1 /*
2     This file is part of Kismet
3 
4     Kismet is free software; you can redistribute it and/or modify
5     it under the terms of the GNU General Public License as published by
6     the Free Software Foundation; either version 2 of the License, or
7     (at your option) any later version.
8 
9     Kismet is distributed in the hope that it will be useful,
10       but WITHOUT ANY WARRANTY; without even the implied warranty of
11     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12     GNU General Public License for more details.
13 
14     You should have received a copy of the GNU General Public License
15     along with Kismet; if not, write to the Free Software
16     Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
17 */
18 
19 #ifndef __PACKETSIGNATURES_H__
20 #define __PACKETSIGNATURES_H__
21 
22 #include "config.h"
23 #ifdef HAVE_STDINT
24 #include <stdint.h>
25 #endif
26 #ifdef HAVE_INTTYPES_H
27 #include <inttypes.h>
28 #endif
29 
30 const uint8_t LOR_MAC[] = {0x01, 0x00, 0x00, 0x00, 0x20, 0xF6};
31 const uint8_t NUL_MAC[] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
32 const uint8_t NETS_MAC[] = {0x01, 0x60, 0x1d, 0x00, 0x01, 0x00};
33 
34 // LLC packets with control field U func UI (we handle a lot of things with these headers)
35 const uint8_t LLC_UI_SIGNATURE[] = {0xAA, 0xAA, 0x03};
36 
37 // Offset for the start of the LLC frame
38 const unsigned int LLC_OFFSET = 0;
39 
40 // Offset for all LLC-fragment protocols
41 const unsigned int LLC_UI_OFFSET = 3;
42 
43 // LLC packets that look like probe info (netstumbler and lucent)
44 const uint8_t PROBE_LLC_SIGNATURE[] = {0x00, 0x60, 0x1D};
45 
46 // "All" is all we need to match at this offset.  We matched the LLC already so
47 // we can use a very small fragment
48 // This catches "All your 802.11b are belong to us"
49 const uint8_t NETSTUMBLER_323_SIGNATURE[] = {0x41, 0x6C, 0x6C};
50 // "Flu" again is all we need to match at this offset.
51 // This catches "Flurble gronk bloopit, bnip Frundletrune"
52 const uint8_t NETSTUMBLER_322_SIGNATURE[] = {0x46, 0x6C, 0x75};
53 // "   " is the beginning of the .30
54 // "          Intentionally blank"
55 const uint8_t NETSTUMBLER_330_SIGNATURE[] = {0x20, 0x20, 0x20};
56 const uint8_t NETSTUMBLER_OFFSET = 12;
57 
58 // Lucent link test signatures
59 const uint8_t LUCENT_TEST_SIGNATURE[] = {0x00, 0x01, 0x02, 0x03};
60 const uint8_t LUCENT_OFFSET = 12;
61 
62 const uint8_t CISCO_SIGNATURE[] = {0x00, 0x00, 0x0C, 0x20, 0x00};
63 const unsigned int CDP_ELEMENT_LEN = 5;
64 
65 const uint8_t FORTRESS_SIGNATURE[] = {0x00, 0x00, 0x00, 0x88, 0x95};
66 
67 // WPA/WPA2 identifiers
68 const uint8_t WPA_OUI[] = {0x00, 0x50, 0xF2};
69 const uint8_t RSN_OUI[] = {0x00, 0x0F, 0xAC};
70 
71 // WPS identifier
72 const uint8_t WPS_SIG[] = {0x00, 0x50, 0xF2, 0x04};
73 
74 const uint8_t DOT1X_PROTO[] = {0x88, 0x8e};
75 const uint8_t DOT1X_OFFSET = LLC_UI_OFFSET + 5;
76 const uint8_t DOT1X_HEADER_SIZE = 4;
77 
78 const uint8_t EAP_OFFSET = 4;
79 const uint8_t EAP_PACKET_SIZE = 5;
80 
81 const uint8_t EAP_CODE_REQUEST = 1;
82 const uint8_t EAP_CODE_RESPONSE = 2;
83 const uint8_t EAP_CODE_SUCCESS = 3;
84 const uint8_t EAP_CODE_FAILURE = 4;
85 const uint8_t EAP_TYPE_TLS  = 13;
86 const uint8_t EAP_TYPE_LEAP = 17;
87 const uint8_t EAP_TYPE_TTLS = 21;
88 const uint8_t EAP_TYPE_PEAP = 25;
89 
90 
91 const uint8_t ARP_SIGNATURE[] = {0x08, 0x06};
92 const unsigned int ARP_OFFSET = 6;
93 const uint8_t ARP_PACKET_SIZE = 30;
94 
95 const uint8_t DHCPD_SIGNATURE[] = {0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x43, 0x00, 0x44};
96 const unsigned int DHCPD_OFFSET = 24;
97 
98 const unsigned int IP_OFFSET = 17;
99 const uint8_t IP_HEADER_SIZE = 11;
100 
101 const uint8_t UDP_SIGNATURE[] = {0x11};
102 const unsigned int UDP_OFFSET = 28;
103 
104 const uint8_t TCP_SIGNATURE[] = {0x06};
105 const unsigned int TCP_OFFSET = 28;
106 const unsigned int TCP_HEADER_SIZE = 11;
107 
108 const uint8_t NETBIOS_TCP_OFFSET = 204;
109 const uint8_t NETBIOS_OFFSET = 133;
110 
111 // netbios LLC signature
112 const uint8_t NETBIOS_SIGNATURE[] = {0xF0, 0xF0, 0x03};
113 
114 // IPX LLC signature
115 const uint8_t IPX_SIGNATURE[] = {0xE0, 0xE0, 0x03};
116 
117 // IAPP
118 const unsigned int IAPP_OFFSET = 36;
119 const uint8_t IAPP_HEADER_SIZE = 2;
120 const uint8_t IAPP_PDUHEADER_SIZE = 3;
121 
122 const uint16_t IAPP_PORT = 2313;
123 
124 const uint16_t ISAKMP_PORT = 500;
125 const uint8_t ISAKMP_OFFSET = UDP_OFFSET + 8;
126 const unsigned int ISAKMP_PACKET_SIZE = 14;
127 const uint8_t ISAKMP_EXCH_NONE = 0;
128 const uint8_t ISAKMP_EXCH_BASE = 1;
129 const uint8_t ISAKMP_EXCH_IDPROT = 2;
130 const uint8_t ISAKMP_EXCH_AUTHONLY = 3;
131 const uint8_t ISAKMP_EXCH_AGGRESS = 4;
132 const uint8_t ISAKMP_EXCH_INFORM = 5;
133 const uint8_t ISAKMP_EXCH_TRANS = 6;
134 const uint8_t ISAKMP_EXCH_QUICK = 32;
135 const uint8_t ISAKMP_EXCH_NEWGRP = 33;
136 
137 // PPTP
138 const uint16_t PPTP_PORT = 1723;
139 
140 const mac_addr msfopcode_mac = mac_addr("90:E9:75:00:00:00/FF:FF:FF:00:00:00");
141 
142 #endif
143