| skipped 326 lines |
327 | 327 | | d['data']=s[4*d['header_len']:] |
328 | 328 | | return d |
329 | 329 | | |
330 | | - | def Print_Packet_Details(decoded,SrcPort,DstPort): |
| 330 | + | def Print_Packet_Details(decoded,SrcPort,DstPort,packet_num): |
331 | 331 | | if timestamp: |
332 | 332 | | ts = '[%f] ' % time.time() |
333 | 333 | | else: |
334 | 334 | | ts = '' |
335 | 335 | | try: |
336 | | - | return '%sprotocol: %s %s:%s > %s:%s' % (ts, protocols[decoded['protocol']],decoded['source_address'],SrcPort, |
| 336 | + | return '%s %sprotocol: %s %s:%s > %s:%s' % (str(packet_num),ts, protocols[decoded['protocol']],decoded['source_address'],SrcPort, |
337 | 337 | | decoded['destination_address'], DstPort) |
338 | 338 | | except: |
339 | | - | return '%s%s:%s > %s:%s' % (ts,decoded['source_address'],SrcPort, |
| 339 | + | return '%s %s%s:%s > %s:%s' % (str(packet_num),ts,decoded['source_address'],SrcPort, |
340 | 340 | | decoded['destination_address'], DstPort) |
341 | 341 | | |
342 | 342 | | |
343 | | - | def ParseDataRegex(decoded, SrcPort, DstPort): |
| 343 | + | def ParseDataRegex(decoded, SrcPort, DstPort, packet_num): |
344 | 344 | | HTTPUser = None |
345 | 345 | | HTTPass = None |
346 | 346 | | for user in http_userfields: |
| skipped 38 lines |
385 | 385 | | CC = False |
386 | 386 | | if Basic64: |
387 | 387 | | basic = ''.join(Basic64) |
388 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 388 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
389 | 389 | | try: |
390 | 390 | | Message = 'Found HTTP Basic authentication: %s\n'%(b64decode(basic)) |
391 | 391 | | if PrintPacket(Filename,Message): |
| skipped 4 lines |
396 | 396 | | pass |
397 | 397 | | |
398 | 398 | | if DstPort == 1433 and decoded['data'][20:22]=="\x10\x01" and len(NTLMSSP1) <=0: |
399 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 399 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
400 | 400 | | Message = ParseMSSQLPlainText(decoded['data'][20:]) |
401 | 401 | | if PrintPacket(Filename,Message): |
402 | 402 | | l.warning(HeadMessage) |
| skipped 3 lines |
406 | 406 | | if DstPort == 88 and protocols.has_key(decoded['protocol']) and protocols[decoded['protocol']] == 'tcp': |
407 | 407 | | Message = ParseMSKerbv5TCP(decoded['data'][20:]) |
408 | 408 | | if Message: |
409 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 409 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
410 | 410 | | if PrintPacket(Filename,Message[1]): |
411 | 411 | | l.warning(HeadMessage) |
412 | 412 | | l.warning(Message[0]) |
| skipped 2 lines |
415 | 415 | | if DstPort == 88 and protocols.has_key(decoded['protocol']) and protocols[decoded['protocol']] == 'udp': |
416 | 416 | | Message = ParseMSKerbv5UDP(decoded['data'][8:]) |
417 | 417 | | if Message: |
418 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 418 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
419 | 419 | | if PrintPacket(Filename,Message[1]): |
420 | 420 | | l.warning(HeadMessage) |
421 | 421 | | l.warning(Message[0]) |
| skipped 2 lines |
424 | 424 | | if DstPort == 161: |
425 | 425 | | Message = ParseSNMP(decoded['data'][8:]) |
426 | 426 | | if Message: |
427 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 427 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
428 | 428 | | if PrintPacket(Filename,Message): |
429 | 429 | | l.warning(HeadMessage) |
430 | 430 | | l.warning(Message) |
| skipped 2 lines |
433 | 433 | | if DstPort == 143: |
434 | 434 | | IMAPAuth = re.findall('(?<=LOGIN \")[^\r]*', decoded['data']) |
435 | 435 | | if IMAPAuth: |
436 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 436 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
437 | 437 | | Message = 'Found IMAP login: "%s\n'%(''.join(IMAPAuth)) |
438 | 438 | | if PrintPacket(Filename,Message): |
439 | 439 | | l.warning(HeadMessage) |
| skipped 7 lines |
447 | 447 | | if FTPPass: |
448 | 448 | | try: |
449 | 449 | | POPUser |
450 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 450 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
451 | 451 | | Message = 'Found POP credentials %s:%s\n'%(POPUser,''.join(FTPPass)) |
452 | 452 | | del POPUser |
453 | 453 | | if PrintPacket(Filename,Message): |
| skipped 9 lines |
463 | 463 | | host = re.findall("(Host: [^\n]+)", decoded['data']) |
464 | 464 | | get_path = re.findall("(GET [^\n]+)", decoded['data']) |
465 | 465 | | post_path = re.findall("(POST [^\n]+)", decoded['data']) |
466 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 466 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
467 | 467 | | Message = 'Found possible HTTP authentication %s:%s\n' % (HTTPUser[0], HTTPass[0]) |
468 | 468 | | if host: |
469 | 469 | | Message += '%s\n' % host[0].strip('\r') |
| skipped 17 lines |
487 | 487 | | SMTPAuthentication |
488 | 488 | | Message = ParseSMTP(decoded['data'][20:]) |
489 | 489 | | if Message: |
490 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 490 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
491 | 491 | | del SMTPAuthentication |
492 | 492 | | if PrintPacket(Filename,Message): |
493 | 493 | | l.warning(HeadMessage) |
| skipped 8 lines |
502 | 502 | | |
503 | 503 | | if FTPPass and DstPort == 21: |
504 | 504 | | try: |
505 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 505 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
506 | 506 | | Message = 'FTP User: %s\n'%(UserID) |
507 | 507 | | Message+= 'FTP Pass: %s\n'%(''.join(FTPPass)) |
508 | 508 | | del UserID |
| skipped 11 lines |
520 | 520 | | passw = re.findall('(?<=%s )[^\\r]*'%(password), decoded['data'], re.IGNORECASE) |
521 | 521 | | if passw: |
522 | 522 | | Message = "Found a password in an SMB read operation:\n%s:\n%s"%(password, passw) |
523 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 523 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
524 | 524 | | if PrintPacket(Filename,Message): |
525 | 525 | | l.warning(HeadMessage) |
526 | 526 | | l.warning(Message) |
| skipped 3 lines |
530 | 530 | | user = re.findall('(?<=%s )[^\\r]*'%(users), decoded['data'], re.IGNORECASE) |
531 | 531 | | if user: |
532 | 532 | | Message = "Found a username in an SMB read operation:\n%s:\n%s"%(users, user) |
533 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 533 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
534 | 534 | | if PrintPacket(Filename,Message): |
535 | 535 | | l.warning(HeadMessage) |
536 | 536 | | l.warning(Message) |
| skipped 13 lines |
550 | 550 | | except NameError: |
551 | 551 | | pass |
552 | 552 | | else: |
553 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 553 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
554 | 554 | | Message = ParseNTLMHash(NTLMPacket,Chall) |
555 | 555 | | del Chall |
556 | 556 | | if PrintPacket(Filename,Message[1]): |
| skipped 22 lines |
579 | 579 | | except NameError: |
580 | 580 | | pass |
581 | 581 | | else: |
582 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 582 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
583 | 583 | | Message = ParseNTLMHash(Packet,HTTPChall) |
584 | 584 | | del HTTPChall |
585 | 585 | | if PrintPacket(Filename,Message[1]): |
| skipped 8 lines |
594 | 594 | | CMatch = ''.join(CCMatch).strip() |
595 | 595 | | if len(CreditCard)<=16: |
596 | 596 | | if luhn(CreditCard): |
597 | | - | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort) |
| 597 | + | HeadMessage = Print_Packet_Details(decoded,SrcPort,DstPort,packet_num) |
598 | 598 | | MessageCC = 'Possible valid CC (Luhn check OK): %s\n'%(CreditCard) |
599 | 599 | | MessageMatch= 'Please verify this match ( %s )\n'%('\033[1m\033[31m'+CMatch+'\033[0m') |
600 | 600 | | if PrintPacket(Filename,MessageCC): |
| skipped 3 lines |
604 | 604 | | else: |
605 | 605 | | pass |
606 | 606 | | |
607 | | - | def Print_Packet_Cooked(pktlen, data, timestamp): |
| 607 | + | def Print_Packet_Cooked(pktlen, data, timestamp, packet_num): |
608 | 608 | | if not data: |
609 | 609 | | return |
610 | 610 | | if data[14:16]=='\x08\x00': |
611 | 611 | | decoded=Decode_Ip_Packet(data[16:]) |
612 | 612 | | SrcPort = struct.unpack('>H',decoded['data'][0:2])[0] |
613 | 613 | | DstPort = struct.unpack('>H',decoded['data'][2:4])[0] |
614 | | - | ParseDataRegex(decoded, SrcPort, DstPort) |
| 614 | + | ParseDataRegex(decoded, SrcPort, DstPort, packet_num) |
615 | 615 | | |
616 | | - | def Print_Packet_800dot11(pktlen, data, timestamp): |
| 616 | + | def Print_Packet_800dot11(pktlen, data, timestamp, packet_num): |
617 | 617 | | if not data: |
618 | 618 | | return |
619 | 619 | | if data[32:34]=='\x08\x00': |
620 | 620 | | decoded=Decode_Ip_Packet(data[34:]) |
621 | 621 | | SrcPort = struct.unpack('>H',decoded['data'][0:2])[0] |
622 | 622 | | DstPort = struct.unpack('>H',decoded['data'][2:4])[0] |
623 | | - | ParseDataRegex(decoded, SrcPort, DstPort) |
| 623 | + | ParseDataRegex(decoded, SrcPort, DstPort, packet_num) |
624 | 624 | | |
625 | | - | def Print_Packet_Tcpdump(pktlen, data, timestamp): |
| 625 | + | def Print_Packet_Tcpdump(pktlen, data, timestamp, packet_num): |
626 | 626 | | if not data: |
627 | 627 | | return |
628 | 628 | | if data[12:14]=='\x08\x00': |
| skipped 6 lines |
635 | 635 | | DstPort = struct.unpack('>H',decoded['data'][2:4])[0] |
636 | 636 | | else: |
637 | 637 | | DstPort = 0 |
638 | | - | ParseDataRegex(decoded, SrcPort, DstPort) |
| 638 | + | ParseDataRegex(decoded, SrcPort, DstPort, packet_num) |
| 639 | + | |
| 640 | + | def loop_packets(pcap_object, func): |
| 641 | + | packet = pcap_object.next() |
| 642 | + | pnum = 1 |
| 643 | + | while packet: |
| 644 | + | func(packet[0], packet[1], packet[2], pnum) |
| 645 | + | pnum += 1 |
| 646 | + | packet = pcap_object.next() |
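Review bot: `loop_packets` (new lines 640-646) ends on the first falsy value from `pcap_object.next()`, and in the live-capture path that `decode_file` selects with `interface != None` a `None` is also what a read timeout with no traffic yields if this binding follows `pcap_next()` semantics — so sniffing would silently stop after the first idle interval, whereas the replaced `p.dispatch(0, …)` kept looping. Please confirm the binding's EOF-versus-timeout behaviour; if it cannot be told apart, loop until an explicit stop and only break on a file's EOF, as sketched below. A short docstring would also help, e.g. `"""Feed every packet from pcap_object to func with a 1-based packet number; pnum counts packets the capture yields, not only those the callback reports on."""`. `decode_file`'s body continues outside the hunk.

```python
def loop_packets(pcap_object, func):
    pnum = 1
    while True:
        packet = pcap_object.next()
        if packet is None:
            if interface is None:   # offline file: EOF, stop
                break
            continue                # live capture: read timeout, keep waiting
        func(packet[0], packet[1], packet[2], pnum)
        pnum += 1
```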
639 | 647 | | |
640 | 648 | | def decode_file(fname,res): |
641 | 649 | | if interface != None: |
| skipped 16 lines |
658 | 666 | | l.warning('\n\nPcredz started, using:%s file'%(fname)) |
659 | 667 | | Version = IsCookedPcap(res) |
660 | 668 | | if Version == 1: |
661 | | - | thread = Thread(target = p.dispatch, args = (0, Print_Packet_Cooked)) |
| 669 | + | thread = Thread(target = loop_packets, args = (p, Print_Packet_Cooked)) |
662 | 670 | | thread.daemon=True |
663 | 671 | | thread.start() |
664 | 672 | | try: |
| skipped 3 lines |
668 | 676 | | print '\n\nCRTL-C hit..Cleaning up...' |
669 | 677 | | threading.Event().set() |
670 | 678 | | if Version == 2: |
671 | | - | thread = Thread(target = p.dispatch, args = (0, Print_Packet_Cooked)) |
| 679 | + | thread = Thread(target = loop_packets, args = (p, Print_Packet_Cooked)) |
672 | 680 | | thread.daemon=True |
673 | 681 | | thread.start() |
674 | 682 | | try: |
| skipped 4 lines |
679 | 687 | | threading.Event().set() |
680 | 688 | | if Version == 3: |
681 | 689 | | |
682 | | - | thread = Thread(target = p.dispatch, args = (0, Print_Packet_Tcpdump)) |
| 690 | + | thread = Thread(target = loop_packets, args = (p, Print_Packet_Tcpdump)) |
683 | 691 | | thread.daemon=True |
684 | 692 | | thread.start() |
685 | 693 | | try: |
| skipped 58 lines |