patronus_fati 0.8.0

data/lib/patronus_fati/message_parser.rb

@@ -0,0 +1,44 @@
+module PatronusFati
+  module MessageParser
+    # We receive some messages before we specifically request the abilities of
+    # the server, when this happens we'll attempt to map the data using the
+    # default attribute ordering that was provided by the Kismet server this
+    # client was coded against, this may not be entirely accurate, but will
+    # become accurate before we receive any meaningful data.
+    def self.parse(msg)
+      return unless (raw_data = handle_msg(msg))
+
+      unless (cap = get_model(raw_data[0]))
+        warn('Message received had unknown message type: ' + raw_data[0])
+        return
+      end
+
+      src_keys = cap.enabled_keys.empty? ? cap.attribute_keys : cap.enabled_keys
+      cap.new(Hash[src_keys.zip(raw_data[1])])
+    end
+
+    protected
+
+    def self.extract_data(data_line)
+      data_line.scan(PatronusFati::DATA_DELIMITER).map { |a, b| (a || b).tr("\x01", '') }
+    end
+
+    def self.get_model(mdl)
+      return unless PatronusFati::MessageModels.const_defined?(model_name(mdl))
+      PatronusFati::MessageModels.const_get(model_name(mdl))
+    end
+
+    def self.handle_msg(line)
+      resp = PatronusFati::SERVER_MESSAGE.match(line)
+      return unless resp
+
+      h = Hash[resp.names.zip(resp.captures)]
+
+      [h['header'], extract_data(h['data'])]
+    end
+
+    def self.model_name(hdr)
+      hdr.downcase.capitalize.to_sym
+    end
+  end
+end

data/lib/patronus_fati/message_processor/alert.rb

@@ -0,0 +1,15 @@
+module PatronusFati::MessageProcessor::Alert
+  include PatronusFati::MessageProcessor
+
+  def self.process(obj)
+    src_mac = PatronusFati::DataModels::Mac.first_or_create(mac: obj[:source])
+    dst_mac = PatronusFati::DataModels::Mac.first_or_create(mac: obj[:dest])
+    other_mac = PatronusFati::DataModels::Mac.first_or_create(mac: obj[:other])
+
+    PatronusFati::DataModels::Alert.first_or_create({created_at: obj.sec, \
+      message: obj[:text]}, {created_at: obj.sec, message: obj[:text], \
+      src_mac: src_mac, dst_mac: dst_mac, other_mac: other_mac})
+
+    nil
+  end
+end

data/lib/patronus_fati/message_processor/bssid.rb

@@ -0,0 +1,47 @@
+module PatronusFati::MessageProcessor::Bssid
+  include PatronusFati::MessageProcessor
+
+  def self.process(obj)
+    # We don't care about objects that would have expired already...
+    return if obj[:lasttime] < (Time.now.to_i - PatronusFati::AP_EXPIRATION)
+
+    # Ignore probe requests as their BSSID information is useless (the ESSID
+    # isn't present and it's coming from a client).
+    return unless %w(infrastructure adhoc).include?(obj.type.to_s)
+
+    ap_info = ap_data(obj.attributes)
+    access_point = PatronusFati::DataModels::AccessPoint.first_or_create({bssid: obj.bssid}, ap_info)
+
+    access_point.update(ap_info)
+    access_point.record_signal(obj.signal_dbm)
+    access_point.update_frequencies(obj.freqmhz)
+
+    nil
+  end
+
+  protected
+
+  def self.ap_data(attrs)
+    {
+      bssid: attrs[:bssid],
+      type: attrs[:type],
+      channel: attrs[:channel],
+
+      crypt_packets: attrs[:cryptpackets],
+      data_packets: attrs[:datapackets],
+      data_size: attrs[:datasize],
+
+      fragments: attrs[:fragments],
+      retries: attrs[:retries],
+
+      max_seen_rate: attrs[:maxseenrate],
+      duplicate_iv_pkts: attrs[:dupeivpackets],
+
+      range_ip: attrs[:rangeip],
+      netmask: attrs[:netmaskip],
+      gateway_ip: attrs[:gatewayip],
+
+      last_seen_at: Time.now.to_i
+    }.reject { |_, v| v.nil? }
+  end
+end

data/lib/patronus_fati/message_processor/capability.rb

@@ -0,0 +1,24 @@
+module PatronusFati::MessageProcessor::Capability
+  include PatronusFati::MessageProcessor
+
+  def self.process(obj)
+    # The capability detection for the capability command is broken. It
+    # returns the name of the command followed by the capabilities but the
+    # result of a request ignores that it also sends back the name of the
+    # command. We don't want to mess up our parsing so we work around it by
+    # ignoring these messages.
+    return if obj.name == 'CAPABILITY'
+    return unless PatronusFati::MessageModels.const_defined?(obj.name.downcase.capitalize)
+
+    target_cap = PatronusFati::MessageModels.const_get(obj.name.downcase.capitalize)
+    target_cap.supported_keys = obj.capabilities.split(',').map(&:to_sym)
+
+    keys_to_enable = target_cap.enabled_keys.map(&:to_s).join(',')
+
+    # Limit the amount of data kismet gives us to only the interesting stuff
+    return unless %w(ERROR PROTOCOLS ALERT BSSID SSID CLIENT CRITFAIL).include?(obj.name)
+
+    # Return the response to the server
+    "ENABLE #{obj.name} #{keys_to_enable}"
+  end
+end

data/lib/patronus_fati/message_processor/client.rb

@@ -0,0 +1,55 @@
+module PatronusFati::MessageProcessor::Client
+  include PatronusFati::MessageProcessor
+
+  def self.process(obj)
+    # We don't care about objects that would have expired already...
+    return if obj[:lasttime] < PatronusFati::DataModels::Client.current_expiration_threshold
+
+    client_info = client_data(obj.attributes)
+
+    client = PatronusFati::DataModels::Client.first_or_create({bssid: obj[:mac]}, client_info)
+    client.update(client_info)
+
+    client.record_signal(obj.signal_dbm)
+    client.update_frequencies(obj.freqmhz)
+
+    # Don't deal in associations that are outside of our connection expiration
+    # time...
+    return if obj[:lasttime] <= (Time.now.to_i - PatronusFati::CONNECTION_EXPIRATION)
+
+    # Handle the associations
+    unless obj[:bssid].nil? || obj[:bssid].empty? || obj[:bssid] == obj[:mac]
+      return unless (ap = PatronusFati::DataModels::AccessPoint.first(bssid: obj[:bssid]))
+      ap.seen!
+
+      conn = PatronusFati::DataModels::Connection.connected.first_or_create({client: client, access_point: ap})
+      conn.seen!
+    end
+
+    nil
+  end
+
+  protected
+
+  def self.client_data(attrs)
+    {
+      bssid: attrs[:mac],
+      channel: attrs[:channel],
+
+      crypt_packets: attrs[:cryptpackets],
+      data_packets: attrs[:datapackets],
+      data_size: attrs[:datasize],
+
+      fragments: attrs[:fragments],
+      retries: attrs[:retries],
+
+      max_seen_rate: attrs[:maxseenrate],
+
+      ip: attrs[:ip],
+      gateway_ip: attrs[:gatewayip],
+      dhcp_host: attrs[:dhcphost],
+
+      last_seen_at: Time.now.to_i
+    }.reject { |_, v| v.nil? }
+  end
+end

data/lib/patronus_fati/message_processor/critfail.rb

@@ -0,0 +1,8 @@
+module PatronusFati::MessageProcessor::Critfail
+  include PatronusFati::MessageProcessor
+
+  def self.process(opts)
+    puts ('Critical fail message: %s' % opts.message)
+    nil
+  end
+end

data/lib/patronus_fati/message_processor/error.rb

@@ -0,0 +1,7 @@
+module PatronusFati::MessageProcessor::Error
+  include PatronusFati::MessageProcessor
+
+  def self.process(opts)
+    warn('Failed command ID %i with error: %s' % [opts.cmdid, opts.text])
+  end
+end

data/lib/patronus_fati/message_processor/protocols.rb

@@ -0,0 +1,7 @@
+module PatronusFati::MessageProcessor::Protocols
+  include PatronusFati::MessageProcessor
+
+  def self.process(obj)
+    obj.protocols.split(',').map { |p| "CAPABILITY #{p}" }
+  end
+end

data/lib/patronus_fati/message_processor/ssid.rb

@@ -0,0 +1,48 @@
+module PatronusFati::MessageProcessor::Ssid
+  include PatronusFati::MessageProcessor
+
+  def self.process(obj)
+    # We don't care about objects that would have expired already...
+    return if obj[:lasttime] < (Time.now.to_i - PatronusFati::SSID_EXPIRATION)
+
+    ssid_info = ssid_data(obj.attributes)
+
+    if %w(beacon probe_response).include?(obj[:type])
+      access_point = PatronusFati::DataModels::AccessPoint.first(bssid: obj[:mac])
+      return unless access_point # Only happens with a corrupt message
+
+      ssid = PatronusFati::DataModels::Ssid.first_or_create({access_point: access_point, essid: ssid_info[:essid]}, ssid_info)
+      ssid.update(ssid_info)
+      access_point.seen!
+    elsif obj[:type] == 'probe_request'
+      client = PatronusFati::DataModels::Client.first(bssid: obj[:mac])
+
+      return if client.nil?
+      client.seen!
+
+      return if obj[:ssid].nil? || obj[:ssid].empty?
+      client.probes.first_or_create(essid: obj[:ssid])
+    else
+      # The only thing left is the 'file' type which no one seems to understand
+      #puts ('Unknown SSID type (%s): %s' % [obj[:type], obj.inspect])
+    end
+
+    nil
+  end
+
+  protected
+
+  def self.ssid_data(attrs)
+    {
+      beacon_info: attrs[:beaconinfo],
+      beacon_rate: attrs[:beaconrate],
+
+      cloaked:  attrs[:cloaked],
+      crypt_set: attrs[:cryptset].map(&:to_s),
+      essid: attrs[:ssid],
+      max_rate: attrs[:maxrate],
+
+      last_seen_at: Time.now.to_i
+    }.reject { |_, v| v.nil? }
+  end
+end

data/lib/patronus_fati/message_processor.rb

@@ -0,0 +1,52 @@
+module PatronusFati
+  module MessageProcessor
+    extend FactoryBase
+
+    def self.cleanup_models
+      @last_cleanup ||= Time.now.to_i
+
+      if @last_cleanup < (Time.now.to_i - 10)
+        @last_cleanup = Time.now.to_i
+
+        PatronusFati::DataModels::AccessPoint.inactive.reported_online.each do |ap|
+          ap.update(:reported_online => false)
+          PatronusFati.event_handler.event(:access_point, :offline, {'bssid' => ap.bssid, 'uptime' => ap.uptime})
+          ap.disconnect_clients!
+        end
+
+        PatronusFati::DataModels::Client.inactive.reported_online.each do |cli|
+          cli.update(:reported_online => false)
+          PatronusFati.event_handler.event(:client, :offline, {'bssid' => cli.bssid, 'uptime' => cli.uptime})
+          cli.disconnect!
+        end
+
+        PatronusFati::DataModels::Connection.inactive.connected.map(&:disconnect!)
+      end
+    end
+
+    def self.handle(message_obj)
+      result = factory(class_to_name(message_obj), message_obj)
+      cleanup_models
+      result
+    rescue => e
+      puts 'Error processing the following message object:'
+      puts message_obj.inspect
+      puts '%s: %s' % [e.class, e.message]
+      puts e.backtrace.join("\n")
+    end
+
+    def self.ignored_types
+      [:ack, :battery, :bssidsrc, :channel, :clisrc, :gps, :info, :kismet,
+       :plugin, :source, :status, :time]
+    end
+  end
+end
+
+require 'patronus_fati/message_processor/alert'
+require 'patronus_fati/message_processor/bssid'
+require 'patronus_fati/message_processor/capability'
+require 'patronus_fati/message_processor/client'
+require 'patronus_fati/message_processor/critfail'
+require 'patronus_fati/message_processor/error'
+require 'patronus_fati/message_processor/protocols'
+require 'patronus_fati/message_processor/ssid'

data/lib/patronus_fati/version.rb

@@ -0,0 +1,3 @@
+module PatronusFati
+  VERSION = '0.8.0'
+end

data/lib/patronus_fati.rb

@@ -0,0 +1,68 @@
+STDOUT.sync = true
+
+require 'date'
+require 'digest'
+require 'json'
+require 'openssl'
+require 'socket'
+require 'timeout'
+require 'thread'
+
+require 'dm-constraints'
+require 'dm-core'
+require 'dm-migrations'
+require 'dm-observer'
+require 'dm-timestamps'
+require 'dm-validations'
+
+require 'louis'
+
+require 'patronus_fati/consts'
+require 'patronus_fati/version'
+
+require 'patronus_fati/data_mapper/crypt_flags'
+require 'patronus_fati/data_mapper/null_table_prefix'
+
+require 'patronus_fati/cap_struct'
+require 'patronus_fati/connection'
+require 'patronus_fati/event_handler'
+require 'patronus_fati/factory_base'
+require 'patronus_fati/message_models'
+require 'patronus_fati/message_parser'
+require 'patronus_fati/message_processor'
+
+require 'patronus_fati/data_models/common'
+
+require 'patronus_fati/data_models/access_point'
+require 'patronus_fati/data_models/ap_frequency'
+require 'patronus_fati/data_models/ap_signal'
+require 'patronus_fati/data_models/alert'
+require 'patronus_fati/data_models/client'
+require 'patronus_fati/data_models/client_frequency'
+require 'patronus_fati/data_models/client_signal'
+require 'patronus_fati/data_models/connection'
+require 'patronus_fati/data_models/mac'
+require 'patronus_fati/data_models/probe'
+require 'patronus_fati/data_models/ssid'
+
+require 'patronus_fati/data_observers/access_point_observer'
+require 'patronus_fati/data_observers/alert_observer'
+require 'patronus_fati/data_observers/client_observer'
+require 'patronus_fati/data_observers/connection_observer'
+require 'patronus_fati/data_observers/ssid_observer'
+
+module PatronusFati
+  def self.event_handler
+    @event_handler ||= PatronusFati::EventHandler.new
+  end
+
+  def self.setup(kismet_server, kismet_port, database_uri)
+    #DataMapper::Logger.new('pf-db.log', :debug)
+    DataMapper.setup(:default, database_uri)
+    DataMapper.repository(:default).adapter.resource_naming_convention = PatronusFati::NullTablePrefix
+    DataMapper.finalize
+    DataMapper.auto_upgrade!
+
+    PatronusFati::Connection.new(kismet_server, kismet_port)
+  end
+end

data/patronus_fati.gemspec

@@ -0,0 +1,41 @@
+# -*- encoding: utf-8 -*-
+
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'patronus_fati/version'
+
+Gem::Specification.new do |gem|
+  gem.name          = "patronus_fati"
+  gem.version       = PatronusFati::VERSION
+  gem.authors       = [ "Sam Stelfox" ]
+  gem.license       = "LGPL"
+  gem.email         = [ "sstelfox@bedroomprogrammers.net" ]
+  gem.description   = %q{ A ruby implementation of the Kismet client protocol. }
+  gem.summary       = %q{ A ruby implementation of the Kismet client protocol. }
+  gem.homepage      = ""
+
+  gem.files         = `git ls-files`.split($/)
+  gem.executables   = gem.files.grep(%r{^bin/}).map{ |f| File.basename(f) }
+  gem.test_files    = gem.files.grep(%r{^(test|spec|features)/})
+  gem.require_paths = ["lib"]
+
+  gem.add_dependency 'dm-constraints'
+  gem.add_dependency 'dm-core'
+  gem.add_dependency 'dm-migrations'
+  gem.add_dependency 'dm-observer'
+  gem.add_dependency 'dm-sqlite-adapter'
+  gem.add_dependency 'dm-timestamps'
+  gem.add_dependency 'dm-validations'
+  gem.add_dependency 'louis', '~> 2.0'
+
+  gem.add_development_dependency 'database_cleaner'
+  gem.add_development_dependency 'dm-rspec'
+  gem.add_development_dependency 'dm-transactions'
+  gem.add_development_dependency 'rake'
+  gem.add_development_dependency 'rdoc'
+  gem.add_development_dependency 'pry'
+  gem.add_development_dependency 'redcarpet'
+  gem.add_development_dependency 'rspec'
+  gem.add_development_dependency 'simplecov'
+  gem.add_development_dependency 'yard'
+end

data/spec/data_models/access_point_spec.rb

@@ -0,0 +1,26 @@
+require 'spec_helper'
+
+RSpec.describe 'DataModels::AccessPoint' do
+  subject { PatronusFati::DataModels::AccessPoint }
+
+  let(:unsaved_instance) { subject.new(bssid: '12:34:56:00:00:01', type: 'infrastructure', channel: 1) }
+  let(:saved_instance)   { unsaved_instance.save }
+
+  it { expect(subject).to have_property(:bssid) }
+  it { expect(subject).to have_property(:type) }
+  it { expect(subject).to have_property(:channel) }
+  it { expect(subject).to have_property(:last_seen_at) }
+
+  it { expect(subject).to have_many(:connections) }
+  it { expect(subject).to have_many(:ssids) }
+
+  it { expect(subject).to have_many(:clients).through(:connections) }
+
+  it { expect(subject).to belong_to(:mac) }
+
+  it 'should associate to a MAC object before saving' do
+    expect(unsaved_instance.mac).to be_nil
+    unsaved_instance.save
+    expect(unsaved_instance.mac).to be_instance_of(PatronusFati::DataModels::Mac)
+  end
+end

data/spec/data_models/alert_spec.rb

@@ -0,0 +1,12 @@
+require 'spec_helper'
+
+RSpec.describe 'DataModels::Alert' do
+  subject { PatronusFati::DataModels::Alert }
+
+  it { expect(subject).to have_property(:created_at) }
+  it { expect(subject).to have_property(:message) }
+
+  it { expect(subject).to belong_to(:src_mac) }
+  it { expect(subject).to belong_to(:dst_mac) }
+  it { expect(subject).to belong_to(:other_mac) }
+end

data/spec/data_models/client_spec.rb

@@ -0,0 +1,25 @@
+require 'spec_helper'
+
+RSpec.describe 'DataModels::Client' do
+  subject { PatronusFati::DataModels::Client }
+
+  let(:unsaved_instance) { subject.new(bssid: '12:34:56:00:00:02') }
+  let(:saved_instance)   { unsaved_instance.save }
+
+  it { expect(subject).to have_property(:id) }
+  it { expect(subject).to have_property(:bssid) }
+  it { expect(subject).to have_property(:last_seen_at) }
+
+  it { expect(subject).to have_many(:probes) }
+
+  it { expect(subject).to have_many(:connections) }
+  it { expect(subject).to have_many(:access_points).through(:connections) }
+
+  it { expect(subject).to belong_to(:mac) }
+
+  it 'should associate to a MAC object before saving' do
+    expect(unsaved_instance.mac).to be_nil
+    unsaved_instance.save
+    expect(unsaved_instance.mac).to be_instance_of(PatronusFati::DataModels::Mac)
+  end
+end

data/spec/data_models/connection_spec.rb

@@ -0,0 +1,86 @@
+require 'spec_helper'
+
+RSpec.describe 'DataModels::Connection' do
+  subject { PatronusFati::DataModels::Connection }
+
+  let(:client_model) { PatronusFati::DataModels::Client }
+  let(:unsaved_client) { client_model.new(bssid: '11:22:33:00:00:00') }
+
+  let(:ap_model) { PatronusFati::DataModels::AccessPoint }
+  let(:unsaved_ap) { ap_model.new(bssid: '22:33:44:00:00:01', type: 'adhoc', channel: 6) }
+
+  let(:instance) { subject.new(client: unsaved_client, access_point: unsaved_ap) }
+
+  it { expect(subject).to have_property(:id) }
+
+  it { expect(subject).to have_property(:connected_at) }
+  it { expect(subject).to have_property(:disconnected_at) }
+
+  it { expect(subject).to belong_to(:access_point) }
+  it { expect(subject).to belong_to(:client) }
+
+  context '#active?' do
+    it 'should be true when a disconnection hasn\'t been registered' do
+      inst = instance
+      inst.disconnected_at = nil
+
+      expect(inst).to be_active
+    end
+
+    it 'should be false when a disconnection has been registered' do
+      inst = instance
+      inst.disconnected_at = Time.now
+
+      expect(inst).to_not be_active
+    end
+  end
+
+  context '#disconnect!' do
+    it 'should change an active instance to be inactive' do
+      inst = instance
+      inst.save
+
+      expect(inst).to be_active
+      inst.disconnect!
+      expect(inst).to_not be_active
+    end
+  end
+
+  context '#active scope' do
+    it 'should include active connections' do
+      inst = instance
+      inst.save
+
+      expect(inst).to be_active
+      expect(subject.active).to include(inst)
+    end
+
+    it 'should not include inactive connections' do
+      inst = instance
+      inst.save
+      inst.disconnect!
+
+      expect(inst).to_not be_active
+      expect(subject.active).to_not include(inst)
+    end
+  end
+
+  context '#inactive scope' do
+    it 'should not include active connections' do
+      inst = instance
+      inst.save
+
+      expect(inst).to be_active
+      expect(subject.inactive).to_not include(inst)
+    end
+
+    it 'should include inactive connections' do
+      inst = instance
+      inst.save
+      inst.disconnect!
+
+      expect(inst).to_not be_active
+      expect(subject.inactive).to include(inst)
+    end
+  end
+end

data/spec/data_models/mac_spec.rb

@@ -0,0 +1,26 @@
+require 'spec_helper'
+
+RSpec.describe 'DataModels::Mac' do
+  subject { PatronusFati::DataModels::Mac }
+
+  let(:unsaved_instance) { subject.new(mac: '00:12:34:00:00:00') }
+  let(:saved_instance)   { unsaved_instance.save }
+
+  it { expect(subject).to have_property(:mac) }
+  it { expect(subject).to have_property(:vendor) }
+
+  it { expect(subject).to have_many(:access_points) }
+  it { expect(subject).to have_many(:clients) }
+
+  it { expect(subject).to have_many(:dst_alerts) }
+  it { expect(subject).to have_many(:other_alerts) }
+  it { expect(subject).to have_many(:src_alerts) }
+
+  # This is a tad bit annoying, data mapper generates Ruby warnings about
+  # uninitialized instance variables.
+  it 'should set the vendor on the MAC object before saving' do
+    expect(unsaved_instance.vendor).to be_nil
+    unsaved_instance.save
+    expect(unsaved_instance.vendor).to_not be_nil
+  end
+end

data/spec/patronus_fati_spec.rb

@@ -0,0 +1,13 @@
+require 'spec_helper'
+
+RSpec.describe PatronusFati do
+  context 'VERSION' do
+    it 'should have a version' do
+      expect { PatronusFati::VERSION }.to_not raise_error
+    end
+
+    it 'should be properly formatted' do
+      expect(PatronusFati::VERSION).to match(/\d+\.\d+\.\d+([a-z])?/)
+    end
+  end
+end