def parse_pcap_file(filename, net_mask, time):
    """Feed every ICMP packet of *filename* to got_icmp_packet and report counts.

    Args:
        filename: Path of the capture file handed to open_offline.
        net_mask: Passed straight through to got_icmp_packet.
        time: Passed straight through to got_icmp_packet (the name shadows
            the stdlib ``time`` module inside this function, if imported).

    Side effects:
        Prints progress lines and the two counters kept in the stats dict
        ('icmp_count' and 'suspect'); got_icmp_packet is expected to update
        them.  Exits the process with status 1 when the capture cannot be
        opened.  A KeyboardInterrupt or a PcapPyException mid-file stops
        parsing but still prints the counts gathered so far.
    """
    try:
        capture = open_offline(filename)
    except PcapPyException as err:
        print(err.message)
        sys.exit(1)
    # BPF filter applied by the reader: only ICMP reaches the callback.
    capture.filter = 'icmp'
    pending_requests = {}
    counters = {'icmp_count': 0, 'suspect': 0}
    print("Parsing " + filename)
    try:
        # next_ex() hands back (header, data); the loop treats None as end of file.
        packet = capture.next_ex()
        while packet is not None:
            header, payload = packet[0], packet[1]
            got_icmp_packet(counters, header, payload, net_mask, pending_requests, time)
            packet = capture.next_ex()
        print("Done parsing the file!")
    except KeyboardInterrupt:
        print("File parsing canceled by user")
    except PcapPyException as err:
        print(err.message)
    print("Found %s ICMP packets" % counters['icmp_count'])
    print("Found %s suspicious ICMP packets" % counters['suspect'])
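def parse_pcap(file):
    """Return the capture timestamp (seconds) of the first packet in *file*.

    The original body returned ``ts`` and then carried an unreachable tail
    (a commented-out ``captcp`` throughput call and a second ``return data``)
    that could never execute; that dead code is dropped here.

    Args:
        file: Path of the pcap file handed to open_offline.  The parameter
            name shadows a Python 2 builtin but is kept for callers.

    Returns:
        int: ``tv_sec`` of the first packet header, read from
        ``first_packet[0][2]['tv_sec']`` exactly as before.

    Raises:
        ValueError: If the reader yields no first packet.

    Side effects:
        Echoes *file* to stdout before opening it.
    """
    print(file)
    reader = open_offline(file)
    first_packet = reader.next()
    # NOTE(review): assumes next() returns None on an empty capture — confirm
    # against the pcappy reader.  If it raises instead, this guard is harmless.
    if first_packet is None:
        raise ValueError("no packets in capture: %s" % file)
    return int(first_packet[0][2]['tv_sec'])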
# }}}
# Counters recording how TCP streams were classified; only initialised here,
# the code that increments them is outside this chunk.  The key spellings
# ('continous') are runtime strings and are kept as written.
stats = {
    'continous_request':0,
    'continous_request_skip':0,
    'continous_response':0,
    'continous_response_skip':0,
    'not_fin':0,
    'skip_ack':0,
    'skip_no_syn':0,
    'skip_fin':0,
    'skip_other':0,
    'no_response_body':0,
    'bad_request_amf':0
}
# Scratch stream state; not referenced anywhere within this chunk.
tmp_stream_index = 0
tmp_streams = {}
# Python 2 script (print statements, xrange, string.join below).
if not sys.argv[1:]:
    print 'usage: %s <dump.pcap>' % sys.argv[0]
    exit(-1)
# Open the file
p = open_offline(sys.argv[1])
def dumphex(s):
    # Print the bytes of s as rows of 16 two-digit hex values.
    # NOTE(review): `bytes` shadows the builtin, and len(bytes)/16 relies on
    # Python 2 integer division.  If len(s) < 16 the loop never runs and the
    # trailing print reads an unbound `i` (NameError); if len(s) is an exact
    # multiple of 16 the trailing print emits an empty row.
    bytes = map(lambda x: '%.2x' % x, map(ord, s))
    for i in xrange(0,len(bytes)/16):
        print ' %s' % string.join(bytes[i*16:(i+1)*16],' ')
    print ' %s' % string.join(bytes[(i+1)*16:],' ')
def hex_string(s):
    # Upper-case hex of every byte in s, no separator.
    return ''.join( [ "%02X" % ord( x ) for x in s ] )
def ip_string(s):
    # Dotted-decimal rendering of the bytes in s (four bytes for IPv4).
    return '.'.join( [ "%d" % ord( x ) for x in s ] )
# Body continues outside this chunk.
def port_string(s):
# NOTE: `return rs` is the tail of a definition that begins before this chunk;
# its name and the rest of its body are not visible here.
return rs
def update_record(ip, ts):
    # Widen the stored time window for `ip` to include `ts`, bump its packet
    # count and write the record back.  is_ip_stored and `locations` are
    # defined outside this chunk.
    r = is_ip_stored(ip)
    # earliest/latest use 0 as "unset"; a genuine timestamp of 0 would be
    # treated as unset and overwritten by the next packet.
    if r['earliest'] == 0 or r['earliest'] > ts:
        r['earliest'] = ts
    if r['latest'] == 0 or r['latest'] < ts:
        r['latest'] = ts
    r['count'] = r['count'] + 1
    # NOTE(review): looks like a MongoDB-style collection replaced by _id — confirm.
    locations.update({"_id": ip}, r)
def got_packet(d, hdr, data):
    # pcap loop callback: record the source IP of each matching packet.
    # `d` is the user-data argument passed to loop() and is unused here;
    # `decoder` is defined outside this chunk.
    packet = decoder.decode(data)
    ip_packet = packet.child()
    src_ip = ip_packet.get_ip_src()
    ts_parts = hdr['ts']
    # Capture timestamp folded into microseconds.
    full_ts = ts_parts['tv_sec'] * 1000000 + ts_parts['tv_usec']
    update_record(src_ip, full_ts)
    # print "{0} at {1}".format(src_ip, full_ts)
if not sys.argv[1:]:
    print 'usage: %s <dump.pcap>' % sys.argv[0]
    sys.exit(-1)
p = pcappy.open_offline(sys.argv[1])
# BPF filter: only ICMP addressed to this one hard-coded host is recorded.
p.filter = 'dst host 137.110.222.70 && icmp'
# Parameters are count, callback, user data (-1 presumably means run to end of file).
p.loop(-1, got_packet, {})
def extract_cap_handshakes(basedirs):
    """
    Look for cap files with handshakes, and extract them to hccap files.

    For every directory in basedirs each *.cap is run through WPACLEAN_BIN
    into /tmp/cleaned.cap; beacon frames of the cleaned capture give the
    BSSIDs, AIRCRACK_BIN writes one hccap per BSSID under /tmp and the file
    is copied next to the original cap.  Progress is printed to stdout.

    Returns the list of destination .hccap paths (the original docstring
    said "nothing", which the final return contradicts).

    NOTE(review): /tmp/cleaned.cap and /tmp/<bssid> are fixed, predictable
    paths in a shared directory and are reused across iterations.
    WPACLEAN_BIN, AIRCRACK_BIN, DRYRUN, csv2blob and parse_aps are defined
    outside this function.
    """
    ###########################################
    # Look for cap/csv handshakes
    print ""
    print "*** "*30
    print "*** "*30
    print "*** "*30
    print "*** "*30
    print ""
    print "Beginning search for cap files with handshakes"
    print ""
    handshakes_found = 0
    hccap_files = []
    for basedir in basedirs:
        if basedir[-1] <> '/':
            basedir += '/'
        # cap_files gets every .cap; csv_files only those with a sibling
        # .csv, so the two lists are not index-aligned whenever some caps
        # lack a csv (see csv_files[iic] below).
        cap_files=[]
        csv_files=[]
        for f in os.listdir(basedir):
            name,ext = os.path.splitext(f)
            if ext==".cap":
                if os.path.isfile(basedir+name+".csv"):
                    cap_files.append(basedir+name+".cap")
                    csv_files.append(basedir+name+".csv")
                else:
                    cap_files.append(basedir+name+".cap")
        print ""
        print "[ ] Looking for cap files with handshakes in",basedir
        for iic, cap_file in enumerate(cap_files):
            # Opened once per cap file and never closed.
            f = open(os.devnull, 'w')
            s = subprocess.Popen([WPACLEAN_BIN, '/tmp/cleaned.cap'] + [cap_file], stdout=f, stderr=f)
            s.wait()
            # 24 bytes: presumably only the pcap global header, i.e. no
            # packets survived cleaning — confirm.
            if os.stat('/tmp/cleaned.cap').st_size == 24:
                print '[-] No WPA/WPA2 handshakes captured from %s'%cap_file
                # NOTE(review): `pass` does not skip this cap; execution
                # falls through to open_offline below.  `continue` looks intended.
                pass
            p = open_offline('/tmp/cleaned.cap')
            # filter beacons
            p.filter = 'link[0] == 0x80'
            def gotpacket(d, hdr, data):
                # Append the six bytes at offset 10 of each frame to d as a
                # colon-separated lower-case MAC string.
                bssid = struct.unpack('6B', data[10:16])
                bssid_str = ':'.join(format(x, '02x') for x in bssid)
                d.append(bssid_str)
            # Parameters are count, callback, user params
            bssid_list = []
            p.loop(-1, gotpacket, bssid_list)
            ##############################33
            # Our BSSID list from the cap file is a
            # short but interesting set of BSSIDs
            # whose handshakes have been captured.
            #
            for bssid in bssid_list:
                BSSID = bssid.upper()
                # this is a new bssid
                # NOTE(review): bssid_list is not de-duplicated, so a BSSID
                # seen in several beacons is processed and counted repeatedly.
                print '[+] Handshake found!'
                print ' pcap file = %s'%cap_file
                print ' BSSID = %s'%BSSID
                bssid_file = re.sub(r'\:','_',BSSID)
                # check if we have a csv file,
                # airodump-ng dumps a csv file
                # besside-ng does not
                if csv_files <> []:
                    csv_file = csv_files[iic]
                    # extract bssid/essid information
                    stations_list, clients_list = csv2blob(csv_file)
                    # stations
                    stations_head, stations_data = parse_aps(stations_list)
                    bssid_ix = stations_head.index("BSSID")
                    essid_ix = stations_head.index("ESSID")
                    essid = ''
                    all_bssids = [station[bssid_ix].strip() for station in stations_data]
                    all_essids = [station[essid_ix].strip() for station in stations_data]
                    if BSSID in all_bssids:
                        this_ix = all_bssids.index(BSSID)
                        # NOTE(review): this_essid is never copied into
                        # `essid`, so the ESSID line below prints ''.
                        this_essid = all_essids[this_ix].strip()
                # Bare except: with no csv, `essid` may be unbound here
                # (NameError) and the handler prints N/A; a stale `essid`
                # left over from an earlier iteration would print instead.
                try:
                    print ' ESSID = %s'%essid
                except:
                    print ' ESSID N/A'
                # The message shows '/tmp'+bssid_file; the real path below uses '/tmp/'.
                print " Extracting BSSID handshakes to hccap file [%s] with Aircrack"%( '/tmp'+bssid_file )
                if not DRYRUN:
                    # Return code in `s` is never checked.
                    s = subprocess.call([AIRCRACK_BIN, '-J', '/tmp/'+bssid_file, '-b', BSSID, '/tmp/cleaned.cap'],stdout=f,stdin=f)
                src = "/tmp/"+bssid_file+".hccap"
                dest = basedir+bssid_file+".hccap"
                print " Moving hccap handshake file to [%s]"%(dest)
                if not DRYRUN:
                    # Return code in `s2` is never checked.
                    s2 = subprocess.call(["cp","-f",src,dest],stdout=f,stdin=f)
                # Recorded even under DRYRUN, when nothing was written.
                hccap_files.append(dest)
                handshakes_found += 1
    print ""
    print "Found %d handshakes."%handshakes_found
    print ""
    print "*** "*30
    print "*** "*30
    print "*** "*30
    print "*** "*30
    print ""
    return hccap_files
# At least one input capture is required.
if not argv[1:]:
    print('usage: %s [in1.cap] [in2.cap] ...' % argv[0])
    exit(-1)
# Child process output is discarded; `f` stays open for the rest of the script.
f = open(os.devnull, 'w')
# Run every input cap through WPACLEAN_BIN into one cleaned capture.
# NOTE(review): /tmp/cleaned.cap is a fixed path in a shared directory.
s = subprocess.Popen([WPACLEAN_BIN, '/tmp/cleaned.cap'] + list(argv[1:]), stdout=f, stderr=f)
s.wait()
# NOTE(review): 24 bytes is presumably just the pcap global header, i.e. no packets — confirm.
if os.stat('/tmp/cleaned.cap').st_size == 24:
    print('[-] No WPA/WPA2 handshakes captured...')
    exit(-1)
p = open_offline('/tmp/cleaned.cap')
# filter beacons
p.filter = 'link[0] == 0x80'
def gotpacket(d, hdr, data):
    """Loop callback: append the six bytes at offset 10 of the frame to d as a colon-separated lower-case MAC."""
    octets = struct.unpack('6B', data[10:16])
    d.append(':'.join('%02x' % octet for octet in octets))
bssid_list = []
# Parameters are count, callback, user params
p.loop(-1, gotpacket, bssid_list)
#!/usr/bin/env python
from pcappy import PcapPyOffline, open_offline
from sys import argv

# A capture path is mandatory.
if not argv[1:]:
    print('usage: %s <dump.pcap>' % argv[0])
    exit(-1)
# Open the file
p = open_offline(argv[1])
# or this instead: p = PcapPyOffline(argv[1])
# Parse only HTTP traffic
p.filter = 'tcp and port 80'
def gotpacket(d, hdr, data):
    """Loop callback: print the user dict, the pcap header and the packet's raw bytes, then count it in d['count']."""
    print('%s %s %s' % (d, hdr, repr(data)))
    d['count'] = d['count'] + 1
# pass in some random parameters to loop()'s callback. Can be any python object you want!
d = {'label': 'HTTP', 'count': 0}
# Parameters are count, callback, user params
p.loop(-1, gotpacket, d)
# Tail of a block that begins before this chunk (`cursor` is set up there):
# creates the `entries` table with an id and a unique bssid column.
cursor.execute('''CREATE TABLE entries(id INTEGER PRIMARY KEY, bssid TEXT unique)''')
if not argv[1:]:
    print 'usage: %s [in1.cap] [in2.cap] ...' % argv[0]
    exit(-1)
# Child process output is discarded; `f` is never closed in this chunk.
f = open(os.devnull, 'w')
# Every input cap is cleaned into one fixed path under /tmp.
# NOTE(review): the path is predictable, in a shared directory, and reused.
s = subprocess.Popen([WPACLEAN_BIN, '/tmp/cleaned.cap'] + argv[1:], stdout=f, stderr=f)
s.wait()
# 24 bytes: presumably only the pcap global header, i.e. nothing survived cleaning — confirm.
if os.stat('/tmp/cleaned.cap').st_size == 24:
    print '[-] No WPA/WPA2 handshakes captured...'
    exit(-1)
p = open_offline('/tmp/cleaned.cap')
# filter beacons
p.filter = 'link[0] == 0x80'
def gotpacket(d, hdr, data):
    # Append the six bytes at offset 10 of the frame to d as a
    # colon-separated lower-case MAC string.
    bssid = struct.unpack('6B', data[10:16])
    bssid_str = ':'.join(format(x, '02x') for x in bssid)
    d.append(bssid_str)
bssid_list = []
# Parameters are count, callback, user params
p.loop(-1, gotpacket, bssid_list)
# Body continues outside this chunk; presumably first-run setup of the
# sqlite database under $HOME.
if not os.path.isfile(os.getenv('HOME') + '/.wpa_pwn.sqlite3'):