def dotransform(request, response):
pcap = request.value
usedb = config['working/usedb']
# Check to see if we are using the database or not
if usedb == 0:
return response + UIMessage('No database support configured, check your config file')
else:
pass
x = mongo_connect()
try:
r = x.STREAMS.find({"File Name": pcap}).count()
if r > 0:
p = x.STREAMS.find({"File Name": pcap}, {"Stream ID": 1, "_id": 0})
for i in p:
sessionid = i['Stream ID']
else:
return response + UIMessage('This needs to be run from a TCP/UDP stream')
except Exception as e:
return response + UIMessage(str(e))
try:
t = x.DNS.find({"Stream ID": sessionid}).count()
if t > 0:
p = x.DNS.find({"Stream ID": sessionid}, {"Request Details.Query Name": 1, "_id": 0})
for i in p:
e = Website(i['Request Details']['Query Name'])
response += e
return response
else:
return response + UIMessage('No DNS records found')
except Exception as e:
return response + UIMessage(str(e))
def dotransform(request, response):
try:
url = 'http://%s' % request.value
urlopen(url)
response += Website(request.value, iconurl=thumbnail(url))
except IOError, ioe:
response += UIMessage(str(ioe))
def dotransform(request, response, config):
if 'taskid' in request.fields:
task = request.fields['taskid']
else:
task = request.value
netw = network(report(task))
for d in netw['http']:
response += Website(d['uri'].decode('ascii'), taskid=task)
return response
def dotransform(request, response):
pcap = request.value
get_requests = []
cmd = 'tshark -r ' + pcap + ' -R "http.request.method == GET" -T fields -e http.host'
a = os.popen(cmd).readlines()
for host in a:
if host not in get_requests:
get_requests.append(host)
for host in get_requests:
e = Website(host)
response += e
return response
def dotransform(request, response):
pcap = request.value
usedb = config['working/usedb']
# Check to see if we are using the database or not
if usedb > 0:
# Connect to the database so we can insert the record created below
d = mongo_connect()
c = d['SSL']
# Hash the pcap file
try:
md5hash = md5_for_file(pcap)
except Exception as e:
return response + UIMessage(str(e))
d = find_session(md5hash)
pcap_id = d[0]
else:
pass
# Load the packets
pkts = rdpcap(pcap)
# Look for SSL packets and pull out the required information.
servers = []
try:
for p in pkts:
if p.haslayer(IP) and p.haslayer(TCP) and p.haslayer(Raw):
x = p[Raw].load
x = hexstr(x)
x = x.split(' ')
if x[0] == '16':
timestamp = datetime.datetime.fromtimestamp(p.time).strftime('%Y-%m-%d %H:%M:%S.%f')
stype = 'Handshake'
if x[5] == '01':
htype = 'Client Hello'
slen = int(''.join(x[131:133]), 16)
s = 133 + slen
sname = binascii.unhexlify(''.join(x[133:s]))
if sname not in servers:
servers.append(sname)
if usedb > 0:
data = {'PCAP ID': pcap_id, 'SSL Type': stype, 'Handshake Type': htype,
'Time Stamp': timestamp,
'Source IP': p[IP].src, 'Source Port': p[TCP].sport, 'Destination IP': p[IP].dst,
'Destination Port': p[TCP].dport, 'Server Name': sname}
t = d.SSL.find({'Time Stamp': timestamp}).count()
if t > 0:
pass
else:
c.insert(data)
else:
pass
if x[5] == '02':
htype = 'Server Hello'
ctype = ''.join(x[76:78])
if usedb > 0:
data = {'PCAP ID': pcap_id, 'SSL Type': stype, 'Handshake Type': htype,
'Time Stamp': timestamp,
'Source IP': p[IP].src, 'Source Port': p[TCP].sport, 'Destination IP': p[IP].dst,
'Destination Port': p[TCP].dport, 'Cipher Suite': ctype}
t = d.SSL.find({'Time Stamp': timestamp}).count()
if t > 0:
pass
else:
c.insert(data)
else:
pass
else:
pass
else:
pass
except Exception as e:
return response + UIMessage(str(e))
# Return Maltego entities based on the SSL server name
for s in servers:
e = Website(s)
response += e
return response
def dotransform(request, response):
# Store the pcap file as a variable
pcap = request.value
usedb = config['working/usedb']
# Check to see if we are using the database or not
if usedb > 0:
# Connect to the database so we can insert the record created below
x = mongo_connect()
c = x['HTTP']
# Hash the pcap file
try:
md5hash = md5_for_file(pcap)
except Exception as e:
return response + UIMessage(str(e))
d = find_session(md5hash)
pcap_id = d[0]
else:
pass
# Find HTTP Requests
pkts = rdpcap(pcap)
http_requests = []
for p in pkts:
if p.haslayer(HTTPRequest):
timestamp = datetime.datetime.fromtimestamp(
p.time).strftime('%Y-%m-%d %H:%M:%S.%f')
r = p[HTTPRequest].Host
if usedb > 0:
http = OrderedDict({
'PCAP ID': pcap_id,
'Time Stamp': timestamp,
'Type': 'HTTP Request',
'IP': {
'src': p[IP].src,
'dst': p[IP].dst
},
'HTTP': {
'Method': p[HTTPRequest].Method,
'URI': p[HTTPRequest].Path,
'Referer': p[HTTPRequest].Referer,
'Host': p[HTTPRequest].Host
}
})
# Check if record already exists
s = x.HTTP.find({'Time Stamp': timestamp}).count()
if s > 0:
pass
else:
c.insert(http)
if r not in http_requests:
http_requests.append(r)
else:
pass
for i in http_requests:
h = Website(i)
response += h
return response