packetfu 1.1.2 → 1.1.3

data/lib/packetfu/protos/arp.rb

@@ -0,0 +1,268 @@
+module PacketFu
+
+	# ARPHeader is a complete ARP struct, used in ARPPacket. 
+	#
+	# ARP is used to discover the machine address of nearby devices.
+	#
+	# See http://www.networksorcery.com/enp/protocol/arp.htm for details.
+	#
+	# ==== Header Definition
+	#
+	#	 Int16   :arp_hw          Default: 1       # Ethernet
+	#	 Int16   :arp_proto,      Default: 0x8000  # IP
+	#	 Int8    :arp_hw_len,     Default: 6
+	#	 Int8    :arp_proto_len,  Default: 4
+	#	 Int16   :arp_opcode,     Default: 1       # 1: Request, 2: Reply, 3: Request-Reverse, 4: Reply-Reverse
+	#	 EthMac  :arp_src_mac                      # From eth.rb
+	#	 Octets  :arp_src_ip                       # From ip.rb
+	#	 EthMac  :arp_dst_mac                      # From eth.rb
+	#	 Octets  :arp_dst_ip                       # From ip.rb
+	#	 String  :body
+	class ARPHeader < Struct.new(:arp_hw, :arp_proto, :arp_hw_len,
+															 :arp_proto_len, :arp_opcode,
+															 :arp_src_mac, :arp_src_ip,
+															 :arp_dst_mac, :arp_dst_ip,
+															 :body)
+		include StructFu
+
+		def initialize(args={})
+			src_mac = args[:arp_src_mac] || (args[:config][:eth_src] if args[:config])
+			src_ip_bin = args[:arp_src_ip]   || (args[:config][:ip_src_bin] if args[:config])
+
+			super( 
+				Int16.new(args[:arp_hw] || 1), 
+				Int16.new(args[:arp_proto] ||0x0800),
+				Int8.new(args[:arp_hw_len] || 6), 
+				Int8.new(args[:arp_proto_len] || 4), 
+				Int16.new(args[:arp_opcode] || 1),
+				EthMac.new.read(src_mac),
+				Octets.new.read(src_ip_bin),
+				EthMac.new.read(args[:arp_dst_mac]),
+				Octets.new.read(args[:arp_dst_ip]),
+				StructFu::String.new.read(args[:body])
+			)
+		end
+
+		# Returns the object in string form.
+		def to_s
+			self.to_a.map {|x| x.to_s}.join
+		end
+
+		# Reads a string to populate the object.
+		def read(str)
+			force_binary(str)
+			return self if str.nil?
+			self[:arp_hw].read(str[0,2])
+			self[:arp_proto].read(str[2,2])
+			self[:arp_hw_len].read(str[4,1])
+			self[:arp_proto_len].read(str[5,1])
+			self[:arp_opcode].read(str[6,2])
+			self[:arp_src_mac].read(str[8,6])
+			self[:arp_src_ip].read(str[14,4])
+			self[:arp_dst_mac].read(str[18,6])
+			self[:arp_dst_ip].read(str[24,4])
+			self[:body].read(str[28,str.size])
+			self
+		end
+
+		# Setter for the ARP hardware type.
+		def arp_hw=(i); typecast i; end
+		# Getter for the ARP hardware type.
+		def arp_hw; self[:arp_hw].to_i; end
+		# Setter for the ARP protocol.
+		def arp_proto=(i); typecast i; end
+		# Getter for the ARP protocol.
+		def arp_proto; self[:arp_proto].to_i; end
+		# Setter for the ARP hardware type length.
+		def arp_hw_len=(i); typecast i; end
+		# Getter for the ARP hardware type length.
+		def arp_hw_len; self[:arp_hw_len].to_i; end
+		# Setter for the ARP protocol length.
+		def arp_proto_len=(i); typecast i; end
+		# Getter for the ARP protocol length.
+		def arp_proto_len; self[:arp_proto_len].to_i; end
+		# Setter for the ARP opcode. 
+		def arp_opcode=(i); typecast i; end
+		# Getter for the ARP opcode. 
+		def arp_opcode; self[:arp_opcode].to_i; end
+		# Setter for the ARP source MAC address.
+		def arp_src_mac=(i); typecast i; end
+		# Getter for the ARP source MAC address.
+		def arp_src_mac; self[:arp_src_mac].to_s; end
+		# Getter for the ARP source IP address.
+		def arp_src_ip=(i); typecast i; end
+		# Setter for the ARP source IP address.
+		def arp_src_ip; self[:arp_src_ip].to_s; end
+		# Setter for the ARP destination MAC address.
+		def arp_dst_mac=(i); typecast i; end
+		# Setter for the ARP destination MAC address.
+		def arp_dst_mac; self[:arp_dst_mac].to_s; end
+		# Setter for the ARP destination IP address.
+		def arp_dst_ip=(i); typecast i; end
+		# Getter for the ARP destination IP address.
+		def arp_dst_ip; self[:arp_dst_ip].to_s; end
+
+		# Set the source MAC address in a more readable way.
+		def arp_saddr_mac=(mac)
+			mac = EthHeader.mac2str(mac)
+			self[:arp_src_mac].read(mac)
+			self.arp_src_mac
+		end
+
+		# Get a more readable source MAC address.
+		def arp_saddr_mac
+			EthHeader.str2mac(self[:arp_src_mac].to_s)
+		end
+
+		# Set the destination MAC address in a more readable way.
+		def arp_daddr_mac=(mac)
+			mac = EthHeader.mac2str(mac)
+			self[:arp_dst_mac].read(mac)
+			self.arp_dst_mac
+		end
+
+		# Get a more readable source MAC address.
+		def arp_daddr_mac
+			EthHeader.str2mac(self[:arp_dst_mac].to_s)
+		end
+
+		# Set a more readable source IP address. 
+		def arp_saddr_ip=(addr)
+			self[:arp_src_ip].read_quad(addr)
+		end
+
+		# Get a more readable source IP address. 
+		def arp_saddr_ip
+			self[:arp_src_ip].to_x
+		end
+
+		# Set a more readable destination IP address.
+		def arp_daddr_ip=(addr)
+			self[:arp_dst_ip].read_quad(addr)
+		end
+		
+		# Get a more readable destination IP address.
+		def arp_daddr_ip
+			self[:arp_dst_ip].to_x
+		end
+
+		# Readability aliases
+
+		alias :arp_src_mac_readable :arp_saddr_mac
+		alias :arp_dst_mac_readable :arp_daddr_mac
+		alias :arp_src_ip_readable :arp_saddr_ip
+		alias :arp_dst_ip_readable :arp_daddr_ip
+
+		def arp_proto_readable
+			"0x%04x" % arp_proto
+		end
+
+	end # class ARPHeader
+
+	# ARPPacket is used to construct ARP packets. They contain an EthHeader and an ARPHeader.
+	# == Example
+	#
+  #  require 'packetfu'
+	#  arp_pkt = PacketFu::ARPPacket.new(:flavor => "Windows")
+	#  arp_pkt.arp_saddr_mac="00:1c:23:44:55:66"  # Your hardware address
+	#  arp_pkt.arp_saddr_ip="10.10.10.17"  # Your IP address
+	#  arp_pkt.arp_daddr_ip="10.10.10.1"  # Target IP address
+	#  arp_pkt.arp_opcode=1  # Request
+	# 
+	#  arp_pkt.to_w('eth0')	# Inject on the wire. (requires root)
+  #  arp_pkt.to_f('/tmp/arp.pcap') # Write to a file.
+	#
+	# == Parameters
+	#
+	#  :flavor
+	#   Sets the "flavor" of the ARP packet. Choices are currently:
+	#     :windows, :linux, :hp_deskjet 
+	#  :eth
+	#   A pre-generated EthHeader object. If not specified, a new one will be created.
+	#  :arp
+	#   A pre-generated ARPHeader object. If not specificed, a new one will be created.
+	#  :config
+	#   A hash of return address details, often the output of Utils.whoami?
+	class ARPPacket < Packet
+
+		attr_accessor :eth_header, :arp_header
+
+		def self.can_parse?(str)
+			return false unless EthPacket.can_parse? str
+			return false unless str.size >= 28
+			return false unless str[12,2] == "\x08\x06"
+			true
+		end
+
+		def read(str=nil,args={})
+			raise "Cannot parse `#{str}'" unless self.class.can_parse?(str)
+			@eth_header.read(str)
+			@arp_header.read(str[14,str.size])
+			@eth_header.body = @arp_header
+			super(args)
+			self
+		end
+
+		def initialize(args={})
+			@eth_header = EthHeader.new(args).read(args[:eth])
+			@arp_header = ARPHeader.new(args).read(args[:arp]) 
+			@eth_header.eth_proto = "\x08\x06"
+			@eth_header.body=@arp_header
+
+			# Please send more flavors to todb+packetfu@planb-security.net.
+			# Most of these initial fingerprints come from one (1) sample.
+			case (args[:flavor].nil?) ? :nil : args[:flavor].to_s.downcase.intern
+			when :windows; @arp_header.body = "\x00" * 64				# 64 bytes of padding 
+			when :linux; @arp_header.body = "\x00" * 4 +				# 32 bytes of padding 
+				"\x00\x07\x5c\x14" + "\x00" * 4 +
+				"\x00\x0f\x83\x34" + "\x00\x0f\x83\x74" +
+				"\x01\x11\x83\x78" + "\x00\x00\x00\x0c" + 
+				"\x00\x00\x00\x00"
+			when :hp_deskjet; 																	# Pads up to 60 bytes.
+				@arp_header.body = "\xe0\x90\x0d\x6c" + 
+				"\xff\xff\xee\xee" + "\x00" * 4 + 
+				"\xe0\x8f\xfa\x18\x00\x20"	
+			else; @arp_header.body = "\x00" * 18								# Pads up to 60 bytes.
+			end
+
+			@headers = [@eth_header, @arp_header]
+			super
+		end
+
+		# Generates summary data for ARP packets.
+		def peek_format
+			peek_data = ["A  "]
+			peek_data << "%-5d" % self.to_s.size
+			peek_data << arp_saddr_mac
+			peek_data << "(#{arp_saddr_ip})"
+			peek_data << "->"
+			peek_data << case arp_daddr_mac
+										when "00:00:00:00:00:00"; "Bcast00"
+										when "ff:ff:ff:ff:ff:ff"; "BcastFF"
+										else; arp_daddr_mac
+										end
+			peek_data << "(#{arp_daddr_ip})"
+			peek_data << ":"
+			peek_data << case arp_opcode
+										when 1; "Requ"
+										when 2; "Repl"
+										when 3; "RReq"
+										when 4; "RRpl"
+										when 5; "IReq"
+										when 6; "IRpl"
+										else; "0x%02x" % arp_opcode
+										end
+			peek_data.join
+		end
+
+		# While there are lengths in ARPPackets, there's not
+		# much to do with them.
+		def recalc(args={})
+			@headers[0].inspect
+		end
+
+	end
+
+end
+
+# vim: nowrap sw=2 sts=0 ts=2 ff=unix ft=ruby

data/lib/packetfu/protos/eth.rb

@@ -0,0 +1,296 @@
+module PacketFu
+
+	# EthOui is the Organizationally Unique Identifier portion of a MAC address, used in EthHeader.
+	#
+	# See the OUI list at http://standards.ieee.org/regauth/oui/oui.txt
+	#
+	# ==== Header Definition
+	#
+	#  Fixnum   :b0
+	#  Fixnum   :b1
+	#  Fixnum   :b2
+	#  Fixnum   :b3
+	#  Fixnum   :b4
+	#  Fixnum   :b5
+	#  Fixnum   :local
+	#  Fixnum   :multicast
+	#  Int16    :oui,       Default: 0x1ac5 :)
+	class EthOui < Struct.new(:b5, :b4, :b3, :b2, :b1, :b0, :local, :multicast, :oui)
+
+		# EthOui is unusual in that the bit values do not enjoy StructFu typing.
+		def initialize(args={})
+			args[:local] ||= 0 
+			args[:oui] ||= 0x1ac # :)
+			args.each_pair {|k,v| args[k] = 0 unless v} 
+			super(args[:b5], args[:b4], args[:b3], args[:b2], 
+						args[:b1], args[:b0], args[:local], args[:multicast], 
+						args[:oui])
+		end
+
+		# Returns the object in string form.
+		def to_s
+			byte = 0
+			byte += 0b10000000 if b5.to_i == 1
+			byte += 0b01000000 if b4.to_i == 1
+			byte += 0b00100000 if b3.to_i == 1
+			byte += 0b00010000 if b2.to_i == 1
+			byte += 0b00001000 if b1.to_i == 1
+			byte += 0b00000100 if b0.to_i == 1
+			byte += 0b00000010 if local.to_i == 1
+			byte += 0b00000001 if multicast.to_i == 1
+			[byte,oui].pack("Cn")
+		end
+
+		# Reads a string to populate the object.
+		def read(str)
+			force_binary(str)
+			return self if str.nil?
+			if 1.respond_to? :ord
+				byte = str[0].ord
+			else
+				byte = str[0]
+			end
+			self[:b5] =        byte & 0b10000000 == 0b10000000 ? 1 : 0
+			self[:b4] =        byte & 0b01000000 == 0b01000000 ? 1 : 0
+			self[:b3] =        byte & 0b00100000 == 0b00100000 ? 1 : 0
+			self[:b2] =        byte & 0b00010000 == 0b00010000 ? 1 : 0
+			self[:b1] =        byte & 0b00001000 == 0b00001000 ? 1 : 0
+			self[:b0] =        byte & 0b00000100 == 0b00000100 ? 1 : 0
+			self[:local] =     byte & 0b00000010 == 0b00000010 ? 1 : 0
+			self[:multicast] = byte & 0b00000001 == 0b00000001 ? 1 : 0
+			self[:oui] =       str[1,2].unpack("n").first
+			self
+		end
+
+	end
+
+  # EthNic is the Network Interface Controler portion of a MAC address, used in EthHeader.
+	#
+	# ==== Header Definition
+	#
+	#  Fixnum :n1
+	#  Fixnum :n2
+	#  Fixnum :n3
+	#
+	class EthNic < Struct.new(:n0, :n1, :n2)
+
+		# EthNic does not enjoy StructFu typing.
+		def initialize(args={})
+			args.each_pair {|k,v| args[k] = 0 unless v} 
+			super(args[:n0], args[:n1], args[:n2])
+		end
+
+		# Returns the object in string form.
+		def to_s
+			[n0,n1,n2].map {|x| x.to_i}.pack("C3")
+		end
+		
+		# Reads a string to populate the object.
+		def read(str)
+			force_binary(str)
+			return self if str.nil?
+			self[:n0], self[:n1], self[:n2] = str[0,3].unpack("C3")
+			self
+		end
+
+	end
+
+	# EthMac is the combination of an EthOui and EthNic, used in EthHeader.
+	#
+	# ==== Header Definition
+	#
+	#   EthOui :oui  # See EthOui
+	#   EthNic :nic  # See EthNic
+	class EthMac < Struct.new(:oui, :nic)
+
+		def initialize(args={})
+			super(
+			EthOui.new.read(args[:oui]),
+			EthNic.new.read(args[:nic]))
+		end
+
+		# Returns the object in string form.
+		def to_s
+			"#{self[:oui]}#{self[:nic]}"
+		end
+
+		# Reads a string to populate the object.
+		def read(str)
+			force_binary(str)
+			return self if str.nil?
+			self.oui.read str[0,3]
+			self.nic.read str[3,3]
+			self
+		end
+
+	end
+
+	# EthHeader is a complete Ethernet struct, used in EthPacket. 
+	# It's the base header for all other protocols, such as IPHeader, 
+	# TCPHeader, etc. 
+	#
+	# For more on the construction on MAC addresses, see 
+	# http://en.wikipedia.org/wiki/MAC_address
+	#
+	# TODO: Need to come up with a good way of dealing with vlan
+	# tagging. Having a usually empty struct member seems weird,
+	# but there may not be another way to do it if I want to preserve
+	# the Eth-ness of vlan-tagged 802.1Q packets. Also, may as well
+	# deal with 0x88a8 as well (http://en.wikipedia.org/wiki/802.1ad)
+	#
+	# ==== Header Definition
+	#
+	#  EthMac  :eth_dst                     # See EthMac
+	#  EthMac  :eth_src                     # See EthMac
+	#  Int16   :eth_proto, Default: 0x8000  # IP 0x0800, Arp 0x0806
+	#  String  :body
+	class EthHeader < Struct.new(:eth_dst, :eth_src, :eth_proto, :body)
+		include StructFu
+
+		def initialize(args={})
+			super(
+				EthMac.new.read(args[:eth_dst]),
+				EthMac.new.read(args[:eth_src]),
+				Int16.new(args[:eth_proto] || 0x0800),
+				StructFu::String.new.read(args[:body])
+			)
+		end
+
+		# Setter for the Ethernet destination address.
+		def eth_dst=(i); typecast(i); end
+		# Getter for the Ethernet destination address.
+		def eth_dst; self[:eth_dst].to_s; end
+		# Setter for the Ethernet source address.
+		def eth_src=(i); typecast(i); end
+		# Getter for the Ethernet source address.
+		def eth_src; self[:eth_src].to_s; end
+		# Setter for the Ethernet protocol number.
+		def eth_proto=(i); typecast(i); end
+		# Getter for the Ethernet protocol number.
+		def eth_proto; self[:eth_proto].to_i; end
+
+		# Returns the object in string form.
+		def to_s
+			self.to_a.map {|x| x.to_s}.join
+		end
+
+		# Reads a string to populate the object.
+		def read(str)
+			force_binary(str)
+			return self if str.nil?
+			self[:eth_dst].read str[0,6]
+			self[:eth_src].read str[6,6]
+			self[:eth_proto].read str[12,2]
+			self[:body].read str[14,str.size]
+			self
+		end
+
+		# Converts a readable MAC (11:22:33:44:55:66) to a binary string. 
+		# Readable MAC's may be split on colons, dots, spaces, or underscores.
+		#
+		# irb> PacketFu::EthHeader.mac2str("11:22:33:44:55:66")
+		#
+		# #=> "\021\"3DUf"
+		def self.mac2str(mac)
+			if mac.split(/[:\x2d\x2e\x5f]+/).size == 6
+				ret =	mac.split(/[:\x2d\x2e\x20\x5f]+/).collect {|x| x.to_i(16)}.pack("C6")
+			else
+				raise ArgumentError, "Unkown format for mac address."
+			end
+			return ret
+		end
+
+		# Converts a binary string to a readable MAC (11:22:33:44:55:66). 
+		#
+		# irb> PacketFu::EthHeader.str2mac("\x11\x22\x33\x44\x55\x66")
+		#
+		# #=> "11:22:33:44:55:66"
+		def self.str2mac(mac='')
+			if mac.to_s.size == 6 && mac.kind_of?(::String)
+				ret = mac.unpack("C6").map {|x| sprintf("%02x",x)}.join(":")
+			end
+		end
+
+		# Sets the source MAC address in a more readable way.
+		def eth_saddr=(mac)
+			mac = EthHeader.mac2str(mac)
+			self[:eth_src].read mac
+			self[:eth_src]
+		end
+
+		# Gets the source MAC address in a more readable way. 
+		def eth_saddr
+			EthHeader.str2mac(self[:eth_src].to_s)
+		end
+
+		# Set the destination MAC address in a more readable way.
+		def eth_daddr=(mac)
+			mac = EthHeader.mac2str(mac)
+			self[:eth_dst].read mac
+			self[:eth_dst]
+		end
+
+		# Gets the destination MAC address in a more readable way. 
+		def eth_daddr
+			EthHeader.str2mac(self[:eth_dst].to_s)
+		end
+
+		# Readability aliases
+
+		alias :eth_dst_readable :eth_daddr
+		alias :eth_src_readable :eth_saddr
+
+		def eth_proto_readable
+			"0x%04x" % eth_proto
+		end
+
+	end
+
+	# EthPacket is used to construct Ethernet packets. They contain an
+	# Ethernet header, and that's about it.
+	#
+	# == Example
+	#
+	#   require 'packetfu'
+	#   eth_pkt = PacketFu::EthPacket.new
+	#   eth_pkt.eth_saddr="00:1c:23:44:55:66"
+	#   eth_pkt.eth_daddr="00:1c:24:aa:bb:cc"
+	#
+	#   eth_pkt.to_w('eth0') # Inject on the wire. (require root)
+	#
+	class	EthPacket < Packet
+		attr_accessor :eth_header
+
+		def self.can_parse?(str)
+			# XXX Temporary fix. Need to extend the EthHeader class to handle more.
+			valid_eth_types = [0x0800, 0x0806, 0x86dd]
+			return false unless str.size >= 14
+			type = str[12,2].unpack("n").first rescue nil
+			return false unless valid_eth_types.include? type
+			true
+		end
+
+		def read(str=nil,args={})
+			raise "Cannot parse `#{str}'" unless self.class.can_parse?(str)
+			@eth_header.read(str)
+			super(args)
+			return self
+		end
+
+		# Does nothing, really, since there's no length or
+		# checksum to calculate for a straight Ethernet packet.
+		def recalc(args={})
+			@headers[0].inspect
+		end
+
+		def initialize(args={})
+			@eth_header = EthHeader.new(args).read(args[:eth])
+			@headers = [@eth_header]
+			super
+		end
+
+	end
+
+end
+
+# vim: nowrap sw=2 sts=0 ts=2 ff=unix ft=ruby