1 /*
2     Nast
3 
4     This program is free software; you can redistribute it and/or modify
5     it under the terms of the GNU General Public License as published by
6     the Free Software Foundation; either version 2 of the License, or
7     (at your option) any later version.
8 
9     This program is distributed in the hope that it will be useful,
10     but WITHOUT ANY WARRANTY; without even the implied warranty of
11     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
12     GNU General Public License for more details.
13 
14     You should have received a copy of the GNU General Public License
15     along with this program; if not, write to the Free Software
16     Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
17 
18 */
19 
20 #include "include/nast.h"
21 
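/* Print "<src mac> -> <dst mac>" two rows below the banner; shared by the
 * ARP and RARP branches of handle_ARP().  Uses the screen globals line_s,
 * row_s and lg exactly like the rest of this file. */
static void arp_print_hosts (struct libnet_ethernet_hdr *eptr)
{
   n_print("princ",line_s=line_s+2,row_s,lg,"%s", nast_hex_ntoa (eptr->ether_shost));
   n_print("princ",line_s,28,lg," -> ");
   n_print("princ",line_s,33,lg, "%s\n", nast_hex_ntoa (eptr->ether_dhost));
}

/*
 * Decode and display the ARP / RARP header of the frame currently held in
 * the global `packet` (Ethernet header at packet[0], ARP header at
 * packet + offset).  Everything is printed through n_print(), which also
 * writes the log file when the global `lg` is set; `output` is not used
 * and is kept only so the signature matches the other handle_* functions.
 *
 * Screen state lives in the globals line_s / row_s; on return the cursor
 * is one row below the "Packet Number" footer and row_s is reset to 0.
 */
void handle_ARP (FILE *output)
{
   struct nast_arp_hdr *arp;
   struct libnet_ethernet_hdr *eptr;
   u_short ether_type;

   (void) output;

   eptr = (struct libnet_ethernet_hdr *) packet;
   arp = (struct nast_arp_hdr *) (packet+offset);
   ether_type = ntohs(eptr->ether_type);

   /* The frame came off the wire and may be shorter than an ARP header
    * (truncated capture, malformed sender): never read past hdr.caplen.
    * `hdr` is the pcap header filled by the pcap_next() that produced
    * `packet`, as in car() -- NOTE(review): confirm for every caller. */
   if (hdr.caplen < offset + sizeof *arp)
     {
        n_print("princ",++line_s,row_s,lg,"Truncated ARP frame: %u bytes captured\n", (unsigned) hdr.caplen);
     }
   else if (ether_type == ETHERTYPE_ARP)
     {
        n_print("princ",line_s,row_s,lg,"\n---[ ARP ]-----------------------------------------------------------\n");
        arp_print_hosts (eptr);

        switch (ntohs(arp->ar_op))
          {
           case 1:
             n_print("princ",++line_s,row_s,lg,"Type: ARP request: ");
             n_print("princ",line_s,20,lg,"Who has %d.%d.%d.%d? ",arp->__ar_tip[0],arp->__ar_tip[1],arp->__ar_tip[2],arp->__ar_tip[3]);
             n_print("princ",line_s,46,lg,"Tell %d.%d.%d.%d\n",arp->__ar_sip[0],arp->__ar_sip[1],arp->__ar_sip[2],arp->__ar_sip[3]);
             break;
           case 2:
             n_print("princ",++line_s,row_s,lg,"Type: ARP reply: ");
             n_print("princ",line_s,20,lg,"%d.%d.%d.%d is at %s\n",arp->__ar_sip[0],arp->__ar_sip[1],arp->__ar_sip[2],arp->__ar_sip[3], nast_hex_ntoa (eptr->ether_shost));
             break;
           case 8:
             n_print("princ",++line_s,row_s,lg,"Type: InARP request");
             break;
           case 9:
             n_print("princ",++line_s,row_s,lg,"Type: InARP reply");
             break;
           default:
             n_print("princ",++line_s,row_s,lg,"Type: Unknown Opcode");
             break;
          }

        n_print("princ",++line_s,row_s,lg,"Hardware size: %d - ", arp->ar_hln);
        n_print("princ",line_s,30,lg,"Protocol size: %d\n", arp->ar_pln);
     }
   /* Compare the host-order value: the old code tested the raw network-order
    * field against ETHERTYPE_REVARP, so RARP frames were never recognised
    * on little-endian hosts. */
   else if (ether_type == ETHERTYPE_REVARP)
     {
        n_print("princ",line_s,row_s,lg,"\n---[ RARP ]----------------------------------------------------------\n");
        arp_print_hosts (eptr);

        switch (ntohs(arp->ar_op))
          {
           case 3:
             n_print("princ",++line_s,row_s,lg,"Type: RARP request");
             break;
           case 4:
             n_print("princ",++line_s,row_s,lg,"Type: RARP reply");
             break;
           case 8:
             n_print("princ",++line_s,row_s,lg,"Type: InARP request");
             break;
           case 9:
             n_print("princ",++line_s,row_s,lg,"Type: InARP reply");
             break;
           default:
             n_print("princ",++line_s,row_s,lg,"Type: Unknown Opcode");
             break;
          }

        /* "Protocol size" goes on the same row as "Hardware size", at
         * column 30, like the ARP branch above. */
        n_print("princ",++line_s,row_s,lg,"Hardware size: %d  ",arp->ar_hln);
        n_print("princ",line_s,30,lg,"Protocol size: %d\n",arp->ar_pln);
     }

   n_print("princ",++line_s,0,lg,"Packet Number: %d",npkt);

   /* plain stdout mode: n_print does not end the footer line itself */
   if(!graph)
     printf("\n");
   ++line_s;
   row_s=0;
}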
107 
/* This function is important: it controls ARP responses and verifies that no-one is doing arp-poisoning in the LAN.
 * NB: it's important that you run this function when you are sure that no-one is doing arp-poisoning, so that a
 * trustworthy ip-mac list can be built and the following ARP responses compared against it.
 *
 * PS: an ARP RESPONSE does not have a broadcast destination like a REQUEST does
 */
114 
115 /* car : control arp response */
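/* Check one ARP reply against the trusted table built by map_lan().
 * Prints one report row at *line (and advances it) for the first table
 * entry whose IP equals the reply's sender IP; replies for IPs that are
 * not in the table are ignored. */
static void car_verify_reply (struct nast_arp_hdr *arp, struct host *list, u_short n, int *line, int lg)
{
   u_short i;

   for (i=0; i<n; i++)
     {
        /* look the sender IP up in the trusted table */
        if (memcmp(arp->__ar_sip, list[i].ip, 4))
          continue;

        n_print ("princ",*line,1,lg,"Verifing: %d.%d.%d.%d ", arp->__ar_sip[0], arp->__ar_sip[1], arp->__ar_sip[2], arp->__ar_sip[3]);
        n_print ("princ",*line,27,lg,"Is %s ?\t", nast_hex_ntoa(arp->__ar_sha));

        /* a sender MAC that differs from the one recorded for this IP is
         * the poisoning symptom this function exists to report */
        if (memcmp(arp->__ar_sha, list[i].mac, ETHER_ADDR_LEN))
          n_print ("princ",*line,40,lg,"Warning! Truly is %s, possible ARP-Poisoning!!!\n", nast_hex_ntoa (list[i].mac));
        else
          n_print ("princ",*line,40,lg,"Correct\n");

        ++*line;
        return;
     }
}

/*
 * car : control arp response.
 *
 * Build a trusted IP->MAC table of the LAN with map_lan(), then sniff ARP
 * replies on `dev` and report every reply whose sender MAC differs from
 * the table entry for its sender IP.  The table is only as good as the
 * network was while it was built (see the comment above).
 *
 * dev  - interface to map and to sniff on
 * lg   - non-zero to also write the report to the log file
 *
 * Returns 1 when no host table could be built, or when the user gives up
 * at the "alone in this network" prompt.  pcap setup failures go through
 * w_error(1, ...), whose return is not checked here (presumably fatal --
 * matches the original code).  The sniffing loop never terminates on its
 * own, so the trailing `return 0` is only reached if it is ever broken.
 *
 * NOTE(review): the table returned by map_lan() is never released; its
 * ownership is not visible from this file.
 */
int car (char *dev,int lg)
{
   struct host *list;
   u_short n = 0;
   char ebuf[PCAP_ERRBUF_SIZE];
   struct nast_arp_hdr *arp;
   int line = 6;   /* first screen row of the verification report */

#ifdef HAVE_LIBNCURSES
   if (graph)
     init_scr();
#endif

   if (lg)
     {
        openfile();
        n_print (NULL,0,0,lg,"Logging to file... \n");
        fflush (stdout);
        n_print (NULL,0,0,lg,"NAST Control ARP Poisoning Report\n\n");
        n_print (NULL,0,0,lg,"Made on %s\n\n", timed);
     }

   n_print ("princ",1,1,lg,"I'll build a truly MAC-IP list...\n\n");
   n_print ("princ",2,1,lg,"(Press a key)\n");
   getchar();
   n_print ("princ",3,1,lg,"- Waiting please... \n");
   fflush (stdout);

   /* map_lan() supplies the table and its size; the 255-entry malloc the
    * old code did right before this call was overwritten and leaked. */
   if ((list = map_lan(dev, 0, &n))==NULL)
     {
        /* Without a table there is nothing to compare against: leave
         * regardless of what w_error() answers, instead of walking a
         * NULL list below. */
        w_error(0, "\nCan't build truly host list! mmhhh!\nReport bug to author please\n\n");
        return(1);
     }
   if (n==0)
     {
        if(w_error(0, "What are you doing? You are alone in this network!\n")==-1)
          return(1);
     }

   n_print ("princ",4,1,lg,"- Now let me sniff arp-response on the network...\n\n");

   /* open pcap sniffer */
   if ((pcap_lookupnet(dev, &netp, &maskp, ebuf))==-1)
     {
        w_error(1, "pcap_lookupnet error: %s\n", ebuf);
     }
   if ((descr = pcap_open_live(dev, BUFSIZ, PROMISC, 10, ebuf))==NULL)
     {
        w_error(1, "pcap_open_live error: %s\n", ebuf);
     }
   if ((pcap_compile (descr, &fp, "arp", 0, netp))==-1)
     {
        w_error(1, "pcap_compile error\n");
     }
   if ((pcap_setfilter (descr, &fp))==-1)
     {
        w_error(1, "pcap_setfilter error\n");
     }

   /* demonize */
   if (demonize)
     bkg();

   /* now sniff */
   while (1)
     {
        if ((packet = (u_char *) pcap_next (descr, &hdr))==NULL) continue;

        if (handle_ethernet(packet)!=ETHERTYPE_ARP) continue; /* this is a paranoic test */

        /* never read an ARP header the capture did not fully deliver */
        if (hdr.caplen < offset + sizeof *arp) continue;
        arp = (struct nast_arp_hdr *) (packet+offset);

        /* only replies carry the sender binding we want to verify */
        if (ntohs (arp->ar_op)!=2) continue;

        car_verify_reply (arp, list, n, &line, lg);
     }

   if (lg) n_print (NULL,0,0,lg,"\ndone\n");
   return 0;
}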