Projects STRLCPY PCredz Commits f0016656
  • ■ ■ ■ ■ ■ ■
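--- a/Pcredz
+++ b/Pcredz
@@ -327,20 +327,20 @@
  d['data']=s[4*d['header_len']:]
  return d
 
-def Print_Packet_Details(decoded,SrcPort,DstPort):
+def Print_Packet_Details(decoded,SrcPort,DstPort,packet_num):
  if timestamp:
  ts = '[%f] ' % time.time()
  else:
  ts = ''
  try:
- return '%sprotocol: %s %s:%s > %s:%s' % (ts, protocols[decoded['protocol']],decoded['source_address'],SrcPort,
+ return '%s %sprotocol: %s %s:%s > %s:%s' % (str(packet_num),ts, protocols[decoded['protocol']],decoded['source_address'],SrcPort,
  decoded['destination_address'], DstPort)
  except:
- return '%s%s:%s > %s:%s' % (ts,decoded['source_address'],SrcPort,
+ return '%s %s%s:%s > %s:%s' % (str(packet_num),ts,decoded['source_address'],SrcPort,
  decoded['destination_address'], DstPort)
 
 
-def ParseDataRegex(decoded, SrcPort, DstPort):
+def ParseDataRegex(decoded, SrcPort, DstPort, packet_num):
  HTTPUser = None
  HTTPass = None
  for user in http_userfields:
@@ -385,7 +385,7 @@
  CC = False
  if Basic64:
  basic = ''.join(Basic64)
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  try:
  Message = 'Found HTTP Basic authentication: %s\n'%(b64decode(basic))
  if PrintPacket(Filename,Message):
@@ -396,7 +396,7 @@
  pass
 
  if DstPort == 1433 and decoded['data'][20:22]=="\x10\x01" and len(NTLMSSP1) <=0:
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  Message = ParseMSSQLPlainText(decoded['data'][20:])
  if PrintPacket(Filename,Message):
  l.warning(HeadMessage)
@@ -406,7 +406,7 @@
  if DstPort == 88 and protocols.has_key(decoded['protocol']) and protocols[decoded['protocol']] == 'tcp':
  Message = ParseMSKerbv5TCP(decoded['data'][20:])
  if Message:
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  if PrintPacket(Filename,Message[1]):
  l.warning(HeadMessage)
  l.warning(Message[0])
@@ -415,7 +415,7 @@
  if DstPort == 88 and protocols.has_key(decoded['protocol']) and protocols[decoded['protocol']] == 'udp':
  Message = ParseMSKerbv5UDP(decoded['data'][8:])
  if Message:
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  if PrintPacket(Filename,Message[1]):
  l.warning(HeadMessage)
  l.warning(Message[0])
@@ -424,7 +424,7 @@
  if DstPort == 161:
  Message = ParseSNMP(decoded['data'][8:])
  if Message:
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  if PrintPacket(Filename,Message):
  l.warning(HeadMessage)
  l.warning(Message)
@@ -433,7 +433,7 @@
  if DstPort == 143:
  IMAPAuth = re.findall('(?<=LOGIN \")[^\r]*', decoded['data'])
  if IMAPAuth:
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  Message = 'Found IMAP login: "%s\n'%(''.join(IMAPAuth))
  if PrintPacket(Filename,Message):
  l.warning(HeadMessage)
@@ -447,7 +447,7 @@
  if FTPPass:
  try:
  POPUser
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  Message = 'Found POP credentials %s:%s\n'%(POPUser,''.join(FTPPass))
  del POPUser
  if PrintPacket(Filename,Message):
@@ -463,7 +463,7 @@
  host = re.findall("(Host: [^\n]+)", decoded['data'])
  get_path = re.findall("(GET [^\n]+)", decoded['data'])
  post_path = re.findall("(POST [^\n]+)", decoded['data'])
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  Message = 'Found possible HTTP authentication %s:%s\n' % (HTTPUser[0], HTTPass[0])
  if host:
  Message += '%s\n' % host[0].strip('\r')
@@ -487,7 +487,7 @@
  SMTPAuthentication
  Message = ParseSMTP(decoded['data'][20:])
  if Message:
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  del SMTPAuthentication
  if PrintPacket(Filename,Message):
  l.warning(HeadMessage)
@@ -502,7 +502,7 @@
 
  if FTPPass and DstPort == 21:
  try:
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  Message = 'FTP User: %s\n'%(UserID)
  Message+= 'FTP Pass: %s\n'%(''.join(FTPPass))
  del UserID
@@ -520,7 +520,7 @@
  passw = re.findall('(?<=%s )[^\\r]*'%(password), decoded['data'], re.IGNORECASE)
  if passw:
  Message = "Found a password in an SMB read operation:\n%s:\n%s"%(password, passw)
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  if PrintPacket(Filename,Message):
  l.warning(HeadMessage)
  l.warning(Message)
@@ -530,7 +530,7 @@
  user = re.findall('(?<=%s )[^\\r]*'%(users), decoded['data'], re.IGNORECASE)
  if user:
  Message = "Found a username in an SMB read operation:\n%s:\n%s"%(users, user)
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  if PrintPacket(Filename,Message):
  l.warning(HeadMessage)
  l.warning(Message)
@@ -550,7 +550,7 @@
  except NameError:
  pass
  else:
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  Message = ParseNTLMHash(NTLMPacket,Chall)
  del Chall
  if PrintPacket(Filename,Message[1]):
@@ -579,7 +579,7 @@
  except NameError:
  pass
  else:
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  Message = ParseNTLMHash(Packet,HTTPChall)
  del HTTPChall
  if PrintPacket(Filename,Message[1]):
@@ -594,7 +594,7 @@
  CMatch = ''.join(CCMatch).strip()
  if len(CreditCard)<=16:
  if luhn(CreditCard):
- HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort)
+ HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num)
  MessageCC = 'Possible valid CC (Luhn check OK): %s\n'%(CreditCard)
  MessageMatch= 'Please verify this match ( %s )\n'%('\033[1m\033[31m'+CMatch+'\033[0m')
  if PrintPacket(Filename,MessageCC):
@@ -604,25 +604,25 @@
  else:
  pass
 
-def Print_Packet_Cooked(pktlen, data, timestamp):
+def Print_Packet_Cooked(pktlen, data, timestamp, packet_num):
  if not data:
  return
  if data[14:16]=='\x08\x00':
  decoded=Decode_Ip_Packet(data[16:])
  SrcPort = struct.unpack('>H',decoded['data'][0:2])[0]
  DstPort = struct.unpack('>H',decoded['data'][2:4])[0]
- ParseDataRegex(decoded, SrcPort, DstPort)
+ ParseDataRegex(decoded, SrcPort, DstPort, packet_num)
 
-def Print_Packet_800dot11(pktlen, data, timestamp):
+def Print_Packet_800dot11(pktlen, data, timestamp, packet_num):
  if not data:
  return
  if data[32:34]=='\x08\x00':
  decoded=Decode_Ip_Packet(data[34:])
  SrcPort = struct.unpack('>H',decoded['data'][0:2])[0]
  DstPort = struct.unpack('>H',decoded['data'][2:4])[0]
- ParseDataRegex(decoded, SrcPort, DstPort)
+ ParseDataRegex(decoded, SrcPort, DstPort, packet_num)
 
-def Print_Packet_Tcpdump(pktlen, data, timestamp):
+def Print_Packet_Tcpdump(pktlen, data, timestamp, packet_num):
  if not data:
  return
  if data[12:14]=='\x08\x00':
@@ -635,7 +635,15 @@
  DstPort = struct.unpack('>H',decoded['data'][2:4])[0]
  else:
  DstPort = 0
- ParseDataRegex(decoded, SrcPort, DstPort)
+ ParseDataRegex(decoded, SrcPort, DstPort, packet_num)
+
+def loop_packets(pcap_object, func):
+ packet = pcap_object.next()
+ pnum = 1
+ while packet:
+ func(packet[0], packet[1], packet[2], pnum)
+ pnum += 1
+ packet = pcap_object.next()
 
 def decode_file(fname,res):
  if interface != None:
@@ -658,7 +666,7 @@
  l.warning('\n\nPcredz started, using:%s file'%(fname))
  Version = IsCookedPcap(res)
  if Version == 1:
- thread = Thread(target = p.dispatch, args = (0, Print_Packet_Cooked))
+ thread = Thread(target = loop_packets, args = (p, Print_Packet_Cooked))
  thread.daemon=True
  thread.start()
  try:
@@ -668,7 +676,7 @@
  print '\n\nCRTL-C hit..Cleaning up...'
  threading.Event().set()
  if Version == 2:
- thread = Thread(target = p.dispatch, args = (0, Print_Packet_Cooked))
+ thread = Thread(target = loop_packets, args = (p, Print_Packet_Cooked))
  thread.daemon=True
  thread.start()
  try:
@@ -679,7 +687,7 @@
  threading.Event().set()
  if Version == 3:
 
- thread = Thread(target = p.dispatch, args = (0, Print_Packet_Tcpdump))
+ thread = Thread(target = loop_packets, args = (p, Print_Packet_Tcpdump))
  thread.daemon=True
  thread.start()
  try: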
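Review bot: The new `loop_packets` (new lines 640-646) calls `func(...)` with no error handling, so the first packet whose parser raises ends the loop inside the daemon thread and every later packet in the capture goes unexamined. The callbacks it drives read ports with `struct.unpack('>H',decoded['data'][0:2])` and no visible length check (lines 612-613 and 621-622), so a truncated or malformed packet in an untrusted capture file is presumably enough to trigger this. I would catch the exception per packet, log it with the packet number this commit introduces, and continue, as in the sketch below, which assumes `l` is the logger used elsewhere in the file. Separately, the three `Print_Packet_*` callbacks now require a fourth argument and `decode_file` continues outside the visible hunks, so any `p.dispatch` call left there would fail with a TypeError unless it was also moved to `loop_packets`.

```python
def loop_packets(pcap_object, func):
    pnum = 0
    while True:
        packet = pcap_object.next()
        if not packet:
            break
        pnum += 1
        try:
            func(packet[0], packet[1], packet[2], pnum)
        except Exception:
            # one bad packet must not end the whole analysis
            l.warning('packet %d: parser error, packet skipped' % pnum)
```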