
Example 1 with NzymeLeader

use of horse.wtf.nzyme.NzymeLeader in project nzyme by lennartkoopmann.

From class SentryInterceptorSetTest, method cleanSentry() — a TestNG @BeforeMethod fixture that wipes the tables the sentry tests write to, so alerts or learned SSIDs from one test cannot leak into the next.

/**
 * Runs before every test method and clears the persistent state the sentry tests
 * depend on: learned SSIDs ({@code sentry_ssids}) and raised alerts ({@code alerts}).
 * Each DELETE runs through its own database handle, exactly as before.
 */
@BeforeMethod
public void cleanSentry() {
    NzymeLeader nzyme = new MockNzyme();
    runStatement(nzyme, "DELETE FROM sentry_ssids;");
    runStatement(nzyme, "DELETE FROM alerts;");
}

/** Executes one fixed, test-owned SQL statement on a fresh handle of the given leader's database. */
private static void runStatement(NzymeLeader nzyme, String statement) {
    nzyme.getDatabase().useHandle(handle -> handle.execute(statement));
}

Example 2 with NzymeLeader

use of horse.wtf.nzyme.NzymeLeader in project nzyme by lennartkoopmann.

From class SentryInterceptorSetTest, method testProbeRespWithAlertDisabled() — checks that, with alerting switched off, an unknown SSID seen in a probe response is still learned by the Sentry but no alert reaches the uplink.

/**
 * With alerting disabled on the {@link SentryInterceptorSet}, a probe response for an SSID the
 * {@link Sentry} has never seen must still be learned (it appears in {@code getSSIDs()} and
 * {@code knowsSSID(...)} is true), but nothing may be pushed to the registered uplink.
 *
 * @throws MalformedFrameException   if the fixture frame cannot be parsed
 * @throws IllegalRawDataException   if the fixture bytes are not a valid 802.11 frame
 * @throws InterruptedException      if the wait for the sentry is interrupted
 */
@Test
public void testProbeRespWithAlertDisabled() throws MalformedFrameException, IllegalRawDataException, InterruptedException {
    LoopbackUplink uplink = new LoopbackUplink();
    NzymeLeader nzyme = new MockNzyme();
    nzyme.registerUplink(uplink);

    Sentry sentry = new Sentry(nzyme, 2);
    try {
        // A fresh sentry has learned nothing and alerted nothing.
        assertEquals(sentry.getSSIDs().size(), 0);
        assertNull(uplink.getLastAlert());

        // Last constructor argument (false) disables alerting. Index 1 is assumed to be the
        // probe-response interceptor of the set; the test only ever feeds it probe responses.
        SentryInterceptorSet set = new SentryInterceptorSet(sentry, nzyme.getAlertsService(), false);
        Dot11FrameInterceptor probeRespInterceptor = set.getInterceptors().get(1);

        Dot11ProbeResponseFrameParser parser = new Dot11ProbeResponseFrameParser(new MetricRegistry(), new Anonymizer(false, ""));
        probeRespInterceptor.intercept(parser.parse(Frames.PROBE_RESP_1_PAYLOAD, Frames.PROBE_RESP_1_HEADER, META_NO_WEP));

        // The sentry appears to process learned SSIDs asynchronously (the "2" passed to its
        // constructor is presumably an interval in seconds), so give it time to catch up.
        // NOTE(review): a fixed sleep makes this test timing-dependent; polling would be sturdier.
        Thread.sleep(2500);

        assertEquals(sentry.getSSIDs().size(), 1);
        assertTrue(sentry.knowsSSID("Home 5F48"));
        // Alerting is disabled, so learning a new SSID must stay silent.
        assertNull(uplink.getLastAlert());
    } finally {
        sentry.stop();
    }
}

Example 3 with NzymeLeader

use of horse.wtf.nzyme.NzymeLeader in project nzyme by lennartkoopmann.

From class UnexpectedBSSIDInterceptorSetTest, method testGetInterceptors() — exercises the beacon and probe-response interceptors that flag a monitored SSID being advertised from a BSSID that is not on its configured list (the spoofed-AP case).

/**
 * Verifies the two interceptors produced by {@link UnexpectedBSSIDInterceptorSet}: one for
 * beacons, one for probe responses. For each one:
 * <ul>
 *   <li>a frame from an expected BSSID stays silent,</li>
 *   <li>a frame from a BSSID that belongs to a different (unmonitored) network stays silent,</li>
 *   <li>a frame whose BSSID was spoofed for a monitored SSID raises exactly the declared alert
 *       on the loopback uplink.</li>
 * </ul>
 * {@code loopback.clear()} runs after each interceptor so the next round starts from a clean uplink.
 *
 * @throws MalformedFrameException  if a fixture frame cannot be parsed
 * @throws IllegalRawDataException  if fixture bytes are not a valid 802.11 frame
 */
@Test
public void testGetInterceptors() throws MalformedFrameException, IllegalRawDataException {
    NzymeLeader nzyme = new MockNzyme();
    LoopbackUplink loopback = new LoopbackUplink();
    nzyme.registerUplink(loopback);

    UnexpectedBSSIDInterceptorSet set = new UnexpectedBSSIDInterceptorSet(nzyme.getAlertsService(), nzyme.getConfiguration().dot11Networks());
    assertEquals(set.getInterceptors().size(), 2);

    // Parsers are hoisted out of the loop; each keeps its own registry. Anonymizer(false, "") is
    // presumably a disabled anonymizer, so addresses and SSIDs reach the interceptors unchanged.
    Dot11BeaconFrameParser beaconParser = new Dot11BeaconFrameParser(new MetricRegistry(), new Anonymizer(false, ""));
    Dot11ProbeResponseFrameParser probeRespParser = new Dot11ProbeResponseFrameParser(new MetricRegistry(), new Anonymizer(false, ""));

    for (Dot11FrameInterceptor interceptor : set.getInterceptors()) {
        if (interceptor.forSubtype() == Dot11FrameSubtype.BEACON) {
            // The interceptor must advertise exactly the one alert type it can raise.
            ArrayList<Class<? extends Alert>> declaredBeaconAlerts = new ArrayList<>();
            declaredBeaconAlerts.add(UnexpectedBSSIDBeaconAlert.class);
            assertEquals(interceptor.raisesAlerts(), declaredBeaconAlerts);

            // Legitimate beacon from an expected BSSID.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_1_PAYLOAD, Frames.BEACON_1_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Wrong BSSID, but for a different network: must not trigger.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_3_PAYLOAD, Frames.BEACON_3_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Spoofed MAC advertising a monitored SSID: the rogue-AP case this interceptor exists for.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_WTF_SPOOFED_MAC_PAYLOAD, Frames.BEACON_WTF_SPOOFED_MAC_HEADER, META_NO_WEP));
            assertNotNull(loopback.getLastAlert());
            assertEquals(UnexpectedBSSIDBeaconAlert.class, loopback.getLastAlert().getClass());
        }
        loopback.clear();

        if (interceptor.forSubtype() == Dot11FrameSubtype.PROBE_RESPONSE) {
            ArrayList<Class<? extends Alert>> declaredProbeRespAlerts = new ArrayList<>();
            declaredProbeRespAlerts.add(UnexpectedBSSIDProbeRespAlert.class);
            assertEquals(interceptor.raisesAlerts(), declaredProbeRespAlerts);

            // Legitimate probe response from an expected BSSID.
            interceptor.intercept(probeRespParser.parse(Frames.PROBE_RESP_3_PAYLOAD, Frames.PROBE_RESP_3_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Wrong BSSID, but for a different network: must not trigger.
            interceptor.intercept(probeRespParser.parse(Frames.PROBE_RESP_1_PAYLOAD, Frames.PROBE_RESP_1_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Spoofed MAC answering probes for a monitored SSID.
            interceptor.intercept(probeRespParser.parse(Frames.PROBE_RESP_WTF_SPOOFED_MAC_PAYLOAD, Frames.PROBE_RESP_WTF_SPOOFED_MAC_HEADER, META_NO_WEP));
            assertNotNull(loopback.getLastAlert());
            assertEquals(UnexpectedBSSIDProbeRespAlert.class, loopback.getLastAlert().getClass());
        }
        loopback.clear();
    }
}

Example 4 with NzymeLeader

use of horse.wtf.nzyme.NzymeLeader in project nzyme by lennartkoopmann.

From class UnexpectedFingerprintInterceptorSetTest, method testGetInterceptors() — exercises the interceptors that flag a configured BSSID transmitting with a fingerprint other than its expected one (an impersonating AP reusing a legitimate MAC).

/**
 * Verifies the two interceptors produced by {@link UnexpectedFingerprintInterceptorSet}
 * (beacon and probe-response). For each one a configured BSSID with its expected fingerprint
 * must stay silent, a frame from a different BSSID may carry any fingerprint without raising,
 * and a configured BSSID with a non-matching fingerprint must raise exactly the declared alert
 * on the loopback uplink. {@code reset(loopback, nzyme)} is a sibling helper (not shown here)
 * called between cases so each assertion only observes its own frame.
 *
 * @throws MalformedFrameException  if a fixture frame cannot be parsed
 * @throws IllegalRawDataException  if fixture bytes are not a valid 802.11 frame
 */
@Test
public void testGetInterceptors() throws MalformedFrameException, IllegalRawDataException {
    NzymeLeader nzyme = new MockNzyme();
    LoopbackUplink loopback = new LoopbackUplink();
    nzyme.registerUplink(loopback);
    UnexpectedFingerprintInterceptorSet set = new UnexpectedFingerprintInterceptorSet(nzyme.getAlertsService(), nzyme.getConfiguration().dot11Networks());
    assertEquals(set.getInterceptors().size(), 2);
    for (Dot11FrameInterceptor interceptor : set.getInterceptors()) {
        reset(loopback, nzyme);
        if (interceptor.forSubtype() == Dot11FrameSubtype.BEACON) {
            // The interceptor must advertise exactly the one alert type it can raise.
            assertEquals(interceptor.raisesAlerts(), new ArrayList<Class<? extends Alert>>() {

                {
                    add(UnexpectedFingerprintBeaconAlert.class);
                }
            });
            // Expected beacon.
            interceptor.intercept(new Dot11BeaconFrameParser(new MetricRegistry(), new Anonymizer(false, "")).parse(Frames.BEACON_1_PAYLOAD, Frames.BEACON_1_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());
            reset(loopback, nzyme);
            // Beacon with a wrong fingerprint but different BSSID. Should not trigger.
            interceptor.intercept(new Dot11BeaconFrameParser(new MetricRegistry(), new Anonymizer(false, "")).parse(Frames.BEACON_3_PAYLOAD, Frames.BEACON_3_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());
            reset(loopback, nzyme);
            // TODO: Unexpected fingerprint.
            // NOTE(review): BEACON_2_PAYLOAD is passed as BOTH the payload and the header argument,
            // whereas every other parse() call in these tests passes a matching *_HEADER. If the
            // fingerprint is derived from the parsed frame, this case most likely "passes" only because
            // the garbled input produces some fingerprint other than the configured one. Confirm whether a
            // Frames.BEACON_2_HEADER exists and that the alert is still raised once it is used.
            interceptor.intercept(new Dot11BeaconFrameParser(new MetricRegistry(), new Anonymizer(false, "")).parse(Frames.BEACON_2_PAYLOAD, Frames.BEACON_2_PAYLOAD, META_NO_WEP));
            assertNotNull(loopback.getLastAlert());
            assertEquals(UnexpectedFingerprintBeaconAlert.class, loopback.getLastAlert().getClass());
            reset(loopback, nzyme);
        }
        if (interceptor.forSubtype() == Dot11FrameSubtype.PROBE_RESPONSE) {
            assertEquals(interceptor.raisesAlerts(), new ArrayList<Class<? extends Alert>>() {

                {
                    add(UnexpectedFingerprintProbeRespAlert.class);
                }
            });
            // TODO: Don't have appropriate frames in library so creating them directly for this part of the test.
            // The hand-built frames below appear to be: SSID, destination (broadcast), transmitter/BSSID,
            // fingerprint, tagged parameters taken from PROBE_RESP_1, meta, and two empty byte arrays --
            // argument meaning inferred from the values, confirm against Dot11ProbeResponseFrame.create().
            // Expected probe-resp.
            interceptor.intercept(Dot11ProbeResponseFrame.create("WTF", "ff:ff:ff:ff:ff:ff", "00:c0:ca:95:68:3b", "dfac3abce0c722f9609343f7dfa208afa51a1c7decbd2eb6f96c78051f0a594b", new Dot11TaggedParameters(new MetricRegistry(), Dot11TaggedParameters.PROBERESP_TAGGED_PARAMS_POSITION, Frames.PROBE_RESP_1_PAYLOAD), META_NO_WEP, new byte[] {}, new byte[] {}));
            assertNull(loopback.getLastAlert());
            reset(loopback, nzyme);
            // Probe-resp with a wrong fingerprint but different BSSID. Should not trigger.
            // 0a:c0:ca:95:68:3b differs from the configured 00:c0:ca:95:68:3b only in the first octet
            // (locally-administered bit set); the interceptor must only police BSSIDs it is configured for.
            interceptor.intercept(Dot11ProbeResponseFrame.create("WTF", "ff:ff:ff:ff:ff:ff", "0a:c0:ca:95:68:3b", "WRONGdfac3abce0c722f9609343f7dfa208afa51a1c7decbd2eb6f96c78051f0a594b", new Dot11TaggedParameters(new MetricRegistry(), Dot11TaggedParameters.PROBERESP_TAGGED_PARAMS_POSITION, Frames.PROBE_RESP_1_PAYLOAD), META_NO_WEP, new byte[] {}, new byte[] {}));
            assertNull(loopback.getLastAlert());
            reset(loopback, nzyme);
            // Unexpected fingerprint.
            // Configured BSSID, mismatched fingerprint: the impersonation case this interceptor detects.
            interceptor.intercept(Dot11ProbeResponseFrame.create("WTF", "ff:ff:ff:ff:ff:ff", "00:c0:ca:95:68:3b", "WRONGdfac3abce0c722f9609343f7dfa208afa51a1c7decbd2eb6f96c78051f0a594b", new Dot11TaggedParameters(new MetricRegistry(), Dot11TaggedParameters.PROBERESP_TAGGED_PARAMS_POSITION, Frames.PROBE_RESP_1_PAYLOAD), META_NO_WEP, new byte[] {}, new byte[] {}));
            assertNotNull(loopback.getLastAlert());
            assertEquals(UnexpectedFingerprintProbeRespAlert.class, loopback.getLastAlert().getClass());
            reset(loopback, nzyme);
        }
    }
}

Example 5 with NzymeLeader

use of horse.wtf.nzyme.NzymeLeader in project nzyme by lennartkoopmann.

From class UnexpectedSSIDInterceptorSetTest, method testGetInterceptors() — exercises the interceptors that flag a configured BSSID advertising an SSID it is not configured for.

/**
 * Verifies the two interceptors produced by {@link UnexpectedSSIDInterceptorSet}: one for
 * beacons, one for probe responses. For each one:
 * <ul>
 *   <li>a frame with an expected SSID stays silent,</li>
 *   <li>a frame with a foreign SSID from a BSSID that is not configured stays silent,</li>
 *   <li>a frame in which a configured BSSID advertises a wrong SSID raises exactly the declared
 *       alert on the loopback uplink.</li>
 * </ul>
 * {@code loopback.clear()} runs after each interceptor so the next round starts from a clean uplink.
 *
 * @throws MalformedFrameException  if a fixture frame cannot be parsed
 * @throws IllegalRawDataException  if fixture bytes are not a valid 802.11 frame
 */
@Test
public void testGetInterceptors() throws MalformedFrameException, IllegalRawDataException {
    NzymeLeader nzyme = new MockNzyme();
    LoopbackUplink loopback = new LoopbackUplink();
    nzyme.registerUplink(loopback);

    UnexpectedSSIDInterceptorSet set = new UnexpectedSSIDInterceptorSet(nzyme.getAlertsService(), nzyme.getConfiguration().dot11Networks());
    assertEquals(set.getInterceptors().size(), 2);

    // Parsers are hoisted out of the loop; each keeps its own registry. Anonymizer(false, "") is
    // presumably a disabled anonymizer, so addresses and SSIDs reach the interceptors unchanged.
    Dot11BeaconFrameParser beaconParser = new Dot11BeaconFrameParser(new MetricRegistry(), new Anonymizer(false, ""));
    Dot11ProbeResponseFrameParser probeRespParser = new Dot11ProbeResponseFrameParser(new MetricRegistry(), new Anonymizer(false, ""));

    for (Dot11FrameInterceptor interceptor : set.getInterceptors()) {
        if (interceptor.forSubtype() == Dot11FrameSubtype.BEACON) {
            // The interceptor must advertise exactly the one alert type it can raise.
            ArrayList<Class<? extends Alert>> declaredBeaconAlerts = new ArrayList<>();
            declaredBeaconAlerts.add(UnexpectedSSIDBeaconAlert.class);
            assertEquals(interceptor.raisesAlerts(), declaredBeaconAlerts);

            // Legitimate beacon with an expected SSID.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_1_PAYLOAD, Frames.BEACON_1_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Wrong SSID, but from a BSSID that is not configured: must not trigger.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_3_PAYLOAD, Frames.BEACON_3_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Configured BSSID advertising an SSID it is not configured for.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_WTF_WRONG_SSID_PAYLOAD, Frames.BEACON_WTF_WRONG_SSID_HEADER, META_NO_WEP));
            assertNotNull(loopback.getLastAlert());
            assertEquals(UnexpectedSSIDBeaconAlert.class, loopback.getLastAlert().getClass());
        }
        loopback.clear();

        if (interceptor.forSubtype() == Dot11FrameSubtype.PROBE_RESPONSE) {
            ArrayList<Class<? extends Alert>> declaredProbeRespAlerts = new ArrayList<>();
            declaredProbeRespAlerts.add(UnexpectedSSIDProbeRespAlert.class);
            assertEquals(interceptor.raisesAlerts(), declaredProbeRespAlerts);

            // Legitimate probe response with an expected SSID.
            interceptor.intercept(probeRespParser.parse(Frames.PROBE_RESP_3_PAYLOAD, Frames.PROBE_RESP_3_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Wrong SSID, but from a BSSID that is not configured: must not trigger.
            interceptor.intercept(probeRespParser.parse(Frames.PROBE_RESP_1_PAYLOAD, Frames.PROBE_RESP_1_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Configured BSSID answering probes with an SSID it is not configured for.
            interceptor.intercept(probeRespParser.parse(Frames.PROBE_RESP_WTF_WRONG_SSID_PAYLOAD, Frames.PROBE_RESP_WTF_WRONG_SSID_HEADER, META_NO_WEP));
            assertNotNull(loopback.getLastAlert());
            assertEquals(UnexpectedSSIDProbeRespAlert.class, loopback.getLastAlert().getClass());
        }
        loopback.clear();
    }
}
