def dotransform(request, response):
    # Store the pcap file as a variable
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the record created below
        x = mongo_connect()
        c = x['DNS']
        # Hash the pcap file
        try:
            md5hash = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        # Get the session and/or pcap id
        d = find_session(md5hash)
        pcap_id = d[0]
        session_id = d[1]
    else:
        pass

    try:
        pkts = rdpcap(pcap)
        dns_requests = []
        for p in pkts:
            if p.haslayer(DNSQR):
                timestamp = datetime.datetime.fromtimestamp(p.time).strftime('%Y-%m-%d %H:%M:%S.%f')
                r = p[DNSQR].qname[:-1]
                tld = tldextract.extract(r)
                domain = tld.registered_domain
                if usedb > 0:
                    dns = OrderedDict({'PCAP ID': pcap_id, 'Stream ID': session_id,
                                       'Time Stamp': timestamp,
                                       'Type': 'Request', 'IP': {'src': p[IP].src, 'dst': p[IP].dst, 'length': p[IP].len},
                                       'Request Details': {'Query Type': p[DNSQR].qtype, 'Query Name': r, 'Domain': domain}})
                    t = x.DNS.find({'Time Stamp': timestamp}).count()
                    if t > 0:
                        pass
                    else:
                        c.insert(dns)
                else:
                    pass
                if r not in dns_requests:
                    dns_requests.append(domain)
            else:
                pass
    
        for d in dns_requests:
            x = Domain(d)
            response += x
        return response

    except Exception as e:
        if usedb > 0:
            error_logging(str(e), 'DNS Requests')
        else:
            return response + UIMessage(str(e))
Ejemplo n.º 2
0
def dotransform(request, response):
    # Store the pcap file as a variable
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the record created below
        x = mongo_connect()
        c = x['DNS']
        # Hash the pcap file
        try:
            md5hash = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        # Get the session and/or pcap id
        d = find_session(md5hash)
        pcap_id = d[0]
        session_id = d[1]
    else:
        pass

    try:
        pkts = rdpcap(pcap)
        dns_requests = []
        for p in pkts:
            if p.haslayer(DNSQR):
                timestamp = datetime.datetime.fromtimestamp(
                    p.time).strftime('%Y-%m-%d %H:%M:%S.%f')
                r = p[DNSQR].qname[:-1]
                tld = tldextract.extract(r)
                domain = tld.registered_domain
                if usedb > 0:
                    dns = OrderedDict({
                        'PCAP ID': pcap_id,
                        'Stream ID': session_id,
                        'Time Stamp': timestamp,
                        'Type': 'Request',
                        'IP': {
                            'src': p[IP].src,
                            'dst': p[IP].dst,
                            'length': p[IP].len
                        },
                        'Request Details': {
                            'Query Type': p[DNSQR].qtype,
                            'Query Name': r,
                            'Domain': domain
                        }
                    })
                    t = x.DNS.find({'Time Stamp': timestamp}).count()
                    if t > 0:
                        pass
                    else:
                        c.insert(dns)
                else:
                    pass
                if r not in dns_requests:
                    dns_requests.append(domain)
            else:
                pass

        for d in dns_requests:
            x = Domain(d)
            response += x
        return response

    except Exception as e:
        if usedb > 0:
            error_logging(str(e), 'DNS Requests')
        else:
            return response + UIMessage(str(e))
Ejemplo n.º 3
0
def dotransform(request, response):

    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb == 0:
        return response + UIMessage('You have chosen not to use a database')
    else:
        pass

    d = mongo_connect()
    c = d['PACKETS']
    y = d['PACKETSUMMARY']
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')

    # Hash the pcap file
    try:
        md5pcap = md5_for_file(pcap)
    except Exception as e:
        return response + UIMessage(str(e))

    def convert_encoding(data, encoding='utf-8'):
        if isinstance(data, dict):
            return dict((convert_encoding(key), convert_encoding(value)) \
                        for key, value in data.iteritems())
        elif isinstance(data, list):
            return [convert_encoding(element) for element in data]
        elif isinstance(data, unicode):
            return data.encode(encoding, errors='replace')
        else:
            return data

    # Get the PCAP ID for the pcap file
    try:
        s = d.INDEX.find({"MD5 Hash": md5pcap}).count()
        if s == 0:
            t = d.STREAMS.find({"MD5 Hash": md5pcap}).count()
            if t > 0:
                r = d.STREAMS.find({"MD5 Hash": md5pcap}, {"PCAP ID": 1, "Stream ID": 1, "_id": 0})
                for i in r:
                    pcap_id = i['PCAP ID']
                    streamid = i['Stream ID']
            else:
                return response + UIMessage('No PCAP ID, you need to index the pcap file')
        if s > 0:
            r = d.INDEX.find({"MD5 Hash": md5pcap}, {"PCAP ID": 1, "_id": 0})
            for i in r:
                pcap_id = i['PCAP ID']
                streamid = i['PCAP ID']
    except Exception as e:
        return response + UIMessage(str(e))


    stream_url = 'http://%s:%s/pcap/%s/packets' % (url, port, streamid)
    pkts = loadpackets(pcap)

    # Dump the full packets into the database for later use.
    x = find_layers(pkts, pcap, pcap_id, streamid)
    try:
        for s in x:
            tstamp = s['Buffer']['timestamp']
            q = d.PACKETS.find({"Buffer.timestamp": tstamp}).count()
            if q > 0:
                pass
            else:
                v = OrderedDict(json.loads(json.dumps(convert_encoding(s), encoding='latin-1', ensure_ascii=False)))
                c.insert(v)
    except Exception as e:
        error_logging(str(e), 'Packets')

    # Build the packet summary so we can make pretty pages.
    count = 1
    packet = OrderedDict()
    try:
        for p in pkts:
            tstamp = datetime.datetime.fromtimestamp(p.time).strftime('%Y-%m-%d %H:%M:%S.%f')
            p_header = {"PCAP ID": pcap_id, "Buffer": {"timestamp": tstamp, "packetnumber": count, "pcapfile": pcap,
                                                       "packet_length": p.len, "StreamID": streamid}}
            packet.update(p_header)
            if p.haslayer(IP):
                p_ip = {"IP": {"ip_src": p[IP].src, "ip_dst": p[IP].dst, "ip_ttl": p[IP].ttl}}
                packet.update(p_ip)
            layers = []
            counter = 0
            while True:
                layer = p.getlayer(counter)
                if layer != None:
                    if layer.name == 'HTTP':
                        pass
                    else:
                        layers.append(layer.name)
                else:
                    break
                counter += 1
            p_layers = {"Layers": layers}
            packet.update(p_layers)
            view_url = 'http://%s:%s/pcap/%s/%s/packets/%s' % (url, port, pcap_id, streamid, count)
            p_view = {"View": view_url}
            packet.update(p_view)
            t = d.PACKETSUMMARY.find({"Buffer.timestamp": tstamp}).count()
            if t > 0:
                pass
            else:
                y.insert(packet)
            count += 1
            packet.clear()
    except Exception as e:
        error_logging(str(e), 'PacketSummary')

    # Return the Maltego Entity
    a = pcapStream(stream_url)
    response += a
    return response