| skipped 306 lines |
307 | 307 | | d['data']=s[4*d['header_len']:] |
308 | 308 | | return d |
309 | 309 | | |
310 | | - | def Print_Packet_Details(decoded,SrcPort,DstPort): |
| 310 | + | def Print_Packet_Details(decoded,SrcPort,DstPort,packet_num): |
311 | 311 | | if timestamp: |
312 | 312 | | ts = '[%f] ' % time.time() |
313 | 313 | | else: |
314 | 314 | | ts = '' |
315 | 315 | | try: |
316 | | - | return '%sprotocol: %s %s:%s > %s:%s' % (ts, protocols[decoded['protocol']],decoded['source_address'],SrcPort, |
| 316 | + | return '%s %sprotocol: %s %s:%s > %s:%s' % (str(packet_num),ts, protocols[decoded['protocol']],decoded['source_address'],SrcPort, |
317 | 317 | | decoded['destination_address'], DstPort) |
318 | 318 | | except: |
319 | | - | return '%s%s:%s > %s:%s' % (ts,decoded['source_address'],SrcPort, |
| 319 | + | return '%s %s%s:%s > %s:%s' % (str(packet_num),ts,decoded['source_address'],SrcPort, |
320 | 320 | | decoded['destination_address'], DstPort) |
321 | 321 | | |
322 | 322 | | |
323 | | - | def ParseDataRegex(decoded, SrcPort, DstPort): |
| 323 | + | def ParseDataRegex(decoded, SrcPort, DstPort, packet_num): |
324 | 324 | | HTTPUser = None |
325 | 325 | | HTTPass = None |
326 | 326 | | for user in http_userfields: |
| skipped 23 lines |
350 | 350 | | CC = False |
351 | 351 | | if Basic64: |
352 | 352 | | basic = ''.join(Basic64) |
353 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 353 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
354 | 354 | | try: |
355 | 355 | | Message = 'Found HTTP Basic authentication: %s\n'%(b64decode(basic)) |
356 | 356 | | if PrintPacket(Filename,Message): |
| skipped 4 lines |
361 | 361 | | pass |
362 | 362 | | |
363 | 363 | | if DstPort == 1433 and decoded['data'][20:22]=="\x10\x01" and len(NTLMSSP1) <=0: |
364 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 364 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
365 | 365 | | Message = ParseMSSQLPlainText(decoded['data'][20:]) |
366 | 366 | | if PrintPacket(Filename,Message): |
367 | 367 | | l.warning(HeadMessage) |
| skipped 3 lines |
371 | 371 | | if DstPort == 88 and protocols.has_key(decoded['protocol']) and protocols[decoded['protocol']] == 'tcp': |
372 | 372 | | Message = ParseMSKerbv5TCP(decoded['data'][20:]) |
373 | 373 | | if Message: |
374 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 374 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
375 | 375 | | if PrintPacket(Filename,Message[1]): |
376 | 376 | | l.warning(HeadMessage) |
377 | 377 | | l.warning(Message[0]) |
| skipped 2 lines |
380 | 380 | | if DstPort == 88 and protocols.has_key(decoded['protocol']) and protocols[decoded['protocol']] == 'udp': |
381 | 381 | | Message = ParseMSKerbv5UDP(decoded['data'][8:]) |
382 | 382 | | if Message: |
383 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 383 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
384 | 384 | | if PrintPacket(Filename,Message[1]): |
385 | 385 | | l.warning(HeadMessage) |
386 | 386 | | l.warning(Message[0]) |
| skipped 2 lines |
389 | 389 | | if DstPort == 161: |
390 | 390 | | Message = ParseSNMP(decoded['data'][8:]) |
391 | 391 | | if Message: |
392 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 392 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
393 | 393 | | if PrintPacket(Filename,Message): |
394 | 394 | | l.warning(HeadMessage) |
395 | 395 | | l.warning(Message) |
| skipped 2 lines |
398 | 398 | | if DstPort == 143: |
399 | 399 | | IMAPAuth = re.findall('(?<=LOGIN \")[^\r]*', decoded['data']) |
400 | 400 | | if IMAPAuth: |
401 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 401 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
402 | 402 | | Message = 'Found IMAP login: "%s\n'%(''.join(IMAPAuth)) |
403 | 403 | | if PrintPacket(Filename,Message): |
404 | 404 | | l.warning(HeadMessage) |
| skipped 7 lines |
412 | 412 | | if FTPPass: |
413 | 413 | | try: |
414 | 414 | | POPUser |
415 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 415 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
416 | 416 | | Message = 'Found POP credentials %s:%s\n'%(POPUser,''.join(FTPPass)) |
417 | 417 | | del POPUser |
418 | 418 | | if PrintPacket(Filename,Message): |
| skipped 9 lines |
428 | 428 | | host = re.findall("(Host: [^\n]+)", decoded['data']) |
429 | 429 | | get_path = re.findall("(GET [^\n]+)", decoded['data']) |
430 | 430 | | post_path = re.findall("(POST [^\n]+)", decoded['data']) |
431 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 431 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
432 | 432 | | Message = 'Found possible HTTP authentication %s:%s\n' % (HTTPUser[0], HTTPass[0]) |
433 | 433 | | if host: |
434 | 434 | | Message += '%s\n' % host[0].strip('\r') |
| skipped 17 lines |
452 | 452 | | SMTPAuthentication |
453 | 453 | | Message = ParseSMTP(decoded['data'][20:]) |
454 | 454 | | if Message: |
455 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 455 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
456 | 456 | | del SMTPAuthentication |
457 | 457 | | if PrintPacket(Filename,Message): |
458 | 458 | | l.warning(HeadMessage) |
| skipped 8 lines |
467 | 467 | | |
468 | 468 | | if FTPPass and DstPort == 21: |
469 | 469 | | try: |
470 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 470 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
471 | 471 | | Message = 'FTP User: %s\n'%(UserID) |
472 | 472 | | Message+= 'FTP Pass: %s\n'%(''.join(FTPPass)) |
473 | 473 | | del UserID |
| skipped 11 lines |
485 | 485 | | passw = re.findall('(?<=%s )[^\\r]*'%(password), decoded['data'], re.IGNORECASE) |
486 | 486 | | if passw: |
487 | 487 | | Message = "Found a password in an SMB read operation:\n%s:\n%s"%(password, passw) |
488 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 488 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
489 | 489 | | if PrintPacket(Filename,Message): |
490 | 490 | | l.warning(HeadMessage) |
491 | 491 | | l.warning(Message) |
| skipped 3 lines |
495 | 495 | | user = re.findall('(?<=%s )[^\\r]*'%(users), decoded['data'], re.IGNORECASE) |
496 | 496 | | if user: |
497 | 497 | | Message = "Found a username in an SMB read operation:\n%s:\n%s"%(users, user) |
498 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 498 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
499 | 499 | | if PrintPacket(Filename,Message): |
500 | 500 | | l.warning(HeadMessage) |
501 | 501 | | l.warning(Message) |
| skipped 13 lines |
515 | 515 | | except NameError: |
516 | 516 | | pass |
517 | 517 | | else: |
518 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 518 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
519 | 519 | | Message = ParseNTLMHash(NTLMPacket,Chall) |
520 | 520 | | del Chall |
521 | 521 | | if PrintPacket(Filename,Message[1]): |
| skipped 22 lines |
544 | 544 | | except NameError: |
545 | 545 | | pass |
546 | 546 | | else: |
547 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 547 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
548 | 548 | | Message = ParseNTLMHash(Packet,HTTPChall) |
549 | 549 | | del HTTPChall |
550 | 550 | | if PrintPacket(Filename,Message[1]): |
| skipped 8 lines |
559 | 559 | | CMatch = ''.join(CCMatch).strip() |
560 | 560 | | if len(CreditCard)<=16: |
561 | 561 | | if luhn(CreditCard): |
562 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 562 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
563 | 563 | | MessageCC = 'Possible valid CC (Luhn check OK): %s\n'%(CreditCard) |
564 | 564 | | MessageMatch= 'Please verify this match ( %s )\n'%('\033[1m\033[31m'+CMatch+'\033[0m') |
565 | 565 | | if PrintPacket(Filename,MessageCC): |
| skipped 3 lines |
569 | 569 | | else: |
570 | 570 | | pass |
571 | 571 | | |
572 | | - | def Print_Packet_Cooked(pktlen, data, timestamp): |
| 572 | + | def Print_Packet_Cooked(pktlen, data, timestamp, packet_num): |
573 | 573 | | if not data: |
574 | 574 | | return |
575 | 575 | | if data[14:16]=='\x08\x00': |
576 | 576 | | decoded=Decode_Ip_Packet(data[16:]) |
577 | 577 | | SrcPort = struct.unpack('>H',decoded['data'][0:2])[0] |
578 | 578 | | DstPort = struct.unpack('>H',decoded['data'][2:4])[0] |
579 | | - | ParseDataRegex(decoded, SrcPort, DstPort) |
| 579 | + | ParseDataRegex(decoded, SrcPort, DstPort, packet_num) |
580 | 580 | | |
581 | | - | def Print_Packet_800dot11(pktlen, data, timestamp): |
| 581 | + | def Print_Packet_800dot11(pktlen, data, timestamp, packet_num): |
582 | 582 | | if not data: |
583 | 583 | | return |
584 | 584 | | if data[32:34]=='\x08\x00': |
585 | 585 | | decoded=Decode_Ip_Packet(data[34:]) |
586 | 586 | | SrcPort = struct.unpack('>H',decoded['data'][0:2])[0] |
587 | 587 | | DstPort = struct.unpack('>H',decoded['data'][2:4])[0] |
588 | | - | ParseDataRegex(decoded, SrcPort, DstPort) |
| 588 | + | ParseDataRegex(decoded, SrcPort, DstPort, packet_num) |
589 | 589 | | |
590 | | - | def Print_Packet_Tcpdump(pktlen, data, timestamp): |
| 590 | + | def Print_Packet_Tcpdump(pktlen, data, timestamp, packet_num): |
591 | 591 | | if not data: |
592 | 592 | | return |
593 | 593 | | if data[12:14]=='\x08\x00': |
| skipped 6 lines |
600 | 600 | | DstPort = struct.unpack('>H',decoded['data'][2:4])[0] |
601 | 601 | | else: |
602 | 602 | | DstPort = 0 |
603 | | - | ParseDataRegex(decoded, SrcPort, DstPort) |
| 603 | + | ParseDataRegex(decoded, SrcPort, DstPort, packet_num) |
| 604 | + | |
| 605 | + | def loop_packets(pcap_object, func): |
| 606 | + | packet = pcap_object.next() |
| 607 | + | pnum = 1 |
| 608 | + | while packet: |
| 609 | + | func(packet[0], packet[1], packet[2], pnum) |
| 610 | + | pnum += 1 |
| 611 | + | packet = pcap_object.next() |
604 | 612 | | |
605 | 613 | | def decode_file(fname,res): |
606 | 614 | | if interface != None: |
| skipped 16 lines |
623 | 631 | | l.warning('\n\nPcredz started, using:%s file'%(fname)) |
624 | 632 | | Version = IsCookedPcap(res) |
625 | 633 | | if Version == 1: |
626 | | - | thread = Thread(target = p.dispatch, args = (0, Print_Packet_Cooked)) |
| 634 | + | thread = Thread(target = loop_packets, args = (p, Print_Packet_Cooked)) |
627 | 635 | | thread.daemon=True |
628 | 636 | | thread.start() |
629 | 637 | | try: |
| skipped 3 lines |
633 | 641 | | print '\n\nCRTL-C hit..Cleaning up...' |
634 | 642 | | threading.Event().set() |
635 | 643 | | if Version == 2: |
636 | | - | thread = Thread(target = p.dispatch, args = (0, Print_Packet_Cooked)) |
| 644 | + | thread = Thread(target = loop_packets, args = (p, Print_Packet_Cooked)) |
637 | 645 | | thread.daemon=True |
638 | 646 | | thread.start() |
639 | 647 | | try: |
| skipped 4 lines |
644 | 652 | | threading.Event().set() |
645 | 653 | | if Version == 3: |
646 | 654 | | |
647 | | - | thread = Thread(target = p.dispatch, args = (0, Print_Packet_Tcpdump)) |
| 655 | + | thread = Thread(target = loop_packets, args = (p, Print_Packet_Tcpdump)) |
648 | 656 | | thread.daemon=True |
649 | 657 | | thread.start() |
650 | 658 | | try: |
| skipped 57 lines |