📄 tcp_handshake.cc
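// NOTE(review): this listing starts part-way through
// TCP_Handshake_Mod::parse_keyword(). The code up to that function's closing
// brace is kept exactly as published (only re-indented) and annotated; its
// beginning, including the declarations of k, vl, begin, end, options and
// fin_opt, is not visible here.
        begin = options.find_first_not_of('"');
        end = options.find_first_of(' ');
        while (begin != string::npos && end != string::npos) {
            // NOTE(review): k is allowed to reach sizeof(opt_order), so every
            // byte of opt_order can be written. `fin_opt = opt_order` below
            // then depends on a terminator that may not be there -- confirm
            // against the declaration of opt_order.
            if (k < sizeof(opt_order))
                opt_order[k++] = options.substr(begin, end)[0];
            else
                ui->msg("[%s] Too many options specified\n", get_name());
            begin = options.find_first_not_of(' ', end);
            end = options.find_first_of(' ', begin);
        }
        // sanity check to make sure no UNKNOWN
        // options were specified in the fingerprint
        while (k-- > 0) {
            if (opt_order[k] != 'N' && opt_order[k] != 'M' && opt_order[k] != 'W' && opt_order[k] != 'S' && opt_order[k] != 'T') {
                ui->msg("[%s] Unknown TCP option %c in fingerprint (%s=%s)\n", get_name(), opt_order[k], kwd, val);
                return FAIL;
            }
        }
        fin_opt = opt_order;
        options_map.insert(pair<int, string>(os_id, fin_opt));
    } else if (!strncasecmp(kwd, "tcp_syn_ack_wscale", strlen("tcp_syn_ack_wscale"))) {
        if (val[0] == 'N' || val[0] == 'n'){
            // -1 is the "no window-scale option" marker (generate_signature()
            // prints it as NONE).
            wscale_map.insert(pair<int, int>(os_id, -1));
        } else if (val[0] >= '0' && val[0] <= '9') {
            errno = 0;
            // NOTE(review): only ERANGE is checked; trailing garbage after the
            // digits is accepted and the long result is narrowed to int.
            int j = strtol(val, NULL, 0);
            if (errno == ERANGE) {
                ui->msg("tcp_handshake::parse_keyword() bad value for keyword(%s=%s)", kwd, val);
                return FAIL;
            }
            wscale_map.insert(pair<int, int>(os_id, j));
        } else
            // NOTE(review): the format string has three %s conversions but only
            // two arguments follow (get_name() looks to be missing), so the
            // last %s reads an argument that was never passed.
            ui->msg("[%s] Unknown value (%s=%s)\n", kwd, val);
    } else if (!strncasecmp(kwd, "tcp_syn_ack_tsval", strlen("tcp_syn_ack_tsval"))) {
        // NOTE(review): when val starts with any other character, vl keeps
        // whatever value it had before this chain -- confirm it is initialised
        // where it is declared.
        if (val[0] == 'N' || val[0] == 'n')
            vl = 2;
        else if (val[0] == '!')
            vl = 1;
        else if (val[0] == '0')
            vl = 0;
        tsval.insert(pair<int, unsigned int>(os_id, vl));
    } else if (!strncasecmp(kwd, "tcp_syn_ack_tsecr", strlen("tcp_syn_ack_tsecr"))) {
        // Same encoding as tsval above: N/n -> 2, '!' -> 1, '0' -> 0.
        if (val[0] == 'N' || val[0] == 'n')
            vl = 2;
        else if (val[0] == '!')
            vl = 1;
        else if (val[0] == '0')
            vl = 0;
        tsecr.insert(pair<int, unsigned int>(os_id, vl));
    } else
        // NOTE(review): two %s conversions, one argument (kwd looks to be
        // missing); the second %s reads an argument that was never passed.
        ui->msg("[%s] Unknown keyword %s\n", get_name());
    return OK;
};

/*
 * Fill in the TCP SYN probe that the handshake test sends.
 *
 * tg  - target; supplies the local interface address and the open TCP port.
 * tcp - packet object to populate.
 *
 * Returns OK, or FAIL when gettimeofday() fails.
 *
 * Apart from the source port, the sequence number and the timestamp value,
 * every field set here is a constant (TTL 64, window 5840, TOS 0x10, DF,
 * options MSS 1460 / SACK-permitted / TIMESTAMP / NOP / WSCALE 0), so each
 * probe built by this function has the same header and option layout.
 */
int TCP_Handshake_Mod::get_tcpopts_pack(Target *tg, TCP *tcp) {
    union tcp_options to;
    struct timeval tv;

    if ((gettimeofday(&tv, NULL)) < 0) {
        ui->msg("[%s] gettimeofday failed: %s\n", get_name(), strerror(errno));
        return FAIL;
    }

    // Zero the whole union up front so that no uninitialised stack bytes can
    // end up in an option, whatever the size of its individual members.
    memset(&to, 0, sizeof(to));

    // NOTE(review): reseeding on every call with one-second resolution means
    // two calls within the same second get the same rand() sequence, i.e. the
    // same source port and sequence number.
    srand(time(NULL));
    tcp->set_src(inet_ntoa(tg->get_interface_addr()));
    // CHANGE PORT
    // NOTE(review): the published listing is collapsed onto one line, so where
    // the comment above ends is inferred; set_srcport() is treated as live code.
    tcp->set_srcport(rand());
    tcp->set_dstport(tg->get_port(IPPROTO_TCP, XPROBE_TARGETP_OPEN));
    tcp->set_ttl(64);
    tcp->set_win(5840);
    tcp->set_flags(TH_SYN);
    tcp->set_tos(0x10);
    tcp->set_fragoff(IP_DF);
    tcp->set_seq(rand());

    to.one_word = 1460;
    tcp->set_tcpopt(TCPOPT_MAXSEG, TCPOLEN_MAXSEG, to);

    // sizeof(to), not sizeof(to.unknown): the timestamp option below uses
    // two_dwords[], and its second word must be zero rather than leftover data.
    memset(&to, 0, sizeof(to));
    tcp->set_tcpopt(TCPOPT_SACK_PERMITTED, TCPOLEN_SACK_PERMITTED, to);

    to.two_dwords[0] = tv.tv_usec; // usi++ will do htonl()
    tcp->set_tcpopt(TCPOPT_TIMESTAMP, TCPOLEN_TIMESTAMP, to);

    memset(&to, 0, sizeof(to));
    tcp->set_tcpopt(TCPOPT_NOP, 1, to);

    to.one_byte = 0;
    tcp->set_tcpopt(TCPOPT_WINDOW, TCPOLEN_WINDOW, to);
    return OK;
}

/*
 * Emit the fingerprint keywords for one handshake probe via tg->signature().
 *
 * tg   - target that receives the keyword/value pairs.
 * pack - the received packet; pack->timeout() selects the "no reply" branch.
 * orig - the probe that was sent; used for the IP ID and sequence comparison.
 *
 * Reads the members opt_order, wscale, got_timestamp and timestamps, which are
 * filled in outside this function.
 *
 * Keywords written:
 *
 *   IP header of the TCP SYN ACK
 *     tcp_syn_ack_tos           = [0, <value>]
 *     tcp_syn_ack_df            = [0, 1]
 *     tcp_syn_ack_ip_id         = [0, !0, SENT]
 *     tcp_syn_ack_ttl           = [>< decimal num]
 *
 *   Information from the TCP header
 *     tcp_syn_ack_ack           = [<value>]
 *     tcp_syn_ack_window_size   = [<value>]
 *     tcp_syn_ack_options_order = ["order"]
 *     tcp_syn_ack_wscale        = [<value>, NONE]
 *     tcp_syn_ack_tsval         = [0, !0, NONE]
 *     tcp_syn_ack_tsecr         = [0, !0, NONE]
 */
void TCP_Handshake_Mod::generate_signature(Target *tg, TCP *pack, TCP *orig) {
    string keyword, value;
    unsigned int ttl;
    char buf[100]; // snprintf() always terminates, so no pre-clearing is needed

    if (pack->timeout()) {
        // No reply: still emit every keyword, with an empty value, so the
        // generated signature keeps the full keyword set.
        tg->signature("# No TCP SYN ACK reply received", "");
        tg->signature("tcp_syn_ack_tos", "");
        tg->signature("tcp_syn_ack_df", "");
        tg->signature("tcp_syn_ack_ip_id", "");
        tg->signature("tcp_syn_ack_ttl", "");
        tg->signature("tcp_syn_ack_ack", "");
        tg->signature("tcp_syn_ack_window_size", "");
        tg->signature("tcp_syn_ack_options_order", "");
        tg->signature("tcp_syn_ack_wscale", "");
        tg->signature("tcp_syn_ack_tsval", "");
        tg->signature("tcp_syn_ack_tsecr", "");
        return;
    }

    keyword = "tcp_syn_ack_tos";
    if (pack->get_tos() == 0)
        value = "0";
    else {
        snprintf(buf, sizeof(buf), "0x%x", pack->get_tos());
        value = buf;
    }
    tg->signature(keyword, value);

    /* following checkpoint values for TCP ttl:
     * 32, 60, 64, 128, 255
     */
    keyword = "tcp_syn_ack_ttl";
    ttl = pack->get_ttl() + tg->get_distance();
    value = "<";
    if (ttl <= 32)
        value.append("32");
    else if (ttl <= 60)
        value.append("60");
    else if (ttl <= 64)
        value.append("64");
    else if (ttl <= 128)
        value.append("128");
    else
        // Received TTL plus hop distance can exceed 255; the original chain
        // then appended nothing and emitted a bare "<". Use the top bucket.
        value.append("255");
    tg->signature(keyword, value);

    keyword = "tcp_syn_ack_df";
    // Parenthesised for readability; `&` already binds tighter than `?:`.
    snprintf(buf, sizeof(buf), "%d", (pack->get_fragoff() & IP_DF) ? 1 : 0);
    tg->signature(keyword.c_str(), buf);

    keyword = "tcp_syn_ack_ip_id";
    if (pack->get_id() == 0)
        value = "0";
    else if (pack->get_id() == orig->get_id())
        value = "SENT"; // the reply carries the same IP ID as the probe
    else
        value = "!0";
    tg->signature(keyword, value);

    keyword = "tcp_syn_ack_ack";
    // NOTE(review): printed with %d; confirm the type get_ack()/get_seq()
    // return matches an int-sized argument.
    snprintf(buf, sizeof(buf), "%d", pack->get_ack() - orig->get_seq());
    tg->signature(keyword.c_str(), buf);

    keyword = "tcp_syn_ack_window_size";
    snprintf(buf, sizeof(buf), "%d", pack->get_win());
    tg->signature(keyword.c_str(), buf);

    keyword = "tcp_syn_ack_options_order";
    value = "";
    // Expand each one-letter option code into its printable name; bytes that
    // are not one of the five known codes are skipped.
    for (size_t i = 0; i < sizeof(opt_order); i++) {
        switch (opt_order[i]) {
        case 'N':
            value.append("NOP ");
            break;
        case 'M':
            value.append("MSS ");
            break;
        case 'W':
            value.append("WSCALE ");
            break;
        case 'S':
            value.append("SACK ");
            break;
        case 'T':
            value.append("TIMESTAMP ");
            break;
        }
    }
    tg->signature(keyword, value);

    keyword = "tcp_syn_ack_wscale";
    if (wscale == -1)
        value = "NONE";
    else {
        snprintf(buf, sizeof(buf), "%d", wscale);
        value = buf;
    }
    tg->signature(keyword, value);

    if (got_timestamp) {
        keyword = "tcp_syn_ack_tsval";
        value = (timestamps[0] == 0) ? "0" : "!0";
        tg->signature(keyword, value);

        keyword = "tcp_syn_ack_tsecr";
        value = (timestamps[1] == 0) ? "0" : "!0";
        tg->signature(keyword, value);
    } else {
        tg->signature("tcp_syn_ack_tsval", "NONE");
        tg->signature("tcp_syn_ack_tsecr", "NONE");
    }
}

/*
 * Initialization function: create the module object, give it the name nm,
 * register it with the handler pt and register the ten tcp_syn_ack_* keywords
 * under the module's id. Always returns OK.
 */
int tcp_handshake_mod_init(Xprobe_Module_Hdlr *pt, char *nm) {
    // Handed to register_module() below; presumably the handler keeps it for
    // the lifetime of the program -- it is never deleted here.
    TCP_Handshake_Mod *tcp_handshake = new TCP_Handshake_Mod;

    tcp_handshake->set_name(nm);
    xprobe_mdebug(XPROBE_DEBUG_MODULES, "Initializing the TCP handshake module\n");
    pt->register_module(tcp_handshake);

    pt->add_keyword(tcp_handshake->get_id(), "tcp_syn_ack_ttl");
    pt->add_keyword(tcp_handshake->get_id(), "tcp_syn_ack_ip_id");
    pt->add_keyword(tcp_handshake->get_id(), "tcp_syn_ack_tos");
    pt->add_keyword(tcp_handshake->get_id(), "tcp_syn_ack_df");
    pt->add_keyword(tcp_handshake->get_id(), "tcp_syn_ack_ack");
    pt->add_keyword(tcp_handshake->get_id(), "tcp_syn_ack_window_size");
    pt->add_keyword(tcp_handshake->get_id(), "tcp_syn_ack_options_order");
    pt->add_keyword(tcp_handshake->get_id(), "tcp_syn_ack_wscale");
    pt->add_keyword(tcp_handshake->get_id(), "tcp_syn_ack_tsval");
    pt->add_keyword(tcp_handshake->get_id(), "tcp_syn_ack_tsecr");
    return OK;
}

/*
 * The check_param() overrides below share one shape: when packet p did not
 * time out, pass one field of p and the matching field of o to add_param();
 * otherwise return OK without touching os. p and o are presumably the reply
 * and the probe that was sent -- confirm against the caller.
 */

/* TTL of p against TTL of o. */
int TCP_Handshake_Ttl_Check::check_param(TCP *p, TCP *o, OS_Matrix *os) {
    if (p->timeout())
        return OK;
    return add_param(p->get_ttl(), o->get_ttl(), os);
}

/* IP ID of p against IP ID of o. */
int TCP_Handshake_Ip_Id_Check::check_param(TCP *p, TCP *o, OS_Matrix *os) {
    if (p->timeout())
        return OK;
    return add_param(p->get_id(), o->get_id(), os);
}

/* TOS byte of p against TOS byte of o. */
int TCP_Handshake_Tos_Check::check_param(TCP *p, TCP *o, OS_Matrix *os) {
    if (p->timeout())
        return OK;
    return add_param(p->get_tos(), o->get_tos(), os);
}

/* Don't-fragment bit of p against that of o, each reduced to true/false. */
int TCP_Handshake_Df_Bit_Check::check_param(TCP *p, TCP *o, OS_Matrix *os) {
    if (p->timeout())
        return OK;
    return add_param(((p->get_fragoff() & IP_DF) != 0), ((o->get_fragoff() & IP_DF) != 0), os);
}

/* Difference between p's acknowledgement number and o's sequence number;
 * the second add_param() argument is a literal 0. */
int TCP_Handhake_Ack_Check::check_param(TCP *p, TCP *o, OS_Matrix *os) {
    if (p->timeout())
        return OK;
    return add_param(p->get_ack() - o->get_seq(), 0, os);
}

/* Window size of p against window size of o. */
int TCP_Handshake_Window_Check::check_param(TCP *p, TCP *o, OS_Matrix *os) {
    if (p->timeout())
        return OK;
    return add_param(p->get_win(), o->get_win(), os);
}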