tcp_handshake.cc

xprobe package sources code

/*
**
** Copyright (C) 2001, 2002, 2003 Meder Kydyraliev
**
** Copyright (C) 2001, 2002, 2003  Fyodor Yarochkin <fygrave@tigerteam.net>,
**                                  Ofir Arkin       <ofir@sys-security.com>
**
** This program is free software; you can redistribute it and/or modify
** it under the terms of the GNU General Public License as published by
** the Free Software Foundation; either version 2 of the License, or
** (at your option) any later version.
**
**
** This program is distributed in the hope that it will be useful,
** but WITHOUT ANY WARRANTY; without even the implied warranty of
** MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
** GNU General Public License for more details.
**
** You should have received a copy of the GNU General Public License
** along with this program; if not, write to the Free Software
** Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/

#include "xprobe.h"
#define _XPROBE_MODULE
#include "xplib.h"
#include "xprobe_module.h"
#include "xprobe_module_hdlr.h"
#include "target.h"
#include "interface.h"
#include "tcp_handshake.h"

extern Interface *ui;


TCP_Handshake_Mod::TCP_Handshake_Mod(void): Xprobe_Module(XPROBE_MODULE_OSTEST, 
		"fingerprint:tcp_hshake","TCP Handshake fingerprinting module") { 

	TCP_Handshake_Ttl_Check *ttlc = new TCP_Handshake_Ttl_Check;
	TCP_Handshake_Ip_Id_Check *ipidc = new TCP_Handshake_Ip_Id_Check;
	TCP_Handshake_Tos_Check *tosc = new TCP_Handshake_Tos_Check;
	TCP_Handshake_Df_Bit_Check *dfbc = new TCP_Handshake_Df_Bit_Check;
	TCP_Handhake_Ack_Check *ackc = new TCP_Handhake_Ack_Check;
	TCP_Handshake_Window_Check *winc = new TCP_Handshake_Window_Check;

	kwd_chk.insert(pair<string, Xprobe_Module_Param_TCP *>("tcp_syn_ack_ttl", ttlc));
	kwd_chk.insert(pair<string, Xprobe_Module_Param_TCP *>("tcp_syn_ack_ip_id", ipidc));
	kwd_chk.insert(pair<string, Xprobe_Module_Param_TCP *>("tcp_syn_ack_tos", tosc));
	kwd_chk.insert(pair<string, Xprobe_Module_Param_TCP *>("tcp_syn_ack_df", dfbc));
	kwd_chk.insert(pair<string, Xprobe_Module_Param_TCP *>("tcp_syn_ack_ack", ackc));
	kwd_chk.insert(pair<string, Xprobe_Module_Param_TCP *>("tcp_syn_ack_window_size", winc));
	memset(opt_order, 0, sizeof(opt_order));
	wscale = -1;
	got_timestamp = false;

}

TCP_Handshake_Mod::~TCP_Handshake_Mod(void) {
	map <string, Xprobe_Module_Param_TCP *>::iterator m_i;

	for (m_i = kwd_chk.begin(); m_i != kwd_chk.end(); m_i++)
		delete m_i->second;
}

int TCP_Handshake_Mod::init(void) {

    xprobe_debug(XPROBE_DEBUG_MODULES, "%s module initialized\n", get_name());
    return OK;
}


int TCP_Handshake_Mod::exec(Target *tg, OS_Matrix *os) {
	map<string, Xprobe_Module_Param_TCP *>::iterator m_i;
	TCP *request = new TCP(inet_ntoa(tg->get_addr()));
	char tcp_options[40], buf[1024];
	int done=0, ret, len;
	unsigned int tse, tsv;
	struct timeval tv;
	struct in_addr local=tg->get_interface_addr(), remote=tg->get_addr();
	TCP sn(inet_ntoa(local));

	tv = tg->get_rtt();

	sn.init_device(tg->get_interface(), 0, 1500);
	sn.timeout(tv);
    xprobe_debug(XPROBE_DEBUG_MODULES, "--%s module has been executed against: %s\n", get_name(),
            inet_ntoa(tg->get_addr()));
	if (get_tcpopts_pack(tg, request)) {
		ui->msg("[%s] send_tcpopts() failed\n");
		return FAIL;
	}
	request->sendpack("");
	while(!done) {
		ret = sn.sniffpack(buf, sizeof(buf));
		if (!sn.timeout()) {
			if (sn.get_src() == remote.s_addr &&
				request->get_dstport() == sn.get_srcport() ) {
				done = 1;
				xprobe_debug(XPROBE_DEBUG_MODULES, "[%s] Got reply.\n", get_name());
			}
		} else
			done = 1; // timeout
	}
	if (!sn.timeout())
		if (sn.get_flags() == (TH_SYN|TH_ACK)) {
			xprobe_debug(XPROBE_DEBUG_MODULES, "[%s] Got SYN ACK packet.\n", get_name());
			memset(tcp_options, 0, sizeof(tcp_options));
			len = sn.get_tcpopt(tcp_options)-20;
			parse_options(tcp_options, len);
			for (m_i = kwd_chk.begin(); m_i != kwd_chk.end(); m_i++)
				m_i->second->check_param(&sn, request, os);
			for (w_i = wscale_map.begin(); w_i != wscale_map.end(); w_i++)
				if (w_i->second == wscale) {
					os->add_result(get_id(), w_i->first, XPROBE_MATCH_YES);
				} else
					os->add_result(get_id(), w_i->first, XPROBE_MATCH_NO);
			for (o_i = options_map.begin(); o_i != options_map.end(); o_i++)
				if (o_i->second == opt_order) {
					os->add_result(get_id(), o_i->first, XPROBE_MATCH_YES);
				} else 
					os->add_result(get_id(), o_i->first, XPROBE_MATCH_NO);
			if (got_timestamp) {
				if (timestamps[0] == 0)
					tsv = 0;
				else
					tsv = 1;

				if (timestamps[1] == 0)
					tse = 0;
				else 
					tse = 1;
				for (ts_i = tsval.begin(); ts_i != tsval.end(); ts_i++)
					if (ts_i->second == tsv)
						os->add_result(get_id(), ts_i->first, XPROBE_MATCH_YES);
				for (ts_i = tsecr.begin(); ts_i != tsecr.end(); ts_i++)
					if (ts_i->second == tse)
						os->add_result(get_id(), ts_i->first, XPROBE_MATCH_YES);
			} else {
				for (ts_i = tsval.begin(); ts_i != tsval.end(); ts_i++)  
					if (ts_i->second == 2) /* NONE */
						os->add_result(get_id(), ts_i->first, XPROBE_MATCH_YES);
				for (ts_i = tsecr.begin(); ts_i != tsecr.end(); ts_i++)
					if (ts_i->second == 2) /* NONE */
						os->add_result(get_id(), ts_i->first, XPROBE_MATCH_YES);
			}
			if (tg->generate_sig())
				generate_signature(tg, &sn, request);
		} else {
			xprobe_debug(XPROBE_DEBUG_MODULES, "[%s] Did not receive SYN ACK packet.\n", get_name());
		}
	return OK;
}

int TCP_Handshake_Mod::parse_options(char *tcp_options, int len) {
	int lenparsed, optlen= 0;
	unsigned int k=0;

	xprobe_debug(XPROBE_DEBUG_MODULES, "[%s] Length of options: %d. Options are:\n",get_name(), len);
	// Parse TCP options, like OpenBSD does in /sys/netinet/tcp_input.c
	memset(opt_order, 0, sizeof(opt_order));
	for (lenparsed = 0; lenparsed < len; lenparsed += optlen) {
		if (tcp_options[lenparsed] == TCPOPT_NOP) {
			optlen=1;
			xprobe_mdebug(XPROBE_DEBUG_MODULES, "NOP\n");
			if (k < sizeof(opt_order))
				opt_order[k++]='N';
			continue;
		} else if (tcp_options[lenparsed] == TCPOPT_EOL) {
			xprobe_mdebug(XPROBE_DEBUG_MODULES, "EOL\n");
			if (len - lenparsed > 1)
				// something fucked up, we have end of list
				// but we are not done yet
				xprobe_debug(XPROBE_DEBUG_MODULES, "[%s] Got TCPOPT_EOL not at the end of options", get_name());
				break;
		} else  {
			// avoid evil packets that only have
			// option w/o lenght
			if (lenparsed + 1 < len)
				optlen = tcp_options[lenparsed+1];
			else
				// something is really fucked
				// we have option but do not have
				// its length
				return FAIL;
		}
		// alrighty, check for a fucked up packs
		// make sure that len reported in the pack
		// fits into our buffer
		if (optlen > len - lenparsed) {
			ui->msg("Option length reported in packet is greater than total options length\n");
			return FAIL;
		}

		// at this point have optlen bytes in tcp_options;
		// if optlen for some particular option is fucked up
		// we assign it correct value and try to parse further,
		// however neither data is parsed, nor we add option to
		// opt_order
		switch(tcp_options[lenparsed]) {
			case TCPOPT_WINDOW:	
				xprobe_mdebug(XPROBE_DEBUG_MODULES, "WSCALE ");
				if (optlen != TCPOLEN_WINDOW) {
					xprobe_debug(XPROBE_DEBUG_MODULES, "[%s] Bad TCPOPT_WINDOW len %d", get_name(), optlen);
					optlen = TCPOLEN_WINDOW;
					continue;
				} else {
					wscale = tcp_options[lenparsed+2];
					xprobe_debug(XPROBE_DEBUG_MODULES, "%d \n", wscale);
					if (k < sizeof(opt_order))
						opt_order[k++]='W';
				}
				break;
			case TCPOPT_TIMESTAMP:
				xprobe_mdebug(XPROBE_DEBUG_MODULES, "TIMESTAMP\n");
				if (optlen != TCPOLEN_TIMESTAMP) {
					xprobe_debug(XPROBE_DEBUG_MODULES, "[%s] Bad TCPOPT_TIMESTAMP len %d", get_name(), optlen);
					optlen = TCPOLEN_TIMESTAMP;
					continue;
				} 
				// we are guaranteed to have 8 bytes of option data at tcp_options+lenparsed
				memcpy(&timestamps[0], tcp_options+lenparsed+2, 4);
				memcpy(&timestamps[1], tcp_options+lenparsed+6, 4);
				xprobe_debug(XPROBE_DEBUG_MODULES, "[%s] Timestamps: %d %d\n", get_name(), ntohl(timestamps[0]),ntohl(timestamps[1]));
				if (k < sizeof(opt_order))
					opt_order[k++]='T';
				got_timestamp = true;
				break;
			case TCPOPT_MAXSEG:
				xprobe_mdebug(XPROBE_DEBUG_MODULES, "MSS\n");
				if (optlen != TCPOLEN_MAXSEG) {
					xprobe_debug(XPROBE_DEBUG_MODULES, "[%s] Bad TCPOPT_MAXSEG len %d", get_name(), optlen);
					optlen = TCPOLEN_MAXSEG;
					continue;
				}
				if (k < sizeof(opt_order))
					opt_order[k++] = 'M';
				break;
			case TCPOPT_SACK_PERMITTED:
				xprobe_mdebug(XPROBE_DEBUG_MODULES, "SACK\n");
				if (optlen != TCPOLEN_SACK_PERMITTED) {
					xprobe_debug(XPROBE_DEBUG_MODULES, "[%s] Bad TCPOPT_SACK_PERMITTED len %d", get_name(), optlen);
					optlen = TCPOLEN_SACK_PERMITTED;
					continue;
				}
				if (k < sizeof(opt_order))
					opt_order[k++] = 'S';
				break;
			default:
				ui->msg("[%s] Remote hosts proposed TCP option in SYNACK packet please report\n");
		}

	}
	
    return OK;
}

int TCP_Handshake_Mod::fini(void) {
    xprobe_debug(XPROBE_DEBUG_MODULES, "%s module has been deinitilized\n", get_name());
    return OK;
}

int TCP_Handshake_Mod::parse_keyword(int os_id, const char *kwd, const char *val)  {
	unsigned int vl;
	map<string, Xprobe_Module_Param_TCP *>::iterator m_i;
	
	xprobe_debug(XPROBE_DEBUG_MODULES, "Parsing for %i : %s  = %s\n", os_id,  kwd, val);
    
	for (m_i = kwd_chk.begin(); m_i != kwd_chk.end(); m_i++){
		if (m_i->first == kwd)
			return (m_i->second->parse_param(os_id, val));
	}
	/* parse "tcp_syn_ack_options_order" keyword
	 * following values are accepted:
	 * NOP MSS WSCALE SACK TIMESTAMP
	 */
	if (!strncasecmp(kwd, "tcp_syn_ack_options_order", strlen("tcp_syn_ack_options_order"))) {
		string options(val), fin_opt;
		string::size_type begin, end;
		unsigned int k=0;

		memset(opt_order, 0, sizeof(opt_order));
		//for the loop to work and parse last param
		// last char should be  `"' anyway
		options[options.size()-1] = ' ';