1# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved. 

2# 

3# This software is provided under under a slightly modified version 

4# of the Apache Software License. See the accompanying LICENSE file 

5# for more information. 

6# 

7 

8from impacket import structure 

9from impacket.ImpactPacket import ProtocolPacket 

10 

class BootpPacket(ProtocolPacket, structure.Structure):
    """BOOTP fixed header, declared as a field table for ``structure.Structure``.

    Each ``commonHdr`` entry is ``(name, format)`` or
    ``(name, format, expression)``. The format strings and the embedded
    expressions are interpreted by ``impacket.structure``, which is not part
    of this file, so remarks below that depend on that interpretation are
    marked for confirmation.
    """
    commonHdr = (
            ('op','b'),
            ('htype','b=1'),    # 1 = Ether
            # NOTE(review): 'b' is presumably struct's signed byte. If so, an
            # on-wire hlen of 0x80 or more parses as a negative number and the
            # '_chaddr[:hlen]' slice below then counts from the end of the
            # field instead of being capped at its length. The value comes
            # straight from the packet; confirm whether 'B' was intended.
            ('hlen','b=len(chaddr)'),
            ('hops','b=0'),
            ('xid','!L=0'),
            ('secs','!H=0'),
            ('flags','!H=0'),
            ('ciaddr','!L=0'),
            ('yiaddr','!L=0'),
            ('siaddr','!L=0'),
            ('giaddr','!L=0'),
            # '_chaddr' is the 16-byte field; 'chaddr' is derived from it by
            # the slice expression, i.e. its length is driven by hlen.
            ('_chaddr','16s=chaddr'),
            ('chaddr','_','_chaddr[:hlen]'),
            ('sname','64s=""'),
            ('file','128s=""'))

    def __init__(self, data = None, alignment = 0):
        """Initialise through ``structure.Structure.__init__``.

        Both arguments are passed on unchanged. Only the Structure
        initialiser is called here; ``ProtocolPacket.__init__`` is not.
        """
        structure.Structure.__init__(self, data, alignment)

31 

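class DhcpPacket(ProtocolPacket, structure.Structure):
    """DHCP payload: the magic cookie followed by a run of options.

    The ``structure`` table at the end of the class ties the raw option
    string to ``packOptions`` / ``unpackOptions`` through expression strings
    that ``impacket.structure`` evaluates (that module is not part of this
    file). Parsed options are exposed as a list of ``(name, value)`` tuples
    in ``self.fields['options']``.

    The code indexes byte strings one character at a time and calls
    ``ord()`` on the result, i.e. it is written for Python 2 ``str`` data.

    Everything returned by the parsing methods originates from the network.
    Values with the ``':'`` format (host-name, domain-name, message, ...) are
    handed back as received, so callers should validate them before using
    them in logs, file names or further protocol decisions.
    """
    # DHCP: https://www.ietf.org/rfc/rfc2131.txt
    # DHCP Options: https://www.ietf.org/rfc/rfc1533.txt
    # good list of options: http://www.networksorcery.com/enp/protocol/bootp/options.htm
    MAGIC_NUMBER    = 0x63825363
    BOOTREQUEST     = 1
    BOOTREPLY       = 2

    DHCPDISCOVER= 1
    DHCPOFFER   = 2
    DHCPREQUEST = 3
    DHCPDECLINE = 4
    DHCPACK     = 5
    DHCPNAK     = 6
    DHCPRELEASE = 7
    DHCPINFORM  = 8

    # name -> (option code, Structure format). The section headings follow
    # the numbering of RFC 1533.
    options = {
        # 3. Vendor Extensions
        'pad':(0,'_'),
        'subnet-mask':(1,'!L'),
        'time-offset':(2,'!L'),
        'router':(3,'*!L'),
        'time-server':(4,'*!L'),
        'name-server':(5,'*!L'),
        'domain-name-server':(6,'*!L'),
        'log-server':(7,'*!L'),
        'cookie-server':(8,'*!L'),
        'lpr-server':(9,'*!L'),
        'impress-server':(10,'*!L'),
        'resource-locator-server':(11,'*!L'),
        'host-name':(12,':'),
        'boot-file-size':(13,'!H'),
        'merit-dump-file':(14,':'),
        'domain-name':(15,':'),
        'swap-server':(16,':'),
        'root-path':(17,':'),
        'extensions-path':(18,':'),

        # 4. IP Layer Parameters per Host
        'ip-forwarding':(19,'B'),
        'non-local-source-routing':(20,'B'),
        'policy-filter':(21,'*!L'),
        'maximum-datagram-reassembly-size':(22,'!H'),
        'default-ip-ttl':(23,'B'),
        'path-mtu-aging-timeout':(24,'!L'),
        'path-mtu-plateau-table':(25,'*!H'),

        # 5. IP Layer Parameters per Interface
        'interface-mtu':(26,'!H'),
        'all-subnets-are-local':(27,'B'),
        'broadcast-address':(28,'!L'),
        'perform-mask-discovery':(29,'B'),
        'mask-supplier':(30,'B'),
        'perform-router-discovery':(31,'B'),
        'router-solicitation-address':(32,'!L'),
        'static-route':(33,'*!L'),

        # 6. Link Layer Parameters per Interface
        'trailer-encapsulation':(34,'B'),
        'arp-cache-timeout':(35,'!L'),
        'ethernet-encapsulation':(36,'B'),

        # 7. TCP parameters
        'tcp-default-ttl':(37,'B'),
        'tcp-keepalive-interval':(38,'!L'),
        'tcp-keepalive-garbage':(39,'B'),

        # 8. Application and Service parameters
        'nis-domain':(40,':'),
        'nis-servers':(41,'*!L'),
        'ntp-servers':(42,'*!L'),
        'vendor-specific':(43,':'),
        'netbios-name-server':(44,'*!L'),
        # (sic) the key spelling is part of the lookup interface; keep it.
        'netbios-datagrame-distribution-server':(45,'*!L'),
        'netbios-node-type':(46,'B'),
        'netbios-scope':(47,':'),
        'x11-font-server':(48,'*!L'),
        'x11-display-manager':(49,'*!L'),


        # 9. DHCP Extensions
        'requested-ip':(50,'!L'),
        'lease-time':(51,'!L'),
        'option-overload':(52,'B'),
        'message-type':(53,'B'),
        'server-id':(54,'!L'),
        'parameter-request-list':(55,':'),
        'message':(56,':'),
        'maximum-dhcp-message-size':(57,'!H'),
        'renewal-time':(58,'!L'),
        'rebinding-time':(59,'!L'),
        'vendor-class':(60,':'),
        'client-id':(61,':'),

        # other non-rfc1533 options
        'slp-directory-agent':(78,':'),           # https://www.ietf.org/rfc/rfc2610.txt
        'slp-service-scope':(79,':'),             # https://www.ietf.org/rfc/rfc2610.txt
        'fully-qualified-domain-name':(81,':'),   # https://www.ietf.org/rfc/rfc4702.txt
        'default-url': (114, ':'),                # text (URL) - not defined in any RFC but assigned by IANA
        'auto-configuration':(116,'B'),           # https://www.ietf.org/rfc/rfc2563.txt
        'domain-search-list':(119,':'),           # https://www.ietf.org/rfc/rfc3397.txt
        'classless-route-121':(121, ':'),         # https://www.ietf.org/rfc/rfc3442.txt
        'classless-route-249':(249, ':'),         # https://web.archive.org/web/20140205135249/support.microsoft.com/kb/121005
        'proxy-autoconfig':(252,':'),
        'eof':(255,'_'),
    }

    # From here on the bare name ``structure`` inside the class body is this
    # tuple. Methods are unaffected: a bare name inside a method skips the
    # class scope and resolves to the imported module.
    structure = (
            ('cookie','!L'),
            ('_options',':=self.packOptions(options)'),
            ('options','_','self.unpackOptions(_options)'))

    def __init__(self, data = None, alignment = 0):
        """Initialise through ``structure.Structure.__init__``.

        Both arguments are passed on unchanged. Only the Structure
        initialiser is called here; ``ProtocolPacket.__init__`` is not.
        """
        structure.Structure.__init__(self, data, alignment)

    def packOptions(self, options):
        """Serialise ``options`` into the raw option string.

        ``options`` is a sequence of ``(name, value)`` tuples. Every name
        must be a key of ``self.options``; an unknown name raises
        ``KeyError``. Each entry is written as code byte, length byte and
        the value packed with the format from the table.
        """
        chunks = []
        for name, value in options:
            code, fmt = self.options[name]
            val = self.pack(fmt, value)
            # The length field is a single '%c', so a packed value longer
            # than 255 bytes cannot be represented and the formatting fails.
            chunks.append('%c%c%s' % (code, len(val), val))

        return ''.join(chunks)

    def getOptionNameAndFormat(self, optionCode):
        """Translate a numeric option code into ``(name, format)``.

        A code that is missing from ``self.options`` is returned as
        ``(optionCode, ':')``: the number itself serves as the name, paired
        with the format the table uses for free-form values.
        """
        for name, (code, fmt) in self.options.items():
            if code == optionCode:
                return name, fmt
        return optionCode, ':'

    def unpackOptions(self, options):
        """Parse the raw option string into a list of ``(name, value)`` tuples.

        ``options`` is the byte string that follows the cookie. It comes from
        the network, so neither the codes nor the length bytes are trusted.

        Pad (0) and end (255) are single-octet options that carry no length
        byte (RFC 1533, sections 3.1 and 3.2). Pad octets are skipped one at
        a time and parsing stops at the end marker; neither is reported in
        the result. Reading a length byte after them would swallow the
        following option (pad) or decode trailing filler as options (end).

        A final byte with nothing after it is ignored.
        """
        pad_code = 0
        end_code = 255

        answer = []
        total = len(options)
        i = 0
        while i < total - 1:
            code = ord(options[i])
            if code == pad_code:
                i += 1
                continue
            if code == end_code:
                break

            name, fmt = self.getOptionNameAndFormat(code)
            size = ord(options[i + 1])
            # The slice is silently shortened when ``size`` claims more bytes
            # than remain. NOTE(review): how self.unpack reacts to a slice
            # that does not fit a fixed-size format ('!L', '!H', 'B') is
            # decided in impacket.structure; confirm that code parsing live
            # traffic handles the resulting error.
            value = self.unpack(fmt, options[i + 2:i + 2 + size])
            answer.append((name, value))
            i += 2 + size

        return answer

    def unpackParameterRequestList(self, options):
        """Return the option name for every code byte in ``options``.

        Codes that are not in the table appear as their integer value, as
        returned by ``getOptionNameAndFormat``.
        """
        return [self.getOptionNameAndFormat(ord(opt))[0] for opt in options]

    def isAskingForProxyAutodiscovery(self):
        """Return True if a parameter-request-list option contains code 252.

        252 is the code of 'proxy-autoconfig' in ``self.options``. Every
        parameter-request-list entry in ``self.fields['options']`` is
        inspected.
        """
        for opt in self.fields['options']:
            if opt[0] != 'parameter-request-list':
                continue
            if any(ord(optCode) == 252 for optCode in opt[1]):
                return True
        return False

    def getOptionValue(self, name):
        """Return the value of the first option called ``name``, else None.

        Later options with the same name are not considered. Options whose
        code is not in the table are stored under the integer code, so they
        are looked up by number.
        """
        for opt in self.fields['options']:
            if opt[0] == name:
                return opt[1]
        return None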