def dotransform(request, response):
    """Return a pcapStream entity whose banner is parsed from a stream file name.

    The entity value is the path of a stream pcap. The folder prefix is taken
    from the session index (database mode) or from ``working/directory``;
    what remains of the path, minus a fixed prefix and the extension, is
    split on '-' into protocol, source and destination.
    """
    stream_path = request.value
    use_db = config['working/usedb']
    if use_db > 0:
        # Database mode: the stream folder is recorded against the session.
        mongo_connect()
        try:
            file_hash = md5_for_file(stream_path)
        except Exception as err:
            return response + UIMessage(str(err))
        folder = find_session(file_hash)[2]
    else:
        folder = config['working/directory']
    # Skip the folder plus 11 characters (presumably a fixed sub-directory
    # component -- confirm against the indexer) and drop the 5-character
    # extension; the remainder is expected to be "<proto>-<src>-<dst>".
    offset = len(folder) + 11
    parts = stream_path[offset:-5].split('-')
    banner = 'Protocol:%s\nSource:%s\nDestination:%s' % (parts[0], parts[1], parts[2])
    response += pcapStream(banner)
    return response
def dotransform(request, response):
    """Return a pcapFile entity for every stream pcap recorded under a capture.

    The entity value is the path of an indexed pcap; its PCAP ID is looked up
    in INDEX and the matching stream file names are read from STREAMS.
    Requires database support.
    """
    pcap_path = request.value
    if config["working/usedb"] == 0:
        return response + UIMessage("No database support configured, check your config file")
    db = mongo_connect()
    try:
        index_query = {"PCAP Path": pcap_path}
        if db.INDEX.find(index_query).count() == 0:
            return response + UIMessage("PCAP not found, is the SessionID correct??")
        # The last matching index record wins, as with a plain loop over the cursor.
        for record in db.INDEX.find(index_query, {"PCAP ID": 1, "_id": 0}):
            session_id = record["PCAP ID"]
    except Exception as err:
        return response + UIMessage(str(err))
    try:
        stream_query = {"PCAP ID": session_id}
        if db.STREAMS.find(stream_query).count() == 0:
            return response + UIMessage("No streams found for that Session ID")
        for record in db.STREAMS.find(stream_query, {"File Name": 1, "_id": 0}):
            response += pcapFile(record["File Name"])
        return response
    except Exception as err:
        return response + UIMessage(str(err))
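def dotransform(request, response):
    """Upload a file from a session folder to the web server and record it in FILES.

    The entity value is the file's full path; ``folder`` and ``sessionid`` come
    from the entity's fields. Returns a UIMessage describing the outcome.
    Requires database support.
    """
    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')
    zipfile = request.value
    folder = request.fields['folder']
    pcap_id = request.fields['sessionid']
    # Build the web server variables; the config values may carry quotes.
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')
    upload_url = 'http://%s:%s/pcap/_uploads' % (url, port)
    db = mongo_connect()
    files_coll = db['FILES']
    now = time.strftime("%c")
    # Hash the file so the record can be matched later.
    try:
        md5hash = md5_for_file(zipfile)
        sha1hash = sha1_for_file(zipfile)
    except Exception as err:
        return response + UIMessage(str(err))
    # The path is assumed to start with ``folder`` plus a separator; what
    # follows is taken as the file name -- confirm against the caller.
    filename = zipfile[len(folder) + 1:]
    download_url = 'http://%s:%s/pcap/downloads/%s' % (url, port, filename)
    # Check to see if the file is already uploaded
    if files_coll.find({'File Name': filename}).count() > 0:
        return response + UIMessage('File already uploaded!!')
    data = {
        'Upload Time': now,
        'File Name': filename,
        'Folder': folder,
        'MD5 Hash': md5hash,
        'SHA1 Hash': sha1hash,
        'Download': download_url,
        'PCAP ID': pcap_id
    }
    try:
        # POST the file; the handle is closed once the request is sent
        # (the original left it open).
        with open(zipfile, 'rb') as fh:
            r = requests.post(upload_url, files={'files': fh})
        if r.status_code == 200:
            files_coll.insert(data)
            return response + UIMessage('File Uploaded!!')
        return response + UIMessage('Whoops file upload didn\'t work.')
    except Exception as err:
        return response + UIMessage(str(err))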
def dotransform(request, response):
    """Return IPv4Address entities for the endpoints of a stream pcap.

    The entity value is a stream file name; source and destination addresses
    are read from the matching STREAMS records. Requires database support.
    """
    stream_name = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')
    db = mongo_connect()
    addresses = []
    try:
        query = {"File Name": stream_name}
        if db.STREAMS.find(query).count() == 0:
            return response + UIMessage('This needs to be run from a TCP/UDP stream')
        projection = {"Packet.Source IP": 1, "Packet.Destination IP": 1, "_id": 0}
        for record in db.STREAMS.find(query, projection):
            packet = record['Packet']
            addresses.extend([packet['Source IP'], packet['Destination IP']])
    except Exception as err:
        return response + UIMessage(str(err))
    for address in addresses:
        response += IPv4Address(address)
    return response
def dotransform(request, response):
    """Return a Website entity per DNS query name recorded for a stream pcap.

    The stream's id is read from STREAMS by file name, then the DNS records
    for that stream are listed. Requires database support.
    """
    stream_name = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')
    db = mongo_connect()
    try:
        query = {"File Name": stream_name}
        if db.STREAMS.find(query).count() == 0:
            return response + UIMessage('This needs to be run from a TCP/UDP stream')
        for record in db.STREAMS.find(query, {"Stream ID": 1, "_id": 0}):
            stream_id = record['Stream ID']
    except Exception as err:
        return response + UIMessage(str(err))
    try:
        dns_query = {"Stream ID": stream_id}
        if db.DNS.find(dns_query).count() == 0:
            return response + UIMessage('No DNS records found')
        projection = {"Request Details.Query Name": 1, "_id": 0}
        for record in db.DNS.find(dns_query, projection):
            response += Website(record['Request Details']['Query Name'])
        return response
    except Exception as err:
        return response + UIMessage(str(err))
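def dotransform(request, response):
    """Return an IPv4Address entity for every host in stream records matching a file name.

    The entity value is matched as a substring of ``File Name`` in STREAMS.
    Requires database support.
    """
    import re

    filename = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')
    db = mongo_connect()
    streams = db['STREAMS']
    try:
        # The value is passed to Mongo as a regular expression; escape it so
        # metacharacters in a file name (e.g. '.') match literally and a
        # pathological pattern cannot reach the server.
        cursor = streams.find({'File Name': {'$regex': re.escape(filename)}})
        # The original compared the cursor object itself with 0, which never
        # detected an empty result; count the matches instead.
        if cursor.count() == 0:
            return response + UIMessage(
                'No records found, please make sure the pcap stream file is indexed'
            )
        hosts = []
        for record in cursor:
            hosts.append(record['Packet']['Source IP'])
            hosts.append(record['Packet']['Destination IP'])
        for host in hosts:
            response += IPv4Address(host)
        return response
    except Exception as err:
        return response + UIMessage(str(err))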
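def dotransform(request, response):
    """Return an IPv4Address entity for every host in stream records matching a file name.

    The entity value is matched as a substring of ``File Name`` in STREAMS.
    Requires database support.
    """
    import re

    filename = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')
    db = mongo_connect()
    streams = db['STREAMS']
    try:
        # The value is passed to Mongo as a regular expression; escape it so
        # metacharacters in a file name (e.g. '.') match literally and a
        # pathological pattern cannot reach the server.
        cursor = streams.find({'File Name': {'$regex': re.escape(filename)}})
        # The original compared the cursor object itself with 0, which never
        # detected an empty result; count the matches instead.
        if cursor.count() == 0:
            return response + UIMessage('No records found, please make sure the pcap stream file is indexed')
        hosts = []
        for record in cursor:
            hosts.append(record['Packet']['Source IP'])
            hosts.append(record['Packet']['Destination IP'])
        for host in hosts:
            response += IPv4Address(host)
        return response
    except Exception as err:
        return response + UIMessage(str(err))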
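def dotransform(request, response):
    """Return a Folder entity for the working directory recorded against a session id.

    The entity value is a PCAP ID; the folder comes from INDEX. Requires
    database support.
    """
    pcap_id = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')
    db = mongo_connect()
    index = db['INDEX']
    try:
        query = {'PCAP ID': pcap_id}
        # Without this guard an unknown session id left ``folder`` unbound and
        # the transform died with a NameError instead of a message.
        if index.find(query).count() == 0:
            return response + UIMessage('PCAP not found, is the SessionID correct??')
        for record in index.find(query, {'Working Directory': 1, '_id': 0}):
            folder = record['Working Directory']
    except Exception as err:
        return response + UIMessage(str(err))
    entity = Folder(folder)
    entity += Field('sessionid', pcap_id, displayname='Session ID')
    response += entity
    return response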
def dotransform(request, response):
    """Return IPv4Address entities for the endpoints of a stream pcap.

    The entity value is a stream file name; source and destination addresses
    are read from the matching STREAMS records. Requires database support.
    """
    stream_name = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')
    db = mongo_connect()
    addresses = []
    try:
        query = {"File Name": stream_name}
        if db.STREAMS.find(query).count() == 0:
            return response + UIMessage(
                'This needs to be run from a TCP/UDP stream')
        projection = {
            "Packet.Source IP": 1,
            "Packet.Destination IP": 1,
            "_id": 0
        }
        for record in db.STREAMS.find(query, projection):
            packet = record['Packet']
            addresses.extend([packet['Source IP'], packet['Destination IP']])
    except Exception as err:
        return response + UIMessage(str(err))
    for address in addresses:
        response += IPv4Address(address)
    return response
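def dotransform(request, response):
    """Extract DNS queries from a pcap and return one Domain entity per registered domain.

    With database support on, each query is also stored in the DNS collection
    under the pcap's session (skipped when a record with the same time stamp
    already exists). Packets are assumed to carry an IPv4 layer; anything
    else raises and is reported.
    """
    pcap = request.value
    usedb = config['working/usedb']
    if usedb > 0:
        db = mongo_connect()
        dns_coll = db['DNS']
        try:
            md5hash = md5_for_file(pcap)
        except Exception as err:
            return response + UIMessage(str(err))
        # Get the session and/or pcap id
        session = find_session(md5hash)
        pcap_id = session[0]
        session_id = session[1]
    try:
        domains = []
        for pkt in rdpcap(pcap):
            if not pkt.haslayer(DNSQR):
                continue
            timestamp = datetime.datetime.fromtimestamp(pkt.time).strftime('%Y-%m-%d %H:%M:%S.%f')
            # Drop the trailing character of the query name (the root dot, presumably).
            qname = pkt[DNSQR].qname[:-1]
            domain = tldextract.extract(qname).registered_domain
            if usedb > 0:
                record = OrderedDict({'PCAP ID': pcap_id, 'Stream ID': session_id, 'Time Stamp': timestamp, 'Type': 'Request', 'IP': {'src': pkt[IP].src, 'dst': pkt[IP].dst, 'length': pkt[IP].len}, 'Request Details': {'Query Type': pkt[DNSQR].qtype, 'Query Name': qname, 'Domain': domain}})
                if db.DNS.find({'Time Stamp': timestamp}).count() == 0:
                    dns_coll.insert(record)
            # The original tested the query name but appended the domain, so
            # the list was never de-duplicated; test the value actually stored.
            if domain not in domains:
                domains.append(domain)
        for domain in domains:
            response += Domain(domain)
        return response
    except Exception as err:
        if usedb > 0:
            error_logging(str(err), 'DNS Requests')
        # Always hand a result back; the original returned None in database mode.
        return response + UIMessage(str(err))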
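def dotransform(request, response):
    """Upload a file from a session folder to the web server and record it in FILES.

    The entity value is the file's full path; ``folder`` and ``sessionid`` come
    from the entity's fields. Returns a UIMessage describing the outcome.
    Requires database support.
    """
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')
    zipfile = request.value
    folder = request.fields['folder']
    pcap_id = request.fields['sessionid']
    # Build the web server variables; the config values may carry quotes.
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')
    upload_url = 'http://%s:%s/pcap/_uploads' % (url, port)
    db = mongo_connect()
    files_coll = db['FILES']
    now = time.strftime("%c")
    # Hash the file so the record can be matched later.
    try:
        md5hash = md5_for_file(zipfile)
        sha1hash = sha1_for_file(zipfile)
    except Exception as err:
        return response + UIMessage(str(err))
    # The path is assumed to start with ``folder`` plus a separator; what
    # follows is taken as the file name -- confirm against the caller.
    filename = zipfile[len(folder) + 1:]
    download_url = 'http://%s:%s/pcap/downloads/%s' % (url, port, filename)
    # Check to see if the file is already uploaded
    if files_coll.find({'File Name': filename}).count() > 0:
        return response + UIMessage('File already uploaded!!')
    data = {'Upload Time': now, 'File Name': filename, 'Folder': folder, 'MD5 Hash': md5hash, 'SHA1 Hash': sha1hash, 'Download': download_url, 'PCAP ID': pcap_id}
    try:
        # POST the file; the handle is closed once the request is sent
        # (the original left it open).
        with open(zipfile, 'rb') as fh:
            r = requests.post(upload_url, files={'files': fh})
        if r.status_code == 200:
            files_coll.insert(data)
            return response + UIMessage('File Uploaded!!')
        return response + UIMessage('Whoops file upload didn\'t work.')
    except Exception as err:
        return response + UIMessage(str(err))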
def dotransform(request, response):
    """Return a Website entity per HTTP Host header seen in a pcap.

    With database support on, each request is also stored in the HTTP
    collection (skipped when a record with the same time stamp exists).
    """
    pcap = request.value
    usedb = config['working/usedb']
    if usedb > 0:
        db = mongo_connect()
        http_coll = db['HTTP']
        try:
            md5hash = md5_for_file(pcap)
        except Exception as err:
            return response + UIMessage(str(err))
        pcap_id = find_session(md5hash)[0]
    hosts = []
    for pkt in rdpcap(pcap):
        if not pkt.haslayer(HTTPRequest):
            continue
        timestamp = datetime.datetime.fromtimestamp(pkt.time).strftime('%Y-%m-%d %H:%M:%S.%f')
        req = pkt[HTTPRequest]
        host = req.Host
        if usedb > 0:
            record = OrderedDict({'PCAP ID': pcap_id, 'Time Stamp': timestamp, 'Type': 'HTTP Request', 'IP': {'src': pkt[IP].src, 'dst': pkt[IP].dst}, 'HTTP': {'Method': req.Method, 'URI': req.Path, 'Referer': req.Referer, 'Host': req.Host}})
            # Skip records already stored for this time stamp.
            if db.HTTP.find({'Time Stamp': timestamp}).count() == 0:
                http_coll.insert(record)
        if host not in hosts:
            hosts.append(host)
    for host in hosts:
        response += Website(host)
    return response
def dotransform(request, response):
    """Return an EmailAddress entity for each address in SMTP MAIL FROM / RCPT TO commands.

    Addresses are taken from TCP payloads that contain one of the markers;
    in database mode each new address is recorded in CREDS.
    """
    pcap = request.value
    markers = ['MAIL FROM:', 'RCPT TO:']
    pkts = rdpcap(pcap)
    usedb = config['working/usedb']
    if usedb > 0:
        db = mongo_connect()
        creds_coll = db['CREDS']
        try:
            md5pcap = md5_for_file(pcap)
        except Exception as err:
            return response + UIMessage(str(err))
        pcap_id = find_session(md5pcap)[0]
    found = []
    pattern = r'<([\S.-]+@[\S-]+)>'
    try:
        for pkt in pkts:
            if not (pkt.haslayer(TCP) and pkt.haslayer(Raw)):
                continue
            payload = pkt[Raw].load
            for marker in markers:
                if marker in payload:
                    found.extend(m.group(1) for m in re.finditer(pattern, payload))
    except Exception as err:
        return response + UIMessage(str(err))
    for address in found:
        if usedb > 0:
            if db.CREDS.find({'Record': address}).count() == 0:
                creds_coll.insert({'PCAP ID': pcap_id, 'Type': 'Email Address', 'Record': address})
        response += EmailAddress(address)
    return response
def dotransform(request, response):
    """Return a pcapFile entity for every stream pcap recorded under a capture.

    The entity value is the path of an indexed pcap; its PCAP ID is looked up
    in INDEX and the matching stream file names are read from STREAMS.
    Requires database support.
    """
    pcap_path = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')
    db = mongo_connect()
    try:
        index_query = {"PCAP Path": pcap_path}
        if db.INDEX.find(index_query).count() == 0:
            return response + UIMessage(
                'PCAP not found, is the SessionID correct??')
        # The last matching index record wins, as with a plain loop over the cursor.
        for record in db.INDEX.find(index_query, {"PCAP ID": 1, "_id": 0}):
            session_id = record['PCAP ID']
    except Exception as err:
        return response + UIMessage(str(err))
    try:
        stream_query = {"PCAP ID": session_id}
        if db.STREAMS.find(stream_query).count() == 0:
            return response + UIMessage('No streams found for that Session ID')
        for record in db.STREAMS.find(stream_query, {"File Name": 1, "_id": 0}):
            response += pcapFile(record['File Name'])
        return response
    except Exception as err:
        return response + UIMessage(str(err))
def dotransform(request, response):
    """Return a pcapFile entity for the pcap path indexed under a session id.

    Requires database support.
    """
    session_id = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')
    db = mongo_connect()
    try:
        query = {"PCAP ID": session_id}
        if db.INDEX.find(query).count() == 0:
            return response + UIMessage('PCAP not found, is the SessionID correct??')
        for record in db.INDEX.find(query, {"_id": 0}):
            response += pcapFile(record['PCAP Path'])
        return response
    except Exception as err:
        return response + UIMessage(str(err))
def dotransform(request, response):
    """Return a Credential entity for each SMTP credential found in a pcap.

    In database mode each new credential is recorded in CREDS under the
    pcap's session id.
    """
    pcap = request.value
    usedb = config['working/usedb']
    if usedb > 0:
        db = mongo_connect()
        creds_coll = db['CREDS']
        try:
            md5pcap = md5_for_file(pcap)
        except Exception as err:
            return response + UIMessage(str(err))
        pcap_id = find_session(md5pcap)[0]
    found = smtp_creds(pcap)
    if len(found) == 0:
        return response + UIMessage('No SMTP Credentials found..sorry')
    for cred in found:
        if usedb > 0:
            if db.CREDS.find({'Record': cred}).count() == 0:
                creds_coll.insert({'PCAP ID': pcap_id, 'Type': 'Email Credential', 'Record': cred})
        response += Credential(cred)
    return response
def dotransform(request, response):
    """Return a pcapFile entity for the pcap path indexed under a session id.

    Requires database support.
    """
    session_id = request.value
    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')
    db = mongo_connect()
    try:
        query = {"PCAP ID": session_id}
        if db.INDEX.find(query).count() == 0:
            return response + UIMessage(
                'PCAP not found, is the SessionID correct??')
        for record in db.INDEX.find(query, {"_id": 0}):
            response += pcapFile(record['PCAP Path'])
        return response
    except Exception as err:
        return response + UIMessage(str(err))
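def dotransform(request, response):
    """Look up an artifact's MD5 hash and return a VirusTotal entity for the report.

    The hash comes from the entity's ``sniffmypacketsv2.fhash`` field and is
    passed to ``vt_lookup_file``; the result is recorded in MALWARE (once per
    hash) together with the session id found in ARTIFACTS. Requires database
    support.
    """
    filename = request.value
    md5hash = request.fields['sniffmypacketsv2.fhash']
    # The original only ran inside ``if usedb > 0`` and produced no result
    # (or an unbound ``link``) otherwise; report that case like the sibling
    # transforms do.
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')
    db = mongo_connect()
    malware = db['MALWARE']
    v = vt_lookup_file(md5hash)
    if v is None:
        return response + UIMessage('No record found in VirusTotal')
    link = v['permalink']
    scan = v['scan_date']
    # ARTIFACTS records are written with the key 'MD5 Hash'; the original
    # queried 'MD5 HASH', which never matched and always left pcap_id empty.
    pcap_id = ''
    for record in db.ARTIFACTS.find({'MD5 Hash': md5hash}, {"PCAP ID": 1, "_id": 0}):
        pcap_id = record['PCAP ID']
    data = {'PCAP ID': pcap_id, 'File Name': filename, 'Permalink': link, 'Scan Date': scan, 'MD5 Hash': md5hash}
    if db.MALWARE.find({'MD5 Hash': md5hash}).count() == 0:
        malware.insert(data)
    response += VirusTotal(link)
    return response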
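def dotransform(request, response):
    """Carve files out of a pcap into an ``artifacts`` folder and return an Artifact entity per file.

    In database mode the folder lives under the session's working directory
    and each carved file is recorded in ARTIFACTS (once per MD5 + name);
    otherwise a random sub-directory of ``working/directory`` is created.
    Carved files are raw content from the capture and should be treated as
    untrusted data.
    """
    pcap = request.value
    usedb = config['working/usedb']
    if usedb > 0:
        db = mongo_connect()
        artifacts = db['ARTIFACTS']
        try:
            md5pcap = md5_for_file(pcap)
        except Exception as err:
            return response + UIMessage(str(err))
        session = find_session(md5pcap)
        pcap_id = session[0]
        folder = session[2]
    else:
        base = config['working/directory'].strip('\'')
        try:
            if base == '':
                return response + UIMessage('No working directory set, check your config file')
            # A short random uuid4 prefix keeps each run in its own directory.
            base = base + '/' + str(uuid.uuid4())[:12].replace('-', '')
            if not os.path.exists(base):
                os.makedirs(base)
            folder = base
        except Exception as err:
            # UIMessage gets a string; the original passed the exception object.
            return response + UIMessage(str(err))
    folder = '%s/%s' % (folder, 'artifacts')
    if not os.path.exists(folder):
        os.makedirs(folder)
    dissector = Dissector()
    dissector.change_dfolder(folder)
    dissector.dissect_pkts(pcap)
    # Loop through the stored files and create the database/maltego objects
    for path in glob.glob(folder + '/*'):
        try:
            md5hash = md5_for_file(path)
            sha1hash = sha1_for_file(path)
            ftype = check_file(path)
            filename = path[len(folder) + 1:]
            if usedb > 0:
                data = {'PCAP ID': pcap_id, 'Path': folder, 'File Name': filename, 'File Type': ftype, 'MD5 Hash': md5hash, 'SHA1 Hash': sha1hash}
                if db.ARTIFACTS.find({'MD5 Hash': md5hash, "File Name": filename}).count() == 0:
                    artifacts.insert(data)
            artifact = Artifact(filename)
            artifact.ftype = ftype
            artifact.fhash = md5hash
            artifact += Field('path', folder, displayname='Path')
            response += artifact
        except Exception as err:
            # Best effort: one unreadable file must not abort the others.
            print(str(err))
    return response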
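def dotransform(request, response):
    """Find TLS handshakes in a pcap and return a Website entity per SNI server name.

    Client Hello records (server name) and Server Hello records (cipher suite)
    are stored in the SSL collection when database support is on, skipped when
    a record with the same time stamp exists. Field offsets are hard-coded.
    """
    pcap = request.value
    usedb = config['working/usedb']
    if usedb > 0:
        db = mongo_connect()
        ssl_coll = db['SSL']
        try:
            md5hash = md5_for_file(pcap)
        except Exception as err:
            return response + UIMessage(str(err))
        # The original rebound the database handle to the session result here,
        # so every later ``d.SSL.find`` call failed; keep the two apart.
        pcap_id = find_session(md5hash)[0]
    pkts = rdpcap(pcap)
    servers = []
    try:
        for pkt in pkts:
            if not (pkt.haslayer(IP) and pkt.haslayer(TCP) and pkt.haslayer(Raw)):
                continue
            hexbytes = hexstr(pkt[Raw].load).split(' ')
            # 0x16 is the TLS Handshake record content type.
            if hexbytes[0] != '16':
                continue
            timestamp = datetime.datetime.fromtimestamp(pkt.time).strftime('%Y-%m-%d %H:%M:%S.%f')
            stype = 'Handshake'
            # Byte 5 is the first byte after the 5-byte record header: the handshake type.
            if hexbytes[5] == '01':
                htype = 'Client Hello'
                # The server name is read from fixed offsets, which presumably
                # assumes a hello without session id and SNI as the first
                # extension -- confirm before relying on it for other captures.
                slen = int(''.join(hexbytes[131:133]), 16)
                sname = binascii.unhexlify(''.join(hexbytes[133:133 + slen]))
                if sname not in servers:
                    servers.append(sname)
                if usedb > 0:
                    data = {'PCAP ID': pcap_id, 'SSL Type': stype, 'Handshake Type': htype, 'Time Stamp': timestamp, 'Source IP': pkt[IP].src, 'Source Port': pkt[TCP].sport, 'Destination IP': pkt[IP].dst, 'Destination Port': pkt[TCP].dport, 'Server Name': sname}
                    if db.SSL.find({'Time Stamp': timestamp}).count() == 0:
                        ssl_coll.insert(data)
            if hexbytes[5] == '02':
                htype = 'Server Hello'
                # Cipher suite at a fixed offset -- same caveat as above.
                ctype = ''.join(hexbytes[76:78])
                if usedb > 0:
                    data = {'PCAP ID': pcap_id, 'SSL Type': stype, 'Handshake Type': htype, 'Time Stamp': timestamp, 'Source IP': pkt[IP].src, 'Source Port': pkt[TCP].sport, 'Destination IP': pkt[IP].dst, 'Destination Port': pkt[TCP].dport, 'Cipher Suite': ctype}
                    if db.SSL.find({'Time Stamp': timestamp}).count() == 0:
                        ssl_coll.insert(data)
    except Exception as err:
        return response + UIMessage(str(err))
    # Return Maltego entities based on the SSL server name
    for sname in servers:
        response += Website(sname)
    return response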
def dotransform(request, response):
    """Geo-locate the IP endpoints of every TCP/UDP conversation in a pcap.

    Each successfully looked-up source endpoint is stored in the GEOIP
    collection under the pcap's session id (skipped when a record with the
    same src/port exists) and a GeoMap entity pointing at the web server's
    map page for that session is returned. Requires database support.
    """
    # Store the pcap file as a variable
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb == 0:
        return response + UIMessage('No database in use, so this is pointless!!!')
    else:
        pass
    # Connect to the database so we can insert the record created below
    x = mongo_connect()
    c = x['GEOIP']
    # Hash the pcap file
    try:
        md5hash = md5_for_file(pcap)
    except Exception as e:
        return response + UIMessage(str(e))
    # Get the PCAP ID for the pcap file: INDEX is tried first, STREAMS second.
    try:
        s = x.INDEX.find({"MD5 Hash": md5hash}).count()
        if s == 0:
            t = x.STREAMS.find({"MD5 Hash": md5hash}).count()
            if t > 0:
                r = x.STREAMS.find({"MD5 Hash": md5hash}, {"PCAP ID": 1, "_id": 0})
                for i in r:
                    pcap_id = i['PCAP ID']
            else:
                return response + UIMessage('No PCAP ID, you need to index the pcap file')
        if s > 0:
            r = x.INDEX.find({"MD5 Hash": md5hash}, {"PCAP ID": 1, "_id": 0})
            for i in r:
                pcap_id = i['PCAP ID']
    except Exception as e:
        return response + UIMessage(str(e))
    # Load the pcap file and look for IP addresses, then GeoIP them.
    # Each entry of convo is a (protocol, address, port) tuple.
    convo = []
    pkts = rdpcap(pcap)
    for p in pkts:
        if p.haslayer(IP) and p.haslayer(TCP):
            proto = 'TCP'
            s = proto, p[IP].src, p[TCP].sport
            r = proto, p[IP].dst, p[TCP].dport
            if s not in convo:
                convo.append(s)
            # NOTE(review): a destination endpoint already in the list is
            # removed rather than kept -- presumably to collapse both
            # directions of a conversation; confirm this is intended.
            if r in convo:
                convo.remove(r)
            else:
                convo.append(r)
        else:
            pass
        if p.haslayer(IP) and p.haslayer(UDP):
            proto = 'UDP'
            s = proto, p[IP].src, p[UDP].sport
            r = proto, p[IP].dst, p[UDP].dport
            if s not in convo:
                convo.append(s)
            if r in convo:
                convo.remove(r)
            else:
                convo.append(r)
        else:
            pass
    # Run each IP through a GeoIP lookup and build a dictionary object to insert into the database
    for proto, src, sport in convo:
        s = lookup_geo(src)
        if s is not None:
            geo = OrderedDict({'PCAP ID': pcap_id, 'Protocol': proto, 'src': src, 'src port': sport, 'src geo': s})
            # One record per (src, src port); skip duplicates on re-runs.
            t = x.GEOIP.find({'src': src, 'src port': sport}).count()
            if t > 0:
                pass
            else:
                c.insert(geo)
        else:
            pass
    # Build the URL for the returned Maltego entity (config values may carry quotes)
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')
    map_url = 'http://%s:%s/pcap/%s/map' % (url, port, pcap_id)
    e = GeoMap(map_url)
    response += e
    return response
def dotransform(request, response):
    """Store every packet of a pcap (full dump plus a summary row) and return a pcapStream entity.

    Requires database support: the session and stream ids are looked up by
    the pcap's MD5 hash, the parsed packets go into PACKETS and a per-packet
    summary (time stamp, number, layers, IP header fields, view URL) into
    PACKETSUMMARY. Inserts are skipped when a record with the same
    Buffer.timestamp exists. Database failures are logged, not returned.
    """
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb == 0:
        return response + UIMessage('You have chosen not to use a database')
    else:
        pass
    d = mongo_connect()
    c = d['PACKETS']
    y = d['PACKETSUMMARY']
    # Config values may carry quotes.
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')
    # Hash the pcap file
    try:
        md5pcap = md5_for_file(pcap)
    except Exception as e:
        return response + UIMessage(str(e))

    def convert_encoding(data, encoding='utf-8'):
        """Recursively encode unicode strings inside nested dicts/lists (Python 2)."""
        if isinstance(data, dict):
            return dict((convert_encoding(key), convert_encoding(value)) \
                for key, value in data.iteritems())
        elif isinstance(data, list):
            return [convert_encoding(element) for element in data]
        elif isinstance(data, unicode):
            return data.encode(encoding, errors='replace')
        else:
            return data

    # Get the PCAP ID for the pcap file: INDEX is tried first, STREAMS second.
    try:
        s = d.INDEX.find({"MD5 Hash": md5pcap}).count()
        if s == 0:
            t = d.STREAMS.find({"MD5 Hash": md5pcap}).count()
            if t > 0:
                r = d.STREAMS.find({"MD5 Hash": md5pcap}, {"PCAP ID": 1, "Stream ID": 1, "_id": 0})
                for i in r:
                    pcap_id = i['PCAP ID']
                    streamid = i['Stream ID']
            else:
                return response + UIMessage('No PCAP ID, you need to index the pcap file')
        if s > 0:
            r = d.INDEX.find({"MD5 Hash": md5pcap}, {"PCAP ID": 1, "_id": 0})
            for i in r:
                pcap_id = i['PCAP ID']
                # NOTE(review): a whole capture reuses its PCAP ID as the stream
                # id -- looks deliberate; confirm against the web server routes.
                streamid = i['PCAP ID']
    except Exception as e:
        return response + UIMessage(str(e))
    stream_url = 'http://%s:%s/pcap/%s/packets' % (url, port, streamid)
    pkts = loadpackets(pcap)
    # Dump the full packets into the database for later use.
    x = find_layers(pkts, pcap, pcap_id, streamid)
    try:
        for s in x:
            tstamp = s['Buffer']['timestamp']
            q = d.PACKETS.find({"Buffer.timestamp": tstamp}).count()
            if q > 0:
                pass
            else:
                # Round-trip through JSON to normalise the encoding before insert.
                v = OrderedDict(json.loads(json.dumps(convert_encoding(s), encoding='latin-1', ensure_ascii=False)))
                c.insert(v)
    except Exception as e:
        # Best effort: a failed dump is logged and the summary below is still built.
        error_logging(str(e), 'Packets')
    # Build the packet summary so we can make pretty pages.
    count = 1
    packet = OrderedDict()
    try:
        for p in pkts:
            tstamp = datetime.datetime.fromtimestamp(p.time).strftime('%Y-%m-%d %H:%M:%S.%f')
            p_header = {"PCAP ID": pcap_id, "Buffer": {"timestamp": tstamp, "packetnumber": count, "pcapfile": pcap, "packet_length": p.len, "StreamID": streamid}}
            packet.update(p_header)
            if p.haslayer(IP):
                p_ip = {"IP": {"ip_src": p[IP].src, "ip_dst": p[IP].dst, "ip_ttl": p[IP].ttl}}
                packet.update(p_ip)
            # Walk the layer stack by index; the HTTP layer name is left out.
            layers = []
            counter = 0
            while True:
                layer = p.getlayer(counter)
                if layer != None:
                    if layer.name == 'HTTP':
                        pass
                    else:
                        layers.append(layer.name)
                else:
                    break
                counter += 1
            p_layers = {"Layers": layers}
            packet.update(p_layers)
            view_url = 'http://%s:%s/pcap/%s/%s/packets/%s' % (url, port, pcap_id, streamid, count)
            p_view = {"View": view_url}
            packet.update(p_view)
            t = d.PACKETSUMMARY.find({"Buffer.timestamp": tstamp}).count()
            if t > 0:
                pass
            else:
                y.insert(packet)
            count += 1
            # The same dict is reused for the next packet, so it is emptied here
            # (including whatever the insert may have added to it).
            packet.clear()
    except Exception as e:
        error_logging(str(e), 'PacketSummary')
    # Return the Maltego Entity
    a = pcapStream(stream_url)
    response += a
    return response
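def dotransform(request, response):
    """Upload an indexed pcap to the web server and record it in FILES.

    The entity value is the pcap's path; its session id and folder are looked
    up by MD5 hash in INDEX (whole captures) or STREAMS (stream pcaps).
    Returns a UIMessage describing the outcome. Requires database support.
    """
    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')
    zipfile = request.value
    # Build the web server variables; the config values may carry quotes.
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')
    upload_url = 'http://%s:%s/pcap/_uploads' % (url, port)
    db = mongo_connect()
    files_coll = db['FILES']
    now = time.strftime("%c")
    # Hash the pcap file
    try:
        md5hash = md5_for_file(zipfile)
        sha1hash = sha1_for_file(zipfile)
    except Exception as err:
        return response + UIMessage(str(err))
    # Get the PCAP ID for the pcap file: INDEX first, then STREAMS.
    try:
        query = {"MD5 Hash": md5hash}
        if db.INDEX.find(query).count() > 0:
            projection = {"Working Directory": 1, "PCAP ID": 1, "_id": 0}
            for record in db.INDEX.find(query, projection):
                folder = record['Working Directory']
                pcap_id = record['PCAP ID']
        elif db.STREAMS.find(query).count() > 0:
            projection = {"Folder": 1, "PCAP ID": 1, "_id": 0}
            for record in db.STREAMS.find(query, projection):
                folder = record['Folder']
                pcap_id = record['PCAP ID']
        else:
            return response + UIMessage(
                'No PCAP ID, you need to index the pcap file')
    except Exception as err:
        return response + UIMessage(str(err))
    # Last path component; ':' characters are dropped (stream file names
    # appear to carry them -- confirm).
    filename = zipfile.split('/')[-1].replace(':', '')
    download_url = 'http://%s:%s/pcap/downloads/%s' % (url, port, filename)
    # Check to see if the file is already uploaded
    if files_coll.find({'File Name': filename}).count() > 0:
        return response + UIMessage('File already uploaded!!')
    data = {
        'Upload Time': now,
        'File Name': filename,
        'Folder': folder,
        'MD5 Hash': md5hash,
        'SHA1 Hash': sha1hash,
        'Download': download_url,
        'PCAP ID': pcap_id
    }
    try:
        # POST the file; the handle is closed once the request is sent
        # (the original left it open).
        with open(zipfile, 'rb') as fh:
            r = requests.post(upload_url, files={'files': fh})
        if r.status_code == 200:
            files_coll.insert(data)
            return response + UIMessage('File Uploaded!!')
        return response + UIMessage('Whoops file upload didn\'t work.')
    except Exception as err:
        return response + UIMessage(str(err))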
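def dotransform(request, response):
    """Upload an indexed pcap to the web server and record it in FILES.

    The entity value is the pcap's path; its session id and folder are looked
    up by MD5 hash in INDEX (whole captures) or STREAMS (stream pcaps).
    Returns a UIMessage describing the outcome. Requires database support.
    """
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')
    zipfile = request.value
    # Build the web server variables; the config values may carry quotes.
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')
    upload_url = 'http://%s:%s/pcap/_uploads' % (url, port)
    db = mongo_connect()
    files_coll = db['FILES']
    now = time.strftime("%c")
    # Hash the pcap file
    try:
        md5hash = md5_for_file(zipfile)
        sha1hash = sha1_for_file(zipfile)
    except Exception as err:
        return response + UIMessage(str(err))
    # Get the PCAP ID for the pcap file: INDEX first, then STREAMS.
    try:
        query = {"MD5 Hash": md5hash}
        if db.INDEX.find(query).count() > 0:
            for record in db.INDEX.find(query, {"Working Directory": 1, "PCAP ID": 1, "_id": 0}):
                folder = record['Working Directory']
                pcap_id = record['PCAP ID']
        elif db.STREAMS.find(query).count() > 0:
            for record in db.STREAMS.find(query, {"Folder": 1, "PCAP ID": 1, "_id": 0}):
                folder = record['Folder']
                pcap_id = record['PCAP ID']
        else:
            return response + UIMessage('No PCAP ID, you need to index the pcap file')
    except Exception as err:
        return response + UIMessage(str(err))
    # Last path component; ':' characters are dropped (stream file names
    # appear to carry them -- confirm).
    filename = zipfile.split('/')[-1].replace(':', '')
    download_url = 'http://%s:%s/pcap/downloads/%s' % (url, port, filename)
    # Check to see if the file is already uploaded
    if files_coll.find({'File Name': filename}).count() > 0:
        return response + UIMessage('File already uploaded!!')
    data = {'Upload Time': now, 'File Name': filename, 'Folder': folder, 'MD5 Hash': md5hash, 'SHA1 Hash': sha1hash, 'Download': download_url, 'PCAP ID': pcap_id}
    try:
        # POST the file; the handle is closed once the request is sent
        # (the original left it open).
        with open(zipfile, 'rb') as fh:
            r = requests.post(upload_url, files={'files': fh})
        if r.status_code == 200:
            files_coll.insert(data)
            return response + UIMessage('File Uploaded!!')
        return response + UIMessage('Whoops file upload didn\'t work.')
    except Exception as err:
        return response + UIMessage(str(err))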
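def dotransform(request, response):
    """Carve files out of a pcap into an ``artifacts`` folder and return an Artifact entity per file.

    In database mode the folder lives under the session's working directory
    and each carved file is recorded in ARTIFACTS (once per MD5 + name);
    otherwise a random sub-directory of ``working/directory`` is created.
    Carved files are raw content from the capture and should be treated as
    untrusted data.
    """
    pcap = request.value
    usedb = config['working/usedb']
    if usedb > 0:
        db = mongo_connect()
        artifacts = db['ARTIFACTS']
        try:
            md5pcap = md5_for_file(pcap)
        except Exception as err:
            return response + UIMessage(str(err))
        session = find_session(md5pcap)
        pcap_id = session[0]
        folder = session[2]
    else:
        base = config['working/directory'].strip('\'')
        try:
            if base == '':
                return response + UIMessage(
                    'No working directory set, check your config file')
            # A short random uuid4 prefix keeps each run in its own directory.
            base = base + '/' + str(uuid.uuid4())[:12].replace('-', '')
            if not os.path.exists(base):
                os.makedirs(base)
            folder = base
        except Exception as err:
            # UIMessage gets a string; the original passed the exception object.
            return response + UIMessage(str(err))
    folder = '%s/%s' % (folder, 'artifacts')
    if not os.path.exists(folder):
        os.makedirs(folder)
    dissector = Dissector()
    dissector.change_dfolder(folder)
    dissector.dissect_pkts(pcap)
    # Loop through the stored files and create the database/maltego objects
    for path in glob.glob(folder + '/*'):
        try:
            md5hash = md5_for_file(path)
            sha1hash = sha1_for_file(path)
            ftype = check_file(path)
            filename = path[len(folder) + 1:]
            if usedb > 0:
                data = {
                    'PCAP ID': pcap_id,
                    'Path': folder,
                    'File Name': filename,
                    'File Type': ftype,
                    'MD5 Hash': md5hash,
                    'SHA1 Hash': sha1hash
                }
                if db.ARTIFACTS.find({
                    'MD5 Hash': md5hash,
                    "File Name": filename
                }).count() == 0:
                    artifacts.insert(data)
            artifact = Artifact(filename)
            artifact.ftype = ftype
            artifact.fhash = md5hash
            artifact += Field('path', folder, displayname='Path')
            response += artifact
        except Exception as err:
            # Best effort: one unreadable file must not abort the others.
            print(str(err))
    return response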
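def dotransform(request, response):
    """Upload a carved artifact to the web server and record it in FILES.

    The entity value is the file name and the ``path`` field its folder. The
    file is only uploaded when its MD5 hash is already recorded in ARTIFACTS,
    which also supplies the session id and file type. Requires database
    support.
    """
    filename = request.value
    folder = request.fields['path']
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')
    # Build the web server variables; the config values may carry quotes.
    url = config['web/server'].strip('\'')
    port = config['web/port'].strip('\'')
    upload_url = 'http://%s:%s/pcap/_uploads' % (url, port)
    db = mongo_connect()
    files_coll = db['FILES']
    now = time.strftime("%c")
    # Both path components come straight from the entity; the ARTIFACTS hash
    # lookup below is the only thing that ties the file to a known artifact.
    zipfile = '%s/%s' % (folder, filename)
    # Hash the file so it can be matched against ARTIFACTS.
    try:
        md5hash = md5_for_file(zipfile)
        sha1hash = sha1_for_file(zipfile)
    except Exception as err:
        return response + UIMessage(str(err))
    # Get the PCAP ID and file type for the artifact.
    try:
        query = {"MD5 Hash": md5hash}
        if db.ARTIFACTS.find(query).count() == 0:
            return response + UIMessage('No PCAP ID, you need to index the pcap file')
        for record in db.ARTIFACTS.find(query, {"File Type": 1, "PCAP ID": 1, "_id": 0}):
            pcap_id = record['PCAP ID']
            ftype = record['File Type']
    except Exception as err:
        return response + UIMessage(str(err))
    download_url = 'http://%s:%s/pcap/downloads/%s' % (url, port, filename)
    # Check to see if the file is already uploaded
    if files_coll.find({'File Name': filename}).count() > 0:
        return response + UIMessage('File already uploaded!!')
    data = {'Upload Time': now, 'File Name': filename, 'Folder': folder, 'MD5 Hash': md5hash, 'SHA1 Hash': sha1hash, 'Download': download_url, 'PCAP ID': pcap_id, 'File Type': ftype}
    try:
        # POST the file; the handle is closed once the request is sent
        # (the original left it open).
        with open(zipfile, 'rb') as fh:
            r = requests.post(upload_url, files={'files': fh})
        if r.status_code == 200:
            files_coll.insert(data)
            return response + UIMessage('File Uploaded!!')
        return response + UIMessage(str(r.status_code))
    except Exception as err:
        return response + UIMessage(str(err))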
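def dotransform(request, response):
    """Return a ``Domain`` entity for every registered domain queried over DNS in a pcap.

    ``request.value`` is the pcap path. Every packet carrying a ``DNSQR``
    layer is reduced to its registered domain (``tldextract``). When
    ``working/usedb`` > 0 the pcap is matched to its session by MD5 and each
    query is stored in the ``DNS`` collection unless a record with the same
    ``Time Stamp`` already exists.

    Returns ``response`` with one ``Domain`` entity per distinct registered
    domain. On any error the error is logged via ``error_logging`` when the
    database is in use, and in every case ``response`` plus a ``UIMessage``
    is returned (the original returned ``None`` in the database case).

    The query names come straight from the capture and are untrusted; they
    are only used as entity values and database fields here.
    """
    pcap = request.value
    usedb = config['working/usedb']
    pcap_id = None
    session_id = None
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the records created below
        x = mongo_connect()
        c = x['DNS']
        # Hash the pcap file
        try:
            md5hash = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        # Get the session and/or pcap id
        session = find_session(md5hash)
        pcap_id = session[0]
        session_id = session[1]
    try:
        dns_requests = []
        for p in rdpcap(pcap):
            if not p.haslayer(DNSQR):
                continue
            timestamp = datetime.datetime.fromtimestamp(p.time).strftime('%Y-%m-%d %H:%M:%S.%f')
            qname = p[DNSQR].qname[:-1]  # drop the trailing dot of the FQDN
            domain = tldextract.extract(qname).registered_domain
            if usedb > 0:
                # NOTE(review): p[IP] assumes an IPv4 layer; a query carried over
                # IPv6 would raise here and abort the transform — confirm intended
                record = OrderedDict([
                    ('PCAP ID', pcap_id),
                    ('Stream ID', session_id),
                    ('Time Stamp', timestamp),
                    ('Type', 'Request'),
                    ('IP', {
                        'src': p[IP].src,
                        'dst': p[IP].dst,
                        'length': p[IP].len,
                    }),
                    ('Request Details', {
                        'Query Type': p[DNSQR].qtype,
                        'Query Name': qname,
                        'Domain': domain,
                    }),
                ])
                if x.DNS.find({'Time Stamp': timestamp}).count() == 0:
                    c.insert(record)
            # Dedupe on the value that is actually appended (the original
            # compared the full query name but appended the domain, so the
            # same domain was returned once per distinct host name)
            if domain not in dns_requests:
                dns_requests.append(domain)
        for name in dns_requests:
            response += Domain(name)
        return response
    except Exception as e:
        if usedb > 0:
            error_logging(str(e), 'DNS Requests')
        return response + UIMessage(str(e))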
def dotransform(request, response):
    """Return a ``Website`` entity for every distinct HTTP ``Host`` header in a pcap.

    ``request.value`` is the pcap path. Every packet with an ``HTTPRequest``
    layer contributes its ``Host``; when ``working/usedb`` > 0 the pcap is
    matched to its session by MD5 and each request (method, path, referer,
    host, IPv4 endpoints) is stored in the ``HTTP`` collection unless a record
    with the same ``Time Stamp`` already exists.

    Returns ``response`` with one ``Website`` entity per distinct host, or a
    ``UIMessage`` if hashing the pcap fails. Errors while reading the pcap
    propagate to the caller. Host values are untrusted capture content.
    """
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the records created below
        x = mongo_connect()
        c = x['HTTP']
        # Hash the pcap file and resolve its session
        try:
            md5hash = md5_for_file(pcap)
        except Exception as e:
            return response + UIMessage(str(e))
        pcap_id = find_session(md5hash)[0]
    # Find HTTP Requests
    hosts = []
    for p in rdpcap(pcap):
        if not p.haslayer(HTTPRequest):
            continue
        req = p[HTTPRequest]
        timestamp = datetime.datetime.fromtimestamp(p.time).strftime('%Y-%m-%d %H:%M:%S.%f')
        host = req.Host
        if usedb > 0:
            record = OrderedDict({
                'PCAP ID': pcap_id,
                'Time Stamp': timestamp,
                'Type': 'HTTP Request',
                'IP': {
                    'src': p[IP].src,
                    'dst': p[IP].dst,
                },
                'HTTP': {
                    'Method': req.Method,
                    'URI': req.Path,
                    'Referer': req.Referer,
                    'Host': req.Host,
                },
            })
            # Check if record already exists
            if x.HTTP.find({'Time Stamp': timestamp}).count() == 0:
                c.insert(record)
        if host not in hosts:
            hosts.append(host)
    for host in hosts:
        response += Website(host)
    return response
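def dotransform(request, response):
    """Index a pcap file in the database and return its ``SessionID`` entity.

    ``request.value`` is the pcap path. Requires ``working/usedb`` > 0. The
    file must exist and be classic pcap (``check_pcap`` reporting ``'BAD'``
    means pcap-ng, which is rejected). If ``INDEX`` already holds a record
    with the same MD5 its ``PCAP ID`` is returned instead of indexing again;
    otherwise the user is prompted for comments (``multenterbox``), a
    12-character ``PCAP ID`` is generated, ``<working/directory>/<PCAP ID>``
    is created and the index record is inserted.

    Returns ``response`` with the ``SessionID`` entity (plus the pcap path as
    a ``sniffmypacketsv2.pcapfile`` field), or a ``UIMessage`` on failure,
    including a cancelled comments dialog (``multenterbox`` returning
    ``None``), which previously raised.

    MD5 is only a lookup key for "already indexed"; it is not an integrity
    guarantee for the capture. The existence probe closes its file handle.
    """
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb == 0:
        return response + UIMessage('You have chosen not to use a database')
    # Connect to the database so we can insert the record created below
    x = mongo_connect()
    c = x['INDEX']
    # Check the file exists first (so we don't add crap to the database)
    try:
        with open(pcap, 'rb'):
            pass
    except IOError:
        return response + UIMessage('The file doesn\'t exist')
    # Check the pcap file is in the correct format (not pcap-ng)
    try:
        if 'BAD' in check_pcap(pcap):
            return response + UIMessage(
                'File format is pcap-ng, not supported by sniffMyPackets, please convert.')
    except Exception as e:
        return response + UIMessage(str(e))
    # Hash the pcap file
    try:
        md5hash = md5_for_file(pcap)
        sha1hash = sha1_for_file(pcap)
    except Exception as e:
        return response + UIMessage(str(e))
    # Get the file size
    try:
        filesize = check_size(pcap)
    except Exception as e:
        return response + UIMessage(str(e))
    # Already indexed (by MD5)? Hand back the existing session instead of a duplicate
    try:
        if x.INDEX.find({"MD5 Hash": md5hash}).count() > 0:
            for i in x.INDEX.find({"MD5 Hash": md5hash}, {"PCAP ID": 1, "_id": 0}):
                existing = SessionID(i['PCAP ID'])
                existing += Field('sniffmypacketsv2.pcapfile', pcap, displayname='PCAP File')
                response += existing
            return response
    except Exception as e:
        return response + UIMessage(str(e))
    # Popup message box for entering comments about the pcap file
    field_values = multenterbox('Enter Comments', 'Comments', ["Comments"])
    if field_values is None:
        # Dialog cancelled; the original crashed on field_values[0]
        return response + UIMessage('Comments dialog cancelled, pcap not indexed')
    # General variables used to build the index
    comments = field_values[0]
    now = time.strftime("%c")
    pcap_id = str(uuid.uuid4())[:12].replace('-', '')
    # Get a count of packets available
    try:
        pkcount = packet_count(pcap)
    except Exception as e:
        return response + UIMessage(str(e))
    # Get the start/end time of packets
    try:
        pcap_time = get_time(pcap)
    except Exception as e:
        return response + UIMessage(str(e))
    # Check for working directory, if it doesn't exist create it.
    w = config['working/directory'].strip("'")
    if w == '':
        return response + UIMessage('No working directory set, check your config file')
    w = '%s/%s' % (w, pcap_id)
    try:
        if not os.path.exists(w):
            os.makedirs(w)
    except Exception as e:
        # UIMessage expects text; the original passed the exception object
        return response + UIMessage(str(e))
    # Build the record to upload into the database; a list of pairs keeps the
    # field order (OrderedDict over a dict literal does not on Python 2)
    index = OrderedDict([
        ('PCAP ID', pcap_id),
        ('PCAP Path', pcap),
        ('Working Directory', w),
        ('Upload Time', now),
        ('Comments', comments),
        ('MD5 Hash', md5hash),
        ('SHA1 Hash', sha1hash),
        ('Packet Count', pkcount),
        ('First Packet', pcap_time[0]),
        ('Last Packet', pcap_time[1]),
        ('File Size', filesize),
    ])
    # Insert record into the database
    c.insert(index)
    # Return the entity with Session ID into Maltego
    r = SessionID(pcap_id)
    r += Field('sniffmypacketsv2.pcapfile', pcap, displayname='PCAP File')
    response += r
    return response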
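def dotransform(request, response):
    """Split a pcap into per-conversation TCP/UDP stream files and return them as ``pcapFile`` entities.

    ``request.value`` is the pcap path. With ``working/usedb`` > 0 the pcap is
    matched to its session by MD5 and the streams are written into that
    session's folder; each stream gets an 8-character ``Stream ID`` and a
    ``STREAMS`` record (packet count, first/last packet time, hashes and the
    five-tuple parsed from the stream file name) unless a record with the same
    ``File Name`` exists. Without the database a throw-away folder is created
    under ``working/directory`` and nothing is stored.

    Returns ``response`` with one ``pcapFile`` entity per stream file, or a
    ``UIMessage`` on failure (including a stream file name that does not split
    into protocol, source IP/port and destination IP/port, which previously
    raised ``IndexError``).
    """
    pcap = request.value
    usedb = config['working/usedb']
    pcap_id = None
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the records created below
        x = mongo_connect()
        c = x['STREAMS']
        # Hash the pcap file and resolve its session
        try:
            md5hash = md5_for_file(pcap)
            session = find_session(md5hash)
            pcap_id = session[0]
            folder = session[2]
        except Exception as e:
            return response + UIMessage(str(e))
    else:
        w = config['working/directory'].strip("'")
        if w == '':
            return response + UIMessage('No working directory set, check your config file')
        try:
            folder = '%s/%s' % (w, str(uuid.uuid4())[:12].replace('-', ''))
            if not os.path.exists(folder):
                os.makedirs(folder)
        except Exception as e:
            # UIMessage expects text; the original passed the exception object
            return response + UIMessage(str(e))
    # Create TCP/UDP stream files
    streams = create_streams(pcap, folder)
    if usedb > 0:
        prefix = len(folder) + 1  # length of "<folder>/"
        for i in streams:
            # Create StreamID
            streamid = str(uuid.uuid4())[:8]
            # Packet count, first/last packet time and hashes of the stream file
            try:
                pkcount = packet_count(i)
                pcap_time = get_time(i)
                md5hash = md5_for_file(i)
                sha1hash = sha1_for_file(i)
            except Exception as e:
                return response + UIMessage(str(e))
            # Pull out the details of the packets from the file name: the part
            # between "<folder>/" and the 5-character suffix, split on '-' and ':'
            # NOTE(review): an IPv6 address would split on its own colons — confirm
            pkt = i[prefix:-5].replace('-', ' ').replace(':', ' ').split()
            if len(pkt) < 5:
                return response + UIMessage('Unexpected stream file name: %s' % i)
            # Build the record; a list of pairs keeps the field order on Python 2
            data = OrderedDict([
                ('PCAP ID', pcap_id),
                ('Stream ID', streamid),
                ('Folder', folder),
                ('Packet Count', pkcount),
                ('File Name', i),
                ('First Packet', pcap_time[0]),
                ('Last Packet', pcap_time[1]),
                ('MD5 Hash', md5hash),
                ('SHA1 Hash', sha1hash),
                ('Packet', {
                    'Protocol': pkt[0],
                    'Source IP': pkt[1],
                    'Source Port': pkt[2],
                    'Destination IP': pkt[3],
                    'Destination Port': pkt[4],
                }),
            ])
            # Check to see if the record exists
            try:
                if x.STREAMS.find({"File Name": i}).count() == 0:
                    c.insert(data)
            except Exception as e:
                return response + UIMessage(str(e))
    # Create Maltego entities for each pcap file
    for p in streams:
        response += pcapFile(p)
    return response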
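def dotransform(request, response):
    """Split a captured SMTP session file into its message and attachments.

    ``request.value`` is the stream file name. With ``working/usedb`` > 0 its
    folder is looked up in ``ARTIFACTS`` by ``File Name``; otherwise it is
    ``request.fields['path']``. The text after the first ``DATA`` marker is
    written to ``<folder>/email-messages/msgdata.msg``, parsed with
    ``email.message_from_file``, and every non-multipart part is written to
    the same directory under its declared file name (or ``part-NNN.<ext>``).

    Returns ``response`` with one ``EmailAttachment`` entity per written file,
    or a ``UIMessage`` if the database lookup fails.

    The message and the attachment names come from the captured traffic and
    are untrusted: the declared name is reduced to its base name so it cannot
    contain path separators and escape ``email-messages``. All file handles
    are closed via ``with``.
    """
    f = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb > 0:
        d = mongo_connect()
        folder = []
        # Look the stream file up to find the folder it was carved into
        try:
            if d.ARTIFACTS.find({"File Name": f}).count() > 0:
                for i in d.ARTIFACTS.find({"File Name": f}, {"Path": 1, "_id": 0}):
                    folder = i['Path']
            else:
                return response + UIMessage('File not found!!')
        except Exception as e:
            return response + UIMessage(str(e))
    else:
        folder = request.fields['path']
    msgpath = '%s/%s' % (folder, f)
    # Split the original file on the SMTP DATA marker; only the chunk right
    # after the first marker is kept as the message
    msgdata = []
    with open(msgpath, mode='r') as msgfile:
        chunks = msgfile.read().split('DATA')
    if len(chunks) > 1:
        msgdata.append(chunks[1].strip())
    save_files = []
    newfolder = '%s/email-messages' % folder
    for item in msgdata:
        if not os.path.exists(newfolder):
            os.makedirs(newfolder)
        msgfile_path = newfolder + '/' + 'msgdata.msg'
        with open(msgfile_path, 'w') as fb:
            fb.write('%s\n' % item)
        if msgfile_path not in save_files:
            save_files.append(msgfile_path)
        with open(msgfile_path) as fp:
            msg = email.message_from_file(fp)
        counter = 1
        for part in msg.walk():
            if part.get_content_maintype() == 'multipart':
                continue
            # The declared attachment name is attacker-controlled capture
            # content: keep the base name only (either separator style)
            filename = part.get_filename()
            if filename:
                filename = os.path.basename(filename.replace('\\', '/'))
            if not filename:
                ext = mimetypes.guess_extension(part.get_content_type()) or '.bin'
                filename = 'part-%03d%s' % (counter, ext)
            counter += 1
            savefile = newfolder + '/' + filename
            payload = part.get_payload(decode=True)
            with open(savefile, 'wb') as fp:
                # get_payload(decode=True) yields None for parts with no body
                fp.write(payload if payload is not None else b'')
            if savefile not in save_files:
                save_files.append(savefile)
    # Create the Maltego entity
    for s in save_files:
        response += EmailAttachment(s)
    return response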
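def dotransform(request, response):
    """Split a pcap into per-conversation TCP/UDP stream files and return them as ``pcapFile`` entities.

    ``request.value`` is the pcap path. With ``working/usedb`` > 0 the pcap is
    matched to its session by MD5 and the streams are written into that
    session's folder; each stream gets an 8-character ``Stream ID`` and a
    ``STREAMS`` record (packet count, first/last packet time, hashes and the
    five-tuple parsed from the stream file name) unless a record with the same
    ``File Name`` exists. Without the database a throw-away folder is created
    under ``working/directory`` and nothing is stored.

    Returns ``response`` with one ``pcapFile`` entity per stream file, or a
    ``UIMessage`` on failure (including a stream file name that does not split
    into protocol, source IP/port and destination IP/port, which previously
    raised ``IndexError``).
    """
    pcap = request.value
    usedb = config['working/usedb']
    pcap_id = None
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the records created below
        x = mongo_connect()
        c = x['STREAMS']
        # Hash the pcap file and resolve its session
        try:
            md5hash = md5_for_file(pcap)
            session = find_session(md5hash)
            pcap_id = session[0]
            folder = session[2]
        except Exception as e:
            return response + UIMessage(str(e))
    else:
        w = config['working/directory'].strip("'")
        if w == '':
            return response + UIMessage('No working directory set, check your config file')
        try:
            folder = '%s/%s' % (w, str(uuid.uuid4())[:12].replace('-', ''))
            if not os.path.exists(folder):
                os.makedirs(folder)
        except Exception as e:
            # UIMessage expects text; the original passed the exception object
            return response + UIMessage(str(e))
    # Create TCP/UDP stream files
    streams = create_streams(pcap, folder)
    if usedb > 0:
        prefix = len(folder) + 1  # length of "<folder>/"
        for i in streams:
            # Create StreamID
            streamid = str(uuid.uuid4())[:8]
            # Packet count, first/last packet time and hashes of the stream file
            try:
                pkcount = packet_count(i)
                pcap_time = get_time(i)
                md5hash = md5_for_file(i)
                sha1hash = sha1_for_file(i)
            except Exception as e:
                return response + UIMessage(str(e))
            # Pull out the details of the packets from the file name: the part
            # between "<folder>/" and the 5-character suffix, split on '-' and ':'
            # NOTE(review): an IPv6 address would split on its own colons — confirm
            pkt = i[prefix:-5].replace('-', ' ').replace(':', ' ').split()
            if len(pkt) < 5:
                return response + UIMessage('Unexpected stream file name: %s' % i)
            # Build the record; a list of pairs keeps the field order on Python 2
            data = OrderedDict([
                ('PCAP ID', pcap_id),
                ('Stream ID', streamid),
                ('Folder', folder),
                ('Packet Count', pkcount),
                ('File Name', i),
                ('First Packet', pcap_time[0]),
                ('Last Packet', pcap_time[1]),
                ('MD5 Hash', md5hash),
                ('SHA1 Hash', sha1hash),
                ('Packet', {
                    'Protocol': pkt[0],
                    'Source IP': pkt[1],
                    'Source Port': pkt[2],
                    'Destination IP': pkt[3],
                    'Destination Port': pkt[4],
                }),
            ])
            # Check to see if the record exists
            try:
                if x.STREAMS.find({"File Name": i}).count() == 0:
                    c.insert(data)
            except Exception as e:
                return response + UIMessage(str(e))
    # Create Maltego entities for each pcap file
    for p in streams:
        response += pcapFile(p)
    return response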
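def dotransform(request, response):
    """GeoIP the TCP/UDP endpoints of a pcap, store the hits and return a ``GeoMap`` entity.

    ``request.value`` is the pcap path. Requires ``working/usedb`` > 0. The
    ``PCAP ID`` is resolved by MD5 from ``INDEX`` (a full capture) or, failing
    that, from ``STREAMS`` (a carved stream). Every IPv4 packet with a TCP or
    UDP layer contributes its (protocol, IP, port) endpoints to ``convo``
    using the original pairing logic (the destination endpoint is only
    toggled when the source endpoint is new). Each source IP with a
    ``lookup_geo`` result is stored in ``GEOIP`` unless a record with the same
    ``src``/``src port`` exists.

    Returns ``response`` with a ``GeoMap`` entity pointing at
    ``http://<web/server>:<web/port>/pcap/<PCAP ID>/map``, or a ``UIMessage``
    on failure or when no ``PCAP ID`` can be found (previously a lookup that
    matched but yielded no document raised ``NameError``).
    """
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb == 0:
        return response + UIMessage('No database in use, so this is pointless!!!')
    # Connect to the database so we can insert the records created below
    x = mongo_connect()
    c = x['GEOIP']
    # Hash the pcap file
    try:
        md5hash = md5_for_file(pcap)
    except Exception as e:
        return response + UIMessage(str(e))
    # Get the PCAP ID for the pcap file: INDEX first, then STREAMS
    pcap_id = None
    try:
        if x.INDEX.find({"MD5 Hash": md5hash}).count() > 0:
            for i in x.INDEX.find({"MD5 Hash": md5hash}, {"PCAP ID": 1, "_id": 0}):
                pcap_id = i['PCAP ID']
        elif x.STREAMS.find({"MD5 Hash": md5hash}).count() > 0:
            for i in x.STREAMS.find({"MD5 Hash": md5hash}, {"PCAP ID": 1, "_id": 0}):
                pcap_id = i['PCAP ID']
        else:
            return response + UIMessage('No PCAP ID, you need to index the pcap file')
    except Exception as e:
        return response + UIMessage(str(e))
    if pcap_id is None:
        return response + UIMessage('No PCAP ID, you need to index the pcap file')
    # Load the pcap file and collect (protocol, IP, port) endpoints
    convo = []
    for p in rdpcap(pcap):
        if not p.haslayer(IP):
            continue
        for layer, proto in ((TCP, 'TCP'), (UDP, 'UDP')):
            if not p.haslayer(layer):
                continue
            src = proto, p[IP].src, p[layer].sport
            dst = proto, p[IP].dst, p[layer].dport
            # Original pairing logic, kept as-is: the destination endpoint is
            # only toggled (removed if present, else added) for a new source
            if src not in convo:
                convo.append(src)
                if dst in convo:
                    convo.remove(dst)
                else:
                    convo.append(dst)
    # Run each IP through a GeoIP lookup and store the result
    for proto, src, sport in convo:
        geo_hit = lookup_geo(src)
        if geo_hit is None:
            continue
        geo = OrderedDict([
            ('PCAP ID', pcap_id),
            ('Protocol', proto),
            ('src', src),
            ('src port', sport),
            ('src geo', geo_hit),
        ])
        # NOTE(review): the dedupe key omits PCAP ID, so the same endpoint seen
        # in another capture is not stored again — confirm this is intended
        if x.GEOIP.find({'src': src, 'src port': sport}).count() == 0:
            c.insert(geo)
    # Build the URL for the returned Maltego entity
    url = config['web/server'].strip("'")
    port = config['web/port'].strip("'")
    map_url = 'http://%s:%s/pcap/%s/map' % (url, port, pcap_id)
    response += GeoMap(map_url)
    return response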
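def dotransform(request, response):
    """Index a pcap file in the database and return its ``SessionID`` entity.

    ``request.value`` is the pcap path. Requires ``working/usedb`` > 0. The
    file must exist and be classic pcap (``check_pcap`` reporting ``'BAD'``
    means pcap-ng, which is rejected). If ``INDEX`` already holds a record
    with the same MD5 its ``PCAP ID`` is returned instead of indexing again;
    otherwise the user is prompted for comments (``multenterbox``), a
    12-character ``PCAP ID`` is generated, ``<working/directory>/<PCAP ID>``
    is created and the index record is inserted.

    Returns ``response`` with the ``SessionID`` entity (plus the pcap path as
    a ``sniffmypacketsv2.pcapfile`` field), or a ``UIMessage`` on failure,
    including a cancelled comments dialog (``multenterbox`` returning
    ``None``), which previously raised.

    MD5 is only a lookup key for "already indexed"; it is not an integrity
    guarantee for the capture. The existence probe closes its file handle.
    """
    pcap = request.value
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb == 0:
        return response + UIMessage('You have chosen not to use a database')
    # Connect to the database so we can insert the record created below
    x = mongo_connect()
    c = x['INDEX']
    # Check the file exists first (so we don't add crap to the database)
    try:
        with open(pcap, 'rb'):
            pass
    except IOError:
        return response + UIMessage('The file doesn\'t exist')
    # Check the pcap file is in the correct format (not pcap-ng)
    try:
        if 'BAD' in check_pcap(pcap):
            return response + UIMessage(
                'File format is pcap-ng, not supported by sniffMyPackets, please convert.')
    except Exception as e:
        return response + UIMessage(str(e))
    # Hash the pcap file
    try:
        md5hash = md5_for_file(pcap)
        sha1hash = sha1_for_file(pcap)
    except Exception as e:
        return response + UIMessage(str(e))
    # Get the file size
    try:
        filesize = check_size(pcap)
    except Exception as e:
        return response + UIMessage(str(e))
    # Already indexed (by MD5)? Hand back the existing session instead of a duplicate
    try:
        if x.INDEX.find({"MD5 Hash": md5hash}).count() > 0:
            for i in x.INDEX.find({"MD5 Hash": md5hash}, {"PCAP ID": 1, "_id": 0}):
                existing = SessionID(i['PCAP ID'])
                existing += Field('sniffmypacketsv2.pcapfile', pcap, displayname='PCAP File')
                response += existing
            return response
    except Exception as e:
        return response + UIMessage(str(e))
    # Popup message box for entering comments about the pcap file
    field_values = multenterbox('Enter Comments', 'Comments', ["Comments"])
    if field_values is None:
        # Dialog cancelled; the original crashed on field_values[0]
        return response + UIMessage('Comments dialog cancelled, pcap not indexed')
    # General variables used to build the index
    comments = field_values[0]
    now = time.strftime("%c")
    pcap_id = str(uuid.uuid4())[:12].replace('-', '')
    # Get a count of packets available
    try:
        pkcount = packet_count(pcap)
    except Exception as e:
        return response + UIMessage(str(e))
    # Get the start/end time of packets
    try:
        pcap_time = get_time(pcap)
    except Exception as e:
        return response + UIMessage(str(e))
    # Check for working directory, if it doesn't exist create it.
    w = config['working/directory'].strip("'")
    if w == '':
        return response + UIMessage('No working directory set, check your config file')
    w = '%s/%s' % (w, pcap_id)
    try:
        if not os.path.exists(w):
            os.makedirs(w)
    except Exception as e:
        # UIMessage expects text; the original passed the exception object
        return response + UIMessage(str(e))
    # Build the record to upload into the database; a list of pairs keeps the
    # field order (OrderedDict over a dict literal does not on Python 2)
    index = OrderedDict([
        ('PCAP ID', pcap_id),
        ('PCAP Path', pcap),
        ('Working Directory', w),
        ('Upload Time', now),
        ('Comments', comments),
        ('MD5 Hash', md5hash),
        ('SHA1 Hash', sha1hash),
        ('Packet Count', pkcount),
        ('First Packet', pcap_time[0]),
        ('Last Packet', pcap_time[1]),
        ('File Size', filesize),
    ])
    # Insert record into the database
    c.insert(index)
    # Return the entity with Session ID into Maltego
    r = SessionID(pcap_id)
    r += Field('sniffmypacketsv2.pcapfile', pcap, displayname='PCAP File')
    response += r
    return response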