), network byte order
	const uint16_t ip_total_len = htons(sizeof(struct ip) + sizeof(struct tcphdr));
	struct ether_header *eth = buf;
	struct ip *iph = (struct ip *)(eth + 1);
	struct tcphdr *tcph = (struct tcphdr *)(iph + 1);

	memset(buf, 0, MAX_PACKET_SIZE);
	make_eth_header(eth, src, gw);
	make_ip_header(iph, IPPROTO_TCP, ip_total_len);
	make_tcp_header(tcph, dst_port);
	return EXIT_SUCCESS;
}
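/*
 * Builds the 64-bit marker word that make_packet() spreads over the
 * destination port, source address and source port.
 *
 * Layout, most significant bit first: the marker value occupies the top
 * marker_bits bits and its Fletcher-32 checksum starts right after it, so a
 * reader only has to consume marker_bits + checksum_bits bits and surplus
 * checksum bits need no masking.
 *
 *   291 -> 0x00000123 -> marker "000123" (e.g. 3 bytes)
 *       -> chk = fletcher32("000123" zero-padded on the right to 4 bytes)
 *       -> "000123" + chk[:checksum_bits]
 *
 * The marker value is either the top marker_bits bits of dst_ip (stage 1)
 * or the operator-supplied zconf.markervalue (later stages).
 *
 * marker_bits must lie in [0, 32]: the marker goes through a 32-bit
 * intermediate, and shifting a 32-bit (64-bit) value by 32 (64) bits is
 * undefined in C, so "no marker bits" is handled explicitly rather than by
 * shifting. Out-of-range values yield an all-zero word.
 */
static uint64_t synscan_pra_marker_word(ipaddr_n_t dst_ip, int marker_bits,
		int checksum_bits)
{
	uint64_t word = 0;
	uint32_t marker_value;

	assert(marker_bits >= 0 && marker_bits <= 32);
	if (marker_bits <= 0 || marker_bits > 32) {
		// nothing to encode, and nothing to checksum
		return 0;
	}

	if (zconf.use_markervalue) {
		// stages > 1: the marker is given directly
		marker_value = (uint32_t)zconf.markervalue;
	} else {
		// stage 1: leading marker_bits bits of the target address in host
		// order, e.g. 1.2.3.4 -> 1.2 for 16 bits
		marker_value = ntohl(dst_ip) >> (32 - marker_bits);
	}
	// 0x00000000 00AAAAAA -> 0xAAAAAA00 00000000
	word = (uint64_t)marker_value << (64 - marker_bits);

	if (checksum_bits != 0) {
		// checksum the marker as four big-endian bytes, zero-padded on the
		// right: 0xAAAAAA00 00000000 -> 0xAAAAAA00 -> network order -> 2 words
		// (copied into a uint16_t array instead of punning the uint32_t)
		uint32_t marker_nbo = htonl((uint32_t)(word >> 32));
		uint16_t halves[2];
		memcpy(halves, &marker_nbo, sizeof(halves));
		uint64_t sum = (uint64_t)fletcher32(halves, 2) & 0xFFFFFFFFu;
		// 0xAAAAAA00 00000000 | (0x00000000 CCCCCCCC << (32 - marker_bits))
		//   -> 0xAAAAAACC CCCCCC00
		word |= sum << (32 - marker_bits);
	}
	return word;
}

/*
 * Fills in the per-probe fields of the SYN packet prepared in buf.
 *
 * buf        : packet prepared by synscan_pra_init_perthread()
 * src_ip     : this host's address (network order); kept unless a marker
 *              overwrites the source address (encoding bit 2)
 * dst_ip     : target address (network order)
 * validation : per-target validation words; validation[0] becomes the SEQ
 *              and also drives the default source-port choice
 * probe_num  : retransmission index used by get_src_port()
 *
 * The marker word (see synscan_pra_marker_word) is placed according to the
 * bits of zconf.marker_encoding, in this order: 1 = destination port,
 * 2 = source address, 4 = source port. Placing bits into the source address
 * spoofs the sender, so any reply goes to the encoded address rather than
 * to this host; the validator below therefore ignores that mode. The
 * encoded source address should differ from the destination to avoid
 * being filtered. Returns EXIT_SUCCESS.
 */
int synscan_pra_make_packet(void *buf, ipaddr_n_t src_ip, ipaddr_n_t dst_ip,
		uint32_t *validation, int probe_num, __attribute__((unused)) void *arg)
{
	struct ether_header *eth_header = (struct ether_header *)buf;
	struct ip *ip_header = (struct ip *)(&eth_header[1]);
	struct tcphdr *tcp_header = (struct tcphdr *)(&ip_header[1]);
	int marker_bits = zconf.markerbits_ip;
	int checksum_bits = zconf.markerbits_checksum;
	int bits_to_encode = marker_bits + checksum_bits;
	uint64_t word = synscan_pra_marker_word(dst_ip, marker_bits, checksum_bits);

	ip_header->ip_dst.s_addr = dst_ip;
	// defaults; either may be replaced by a marker below
	ip_header->ip_src.s_addr = src_ip;
	tcp_header->th_sport = htons(get_src_port(num_ports, probe_num, validation));

	// bits of `word` placed so far, counted from the most significant bit
	int placed = 0;
	for (int bitpos = 1; bitpos <= 31 && placed < bits_to_encode; bitpos <<= 1) {
		int target = zconf.marker_encoding & bitpos;
		if (target == 1) {
			if (zconf.marker_encoding_dst_small) {
				// mitigation mode: the destination port is the only marker
				// and carries just the top 10 bits (0..1023)
				tcp_header->th_dport = htons((uint16_t)(word >> (64 - 10)));
				break;
			}
			// top 16 bits into the destination port
			tcp_header->th_dport = htons((uint16_t)(word >> 48));
			placed += 16;
		} else if (target == 2) {
			// next 32 bits into the (spoofed) source address
			ip_header->ip_src.s_addr = htonl((uint32_t)(word >> (32 - placed)));
			placed += 32;
		} else if (target == 4) {
			// next 16 bits into the source port
			tcp_header->th_sport = htons((uint16_t)(word >> (48 - placed)));
			placed += 16;
		}
		// encoding bits 8 and 16 are reserved and currently ignored
	}

	tcp_header->th_seq = validation[0];
	tcp_header->th_sum = 0;
	tcp_header->th_sum = tcp_checksum(sizeof(struct tcphdr),
			ip_header->ip_src.s_addr, ip_header->ip_dst.s_addr, tcp_header);
	ip_header->ip_sum = 0;
	ip_header->ip_sum = zmap_ip_checksum((unsigned short *)ip_header);
	return EXIT_SUCCESS;
}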
/*
 * Dumps a prepared probe to fp: the TCP fields first, then the IP and
 * Ethernet headers, followed by a separator line.
 */
void synscan_pra_print_packet(FILE *fp, void *packet)
{
	struct ether_header *eth = packet;
	struct ip *iph = (struct ip *)(eth + 1);
	struct tcphdr *tcph = (struct tcphdr *)(iph + 1);
	uint16_t sport = ntohs(tcph->th_sport);
	uint16_t dport = ntohs(tcph->th_dport);
	uint32_t seq = ntohl(tcph->th_seq);
	uint16_t sum = ntohs(tcph->th_sum);

	fprintf(fp, "tcp { source: %u | dest: %u | seq: %u | checksum: %#04X }\n",
			sport, dport, seq, sum);
	fprintf_ip_header(fp, iph);
	fprintf_eth_header(fp, eth);
	fprintf(fp, "------------------------------------------------------\n");
}
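/*
 * Decides whether a captured packet is a reply to one of our probes.
 *
 * Scanner-side feedback only exists in the first stage: when the marker is
 * a configured value (use_markervalue) or travels in a spoofed source
 * address (encoding bit 2), replies never reach this host and the function
 * returns 0 immediately.
 *
 * ip_hdr     : start of the captured packet's IP header
 * len        : number of bytes available from ip_hdr onwards
 * src_ip     : in/out; for ICMP errors it is overwritten with the quoted
 *              destination address so that ZMap's duplicate suppression
 *              (src/recv.c, handle_packet) keys on the intended target
 *              rather than on the reporting router
 * validation : the probe's validation words (validation[0] was the SEQ)
 *
 * Accepted input is a TCP segment, or an ICMP time-exceeded / unreachable
 * error quoting a TCP segment; the quoted header is read with source and
 * destination swapped, since it is our own probe. Every read is first
 * checked against len, so a truncated capture is rejected instead of being
 * read past its end.
 *
 * The expected ports are recovered from the peer's address when the marker
 * carried them: its top markerbits_ip bits hold [dport][sport], either of
 * which may be absent (see synscan_pra_make_packet).
 *
 * Returns 1 for a valid reply, 0 otherwise.
 */
int synscan_pra_validate_packet(const struct ip *ip_hdr, uint32_t len,
		uint32_t *src_ip, uint32_t *validation)
{
	if (zconf.use_markervalue) {
		return 0;
	}
	if ((zconf.marker_encoding & 2) == 2) {
		// spoofed source: replies go to the encoded address, not to us
		// (local feedback is only possible in modes 1, 4 and 5)
		return 0;
	}
	uint32_t ip_hdr_len = 4 * ip_hdr->ip_hl;
	// an IHL below the 20-byte minimum would place the transport header
	// inside the IP header itself
	if (ip_hdr->ip_hl < 5 || ip_hdr_len + sizeof(struct tcphdr) > len) {
		return 0;
	}

	// peer side as seen on the wire, network byte order
	uint16_t sport_remote = 0;
	uint16_t dport_remote = 0;
	uint32_t source_ip_remote = 0;
	uint32_t ack_remote = 0;
	// what we expect to see, network byte order
	uint16_t sport_local = 0;
	uint16_t dport_local = htons((uint16_t)zconf.target_port);

	if (ip_hdr->ip_p == IPPROTO_TCP) {
		const struct tcphdr *tcp =
			(const struct tcphdr *)((const char *)ip_hdr + ip_hdr_len);
		sport_remote = tcp->th_sport;
		dport_remote = tcp->th_dport;
		ack_remote = tcp->th_ack;
		source_ip_remote = ip_hdr->ip_src.s_addr;
	} else if (ip_hdr->ip_p == IPPROTO_ICMP) {
		// the quoted datagram starts 8 bytes into the ICMP message
		// (type, code, checksum and the 4-byte rest-of-header field)
		uint32_t inner_ip_off = ip_hdr_len + 8;
		// ICMP type and the whole quoted IP header must be inside the buffer
		if (inner_ip_off + sizeof(struct ip) > len) {
			return 0;
		}
		const struct icmp *icmp_hdr =
			(const struct icmp *)((const char *)ip_hdr + ip_hdr_len);
		// TODO: handle ICMP redirects as well?
		if (icmp_hdr->icmp_type != ICMP_TIMXCEED &&
				icmp_hdr->icmp_type != ICMP_UNREACH) {
			return 0;
		}
		const struct ip *ip_inner =
			(const struct ip *)((const char *)ip_hdr + inner_ip_off);
		uint32_t inner_tcp_off = inner_ip_off + 4 * ip_inner->ip_hl;
		// we only send TCP, so an error quoting another protocol is not
		// ours. Only the two port fields are read below; an ICMP error is
		// only required to quote the first 8 bytes of the original payload,
		// so that is all we demand.
		if (ip_inner->ip_hl < 5 || ip_inner->ip_p != IPPROTO_TCP ||
				inner_tcp_off + 8 > len) {
			return 0;
		}
		const struct tcphdr *tcp_inner =
			(const struct tcphdr *)((const char *)ip_hdr + inner_tcp_off);
		// the quote is our own probe: its destination was our target and
		// its source was our port
		sport_remote = tcp_inner->th_dport;
		dport_remote = tcp_inner->th_sport;
		source_ip_remote = ip_inner->ip_dst.s_addr;
		// ZMap de-duplicates on the reporting source address; one router
		// may report for many targets, so key on the quoted target instead
		*src_ip = source_ip_remote;
	} else {
		// validation is defined for TCP and ICMP only
		return 0;
	}

	// recover the ports the marker carried in the peer's address
	int marker_bits = zconf.markerbits_ip;
	if (marker_bits > 0 && marker_bits <= 32) {
		uint32_t remote_ho = ntohl(source_ip_remote);
		int unused_bits = 32 - marker_bits;
		if (unused_bits > 0) {
			// drop the address bits that never carried marker data
			remote_ho = (remote_ho >> unused_bits) << unused_bits;
		}
		uint16_t consumed = 0;
		for (uint16_t bitpos = 1; bitpos <= 31 && consumed < marker_bits;
				bitpos <<= 1) {
			int target = zconf.marker_encoding & bitpos;
			if (target == 1) {
				if (zconf.marker_encoding_dst_small) {
					// mitigation mode: the port is the only marker and is
					// 10 bits wide. Converted to network order like every
					// other port compared below.
					dport_local = htons((uint16_t)((remote_ho & 0xFFC00000u) >> (32 - 10)));
					break;
				}
				dport_local = htons((uint16_t)((remote_ho & 0xFFFF0000u) >> 16));
				consumed += 16;
			} else if (target == 4) {
				uint32_t sport_ho =
					(remote_ho & (0xFFFF0000u >> consumed)) >> (16 - consumed);
				sport_local = htons((uint16_t)sport_ho);
				// [dst][src] -> [src][dst]: the probe's source port ended in
				// markerbits_checksum checksum bits that the address does not
				// hold, so strip them from the peer's destination port before
				// comparing (presumably assumes the checksum starts inside the
				// source port -- see make_packet)
				uint32_t dport_remote_ho = ntohs(dport_remote);
				dport_remote_ho = (dport_remote_ho >> zconf.markerbits_checksum)
						<< zconf.markerbits_checksum;
				dport_remote = htons((uint16_t)dport_remote_ho);
				consumed += 16;
			}
			// encoding bits 8 and 16 are reserved and currently ignored
		}
	}

	// the peer's source port must match our destination port; the marker
	// may have set only part of it, hence the masked comparison
	if ((dport_local & sport_remote) != dport_local) {
		return 0;
	}
	// NOTE(review): when the marker does not carry the source port (encoding
	// bit 4 unset) sport_local is still 0 here, so every reply whose
	// destination port is non-zero is rejected. A fallback to
	// check_dst_port(ntohs(dport_remote), num_ports, validation) for that case
	// would match ZMap's normal source-port validation -- confirm intent.
	if (sport_local != dport_remote) {
		return 0;
	}
	// ICMP errors carry no ACK (ack_remote stays 0); a TCP reply must
	// acknowledge our SEQ (validation[0]) + 1
	if (ack_remote != 0 && ntohl(ack_remote) != ntohl(validation[0]) + 1) {
		return 0;
	}
	return 1;
}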
/*
 * Emits the output fields for a packet that synscan_pra_validate_packet()
 * accepted. Fields are added in exactly the order of fields[] below, which
 * is why both branches repeat the same sequence of calls.
 *
 * TCP replies report the segment's own ports and numbers; ICMP errors
 * report the ports of the quoted probe (swapped, so "sport" is always our
 * side) and the quoted destination address, which lets a response be
 * correlated with its marker group afterwards.
 */
void synscan_pra_process_packet(const u_char *packet,
		__attribute__((unused)) uint32_t len, fieldset_t *fs)
{
	struct ip *ip_hdr = (struct ip *)&packet[sizeof(struct ether_header)];
	size_t ip_hdr_len = 4 * ip_hdr->ip_hl;

	if (ip_hdr->ip_p != IPPROTO_TCP) {
		// anything else that passed validation is an ICMP error quoting
		// our probe; the quoted datagram starts 8 bytes into the message
		struct icmp *icmp_hdr = (struct icmp *)((char *)ip_hdr + ip_hdr_len);
		struct ip *ip_quoted = (struct ip *)((char *)icmp_hdr + 8);
		struct tcphdr *tcp_quoted =
			(struct tcphdr *)((char *)ip_quoted + 4 * ip_quoted->ip_hl);
		const char *kind;

		switch (icmp_hdr->icmp_type) {
		case ICMP_UNREACH:
			kind = "icmp_unreach";
			break;
		case ICMP_TIMXCEED:
			kind = "icmp_timeexceed";
			break;
		default:
			// not reachable while the validator only admits the two above
			kind = "icmp_other";
			break;
		}
		// source is always the attacker: swap the quoted ports
		fs_add_uint64(fs, "sport", (uint64_t)ntohs(tcp_quoted->th_dport));
		fs_add_uint64(fs, "dport", (uint64_t)ntohs(tcp_quoted->th_sport));
		fs_add_uint64(fs, "seqnum", 0);
		fs_add_uint64(fs, "acknum", 0);
		fs_add_uint64(fs, "window", 0);
		// NOTE(review): the free flag is 0; if make_ip_str() returns heap
		// memory this string is leaked once per response -- confirm against
		// its definition in packet.c
		fs_add_string(fs, "daddr_inner_icmp",
				make_ip_str(ip_quoted->ip_dst.s_addr), 0);
		fs_add_string(fs, "classification", (char *)kind, 0);
		fs_add_uint64(fs, "success", 1);
		return;
	}

	struct tcphdr *tcp = (struct tcphdr *)((char *)ip_hdr + ip_hdr_len);
	int is_rst = (tcp->th_flags & TH_RST) != 0;

	fs_add_uint64(fs, "sport", (uint64_t)ntohs(tcp->th_sport));
	fs_add_uint64(fs, "dport", (uint64_t)ntohs(tcp->th_dport));
	fs_add_uint64(fs, "seqnum", (uint64_t)ntohl(tcp->th_seq));
	fs_add_uint64(fs, "acknum", (uint64_t)ntohl(tcp->th_ack));
	fs_add_uint64(fs, "window", (uint64_t)ntohs(tcp->th_win));
	fs_add_string(fs, "daddr_inner_icmp", (char *)"(None)", 0);
	// RST means closed; everything else that passed the filter is a SYN/ACK
	fs_add_string(fs, "classification", (char *)(is_rst ? "rst" : "synack"), 0);
	fs_add_uint64(fs, "success", is_rst ? 0 : 1);
}
// Output columns, in exactly the order synscan_pra_process_packet() adds them.
static fielddef_t fields[] = {
	// for ICMP errors these are the quoted probe's ports, swapped so that
	// "sport" is always our side
	{.name = "sport", .type = "int", .desc = "TCP source port"},
	{.name = "dport", .type = "int", .desc = "TCP destination port"},
	// seqnum, acknum and window are 0 for ICMP responses
	{.name = "seqnum", .type = "int", .desc = "TCP sequence number"},
	{.name = "acknum", .type = "int", .desc = "TCP acknowledgement number"},
	{.name = "window", .type = "int", .desc = "TCP window"},
	// "(None)" for TCP responses
	{.name = "daddr_inner_icmp", .type="string", .desc = "Destination address of IP header contained in ICMP response"},
	// one of "synack", "rst", "icmp_unreach", "icmp_timeexceed", "icmp_other"
	{.name = "classification", .type="string", .desc = "packet classification"},
	// 0 only for RST replies; every other accepted packet counts as success
	{.name = "success", .type="int", .desc = "is response considered success"}
};
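/*
 * Module registration.
 * NOTE(review): the name differs from the tentative definition near the top
 * of this file (module_tcp_synscan_pra_proberesponse); which of the two
 * probe_modules.c references cannot be seen here, so neither is renamed.
 * numfields is derived from fields[] so the two cannot drift apart.
 */
probe_module_t module_tcp_synscan_proberesponse = {
	.name = "tcp_synscan_pra",
	// Ethernet (14) + IPv4 (20) + TCP (20) headers, no options
	.packet_length = 54,
	// SYN/ACK (flags byte == 18) or RST (bit 4), plus every ICMP message
	.pcap_filter = "icmp || (tcp && tcp[13] & 4 != 0 || tcp[13] == 18)",
	// NOTE(review): the validator reads up to Ethernet + IP + 8 ICMP bytes +
	// quoted IP + 8 bytes; 96 covers that for option-free headers only, and
	// anything truncated by the snaplen is rejected rather than read past
	.pcap_snaplen = 96,
	.port_args = 1,
	.global_initialize = &synscan_pra_global_initialize,
	.thread_initialize = &synscan_pra_init_perthread,
	.make_packet = &synscan_pra_make_packet,
	.print_packet = &synscan_pra_print_packet,
	.process_packet = &synscan_pra_process_packet,
	.validate_packet = &synscan_pra_validate_packet,
	.close = NULL,
	.helptext = "Extended TCP probe module for probe response attacks. ",
	.fields = fields,
	.numfields = sizeof(fields) / sizeof(fields[0])};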