Esempio n. 1
0
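def dotransform(request, response):
    """Prepare a pcap entity: normalise it to libpcap format and hash it.

    Args:
        request: Maltego request. ``request.value`` is the path of the pcap
            file; ``request.fields['sniffMyPackets.outputfld']`` may already
            name a working folder for it.
        response: Maltego response the ``pcapFile`` entity is added to.

    Returns:
        ``response`` with one ``pcapFile`` entity carrying ``sha1hash``,
        ``md5hash`` and ``outputfld``.
    """
    import shutil
    import subprocess
    import tempfile

    pcap = request.value

    # Reuse the folder the entity already carries; otherwise create a fresh
    # per-pcap folder under /tmp and hand it back on the entity.
    try:
        tmpfolder = request.fields['sniffMyPackets.outputfld']
    except KeyError:
        tmpfolder = '/tmp/' + str(uuid.uuid4())
        if not os.path.exists(tmpfolder):
            os.makedirs(tmpfolder)

    # Run the file through editcap so it is in plain libpcap format. The
    # arguments are passed as a list (no shell), so a path with spaces or
    # shell metacharacters stays a single argument. The converted copy goes
    # to a private temp file instead of the fixed, predictable /tmp/output.dmp,
    # and only replaces the original when editcap reported success.
    fd, dumpfile = tempfile.mkstemp(suffix='.dmp')
    os.close(fd)
    try:
        try:
            rc = subprocess.call(['editcap', pcap, '-F', 'libpcap', dumpfile])
        except OSError:
            # editcap not installed / not executable: keep the file as-is.
            rc = -1
        if rc == 0:
            shutil.move(dumpfile, pcap)
    finally:
        # Still present only when the conversion or the move did not happen.
        if os.path.exists(dumpfile):
            os.remove(dumpfile)

    # One binary read feeds both digests; the handle is closed on exit.
    sha1 = hashlib.sha1()
    md5 = hashlib.md5()
    with open(pcap, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            sha1.update(chunk)
            md5.update(chunk)

    e = pcapFile(pcap)
    e.sha1hash = sha1.hexdigest()
    e.md5hash = md5.hexdigest()
    e.outputfld = tmpfolder
    e.linklabel = 'Ready for use!! :)'
    response += e
    return response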
Esempio n. 2
0
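def dotransform(request, response):
    """Capture packets on an interface with a user-supplied BPF filter.

    Args:
        request: Maltego request. ``request.value`` is the output folder,
            ``request.fields['sniffMyPackets.interface']`` the interface to
            sniff and ``request.fields['sniffMyPackets.count']`` (optional)
            the number of packets to capture (default 300).
        response: Maltego response the ``pcapFile`` entity is added to.

    Returns:
        ``response`` with a ``pcapFile`` entity for the written capture, or
        ``response`` unchanged when the filter dialog yields no values.
    """
    interface = request.fields['sniffMyPackets.interface']
    tmpfolder = request.value
    tstamp = int(time())
    fileName = tmpfolder + '/' + str(tstamp) + '-filtered.pcap'

    if 'sniffMyPackets.count' in request.fields:
        pktcount = int(request.fields['sniffMyPackets.count'])
    else:
        pktcount = 300

    msg = 'Enter bpf filter'
    title = 'L0 - Capture Packets with BPF [SmP]'
    fieldNames = ["Filter"]
    fieldValues = multenterbox(msg, title, fieldNames)
    # A dismissed dialog gives nothing to index into (the original raised
    # TypeError here); with no filter there is nothing to capture.
    if not fieldValues:
        return response

    bpf_filter = fieldValues[0]

    pkts = sniff(iface=interface, count=pktcount, filter=bpf_filter)
    wrpcap(fileName, pkts)

    e = pcapFile(fileName)
    e.outputfld = tmpfolder
    response += e
    return response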
Esempio n. 3
0
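def dotransform(request, response):
    """Emit a ``pcapFile`` entity for every .pcap/.cap file in a folder.

    Args:
        request: Maltego request; ``request.value`` is the folder to scan.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with one ``pcapFile`` (sha1hash, md5hash, outputfld)
        per capture file, or a ``UIMessage`` when the folder does not exist.
    """
    folder = request.value
    file_ext = (".pcap", ".cap")

    if not os.path.exists(folder):
        return response + UIMessage("Whoops, that folder doesnt exist")

    for path in glob.glob(folder + "/*"):
        # Match on the suffix only: the substring test used before flagged
        # 'foo.pcap' for both '.pcap' and '.cap' and emitted it twice.
        if not path.endswith(file_ext):
            continue

        # One binary read feeds both digests; the handle is closed on exit.
        sha1 = hashlib.sha1()
        md5 = hashlib.md5()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                sha1.update(chunk)
                md5.update(chunk)

        e = pcapFile(path)
        e.sha1hash = sha1.hexdigest()
        e.outputfld = folder
        e.md5hash = md5.hexdigest()
        response += e
    return response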
Esempio n. 4
0
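def dotransform(request, response):
    """Extract one host/port pair's traffic from a pcap with tcpdump.

    Args:
        request: Maltego request. ``request.fields`` carries the source pcap
            (``pcapsrc``) and the ``sniffMyPackets.hostsrc`` /
            ``sniffMyPackets.hostsport`` values that become the filter.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a ``pcapFile`` for ``/tmp/<srcip>-<sport>.pcap``
        carrying ``sha1hash`` and a ``pktcnt`` field.
    """
    import subprocess

    pcap = request.fields['pcapsrc']
    srcip = request.fields['sniffMyPackets.hostsrc']
    sport = request.fields['sniffMyPackets.hostsport']
    filename = '/tmp/' + str(srcip) + '-' + str(sport) + '.pcap'

    # Filter the traffic on the entity values and write it under the new
    # name. The values come from the graph, so they are passed as separate
    # argv entries instead of being interpolated into a shell command line.
    subprocess.call(['tcpdump', '-r', pcap, 'host', str(srcip), 'and',
                     'port', str(sport), '-w', filename])

    # Count the number of packets in the file
    pktcount = len(rdpcap(filename))

    # Hash the file and return a SHA1 sum; the handle is closed on exit.
    with open(filename, 'rb') as fh:
        sha1sum = hashlib.sha1(fh.read()).hexdigest()

    e = pcapFile(filename)
    e.sha1hash = sha1sum
    e += Field('pktcnt', pktcount, displayname='Number of packets', matchingrule='loose')
    e.linklabel = '# of pkts:' + str(pktcount)
    e.linkcolor = 0x669900
    response += e
    return response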
Esempio n. 5
0
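def dotransform(request, response):
    """Extract one host/port pair's traffic from a pcap into the output folder.

    Args:
        request: Maltego request. ``request.fields`` carries the source pcap
            (``pcapsrc``), the output folder (``sniffMyPackets.outputfld``)
            and the ``sniffMyPackets.hostsrc`` / ``sniffMyPackets.hostsport``
            values that become the tcpdump filter; ``request.value`` is used
            as the file name prefix.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a ``pcapFile`` for the filtered capture carrying
        ``sha1hash`` and a ``pktcnt`` field.
    """
    import subprocess

    pcap = request.fields['pcapsrc']
    srcip = request.fields['sniffMyPackets.hostsrc']
    sport = request.fields['sniffMyPackets.hostsport']
    folder = request.fields['sniffMyPackets.outputfld']
    filename = folder + '/' + str(request.value) + '-' + str(srcip) + '.pcap'

    # Filter the traffic on the entity values and write it under the new
    # name. The values come from the graph, so they are passed as separate
    # argv entries instead of being interpolated into a shell command line.
    subprocess.call(['tcpdump', '-r', pcap, 'host', str(srcip), 'and',
                     'port', str(sport), '-w', filename])

    # Count the number of packets in the file
    pktcount = len(rdpcap(filename))

    # Hash the file and return a SHA1 sum; the handle is closed on exit.
    with open(filename, 'rb') as fh:
        sha1sum = hashlib.sha1(fh.read()).hexdigest()

    e = pcapFile(filename)
    e.sha1hash = sha1sum
    e += Field('pktcnt',
               pktcount,
               displayname='Number of packets',
               matchingrule='loose')
    e.linklabel = '# of pkts:' + str(pktcount)
    e.linkcolor = 0x669900
    response += e
    return response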
Esempio n. 6
0
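def dotransform(request, response):
    """Capture packets on an interface with a user-supplied BPF filter.

    Args:
        request: Maltego request. ``request.value`` is the output folder,
            ``request.fields['sniffMyPackets.interface']`` the interface to
            sniff and ``request.fields['sniffMyPackets.count']`` (optional)
            the number of packets to capture (default 300).
        response: Maltego response the ``pcapFile`` entity is added to.

    Returns:
        ``response`` with a ``pcapFile`` entity for the written capture, or
        ``response`` unchanged when the filter dialog yields no values.
    """
    interface = request.fields['sniffMyPackets.interface']
    tmpfolder = request.value
    tstamp = int(time())
    fileName = tmpfolder + '/' + str(tstamp) + '-filtered.pcap'

    if 'sniffMyPackets.count' in request.fields:
        pktcount = int(request.fields['sniffMyPackets.count'])
    else:
        pktcount = 300

    msg = 'Enter bpf filter'
    title = 'L0 - Capture Packets with BPF [SmP]'
    fieldNames = ["Filter"]
    fieldValues = multenterbox(msg, title, fieldNames)
    # A dismissed dialog gives nothing to index into (the original raised
    # TypeError here); with no filter there is nothing to capture.
    if not fieldValues:
        return response

    bpf_filter = fieldValues[0]

    pkts = sniff(iface=interface, count=pktcount, filter=bpf_filter)
    wrpcap(fileName, pkts)

    e = pcapFile(fileName)
    e.outputfld = tmpfolder
    response += e
    return response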
Esempio n. 7
0
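def dotransform(request, response):
    """Emit a ``pcapFile`` entity for every .pcap/.cap file in a folder.

    Args:
        request: Maltego request; ``request.value`` is the folder to scan.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with one ``pcapFile`` (sha1hash, md5hash, outputfld)
        per capture file, or a ``UIMessage`` when the folder does not exist.
    """
    folder = request.value
    file_ext = ('.pcap', '.cap')

    if not os.path.exists(folder):
        return response + UIMessage('Whoops, that folder doesnt exist')

    for path in glob.glob(folder + '/*'):
        # Match on the suffix only: the substring test used before flagged
        # 'foo.pcap' for both '.pcap' and '.cap' and emitted it twice.
        if not path.endswith(file_ext):
            continue

        # One binary read feeds both digests; the handle is closed on exit.
        sha1 = hashlib.sha1()
        md5 = hashlib.md5()
        with open(path, 'rb') as fh:
            for chunk in iter(lambda: fh.read(65536), b''):
                sha1.update(chunk)
                md5.update(chunk)

        e = pcapFile(path)
        e.sha1hash = sha1.hexdigest()
        e.outputfld = folder
        e.md5hash = md5.hexdigest()
        response += e
    return response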
def dotransform(request, response):
    """Return a ``pcapFile`` for every stream recorded for a pcap path.

    ``request.value`` (a pcap path) is resolved to its session id through
    the INDEX collection; every STREAMS record with that ``PCAP ID`` then
    becomes a ``pcapFile`` entity. Database errors and misses are reported
    back as ``UIMessage`` entities.
    """
    pcap = request.value

    # Without database support there is nothing to look up.
    if config["working/usedb"] == 0:
        return response + UIMessage("No database support configured, check your config file")

    db = mongo_connect()

    # Resolve the pcap path to its session id; the last matching record wins.
    try:
        if db.INDEX.find({"PCAP Path": pcap}).count() <= 0:
            return response + UIMessage("PCAP not found, is the SessionID correct??")
        for record in db.INDEX.find({"PCAP Path": pcap}, {"PCAP ID": 1, "_id": 0}):
            sessionid = record["PCAP ID"]
    except Exception as err:
        return response + UIMessage(str(err))

    # Emit one entity per stream file recorded for that session.
    try:
        if db.STREAMS.find({"PCAP ID": sessionid}).count() <= 0:
            return response + UIMessage("No streams found for that Session ID")
        streams = db.STREAMS.find({"PCAP ID": sessionid}, {"File Name": 1, "_id": 0})
        for record in streams:
            response += pcapFile(record["File Name"])
        return response
    except Exception as err:
        return response + UIMessage(str(err))
Esempio n. 9
0
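def dotransform(request, response):
    """Return the pcap entity with its SHA1 digest attached.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a ``pcapFile`` carrying ``sha1hash``.
    """
    pcap = request.value

    # Hash in binary mode; the handle is closed on exit (the original left
    # it open).
    with open(pcap, 'rb') as fh:
        filehash = hashlib.sha1(fh.read()).hexdigest()

    e = pcapFile(pcap)
    e.sha1hash = filehash
    response += e
    return response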
Esempio n. 10
0
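def dotransform(request, response):
    """Rewrite the IP endpoints of a pcap so it can be replayed elsewhere.

    The user is asked for a new source and destination IP. Packets sent by
    the original source (the source of the first packet) get the new
    source/destination; packets sent back to it are swapped the other way.
    IP and TCP checksums are dropped so scapy recomputes them on write.

    Args:
        request: Maltego request. ``request.value`` is the pcap path and
            ``request.fields['sniffMyPackets.outputfld']`` the output folder.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a ``pcapFile`` for the rewritten file, or
        ``response`` unchanged when the dialog yields no values.
    """
    import os

    pcap = request.value
    pkts = rdpcap(pcap)

    folder = request.fields['sniffMyPackets.outputfld']
    # Name the copy after the original file instead of slicing the path at a
    # fixed offset, which only worked for one particular folder layout.
    new_file = folder + '/replay-' + os.path.basename(request.value)

    msg = 'Enter the new IPs to rewrite the pcap file with'
    title = 'L0 - Rewrite pcap file for replay [SmP]'
    fieldNames = ["New Source IP", "New Destination IP"]
    fieldValues = multenterbox(msg, title, fieldNames)
    # A dismissed dialog gives nothing to index into (the original raised
    # TypeError here).
    if not fieldValues:
        return response

    new_src = fieldValues[0]
    new_dst = fieldValues[1]

    # The first packet defines which side is "the source" (an empty capture
    # or a first packet without an IP layer raises, as before).
    old_src = pkts[0][IP].src

    for p in pkts:
        # Only touch layers that are present: deleting the checksum of a
        # missing layer raises in scapy, so non-TCP traffic used to abort
        # the whole rewrite.
        if not p.haslayer(IP):
            continue
        del p[IP].chksum
        if p.haslayer(TCP):
            del p[TCP].chksum
        if p[IP].src == old_src:
            p[IP].src = new_src
            p[IP].dst = new_dst
        if p[IP].dst == old_src:
            p[IP].src = new_dst
            p[IP].dst = new_src

    wrpcap(new_file, pkts)

    e = pcapFile(new_file)
    e.linklabel = 'New pcap\nsrc:' + str(new_src) + '\ndst:' + str(new_dst)
    e.linkcolor = 0x33CC33
    e.outputfld = folder
    e += Field('pcapsrc',
               request.value,
               displayname='Original pcap File',
               matchingrule='loose')
    response += e
    return response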
Esempio n. 11
0
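def dotransform(request, response):
    """Rewrite the IP endpoints of a pcap so it can be replayed elsewhere.

    The user is asked for a new source and destination IP. Packets sent by
    the original source (the source of the first packet) get the new
    source/destination; packets sent back to it are swapped the other way.
    IP and TCP checksums are dropped so scapy recomputes them on write.

    Args:
        request: Maltego request. ``request.value`` is the pcap path and
            ``request.fields['sniffMyPackets.outputfld']`` the output folder.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a ``pcapFile`` for the rewritten file, or
        ``response`` unchanged when the dialog yields no values.
    """
    import os

    pcap = request.value
    pkts = rdpcap(pcap)

    folder = request.fields['sniffMyPackets.outputfld']
    # Name the copy after the original file instead of slicing the path at a
    # fixed offset, which only worked for one particular folder layout.
    new_file = folder + '/replay-' + os.path.basename(request.value)

    msg = 'Enter the new IPs to rewrite the pcap file with'
    title = 'L0 - Rewrite pcap file for replay [SmP]'
    fieldNames = ["New Source IP", "New Destination IP"]
    fieldValues = multenterbox(msg, title, fieldNames)
    # A dismissed dialog gives nothing to index into (the original raised
    # TypeError here).
    if not fieldValues:
        return response

    new_src = fieldValues[0]
    new_dst = fieldValues[1]

    # The first packet defines which side is "the source" (an empty capture
    # or a first packet without an IP layer raises, as before).
    old_src = pkts[0][IP].src

    for p in pkts:
        # Only touch layers that are present: deleting the checksum of a
        # missing layer raises in scapy, so non-TCP traffic used to abort
        # the whole rewrite.
        if not p.haslayer(IP):
            continue
        del p[IP].chksum
        if p.haslayer(TCP):
            del p[TCP].chksum
        if p[IP].src == old_src:
            p[IP].src = new_src
            p[IP].dst = new_dst
        if p[IP].dst == old_src:
            p[IP].src = new_dst
            p[IP].dst = new_src

    wrpcap(new_file, pkts)

    e = pcapFile(new_file)
    e.linklabel = 'New pcap\nsrc:' + str(new_src) + '\ndst:' + str(new_dst)
    e.linkcolor = 0x33CC33
    e.outputfld = folder
    e += Field('pcapsrc', request.value, displayname='Original pcap File', matchingrule='loose')
    response += e
    return response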
Esempio n. 12
0
def dotransform(request, response):
    """Capture packets on the entity's interface into a timestamped pcap.

    ``request.value`` is the folder the capture is written to;
    ``request.fields['sniffMyPackets.interface']`` names the interface and
    ``request.fields['sniffMyPackets.count']``, when present, the number of
    packets (default 300). Returns ``response`` with a ``pcapFile`` entity.
    """
    fields = request.fields
    interface = fields['sniffMyPackets.interface']
    tmpfolder = request.value
    fileName = tmpfolder + '/' + str(int(time())) + '.pcap'

    if 'sniffMyPackets.count' in fields:
        pktcount = int(fields['sniffMyPackets.count'])
    else:
        pktcount = 300

    captured = sniff(iface=interface, count=pktcount)
    wrpcap(fileName, captured)

    entity = pcapFile(fileName)
    entity.outputfld = tmpfolder
    response += entity
    return response
def dotransform(request, response):
    """Return a ``pcapFile`` for every stream recorded for a pcap path.

    ``request.value`` (a pcap path) is resolved to its session id through
    the INDEX collection; every STREAMS record with that ``PCAP ID`` then
    becomes a ``pcapFile`` entity. Database errors and misses are reported
    back as ``UIMessage`` entities.
    """
    pcap = request.value

    # Without database support there is nothing to look up.
    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')

    db = mongo_connect()

    # Resolve the pcap path to its session id; the last matching record wins.
    try:
        if db.INDEX.find({"PCAP Path": pcap}).count() <= 0:
            return response + UIMessage(
                'PCAP not found, is the SessionID correct??')
        for record in db.INDEX.find({"PCAP Path": pcap}, {"PCAP ID": 1, "_id": 0}):
            sessionid = record['PCAP ID']
    except Exception as err:
        return response + UIMessage(str(err))

    # Emit one entity per stream file recorded for that session.
    try:
        if db.STREAMS.find({"PCAP ID": sessionid}).count() <= 0:
            return response + UIMessage('No streams found for that Session ID')
        streams = db.STREAMS.find({"PCAP ID": sessionid}, {"File Name": 1, "_id": 0})
        for record in streams:
            response += pcapFile(record['File Name'])
        return response
    except Exception as err:
        return response + UIMessage(str(err))
Esempio n. 14
0
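def dotransform(request, response):
    """Turn an alert's dump file into a hashed ``pcapFile`` entity.

    Args:
        request: Maltego request. ``request.fields['dumpfile']`` is the pcap
            written for the alert and ``request.fields['sniffMyPackets.outputfld']``
            its folder.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a ``pcapFile`` carrying ``sha1hash``, ``md5hash``
        and ``outputfld``, or a ``UIMessage`` when either field is missing.
    """
    try:
        output_file = request.fields['dumpfile']
        folder = request.fields['sniffMyPackets.outputfld']
    except KeyError:
        return response + UIMessage('No Alert pcap available..sorry.')

    # One binary read feeds both digests; the handle is closed on exit.
    sha1 = hashlib.sha1()
    md5 = hashlib.md5()
    with open(output_file, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            sha1.update(chunk)
            md5.update(chunk)

    e = pcapFile(output_file)
    e.sha1hash = sha1.hexdigest()
    e.outputfld = folder
    e.md5hash = md5.hexdigest()
    response += e
    return response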
Esempio n. 15
0
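def dotransform(request, response):
    """Turn an alert's dump file into a hashed ``pcapFile`` entity.

    Args:
        request: Maltego request. ``request.fields['dumpfile']`` is the pcap
            written for the alert and ``request.fields['sniffMyPackets.outputfld']``
            its folder.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a ``pcapFile`` carrying ``sha1hash``, ``md5hash``
        and ``outputfld``, or a ``UIMessage`` when either field is missing.
    """
    try:
        output_file = request.fields['dumpfile']
        folder = request.fields['sniffMyPackets.outputfld']
    except KeyError:
        return response + UIMessage('No Alert pcap available..sorry.')

    # One binary read feeds both digests; the handle is closed on exit.
    sha1 = hashlib.sha1()
    md5 = hashlib.md5()
    with open(output_file, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            sha1.update(chunk)
            md5.update(chunk)

    e = pcapFile(output_file)
    e.sha1hash = sha1.hexdigest()
    e.outputfld = folder
    e.md5hash = md5.hexdigest()
    response += e
    return response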
def dotransform(request, response):
    """Resolve a session id to the pcap recorded for it in the INDEX collection.

    ``request.value`` is the session id. The first matching record's
    ``PCAP Path`` is returned as a ``pcapFile``; a miss, a disabled database
    or a database error is reported as a ``UIMessage``.
    """
    sessionid = request.value

    # The lookup needs the database; bail out when it is not configured.
    if config['working/usedb'] == 0:
        return response + UIMessage('No database support configured, check your config file')

    db = mongo_connect()
    try:
        query = {"PCAP ID": sessionid}
        if db.INDEX.find(query).count() <= 0:
            return response + UIMessage('PCAP not found, is the SessionID correct??')
        # Only the first matching record is turned into an entity.
        for record in db.INDEX.find(query, {"_id": 0}):
            response += pcapFile(record['PCAP Path'])
            return response
    except Exception as err:
        return response + UIMessage(str(err))
Esempio n. 17
0
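def dotransform(request, response):
    """Capture packets on the interface named by the entity and hash the pcap.

    Args:
        request: Maltego request. ``request.value`` is the interface;
            ``request.fields['sniffMyPackets.count']`` (optional) is the
            number of packets to capture (default 300).
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a ``pcapFile`` for ``/tmp/<epoch>.pcap`` carrying
        ``sha1hash``.
    """
    interface = request.value
    tstamp = int(time())
    # NOTE(review): a predictable name in the shared /tmp can be pre-created
    # by another local user; the other capture transforms write into the
    # entity's own output folder instead. Kept here to preserve the interface.
    fileName = '/tmp/' + str(tstamp) + '.pcap'

    if 'sniffMyPackets.count' in request.fields:
        pktcount = int(request.fields['sniffMyPackets.count'])
    else:
        pktcount = 300

    pkts = sniff(iface=interface, count=pktcount)
    wrpcap(fileName, pkts)

    # Hash in binary mode; the handle is closed on exit (the original left
    # it open).
    with open(fileName, 'rb') as fh:
        sha1hash = hashlib.sha1(fh.read()).hexdigest()

    e = pcapFile(fileName)
    e.sha1hash = sha1hash
    response += e
    return response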
Esempio n. 18
0
def dotransform(request, response):
    """Resolve a session id to the pcap recorded for it in the INDEX collection.

    ``request.value`` is the session id. The first matching record's
    ``PCAP Path`` is returned as a ``pcapFile``; a miss, a disabled database
    or a database error is reported as a ``UIMessage``.
    """
    sessionid = request.value

    # The lookup needs the database; bail out when it is not configured.
    if config['working/usedb'] == 0:
        return response + UIMessage(
            'No database support configured, check your config file')

    db = mongo_connect()
    try:
        query = {"PCAP ID": sessionid}
        if db.INDEX.find(query).count() <= 0:
            return response + UIMessage(
                'PCAP not found, is the SessionID correct??')
        # Only the first matching record is turned into an entity.
        for record in db.INDEX.find(query, {"_id": 0}):
            response += pcapFile(record['PCAP Path'])
            return response
    except Exception as err:
        return response + UIMessage(str(err))
Esempio n. 19
0
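def _run(args):
    """Run a command without a shell, discarding its stdout.

    Returns the exit code, or 127 (constructed value) when the program could
    not be started. stdout is dropped because a local Maltego transform's
    stdout is the response channel; stderr is left alone for diagnostics.
    """
    import subprocess
    with open(os.devnull, 'w') as devnull:
        try:
            return subprocess.call(args, stdout=devnull)
        except OSError:
            return 127


def _count_packets(path):
    """Return the number of packets tshark lists for ``path`` (one line each)."""
    import subprocess
    proc = subprocess.Popen(['tshark', '-r', path], stdout=subprocess.PIPE)
    out = proc.communicate()[0]
    return len(out.splitlines())


def _udp_conversations(pkts):
    """Return the UDP (src ip, src port, dst ip, dst port) tuples in ``pkts``.

    A tuple is added when first seen and removed again when its reverse
    direction turns up, so the surviving entry follows the direction of the
    last packet of each conversation. The tshark filter built from it
    matches both directions, so the final output does not depend on this.
    """
    convos = []
    for p in pkts:
        if not (p.haslayer(IP) and p.haslayer(UDP)):
            continue
        s_ip = p[IP].src if p[IP].src is not None else ''
        d_ip = p[IP].dst if p[IP].dst is not None else ''
        s_port = p[UDP].sport if p[UDP].sport is not None else ''
        d_port = p[UDP].dport if p[UDP].dport is not None else ''
        convo = (s_ip, s_port, d_ip, d_port)
        reverse = (d_ip, d_port, s_ip, s_port)
        if convo not in convos:
            convos.append(convo)
        if reverse in convos:
            convos.remove(reverse)
    return convos


def dotransform(request, response):
    """Split a pcap into one file per UDP conversation.

    Each conversation is written out with tshark, converted to libpcap with
    editcap, counted, hashed and returned as a ``pcapFile`` entity.

    Args:
        request: Maltego request. ``request.value`` is the pcap path and
            ``request.fields['sniffMyPackets.outputfld']`` the folder the
            stream files are written to.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with one ``pcapFile`` per UDP conversation (sha1hash,
        md5hash, outputfld, ``pcapsrc`` and ``pktcnt`` fields), or a
        ``UIMessage`` when no output folder is defined.
    """
    pcap = request.value

    try:
        tmpfolder = request.fields['sniffMyPackets.outputfld']
    except KeyError:
        return response + UIMessage('No output folder defined, run the L0 - Prepare pcap transform')

    pkts = rdpcap(pcap)
    convos = _udp_conversations(pkts)

    # Write each conversation to its own dump file. The arguments go to
    # tshark as a list, so the graph-supplied pcap path and folder are never
    # parsed by a shell, and _run() waits for tshark to finish before the
    # file is converted below (os.popen returned without waiting, so editcap
    # could read a half-written dump). The -R read filter is kept as in the
    # original; newer tshark releases also want -2 with it — confirm against
    # the installed version.
    stream_file = []
    for counter, (s_ip, s_port, d_ip, d_port) in enumerate(convos):
        dumpfile = tmpfolder + '/udp-stream' + str(counter) + '.dump'
        read_filter = ('(ip.addr eq ' + s_ip + ' and ip.addr eq ' + d_ip
                       + ') and (udp.port eq ' + str(s_port)
                       + ' and udp.port eq ' + str(d_port) + ')')
        _run(['tshark', '-r', pcap, '-R', read_filter, '-w', dumpfile])
        if dumpfile not in stream_file:
            stream_file.append(dumpfile)

    for s in stream_file:
        # Derive the stream index from the file name instead of slicing the
        # path at a fixed offset (which assumed a 41-character folder path).
        index = os.path.basename(s)[len('udp-stream'):-len('.dump')]
        cut = tmpfolder + '/udp-stream' + index + '.pcap'
        _run(['editcap', s, '-F', 'libpcap', cut])
        if os.path.exists(s):
            os.remove(s)

        # Packet count as an int, consistent with the other transforms'
        # pktcnt field (the piped 'wc -l' text used to carry a newline).
        pktcount = _count_packets(cut)

        # One binary read feeds both digests; the handle is closed on exit.
        sha1 = hashlib.sha1()
        md5 = hashlib.md5()
        with open(cut, 'rb') as fh:
            for chunk in iter(lambda: fh.read(65536), b''):
                sha1.update(chunk)
                md5.update(chunk)

        e = pcapFile(cut)
        e.sha1hash = sha1.hexdigest()
        e.outputfld = tmpfolder
        e.md5hash = md5.hexdigest()
        e += Field('pcapsrc', request.value, displayname='Original pcap File', matchingrule='loose')
        e += Field('pktcnt', pktcount, displayname='Number of packets', matchingrule='loose')
        e.linklabel = 'UDP - # of pkts:' + str(pktcount)
        response += e
    return response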

    
Esempio n. 20
0
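def dotransform(request, response):
    """Split a pcap into stream files and, with database support, index them.

    With ``config['working/usedb'] > 0`` the pcap's session is looked up by
    MD5 and one record per stream file is inserted into the STREAMS
    collection; otherwise the streams are only written to a fresh folder
    under ``config['working/directory']``. Either way one ``pcapFile``
    entity per stream file is returned.

    Args:
        request: Maltego request; ``request.value`` is the pcap path.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with the stream entities, or a ``UIMessage`` describing
        the first error encountered.
    """
    pcap = request.value
    folder = ''
    usedb = config['working/usedb']

    if usedb > 0:
        # Connect to the database so we can insert the records created below
        x = mongo_connect()
        c = x['STREAMS']
        # The pcap's session (id and folder) is keyed on the file's MD5
        try:
            md5hash = md5_for_file(pcap)
            d = find_session(md5hash)
            pcap_id = d[0]
            folder = d[2]
        except Exception as e:
            return response + UIMessage(str(e))
    else:
        w = config['working/directory'].strip('\'')
        try:
            if w != '':
                w = w + '/' + str(uuid.uuid4())[:12].replace('-', '')
                if not os.path.exists(w):
                    os.makedirs(w)
                folder = w
            else:
                return response + UIMessage(
                    'No working directory set, check your config file')
        except Exception as e:
            # str(e) as on every other error path (the exception object
            # itself used to be passed here).
            return response + UIMessage(str(e))

    # Create TCP/UDP stream files
    s = create_streams(pcap, folder)
    if usedb > 0:
        for i in s:
            # Create StreamID
            streamid = str(uuid.uuid4())[:8]
            # Packet count, first/last packet time and hashes; the first
            # failure is reported and stops the run, as before.
            try:
                pkcount = packet_count(i)
                pcap_time = get_time(i)
                md5hash = md5_for_file(i)
                sha1hash = sha1_for_file(i)
            except Exception as e:
                return response + UIMessage(str(e))

            # Pull the packet details out of the file name: the part after
            # the folder, minus a 5-character extension, split on '-' and
            # ':' into protocol, source ip/port, destination ip/port
            # (presumably the layout create_streams produces — confirm there).
            raw = i[len(folder) + 1:-5]
            pkt = raw.replace('-', ' ').replace(':', ' ').split()

            # Build the record from a list of pairs: OrderedDict(dict_literal)
            # receives an already-unordered dict and loses the field order.
            data = OrderedDict([
                ('PCAP ID', pcap_id),
                ('Stream ID', streamid),
                ('Folder', folder),
                ('Packet Count', pkcount),
                ('File Name', i),
                ('First Packet', pcap_time[0]),
                ('Last Packet', pcap_time[1]),
                ('MD5 Hash', md5hash),
                ('SHA1 Hash', sha1hash),
                ('Packet', OrderedDict([
                    ('Protocol', pkt[0]),
                    ('Source IP', pkt[1]),
                    ('Source Port', pkt[2]),
                    ('Destination IP', pkt[3]),
                    ('Destination Port', pkt[4]),
                ])),
            ])

            # Insert only when no record names this file yet. This is a
            # check-then-insert without a unique index, so two concurrent
            # runs can still both insert.
            try:
                if x.STREAMS.find({"File Name": i}).count() <= 0:
                    c.insert(data)
            except Exception as e:
                return response + UIMessage(str(e))

    # Create Maltego entities for each pcap file
    for p in s:
        response += pcapFile(p)
    return response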
Esempio n. 21
0
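def dotransform(request, response):
    """Search a pcap for packets matching user-entered criteria.

    The user is asked for a source IP, a destination IP, a TCP port and free
    text; a packet is kept when it matches ANY of the non-empty criteria.
    The matches are written, in capture order, to a new pcap in the entity's
    output folder.

    Args:
        request: Maltego request. ``request.value`` is the pcap path and
            ``request.fields['sniffMyPackets.outputfld']`` the output folder.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a ``pcapFile`` for the results (``pcapsrc`` and
        ``pktcnt`` fields), a ``UIMessage`` when nothing matched, or
        ``response`` unchanged when the dialog yields no values.
    """
    pcap = request.value
    pkts = rdpcap(pcap)

    folder = request.fields['sniffMyPackets.outputfld']
    tstamp = int(time())
    new_file = folder + '/search-results-' + str(tstamp) + '.pcap'

    msg = 'Enter Search Criteria'
    title = 'L0 - Simple pcap search [SmP]'
    fieldNames = ["Source", "Destination", "Port", "Free Text"]
    fieldValues = multenterbox(msg, title, fieldNames)
    # A dismissed dialog gives nothing to index into (the original raised
    # TypeError here).
    if not fieldValues:
        return response

    # An empty field means "no constraint".
    s_ip = fieldValues[0] or None
    d_ip = fieldValues[1] or None
    port = fieldValues[2] or None
    text = fieldValues[3] or None
    # Convert once, up front; a non-numeric port raises ValueError as before.
    port_num = int(port) if port is not None else None

    def matches(p):
        """True when the packet satisfies at least one active criterion."""
        if p.haslayer(IP):
            if s_ip is not None and p[IP].src == s_ip:
                return True
            if d_ip is not None and p[IP].dst == d_ip:
                return True
        if port_num is not None and p.haslayer(TCP):
            if port_num in (p[TCP].sport, p[TCP].dport):
                return True
        if text is not None and p.haslayer(Raw):
            # NOTE(review): str-in-bytes raises TypeError on Python 3; this
            # mirrors the original (Python 2) comparison — confirm the target.
            if text in p[Raw].load:
                return True
        return False

    # Evaluate every packet once so a packet matching several criteria is
    # written once (it used to be appended per matching criterion).
    r_pkts = [p for p in pkts if matches(p)]

    if not r_pkts:
        return response + UIMessage('Sorry no packets found!!')
    wrpcap(new_file, r_pkts)

    pktcount = len(r_pkts)

    e = pcapFile(new_file)
    e.outputfld = folder
    e += Field('pcapsrc',
               request.value,
               displayname='Original pcap File',
               matchingrule='loose')
    e += Field('pktcnt',
               pktcount,
               displayname='Number of packets',
               matchingrule='loose')
    e.linklabel = 'Search Results'
    response += e
    return response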
Esempio n. 22
0
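def _run(args):
    """Run a command without a shell, discarding its stdout.

    Returns the exit code, or 127 (constructed value) when the program could
    not be started. stdout is dropped because a local Maltego transform's
    stdout is the response channel; stderr is left alone for diagnostics.
    """
    import subprocess
    with open(os.devnull, 'w') as devnull:
        try:
            return subprocess.call(args, stdout=devnull)
        except OSError:
            return 127


def _count_packets(path):
    """Return the number of packets tshark lists for ``path`` (one line each)."""
    import subprocess
    proc = subprocess.Popen(['tshark', '-r', path], stdout=subprocess.PIPE)
    out = proc.communicate()[0]
    return len(out.splitlines())


def dotransform(request, response):
    """Split a pcap into one file per TCP stream.

    tshark lists the ``tcp.stream`` index of every packet; each distinct
    index is written to its own dump file, converted to libpcap with
    editcap, counted, hashed and returned as a ``pcapFile`` entity.

    Args:
        request: Maltego request. ``request.value`` is the pcap path and
            ``request.fields['sniffMyPackets.outputfld']`` the folder the
            stream files are written to.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with one ``pcapFile`` per TCP stream (sha1hash,
        md5hash, outputfld, ``pcapsrc`` and ``pktcnt`` fields), or a
        ``UIMessage`` when no output folder is defined.
    """
    import subprocess

    pcap = request.value

    try:
        tmpfolder = request.fields['sniffMyPackets.outputfld']
    except KeyError:
        return response + UIMessage('No output folder defined, run the L0 - Prepare pcap transform')

    # Ask tshark for the tcp.stream index of every packet (list form: the
    # graph-supplied path is never parsed by a shell). Packets without a TCP
    # layer produce an empty line, which is skipped below.
    proc = subprocess.Popen(['tshark', '-r', pcap, '-T', 'fields', '-e', 'tcp.stream'],
                            stdout=subprocess.PIPE)
    out = proc.communicate()[0]
    if not isinstance(out, str):
        out = out.decode('ascii', 'replace')  # bytes on Python 3
    stream_index = []
    for line in out.splitlines():
        y = line.strip()
        if y and y not in stream_index:
            stream_index.append(y)

    # Write each stream to its own dump file. _run() waits for tshark to
    # finish before the file is converted below (os.popen returned without
    # waiting, so editcap could read a half-written dump).
    stream_file = []
    for y in stream_index:
        dumpfile = tmpfolder + '/tcp-stream' + y + '.dump'
        _run(['tshark', '-r', pcap, 'tcp.stream eq ' + y, '-w', dumpfile])
        if dumpfile not in stream_file:
            stream_file.append(dumpfile)

    for s in stream_file:
        # Derive the stream index from the file name instead of slicing the
        # path at a fixed offset (which assumed a 41-character folder path).
        index = os.path.basename(s)[len('tcp-stream'):-len('.dump')]
        cut = tmpfolder + '/tcp-stream' + index + '.pcap'
        _run(['editcap', s, '-F', 'libpcap', cut])
        if os.path.exists(s):
            os.remove(s)

        # Packet count as an int, consistent with the other transforms'
        # pktcnt field (the piped 'wc -l' text used to carry a newline).
        pktcount = _count_packets(cut)

        # One binary read feeds both digests; the handle is closed on exit.
        sha1 = hashlib.sha1()
        md5 = hashlib.md5()
        with open(cut, 'rb') as fh:
            for chunk in iter(lambda: fh.read(65536), b''):
                sha1.update(chunk)
                md5.update(chunk)

        e = pcapFile(cut)
        e.sha1hash = sha1.hexdigest()
        e.outputfld = tmpfolder
        e.md5hash = md5.hexdigest()
        e += Field('pcapsrc', request.value, displayname='Original pcap File', matchingrule='loose')
        e += Field('pktcnt', pktcount, displayname='Number of packets', matchingrule='loose')
        e.linklabel = 'TCP - # of pkts:' + str(pktcount)
        response += e

    return response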
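def _run(args):
    """Run a command without a shell, discarding its stdout.

    Returns the exit code, or 127 (constructed value) when the program could
    not be started. stdout is dropped because a local Maltego transform's
    stdout is the response channel; stderr is left alone for diagnostics.
    """
    import subprocess
    with open(os.devnull, 'w') as devnull:
        try:
            return subprocess.call(args, stdout=devnull)
        except OSError:
            return 127


def _count_packets(path):
    """Return the number of packets tshark lists for ``path`` (one line each)."""
    import subprocess
    proc = subprocess.Popen(['tshark', '-r', path], stdout=subprocess.PIPE)
    out = proc.communicate()[0]
    return len(out.splitlines())


def _udp_conversations(pkts):
    """Return the UDP (src ip, src port, dst ip, dst port) tuples in ``pkts``.

    A tuple is added when first seen and removed again when its reverse
    direction turns up, so the surviving entry follows the direction of the
    last packet of each conversation. The tshark filter built from it
    matches both directions, so the final output does not depend on this.
    """
    convos = []
    for p in pkts:
        if not (p.haslayer(IP) and p.haslayer(UDP)):
            continue
        s_ip = p[IP].src if p[IP].src is not None else ''
        d_ip = p[IP].dst if p[IP].dst is not None else ''
        s_port = p[UDP].sport if p[UDP].sport is not None else ''
        d_port = p[UDP].dport if p[UDP].dport is not None else ''
        convo = (s_ip, s_port, d_ip, d_port)
        reverse = (d_ip, d_port, s_ip, s_port)
        if convo not in convos:
            convos.append(convo)
        if reverse in convos:
            convos.remove(reverse)
    return convos


def dotransform(request, response):
    """Split a pcap into one file per UDP conversation.

    Each conversation is written out with tshark, converted to libpcap with
    editcap, counted, hashed and returned as a ``pcapFile`` entity.

    Args:
        request: Maltego request. ``request.value`` is the pcap path and
            ``request.fields['sniffMyPackets.outputfld']`` the folder the
            stream files are written to.
        response: Maltego response the entities are added to.

    Returns:
        ``response`` with one ``pcapFile`` per UDP conversation (sha1hash,
        md5hash, outputfld, ``pcapsrc`` and ``pktcnt`` fields), or a
        ``UIMessage`` when no output folder is defined.
    """
    pcap = request.value

    try:
        tmpfolder = request.fields['sniffMyPackets.outputfld']
    except KeyError:
        return response + UIMessage(
            'No output folder defined, run the L0 - Prepare pcap transform')

    pkts = rdpcap(pcap)
    convos = _udp_conversations(pkts)

    # Write each conversation to its own dump file. The arguments go to
    # tshark as a list, so the graph-supplied pcap path and folder are never
    # parsed by a shell, and _run() waits for tshark to finish before the
    # file is converted below (os.popen returned without waiting, so editcap
    # could read a half-written dump). The -R read filter is kept as in the
    # original; newer tshark releases also want -2 with it — confirm against
    # the installed version.
    stream_file = []
    for counter, (s_ip, s_port, d_ip, d_port) in enumerate(convos):
        dumpfile = tmpfolder + '/udp-stream' + str(counter) + '.dump'
        read_filter = ('(ip.addr eq ' + s_ip + ' and ip.addr eq ' + d_ip
                       + ') and (udp.port eq ' + str(s_port)
                       + ' and udp.port eq ' + str(d_port) + ')')
        _run(['tshark', '-r', pcap, '-R', read_filter, '-w', dumpfile])
        if dumpfile not in stream_file:
            stream_file.append(dumpfile)

    for s in stream_file:
        # Derive the stream index from the file name instead of slicing the
        # path at a fixed offset (which assumed a 41-character folder path).
        index = os.path.basename(s)[len('udp-stream'):-len('.dump')]
        cut = tmpfolder + '/udp-stream' + index + '.pcap'
        _run(['editcap', s, '-F', 'libpcap', cut])
        if os.path.exists(s):
            os.remove(s)

        # Packet count as an int, consistent with the other transforms'
        # pktcnt field (the piped 'wc -l' text used to carry a newline).
        pktcount = _count_packets(cut)

        # One binary read feeds both digests; the handle is closed on exit.
        sha1 = hashlib.sha1()
        md5 = hashlib.md5()
        with open(cut, 'rb') as fh:
            for chunk in iter(lambda: fh.read(65536), b''):
                sha1.update(chunk)
                md5.update(chunk)

        e = pcapFile(cut)
        e.sha1hash = sha1.hexdigest()
        e.outputfld = tmpfolder
        e.md5hash = md5.hexdigest()
        e += Field('pcapsrc',
                   request.value,
                   displayname='Original pcap File',
                   matchingrule='loose')
        e += Field('pktcnt',
                   pktcount,
                   displayname='Number of packets',
                   matchingrule='loose')
        e.linklabel = 'UDP - # of pkts:' + str(pktcount)
        response += e
    return response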
Esempio n. 24
0
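def dotransform(request, response):
    """Search a pcap for packets matching user-entered criteria.

    The user is asked for a source IP, a destination IP, a TCP port and free
    text; a packet is kept when it matches ANY of the non-empty criteria.
    The matches are written, in capture order, to a new pcap in the entity's
    output folder.

    Args:
        request: Maltego request. ``request.value`` is the pcap path and
            ``request.fields['sniffMyPackets.outputfld']`` the output folder.
        response: Maltego response the entity is added to.

    Returns:
        ``response`` with a ``pcapFile`` for the results (``pcapsrc`` and
        ``pktcnt`` fields), a ``UIMessage`` when nothing matched, or
        ``response`` unchanged when the dialog yields no values.
    """
    pcap = request.value
    pkts = rdpcap(pcap)

    folder = request.fields['sniffMyPackets.outputfld']
    tstamp = int(time())
    new_file = folder + '/search-results-' + str(tstamp) + '.pcap'

    msg = 'Enter Search Criteria'
    title = 'L0 - Simple pcap search [SmP]'
    fieldNames = ["Source", "Destination", "Port", "Free Text"]
    fieldValues = multenterbox(msg, title, fieldNames)
    # A dismissed dialog gives nothing to index into (the original raised
    # TypeError here).
    if not fieldValues:
        return response

    # An empty field means "no constraint".
    s_ip = fieldValues[0] or None
    d_ip = fieldValues[1] or None
    port = fieldValues[2] or None
    text = fieldValues[3] or None
    # Convert once, up front; a non-numeric port raises ValueError as before.
    port_num = int(port) if port is not None else None

    def matches(p):
        """True when the packet satisfies at least one active criterion."""
        if p.haslayer(IP):
            if s_ip is not None and p[IP].src == s_ip:
                return True
            if d_ip is not None and p[IP].dst == d_ip:
                return True
        if port_num is not None and p.haslayer(TCP):
            if port_num in (p[TCP].sport, p[TCP].dport):
                return True
        if text is not None and p.haslayer(Raw):
            # NOTE(review): str-in-bytes raises TypeError on Python 3; this
            # mirrors the original (Python 2) comparison — confirm the target.
            if text in p[Raw].load:
                return True
        return False

    # Evaluate every packet once so a packet matching several criteria is
    # written once (it used to be appended per matching criterion).
    r_pkts = [p for p in pkts if matches(p)]

    if not r_pkts:
        return response + UIMessage('Sorry no packets found!!')
    wrpcap(new_file, r_pkts)

    pktcount = len(r_pkts)

    e = pcapFile(new_file)
    e.outputfld = folder
    e += Field('pcapsrc', request.value, displayname='Original pcap File', matchingrule='loose')
    e += Field('pktcnt', pktcount, displayname='Number of packets', matchingrule='loose')
    e.linklabel = 'Search Results'
    response += e
    return response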
Esempio n. 25
0
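def dotransform(request, response):
    """Split a pcap into per-stream files and return a pcapFile entity for each.

    When ``config['working/usedb']`` is greater than zero the pcap is looked
    up by MD5 with ``find_session``, the stream files are written to the folder
    recorded for it, and one STREAMS document is inserted per stream file that
    is not already in the collection.  Otherwise a fresh random sub-folder of
    ``config['working/directory']`` is created and the streams are written
    there with no database work.

    Args:
        request:  Maltego request; ``request.value`` is the path of the pcap.
        response: Maltego response; one pcapFile entity per stream file is added.

    Returns:
        The response with the pcapFile entities, or with a UIMessage describing
        the first error encountered.
    """
    pcap = request.value
    folder = ''
    pcap_id = None
    usedb = config['working/usedb']
    # Check to see if we are using the database or not
    if usedb > 0:
        # Connect to the database so we can insert the record created below
        x = mongo_connect()
        c = x['STREAMS']
        # Hash the pcap file and look up its session; element 0 of the result
        # is the pcap id and element 2 the folder the streams belong in.
        try:
            md5hash = md5_for_file(pcap)
            d = find_session(md5hash)
            pcap_id = d[0]
            folder = d[2]
        except Exception as err:
            return response + UIMessage(str(err))
    else:
        w = config['working/directory'].strip('\'')
        try:
            if w != '':
                # Short random sub-folder so repeated runs do not collide
                w = w + '/' + str(uuid.uuid4())[:12].replace('-', '')
                if not os.path.exists(w):
                    os.makedirs(w)
                folder = w
            else:
                return response + UIMessage('No working directory set, check your config file')
        except Exception as err:
            # str() so the message is built from text, as the other handlers do
            return response + UIMessage(str(err))

    # Create TCP/UDP stream files
    s = create_streams(pcap, folder)
    if usedb > 0:
        for i in s:
            # Create StreamID
            streamid = str(uuid.uuid4())[:8]
            # Get a count of packets available
            try:
                pkcount = packet_count(i)
            except Exception as err:
                return response + UIMessage(str(err))
            # Get the start/end time of packets
            try:
                pcap_time = get_time(i)
            except Exception as err:
                return response + UIMessage(str(err))
            # Hash the stream file
            try:
                md5hash = md5_for_file(i)
                sha1hash = sha1_for_file(i)
            except Exception as err:
                return response + UIMessage(str(err))

            # Pull the packet details out of the file name: drop the folder
            # prefix and the 5-character extension (assumed to be ".pcap"),
            # then split on '-' and ':' into proto, src ip, src port, dst ip,
            # dst port.  Report an unexpected name rather than raise IndexError.
            prefix_len = len(folder) + 1
            raw = i[prefix_len:-5]
            pkt = raw.replace('-', ' ').replace(':', ' ').split()
            if len(pkt) < 5:
                return response + UIMessage('Unexpected stream file name: ' + str(i))

            # Build the document from a list of pairs: an OrderedDict built from
            # a dict literal does not preserve this order on older interpreters.
            data = OrderedDict([
                ('PCAP ID', pcap_id), ('Stream ID', streamid), ('Folder', folder),
                ('Packet Count', pkcount), ('File Name', i),
                ('First Packet', pcap_time[0]), ('Last Packet', pcap_time[1]),
                ('MD5 Hash', md5hash), ('SHA1 Hash', sha1hash),
                ('Packet', OrderedDict([
                    ('Protocol', pkt[0]), ('Source IP', pkt[1]), ('Source Port', pkt[2]),
                    ('Destination IP', pkt[3]), ('Destination Port', pkt[4])])),
            ])

            # Insert only when no record exists for this file name
            try:
                t = x.STREAMS.find({"File Name": i}).count()
                if t == 0:
                    c.insert(data)
            except Exception as err:
                return response + UIMessage(str(err))

    # Create Maltego entities for each pcap file
    for p in s:
        response += pcapFile(p)
    return response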
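def dotransform(request, response):
    """Extract every TCP stream of a pcap into its own libpcap file.

    Uses tshark to list the distinct ``tcp.stream`` indexes, writes each
    stream to ``tcp-stream<id>.dump`` in the output folder, converts it with
    editcap to ``tcp-stream<id>.pcap``, removes the intermediate dump and
    returns one pcapFile entity per stream carrying its packet count, SHA1
    and MD5.

    Args:
        request:  Maltego request; ``request.value`` is the pcap path and
            ``request.fields['sniffMyPackets.outputfld']`` the output folder.
        response: Maltego response the entities (or a UIMessage) are added to.

    Returns:
        The response with one pcapFile entity per extracted stream, or with a
        UIMessage when the output folder is missing or tshark cannot read
        the capture.
    """
    # Local import: the module's import block is not part of this listing.
    import subprocess

    pcap = request.value

    try:
        tmpfolder = request.fields['sniffMyPackets.outputfld']
    except KeyError:
        return response + UIMessage(
            'No output folder defined, run the L0 - Prepare pcap transform')

    # List the TCP stream indexes.  Arguments are passed as a list so the
    # path taken from the request is never interpreted by a shell (the
    # original concatenated it into an os.popen command line).
    try:
        out = subprocess.check_output(
            ['tshark', '-r', pcap, '-T', 'fields', '-e', 'tcp.stream'],
            universal_newlines=True)
    except (OSError, subprocess.CalledProcessError) as err:
        return response + UIMessage('tshark failed: ' + str(err))

    stream_index = []
    for line in out.splitlines():
        sid = line.strip()
        # Non-TCP packets yield an empty field: nothing to extract for them
        # (this is what the original 'tcp-stream.dump' check skipped).
        if sid and sid not in stream_index:
            stream_index.append(sid)

    # Write each stream to a .dump file.  subprocess.call waits for tshark to
    # finish, so the editcap step below never races an unfinished write
    # (os.popen returned without waiting).  Keep the id next to the path so
    # the output name is derived from it rather than from a fixed slice of
    # the path ([52:-5]) that only held for one folder naming scheme.
    stream_files = []
    for sid in stream_index:
        dumpfile = os.path.join(tmpfolder, 'tcp-stream' + sid + '.dump')
        rc = subprocess.call(['tshark', '-r', pcap, 'tcp.stream eq ' + sid, '-w', dumpfile])
        if rc == 0:
            stream_files.append((sid, dumpfile))

    # Now for the long bit...
    for sid, dumpfile in stream_files:
        cut = os.path.join(tmpfolder, 'tcp-stream' + sid + '.pcap')
        if subprocess.call(['editcap', dumpfile, '-F', 'libpcap', cut]) != 0:
            continue
        try:
            os.remove(dumpfile)
        except OSError:
            pass  # best-effort clean-up; the .pcap is what is returned

        # tshark prints one summary line per packet, so the line count is
        # the packet count (the original piped this through `wc -l`).
        try:
            summary = subprocess.check_output(['tshark', '-r', cut], universal_newlines=True)
            pktcount = len(summary.splitlines())
        except (OSError, subprocess.CalledProcessError):
            pktcount = 0

        # Read the file once and feed both digests; the handle is closed on
        # exit instead of being left to the garbage collector.
        with open(cut, 'rb') as fh:
            data = fh.read()
        sha1sum = hashlib.sha1(data).hexdigest()
        md5sum = hashlib.md5(data).hexdigest()

        e = pcapFile(cut)
        e.sha1hash = sha1sum
        e.outputfld = tmpfolder
        e.md5hash = md5sum
        e += Field('pcapsrc',
                   request.value,
                   displayname='Original pcap File',
                   matchingrule='loose')
        e += Field('pktcnt',
                   pktcount,
                   displayname='Number of packets',
                   matchingrule='loose')
        e.linklabel = 'TCP - # of pkts:' + str(pktcount)
        response += e

    return response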