hz}dZddlZddlZddlZddlmZmZddlmZddl m Z m Z ddl m Z ddlmZmZmZddlmZmZmZdd lmZdd lmZmZmZdd lmZgd Zeed e_dZ dZ!dZ"dZ#dZ$dZ%dZ&dZ'ddddddZ(Gdde)Z*Gdde)Z+Gdd e)Z,Gd!d"e)Z-Gd#d$e)Z.Gd%d&eZ/e/ejZ0d'Z1d3d*Z2d+Z3d,Z4d-Z5d.Z6d/Z7d0Z8 d4d2Z9dS)5z+ Clone of p0f v3 passive OS fingerprinting N) KnowledgeBase select_path)conf)raworb) NoPayload)IPTCP TCPOptions)HTTP HTTPRequest HTTPResponse)IPv6)RandByte RandShort RandString)warning)z/etc/p0fz/usr/share/p0fz /opt/localzp0f.fp(<#msswssoksackts)rrrcNeZdZgdZdZedZedZdZdS) TCP_Signature olayoutquirks ip_opt_lenip_verttlrwinwin_typewscale pay_classts1c ||_||_||_||_||_||_||_||_| |_| |_ | |_ dSNr$) selfr%r&r'r(r)rr*r+r,r-r.s U/mounts/lovelace/software/anaconda3/lib/python3.11/site-packages/scapy/modules/p0f.py__init__zTCP_Signature.__init__4sS  $    "c |j}tfd}|dkr|j}|jdzdz }|jdzr |d|jjr |d|jjr|d|jr |dnG|jd kr |d n0|j }d }|j r |d |j dzr |d|t}|j }|jd zr |d|jd kr |d |jjr|jd kr |dn|jr |d|jjr |dn|jr |d|jjr |d|jrdnd }d } d } d } d} |jdzdz } t-|| d}|r%t/|d }|d krA|dd}| dt1|zz } |dr |dn|dkr|dd}| dz } u t/|d}n#t4$r|dYnwxYw|d|}|t6vr4t8d |d}| dt6|zz } |rdt;j|znd}t1||kr |dn|dkr|dks|dkr |dnn||kr |dn|r0t;j||}t1|dkr|d }|dkr|} n|dkr|} | d kr |d!nr|d"kr@|d } | s |d#|dr#|jj r|jjs |d$n+|dks|d%ks|t1|kr |dn ||d}|%| dd&} || |||| |d| || S)'zi Receives a TCP packet (assuming it's valid), and returns a TCP_Signature object c2|dSr0)add)namer&s r2addqz'TCP_Signature.from_packet..addqKs JJt     r4rrecn0+dfid+rid-flowseq-ack-ack+urgf+uptr+pushf+rrNzeol+%i,opt+znop,badz%s,r "exwsr!ts1-ts2+r)!versionsetr)ihltosflagsevilDFidhlimfltcr windowseqAackUurgptrPpayloaddataofsrrlenstrip IndexErrortcp_options_p0fr structcalcsizeunpackS)clspktr(r9r)r'tcpr*r-rr,r.r%optlenxonumolenovalofmtoptsizer&s @r2 from_packetzTCP_Signature.from_packetBs       Q;;'C'A++Jw+& U y~ T y| T 6 DKKK1U (CJv V v% U #hj 9* +  DKKK 7a<< DLLL 9; w!||V W  DLLL 9;  DMMMM Z  DMMM 9;  DNNN+AA! +"b( HHfWXX 6 qt99DqyyabbE9s1vv--777##!DLLLqyyabbE6! 1Q4yy   U  QtV9D&&!!}T*1-5?4#8887;B!fod3333q66G##DKKK199byyD2IIU %.wU +%}T488t99>>#'7Dqyy"!%!B;; DLLL"1g") DLLL7) )CIK) DLLL!88tbyyD3q66MMDKKK$%%Am6 n#2#,s7FJS#tVU^`cddds6I I%$I%c t|d\}}}}}}}} |d\}} } |dkrdnt|} |ddkrt|dddfnt|df\}} t|}|dkrdnt|}|dkr d t}}n|dd d krt|d dt}}nn|d d krt|ddt }}nC|dd dkrt|d dt }}nt|t}}| dkrdnt| }|r-td| dD}nt}| dkrdnt| dk}||||| ||||||d }|| fS)z| Parses a TCP sig line and returns a tuple consisting of a TCP_Signature object and bad_ttl as bool r!,*rR-NTFrrrr%rmtuc3K|]}|VdSr0.0qs r2 z-TCP_Signature.from_raw_sig..s"<Q>Q;S$UGVV//#..q%czzs3xx03B3CH t,,SXXuDU WYY 3JJbbCHH C<< CC 2A2Y%   qrr^^\CC 1X__ qrr^^\CC 2A2Y%   qrr^^\CC ZZC||U  !<<&,,s*;*;<<<<.s"11!111111r4z%i:%i+%i:%i:%i:%i,%i:%s:%s:%i) joinr&r(r) guess_distr'rr*r,r%r-)r1r&fmtss r2__str__zTCP_Signature.__str__so11T[11111- 4;*TX*>*>?DHdh <9 9r4N __name__ __module__ __qualname__ __slots__r3 classmethodryrrrr4r2r#r#0sIIII   veve[vep[@r4r#cNeZdZgdZdZedZedZdZdS)HTTP_Signaturehttp_verhdrhdr_sethabsentswcL||_||_||_||_||_dSr0r)r1rrrrrs r2r3zHTTP_Signature.__init__s)    r4ct|tj}d}||}|dkr|d|t |z}n|}|}|dd\}}d|vrd}nd|vrd}ntd d }g} t} |dD]c} | d \} } }|rF| }| | |f| | | d vr|}dt| }|||| d|S) zl Receives an HTTP packet (assuming it's valid), and returns a HTTP_Signature object s rRNz rz1.0rz1.1zHTTP version is not 1.0/1.1rH:) User-AgentServer)rr refindrgdecoder ValueErrorrTrrhappendr7tuple)rorp http_payloadcrlfcrlf crlfcrlfIndexheaders first_linerr headers_foundr header_liner8rvaluers r2ryzHTTP_Signature.from_packetst 3s8+,, $))(33 B  "#AMCMM$A#ABGG"G..""%mmFA66 G J  HH j HH:;; ;  %%"==00  K(22377ND!U  $$dE]333 D!!!333BM""s8S'4444r4ct|d\}}}}|dkrdnt|}g}tjd|D]p}|d\} } } | ddkr)|| dd | ddd fP|| | ddd fqt |} td | D} t|d }||| | ||S)zM Parses an HTTP sig line and returns a HTTP_Signature object rr|rRz ,(?![^\[]*\])=r?rNTFc36K|]}|d |dVdS)rrNr)rheaders r2rz.HTTP_Signature.from_raw_sig..&s/II&vayIF1IIIIIIIr4r{)rrrerrrrr)rorrhorderrexpswr new_horderrr8rrrrs r2rzHTTP_Signature.from_raw_sigs* '-Xq&9&9#VWe22S h/88 > >F#--c22ND!UAw#~~!!48U1R4[$"?@@@@!!4qte"<====JIICIIIIIGMM#..//s8S'7E:::r4cddfd|jD}d}||j||jfz}|S)N)HostrDatez Content-Typerr{c3:K|]\}}|vr|n|d|dVdS)z=[]Nr)rnvskipvals r2rz)HTTP_Signature.__str__..-s@VVTQALLqq111aaa.@VVVVVVr4z %i:%s::%s)rrrr)r1rrrrs @r2rzHTTP_Signature.__str__*sOJhhVVVVTXVVVVV 4=#tw/ /r4Nrrr4r2rrst???I#5#5[#5J;;[;(r4rceZdZddgZdZdS) MTU_Recordlabel_idrc<||_t||_dSr0)rrrr1rrs r2r3zMTU_Record.__init__7s  x==r4Nrrrrr3rr4r2rr4s-U#I!!!!!r4rceZdZgdZdZdS) TCP_Record)rrrcj||_t|\}}||_||_dSr0)rr#rrr)r1rrrrs r2r3zTCP_Record.__init__?s2  $11(;; W r4Nrrr4r2rr<s....Ir4rceZdZddgZdZdS) HTTP_RecordrrcR||_t||_dSr0)rrrrrs r2r3zHTTP_Record.__init__Is"  !..x88r4Nrrr4r2rrFs-U#I99999r4rc8eZdZdZdZdZd dZdZdZdZ dS) p0fKnowledgeBasez self.base = { "mtu" (str): [sig(tuple), ...] "tcp"/"http" (str): { direction (str): [sig(tuple), ...] } } self.labels = (label(tuple), ...) c t|j}n&#t$rtd|jYdSwxYwi|_g|_||t|j|_|dS)NzCan't open base %s) openfilename Exceptionrbaselabels _parse_filerclose)r1fs r2 lazy_initzp0fKnowledgeBase.lazy_initXs T]##AA    ($- 8 8 8 FF    DK((   s ::cd}|D]}|ddvr|}|ddkrt|ddd\}}|dkrg|j|<|j|}g||jvr |gi|j|<n||j|vrg|j||<|j||}|d\}}} |}|d krJ|dkrt} n|d krt } n |d krt } || || -|d kr\|dz }|dkr|j| Zt| d \} } } }|j| | | |f|dkrBtd| dD}|j|xx|fz cc<dS)zS Parses p0f.fp file and stores the data with described structures. rRr); [rrr = rrqhttplabelrsysc3K|]}|VdSr0rrr8s r2rz/p0fKnowledgeBase._parse_file..s"%F%Ftd%F%F%F%F%F%Fr4r{N) rhrrrrrrrrrr)r1filerlinesection direction curr_recordsparamrval record_classtcr8flavor sys_namess r2rzp0fKnowledgeBase._parse_filees*( :( :DAw+%%::<>%'''1  E))'1  F**'2  '' Xs(C(CDDDDg%%MH%'' **3/// )/Q&Aq$K&&1dF';<<<<e^^ %%F%Fsyy~~%F%F%F F FIK)))i\9)))Q( :( :r4Ncg}|jd|D]g}|j|j}|d|d}}|rA||kr;|r||vr||jM||jh|S)a{Get TCP signatures that match an OS genre and details (if specified). If osdetails isn't specified, then we pick all signatures that match osgenre. Examples: >>> p0fdb.get_sigs_by_os("request", "Linux", "2.6") >>> p0fdb.get_sigs_by_os("response", "Windows", "8") >>> p0fdb.get_sigs_by_os("request", "FreeBSD") rqrr)rrrrr) r1rosgenre osdetailssigs tcp_recordrr8rs r2get_sigs_by_oszp0fKnowledgeBase.get_sigs_by_oss)E*95 0 0JK 34E 8U1X&D 07d??0 F** JN333KK /// r4cDt|\}}d}d}|jd|D]}|j}d} |j} |j|jkr$|jdkr| |jdkrdhnhdz} | |jkr2| |jz | z} | |jz |jz} |s| dd hz s| d d hz rd } |j|jkr|jr|j|jkrn*|j|jks|j|jz tkrd } |j dkr|j |j ks6|j dkr|j |j ks|j dkr|j |j kr(|j tkr|j|jkrJna|j t kr|j|jzrln?|j t"kr|s |j|krn|j t$kr|r |j|kr|j|j} | |j|jz | f}| s| d dkr|cS|s|}|s|}|r|S|r|SdS)a; Finds the best match for the given signature and direction. If a match is found, returns a tuple consisting of: - label: the matched label - dist: guessed distance from the packet source - fuzzy: whether the match is fuzzy Returns None if no match was found NrqFrRrr@>r=r>r?r=r>r?r;Trr)detect_win_multirrr&r%r(r'rr)MAX_DISTrr,r-r+rr*rrrrr)r1rr win_multiuse_mtugmatchfmatchrrsfuzzy ref_quirksdeletedaddedrmatchs r2tcp_find_matchzp0fKnowledgeBase.tcp_find_matchs.b11 7)E*958 8 JBEJzRZ''yB")q..vhh>R>R>RR RY&&% 1Z?#bi/29<w$6EUENt jjzdkr_ fd}|sp|j|j} jojo jjv}||f}|ddkr|cS|s|}|r|ndS)a Finds the best match for the given signature and direction. If a match is found, returns a tuple consisting of: - label: the matched label - dishonest: whether the software was detected as dishonest Returns None if no match was found NrrRrcd}tj}jD]}|}||krE|dj|dkr(|dz }||kr|dj|dk(||kr.|dsdSjD]}|d|dkrdS|}|dj|dvrdS|dz }dS)NrrrFT)rgr)phihdr_lenkhorig_phiphr rs r2headers_correlz8p0fKnowledgeBase.http_find_match..headers_correlsbf++ &B"H==a5BF3KN22q==a5BF3KN22g~~!!u)#(55"$&--B!!u1~~',uuu .' !uBF3KN22$uu1HCCtr4r) rrrrrgrrrr) r1rrr  http_recordrr dishonestrr s ` @r2http_find_matchz p0fKnowledgeBase.http_find_matchs$9V,Y75 5 KB{b  R[BK%?%?J+ ::2: *++a//      :">## K 45E>"%>BE,>II&EQx3  )vvT)r4cd|jdD]!}||jkr|j|jcS"dS)z Finds a match for the given MTU. If a match is found, returns the label string. Returns None if no match was found rN)rrrr)r1r mtu_records r2mtu_find_matchzp0fKnowledgeBase.mtu_find_match9sG )E* 8 8Jjn$${:#67777%tr4r0) rrr__doc__rrrrrr!rr4r2rrNs   .:.:.:`,KKKZ?*?*?*B     r4rc*dD]}||kr||z cSdS)N) @r)r)ottls r2rrHs9" $;;#:    r4rrHc#K||d|}|D]}|Vt|t|z D]}|VdS)z& Parsing of 'a:b:c:d:e' lines N)rrangerg)rr delimiterdefaultaeltrs r2rrNsr 9bqb!A 1s1vv:   r4c|}|to3|tp|t}|st d|S)z Validate that the packet is an IPv4/IPv6 and TCP packet. If the packet is valid, a copy is returned. If not, TypeError is raised. zNot a TCP/IP packet)copyhaslayerr r r TypeError)rpvalids r2validate_packetr4Ys` ((**C LL   J3<<#3#3#Is||D7I7IE /-... Jr4c|j}|j}|r|dkrdS|dfdtz dfdtz dz df|tzdfdg}|jr||dz df|jdkr`|dt z df|dt z dz df||t zdf|D]\}}||zs ||z |fcSdS) z Figure out if window size is a multiplier of MSS or MTU. Receives a TCP signature and returns the multiplier and whether mtu should be used d)rRFF T)r7T)rr*MIN_TCP4r.rr(MIN_TCP6)rrr*optionsdivr s r2rres) &C &C #))y e % 2 u% x G v*b%())) yA~~x/000x",e4555h-...&& WSy &9g% % % % & 9r4cRt|}|t|}|tjjr7|tjjrd}nd}t|}n|tj rt t|tj }|tkrd}n|tkrd}ntdt|}ntd||fS)zz Returns a p0f signature of the packet, and the direction. Raises TypeError if the packet isn't valid for p0f responserequestzNot an HTTP payloadz"Not a SYN, SYN/ACK, or HTTP packet)r4 __class__rr rWrnr`r#ryrer guess_payload_classr rr2r)rprrrs r2 packet2p0frCs #  C --C ! !C 3x~> s8>  ""II!I'',, S  >++CC0@,A,ABB [ !II | # #"II122 2((--<===  >r4c&t|}d}|jjD] \}}|dkr|}|sdS|jdkr |tzn |t z}t stddSt |S)z Fingerprints the MTU based on the maximum segment size specified in TCP options. If a match was found, returns the label. If not returns None rMSSNrp0f base empty.) r4rer<rSr:r;p0fdbget_baserr!)rprr8rrs r2fingerprint_mturIs #  C C{* e 5==C t!kQ..3>>S8^C >>  !"""t    $ $$r4ct|\}}tstddSt |t rt||St||S)NrF)rCrGrHr isinstancer#rr)rprrs r2p0frLsu__NC >>  !"""t#}%%5##C333$$S)444r4c t|}n#t$rYdSwxYwt|\}}t|t}|dk}|r|rdnd}n|rdnd}|d|zdz}g fd }|rd nd } || |d |r|d } | ddkrdnd} || | ddz| dzt | dkr/|ddd| dD|r|d|dn|rdnd} || d|dt||d z }|dz }t|dS)z+Calls p0f and prints a user-friendly outputNr@SYNzSYN+ACKz HTTP Requestz HTTP Responsez2.-[ %IP.src%:%TCP.sport% -> %IP.dst%:%TCP.dport% (z) ]- | cBd|dd|ddS)Nz| 8rr)r)r8rfieldss r2 add_fieldzprnp0f..add_fields, uuu566666r4Clientrz%IP.src%:%TCP.sport%rr!AppOSr rr Sysz, c3K|]}|VdSr0rrs r2rzprnp0f..s"&A&At&A&A&A&A&A&Ar4rDistanceUNKNOWNzRaw sigrHz`____ ) rLrrCrKr#sprintfrgrstrprint) rprrr is_tcp_sig to_serverpkt_typeresrR cli_or_svrr app_or_osrQs @r2prnp0frfs HH  __NCC//JY&ID%4559%.C>>O ++JXUXcc d dC F77777'4HJ Ij#++&<==>>> (!"1X__EE$  )U1X^eAh6777 u::?? IeTYY&A&Aa&A&A&AAA B B B  ( Ij!A$ ' ' '&1DDE  )Y''' IiS"""2776??C9C #JJJJJs  !!r7c t|s|stdt}|jdz}|rBt |t rt |\} } ntdt sg} n&|dkrdnd} t | ||} fd| D} | stdtj | } | jd krj| jkrtd | j} jd kr| j|z _| jd krt'd ng_d| vrBxjdzc_d| vr&jd krtjdd_nId _nAxjdzc_d| vrd _n%jd krtjdd_d| vr#xjtjddzc_d| vr jd zn jdz_nT| j|z _d| vrtjdd_d| vr#xjtjddzc_dt7|j}|d}|d}fd|ddD}g}| jd D]}|d!kr| jt@kr d| j!z}nd}| j"d krW|r)d |cxkr|krnn|#d|fn|#dtjd"|fn|#d| j"fnn|d#kr| j$d krd$}d%| vrZ|r)d&|cxkr|krnn|#d|fn,|#dtjd'|dz fn|r)d |cxkr|krnn|#d|fn|#dtKfn|#d| j$fn|d(kr|\}}d)| vrd }n+||}n&|d |cxkrd+ksntjd,d-}d.| vr-|dkr'|d |cxkrd+ksntjdd/}nd }|#d||ffn|d0kr|#d1n|d2kr|#d3n|d*dd4kr)|#d5d6| vrt'd7n|d8krtj gd9dz }d:|d zz}tMtOj(|)}|#d;tOj*||fnt'd<|||_| jtVkr | j!|_,n| jt@kr9d=|D}|std>|d d| j!z|_,n| jtZkr+| j!tjdd| j!zz|_,nS| jt\kr|| j!z|_,n3| jt^krta|_,nt'd?d@| vrd |_1n%|j1d krtjdd/|_1dA| vr6|xjdBzc_|j2d krtjdd/|_2ndC| vr|xjdDzc_d |_2dE| vr6|xjdFzc_|j3d krtjdd|_3ndG| vr|xjdHzc_dI| vr |jdJzn |jdKz|_| j4r@|j5s8tmj7tMtjddLMzntq|_5S)NaModifies pkt so that p0f will think it has been sent by a specific OS. Either osgenre or signature is required to impersonate. If signature is specified (as a raw string), we use the signature. signature format: "ip_ver:ttl:ip_opt_len:mss:window,wscale:opt_layout:quirks:pay_class" If osgenre is specified, we randomly pick a signature with a label that matches osgenre (and osdetails, if specified). Note: osgenre is case sensitive ("linux" -> "Linux" etc.), and osdetails is a substring of a label flavor ("7", "8" and "7 or 8" will all match the label "s:win:Windows:7 or 8") For now, only TCP SYN/SYN+ACK packets are supported.z0osgenre or signature is required to impersonate!zUnsupported signature typerr@r?cJg|]}|jdks|jjk| S)rR)r(rS)rrrps r2 z#p0f_impersonate..s1MMMa18r>>QX5L5L5L5L5Lr4zNo match in the p0f databaserRz#Can't convert between IPv4 and IPv6rrzUnhandled IPv4 option fieldr=r>rir?r;rr<r@ic4t|tr|ndSr0)rKr)rs r2int_onlyz!p0f_impersonate..int_onlyAs c**4ss4r4rEWScalec&g|] }|Srr)rorns r2rjz#p0f_impersonate..Fs!MMMqxx{{MMMr4 Timestamp)NNr{rr6rrOrNrrPNlxlwrQlnop)NOPNr)SAckOKrHeol)EOLNrJzUnhandled opt+ quirkr)rLrhrMz!%iISAckzUnhandled TCP option %sc*g|]}|ddk|S)rrEr)rrss r2rjz#p0f_impersonate..s!333QQqTU]]q]]]r4z5TCP window value requires MSS, and MSS option not setz#Unhandled window size specificationrBrDirCrFirEr$rGr!irL)load)9r4rr rWrKr]r#rr2rGrHrrandomchoicer(rSr&r)r'rr<rZrandintrVr[r\r]dictgetr%rr+rr*rrr,rrrkrl_fixrmrr^rrrrr_rarcr-rer raw_layerr)rprr signature extrahopsruptimerqtcp_typerrrrr& orig_optsmss_hintws_hintts_hintr<optmaxmssmaxwsr.ts2sack_len optstructrand_valrrns` @r2p0f_impersonaters  #  C M9MKLLL c(CyK(H" i % % :"// ::FC899 9~~ GDD%-%5%5 :I'' 7IFFDNMMM4MMM =;<< <mD!! zRCK3:55>??? ZF {a'I% >Q   1 2 2 2 2CK 6>> II II6Q;;#^Ay99CF II II1955 F?? GGv~dD11 1GG(,CI$$CI#v+F+F#GHHHHsw/0000 D[[zRV##R2#7#7#7#7%#7#7#7#7#7'':;;;;&.UQY2O2O'PQQQQ?1#7#7#7#7%#7#7#7#7#7'':;;;;(**'=>>>>#*56666 D[[HC#Q____u____nS*BCCH$4$4;q3 .I66C NNK#s4 5 5 5 5 E\\ NN= ) ) ) ) E\\ NN> * * * * !W   NN= ) ) )./// F]]}%5%5%566:H(a-0I!&/)"<"<==BBDDH NNFFM)X$F$FG H H H H -s 3 3 3  |&&W  % %33'333 VTUU UVAY(  % %Wv~a)1GHHH  % %37]  % %[[ 5666  A.I..  W 7a<<nQ 22CG 6   T & X :??955CJ F   U $,$6$6 D  CIz&.B2G2G'H'HIII ICkk Jr4)rrH)NNNrr7N):r"rrkr scapy.datarr scapy.configr scapy.compatrr scapy.packetrscapy.layers.inetr r r scapy.layers.httpr r rscapy.layers.inet6rscapy.volatilerrr scapy.errorr _p0fpathsp0f_baser:r;rrrrrrrjobjectr#rrrrrrGrrr4rrCrIrLrfrrr4r2rs8  11111111!!!!!!!!""""""1111111111==========######:::::::::: 8 8 8  Ix00            rrrrrFrrrjKKKKKVKKK^!!!!!!!!99999&999ttttt}tttn ''    ><%%%0 5 5 5)))XBF26HHHHHHr4