Beispiel #1
0
def dotransform(request, response):

    pkts = rdpcap(request.value)
    tcpflags = {"SYN": 02, "FIN": 0x001, "XMAS": 0x029, "ACK": 0x010, "NULL": 0x000}
    senders = []
    talkers = []

    for p in pkts:
        for key, value in tcpflags.iteritems():
            if p.haslayer(TCP) and p.getlayer(TCP).flags == int(value):
                dport = p.getlayer(TCP).dport
                srcip = p.getlayer(IP).src
                flagset = key
                talker = srcip, dport, flagset
                if talker not in talkers:
                    talkers.append(talker)
                if srcip not in senders:
                    senders.append(srcip)

    counter = 0
    for x in senders:
        for y in talkers:
            if x in y:
                src = y[0]
                counter += y.count(y[1])
                flag = y[2]
                e = WarningAlert(str(flag) + " scan from: " + str(src))
                e.linklabel = "# of connections: " + str(counter)
                e.linkcolor = 0xFF0000
                response += e
            return response
Beispiel #2
0
def dotransform(request, response):
  
  pkts = rdpcap(request.value)
  tcpflags = {'SYN': 0x002, 'FIN': 0x001, 'XMAS': 0x029, 'ACK': 0x010, 'NULL': 0x000}
  senders = []
  con = []
  flagset = ''

  for p in pkts:
    for key, value in tcpflags.iteritems():
      if p.haslayer(TCP) and p.getlayer(TCP).flags == int(value):
        sport = p.getlayer(TCP).sport
        srcip = p.getlayer(IP).src
        flagset = key
        if srcip not in senders:
          senders.append(srcip)
        if sport not in con:
          con.append(srcip)
  
  for x in senders:
    e = WarningAlert(str(flagset) + ' scan from: ' + str(x))
    e.linklabel = '# of connections: ' + str(con.count(x))
    e.linkcolor = 0xFF0000
    response += e
  return response
def dotransform(request, response):

    pcap = request.value
    pkts = rdpcap(pcap)
    folder = request.fields['sniffMyPackets.outputfld']
    output_file = folder + '/suspicious-icmp.pcap'

    icmp_packets = []
    # Common ICMP payload types for ping
    icmp_payload = ['0123567', 'abcdef']
    suspicious = 0

    # Look for ICMP request and reply packets and store in new list
    for p in pkts:
        if p.haslayer(IP) and p.haslayer(ICMP):
            if p[ICMP].type == 8:
                icmp_packets.append(p)
            if p[ICMP].type == 0:
                icmp_packets.append(p)

    # Look through ICMP packets stored in list and check the payload against common ping payloads
    for x in icmp_packets:
        if x.haslayer(Raw):
            for s in icmp_payload:
                load = str(x[Raw].load)
                if s not in load:
                    suspicious = 1

    # Write files out to a new pcap
    wrpcap(output_file, icmp_packets)

    # If there is something dodgy write it out to Maltego otherwise return message to UI
    if suspicious == 1:
        e = WarningAlert('Suspicious ICMP Payload')
        e.linklabel = 'Output ' + output_file
        e += Field('sniffMyPackets.outputfld',
                   folder,
                   displayname='Folder Location')
        e += Field('dumpfile',
                   output_file,
                   displayname='Output File',
                   matchingrule='loose')
        e.linkcolor = 0xFF0000
        response += e
        return response
    else:
        return response + UIMessage('Nothing dodgy here')
Beispiel #4
0
def dotransform(request, response):

    pkts = rdpcap(request.value)
    deauth_packets = []
    station = []

    for p in pkts:
        if p.haslayer(Dot11) and p.haslayer(Dot11Deauth):
            deauth_packets.append(p.getlayer(Dot11).addr2)
            if p.getlayer(Dot11).addr2 not in station:
                station.append(p.getlayer(Dot11).addr2)

    for x in station:
        e = WarningAlert('Deauth Attack:' + str(x))
        e.linklabel = '# of pkts: ' + str(deauth_packets.count(x))
        e.linkcolor = 0xFF0000
        response += e
    return response
Beispiel #5
0
def dotransform(request, response):
    
  pkts = rdpcap(request.value)
  deauth_packets = []
  station = []
  
  for p in pkts:
	if p.haslayer(Dot11) and p.haslayer(Dot11Deauth):
	  deauth_packets.append(p.getlayer(Dot11).addr2)
	  if p.getlayer(Dot11).addr2 not in station:
	    station.append(p.getlayer(Dot11).addr2)
	    
  
  for x in station:
    e = WarningAlert('Deauth Attack:' + str(x))
    e.linklabel = '# of pkts: ' + str(deauth_packets.count(x))
    e.linkcolor = 0xFF0000
    response += e
  return response
Beispiel #6
0
def dotransform(request, response):

    pcap = request.value
    pkts = rdpcap(pcap)
    folder = request.fields['sniffMyPackets.outputfld']
    output_file = folder + '/suspicious-icmp.pcap'

    icmp_packets = []
    # Common ICMP payload types for ping
    icmp_payload = ['0123567', 'abcdef']
    suspicious = 0

    # Look for ICMP request and reply packets and store in new list
    for p in pkts:
        if p.haslayer(IP) and p.haslayer(ICMP):
            if p[ICMP].type == 8:
                icmp_packets.append(p)
            if p[ICMP].type == 0:
                icmp_packets.append(p)

    # Look through ICMP packets stored in list and check the payload against common ping payloads
    for x in icmp_packets:
        if x.haslayer(Raw):
            for s in icmp_payload:
                load = str(x[Raw].load)
                if s not in load:
                    suspicious = 1

    # Write files out to a new pcap
    wrpcap(output_file, icmp_packets)

    # If there is something dodgy write it out to Maltego otherwise return message to UI
    if suspicious == 1:
        e = WarningAlert('Suspicious ICMP Payload')
        e.linklabel = 'Output ' + output_file
        e += Field('sniffMyPackets.outputfld', folder, displayname='Folder Location')
        e += Field('dumpfile', output_file, displayname='Output File', matchingrule='loose')
        e.linkcolor = 0xFF0000
        response += e
        return response
    else:
        return response + UIMessage('Nothing dodgy here')
Beispiel #7
0
def dotransform(request, response):
	
  pcap = request.value
  pkts = rdpcap(pcap)
  dnsHost = []
  
  for x in pkts:
    if x.haslayer(DNS) and x.haslayer(DNSRR):
      ancount = x.getlayer(DNS).ancount
      qname = x.getlayer(DNSRR).rrname
      if ancount >= 7:
	dnsrec = qname, ancount
	if dnsrec not in dnsHost:
	  dnsHost.append(dnsrec)
  
  
  for dnsv, dnsc in dnsHost:
      e = WarningAlert('Fast Flux?: ' + dnsv)
      e.linklabel = 'Unique IPs:\n' + str(dnsc)
      e.linkcolor = 0xFF0000
      response += e
  return response
def dotransform(request, response):

    pkts = rdpcap(request.value)
    tcpflags = {
        'SYN': 02,
        'FIN': 0x001,
        'XMAS': 0x029,
        'ACK': 0x010,
        'NULL': 0x000
    }
    senders = []
    talkers = []

    for p in pkts:
        for key, value in tcpflags.iteritems():
            if p.haslayer(TCP) and p.getlayer(TCP).flags == int(value):
                dport = p.getlayer(TCP).dport
                srcip = p.getlayer(IP).src
                flagset = key
                talker = srcip, dport, flagset
                if talker not in talkers:
                    talkers.append(talker)
                if srcip not in senders:
                    senders.append(srcip)

    counter = 0
    for x in senders:
        for y in talkers:
            if x in y:
                src = y[0]
                counter += y.count(y[1])
                flag = y[2]
                e = WarningAlert(str(flag) + ' scan from: ' + str(src))
                e.linklabel = '# of connections: ' + str(counter)
                e.linkcolor = 0xFF0000
                response += e
            return response
Beispiel #9
0
def dotransform(request, response):

    pkts = rdpcap(request.value)
    ips = []
    success = 'SMBu\\x00\\x00\\x00\\x00'
    null_share = 'IPC$'

    for p in pkts:
        if p.haslayer(TCP) and p.getlayer(TCP).dport == 445 and p.haslayer(Raw):
            raw = p.getlayer(Raw).load
            srcip = p.getlayer(IP).src
            dstip = p.getlayer(IP).dst
            if success and null_share in raw:
                convo = srcip, dstip
                if convo not in ips:
                    ips.append(convo)


    for src, dst in ips:
        e = WarningAlert('Null Share:\n' + str(src) + '->' + str(dst))
        e.linklabel = str(null_share)
        e.linkcolor = 0xFF0000
        response += e
    return response
Beispiel #10
0
def dotransform(request, response):
	
  pcap = request.value
  pkts = rdpcap(pcap)
  dnsHost = []
  
  for x in pkts:
    if x.haslayer(DNS) and x.haslayer(DNSRR):
      ancount = x.getlayer(DNS).ancount
      qname = x.getlayer(DNSRR).rrname
      ttl = x.getlayer(DNSRR).ttl
      if ancount >= 7 or ttl == 0:
        dnsrec = qname, ancount, ttl
        if dnsrec not in dnsHost:
          dnsHost.append(dnsrec)
  
  
  for dnsv, dnsc, ttl in dnsHost:
      e = WarningAlert('Fast Flux?: ' + dnsv)
      e.linklabel = 'Unique IPs: ' + str(dnsc)
      e += Field('dnsttl', ttl, displayname='TTL')
      e.linkcolor = 0xFF0000
      response += e
  return response
Beispiel #11
0
def dotransform(request, response):

    pkts = rdpcap(request.value)
    ips = []
    success = 'SMBu\\x00\\x00\\x00\\x00'
    null_share = 'IPC$'

    for p in pkts:
        if p.haslayer(TCP) and p.getlayer(TCP).dport == 445 and p.haslayer(
                Raw):
            raw = p.getlayer(Raw).load
            srcip = p.getlayer(IP).src
            dstip = p.getlayer(IP).dst
            if success and null_share in raw:
                convo = srcip, dstip
                if convo not in ips:
                    ips.append(convo)

    for src, dst in ips:
        e = WarningAlert('Null Share:\n' + str(src) + '->' + str(dst))
        e.linklabel = str(null_share)
        e.linkcolor = 0xFF0000
        response += e
    return response