patronus_fati 0.8.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 1c1a12b8f0a8ff63c98abf53579cfd947510a80c
+  data.tar.gz: 7a5394b19d5f7e1be5fb162b49504acbed419070
+SHA512:
+  metadata.gz: 88dbe30dea62bfbbbdfa609eb701f83209650eb30db168c07a4ab4b7e0af6441377facfb89fb4b80e1bac0cecb869c5eb05aaf182fb6d7ca55ddeef324617cca
+  data.tar.gz: 4513aab2a201d98b3aeaeed2c61b253118a6cae3d10c18053bbc77cbf5af1df2d437342bfa0cca7f823379f9a2b0e745c2526c146e314e7f649457d0a1e42027

data/.gitignore

@@ -0,0 +1,20 @@
+*.gem
+*.rbc
+*.db
+*.db-journal
+*.log
+.bundle
+.config
+.yardoc
+Gemfile.lock
+InstalledFiles
+_yardoc
+coverage
+doc/
+lib/bundler/man
+pkg
+rdoc
+spec/reports
+test/tmp
+test/version_tmp
+tmp

data/.rspec

@@ -0,0 +1,2 @@
+--color
+--require spec_helper

data/.yardopts

@@ -0,0 +1 @@
+--default-return void --private --protected

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in patronus_fati.gemspec
+gemspec

data/LICENSE

@@ -0,0 +1,165 @@
+                   GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+  This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+  0. Additional Definitions.
+
+  As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+  "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+  An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+  A "Combined Work" is a work produced by combining or linking an
+Application with the Library.  The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+  The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+  The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+  1. Exception to Section 3 of the GNU GPL.
+
+  You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+  2. Conveying Modified Versions.
+
+  If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+   a) under this License, provided that you make a good faith effort to
+   ensure that, in the event an Application does not supply the
+   function or data, the facility still operates, and performs
+   whatever part of its purpose remains meaningful, or
+
+   b) under the GNU GPL, with none of the additional permissions of
+   this License applicable to that copy.
+
+  3. Object Code Incorporating Material from Library Header Files.
+
+  The object code form of an Application may incorporate material from
+a header file that is part of the Library.  You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+   a) Give prominent notice with each copy of the object code that the
+   Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the object code with a copy of the GNU GPL and this license
+   document.
+
+  4. Combined Works.
+
+  You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+   a) Give prominent notice with each copy of the Combined Work that
+   the Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the Combined Work with a copy of the GNU GPL and this license
+   document.
+
+   c) For a Combined Work that displays copyright notices during
+   execution, include the copyright notice for the Library among
+   these notices, as well as a reference directing the user to the
+   copies of the GNU GPL and this license document.
+
+   d) Do one of the following:
+
+       0) Convey the Minimal Corresponding Source under the terms of this
+       License, and the Corresponding Application Code in a form
+       suitable for, and under terms that permit, the user to
+       recombine or relink the Application with a modified version of
+       the Linked Version to produce a modified Combined Work, in the
+       manner specified by section 6 of the GNU GPL for conveying
+       Corresponding Source.
+
+       1) Use a suitable shared library mechanism for linking with the
+       Library.  A suitable mechanism is one that (a) uses at run time
+       a copy of the Library already present on the user's computer
+       system, and (b) will operate properly with a modified version
+       of the Library that is interface-compatible with the Linked
+       Version.
+
+   e) Provide Installation Information, but only if you would otherwise
+   be required to provide such information under section 6 of the
+   GNU GPL, and only to the extent that such information is
+   necessary to install and execute a modified version of the
+   Combined Work produced by recombining or relinking the
+   Application with a modified version of the Linked Version. (If
+   you use option 4d0, the Installation Information must accompany
+   the Minimal Corresponding Source and Corresponding Application
+   Code. If you use option 4d1, you must provide the Installation
+   Information in the manner specified by section 6 of the GNU GPL
+   for conveying Corresponding Source.)
+
+  5. Combined Libraries.
+
+  You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+   a) Accompany the combined library with a copy of the same work based
+   on the Library, uncombined with any other library facilities,
+   conveyed under the terms of this License.
+
+   b) Give prominent notice with the combined library that part of it
+   is a work based on the Library, and explaining where to find the
+   accompanying uncombined form of the same work.
+
+  6. Revised Versions of the GNU Lesser General Public License.
+
+  The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+  Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+  If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.

data/README.md

@@ -0,0 +1,29 @@
+# PatronusFati
+
+The Patron of Fate is an implementation of the Kismet client protocol in Ruby.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+    gem 'patronus_fati'
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install patronus_fati
+
+## Usage
+
+TODO: Write usage instructions here
+
+## Contributing
+
+1. Fork it
+2. Create your feature branch (`git checkout -b my-new-feature`)
+3. Commit your changes (`git commit -am 'Add some feature'`)
+4. Push to the branch (`git push origin my-new-feature`)
+5. Create new Pull Request

data/Rakefile

@@ -0,0 +1,21 @@
+require "bundler/gem_tasks"
+
+task :environment do
+  base_path = File.expand_path(File.join(File.dirname(__FILE__), 'lib'))
+  $LOAD_PATH.unshift(base_path) unless $LOAD_PATH.include?(base_path)
+
+  require 'patronus_fati'
+end
+
+task :database => [:environment] do
+  DataMapper.setup(:default, ENV['DATABASE_URL'] || 'sqlite::memory:')
+  DataMapper.repository(:default).adapter.resource_naming_convention = PatronusFati::NullTablePrefix
+  DataMapper.finalize
+  DataMapper.auto_upgrade!
+end
+
+desc "Start a pry session with the code loaded"
+task :console => [:database, :environment] do
+  require 'pry'
+  pry
+end

data/bin/patronus_fati

@@ -0,0 +1,54 @@
+#!/usr/bin/env ruby
+
+$:.push(File.expand_path(File.join('..', '..', 'lib'), __FILE__))
+
+require 'optparse'
+require 'dm-sqlite-adapter'
+require 'patronus_fati'
+
+options = {
+  'database' => 'sqlite::memory:',
+  'port'   => 2501,
+  'server' => '127.0.0.1'
+}
+
+OptionParser.new(nil, 32, '  ') do |opts|
+  opts.on('-d', '--db-path DB_PATH', 'Path where SQLite database will be stored') do |path|
+    options['database'] = ('sqlite://%s' % File.expand_path(path))
+  end
+
+  opts.on('-s', '--server SERVER', 'IP or hostname of running kismet server.') do |srv|
+    options['server'] = srv
+  end
+
+  opts.on('-p', '--port PORT', 'Port that kismet server is running on.') do |port|
+    options['port'] = port.to_i
+  end
+end.parse(ARGV)
+
+def exception_logger(tag)
+  yield
+rescue Interrupt
+  warn('Quitting...')
+rescue => e
+  puts "(#{tag}) Rescued from error: #{e.message}"
+  puts e.backtrace
+end
+
+exception_logger('process') do
+  connection = PatronusFati.setup(options['server'], options['port'], options['database'])
+  connection.connect
+
+  PatronusFati.event_handler.on(:any) do |asset_type, event_type, msg, opts|
+    puts JSON.generate({asset_type: asset_type, event_type: event_type, data: msg, additional_data: opts, timestamp: Time.now})
+  end
+
+  while (line = connection.read_queue.pop)
+    next unless (obj = PatronusFati::MessageParser.parse(line))
+    responses = PatronusFati::MessageProcessor.handle(obj)
+
+    Array(responses).each { |msg| connection.write(msg) }
+  end
+
+  connection.disconnect
+end

data/kismet_configs/pat_fat_startup.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+
+sudo /usr/bin/kismet_server --no-logging --config-file patronus_fati_kismet.conf --daemonize --silent

data/kismet_configs/patronus_fati_kismet.conf

@@ -0,0 +1,88 @@
+version=2009-newcore
+servername=PatronusFatiKismet
+
+logdefault=Kismet
+logprefix=/tmp/patronus_fati_kismet
+logtemplate=%p%n-%D-%t-%i.%l
+
+hidedata=false
+
+allowplugins=true
+
+ncsource=wlan0
+
+#preferredchannels=
+
+# How many channels per second do we hop?  (1-10)
+channelvelocity=5
+
+channellist=IEEE80211b:1:3,6:3,11:3,2,7,3,8,4,9,5,10
+channellist=IEEE80211a:36,40,44,48,52,56,60,64,149,153,157,161,165
+channellist=IEEE80211ab:1:3,6:3,11:3,2,7,3,8,4,9,5,10,36,40,44,48,52,56,60,64,149,153,157,161,165
+
+listen=tcp://0.0.0.0:2501
+allowedhosts=0.0.0.0/0
+maxclients=5
+
+maxbacklog=5000
+
+# OUI file, expected format 00:11:22<tab>manufname
+# IEEE OUI file used to look up manufacturer info.  We default to the
+# wireshark one since most people have that.
+ouifile=/etc/manuf
+ouifile=/usr/share/wireshark/wireshark/manuf
+ouifile=/usr/share/wireshark/manuf
+
+gps=false
+gpstype=gpsd
+gpshost=localhost:2947
+gpsreconnect=true
+
+# Do we export packets over tun/tap virtual interfaces?
+tuntap_export=false
+tuntap_device=kistap0
+
+#alert=ADHOCCONFLICT,5/min,1/sec
+alert=AIRJACKSSID,5/min,1/sec
+alert=APSPOOF,10/min,1/sec
+alert=BCASTDISCON,5/min,2/sec
+alert=BSSTIMESTAMP,5/min,1/sec
+#alert=CHANCHANGE,5/min,1/sec
+alert=CRYPTODROP,5/min,1/sec
+alert=DISASSOCTRAFFIC,10/min,1/sec
+alert=DEAUTHFLOOD,5/min,2/sec
+alert=DEAUTHCODEINVALID,5/min,1/sec
+alert=DISCONCODEINVALID,5/min,1/sec
+alert=DHCPNAMECHANGE,5/min,1/sec
+alert=DHCPOSCHANGE,5/min,1/sec
+alert=DHCPCLIENTID,5/min,1/sec
+alert=DHCPCONFLICT,10/min,1/sec
+alert=NETSTUMBLER,5/min,1/sec
+alert=LUCENTTEST,5/min,1/sec
+alert=LONGSSID,5/min,1/sec
+alert=MSFBCOMSSID,5/min,1/sec
+alert=MSFDLINKRATE,5/min,1/sec
+alert=MSFNETGEARBEACON,5/min,1/sec
+alert=NULLPROBERESP,5/min,1/sec
+alert=PROBENOJOIN,5/min,1/sec
+
+# Controls behavior of the APSPOOF alert.  SSID may be a literal match (ssid=) or
+# a regex (ssidregex=) if PCRE was available when kismet was built. The allowed
+# MAC list must be comma-separated and enclosed in quotes if there are multiple
+# MAC addresses allowed. MAC address masks are allowed.
+#apspoof=Foo1:ssidregex="(?i:foobar)",validmacs=00:11:22:33:44:55
+#apspoof=Foo2:ssid="Foobar",validmacs="00:11:22:33:44:55,aa:bb:cc:dd:ee:ff"
+
+# How often (in seconds) do we write all our data files (0 to disable)
+writeinterval=0
+
+enablesound=false
+enablespeech=false
+
+logtypes=netxml
+
+pcapdumpformat=ppi
+
+# Where state info, etc, is stored.  You shouldnt ever need to change this.
+# This is a directory.
+configdir=%h/.kismet/

data/lib/patronus_fati/cap_struct.rb

@@ -0,0 +1,97 @@
+module PatronusFati
+  # Class generator similar to a struct but allows for using a hash as an
+  # unordered initializer. This was designed to work as an initializer for
+  # capability classes and thus has a few additional methods written in to
+  # support this functionality.
+  module CapStruct
+    # Creates a new dynamic class with the provided attributes.
+    #
+    # @param [Array<Symbol>] args The list of attributes of getters and
+    #   setters.
+    def self.new(*args)
+      Class.new do
+        @attributes_keys = args.map(&:to_sym).dup.freeze
+        @supported_keys = []
+
+        # Any unspecified data filter will default to just returning the same
+        # value passed in.
+        @data_filters = Hash.new(Proc.new { |i| i })
+
+        # Returns the keys that are valid for this class (effectively it's
+        # attributes)
+        #
+        # @return [Array<Symbol>]
+        def self.attribute_keys
+          @attributes_keys
+        end
+
+        # Call and return the resulting value of the data filter requested.
+        #
+        # @param [Symbol] attr
+        # @param [Object] value
+        # @return [Object]
+        def self.data_filter(attr, value)
+          @data_filters[attr].call(value)
+        end
+
+        # Set the data filter to the provided block.
+        #
+        # @param [Symbol] attr
+        def self.set_data_filter(*attr)
+          blk = Proc.new
+          Array(attr).each { |a| @data_filters[a] = blk }
+        end
+
+        # Return the intersection of our known attribute keys and the keys that
+        # the server has claimed to support. The order is important to be
+        # consistent between all returned runs of this.
+        #
+        # @return [Array<Symbol>]
+        def self.enabled_keys
+          attribute_keys & supported_keys
+        end
+
+        # Return the keys the server has claimed to support (and maintain the order).
+        #
+        # @return [Array<Symbol>]
+        def self.supported_keys
+          @supported_keys
+        end
+
+        # Set the keys supported by the server.
+        #
+        # @param [Array<Symbol>] sk
+        def self.supported_keys=(sk)
+          @supported_keys = sk
+        end
+
+        attr_reader :attributes
+
+        def [](key)
+          @attributes[key.to_sym]
+        end
+
+        def []=(key, val)
+          if self.class.attribute_keys.include?(key.to_sym)
+            @attributes[key.to_sym] = self.class.data_filter(key.to_sym, val)
+          end
+        end
+
+        # Configure and setup the instance with all the valid parameters for
+        # the dynamic class.
+        #
+        # @attrs [Symbol=>Object] attrs
+        def initialize(attrs)
+          @attributes = {}
+          attrs.each { |k, v| self[k] = v }
+        end
+
+        # Define all the appropriate setters and getters for this dynamic class.
+        args.each do |a|
+          define_method(a.to_sym) { self[a] }
+          define_method("#{a}=".to_sym) { |val| self[a] = val }
+        end
+      end
+    end
+  end
+end

data/lib/patronus_fati/connection.rb

@@ -0,0 +1,85 @@
+module PatronusFati
+  class Connection
+    attr_reader :port, :read_queue, :server, :write_queue
+
+    def initialize(server, port)
+      @server = server
+      @port = port
+    end
+
+    def connect
+      establish_connection
+
+      self.read_queue = Queue.new
+      self.write_queue = Queue.new
+
+      start_read_thread
+      start_write_thread
+    end
+
+    def connected?
+      !socket.nil?
+    end
+
+    def disconnect
+      return unless connected?
+
+      Thread.kill(read_thread)
+      Thread.kill(write_thread)
+
+      socket.close
+
+      self.socket = nil
+      self.read_queue = nil
+      self.write_queue = nil
+    end
+
+    def write(msg)
+      write_queue.push(msg)
+    end
+
+    protected
+
+    attr_accessor :read_thread, :socket, :write_thread
+    attr_writer :read_queue, :write_queue
+
+    def establish_connection
+      return if connected?
+      @socket = TCPSocket.new(server, port)
+    end
+
+    def start_read_thread
+      self.read_thread = Thread.new do
+        begin
+          while (line = socket.readline)
+            read_queue << line
+          end
+        rescue Timeout::Error
+          # Connection timed out...
+          exit 1
+        rescue EOFError
+          # We lost our connection...
+          exit 2
+        rescue => e
+          puts ('Unknown issue reading from socket: %s' % e.message)
+          exit 3
+        end
+      end
+    end
+
+    def start_write_thread
+      self.write_thread = Thread.new do
+        begin
+          count = 0
+          while (msg = write_queue.pop)
+            socket.write("!%i %s\r\n" % [count, msg])
+            count += 1
+          end
+        rescue => e
+          puts ('Unknown issue writing to socket: %s' % e.message)
+          exit 1
+        end
+      end
+    end
+  end
+end

data/lib/patronus_fati/consts.rb

@@ -0,0 +1,85 @@
+module PatronusFati
+  BSSID_TYPE_MAP = {
+    0   => 'infrastructure',
+    1   => 'adhoc',
+    2   => 'probe',
+    3   => 'turbocell',
+    4   => 'data',
+    255 => 'mixed',
+    256 => 'remove'
+  }
+
+  # 'DS' is short for distribution system, it has something to do with packet
+  # domains 'BSS' (the prefix on BSSID) but it's clear that identifier is more
+  # than what I thought it was...
+  CLIENT_TYPE_MAP = {
+    0 => 'unknown',
+    1 => 'from_ds',
+    2 => 'to_ds',
+    3 => 'inter_ds',
+    4 => 'established',
+    5 => 'adhoc',
+    6 => 'remove'
+  }
+
+  DATA_DELIMITER = /(\x01[^\x01]+\x01)|(\S+)/
+
+  # This map was retrieved from a combination of the packet_ieee80211.h header
+  # file and dumpfile_netxml.cc source in the kismet git repo.
+  SSID_CRYPT_MAP = {
+    0 => 'None',
+    1 => 'Unknown',
+    (1 << 1) => 'WEP',
+    (1 << 2) => 'Layer3',
+    (1 << 3) => 'WEP40',
+    (1 << 4) => 'WEP104',
+    (1 << 5) => 'WPA+TKIP',
+    (1 << 6) => 'WPA', # Appears deprecated but still in the kismet source
+    (1 << 7) => 'WPA+PSK',
+    (1 << 8) => 'WPA+AES-OCB',
+    (1 << 9) => 'WPA+AES-CCM',
+    (1 << 10) => 'WPA Migration Mode',
+    (1 << 11) => 'WPA+EAP', # Not a value that shows up in kismet exports... Bonus?
+    (1 << 12) => 'WPA+LEAP',
+    (1 << 13) => 'WPA+TTLS',
+    (1 << 14) => 'WPA+TLS',
+    (1 << 15) => 'WPA+PEAP',
+    (1 << 20) => 'ISAKMP',
+    (1 << 21) => 'PPTP',
+    (1 << 22) => 'Fortress',
+    (1 << 23) => 'Keyguard',
+    (1 << 24) => 'Unknown Protected',
+    (1 << 25) => 'Unknown Non-WEP',
+    (1 << 26) => 'WPS'
+  }
+
+  SSID_CRYPT_MAP_INVERTED = Hash[SSID_CRYPT_MAP.map { |k, v| [v, k] }]
+
+  SSID_TYPE_MAP = {
+    0 => 'beacon',
+    1 => 'probe_response',
+    2 => 'probe_request',
+    3 => 'file'
+  }
+
+  SERVER_MESSAGE = /
+    (?<header> [A-Z]+){0}
+    (?<data> .+){0}
+
+    ^\*\g<header>:\s+\g<data>$
+  /x
+
+  # Number of seconds before we consider an access point as offline
+  AP_EXPIRATION = 300
+
+  # Number of seconds before we consider a client as no longer within range.
+  CLIENT_EXPIRATION = 1800
+
+  # How long before a connection between a client and an access point is
+  # consider no longer actively connected.
+  CONNECTION_EXPIRATION = 1800
+
+  # Number of seconds before we consider an access point no longer advertising an
+  # SSID.
+  SSID_EXPIRATION = 300
+end