Sunday, October 14, 2018

TCP module done???

First the good news, the tcp module, including reading in the tcp.xml from years ago seems to be done.

I ran nmap -O 192.168.x.0/24 against my local home network and saved a tcpdump file to disk while it was running.  Of course I forgot about it and it was listening while any traffic it could see was going out to the internet as well.  Currently satori.py is hard coded to read one specific .pcap file, which I then read in:

python3 satori.py | awk -F';' '$7 != "" { print $3, $6, $7 }' | sort -u


Output:
192.168.1.108 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5
192.168.1.109 29200:64:1:60:M1460,S,T,N,W7:. Ubuntu 18.x:5
192.168.1.131 8760:64:0:52:M1460,N,W0,N,N,S:A Hewlett-Packard JetDirect:5
192.168.25.128 29200:64:1:60:M1460,S,T,N,W7:. Ubuntu 18.x:5
198.8.71.207 65535:128:1:52:M1460,N,W1,N,N,S:A Windows 7:5
207.198.x.38 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5
207.198.x.39 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5
207.198.x.40 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5
207.198.x.41 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5
207.198.x.42 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5
209.15.x.11 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5
209.15.x.8 8192:128:1:52:M1460,N,W8,N,N,S:A Windows 7:5|Windows Server 2008:5


Format above is just src IP, tcp fingerprint, OS guess.   In true satori fashion, the OS guess has a value associated with it, so that I can tie the different ones together and give a guess based on different protocol fingerprints.  Format is OS Guess:Weight  |  next OS Guess:Its weight    etc....

Full output from Satori looks like:

2018-10-14T01:50:57.063663;00:0C:29:5F:9F:42;192.168.25.128;TCP;S;29200:64:1:60:M1460,S,T,N,W7:.;Ubuntu 18.x:5

Date/Time in UTC, ISO Format; SRC MAC; SRC IP; What protocol it came from; In the case of TCP, if it was a S or SA; TCP Fingerprint; OS Guess w/ Weight

In the case of TCP, the SRC MAC is normally worthless as it will be the router, but for DHCP and others it is the Unique Identifier I need.

Now the minor bad news....

pypacker doesn't have any built in ability to read live packets, it only has its ppcap piece that has read in it for captured files.  I'm going to dink around with pcapy later and verify if I can use it to read live packets and just feed the packets in similar to the pypacket buffer.  I have high hopes, but be a few days until I get some time to verify.

So what is next...

  1. Add feature to read specific capture files from disk instead of a single hard coded one that I keep manually renaming to test.pcap!
  2. Investigate pcapy for live capture input into the script instead of just saved files
  3. Update tcp.xml as it is WAY out of date!
  4. Get setup on github or something similar (think I already have account) and publish this as I go
  5. Add a ton of error checking into this, currently only one try: except: clause in it and was only added due to last round of testing when things were blowing up on my nmap pcap file.

Sunday, October 7, 2018

Satori Rewrite?

Ok, it has been 3 years since the last time I posted on rewriting Satori.....

I sat down Friday after work with pypacker.  I put an hour or two into getting it to read packets with some example code and parse through tcp packets to at least get my TCP fingerprinting under way.  I bounced a question off of the developer (one earlier in the week when I was hoping to start and then again once I finally did).  He was helpful in both cases and by the end of Saturday I had code in place that properly dissects TCP packets.  I have 2 pieces to fix, one which has always been my nemesis, bit shifting, never really got it in my head how that works 15 years ago when I wrote Satori in Delphi and now that I rarely program this type of stuff anymore, no better off with python.   The difference in 2018 though is I'm not writing the protocol dissectors anymore!

Pypacker isn't really decided per se for what I'm using it for, it is really more for making your own packets, but it has the ability to decode them as well!  He already has the protocol stack built out for almost everything I need, just missing SMB.  Once I get through TCP, DHCP and a few others I'll start looking at that one, but it will be a bit down the road.

The one difference with this rewrite vs the one I claimed in 2015, 2014, 2013.....  I'm actually really interested it doing this this time.  Code will also all be open sourced this time around and project will be hosted out on something like github.

Time permitting today, I should have TCP, p0f v2 style and ettercap done.   I hope to have something in place as well to actually parse through the fingerprint files and spit out a guess at the OS.  While I'd prefer to do DHCP as my first one, as that was where I really enjoyed this the most, TCP seems like the most useful.  Once I get this done I'll look at p0fv3 that came out in the 2014 time frame as I was really winding down my work in this field.

Anyway, if you are doing any type of python and network type stuff, I highly recommend you check out pypacker.   I had tried doing this before with scapy, dpkt and a few others, but they were all a bit slow on convoluted for me and didn't have enough of the protocols already built out.  Or maybe they really did and I just wasn't motivated enough, can't really say. 

Its fun to be working on this project again after this long break.  Once I get it moving along, fingerprint files will be updated again as well.

Initial output:
192.168.25.128:36526 -> 216.58.217.34:443
 Flags: S ,Fingerprint: 29200:64:4096:60:M1460,S,T,N,W7:.
216.58.217.34:443 -> 192.168.25.128:36526
 Flags: SA ,Fingerprint: 64240:128:0:44:M1460:A

The 4096 part is due to bad bit shifting on my part to read the don't fragment bit (reading 1 bit out of 16 is so much fun).  I did a kludge elsewhere in the code, but now that i remember about bitshifting, may have to go back and rewrite that.  But 95% of the way there on TCP at this point!