JRSmile

DHCP traffic analyser

2 posts in this topic

#1 ·  Posted (edited)

Hi there,

A long long time ago... I found the time and the need to add something to the examples forum again.

I'm currently trying to get better at packet analysing and wrote a proof-of-concept DHCP protocol analyser.

It's nowhere near a completed state, but it should give you a hint of what can be done with winpcap.udf while fighting against bits/bytes and horribly written RFCs (http://www.networksorcery.com/enp/rfc/rfc1533.txt , http://www.networksorcery.com/enp/protocol/bootp/options.htm).

YOU WILL NEED THE WinPCap - Packet.dll UDF from here: ()

#region ;**** Directives created by AutoIt3Wrapper_GUI ****
#AutoIt3Wrapper_Change2CUI=y
#endregion ;**** Directives created by AutoIt3Wrapper_GUI ****
#include <Array.au3>
#include <Date.au3>
#include "Winpcap.au3"

$winpcap = _PcapSetup()
If ($winpcap = -1) Then
    MsgBox(16, "Pcap error !", "WinPcap not found !")
    Exit
EndIf
$pcap_devices = _PcapGetDeviceList()
If ($pcap_devices = -1) Then
    MsgBox(16, "Pcap error !", _PcapGetLastError())
    Exit
EndIf
For $i = 0 To UBound($pcap_devices) - 1
    ;~  ConsoleWrite($pcap_devices[$i][0] & " ==> " & $pcap_devices[$i][1] & @CRLF)
Next
$dev_ID = $pcap_devices[0][0] ; first adapter in the list; uncomment the loop above to find another one

$i = 0
$pcap = 0
$packet = 0
$pcapfile = 0
$prom = 1 ; promiscuous mode
$filter = "port 67" ; DHCP: matches client->server (68->67) as well as server->client (67->68)
$pcap = _PcapStartCapture($dev_ID, $filter, $prom)
If ($pcap = -1) Then
    MsgBox(16, "Pcap error !", _PcapGetLastError())
    Exit
EndIf
$linktype = _PcapGetLinkType($pcap)
If ($linktype[1] <> "EN10MB") Then
    MsgBox(16, "Pcap error !", "This example only works for Ethernet captures")
    Exit
EndIf
;~ AdlibRegister("Stats", 1000 * 60)
While True
    If IsPtr($pcap) Then ; If $pcap is a Ptr, then the capture is running
        $time0 = TimerInit()
        While (TimerDiff($time0) < 500) ; Retrieve packets from queue for maximum 500ms before returning to main loop, not to "hang" the window for user
            $packet = _PcapGetPacket($pcap)
            If IsInt($packet) Then ExitLoop ; nothing queued (or an error)
            $udpdata = _UDP_Parser($packet[3])
            If IsBinary($udpdata) Then _DHCP_Parser($udpdata) ; _UDP_Parser returns 0 for frames it cannot handle
        WEnd
    EndIf
    Sleep(1)
WEnd
_PcapFree()
Exit

Func Stats()
    $s = _PcapGetStats($pcap)
    Local $stats_txt = ""
    For $a = 1 To UBound($s, 1) - 1
        $stats_txt &= $s[$a][1] & ":" & $s[$a][0] & @CRLF
    Next
    ConsoleWrite($stats_txt)
EndFunc   ;==>Stats

Func _BE32($data, $pos)
    ; Read an unsigned 32-bit value in network byte order (big-endian) starting at 1-based offset $pos.
    ; Number() on a 4-byte binary interprets it little-endian, which is why lease time and time offset came out wrong.
    Return Number(BinaryMid($data, $pos, 1)) * 16777216 + Number(BinaryMid($data, $pos + 1, 1)) * 65536 + Number(BinaryMid($data, $pos + 2, 1)) * 256 + Number(BinaryMid($data, $pos + 3, 1))
EndFunc   ;==>_BE32

Func _UDP_Parser($data)
    ; Offsets assume an Ethernet II frame (14 bytes) followed by an IPv4 header without options (20 bytes).
    ; BinaryMid positions are 1-based, so the UDP header starts at byte 35 and the payload at byte 43.
    If BinaryMid($data, 13, 2) <> "0x0800" Then Return 0 ; Ethertype must be IPv4
    If BinaryMid($data, 24, 1) <> "0x11" Then Return 0 ; IP protocol must be UDP (17)
    If BitAND(Number(BinaryMid($data, 15, 1)), 0x0F) <> 5 Then Return 0 ; IHL <> 5 means IP options are present and the fixed offsets below would be wrong
    Local $srcip = Number(BinaryMid($data, 27, 1)) & "." & Number(BinaryMid($data, 28, 1)) & "." & Number(BinaryMid($data, 29, 1)) & "." & Number(BinaryMid($data, 30, 1))
    Local $dstip = Number(BinaryMid($data, 31, 1)) & "." & Number(BinaryMid($data, 32, 1)) & "." & Number(BinaryMid($data, 33, 1)) & "." & Number(BinaryMid($data, 34, 1))
    Local $srcport = Number(BinaryMid($data, 35, 1)) * 256 + Number(BinaryMid($data, 36, 1))
    Local $dstport = Number(BinaryMid($data, 37, 1)) * 256 + Number(BinaryMid($data, 38, 1))
    Local $udplength = Number(BinaryMid($data, 39, 1)) * 256 + Number(BinaryMid($data, 40, 1)) ; header + payload
    Local $udpchecksum = Number(BinaryMid($data, 41, 1)) * 256 + Number(BinaryMid($data, 42, 1))
    If $udplength < 8 Then Return 0 ; malformed: shorter than the UDP header itself
    ConsoleWrite($srcip & ":" & $srcport & " ==> " & $dstip & ":" & $dstport & " Length: " & $udplength & @CRLF)
    Local $udpdata = BinaryMid($data, 43, $udplength - 8) ; payload only: the UDP length field includes the 8-byte header
    ConsoleWrite($udpdata & @CRLF)
    Return $udpdata
EndFunc   ;==>_UDP_Parser

Func _DHCP_Parser($udpdata)
    If BinaryLen($udpdata) < 236 Then Return ; shorter than the fixed BOOTP header, nothing to parse
    $op = Number(BinaryMid($udpdata, 1, 1))
    Switch $op
        Case 1
            ConsoleWrite("Boot Request ")
        Case 2
            ConsoleWrite("Boot Reply ")
    EndSwitch
    $htype = Number(BinaryMid($udpdata, 2, 1))
    Switch $htype
        Case 1
            ConsoleWrite("via Ethernet ")
        Case 6
            ConsoleWrite("via IEEE 802 ")
        Case 7
            ConsoleWrite("via ARCNET ")
    EndSwitch
    $hlen = Number(BinaryMid($udpdata, 3, 1))
    Switch $hlen
        Case 6
            ConsoleWrite("and a Hardware address Length of a MAC address ")
        Case Else
            ConsoleWrite("and an unknown Hardware address Length of " & $hlen & " ")
    EndSwitch
    $hops = Number(BinaryMid($udpdata, 4, 1))
    Switch $hops
        Case 0
            ConsoleWrite("sent directly ")
        Case Else
            ConsoleWrite("relayed over " & $hops & " DHCP-Relay-Agents ")
    EndSwitch
    $xid = BinaryMid($udpdata, 5, 4)
    ConsoleWrite("and a transaction ID of " & $xid & " ")
    $secs = Number(BinaryMid($udpdata, 9, 1)) * 256 + Number(BinaryMid($udpdata, 10, 1))
    ConsoleWrite("waiting since " & $secs & " seconds ")
    ; flags is a 16-bit field; only its most significant bit (the broadcast flag) is defined, the rest must be zero
    $flags = BitAND(Number(BinaryMid($udpdata, 11, 1)), 0x80)
    Switch $flags
        Case 0
            ConsoleWrite("asking for a unicast reply (broadcast flag clear) ")
        Case Else
            ConsoleWrite("asking for a broadcast reply (broadcast flag set) ")
    EndSwitch
    $ciaddr = Number(BinaryMid($udpdata, 13, 1)) & "." & Number(BinaryMid($udpdata, 14, 1)) & "." & Number(BinaryMid($udpdata, 15, 1)) & "." & Number(BinaryMid($udpdata, 16, 1))
    $yiaddr = Number(BinaryMid($udpdata, 17, 1)) & "." & Number(BinaryMid($udpdata, 18, 1)) & "." & Number(BinaryMid($udpdata, 19, 1)) & "." & Number(BinaryMid($udpdata, 20, 1))
    $siaddr = Number(BinaryMid($udpdata, 21, 1)) & "." & Number(BinaryMid($udpdata, 22, 1)) & "." & Number(BinaryMid($udpdata, 23, 1)) & "." & Number(BinaryMid($udpdata, 24, 1))
    $giaddr = Number(BinaryMid($udpdata, 25, 1)) & "." & Number(BinaryMid($udpdata, 26, 1)) & "." & Number(BinaryMid($udpdata, 27, 1)) & "." & Number(BinaryMid($udpdata, 28, 1))
    ConsoleWrite("ClientIP: " & $ciaddr & " Your IP: " & $yiaddr & " Server IP: " & $siaddr & " Relay-Agent-IP-Address " & $giaddr & " ")
    $chaddr = BinaryMid($udpdata, 29, 16) ; 16-byte field, only the first $hlen bytes are the address
    $chaddr_mac = StringTrimLeft(BinaryMid($udpdata, 29, 6), 2)
    $chaddr_pad = StringTrimLeft(BinaryMid($udpdata, 35, 10), 2)
    ConsoleWrite("and a client identifier of " & $chaddr & " which results in a client MAC-Address of " & $chaddr_mac & " and padding, ")
    $sname = StringReplace(BinaryToString(BinaryMid($udpdata, 45, 64)), Chr(0), "")
    Switch $sname
        Case ""
            ConsoleWrite("requesting no special server ")
        Case Else
            ConsoleWrite("requesting Server-Name " & $sname & " ")
    EndSwitch
    $file = StringReplace(BinaryToString(BinaryMid($udpdata, 109, 128)), Chr(0), "")
    Switch $file
        Case ""
            ConsoleWrite("with no boot-file specified ")
        Case Else
            ConsoleWrite("getting following Bootfile '" & $file & "' ")
    EndSwitch
    $options = StringReplace(BinaryToString(BinaryMid($udpdata, 237)), Chr(0), "")
    ConsoleWrite("and the following options: " & $options)
    ConsoleWrite(@CRLF)
    ; A BOOTP packet is DHCP only if the four bytes after the fixed header are exactly the magic cookie 63 82 53 63.
    ; BitAND() would be non-zero for almost any value, so compare the hex string instead.
    If Hex(BinaryMid($udpdata, 237, 4)) = "63825363" Then ; is a DHCP Package
        ConsoleWrite("DHCP options:" & @CRLF)
        _DHCP_Options_Parser(BinaryMid($udpdata, 241))
    EndIf
EndFunc   ;==>_DHCP_Parser

Func _DHCP_Options_Parser($options)
    $i = 1
    Do
        $options_type = Number(BinaryMid($options, $i, 1))
        $length = Number(BinaryMid($options, $i + 1, 1))
        If $options_type = 0 Or $options_type = 255 Then
            $length = 0 ; pad and end are single-byte options without a length field
            $advance = 1
        Else
            $advance = 2 + $length ; tag byte + length byte + value
        EndIf
        If $i + $advance - 1 > BinaryLen($options) Then
            ConsoleWrite("truncated option " & $options_type & " (claims " & $length & " bytes) - stopping" & @CRLF)
            ExitLoop
        EndIf
        ConsoleWrite("Count: " & $i & " Option Type: " & $options_type & " Packet Length: " & $length & @CRLF)
        Switch $options_type
            Case 0 ; padding
            Case 1 ; Subnetmask
                $subnetmask = Number(BinaryMid($options, $i + 2, 1)) & "." & Number(BinaryMid($options, $i + 3, 1)) & "." & Number(BinaryMid($options, $i + 4, 1)) & "." & Number(BinaryMid($options, $i + 5, 1))
                ConsoleWrite("Subnetmask: " & $subnetmask & @CRLF)
            Case 2 ; time offset (signed seconds from UTC, network byte order)
                $time_offset = _BE32($options, $i + 2)
                If $time_offset > 0x7FFFFFFF Then $time_offset -= 4294967296 ; two's complement
                ConsoleWrite("Time Offset: " & $time_offset & @CRLF)
            Case 3 ; Router Option: same layout as DNS servers, a list of 4-byte addresses
                For $j = 0 To Int($length / 4) - 1
                    $router = Number(BinaryMid($options, $i + 2 + ($j * 4), 1)) & "." & Number(BinaryMid($options, $i + 3 + ($j * 4), 1)) & "." & Number(BinaryMid($options, $i + 4 + ($j * 4), 1)) & "." & Number(BinaryMid($options, $i + 5 + ($j * 4), 1))
                    ConsoleWrite("router: " & $router & @CRLF)
                Next
            Case 6 ; DNS-Servers
                $dns_servers_count = Int($length / 4)
                For $j = 0 To $dns_servers_count - 1
                    $dns_servers = Number(BinaryMid($options, $i + 2 + ($j * 4), 1)) & "." & Number(BinaryMid($options, $i + 3 + ($j * 4), 1)) & "." & Number(BinaryMid($options, $i + 4 + ($j * 4), 1)) & "." & Number(BinaryMid($options, $i + 5 + ($j * 4), 1))
                    ConsoleWrite("dns server: " & $dns_servers & @CRLF)
                Next
            Case 12 ; Client Hostname
                $Host_Name = StringReplace(BinaryToString(BinaryMid($options, $i + 2, $length)), Chr(0), "")
                ConsoleWrite("Host Name: " & $Host_Name & @CRLF)
            Case 43 ; Vendor-specific information
                $vendor_specific_info = StringReplace(BinaryToString(BinaryMid($options, $i + 2, $length)), Chr(0), "")
                ConsoleWrite("Vendor-specific information: " & $vendor_specific_info & @CRLF)
            Case 51 ; Address lease time (unsigned seconds, network byte order)
                $lease_time = _BE32($options, $i + 2)
                $sNewDate = _DateAdd('s', $lease_time, _NowCalc()) ; _NowCalc() includes the time of day, _NowCalcDate() does not
                ConsoleWrite("Lease Time: " & $lease_time & " seconds, expires " & $sNewDate & @CRLF)
            Case 53 ; DHCP Message type
                Switch Number(BinaryMid($options, $i + 2, 1))
                    Case 1
                        ConsoleWrite("DHCPDISCOVER" & @CRLF)
                    Case 2
                        ConsoleWrite("DHCPOFFER" & @CRLF)
                    Case 3
                        ConsoleWrite("DHCPREQUEST" & @CRLF)
                    Case 4
                        ConsoleWrite("DHCPDECLINE" & @CRLF)
                    Case 5
                        ConsoleWrite("DHCPACK" & @CRLF)
                    Case 6
                        ConsoleWrite("DHCPNAK" & @CRLF)
                    Case 7
                        ConsoleWrite("DHCPRELEASE" & @CRLF)
                    Case 8
                        ConsoleWrite("DHCPINFORM" & @CRLF)
                    Case Else ; Armageddon!!!
                EndSwitch
            Case 54 ; Server Identifier
                $server_identifier = Number(BinaryMid($options, $i + 2, 1)) & "." & Number(BinaryMid($options, $i + 3, 1)) & "." & Number(BinaryMid($options, $i + 4, 1)) & "." & Number(BinaryMid($options, $i + 5, 1))
                ConsoleWrite("Server Identifier: " & $server_identifier & @CRLF)
            Case 55 ; Parameter Request List
                $parameter_request_list = BinaryMid($options, $i + 2, $length)
                ConsoleWrite("Parameter Request List: " & $parameter_request_list & @CRLF)
            Case 60 ; Class-Identifier
                $class_identifier = StringReplace(BinaryToString(BinaryMid($options, $i + 2, $length)), Chr(0), "")
                ConsoleWrite("Class-Identifier: " & $class_identifier & @CRLF)
            Case 61 ; Identifier
                $identifier = BinaryMid($options, $i + 2, $length)
                ConsoleWrite("Identifier: " & $identifier & @CRLF)
            Case 81 ; FQDN
                $FQDN = StringReplace(BinaryToString(BinaryMid($options, $i + 2, $length)), Chr(0), "")
                ConsoleWrite("FQDN: " & $FQDN & @CRLF)
            Case 255 ; end
                $i = BinaryLen($options)
            Case Else ; Armageddon!!!
        EndSwitch
        $i += $advance
    Until $i > BinaryLen($options) ; unclean but prevents the loop from continuing infinitely if a counting error occurs.
    Return False ; until everything is in a 2d array.....
EndFunc   ;==>_DHCP_Options_Parser

traffic.au3

Edited by JRSmile

$a=StringSplit("547275737420796F757220546563686E6F6C75737421","")For $b=1 To UBound($a)+(-1*-1*-1)step(2^4/8);&$b+=1*2/40*µ&Asc(4)Assign("c",Eval("c")&Chr(Dec($a[$b]&$a[$b+1])))''Chr("a")&"HI"Next;time_U&r34d,ths,U-may=get$the&c.l.u.e;b3st-regards,JRSmile;MsgBox(0x000000,"",Eval("c"));PiEs:d0nt+*b3.s4d.4ft3r.1st-try:-)
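The hard parts of the script above are the option walk (pad and end have no length byte, a wrong length can run past the buffer), the magic-cookie test, the broadcast bit in the 16-bit flags field and the big-endian lease time. The following Python version is an added example, not JRSmile's code and not part of the WinPcap UDF; it parses a raw DHCP payload (everything after the UDP header) into a dictionary and is fed a constructed DHCPOFFER, not captured traffic. Function names and the sample values are my own.

```python
import struct
from typing import Any, Dict, List

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2132 cookie that marks a BOOTP packet as DHCP
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def _ip_list(b: bytes) -> List[str]:
    # Options 3 (routers) and 6 (DNS servers) carry one or more 4-byte addresses back to back.
    if len(b) % 4 != 0:
        raise ValueError("address list length %d is not a multiple of 4" % len(b))
    return [_ip(b[i:i + 4]) for i in range(0, len(b), 4)]


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Walk the TLV area after the magic cookie and return {tag: raw value}.

    Pad (0) and End (255) are single bytes with no length field, so the cursor
    moves by 1 for them and by 2 + length otherwise. A length that runs past the
    buffer is rejected rather than silently read short.
    """
    opts: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        tag = blob[i]
        if tag == 0:
            i += 1
            continue
        if tag == 255:
            break
        if i + 1 >= len(blob):
            raise ValueError("option %d has no length byte" % tag)
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, only %d present" % (tag, length, len(value)))
        opts[tag] = opts.get(tag, b"") + value  # RFC 3396: a repeated tag continues the previous value
        i += 2 + length
    return opts


def parse_dhcp(payload: bytes) -> Dict[str, Any]:
    """Decode the 236-byte fixed BOOTP header, then the DHCP options if the cookie is present."""
    if len(payload) < 236:
        raise ValueError("payload shorter than the fixed BOOTP header")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    result: Dict[str, Any] = {
        "op": {1: "BOOTREQUEST", 2: "BOOTREPLY"}.get(op, "unknown(%d)" % op),
        "htype": htype, "hops": hops, "xid": xid, "secs": secs,
        "broadcast": bool(flags & 0x8000),  # only the top bit of the 16-bit flags field is defined
        "ciaddr": _ip(payload[12:16]), "yiaddr": _ip(payload[16:20]),
        "siaddr": _ip(payload[20:24]), "giaddr": _ip(payload[24:28]),
        "chaddr": payload[28:28 + min(hlen, 16)].hex(":"),  # hlen bytes of the 16-byte field are the address
        "sname": payload[44:108].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "file": payload[108:236].split(b"\x00", 1)[0].decode("ascii", "replace"),
        "is_dhcp": payload[236:240] == MAGIC_COOKIE,
        "options": {},
    }
    if not result["is_dhcp"]:
        return result  # plain BOOTP: no option area to walk
    decoded: Dict[str, Any] = {}
    for tag, value in parse_options(payload[240:]).items():
        if tag == 1:
            decoded["subnet_mask"] = _ip(value)
        elif tag == 3:
            decoded["routers"] = _ip_list(value)
        elif tag == 6:
            decoded["dns_servers"] = _ip_list(value)
        elif tag == 12:
            decoded["hostname"] = value.decode("ascii", "replace")
        elif tag == 51:
            decoded["lease_time"] = struct.unpack("!I", value)[0]  # network byte order, not a native int
        elif tag == 53:
            decoded["message_type"] = MESSAGE_TYPES.get(value[0], "unknown(%d)" % value[0])
        elif tag == 54:
            decoded["server_id"] = _ip(value)
        elif tag == 55:
            decoded["parameter_request_list"] = list(value)
        else:
            decoded["option_%d" % tag] = value.hex()  # unknown tags are kept raw rather than dropped
    result["options"] = decoded
    return result


def build_sample_offer() -> bytes:
    """Constructed DHCPOFFER (not captured traffic): server 192.168.1.1 offers 192.168.1.100."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0x8000)  # BOOTREPLY, Ethernet, broadcast set
    hdr += bytes([0, 0, 0, 0]) + bytes([192, 168, 1, 100]) + bytes([192, 168, 1, 1]) + bytes([0, 0, 0, 0])
    hdr += bytes.fromhex("001122334455") + b"\x00" * 10  # chaddr: 6-byte MAC plus padding
    hdr += b"\x00" * 64 + b"\x00" * 128  # empty sname and file
    opts = MAGIC_COOKIE
    opts += bytes([53, 1, 2])  # message type: DHCPOFFER
    opts += bytes([54, 4, 192, 168, 1, 1])  # server identifier
    opts += bytes([51, 4]) + struct.pack("!I", 86400)  # lease time: one day
    opts += bytes([1, 4, 255, 255, 255, 0])  # subnet mask
    opts += bytes([3, 4, 192, 168, 1, 1])  # router
    opts += bytes([6, 8, 192, 168, 1, 1, 9, 9, 9, 9])  # two DNS servers
    opts += b"\x00\x00" + bytes([255]) + b"\x00" * 3  # pad, end, trailing pad
    return hdr + opts


if __name__ == "__main__":
    print(parse_dhcp(build_sample_offer()))
```

For a capture-based tool, `parse_dhcp` would receive the UDP payload, i.e. the bytes after the 8-byte UDP header, whose length is the UDP length field minus 8; the `ValueError` raised for a bad option length is what a monitoring script should log rather than ignore, since malformed option areas are exactly the input a decoder must not trust.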

This is great, thx very much
