CyberShell/UAHCode
1
0
Fork 0
Code

final work on Port Scan

Browse Source
This commit is contained in:
Andrew Woodlee 2022-12-03 19:12:00 -06:00
parent df06753e1a
commit d61e25e18f
3 changed files with 10349 additions and 196 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

469
CPE449/portScanDetection/anw0044.c
View File

@ -17,6 +17,7 @@ struct scanTypes
u_int halfOpen;
u_int udp;
u_int attemptedScans;
u_int totalPacketsPerAttack;
u_int xmas;
} scansInFile;
@ -46,21 +47,24 @@ struct tcpDictionary
{
struct tcpFlagsSet tcpFlags;
int packetNumInGroup;
uint timesSeen;
struct scanTypesBools scanTypes;
uint16_t srcPort;
uint16_t port;
uint16_t dstPort;
uint16_t srcIP;
uint16_t dstIP;
char *srcIP;
char *dstIP;
} currentTCPPacket;
struct udpPacket
{
uint16_t timesSeen;
uint16_t srcPort;
uint16_t port;
uint16_t dstPort;
uint16_t srcIP;
uint16_t dstIP;
} currentUDPPacket;
char *srcIP;
char *dstIP;
};
// Provided structures
struct pcap_pkthdr *pcapHeaderStruct;
@ -80,17 +84,13 @@ void addToTable(int key, void *data);
void printScans();
// Global variables and constants
int *seqNums;
uint *portNums;
int connectScans = 0;
const int TCP_DICTIONARY_SIZE = 100000;
const char *ErrorMSG = "Must provide input file.\n";
uint8_t *shost;
uint8_t *dhost;
ENTRY *search;
ENTRY entry;
@ -98,7 +98,6 @@ int main(int argc, char **argv)
{
if (hcreate(TCP_DICTIONARY_SIZE) == 0)
{
printf("error");
hcreate(50000);
};
if (argc < 3)
@ -107,7 +106,7 @@ int main(int argc, char **argv)
return 0;
}
seqNums = malloc(TCP_DICTIONARY_SIZE * TCP_DICTIONARY_SIZE * sizeof(int));
portNums = malloc(TCP_DICTIONARY_SIZE * TCP_DICTIONARY_SIZE * sizeof(uint));
char errbuf[PCAP_ERRBUF_SIZE];
char *pcapFileName = argv[2];
@ -124,12 +123,13 @@ int main(int argc, char **argv)
void printScans()
{
printf("Null: %d\n", scansInFile.null);
printf("Xmas: %d\n", scansInFile.xmas);
printf("UDP: %d\n", scansInFile.udp);
printf("Half-open: %d\n", scansInFile.halfOpen);
printf("Connect: %d\n", scansInFile.connect);
printf("Attempted scans: %d\n", scansInFile.attemptedScans);
printf("Null: %u\n", scansInFile.null);
printf("Xmas: %u\n", scansInFile.xmas);
printf("UDP: %u\n", scansInFile.udp);
printf("Half-open: %u\n", scansInFile.halfOpen);
printf("Connect: %u\n", scansInFile.connect);
printf("Attempted scans: %u\n", scansInFile.attemptedScans);
printf("Total packets per attack: %u\n", scansInFile.totalPacketsPerAttack);
}
void myHandler(
@ -167,33 +167,70 @@ void myHandler(
u_char protocol = *(ip_header + 9);
struct udpPacket currentUDPPacket;
if ( protocol == IPPROTO_ICMP)
/*
UDP scan is not successful if ICMP is returned
*/
if (protocol == IPPROTO_ICMP)
{
search = seachTable(currentUDPPacket.port);
struct udpPacket *prevUDPPacket;
if (search != NULL) prevUDPPacket = search->data;
scansInFile.udp--;
if (search != NULL)
prevUDPPacket = search->data;
icmp_header = packet + ethHeaderLength + ipHeaderLength;
icmpHeaderStruct = (struct icmphdr *)icmp_header;
if (icmpHeaderStruct->type == ICMP_DEST_UNREACH)
{
scansInFile.udp--;
scansInFile.attemptedScans++;
}
}
// UDP scan is successful if no response from server or response.
if (protocol == IPPROTO_UDP)
{
struct udpPacket *prevUDPPacket;
udp_header = packet + ethHeaderLength + ipHeaderLength;
udpHeaderStruct = (struct udphdr *)udp_header;
currentUDPPacket.port= ntohs(udpHeaderStruct->source);
addToTable(currentUDPPacket.port, &currentUDPPacket);
if (udpHeaderStruct->uh_dport == 53)
currentUDPPacket.port = ntohs(udpHeaderStruct->source);
search = seachTable(currentUDPPacket.port);
if (search != NULL)
prevUDPPacket = search->data;
currentUDPPacket.dstPort = ntohs(udpHeaderStruct->dest);
currentUDPPacket.srcPort = ntohs(udpHeaderStruct->source);
if (currentUDPPacket.dstPort == 53 || currentUDPPacket.srcPort == 53)
{
return;
}
// response from server
if (search != NULL && currentUDPPacket.dstPort == prevUDPPacket->port)
{
scansInFile.totalPacketsPerAttack++;
scansInFile.attemptedScans++;
scansInFile.udp++;
}
currentUDPPacket.timesSeen++;
if (search != NULL && prevUDPPacket->timesSeen > 1)
{
scansInFile.udp--;
addToTable(currentUDPPacket.port, &currentUDPPacket);
return;
}
addToTable(currentUDPPacket.port, &currentUDPPacket);
scansInFile.udp++;
return;
}
@ -210,7 +247,6 @@ void myHandler(
tcpHeaderLength = tcpHeaderLength * 4;
tcpHeaderStruct = (struct tcphdr *)tcp_header;
const bool ACKflag = (tcpHeaderStruct->ack == 1);
const bool RSTflag = (tcpHeaderStruct->rst == 1);
const bool SYNflag = (tcpHeaderStruct->syn == 1);
@ -231,197 +267,242 @@ void myHandler(
TCP SYN flag is set when connection is made and when server sends back SYN/ACK
ACK flag set when server sends back SYN/ACK, and when client sends response to SYN/ACK
TCP Half-open:
SYN, SYN/ACK, RST
Connect scan:
Open state:
SYN is first
SYN, ACK is second
RST is last
*/
search = seachTable(currentTCPPacket.port);
// printf("Packet Num: %d\n", currentTCPPacket.packetNumInGroup);
/*
returns a value when
*/
// first packet
const uint16_t srcPort = ntohs(tcpHeaderStruct->th_sport);
const uint16_t dstPort = ntohs(tcpHeaderStruct->th_dport);
// struct in_addr_t srcIP = ipHeaderStruct->ip_src.s_addr;
struct tcpDictionary *prevPacket;
if (search!=NULL) prevPacket = search->data;
const uint16_t dstPort = ntohs(tcpHeaderStruct->dest);
const uint16_t srcPort = ntohs(tcpHeaderStruct->source);
char *srcIP = inet_ntoa(ipHeaderStruct->ip_dst);
if (search == NULL || srcPort == prevPacket->port
|| dstPort == prevPacket->port)
currentTCPPacket.packetNumInGroup = 0;
portNums[currentTCPPacket.port]++;
// start of packet for Half-open and Connect
if (SYNflag && !ACKflag && !RSTflag && !FINflag && !PSHflag && !URGflag)
{
search = seachTable(currentTCPPacket.srcPort);
currentTCPPacket.port = dstPort;
currentTCPPacket.srcPort = srcPort;
currentTCPPacket.dstPort = dstPort;
currentTCPPacket.packetNumInGroup = 1;
portNums[dstPort] = 1;
currentTCPPacket.packetNumInGroup = 0;
if (ACKflag || RSTflag)
{
return;
}
// start of packet for Half-open and Connect
if (SYNflag && !ACKflag && !RSTflag && !FINflag && !PSHflag && !URGflag)
addToTable(currentTCPPacket.dstPort, &currentTCPPacket);
return;
}
else if (FINflag)
{
// Xmas pattern
if (PSHflag && URGflag)
{
scansInFile.xmas++;
currentTCPPacket.port = dstPort;
currentTCPPacket.packetNumInGroup = 1;
// hdestroy();
// hcreate(TCP_DICTIONARY_SIZE);
addToTable(currentTCPPacket.dstPort, &currentTCPPacket);
addToTable(currentTCPPacket.port, &currentTCPPacket);
return;
}
// else one of the other scans
else
{
if (FINflag)
{
// Xmas pattern
if (PSHflag && URGflag)
{
scansInFile.xmas++;
currentTCPPacket.port = dstPort;
currentTCPPacket.packetNumInGroup = 1;
addToTable(currentTCPPacket.port, &currentTCPPacket);
return;
}
}
// NULL pattern
if (!SYNflag && !ACKflag &&
!RSTflag && !FINflag &&
!PSHflag && !URGflag)
{
currentTCPPacket.port = dstPort;
currentTCPPacket.packetNumInGroup = 1;
addToTable(currentTCPPacket.port, &currentTCPPacket);
return;
}
}
}
else
// NULL pattern
if (!SYNflag && !ACKflag &&
!RSTflag && !FINflag &&
!PSHflag && !URGflag)
{
// printf("found\n");
// found packet
prevPacket = search->data;
scansInFile.null++;
scansInFile.totalPacketsPerAttack++;
currentTCPPacket.port = dstPort;
currentTCPPacket.packetNumInGroup = 1;
addToTable(currentTCPPacket.port, &currentTCPPacket);
return;
}
currentTCPPacket.packetNumInGroup++;
// does last packet match X-Mas pattern?
if (prevPacket->tcpFlags.PSH &&
prevPacket->tcpFlags.FIN &&
prevPacket->tcpFlags.URG)
struct tcpDictionary *prevPacket;
// SYN, ACK
if (ACKflag && SYNflag)
{
for (uint i = 0; i < TCP_DICTIONARY_SIZE; i++)
{
// printf("Run\n");
if (FINflag)
search = seachTable(i);
if (currentTCPPacket.dstPort == 1029 && search != NULL)
{
// Xmas pattern
if (PSHflag && URGflag)
printf("\nSYN ACK flag");
printf("\n\nDST port: %d\n", currentTCPPacket.dstPort);
printf("\nSRC port: %d\n", currentTCPPacket.srcPort);
}
if (search != NULL && i == currentTCPPacket.dstPort)
{
prevPacket = search->data;
scansInFile.totalPacketsPerAttack++;
const uint16_t dstPort = ntohs(tcpHeaderStruct->dest);
const uint16_t srcPort = ntohs(tcpHeaderStruct->source);
char *srcIP = inet_ntoa(ipHeaderStruct->ip_dst);
// does last packet match X-Mas pattern?
if (prevPacket->tcpFlags.PSH &&
prevPacket->tcpFlags.FIN &&
prevPacket->tcpFlags.URG)
{
// scansInFile.xmas++;
if (FINflag)
{
// Xmas pattern
if (PSHflag && URGflag)
{
scansInFile.xmas++;
currentTCPPacket.port = dstPort;
currentTCPPacket.packetNumInGroup = 1;
addToTable(currentTCPPacket.port, &currentTCPPacket);
return;
}
}
scansInFile.xmas--;
scansInFile.attemptedScans++;
currentTCPPacket.packetNumInGroup = 0;
return;
}
else if (prevPacket->tcpFlags.SYN)
{
// printf("SYN, ACK Port %u\n", currentTCPPacket.dstPort);
currentTCPPacket.packetNumInGroup++;
scansInFile.totalPacketsPerAttack++;
currentTCPPacket.port = dstPort;
currentTCPPacket.packetNumInGroup = 1;
addToTable(currentTCPPacket.port, &currentTCPPacket);
}
}
}
return;
}
// RST, ACK
else if (ACKflag && RSTflag)
{
for (uint i = 0; i < TCP_DICTIONARY_SIZE; i++)
{
search = seachTable(i);
if (search != NULL && i == currentTCPPacket.dstPort)
{
prevPacket = search->data;
// printf("\nRST ACK\n");
// printf("\nDST port: %d\n", currentTCPPacket.dstPort);
// printf("\nSRC port: %d\n", currentTCPPacket.srcPort);
const uint16_t dstPort = ntohs(tcpHeaderStruct->dest);
const uint16_t srcPort = ntohs(tcpHeaderStruct->source);
char *srcIP = inet_ntoa(ipHeaderStruct->ip_dst);
// does last packet match X-Mas pattern?
if (prevPacket->tcpFlags.PSH &&
prevPacket->tcpFlags.FIN &&
prevPacket->tcpFlags.URG)
{
if (FINflag)
{
// Xmas pattern
if (PSHflag && URGflag)
{
portNums[dstPort] = dstPort;
scansInFile.xmas++;
currentTCPPacket.port = dstPort;
currentTCPPacket.packetNumInGroup = 1;
addToTable(currentTCPPacket.port, &currentTCPPacket);
return;
}
}
scansInFile.xmas--;
scansInFile.attemptedScans++;
scansInFile.totalPacketsPerAttack++;
currentTCPPacket.packetNumInGroup = 0;
return;
}
// connect scan complete
else if (prevPacket->tcpFlags.ACK && prevPacket->dstPort == i)
{
portNums[dstPort] = dstPort;
scansInFile.connect++;
scansInFile.totalPacketsPerAttack++;
return;
}
if (!prevPacket->tcpFlags.SYN && !prevPacket->tcpFlags.ACK &&
!prevPacket->tcpFlags.RST && !prevPacket->tcpFlags.FIN &&
!prevPacket->tcpFlags.PSH && !prevPacket->tcpFlags.URG)
{
scansInFile.totalPacketsPerAttack++;
scansInFile.null--;
}
}
}
return;
}
// ACK flag
else if (ACKflag && !SYNflag &&
!PSHflag && !FINflag &&
!RSTflag && !URGflag)
{
for (uint i = 0; i < TCP_DICTIONARY_SIZE; i++)
{
search = seachTable(i);
if (currentTCPPacket.dstPort == 1029 && search != NULL)
{
printf("\nACK flag");
printf("\n\nDST port: %d\n", currentTCPPacket.dstPort);
printf("\nSRC port: %d\n", currentTCPPacket.srcPort);
}
if (search != NULL && i == currentTCPPacket.dstPort)
{
printf("\nFound port: %d\n", currentTCPPacket.srcPort);
portNums[dstPort]++;
prevPacket = search->data;
const uint16_t dstPort = ntohs(tcpHeaderStruct->dest);
const uint16_t srcPort = ntohs(tcpHeaderStruct->source);
char *srcIP = inet_ntoa(ipHeaderStruct->ip_dst);
if (prevPacket->tcpFlags.ACK &&
prevPacket->tcpFlags.SYN)
{
scansInFile.totalPacketsPerAttack++;
addToTable(currentTCPPacket.dstPort, &currentTCPPacket);
return;
}
// addToTable(currentTCPPacket.dstPort, &currentTCPPacket);
}
return;
}
}
else if (RSTflag)
{
for (uint i = 0; i < TCP_DICTIONARY_SIZE; i++)
{
search = seachTable(i);
// printf("\nDST port: %d\n", currentTCPPacket.dstPort);
// printf("\nSRC port: %d\n", currentTCPPacket.srcPort);
if (search != NULL)
{
// printf("\nFound port: %d\n", currentTCPPacket.port);
portNums[dstPort]++;
prevPacket = search->data;
const uint16_t dstPort = ntohs(tcpHeaderStruct->dest);
const uint16_t srcPort = ntohs(tcpHeaderStruct->source);
char *srcIP = inet_ntoa(ipHeaderStruct->ip_dst);
if (prevPacket->tcpFlags.SYN && prevPacket->tcpFlags.ACK)
{
portNums[dstPort] = dstPort;
scansInFile.halfOpen++;
scansInFile.totalPacketsPerAttack++;
return;
}
}
scansInFile.xmas++;
if (ACKflag && RSTflag)
{
scansInFile.xmas--;
scansInFile.attemptedScans++;
// printf("XMas\n");
currentTCPPacket.packetNumInGroup = 0;
return;
}
return;
}
// ACK and SYN current
else if (SYNflag && ACKflag &&
!RSTflag && !FINflag &&
!PSHflag && !URGflag)
{
currentTCPPacket.packetNumInGroup++;
if (prevPacket->tcpFlags.SYN && prevPacket->tcpFlags.ACK)
{
addToTable(currentTCPPacket.port, &currentTCPPacket);
return;
}
addToTable(currentTCPPacket.port, &currentTCPPacket);
return;
}
// ACK and SYN prev
// Connect and half-open
else if (prevPacket->tcpFlags.ACK && prevPacket->tcpFlags.SYN &&
!prevPacket->tcpFlags.FIN && !prevPacket->tcpFlags.PSH &&
!prevPacket->tcpFlags.RST && !prevPacket->tcpFlags.URG)
{
if (RSTflag){
scansInFile.halfOpen++;
addToTable(currentTCPPacket.port, &currentTCPPacket);
currentTCPPacket.packetNumInGroup = 0;
return;
}
else if (ACKflag)
{
currentTCPPacket.packetNumInGroup++;
addToTable(currentTCPPacket.port, &currentTCPPacket);
return;
}
}
// ACK prev
// Connect successful?
else if (prevPacket->tcpFlags.ACK && !prevPacket->tcpFlags.SYN &&
!prevPacket->tcpFlags.FIN && !prevPacket->tcpFlags.PSH &&
!prevPacket->tcpFlags.RST && !prevPacket->tcpFlags.URG)
{
// yes
if (RSTflag){
scansInFile.connect++;
currentTCPPacket.packetNumInGroup = 0;
return;
}
// no
else if (ACKflag)
{
currentTCPPacket.packetNumInGroup++;
addToTable(currentTCPPacket.port, &currentTCPPacket);
return;
}
}
// ACK prev, SYN current
else if (SYNflag && !ACKflag && !RSTflag && !FINflag && !PSHflag && !URGflag && prevPacket->tcpFlags.ACK)
{
currentTCPPacket.packetNumInGroup++;
addToTable(currentTCPPacket.port, &currentTCPPacket);
return;
}
// Filtered for
else if (!SYNflag && !ACKflag &&
!RSTflag && !FINflag &&
!PSHflag && !URGflag &&
prevPacket->tcpFlags.SYN)
{
scansInFile.attemptedScans++;
}
// scans for
else if (prevPacket->tcpFlags.SYN &&
!SYNflag && !ACKflag &&
RSTflag && !FINflag &&
!PSHflag && !URGflag)
{
return;
}
}
}

10055
CPE449/portScanDetection/out.txt
View File

File diff suppressed because it is too large Load Diff

21
CPE449/portScanDetection/test-files Executable file
View File

@ -0,0 +1,21 @@
#!/bin/bash
echo "udp_scan.pcap: "
./anw0044.exe -i udp_scan.pcap
echo "halfopen.pcap: "
./anw0044.exe -i halfopen.pcap
echo "null_scan.pcap: "
./anw0044.exe -i null_scan.pcap
echo "noscan.pcap: "
./anw0044.exe -i noscan.pcap
echo "connect_scan.pcap: "
./anw0044.exe -i connect_scan.pcap