Example #1
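def parse(protos, packet):
    """Extract FTP USER/PASS values and login confirmations from one packet.

    Args:
        protos: PDML protocol nodes for the packet; ``protos[0]`` is the
            ``ftp`` node whose child fields are the dissected lines.
        packet: unused by this parser (part of the shared module signature).

    Returns:
        A single-element list, or ``[]`` when nothing matched:
          * ``{'FTP_VERIF': ''}`` with ``verification=True`` when the reply
            field (third child of the ftp node) is a ``230`` "user logged in,
            proceed" response (RFC 959), i.e. the credentials seen before it
            worked;
          * ``{'pass': <password>}`` for the first ``PASS`` line found;
          * ``{'user': <username>}`` for the first ``USER`` line found.

    The PDML is built from attacker-controlled wire data, so an unexpected
    tree shape (short child lists, text nodes, missing attributes) yields
    ``[]`` instead of an IndexError/KeyError that would stop the sniffer.
    """

    def _attr(node, key):
        # Attribute text of a field, or '' when the node is None, is a text
        # node (attributes is None) or lacks the attribute.
        try:
            return node.attributes[key].value
        except (AttributeError, KeyError, TypeError):
            return ''

    def _value(node):
        # Decoded bytes of a field's hex 'value' attribute; '' if absent or
        # undecodable, so one bad field cannot abort the whole packet.
        try:
            return hexStringDecode(node.attributes['value'].value)
        except Exception:
            return ''

    if not protos:
        return []
    fields = protos[0].childNodes

    # The original only accepted "230 OK"; any reply code 230 means the login
    # succeeded (RFC 959), e.g. "230 Login successful.", so match the code.
    reply = _attr(fields[2], 'show') if len(fields) > 2 else ''
    if reply.startswith('230 '):
        return [
            ModuleStorage(value={'FTP_VERIF': ''},
                          complete=False,
                          notes=' - ',
                          relevance=10,
                          verification=True)
        ]

    for field in fields:
        line = _attr(field, 'show')
        if line.startswith('PASS '):
            key = 'pass'
        elif line.startswith('USER '):
            key = 'user'
        else:
            continue
        # The argument is read from the field's second child, as the original
        # did; a field laid out differently is skipped rather than crashing.
        if len(field.childNodes) < 2:
            continue
        return [
            ModuleStorage(value={key: _value(field.childNodes[1])},
                          complete=False,
                          notes=' - ',
                          relevance=10)
        ]
    return []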
Example #2
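def parse(protos, packet):
    """Extract POP3 USER/PASS arguments and a login confirmation from one packet.

    Args:
        protos: PDML protocol nodes; ``protos[0].firstChild`` is either the
            ``pop.response`` field (server side) or the request field whose
            children carry ``pop.request.command`` and
            ``pop.request.parameter``.
        packet: unused here (shared parser signature).

    Returns:
        ``[ModuleStorage(value={'POP_VERIF': ''}, verification=True, ...)]``
        for a response whose ``showname`` starts with ``+OK logged in.``;
        ``[ModuleStorage(value={<command>: <parameter>}, ...)]`` for the
        first request parameter found, keyed by the lower-cased command seen
        before it (``'user'`` / ``'pass'``, or ``''`` if none preceded it);
        ``[]`` otherwise, including for malformed PDML (never raises).
    """

    def _attr(node, key):
        # '' instead of AttributeError/KeyError/TypeError for odd nodes; the
        # tree comes from untrusted traffic.
        try:
            return node.attributes[key].value
        except (AttributeError, KeyError, TypeError):
            return ''

    def _value(node):
        # Decoded hex 'value' attribute, '' when absent or undecodable.
        try:
            return hexStringDecode(node.attributes['value'].value)
        except Exception:
            return ''

    if not protos or protos[0].firstChild is None:
        return []
    top = protos[0].firstChild

    if _attr(top, 'name') == 'pop.response':
        # Only this exact wording counts as a confirmed login: the parser is
        # stateless, so a bare "+OK" cannot be tied to the preceding PASS.
        # NOTE(review): this reads ``showname``, which tshark normally
        # prefixes with the field label ("Response: ...") -- confirm it
        # matches on real captures; ``show`` may be the intended attribute.
        if _attr(top, 'showname').startswith('+OK logged in.'):
            return [
                ModuleStorage(value={'POP_VERIF': ''},
                              complete=False,
                              notes=' - ',
                              relevance=10,
                              verification=True)
            ]

    command = ''
    for field in top.childNodes:
        name = _attr(field, 'name')
        if name == 'pop.request.command':
            command = _value(field)
        elif name == 'pop.request.parameter':
            return [
                ModuleStorage(value={('%s' % command).lower(): _value(field)},
                              complete=False,
                              notes=' - ',
                              relevance=10)
            ]

    return []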
Example #3
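def parse(protos, packet):
    """Extract FTP USER/PASS values and login confirmations from one packet.

    ``protos[0]`` is the ``ftp`` PDML node; its child fields are the dissected
    lines. ``packet`` is unused (shared parser signature).

    Returns a one-element list: ``{'FTP_VERIF': ''}`` (verification=True) when
    the third child field is a 230 "user logged in, proceed" reply (RFC 959);
    ``{'pass': ...}`` / ``{'user': ...}`` for the first PASS / USER line; or
    ``[]`` when nothing matched or the tree is not shaped as expected. The
    input is wire data, so nothing here may raise on a malformed tree.
    """

    def _attr(node, key):
        # '' for None nodes, text nodes (attributes is None) or missing attributes.
        try:
            return node.attributes[key].value
        except (AttributeError, KeyError, TypeError):
            return ''

    def _value(node):
        # Decoded hex 'value' attribute, '' when absent or undecodable.
        try:
            return hexStringDecode(node.attributes['value'].value)
        except Exception:
            return ''

    if not protos:
        return []
    fields = protos[0].childNodes

    # Match the reply code, not the "230 OK" wording: every 230 reply means the
    # login succeeded ("230 Login successful." is common and was missed before).
    reply = _attr(fields[2], 'show') if len(fields) > 2 else ''
    if reply.startswith('230 '):
        return [ModuleStorage(value={'FTP_VERIF': ''}, complete=False, notes=' - ', relevance=10, verification=True)]

    for field in fields:
        line = _attr(field, 'show')
        key = 'pass' if line.startswith('PASS ') else 'user' if line.startswith('USER ') else None
        if key is None or len(field.childNodes) < 2:
            # Not a credential line, or the argument child is missing: skip.
            continue
        return [ModuleStorage(value={key: _value(field.childNodes[1])}, complete=False, notes=' - ', relevance=10)]
    return []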
Example #4
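def parse(protos, packet):
    """Extract POP3 USER/PASS arguments and a login confirmation from one packet.

    ``protos[0].firstChild`` is either the ``pop.response`` field or the request
    field whose children are ``pop.request.command`` / ``pop.request.parameter``.
    ``packet`` is unused (shared parser signature).

    Returns ``[{'POP_VERIF': ''}]`` (verification=True) when a response's
    ``showname`` starts with "+OK logged in."; ``[{<command>: <parameter>}]``
    for the first request parameter, keyed by the lower-cased command seen
    before it ('' if none); ``[]`` otherwise. Malformed PDML (the input is
    untrusted traffic) yields ``[]`` instead of an exception.
    """

    def _attr(node, key):
        try:
            return node.attributes[key].value
        except (AttributeError, KeyError, TypeError):
            return ""

    def _value(node):
        # Decoded hex 'value' attribute, '' when absent or undecodable.
        try:
            return hexStringDecode(node.attributes["value"].value)
        except Exception:
            return ""

    if not protos or protos[0].firstChild is None:
        return []
    top = protos[0].firstChild

    if _attr(top, "name") == "pop.response":
        # The parser is stateless, so only this exact success wording is
        # accepted; a generic "+OK" could answer any command.
        # NOTE(review): ``showname`` usually carries a "Response: " label in
        # tshark PDML -- confirm this prefix check matches; ``show`` may be meant.
        if _attr(top, "showname").startswith("+OK logged in."):
            return [
                ModuleStorage(value={"POP_VERIF": ""}, complete=False, notes=" - ", relevance=10, verification=True)
            ]

    command = ""
    for field in top.childNodes:
        name = _attr(field, "name")
        if name == "pop.request.command":
            command = _value(field)
        elif name == "pop.request.parameter":
            return [
                ModuleStorage(
                    value={("%s" % command).lower(): _value(field)},
                    complete=False,
                    notes=" - ",
                    relevance=10,
                )
            ]

    return []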
Example #5
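def parse(protos, packet):
    """Extract credentials, session cookies and login confirmations from one HTTP packet.

    Args:
        protos: PDML protocol nodes for the packet. ``protos[0]`` is the
            ``http`` node: its ``firstChild`` is the request/status line (with
            method/URI or response-code sub-fields) and the remaining children
            are the header fields. ``protos[1]``, when present, is the body.
        packet: object whose ``src``/``dst`` dicts carry a ``'host'`` entry.
            One of them is rewritten in place by the first matching
            HOST_REWRITE rule.

    Returns:
        A list of ModuleStorage records, empty when nothing was found:
          * ``{'HTTP_POST_VERIF': ''}`` (verification=True) when a response
            body matches ``verif_trigg``; ``notes`` names the user if an I_G
            pattern registered for the source host matches the body;
          * ``{'<site> session': <value>}`` for a cookie listed in SESSION_DB,
            or for a complete set of the cookies listed for a site in
            SESSION_MULTI_DB;
          * ``{'http basic auth': <header value>}`` for Authorization: Basic;
          * ``{<trigger name>: <value>}`` per POST form field whose name
            matches a ``triggers`` pattern.

    All input is attacker-controlled wire data: a malformed or unexpected PDML
    tree degrades to "nothing found" instead of raising. Only ``Exception`` is
    swallowed (the original used bare ``except:``), so KeyboardInterrupt and
    SystemExit still stop the sniffer.
    """

    def _attr(node, key):
        # Attribute text of a PDML field, or '' when the node is None, is a
        # text node (attributes is None) or lacks the attribute.
        try:
            return node.attributes[key].value
        except (AttributeError, KeyError, TypeError):
            return ''

    def _value(node):
        # Decoded bytes of a field's hex 'value' attribute, '' if absent or
        # undecodable -- one bad field must not abort the whole packet.
        try:
            return hexStringDecode(node.attributes['value'].value)
        except Exception:
            return ''

    if not protos:
        return []
    http_proto = protos[0]
    first_line = http_proto.firstChild
    if first_line is None or _attr(first_line, 'name') == 'data':
        # Undissected payload, not an HTTP message: nothing to extract.
        return []

    ret = []

    # Canonicalise the endpoint host names; the first matching rule wins and
    # only one side is rewritten.
    for r in HOST_REWRITE:
        if packet.src['host'].find(r[0]) >= 0:
            packet.src['host'] = r[1]
            break
        elif packet.dst['host'].find(r[0]) >= 0:
            packet.dst['host'] = r[1]
            break

    # ---- Response: look for a "login succeeded" marker in the body. ----
    try:
        is_response = _attr(first_line.childNodes[2], 'name') == 'http.response.code'
    except IndexError:
        is_response = False
    if is_response:
        if len(protos) > 1 and _attr(protos[1], 'name') == 'data-text-lines':
            # TODO write to file?!
            try:
                full_response_content = ''.join(
                    [_value(x) for x in protos[1].childNodes])
                notes = ''
                for i in I_G:
                    if packet.src['host'].find(i[1]) >= 0:
                        m = i[0].search(full_response_content)
                        if m:
                            notes = 'User: %s' % m.group(1)
                            break
                if verif_trigg.search(full_response_content):
                    # HTTP verification found!
                    ret.append(
                        ModuleStorage(value={'HTTP_POST_VERIF': ''},
                                      complete=False,
                                      notes=notes,
                                      relevance=10,
                                      verification=True))
            except Exception:
                # Best effort, as before: an odd body or pattern never takes
                # the sniffer down.
                pass
        # A response carries no request headers or form data, so it is never
        # parsed as a request below.
        return ret

    # ---- Request: request line, headers, then the form body. ----
    method = ''
    uri = ''
    for f in first_line.childNodes:
        name = _attr(f, 'name')
        if name == 'http.request.method':
            method = _attr(f, 'show')
        elif name == 'http.request.uri':
            uri = _value(f)

    headers = http_proto.childNodes[1:]

    # Resolve Host before the other headers so the "@ host" part of the notes
    # is filled in even when Cookie or Authorization precede Host on the wire
    # (a single pass left it empty in that case).
    host = ''
    for field in headers:
        if _attr(field, 'name') == 'http.host':
            host = _value(field)[6:].replace('\r\n', '')  # drop "Host: " + CRLF
    where = '"%s %s" @ %s' % (method, uri, host)

    for field in headers:
        name = _attr(field, 'name')
        if name == 'http.cookie':
            # SimpleCookie is the plain parser; the pickle-based SerialCookie/
            # SmartCookie variants must never be used on wire data.
            cookie = Cookie.SimpleCookie()
            cookiestr = _value(field)[8:].replace('\r\n', '')  # drop "Cookie: " + CRLF
            try:
                cookie.load(cookiestr)
            except Exception:
                continue  # unparsable cookie header: skip it, keep the packet

            # multi_cookie becomes [site, {name: value, ...}] once a cookie
            # from a SESSION_MULTI_DB set is seen; the set is reported only
            # when every cookie listed for that site has been collected.
            multi_cookie = []
            for k, v in cookie.items():
                if not multi_cookie:
                    for s, d in SESSION_DB:
                        if s == k:
                            ret.append(
                                ModuleStorage(
                                    value={('%s session' % d): v.value},
                                    complete=True,
                                    notes=where,
                                    relevance=3))
                            break
                # Multi-cookie matching is only attempted while nothing has
                # been recorded for this packet yet (single-cookie hits win).
                if not ret:
                    if not multi_cookie:
                        for s, d in SESSION_MULTI_DB.items():
                            for x in d:
                                if x == k:
                                    multi_cookie.extend((s, {k: v.value}))
                                    break
                            if multi_cookie:
                                break
                    else:
                        for x in SESSION_MULTI_DB[multi_cookie[0]]:
                            if x == k:
                                multi_cookie[1][k] = v.value
                                break
            if multi_cookie and len(multi_cookie[1]) == len(
                    SESSION_MULTI_DB[multi_cookie[0]]):
                ret.append(
                    ModuleStorage(value={
                        ('%s session' % multi_cookie[0]):
                        ', '.join(multi_cookie[1].values())
                    },
                                  complete=True,
                                  notes=where,
                                  relevance=3))
        elif name == 'http.authorization':
            if _attr(field.firstChild, 'name') == 'http.authbasic':
                # TODO - find a method to verify http basic authentication
                ret.append(
                    ModuleStorage(value={
                        'http basic auth':
                        _attr(field.firstChild, 'show')
                    },
                                  complete=True,
                                  notes=where,
                                  relevance=11))

    # ---- POST body: form fields whose name matches a trigger. ----
    if len(protos) > 1:
        post_data = _value(protos[1].firstChild)
        for field_name, field_value in parse_qsl(post_data):
            for trigger in triggers:
                if trigger[0].match(field_name):
                    ret.append(
                        ModuleStorage(value={trigger[1]: field_value},
                                      complete=False,
                                      notes='%s %s' % (method, uri),
                                      relevance=10))

    return ret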
Example #6
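def parse(protos, packet):
    """Extract credentials, session cookies and login confirmations from one HTTP packet.

    ``protos[0]`` is the ``http`` PDML node (``firstChild`` = request/status
    line, remaining children = header fields); ``protos[1]``, if present, is
    the body node. ``packet.src``/``packet.dst`` are dicts with a ``'host'``
    entry; one of them is rewritten in place by the first matching
    HOST_REWRITE rule.

    Returns a list of ModuleStorage records (possibly empty):
      * ``{'HTTP_POST_VERIF': ''}`` (verification=True) when a response body
        matches ``verif_trigg``, with the user name in ``notes`` if an I_G
        pattern for the source host matches;
      * ``{'<site> session': ...}`` for a SESSION_DB cookie or a complete
        SESSION_MULTI_DB cookie set;
      * ``{'http basic auth': ...}`` for an Authorization: Basic header;
      * ``{<trigger name>: <value>}`` per matching POST form field.

    The input is attacker-controlled traffic: a malformed PDML tree yields
    "nothing found" rather than an exception, and only ``Exception`` is ever
    swallowed (no bare ``except:``), so Ctrl-C still stops the sniffer.
    """

    def _attr(node, key):
        # '' for None nodes, text nodes (attributes is None) or missing attributes.
        try:
            return node.attributes[key].value
        except (AttributeError, KeyError, TypeError):
            return ''

    def _value(node):
        # Decoded hex 'value' attribute, '' when absent or undecodable.
        try:
            return hexStringDecode(node.attributes['value'].value)
        except Exception:
            return ''

    if not protos:
        return []
    http_proto = protos[0]
    first_line = http_proto.firstChild
    if first_line is None or _attr(first_line, 'name') == 'data':
        return []  # undissected payload, not an HTTP message

    ret = []

    # First matching HOST_REWRITE rule wins; only one side is rewritten.
    for r in HOST_REWRITE:
        if packet.src['host'].find(r[0]) >= 0:
            packet.src['host'] = r[1]
            break
        elif packet.dst['host'].find(r[0]) >= 0:
            packet.dst['host'] = r[1]
            break

    # Response: scan the body for a "login succeeded" marker, then stop --
    # a response is never parsed as a request/form below.
    try:
        is_response = _attr(first_line.childNodes[2], 'name') == 'http.response.code'
    except IndexError:
        is_response = False
    if is_response:
        if len(protos) > 1 and _attr(protos[1], 'name') == 'data-text-lines':
            # TODO write to file?!
            try:
                body = ''.join([_value(x) for x in protos[1].childNodes])
                notes = ''
                for i in I_G:
                    if packet.src['host'].find(i[1]) >= 0:
                        m = i[0].search(body)
                        if m:
                            notes = 'User: %s' % m.group(1)
                            break
                if verif_trigg.search(body):
                    # HTTP verification found!
                    ret.append(ModuleStorage(value={'HTTP_POST_VERIF': ''}, complete=False, notes=notes, relevance=10, verification=True))
            except Exception:
                pass  # best effort: an odd body or pattern must not crash the sniffer
        return ret

    # Request line.
    method = ''
    uri = ''
    for f in first_line.childNodes:
        name = _attr(f, 'name')
        if name == 'http.request.method':
            method = _attr(f, 'show')
        elif name == 'http.request.uri':
            uri = _value(f)

    headers = http_proto.childNodes[1:]

    # Resolve Host first so the "@ host" note is complete even when Cookie or
    # Authorization come before Host on the wire.
    host = ''
    for field in headers:
        if _attr(field, 'name') == 'http.host':
            host = _value(field)[6:].replace('\r\n', '')  # strip "Host: " + CRLF
    where = '"%s %s" @ %s' % (method, uri, host)

    for field in headers:
        name = _attr(field, 'name')
        if name == 'http.cookie':
            # SimpleCookie only: the pickle-backed SerialCookie/SmartCookie must
            # never see wire data.
            cookie = Cookie.SimpleCookie()
            cookiestr = _value(field)[8:].replace('\r\n', '')  # strip "Cookie: " + CRLF
            try:
                cookie.load(cookiestr)
            except Exception:
                continue  # unparsable cookie header: skip it

            # [site, {name: value}] once a SESSION_MULTI_DB cookie is seen;
            # reported only when the whole set for that site is present.
            multi_cookie = []
            for k, v in cookie.items():
                if not multi_cookie:
                    for s, d in SESSION_DB:
                        if s == k:
                            ret.append(ModuleStorage(value={('%s session' % d): v.value}, complete=True, notes=where, relevance=3))
                            break
                # Multi-cookie matching only runs while nothing has been recorded yet.
                if not ret:
                    if not multi_cookie:
                        for s, d in SESSION_MULTI_DB.items():
                            for x in d:
                                if x == k:
                                    multi_cookie.extend((s, {k: v.value}))
                                    break
                            if multi_cookie:
                                break
                    else:
                        for x in SESSION_MULTI_DB[multi_cookie[0]]:
                            if x == k:
                                multi_cookie[1][k] = v.value
                                break
            if multi_cookie and len(multi_cookie[1]) == len(SESSION_MULTI_DB[multi_cookie[0]]):
                ret.append(ModuleStorage(value={('%s session' % multi_cookie[0]): ', '.join(multi_cookie[1].values())}, complete=True, notes=where, relevance=3))
        elif name == 'http.authorization':
            if _attr(field.firstChild, 'name') == 'http.authbasic':
                # TODO - find a method to verify http basic authentication
                ret.append(ModuleStorage(value={'http basic auth': _attr(field.firstChild, 'show')}, complete=True, notes=where, relevance=11))

    # POST body: form fields whose name matches a trigger.
    if len(protos) > 1:
        post_data = _value(protos[1].firstChild)
        for field_name, field_value in parse_qsl(post_data):
            for trigger in triggers:
                if trigger[0].match(field_name):
                    ret.append(ModuleStorage(value={trigger[1]: field_value}, complete=False, notes='%s %s' % (method, uri), relevance=10))

    return ret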