pancap/protocol/dhcpv4/response.go

77 lines
2.8 KiB
Go
Raw Normal View History

package dhcpv4
import (
"fmt"
"github.com/maride/pancap/common"
"github.com/google/gopacket/layers"
"log"
)
func (p *Protocol) processResponsePacket(dhcppacket layers.DHCPv4, ethernetpacket layers.Ethernet) {
p.addResponseEntry(dhcppacket.ClientIP.String(), dhcppacket.YourClientIP.String(), dhcppacket.ClientHWAddr.String(), ethernetpacket.SrcMAC.String())
}
2019-12-03 22:51:03 +00:00
// Generates the summary of all DHCP offer packets
func (p *Protocol) generateResponseSummary() string {
var tmpaddr []string
// Iterate over all responses
for _, r := range p.responses {
addition := ""
if r.askedFor {
addition = " which the client explicitly asked for."
}
tmpaddr = append(tmpaddr, fmt.Sprintf("%s offered %s IP address %s%s", r.serverMACAddr, r.destMACAddr, r.newIPAddr, addition))
}
// Draw as tree
2019-12-03 22:51:03 +00:00
return common.GenerateTree(tmpaddr)
}
// Adds a new response entry. If an IP address was already issued or a MAC asks multiple times for DNS, the case is examined further
func (p *Protocol) addResponseEntry(newIP string, yourIP string, destMAC string, serverMAC string) {
// Check if client asked for a specific address (which was granted by the DHCP server)
askedFor := false
if newIP == "0.0.0.0" {
// Yes, client asked for a specific address. Most likely not the first time in this network.
newIP = yourIP
askedFor = true
}
for _, r := range p.responses {
// Check for interesting cases
if r.destMACAddr == destMAC {
// The same client device received multiple IP addresses, let's examine further
if r.newIPAddr == newIP {
// the handed IP is the same - this is ok, just badly configured
if r.serverMACAddr == serverMAC {
// Same DHCP server answered.
log.Printf("MAC address %s received the same IP address multiple times via DHCP by the same server.", destMAC)
} else {
// Different DHCP servers answered, but with the same address - strange network, but ok...
log.Printf("MAC address %s received the same IP address multiple times via DHCP by different servers.", destMAC)
}
} else {
// far more interesting - one client received multiple addresses
if r.serverMACAddr == serverMAC {
// Same DHCP server answered.
log.Printf("MAC address %s received different IP addresses (%s, %s) multiple times via DHCP by the same server.", destMAC, r.newIPAddr, newIP)
} else {
// Different DHCP servers answered, with different addresses - possibly an attempt to build up MitM
log.Printf("MAC address %s received different IP addresses (%s, %s) multiple times via DHCP by different servers (%s, %s).", destMAC, r.newIPAddr, newIP, r.serverMACAddr, serverMAC)
}
}
}
}
// Add a response entry - even if we found some "strange" behavior before.
p.responses = append(p.responses, dhcpResponse{
destMACAddr: destMAC,
newIPAddr: newIP,
serverMACAddr: serverMAC,
askedFor: askedFor,
})
}