  • Print relative PCAP packet number for each credentials extraction

  • yotamh committed 7 years ago
    2180e5e9
    1 parent 306167d9
    Pcredz
    skipped 306 lines
    307 307   d['data']=s[4*d['header_len']:]
    308 308   return d
    309 309   
    310  -def Print_Packet_Details(decoded,SrcPort,DstPort):
     310 +def Print_Packet_Details(decoded,SrcPort,DstPort,packet_num):
    311 311   if timestamp:
    312 312   ts = '[%f] ' % time.time()
    313 313   else:
    314 314   ts = ''
    315 315   try:
    316  - return '%sprotocol: %s %s:%s > %s:%s' % (ts, protocols[decoded['protocol']],decoded['source_address'],SrcPort,
     316 + return '%s %sprotocol: %s %s:%s > %s:%s' % (str(packet_num),ts, protocols[decoded['protocol']],decoded['source_address'],SrcPort,
    317 317   decoded['destination_address'], DstPort)
    318 318   except:
    319  - return '%s%s:%s > %s:%s' % (ts,decoded['source_address'],SrcPort,
     319 + return '%s %s%s:%s > %s:%s' % (str(packet_num),ts,decoded['source_address'],SrcPort,
    320 320   decoded['destination_address'], DstPort)
    321 321   
    322 322   
    323  -def ParseDataRegex(decoded, SrcPort, DstPort):
     323 +def ParseDataRegex(decoded, SrcPort, DstPort, packet_num):
    324 324   HTTPUser = None
    325 325   HTTPass = None
    326 326   for user in http_userfields:
    skipped 23 lines
    350 350   CC = False
    351 351   if Basic64:
    352 352   basic = ''.join(Basic64)
    353  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     353 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    354 354   try:
    355 355   Message = 'Found HTTP Basic authentication: %s\n'%(b64decode(basic))
    356 356   if PrintPacket(Filename,Message):
    skipped 4 lines
    361 361   pass
    362 362   
    363 363   if DstPort == 1433 and decoded['data'][20:22]=="\x10\x01" and len(NTLMSSP1) <=0:
    364  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     364 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    365 365   Message = ParseMSSQLPlainText(decoded['data'][20:])
    366 366   if PrintPacket(Filename,Message):
    367 367   l.warning(HeadMessage)
    skipped 3 lines
    371 371   if DstPort == 88 and protocols.has_key(decoded['protocol']) and protocols[decoded['protocol']] == 'tcp':
    372 372   Message = ParseMSKerbv5TCP(decoded['data'][20:])
    373 373   if Message:
    374  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     374 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    375 375   if PrintPacket(Filename,Message[1]):
    376 376   l.warning(HeadMessage)
    377 377   l.warning(Message[0])
    skipped 2 lines
    380 380   if DstPort == 88 and protocols.has_key(decoded['protocol']) and protocols[decoded['protocol']] == 'udp':
    381 381   Message = ParseMSKerbv5UDP(decoded['data'][8:])
    382 382   if Message:
    383  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     383 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    384 384   if PrintPacket(Filename,Message[1]):
    385 385   l.warning(HeadMessage)
    386 386   l.warning(Message[0])
    skipped 2 lines
    389 389   if DstPort == 161:
    390 390   Message = ParseSNMP(decoded['data'][8:])
    391 391   if Message:
    392  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     392 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    393 393   if PrintPacket(Filename,Message):
    394 394   l.warning(HeadMessage)
    395 395   l.warning(Message)
    skipped 2 lines
    398 398   if DstPort == 143:
    399 399   IMAPAuth = re.findall('(?<=LOGIN \")[^\r]*', decoded['data'])
    400 400   if IMAPAuth:
    401  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     401 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    402 402   Message = 'Found IMAP login: "%s\n'%(''.join(IMAPAuth))
    403 403   if PrintPacket(Filename,Message):
    404 404   l.warning(HeadMessage)
    skipped 7 lines
    412 412   if FTPPass:
    413 413   try:
    414 414   POPUser
    415  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     415 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    416 416   Message = 'Found POP credentials %s:%s\n'%(POPUser,''.join(FTPPass))
    417 417   del POPUser
    418 418   if PrintPacket(Filename,Message):
    skipped 9 lines
    428 428   host = re.findall("(Host: [^\n]+)", decoded['data'])
    429 429   get_path = re.findall("(GET [^\n]+)", decoded['data'])
    430 430   post_path = re.findall("(POST [^\n]+)", decoded['data'])
    431  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     431 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    432 432   Message = 'Found possible HTTP authentication %s:%s\n' % (HTTPUser[0], HTTPass[0])
    433 433   if host:
    434 434   Message += '%s\n' % host[0].strip('\r')
    skipped 17 lines
    452 452   SMTPAuthentication
    453 453   Message = ParseSMTP(decoded['data'][20:])
    454 454   if Message:
    455  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     455 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    456 456   del SMTPAuthentication
    457 457   if PrintPacket(Filename,Message):
    458 458   l.warning(HeadMessage)
    skipped 8 lines
    467 467   
    468 468   if FTPPass and DstPort == 21:
    469 469   try:
    470  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     470 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    471 471   Message = 'FTP User: %s\n'%(UserID)
    472 472   Message+= 'FTP Pass: %s\n'%(''.join(FTPPass))
    473 473   del UserID
    skipped 11 lines
    485 485   passw = re.findall('(?<=%s )[^\\r]*'%(password), decoded['data'], re.IGNORECASE)
    486 486   if passw:
    487 487   Message = "Found a password in an SMB read operation:\n%s:\n%s"%(password, passw)
    488  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     488 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    489 489   if PrintPacket(Filename,Message):
    490 490   l.warning(HeadMessage)
    491 491   l.warning(Message)
    skipped 3 lines
    495 495   user = re.findall('(?<=%s )[^\\r]*'%(users), decoded['data'], re.IGNORECASE)
    496 496   if user:
    497 497   Message = "Found a username in an SMB read operation:\n%s:\n%s"%(users, user)
    498  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     498 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    499 499   if PrintPacket(Filename,Message):
    500 500   l.warning(HeadMessage)
    501 501   l.warning(Message)
    skipped 13 lines
    515 515   except NameError:
    516 516   pass
    517 517   else:
    518  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     518 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    519 519   Message = ParseNTLMHash(NTLMPacket,Chall)
    520 520   del Chall
    521 521   if PrintPacket(Filename,Message[1]):
    skipped 22 lines
    544 544   except NameError:
    545 545   pass
    546 546   else:
    547  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     547 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    548 548   Message = ParseNTLMHash(Packet,HTTPChall)
    549 549   del HTTPChall
    550 550   if PrintPacket(Filename,Message[1]):
    skipped 8 lines
    559 559   CMatch = ''.join(CCMatch).strip()
    560 560   if len(CreditCard)<=16:
    561 561   if luhn(CreditCard):
    562  - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
     562 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
    563 563   MessageCC = 'Possible valid CC (Luhn check OK): %s\n'%(CreditCard)
    564 564   MessageMatch= 'Please verify this match ( %s )\n'%('\033[1m\033[31m'+CMatch+'\033[0m')
    565 565   if PrintPacket(Filename,MessageCC):
    skipped 3 lines
    569 569   else:
    570 570   pass
    571 571   
    572  -def Print_Packet_Cooked(pktlen, data, timestamp):
     572 +def Print_Packet_Cooked(pktlen, data, timestamp, packet_num):
    573 573   if not data:
    574 574   return
    575 575   if data[14:16]=='\x08\x00':
    576 576   decoded=Decode_Ip_Packet(data[16:])
    577 577   SrcPort = struct.unpack('>H',decoded['data'][0:2])[0]
    578 578   DstPort = struct.unpack('>H',decoded['data'][2:4])[0]
    579  - ParseDataRegex(decoded, SrcPort, DstPort)
     579 + ParseDataRegex(decoded, SrcPort, DstPort, packet_num)
    580 580   
    581  -def Print_Packet_800dot11(pktlen, data, timestamp):
     581 +def Print_Packet_800dot11(pktlen, data, timestamp, packet_num):
    582 582   if not data:
    583 583   return
    584 584   if data[32:34]=='\x08\x00':
    585 585   decoded=Decode_Ip_Packet(data[34:])
    586 586   SrcPort = struct.unpack('>H',decoded['data'][0:2])[0]
    587 587   DstPort = struct.unpack('>H',decoded['data'][2:4])[0]
    588  - ParseDataRegex(decoded, SrcPort, DstPort)
     588 + ParseDataRegex(decoded, SrcPort, DstPort, packet_num)
    589 589   
    590  -def Print_Packet_Tcpdump(pktlen, data, timestamp):
     590 +def Print_Packet_Tcpdump(pktlen, data, timestamp, packet_num):
    591 591   if not data:
    592 592   return
    593 593   if data[12:14]=='\x08\x00':
    skipped 6 lines
    600 600   DstPort = struct.unpack('>H',decoded['data'][2:4])[0]
    601 601   else:
    602 602   DstPort = 0
    603  - ParseDataRegex(decoded, SrcPort, DstPort)
     603 + ParseDataRegex(decoded, SrcPort, DstPort, packet_num)
     604 +
     605 +def loop_packets(pcap_object, func):
     606 + packet = pcap_object.next()
     607 + pnum = 1
     608 + while packet:
     609 + func(packet[0], packet[1], packet[2], pnum)
     610 + pnum += 1
     611 + packet = pcap_object.next()
    604 612   
    605 613  def decode_file(fname,res):
    606 614   if interface != None:
    skipped 16 lines
    623 631   l.warning('\n\nPcredz started, using:%s file'%(fname))
    624 632   Version = IsCookedPcap(res)
    625 633   if Version == 1:
    626  - thread = Thread(target = p.dispatch, args = (0, Print_Packet_Cooked))
     634 + thread = Thread(target = loop_packets, args = (p, Print_Packet_Cooked))
    627 635   thread.daemon=True
    628 636   thread.start()
    629 637   try:
    skipped 3 lines
    633 641   print '\n\nCRTL-C hit..Cleaning up...'
    634 642   threading.Event().set()
    635 643   if Version == 2:
    636  - thread = Thread(target = p.dispatch, args = (0, Print_Packet_Cooked))
     644 + thread = Thread(target = loop_packets, args = (p, Print_Packet_Cooked))
    637 645   thread.daemon=True
    638 646   thread.start()
    639 647   try:
    skipped 4 lines
    644 652   threading.Event().set()
    645 653   if Version == 3:
    646 654   
    647  - thread = Thread(target = p.dispatch, args = (0, Print_Packet_Tcpdump))
     655 + thread = Thread(target = loop_packets, args = (p, Print_Packet_Tcpdump))
    648 656   thread.daemon=True
    649 657   thread.start()
    650 658   try:
    skipped 57 lines
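Review bot: `packet_num` is added as a required positional parameter to Print_Packet_Cooked, Print_Packet_800dot11 and Print_Packet_Tcpdump (new lines 572, 581, 590), so any caller that still hands these functions to libpcap's own dispatch/loop — which invokes the callback with only (pktlen, data, timestamp) — will now raise TypeError; the live-capture branch under `if interface != None:` (new line 615, collapsed in this view) looks like such a caller, so give the parameter a default, e.g. `def Print_Packet_Tcpdump(pktlen, data, timestamp, packet_num=0):`, and do the same for the other two callbacks and for Print_Packet_Details/ParseDataRegex. In loop_packets (605–611) the `while packet:` test relies on `pcap_object.next()` returning a falsy value at end of file; I believe pylibpcap returns None on a live read timeout as well, so the loop is only correct for savefiles — a comment such as `# next() returns None at EOF (and, on a live capture, on timeout): savefile use only` would keep it from being reused for interface capture. The `str(packet_num)` wrappers at 316/319 are redundant under `%s`; `% (packet_num, ts, ...)` reads cleaner, and a packet number of 0 from a defaulted parameter would then visibly mark "no count available" in the header line. decode_file starts in this section but its body continues past the end of it.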