
Erik Romijn  committed 32fb298

traffic interception with NIDS

  • Parent commits a77dab9


Files changed (5)

File Twifi.xcodeproj/project.pbxproj

 		03F28BE4166A37C900E93C6D /* TWAppDelegate.m in Sources */ = {isa = PBXBuildFile; fileRef = 03F28BE3166A37C900E93C6D /* TWAppDelegate.m */; };
 		03F28BEE166A381300E93C6D /* MainMenu.xib in Resources */ = {isa = PBXBuildFile; fileRef = 03F28BED166A381300E93C6D /* MainMenu.xib */; };
 		03F28BF1166A3A1600E93C6D /* TWSniffer.m in Sources */ = {isa = PBXBuildFile; fileRef = 03F28BF0166A3A1600E93C6D /* TWSniffer.m */; };
-		03F28BF3166A3B0D00E93C6D /* libpcap.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 03F28BF2166A3B0D00E93C6D /* libpcap.dylib */; };
+		03F28BF6166A44EE00E93C6D /* libpcap.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 03F28BF2166A3B0D00E93C6D /* libpcap.dylib */; };
+		03F28BF8166A450300E93C6D /* libnet.1.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 03F28BF7166A450300E93C6D /* libnet.1.dylib */; };
+		03F28BF9166A451600E93C6D /* libnids.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 03F28BF4166A44A600E93C6D /* libnids.a */; };
+		03F28C01166A453F00E93C6D /* libgio-2.0.0.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 03F28BFA166A453F00E93C6D /* libgio-2.0.0.dylib */; };
+		03F28C02166A453F00E93C6D /* libglib-2.0.0.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 03F28BFB166A453F00E93C6D /* libglib-2.0.0.dylib */; };
+		03F28C03166A453F00E93C6D /* libgmodule-2.0.0.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 03F28BFC166A453F00E93C6D /* libgmodule-2.0.0.dylib */; };
+		03F28C04166A453F00E93C6D /* libgobject-2.0.0.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 03F28BFD166A453F00E93C6D /* libgobject-2.0.0.dylib */; };
+		03F28C05166A453F00E93C6D /* libgraph.5.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 03F28BFE166A453F00E93C6D /* libgraph.5.dylib */; };
+		03F28C06166A453F00E93C6D /* libgthread-2.0.0.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 03F28BFF166A453F00E93C6D /* libgthread-2.0.0.dylib */; };
+		03F28C07166A453F00E93C6D /* libgvc.6.dylib in Frameworks */ = {isa = PBXBuildFile; fileRef = 03F28C00166A453F00E93C6D /* libgvc.6.dylib */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXFileReference section */
 		03F28BEF166A3A1600E93C6D /* TWSniffer.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = TWSniffer.h; sourceTree = "<group>"; };
 		03F28BF0166A3A1600E93C6D /* TWSniffer.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = TWSniffer.m; sourceTree = "<group>"; };
 		03F28BF2166A3B0D00E93C6D /* libpcap.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libpcap.dylib; path = usr/lib/libpcap.dylib; sourceTree = SDKROOT; };
+		03F28BF4166A44A600E93C6D /* libnids.a */ = {isa = PBXFileReference; lastKnownFileType = archive.ar; name = libnids.a; path = /usr/local/Cellar/libnids/1.24/lib/libnids.a; sourceTree = "<absolute>"; };
+		03F28BF7166A450300E93C6D /* libnet.1.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libnet.1.dylib; path = /usr/local/Cellar/libnet/1.1.4/lib/libnet.1.dylib; sourceTree = "<absolute>"; };
+		03F28BFA166A453F00E93C6D /* libgio-2.0.0.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = "libgio-2.0.0.dylib"; path = "/usr/local/Cellar/glib/2.30.3/lib/libgio-2.0.0.dylib"; sourceTree = "<absolute>"; };
+		03F28BFB166A453F00E93C6D /* libglib-2.0.0.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = "libglib-2.0.0.dylib"; path = "/usr/local/Cellar/glib/2.30.3/lib/libglib-2.0.0.dylib"; sourceTree = "<absolute>"; };
+		03F28BFC166A453F00E93C6D /* libgmodule-2.0.0.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = "libgmodule-2.0.0.dylib"; path = "/usr/local/Cellar/glib/2.30.3/lib/libgmodule-2.0.0.dylib"; sourceTree = "<absolute>"; };
+		03F28BFD166A453F00E93C6D /* libgobject-2.0.0.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = "libgobject-2.0.0.dylib"; path = "/usr/local/Cellar/glib/2.30.3/lib/libgobject-2.0.0.dylib"; sourceTree = "<absolute>"; };
+		03F28BFE166A453F00E93C6D /* libgraph.5.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libgraph.5.dylib; path = /usr/local/Cellar/graphviz/2.28.0/lib/libgraph.5.dylib; sourceTree = "<absolute>"; };
+		03F28BFF166A453F00E93C6D /* libgthread-2.0.0.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = "libgthread-2.0.0.dylib"; path = "/usr/local/Cellar/glib/2.30.3/lib/libgthread-2.0.0.dylib"; sourceTree = "<absolute>"; };
+		03F28C00166A453F00E93C6D /* libgvc.6.dylib */ = {isa = PBXFileReference; lastKnownFileType = "compiled.mach-o.dylib"; name = libgvc.6.dylib; path = /usr/local/Cellar/graphviz/2.28.0/lib/libgvc.6.dylib; sourceTree = "<absolute>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
 			isa = PBXFrameworksBuildPhase;
 			buildActionMask = 2147483647;
 			files = (
-				03F28BF3166A3B0D00E93C6D /* libpcap.dylib in Frameworks */,
+				03F28C01166A453F00E93C6D /* libgio-2.0.0.dylib in Frameworks */,
+				03F28C02166A453F00E93C6D /* libglib-2.0.0.dylib in Frameworks */,
+				03F28C03166A453F00E93C6D /* libgmodule-2.0.0.dylib in Frameworks */,
+				03F28C04166A453F00E93C6D /* libgobject-2.0.0.dylib in Frameworks */,
+				03F28C05166A453F00E93C6D /* libgraph.5.dylib in Frameworks */,
+				03F28C06166A453F00E93C6D /* libgthread-2.0.0.dylib in Frameworks */,
+				03F28C07166A453F00E93C6D /* libgvc.6.dylib in Frameworks */,
+				03F28BF9166A451600E93C6D /* libnids.a in Frameworks */,
+				03F28BF8166A450300E93C6D /* libnet.1.dylib in Frameworks */,
+				03F28BF6166A44EE00E93C6D /* libpcap.dylib in Frameworks */,
 				03F28BD1166A37C900E93C6D /* Cocoa.framework in Frameworks */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		03F28BC1166A37C900E93C6D = {
 			isa = PBXGroup;
 			children = (
-				03F28BF2166A3B0D00E93C6D /* libpcap.dylib */,
 				03F28BD6166A37C900E93C6D /* Twifi */,
 				03F28BCF166A37C900E93C6D /* Frameworks */,
 				03F28BCD166A37C900E93C6D /* Products */,
 		03F28BCF166A37C900E93C6D /* Frameworks */ = {
 			isa = PBXGroup;
 			children = (
+				03F28BFA166A453F00E93C6D /* libgio-2.0.0.dylib */,
+				03F28BFB166A453F00E93C6D /* libglib-2.0.0.dylib */,
+				03F28BFC166A453F00E93C6D /* libgmodule-2.0.0.dylib */,
+				03F28BFD166A453F00E93C6D /* libgobject-2.0.0.dylib */,
+				03F28BFE166A453F00E93C6D /* libgraph.5.dylib */,
+				03F28BFF166A453F00E93C6D /* libgthread-2.0.0.dylib */,
+				03F28C00166A453F00E93C6D /* libgvc.6.dylib */,
+				03F28BF7166A450300E93C6D /* libnet.1.dylib */,
+				03F28BF4166A44A600E93C6D /* libnids.a */,
+				03F28BF2166A3B0D00E93C6D /* libpcap.dylib */,
 				03F28BD0166A37C900E93C6D /* Cocoa.framework */,
 				03F28BD2166A37C900E93C6D /* Other Frameworks */,
 			);
 				COMBINE_HIDPI_IMAGES = YES;
 				GCC_PRECOMPILE_PREFIX_HEADER = YES;
 				GCC_PREFIX_HEADER = "Twifi/Twifi-Prefix.pch";
+				HEADER_SEARCH_PATHS = /usr/local/include/;
 				INFOPLIST_FILE = "Twifi/Twifi-Info.plist";
+				LIBRARY_SEARCH_PATHS = (
+					"$(inherited)",
+					/usr/local/Cellar/libnids/1.24/lib,
+					/usr/local/Cellar/libnet/1.1.4/lib,
+					/usr/local/Cellar/glib/2.30.3/lib,
+					/usr/local/Cellar/graphviz/2.28.0/lib,
+				);
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				WRAPPER_EXTENSION = app;
 			};
 				COMBINE_HIDPI_IMAGES = YES;
 				GCC_PRECOMPILE_PREFIX_HEADER = YES;
 				GCC_PREFIX_HEADER = "Twifi/Twifi-Prefix.pch";
+				HEADER_SEARCH_PATHS = /usr/local/include/;
 				INFOPLIST_FILE = "Twifi/Twifi-Info.plist";
+				LIBRARY_SEARCH_PATHS = (
+					"$(inherited)",
+					/usr/local/Cellar/libnids/1.24/lib,
+					/usr/local/Cellar/libnet/1.1.4/lib,
+					/usr/local/Cellar/glib/2.30.3/lib,
+					/usr/local/Cellar/graphviz/2.28.0/lib,
+				);
 				PRODUCT_NAME = "$(TARGET_NAME)";
 				WRAPPER_EXTENSION = app;
 			};

File Twifi.xcodeproj/xcuserdata/erik.xcuserdatad/xcdebugger/Breakpoints.xcbkptlist

+<?xml version="1.0" encoding="UTF-8"?>
+<Bucket
+   type = "1"
+   version = "1.0">
+   <FileBreakpoints>
+      <FileBreakpoint
+         shouldBeEnabled = "Yes"
+         ignoreCount = "0"
+         continueAfterRunningActions = "No"
+         filePath = "Twifi/TWSniffer.m"
+         timestampString = "376066993.24341"
+         startingColumnNumber = "9223372036854775807"
+         endingColumnNumber = "9223372036854775807"
+         startingLineNumber = "60"
+         endingLineNumber = "60"
+         landmarkName = "-handleStream:"
+         landmarkType = "5">
+      </FileBreakpoint>
+   </FileBreakpoints>
+   <ExceptionBreakpoints>
+      <ExceptionBreakpoint
+         shouldBeEnabled = "Yes"
+         ignoreCount = "0"
+         continueAfterRunningActions = "No"
+         scope = "0"
+         stopOnStyle = "0">
+      </ExceptionBreakpoint>
+   </ExceptionBreakpoints>
+</Bucket>

File Twifi.xcodeproj/xcuserdata/erik.xcuserdatad/xcschemes/Twifi.xcscheme

    <LaunchAction
       selectedDebuggerIdentifier = "Xcode.DebuggerFoundation.Debugger.LLDB"
       selectedLauncherIdentifier = "Xcode.DebuggerFoundation.Launcher.LLDB"
+      debugAsWhichUser = "root"
       launchStyle = "0"
       useCustomWorkingDirectory = "NO"
       buildConfiguration = "Debug"
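Review bot: `debugAsWhichUser = "root"` launches the whole application as root under the debugger, so the parser in TWSniffer.m that consumes attacker-controlled TCP payloads, and the Cocoa UI around it, all run with full privileges; presumably only the capture-device open inside `nids_init()` needs that. Prefer dropping privileges right after `nids_init()` returns (for example `setuid()` to the logged-in user) or granting the build only capture-device access, and keep the root setting out of the committed scheme. This file lives under xcuserdata, which is per-user state that is usually excluded from version control. The `<LaunchAction` element continues outside the hunk.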

File Twifi/TWSniffer.h

 //
 
 #import <Foundation/Foundation.h>
-#include <pcap.h>
+#include <sys/types.h>
+#include <sys/socket.h>
 #include <netinet/in.h>
-#include <netinet/tcp.h>
+#include <netinet/in_systm.h>
+#include <arpa/inet.h>
+#include <string.h>
+#include <stdio.h>
+#include "nids.h"
 
 @interface TWSniffer : NSObject
 
 - (void)do;
 
 @end
+
+
+@interface TWRequestData : NSObject
+@property(strong, nonatomic) NSString *type;
+@property(strong, nonatomic) NSString *url;
+@property(nonatomic) u_int *sourceIp;
+@end
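Review bot: `@property(nonatomic) u_int *sourceIp;` declares a pointer, but TWSniffer.m assigns `a_tcp->addr.saddr` to it, which in libnids' `struct tuple4` is a plain `u_int`; the compiler warns about an int-to-pointer conversion and any later dereference would read from an address equal to the IP value. Declare it as the scalar `@property(nonatomic) u_int sourceIp;`. The two `NSString` properties should be `copy` rather than `strong` so a mutable string handed in cannot change after the fact: `@property(copy, nonatomic) NSString *type;` and likewise for `url`. Including `"nids.h"` from the public header also pulls libnids' types into every importer of TWSniffer.h; since `handleStream:` is not declared here, the include can move to the .m.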

File Twifi/TWSniffer.m

 
 @implementation TWSniffer
 
-/* Ethernet addresses are 6 bytes */
-#define ETHER_ADDR_LEN	6
+#define int_ntoa(x)	inet_ntoa(*((struct in_addr *)&x))
 
-/* Ethernet header */
-struct sniff_ethernet {
-    u_char ether_dhost[ETHER_ADDR_LEN]; /* Destination host address */
-    u_char ether_shost[ETHER_ADDR_LEN]; /* Source host address */
-    u_short ether_type; /* IP? ARP? RARP? etc */
-};
-
-/* IP header */
-struct sniff_ip {
-    u_char ip_vhl;		/* version << 4 | header length >> 2 */
-    u_char ip_tos;		/* type of service */
-    u_short ip_len;		/* total length */
-    u_short ip_id;		/* identification */
-    u_short ip_off;		/* fragment offset field */
-#define IP_RF 0x8000		/* reserved fragment flag */
-#define IP_DF 0x4000		/* dont fragment flag */
-#define IP_MF 0x2000		/* more fragments flag */
-#define IP_OFFMASK 0x1fff	/* mask for fragmenting bits */
-    u_char ip_ttl;		/* time to live */
-    u_char ip_p;		/* protocol */
-    u_short ip_sum;		/* checksum */
-    struct in_addr ip_src,ip_dst; /* source and dest address */
-};
-#define IP_HL(ip)		(((ip)->ip_vhl) & 0x0f)
-#define IP_V(ip)		(((ip)->ip_vhl) >> 4)
-
-/* TCP header */
-struct sniff_tcp {
-    u_short th_sport;	/* source port */
-    u_short th_dport;	/* destination port */
-    tcp_seq th_seq;		/* sequence number */
-    tcp_seq th_ack;		/* acknowledgement number */
-    
-    u_char th_offx2;	/* data offset, rsvd */
-#define TH_OFF(th)	(((th)->th_offx2 & 0xf0) >> 4)
-    u_char th_flags;
-#define TH_FIN 0x01
-#define TH_SYN 0x02
-#define TH_RST 0x04
-#define TH_PUSH 0x08
-#define TH_ACK 0x10
-#define TH_URG 0x20
-#define TH_ECE 0x40
-#define TH_CWR 0x80
-#define TH_FLAGS (TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG|TH_ECE|TH_CWR)
-    u_short th_win;		/* window */
-    u_short th_sum;		/* checksum */
-    u_short th_urp;		/* urgent pointer */
-};
-
-/* ethernet headers are always exactly 14 bytes */
-#define SIZE_ETHERNET 14
+void *selfref;
 
 - (void)do
 {
-    char *dev, errbuf[PCAP_ERRBUF_SIZE];
+    // here we can alter libnids params, for instance:
+    // nids_params.n_hosts=256;
+    if (!nids_init ())
+    {
+        fprintf(stderr,"%s\n",nids_errbuf);
+        exit(1);
+    }
     
-    dev = pcap_lookupdev(errbuf);
-    if (dev == NULL) {
-        NSLog(@"Couldn't find default device: %s\n", errbuf);
-        return;
-    }
-    NSLog(@"Device: %s\n", dev);
-    
-    
-    pcap_t *handle;
-    struct bpf_program fp;
-    char filter_exp[] = "port 80";
-    bpf_u_int32 mask;		/* The netmask of our sniffing device */
-    bpf_u_int32 net;		/* The IP of our sniffing device */
-    
-    handle = pcap_open_live(dev, BUFSIZ, 1, 1000, errbuf);
-    if (handle == NULL) {
-        NSLog(@"Couldn't open device %s: %s\n", dev, errbuf);
-        return;
-    }
-    if (pcap_lookupnet(dev, &net, &mask, errbuf) == -1) {
-        NSLog(@"Can't get netmask for device %s\n", dev);
-        net = 0;
-        mask = 0;
-    }
-    if (pcap_compile(handle, &fp, filter_exp, 0, net) == -1) {
-        NSLog(@"Couldn't parse filter %s: %s\n", filter_exp, pcap_geterr(handle));
-        return;
-    }
-    if (pcap_setfilter(handle, &fp) == -1) {
-        NSLog(@"Couldn't install filter %s: %s\n", filter_exp, pcap_geterr(handle));
+    selfref = (__bridge void *)(self);
+    nids_register_tcp (tcp_callback);
+    nids_run ();
+}
+
+
+- (void)handleStream:(struct tcp_stream *)a_tcp
+{
+    if (a_tcp->nids_state == NIDS_JUST_EST)
+    {
+        if (a_tcp->addr.dest!=80) return;
+        a_tcp->client.collect++; // we want data received by a client
+        a_tcp->server.collect++; // and by a server, too
+        a_tcp->server.collect_urg++; // we want urgent data received by a
+        // server
+#ifdef WE_WANT_URGENT_DATA_RECEIVED_BY_A_CLIENT
+        a_tcp->client.collect_urg++; // if we don't increase this value,
+        // we won't be notified of urgent data
+        // arrival
+#endif
         return;
     }
     
-    pcap_loop(handle, 0, got_packet, NULL);
-    pcap_close(handle);
+    if (a_tcp->nids_state != NIDS_DATA) return;
+    struct half_stream *hlf;
+
+    if (a_tcp->client.count_new) return;
+    hlf = &a_tcp->server; // analogical
+    
+    
+    NSString *data = [NSString stringWithUTF8String:hlf->data];
+    TWRequestData *requestData = [self parseResponse:data];
+    requestData.sourceIp = a_tcp->addr.saddr;
+    
+    
 }
 
-void got_packet(u_char *args, const struct pcap_pkthdr *header, const u_char *packet)
+- (TWRequestData *)parseResponse:(NSString *)data
 {
-    const struct sniff_ethernet *ethernet; /* The ethernet header */
-    const struct sniff_ip *ip; /* The IP header */
-    const struct sniff_tcp *tcp; /* The TCP header */
-    const char *payload; /* Packet payload */
+    TWRequestData *requestData = [TWRequestData new];
+    NSString *urlPart;
     
-    u_int size_ip;
-    u_int size_tcp;
+    NSArray *lines = [data componentsSeparatedByCharactersInSet:[NSCharacterSet newlineCharacterSet]];
+    BOOL first = YES;
+    for (NSString *line in lines) {
+        if (first) {
+            NSArray *chunks = [line componentsSeparatedByString: @" "];
+            requestData.type = chunks[0];
+            urlPart = chunks[1];
+        } else {
+            NSArray *chunks = [line componentsSeparatedByString: @":"];
+            if ([chunks count] < 2) continue;
+            NSLog(@"found header %@", chunks);
+            NSString *key = chunks[0];
+            NSString *value = chunks[1];
+            
+            if ([key isEqualToString:@"Host"]) {
+                requestData.url = [[value stringByAppendingString:urlPart] stringByTrimmingCharactersInSet:[NSCharacterSet whitespaceAndNewlineCharacterSet]];
+            }
+        }
+        first = NO;
+    }
+    return requestData;
+}
 
-    ethernet = (struct sniff_ethernet*)(packet);
-	ip = (struct sniff_ip*)(packet + SIZE_ETHERNET);
-	size_ip = IP_HL(ip)*4;
-	if (size_ip < 20) {
-		printf("   * Invalid IP header length: %u bytes\n", size_ip);
-		return;
-	}
-	tcp = (struct sniff_tcp*)(packet + SIZE_ETHERNET + size_ip);
-	size_tcp = TH_OFF(tcp)*4;
-	if (size_tcp < 20) {
-		printf("   * Invalid TCP header length: %u bytes\n", size_tcp);
-		return;
-	}
-	payload = (u_char *)(packet + SIZE_ETHERNET + size_ip + size_tcp);
-    NSLog(@"%s", payload);
 
+
+void tcp_callback (struct tcp_stream *a_tcp, void ** this_time_not_needed)
+{
+    TWSniffer *sniffer = (__bridge TWSniffer *)selfref;
+    [sniffer handleStream:a_tcp];
 }
+
+
 @end
+
+
+@implementation TWRequestData
+
+
+
+@end
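Review bot: `[NSString stringWithUTF8String:hlf->data]` in handleStream: treats the reassembled stream buffer as a NUL-terminated C string, but libnids does not terminate `hlf->data`, so the read runs past the valid bytes until it happens to find a zero, on attacker-controlled input in a process the debug scheme now launches as root. Use the buffered length instead and bail out when the bytes are not valid UTF-8: `NSString *data = [[NSString alloc] initWithBytes:hlf->data length:(NSUInteger)(hlf->count - hlf->offset) encoding:NSUTF8StringEncoding];` followed by `if (!data) return;`. parseResponse: has a related crash: `urlPart = chunks[1];` throws NSRangeException when the first line contains no space, and `stringByAppendingString:urlPart` throws when urlPart is still nil, so guard with `if ([chunks count] < 2) return requestData;` before the subscript and skip the Host branch while urlPart is nil. The `NSLog(@"found header %@", chunks)` line also writes every intercepted header, including Cookie and Authorization values, to the system log; drop it or log only the header name. Note that a request can arrive across several NIDS_DATA callbacks, so parsing each callback's snapshot independently may see a partial request line.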