Sunday, October 20, 2013

BASH: Rogue DHCP Detector

不久前在公司里有人的电脑中毒了,然后还会自行分发 DHCP 给其他电脑,搞得不上不下。 结果用 Wireshark 找到凶手把它干掉了。
可是不可能要自己24小时开着 Wireshark 吧? 而且我又要离开公司了,有点放不下心。 上网找了一些 rogue dhcp detection 的资料,只是要简单的 rogue dhcp 侦测。结果都没有我要的,Windows 的是有 (按我参考)。
只好写个自己的版本,script 的流程是:
  1. 自造一个 .pcap 文件 (text2pcap)
  2. 网络嗅探 with filter (tcpdump)
  3. 重播之前制造的 .pcap 文件 (tcpreplay)
  4. 把嗅探到的网络封包 (packet) 处理+检测
以下的 script,基本上你只有几个变数(variable)要更改:
  1. tmp1file     <-- 网络嗅探后第一个文件
  2. tmp2file     <-- 加工处理,撤除一些没用的纵行(column)
  3. tmp3file     <-- 加工处理,撤除重复的封包 (也就是来自一样的 DHCP 服务器的封包)
  4. thePHfile   <-- packet 的 HEX 文件
  5. thePfile       <-- 从HEX转换成.pcap的文件
  6. authoriseIP <-- 你 DHCP 服务器的 IP
  7. IF                  <-- 你 DHCP 服务器的网卡

#!/bin/bash

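# Work files live in a private per-run directory instead of fixed names in
# /tmp: this script has to run as root (tcpdump/tcpreplay), and a fixed path
# in a world-writable directory is a classic symlink / pre-creation hazard.
# The variable names are unchanged so the functions below keep working.
tmpdir=$(mktemp -d) || { printf 'cannot create temp directory\n' >&2; exit 1; }
tmp1file="$tmpdir/dhcp-raw.tmp"          # The initial sniff result
tmp2file="$tmpdir/dhcp-result.tmp"       # The column removed result
tmp3file="$tmpdir/dhcp-uniq.tmp"         # The result without duplicate packet
thePHfile="$tmpdir/DHCP-Request-6.txt"   # The packet HEX file
thePfile="$tmpdir/DHCP-Request-6.pcap"   # The packet .PCAP file
authoriseIP='192.168.0.1'                # Your authorised DHCP server's IP
IF='eth0'                                # Your server's network interface

# Remove the work directory on any exit path.  This replaces the old rm of the
# previous run's files, which also tried to delete a file literally named "2"
# because "2&>" is not a redirection operator.  Drop the trap if you want to
# keep the raw capture for later investigation.
trap 'rm -rf -- "${tmpdir:?}"' EXIT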

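#######################################
# Replay the crafted DHCP probe on $IF several times while capturing every
# DHCP offer (UDP source port 67 -> destination port 68) into $tmp1file.
# Globals:   IF, thePfile (read); tmp1file (written)
# Arguments: $1 - number of replays (optional, default 5)
# Outputs:   raw tcpdump lines in $tmp1file
# Returns:   0; sniffer and replay failures are silenced as before
#######################################
pcktRepyCapt() { # Packet Replay & Capture
  local replays=${1:-5}
  local sniffer_pid i
  # Sniff only the offer direction (src 67 -> dst 68).  Use the configured
  # interface instead of a hard-coded eth0, and line-buffer stdout (-l) so the
  # capture file is complete when the sniffer is terminated.
  /usr/sbin/tcpdump -l -e -i "$IF" "udp src port 67 && udp dst port 68" -nnq > "$tmp1file" 2>/dev/null &
  sniffer_pid=$!
  for ((i = 0; i < replays; i++)); do
    # Pause before each replay so slower DHCP servers get a chance to answer
    # (the original used "ping -c 2 127.0.0.1" as a 2-second delay).
    sleep 2
    # The old "2&>/dev/null" passed a literal "2" to tcpreplay as an extra
    # argument; this is the intended redirection.
    /usr/bin/tcpreplay --intf1="$IF" "$thePfile" >/dev/null 2>&1
  done
  sleep 2   # give offers triggered by the last replay time to arrive
  # Terminate only our own sniffer (the previous ps|grep killed every tcpdump
  # on the host) and reap it so its output is flushed before it is read.
  kill "$sniffer_pid" 2>/dev/null
  wait "$sniffer_pid" 2>/dev/null
  return 0
}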

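#######################################
# Strip the leading timestamp column from each captured tcpdump line.
# Globals:   tmp1file (read)
# Outputs:   one line per input line, with the first 15 characters (the
#            default tcpdump HH:MM:SS.ffffff timestamp) and the following
#            space removed, on stdout
# Returns:   0
#######################################
processRaw() { # Remove unwanted column
  local line rest
  # "|| [[ -n $line ]]" also handles a last line without a trailing newline.
  while IFS= read -r line || [[ -n "$line" ]]; do
    rest=${line:15}
    # printf with a quoted expansion: the old unquoted echo word-split and
    # glob-expanded the packet text.
    printf '%s\n' "${rest# }"
  done < "$tmp1file"
}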

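#######################################
# Normalise each comma-separated capture line to its first four fields so the
# caller can de-duplicate offers from the same server with sort -u.
# Globals:   tmp2file (read)
# Outputs:   "f0, f1, f2, f3" per usable line on stdout; lines with fewer than
#            three fields are skipped (the original stopped at the first one)
# Returns:   0
#######################################
queryUniq() { # Sort the packet and remove duplicate line
  local -a fields
  local i
  # Split on the COMMA symbol; the || clause keeps a final unterminated line.
  while IFS=, read -r -a fields || [[ ${#fields[@]} -gt 0 ]]; do
    if [[ -z "${fields[2]:-}" ]]; then
      continue   # malformed/short line: skip it rather than abort the scan
    fi
    # Drop the single leading space tcpdump leaves after each comma.
    for i in 0 1 2 3; do
      fields[i]=${fields[i]:-}
      fields[i]=${fields[i]# }
    done
    printf '%s, %s, %s, %s\n' "${fields[0]}" "${fields[1]}" "${fields[2]}" "${fields[3]}"
  done < "$tmp2file"
}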

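#######################################
# Report every DHCP offer whose source IP is not the authorised server.
# Globals:   tmp3file, authoriseIP (read)
# Outputs:   one warning line per non-authorised server on stdout
# Returns:   0 if every offer came from $authoriseIP, 1 if at least one
#            non-authorised server was seen (so cron/alerting can key off it)
#######################################
# NOTE(review): the check is by IP only.  A rogue server that answers with the
# authorised server's IP is not caught; comparing theMAC against the known
# server MAC as well would close that gap.
pcktAnalyse() { # Check IP
  local -a fields
  local theIP theMAC found=0
  while IFS=, read -r -a fields || [[ ${#fields[@]} -gt 0 ]]; do
    [[ -n "${fields[2]:-}" ]] || continue
    # The ethernet address is the first word of the first field ...
    read -r theMAC _ <<<"${fields[0]}"
    # ... and the source IP (with port appended) the third word of the third
    # field, e.g. "length 342: 192.168.0.1.67 > 255.255.255.255.68: UDP".
    read -r _ _ theIP _ <<<"${fields[2]}"
    theIP=${theIP%.*}   # strip the ".67" source port for display/comparison
    if [[ "$theIP" != "$authoriseIP" ]]; then
      printf '%s\n' "There is non-authorised DHCP server in the network, MAC=$theMAC and IP=$theIP"
      found=1   # keep scanning: report all rogues, not just the first
    fi
  done < "$tmp3file"
  return "$found"
}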

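#######################################
# Write the probe packet as a text hex dump to $thePHfile and convert it to
# $thePfile with text2pcap.  The bytes form a broadcast Ethernet/IPv4/UDP
# frame from 0.0.0.0:68 to 255.255.255.255:67 whose payload carries the DHCP
# magic cookie (63 82 53 63) followed by option 53 = 1, i.e. a DHCPDISCOVER.
# The trailing ASCII column of each dump line is ignored by text2pcap.
# Globals:   thePHfile, thePfile (written)
# Returns:   0 on success, 1 if text2pcap failed
#######################################
pcktGen() { # Create packet (.PCAP) file
  local srcMAC='aa bb cc dd ee ff'   # Source Ethernet Address
  local dstMAC='ff ff ff ff ff ff'   # Destination Address (broadcast address)
  # Unquoted here-doc delimiter on purpose: $dstMAC/$srcMAC must expand, and
  # nothing else in the dump contains shell metacharacters.
  cat > "$thePHfile" <<EOF
0000  $dstMAC $srcMAC 08 00 45 00   .......PV..F..E.
0010  01 48 00 00 40 00 40 11 39 a6 00 00 00 00 ff ff   .H..@.@.9.......
0020  ff ff 00 44 00 43 01 34 9c bb 01 01 06 00 16 6d   ...D.C.4.......m
0030  44 66 00 04 00 00 00 00 00 00 00 00 00 00 00 00   Df..............
0040  00 00 00 00 00 00 00 50 56 97 00 46 00 00 00 00   .......PV..F....
0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0110  00 00 00 00 00 00 63 82 53 63 35 01 01 3d 07 01   ......c.Sc5..=..
0120  00 50 56 97 00 46 39 02 05 dc 3c 0d 64 68 63 70   .PV..F9...<.dhcp
0130  63 64 20 34 2e 30 2e 31 35 37 0b 01 79 21 03 06   cd 4.0.157..y!..
0140  0f 1c 33 3a 3b 77 ff 00 00 00 00 00 00 00 00 00   ..3:;w..........
0150  00 00 00 00 00 00                                 ......
EOF
  # Convert the hex dump into a .pcap.  The old "2&>/dev/null" handed
  # text2pcap a literal "2" as a third argument instead of redirecting stderr.
  /usr/bin/text2pcap "$thePHfile" "$thePfile" >/dev/null 2>&1 || return 1
}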

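#######################################
# Entry point: build the probe packet, replay it while sniffing, then reduce
# the capture and report any offer that did not come from $authoriseIP.
# tcpdump/tcpreplay need raw socket access; fail loudly instead of silently
# analysing an empty capture.
#######################################
if (( EUID != 0 )); then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi
pcktGen         # Create packet (.PCAP) file
pcktRepyCapt    # Packet Replay and Capture
# Errors from the reduction steps (e.g. a missing capture file) are no longer
# hidden with 2>/dev/null; they point at why the sniff produced nothing.
processRaw > "$tmp2file"                      # Remove unwanted column
queryUniq | /usr/bin/sort -u > "$tmp3file"    # Sort the packet and remove duplicate line
pcktAnalyse     # Check IP; the script's exit status is this function's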
如果你有任何疑问/有更好的方法,请 email 到我的电邮 nick_khor@hotmail.com,谢谢