Add macaddr uniqueness (#1862)

* Fix build time key grabbing

* Add mac address uniqueness

* stubbed

* First run

* Fix windows

* fmt

Author: hulto

implants/lib/host_unique/Cargo.toml

@@ -6,8 +6,9 @@ edition = "2021"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 [dependencies]
-uuid = { workspace = true, features = ["v4", "fast-rng"] }
+uuid = { workspace = true, features = ["v4", "v5", "fast-rng"] }
 log = { workspace = true }
+netstat = { workspace = true }
 
 [target.'cfg(target_os = "windows")'.dependencies]
 winreg = { workspace = true }

implants/lib/host_unique/src/lib.rs

@@ -4,6 +4,8 @@ mod env;
 pub use env::Env;
 mod file;
 pub use file::File;
+mod mac_addr;
+pub use mac_addr::MacAddr;
 mod registry;
 pub use registry::Registry;
 
@@ -46,5 +48,6 @@ pub fn defaults() -> Vec<Box<dyn HostIDSelector>> {
             target_os = "netbsd"
         ))]
         Box::new(File::new_with_file("/etc/system-id")),
+        Box::<MacAddr>::default(),
     ]
 }

implants/lib/host_unique/src/mac_addr.rs

@@ -0,0 +1,57 @@
+use uuid::Uuid;
+
+use crate::HostIDSelector;
+
+#[derive(Default)]
+pub struct MacAddr {}
+
+impl MacAddr {
+    /// Returns the first non-zero MAC address from a sorted list of network interfaces.
+    fn get_mac_bytes(&self) -> Option<[u8; 6]> {
+        let mut interfaces = netstat::list_interfaces().ok()?;
+        interfaces.sort_by(|a, b| a.iface_name.cmp(&b.iface_name));
+
+        for iface in interfaces {
+            if iface.mac_address != [0u8; 6] {
+                return Some(iface.mac_address);
+            }
+        }
+        None
+    }
+}
+
+impl HostIDSelector for MacAddr {
+    fn get_name(&self) -> String {
+        "mac_address".to_string()
+    }
+
+    fn get_host_id(&self) -> Option<Uuid> {
+        let mac_bytes = self.get_mac_bytes()?;
+        Some(Uuid::new_v5(&Uuid::NAMESPACE_OID, &mac_bytes))
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn test_mac_addr_deterministic() {
+        let selector = MacAddr::default();
+        let id_one = selector.get_host_id();
+        let id_two = selector.get_host_id();
+
+        assert!(id_one.is_some(), "expected a MAC-based host id");
+        assert_eq!(id_one, id_two, "MAC-based host id must be deterministic");
+    }
+
+    #[test]
+    fn test_mac_addr_is_v5_uuid() {
+        let selector = MacAddr::default();
+        if let Some(id) = selector.get_host_id() {
+            let s = id.to_string();
+            // UUID v5 has the version nibble '5' as the 13th hex character
+            assert!(s.contains("-5"), "expected a v5 UUID, got: {}", s);
+        }
+    }
+}

implants/lib/netstat/Cargo.toml

@@ -10,13 +10,20 @@ log = { workspace = true }
 [target.'cfg(target_os = "windows")'.dependencies]
 windows-sys = { workspace = true, features = [
     "Win32_Foundation",
-    "Win32_Networking",
+    "Win32_Networking_WinSock",
     "Win32_NetworkManagement_IpHelper",
+    "Win32_NetworkManagement_Ndis",
     "Win32_System_ProcessStatus",
     "Win32_System_Threading",
     "Win32_System_Diagnostics_ToolHelp",
 ]}
 
+[target.'cfg(target_os = "linux")'.dependencies]
+libc = { workspace = true }
+
+[target.'cfg(target_os = "freebsd")'.dependencies]
+libc = { workspace = true }
+
 [target.'cfg(target_os = "macos")'.dependencies]
 libc = { workspace = true }
 byteorder = { workspace = true }

implants/lib/netstat/src/freebsd.rs

@@ -1,5 +1,8 @@
-use super::{ConnectionState, NetstatEntry, SocketType};
 use anyhow::Result;
+use std::collections::HashMap;
+use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
+
+use super::{ConnectionState, InterfaceEntry, NetstatEntry, SocketType};
 
 pub fn netstat() -> Result<Vec<NetstatEntry>> {
     // TODO: Implement FreeBSD sysctl using net.inet.tcp.pcblist
@@ -8,6 +11,86 @@ pub fn netstat() -> Result<Vec<NetstatEntry>> {
     Ok(Vec::new())
 }
 
+struct IfaceData {
+    mac: [u8; 6],
+    ipv4: Option<IpAddr>,
+    ipv6: Option<IpAddr>,
+}
+
+pub fn list_interfaces() -> Result<Vec<InterfaceEntry>> {
+    let mut ifaddrs_ptr: *mut libc::ifaddrs = std::ptr::null_mut();
+
+    unsafe {
+        if libc::getifaddrs(&mut ifaddrs_ptr) != 0 {
+            return Err(anyhow::anyhow!(
+                "getifaddrs failed: {}",
+                std::io::Error::last_os_error()
+            ));
+        }
+    }
+
+    let mut ifaces: HashMap<String, IfaceData> = HashMap::new();
+
+    unsafe {
+        let mut cur = ifaddrs_ptr;
+        while !cur.is_null() {
+            let ifa = &*cur;
+
+            if !ifa.ifa_addr.is_null() {
+                let name = std::ffi::CStr::from_ptr(ifa.ifa_name)
+                    .to_string_lossy()
+                    .to_string();
+                let family = (*ifa.ifa_addr).sa_family as i32;
+                let entry = ifaces.entry(name).or_insert(IfaceData {
+                    mac: [0u8; 6],
+                    ipv4: None,
+                    ipv6: None,
+                });
+
+                match family {
+                    libc::AF_LINK => {
+                        let sdl = &*(ifa.ifa_addr as *const libc::sockaddr_dl);
+                        if sdl.sdl_alen == 6 {
+                            let mac_offset = sdl.sdl_nlen as usize;
+                            let data_ptr = sdl.sdl_data.as_ptr().add(mac_offset) as *const u8;
+                            entry
+                                .mac
+                                .copy_from_slice(std::slice::from_raw_parts(data_ptr, 6));
+                        }
+                    }
+                    libc::AF_INET => {
+                        if entry.ipv4.is_none() {
+                            let sin = &*(ifa.ifa_addr as *const libc::sockaddr_in);
+                            let bytes = sin.sin_addr.s_addr.to_ne_bytes();
+                            entry.ipv4 = Some(IpAddr::V4(Ipv4Addr::from(bytes)));
+                        }
+                    }
+                    libc::AF_INET6 => {
+                        if entry.ipv6.is_none() {
+                            let sin6 = &*(ifa.ifa_addr as *const libc::sockaddr_in6);
+                            entry.ipv6 = Some(IpAddr::V6(Ipv6Addr::from(sin6.sin6_addr.s6_addr)));
+                        }
+                    }
+                    _ => {}
+                }
+            }
+
+            cur = ifa.ifa_next;
+        }
+
+        libc::freeifaddrs(ifaddrs_ptr);
+    }
+
+    Ok(ifaces
+        .into_iter()
+        .map(|(name, data)| InterfaceEntry {
+            iface_name: name,
+            mac_address: data.mac,
+            ip_address: data.ipv4.or(data.ipv6),
+        })
+        .collect())
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -18,4 +101,13 @@ mod tests {
         assert!(result.is_ok());
         assert_eq!(result.unwrap().len(), 0);
     }
+
+    #[test]
+    fn test_list_interfaces() {
+        let result = list_interfaces();
+        assert!(result.is_ok());
+
+        let interfaces = result.unwrap();
+        assert!(!interfaces.is_empty(), "Should have at least one interface");
+    }
 }

implants/lib/netstat/src/lib.rs

@@ -94,3 +94,32 @@ pub fn netstat() -> Result<Vec<NetstatEntry>> {
     )))]
     return Ok(Vec::new());
 }
+
+#[derive(Debug, Clone, PartialEq)]
+pub struct InterfaceEntry {
+    pub iface_name: String,
+    pub mac_address: [u8; 6],
+    pub ip_address: Option<IpAddr>,
+}
+
+pub fn list_interfaces() -> Result<Vec<InterfaceEntry>> {
+    #[cfg(target_os = "linux")]
+    return linux::list_interfaces();
+
+    #[cfg(target_os = "macos")]
+    return macos::list_interfaces();
+
+    #[cfg(target_os = "windows")]
+    return windows::list_interfaces();
+
+    #[cfg(target_os = "freebsd")]
+    return freebsd::list_interfaces();
+
+    #[cfg(not(any(
+        target_os = "linux",
+        target_os = "macos",
+        target_os = "windows",
+        target_os = "freebsd"
+    )))]
+    return Ok(Vec::new());
+}

implants/lib/netstat/src/linux.rs

@@ -4,7 +4,7 @@ use std::fs;
 use std::net::{IpAddr, Ipv4Addr, Ipv6Addr};
 use std::path::Path;
 
-use super::{ConnectionState, NetstatEntry, SocketType};
+use super::{ConnectionState, InterfaceEntry, NetstatEntry, SocketType};
 
 pub fn netstat() -> Result<Vec<NetstatEntry>> {
     let mut entries = Vec::new();
@@ -294,6 +294,82 @@ fn read_process_name(pid: u32) -> Result<String> {
     ))
 }
 
+struct IfaceData {
+    mac: [u8; 6],
+    ipv4: Option<IpAddr>,
+    ipv6: Option<IpAddr>,
+}
+
+pub fn list_interfaces() -> Result<Vec<InterfaceEntry>> {
+    let mut ifaddrs_ptr: *mut libc::ifaddrs = std::ptr::null_mut();
+
+    unsafe {
+        if libc::getifaddrs(&mut ifaddrs_ptr) != 0 {
+            return Err(anyhow::anyhow!(
+                "getifaddrs failed: {}",
+                std::io::Error::last_os_error()
+            ));
+        }
+    }
+
+    let mut ifaces: HashMap<String, IfaceData> = HashMap::new();
+
+    unsafe {
+        let mut cur = ifaddrs_ptr;
+        while !cur.is_null() {
+            let ifa = &*cur;
+
+            if !ifa.ifa_addr.is_null() {
+                let name = std::ffi::CStr::from_ptr(ifa.ifa_name)
+                    .to_string_lossy()
+                    .to_string();
+                let family = (*ifa.ifa_addr).sa_family as i32;
+                let entry = ifaces.entry(name).or_insert(IfaceData {
+                    mac: [0u8; 6],
+                    ipv4: None,
+                    ipv6: None,
+                });
+
+                match family {
+                    libc::AF_PACKET => {
+                        let sll = &*(ifa.ifa_addr as *const libc::sockaddr_ll);
+                        if sll.sll_halen == 6 {
+                            entry.mac.copy_from_slice(&sll.sll_addr[..6]);
+                        }
+                    }
+                    libc::AF_INET => {
+                        if entry.ipv4.is_none() {
+                            let sin = &*(ifa.ifa_addr as *const libc::sockaddr_in);
+                            let bytes = sin.sin_addr.s_addr.to_ne_bytes();
+                            entry.ipv4 = Some(IpAddr::V4(Ipv4Addr::from(bytes)));
+                        }
+                    }
+                    libc::AF_INET6 => {
+                        if entry.ipv6.is_none() {
+                            let sin6 = &*(ifa.ifa_addr as *const libc::sockaddr_in6);
+                            entry.ipv6 = Some(IpAddr::V6(Ipv6Addr::from(sin6.sin6_addr.s6_addr)));
+                        }
+                    }
+                    _ => {}
+                }
+            }
+
+            cur = ifa.ifa_next;
+        }
+
+        libc::freeifaddrs(ifaddrs_ptr);
+    }
+
+    Ok(ifaces
+        .into_iter()
+        .map(|(name, data)| InterfaceEntry {
+            iface_name: name,
+            mac_address: data.mac,
+            ip_address: data.ipv4.or(data.ipv6),
+        })
+        .collect())
+}
+
 #[cfg(test)]
 mod tests {
     use super::*;
@@ -389,4 +465,23 @@ mod tests {
         assert!(found, "Our test socket should appear in netstat results");
         Ok(())
     }
+
+    #[test]
+    fn test_list_interfaces() {
+        let result = list_interfaces();
+        assert!(result.is_ok());
+
+        let interfaces = result.unwrap();
+        assert!(!interfaces.is_empty(), "Should have at least one interface");
+
+        // Loopback interface should exist on Linux
+        let has_lo = interfaces.iter().any(|i| i.iface_name == "lo");
+        assert!(has_lo, "Loopback interface 'lo' should be present");
+    }
+
+    #[test]
+    fn print_interfaces() {
+        let result = list_interfaces();
+        println!("debug {:?}", result)
+    }
 }