BASH: Rogue DHCP Detector
I recently wrote a simple bash script and would like to share it.
The script's flow is:
- Build a .pcap file by hand (text2pcap)
- Sniff packets with a filter (tcpdump)
- Replay the .pcap file built earlier (tcpreplay)
- Process and check the sniffed packets
In the script below, basically only a few variables need changing:
- tmp1file <-- the first file produced by the sniff
- tmp2file <-- processed: some unneeded columns removed
- tmp3file <-- processed: duplicate packets removed (i.e. packets from the same DHCP server)
- thePHfile <-- the packet's HEX file
- thePfile <-- the file converted from HEX to .pcap
- authoriseIP <-- the DHCP server's IP
- IF <-- the server's network interface
```bash
#!/bin/bash
tmp1file='/tmp/dhcp-raw.tmp'            # The initial sniff result
tmp2file='/tmp/dhcp-result.tmp'         # The column-removed result
tmp3file='/tmp/dhcp-uniq.tmp'           # The result without duplicate packets
thePHfile='/tmp/DHCP-Request-6.txt'     # The packet HEX file
thePfile='/tmp/DHCP-Request-6.pcap'     # The packet .PCAP file
authoriseIP='192.168.1.1'               # Your authorised DHCP server's IP
IF='eth0'                               # Your server's network interface

# Remove leftovers from a previous run ("2&>" was not a valid redirection; use "-f" and 2>/dev/null)
/bin/rm -f "$tmp1file" "$tmp2file" "$tmp3file" "$thePHfile" "$thePfile" 2>/dev/null

function pcktRepyCapt { # Packet Replay & Capture
    # Sniff UDP packets with source port 67 and destination port 68 (DHCP offer behaviour)
    # in the background on $IF, and remember the PID so only this capture is stopped later.
    /usr/sbin/tcpdump -e -i "$IF" "udp src port 67 && udp dst port 68" -nnq > "$tmp1file" 2>/dev/null &
    tcpdumpPID=$!
    i=5 # Number of packet replays
    while [ "$i" -ge 1 ]; do
        sleep 2 # Delay 2 seconds before each replay so the DHCP servers have time to receive and answer
        /usr/bin/tcpreplay --intf1="$IF" "$thePfile" >/dev/null 2>&1 # Replay packet
        i=$((i-1))
    done
    /bin/kill "$tcpdumpPID" >/dev/null 2>&1 # Terminate the background capture
}

function processRaw { # Remove unwanted column (the leading timestamp)
    while read -r line; do
        echo "${line#* }" # Drop everything up to the first space
    done < "$tmp1file"
}

function queryUniq { # Split each line on commas and keep the four fields of interest
    while IFS=',' read -r -a myVar; do # Read each line into an array using the COMMA as separator
        if [ -z "${myVar[2]}" ]; then
            break # If the field is empty, stop
        fi
        echo "${myVar[0]}, ${myVar[1]}, ${myVar[2]}, ${myVar[3]}"
    done < "$tmp2file"
}

function pcktAnalyse { # Check IP
    while IFS=',' read -r -a myVarr; do # Read each line into an array using the COMMA as separator
        theIP=$(echo "${myVarr[2]}" | awk '{print $3}')  # "src-ip.port" is the third word of the third field
        theMAC=$(echo "${myVarr[0]}" | awk '{print $1}') # The source ethernet address is the first word of the first field
        thesub=${theIP%.*} # The extracted IP comes with the source port (".67"); strip it for better display
        if [ "$thesub" != "$authoriseIP" ]; then # If the IP is not the authorised IP, report ethernet & IP address
            echo "There is a non-authorised DHCP server in the network, MAC=$theMAC and IP=$thesub"
            break
        fi
    done < "$tmp3file"
}

function pcktGen { # Create packet (.PCAP) file
    srcMAC='aa bb cc dd ee ff' # Source Ethernet Address
    dstMAC='ff ff ff ff ff ff' # Destination Address (broadcast address)
    # Hex dump of a DHCP Discover frame (option 53 = 1); text2pcap ignores the trailing ASCII column
    cat > "$thePHfile" <<EOF
0000 $dstMAC $srcMAC 08 00 45 00 .......PV..F..E.
0010 01 48 00 00 40 00 40 11 39 a6 00 00 00 00 ff ff .H..@.@.9.......
0020 ff ff 00 44 00 43 01 34 9c bb 01 01 06 00 16 6d ...D.C.4.......m
0030 44 66 00 04 00 00 00 00 00 00 00 00 00 00 00 00 Df..............
0040 00 00 00 00 00 00 00 50 56 97 00 46 00 00 00 00 .......PV..F....
0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0100 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0110 00 00 00 00 00 00 63 82 53 63 35 01 01 3d 07 01 ......c.Sc5..=..
0120 00 50 56 97 00 46 39 02 05 dc 3c 0d 64 68 63 70 .PV..F9...<.dhcp
0130 63 64 20 34 2e 30 2e 31 35 37 0b 01 79 21 03 06 cd 4.0.157..y!..
0140 0f 1c 33 3a 3b 77 ff 00 00 00 00 00 00 00 00 00 ..3:;w..........
0150 00 00 00 00 00 00 ......
EOF
    /usr/bin/text2pcap "$thePHfile" "$thePfile" >/dev/null 2>&1 # Convert the HEX file into a PCAP file
}

pcktGen                                                 # Create packet (.PCAP) file
pcktRepyCapt                                            # Packet Replay and Capture
processRaw > "$tmp2file" 2>/dev/null                    # Remove unwanted column
queryUniq | /usr/bin/sort -u > "$tmp3file" 2>/dev/null  # Sort the packets and remove duplicate lines
pcktAnalyse                                             # Check IP
```
I hope this helps anyone who needs it. If you have better suggestions or questions, you're welcome to post them.
Thanks. This post was last edited by nick_khor on 23-10-2013 07:16 PM.
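The IP comparison at the heart of pcktAnalyse, as an added example that is not part of the original post or the poster's script: it parses the same tcpdump -e -nnq line format over a constructed sample capture and goes beyond the script by reporting every distinct unauthorised server instead of stopping at the first one. The sample lines, MAC and IP values are constructed.

```bash
#!/bin/bash
# Added example (not the original poster's code): the IP check from pcktAnalyse,
# generalised to report every distinct unauthorised DHCP server. It parses the
# "tcpdump -e -nnq" line format produced by the filter
# "udp src port 67 && udp dst port 68" (offers from servers to clients).

# Constructed sample capture: two offers from the authorised server
# (192.168.1.1) and two from a second, unknown server (192.168.1.254).
SAMPLE_CAPTURE='12:00:01.000001 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, IPv4, length 342: 192.168.1.1.67 > 255.255.255.255.68: UDP, length 300
12:00:01.000200 de:ad:be:ef:00:02 > ff:ff:ff:ff:ff:ff, IPv4, length 342: 192.168.1.254.67 > 255.255.255.255.68: UDP, length 300
12:00:03.000001 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, IPv4, length 342: 192.168.1.1.67 > 255.255.255.255.68: UDP, length 300
12:00:03.000200 de:ad:be:ef:00:02 > ff:ff:ff:ff:ff:ff, IPv4, length 342: 192.168.1.254.67 > 255.255.255.255.68: UDP, length 300'

# rogue_dhcp_servers AUTHORISED_IP  < tcpdump-lines
# Prints "MAC IP" once per distinct DHCP server whose IP is not AUTHORISED_IP.
rogue_dhcp_servers() {
    awk -v auth="$1" '
        # With -e -nnq each offer line looks like:
        #   <time> <srcMAC> > <dstMAC>, IPv4, length N: <srcIP>.67 > <dstIP>.68: UDP, length M
        /: UDP,/ {
            mac = $2
            ipport = ""
            # The source address is the dotted token right before the " > " that
            # separates the IP endpoints (the timestamp and MACs contain ":").
            for (i = 3; i <= NF; i++) {
                if ($i ~ /^[0-9.]+$/ && $(i + 1) == ">") { ipport = $i; break }
            }
            if (ipport == "") next
            sub(/\.[0-9]+$/, "", ipport)   # drop the ".67" source port
            key = mac " " ipport
            if (ipport != auth && !(key in seen)) {
                seen[key] = 1
                print key
            }
        }'
}

# Stand-alone run over the constructed sample:
printf '%s\n' "$SAMPLE_CAPTURE" | rogue_dhcp_servers 192.168.1.1
```

The same function can be fed the script's $tmp1file directly, since that file holds exactly these tcpdump lines.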
chfl4gs_ posted on 24-10-2013 11:43 AM:
With tcpdump -w /tmp/DHCP-Request-6.pcap you can skip the pcap generation part. If you want hex, use the -X option.
Original poster, posted on 24-10-2013 05:05 PM:
Quoting chfl4gs_ (posted on 24-10-2013 11:43 AM):
With tcpdump -w /tmp/DHCP-Request-6.pcap you can skip the pcap generation part. If you want hex, use the -X option.
Understood, but why would tcpdump let me skip the pcap generation part?
Because my pcap generation converts the packet hex into a pcap, and then replays the pcap while sniffing.