Example #1
0
    def __init__(self, *args, **kwargs):
        super().__init__(
            name="special-ips",
            description=
            "identify DNS resolutions that fall into special IP (IPv4 and IPv6) spaces (i.e. private, reserved, loopback, multicast, link-local, or unspecified)",
            bpf="port 53",
            author="dev195",
            output=AlertOutput(label=__name__),
            longdescription="""
Identifies DNS resolutions that fall into special IP spaces (i.e. private,
reserved, loopback, multicast, link-local, or unspecified).

When found, it will print an alert for the request/response pair. The alert
will include the type of special IP in parentheses:
    (loopback)
    (private)
    (reserved)
    (multicast)
    (link-local)
    (unspecified)

For example, to look for responses with private IPs:
    Dshell> decode -d specialips ~/pcap/SkypeIRC.cap  |grep "(private)"
    [special-ips] 2006-08-25 15:31:06      192.168.1.2:2128  --      192.168.1.1:53    ** ID: 12579, A? voyager.home., A: 192.168.1.1 (private) (ttl 10000s) **

Finding can also be written to a separate pcap file by chaining:
    Dshell> decode -d specialips+pcapwriter --pcapwriter_outfile="special-dns.pcap" ~/pcap/example.pcap
""",
        )
Example #2
0
 def __init__(self):
     super().__init__(
         name="sweetorange",
         longdescription=
         "Used to decode certain variants of the Sweet Orange exploit kit redirect traffic. Looks for telltale Javascript variable names (e.g. 'ajax_data_source' and 'main_request_data_content') and automatically decodes the exploit landing page contained.",
         description=
         "Used to decode certain variants of the Sweet Orange exploit kit redirect traffic",
         bpf="tcp and (port 80 or port 8080 or port 8000)",
         output=AlertOutput(label=__name__),
         author="dev195",
         gunzip=True,
         optiondict={
             "variable": {
                 "type": str,
                 "action": "append",
                 "help":
                 'Variable names to search for. Default ("ajax_data_source", "main_request_data_content")',
                 "default":
                 ["ajax_data_source", "main_request_data_content"]
             },
             "color": {
                 "action": "store_true",
                 "help":
                 "Display encoded/decoded lines in different TTY colors.",
                 "default": False
             },
         })
Example #3
0
    def __init__(self, *args, **kwargs):
        super().__init__(
            name="Top Talkers",
            description="Find top-talkers based on byte count",
            author="dev195",
            bpf="tcp or udp",
            output=AlertOutput(label=__name__),
            optiondict={
                "top_x": {
                    "type": int,
                    "default": 20,
                    "help": "Only display the top X results (default: 20)",
                    "metavar": "X"
                },
                "total": {
                    "action":
                    "store_true",
                    "help":
                    "Sum byte counts from both directions instead of separate entries for individual directions"
                },
                "h": {
                    "action": "store_true",
                    "help": "Print byte counts in human-readable format"
                }
            },
            longdescription="""
Finds top 20 connections with largest transferred byte count.

Can be configured to display an arbitrary Top X list with arguments.

Does not pass connections down plugin chain.
""")
Example #4
0
 def __init__(self):
     super().__init__(
         name="ssh-pubkey",
         author="amm",
         description="Extract server ssh public key from key exchange",
         bpf="tcp port 22",
         output=AlertOutput(label=__name__))
Example #5
0
    def __init__(self):
        super().__init__(
            name="ftp",
            description="alerts on FTP traffic and, optionally, rips files",
            longdescription="""
Goes through TCP connections and tries to find FTP control channels and
associated data channels. Optionally, it will write out any file data it
sees into a separate directory.

If a data connection is seen, it prints a message indicating the user, pass,
and file requested. If the --ftp_dump flag is set, it also dumps the file into the
--ftp_outdir directory.
""",
            author="amm,dev195",
            bpf="tcp",
            output=AlertOutput(label=__name__),
            optiondict={
                "ports": {
                    'help': 'comma-separated list of ports to watch for control connections (default: 21)',
                    'metavar': 'PORT,PORT,PORT,[...]',
                    'default': '21'},
                "dump": {
                    'action': 'store_true',
                    'help': 'dump files from stream'},
                "outdir": {
                    'help': 'directory to write output files (default: "ftpout")',
                    'metavar': 'DIRECTORY',
                    'default': 'ftpout'}
            }
        )
Example #6
0
    def __init__(self, **kwargs):
        super().__init__(
            name="track",
            author="twp,dev195",
            description="Only follow connections that match user-provided IP addresses and ports",
            longdescription="""Only follow connections that match user-provided IP addresses

IP addresses can be specified with --track_source and --track_target.
Multiple IPs can be used with commas (e.g. --track_source=192.168.1.1,127.0.0.1).
Ports can be included with IP addresses by joining them with a 'p' (e.g. --track_target=192.168.1.1p80,127.0.0.1).
Ports can be used alone with just a 'p' (e.g. --track_target=p53).
CIDR notation is okay (e.g. --track_source=196.168.0.0/16).

--track_source : used to limit connections by the IP that initiated the connection (usually the client)
--trace_target : used to limit connections by the IP that received the connection (usually the server)
--track_alerts : used to display optional alerts indicating when a connection starts/ends""",
            bpf="ip or ip6",
            output=AlertOutput(label=__name__),
            optiondict={
                "target": {
                    "default": [],
                    "action": "append",
                    "metavar": "IPpPORT"},
                "source": {
                    "default": [],
                    "action": "append",
                    "metavar": "IPpPORT"},
                "alerts": {
                    "action": "store_true"}
                }
            )
        self.sources = []
        self.targets = []
Example #7
0
    def __init__(self):
        super().__init__(
            name="sslblacklist",
            author="dev195",
            bpf="tcp and (port 443 or port 993 or port 1443 or port 8531)",
            description=
            "Looks for certificate SHA1 matches in the abuse.ch blacklist",
            longdescription="""
    Looks for certificates in SSL/TLS traffic and tries to find any hashes that
    match those in the abuse.ch blacklist.

    Requires downloading the blacklist CSV from abuse.ch:
    https://sslbl.abuse.ch/blacklist/

    If the CSV is not in the current directory, use the --sslblacklist_csv
    argument to provide a file path.
""",
            output=AlertOutput(label=__name__),
            optiondict={
                "csv": {
                    "help": "filepath to the sslblacklist.csv file",
                    "default": "./sslblacklist.csv",
                    "metavar": "FILEPATH"
                },
            })
Example #8
0
 def __init__(self):
     super().__init__(
         name="sslalerts",
         author="dev195",
         bpf="tcp and (port 443 or port 993 or port 1443 or port 8531)",
         description="Looks for SSL alert messages",
         output=AlertOutput(label=__name__),
     )
Example #9
0
 def __init__(self):
     super().__init__(
         name="SYN/RST",
         description=
         "Detects failed attempts to connect (SYN followed by RST/ACK)",
         author="bg",
         bpf="(ip and (tcp[13]=2 or tcp[13]=20)) or (ip6 and tcp)",
         output=AlertOutput(label=__name__))
Example #10
0
 def __init__(self):
     super().__init__(
         name="innuendo-dns",
         description="proof-of-concept detector for INNUENDO DNS channel",
         bpf="port 53",
         author="primalsec",
         output=AlertOutput(label=__name__),
     )
Example #11
0
 def __init__(self):
     super().__init__(
         name='ip',
         description='IPv4/IPv6 plugin',
         bpf='ip or ip6',
         author='twp',
         output=AlertOutput(label=__name__),
     )
Example #12
0
    def __init__(self):
        super().__init__(
            name="reverse-flows",
            description=
            "Generate an alert if the client transmits more data than the server",
            author="me",
            bpf="tcp or udp",
            output=AlertOutput(label=__name__),
            optiondict={
                'threshold': {
                    'type':
                    float,
                    'default':
                    3.0,
                    'help':
                    'Alerts if client transmits more than threshold times the data of the server'
                },
                'minimum': {
                    'type':
                    int,
                    'default':
                    0,
                    'help':
                    'alert on client transmissions larger than min bytes [default: 0]'
                },
                'zero': {
                    'action':
                    'store_true',
                    'default':
                    False,
                    'help':
                    'alert if the server transmits zero bytes [default: false]'
                },
            },
            longdescription="""
Generate an alert when a client transmits more data than the server.

Additionally, the user can specify a threshold. This means that an alert
will be generated if the client transmits more than three times as much data
as the server.

The default threshold value is 3.0, meaning that any client transmits
more than three times as much data as the server will generate an alert.

Examples:
1) decode -d reverse-flow <pcap>
    Generates an alert for client transmissions that are three times
    greater than the server transmission.

2) decode -d reverse-flow <pcap> --reverse-flow_threshold 61
    Generates an alert for all client transmissions that are 61 times
    greater than the server transmission

3) decode -d reverse-flow <pcap> --reverse-flow_threshold 61  --reverse-flow_zero
    Generates an alert for all client transmissions that are 61 times greater
    than the server transmission.
            """,
        )
Example #13
0
 def __init__(self):
     super().__init__(
         name="Uncommon Protocols",
         description=
         "Finds uncommon (i.e. not tcp, udp, or icmp) protocols in IP traffic",
         bpf=
         "(ip or ip6) and not tcp and not udp and not icmp and not icmp6",
         author="bg",
         output=AlertOutput(label=__name__),
     )
Example #14
0
 def __init__(self):
     super().__init__(
         name="web",
         author="bg,twp",
         description="Displays basic information for web requests/responses in a connection",
         bpf="tcp and (port 80 or port 8080 or port 8000)",
         output=AlertOutput(label=__name__),
         optiondict={
             "md5": {"action": "store_true",
                     "help": "Calculate MD5 for each response."}
         },
     )
Example #15
0
    def __init__(self):
        super().__init__(
            name="tls",
            author="amm",
            description=
            "Extract interesting metadata from TLS connection setup",
            bpf=
            "tcp and (port 443 or port 993 or port 25 or port 587 or port 465 or port 5269 or port 995 or port 3389)",
            output=AlertOutput(label=__name__),
            longdescription="""
Extract interesting metadata from TLS connection setup, including the ClientHello and Certificate handshake structures.

For JA3 support (ClientHello hash), install module pyja3
            """)
Example #16
0
    def __init__(self):
        super().__init__(
            name="RTP",
            author="mm/dev195",
            bpf="udp",
            description="Real-time transport protocol (RTP) capture plugin",
            longdescription="""
The real-time transport protocol (RTP) plugin will extract the Hosts, Payload Type, Synchronization source, 
Sequence Number, Padding, Marker and Client MAC address from every RTP packet found in the given pcap.

General usage:

    decode -d rtp <pcap> 
    decode -d rtp --no-vlan --layer2=sll.SLL <pcap> 

Examples:

    https://wiki.wireshark.org/SampleCaptures#SIP_and_RTP
    https://wiki.wireshark.org/SampleCaptures?action=AttachFile&do=get&target=rtp_example.raw.gz

    decode -d rtp rtp_example.pcap

Output:
    
    rtp 2016-09-21 23:44:40   50.197.16.141:1195  --     192.168.9.12:44352 ** 
        From: 50.197.16.141 (00:02:31:11:a5:97) to 192.168.9.12 (45:20:01:31:45:40) 
        Payload Type (7 bits): Dynamic
        Sequence Number (16 bits): 58635
        Timestamp (32 bits): 1331328074 
        Synchronization source (32 bits): 1948709792
        Arrival Time: 1474497880.6 --> 2016-09-21 22:44:40.604135
        Contributing source (32 bits): 1, Padding (1 bit): 1, Extension (1 bit): 1, Marker (1 bit): 0
     **
    rtp 2016-09-21 23:44:40         10.5.1.8:5086  --         10.5.1.7:5070  ** 
        From: 10.5.1.8 (00:02:81:11:a0:d7) to 10.5.1.7 (45:00:20:c8:a3:26) 
        Payload Type (7 bits): PCMU - Audio - 8000 Hz - 1 Channel
        Sequence Number (16 bits): 17664
        Timestamp (32 bits): 98240 
        Synchronization source (32 bits): 1671095215
        Arrival Time: 1474497880.6 --> 2016-09-21 22:44:40.604160
        Contributing source (32 bits): 0, Padding (1 bit): 0, Extension (1 bit): 0, Marker (1 bit): 0
     **
  """,
            output=AlertOutput(label=__name__))
Example #17
0
 def __init__(self, *args, **kwargs):
     super().__init__(
         name="DNS Country Code",
         description="identify country code of DNS A/AAAA record responses",
         bpf="port 53",
         author="bg",
         output=AlertOutput(label=__name__),
         optiondict={
             'foreign': {
                 'action': 'store_true',
                 'help': 'report responses in non-US countries'
             },
             'code': {
                 'type':
                 str,
                 'help':
                 'filter on a specific country code (ex. US, DE, JP, etc.)'
             }
         })
Example #18
0
    def __init__(self, **kwargs):
        super().__init__(
            name='dhcp',
            description='extract client information from DHCP messages',
            longdescription="""
The dhcp plugin will extract the Transaction ID, Hostname, and
Client ID (MAC address) from every UDP DHCP packet found in the given pcap
using port 67.  DHCP uses BOOTP as its transport protocol.
BOOTP assigns port 67 for the 'BOOTP server' and port 68 for the 'BOOTP client'.
This filter pulls DHCP Inform packets.

Examples:

    General usage:

        decode -d dhcp <pcap>

            This will display the connection info including the timestamp,
            the source IP : source port, destination IP : destination port,
            Transaction ID, Client Hostname, and the Client MAC address
            in a tabular format.


    Malware Traffic Analysis Exercise Traffic from 2015-03-03 where a user was hit with an Angler exploit kit:
        <http://www.malware-traffic-analysis.net/2015/03/03/2015-03-03-traffic-analysis-exercise.pcap>
    We want to find out more about the infected machine, and some of this information can be pulled from DHCP traffic

        decode -d dhcp 2015-03-03-traffic-analysis-exercise.pcap

            OUTPUT:
[dhcp] 2015-03-03 14:05:10   172.16.101.196:68    ->     172.16.101.1:67    ** Transaction ID: 0xba5a2cfe   Client ID (MAC): 38:2C:4A:3D:EF:01    Hostname: Gregory-PC **
[dhcp] 2015-03-03 14:08:40   172.16.101.196:68    ->  255.255.255.255:67    ** Transaction ID: 0x6a482406   Client ID (MAC): 38:2C:4A:3D:EF:01    Hostname: Gregory-PC **
[dhcp] 2015-03-03 14:10:11   172.16.101.196:68    ->     172.16.101.1:67    ** Transaction ID: 0xe74b17fe   Client ID (MAC): 38:2C:4A:3D:EF:01    Hostname: Gregory-PC **
[dhcp] 2015-03-03 14:12:50   172.16.101.196:68    ->  255.255.255.255:67    ** Transaction ID: 0xd62614a0   Client ID (MAC): 38:2C:4A:3D:EF:01    Hostname: Gregory-PC **
""",
            bpf='(udp and port 67)',
            output=AlertOutput(label=__name__),
            author='dek',
        )
        self.mac_address = None
        self.client_hostname = None
        self.xid = None
Example #19
0
    def __init__(self):
        super().__init__(
            name="ms15-034",
            author="bg",
            description='detect attempts to enumerate MS15-034 vulnerable IIS servers',
            bpf='tcp and (port 80 or port 8080 or port 8000)',
            output=AlertOutput(label=__name__),
            longdescription='''
Proof-of-concept code to detect attempts to enumerate MS15-034 vulnerable
IIS servers and/or cause a denial of service.  Each event will generate an
alert that prints out the HTTP Request method and the range value contained
with the HTTP stream.

Usage:
decode -d ms15-034 -q *.pcap
decode -d ms15-034 -i <interface> -q

References:
https://technet.microsoft.com/library/security/ms15-034
https://ma.ttias.be/remote-code-execution-via-http-request-in-iis-on-windows/
''',
        )
Example #20
0
    def __init__(self):
        super().__init__(
            name="Joomla CVE-2015-8562",
            author="bg",
            description=
            'detect attempts to enumerate MS15-034 vulnerable IIS servers',
            bpf='tcp and (port 80 or port 8080 or port 8000)',
            output=AlertOutput(label=__name__),
            optiondict={
                "raw_payload": {
                    "action":
                    "store_true",
                    "help":
                    "return the raw payload (do not attempt to decode chr encoding)",
                }
            },
            longdescription='''
Detect and dissect malformed HTTP headers targeting Joomla

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8562

Usage Examples:
---------------

Dshell> decode -d joomla *.pcap
[Joomla CVE-2015-8562] 2015-12-15 20:17:18    192.168.1.119:43865 <-    192.168.1.139:80    ** x-forwarded-for -> system('touch /tmp/2'); **

The module assumes the cmd payload is encoded using chr.  To turn this off run:

Dshell> decode -d joomla --joomla_raw_payload *.pcap
[Joomla CVE-2015-8562] 2015-12-15 20:17:18    192.168.1.119:43865 <-    192.168.1.139:80    ** x-forwarded-for -> "eval(chr(115).chr(121).chr(115).chr(116).chr(101).chr(109).chr(40).chr(39).chr(116).chr(111).chr(117).chr(99).chr(104).chr(32).chr(47).chr(116).chr(109).chr(112).chr(47).chr(50).chr(39).chr(41).chr(59)); **
''',
        )

        # Indicator of (potential) compromise
        self.ioc = "JFactory::getConfig();exit"
        self.ioc_bytes = bytes(self.ioc, "ascii")
Example #21
0
 def __init__(self):
     super().__init__(
         name="rip-http",
         author="bg,twp",
         bpf="tcp and (port 80 or port 8080 or port 8000)",
         description="Rips files from HTTP traffic",
         output=AlertOutput(label=__name__),
         optiondict={
             'append_conn': {
                 'action': 'store_true',
                 'help': 'append sourceip-destip to filename'
             },
             'append_ts': {
                 'action': 'store_true',
                 'help': 'append timestamp to filename'
             },
             'direction': {
                 'help':
                 'cs=only capture client POST, sc=only capture server GET response',
                 'metavar': '"cs" OR "sc"',
                 'default': None
             },
             'outdir': {
                 'help':
                 'directory to write output files (Default: current directory)',
                 'metavar': 'DIRECTORY',
                 'default': '.'
             },
             'content_filter': {
                 'help': 'regex MIME type filter for files to save',
                 'metavar': 'REGEX'
             },
             'name_filter': {
                 'help': 'regex filename filter for files to save',
                 'metavar': 'REGEX'
             }
         })
Example #22
0
    def __init__(self, *args, **kwargs):
        super().__init__(
            name="DNS",
            description="Extract and summarize DNS queries/responses",
            longdescription="""
The DNS plugin extracts and summarizes DNS queries and their responses. If
possible, each query is paired with its response(s).

Possible anomalies can be found using the --dns_show_noanswer,
--dns_only_noanswer, --dns_show_norequest, or --dns_only_norequest flags
(see --help).

For example, looking for responses that did not come from a request:
    decode -d dns --dns_only_norequest

Additional information for responses can be seen with --dns_country and
--dns_asn to show country codes and ASNs, respectively. These results can be
piped to grep for filtering results.

For example, to look for all traffic from Germany:
    decode -d dns --dns_country |grep "country: DE"

To look for non-US traffic, try:
    decode -d dns --dns_country |grep "country:" |grep -v "country: US"
""",
            author="bg/twp",
            bpf="udp and port 53",
            output=AlertOutput(label=__name__),
            optiondict={'show_noanswer': {'action': 'store_true', 'help': 'report unanswered queries alongside other queries'},
                        'show_norequest': {'action': 'store_true', 'help': 'report unsolicited responses alongside other responses'},
                        'only_noanswer': {'action': 'store_true', 'help': 'report only unanswered queries'},
                        'only_norequest': {'action': 'store_true', 'help': 'report only unsolicited responses'},
                        'country': {'action': 'store_true', 'help': 'show country code for returned IP addresses'},
                        'asn': {'action': 'store_true', 'help': 'show ASN for returned IP addresses'},
                    }
        )
Example #23
0
    def __init__(self, **kwargs):
        super().__init__(
            name="tftp",
            bpf="udp",
            description="Find TFTP streams and, optionally, extract the files",
            author="dev195",
            output=AlertOutput(label=__name__),
            optiondict={
                "rip": {
                    "action": "store_true",
                    "help": "Rip files from traffic (default: off)",
                    "default": False},
                "outdir": {
                    "help": "Directory to place files when using --rip (default: tftp_out)",
                    "default": "./tftp_out",
                    "metavar": "DIRECTORY"}
            }
        )

        # default information for streams we didn't see the start for
        self.default_stream = {
            'filename': '',
            'mode': '',
            'readwrite': '',
            'closed_connection': False,
            'filedata': {},
            'timestamp': 0
        }

        # containers for various states of streams
        self.open_streams = {}
        self.closed_streams = []
        # These two are holders while waiting for the server to decide on which
        # ephemeral port to use
        self.unset_write_streams = {}
        self.unset_read_streams = {}
Example #24
0
    def __init__(self):
        super().__init__(
            name='bitcoin',
            description=
            'Extract Bitcoin traffic, including Stratum mining protocol (pooled) traffic',
            longdescription='''
The bitcoin plugin will extract any Bitcoin traffic attempting to find and output: 
    Client/server IP addresses, src/dst port numbers, MAC addresses of the machines
    used in the Bitcoin communication/transactions, timestamps of the packets,
    packet payload sizes in KB, and the Network type 
    ('Bitcoin Main' if Bitcoin data traffic).

Connection tuples are cached when BITCOIN-MAIN traffic is detected, such that following this,
any blobs in a cached connection that do not contain BITCOIN-MAIN magic bytes, are labeled
as part of a connection containing Bitcoin traffic.

Any traffic on BITCOIN-MAIN's designated port will be labeled as potential Bitcoin traffic.  

Additionally for Stratum mining, the plugin will attempt to extract:
    Bitcoin miner being used, transaction methods used in each connection 
    (mining.notify, mining.authorize, mining.get_transaction, mining.submit, etc.), 
    User ID (Auth ID) used to access the Bitcoin mining pool, and possibly the password 
    used to connect to the pool if it is stored in the JSON of the payload.

    Also, the: 
    range of job IDs (per connection), previous block hash, generation transaction (part 1), 
    generation transaction (part 2), merkle tree branches (hashes), block version, 
    and the hash difficulty (n-bits)
    (The generation transactions and merkle tree branches are only optionally outputted 
     to a file: See Example (2) below)
 
    Note (1): The first time that all of this Stratum mining information is 
              collected (per connection), all of the packets decoded after this 
              point from within the same connection (same exact sip, dip, sport, dport) 
              will continue to output the same collection of information since it 
              will be the same, and is cumulative per connection.

    Note (2): The gen_tx1 and gen_tx2 fields enable the miner to build the coinbase
              transaction for the block by concatentating gen_tx1, the extranonce1 
              at the start of gen_tx1, the extranonce2 generated by the miner, and 
              gen_tx2 (hashes with scriptPubKeys)

    Note (3): Some pools recommend miners use their Bitcoin wallet ID 
              (address used for payment) as their 'Auth ID'. This will be easily 
              spotted as it is an address consisting of 26-35 alphanumeric characters, 
              and it always begins with either the number '1' or '3'


    For additional information: 
        Bitcoin Protocol:        <https://en.bitcoin.it/wiki/Protocol_documentation>
        Stratum Mining Protocol: <https://en.bitcoin.it/wiki/Stratum_mining_protocol>


--------Main ports / Some secondary ports used for Bitcoin Traffic---------
    Bitcoin Main traffic uses port 8333
    Bitcoin Testnet uses port 18333
    Several pools use ports 3333, 8332, 8337
    The other ports checked are known ports used by specific BTC mining pools
    Other Bitcoin pools utilize alternate ports (even 80 / 443)


Examples:

    (1) Basic usage:

        decode -d bitcoin <pcap>


    (2) Saving Generation Transaction Data and Merkle Branches to a specified file:

        decode -d bitcoin <pcap> --bitcoin_gentx='foo.txt.'
''',
            bpf='''(tcp and port (3332 or 3333 or 3334 or 3335 or
                                                    4008 or 4012 or 4016 or 4024 or
                                                    4032 or 4048 or 4064 or 4096 or
                                                    4128 or 4256 or 5050 or 7033 or
                                                    7065 or 7129 or 7777 or 8332 or
                                                    8333 or 8334 or 8336 or 8337 or 
                                                    8344 or 8347 or 8361 or 8888 or 
                                                    9332 or 9337 or 9999 or 11111 or 
                                                    12222 or 17777 or 18333))''',
            output=AlertOutput(label=__name__),
            author='dek',
            optiondict={
                'gentx': {
                    'type':
                    str,
                    'default':
                    None,
                    'help':
                    'The name of the file to output the fields used to generate the block transaction (gen_tx1, gen_tx2, merkle_branches) (default: None)'
                },
            })

        self.auth_ids = {}
        self.notify_params = {}
        self.methods = {}
        self.miners = {}
        self.job_ids = {}
        self.smac = None
        self.dmac = None
        self.bc_net = None
        self.size = 0
        self.bcm_cache = set()
        self.JSON = False
        self.NOTIFY = False
Example #25
0
    def __init__(self):
        super().__init__(
            name='nbns',
            description='Extract client information from NBNS traffic',
            longdescription="""
The nbns (NetBIOS Name Service) plugin will extract the Transaction ID, Protocol Info, 
Client Hostname, and Client MAC address from every UDP NBNS packet found in the given 
pcap using port 137.  UDP is the standard transport protocol for NBNS traffic.
This filter pulls pertinent information from NBNS packets.

Examples:

    General usage:

        decode -d nbns <pcap>

            This will display the connection info including the timestamp,
            the source IP, destination IP, Transaction ID, Protocol Info,
            Client Hostname, and the Client MAC address in a tabular format.


    Malware Traffic Analysis Exercise Traffic from 2014-12-08 where a user was hit with a Fiesta exploit kit:
        <http://www.malware-traffic-analysis.net/2014/12/08/2014-12-08-traffic-analysis-exercise.pcap>
    We want to find out more about the infected machine, and some of this information can be pulled from NBNS traffic

        decode -d nbns 2014-12-08-traffic-analysis-exercise.pcap

          OUTPUT (first few packets):
            [nbns] 2014-12-08 18:19:13  192.168.204.137:137   ->    192.168.204.2:137   ** 
                    Transaction ID:         0xb480   
                    Info:                   NB_NAME_QUERY    
                    Client Hostname:        WPAD             
                    Client MAC:             00:0C:29:9D:B8:6D 
             **
            [nbns] 2014-12-08 18:19:14  192.168.204.137:137   ->    192.168.204.2:137   ** 
                    Transaction ID:         0xb480   
                    Info:                   NB_NAME_QUERY    
                    Client Hostname:        WPAD             
                    Client MAC:             00:0C:29:9D:B8:6D 
             **
            [nbns] 2014-12-08 18:19:16  192.168.204.137:137   ->    192.168.204.2:137   ** 
                    Transaction ID:         0xb480   
                    Info:                   NB_NAME_QUERY    
                    Client Hostname:        WPAD             
                    Client MAC:             00:0C:29:9D:B8:6D 
             **
            [nbns] 2014-12-08 18:19:17  192.168.204.137:137   ->  192.168.204.255:137   ** 
                    Transaction ID:         0xb480   
                    Info:                   NB_NAME_QUERY    
                    Client Hostname:        WPAD             
                    Client MAC:             00:0C:29:9D:B8:6D 
             **
  """,
            bpf='(udp and port 137)',
            output=AlertOutput(label=__name__),
            author='dek',
        )
        self.mac_address = None
        self.client_hostname = None
        self.xid = None
        self.prot_info = None