JRSmile Posted November 9, 2011 Share Posted November 9, 2011 (edited) Hi there,a long long time ago... i found the time and need to add again something to the examples forum.I'm currently trying to get better in packet analysing and wrote a proove of concept dhcp protocol analyser.its no where near a completed state but just to give you a hint what can be done with winpcap.udf and fighting against bits/bytes and horrorbly written RFCs (http://www.networksorcery.com/enp/rfc/rfc1533.txt , http://www.networksorcery.com/enp/protocol/bootp/options.htm).YOU WILL NEED THE WinPCap - Packet.dll UDF from here: ()expandcollapse popup#region ;**** Directives created by AutoIt3Wrapper_GUI **** #AutoIt3Wrapper_Change2CUI=y #endregion ;**** Directives created by AutoIt3Wrapper_GUI **** #include <array.au3> #include <date.au3> #include "Winpcap.au3" $winpcap = _PcapSetup() If ($winpcap = -1) Then MsgBox(16, "Pcap error !", "WinPcap not found !") Exit EndIf $pcap_devices = _PcapGetDeviceList() If ($pcap_devices = -1) Then MsgBox(16, "Pcap error !", _PcapGetLastError()) Exit EndIf For $i = 0 To UBound($pcap_devices) - 1 ;~ ConsoleWrite($pcap_devices[$i][0] & " ==> " & $pcap_devices[$i][1] & @CRLF) Next $dev_ID = $pcap_devices[0][0] $i = 0 $pcap = 0 $packet = 0 $pcapfile = 0 $prom = 1 $filter = "port 67" ; DHCP $pcap = _PcapStartCapture($dev_ID, $filter, $prom) If ($pcap = -1) Then MsgBox(16, "Pcap error !", _PcapGetLastError()) Exit EndIf $linktype = _PcapGetLinkType($pcap) If ($linktype[1] <> "EN10MB") Then MsgBox(16, "Pcap error !", "This example only works for Ethernet captures") Exit EndIf ;~ AdlibRegister("stats", 1000 * 60) While True If IsPtr($pcap) Then ; If $pcap is a Ptr, then the capture is running $time0 = TimerInit() While (TimerDiff($time0) < 500) ; Retrieve packets from queue for maximum 500ms before returning to main loop, not to "hang" the window for user $packet = _PcapGetPacket($pcap) If IsInt($packet) Then ExitLoop $udpdata = _UDP_Parser($packet[3]) $dhcpdata = _DHCP_Parser($udpdata) WEnd EndIf Sleep(1) WEnd _PcapFree() Exit Func Stats() $s = _PcapGetStats($pcap) Local $stats_txt = "" For $a = 1 To UBound($s, 1) - 1 $stats_txt &= $s[$a][1] & ":" & $s[$a][0] & @CRLF Next ConsoleWrite($stats_txt) EndFunc ;==>Stats Func _UDP_Parser($data) If BinaryMid($data, 13, 2) <> "0x0800" Then Return ; Ethertype If BinaryMid($data, 24, 1) <> "0x11" Then Return ; UDP Local $srcip = Number(BinaryMid($data, 27, 1)) & "." & Number(BinaryMid($data, 28, 1)) & "." & Number(BinaryMid($data, 29, 1)) & "." & Number(BinaryMid($data, 30, 1)) Local $dstip = Number(BinaryMid($data, 31, 1)) & "." & Number(BinaryMid($data, 32, 1)) & "." & Number(BinaryMid($data, 33, 1)) & "." & Number(BinaryMid($data, 34, 1)) Local $srcport = Number(BinaryMid($data, 35, 1)) * 256 + Number(BinaryMid($data, 36, 1)) Local $dstport = Number(BinaryMid($data, 37, 1)) * 256 + Number(BinaryMid($data, 38, 1)) Local $udplength = Number(BinaryMid($data, 39, 1)) * 256 + Number(BinaryMid($data, 40, 1)) Local $udpchecksum = Number(BinaryMid($data, 41, 1)) * 256 + Number(BinaryMid($data, 42, 1)) ConsoleWrite($srcip & ":" & $srcport & " ==> " & $dstip & ":" & $dstport & " Length: " & $udplength & @CRLF) Local $udpdata = BinaryMid($data, 43, $udplength) ConsoleWrite($udpdata & @CRLF) Return $udpdata EndFunc ;==>_UDP_Parser Func _DHCP_Parser($udpdata) $op = Number(BinaryMid($udpdata, 1, 1)) Switch $op Case 1 ConsoleWrite("Boot Request ") Case 2 ConsoleWrite("Boot Reply ") EndSwitch $htype = Number(BinaryMid($udpdata, 2, 1)) Switch $htype Case 1 ConsoleWrite("via Ethernet ") Case 6 ConsoleWrite("via IEEE 802 ") Case 7 ConsoleWrite("via ARCNET ") EndSwitch $hlen = Number(BinaryMid($udpdata, 3, 1)) Switch $hlen Case 6 ConsoleWrite("and a Hardware address Length of a MAC address ") Case 2 ConsoleWrite("and an Unknown Hardware address Length ") EndSwitch $hops = Number(BinaryMid($udpdata, 4, 1)) Switch $hops Case 0 ConsoleWrite("send directly ") Case Else ConsoleWrite("relayed over " & $hops & " DHCP-Relay-Agents ") EndSwitch $xid = BinaryMid($udpdata, 5, 4) ConsoleWrite("and a transaction ID of " & $xid & " ") $secs = Number(BinaryMid($udpdata, 9, 1)) * 256 + Number(BinaryMid($udpdata, 10, 1)) ConsoleWrite("waiting since " & $secs & " seconds ") $flags = Number(BinaryMid($udpdata, 11, 1)) ; easy implemetation Switch $flags Case 0 ConsoleWrite("with an old IP ") Case 1 ConsoleWrite("without an old IP ") EndSwitch $ciaddr = Number(BinaryMid($udpdata, 13, 1)) & "." & Number(BinaryMid($udpdata, 14, 1)) & "." & Number(BinaryMid($udpdata, 15, 1)) & "." & Number(BinaryMid($udpdata, 16, 1)) $yiaddr = Number(BinaryMid($udpdata, 17, 1)) & "." & Number(BinaryMid($udpdata, 18, 1)) & "." & Number(BinaryMid($udpdata, 19, 1)) & "." & Number(BinaryMid($udpdata, 20, 1)) $siaddr = Number(BinaryMid($udpdata, 21, 1)) & "." & Number(BinaryMid($udpdata, 22, 1)) & "." & Number(BinaryMid($udpdata, 23, 1)) & "." & Number(BinaryMid($udpdata, 24, 1)) $giaddr = Number(BinaryMid($udpdata, 25, 1)) & "." & Number(BinaryMid($udpdata, 26, 1)) & "." & Number(BinaryMid($udpdata, 27, 1)) & "." & Number(BinaryMid($udpdata, 28, 1)) ConsoleWrite("ClientIP: " & $ciaddr & " Your IP: " & $yiaddr & " Server IP: " & $siaddr & " Relay-Agent-IP-Adress " & $giaddr & " ") $chaddr = BinaryMid($udpdata, 29, 16) $chaddr_mac = StringTrimLeft(BinaryMid($udpdata, 29, 6), 2) $chaddr_pad = StringTrimLeft(BinaryMid($udpdata, 35, 10), 2) ConsoleWrite("and a client identifier of " & $chaddr & " which results in a client MAC-Address of " & $chaddr_mac & " and padding, ") $sname = StringReplace(BinaryToString(BinaryMid($udpdata, 45, 64)), Chr(0), "") Switch $sname Case "" ConsoleWrite("requesting no special server ") Case Else ConsoleWrite("requesting Server-Name " & $sname & " ") EndSwitch $file = StringReplace(BinaryToString(BinaryMid($udpdata, 109, 128)), Chr(0), "") Switch $file Case "" ConsoleWrite("with no boot-file specified ") Case Else ConsoleWrite("getting following Bootfile '" & $file & "' ") EndSwitch $options = StringReplace(BinaryToString(BinaryMid($udpdata, 237)), Chr(0), "") ConsoleWrite("and the following options: " & $options) ConsoleWrite(@CRLF) If BitAND(BinaryMid($udpdata, 237, 4), 0x63825363) Then ; is a DHCP Package ConsoleWrite("DHCP options:" & @CRLF) _DHCP_Options_Parser(BinaryMid($udpdata, 241)) EndIf EndFunc ;==>_DHCP_Parser Func _DHCP_Options_Parser($options) $i = 1 Do $options_type = Number(BinaryMid($options, $i, 1)) $length = Number(BinaryMid($options, $i + 1, 1)) If $options_type = 0 Or $options_type = 255 Then $length = 1 ConsoleWrite("Count: " & $i & " Option Type: " & $options_type & " Packet Length: " & $length & @CRLF) Switch $options_type Case 0 ; padding Case 1 ; Subnetmask $subnetmask = Number(BinaryMid($options, $i + 2, 1)) & "." & Number(BinaryMid($options, $i + 3, 1)) & "." & Number(BinaryMid($options, $i + 4, 1)) & "." & Number(BinaryMid($options, $i + 5, 1)) ConsoleWrite("Subnetmask: " & $subnetmask & @CRLF) Case 2 ; time offset $time_offset = Number(BinaryMid($options, $i + 2, 4)) ConsoleWrite("Time Offset: " & $time_offset & @CRLF) Case 3 ; Router Option ; not working properly Case 6 ; DNS-Servers $dns_servers_count = $length/4 for $j = 0 to $dns_servers_count-1 $dns_servers = Number(BinaryMid($options, $i + 2 + ($j*4), 1)) & "." & Number(BinaryMid($options, $i + 3+ ($j*4), 1)) & "." & Number(BinaryMid($options, $i + 4+ ($j*4), 1)) & "." & Number(BinaryMid($options, $i + 5+ ($j*4), 1)) ConsoleWrite("dns server: " & $dns_servers & @CRLF) Next Case 12; Client Hostname $Host_Name = StringReplace(BinaryToString(BinaryMid($options, $i + 2, $length)), Chr(0), "") ConsoleWrite("Host Name: " & $Host_Name & @CRLF) Case 43 ; Vendor-specific information $vendor_specific_info = StringReplace(BinaryToString(BinaryMid($options, $i + 2, $length)), Chr(0), "") ConsoleWrite("Vendor-specific information: " & $vendor_specific_info & @CRLF) Case 51 ; Address lease time ; not working properly $lease_time = Number(BinaryMid($options, $i + 2, 4)) $sNewDate = _DateAdd('s', $lease_time, _NowCalcDate()) ConsoleWrite("Lease Time: " & $sNewDate & @CRLF) Case 53 ; DHCP Message type Switch Number(BinaryMid($options, $i + 2, 1)) Case 1 ConsoleWrite("DHCPDISCOVER" & @CRLF) Case 2 ConsoleWrite("DHCPOFFER" & @CRLF) Case 3 ConsoleWrite("DHCPREQUEST" & @CRLF) Case 4 ConsoleWrite("DHCPDECLINE" & @CRLF) Case 5 ConsoleWrite("DHCPACK" & @CRLF) Case 6 ConsoleWrite("DHCPNAK" & @CRLF) Case 7 ConsoleWrite("DHCPRELEASE" & @CRLF) Case 8 ConsoleWrite("DHCPINFORM" & @CRLF) Case Else; Armageddon!!! EndSwitch Case 54 ; Server Identifier $server_identifier = Number(BinaryMid($options, $i + 2, 1)) & "." & Number(BinaryMid($options, $i + 3, 1)) & "." & Number(BinaryMid($options, $i + 4, 1)) & "." & Number(BinaryMid($options, $i + 5, 1)) ConsoleWrite("Server Identifier: " & $server_identifier & @CRLF) Case 55 ; Parameter Request List $parameter_request_list = BinaryMid($options, $i + 2, $length) ConsoleWrite("Parameter Request List: " & $parameter_request_list & @CRLF) Case 60 ; Class-Identifier $class_identifier = StringReplace(BinaryToString(BinaryMid($options, $i + 2, $length)), Chr(0), "") ConsoleWrite("Class-Identifier: " & $class_identifier & @CRLF) Case 61 ; Identifier $identifier = BinaryMid($options, $i + 2, $length) ConsoleWrite("Identifier: " & $identifier & @CRLF) Case 81 ; FQDN $FQDN = StringReplace(BinaryToString(BinaryMid($options, $i + 2, $length)), Chr(0), "") ConsoleWrite("FQDN: " & $FQDN & @CRLF) Case 255 ; end $i = BinaryLen($options) Case Else; Armageddon!!! EndSwitch $i += (2 + $length) Until $i >= BinaryLen($options) ; unclean but prevents the loop from continuing infinite if a counting error occures. Return False ; until everything is in a 2d array..... EndFunc ;==>_DHCP_Options_Parsertraffic.au3 Edited November 9, 2011 by JRSmile $a=StringSplit("547275737420796F757220546563686E6F6C75737421","") For $b=1 To UBound($a)+(-1*-1*-1)step(2^4/8);&$b+=1*2/40*µ&Asc(4) Assign("c",Eval("c")&Chr(Dec($a[$b]&$a[$b+1])));''Chr("a")&"HI" Next ;time_U&r34d,ths,U-may=get$the&c.l.u.e;b3st-regards,JRSmile; MsgBox(0x000000,"",Eval("c"));PiEs:d0nt+*b3.s4d.4ft3r.1st-try:-) Link to comment Share on other sites More sharing options...
lgvlgv Posted December 8, 2012 Share Posted December 8, 2012 This is great, thx very mutch Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now