Use of horse.wtf.nzyme.dot11.Dot11FrameInterceptor in project nzyme by lennartkoopmann.
Class BroadMonitorInterceptorSet, method getInterceptors.
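/**
 * Builds the interceptors of the broad monitor, one per observed management frame subtype.
 * Each interceptor registers the frame with the client/network trackers where the subtype
 * calls for it, notifies all uplinks with a human readable message plus structured fields,
 * forwards the frame and logs the message at DEBUG level. None of them raises alerts.
 *
 * <p>Security note: addresses, SSIDs and reason/status strings are taken from frames received
 * over the air and are therefore attacker-controlled. They are concatenated into the
 * notification message and the log line unmodified, so uplinks and log consumers must treat
 * them as untrusted data (no format-string, HTML or terminal-escape interpretation).
 *
 * @return an immutable list of the interceptors, in registration order
 */
public List<Dot11FrameInterceptor> getInterceptors() {
    ImmutableList.Builder<Dot11FrameInterceptor> interceptors = new ImmutableList.Builder<>();

    // Disassociation.
    interceptors.add(new Dot11FrameInterceptor<Dot11DisassociationFrame>() {
        @Override
        public void intercept(Dot11DisassociationFrame frame) {
            String message = frame.transmitter() + " is disassociating from " + frame.destination()
                    + " (" + frame.reasonString() + ")";

            nzyme.notifyUplinks(new Notification(message, frame.meta().getChannel())
                    .addField(FieldNames.TRANSMITTER, frame.transmitter())
                    .addField(FieldNames.DESTINATION, frame.destination())
                    .addField(FieldNames.REASON_CODE, frame.reasonCode())
                    .addField(FieldNames.REASON_STRING, frame.reasonString())
                    .addField(FieldNames.SUBTYPE, "disassoc"), frame.meta());
            nzyme.forwardFrame(frame);

            LOG.debug(message);
        }

        @Override
        public byte forSubtype() {
            return Dot11FrameSubtype.DISASSOCIATION;
        }

        @Override
        public List<Class<? extends Alert>> raisesAlerts() {
            return Collections.emptyList();
        }
    });

    // Association request.
    interceptors.add(new Dot11FrameInterceptor<Dot11AssociationRequestFrame>() {
        @Override
        public void intercept(Dot11AssociationRequestFrame frame) {
            nzyme.getClients().registerAssociationRequestFrame(frame);

            String message = frame.transmitter() + " is requesting to associate with " + frame.ssid()
                    + " at " + frame.destination();

            nzyme.notifyUplinks(new Notification(message, frame.meta().getChannel())
                    .addField(FieldNames.TRANSMITTER, frame.transmitter())
                    .addField(FieldNames.DESTINATION, frame.destination())
                    .addField(FieldNames.SSID, frame.ssid() == null ? "[no SSID]" : frame.ssid())
                    .addField(FieldNames.SUBTYPE, "assoc-req"), frame.meta());
            nzyme.forwardFrame(frame);

            LOG.debug(message);
        }

        @Override
        public byte forSubtype() {
            return Dot11FrameSubtype.ASSOCIATION_REQUEST;
        }

        @Override
        public List<Class<? extends Alert>> raisesAlerts() {
            return Collections.emptyList();
        }
    });

    // Association response.
    interceptors.add(new Dot11FrameInterceptor<Dot11AssociationResponseFrame>() {
        @Override
        public void intercept(Dot11AssociationResponseFrame frame) {
            // Locale.ROOT: the response string is data, not user-facing prose, so its casing must
            // not depend on the JVM default locale.
            String message = frame.transmitter() + " answered association request from " + frame.destination()
                    + ". Response: " + frame.response().toUpperCase(java.util.Locale.ROOT)
                    + " (" + frame.responseCode() + ")";

            nzyme.notifyUplinks(new Notification(message, frame.meta().getChannel())
                    .addField(FieldNames.TRANSMITTER, frame.transmitter())
                    .addField(FieldNames.DESTINATION, frame.destination())
                    .addField(FieldNames.RESPONSE_CODE, frame.responseCode())
                    .addField(FieldNames.RESPONSE_STRING, frame.response())
                    .addField(FieldNames.SUBTYPE, "assoc-resp"), frame.meta());
            nzyme.forwardFrame(frame);

            LOG.debug(message);
        }

        @Override
        public byte forSubtype() {
            return Dot11FrameSubtype.ASSOCIATION_RESPONSE;
        }

        @Override
        public List<Class<? extends Alert>> raisesAlerts() {
            return Collections.emptyList();
        }
    });

    // Authentication. The message depends on the algorithm and the transaction sequence number;
    // a sequence number that does not belong to the algorithm's exchange is dropped without
    // notification or forwarding.
    interceptors.add(new Dot11FrameInterceptor<Dot11AuthenticationFrame>() {
        @Override
        public void intercept(Dot11AuthenticationFrame frame) {
            String message;
            Map<String, Object> additionalFields = Maps.newHashMap();

            switch (frame.algorithm()) {
                case OPEN_SYSTEM:
                    switch (frame.transactionSequence()) {
                        case 1:
                            message = frame.transmitter()
                                    + " is requesting to authenticate with Open System (Open, WPA, WPA2, ...) at "
                                    + frame.destination();
                            break;
                        case 2:
                            message = frame.transmitter()
                                    + " is responding to Open System (Open, WPA, WPA2, ...) authentication request from "
                                    + frame.destination() + ". (" + frame.statusString() + ")";
                            additionalFields.put(FieldNames.RESPONSE_CODE, frame.statusCode());
                            additionalFields.put(FieldNames.RESPONSE_STRING, frame.statusString());
                            break;
                        default:
                            LOG.trace("Invalid Open System authentication transaction sequence number [{}]. Skipping.",
                                    frame.transactionSequence());
                            return;
                    }
                    break;
                case SAE:
                    switch (frame.transactionSequence()) {
                        case 1:
                            message = frame.transmitter() + " is requesting to authenticate using SAE (WPA3) at "
                                    + frame.destination();
                            break;
                        case 2:
                            message = frame.transmitter() + " is responding to SAE (WPA3) authentication request from "
                                    + frame.destination() + ". (" + frame.statusString() + ")";
                            additionalFields.put(FieldNames.RESPONSE_CODE, frame.statusCode());
                            additionalFields.put(FieldNames.RESPONSE_STRING, frame.statusString());
                            break;
                        default:
                            LOG.trace("Invalid SAE authentication transaction sequence number [{}]. Skipping.",
                                    frame.transactionSequence());
                            return;
                    }
                    break;
                case SHARED_KEY:
                    switch (frame.transactionSequence()) {
                        case 1:
                            message = frame.transmitter() + " is requesting to authenticate using WEP at "
                                    + frame.destination();
                            break;
                        case 2:
                            message = frame.transmitter() + " is responding to WEP authentication request at "
                                    + frame.destination() + " with clear text challenge.";
                            break;
                        case 4:
                            message = frame.transmitter() + " is responding to WEP authentication request from "
                                    + frame.destination() + ". (" + frame.statusString() + ")";
                            additionalFields.put(FieldNames.RESPONSE_CODE, frame.statusCode());
                            additionalFields.put(FieldNames.RESPONSE_STRING, frame.statusString());
                            break;
                        default:
                            LOG.trace("Invalid WEP authentication transaction sequence number [{}]. Skipping.",
                                    frame.transactionSequence());
                            return;
                    }
                    break;
                default:
                    // Without this branch an algorithm value not handled above would produce a
                    // notification with an empty message. Treat it like an invalid sequence number.
                    LOG.trace("Unsupported authentication algorithm [{}]. Skipping.", frame.algorithm());
                    return;
            }

            nzyme.notifyUplinks(new Notification(message, frame.meta().getChannel())
                    .addField(FieldNames.TRANSMITTER, frame.transmitter())
                    .addField(FieldNames.DESTINATION, frame.destination())
                    // Locale.ROOT: the field value is matched by consumers, keep it locale-independent.
                    .addField(FieldNames.AUTH_ALGORITHM, frame.algorithm().toString().toLowerCase(java.util.Locale.ROOT))
                    .addField(FieldNames.TRANSACTION_SEQUENCE_NUMBER, frame.transactionSequence())
                    .addField(FieldNames.SUBTYPE, "auth")
                    .addFields(additionalFields), frame.meta());
            nzyme.forwardFrame(frame);

            LOG.debug(message);
        }

        @Override
        public byte forSubtype() {
            return Dot11FrameSubtype.AUTHENTICATION;
        }

        @Override
        public List<Class<? extends Alert>> raisesAlerts() {
            return Collections.emptyList();
        }
    });

    // Beacon.
    interceptors.add(new Dot11FrameInterceptor<Dot11BeaconFrame>() {
        @Override
        public void intercept(Dot11BeaconFrame frame) {
            nzyme.getNetworks().registerBeaconFrame(frame);

            String message;
            if (!Strings.isNullOrEmpty(frame.ssid())) {
                message = "Received beacon from " + frame.transmitter() + " for SSID " + frame.ssid();
            } else {
                // Broadcast beacon.
                message = "Received broadcast beacon from " + frame.transmitter();
            }

            Dot11MetaInformation meta = frame.meta();
            nzyme.notifyUplinks(new Notification(message, meta.getChannel())
                    .addField(FieldNames.TRANSMITTER, frame.transmitter())
                    .addField(FieldNames.TRANSMITTER_FINGERPRINT, frame.transmitterFingerprint())
                    .addField(FieldNames.SSID, Strings.isNullOrEmpty(frame.ssid()) ? "[no SSID]" : frame.ssid())
                    .addField(FieldNames.SECURITY_FULL, frame.taggedParameters().getFullSecurityString())
                    .addField(FieldNames.IS_WPA1, frame.taggedParameters().isWPA1())
                    .addField(FieldNames.IS_WPA2, frame.taggedParameters().isWPA2())
                    .addField(FieldNames.IS_WPA3, frame.taggedParameters().isWPA3())
                    .addField(FieldNames.IS_WPS, frame.taggedParameters().isWPS())
                    .addField(FieldNames.SUBTYPE, "beacon"), meta);
            nzyme.forwardFrame(frame);

            LOG.debug(message);
        }

        @Override
        public byte forSubtype() {
            return Dot11FrameSubtype.BEACON;
        }

        @Override
        public List<Class<? extends Alert>> raisesAlerts() {
            return Collections.emptyList();
        }
    });

    // Deauthentication.
    interceptors.add(new Dot11FrameInterceptor<Dot11DeauthenticationFrame>() {
        @Override
        public void intercept(Dot11DeauthenticationFrame frame) {
            String message = "Deauth: Transmitter " + frame.transmitter() + " is deauthenticating " + frame.destination()
                    + " from BSSID " + frame.bssid() + " (" + frame.reasonString() + ")";

            nzyme.notifyUplinks(new Notification(message, frame.meta().getChannel())
                    .addField(FieldNames.TRANSMITTER, frame.transmitter())
                    .addField(FieldNames.DESTINATION, frame.destination())
                    .addField(FieldNames.BSSID, frame.bssid())
                    .addField(FieldNames.REASON_CODE, frame.reasonCode())
                    .addField(FieldNames.REASON_STRING, frame.reasonString())
                    .addField(FieldNames.SUBTYPE, "deauth"), frame.meta());
            nzyme.forwardFrame(frame);

            LOG.debug(message);
        }

        @Override
        public byte forSubtype() {
            return Dot11FrameSubtype.DEAUTHENTICATION;
        }

        @Override
        public List<Class<? extends Alert>> raisesAlerts() {
            return Collections.emptyList();
        }
    });

    // Probe request.
    interceptors.add(new Dot11FrameInterceptor<Dot11ProbeRequestFrame>() {
        @Override
        public void intercept(Dot11ProbeRequestFrame frame) {
            nzyme.getClients().registerProbeRequestFrame(frame);

            String message;
            if (!frame.isBroadcastProbe()) {
                message = "Probe request: " + frame.requester() + " is looking for " + frame.ssid();
            } else {
                message = "Probe request: " + frame.requester() + " is looking for any network. (null probe request)";
            }

            nzyme.notifyUplinks(new Notification(message, frame.meta().getChannel())
                    .addField(FieldNames.SSID, frame.ssid() == null ? "[no SSID]" : frame.ssid())
                    .addField(FieldNames.TRANSMITTER, frame.requester())
                    .addField(FieldNames.SUBTYPE, "probe-req"), frame.meta());
            nzyme.forwardFrame(frame);

            LOG.debug(message);
        }

        @Override
        public byte forSubtype() {
            return Dot11FrameSubtype.PROBE_REQUEST;
        }

        @Override
        public List<Class<? extends Alert>> raisesAlerts() {
            return Collections.emptyList();
        }
    });

    // Probe response.
    interceptors.add(new Dot11FrameInterceptor<Dot11ProbeResponseFrame>() {
        @Override
        public void intercept(Dot11ProbeResponseFrame frame) {
            nzyme.getNetworks().registerProbeResponseFrame(frame);

            String message;
            if (frame.ssid() == null) {
                message = frame.transmitter() + " responded to broadcast probe request from " + frame.destination();
            } else {
                message = frame.transmitter() + " responded to probe request from " + frame.destination()
                        + " for " + frame.ssid();
            }

            nzyme.notifyUplinks(new Notification(message, frame.meta().getChannel())
                    .addField(FieldNames.DESTINATION, frame.destination())
                    .addField(FieldNames.TRANSMITTER, frame.transmitter())
                    .addField(FieldNames.SSID, frame.ssid() == null ? "[no SSID]" : frame.ssid())
                    .addField(FieldNames.SECURITY_FULL, frame.taggedParameters().getFullSecurityString())
                    .addField(FieldNames.IS_WPA1, frame.taggedParameters().isWPA1())
                    .addField(FieldNames.IS_WPA2, frame.taggedParameters().isWPA2())
                    .addField(FieldNames.IS_WPA3, frame.taggedParameters().isWPA3())
                    .addField(FieldNames.IS_WPS, frame.taggedParameters().isWPS())
                    .addField(FieldNames.SUBTYPE, "probe-resp"), frame.meta());
            nzyme.forwardFrame(frame);

            LOG.debug(message);
        }

        @Override
        public byte forSubtype() {
            return Dot11FrameSubtype.PROBE_RESPONSE;
        }

        @Override
        public List<Class<? extends Alert>> raisesAlerts() {
            return Collections.emptyList();
        }
    });

    return interceptors.build();
}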
Use of horse.wtf.nzyme.dot11.Dot11FrameInterceptor in project nzyme by lennartkoopmann.
Class SentryInterceptorSetTest, method testProbeRespWithAlertDisabled.
/**
 * A probe response fed through the Sentry interceptor set must register its SSID with the
 * Sentry, and with the alert flag disabled no alert may reach the uplink even though the
 * SSID was not known before.
 */
@Test
public void testProbeRespWithAlertDisabled() throws MalformedFrameException, IllegalRawDataException, InterruptedException {
    NzymeLeader nzyme = new MockNzyme();
    LoopbackUplink loopback = new LoopbackUplink();
    nzyme.registerUplink(loopback);

    Sentry sentry = new Sentry(nzyme, 2);
    try {
        // Nothing has been observed yet.
        assertEquals(sentry.getSSIDs().size(), 0);
        assertNull(loopback.getLastAlert());

        // The interceptor at index 1 is the one this test exercises with a probe response
        // (the index is the set's ordering; see SentryInterceptorSet).
        Dot11FrameInterceptor interceptor = new SentryInterceptorSet(sentry, nzyme.getAlertsService(), false)
                .getInterceptors()
                .get(1);
        Dot11ProbeResponseFrameParser parser = new Dot11ProbeResponseFrameParser(new MetricRegistry(), new Anonymizer(false, ""));
        interceptor.intercept(parser.parse(Frames.PROBE_RESP_1_PAYLOAD, Frames.PROBE_RESP_1_HEADER, META_NO_WEP));

        // NOTE(review): the fixed sleep suggests the Sentry processes frames asynchronously;
        // it makes the test slow and timing-sensitive, but the Sentry's internals are not
        // visible here to replace it with a proper wait.
        Thread.sleep(2500);

        assertEquals(sentry.getSSIDs().size(), 1);
        assertTrue(sentry.knowsSSID("Home 5F48"));
        assertNull(loopback.getLastAlert());
    } finally {
        sentry.stop();
    }
}
Use of horse.wtf.nzyme.dot11.Dot11FrameInterceptor in project nzyme by lennartkoopmann.
Class UnexpectedBSSIDInterceptorSetTest, method testGetInterceptors.
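/**
 * The set must provide exactly two interceptors, one for beacons and one for probe responses,
 * each declaring its alert class. A frame from the expected BSSID and a frame from an unrelated
 * network must stay silent; only a frame that spoofs a configured network from a wrong BSSID
 * must raise the corresponding alert.
 */
@Test
public void testGetInterceptors() throws MalformedFrameException, IllegalRawDataException {
    NzymeLeader nzyme = new MockNzyme();
    LoopbackUplink loopback = new LoopbackUplink();
    nzyme.registerUplink(loopback);

    UnexpectedBSSIDInterceptorSet set = new UnexpectedBSSIDInterceptorSet(nzyme.getAlertsService(), nzyme.getConfiguration().dot11Networks());
    assertEquals(set.getInterceptors().size(), 2);

    // One parser per frame type serves every frame of this test.
    Dot11BeaconFrameParser beaconParser = new Dot11BeaconFrameParser(new MetricRegistry(), new Anonymizer(false, ""));
    Dot11ProbeResponseFrameParser probeRespParser = new Dot11ProbeResponseFrameParser(new MetricRegistry(), new Anonymizer(false, ""));

    for (Dot11FrameInterceptor interceptor : set.getInterceptors()) {
        if (interceptor.forSubtype() == Dot11FrameSubtype.BEACON) {
            // Plain list instead of double-brace initialization, which creates an anonymous
            // subclass capturing the test instance.
            ArrayList<Class<? extends Alert>> expectedAlerts = new ArrayList<>();
            expectedAlerts.add(UnexpectedBSSIDBeaconAlert.class);
            assertEquals(interceptor.raisesAlerts(), expectedAlerts);

            // Expected beacon.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_1_PAYLOAD, Frames.BEACON_1_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Beacon from a wrong BSSID but different network. Should not trigger.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_3_PAYLOAD, Frames.BEACON_3_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Unexpected beacon.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_WTF_SPOOFED_MAC_PAYLOAD, Frames.BEACON_WTF_SPOOFED_MAC_HEADER, META_NO_WEP));
            assertNotNull(loopback.getLastAlert());
            assertEquals(UnexpectedBSSIDBeaconAlert.class, loopback.getLastAlert().getClass());
        }

        loopback.clear();

        if (interceptor.forSubtype() == Dot11FrameSubtype.PROBE_RESPONSE) {
            ArrayList<Class<? extends Alert>> expectedAlerts = new ArrayList<>();
            expectedAlerts.add(UnexpectedBSSIDProbeRespAlert.class);
            assertEquals(interceptor.raisesAlerts(), expectedAlerts);

            // Expected probe-resp.
            interceptor.intercept(probeRespParser.parse(Frames.PROBE_RESP_3_PAYLOAD, Frames.PROBE_RESP_3_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Probe-resp from a wrong BSSID but different network. Should not trigger.
            interceptor.intercept(probeRespParser.parse(Frames.PROBE_RESP_1_PAYLOAD, Frames.PROBE_RESP_1_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Unexpected probe-resp.
            interceptor.intercept(probeRespParser.parse(Frames.PROBE_RESP_WTF_SPOOFED_MAC_PAYLOAD, Frames.PROBE_RESP_WTF_SPOOFED_MAC_HEADER, META_NO_WEP));
            assertNotNull(loopback.getLastAlert());
            assertEquals(UnexpectedBSSIDProbeRespAlert.class, loopback.getLastAlert().getClass());
        }

        loopback.clear();
    }
}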
Use of horse.wtf.nzyme.dot11.Dot11FrameInterceptor in project nzyme by lennartkoopmann.
Class UnexpectedFingerprintInterceptorSetTest, method testGetInterceptors.
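/**
 * The set must provide exactly two interceptors, one for beacons and one for probe responses,
 * each declaring its alert class. A frame with the expected fingerprint and a frame with a
 * wrong fingerprint from an unrelated BSSID must stay silent; only a wrong fingerprint from a
 * configured BSSID must raise the corresponding alert.
 */
@Test
public void testGetInterceptors() throws MalformedFrameException, IllegalRawDataException {
    NzymeLeader nzyme = new MockNzyme();
    LoopbackUplink loopback = new LoopbackUplink();
    nzyme.registerUplink(loopback);

    UnexpectedFingerprintInterceptorSet set = new UnexpectedFingerprintInterceptorSet(nzyme.getAlertsService(), nzyme.getConfiguration().dot11Networks());
    assertEquals(set.getInterceptors().size(), 2);

    MetricRegistry metrics = new MetricRegistry();
    Dot11BeaconFrameParser beaconParser = new Dot11BeaconFrameParser(metrics, new Anonymizer(false, ""));

    // Fingerprint of the configured network; prefixing it is how the test produces a wrong one.
    String expectedFingerprint = "dfac3abce0c722f9609343f7dfa208afa51a1c7decbd2eb6f96c78051f0a594b";
    String wrongFingerprint = "WRONG" + expectedFingerprint;

    for (Dot11FrameInterceptor interceptor : set.getInterceptors()) {
        reset(loopback, nzyme);

        if (interceptor.forSubtype() == Dot11FrameSubtype.BEACON) {
            // Plain list instead of double-brace initialization, which creates an anonymous
            // subclass capturing the test instance.
            ArrayList<Class<? extends Alert>> expectedAlerts = new ArrayList<>();
            expectedAlerts.add(UnexpectedFingerprintBeaconAlert.class);
            assertEquals(interceptor.raisesAlerts(), expectedAlerts);

            // Expected beacon.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_1_PAYLOAD, Frames.BEACON_1_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());
            reset(loopback, nzyme);

            // Beacon with a wrong fingerprint but different BSSID. Should not trigger.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_3_PAYLOAD, Frames.BEACON_3_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());
            reset(loopback, nzyme);

            // TODO: Unexpected fingerprint.
            // NOTE(review): BEACON_2_PAYLOAD is passed as both payload and header here, unlike
            // every other parse() call in this file, which passes the matching *_HEADER
            // constant. Confirm which header this frame is meant to use.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_2_PAYLOAD, Frames.BEACON_2_PAYLOAD, META_NO_WEP));
            assertNotNull(loopback.getLastAlert());
            assertEquals(UnexpectedFingerprintBeaconAlert.class, loopback.getLastAlert().getClass());
            reset(loopback, nzyme);
        }

        if (interceptor.forSubtype() == Dot11FrameSubtype.PROBE_RESPONSE) {
            ArrayList<Class<? extends Alert>> expectedAlerts = new ArrayList<>();
            expectedAlerts.add(UnexpectedFingerprintProbeRespAlert.class);
            assertEquals(interceptor.raisesAlerts(), expectedAlerts);

            // TODO: Don't have appropriate frames in library so creating them directly for this part of the test.
            // Expected probe-resp.
            interceptor.intercept(Dot11ProbeResponseFrame.create(
                    "WTF",
                    "ff:ff:ff:ff:ff:ff",
                    "00:c0:ca:95:68:3b",
                    expectedFingerprint,
                    new Dot11TaggedParameters(metrics, Dot11TaggedParameters.PROBERESP_TAGGED_PARAMS_POSITION, Frames.PROBE_RESP_1_PAYLOAD),
                    META_NO_WEP,
                    new byte[] {},
                    new byte[] {}));
            assertNull(loopback.getLastAlert());
            reset(loopback, nzyme);

            // Probe-resp with a wrong fingerprint but different BSSID. Should not trigger.
            interceptor.intercept(Dot11ProbeResponseFrame.create(
                    "WTF",
                    "ff:ff:ff:ff:ff:ff",
                    "0a:c0:ca:95:68:3b",
                    wrongFingerprint,
                    new Dot11TaggedParameters(metrics, Dot11TaggedParameters.PROBERESP_TAGGED_PARAMS_POSITION, Frames.PROBE_RESP_1_PAYLOAD),
                    META_NO_WEP,
                    new byte[] {},
                    new byte[] {}));
            assertNull(loopback.getLastAlert());
            reset(loopback, nzyme);

            // Unexpected fingerprint.
            interceptor.intercept(Dot11ProbeResponseFrame.create(
                    "WTF",
                    "ff:ff:ff:ff:ff:ff",
                    "00:c0:ca:95:68:3b",
                    wrongFingerprint,
                    new Dot11TaggedParameters(metrics, Dot11TaggedParameters.PROBERESP_TAGGED_PARAMS_POSITION, Frames.PROBE_RESP_1_PAYLOAD),
                    META_NO_WEP,
                    new byte[] {},
                    new byte[] {}));
            assertNotNull(loopback.getLastAlert());
            assertEquals(UnexpectedFingerprintProbeRespAlert.class, loopback.getLastAlert().getClass());
            reset(loopback, nzyme);
        }
    }
}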
Use of horse.wtf.nzyme.dot11.Dot11FrameInterceptor in project nzyme by lennartkoopmann.
Class UnexpectedSSIDInterceptorSetTest, method testGetInterceptors.
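/**
 * The set must provide exactly two interceptors, one for beacons and one for probe responses,
 * each declaring its alert class. A frame with the expected SSID and a frame with a wrong SSID
 * from an unrelated BSSID must stay silent; only a wrong SSID from a configured BSSID must
 * raise the corresponding alert.
 */
@Test
public void testGetInterceptors() throws MalformedFrameException, IllegalRawDataException {
    NzymeLeader nzyme = new MockNzyme();
    LoopbackUplink loopback = new LoopbackUplink();
    nzyme.registerUplink(loopback);

    UnexpectedSSIDInterceptorSet set = new UnexpectedSSIDInterceptorSet(nzyme.getAlertsService(), nzyme.getConfiguration().dot11Networks());
    assertEquals(set.getInterceptors().size(), 2);

    // One parser per frame type serves every frame of this test.
    Dot11BeaconFrameParser beaconParser = new Dot11BeaconFrameParser(new MetricRegistry(), new Anonymizer(false, ""));
    Dot11ProbeResponseFrameParser probeRespParser = new Dot11ProbeResponseFrameParser(new MetricRegistry(), new Anonymizer(false, ""));

    for (Dot11FrameInterceptor interceptor : set.getInterceptors()) {
        if (interceptor.forSubtype() == Dot11FrameSubtype.BEACON) {
            // Plain list instead of double-brace initialization, which creates an anonymous
            // subclass capturing the test instance.
            ArrayList<Class<? extends Alert>> expectedAlerts = new ArrayList<>();
            expectedAlerts.add(UnexpectedSSIDBeaconAlert.class);
            assertEquals(interceptor.raisesAlerts(), expectedAlerts);

            // Expected beacon.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_1_PAYLOAD, Frames.BEACON_1_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Beacon with a wrong SSID but different BSSID. Should not trigger.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_3_PAYLOAD, Frames.BEACON_3_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Unexpected beacon.
            interceptor.intercept(beaconParser.parse(Frames.BEACON_WTF_WRONG_SSID_PAYLOAD, Frames.BEACON_WTF_WRONG_SSID_HEADER, META_NO_WEP));
            assertNotNull(loopback.getLastAlert());
            assertEquals(UnexpectedSSIDBeaconAlert.class, loopback.getLastAlert().getClass());
        }

        loopback.clear();

        if (interceptor.forSubtype() == Dot11FrameSubtype.PROBE_RESPONSE) {
            ArrayList<Class<? extends Alert>> expectedAlerts = new ArrayList<>();
            expectedAlerts.add(UnexpectedSSIDProbeRespAlert.class);
            assertEquals(interceptor.raisesAlerts(), expectedAlerts);

            // Expected probe-resp.
            interceptor.intercept(probeRespParser.parse(Frames.PROBE_RESP_3_PAYLOAD, Frames.PROBE_RESP_3_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Probe-resp with a wrong SSID but different BSSID. Should not trigger.
            interceptor.intercept(probeRespParser.parse(Frames.PROBE_RESP_1_PAYLOAD, Frames.PROBE_RESP_1_HEADER, META_NO_WEP));
            assertNull(loopback.getLastAlert());

            // Unexpected probe-resp.
            interceptor.intercept(probeRespParser.parse(Frames.PROBE_RESP_WTF_WRONG_SSID_PAYLOAD, Frames.PROBE_RESP_WTF_WRONG_SSID_HEADER, META_NO_WEP));
            assertNotNull(loopback.getLastAlert());
            assertEquals(UnexpectedSSIDProbeRespAlert.class, loopback.getLastAlert().getClass());
        }

        loopback.clear();
    }
}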