14 14 # 15 15 # You should have received a copy of the GNU General Public License 16 16 # along with this program. If not, see <http://www.gnu.org/licenses/>. 17 - 17 + import sys 18 + if (sys.version_info > (3, 0)): 19 + PY2OR3 = "PY3" 20 + else: 21 + sys.exit("This version only supports python3.\nTry python3 ./Pcredz") 18 22 try: 19 - import pcap 23 + import pylibpcap as pcap 24 + from pylibpcap.pcap import rpcap 20 25 except ImportError: 21 - print 'libpcap not installed.\ntry : apt-get remove python-pypcap && apt-get install python-libpcap\nOn Mac OS X download http://downloads.sourceforge.net/project/pylibpcap/pylibpcap/0.6.4/pylibpcap-0.6.4.tar.gz \ntar xvf pylibpcap-0.6.4.tar.gz && cd pylibpcap-0.6.4\n./setup.py install' 22 - exit() 26 + print("libpcap not installed.\ntry : apt install python3-pip && pip3 install Cython && pip3 install python-libpcap") 27 + exit() 28 + 23 29 import logging 24 30 import argparse 25 31 import os 27 33 import socket 28 34 import struct 29 35 import subprocess 30 - import sys 31 36 import threading 32 37 import time 38 + import codecs 33 39 from base64 import b64decode 34 40 from threading import Thread 35 41 36 42 def ShowWelcome(): 37 - Message = 'Pcredz 1 .0.0\nAuthor: Laurent Gaffie\nPlease send bugs/comments/pcaps to: [email protected] \nThis script will extract NTLM (http,ldap,smb,sql,etc), Kerberos,\nFTP, HTTP Basic and credit card data from a given pcap file or from a live interface.\n'38 - print Message 43 + Message = 'Pcredz 2 .0.0\nAuthor: Laurent Gaffie\nPlease send bugs/comments/pcaps to: [email protected] \nThis script will extract NTLM (http,ldap,smb,sql,etc), Kerberos,\nFTP, HTTP Basic and credit card data from a given pcap file or from a live interface.\n' 44 + print( Message) 39 45 40 46 parser = argparse.ArgumentParser(description='Pcredz 1.0.0\nAuthor: Laurent Gaffie') 41 47 m_group=parser.add_mutually_exclusive_group() 49 55 options = parser.parse_args() 50 56 51 57 if options.fname is None and options.dir_path is None and options.interface is None: 52 - print '\n\033[1m\033[31m -f or -d or -i mandatory option missing.\033[0m\n'53 - parser.print_help()54 - exit(-1) 58 + print( '\n\033[1m\033[31m -f or -d or -i mandatory option missing.\033[0m\n') 59 + parser.print_help() 60 + exit(-1)55 61 56 62 ShowWelcome() 57 63 Verbose = options.Verbose 62 68 timestamp = options.timestamp 63 69 start_time = time.time() 64 70 65 - http_userfields = ['log','login', 'wpname', 'ahd_username', 'unickname', 'nickname', 'user', 'user_name', 66 - 'alias', 'pseudo', 'email', 'username', '_username', 'userid', 'form_loginname', 'loginname', 67 - 'login_id', 'loginid', 'session_key', 'sessionkey', 'pop_login', 'uid', 'id', 'user_id', 'screename', 68 - 'uname', 'ulogin', 'acctname', 'account', 'member', 'mailaddress', 'membername', 'login_username', 69 - 'login_email', 'loginusername', 'loginemail', 'uin', 'sign-in', 'j_username'] 71 + http_userfields = [b 'log',b 'login', b 'wpname', b 'ahd_username', b 'unickname', b 'nickname', b 'user', b 'user_name', 72 + b 'alias', b 'pseudo', b 'email', b 'username', b '_username', b 'userid', b 'form_loginname', b 'loginname', 73 + b 'login_id', b 'loginid', b 'session_key', b 'sessionkey', b 'pop_login', b 'uid', b 'id', b 'user_id', b 'screename', 74 + b 'uname', b 'ulogin', b 'acctname', b 'account', b 'member', b 'mailaddress', b 'membername', b 'login_username', 75 + b 'login_email', b 'loginusername', b 'loginemail', b 'uin', b 'sign-in', b 'j_username'] 70 76 71 - http_passfields = ['ahd_password', 'pass', 'password', '_password', 'passwd', 'session_password', 'sessionpassword', 72 - 'login_password', 'loginpassword', 'form_pw', 'pw', 'userpassword', 'pwd', 'upassword', 'login_password', 73 - 'passwort', 'passwrd', 'wppassword', 'upasswd', 'j_password'] 77 + http_passfields = [b 'ahd_password', b 'pass', b 'password', b '_password', b 'passwd', b 'session_password', b 'sessionpassword', 78 + b 'login_password', b 'loginpassword', b 'form_pw', b 'pw', b 'userpassword', b 'pwd', b 'upassword', b 'login_password', 79 + b 'passwort', b 'passwrd', b 'wppassword', b 'upasswd', b 'j_password'] 74 80 75 81 Filename = str(os.path.join(os.path.dirname(__file__),"CredentialDump-Session.log")) 76 82 l= logging.getLogger('Credential-Session') 77 83 l.addHandler(logging.FileHandler(Filename,'a')) 78 84 79 85 if activate_cc: 80 - print ' CC number scanning activated\n' 86 + print( " CC number scanning activated\n" ) 81 87 else: 82 - print ' CC number scanning is deactivated\n' 88 + print( " CC number scanning is deactivated\n" ) 83 89 84 90 def PrintPacket(Filename,Message): 85 - if Verbose == True:86 - return True87 - if os.path.isfile(Filename) == True:88 - with open(Filename,"r") as filestr:89 - if re.search(re.escape(Message), filestr.read()):90 - filestr.close()91 - return False92 - else:93 - return True94 - else:95 - return True 91 + if Verbose == True: 92 + return True 93 + if os.path.isfile(Filename) == True: 94 + with open(Filename,"r") as filestr: 95 + if re.search(re.escape(Message), filestr.read()): 96 + filestr.close() 97 + return False 98 + else: 99 + return True 100 + else: 101 + return True96 102 97 103 def IsCookedPcap(version): 98 - Cooked = re.search('Linux \"cooked\"', version)99 - TcpDump = re.search('Ethernet', version)100 - Wifi = re.search('802.11', version)101 - if Wifi:102 - print ' Using 802.11 format\n' 103 - return 1104 - if Cooked:105 - print ' Using Linux Cooked format\n' 106 - return 2107 - if TcpDump:108 - print ' Using TCPDump format\n' 109 - return 3110 - else:111 - print ' Unknown format, trying TCPDump format\n' 112 - return 3 104 + Cooked = re.search(b 'Linux \"cooked\"', version) 105 + TcpDump = re.search(b 'Ethernet', version) 106 + Wifi = re.search(b '802.11', version) 107 + if Wifi: 108 + print( " Using 802.11 format\n" ) 109 + return 1 110 + if Cooked: 111 + print( " Using Linux Cooked format\n" ) 112 + return 2 113 + if TcpDump: 114 + print( " Using TCPDump format\n" ) 115 + return 3 116 + else: 117 + print( " Unknown format, trying TCPDump format\n" ) 118 + return 3113 119 114 - protocols={6:'tcp', 115 - 17:'udp',116 - 1:'icmp',117 - 2:'igmp',118 - 3:'ggp',119 - 4:'ipcap',120 - 5:'ipstream',121 - 8:'egp',122 - 9:'igrp',123 - 29:'ipv6oipv4',124 - } 120 + protocols = {6:'tcp', 121 + 17:'udp', 122 + 1:'icmp', 123 + 2:'igmp', 124 + 3:'ggp', 125 + 4:'ipcap', 126 + 5:'ipstream', 127 + 8:'egp', 128 + 9:'igrp', 129 + 29:'ipv6oipv4', 130 + }125 131 126 132 def luhn(n): 127 - r = [int(ch) for ch in str(n)][::-1]128 - return (sum(r[0::2]) + sum(sum(divmod(d*2,10)) for d in r[1::2])) % 10 == 0 133 + r = [int(ch) for ch in str(n)][::-1] 134 + return (sum(r[0::2]) + sum(sum(divmod(d*2,10)) for d in r[1::2])) % 10 == 0129 135 130 136 def Is_Anonymous(data): 131 - LMhashLen = struct.unpack('<H',data[14:16])[0]132 - if LMhashLen == 0 or LMhashLen == 1:133 - return False134 - else:135 - return True 137 + LMhashLen = struct.unpack('<H',data[14:16])[0] 138 + if LMhashLen == 0 or LMhashLen == 1: 139 + return False 140 + else: 141 + return True136 142 137 143 def ParseCTX1Hash(data): 138 - def decrypt(ct):139 - pt = ''140 - last = 0141 - for i in range(0, len(ct), 4):142 - pc = dec_letter(ct[i:i+4], last) 143 - pt += pc144 - last ^= ord(pc)145 - return pt 144 + def decrypt(ct): 145 + pt = '' 146 + last = 0 147 + for i in range(0, len(ct), 4): 148 + pc = dec_letter(ct[i:i+4], last) 149 + pt += pc 150 + last ^= ord(pc) 151 + return pt146 152 147 - def dec_letter(ct, last=0):148 - c = (ord(ct[2]) - 1) & 0x0f149 - d = (ord(ct[3]) - 1) & 0x0f150 - x = c*16+d151 - pc = chr(x^last)152 - return pc 153 + def dec_letter(ct, last=0): 154 + c = (ord(ct[2]) - 1) & 0x0f 155 + d = (ord(ct[3]) - 1) & 0x0f 156 + x = c*16+d 157 + pc = chr(x^last) 158 + return pc153 159 154 - x = re.sub('[^A-P]', '', data.upper())155 - return str(decrypt(x)) 160 + x = re.sub('[^A-P]', '', data.upper()) 161 + return str(decrypt(x))156 162 157 163 def ParseNTLMHash(data,Challenge): 158 - PacketLen = len(data)159 - if PacketLen > 0:160 - SSPIStart = data[:]161 - LMhashLen = struct.unpack('<H',data[14:16])[0]162 - LMhashOffset = struct.unpack('<H',data[16:18])[0]163 - LMHash = SSPIStart[LMhashOffset:LMhashOffset+LMhashLen]. encode ( "hex").upper()164 - NthashLen = struct.unpack('<H',data[22:24])[0]165 - NthashOffset = struct.unpack('<H',data[24:26])[0] 164 + PacketLen = len(data) 165 + if PacketLen > 0: 166 + SSPIStart = data[:] 167 + LMhashLen = struct.unpack('<H',data[14:16])[0] 168 + LMhashOffset = struct.unpack('<H',data[16:18])[0] 169 + LMHash = codecs . encode ( SSPIStart[LMhashOffset:LMhashOffset+LMhashLen], "hex").upper() 170 + NthashLen = struct.unpack('<H',data[22:24])[0] 171 + NthashOffset = struct.unpack('<H',data[24:26])[0]166 172 167 - if NthashLen == 24:168 - NtHash = SSPIStart[NthashOffset:NthashOffset+NthashLen]. encode ( "hex").upper()169 - DomainLen = struct.unpack('<H',data[30:32])[0]170 - DomainOffset = struct.unpack('<H',data[32:34])[0]171 - Domain = SSPIStart[DomainOffset:DomainOffset+DomainLen].replace (' \x00' , ' ' )172 - UserLen = struct.unpack('<H',data[38:40])[0]173 - UserOffset = struct.unpack('<H',data[40:42])[0]174 - User = SSPIStart[UserOffset:UserOffset+UserLen].replace (' \x00' , ' ' )175 - writehash = User+"::"+Domain+":"+LMHash+":"+NtHash+":"+Challenge 176 - return "NTLMv1 complete hash is: %s\n"%(writehash), User+"::"+Domain 173 + if NthashLen == 24: 174 + NtHash = codecs . encode ( SSPIStart[NthashOffset:NthashOffset+NthashLen], "hex").upper() 175 + DomainLen = struct.unpack('<H',data[30:32])[0] 176 + DomainOffset = struct.unpack('<H',data[32:34])[0] 177 + Domain = SSPIStart[DomainOffset:DomainOffset+DomainLen].strip (b " \x00" ) 178 + UserLen = struct.unpack('<H',data[38:40])[0] 179 + UserOffset = struct.unpack('<H',data[40:42])[0] 180 + User = SSPIStart[UserOffset:UserOffset+UserLen].strip (b " \x00" ) 181 + writehash = '%s::%s:%s:%s:%s' % (User.decode('latin-1'),Domain.decode('latin-1'), LMHash.decode('latin-1'), NtHash.decode('latin-1'), Challenge.decode('latin-1')) 182 + return "NTLMv1 complete hash is: %s\n"%(writehash), User. decode ( ' latin - 1 ' ) +"::"+Domain. decode ( ' latin - 1 ' ) 177 183 178 - if NthashLen > 60:179 - NtHash = SSPIStart[NthashOffset:NthashOffset+NthashLen]. encode ( "hex").upper()180 - DomainLen = struct.unpack('<H',data[30:32])[0]181 - DomainOffset = struct.unpack('<H',data[32:34])[0]182 - Domain = SSPIStart[DomainOffset:DomainOffset+DomainLen].replace (' \x00' , ' ' )183 - UserLen = struct.unpack('<H',data[38:40])[0]184 - UserOffset = struct.unpack('<H',data[40:42])[0]185 - User = SSPIStart[UserOffset:UserOffset+UserLen].replace (' \x00' , ' ' )186 - writehash = User+"::"+Domain+":"+Challenge+":"+NtHash[:32]+":"+NtHash[32:] 187 - return "NTLMv2 complete hash is: %s\n"%(writehash),User+"::"+Domain188 - else:189 - return False 184 + if NthashLen > 60: 185 + NtHash = codecs . encode ( SSPIStart[NthashOffset:NthashOffset+NthashLen], "hex").upper() 186 + DomainLen = struct.unpack('<H',data[30:32])[0] 187 + DomainOffset = struct.unpack('<H',data[32:34])[0] 188 + Domain = SSPIStart[DomainOffset:DomainOffset+DomainLen].strip (b " \x00" ) 189 + UserLen = struct.unpack('<H',data[38:40])[0] 190 + UserOffset = struct.unpack('<H',data[40:42])[0] 191 + User = SSPIStart[UserOffset:UserOffset+UserLen].strip (b " \x00" ) 192 + writehash = '%s::%s:%s:%s:%s' % (User.decode('latin-1'),Domain.decode('latin-1'), Challenge.decode('latin-1'), NtHash[:32].decode('latin-1'), NtHash[32:].decode('latin-1')) 193 + return "NTLMv2 complete hash is: %s\n"%(writehash),User. decode ( ' latin - 1 ' ) +"::"+Domain. decode ( ' latin - 1 ' ) 194 + else: 195 + return False190 196 191 197 def ParseMSKerbv5TCP(Data): 192 - MsgType = Data[21:22]193 - EncType = Data[43:44]194 - MessageType = Data[32:33]195 - if MsgType == "\x0a" and EncType == "\x17" and MessageType =="\x02":196 - if Data[49:53] == "\xa2\x36\x04\x34" or Data[49:53] == "\xa2\x35\x04\x33":197 - HashLen = struct.unpack('<b',Data[50:51])[0]198 - if HashLen == 54:199 - Hash = Data[53:105]200 - SwitchHash = Hash[16:]+Hash[0:16]201 - NameLen = struct.unpack('<b',Data[153:154])[0]202 - Name = Data[154:154+NameLen]203 - DomainLen = struct.unpack('<b',Data[154+NameLen+3:154+NameLen+4])[0]204 - Domain = Data[154+NameLen+4:154+NameLen+4+DomainLen]205 - BuildHash = " $krb5pa$23$" + Name+ "$"+ Domain+ "$dummy$"+ SwitchHash .encode('hex')206 - return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name+"$"+Domain+"$dummy$"207 - if Data[44:48] == "\xa2\x36\x04\x34" or Data[44:48] == "\xa2\x35\x04\x33":208 - HashLen = struct.unpack('<b',Data[47:48])[0]209 - Hash = Data[48:48+HashLen]210 - SwitchHash = Hash[16:]+Hash[0:16]211 - NameLen = struct.unpack('<b',Data[HashLen+96:HashLen+96+1])[0]212 - Name = Data[HashLen+97:HashLen+97+NameLen]213 - DomainLen = struct.unpack('<b',Data[HashLen+97+NameLen+3:HashLen+97+NameLen+4])[0]214 - Domain = Data[HashLen+97+NameLen+4:HashLen+97+NameLen+4+DomainLen]215 - BuildHash = " $krb5pa$23$" + Name+ "$"+ Domain+ "$dummy$"+ SwitchHash .encode('hex')216 - return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name+"$"+Domain+"$dummy$" 198 + MsgType = Data[21:22] 199 + EncType = Data[43:44] 200 + MessageType = Data[32:33] 201 + if MsgType == b "\x0a" and EncType == b "\x17" and MessageType ==b "\x02": 202 + if Data[49:53] == b "\xa2\x36\x04\x34" or Data[49:53] == b "\xa2\x35\x04\x33": 203 + HashLen = struct.unpack('<b',Data[50:51])[0] 204 + if HashLen == 54: 205 + Hash = Data[53:105] 206 + SwitchHash = Hash[16:]+Hash[0:16] 207 + NameLen = struct.unpack('<b',Data[153:154])[0] 208 + Name = Data[154:154+NameLen] 209 + DomainLen = struct.unpack('<b',Data[154+NameLen+3:154+NameLen+4])[0] 210 + Domain = Data[154+NameLen+4:154+NameLen+4+DomainLen] 211 + BuildHash = ' $krb5pa$23$% s % s % s % s % s ' % ( Name. decode ( ' latin - 1 ' ) , "$", Domain. decode ( ' latin - 1 ' ) , "$dummy$", codecs .encode(SwitchHash , 'hex'). decode ( ' latin - 1 ' ) ) 212 + return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name. decode ( ' latin - 1 ' ) +"$"+Domain. decode ( ' latin - 1 ' ) +"$dummy$" 213 + if Data[44:48] == b "\xa2\x36\x04\x34" or Data[44:48] == b "\xa2\x35\x04\x33": 214 + HashLen = struct.unpack('<b',Data[47:48])[0] 215 + Hash = Data[48:48+HashLen] 216 + SwitchHash = Hash[16:]+Hash[0:16] 217 + NameLen = struct.unpack('<b',Data[HashLen+96:HashLen+96+1])[0] 218 + Name = Data[HashLen+97:HashLen+97+NameLen] 219 + DomainLen = struct.unpack('<b',Data[HashLen+97+NameLen+3:HashLen+97+NameLen+4])[0] 220 + Domain = Data[HashLen+97+NameLen+4:HashLen+97+NameLen+4+DomainLen] 221 + BuildHash = ' $krb5pa$23$% s % s % s % s % s ' % ( Name. decode ( ' latin - 1 ' ) , "$", Domain. decode ( ' latin - 1 ' ) , "$dummy$", codecs .encode(SwitchHash , 'hex'). decode ( ' latin - 1 ' ) ) 222 + return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name. decode ( ' latin - 1 ' ) +"$"+Domain. decode ( ' latin - 1 ' ) +"$dummy$"217 223 218 - else:219 - Hash = Data[48:100]220 - SwitchHash = Hash[16:]+Hash[0:16]221 - NameLen = struct.unpack('<b',Data[148:149])[0]222 - Name = Data[149:149+NameLen]223 - DomainLen = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0]224 - Domain = Data[149+NameLen+4:149+NameLen+4+DomainLen]225 - BuildHash = " $krb5pa$23$" + Name+ "$"+ Domain+ "$dummy$"+ SwitchHash .encode('hex')226 - return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name+"$"+Domain+"$dummy$"227 - else:228 - return False 224 + else: 225 + Hash = Data[48:100] 226 + SwitchHash = Hash[16:]+Hash[0:16] 227 + NameLen = struct.unpack('<b',Data[148:149])[0] 228 + Name = Data[149:149+NameLen] 229 + DomainLen = struct.unpack('<b',Data[149+NameLen+3:149+NameLen+4])[0] 230 + Domain = Data[149+NameLen+4:149+NameLen+4+DomainLen] 231 + BuildHash = ' $krb5pa$23$% s % s % s % s % s ' % ( Name. decode ( ' latin - 1 ' ) , "$", Domain. decode ( ' latin - 1 ' ) , "$dummy$", codecs .encode(SwitchHash , 'hex'). decode ( ' latin - 1 ' ) ) 232 + return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name. decode ( ' latin - 1 ' ) +"$"+Domain. decode ( ' latin - 1 ' ) +"$dummy$" 233 + else: 234 + return False229 235 230 236 def ParseMSKerbv5UDP(Data): 231 - MsgType = Data[17:18]232 - EncType = Data[39:40]233 - if MsgType == "\x0a" and EncType == "\x17":234 - if Data[40:44] == "\xa2\x36\x04\x34" or Data[40:44] == "\xa2\x35\x04\x33":235 - HashLen = struct.unpack('<b',Data[41:42])[0]236 - if HashLen == 54:237 - Hash = Data[44:96]238 - SwitchHash = Hash[16:]+Hash[0:16]239 - NameLen = struct.unpack('<b',Data[144:145])[0]240 - Name = Data[145:145+NameLen]241 - DomainLen = struct.unpack('<b',Data[145+NameLen+3:145+NameLen+4])[0]242 - Domain = Data[145+NameLen+4:145+NameLen+4+DomainLen]243 - BuildHash = " $krb5pa$23$" + Name+ "$"+ Domain+ "$dummy$"+ SwitchHash .encode('hex')244 - return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name+"$"+Domain+"$dummy$"245 - if HashLen == 53:246 - Hash = Data[44:95]247 - SwitchHash = Hash[16:]+Hash[0:16]248 - NameLen = struct.unpack('<b',Data[143:144])[0]249 - Name = Data[144:144+NameLen]250 - DomainLen = struct.unpack('<b',Data[144+NameLen+3:144+NameLen+4])[0]251 - Domain = Data[144+NameLen+4:144+NameLen+4+DomainLen]252 - BuildHash = " $krb5pa$23$" + Name+ "$"+ Domain+ "$dummy$"+ SwitchHash .encode('hex')253 - return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name+"$"+Domain+"$dummy$" 237 + MsgType = Data[17:18] 238 + EncType = Data[39:40] 239 + if MsgType == b "\x0a" and EncType == b "\x17": 240 + if Data[40:44] == b "\xa2\x36\x04\x34" or Data[40:44] == b "\xa2\x35\x04\x33": 241 + HashLen = struct.unpack('<b',Data[41:42])[0] 242 + if HashLen == 54: 243 + Hash = Data[44:96] 244 + SwitchHash = Hash[16:]+Hash[0:16] 245 + NameLen = struct.unpack('<b',Data[144:145])[0] 246 + Name = Data[145:145+NameLen] 247 + DomainLen = struct.unpack('<b',Data[145+NameLen+3:145+NameLen+4])[0] 248 + Domain = Data[145+NameLen+4:145+NameLen+4+DomainLen] 249 + BuildHash = ' $krb5pa$23$% s % s % s % s % s ' % ( Name. decode ( ' latin - 1 ' ) , "$", Domain. decode ( ' latin - 1 ' ) , "$dummy$", codecs .encode(SwitchHash , 'hex'). decode ( ' latin - 1 ' ) ) 250 + return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name. decode ( ' latin - 1 ' ) +"$"+Domain. decode ( ' latin - 1 ' ) +"$dummy$" 251 + if HashLen == 53: 252 + Hash = Data[44:95] 253 + SwitchHash = Hash[16:]+Hash[0:16] 254 + NameLen = struct.unpack('<b',Data[143:144])[0] 255 + Name = Data[144:144+NameLen] 256 + DomainLen = struct.unpack('<b',Data[144+NameLen+3:144+NameLen+4])[0] 257 + Domain = Data[144+NameLen+4:144+NameLen+4+DomainLen] 258 + BuildHash = ' $krb5pa$23$% s % s % s % s % s ' % ( Name. decode ( ' latin - 1 ' ) , "$", Domain. decode ( ' latin - 1 ' ) , "$dummy$", codecs .encode(SwitchHash , 'hex'). decode ( ' latin - 1 ' ) ) 259 + return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name. decode ( ' latin - 1 ' ) +"$"+Domain. decode ( ' latin - 1 ' ) +"$dummy$"254 260 255 - else:256 - HashLen = struct.unpack('<b',Data[48:49])[0]257 - Hash = Data[49:49+HashLen]258 - SwitchHash = Hash[16:]+Hash[0:16]259 - NameLen = struct.unpack('<b',Data[HashLen+97:HashLen+97+1])[0]260 - Name = Data[HashLen+98:HashLen+98+NameLen]261 - DomainLen = struct.unpack('<b',Data[HashLen+98+NameLen+3:HashLen+98+NameLen+4])[0]262 - Domain = Data[HashLen+98+NameLen+4:HashLen+98+NameLen+4+DomainLen]263 - BuildHash = " $krb5pa$23$" + Name+ "$"+ Domain+ "$dummy$"+ SwitchHash .encode('hex')264 - return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name+"$"+Domain+"$dummy$" 261 + else: 262 + HashLen = struct.unpack('<b',Data[48:49])[0] 263 + Hash = Data[49:49+HashLen] 264 + SwitchHash = Hash[16:]+Hash[0:16] 265 + NameLen = struct.unpack('<b',Data[HashLen+97:HashLen+97+1])[0] 266 + Name = Data[HashLen+98:HashLen+98+NameLen] 267 + DomainLen = struct.unpack('<b',Data[HashLen+98+NameLen+3:HashLen+98+NameLen+4])[0] 268 + Domain = Data[HashLen+98+NameLen+4:HashLen+98+NameLen+4+DomainLen] 269 + BuildHash = ' $krb5pa$23$% s % s % s % s % s ' % ( Name. decode ( ' latin - 1 ' ) , "$", Domain. decode ( ' latin - 1 ' ) , "$dummy$", codecs .encode(SwitchHash , 'hex'). decode ( ' latin - 1 ' ) ) 270 + return 'MSKerb hash found: %s\n'%(BuildHash),"$krb5pa$23$"+Name. decode ( ' latin - 1 ' ) +"$"+Domain. decode ( ' latin - 1 ' ) +"$dummy$"265 271 266 - else:267 - return False 272 + else: 273 + return False268 274 269 275 270 276 def ParseSNMP(data): 271 - SNMPVersion = data[4:5]272 - if SNMPVersion == "\x00":273 - StrLen = struct.unpack('<b',data[6:7])[0]274 - return 'Found SNMPv1 Community string: %s\n'%(data[7:7+StrLen])275 - if data[3:5] == "\x01\x01":276 - StrLen = struct.unpack('<b',data[6:7])[0]277 - return 'Found SNMPv2 Community string: %s\n'%(data[7:7+StrLen]) 277 + SNMPVersion = data[4:5] 278 + if SNMPVersion == b "\x00": 279 + StrLen = struct.unpack('<b',data[6:7])[0] 280 + return 'Found SNMPv1 Community string: %s\n'%(data[7:7+StrLen]. decode ( ' latin - 1 ' ) ) 281 + if data[3:5] == b "\x01\x01": 282 + StrLen = struct.unpack('<b',data[6:7])[0] 283 + return 'Found SNMPv2 Community string: %s\n'%(data[7:7+StrLen]. decode ( ' latin - 1 ' ) )278 284 279 285 280 286 def ParseSMTP(data): 281 - basic = data[0:len(data)-2]282 - OpCode = ['HELO','EHLO','MAIL','RCPT','SIZE','DATA','QUIT','VRFY','EXPN','RSET']283 - if data[0:4] not in OpCode:284 - try:285 - Basestr = b64decode(basic)286 - if len(Basestr)>1:287 - if Basestr.decode('ascii'):288 - return 'SMTP decoded Base64 string: %s\n'%(Basestr)289 - except:290 - pass 287 + basic = data[0:len(data)-2] 288 + OpCode = [b 'HELO',b 'EHLO',b 'MAIL',b 'RCPT',b 'SIZE',b 'DATA',b 'QUIT',b 'VRFY',b 'EXPN',b 'RSET'] 289 + if data[0:4] not in OpCode: 290 + try: 291 + Basestr = b64decode(basic) 292 + if len(Basestr)>1: 293 + if Basestr.decode('ascii'): 294 + return 'SMTP decoded Base64 string: %s\n'%(Basestr. decode ( ' latin - 1 ' ) ) 295 + except: 296 + pass291 297 292 298 def ParseSqlClearTxtPwd(Pwd): 293 - Pwd = map(ord,Pwd.replace('\xa5','')) 294 - Pw = [] 295 - for x in Pwd: 296 - Pw.append(hex(x ^ 0xa5)[::-1][:2].replace("x","0").decode('hex')) 297 - return ''.join(Pw) 299 + Pwd = Pwd.decode('latin-1') 300 + Pwd = map(ord,Pwd.replace('\xa5','')) 301 + Pw = b'' 302 + for x in Pwd: 303 + Pw += codecs.decode(hex(x ^ 0xa5)[::-1][:2].replace("x", "0"), 'hex') 304 + return Pw.decode('latin-1') 298 305 299 306 def ParseMSSQLPlainText(data): 300 - UsernameOffset = struct.unpack('<h',data[48:50])[0]301 - PwdOffset = struct.unpack('<h',data[52:54])[0]302 - AppOffset = struct.unpack('<h',data[56:58])[0]303 - PwdLen = AppOffset-PwdOffset304 - UsernameLen = PwdOffset-UsernameOffset305 - PwdStr = ParseSqlClearTxtPwd(data[8+PwdOffset:8+PwdOffset+PwdLen])306 - UserName = data[8+UsernameOffset:8+UsernameOffset+UsernameLen].decode('utf-16le')307 - return "MSSQL Username: %s Password: %s"%(UserName, PwdStr) 307 + UsernameOffset = struct.unpack('<h',data[48:50])[0] 308 + PwdOffset = struct.unpack('<h',data[52:54])[0] 309 + AppOffset = struct.unpack('<h',data[56:58])[0] 310 + PwdLen = AppOffset-PwdOffset 311 + UsernameLen = PwdOffset-UsernameOffset 312 + PwdStr = ParseSqlClearTxtPwd(data[8+PwdOffset:8+PwdOffset+PwdLen]) 313 + UserName = data[8+UsernameOffset:8+UsernameOffset+UsernameLen].decode('utf-16le') 314 + return "MSSQL Username: %s Password: %s"%(UserName, PwdStr)308 315 309 316 def Decode_Ip_Packet(s): 310 - d={}311 - d['version']=(ord ( s[0]) & 0xf0) >> 4312 - d['header_len']=ord ( s[0]) & 0x0f313 - d['tos']=ord ( s[1]) 314 - d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0])315 - d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0])316 - d['flags']=(ord ( s[6]) & 0xe0) >> 5317 - d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f)318 - d['ttl']=ord ( s[8]) 319 - d['protocol']=ord ( s[9]) 320 - d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0])321 - d['source_address']=pcap .ntoa (struct . unpack ( ' i ' , s[12:16])[ 0 ] ) 322 - d['destination_address']=pcap .ntoa (struct . unpack ( ' i ' , s[16:20])[ 0 ] ) 323 - if d['header_len']>5:324 - d['options']=s[20:4*(d['header_len']-5)]325 - else:326 - d['options']=None327 - d['data']=s[4*d['header_len']:]328 - return d 317 + d={} 318 + d['version']=(s[0] & 0xf0) >> 4 319 + d['header_len']=s[0] & 0x0f 320 + d['tos']=s[1] 321 + d['total_len']=socket.ntohs(struct.unpack('H',s[2:4])[0]) 322 + d['id']=socket.ntohs(struct.unpack('H',s[4:6])[0]) 323 + d['flags']=(s[6] & 0xe0) >> 5 324 + d['fragment_offset']=socket.ntohs(struct.unpack('H',s[6:8])[0] & 0x1f) 325 + d['ttl']=s[8] 326 + d['protocol']=s[9] 327 + # d['checksum']=socket.ntohs(struct.unpack('H',s[10:12])[0]) 328 + d['source_address']=socket .inet_ntoa (s[12:16]) 329 + d['destination_address']=socket .inet_ntoa (s[16:20]) 330 + if d['header_len']>5: 331 + d['options']=s[20:4*(d['header_len']-5)] 332 + else: 333 + d['options']=None 334 + d['data']=s[4*d['header_len']:] 335 + return d329 336 330 - def Print_Packet_Details(decoded,SrcPort,DstPort, packet_num ): 331 - if timestamp:332 - ts = '[%f] ' % time.time()333 - else:334 - ts = ''335 - try:336 - return '% s %sprotocol: %s %s:%s > %s:%s' % (str ( packet_num ) , ts, protocols[decoded['protocol']],decoded['source_address'],SrcPort, 337 + def Print_Packet_Details(decoded,SrcPort,DstPort): 338 + if timestamp: 339 + ts = '[%f] ' % time.time() 340 + else: 341 + ts = '' 342 + try: 343 + return '%sprotocol: %s %s:%s > %s:%s' % (ts, protocols[decoded['protocol']],decoded['source_address'],SrcPort,337 344 decoded['destination_address'], DstPort) 338 - except:339 - return '%s % s %s:%s > %s:%s' % (str ( packet_num ) , ts,decoded['source_address'],SrcPort, 345 + except: 346 + return '%s%s:%s > %s:%s' % (ts, decoded['source_address'],SrcPort,340 347 decoded['destination_address'], DstPort) 341 348 342 349 343 - def ParseDataRegex(decoded, SrcPort, DstPort, packet_num ): 344 - HTTPUser = None345 - HTTPass = None346 - for user in http_userfields:347 - user = re.findall('(%s=[^&]+)' % user, decoded['data'], re.IGNORECASE)348 - if user:349 - HTTPUser = user 350 + def ParseDataRegex(decoded, SrcPort, DstPort): 351 + HTTPUser = None 352 + HTTPass = None 353 + for user in http_userfields: 354 + user = re.findall(b '(%s=[^&]+)' % user, decoded['data'], re.IGNORECASE) 355 + if user: 356 + HTTPUser = user 357 + 358 + for password in http_passfields: 359 + passw = re.findall(b'(%s=[^&]+)' % password, decoded['data'], re.IGNORECASE) 360 + if passw: 361 + HTTPass = passw 350 362 351 - for password in http_passfields: 352 - passw = re.findall('(% s =[^& ]+ ) ' % password , decoded['data'], re . IGNORECASE )353 - if passw: 354 - HTTPass = passw 363 + SMTPAuth = re.search(b'AUTH LOGIN|AUTH PLAIN', decoded['data']) 364 + Basic64 = re.findall(b '(? < =Authorization : Basic ) [^\ n ]* ', decoded['data']) 365 + FTPUser = re.findall(b'(?<=USER )[^\r]*', decoded['data']) 366 + FTPPass = re.findall(b'(?<=PASS )[^\r]*', decoded['data']) 367 + HTTPNTLM2 = re.findall(b'(?<=WWW-Authenticate: NTLM )[^\\r]*', decoded['data']) 368 + HTTPNTLM3 = re.findall(b'(?<=Authorization: NTLM )[^\\r]*', decoded['data']) 369 + NTLMSSP1 = re.findall(b'NTLMSSP\x00\x01\x00\x00\x00.*[^EOF]*', decoded['data']) 370 + NTLMSSP2 = re.findall(b'NTLMSSP\x00\x02\x00\x00\x00.*[^EOF]*', decoded['data'],re.DOTALL) 371 + NTLMSSP3 = re.findall(b'NTLMSSP\x00\x03\x00\x00\x00.*[^EOF]*', decoded['data'],re.DOTALL) 355 372 356 - SMTPAuth = re.search('AUTH LOGIN|AUTH PLAIN', decoded['data']) 357 - Basic64 = re.findall('(?<=Authorization: Basic )[^\n]*', decoded['data']) 358 - FTPUser = re.findall('(?<=USER )[^\r]*', decoded['data']) 359 - FTPPass = re.findall('(?<=PASS )[^\r]*', decoded['data']) 360 - HTTPNTLM2 = re.findall('(?<=WWW-Authenticate: NTLM )[^\\r]*', decoded['data']) 361 - HTTPNTLM3 = re.findall('(?<=Authorization: NTLM )[^\\r]*', decoded['data']) 362 - NTLMSSP1 = re.findall('NTLMSSP\x00\x01\x00\x00\x00.*[^EOF]*', decoded['data']) 363 - NTLMSSP2 = re.findall('NTLMSSP\x00\x02\x00\x00\x00.*[^EOF]*', decoded['data'],re.DOTALL) 364 - NTLMSSP3 = re.findall('NTLMSSP\x00\x03\x00\x00\x00.*[^EOF]*', decoded['data'],re.DOTALL) 373 + CTX1_USR = re.findall(b'<UserName>(.*?)</UserName><Password encoding="ctx1">', decoded['data']) 374 + CTX1_PWD = re.findall(b'<Password encoding="ctx1">(.*?)</Password>', decoded['data']) 365 375 366 - CTX1_USR = re.findall('<UserName>(.*?)</UserName><Password encoding="ctx1">', decoded['data']) 367 - CTX1_PWD = re.findall('<Password encoding="ctx1">(.*?)</Password>', decoded['data']) 376 + if CTX1_USR and CTX1_PWD: 377 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 378 + try: 379 + CTX1_USR = CTX1_USR[0] 380 + CTX1_PWD = ParseCTX1Hash(CTX1_PWD[0]) 381 + CTX1_CREDS = CTX1_USR + ':' + CTX1_PWD 382 + Message = 'Found CTX1 encoded password: %s\n'%CTX1_CREDS 383 + print(HeadMessage + '\n' + Message) 384 + except: 385 + pass 368 386 369 - if CTX1_USR and CTX1_PWD: 370 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 371 - try: 372 - CTX1_USR = CTX1_USR[0] 373 - CTX1_PWD = ParseCTX1Hash(CTX1_PWD[0]) 374 - CTX1_CREDS = CTX1_USR + ':' + CTX1_PWD 375 - Message = 'Found CTX1 encoded password: %s\n'%CTX1_CREDS 376 - print HeadMessage + '\n' + Message 377 - except: 378 - pass 387 + if activate_cc: 388 + CCMatch = re.findall(b'.{30}[^\d][3456][0-9]{3}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[^\d]', decoded['data'],re.DOTALL) 389 + CC = re.findall(b'[^\d][456][0-9]{3}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[^\d]', decoded['data']) 390 + else: 391 + CCMatch = False 392 + CC = False 393 + if Basic64: 394 + basic = b''.join(Basic64) 395 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 396 + try: 397 + Message = 'Found HTTP Basic authentication: %s\n'%(b64decode(basic).decode('latin-1')) 398 + if PrintPacket(Filename,Message): 399 + l.warning(HeadMessage) 400 + l.warning(Message) 401 + print(HeadMessage+'\n'+Message) 402 + except: 403 + pass 379 404 380 - if activate_cc: 381 - CCMatch = re.findall('.{30}[^\d][3456][0-9]{3}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[^\d]', decoded['data'],re.DOTALL) 382 - CC = re.findall('[^\d][456][0-9]{3}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[\s-]*[0-9]{4}[^\d]', decoded['data']) 383 - else: 384 - CCMatch = False 385 - CC = False 386 - if Basic64: 387 - basic = ''.join(Basic64) 388 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) 389 - try: 390 - Message = 'Found HTTP Basic authentication: %s\n'%(b64decode(basic)) 391 - if PrintPacket(Filename,Message): 392 - l.warning(HeadMessage) 393 - l.warning(Message) 394 - print HeadMessage+'\n'+Message 395 - except: 396 - pass 405 + if DstPort == 1433 and decoded['data'][20:22]== b"\x10\x01" and len(NTLMSSP1) <=0: 406 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 407 + Message = ParseMSSQLPlainText(decoded['data'][20:]) 408 + if PrintPacket(Filename,Message): 409 + l.warning(HeadMessage) 410 + l.warning(Message) 411 + print(HeadMessage+'\n'+Message) 397 412 398 - if DstPort == 1433 and decoded['data'][20:22]=="\x10\x01" and len(NTLMSSP1) <=0: 399 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) 400 - Message = ParseMSSQLPlainText(decoded['data'][20:]) 401 - if PrintPacket(Filename,Message): 402 - l.warning(HeadMessage) 403 - l.warning(Message )404 - print HeadMessage+'\n'+Message 413 + if DstPort == 88 and protocols[decoded['protocol']] == 'tcp': 414 + Message = ParseMSKerbv5TCP(decoded['data'][20:]) 415 + if Message: 416 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 417 + if PrintPacket(Filename,Message[1]): 418 + l.warning(HeadMessage ) 419 + l.warning(Message[0]) 420 + print(HeadMessage+'\n'+Message[0]) 405 421 406 - if DstPort == 88 and protocols. has_key ( decoded [ ' protocol ' ] ) and protocols [decoded['protocol']] == 'tcp ':407 - Message = ParseMSKerbv5TCP (decoded['data'][20 :])408 - if Message:409 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort, packet_num )410 - if PrintPacket(Filename,Message[1]):411 - l.warning(HeadMessage)412 - l.warning(Message[0])413 - print HeadMessage+'\n'+Message[0] 422 + if DstPort == 88 and protocols[decoded['protocol']] == 'udp ': 423 + Message = ParseMSKerbv5UDP (decoded['data'][8 :]) 424 + if Message: 425 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 426 + if PrintPacket(Filename,Message[1]): 427 + l.warning(HeadMessage) 428 + l.warning(Message[0]) 429 + print( HeadMessage+'\n'+Message[0]) 414 430 415 - if DstPort == 88 and protocols.has_key(decoded['protocol']) and protocols[decoded['protocol']] == 'udp': 416 - Message = ParseMSKerbv5UDP (decoded['data'][8:])417 - if Message:418 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort, packet_num )419 - if PrintPacket(Filename,Message[ 1 ] ):420 - l.warning(HeadMessage)421 - l.warning(Message[ 0 ] )422 - print HeadMessage+'\n'+Message[ 0 ] 431 + if DstPort == 161: 432 + Message = ParseSNMP (decoded['data'][8:]) 433 + if Message: 434 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 435 + if PrintPacket(Filename,Message): 436 + l.warning(HeadMessage) 437 + l.warning(Message) 438 + print( HeadMessage+'\n'+Message) 423 439 424 - if DstPort == 161 :425 - Message = ParseSNMP(decoded['data'][8:]) 426 - if Message: 427 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort, packet_num )428 - if PrintPacket(Filename,Message): 429 - l.warning(HeadMessage) 430 - l.warning(Message )431 - print HeadMessage+'\n'+Message 440 + if DstPort == 143 : 441 + IMAPAuth = re.findall(b'(?<=LOGIN \")[^\r]*', decoded['data']) 442 + if IMAPAuth: 443 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 444 + Message = 'Found IMAP login: "%s"\n'%(''.join(IMAPAuth[0].decode('latin-1'))) 445 + if PrintPacket(Filename,Message): 446 + l.warning(HeadMessage ) 447 + l.warning(Message) 448 + print(HeadMessage+'\n'+Message) 432 449 433 - if DstPort == 143 :434 - IMAPAuth = re.findall('(?<=LOGIN \")[^\r]*', decoded['data']) 435 - if IMAPAuth: 436 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) 437 - Message = 'Found IMAP login: "%s\n'%(''.join(IMAPAuth)) 438 - if PrintPacket(Filename,Message): 439 - l.warning(HeadMessage) 440 - l.warning(Message) 441 - print HeadMessage+'\n'+Message 450 + if DstPort == 110 : 451 + if FTPUser: 452 + global POPUser 453 + POPUser = b''.join(FTPUser) 454 + if FTPPass: 455 + try: 456 + POPUser 457 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 458 + Message = 'Found POP credentials %s:%s\n'%(POPUser.decode('latin-1'), b''.join(FTPPass).decode('latin-1')) 459 + del POPUser 460 + if PrintPacket(Filename,Message): 461 + l.warning(HeadMessage) 462 + l.warning(Message) 463 + print(HeadMessage+'\n'+Message) 464 + except NameError: 465 + pass 442 466 443 - if DstPort == 110 :444 - if FTPUser: 445 - global POPUser 446 - POPUser = ''.join(FTPUser) 447 - if FTPPass: 448 - try: 449 - POPUser 450 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) 451 - Message = 'Found POP credentials %s:%s\n'%(POPUser,''.join(FTPPass)) 452 - del POPUser 453 - if PrintPacket(Filename,Message): 454 - l.warning(HeadMessage) 455 - l.warning(Message) 456 - print HeadMessage+'\n'+Message 457 - except NameError: 458 - pass 467 + if DstPort == 80 : 468 + if (HTTPUser and HTTPass): 469 + try: 470 + host = re.findall(b"(Host: [^\n]+)", decoded['data']) 471 + get_path = re.findall(b"(GET [^\n]+)", decoded['data']) 472 + post_path = re.findall(b"(POST [^\n]+)", decoded['data']) 473 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 474 + Message = 'Found possible HTTP authentication %s:%s\n' % (HTTPUser[0].decode('latin-1'), HTTPass[0].decode('latin-1')) 475 + if host: 476 + Message += '%s\n' % host[0].decode('latin-1').strip('\r') 477 + if get_path: 478 + Message += 'Full path: %s\n' % get_path[0].decode('latin-1').strip('\r') 479 + if post_path: 480 + Message += 'Full path: %s\n' % post_path[0].decode('latin-1').strip('\r') 481 + if PrintPacket(Filename,Message): 482 + l.warning(HeadMessage) 483 + l.warning(Message) 484 + print(HeadMessage+'\n'+Message) 485 + except: 486 + pass 459 487 460 - if DstPort == 80: 461 - if (HTTPUser and HTTPass): 462 - try: 463 - host = re.findall("(Host: [^\n]+)", decoded['data']) 464 - get_path = re.findall("(GET [^\n]+)", decoded['data']) 465 - post_path = re.findall("(POST [^\n]+)", decoded['data']) 466 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) 467 - Message = 'Found possible HTTP authentication %s:%s\n' % (HTTPUser[0], HTTPass[0]) 468 - if host: 469 - Message += '%s\n' % host[0].strip('\r') 470 - if get_path: 471 - Message += 'Full path: %s\n' % get_path[0].strip('\r') 472 - if post_path: 473 - Message += 'Full path: %s\n' % post_path[0].strip('\r') 474 - if PrintPacket(Filename,Message): 475 - l.warning(HeadMessage) 476 - l.warning(Message) 477 - print HeadMessage+'\n'+Message 478 - except: 479 - pass 488 + if DstPort == 25 and SMTPAuth or DstPort == 587 and SMTPAuth: 489 + global SMTPAuthentication 490 + SMTPAuthentication = '1' 480 491 481 - if DstPort == 25 and SMTPAuth or DstPort == 587 and SMTPAuth :482 - global SMTPAuthentication 483 - SMTPAuthentication = ' 1 ' 492 + if DstPort == 25 or DstPort == 587: 493 + try: 494 + SMTPAuthentication 495 + Message = ParseSMTP(decoded['data'][20:]) 496 + if Message: 497 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 498 + #del SMTPAuthentication (Not needed in this case.) 499 + if PrintPacket(Filename,Message): 500 + l.warning(HeadMessage) 501 + l.warning(Message) 502 + print(HeadMessage+'\n'+Message) 503 + except NameError: 504 + pass 484 505 485 - if DstPort == 25 or DstPort == 587: 486 - try: 487 - SMTPAuthentication 488 - Message = ParseSMTP(decoded['data'][20:]) 489 - if Message: 490 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) 491 - del SMTPAuthentication 492 - if PrintPacket(Filename,Message): 493 - l.warning(HeadMessage) 494 - l.warning(Message) 495 - print HeadMessage+'\n'+Message 496 - except NameError: 497 - pass 506 + if FTPUser: 507 + global UserID 508 + UserID = b''.join(FTPUser) 498 509 499 - if FTPUser: 500 - global UserID 501 - UserID = ''.join(FTPUser) 510 + if FTPPass and DstPort == 21: 511 + try: 512 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 513 + Message = 'FTP User: %s\n'%(UserID.decode('latin-1')) 514 + Message+= 'FTP Pass: %s\n'%(b''.join(FTPPass).decode('latin-1')) 515 + del UserID 516 + if PrintPacket(Filename,Message): 517 + l.warning(HeadMessage) 518 + l.warning(Message) 519 + print(HeadMessage+'\n'+Message) 520 + except: 521 + pass 502 522 503 - if FTPPass and DstPort == 21: 504 - try: 505 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) 506 - Message = 'FTP User: %s\n'%(UserID) 507 - Message+= 'FTP Pass: %s\n'%(''.join(FTPPass)) 508 - del UserID 509 - if PrintPacket(Filename,Message): 510 - l.warning(HeadMessage) 511 - l.warning(Message) 512 - print HeadMessage+'\n'+Message 513 - except: 514 - pass 523 + if SrcPort == 445: 524 + SMBRead_userfields = [b'Administrator',b'user', b'email', b'username', b'session_key', b'sessionkey'] 525 + SMBRead_passfields = [b'cpassword',b'password', b'pass', b'password', b'_password', b'passwd', b'pwd'] 526 + for password in SMBRead_passfields: 527 + passw = re.findall(b'(?<=%s )[^\\r]*'%(password), decoded['data'], re.IGNORECASE) 528 + if passw: 529 + Message = "Found a password in an SMB read operation:\n%s:\n\"[%s]\""%(password.decode('latin-1'), b''.join(passw).decode('latin-1')) 530 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 531 + if PrintPacket(Filename,Message): 532 + l.warning(HeadMessage) 533 + l.warning(Message) 534 + print(HeadMessage+'\n'+Message) 515 535 516 - if SrcPort == 445: 517 - SMBRead_userfields = ['Administrator','user', 'email', 'username', 'session_key', 'sessionkey'] 518 - SMBRead_passfields = ['cpassword','password', 'pass', 'password', '_password', 'passwd', 'pwd'] 519 - for password in SMBRead_passfields: 520 - passw = re.findall('(?<=%s )[^\\r]*'%(password), decoded['data'], re.IGNORECASE) 521 - if passw: 522 - Message = "Found a password in an SMB read operation:\n%s:\n%s"%(password, passw) 523 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) 524 - if PrintPacket(Filename,Message): 525 - l.warning(HeadMessage) 526 - l.warning(Message) 527 - print HeadMessage+'\n'+Message 536 + for users in SMBRead_userfields: 537 + user = re.findall(b'(?<=%s )[^\\r]*'%(users), decoded['data'], re.IGNORECASE) 538 + if user: 539 + Message = "Found a username in an SMB read operation:\n%s:\n\"[%s]\""%(users.decode('latin-1'), b''.join(user).decode('latin-1')) 540 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 541 + if PrintPacket(Filename,Message): 542 + l.warning(HeadMessage) 543 + l.warning(Message) 544 + print(HeadMessage+'\n'+Message) 528 545 529 - for users in SMBRead_userfields: 530 - user = re.findall('(?<=%s )[^\\r]*'%(users), decoded['data'], re.IGNORECASE) 531 - if user: 532 - Message = "Found a username in an SMB read operation:\n%s:\n%s"%(users, user) 533 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) 534 - if PrintPacket(Filename,Message): 535 - l.warning(HeadMessage) 536 - l.warning(Message) 537 - print HeadMessage+'\n'+Message 538 546 547 + if NTLMSSP2: 548 + global Chall 549 + Chall = codecs.encode(b''.join(NTLMSSP2)[24:32],'hex') 539 550 540 - if NTLMSSP2: 541 - global Chall 542 - Chall = ''.join(NTLMSSP2)[24:32].encode('hex') 551 + if NTLMSSP3: 552 + try: 553 + NTLMPacket = b''.join(NTLMSSP3) 554 + if Is_Anonymous(NTLMPacket): 543 555 544 - if NTLMSSP3: 545 - try: 546 - NTLMPacket = ''.join(NTLMSSP3) 547 - if Is_Anonymous(NTLMPacket): 548 - try: 549 - Chall 550 - except NameError: 551 - pass 552 - else: 553 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) 554 - Message = ParseNTLMHash(NTLMPacket,Chall) 555 - del Chall 556 - if PrintPacket(Filename,Message[1]): 557 - l.warning(HeadMessage) 558 - l.warning(Message[0]) 559 - print HeadMessage+'\n'+Message[0] 560 - except: 561 - pass 556 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 557 + Message = ParseNTLMHash(NTLMPacket,Chall) 558 + del Chall 559 + if PrintPacket(Filename,Message[1]): 560 + l.warning(HeadMessage) 561 + l.warning(Message[0]) 562 + print(HeadMessage+'\n'+Message[0]) 563 + except: 564 + pass 562 565 563 - if HTTPNTLM2:564 - try:565 - Packet = b64decode(''.join(HTTPNTLM2))566 - global HTTPChall567 - if re.findall('NTLMSSP\x00\x02\x00\x00\x00.*[^EOF]*', Packet,re.DOTALL):568 - HTTPChall = ' ' .join (Packet) [24:32]. encode ( 'hex')569 - except:570 - pass 566 + if HTTPNTLM2: 567 + try: 568 + Packet = b64decode(b ''.join(HTTPNTLM2)) 569 + global HTTPChall 570 + if re.findall(b 'NTLMSSP\x00\x02\x00\x00\x00.*[^EOF]*', Packet,re.DOTALL): 571 + HTTPChall = codecs .encode (Packet[24:32], 'hex') 572 + except: 573 + pass571 574 572 - if HTTPNTLM3:573 - try:574 - Packet = b64decode(''.join(HTTPNTLM3))575 - if re.findall('NTLMSSP\x00\x03\x00\x00\x00.*[^EOF]*', Packet,re.DOTALL):576 - if Is_Anonymous(Packet):577 - try:578 - HTTPChall579 - except NameError:580 - pass581 - else:582 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort, packet_num )583 - Message = ParseNTLMHash(Packet,HTTPChall)584 - del HTTPChall585 - if PrintPacket(Filename,Message[1]):586 - l.warning(HeadMessage)587 - l.warning(Message[0])588 - print HeadMessage+'\n'+Message[0]589 - except:590 - pass 575 + if HTTPNTLM3: 576 + try: 577 + Packet = b64decode(b ''.join(HTTPNTLM3)) 578 + if re.findall(b 'NTLMSSP\x00\x03\x00\x00\x00.*[^EOF]*', Packet,re.DOTALL): 579 + if Is_Anonymous(Packet): 580 + try: 581 + HTTPChall 582 + except NameError: 583 + pass 584 + else: 585 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 586 + Message = ParseNTLMHash(Packet,HTTPChall) 587 + del HTTPChall 588 + if PrintPacket(Filename,Message[1]): 589 + l.warning(HeadMessage) 590 + l.warning(Message[0]) 591 + print( HeadMessage+'\n'+Message[0]) 592 + except: 593 + pass591 594 592 - if CC:593 - CreditCard = re.sub("\D", "", ''.join(CC).strip())594 - CMatch = ''.join(CCMatch).strip()595 - if len(CreditCard)<=16:596 - if luhn(CreditCard):597 - HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort, packet_num )598 - MessageCC = 'Possible valid CC (Luhn check OK): %s\n'%(CreditCard)599 - MessageMatch= 'Please verify this match ( %s )\n'%('\033[1m\033[31m'+CMatch+'\033[0m')600 - if PrintPacket(Filename,MessageCC):601 - l.warning(HeadMessage)602 - l.warning(MessageCC+MessageMatch)603 - print HeadMessage+'\n'+MessageCC+'\n'+MessageMatch604 - else:605 - pass 595 + if CC: 596 + CreditCard = re.sub(b "\D", b "", b ''.join(CC).strip()) 597 + CMatch = b ''.join(CCMatch).strip() 598 + if len(CreditCard)<=16: 599 + if luhn(CreditCard. decode ( ' latin - 1 ' ) ): 600 + HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) 601 + MessageCC = 'Possible valid CC (Luhn check OK): %s\n'%(CreditCard. decode ( ' latin - 1 ' ) ) 602 + MessageMatch= 'Please verify this match ( %s )\n'%('\033[1m\033[31m'+CMatch. decode ( ' latin - 1 ' ) +'\033[0m') 603 + if PrintPacket(Filename,MessageCC): 604 + l.warning(HeadMessage) 605 + l.warning(MessageCC+MessageMatch) 606 + print( HeadMessage+'\n'+MessageCC+'\n'+MessageMatch) 607 + else: 608 + pass606 609 607 - def Print_Packet_Cooked(pktlen, data , timestamp, packet_num ): 608 - if not data:609 - return610 - if data[14:16]=='\x08\x00':611 - decoded=Decode_Ip_Packet(data[16:])612 - SrcPort = struct.unpack('>H',decoded['data'][0:2])[0]613 - DstPort = struct.unpack('>H',decoded['data'][2:4])[0]614 - ParseDataRegex(decoded, SrcPort, DstPort, packet_num ) 610 + def Print_Packet_Cooked(pktlen, timestamp, data ): 611 + if not data: 612 + return 613 + if data[14:16]== b '\x08\x00': 614 + decoded=Decode_Ip_Packet(data[16:]) 615 + SrcPort = struct.unpack('>H',decoded['data'][0:2])[0] 616 + DstPort = struct.unpack('>H',decoded['data'][2:4])[0] 617 + ParseDataRegex(decoded, SrcPort, DstPort)615 618 616 - def Print_Packet_800dot11(pktlen, data , timestamp, packet_num ): 617 - if not data:618 - return619 - if data[32:34]=='\x08\x00':620 - decoded=Decode_Ip_Packet(data[34:])621 - SrcPort = struct.unpack('>H',decoded['data'][0:2])[0]622 - DstPort = struct.unpack('>H',decoded['data'][2:4])[0]623 - ParseDataRegex(decoded, SrcPort, DstPort, packet_num ) 619 + def Print_Packet_800dot11(pktlen, timestamp, data ): 620 + if not data: 621 + return 622 + if data[32:34]== b '\x08\x00': 623 + decoded=Decode_Ip_Packet(data[34:]) 624 + SrcPort = struct.unpack('>H',decoded['data'][0:2])[0] 625 + DstPort = struct.unpack('>H',decoded['data'][2:4])[0] 626 + ParseDataRegex(decoded, SrcPort, DstPort)624 627 625 - def Print_Packet_Tcpdump(pktlen, data , timestamp, packet_num ): 626 - if not data:627 - return628 - if data[12:14]=='\x08\x00':629 - decoded= Decode_Ip_Packet(data[14:])630 - if len(decoded['data']) >= 2:631 - SrcPort= struct.unpack('>H',decoded['data'][0:2])[0]632 - else:633 - SrcPort = 0634 - if len(decoded['data']) > 2:635 - DstPort = struct.unpack('>H',decoded['data'][2:4])[0]636 - else:637 - DstPort = 0638 - ParseDataRegex(decoded, SrcPort, DstPort, packet_num ) 628 + def Print_Packet_Tcpdump(pktlen, timestamp, data ): 629 + if not data: 630 + return 631 + if data[12:14]== b '\x08\x00': 632 + decoded= Decode_Ip_Packet(data[14:]) 633 + if len(decoded['data']) >= 2: 634 + SrcPort= struct.unpack('>H',decoded['data'][0:2])[0] 635 + else: 636 + SrcPort = 0 637 + if len(decoded['data']) > 2: 638 + DstPort = struct.unpack('>H',decoded['data'][2:4])[0] 639 + else: 640 + DstPort = 0 641 + ParseDataRegex(decoded, SrcPort, DstPort)639 642 640 643 def loop_packets(pcap_object, func): 641 - packet = pcap_object. next ( ) 642 - pnum = 1 643 - while packet: 644 - func(packet[0], packet[1], packet[2], pnum) 645 - pnum += 1 646 - packet = pcap_object.next() 644 + for x in pcap_object: 645 + func(x[0], x[1], x[2]) 646 + 647 647 648 648 def decode_file(fname,res): 649 - if interface != None:650 - try:651 - p = pcap.pcapObject() 652 - net, mask = pcap.lookupnet(interface) 653 - p.open_live(interface, 1600, 0, 100) 654 - Message = "Pcredz live capture started, using:%s\nStarting timestamp (%s) corresponds to %s"%(interface, time.time(), time.strftime('%x %X')) 655 - print Message 656 - l.warning(Message) 657 - while 1: 658 - thread = Thread(target = loop_packets, args = (p, Print_Packet_Tcpdump)) 659 - thread.daemon=True 660 - thread.start() 661 - try: 662 - while thread.is_alive(): 663 - thread.join(timeout=1) 664 - except: 665 - raise 666 - except (KeyboardInterrupt, SystemExit): 667 - print '\n\nCRTL-C hit...\nCleaning up...' 668 - sys.exit() 669 - else: 670 - try: 671 - p = pcap.pcapObject() 672 - p.open_offline(fname) 673 - l.warning('\n\nPcredz started, using:%s file'%(fname)) 674 - Version = IsCookedPcap(res) 675 - if Version == 1: 676 - thread = Thread(target = loop_packets, args = (p, Print_Packet_Cooked)) 677 - thread.daemon=True 678 - thread.start() 679 - try: 680 - while thread.is_alive(): 681 - thread.join(timeout=1) 682 - except (KeyboardInterrupt, SystemExit): 683 - print '\n\nCRTL-C hit..Cleaning up...' 684 - threading.Event().set() 685 - if Version == 2: 686 - thread = Thread(target = loop_packets, args = (p, Print_Packet_Cooked)) 687 - thread.daemon=True 688 - thread.start() 689 - try: 690 - while thread.is_alive(): 691 - thread.join(timeout=1) 692 - except (KeyboardInterrupt, SystemExit): 693 - print '\n\nCRTL-C hit..Cleaning up...' 694 - threading.Event().set() 695 - if Version == 3: 649 + if interface != None: 650 + try: 651 + from pylibpcap.pcap import sniff 652 + Message = "Pcredz live capture started, using:%s\nStarting timestamp (%s) corresponds to %s"%(interface, time.time(), time.strftime('%x %X')) 653 + print(Message) 654 + l.warning(Message) 655 + p = sniff(interface, filters="", count=-1, promisc=1) 656 + while p: 657 + thread = Thread(target = loop_packets, args = (p, Print_Packet_Tcpdump)) 658 + thread.daemon=True 659 + thread.start() 660 + try: 661 + while thread.is_alive(): 662 + thread.join(timeout=1) 663 + except: 664 + raise 665 + except (KeyboardInterrupt, SystemExit): 666 + print("\n\nCRTL-C hit..Cleaning up...") 667 + threading.Event().set() 696 668 697 - thread = Thread(target = loop_packets, args = (p, Print_Packet_Tcpdump)) 698 - thread.daemon=True 699 - thread.start() 700 - try: 701 - while thread.is_alive(): 702 - thread.join(timeout=1) 703 - except (KeyboardInterrupt, SystemExit): 704 - print '\n\nCRTL-C hit..Cleaning up...' 705 - threading.Event().set() 669 + else: 670 + try: 671 + p = rpcap(fname) 672 + l.warning('\n\nPcredz started, using:%s file'%(fname)) 673 + Version = IsCookedPcap(res) 674 + if Version == 1: 675 + thread = Thread(target = loop_packets, args = (p, Print_Packet_Cooked)) 676 + thread.daemon=True 677 + thread.start() 678 + try: 679 + while thread.is_alive(): 680 + thread.join(timeout=1) 681 + except (KeyboardInterrupt, SystemExit): 682 + print("\n\nCRTL-C hit..Cleaning up...") 683 + threading.Event().set() 684 + if Version == 2: 685 + thread = Thread(target = loop_packets, args = (p, Print_Packet_Cooked)) 686 + thread.daemon=True 687 + thread.start() 688 + try: 689 + while thread.is_alive(): 690 + thread.join(timeout=1) 691 + except (KeyboardInterrupt, SystemExit): 692 + print("\n\nCRTL-C hit..Cleaning up...") 693 + threading.Event().set() 694 + if Version == 3: 695 + thread = Thread(target = loop_packets, args = (p, Print_Packet_Tcpdump)) 696 + thread.daemon=True 697 + thread.start() 698 + try: 699 + while thread.is_alive(): 700 + thread.join(timeout=1) 701 + except (KeyboardInterrupt, SystemExit): 702 + print("\n\nCRTL-C hit..Cleaning up...") 703 + threading.Event().set() 706 704 707 - except Exception:708 - print ' Can\'t parse %s' %(fname) 705 + except Exception: 706 + print( " Can\'t parse %s" %(fname)) 707 + sys.exit(1) 709 708 710 709 def Run(): 711 - try:712 - if dir_path != None:713 - for root, dirs, files in os.walk(dir_path, topdown=False):714 - for capfile in files:715 - FilePath = os.path.join(root, capfile)716 - Start_Time = time.time()717 - print ' \nParsing: %s' %(FilePath)718 - p = subprocess.Popen(["file", FilePath], stdout=subprocess.PIPE)719 - res, err = p.communicate()720 - decode_file(FilePath,res)721 - Seconds = time.time() - Start_Time722 - FileSize = 'File size %.3g Mo'%(os.stat(FilePath).st_size/(1024*1024.0))723 - if Seconds>60:724 - minutes = Seconds/60725 - Message = '\n%s parsed in: %.3g minutes (%s).\n'%(FilePath, minutes, FileSize)726 - print Message727 - l.warning(Message)728 - if Seconds<60:729 - Message = '\n%s parsed in: %.3g seconds (%s).\n'%(FilePath, Seconds, FileSize)730 - print Message731 - l.warning(Message)732 - 733 - if fname != None: 734 - p = subprocess.Popen(["file", fname], stdout=subprocess.PIPE) 735 - res, err = p.communicate() 736 - decode_file(fname,res) 737 - Seconds = time.time() - start_time 738 - FileSize = 'File size %.3g Mo'%(os.stat(fname).st_size/(1024*1024.0)) 739 - if Seconds>60: 740 - minutes = Seconds/60 741 - Message = '\n%s parsed in: %.3g minutes (%s).\n'%(fname, minutes, FileSize) 742 - print Message 743 - l.warning(Message) 744 - if Seconds<60: 745 - Message = '\n%s parsed in: %.3g seconds (%s).\n'%(fname, Seconds, FileSize) 746 - print Message 747 - l.warning(Message) 748 - 749 - if interface != None: 750 - decode_file(fname,'') 710 + try: 711 + if dir_path != None: 712 + for root, dirs, files in os.walk(dir_path, topdown=False): 713 + for capfile in files: 714 + FilePath = os.path.join(root, capfile) 715 + Start_Time = time.time() 716 + print( " \nParsing: %s" %(FilePath)) 717 + p = subprocess.Popen(["file", FilePath], stdout=subprocess.PIPE) 718 + res, err = p.communicate() 719 + decode_file(FilePath,res) 720 + Seconds = time.time() - Start_Time 721 + FileSize = 'File size %.3g Mo'%(os.stat(FilePath).st_size/(1024*1024.0)) 722 + if Seconds>60: 723 + minutes = Seconds/60 724 + Message = '\n%s parsed in: %.3g minutes (%s).\n'%(FilePath, minutes, FileSize) 725 + print( Message) 726 + l.warning(Message) 727 + if Seconds<60: 728 + Message = '\n%s parsed in: %.3g seconds (%s).\n'%(FilePath, Seconds, FileSize) 729 + print( Message) 730 + l.warning(Message)751 731 752 - except: 753 - raise 732 + if fname != None: 733 + p = subprocess.Popen(["file", fname], stdout=subprocess.PIPE) 734 + res, err = p.communicate() 735 + decode_file(fname,res) 736 + Seconds = time.time() - start_time 737 + FileSize = 'File size %.3g Mo'%(os.stat(fname).st_size/(1024*1024.0)) 738 + if Seconds>60: 739 + minutes = Seconds/60 740 + Message = '\n%s parsed in: %.3g minutes (%s).\n'%(fname, minutes, FileSize) 741 + print(Message) 742 + l.warning(Message) 743 + if Seconds<60: 744 + Message = '\n%s parsed in: %.3g seconds (%s).\n'%(fname, Seconds, FileSize) 745 + print(Message) 746 + l.warning(Message) 754 747 748 + if interface != None: 749 + decode_file(fname,'') 755 750 751 + except: 752 + raise 756 753 757 754 Run() 758 755
