From 865a5bb1714dd1fb937aa86d9c86c4fb07d6c32b Mon Sep 17 00:00:00 2001
From: srinivas11789
Date: Tue, 7 May 2019 06:09:32 -0700
Subject: [PATCH] :trident: lan gateway identification - rework the mac logic/relation

---
 Source/Module/communication_details_fetch.py | 6 +-
 Source/Module/device_details_fetch.py | 16 +-
 Source/Module/malicious_traffic_identifier.py | 2 +-
 Source/Module/pcap_reader.py | 13 +-
 Source/Module/plot_lan_network.py | 208 ++++++++++--------
 5 files changed, 139 insertions(+), 106 deletions(-)

diff --git a/Source/Module/communication_details_fetch.py b/Source/Module/communication_details_fetch.py
index eca965c..0214b98 100644
--- a/Source/Module/communication_details_fetch.py
+++ b/Source/Module/communication_details_fetch.py
@@ -14,11 +14,11 @@ class trafficDetailsFetch():
 def __init__(self, option):
 for host in memory.destination_hosts:
- if not memory.destination_hosts[host]:
+ if "domain_name" not in memory.destination_hosts[host]:
 if option == "whois":
- memory.destination_hosts[host] = self.whois_info_fetch(host)
+ memory.destination_hosts[host]["domain_name"] = self.whois_info_fetch(host)
 else:
- memory.destination_hosts[host] = self.dns(host)
+ memory.destination_hosts[host]["domain_name"] = self.dns(host)
 def whois_info_fetch(self, ip):
 try:
diff --git a/Source/Module/device_details_fetch.py b/Source/Module/device_details_fetch.py
index 72ed20a..07d0d76 100644
--- a/Source/Module/device_details_fetch.py
+++ b/Source/Module/device_details_fetch.py
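Review bot: The new guard `if "domain_name" not in memory.destination_hosts[host]` treats every key of `destination_hosts` as a resolvable address, but the `pcap_reader` hunk in this same patch stores outbound destinations under the Ethernet destination MAC (`memory.destination_hosts[packet[eth_layer].dst] = {"ip": ...}`), so `host` can be a MAC string that is then handed to `whois_info_fetch` and `dns`. A cheap way to keep the lookup meaningful regardless of which producer wins is to resolve the entry's IP field when present: `target = memory.destination_hosts[host].get("ip", host)` and pass `target` to both calls. Independently of that, both paths presumably send every destination seen in the capture to an external WHOIS or DNS service, which an analyst working a sensitive capture may not want; a one-line docstring on `__init__` such as `"""Resolve each destination host via WHOIS or DNS -- this contacts external services."""` makes that trade-off visible. `whois_info_fetch` continues past the end of the hunk.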
@@ -20,17 +20,17 @@ def __init__(self, option="ieee"):
 self.target_oui_database = option
 def fetch_info(self):
- for ip in memory.lan_hosts:
+ for mac in memory.lan_hosts:
 if self.target_oui_database == "api":
- memory.lan_hosts[ip]["device_vendor"] = self.oui_identification_via_api(memory.lan_hosts[ip]["mac"])
+ memory.lan_hosts[mac]["device_vendor"] = self.oui_identification_via_api(mac)
 else:
- memory.lan_hosts[ip]["device_vendor"], memory.lan_hosts[ip]["vendor_address"] = self.oui_identification_via_ieee(memory.lan_hosts[ip]["mac"])
- mac = memory.lan_hosts[ip]["mac"].replace(":",".")
- if ":" in ip:
- ip_san = ip.replace(":",".")
+ memory.lan_hosts[mac]["device_vendor"], memory.lan_hosts[mac]["vendor_address"] = self.oui_identification_via_ieee(mac)
+ mac_san = mac.replace(":",".")
+ if ":" in memory.lan_hosts[mac]["ip"]:
+ ip_san = memory.lan_hosts[mac]["ip"].replace(":",".")
 else:
- ip_san = ip
- memory.lan_hosts[ip]["node"] = ip_san+"\n"+mac+"\n"+memory.lan_hosts[ip]['device_vendor']
+ ip_san = memory.lan_hosts[mac]["ip"]
+ memory.lan_hosts[mac]["node"] = ip_san+"\n"+mac_san+"\n"+memory.lan_hosts[mac]['device_vendor']
 def oui_identification_via_api(self, mac):
 url = "http://macvendors.co/api/" + mac
diff --git a/Source/Module/malicious_traffic_identifier.py b/Source/Module/malicious_traffic_identifier.py
index 75cf146..ee46119 100644
--- a/Source/Module/malicious_traffic_identifier.py
+++ b/Source/Module/malicious_traffic_identifier.py
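Review bot: `fetch_info` now uses the raw dictionary key as the MAC and, on the `api` path, hands it straight to `oui_identification_via_api`, whose URL (`"http://macvendors.co/api/" + mac`, the hunk's last context line) is fetched over plain HTTP; with the patch's `pcap_reader` change recording the Ethernet destination of every intra-LAN packet, broadcast and multicast MACs (`ff:ff:ff:ff:ff:ff`, `01:00:5e:...`) become `lan_hosts` entries whenever the upstream private-range test admits their IP (a directed broadcast like 192.168.1.255 presumably does), and each one triggers a vendor lookup and a node labelled with whatever group address was seen last. Skip group addresses before the lookup, e.g. `if int(mac.split(":")[0], 16) & 1: continue` right after `for mac in memory.lan_hosts:`, and prefer `https://` if the service offers it, since the set of queried MACs is a fingerprint of the monitored LAN. The lookup helpers `oui_identification_via_api` and `oui_identification_via_ieee` continue outside the hunk.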
@@ -19,7 +19,7 @@ def __init__(self):
 def malicious_traffic_detection(self, src, dst, port):
 very_well_known_ports = [443] # used to differentiate possible mal vs serious mal
 well_known_ports = [20, 21, 22, 23, 25, 53, 69, 80, 161, 179, 389, 443]
- if (dst in memory.destination_hosts and memory.destination_hosts[dst] == "NotResolvable") or port not in well_known_ports:
+ if (dst in memory.destination_hosts and memory.destination_hosts[dst]["domain_name"] == "NotResolvable") or port not in well_known_ports:
 return 1
 else:
 return 0
diff --git a/Source/Module/pcap_reader.py b/Source/Module/pcap_reader.py
index b0895ab..5c744e8 100644
--- a/Source/Module/pcap_reader.py
+++ b/Source/Module/pcap_reader.py
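Review bot: `memory.destination_hosts[dst]["domain_name"]` raises KeyError where the old equality test simply evaluated false: the entry is created by `pcap_reader` without that key (`{"mac": ...}` / `{"ip": ...}`) and only filled in by `trafficDetailsFetch`, so running detection before, or without, name resolution now aborts on the first flow to a known destination. Use `memory.destination_hosts[dst].get("domain_name") == "NotResolvable"`. That line also deserves a comment that a failed lookup is a weak signal, since it fires identically when the analysis box itself has no DNS or WHOIS reachability: `# NotResolvable is a heuristic: it also triggers when the analyst's own resolver is offline`.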
@@ -112,22 +112,21 @@ def analyse_packet_data(self):
 else:
 source_private_ip = key1
 # IntraNetwork Hosts list
- memory.lan_hosts[packet[IP].src] = {"mac": packet[eth_layer].src}
- memory.lan_hosts[packet[IP].dst] = {"mac": packet[eth_layer].dst}
+ memory.lan_hosts[packet[eth_layer].src] = {"ip": packet[IP].src}
+ memory.lan_hosts[packet[eth_layer].dst] = {"ip": packet[IP].dst}
 elif private_source: # Internetwork packet
 key = packet[IP].src + "/" + packet[IP].dst + "/" + tcp_dst
 source_private_ip = key
 # IntraNetwork vs InterNetwork Hosts list
- memory.lan_hosts[packet[IP].src] = {"mac": packet[eth_layer].src}
- memory.destination_hosts[packet[IP].dst] = {}
+ memory.lan_hosts[packet[eth_layer].src] = {"ip": packet[IP].src}
+ memory.destination_hosts[packet[eth_layer].dst] = {"ip": packet[IP].dst}
 elif private_destination: # Internetwork packet
 #print(packet.show())
 key = packet[IP].dst + "/" + packet[IP].src + "/" + tcp_src
 source_private_ip = key
 # IntraNetwork vs InterNetwork Hosts list
- memory.lan_hosts[packet[IP].dst] = {"mac": packet[eth_layer].dst}
- memory.destination_hosts[packet[IP].src] = {}
-
+ memory.lan_hosts[packet[eth_layer].dst] = {"ip": packet[IP].dst}
+ memory.destination_hosts[packet[IP].src] = {"mac": packet[eth_layer].src}
 elif "ICMP" in packet:
 key = packet[IP].src + "/" + packet[IP].dst + "/" + "ICMP"
 source_private_ip = key
diff --git a/Source/Module/plot_lan_network.py b/Source/Module/plot_lan_network.py
index f1547bd..dab5a95 100644
--- a/Source/Module/plot_lan_network.py
+++ b/Source/Module/plot_lan_network.py
@@ -28,7 +28,7 @@ def __init__(self, filename, path, option="Tor"):
 'fontcolor': 'black',
 'bgcolor': 'grey',
 'rankdir': 'BT',
- 'dpi':'600'
+ 'dpi':'1000'
 },
 'nodes': {
 'fontname': 'Helvetica',
@@ -76,7 +76,7 @@ def draw_graph(self,option="All"):
 f.attr(rankdir='LR', size='8,5')
 f.attr('node', shape='doublecircle')
- f.node('defaultGateway')
+ #f.node('defaultGateway')
 f.attr('node', shape='circle')
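Review bot: The two Internetwork branches now disagree about the shape of `destination_hosts`: the `private_source` branch writes `memory.destination_hosts[packet[eth_layer].dst] = {"ip": packet[IP].dst}` (keyed by MAC, carrying an `ip` field) while the `private_destination` branch writes `memory.destination_hosts[packet[IP].src] = {"mac": packet[eth_layer].src}` (keyed by IP, carrying a `mac` field). Every consumer in this patch expects the second shape (`plot_lan_network` reads `destination_hosts[dst]["mac"]` with an IP `dst`, `malicious_traffic_identifier` indexes by `dst`, `trafficDetailsFetch` resolves the keys), so destinations that only ever appear as outbound targets never match in the graph and their MAC keys are sent off to WHOIS/DNS. Change the outbound line to `memory.destination_hosts[packet[IP].dst] = {"mac": packet[eth_layer].dst}`. Note that the Ethernet destination recorded here is what the graph later labels "PossibleGateway", i.e. the L2 next hop is trusted as-is; in an ARP-spoofed capture that is the attacker's MAC, which is useful to see but should be said in the comment above these lines. `analyse_packet_data` starts before and continues after the hunk.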
@@ -99,38 +99,44 @@ def draw_graph(self,option="All"):
 map_dst = dst
 # Lan Host
- if src not in memory.lan_hosts:
- curr_node = map_src
+ if memory.packet_db[session]["Ethernet"]["src"] not in memory.lan_hosts:
+ curr_node = map_src+"\n"+memory.packet_db[session]["Ethernet"]["src"].replace(":",".")
 f.node(curr_node)
 else:
- curr_node = memory.lan_hosts[src]["node"]
+ curr_node = memory.lan_hosts[memory.packet_db[session]["Ethernet"]["src"]]["node"]
 f.node(curr_node)
 # Destination
 if dst in memory.destination_hosts:
- destination = 'defaultGateway'
- dlabel = memory.destination_hosts[dst]
+ if memory.destination_hosts[dst]["mac"] in memory.lan_hosts:
+ destination = memory.lan_hosts[memory.destination_hosts[dst]["mac"]]["node"]
+ dlabel = memory.destination_hosts[dst]["domain_name"]
+ else:
+ destination = memory.destination_hosts[dst]["mac"].replace(":",".")
+ destination += "\n"+"PossibleGateway"
+ dlabel = memory.destination_hosts[dst]["domain_name"]
 else:
- if dst in memory.lan_hosts:
- destination = memory.lan_hosts[dst]["node"]
+ if memory.packet_db[session]["Ethernet"]["dst"] in memory.lan_hosts:
+ destination = memory.lan_hosts[memory.packet_db[session]["Ethernet"]["dst"]]["node"]
 dlabel = ""
 else:
- destination = dst
+ destination = map_dst+"\n"+memory.packet_db[session]["Ethernet"]["dst"].replace(":",".")
 dlabel = ""
- if session in memory.possible_tor_traffic:
- f.edge(curr_node, destination, label='TOR: ' + str(map_dst) ,color="white")
- elif session in memory.possible_mal_traffic:
- f.edge(curr_node, destination, label='Malicious: ' + str(map_dst) ,color="red")
- else:
- if port == "443":
- f.edge(curr_node, destination, label='HTTPS: ' + map_dst +": "+dlabel, color = "blue")
- if port == "80":
- f.edge(curr_node, destination, label='HTTP: ' + map_dst +": "+dlabel, color = "green")
- if port == "ICMP":
- f.edge(curr_node, destination, label='ICMP: ' + str(map_dst) ,color="black")
- if port == "53":
- f.edge(curr_node, destination, label='DNS: ' 
str(map_dst) ,color="orange")
+ if curr_node != destination:
+ if session in memory.possible_tor_traffic:
+ f.edge(curr_node, destination, label='TOR: ' + str(map_dst) ,color="white")
+ elif session in memory.possible_mal_traffic:
+ f.edge(curr_node, destination, label='Malicious: ' + str(map_dst) ,color="red")
+ else:
+ if port == "443":
+ f.edge(curr_node, destination, label='HTTPS: ' + map_dst +": "+dlabel, color = "blue")
+ if port == "80":
+ f.edge(curr_node, destination, label='HTTP: ' + map_dst +": "+dlabel, color = "green")
+ if port == "ICMP":
+ f.edge(curr_node, destination, label='ICMP: ' + str(map_dst) ,color="black")
+ if port == "53":
+ f.edge(curr_node, destination, label='DNS: ' + str(map_dst) ,color="orange")
 elif option == "HTTP":
 for session in self.sessions:
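Review bot: `memory.destination_hosts[dst]["mac"]` and `memory.destination_hosts[dst]["domain_name"]` are indexed unconditionally in the new Destination block, but neither key is guaranteed: the `pcap_reader` hunk in this patch creates outbound entries as `{"ip": ...}` with no `mac`, and `domain_name` is only added by `trafficDetailsFetch`, so one missing key aborts the whole render with KeyError instead of degrading a single edge. Read both with a default before branching: `dst_mac = memory.destination_hosts[dst].get("mac", "")`, `dlabel = memory.destination_hosts[dst].get("domain_name", "")`, then test `if dst_mac in memory.lan_hosts:`. The new `if curr_node != destination:` guard also silently drops any session whose two endpoints resolve to the same node; a short comment stating why self-edges are suppressed would save the next reader a question. `draw_graph` starts before the hunk.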
@@ -147,27 +153,31 @@ def draw_graph(self,option="All"):
 map_dst = dst
 # Lan Host
- if src not in memory.lan_hosts:
- curr_node = map_src
+ if memory.packet_db[session]["Ethernet"]["src"] not in memory.lan_hosts:
+ curr_node = map_src+"\n"+memory.packet_db[session]["Ethernet"]["src"].replace(":",".")
 f.node(curr_node)
 else:
- curr_node = memory.lan_hosts[src]["node"]
+ curr_node = memory.lan_hosts[memory.packet_db[session]["Ethernet"]["src"]]["node"]
 f.node(curr_node)
-
- # Destination Host
+
+ # Destination
 if dst in memory.destination_hosts:
- destination = 'defaultGateway'
- dlabel = memory.destination_hosts[dst]
+ if memory.destination_hosts[dst]["mac"] in memory.lan_hosts:
+ destination = memory.lan_hosts[memory.destination_hosts[dst]["mac"]]["node"]
+ dlabel = memory.destination_hosts[dst]["domain_name"]
+ else:
+ destination = memory.destination_hosts[dst]["mac"].replace(":",".")
+ destination += "\n"+"PossibleGateway"
+ dlabel = memory.destination_hosts[dst]["domain_name"]
 else:
- if dst in memory.lan_hosts:
- destination = memory.lan_hosts[dst]["node"]
+ if memory.packet_db[session]["Ethernet"]["dst"] in memory.lan_hosts:
+ destination = memory.lan_hosts[memory.packet_db[session]["Ethernet"]["dst"]]["node"]
 dlabel = ""
 else:
- destination = dst
+ destination = map_dst+"\n"+memory.packet_db[session]["Ethernet"]["dst"].replace(":",".")
 dlabel = ""
-
- if port == "80":
+ if port == "80" and curr_node != destination:
 f.edge(curr_node, destination, label='HTTP: ' + str(map_dst)+": "+dlabel, color = "green")
 elif option == "HTTPS":
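Review bot: The source/destination resolution added here (from `# Lan Host` through the second `dlabel = ""`) is repeated verbatim in the All, HTTPS, Tor, Malicious, ICMP and DNS branches of `draw_graph`, so every later correction (tolerating a missing `mac` or `domain_name` key, changing the `PossibleGateway` heuristic) has to be made seven times. Extract it into one private helper that returns `(curr_node, destination, dlabel)` and call it from each branch, as sketched below; that also makes the gateway inference a single documented decision point rather than a copy-pasted expression. `draw_graph` starts before the hunk, so the helper would sit next to it in the class.

```python
    def _resolve_nodes(self, session, dst, map_src, map_dst):
        """Return (curr_node, destination, dlabel) for one session.

        The LAN side is identified by its Ethernet MAC; an external
        destination is drawn either at the LAN node that owns its egress
        MAC or at a synthetic "PossibleGateway" node for that MAC.
        """
        eth = memory.packet_db[session]["Ethernet"]
        if eth["src"] in memory.lan_hosts:
            curr_node = memory.lan_hosts[eth["src"]]["node"]
        else:
            curr_node = map_src + "\n" + eth["src"].replace(":", ".")
        dlabel = ""
        if dst in memory.destination_hosts:
            dst_mac = memory.destination_hosts[dst].get("mac", "")
            dlabel = memory.destination_hosts[dst].get("domain_name", "")
            if dst_mac in memory.lan_hosts:
                destination = memory.lan_hosts[dst_mac]["node"]
            else:
                # Egress MAC never seen as a LAN host: assume it is the gateway.
                destination = dst_mac.replace(":", ".") + "\n" + "PossibleGateway"
        elif eth["dst"] in memory.lan_hosts:
            destination = memory.lan_hosts[eth["dst"]]["node"]
        else:
            destination = map_dst + "\n" + eth["dst"].replace(":", ".")
        return curr_node, destination, dlabel

    # … unchanged: draw_graph up to the HTTP branch's session/src/dst/port extraction …
                curr_node, destination, dlabel = self._resolve_nodes(session, dst, map_src, map_dst)
                f.node(curr_node)
                if port == "80" and curr_node != destination:
                    f.edge(curr_node, destination, label='HTTP: ' + str(map_dst)+": "+dlabel, color = "green")
```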
@@ -185,27 +195,31 @@ def draw_graph(self,option="All"):
 map_dst = dst
 # Lan Host
- if src not in memory.lan_hosts:
- curr_node = map_src
+ if memory.packet_db[session]["Ethernet"]["src"] not in memory.lan_hosts:
+ curr_node = map_src+"\n"+memory.packet_db[session]["Ethernet"]["src"].replace(":",".")
 f.node(curr_node)
 else:
- curr_node = memory.lan_hosts[src]["node"]
+ curr_node = memory.lan_hosts[memory.packet_db[session]["Ethernet"]["src"]]["node"]
 f.node(curr_node)
- # Destination Host
+ # Destination
 if dst in memory.destination_hosts:
- destination = 'defaultGateway'
- dlabel = memory.destination_hosts[dst]
+ if memory.destination_hosts[dst]["mac"] in memory.lan_hosts:
+ destination = memory.lan_hosts[memory.destination_hosts[dst]["mac"]]["node"]
+ dlabel = memory.destination_hosts[dst]["domain_name"]
+ else:
+ destination = memory.destination_hosts[dst]["mac"].replace(":",".")
+ destination += "\n"+"PossibleGateway"
+ dlabel = memory.destination_hosts[dst]["domain_name"]
 else:
- if dst in memory.lan_hosts:
- destination = memory.lan_hosts[dst]["node"]
+ if memory.packet_db[session]["Ethernet"]["dst"] in memory.lan_hosts:
+ destination = memory.lan_hosts[memory.packet_db[session]["Ethernet"]["dst"]]["node"]
 dlabel = ""
 else:
- destination = dst
+ destination = map_dst+"\n"+memory.packet_db[session]["Ethernet"]["dst"].replace(":",".")
 dlabel = ""
-
- if port == "443":
+ if port == "443" and curr_node != destination:
 f.edge(curr_node, destination, label='HTTPS: ' + str(map_dst)+": "+dlabel, color = "blue")
 elif option == "Tor":
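Review bot: The `.replace(":",".")` applied to the Ethernet addresses in the new fallback node names (and, via `fetch_info`, to IPv6 text) is undocumented; presumably it is there because Graphviz reads `name:port` in a node ID as a port specifier, so a raw colon-separated MAC would be mis-parsed. That reason belongs next to the first use in this branch, e.g. `# ":" is Graphviz's node:port separator, so MACs/IPv6 text are rewritten with "."`, since anyone "tidying" it back to a colon would silently break the rendered graph. It is also worth saying in that comment that the node ID doubles as the visible label here, which is why the sanitised form rather than the original MAC ends up in the picture. `draw_graph` starts before the hunk.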
@@ -223,27 +237,32 @@ def draw_graph(self,option="All"):
 map_dst = dst
 # Lan Host
- if src not in memory.lan_hosts:
- curr_node = map_src
+ if memory.packet_db[session]["Ethernet"]["src"] not in memory.lan_hosts:
+ curr_node = map_src+"\n"+memory.packet_db[session]["Ethernet"]["src"].replace(":",".")
 f.node(curr_node)
 else:
- curr_node = memory.lan_hosts[src]["node"]
+ curr_node = memory.lan_hosts[memory.packet_db[session]["Ethernet"]["src"]]["node"]
 f.node(curr_node)
- # Destination Host
+ # Destination
 if dst in memory.destination_hosts:
- destination = 'defaultGateway'
- dlabel = memory.destination_hosts[dst]
+ if memory.destination_hosts[dst]["mac"] in memory.lan_hosts:
+ destination = memory.lan_hosts[memory.destination_hosts[dst]["mac"]]["node"]
+ dlabel = memory.destination_hosts[dst]["domain_name"]
+ else:
+ destination = memory.destination_hosts[dst]["mac"].replace(":",".")
+ destination += "\n"+"PossibleGateway"
+ dlabel = memory.destination_hosts[dst]["domain_name"]
 else:
- if dst in memory.lan_hosts:
- destination = memory.lan_hosts[dst]["node"]
+ if memory.packet_db[session]["Ethernet"]["dst"] in memory.lan_hosts:
+ destination = memory.lan_hosts[memory.packet_db[session]["Ethernet"]["dst"]]["node"]
 dlabel = ""
 else:
- destination = dst
+ destination = map_dst+"\n"+memory.packet_db[session]["Ethernet"]["dst"].replace(":",".")
 dlabel = ""
- if session in memory.possible_tor_traffic:
+ if session in memory.possible_tor_traffic and curr_node != destination:
 f.edge(curr_node, destination, label='TOR: ' + str(map_dst) ,color="white")
 elif option == "Malicious":
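Review bot: The `else` branch creates one `PossibleGateway` node per egress MAC that was never seen as a LAN host, which is the right shape for a forensic graph, but its meaning is not written down anywhere: in a healthy LAN the Tor (or any external) edges should all terminate at a single such node, and two or more of them in one capture is a strong hint of ARP poisoning, a rogue router or a second uplink. A comment on the `destination += "\n"+"PossibleGateway"` line, `# one node per egress MAC -- more than one PossibleGateway in a capture deserves a look (ARP spoofing / rogue gateway)`, turns the heuristic into something an analyst can act on rather than a label to puzzle over. `draw_graph` starts before the hunk.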
@@ -262,26 +281,31 @@ def draw_graph(self,option="All"):
 map_dst = dst
 # Lan Host
- if src not in memory.lan_hosts:
- curr_node = map_src
+ if memory.packet_db[session]["Ethernet"]["src"] not in memory.lan_hosts:
+ curr_node = map_src+"\n"+memory.packet_db[session]["Ethernet"]["src"].replace(":",".")
 f.node(curr_node)
 else:
- curr_node = memory.lan_hosts[src]["node"]
+ curr_node = memory.lan_hosts[memory.packet_db[session]["Ethernet"]["src"]]["node"]
 f.node(curr_node)
- # Destination Host
+ # Destination
 if dst in memory.destination_hosts:
- destination = 'defaultGateway'
- dlabel = memory.destination_hosts[dst]
+ if memory.destination_hosts[dst]["mac"] in memory.lan_hosts:
+ destination = memory.lan_hosts[memory.destination_hosts[dst]["mac"]]["node"]
+ dlabel = memory.destination_hosts[dst]["domain_name"]
+ else:
+ destination = memory.destination_hosts[dst]["mac"].replace(":",".")
+ destination += "\n"+"PossibleGateway"
+ dlabel = memory.destination_hosts[dst]["domain_name"]
 else:
- if dst in memory.lan_hosts:
- destination = memory.lan_hosts[dst]["node"]
+ if memory.packet_db[session]["Ethernet"]["dst"] in memory.lan_hosts:
+ destination = memory.lan_hosts[memory.packet_db[session]["Ethernet"]["dst"]]["node"]
 dlabel = ""
 else:
- destination = dst
+ destination = map_dst+"\n"+memory.packet_db[session]["Ethernet"]["dst"].replace(":",".")
 dlabel = ""
- if session in memory.possible_mal_traffic:
+ if session in memory.possible_mal_traffic and curr_node != destination:
 f.edge(curr_node, destination, label='Malicious: ' + str(map_dst) ,color="red")
 elif option == "ICMP":
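Review bot: `dlabel` is computed in both arms of the new Destination block and then never used, because the Malicious edge is labelled with `map_dst` only; yet per `malicious_traffic_detection` in this same patch a `NotResolvable` domain is one of only two reasons a session lands in `possible_mal_traffic`, so the graph hides the very evidence that explains the red edge. Either drop the dead assignments or show the name: `f.edge(curr_node, destination, label='Malicious: ' + str(map_dst) + (": " + dlabel if dlabel else ""), color="red")`. `draw_graph` starts before the hunk.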
@@ -297,26 +321,31 @@ def draw_graph(self,option="All"):
 map_dst = dst
 # Lan Host
- if src not in memory.lan_hosts:
- curr_node = map_src
+ if memory.packet_db[session]["Ethernet"]["src"] not in memory.lan_hosts:
+ curr_node = map_src+"\n"+memory.packet_db[session]["Ethernet"]["src"].replace(":",".")
 f.node(curr_node)
 else:
- curr_node = memory.lan_hosts[src]["node"]
+ curr_node = memory.lan_hosts[memory.packet_db[session]["Ethernet"]["src"]]["node"]
 f.node(curr_node)
- # Destination Host
+ # Destination
 if dst in memory.destination_hosts:
- destination = 'defaultGateway'
- dlabel = memory.destination_hosts[dst]
+ if memory.destination_hosts[dst]["mac"] in memory.lan_hosts:
+ destination = memory.lan_hosts[memory.destination_hosts[dst]["mac"]]["node"]
+ dlabel = memory.destination_hosts[dst]["domain_name"]
+ else:
+ destination = memory.destination_hosts[dst]["mac"].replace(":",".")
+ destination += "\n"+"PossibleGateway"
+ dlabel = memory.destination_hosts[dst]["domain_name"]
 else:
- if dst in memory.lan_hosts:
- destination = memory.lan_hosts[dst]["node"]
+ if memory.packet_db[session]["Ethernet"]["dst"] in memory.lan_hosts:
+ destination = memory.lan_hosts[memory.packet_db[session]["Ethernet"]["dst"]]["node"]
 dlabel = ""
 else:
- destination = dst
+ destination = map_dst+"\n"+memory.packet_db[session]["Ethernet"]["dst"].replace(":",".")
 dlabel = ""
- if protocol == "ICMP":
+ if protocol == "ICMP" and curr_node != destination:
 f.edge(curr_node, destination, label='ICMP: ' + str(map_dst) ,color="black")
 elif option == "DNS":
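Review bot: `memory.packet_db[session]["Ethernet"]` is hard-coded and evaluated up to three times per session, while the `pcap_reader` hunk in this patch reads the link layer through a variable (`packet[eth_layer]`), which suggests the layer is not always Ethernet; if `packet_db` mirrors that for cooked-capture or Wi-Fi pcaps, every ICMP session here raises KeyError. Hoist the lookup once and skip sessions without it: `eth = memory.packet_db[session].get("Ethernet")` followed by `if eth is None: continue`, then use `eth["src"]` / `eth["dst"]` in the branches below. This is inferred from the `eth_layer` name only; if `packet_db` always stores the layer under `"Ethernet"` the hoist is still worth doing for readability. `draw_graph` starts before the hunk.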
@@ -332,32 +361,37 @@ def draw_graph(self,option="All"):
 map_dst = dst
 # Lan Host
- if src not in memory.lan_hosts:
- curr_node = map_src
+ if memory.packet_db[session]["Ethernet"]["src"] not in memory.lan_hosts:
+ curr_node = map_src+"\n"+memory.packet_db[session]["Ethernet"]["src"].replace(":",".")
 f.node(curr_node)
 else:
- curr_node = memory.lan_hosts[src]["node"]
+ curr_node = memory.lan_hosts[memory.packet_db[session]["Ethernet"]["src"]]["node"]
 f.node(curr_node)
- # Destination Host
+ # Destination
 if dst in memory.destination_hosts:
- destination = 'defaultGateway'
- dlabel = memory.destination_hosts[dst]
+ if memory.destination_hosts[dst]["mac"] in memory.lan_hosts:
+ destination = memory.lan_hosts[memory.destination_hosts[dst]["mac"]]["node"]
+ dlabel = memory.destination_hosts[dst]["domain_name"]
+ else:
+ destination = memory.destination_hosts[dst]["mac"].replace(":",".")
+ destination += "\n"+"PossibleGateway"
+ dlabel = memory.destination_hosts[dst]["domain_name"]
 else:
- if dst in memory.lan_hosts:
- destination = memory.lan_hosts[dst]["node"]
+ if memory.packet_db[session]["Ethernet"]["dst"] in memory.lan_hosts:
+ destination = memory.lan_hosts[memory.packet_db[session]["Ethernet"]["dst"]]["node"]
 dlabel = ""
 else:
- destination = dst
+ destination = map_dst+"\n"+memory.packet_db[session]["Ethernet"]["dst"].replace(":",".")
 dlabel = ""
- if port == "53":
+ if port == "53" and curr_node != destination:
 f.edge(curr_node, destination, label='DNS: ' + str(map_dst) ,color="orange")
 self.apply_styles(f,self.styles)
 f.render()
-
+
 def main():
 # draw example
 pcapfile = pcap_reader.PcapEngine('examples/torExample.pcap', "scapy")
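Review bot: `memory.lan_hosts[...]["node"]` is read for both endpoints, but `node` is not set by `pcap_reader` (entries are created as `{"ip": ...}`); it is only added by `fetch_info` in `device_details_fetch`, so rendering the DNS view without the OUI step raises KeyError on the first LAN host. With `eth_src = memory.packet_db[session]["Ethernet"]["src"]` hoisted once, fall back to the same format the non-LAN branch already uses, `curr_node = memory.lan_hosts[eth_src].get("node", map_src + "\n" + eth_src.replace(":", "."))`, and likewise for the destination, so the graph degrades to vendor-less nodes instead of failing. The trailing `def main():` context is unchanged apart from the whitespace-only line. `draw_graph` starts before the hunk.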