packetfu 1.0.0 → 1.0.2.pre

data/lib/packetfu/pcap.rb

@@ -266,8 +266,8 @@ module PacketFu
 		# that readfile clears any existing packets, since that seems to be the
 		# typical use.
 		def readfile(file)
-			f = File.open(file, "rb") {|f| f.read}
-			self.read! f
+			fdata = File.open(file, "rb") {|f| f.read}
+			self.read! fdata
 		end
 
 		# file_to_array() translates a libpcap file into an array of packets.
@@ -416,7 +416,7 @@ module PacketFu
 
 			# set_byte_order is pretty much totally deprecated.
 			def set_byte_order(byte_order)
-				PacketFu.instance_variable_set("@byte_order",byte_order)
+				PacketFu.instance_variable_set(:@byte_order,byte_order)
 				return true
 			end
 
@@ -450,7 +450,7 @@ module PacketFu
 				arr = args[:arr] || args[:array] || []
 				ts = args[:ts] || args[:timestamp] || Time.now.to_i
 				ts_inc = args[:ts_inc] || args[:timestamp_increment]
-				pkts = PcapFile.new.array_to_file(:endian => PacketFu.instance_variable_get("@byte_order"),
+				pkts = PcapFile.new.array_to_file(:endian => PacketFu.instance_variable_get(:@byte_order),
 																					:arr => arr,
 																					:ts => ts,
 																					:ts_inc => ts_inc)
@@ -468,7 +468,7 @@ module PacketFu
 				append = args[:append]
 				Read.set_byte_order(byte_order) if [:big, :little].include? byte_order
 				pf = PcapFile.new
-				pf.array_to_file(:endian => PacketFu.instance_variable_get("@byte_order"),
+				pf.array_to_file(:endian => PacketFu.instance_variable_get(:@byte_order),
 												 :arr => arr,
 												 :ts => ts,
 												 :ts_inc => ts_inc)

data/lib/packetfu/{arp.rb → protos/arp.rb}

@@ -173,13 +173,29 @@ module PacketFu
 
 		attr_accessor :eth_header, :arp_header
 
+		def self.can_parse?(str)
+			return false unless EthPacket.can_parse? str
+			return false unless str.size >= 28
+			return false unless str[12,2] == "\x08\x06"
+			true
+		end
+
+		def read(str=nil,args={})
+			raise "Cannot parse `#{str}'" unless self.class.can_parse?(str)
+			@eth_header.read(str)
+			@arp_header.read(str[14,str.size])
+			@eth_header.body = @arp_header
+			super(args)
+			self
+		end
+
 		def initialize(args={})
 			@eth_header = EthHeader.new(args).read(args[:eth])
 			@arp_header = ARPHeader.new(args).read(args[:arp]) 
 			@eth_header.eth_proto = "\x08\x06"
 			@eth_header.body=@arp_header
 
-			# Please send more flavors to todb-packetfu@planb-security.net.
+			# Please send more flavors to todb+packetfu@planb-security.net.
 			# Most of these initial fingerprints come from one (1) sample.
 			case (args[:flavor].nil?) ? :nil : args[:flavor].to_s.downcase.intern
 			when :windows; @arp_header.body = "\x00" * 64				# 64 bytes of padding 
@@ -197,7 +213,6 @@ module PacketFu
 
 			@headers = [@eth_header, @arp_header]
 			super
-
 		end
 
 		# Generates summary data for ARP packets.

data/lib/packetfu/{eth.rb → protos/eth.rb}

@@ -245,10 +245,15 @@ module PacketFu
 	class	EthPacket < Packet
 		attr_accessor :eth_header
 
-		def initialize(args={})
-			@eth_header = EthHeader.new(args).read(args[:eth])
-			@headers = [@eth_header]
-			super
+		def self.can_parse?(str)
+			str.size >= 14
+		end
+
+		def read(str=nil,args={})
+			raise "Cannot parse `#{str}'" unless self.class.can_parse?(str)
+			@eth_header.read(str)
+			super(args)
+			return self
 		end
 
 		# Does nothing, really, since there's no length or
@@ -257,6 +262,12 @@ module PacketFu
 			@headers[0].inspect
 		end
 
+		def initialize(args={})
+			@eth_header = EthHeader.new(args).read(args[:eth])
+			@headers = [@eth_header]
+			super
+		end
+
 	end
 
 end

data/lib/packetfu/protos/hsrp.rb

@@ -0,0 +1,200 @@
+module PacketFu
+
+	# HSRPHeader is a complete HSRP struct, used in HSRPPacket. HSRP is typically used for
+	# fault-tolerant default gateway in IP routing environment.
+	#
+	# For more on HSRP packets, see http://www.networksorcery.com/enp/protocol/hsrp.htm
+	#
+	# Submitted by fropert@packetfault.org. Thanks, Francois!
+	#
+	# ==== Header Definition
+	#
+	#   Int8    :hsrp_version      Default: 0     # Version
+	#   Int8    :hsrp_opcode                      # Opcode
+	#   Int8    :hsrp_state                       # State
+	#   Int8    :hsrp_hellotime    Default: 3     # Hello Time
+	#   Int8    :hsrp_holdtime     Default: 10    # Hold Time
+	#   Int8    :hsrp_priority                    # Priority
+	#   Int8    :hsrp_group                       # Group
+	#   Int8    :hsrp_reserved     Default: 0     # Reserved
+	#   String  :hsrp_password                    # Authentication Data
+	#   Octets  :hsrp_vip                         # Virtual IP Address
+	#   String  :body
+	class HSRPHeader < Struct.new(:hsrp_version, :hsrp_opcode, :hsrp_state,
+								  :hsrp_hellotime, :hsrp_holdtime,
+								  :hsrp_priority, :hsrp_group,
+								  :hsrp_reserved, :hsrp_password,
+								  :hsrp_vip, :body)
+
+		include StructFu
+
+		def initialize(args={})
+			super(
+				Int8.new(args[:hsrp_version] || 0),
+				Int8.new(args[:hsrp_opcode]),
+				Int8.new(args[:hsrp_state]),
+				Int8.new(args[:hsrp_hellotime] || 3),
+				Int8.new(args[:hsrp_holdtime] || 10),
+				Int8.new(args[:hsrp_priority]),
+				Int8.new(args[:hsrp_group]),
+				Int8.new(args[:hsrp_reserved] || 0),
+				StructFu::String.new.read(args[:hsrp_password] || "cisco\x00\x00\x00"),
+				Octets.new.read(args[:hsrp_vip] || ("\x00" * 4)),
+				StructFu::String.new.read(args[:body])
+			)
+		end
+
+		# Returns the object in string form.
+		def to_s
+			self.to_a.map {|x| x.to_s}.join
+		end
+
+		# Reads a string to populate the object.
+		def read(str)
+			force_binary(str)
+			return self if str.nil?
+			self[:hsrp_version].read(str[0,1])
+			self[:hsrp_opcode].read(str[1,1])
+			self[:hsrp_state].read(str[2,1])
+			self[:hsrp_hellotime].read(str[3,1])
+			self[:hsrp_holdtime].read(str[4,1])
+			self[:hsrp_priority].read(str[5,1])
+			self[:hsrp_group].read(str[6,1])
+			self[:hsrp_reserved].read(str[7,1])
+			self[:hsrp_password].read(str[8,8])
+			self[:hsrp_vip].read(str[16,4])
+			self[:body].read(str[20,str.size]) if str.size > 20
+			self
+		end
+
+		# Setter for the type.
+		def hsrp_version=(i); typecast i; end
+		# Getter for the type.
+		def hsrp_version; self[:hsrp_version].to_i; end
+		# Setter for the type.
+		def hsrp_opcode=(i); typecast i; end
+		# Getter for the type.
+		def hsrp_opcode; self[:hsrp_opcode].to_i; end
+		# Setter for the type.
+		def hsrp_state=(i); typecast i; end
+		# Getter for the type.
+		def hsrp_state; self[:hsrp_state].to_i; end
+		# Setter for the type.
+		def hsrp_hellotime=(i); typecast i; end
+		# Getter for the type.
+		def hsrp_hellotime; self[:hsrp_hellotime].to_i; end
+		# Setter for the type.
+		def hsrp_holdtime=(i); typecast i; end
+		# Getter for the type.
+		def hsrp_holdtime; self[:hsrp_holdtime].to_i; end
+		# Setter for the type.
+		def hsrp_priority=(i); typecast i; end
+		# Getter for the type.
+		def hsrp_priority; self[:hsrp_priority].to_i; end
+		# Setter for the type.
+		def hsrp_group=(i); typecast i; end
+		# Getter for the type.
+		def hsrp_group; self[:hsrp_group].to_i; end
+		# Setter for the type.
+		def hsrp_reserved=(i); typecast i; end
+		# Getter for the type.
+		def hsrp_reserved; self[:hsrp_reserved].to_i; end
+
+		def hsrp_addr=(addr)
+			self[:hsrp_vip].read_quad(addr)
+		end
+
+		# Returns a more readable IP source address.
+		def hsrp_addr
+			self[:hsrp_vip].to_x
+		end
+
+
+	end
+
+	# HSRPPacket is used to construct HSRP Packets. They contain an EthHeader, an IPHeader, and a UDPHeader.
+	#
+	# == Example
+	#
+	#  hsrp_pkt.new
+	#  hsrp_pkt.hsrp_opcode = 0
+	#  hsrp_pkt.hsrp_state = 16
+	#  hsrp_pkt.hsrp_priority = 254
+	#  hsrp_pkt.hsrp_group = 1
+	#  hsrp_pkt.hsrp_vip = 10.100.100.254
+	#  hsrp_pkt.recalc
+	#  hsrp_pkt.to_f('/tmp/hsrp.pcap')
+	#
+	# == Parameters
+	#
+	#  :eth
+	#   A pre-generated EthHeader object.
+	#  :ip
+	#   A pre-generated IPHeader object.
+	#  :udp
+	#   A pre-generated UDPHeader object.
+	#  :flavor
+	#   TODO: HSRP packets don't tend have any flavor.
+	#  :config
+	#   A hash of return address details, often the output of Utils.whoami?
+	class HSRPPacket < Packet
+
+		attr_accessor :eth_header, :ip_header, :udp_header, :hsrp_header
+
+		def self.can_parse?(str)
+			return false unless str.size >= 54
+			return false unless EthPacket.can_parse? str
+			return false unless IPPacket.can_parse? str
+			return false unless UDPPacket.can_parse? str
+			temp_packet = UDPPacket.new
+			temp_packet.read(str)
+			if temp_packet.ip_ttl == 1 and [temp_packet.udp_sport,temp_packet.udp_dport] == [1985,1985] 
+				return true
+			else 
+				return false
+			end
+		end
+
+		def read(str=nil, args={})
+			raise "Cannot parse `#{str}'" unless self.class.can_parse?(str)
+			@eth_header.read(str)
+			@ip_header.read(str[14,str.size])
+			@eth_header.body = @ip_header
+			@udp_header.read(str[14+(@ip_header.ip_hlen),str.size])
+			@ip_header.body = @udp_header
+			@hsrp_header.read(str[14+(@ip_header.ip_hlen)+8,str.size])
+			@udp_header.body = @hsrp_header
+			super(args)
+			self
+		end
+
+		def initialize(args={})
+			@eth_header = EthHeader.new(args).read(args[:eth])
+			@ip_header = IPHeader.new(args).read(args[:ip])
+			@ip_header.ip_proto = 0x11
+			@udp_header = UDPHeader.new(args).read(args[:udp])
+			@hsrp_header = HSRPHeader.new(args).read(args[:hsrp])
+			@udp_header.body = @hsrp_header
+			@ip_header.body = @udp_header
+			@eth_header.body = @ip_header
+			@headers = [@eth_header, @ip_header, @udp_header, @hsrp_header]
+			super
+		end
+
+		# Peek provides summary data on packet contents.
+		def peek(args={})
+			peek_data = ["H "]
+			peek_data << "%-5d" % self.to_s.size
+			peek_data << "%-21s" % "#{self.hsrp_vip}:#{self.hsrp_group}:#{self.hsrp_password}"
+			peek_data << "%23s" % "U:"
+			peek_data << "%-21s" % "#{self.ip_saddr}:#{self.udp_sport}"
+			peek_data << "->"
+			peek_data << "%21s" % "#{self.ip_daddr}:#{self.udp_dport}"
+			peek_data.join
+		end
+
+	end
+
+end
+
+# vim: nowrap sw=2 sts=0 ts=2 ff=unix ft=ruby

data/lib/packetfu/{icmp.rb → protos/icmp.rb}

@@ -114,7 +114,26 @@ module PacketFu
 	class ICMPPacket < Packet
 
 		attr_accessor :eth_header, :ip_header, :icmp_header
-		
+
+		def self.can_parse?(str)
+			return false unless str.size >= 54
+			return false unless EthPacket.can_parse? str
+			return false unless IPPacket.can_parse? str
+			return false unless str[23,1] == "\x01"
+			return true
+		end
+
+		def read(str=nil, args={})
+			raise "Cannot parse `#{str}'" unless self.class.can_parse?(str)
+			@eth_header.read(str)
+			@ip_header.read(str[14,str.size])
+			@eth_header.body = @ip_header
+			@icmp_header.read(str[14+(@ip_header.ip_hlen),str.size])
+			@ip_header.body = @icmp_header
+			super(args)
+			self
+		end
+
 		def initialize(args={})
 			@eth_header = EthHeader.new(args).read(args[:eth])
 			@ip_header = IPHeader.new(args).read(args[:ip])

data/lib/packetfu/{invalid.rb → protos/invalid.rb}

@@ -30,6 +30,20 @@ module PacketFu
 	class	InvalidPacket < Packet
 		attr_accessor :invalid_header
 
+		# Any packet is potentially an invalid packet
+		def self.can_parse?(str)
+			true
+		end
+
+		def self.layer
+			0
+		end
+
+		def read(str=nil,args={})
+			@invalid_header.read(str)
+			self
+		end
+
 		def initialize(args={})
 			@invalid_header = 	(args[:invalid] || InvalidHeader.new)
 			@headers = [@invalid_header]

data/lib/packetfu/{ip.rb → protos/ip.rb}

@@ -175,6 +175,11 @@ module PacketFu
 			(ip_hl * 4) + body.to_s.length
 		end
 
+		# Return the claimed header length 
+		def ip_hlen
+			(ip_hl * 4)
+		end
+
 		# Calculate the true checksum of the packet.
 		# (Yes, this is the long way to do it, but it's e-z-2-read for mathtards like me.)
 		def ip_calc_sum
@@ -289,6 +294,30 @@ module PacketFu
 
 		attr_accessor :eth_header, :ip_header
 
+		def self.can_parse?(str)
+			return false unless str.size >= 34
+			return false unless EthPacket.can_parse? str
+			if str[12,2] == "\x08\x00"
+				if 1.respond_to? :ord
+					ipv = str[14,1][0].ord >> 4
+				else
+					ipv = str[14,1][0] >> 4
+				end
+				return true if ipv == 4 
+			else
+				return false
+			end
+		end
+
+		def read(str=nil, args={})
+			raise "Cannot parse `#{str}'" unless self.class.can_parse?(str)
+			@eth_header.read(str)
+			@ip_header.read(str[14,str.size])
+			@eth_header.body = @ip_header
+			super(args) 
+			self
+		end
+
 		# Creates a new IPPacket object. 
 		def initialize(args={})
 			@eth_header = EthHeader.new(args).read(args[:eth])

data/lib/packetfu/{ipv6.rb → protos/ipv6.rb}

@@ -203,12 +203,27 @@ module PacketFu
 
 		attr_accessor :eth_header, :ipv6_header
 
+		def self.can_parse?(str)
+			return false unless EthPacket.can_parse? str
+			return false unless str.size >= 54
+			return false unless str[12,2] == "\x86\xdd"
+			true
+		end
+
+		def read(str=nil,args={})
+			raise "Cannot parse `#{str}'" unless self.class.can_parse?(str)
+			@eth_header.read(str)
+			@ipv6_header.read(str[14,str.size])
+			@eth_header.body = @ipv6_header
+			super(args)
+			self
+		end
+
 		def initialize(args={})
 			@eth_header = (args[:eth] || EthHeader.new)
 			@ipv6_header = (args[:ipv6]	|| IPv6Header.new)
 			@eth_header.eth_proto = 0x86dd
 			@eth_header.body=@ipv6_header
-
 			@headers = [@eth_header, @ipv6_header]
 			super
 		end

data/lib/packetfu/{tcp.rb → protos/tcp.rb}

@@ -920,8 +920,32 @@ module PacketFu
 	#   A hash of return address details, often the output of Utils.whoami?
 	class TCPPacket < Packet
 
-		attr_accessor :eth_header, :ip_header, :tcp_header, :headers
-		
+		attr_accessor :eth_header, :ip_header, :tcp_header
+
+		def self.can_parse?(str)
+			return false unless str.size >= 54
+			return false unless EthPacket.can_parse? str
+			return false unless IPPacket.can_parse? str
+			return false unless str[23,1] == "\x06"
+			return true
+		end
+
+		def read(str=nil, args={})
+			raise "Cannot parse `#{str}'" unless self.class.can_parse?(str)
+			@eth_header.read(str)
+			@ip_header.read(str[14,str.size])
+			@eth_header.body = @ip_header
+			if args[:strip]
+				tcp_len = str[16,2].unpack("n")[0] - 20
+				@tcp_header.read(str[14+(@ip_header.ip_hlen),tcp_len])
+			else
+				@tcp_header.read(str[14+(@ip_header.ip_hlen),str.size])
+			end
+			@ip_header.body = @tcp_header
+			super(args)
+			self
+		end
+
 		def initialize(args={})
 			@eth_header = 	(args[:eth] || EthHeader.new)
 			@ip_header 	= 	(args[:ip]	|| IPHeader.new)