include docker repos

... skip emobility since it is a dev repo
2025-07-02 01:27:27 -04:00 · 2017-10-13 18:58:14 +00:00
parent f1ada16414
commit 0d5d80b1e3
152 changed files with 22265 additions and 0 deletions
--- a/docker/p0f/tools/Makefile
+++ b/docker/p0f/tools/Makefile
@ -0,0 +1,18 @@
+#
+# p0f - Makefile for tools
+# ------------------------
+#
+# Copyright (C) 2012 by Michal Zalewski <lcamtuf@coredump.cx>
+#
+# Distributed under the terms and conditions of GNU LGPL.
+#
+
+CC      = gcc
+CFLAGS  = -g -ggdb -Wall -Wno-format -funsigned-char
+LDFLAGS =
+TARGETS = p0f-client p0f-sendsyn p0f-sendsyn6
+
+all: $(TARGETS)
+
+clean:
+	rm -f -- $(TARGETS) *.exe *.o a.out *~ core core.[1-9][0-9]* *.stackdump 2>/dev/null
--- a/docker/p0f/tools/README-TOOLS
+++ b/docker/p0f/tools/README-TOOLS
@ -0,0 +1,16 @@
+This directory contains several helper tools mentioned in ../README:
+
+  p0f-sendsyn.c   - a tool for gathering new SYN+ACK signatures
+
+  p0f-sendsyn6.c  - the same, for IPv6 destinations
+
+  p0f-client.c    - simple API client tool for p0f -s mode
+
+Note that IPv6 addresses need to be passed to the utilities in a fully-expanded
+form (i.e., no ::).
+
+To build any of these programs, simply type 'make progname', e.g.:
+
+  make p0f-sendsyn
+
+If that fails, you can drop me a mail at lcamtuf@coredump.cx.
--- a/docker/p0f/tools/p0f-client.c
+++ b/docker/p0f/tools/p0f-client.c
@ -0,0 +1,215 @@
+/*
+   p0f-client - simple API client
+   ------------------------------
+
+   Can be used to query p0f API sockets.
+
+   Copyright (C) 2012 by Michal Zalewski <lcamtuf@coredump.cx>
+
+   Distributed under the terms and conditions of GNU LGPL.
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netdb.h>
+#include <errno.h>
+#include <ctype.h>
+#include <time.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+
+#include "../types.h"
+#include "../config.h"
+#include "../alloc-inl.h"
+#include "../debug.h"
+#include "../api.h"
+
+/* Parse IPv4 address into a buffer. */
+
+static void parse_addr4(char* str, u8* ret) {
+
+  u32 a1, a2, a3, a4;
+
+  if (sscanf(str, "%u.%u.%u.%u", &a1, &a2, &a3, &a4) != 4)
+    FATAL("Malformed IPv4 address.");
+
+  if (a1 > 255 || a2 > 255 || a3 > 255 || a4 > 255)
+    FATAL("Malformed IPv4 address.");
+
+  ret[0] = a1;
+  ret[1] = a2;
+  ret[2] = a3;
+  ret[3] = a4;
+
+}
+
+
+/* Parse IPv6 address into a buffer. */
+
+static void parse_addr6(char* str, u8* ret) {
+
+  u32 seg = 0;
+  u32 val;
+
+  while (*str) {
+
+    if (seg == 8) FATAL("Malformed IPv6 address (too many segments).");
+
+    if (sscanf((char*)str, "%x", &val) != 1 ||
+        val > 65535) FATAL("Malformed IPv6 address (bad octet value).");
+
+    ret[seg * 2] = val >> 8;
+    ret[seg * 2 + 1] = val;
+
+    seg++;
+
+    while (isxdigit(*str)) str++;
+    if (*str) str++;
+
+  }
+
+  if (seg != 8) FATAL("Malformed IPv6 address (don't abbreviate).");
+
+}
+
+
+int main(int argc, char** argv) {
+
+  u8 tmp[128];
+  struct tm* t;
+
+  static struct p0f_api_query q;
+  static struct p0f_api_response r;
+
+  static struct sockaddr_un sun;
+
+  s32  sock;
+  time_t ut;
+
+  if (argc != 3) {
+    ERRORF("Usage: p0f-client /path/to/socket host_ip\n");
+    exit(1);
+  }
+
+  q.magic = P0F_QUERY_MAGIC;
+
+  if (strchr(argv[2], ':')) {
+
+    parse_addr6(argv[2], q.addr);
+    q.addr_type = P0F_ADDR_IPV6;
+
+  } else {
+
+    parse_addr4(argv[2], q.addr);
+    q.addr_type = P0F_ADDR_IPV4;
+
+  }
+
+  sock = socket(PF_UNIX, SOCK_STREAM, 0);
+
+  if (sock < 0) PFATAL("Call to socket() failed.");
+
+  sun.sun_family = AF_UNIX;
+
+  if (strlen(argv[1]) >= sizeof(sun.sun_path))
+    FATAL("API socket filename is too long for sockaddr_un (blame Unix).");
+
+  strcpy(sun.sun_path, argv[1]);
+
+  if (connect(sock, (struct sockaddr*)&sun, sizeof(sun)))
+    PFATAL("Can't connect to API socket.");
+
+  if (write(sock, &q, sizeof(struct p0f_api_query)) !=
+      sizeof(struct p0f_api_query)) FATAL("Short write to API socket.");
+
+  if (read(sock, &r, sizeof(struct p0f_api_response)) !=
+      sizeof(struct p0f_api_response)) FATAL("Short read from API socket.");
+  
+  close(sock);
+
+  if (r.magic != P0F_RESP_MAGIC)
+    FATAL("Bad response magic (0x%08x).\n", r.magic);
+
+  if (r.status == P0F_STATUS_BADQUERY)
+    FATAL("P0f did not understand the query.\n");
+
+  if (r.status == P0F_STATUS_NOMATCH) {
+    SAYF("No matching host in p0f cache. That's all we know.\n");
+    return 0;
+  }
+
+  ut = r.first_seen;
+  t = localtime(&ut);
+  strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);
+
+  SAYF("First seen    = %s\n", tmp);
+
+  ut = r.last_seen;
+  t = localtime(&ut);
+  strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);
+
+  SAYF("Last update   = %s\n", tmp);
+
+  SAYF("Total flows   = %u\n", r.total_conn);
+
+  if (!r.os_name[0])
+    SAYF("Detected OS   = ???\n");
+  else
+    SAYF("Detected OS   = %s %s%s%s\n", r.os_name, r.os_flavor,
+         (r.os_match_q & P0F_MATCH_GENERIC) ? " [generic]" : "",
+         (r.os_match_q & P0F_MATCH_FUZZY) ? " [fuzzy]" : "");
+
+  if (!r.http_name[0])
+    SAYF("HTTP software = ???\n");
+  else
+    SAYF("HTTP software = %s %s (ID %s)\n", r.http_name, r.http_flavor,
+         (r.bad_sw == 2) ? "is fake" : (r.bad_sw ? "OS mismatch" : "seems legit"));
+
+  if (!r.link_type[0])
+    SAYF("Network link  = ???\n");
+  else
+    SAYF("Network link  = %s\n", r.link_type);
+
+  if (!r.language[0])
+    SAYF("Language      = ???\n");
+  else
+    SAYF("Language      = %s\n", r.language);
+
+
+  if (r.distance == -1)
+    SAYF("Distance      = ???\n");
+  else
+    SAYF("Distance      = %u\n", r.distance);
+
+  if (r.last_nat) {
+    ut = r.last_nat;
+    t = localtime(&ut);
+    strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);
+    SAYF("IP sharing    = %s\n", tmp);
+  }
+
+  if (r.last_chg) {
+    ut = r.last_chg;
+    t = localtime(&ut);
+    strftime((char*)tmp, 128, "%Y/%m/%d %H:%M:%S", t);
+    SAYF("Sys change    = %s\n", tmp);
+  }
+
+  if (r.uptime_min) {
+    SAYF("Uptime        = %u days %u hrs %u min (modulo %u days)\n", 
+         r.uptime_min / 60 / 24, (r.uptime_min / 60) % 24, r.uptime_min % 60,
+         r.up_mod_days);
+  }
+
+  return 0;
+
+}
+
--- a/docker/p0f/tools/p0f-sendsyn.c
+++ b/docker/p0f/tools/p0f-sendsyn.c
@ -0,0 +1,185 @@
+/*
+   p0f-sendsyn - SYN sender
+   ------------------------
+
+   This trivial utility sends 8 SYN packets to open ports on destination hosts,
+   and lets you capture SYN+ACK signatures. The problem with SYN+ACK
+   fingerprinting is that on some systems, the response varies depending on the
+   use of window scaling, timestamps, or selective ACK in the initial SYN - so
+   this utility is necessary to exercise all the code paths.
+
+   Copyright (C) 2012 by Michal Zalewski <lcamtuf@coredump.cx>
+
+   Distributed under the terms and conditions of GNU LGPL.
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netdb.h>
+#include <errno.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+
+#include "../types.h"
+#include "../config.h"
+#include "../alloc-inl.h"
+#include "../debug.h"
+#include "../tcp.h"
+
+
+/* Do a basic IPv4 TCP checksum. */
+
+static void tcp_cksum(u8* src, u8* dst, struct tcp_hdr* t, u8 opt_len) {
+
+  u32 sum, i;
+  u8* p;
+
+  if (opt_len % 4) FATAL("Packet size not aligned to 4.");
+
+  t->cksum = 0;
+
+  sum = PROTO_TCP + sizeof(struct tcp_hdr) + opt_len;
+
+  p = (u8*)t;
+
+  for (i = 0; i < sizeof(struct tcp_hdr) + opt_len; i += 2, p += 2)
+    sum += (*p << 8) + p[1];
+
+  p = src;
+
+  for (i = 0; i < 4; i += 2, p += 2) sum += (*p << 8) + p[1];
+
+  p = dst;
+
+  for (i = 0; i < 4; i += 2, p += 2) sum += (*p << 8) + p[1];
+
+  t->cksum = htons(~(sum + (sum >> 16)));
+
+}
+
+
+/* Parse IPv4 address into a buffer. */
+
+static void parse_addr(char* str, u8* ret) { 
+
+  u32 a1, a2, a3, a4;
+
+  if (sscanf(str, "%u.%u.%u.%u", &a1, &a2, &a3, &a4) != 4)
+    FATAL("Malformed IPv4 address.");
+
+  if (a1 > 255 || a2 > 255 || a3 > 255 || a4 > 255)
+    FATAL("Malformed IPv4 address.");
+
+  ret[0] = a1;
+  ret[1] = a2;
+  ret[2] = a3;
+  ret[3] = a4;
+
+} 
+
+
+#define W(_x) (_x) >> 8, (_x) & 0xff
+#define D(_x) (_x) >> 24, ((_x) >> 16) & 0xff, ((_x) >> 8) & 0xff, (_x) & 0xff
+
+#define EOL       TCPOPT_EOL
+#define NOP       TCPOPT_NOP
+#define MSS(_x)   TCPOPT_MAXSEG, 4, W(_x)
+#define WS(_x)    TCPOPT_WSCALE, 3, (_x)
+#define SOK       TCPOPT_SACKOK, 2
+#define TS(_x,_y) TCPOPT_TSTAMP, 10, D(_x), D(_y)
+
+/* There are virtually no OSes that do not send MSS. Support for RFC 1323
+   and 2018 is not given, so we have to test various combinations here. */
+
+static u8 opt_combos[8][24] = {
+
+  { MSS(SPECIAL_MSS), NOP, EOL },                           /* 6  */
+
+  { MSS(SPECIAL_MSS), SOK, NOP, EOL },                      /* 8  */
+
+  { MSS(SPECIAL_MSS), WS(5), NOP, EOL },                    /* 9  */
+
+  { MSS(SPECIAL_MSS), WS(5), SOK, NOP, EOL },               /* 12 */
+
+  { MSS(SPECIAL_MSS), TS(1337, 0), NOP, EOL },              /* 17 */
+
+  { MSS(SPECIAL_MSS), SOK, TS(1337, 0), NOP, EOL },         /* 19 */
+
+  { MSS(SPECIAL_MSS), WS(5), TS(1337, 0), NOP, EOL },       /* 20 */
+
+  { MSS(SPECIAL_MSS), WS(5), SOK,  TS(1337, 0), NOP, EOL }  /* 22 */
+
+};
+
+
+int main(int argc, char** argv) {
+
+  static struct sockaddr_in sin;
+  char one = 1;
+  s32  sock;
+  u32  i;
+
+  static u8 work_buf[MIN_TCP4 + 24];
+
+  struct ipv4_hdr* ip4 = (struct ipv4_hdr*)work_buf;
+  struct tcp_hdr*  tcp = (struct tcp_hdr*)(ip4 + 1);
+  u8 *opts = work_buf + MIN_TCP4;
+
+
+  if (argc != 4) {
+    ERRORF("Usage: p0f-sendsyn your_ip dst_ip port\n");
+    exit(1);
+  }
+
+  parse_addr(argv[1], ip4->src);
+  parse_addr(argv[2], ip4->dst);
+
+  sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
+
+  if (sock < 0) PFATAL("Can't open raw socket (you need to be root).");
+
+  if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char*)&one, sizeof(char)))
+    PFATAL("setsockopt() on raw socket failed.");
+
+  sin.sin_family = PF_INET;
+  
+  memcpy(&sin.sin_addr.s_addr, ip4->dst, 4);
+
+  ip4->ver_hlen  = 0x45;
+  ip4->tot_len   = htons(MIN_TCP4 + 24);
+  ip4->ttl       = 192;
+  ip4->proto     = PROTO_TCP;
+
+  tcp->dport     = htons(atoi(argv[3]));
+  tcp->seq       = htonl(0x12345678);
+  tcp->doff_rsvd = ((sizeof(struct tcp_hdr) + 24) / 4) << 4;
+  tcp->flags     = TCP_SYN;
+  tcp->win       = htons(SPECIAL_WIN);
+
+  for (i = 0; i < 8; i++) {
+
+    tcp->sport = htons(65535 - i);
+
+    memcpy(opts, opt_combos[i], 24);
+    tcp_cksum(ip4->src, ip4->dst, tcp, 24);
+
+    if (sendto(sock, work_buf, sizeof(work_buf), 0, (struct sockaddr*)&sin,
+        sizeof(struct sockaddr_in)) < 0) PFATAL("sendto() fails.");
+
+    usleep(100000);
+
+  }
+
+  SAYF("Eight packets sent! Check p0f output to examine responses, if any.\n");
+
+  return 0;
+
+}
+
--- a/docker/p0f/tools/p0f-sendsyn6.c
+++ b/docker/p0f/tools/p0f-sendsyn6.c
@ -0,0 +1,198 @@
+/*
+   p0f-sendsyn6 - IPv6 SYN sender
+   ------------------------------
+
+   This trivial utility sends 8 SYN packets to open ports on destination hosts,
+   and lets you capture SYN+ACK signatures. The problem with SYN+ACK
+   fingerprinting is that on some systems, the response varies depending on the
+   use of window scaling, timestamps, or selective ACK in the initial SYN - so
+   this utility is necessary to exercise all the code paths.
+   
+   Note that the IPv6 variant will not compile properly if you don't have
+   IPv6-enabled libc; and will not work unless your kernel actually supports
+   IPv6.
+
+   Copyright (C) 2012 by Michal Zalewski <lcamtuf@coredump.cx>
+
+   Distributed under the terms and conditions of GNU LGPL.
+
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <string.h>
+#include <netdb.h>
+#include <errno.h>
+#include <ctype.h>
+
+#include <netinet/in.h>
+#include <arpa/inet.h>
+#include <sys/types.h>
+#include <sys/time.h>
+#include <sys/socket.h>
+
+#include "../types.h"
+#include "../config.h"
+#include "../alloc-inl.h"
+#include "../debug.h"
+#include "../tcp.h"
+
+
+/* Do a basic IPv6 TCP checksum. */
+
+static void tcp_cksum(u8* src, u8* dst, struct tcp_hdr* t, u8 opt_len) {
+
+  u32 sum, i;
+  u8* p;
+
+  if (opt_len % 4) FATAL("Packet size not aligned to 4.");
+
+  t->cksum = 0;
+
+  sum = PROTO_TCP + sizeof(struct tcp_hdr) + opt_len;
+
+  p = (u8*)t;
+
+  for (i = 0; i < sizeof(struct tcp_hdr) + opt_len; i += 2, p += 2)
+    sum += (*p << 8) + p[1];
+
+  p = src;
+
+  for (i = 0; i < 16; i += 2, p += 2) sum += (*p << 8) + p[1];
+
+  p = dst;
+
+  for (i = 0; i < 16; i += 2, p += 2) sum += (*p << 8) + p[1];
+
+  t->cksum = htons(~(sum + (sum >> 16)));
+
+}
+
+
+/* Parse IPv6 address into a buffer. */
+
+static void parse_addr(char* str, u8* ret) { 
+
+  u32 seg = 0;
+  u32 val;
+  
+  while (*str) {
+
+    if (seg == 8) FATAL("Malformed IPv6 address (too many segments).");
+
+    if (sscanf((char*)str, "%x", &val) != 1 ||
+        val > 65535) FATAL("Malformed IPv6 address (bad octet value).");
+
+    ret[seg * 2] = val >> 8;
+    ret[seg * 2 + 1] = val;
+
+    seg++;
+
+    while (isxdigit(*str)) str++;
+    if (*str) str++;
+
+  }
+
+  if (seg != 8) FATAL("Malformed IPv6 address (don't abbreviate).");
+
+} 
+
+
+#define W(_x) (_x) >> 8, (_x) & 0xff
+#define D(_x) (_x) >> 24, ((_x) >> 16) & 0xff, ((_x) >> 8) & 0xff, (_x) & 0xff
+
+#define EOL       TCPOPT_EOL
+#define NOP       TCPOPT_NOP
+#define MSS(_x)   TCPOPT_MAXSEG, 4, W(_x)
+#define WS(_x)    TCPOPT_WSCALE, 3, (_x)
+#define SOK       TCPOPT_SACKOK, 2
+#define TS(_x,_y) TCPOPT_TSTAMP, 10, D(_x), D(_y)
+
+/* There are virtually no OSes that do not send MSS. Support for RFC 1323
+   and 2018 is not given, so we have to test various combinations here. */
+
+static u8 opt_combos[8][24] = {
+
+  { MSS(SPECIAL_MSS), NOP, EOL },                           /* 6  */
+
+  { MSS(SPECIAL_MSS), SOK, NOP, EOL },                      /* 8  */
+
+  { MSS(SPECIAL_MSS), WS(5), NOP, EOL },                    /* 9  */
+
+  { MSS(SPECIAL_MSS), WS(5), SOK, NOP, EOL },               /* 12 */
+
+  { MSS(SPECIAL_MSS), TS(1337, 0), NOP, EOL },              /* 17 */
+
+  { MSS(SPECIAL_MSS), SOK, TS(1337, 0), NOP, EOL },         /* 19 */
+
+  { MSS(SPECIAL_MSS), WS(5), TS(1337, 0), NOP, EOL },       /* 20 */
+
+  { MSS(SPECIAL_MSS), WS(5), SOK,  TS(1337, 0), NOP, EOL }  /* 22 */
+
+};
+
+int main(int argc, char** argv) {
+
+  static struct sockaddr_in6 sin;
+  char one = 1;
+  s32  sock;
+  u32  i;
+
+  static u8 work_buf[MIN_TCP6 + 24];
+
+  struct ipv6_hdr* ip6 = (struct ipv6_hdr*)work_buf;
+  struct tcp_hdr*  tcp = (struct tcp_hdr*)(ip6 + 1);
+  u8 *opts = work_buf + MIN_TCP6;
+
+
+  if (argc != 4) {
+    ERRORF("Usage: p0f-sendsyn your_ip dst_ip port\n");
+    exit(1);
+  }
+
+  parse_addr(argv[1], ip6->src);
+  parse_addr(argv[2], ip6->dst);
+
+  sock = socket(AF_INET, SOCK_RAW, IPPROTO_IPV6);
+
+  if (sock < 0) PFATAL("Can't open raw socket (you need to be root).");
+
+  if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char*)&one, sizeof(char)))
+    PFATAL("setsockopt() on raw socket failed.");
+
+  sin.sin6_family = PF_INET6;
+  
+  memcpy(&sin.sin6_addr, ip6->dst, 16);
+
+  ip6->ver_tos = ntohl(6 << 24);
+  ip6->pay_len = ntohs(sizeof(struct tcp_hdr) + 24);
+  ip6->proto   = PROTO_TCP;
+  ip6->ttl     = 192;
+
+  tcp->dport     = htons(atoi(argv[3]));
+  tcp->seq       = htonl(0x12345678);
+  tcp->doff_rsvd = ((sizeof(struct tcp_hdr) + 24) / 4) << 4;
+  tcp->flags     = TCP_SYN;
+  tcp->win       = htons(SPECIAL_WIN);
+
+  for (i = 0; i < 8; i++) {
+
+    tcp->sport = htons(65535 - i);
+
+    memcpy(opts, opt_combos[i], 24);
+    tcp_cksum(ip6->src, ip6->dst, tcp, 24);
+
+    if (sendto(sock, work_buf, sizeof(work_buf), 0, (struct sockaddr*)&sin,
+        sizeof(struct sockaddr_in6)) < 0) PFATAL("sendto() fails.");
+
+    usleep(100000);
+
+  }
+
+  SAYF("Eight packets sent! Check p0f output to examine responses, if any.\n");
+
+  return 0;
+
+}
+